From 08c898ed46067286a859a706b96d45ff4dd50bc1 Mon Sep 17 00:00:00 2001
From: Giulio De Pasquale
Date: Sun, 28 May 2023 00:16:46 +0200
Subject: [PATCH] Initial move to 23.05

---
 flake.lock | 34 ++++---------
 flake.nix | 4 +-
 hosts/architect/default.nix | 16 +++++--
 hosts/architect/dns.nix | 56 ++++++----------------
 hosts/architect/gitea.nix | 4 +-
 hosts/architect/headscale.nix | 7 +-
 hosts/architect/nginx.nix | 90 +++++++++++++++++------------------
 hosts/architect/openid.nix | 84 ++++++++++++++++----------------
 hosts/architect/tailscale.nix | 3 +-
 lib/host.nix | 5 +-
 roles/common.nix | 6 ++-
 roles/home/common.nix | 2 +-
 roles/home/helix.nix | 2 +-
 13 files changed, 140 insertions(+), 173 deletions(-)

diff --git a/flake.lock b/flake.lock
index f581dff..8fe4a37 100644
--- a/flake.lock
+++ b/flake.lock
@@ -4,20 +4,19 @@
 "inputs": {
 "nixpkgs": [
 "nixpkgs"
- ],
- "utils": "utils"
+ ]
 },
 "locked": {
- "lastModified": 1681092193,
- "narHash": "sha256-JerCqqOqbT2tBnXQW4EqwFl0hHnuZp21rIQ6lu/N4rI=",
+ "lastModified": 1685189510,
+ "narHash": "sha256-Hq5WF7zIixojPgvhgcd6MBvywwycVZ9wpK/8ogOyoaA=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "f9edbedaf015013eb35f8caacbe0c9666bbc16af",
+ "rev": "2d963854ae2499193c0c72fd67435fee34d3e4fd",
 "type": "github"
 },
 "original": {
 "owner": "nix-community",
- "ref": "release-22.11",
+ "ref": "master",
 "repo": "home-manager",
 "type": "github"
 }
@@ -40,16 +39,16 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1683928319,
- "narHash": "sha256-maz0DRKixJVcNRMiAMWlJniiF8IuQ+WbfmlJJ8D+jfM=",
+ "lastModified": 1685004253,
+ "narHash": "sha256-AbVL1nN/TDicUQ5wXZ8xdLERxz/eJr7+o8lqkIOVuaE=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "9656e85a15a0fe67847ee8cdb99a20d8df499962",
+ "rev": "3e01645c40b92d29f3ae76344a6d654986a91a91",
 "type": "github"
 },
 "original": {
 "owner": "NixOS",
- "ref": "nixos-22.11",
+ "ref": "nixos-23.05",
 "repo": "nixpkgs",
 "type": "github"
 }
@@ -60,21 +59,6 @@
 "nixos-unstable": "nixos-unstable",
 "nixpkgs": "nixpkgs"
 }
- },
- "utils": {
- "locked": {
- "lastModified": 1667395993,
- "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
- "owner": "numtide",
- "repo": "flake-utils",
- "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
- "type": "github"
- },
- "original": {
- "owner": "numtide",
- "repo": "flake-utils",
- "type": "github"
- }
 }
 },
 "root": "root",
diff --git a/flake.nix b/flake.nix
index 62fd26e..90c5aca 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,9 +1,9 @@
 {
 inputs = {
- nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11";
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05";
 nixos-unstable.url = "github:NixOS/nixpkgs/master";
 home-manager = {
- url = "github:nix-community/home-manager/release-22.11";
+ url = "github:nix-community/home-manager/master";
 inputs.nixpkgs.follows = "nixpkgs";
 };
 };
diff --git a/hosts/architect/default.nix b/hosts/architect/default.nix
index 2d2c1a0..1cc767e 100644
--- a/hosts/architect/default.nix
+++ b/hosts/architect/default.nix
@@ -5,7 +5,7 @@ let
 "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1we38/N+t8Ah5yrLof8QUwhrob7/VXFKIddaJeOVBLuDVnW7ljiAtdtEiL69D/DV4Ohmt5wMvkAAjfuHmim6FD9A6lzPbSU4KH9W2dcckszKbbI636kuDwem/xui6BW3wJa6P+0xW5ksygEAkzcK2PXuC2b4B9uwhuUdKahiGMKDxISG/WianqAe72cGMfNkYvion3Y1VsMLUdm48d2ABnxNpr7NI9B5iJ8dziOft9gpgfz13CCQRlReo75gk/4xI+vSNrQp7eR+wzJy2/dZg/T8jtyA9Q6jVxrxBpqQ1LNXkAKaJkGo9OabF6Wgpzp+YTAurL4nwR2NaJxwFuyoKvACQy0ai4jrS3206gC6JXZv8ktZMZrwUN+jPqCwfgh5qObFkAqKCxbp52ioDek2MQLdOvzQBX//DBhGEp5rzHGLZ3vhRIiiQiaof5sF5zWiYDW5mqezSPNxJPX/BrTP/Wbs/jpwTLBh3wytiia0S1WXQmya89bqzTPFiDWvTRA62EVKB/JaQtPQQOFAxWwg799DMycPeZ81xttZOyMtI/MZSddyqx2S8fWGwvToZQvuZ38mSIpFseLM1IkgabRIrAmat5SBNGGy9Dqa0eMEa7bwIY/4CMB1y6HMTnaoMXA6cnQfHMoB/zyTZ6oTXIeqeOyiZsK+RN0Mvahj8mXi7dw== giulio@giulio-X230"
 ];
 domain = "devs.giugl.io";
-
+
 utilities = import ./utilities.nix { inherit lib config; };
 inherit (utilities) generateDeviceStrings;
 in
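Review bot: In the flake.nix hunk the `home-manager` input is switched from the `release-22.11` branch to `master`, while `nixpkgs` moves to the `nixos-23.05` release branch; the lock file pins a specific rev today, but every future `nix flake update` will then pull whatever is on home-manager master, which can drift from the 23.05 module API the rest of this commit adapts to and is unreviewed upstream code. Home-manager cuts a `release-23.05` branch alongside the NixOS release; if it exists at the time of this change, use `url = "github:nix-community/home-manager/release-23.05";`, otherwise leave a comment saying master is temporary and switch once the branch is published.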
@@ -88,6 +88,8 @@ in "memmap=32M$0x4ca6f9478" ]; + kernelPackages = pkgs.linuxPackages; + kernel.sysctl = { "net.ipv4.ip_forward" = 1; }; loader = { @@ -100,7 +102,7 @@ in supportedFilesystems = [ "zfs" ]; zfs.requestEncryptionCredentials = true; - tmpOnTmpfsSize = "50%"; + tmp.tmpfsSize = "50%"; }; networking = with config.architect.networks.lan; { @@ -151,8 +153,12 @@ in xserver.videoDrivers = [ "nvidia" ]; openssh = { enable = true; - passwordAuthentication = false; - kbdInteractiveAuthentication = false; + + settings = { + passwordAuthentication = false; + kbdInteractiveAuthentication = false; + + }; extraConfig = '' MaxAuthTries 15 ''; @@ -162,7 +168,7 @@ in environment = { variables = { LIBVA_DRIVER_NAME = "vdpau"; }; - systemPackages = with pkgs; [ cachix ]; + systemPackages = with pkgs; [ cachix linuxPackages.usbip ]; }; } diff --git a/hosts/architect/dns.nix b/hosts/architect/dns.nix index fb6fd01..5d667a8 100644 --- a/hosts/architect/dns.nix +++ b/hosts/architect/dns.nix 
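Review bot: In the openssh hunk the new `settings` block keeps the old camel-case names `passwordAuthentication` and `kbdInteractiveAuthentication`, but in 23.05 the keys of `services.openssh.settings` are sshd_config keywords and the typed options are `PasswordAuthentication` and `KbdInteractiveAuthentication`, both defaulting to `true`. As far as I can tell the lowercase keys only pass through the freeform type, so the generated sshd_config will carry both `PasswordAuthentication yes` (from the untouched default) and `passwordAuthentication no`, and since sshd takes the first value it sees for a keyword (case-insensitively), password logins are likely to end up enabled — the opposite of what this block intends. The fix is the two renamed keys `PasswordAuthentication = false;` and `KbdInteractiveAuthentication = false;`; confirm with `sshd -T | grep -i passwordauthentication` after the rebuild. The stray empty lines inside `settings` can go at the same time.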
@@ -1,53 +1,27 @@ { config, pkgs, lib, ... }: -let - adguard_webui_port = 3031; - adguard_dns_port = "5300"; - dnscrypt_listen_port = "5353"; -in { architect.firewall.openUDPVPN = [ 53 ]; services = { dnsmasq = { - enable = true; - # adguard port - servers = [ "127.0.0.1#${adguard_dns_port}" ]; - extraConfig = '' - localise-queries - min-cache-ttl=120 - max-cache-ttl=2400 - - domain=runas.rocks - domain=giugl.io - domain=devs.runas.rocks - domain=devs.giugl.io - ''; - }; - - adguardhome = { - enable = true; - port = adguard_webui_port; - }; - - dnscrypt-proxy2 = { enable = true; settings = { - listen_addresses = [ "127.0.0.1:${dnscrypt_listen_port}" ]; - ipv4_servers = true; - ipv6_servers = false; - block_ipv6 = true; - dnscrypt_servers = true; - doh_servers = true; - require_nolog = true; - require_nofilter = true; - timeout = 350; - lb_strategy = "p4"; - lb_estimator = true; - ignore_system_dns = true; - fallback_resolvers = [ "1.1.1.1:53" "9.9.9.9:53" ]; - cache_min_ttl = 450; - cache_max_ttl = 2400; + server = [ + "45.90.28.77" + "45.90.30.77" + "2a07:a8c0::d6:5174" + "2a07:a8c1::d6:5174" + ]; + localise-queries = true; + min-cache-ttl = 120; + max-cache-ttl = 2400; + domain = [ + "runas.rocks" + "giugl.io" + "devs.runas.rocks" + "devs.giugl.io" + ]; }; }; }; diff --git a/hosts/architect/gitea.nix b/hosts/architect/gitea.nix index 49dd14a..58b0474 100644 --- a/hosts/architect/gitea.nix +++ b/hosts/architect/gitea.nix @@ -12,11 +12,11 @@ in services.gitea = { enable = true; database.type = "sqlite3"; - domain = domain; appName = "Gitea"; - rootUrl = "https://${domain}"; settings = { server = { + DOMAIN = domain; + ROOT_URL = "https://${domain}"; LFS_START_SERVER = true; SSH_PORT = 22; }; diff --git a/hosts/architect/headscale.nix b/hosts/architect/headscale.nix index 7afa411..1fe0f3b 100644 --- a/hosts/architect/headscale.nix +++ b/hosts/architect/headscale.nix 
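Review bot: In the dns.nix hunk the dnscrypt-proxy2 / AdGuard chain is replaced by four direct `server` entries, so dnsmasq now forwards every query in plaintext over UDP/53 to those resolvers; dnsmasq has no DoH, DoT or DNSCrypt support, so the encrypted transport and the `require_nolog` / `require_nofilter` server selection the removed block enforced are gone, and nothing in the new file says which provider these addresses belong to or why. If that trade-off is intended, a one-line comment above `server = [` naming the provider and noting that queries are now unencrypted would save the next reader a lookup (the 45.90.28.x / 45.90.30.x and 2a07:a8c0:: / 2a07:a8c1:: ranges look like a hosted filtering resolver, but the file does not say so). If it is not, keep a local encrypted stub (dnscrypt-proxy2, or systemd-resolved with DNS-over-TLS) as the single upstream, e.g. `server = [ "127.0.0.1#5353" ];`, and point that stub at the provider.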
@@ -13,12 +13,13 @@ in services = { headscale = { enable = true; - package = pkgs.unstablePkgs.headscale; + package = pkgs.headscale; port = 1194; address = "0.0.0.0"; - serverUrl = "https://${domain}"; - logLevel = "debug"; + settings = { + server_url = "https://${domain}"; + log.level = "debug"; dns_config = { magic_dns = true; base_domain = "giugl.io"; diff --git a/hosts/architect/nginx.nix b/hosts/architect/nginx.nix index d1d2e2c..3a44116 100644 --- a/hosts/architect/nginx.nix +++ b/hosts/architect/nginx.nix 
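Review bot: `log.level = "debug"` is carried unchanged into the new `settings` block on a headscale instance bound to `address = "0.0.0.0"`; debug output is a troubleshooting setting, considerably chattier than the default, and nothing in the hunk records why it is needed, so it is easy to leave on indefinitely. Either drop it to `log.level = "info";` as part of this move or add a short comment saying what it is being used to diagnose. The `settings` attribute set opened here closes outside the hunk.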
@@ -32,59 +32,59 @@ }; }; - appendHttpConfig = - let - extraPureLuaPackages = with pkgs.luajitPackages; [ - lua-resty-openidc - lua-resty-http - lua-resty-session - lua-resty-jwt - lua-resty-openssl - ]; - luaPath = pkg: "${pkg}/share/lua/5.1/?.lua"; - makeLuaPath = lib.concatMapStringsSep ";" luaPath; - in - '' - # https://stackoverflow.com/questions/38931468/nginx-reverse-proxy-error14077438ssl-ssl-do-handshake-failed - proxy_ssl_server_name on; + # appendHttpConfig = + # let + # extraPureLuaPackages = with pkgs.luajitPackages; [ + # lua-resty-openidc + # lua-resty-http + # lua-resty-session + # lua-resty-jwt + # lua-resty-openssl + # ]; + # luaPath = pkg: "${pkg}/share/lua/5.1/?.lua"; + # makeLuaPath = lib.concatMapStringsSep ";" luaPath; + # in + # '' + # # https://stackoverflow.com/questions/38931468/nginx-reverse-proxy-error14077438ssl-ssl-do-handshake-failed + # proxy_ssl_server_name on; - lua_package_path '${makeLuaPath extraPureLuaPackages};;'; - lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; - lua_ssl_verify_depth 5; + # lua_package_path '${makeLuaPath extraPureLuaPackages};;'; + # lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; + # lua_ssl_verify_depth 5; - # cache for OIDC discovery metadata - lua_shared_dict discovery 1m; - lua_shared_dict jwks 1m; + # # cache for OIDC discovery metadata + # lua_shared_dict discovery 1m; + # lua_shared_dict jwks 1m; - # https://github.com/openresty/lua-resty-redis/issues/159 - resolver local=on ipv6=off; + # # https://github.com/openresty/lua-resty-redis/issues/159 + # resolver local=on ipv6=off; - init_worker_by_lua_block { - function check_role (res, role) - if res.user.roles == nil then - return false - end + # init_worker_by_lua_block { + # function check_role (res, role) + # if res.user.roles == nil then + # return false + # end - for _,v in pairs(res.user.roles) do - if string.lower(v) == role then - return true - end - end + # for _,v in pairs(res.user.roles) do + # if 
string.lower(v) == role then + # return true + # end + # end - return false - end + # return false + # end - function is_ip_whitelisted(ip, whitelist) - for _, x in ipairs(whitelist) do - if ip == x then - return true - end - end + # function is_ip_whitelisted(ip, whitelist) + # for _, x in ipairs(whitelist) do + # if ip == x then + # return true + # end + # end - return false - end - } - ''; + # return false + # end + # } + # ''; appendConfig = '' worker_processes 24; diff --git a/hosts/architect/openid.nix b/hosts/architect/openid.nix index cd2fd31..4c6326b 100644 --- a/hosts/architect/openid.nix +++ b/hosts/architect/openid.nix 
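Review bot: Commenting out the whole `appendHttpConfig` removes more than the Lua/OIDC glue: `proxy_ssl_server_name on;`, which the retained stackoverflow link explains is needed for `proxy_pass https://` upstreams that require SNI, and the `lua_ssl_trusted_certificate` / `lua_ssl_verify_depth` pins go with it. If any virtual host in the rest of this file still proxies to an HTTPS upstream, keep a minimal `appendHttpConfig = '' proxy_ssl_server_name on; '';` so those handshakes do not regress. Leaving roughly fifty lines of commented-out Nix in place is also a readability cost that git history already covers; deleting it, or gating it behind a boolean with `lib.optionalString`, would be cleaner. The enclosing `services.nginx` attribute set starts before this hunk.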
@@ -3,46 +3,48 @@ { openresty_oidc_block = { access_role ? "", whitelisted_ips ? [ ] }: '' - access_by_lua_block { - local opts = { - discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration", - client_id = "nginx", - client_secret = "9C6BYxPhTbrRS4DIwd3Smk7e11ABmnt8", - logout_path = "/logout", - redirect_after_logout_uri = "/", - redirect_uri = "/redirect_uri", - keepalive = "yes", - accept_none_alg = true, - revoke_tokens_on_logout = true, - -- access token valid for a day - access_token_expires_in = 86400 - } - - ${lib.optionalString (whitelisted_ips != []) '' - local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}} - - if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then - return - end - ''} - - -- call introspect for OAuth 2.0 Bearer Access Token validation - local res, err = require("resty.openidc").authenticate(opts) - - if err then - ngx.status = 403 - ngx.say(err) - ngx.exit(ngx.HTTP_FORBIDDEN) - end - - ${lib.optionalString (access_role != "") '' - if not check_role(res, "${access_role}") then - ngx.status = 401 - ngx.header.content_type = 'text/html'; - ngx.say("You are not authorized to access this page. 
Please contact Er Pepotto.") - ngx.exit(ngx.HTTP_UNAUTHORIZED) - end - ''} - } + ''; + # access_by_lua_block { + # local opts = { + # discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration", + # client_id = "nginx", + # client_secret = "9C6BYxPhTbrRS4DIwd3Smk7e11ABmnt8", + # logout_path = "/logout", + # redirect_after_logout_uri = "/", + # redirect_uri = "/redirect_uri", + # keepalive = "yes", + # accept_none_alg = true, + # revoke_tokens_on_logout = true, + # -- access token valid for a day + # access_token_expires_in = 86400 + # } + + # ${lib.optionalString (whitelisted_ips != []) '' + # local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}} + + # if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then + # return + # end + # ''} + + # -- call introspect for OAuth 2.0 Bearer Access Token validation + # local res, err = require("resty.openidc").authenticate(opts) + + # if err then + # ngx.status = 403 + # ngx.say(err) + # ngx.exit(ngx.HTTP_FORBIDDEN) + # end + + # ${lib.optionalString (access_role != "") '' + # if not check_role(res, "${access_role}") then + # ngx.status = 401 + # ngx.header.content_type = 'text/html'; + # ngx.say("You are not authorized to access this page. Please contact Er Pepotto.") + # ngx.exit(ngx.HTTP_UNAUTHORIZED) + # end + # ''} + # } + # ''; } diff --git a/hosts/architect/tailscale.nix b/hosts/architect/tailscale.nix index 014aad0..77692ad 100644 --- a/hosts/architect/tailscale.nix +++ b/hosts/architect/tailscale.nix @@ -21,6 +21,7 @@ in tommy = { address = "100.64.0.7"; hostname = "tommy.${domain}"; }; ucsb-workstation = { address = "100.64.0.8"; hostname = "ucsb-workstation.${domain}"; }; alfredo = { address = "100.64.0.9"; hostname = "alfredo.${domain}"; }; + parallels = { address = "100.64.0.3"; hostname = "parallels.${domain}"; }; }; }; }; 
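Review bot: `openresty_oidc_block` now returns an empty string for every `access_role` / `whitelisted_ips` combination, so any virtual host that still wraps a location with it silently loses its OIDC authentication, role check and IP allow-list instead of failing to evaluate; if the Lua stack is being retired, make the body `throw "openresty_oidc_block: OIDC auth is disabled"` (or at least `lib.warn`) so every remaining caller is found and removed deliberately, and drop the two unused parameters once none are left. Separately, the commented-out body still carries the literal `client_secret` for the `nginx` Keycloak client; it is in repository history either way, so it should be rotated in the IdP, and whenever this block is revived the secret should be read from a file outside the Nix store rather than interpolated into nginx.conf. The retained code also sets `accept_none_alg = true`, which lets lua-resty-openidc accept `alg=none` (unsigned) ID tokens and is documented as test-only; if it is uncommented it must be `false`.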
@@ -29,7 +30,7 @@ in tailscale = { enable = true; interfaceName = config.architect.networks.tailscale.interface; - package = pkgs.unstablePkgs.tailscale; + package = pkgs.tailscale; }; }; diff --git a/lib/host.nix b/lib/host.nix index a6f5105..7ec6ed9 100644 --- a/lib/host.nix +++ b/lib/host.nix @@ -38,10 +38,7 @@ useGlobalPkgs = true; }; - system.stateVersion = "22.11"; - - environment.shells = [ pkgs.zsh ]; - users.defaultUserShell = pkgs.zsh; + system.stateVersion = "23.05"; } home-manager.nixosModules.home-manager diff --git a/roles/common.nix b/roles/common.nix index ccfe52a..1987fad 100644 --- a/roles/common.nix +++ b/roles/common.nix @@ -1,7 +1,9 @@ { config, pkgs, lib, ... }: { - boot.tmpOnTmpfs = true; + boot.tmp = { + useTmpfs = true; + }; console = { keyMap = "us"; @@ -41,7 +43,6 @@ glances tcpdump restic - neovim tmux parted unzip @@ -50,5 +51,6 @@ nmap ripgrep jq + helix ]; } diff --git a/roles/home/common.nix b/roles/home/common.nix index 8b5128d..e65c744 100644 --- a/roles/home/common.nix +++ b/roles/home/common.nix @@ -14,6 +14,6 @@ ] ++ lib.optional (!stdenv.isDarwin) pastebinit; - stateVersion = "22.11"; + stateVersion = "23.05"; }; } diff --git a/roles/home/helix.nix b/roles/home/helix.nix index b305f77..cb90d35 100644 --- a/roles/home/helix.nix +++ b/roles/home/helix.nix @@ -118,7 +118,7 @@ nodePackages.vscode-langservers-extracted nodePackages.typescript nodePackages.svelte-language-server - swiProlog +# swiProlog nixpkgs-fmt ]; };
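Review bot: In the lib/host.nix hunk, `environment.shells = [ pkgs.zsh ]` and `users.defaultUserShell = pkgs.zsh` are deleted together with the `system.stateVersion` bump; that is a behaviour change unrelated to the 23.05 move — users without an explicit `shell` fall back to the NixOS default and zsh is no longer listed as a permitted login shell — and the commit subject does not mention it. If those two lines moved to another module that is fine, otherwise they probably belong back, or the subject line should say the default shell changed. Note also that `system.stateVersion` is the one value NixOS asks you not to change on an existing host; bumping it to `"23.05"` is only right if the stateful services' defaults that key off it were checked.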