peperunas/nixos
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Initial move to 23.05

Browse Source
This commit is contained in:
Giulio De Pasquale 2023-05-28 00:16:46 +02:00
parent 84df2e348d
commit 08c898ed46
13 changed files with 140 additions and 173 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
flake.lock generated
View File

@ -4,20 +4,19 @@
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ]
"utils": "utils"
}, },
"locked": { "locked": {
"lastModified": 1681092193, "lastModified": 1685189510,
"narHash": "sha256-JerCqqOqbT2tBnXQW4EqwFl0hHnuZp21rIQ6lu/N4rI=", "narHash": "sha256-Hq5WF7zIixojPgvhgcd6MBvywwycVZ9wpK/8ogOyoaA=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "f9edbedaf015013eb35f8caacbe0c9666bbc16af", "rev": "2d963854ae2499193c0c72fd67435fee34d3e4fd",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "nix-community",
"ref": "release-22.11", "ref": "master",
"repo": "home-manager", "repo": "home-manager",
"type": "github" "type": "github"
} }
@ -40,16 +39,16 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1683928319, "lastModified": 1685004253,
"narHash": "sha256-maz0DRKixJVcNRMiAMWlJniiF8IuQ+WbfmlJJ8D+jfM=", "narHash": "sha256-AbVL1nN/TDicUQ5wXZ8xdLERxz/eJr7+o8lqkIOVuaE=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "9656e85a15a0fe67847ee8cdb99a20d8df499962", "rev": "3e01645c40b92d29f3ae76344a6d654986a91a91",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixos-22.11", "ref": "nixos-23.05",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@ -60,21 +59,6 @@
"nixos-unstable": "nixos-unstable", "nixos-unstable": "nixos-unstable",
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs"
} }
},
"utils": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",

4
flake.nix
View File

@ -1,9 +1,9 @@
{ {
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05";
nixos-unstable.url = "github:NixOS/nixpkgs/master"; nixos-unstable.url = "github:NixOS/nixpkgs/master";
home-manager = { home-manager = {
url = "github:nix-community/home-manager/release-22.11"; url = "github:nix-community/home-manager/master";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
}; };

14
hosts/architect/default.nix
View File

@ -88,6 +88,8 @@ in
"memmap=32M$0x4ca6f9478" "memmap=32M$0x4ca6f9478"
]; ];
kernelPackages = pkgs.linuxPackages;
kernel.sysctl = { "net.ipv4.ip_forward" = 1; }; kernel.sysctl = { "net.ipv4.ip_forward" = 1; };
loader = { loader = {
@ -100,7 +102,7 @@ in
supportedFilesystems = [ "zfs" ]; supportedFilesystems = [ "zfs" ];
zfs.requestEncryptionCredentials = true; zfs.requestEncryptionCredentials = true;
tmpOnTmpfsSize = "50%"; tmp.tmpfsSize = "50%";
}; };
networking = with config.architect.networks.lan; { networking = with config.architect.networks.lan; {
@ -151,8 +153,12 @@ in
xserver.videoDrivers = [ "nvidia" ]; xserver.videoDrivers = [ "nvidia" ];
openssh = { openssh = {
enable = true; enable = true;
passwordAuthentication = false;
kbdInteractiveAuthentication = false; settings = {
passwordAuthentication = false;
kbdInteractiveAuthentication = false;
};
extraConfig = '' extraConfig = ''
MaxAuthTries 15 MaxAuthTries 15
''; '';
@ -162,7 +168,7 @@ in
environment = { environment = {
variables = { LIBVA_DRIVER_NAME = "vdpau"; }; variables = { LIBVA_DRIVER_NAME = "vdpau"; };
systemPackages = with pkgs; [ cachix ]; systemPackages = with pkgs; [ cachix linuxPackages.usbip ];
}; };
} }

56
hosts/architect/dns.nix
View File

@ -1,53 +1,27 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let
adguard_webui_port = 3031;
adguard_dns_port = "5300";
dnscrypt_listen_port = "5353";
in
{ {
architect.firewall.openUDPVPN = [ 53 ]; architect.firewall.openUDPVPN = [ 53 ];
services = { services = {
dnsmasq = { dnsmasq = {
enable = true;
# adguard port
servers = [ "127.0.0.1#${adguard_dns_port}" ];
extraConfig = ''
localise-queries
min-cache-ttl=120
max-cache-ttl=2400
domain=runas.rocks
domain=giugl.io
domain=devs.runas.rocks
domain=devs.giugl.io
'';
};
adguardhome = {
enable = true;
port = adguard_webui_port;
};
dnscrypt-proxy2 = {
enable = true; enable = true;
settings = { settings = {
listen_addresses = [ "127.0.0.1:${dnscrypt_listen_port}" ]; server = [
ipv4_servers = true; "45.90.28.77"
ipv6_servers = false; "45.90.30.77"
block_ipv6 = true; "2a07:a8c0::d6:5174"
dnscrypt_servers = true; "2a07:a8c1::d6:5174"
doh_servers = true; ];
require_nolog = true; localise-queries = true;
require_nofilter = true; min-cache-ttl = 120;
timeout = 350; max-cache-ttl = 2400;
lb_strategy = "p4"; domain = [
lb_estimator = true; "runas.rocks"
ignore_system_dns = true; "giugl.io"
fallback_resolvers = [ "1.1.1.1:53" "9.9.9.9:53" ]; "devs.runas.rocks"
cache_min_ttl = 450; "devs.giugl.io"
cache_max_ttl = 2400; ];
}; };
}; };
}; };

4
hosts/architect/gitea.nix
View File

@ -12,11 +12,11 @@ in
services.gitea = { services.gitea = {
enable = true; enable = true;
database.type = "sqlite3"; database.type = "sqlite3";
domain = domain;
appName = "Gitea"; appName = "Gitea";
rootUrl = "https://${domain}";
settings = { settings = {
server = { server = {
DOMAIN = domain;
ROOT_URL = "https://${domain}";
LFS_START_SERVER = true; LFS_START_SERVER = true;
SSH_PORT = 22; SSH_PORT = 22;
}; };

7
hosts/architect/headscale.nix
View File

@ -13,12 +13,13 @@ in
services = { services = {
headscale = { headscale = {
enable = true; enable = true;
package = pkgs.unstablePkgs.headscale; package = pkgs.headscale;
port = 1194; port = 1194;
address = "0.0.0.0"; address = "0.0.0.0";
serverUrl = "https://${domain}";
logLevel = "debug";
settings = { settings = {
server_url = "https://${domain}";
log.level = "debug";
dns_config = { dns_config = {
magic_dns = true; magic_dns = true;
base_domain = "giugl.io"; base_domain = "giugl.io";

90
hosts/architect/nginx.nix
View File

@ -32,59 +32,59 @@
}; };
}; };
appendHttpConfig = # appendHttpConfig =
let # let
extraPureLuaPackages = with pkgs.luajitPackages; [ # extraPureLuaPackages = with pkgs.luajitPackages; [
lua-resty-openidc # lua-resty-openidc
lua-resty-http # lua-resty-http
lua-resty-session # lua-resty-session
lua-resty-jwt # lua-resty-jwt
lua-resty-openssl # lua-resty-openssl
]; # ];
luaPath = pkg: "${pkg}/share/lua/5.1/?.lua"; # luaPath = pkg: "${pkg}/share/lua/5.1/?.lua";
makeLuaPath = lib.concatMapStringsSep ";" luaPath; # makeLuaPath = lib.concatMapStringsSep ";" luaPath;
in # in
'' # ''
# https://stackoverflow.com/questions/38931468/nginx-reverse-proxy-error14077438ssl-ssl-do-handshake-failed # # https://stackoverflow.com/questions/38931468/nginx-reverse-proxy-error14077438ssl-ssl-do-handshake-failed
proxy_ssl_server_name on; # proxy_ssl_server_name on;
lua_package_path '${makeLuaPath extraPureLuaPackages};;'; # lua_package_path '${makeLuaPath extraPureLuaPackages};;';
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; # lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
lua_ssl_verify_depth 5; # lua_ssl_verify_depth 5;
# cache for OIDC discovery metadata # # cache for OIDC discovery metadata
lua_shared_dict discovery 1m; # lua_shared_dict discovery 1m;
lua_shared_dict jwks 1m; # lua_shared_dict jwks 1m;
# https://github.com/openresty/lua-resty-redis/issues/159 # # https://github.com/openresty/lua-resty-redis/issues/159
resolver local=on ipv6=off; # resolver local=on ipv6=off;
init_worker_by_lua_block { # init_worker_by_lua_block {
function check_role (res, role) # function check_role (res, role)
if res.user.roles == nil then # if res.user.roles == nil then
return false # return false
end # end
for _,v in pairs(res.user.roles) do # for _,v in pairs(res.user.roles) do
if string.lower(v) == role then # if string.lower(v) == role then
return true # return true
end # end
end # end
return false # return false
end # end
function is_ip_whitelisted(ip, whitelist) # function is_ip_whitelisted(ip, whitelist)
for _, x in ipairs(whitelist) do # for _, x in ipairs(whitelist) do
if ip == x then # if ip == x then
return true # return true
end # end
end # end
return false # return false
end # end
} # }
''; # '';
appendConfig = '' appendConfig = ''
worker_processes 24; worker_processes 24;

82
hosts/architect/openid.nix
View File

@ -3,46 +3,48 @@
{ {
openresty_oidc_block = openresty_oidc_block =
{ access_role ? "", whitelisted_ips ? [ ] }: '' { access_role ? "", whitelisted_ips ? [ ] }: ''
access_by_lua_block {
local opts = {
discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",
client_id = "nginx",
client_secret = "9C6BYxPhTbrRS4DIwd3Smk7e11ABmnt8",
logout_path = "/logout",
redirect_after_logout_uri = "/",
redirect_uri = "/redirect_uri",
keepalive = "yes",
accept_none_alg = true,
revoke_tokens_on_logout = true,
-- access token valid for a day
access_token_expires_in = 86400
}
${lib.optionalString (whitelisted_ips != []) ''
local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}}
if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then
return
end
''}
-- call introspect for OAuth 2.0 Bearer Access Token validation
local res, err = require("resty.openidc").authenticate(opts)
if err then
ngx.status = 403
ngx.say(err)
ngx.exit(ngx.HTTP_FORBIDDEN)
end
${lib.optionalString (access_role != "") ''
if not check_role(res, "${access_role}") then
ngx.status = 401
ngx.header.content_type = 'text/html';
ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
ngx.exit(ngx.HTTP_UNAUTHORIZED)
end
''}
}
''; '';
# access_by_lua_block {
# local opts = {
# discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",
# client_id = "nginx",
# client_secret = "9C6BYxPhTbrRS4DIwd3Smk7e11ABmnt8",
# logout_path = "/logout",
# redirect_after_logout_uri = "/",
# redirect_uri = "/redirect_uri",
# keepalive = "yes",
# accept_none_alg = true,
# revoke_tokens_on_logout = true,
# -- access token valid for a day
# access_token_expires_in = 86400
# }
# ${lib.optionalString (whitelisted_ips != []) ''
# local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}}
# if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then
# return
# end
# ''}
# -- call introspect for OAuth 2.0 Bearer Access Token validation
# local res, err = require("resty.openidc").authenticate(opts)
# if err then
# ngx.status = 403
# ngx.say(err)
# ngx.exit(ngx.HTTP_FORBIDDEN)
# end
# ${lib.optionalString (access_role != "") ''
# if not check_role(res, "${access_role}") then
# ngx.status = 401
# ngx.header.content_type = 'text/html';
# ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
# ngx.exit(ngx.HTTP_UNAUTHORIZED)
# end
# ''}
# }
# '';
} }

3
hosts/architect/tailscale.nix
View File

@ -21,6 +21,7 @@ in
tommy = { address = "100.64.0.7"; hostname = "tommy.${domain}"; }; tommy = { address = "100.64.0.7"; hostname = "tommy.${domain}"; };
ucsb-workstation = { address = "100.64.0.8"; hostname = "ucsb-workstation.${domain}"; }; ucsb-workstation = { address = "100.64.0.8"; hostname = "ucsb-workstation.${domain}"; };
alfredo = { address = "100.64.0.9"; hostname = "alfredo.${domain}"; }; alfredo = { address = "100.64.0.9"; hostname = "alfredo.${domain}"; };
parallels = { address = "100.64.0.3"; hostname = "parallels.${domain}"; };
}; };
}; };
}; };
@ -29,7 +30,7 @@ in
tailscale = { tailscale = {
enable = true; enable = true;
interfaceName = config.architect.networks.tailscale.interface; interfaceName = config.architect.networks.tailscale.interface;
package = pkgs.unstablePkgs.tailscale; package = pkgs.tailscale;
}; };
}; };

5
lib/host.nix
View File

@ -38,10 +38,7 @@
useGlobalPkgs = true; useGlobalPkgs = true;
}; };
system.stateVersion = "22.11"; system.stateVersion = "23.05";
environment.shells = [ pkgs.zsh ];
users.defaultUserShell = pkgs.zsh;
} }
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager

6
roles/common.nix
View File

@ -1,7 +1,9 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
{ {
boot.tmpOnTmpfs = true; boot.tmp = {
useTmpfs = true;
};
console = { console = {
keyMap = "us"; keyMap = "us";
@ -41,7 +43,6 @@
glances glances
tcpdump tcpdump
restic restic
neovim
tmux tmux
parted parted
unzip unzip
@ -50,5 +51,6 @@
nmap nmap
ripgrep ripgrep
jq jq
helix
]; ];
} }

2
roles/home/common.nix
View File

@ -14,6 +14,6 @@
] ]
++ lib.optional (!stdenv.isDarwin) pastebinit; ++ lib.optional (!stdenv.isDarwin) pastebinit;
stateVersion = "22.11"; stateVersion = "23.05";
}; };
} }

2
roles/home/helix.nix
View File

@ -118,7 +118,7 @@
nodePackages.vscode-langservers-extracted nodePackages.vscode-langservers-extracted
nodePackages.typescript nodePackages.typescript
nodePackages.svelte-language-server nodePackages.svelte-language-server
swiProlog # swiProlog
nixpkgs-fmt nixpkgs-fmt
]; ];
}; };