Initial move to 23.05

2023-05-28 00:16:46 +02:00 · 2023-05-28 00:16:46 +02:00 · 08c898ed46
commit 08c898ed46
parent 84df2e348d
13 changed files with 140 additions and 173 deletions
--- a/flake.lock
+++ b/flake.lock
@ -4,20 +4,19 @@
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
-        ],
+        ]
        "utils": "utils"
      },
      "locked": {
-        "lastModified": 1681092193,
+        "lastModified": 1685189510,
-        "narHash": "sha256-JerCqqOqbT2tBnXQW4EqwFl0hHnuZp21rIQ6lu/N4rI=",
+        "narHash": "sha256-Hq5WF7zIixojPgvhgcd6MBvywwycVZ9wpK/8ogOyoaA=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "f9edbedaf015013eb35f8caacbe0c9666bbc16af",
+        "rev": "2d963854ae2499193c0c72fd67435fee34d3e4fd",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
-        "ref": "release-22.11",
+        "ref": "master",
        "repo": "home-manager",
        "type": "github"
      }
@ -40,16 +39,16 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1683928319,
+        "lastModified": 1685004253,
-        "narHash": "sha256-maz0DRKixJVcNRMiAMWlJniiF8IuQ+WbfmlJJ8D+jfM=",
+        "narHash": "sha256-AbVL1nN/TDicUQ5wXZ8xdLERxz/eJr7+o8lqkIOVuaE=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "9656e85a15a0fe67847ee8cdb99a20d8df499962",
+        "rev": "3e01645c40b92d29f3ae76344a6d654986a91a91",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-22.11",
+        "ref": "nixos-23.05",
        "repo": "nixpkgs",
        "type": "github"
      }
@ -60,21 +59,6 @@
        "nixos-unstable": "nixos-unstable",
        "nixpkgs": "nixpkgs"
      }
    },
    "utils": {
      "locked": {
        "lastModified": 1667395993,
        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@ -1,9 +1,9 @@
 {
  inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05";
    nixos-unstable.url = "github:NixOS/nixpkgs/master";
    home-manager = {
-      url = "github:nix-community/home-manager/release-22.11";
+      url = "github:nix-community/home-manager/master";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
--- a/hosts/architect/default.nix
+++ b/hosts/architect/default.nix
@ -5,7 +5,7 @@ let
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1we38/N+t8Ah5yrLof8QUwhrob7/VXFKIddaJeOVBLuDVnW7ljiAtdtEiL69D/DV4Ohmt5wMvkAAjfuHmim6FD9A6lzPbSU4KH9W2dcckszKbbI636kuDwem/xui6BW3wJa6P+0xW5ksygEAkzcK2PXuC2b4B9uwhuUdKahiGMKDxISG/WianqAe72cGMfNkYvion3Y1VsMLUdm48d2ABnxNpr7NI9B5iJ8dziOft9gpgfz13CCQRlReo75gk/4xI+vSNrQp7eR+wzJy2/dZg/T8jtyA9Q6jVxrxBpqQ1LNXkAKaJkGo9OabF6Wgpzp+YTAurL4nwR2NaJxwFuyoKvACQy0ai4jrS3206gC6JXZv8ktZMZrwUN+jPqCwfgh5qObFkAqKCxbp52ioDek2MQLdOvzQBX//DBhGEp5rzHGLZ3vhRIiiQiaof5sF5zWiYDW5mqezSPNxJPX/BrTP/Wbs/jpwTLBh3wytiia0S1WXQmya89bqzTPFiDWvTRA62EVKB/JaQtPQQOFAxWwg799DMycPeZ81xttZOyMtI/MZSddyqx2S8fWGwvToZQvuZ38mSIpFseLM1IkgabRIrAmat5SBNGGy9Dqa0eMEa7bwIY/4CMB1y6HMTnaoMXA6cnQfHMoB/zyTZ6oTXIeqeOyiZsK+RN0Mvahj8mXi7dw== giulio@giulio-X230"
  ];
  domain = "devs.giugl.io";
-  
+
  utilities = import ./utilities.nix { inherit lib config; };
  inherit (utilities) generateDeviceStrings;
 in
@ -88,6 +88,8 @@ in
      "memmap=32M$0x4ca6f9478"
    ];
    kernelPackages = pkgs.linuxPackages;
    kernel.sysctl = { "net.ipv4.ip_forward" = 1; };
    loader = {
@ -100,7 +102,7 @@ in
    supportedFilesystems = [ "zfs" ];
    zfs.requestEncryptionCredentials = true;
-    tmpOnTmpfsSize = "50%";
+    tmp.tmpfsSize = "50%";
  };
  networking = with config.architect.networks.lan; {
@ -151,8 +153,12 @@ in
    xserver.videoDrivers = [ "nvidia" ];
    openssh = {
      enable = true;
-      passwordAuthentication = false;
+
-      kbdInteractiveAuthentication = false;
+      settings = {
        passwordAuthentication = false;
        kbdInteractiveAuthentication = false;
      };
      extraConfig = ''
        MaxAuthTries 15
      '';
@ -162,7 +168,7 @@ in
  environment = {
    variables = { LIBVA_DRIVER_NAME = "vdpau"; };
-    systemPackages = with pkgs; [ cachix ];
+    systemPackages = with pkgs; [ cachix linuxPackages.usbip ];
  };
 }
--- a/hosts/architect/dns.nix
+++ b/hosts/architect/dns.nix
@ -1,53 +1,27 @@
 { config, pkgs, lib, ... }:
 let
  adguard_webui_port = 3031;
  adguard_dns_port = "5300";
  dnscrypt_listen_port = "5353";
 in
 {
  architect.firewall.openUDPVPN = [ 53 ];
  services = {
    dnsmasq = {
      enable = true;
      # adguard port
      servers = [ "127.0.0.1#${adguard_dns_port}" ];
      extraConfig = ''
        localise-queries
        min-cache-ttl=120
        max-cache-ttl=2400
        domain=runas.rocks
        domain=giugl.io
        domain=devs.runas.rocks
        domain=devs.giugl.io
      '';
    };
    adguardhome = {
      enable = true;
      port = adguard_webui_port;
    };
    dnscrypt-proxy2 = {
      enable = true;
      settings = {
-        listen_addresses = [ "127.0.0.1:${dnscrypt_listen_port}" ];
+        server = [
-        ipv4_servers = true;
+          "45.90.28.77"
-        ipv6_servers = false;
+          "45.90.30.77"
-        block_ipv6 = true;
+          "2a07:a8c0::d6:5174"
-        dnscrypt_servers = true;
+          "2a07:a8c1::d6:5174"
-        doh_servers = true;
+        ];
-        require_nolog = true;
+        localise-queries = true;
-        require_nofilter = true;
+        min-cache-ttl = 120;
-        timeout = 350;
+        max-cache-ttl = 2400;
-        lb_strategy = "p4";
+        domain = [
-        lb_estimator = true;
+          "runas.rocks"
-        ignore_system_dns = true;
+          "giugl.io"
-        fallback_resolvers = [ "1.1.1.1:53" "9.9.9.9:53" ];
+          "devs.runas.rocks"
-        cache_min_ttl = 450;
+          "devs.giugl.io"
-        cache_max_ttl = 2400;
+        ];
      };
    };
  };
--- a/hosts/architect/gitea.nix
+++ b/hosts/architect/gitea.nix
@ -12,11 +12,11 @@ in
  services.gitea = {
    enable = true;
    database.type = "sqlite3";
    domain = domain;
    appName = "Gitea";
    rootUrl = "https://${domain}";
    settings = {
      server = {
        DOMAIN = domain;
        ROOT_URL = "https://${domain}";
        LFS_START_SERVER = true;
        SSH_PORT = 22;
      };
--- a/hosts/architect/headscale.nix
+++ b/hosts/architect/headscale.nix
@ -13,12 +13,13 @@ in
  services = {
    headscale = {
      enable = true;
-      package = pkgs.unstablePkgs.headscale;
+      package = pkgs.headscale;
      port = 1194;
      address = "0.0.0.0";
-      serverUrl = "https://${domain}";
+
      logLevel = "debug";
      settings = {
        server_url = "https://${domain}";
        log.level = "debug";
        dns_config = {
          magic_dns = true;
          base_domain = "giugl.io";
--- a/hosts/architect/nginx.nix
+++ b/hosts/architect/nginx.nix
@ -32,59 +32,59 @@
      };
    };
-    appendHttpConfig =
+    # appendHttpConfig =
-      let
+    #   let
-        extraPureLuaPackages = with pkgs.luajitPackages; [
+    #     extraPureLuaPackages = with pkgs.luajitPackages; [
-          lua-resty-openidc
+    #       lua-resty-openidc
-          lua-resty-http
+    #       lua-resty-http
-          lua-resty-session
+    #       lua-resty-session
-          lua-resty-jwt
+    #       lua-resty-jwt
-          lua-resty-openssl
+    #       lua-resty-openssl
-        ];
+    #     ];
-        luaPath = pkg: "${pkg}/share/lua/5.1/?.lua";
+    #     luaPath = pkg: "${pkg}/share/lua/5.1/?.lua";
-        makeLuaPath = lib.concatMapStringsSep ";" luaPath;
+    #     makeLuaPath = lib.concatMapStringsSep ";" luaPath;
-      in
+    #   in
-      ''
+    #   ''
-        # https://stackoverflow.com/questions/38931468/nginx-reverse-proxy-error14077438ssl-ssl-do-handshake-failed
+    #     # https://stackoverflow.com/questions/38931468/nginx-reverse-proxy-error14077438ssl-ssl-do-handshake-failed
-        proxy_ssl_server_name on;
+    #     proxy_ssl_server_name on;
-        lua_package_path '${makeLuaPath extraPureLuaPackages};;';
+    #     lua_package_path '${makeLuaPath extraPureLuaPackages};;';
-        lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
+    #     lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
-        lua_ssl_verify_depth 5;
+    #     lua_ssl_verify_depth 5;
-        # cache for OIDC discovery metadata
+    #     # cache for OIDC discovery metadata
-        lua_shared_dict discovery 1m;
+    #     lua_shared_dict discovery 1m;
-        lua_shared_dict jwks 1m;
+    #     lua_shared_dict jwks 1m;
-        # https://github.com/openresty/lua-resty-redis/issues/159
+    #     # https://github.com/openresty/lua-resty-redis/issues/159
-        resolver local=on ipv6=off;
+    #     resolver local=on ipv6=off;
-        init_worker_by_lua_block {
+    #     init_worker_by_lua_block {
-          function check_role (res, role)
+    #       function check_role (res, role)
-            if res.user.roles == nil then
+    #         if res.user.roles == nil then
-              return false
+    #           return false
-            end
+    #         end
-            for _,v in pairs(res.user.roles) do
+    #         for _,v in pairs(res.user.roles) do
-              if string.lower(v) == role then
+    #           if string.lower(v) == role then
-                return true
+    #             return true
-              end
+    #           end
-            end
+    #         end
-            return false
+    #         return false
-          end
+    #       end
-          function is_ip_whitelisted(ip, whitelist)
+    #       function is_ip_whitelisted(ip, whitelist)
-            for _, x in ipairs(whitelist) do
+    #         for _, x in ipairs(whitelist) do
-              if ip == x then
+    #           if ip == x then
-                return true
+    #             return true
-              end
+    #           end
-            end
+    #         end
-            return false
+    #         return false
-          end
+    #       end
-        }
+    #     }
-      '';
+    #   '';
    appendConfig = ''
      worker_processes 24;
--- a/hosts/architect/openid.nix
+++ b/hosts/architect/openid.nix
@ -3,46 +3,48 @@
 {
  openresty_oidc_block =
    { access_role ? "", whitelisted_ips ? [ ] }: ''
-      access_by_lua_block {
+      
        local opts = {
          discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",
          client_id = "nginx",
          client_secret = "9C6BYxPhTbrRS4DIwd3Smk7e11ABmnt8",
          logout_path = "/logout",
          redirect_after_logout_uri = "/",
          redirect_uri = "/redirect_uri",
          keepalive = "yes",
          accept_none_alg = true,
          revoke_tokens_on_logout = true,
          -- access token valid for a day
          access_token_expires_in = 86400
        }
        ${lib.optionalString (whitelisted_ips != []) ''
          local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}}          
          if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then
            return
          end
        ''}
        -- call introspect for OAuth 2.0 Bearer Access Token validation
        local res, err = require("resty.openidc").authenticate(opts)
        if err then
          ngx.status = 403
          ngx.say(err)
          ngx.exit(ngx.HTTP_FORBIDDEN)
        end
        ${lib.optionalString (access_role != "") ''
          if not check_role(res, "${access_role}") then
            ngx.status = 401
            ngx.header.content_type = 'text/html';
            ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
            ngx.exit(ngx.HTTP_UNAUTHORIZED)
          end
        ''}
      }
    '';
    #   access_by_lua_block {
    #     local opts = {
    #       discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",
    #       client_id = "nginx",
    #       client_secret = "9C6BYxPhTbrRS4DIwd3Smk7e11ABmnt8",
    #       logout_path = "/logout",
    #       redirect_after_logout_uri = "/",
    #       redirect_uri = "/redirect_uri",
    #       keepalive = "yes",
    #       accept_none_alg = true,
    #       revoke_tokens_on_logout = true,
    #       -- access token valid for a day
    #       access_token_expires_in = 86400
    #     }
    #     ${lib.optionalString (whitelisted_ips != []) ''
    #       local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}}          
    #       if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then
    #         return
    #       end
    #     ''}
    #     -- call introspect for OAuth 2.0 Bearer Access Token validation
    #     local res, err = require("resty.openidc").authenticate(opts)
    #     if err then
    #       ngx.status = 403
    #       ngx.say(err)
    #       ngx.exit(ngx.HTTP_FORBIDDEN)
    #     end
    #     ${lib.optionalString (access_role != "") ''
    #       if not check_role(res, "${access_role}") then
    #         ngx.status = 401
    #         ngx.header.content_type = 'text/html';
    #         ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
    #         ngx.exit(ngx.HTTP_UNAUTHORIZED)
    #       end
    #     ''}
    #   }
    # '';
 }
--- a/hosts/architect/tailscale.nix
+++ b/hosts/architect/tailscale.nix
@ -21,6 +21,7 @@ in
        tommy = { address = "100.64.0.7"; hostname = "tommy.${domain}"; };
        ucsb-workstation = { address = "100.64.0.8"; hostname = "ucsb-workstation.${domain}"; };
        alfredo = { address = "100.64.0.9"; hostname = "alfredo.${domain}"; };
        parallels = { address = "100.64.0.3"; hostname = "parallels.${domain}"; };
      };
    };
  };
@ -29,7 +30,7 @@ in
    tailscale = {
      enable = true;
      interfaceName = config.architect.networks.tailscale.interface;
-      package = pkgs.unstablePkgs.tailscale;
+      package = pkgs.tailscale;
    };
  };
--- a/lib/host.nix
+++ b/lib/host.nix
@ -38,10 +38,7 @@
            useGlobalPkgs = true;
          };
-          system.stateVersion = "22.11";
+          system.stateVersion = "23.05";
          environment.shells = [ pkgs.zsh ];
          users.defaultUserShell = pkgs.zsh;
        }
        home-manager.nixosModules.home-manager
--- a/roles/common.nix
+++ b/roles/common.nix
@ -1,7 +1,9 @@
 { config, pkgs, lib, ... }:
 {
-  boot.tmpOnTmpfs = true;
+  boot.tmp = {
    useTmpfs = true;
  };
  console = {
    keyMap = "us";
@ -41,7 +43,6 @@
    glances
    tcpdump
    restic
    neovim
    tmux
    parted
    unzip
@ -50,5 +51,6 @@
    nmap
    ripgrep
    jq
    helix
  ];
 }
--- a/roles/home/common.nix
+++ b/roles/home/common.nix
@ -14,6 +14,6 @@
    ]
    ++ lib.optional (!stdenv.isDarwin) pastebinit;
-    stateVersion = "22.11";
+    stateVersion = "23.05";
  };
 }
--- a/roles/home/helix.nix
+++ b/roles/home/helix.nix
@ -118,7 +118,7 @@
      nodePackages.vscode-langservers-extracted
      nodePackages.typescript
      nodePackages.svelte-language-server
-      swiProlog
+#      swiProlog
      nixpkgs-fmt
    ];
  };