peperunas/nixos
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Initial move to 23.05

Browse Source
This commit is contained in:
Giulio De Pasquale 2023-05-28 00:16:46 +02:00
parent 84df2e348d
commit 08c898ed46
13 changed files with 140 additions and 173 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
flake.lock generated
View File

@ -4,20 +4,19 @@
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"utils": "utils"
]
},
"locked": {
"lastModified": 1681092193,
"narHash": "sha256-JerCqqOqbT2tBnXQW4EqwFl0hHnuZp21rIQ6lu/N4rI=",
"lastModified": 1685189510,
"narHash": "sha256-Hq5WF7zIixojPgvhgcd6MBvywwycVZ9wpK/8ogOyoaA=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "f9edbedaf015013eb35f8caacbe0c9666bbc16af",
"rev": "2d963854ae2499193c0c72fd67435fee34d3e4fd",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-22.11",
"ref": "master",
"repo": "home-manager",
"type": "github"
}
@ -40,16 +39,16 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1683928319,
"narHash": "sha256-maz0DRKixJVcNRMiAMWlJniiF8IuQ+WbfmlJJ8D+jfM=",
"lastModified": 1685004253,
"narHash": "sha256-AbVL1nN/TDicUQ5wXZ8xdLERxz/eJr7+o8lqkIOVuaE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "9656e85a15a0fe67847ee8cdb99a20d8df499962",
"rev": "3e01645c40b92d29f3ae76344a6d654986a91a91",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-22.11",
"ref": "nixos-23.05",
"repo": "nixpkgs",
"type": "github"
}
@ -60,21 +59,6 @@
"nixos-unstable": "nixos-unstable",
"nixpkgs": "nixpkgs"
}
},
"utils": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}
},
"root": "root",

4
flake.nix
View File

@ -1,9 +1,9 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05";
nixos-unstable.url = "github:NixOS/nixpkgs/master";
home-manager = {
url = "github:nix-community/home-manager/release-22.11";
url = "github:nix-community/home-manager/master";
inputs.nixpkgs.follows = "nixpkgs";
};
};

10
hosts/architect/default.nix
View File

@ -88,6 +88,8 @@ in
"memmap=32M$0x4ca6f9478"
];
kernelPackages = pkgs.linuxPackages;
kernel.sysctl = { "net.ipv4.ip_forward" = 1; };
loader = {
@ -100,7 +102,7 @@ in
supportedFilesystems = [ "zfs" ];
zfs.requestEncryptionCredentials = true;
tmpOnTmpfsSize = "50%";
tmp.tmpfsSize = "50%";
};
networking = with config.architect.networks.lan; {
@ -151,8 +153,12 @@ in
xserver.videoDrivers = [ "nvidia" ];
openssh = {
enable = true;
settings = {
passwordAuthentication = false;
kbdInteractiveAuthentication = false;
};
extraConfig = ''
MaxAuthTries 15
'';
@ -162,7 +168,7 @@ in
environment = {
variables = { LIBVA_DRIVER_NAME = "vdpau"; };
systemPackages = with pkgs; [ cachix ];
systemPackages = with pkgs; [ cachix linuxPackages.usbip ];
};
}

56
hosts/architect/dns.nix
View File

@ -1,53 +1,27 @@
{ config, pkgs, lib, ... }:
let
adguard_webui_port = 3031;
adguard_dns_port = "5300";
dnscrypt_listen_port = "5353";
in
{
architect.firewall.openUDPVPN = [ 53 ];
services = {
dnsmasq = {
enable = true;
# adguard port
servers = [ "127.0.0.1#${adguard_dns_port}" ];
extraConfig = ''
localise-queries
min-cache-ttl=120
max-cache-ttl=2400
domain=runas.rocks
domain=giugl.io
domain=devs.runas.rocks
domain=devs.giugl.io
'';
};
adguardhome = {
enable = true;
port = adguard_webui_port;
};
dnscrypt-proxy2 = {
enable = true;
settings = {
listen_addresses = [ "127.0.0.1:${dnscrypt_listen_port}" ];
ipv4_servers = true;
ipv6_servers = false;
block_ipv6 = true;
dnscrypt_servers = true;
doh_servers = true;
require_nolog = true;
require_nofilter = true;
timeout = 350;
lb_strategy = "p4";
lb_estimator = true;
ignore_system_dns = true;
fallback_resolvers = [ "1.1.1.1:53" "9.9.9.9:53" ];
cache_min_ttl = 450;
cache_max_ttl = 2400;
server = [
"45.90.28.77"
"45.90.30.77"
"2a07:a8c0::d6:5174"
"2a07:a8c1::d6:5174"
];
localise-queries = true;
min-cache-ttl = 120;
max-cache-ttl = 2400;
domain = [
"runas.rocks"
"giugl.io"
"devs.runas.rocks"
"devs.giugl.io"
];
};
};
};

4
hosts/architect/gitea.nix
View File

@ -12,11 +12,11 @@ in
services.gitea = {
enable = true;
database.type = "sqlite3";
domain = domain;
appName = "Gitea";
rootUrl = "https://${domain}";
settings = {
server = {
DOMAIN = domain;
ROOT_URL = "https://${domain}";
LFS_START_SERVER = true;
SSH_PORT = 22;
};

7
hosts/architect/headscale.nix
View File

@ -13,12 +13,13 @@ in
services = {
headscale = {
enable = true;
package = pkgs.unstablePkgs.headscale;
package = pkgs.headscale;
port = 1194;
address = "0.0.0.0";
serverUrl = "https://${domain}";
logLevel = "debug";
settings = {
server_url = "https://${domain}";
log.level = "debug";
dns_config = {
magic_dns = true;
base_domain = "giugl.io";

90
hosts/architect/nginx.nix
View File

@ -32,59 +32,59 @@
};
};
appendHttpConfig =
let
extraPureLuaPackages = with pkgs.luajitPackages; [
lua-resty-openidc
lua-resty-http
lua-resty-session
lua-resty-jwt
lua-resty-openssl
];
luaPath = pkg: "${pkg}/share/lua/5.1/?.lua";
makeLuaPath = lib.concatMapStringsSep ";" luaPath;
in
''
# https://stackoverflow.com/questions/38931468/nginx-reverse-proxy-error14077438ssl-ssl-do-handshake-failed
proxy_ssl_server_name on;
# appendHttpConfig =
# let
# extraPureLuaPackages = with pkgs.luajitPackages; [
# lua-resty-openidc
# lua-resty-http
# lua-resty-session
# lua-resty-jwt
# lua-resty-openssl
# ];
# luaPath = pkg: "${pkg}/share/lua/5.1/?.lua";
# makeLuaPath = lib.concatMapStringsSep ";" luaPath;
# in
# ''
# # https://stackoverflow.com/questions/38931468/nginx-reverse-proxy-error14077438ssl-ssl-do-handshake-failed
# proxy_ssl_server_name on;
lua_package_path '${makeLuaPath extraPureLuaPackages};;';
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
lua_ssl_verify_depth 5;
# lua_package_path '${makeLuaPath extraPureLuaPackages};;';
# lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
# lua_ssl_verify_depth 5;
# cache for OIDC discovery metadata
lua_shared_dict discovery 1m;
lua_shared_dict jwks 1m;
# # cache for OIDC discovery metadata
# lua_shared_dict discovery 1m;
# lua_shared_dict jwks 1m;
# https://github.com/openresty/lua-resty-redis/issues/159
resolver local=on ipv6=off;
# # https://github.com/openresty/lua-resty-redis/issues/159
# resolver local=on ipv6=off;
init_worker_by_lua_block {
function check_role (res, role)
if res.user.roles == nil then
return false
end
# init_worker_by_lua_block {
# function check_role (res, role)
# if res.user.roles == nil then
# return false
# end
for _,v in pairs(res.user.roles) do
if string.lower(v) == role then
return true
end
end
# for _,v in pairs(res.user.roles) do
# if string.lower(v) == role then
# return true
# end
# end
return false
end
# return false
# end
function is_ip_whitelisted(ip, whitelist)
for _, x in ipairs(whitelist) do
if ip == x then
return true
end
end
# function is_ip_whitelisted(ip, whitelist)
# for _, x in ipairs(whitelist) do
# if ip == x then
# return true
# end
# end
return false
end
}
'';
# return false
# end
# }
# '';
appendConfig = ''
worker_processes 24;

82
hosts/architect/openid.nix
View File

@ -3,46 +3,48 @@
{
openresty_oidc_block =
{ access_role ? "", whitelisted_ips ? [ ] }: ''
access_by_lua_block {
local opts = {
discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",
client_id = "nginx",
client_secret = "9C6BYxPhTbrRS4DIwd3Smk7e11ABmnt8",
logout_path = "/logout",
redirect_after_logout_uri = "/",
redirect_uri = "/redirect_uri",
keepalive = "yes",
accept_none_alg = true,
revoke_tokens_on_logout = true,
-- access token valid for a day
access_token_expires_in = 86400
}
${lib.optionalString (whitelisted_ips != []) ''
local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}}
if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then
return
end
''}
-- call introspect for OAuth 2.0 Bearer Access Token validation
local res, err = require("resty.openidc").authenticate(opts)
if err then
ngx.status = 403
ngx.say(err)
ngx.exit(ngx.HTTP_FORBIDDEN)
end
${lib.optionalString (access_role != "") ''
if not check_role(res, "${access_role}") then
ngx.status = 401
ngx.header.content_type = 'text/html';
ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
ngx.exit(ngx.HTTP_UNAUTHORIZED)
end
''}
}
'';
# access_by_lua_block {
# local opts = {
# discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",
# client_id = "nginx",
# client_secret = "9C6BYxPhTbrRS4DIwd3Smk7e11ABmnt8",
# logout_path = "/logout",
# redirect_after_logout_uri = "/",
# redirect_uri = "/redirect_uri",
# keepalive = "yes",
# accept_none_alg = true,
# revoke_tokens_on_logout = true,
# -- access token valid for a day
# access_token_expires_in = 86400
# }
# ${lib.optionalString (whitelisted_ips != []) ''
# local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}}
# if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then
# return
# end
# ''}
# -- call introspect for OAuth 2.0 Bearer Access Token validation
# local res, err = require("resty.openidc").authenticate(opts)
# if err then
# ngx.status = 403
# ngx.say(err)
# ngx.exit(ngx.HTTP_FORBIDDEN)
# end
# ${lib.optionalString (access_role != "") ''
# if not check_role(res, "${access_role}") then
# ngx.status = 401
# ngx.header.content_type = 'text/html';
# ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
# ngx.exit(ngx.HTTP_UNAUTHORIZED)
# end
# ''}
# }
# '';
}

3
hosts/architect/tailscale.nix
View File

@ -21,6 +21,7 @@ in
tommy = { address = "100.64.0.7"; hostname = "tommy.${domain}"; };
ucsb-workstation = { address = "100.64.0.8"; hostname = "ucsb-workstation.${domain}"; };
alfredo = { address = "100.64.0.9"; hostname = "alfredo.${domain}"; };
parallels = { address = "100.64.0.3"; hostname = "parallels.${domain}"; };
};
};
};
@ -29,7 +30,7 @@ in
tailscale = {
enable = true;
interfaceName = config.architect.networks.tailscale.interface;
package = pkgs.unstablePkgs.tailscale;
package = pkgs.tailscale;
};
};

5
lib/host.nix
View File

@ -38,10 +38,7 @@
useGlobalPkgs = true;
};
system.stateVersion = "22.11";
environment.shells = [ pkgs.zsh ];
users.defaultUserShell = pkgs.zsh;
system.stateVersion = "23.05";
}
home-manager.nixosModules.home-manager

6
roles/common.nix
View File

@ -1,7 +1,9 @@
{ config, pkgs, lib, ... }:
{
boot.tmpOnTmpfs = true;
boot.tmp = {
useTmpfs = true;
};
console = {
keyMap = "us";
@ -41,7 +43,6 @@
glances
tcpdump
restic
neovim
tmux
parted
unzip
@ -50,5 +51,6 @@
nmap
ripgrep
jq
helix
];
}

2
roles/home/common.nix
View File

@ -14,6 +14,6 @@
]
++ lib.optional (!stdenv.isDarwin) pastebinit;
stateVersion = "22.11";
stateVersion = "23.05";
};
}

2
roles/home/helix.nix
View File

@ -118,7 +118,7 @@
nodePackages.vscode-langservers-extracted
nodePackages.typescript
nodePackages.svelte-language-server
swiProlog
# swiProlog
nixpkgs-fmt
];
};