moving to flakes, wip. no home-manager

2021-07-13 10:53:22 +02:00 · 2021-07-13 10:53:22 +02:00 · 905945dfdd
commit 905945dfdd
parent 863cc724f5
15 changed files with 529 additions and 51 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,2 @@
 result
 result/
--- a/common.nix
+++ b/common.nix
@ -1,8 +1,6 @@
 { pkgs, variables, ... }:
 { 
  # Select internationalisation properties.
  console = {
    keyMap = "us";
    font   = "Lat2-Terminus16";
@ -12,12 +10,10 @@
  nix = {
    autoOptimiseStore = true;
-
+    package = pkgs.nixUnstable;
-    nixPath           = [
+    extraOptions = ''
-      "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos"
+      experimental-features = nix-command flakes
-      "nixos-config=/etc/nixos/hosts/${variables.hostname}/default.nix"
+    '';
      "/nix/var/nix/profiles/per-user/root/channels"
    ];
    gc = {
      automatic  = true;
@ -49,14 +45,10 @@
    ripgrep
    tmux
    parted
    unzip
    tree
  ];
  fileSystems."/tmp" = {
    device = "tmpfs";
    fsType = "tmpfs";
    options = ["size=5G"];
  };
  fileSystems."/var/cache" = {
    device = "tmpfs";
    fsType = "tmpfs";
--- a/flake.lock
+++ b/flake.lock
@ -0,0 +1,66 @@
 {
  "nodes": {
    "home-manager": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1626073055,
        "narHash": "sha256-vocByfpVu6m9zvtJugDvmd6/9iT2HJuG4tmDICKd0lI=",
        "owner": "rycee",
        "repo": "home-manager",
        "rev": "775cb20bd4af7781fbf336fb201df02ee3d544bb",
        "type": "github"
      },
      "original": {
        "owner": "rycee",
        "ref": "master",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "nixos-unstable": {
      "locked": {
        "lastModified": 1625874246,
        "narHash": "sha256-7cGgcysIXz/j/lRpJn7cNJjf0+k7sQ5EuGn62252Svw=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "45fc7d4a35c5343e58541a7847f6415654ccbb37",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1625919529,
        "narHash": "sha256-Epn7JRegnKN81hQh4hGx1FOwfp3fBxDCIuSZDgqaBQ4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "cf59fbd539681f5ec2f4a82cf77aae7ab827a03f",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-21.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "home-manager": "home-manager",
        "nixos-unstable": "nixos-unstable",
        "nixpkgs": "nixpkgs"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/flake.nix
+++ b/flake.nix
@ -0,0 +1,45 @@
 {
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.05";
    nixos-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
    home-manager = {
      url = "github:rycee/home-manager/master";
      inputs.nixpkgs.follows = "nixpkgs";
    }; 
  };
  outputs = { self, nixpkgs, nixos-unstable, home-manager }:   
  let
    system = "x86_64-linux";
    unstable = import nixos-unstable { 
      inherit system; 
      config.allowUnfree = true; 
    };
    pkgs = import nixpkgs { 
      inherit system; 
      config.allowUnfree = true; 
      overlays = [ (final: prev: { inherit unstable; }) ];
    };
  in {
    nixosConfigurations.architect = nixpkgs.lib.nixosSystem {
      inherit system;
      modules = [ 
        {
          nixpkgs.pkgs = pkgs;
          nix.nixPath = [ 
            "nixpkgs=${nixpkgs}" 
            "unstable=${nixos-unstable}"
          ];
          nix.registry.nixpkgs.flake = nixpkgs;
          nix.registry.unstable.flake = nixos-unstable;
        }
 #        home-manager.nixosModules.home-manager
        ./hosts/architect/default.nix
      ];
    };
  };
 }
--- a/hosts/architect/default.nix
+++ b/hosts/architect/default.nix
@ -1,12 +1,7 @@
-# Edit this configuration file to define what should be installed on
+{ config, pkgs, ... }:
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 { config, pkgs, variables, ... }:
 with import ./network.nix;
 let
  unstable = import <nixos-unstable> {};
  pubkeys     = ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1we38/N+t8Ah5yrLof8QUwhrob7/VXFKIddaJeOVBLuDVnW7ljiAtdtEiL69D/DV4Ohmt5wMvkAAjfuHmim6FD9A6lzPbSU4KH9W2dcckszKbbI636kuDwem/xui6BW3wJa6P+0xW5ksygEAkzcK2PXuC2b4B9uwhuUdKahiGMKDxISG/WianqAe72cGMfNkYvion3Y1VsMLUdm48d2ABnxNpr7NI9B5iJ8dziOft9gpgfz13CCQRlReo75gk/4xI+vSNrQp7eR+wzJy2/dZg/T8jtyA9Q6jVxrxBpqQ1LNXkAKaJkGo9OabF6Wgpzp+YTAurL4nwR2NaJxwFuyoKvACQy0ai4jrS3206gC6JXZv8ktZMZrwUN+jPqCwfgh5qObFkAqKCxbp52ioDek2MQLdOvzQBX//DBhGEp5rzHGLZ3vhRIiiQiaof5sF5zWiYDW5mqezSPNxJPX/BrTP/Wbs/jpwTLBh3wytiia0S1WXQmya89bqzTPFiDWvTRA62EVKB/JaQtPQQOFAxWwg799DMycPeZ81xttZOyMtI/MZSddyqx2S8fWGwvToZQvuZ38mSIpFseLM1IkgabRIrAmat5SBNGGy9Dqa0eMEa7bwIY/4CMB1y6HMTnaoMXA6cnQfHMoB/zyTZ6oTXIeqeOyiZsK+RN0Mvahj8mXi7dw== giulio@giulio-X230"];
  hostname    = "architect";
 in 
@ -14,7 +9,6 @@ in
    imports =
      [ # Include the results of the hardware scan.
      ./hardware.nix
      ../../variables.nix
      ../../common.nix
      ../../users.nix
      ./firewall.nix
@ -25,15 +19,24 @@ in
      ./bazarr.nix
      ./nzbget.nix
      ./jellyfin.nix
      ./nextcloud.nix
      ./wireguard.nix
      ./minio.nix
    ];
    variables.hostname                             = hostname;
    time.timeZone                                  = "Europe/Rome";
    system.stateVersion                            = "21.05"; # Did you read the comment?
    users.users.giulio.openssh.authorizedKeys.keys = pubkeys;
    fileSystems."/tmp" = {
      device = "tmpfs";
      fsType = "tmpfs";
      options = ["size=20G"];
    };
    boot = {
      kernelParams = ["ip=${architect-lan}::10.0.0.1:255.255.255.0::${wan-if}:off"];
      kernel.sysctl."net.ipv4.ip_forward" = 1;
      initrd = {
        availableKernelModules = ["igc" "r8169"];
@ -76,17 +79,17 @@ in
        wlp4s0.useDHCP = false;
      };
      extraHosts = ''
-        127.0.0.1      ${hostname}.devs.giugl.io localhost
+        127.0.0.1      ${hostname}.devs.giugl.io giugl.io localhost
        # LAN
-        ${architect-lan} ${hostname}.devs.giugl.io
+        ${architect-lan} ${hostname}.devs.giugl.io giugl.io
        10.0.0.1       router.devs.giugl.io
        ${dvr-lan}      dvr.devs.giugl.io
        ${nas-lan}      nas.devs.giugl.io
        # Wireguard hosts
-        ${architect-wg} ${hostname}.devs.giugl.io
+        ${architect-wg} ${hostname}.devs.giugl.io giugl.io
        ${galuminum-wg}        galuminum.devs.giugl.io
        ${oneplus-wg}  oneplus.devs.giugl.io
        ${ipad-wg}     ipad.devs.giugl.io
@ -104,6 +107,10 @@ in
        ${eleonora-wg} eleonora.devs.giugl.io
        ${broccolino-wg}       broccolino.devs.giugl.io
        ${hotpottino-wg}       hotpottino.devs.giugl.io
        ${salvatore-wg}         salvatore.devs.giugl.io
        ${papa-wg}            papa.devs.giugl.io
        ${defy-wg}            defy.devs.giugl.io
        ${germano-wg}         germano.devs.giugl.io
        # Blacklist
        0.0.0.0                metrics.plex.tv
@ -148,14 +155,14 @@ in
      zfs.autoScrub.enable = true;
      xserver.videoDrivers = [ "nvidia" ];
      openssh.enable = true;
      mysql.enable = true;
      mysql.package = with pkgs; mysql80;
      dnsmasq = {
        enable      = true;
        servers     = ["127.0.0.1#5353"];
        extraConfig = ''
            localise-queries
            min-cache-ttl=120
            max-cache-ttl=2400
        '';
      };
@ -165,6 +172,7 @@ in
          listen_addresses   = ["127.0.0.1:5353"];
          ipv4_servers       = true;
          ipv6_servers       = false;
          block_ipv6         = true;
          dnscrypt_servers   = true;
          doh_servers        = true;
          require_nolog      = true;
@ -174,6 +182,8 @@ in
          lb_estimator       = true;
          ignore_system_dns  = true;
          fallback_resolvers = ["1.1.1.1:53" "9.9.9.9:53"];
          cache_min_ttl = 450;
          cache_max_ttl = 2400;
        };
      };
    };
--- a/hosts/architect/firewall.nix
+++ b/hosts/architect/firewall.nix
@ -127,8 +127,10 @@ in {
            # client to client
            ip saddr {${lib.concatStringsSep "," c2c-wg}} ip daddr {${lib.concatStringsSep "," c2c-wg}} accept
-            # gdevices talking to each other
+            
-            ip saddr {${lib.concatStringsSep "," gdevices-wg}} ip daddr {${lib.concatStringsSep "," gdevices-wg}} accept
+            # gdevices talking to everyone in VPN
            ip saddr {${lib.concatStringsSep "," gdevices-wg}} ip daddr ${vpn-net} accept
            # nat to wan
            oifname ${wan-if} ip saddr {${lib.concatStringsSep "," towan-wg}} accept
--- a/hosts/architect/hardware.nix
+++ b/hosts/architect/hardware.nix
@ -28,10 +28,10 @@
    fsType = "zfs";
  };
-#  fileSystems."/docker" =
+  fileSystems."/secrets" =
-#    { device = "backedpool/docker";
+    { device = "backedpool/secrets";
-#    fsType = "zfs";
+    fsType = "zfs";
-#  };
+  };
  fileSystems."/var/lib" =
    { device = "backedpool/services";
--- a/hosts/architect/jellyfin.nix
+++ b/hosts/architect/jellyfin.nix
@ -1,5 +1,12 @@
 { pkgs, ... }:
 with import ./network.nix;
 {
  disabledModules = ["services/misc/jellyfin.nix"];
  imports = [
    ./modules/jellyfin.nix
  ];
  services = {
    jellyfin.enable = true;
--- a/hosts/architect/minio.nix
+++ b/hosts/architect/minio.nix
@ -0,0 +1,25 @@
 with import ./network.nix;
 {
  services = {
    minio.enable = true;
    nginx.virtualHosts.${miniodomain} = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://localhost:9000";
        extraConfig = ''
          allow 10.0.0.0/24;
          allow 10.3.0.0/24;
          deny all;
        '';
      };
    };
  };
  networking.extraHosts = ''
    127.0.0.1 ${miniodomain}
    ${architect-lan} ${miniodomain}
    ${architect-wg} ${miniodomain}
  '';
 }
--- a/hosts/architect/modules/jellyfin.nix
+++ b/hosts/architect/modules/jellyfin.nix
@ -0,0 +1,127 @@
 { config, pkgs, lib, ... }:
 with lib;
 let
  cfg = config.services.jellyfin;
 in
 {
  options = {
    services.jellyfin = {
      enable = mkEnableOption "Jellyfin Media Server";
      user = mkOption {
        type = types.str;
        default = "jellyfin";
        description = "User account under which Jellyfin runs.";
      };
      package = mkOption {
        type = types.package;
        default = pkgs.jellyfin;
        example = literalExample "pkgs.jellyfin";
        description = ''
          Jellyfin package to use.
        '';
      };
      group = mkOption {
        type = types.str;
        default = "jellyfin";
        description = "Group under which jellyfin runs.";
      };
      openFirewall = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Open the default ports in the firewall for the media server. The
          HTTP/HTTPS ports can be changed in the Web UI, so this option should
          only be used if they are unchanged.
        '';
      };
    };
  };
  config = mkIf cfg.enable {
    systemd.services.jellyfin = {
      description = "Jellyfin Media Server";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = rec {
        User = cfg.user;
        Group = cfg.group;
        # Allows access to drm devices for transcoding with hardware acceleration
        SupplementaryGroups = [ "video" ];
        StateDirectory = "jellyfin";
        CacheDirectory = "jellyfin";
        ExecStart = "${cfg.package}/bin/jellyfin --datadir '/var/lib/${StateDirectory}' --cachedir '/var/cache/${CacheDirectory}'";
        Restart = "on-failure";
        # Security options:
        NoNewPrivileges = true;
        AmbientCapabilities = "";
        CapabilityBoundingSet = "";
        # ProtectClock= adds DeviceAllow=char-rtc r
 #        DeviceAllow = [
 #          "char-drm r" 
 #          "/dev/nvidia0 r" 
 #          "/dev/nvidiactl r"
 #          "/dev/nvidia-uvm r"
 #          "/dev/nvidia-uvm-tools r"
 #        ];
 #        LockPersonality = true;
 #
         PrivateTmp = true;
 #        PrivateUsers = true;
 #
 #        ProtectClock = true;
 #        ProtectControlGroups = true;
 #        ProtectHostname = true;
 #        ProtectKernelLogs = true;
 #        ProtectKernelModules = true;
 #        ProtectKernelTunables = true;
 #
 #        RemoveIPC = true;
 #
 #        RestrictNamespaces = true;
 #        # AF_NETLINK needed because Jellyfin monitors the network connection
 #        RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET" "AF_INET6" ];
 #        RestrictRealtime = true;
 #        RestrictSUIDSGID = true;
 #
 #        SystemCallArchitectures = "native";
 #        SystemCallErrorNumber = "EPERM";
 #        SystemCallFilter = [
 #          "@system-service"
 #          "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid"
 #        ];
      };
    };
    users.users = mkIf (cfg.user == "jellyfin") {
      jellyfin = {
        group = cfg.group;
        isSystemUser = true;
      };
    };
    users.groups = mkIf (cfg.group == "jellyfin") {
      jellyfin = {};
    };
    networking.firewall = mkIf cfg.openFirewall {
      # from https://jellyfin.org/docs/general/networking/index.html
      allowedTCPPorts = [ 8096 8920 ];
      allowedUDPPorts = [ 1900 7359 ];
    };
  };
  meta.maintainers = with lib.maintainers; [ minijackson ];
 }
--- a/hosts/architect/network.nix
+++ b/hosts/architect/network.nix
@ -28,6 +28,10 @@ rec {
  angelino-wg      = "10.3.0.13";
  pepos_one-wg     = "10.3.0.14";
  pepos_two-wg     = "10.3.0.15";
  salvatore-wg     = "10.3.0.16";
  papa-wg          = "10.3.0.17";
  defy-wg          = "10.3.0.18";
  germano-wg       = "10.3.0.19";
  eleonora-wg      = "10.3.0.100";
  broccolino-wg    = "10.3.0.200";
  hotpottino-wg    = "10.3.0.201";
@ -45,4 +49,7 @@ rec {
  nzbgetdomain = "htnzb.giugl.io";
  mediadomain = "media.giugl.io";
  gitdomain = "git.giugl.io";
  nextclouddomain = "cloud.giugl.io";
  miniodomain = "s3.giugl.io";
  clouddomain = "cloud.giugl.io";
 }
--- a/hosts/architect/nextcloud.nix
+++ b/hosts/architect/nextcloud.nix
@ -0,0 +1,50 @@
 {pkgs, ...}:
 with import ./network.nix;
 {
  services = {
    mysql.enable = true;
    mysql.package = pkgs.unstable.mysql80;
    redis.enable = true;
    nextcloud = {
      enable = true;
      hostName = "${nextclouddomain}";
      https = true;
      caching.redis = true;
      autoUpdateApps.enable = true;
      autoUpdateApps.startAt = "05:00:00";
      logLevel = 1;
      config = {
        overwriteProtocol = "https";
        dbtype = "mysql";
        dbuser = "oc_giulio2";
        dbhost = "localhost";
        dbname = "nextcloud_final";
        dbpassFile = "/secrets/nextcloud/dbpass.txt";
        adminpassFile = "/secrets/nextcloud/adminpass.txt";
        adminuser = "giulio";
        extraTrustedDomains = ["${nextclouddomain}"];
      };
    };
  };
  systemd.services."nextcloud-setup" = {
    requires = ["mysql.service"];
    after = ["mysql.service"];
  };
  networking.extraHosts = ''
    127.0.0.1 ${clouddomain}
    ${architect-lan} ${clouddomain}
    ${architect-wg} ${clouddomain}
  '';
  services.nginx.virtualHosts.${clouddomain} = {
      forceSSL = true;
      enableACME = true;
    };
 }
--- a/hosts/architect/wireguard.nix
+++ b/hosts/architect/wireguard.nix
@ -0,0 +1,153 @@
 with import ./network.nix;
 {
  networking.wireguard = {
    interfaces.${vpn-if} = {
      listenPort = 1194;
      ips = ["10.3.0.1/24"];
      privateKeyFile = "/secrets/wireguard/server.key";
      peers = [
        {
          # gAluminum
          allowedIPs = [galuminum-wg];
          publicKey = "pEEgSs7xmO0cfyvoQlU8lfwqdYM1ISgmPAunPtF+0xw=";
        }
        {
          # OnePlus
          allowedIPs = [oneplus-wg];
          publicKey = "uOQUJo+AfhTAFq50Pt80rdX4PmO28WUARngE2AtwdXU=";
        }
        {
          # iPad
          allowedIPs = [ipad-wg];
          publicKey = "DPpd+P/hV1XLuvdcrCRv1sgz8BeZt1y5D6VehNuhjSQ=";
        }
        {
          # Manduria
          allowedIPs = [manduria-wg];
          publicKey = "wT38oXvDQ8g0hI+pAXQobOWf/Wott2zhwo8TLvXK400=";
        }
        {
          # Antonio
          allowedIPs = [antonio-wg];
          publicKey = "SPndCvEzuLHtGAQV8u/4dfLlFHoPcXS3L98oFOwTljc=";
        }
        {
          # Eleonora
          allowedIPs = [eleonora-wg];
          publicKey = "SL54f1ZeieFyn5X5UAPmypP10GV/c419O94vCzGHFhg=";
        }
        {
          # padulino
          allowedIPs = [padulino-wg];
          publicKey = "sk2Wr2OesND9jcuP/8k7BirSpR4pNNbS9gBkbOxZxwg=";
        }
        {
          # GBEAST
          allowedIPs = [gbeast-wg];
          publicKey = "XiK+wk+DErz0RmCWRxuaJN1cvdj+3DoiU6tcR+uZfAI=";
        }
        {
          # parisa-phone
          allowedIPs = [parisaphone-wg];
          publicKey = "t9EUnIkfr1b2HPlTXi17+AKMMe5VfeKq7exRVAwaai0=";
        }
        {
          # parisa-pc
          allowedIPs = [parisapc-wg];
          publicKey = "b2QzZDTgGQbNXSCLYB4KUzq0/099pH2T8H5BckfNSTQ=";
        }
        {
         # peppiniell
         allowedIPs = [peppiniell-wg];
         publicKey = "bzoW3Rx+7Un9hx/2opgBQJmmnZ/hgj1lQ2FnonCHjTc=";
       }
       {
          # broccolino
          allowedIPs = [broccolino-wg];
          publicKey = "Ig97XCKYZvMperGlQgoKdqvw6VyNHf5+MvcimKEUs1Y=";
        }
        {
          # hotpottino
          allowedIPs = [hotpottino-wg];
          publicKey = "YqtzTWqGBs2GwSPNO0aRSV4nvJDW3UHHt6fV4UC7vnU=";
        }
        {
          # shield
          allowedIPs = [shield-wg];
          publicKey = "1GaV/M48sHqQTrBVRQ+jrFU2pUMmv2xkguncVcwPCFs=";
        }
        {
          # angelino
          allowedIPs = [angelino-wg];
          publicKey = "MhY4d824LuKPltQHfaUbtWGiQz4XsfqCRAx0n1FDaiY=";
        }
        {
          # pepos_one
          allowedIPs = [pepos_one-wg];
          publicKey = "HcIqulGahsHJeuq6zAt5EJieWhDSKX4tFlUOEr2U1gA=";
        }
        {
          # pepos_two
          allowedIPs = [pepos_two-wg];
          publicKey = "mb1VaMLML5J24oCMBuhqvBrT6S4tAqWERn30z+h/LwM=";
        }
        {
          # salvatore
          allowedIPs = [salvatore-wg];
          publicKey = "fhlnBHeMyHZKLUCTSA9kmkKoM5x/qzz/rnCJrUh3Gzs=";
        }
        {
          # papa
          allowedIPs = [papa-wg];
          publicKey = "oGHygt02Oni3IFbScKD0NVEfHKCp6bpw68aq5g4RrAA=";
        }
        { 
          # defy
          allowedIPs = [defy-wg];
          publicKey = "wEkDNap9/qmkGd0a0PN8ANHgXgxwp+ZdmDW1CmIl4kM=";
        }
        {
          # germano
          allowedIPs = [germano-wg];
          publicKey = "gi4o+pZWKItzVs7vY8fvXh98jX6CNeCwc1YDzhc3mA4=";
        }
      ];
    };
  };
 }
--- a/hosts/gAluminum/default.nix
+++ b/hosts/gAluminum/default.nix
@ -93,11 +93,5 @@ in {
  system.stateVersion = "21.05"; # Did you read the comment?
  security.pam.services.gdm.enableGnomeKeyring = true;
  fileSystems."/tmp" = {
    device = "tmpfs";
    fsType = "tmpfs";
    options = ["size=2G"];
  };
 }
--- a/users.nix
+++ b/users.nix
@ -1,8 +1,6 @@
-{config, pkgs, ...}:
+{config, pkgs, home-manager, ...}:
 {
  imports = [ <home-manager/nixos> ];
  users.users = {
    giulio = {
      description  = "Giulio De Pasquale";
@ -21,13 +19,13 @@
    enableCompletion     = true;
  };
-  home-manager.users.root = {
+#  home-manager.users.root = {
-    imports = [ ./home/zsh.nix ./home/code.nix ];
+#    imports = [ ./home/zsh.nix ./home/code.nix ];
-  };
+#  };
-
+#
-  home-manager.users.giulio = {
+#  home-manager.users.giulio = {
-    imports = [ ./home ];
+#    imports = [ ./home ];
-  };
+#  };
  fileSystems."/home/giulio/Downloads" = {
    device = "tmpfs";