25 files changed, 813 insertions, 74 deletions
diff --git a/flake.lock b/flake.lock index 3893592..3b8c5e8 100644 --- a/flake.lock +++ b/flake.lock @@ -52,11 +52,11 @@ ] }, "locked": { - "lastModified": 1722924007, - "narHash": "sha256-+CQDamNwqO33REJLft8c26NbUi2Td083hq6SvAm2xkU=", + "lastModified": 1724561770, + "narHash": "sha256-zv8C9RNa86CIpyHwPIVO/k+5TfM8ZbjGwOOpTe1grls=", "ref": "refs/heads/master", - "rev": "91010a5613ffd7ee23ee9263213157a1c422b705", - "revCount": 1665, + "rev": "ac5694a0b855a981e81b4d9f14052e3ff46ca39e", + "revCount": 1677, "type": "git", "url": "https://github.com/lnl7/nix-darwin" }, @@ -106,11 +106,11 @@ }, "hefe-internal": { "locked": { - "lastModified": 1717507265, - "narHash": "sha256-gM6eTS9asXKJygWENGYCMjbSqGM4KBIZyI7WuEv75dk=", + "lastModified": 1725785744, + "narHash": "sha256-f3WryUoeDQ5gpid07hQlfgkpFsuZ1M2hkeRuq/PxpIs=", "ref": "refs/heads/main", - "rev": "944c5e639c60d4ffb4dd8da3f14c8cc64bd8d9b1", - "revCount": 117, + "rev": "e4ddde3ae3ccf03f2b31b69c3537212fccab84d3", + "revCount": 128, "type": "git", "url": "ssh://git@git.emile.space/hefe-internal" }, @@ -183,11 +183,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1723449574, - "narHash": "sha256-9c/blnpryB8JYUZDt8ePD9HxWfJgVKyd8gZX80H8DnI=", + "lastModified": 1724871466, + "narHash": "sha256-A3f55caUR3uHP2KMyqX1Kl2YbmnOb+hED1ztgHsqlVg=", "ref": "release-24.05", - "rev": "1e6169f8966165bf2320fb5d1df605558902e4cf", - "revCount": 634030, + "rev": "66b58d0e1d08395781fd7c3f77093de4e4584c03", + "revCount": 634574, "type": "git", "url": "https://github.com/nixos/nixpkgs" }, 
@@ -199,11 +199,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1723221148, - "narHash": "sha256-7pjpeQlZUNQ4eeVntytU3jkw9dFK3k1Htgk2iuXjaD8=", + "lastModified": 1724748588, + "narHash": "sha256-NlpGA4+AIf1dKNq76ps90rxowlFXUsV9x7vK/mN37JM=", "ref": "nixpkgs-unstable", - "rev": "154bcb95ad51bc257c2ce4043a725de6ca700ef6", - "revCount": 664329, + "rev": "a6292e34000dc93d43bccf78338770c1c5ec8a99", + "revCount": 672159, "type": "git", "url": "https://github.com/nixos/nixpkgs" }, diff --git a/flake.nix b/flake.nix index 411bf42..0b48f3f 100644 --- a/flake.nix +++ b/flake.nix @@ -123,14 +123,13 @@ darwinConfigurations = helper.mapToDarwinConfigurations self.hosts; nixosModules = { - emile = import ./nix/modules; - default = self.nixosModules.emile; + x86_64-linux = import ./nix/modules/x86_64-linux.nix; + default = self.nixosModules.x86_64-linux; }; overlays = { emile = import ./nix/pkgs/overlay.nix; - default = self.overlays.emile; - + default = self.overlays.x86_64-linux; unstable = final: prev: { unstable = import nixpkgs-unstable { system = "x86_64-linux"; @@ -148,7 +147,11 @@ pkgs = import nixpkgs { inherit system; overlays = [ - self.overlays.emile + + (if system == "x86_64-linux" then self.overlays.x86_64-linux + else if system == "aarch64-darwin" then self.overlays.aarch64-darwin + else null) + # self.overlays.emile # some arguments for packages (_: _: { inherit naersk; }) diff --git a/nix/hosts/caladan/aliases.nix b/nix/hosts/caladan/aliases.nix index e314f72..58c224e 100644 --- a/nix/hosts/caladan/aliases.nix +++ b/nix/hosts/caladan/aliases.nix 
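Review bot: `self.overlays.x86_64-linux` and `self.overlays.aarch64-darwin`, referenced by the new `overlays.default` line and by the conditional added to the `pkgs = import nixpkgs` overlay list, are not defined in the visible `overlays` set, which still only declares `emile` and `unstable`, so evaluating `overlays.default` looks like it will fail with a missing-attribute error unless they are declared elsewhere in the file. The `else null` fallback is a second problem: for any system other than the two listed (aarch64-linux, for instance) a `null` ends up in the overlays list, and nixpkgs errors when it tries to apply it. A list-valued conditional avoids both the `null` and the nested `if`, e.g. `overlays = lib.optional (system == "x86_64-linux") self.overlays.x86_64-linux ++ lib.optional (system == "aarch64-darwin") self.overlays.aarch64-darwin ++ [ ... ];` (assuming `lib` is in scope at that point). The same `else null` pattern is used in the `modules` list of nix/lib/flake-helper.nix later in this diff, where a `null` module will likewise break `nixosSystem` for unlisted systems.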
@@ -1,30 +1,27 @@ { ":q" = "exit"; ls = "eza"; - ytop = "btm"; # short forms tf = "terraform"; - h = "mosh hack"; r2help = ''r2 -qq -c "?*~..." --''; mosh = "mosh --no-init"; t = "task"; tw = "timew"; - ipa = "scutil --nwi"; + ipa = "scutil --nwi"; # more `ip a` like info on macos # this can be super nice and super annoying at the same time: # ssh = "kitty +kitten ssh"; - light = "kitty +kitten themes --reload-in=all Ayu Light"; - dark = "kitty +kitten themes --reload-in=all Ayu"; - - ".." = "cd .."; "..." = "cd ../.."; "...." = "cd ../../.."; "....." = "cd ../../../.."; + "......" = "cd ../../../../.."; + "......." = "cd ../../../../../.."; + "........" = "cd ../../../../../../.."; grep = "grep --color=auto"; nix-stray-roots = '' @@ -34,7 +31,7 @@ servethis = "python3 -m http.server"; - # nmap foo + # these are the oh-my-zsh nmap plugin aliases which are nice to have around imho nmap_open_ports = "nmap --open"; nmap_list_interfaces = "nmap --iflist"; nmap_slow = "sudo nmap -sS -v -T1"; @@ -50,6 +47,7 @@ nmap_full_with_scripts = "sudo nmap -sS -sU -T4 -A -v -PE -PP -PS21,22,23,25,80,113,31339 -PA80,113,443,10042 -PO --script all " ; nmap_web_safe_osscan = "sudo nmap -p 80,443 -O -v --osscan-guess --fuzzy "; nmap_ping_scan = "nmap -n -sP"; - lm = "sudo kitten themes --reload-in=all 3024 Day"; - dm = "sudo kitten themes --reload-in=all Default"; + + light = "sudo kitten themes --reload-in=all 3024 Day"; + dark = "sudo kitten themes --reload-in=all Default"; } diff --git a/nix/hosts/caladan/darwin-configuration.nix b/nix/hosts/caladan/darwin-configuration.nix index a181b35..2461fd2 100644 --- a/nix/hosts/caladan/darwin-configuration.nix +++ b/nix/hosts/caladan/darwin-configuration.nix 
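Review bot: The re-added `light`/`dark` aliases run `sudo kitten themes --reload-in=all ...`, while the `light`/`dark` definitions removed in the first hunk of this file ran the kitten as the user; the theme kitten edits the invoking user's kitty config and reloads that user's running instances, so under `sudo` it presumably acts on root's environment and the reload may never reach the user's windows — confirm that root is really needed here and otherwise drop it: `light = "kitten themes --reload-in=all 3024 Day";`. A terminal theme switch is also not something that should need elevated privileges, so the alias is a good candidate for least privilege either way.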
@@ -85,17 +85,14 @@ config.allowUnfree = true; }; - programs.fish.enable = true; - services.nix-daemon.enable = true; + # <3 security.pam.enableSudoTouchIdAuth = true; environment = { - systemPackages = [ - pkgs.yarr - ]; - shells = with pkgs; [ bashInteractive zsh fish ]; + systemPackages = [ ]; # set via home-manager + shells = with pkgs; [ bashInteractive zsh ]; }; } diff --git a/nix/hosts/caladan/home_emile.nix b/nix/hosts/caladan/home_emile.nix index f57daaf..06131dd 100644 --- a/nix/hosts/caladan/home_emile.nix +++ b/nix/hosts/caladan/home_emile.nix @@ -1,14 +1,17 @@ -{ pkgs, lib, stdenv, ... }: +{ pkgs, ... }: { home = { + # The state version is required and should stay at the version you + # originally installed. stateVersion = "22.11"; username = "emile"; homeDirectory = "/Users/emile"; }; - # let home-manager install and manage itself programs = { + + # let home-manager install and manage itself home-manager.enable = true; direnv = { 
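Review bot: Dropping `services.nix-daemon.enable = true;` changes how Nix is driven on this host; on a multi-user Nix install the daemon has to stay enabled, and whether nix-darwin still launches it without this line depends on the nix-darwin revision pinned in flake.lock (bumped in this same diff), so this is worth verifying rather than assuming. The `# <3` comment above `security.pam.enableSudoTouchIdAuth` carries no information for the next reader; `# Touch ID for sudo prompts` would say what the line does. The enclosing attribute set starts before this hunk.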
@@ -56,8 +59,285 @@ emacs = { enable = true; package = pkgs.emacs; + extraPackages = epkgs: with epkgs; [ + nix-mode + magit + meow + ]; extraConfig = '' (setq standard-indent 2) + + ;; MELPA Packages + (require 'package) + (package-initialize) + (add-to-list 'package-archives '("melpa" . "https://melpa.org/packages/") t) + (unless package-archive-contents + (package-refresh-contents)) + + ;; Install packages. + (dolist (package '(use-package sly corfu org)) + (unless (package-installed-p package) + (package-install package))) + + (use-package org) + + ;(use-package evil-colemak-basics) + + (when (display-graphic-p) + (tool-bar-mode 0) + (scroll-bar-mode 0)) + (setq inhibit-startup-screen t) + + (load-theme 'leuven) ;; light theme + + ;; pixel perfect scrolling + (setq pixel-scroll-precision-mode 1) + + ;; dont create lockfiles + (setq create-lockfiles nil) + + ;; delete excess backup version silently + (setq delete-old-versions -1) + (setq make-backup-files nil) ; stop creating ~ files + + ;; use version controll + (setq version-control t) + + ;; utf8 by default(setq coding-system-for-read 'utf-8) + (setq coding-system-for-write 'utf-8) + + ;; org-mode + (require 'org) + (define-key global-map "\C-cl" 'org-store-link) + (define-key global-map "\C-ca" 'org-agenda) + (setq org-log-done t) + + ;; random emacs foo + (setq-default indent-tabs-mode nil) ;; use spaces, not tabs + (setq show-paren-delay 0) + (show-paren-mode) + + ;; write customizations to a custom file + (setq custom-file (expand-file-name "custom.el" user-emacs-directory)) + + ;; Configure SBCL as the Lisp program for SLIME + (add-to-list 'exec-path "/Users/emile/.nix-profile/bin") + (defvar inerior-lisp-program "clisp") + + ;; configure parinfer to be enabled as a mode when the major lisp mode is enabled + (add-to-list 'load-path "/Users/emile/parinfer-rust") + (add-hook 'emacs-lisp-mode 'parinfer-rust-mode) + (add-hook 'emacs-lisp-mods (lambda () (lispy-mode 1))) + + (require 'meow) + + (defun 
meow-setup () + "My colemak-dh meow keybindings with some helix influence." + (setq meow-cheatsheet-layout meow-cheatsheet-layout-colemak-dh) + (meow-motion-overwrite-define-key + ;; Use e to move up, n to move down. + ;; Since special modes usually use n to move down, we only overwrite e here. + '("e" . meow-prev) + '("<escape>" . ignore)) + (meow-leader-define-key + '("?" . meow-cheatsheet) + ;; To execute the originally e in MOTION state, use SPC e. + '("e" . "H-e") + '("1" . meow-digit-argument) + '("2" . meow-digit-argument) + '("3" . meow-digit-argument) + '("4" . meow-digit-argument) + '("5" . meow-digit-argument) + '("6" . meow-digit-argument) + '("7" . meow-digit-argument) + '("8" . meow-digit-argument) + '("9" . meow-digit-argument) + '("0" . meow-digit-argument)) + (meow-normal-define-key + '("0" . meow-expand-0) + '("1" . meow-expand-1) + '("2" . meow-expand-2) + '("3" . meow-expand-3) + '("4" . meow-expand-4) + '("5" . meow-expand-5) + '("6" . meow-expand-6) + '("7" . meow-expand-7) + '("8" . meow-expand-8) + '("9" . meow-expand-9) + '("-" . negative-argument) + '(";" . meow-reverse) + '("," . meow-inner-of-thing) + '("." . meow-bounds-of-thing) + '("[" . meow-beginning-of-thing) + '("]" . meow-end-of-thing) + '("/" . meow-visit) + '("a" . meow-append) + '("A" . meow-open-below) + '("b" . meow-back-word) + '("B" . meow-back-symbol) + '("c" . meow-change) + ; '("C" . ) + '("d" . meow-delete) + ;'("D" . delete-window) + '("e" . meow-next) + '("E" . meow-next-expand) + '("f" . find-file) + '("F" . flycheck-list-errors) + '("g" . meow-cancel-selection) + '("G" . meow-grab) + '("h" . meow-mark-word) + '("H" . meow-mark-symbol) + '("i" . meow-prev) + '("I" . meow-prev-expand) + '("j" . meow-join) + ; '("J" . ) + '("k" . meow-kill) + '("K" . meow-paren-mode) + '("l" . meow-line) + '("L" . meow-goto-line) + '("m" . meow-block) + '("M" . meow-to-block) + '("n" . meow-left) + '("N" . meow-left-expand) + '("o" . meow-right) + '("O" . meow-right-expand) + '("p" . 
meow-yank) + ; '("P" . ) + '("q" . meow-quit) + ; '("Q" . ) + '("r" . meow-replace) + '("R" . undo-redo) + '("s" . meow-insert) + '("S" . meow-open-above) + '("t" . meow-till) + ; '("T" . ) + '("u" . meow-undo) + '("U" . meow-undo-in-selection) + '("v" . meow-search) + '("w" . meow-next-word) + '("W" . meow-next-symbol) + '("x" . meow-delete) + '("X" . meow-backward-delete) + '("y" . meow-save) + '("z" . meow-pop-selection) + ; '("Z" . ) + '("'" . repeat) + '("<escape>" . ignore))) + + + (meow-setup) + (meow-global-mode 1) + + ;; Corfu completion + (use-package corfu + :custom + (corfu-cycle-tab t) + (corfu-auto t) + (corfu-auto-prefix 2) + (corfu-auto-delay 0.0) + (corfu-quit-at-boundary 'separator) + (corfu-echo-documentation 0.5) + (corfu-preview-current 'insert) + (corfu-preselect 'prompt) + :bind (:map corfu-map + ("M-SPC" . corfu-insert-separator) + ("RET" . nil) + ("TAB" . corfu-next) + ([tab] . corfu-next) + ("S-TAB" . corfu-previous) + ([backtab] . corfu-previous) + ("S-<return>" . corfu-inser)) + :init + (global-corfu-mode) + (corfu-history-mode) + + :config + (add-hook 'eshell-mode-hook + (lambda () + (setq-local corfu-quit-at-boundary t + corfu-quit-no-match t + corfu-auto nil) + (corfu-mode)))) + + ;; In-margin annotations + (use-package marginalia + :custom + (marginalia-max-relative-age 0) + (marginalia-align 'right) + :init + (marginalia-mode)) + + ;; Fancy icons + (use-package all-the-icons-completion + :after (marginalia all-the-icons) + :hook (marginalia . 
all-the-icons-completion-marginalia-setup) + :init (all-the-icons-completion-mode)) + + ;; Usable minibuffers + (use-package vertico + :init (vertico-mode) + :custom (vertico-count 13) + (vertico-resize t) + (vertico-cycle nil) + :config (vertico-mode)) + + ;; orderless completion + ;; This allows searching for space separated terms in any order + (use-package orderless + :init (setq completion-styles '(orderless basic) + completion-category-defaults nil + completion-category-overrides '((file (styles partial-completion))) + )) + + ;; general purpose emacs settings + (use-package emacs + :init + + ;; do not allow cursor in the minibuffer prompt + (setq minibuffer-prompt-properties + '(read-only t cursor-intangible t face minibuffer-prompt)) + (add-hook 'minibuffer-setup-hook #'cursor-intangible-mode) + + ;; support opening new minibuffers from inside existing minibuffers + (setq enable-recursive-minibuffers t) + + ;; Emacs 28 and newer: Hide commands in M-x which do not work in the current + ;; mode. Vertico commands are hidden in normal buffers. This setting is + ;; useful beyond Vertico. + (setq read-extended-command-predicate #'command-completion-default-include-p)) + + ;; Add "lisp" to the list of languages babel is allowed to eval + ;(setq-default org-babel-lisp-eval-fn #'sly-eval) + (org-babel-do-load-languages + 'org-babel-load-languages + '((lisp . t))) + + ;; markdown mode + (use-package markdown-mode + :ensure t + :mode ("README\\.md\\'" . 
gfm-mode) + :init (setq markdown-command "multimarkdown")) + + ;; minibuffer with help when waiting too long + (use-package which-key + :ensure t + :config + (setq which-key-idle-delay 0.1) + (setq which-key-idle-secondary-delay 0.1) + (which-key-mode)) + + ;; Display imenu (symbols) in a separate buffer + (use-package imenu-list :ensure t + :init + (setq imenu-list-auto-resize t) + (setq imenu-list-focus-after-activation t)) + + ;; error checking + (use-package flycheck + :ensure t + :init (global-flycheck-mode)) + + (provide '.emacs) ; makes flycheck happy ''; }; @@ -103,7 +383,7 @@ "cmd+shift+k" = "move_window up"; "cmd+shift+l" = "move_window right"; - "cmd+shift+m" = "detach_window ask"; + # "cmd+shift+m" = "detach_window ask"; "command+j" = "kitten pass_keys.py neighboring_window bottom command+j"; "command+k" = "kitten pass_keys.py neighboring_window top command+k"; @@ -112,14 +392,14 @@ "command+b" = "combine : clear_terminal scroll active : send_text normal,application \x0c"; # "ctrl+n" = "send_text all \x0e"; - "ctrl+e" = "send_text all \x01h"; - "ctrl+n" = "send_text all \x01i"; - "ctrlshift++n" = "send_text all \x01i"; - - "ctrl+left" = "resize_window wider"; - "ctrl+right" = "resize_window narrower"; - "ctrl+up" = "resize_window shorter"; - "ctrl+down" = "resize_window taller"; + # "ctrl+e" = "send_text all \x01h"; + # "ctrl+n" = "send_text all \x01i"; + # "ctrlshift++n" = "send_text all \x01i"; + + # "ctrl+left" = "resize_window wider"; + # "ctrl+right" = "resize_window narrower"; + # "ctrl+up" = "resize_window shorter"; + # "ctrl+down" = "resize_window taller"; }; environment = { }; @@ -193,6 +473,10 @@ tiny # irc + rlwrap + + entr + # blender # ] ++ lib.optionals stdenv.isDarwin [ diff --git a/nix/hosts/caladan/home_hydra.nix b/nix/hosts/caladan/home_hydra.nix index 25686da..1161d9a 100644 --- a/nix/hosts/caladan/home_hydra.nix +++ b/nix/hosts/caladan/home_hydra.nix 
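Review bot: In the added `extraConfig`, the line `;; utf8 by default(setq coding-system-for-read 'utf-8)` has the `setq` fused into the comment, so `coding-system-for-read` is never set; split it into `;; utf8 by default` and `(setq coding-system-for-read 'utf-8)`. Several identifiers in the same block look misspelled and will silently do nothing or fail at load: `(add-hook 'emacs-lisp-mode 'parinfer-rust-mode)` and `(add-hook 'emacs-lisp-mods ...)` should both target `'emacs-lisp-mode-hook`, `(defvar inerior-lisp-program "clisp")` should be `inferior-lisp-program` (and its comment says SBCL while the value is clisp — pick one), and `("S-<return>" . corfu-inser)` should be `corfu-insert`. `(setq pixel-scroll-precision-mode 1)` only sets the variable without enabling the mode; call `(pixel-scroll-precision-mode 1)` instead. The `programs.emacs` attribute set this string belongs to starts before the hunk.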
@@ -7,8 +7,8 @@ homeDirectory = "/Users/hydra"; }; - # let home-manager install and manage itself programs = { + # let home-manager install and manage itself home-manager.enable = true; }; diff --git a/nix/hosts/caladan/session_variables.zsh b/nix/hosts/caladan/session_variables.zsh index 05badcd..6f850c8 100644 --- a/nix/hosts/caladan/session_variables.zsh +++ b/nix/hosts/caladan/session_variables.zsh @@ -6,8 +6,10 @@ export PROMPT="; " # minimal prompt #export RPROMPT="%F{green}%/%F{reset}" export RPROMPT="%F{green}%/%F{reset} %D{%K:%M:%S}" -# reset the prompt, so we get the time the command was executed -# in the rprompt +# Reset the prompt, so we get the time the command was executed +# in the rprompt. A single second was to much, as it also breaks all the +# prompt suggestions, 5 seconds seems quite sensible, and you can just hit +# `TAB` yet another time if you want to see the suggestions again TMOUT=5 TRAPALRM() { zle reset-prompt diff --git a/nix/hosts/corrino/configuration.nix b/nix/hosts/corrino/configuration.nix index 1f054ff..5f012b0 100644 --- a/nix/hosts/corrino/configuration.nix +++ b/nix/hosts/corrino/configuration.nix @@ -18,6 +18,9 @@ in { ./ports.nix ./www/git + ./www/nix-cache + + # screego # web ./www/emile.space.nix @@ -36,6 +39,9 @@ in { ./www/social.emile.space.nix ./www/sso.emile.space.nix ./www/s3.emile.space.nix + ./www/cs.emile.space.nix + ./www/irc.emile.space.nix + ./www/db.emile.space.nix # ./www/irc.emile.space.nix # ./www/irc @@ -456,10 +462,6 @@ in { }; }; - virtualisation.podman = { - enable = true; - autoPrune.enable = true; - }; virtualisation = { # docker.enable = true; libvirtd = { @@ -479,6 +481,10 @@ in { }; }; }; + podman = { + enable = true; + autoPrune.enable = true; + }; }; # programs.virt-manager.enable = true; diff --git a/nix/hosts/corrino/ports.nix b/nix/hosts/corrino/ports.nix index 2d7ba06..6f17be5 100644 --- a/nix/hosts/corrino/ports.nix +++ b/nix/hosts/corrino/ports.nix 
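Review bot: `./www/irc.emile.space.nix` is now imported, but the commented-out `# ./www/irc.emile.space.nix` two lines below is left in place, so the import list reads as if the module were still disabled; drop the stale comment. The bare `# screego` placeholder added under `./www/nix-cache` likewise tells the reader nothing on its own — either a short note on what is pending or removal.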
@@ -11,13 +11,16 @@ grafana = 3002; md = 3003; gotosocial = 3004; + harmonia = 5000; irc = { clear = 6667; ssl = 6697; }; + hound = 6080; stream = 8080; netbox = 8001; restic = 8002; + nocodb = 8003; r2wars-web = 8089; ctf = 8338; magic-hash = 8339; diff --git a/nix/hosts/corrino/www/cs.emile.space.nix b/nix/hosts/corrino/www/cs.emile.space.nix new file mode 100644 index 0000000..4f1b91e --- /dev/null +++ b/nix/hosts/corrino/www/cs.emile.space.nix @@ -0,0 +1,54 @@ +{ config, lib, ... }: + +let + + # get's all repos configured in cgit and converts them into some JSON that is used by hound + repos = builtins.toJSON + (lib.mergeAttrsList + (map + (x: {"${x.name}" = { url = "file://${x.path}"; }; }) + (lib.mapAttrsToList + (name: value: value // { name = "${name}"; }) + config.services.cgit.main.repos))); +in { + services.nginx.virtualHosts."cs.emile.space" = { + forceSSL = true; + enableACME = true; + locations = { + "/" = { + proxyPass = "http://${config.services.hound.listen}"; + }; + }; + }; + + # add hound user to git group so the local repos can be read + # users.users.hound.extraGroups = [ "git" ]; + + users.groups."git".members = [ "hound" ]; + + # The `.gitignore` of the user `hound` should contain the following: + # + # [safe] + # directory = /var/lib/git/repositories/* + # directory = /var/lib/git/repositories/faila.git + # directory = /var/lib/git/repositories/faila2.git + + services.hound = { + enable = true; + + config = '' + { + "dbpath": "/var/lib/hound/data", + "max-concurrent-indexers" : 6, + "vcs-config" : { + "git" : { + "detect-ref" : true + } + }, + "repos" : ${repos} + } + ''; + + listen = "127.0.0.1:${toString config.emile.ports.hound}"; + }; +} diff --git a/nix/hosts/corrino/www/db.emile.space.nix b/nix/hosts/corrino/www/db.emile.space.nix new file mode 100644 index 0000000..7cb365e --- /dev/null +++ b/nix/hosts/corrino/www/db.emile.space.nix 
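Review bot: The comment above `services.hound` says the `[safe]` entries belong in the `.gitignore` of the `hound` user; git reads `safe.directory` from a git config file, so this should read `.gitconfig`, and since this same diff writes `[safe]` entries for every cgit repo into `/etc/gitconfig` (nix/hosts/corrino/www/git/cgit.nix) the per-user note may be obsolete altogether — state which one is the source of truth. Separately, `repos` feeds every entry of `config.services.cgit.main.repos` into hound and the `cs.emile.space` vhost proxies hound with no access control; that is fine if every cgit repo is public, but if any of them is restricted on the cgit side, hound would expose its contents through search, so a one-line comment recording the assumption would help, e.g. `# NOTE: hound indexes and serves every cgit repo; all of them must be public`.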
@@ -0,0 +1,23 @@ +{ config, ... }: + +{ + services.nginx.virtualHosts."db.emile.space" = { + forceSSL = true; + enableACME = true; + + locations = { + "/" = { + proxyPass = "http://127.0.0.1:${toString config.emile.ports.nocodb}"; + }; + }; + }; + virtualisation.oci-containers = { + containers = { + "noco" = { + image = "nocodb/nocodb:latest"; + volumes = [ "nocodb:/usr/app/data" ]; + ports = [ "${toString config.emile.ports.nocodb}:8080" ]; + }; + }; + }; +} diff --git a/nix/hosts/corrino/www/emile.space.nix b/nix/hosts/corrino/www/emile.space.nix index c39ca31..8b67d84 100644 --- a/nix/hosts/corrino/www/emile.space.nix +++ b/nix/hosts/corrino/www/emile.space.nix @@ -13,6 +13,8 @@ ''; }; + # As the social.emile.space server actually uses redirects from emile.space, they have to be + # setup somewhere. Well... this is that place "/@hanemile".extraConfig = '' return 301 https://social.emile.space/@hanemile; ''; diff --git a/nix/hosts/corrino/www/git/cgit.nix b/nix/hosts/corrino/www/git/cgit.nix index 1e63dfc..b48157a 100644 --- a/nix/hosts/corrino/www/git/cgit.nix +++ b/nix/hosts/corrino/www/git/cgit.nix @@ -1,10 +1,33 @@ { config, lib, pkgs, ... }: +let + repodirs = builtins.concatStringsSep "\n" + (map + (x: "directory = ${x}") + (lib.lists.flatten + (map + (x: lib.attrValues (lib.getAttrs [ "path" ] x)) + (lib.mapAttrsToList + (name: value: value) + config.services.cgit.main.repos)))); +in { environment.systemPackages = with pkgs; [ - md4c # used to get md2html for rendering the READMEs + md4c # used to get md2html for rendering the READMEs within cgit-pink ]; + # set all the repos as safe + environment.etc = { + gitconfig = { + text = '' + [http] + sslCAinfo = /etc/ssl/certs/ca-certificates.crt + [safe] + ${repodirs} + ''; + }; + }; + services = { nginx.virtualHosts."git.emile.space" = { forceSSL = true; 
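Review bot: `ports = [ "${toString config.emile.ports.nocodb}:8080" ];` publishes the container port on all host interfaces, so NocoDB is reachable directly on that port, bypassing the TLS vhost in front of it; the nginx `proxyPass` already targets `127.0.0.1`, so bind the mapping to loopback as well: `ports = [ "127.0.0.1:${toString config.emile.ports.nocodb}:8080" ];`. Whether the NixOS firewall would otherwise block the port depends on how the OCI backend installs its NAT rules, so relying on it is fragile. `image = "nocodb/nocodb:latest"` is also unpinned, so every pull can yield a different image; pinning a tag, or better a digest, keeps deployments reproducible and reviewable.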
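Review bot: The `repodirs` pipeline in the new `let` is harder to read than it needs to be: `mapAttrsToList (name: value: value)` is just `attrValues`, and `lib.getAttrs [ "path" ]` followed by `attrValues` and `flatten` only extracts `.path`; `repodirs = lib.concatMapStringsSep "\n" (r: "directory = ${r.path}") (lib.attrValues config.services.cgit.main.repos);` does the same in one line. Also note that `/etc/gitconfig` applies to every user on the host, so `[safe]` for all repositories is granted system-wide rather than only to the users that need it (cgit, hound); a comment saying that this is intended would help the next reader. The `services` attribute set that follows continues past the hunk.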
@@ -469,7 +492,7 @@ # articles barnes-hut = { desc = "A one pager compressing the JuFo19 project"; - path = "/var/lib/git/repositories/paged-out-barnes-hut.git"; + path = "/var/lib/git/repositories/barnes-hut.git"; section = "Articles"; owner = "emile"; }; @@ -544,7 +567,7 @@ # exposing stuff gitDaemon = { - enable = true; + enable = false; user = "git"; group = "git"; diff --git a/nix/hosts/corrino/www/grafana.emile.space.nix b/nix/hosts/corrino/www/grafana.emile.space.nix index 3464421..eaf88b5 100644 --- a/nix/hosts/corrino/www/grafana.emile.space.nix +++ b/nix/hosts/corrino/www/grafana.emile.space.nix @@ -2,12 +2,22 @@ { services = { - nginx.virtualHosts."grafana.emile.space" = { - addSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://${toString config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}/"; - proxyWebsockets = true; + nginx.virtualHosts = { + "grafana.emile.space" = { + addSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://${toString config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}/"; + proxyWebsockets = true; + }; + }; + "prometheus.emile.space" = { + addSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}/"; + proxyWebsockets = true; + }; }; }; @@ -47,6 +57,8 @@ prometheus = { enable = true; retentionTime = "356d"; + + listenAddress = "[::1]"; port = config.emile.ports.prometheus; exporters = { diff --git a/nix/hosts/corrino/www/hydra.emile.space.nix b/nix/hosts/corrino/www/hydra.emile.space.nix index 97d5962..6628a67 100644 --- a/nix/hosts/corrino/www/hydra.emile.space.nix +++ b/nix/hosts/corrino/www/hydra.emile.space.nix 
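Review bot: The new `prometheus.emile.space` vhost proxies the Prometheus web UI and API to the public with no access control; Prometheus ships with no authentication of its own, so this exposes every scraped metric (and, if enabled, the admin API) to anyone who finds the name. If external access is really needed, put something in front of it, e.g. `basicAuthFile = "<path to htpasswd file outside the store>";` on the vhost, and prefer `forceSSL = true;` over `addSSL` so credentials are never sent over plain HTTP. Moving Prometheus to `listenAddress = "[::1]"` in the second hunk is a good change and keeps the direct port off the network.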
@@ -57,7 +57,8 @@
 <git-input>
 timeout = 3600
 </git-input>
-evaluator_restrict_eval = false
+binary_cache_public_uri = https://nix-cache.emile.space
 '';
+# evaluator_restrict_eval = false
 };
 }
diff --git a/nix/hosts/corrino/www/irc.emile.space.nix b/nix/hosts/corrino/www/irc.emile.space.nix
new file mode 100644
index 0000000..f738d62
--- /dev/null
+++ b/nix/hosts/corrino/www/irc.emile.space.nix
@@ -0,0 +1,155 @@ +{ config, ... }: + +{ + # Create a tls cert for the irc server + security.acme.certs = { + "irc.emile.space" = { + webroot = "/var/lib/acme/acme-challenge/"; + email = "acme@emile.space"; + postRun = "cp fullchain.pem /home/ergo/ && cp key.pem /home/ergo && chown ergo:ergo /home/ergo/*.pem && systemctl reload ergo.service"; + }; + }; + + # Allow ergo to access the created cert + # The systemd server runs using a dynamic user, so the below inserts the .pem files + # into "/run/credentials/ergochat.service/key.pem" + systemd.services.ergochat.serviceConfig = { + LoadCredential = [ + "fullchain.pem:/var/lib/acme/irc.emile.space/fullchain.pem" + "key.pem:/var/lib/acme/irc.emile.space/key.pem" + ]; + }; + + # allow connections to the port from the "outside" + networking.firewall.allowedTCPPorts = [ config.emile.ports.irc.ssl ]; + + services.ergochat = { + enable = true; + + # https://raw.githubusercontent.com/ergochat/ergo/master/default.yaml + settings = { + accounts = { + authentication-enabled = true; + multiclient = { + allowed-by-default = true; + always-on = "opt-out"; + auto-away = "opt-out"; + enabled = true; + }; + registration = { + enabled = true; + allow-before-connect = true; + bcrypt-cost = 4; + email-verification = { + enabled = false; + }; + throttling = { + duration = "10m"; + enabled = true; + max-attempts = 30; + }; + }; + }; + channels = { + default-modes = "+ntC"; + registration = { + enabled = true; + }; + }; + datastore = { + autoupgrade = true; + path = "/var/lib/ergo/ircd.db"; + }; + history = { + enabled = true; + autoreplay-on-join = 0; + autoresize-window = "3d"; + channel-length = 2048; + chathistory-maxmessages = 100; + client-length = 256; + restrictions = { + expire-time = "1w"; + grace-period = "1h"; + query-cutoff = "none"; + }; + retention = { + allow-individual-delete = false; + enable-account-indexing = false; + }; + tagmsg-storage = { + default = false; + whitelist = [ + "+draft/react" + "+react" + ]; + }; + 
znc-maxmessages = 2048; + }; + limits = { + awaylen = 390; + channellen = 64; + identlen = 20; + kicklen = 390; + nicklen = 32; + topiclen = 390; + }; + network = { + name = "emilespace"; + }; + server = { + casemapping = "permissive"; + check-ident = false; + enforce-utf = true; + forward-confirm-hostnames = false; + ip-cloaking = { + enabled = false; + }; + ip-limits = { + count = false; + throttle = false; + }; + listeners = { + # sts only port + ":6667".sts-only = true; + + # loopback listeners + # "127.0.0.1:6668" = {}; + # "[::]:6668" = {}; + + ":${toString config.emile.ports.irc.ssl}" = { + tls = { + cert = "/run/credentials/ergochat.service/fullchain.pem"; + key = "/run/credentials/ergochat.service/key.pem"; + }; + + # for cloud load balancers setting a PROXY header, NOT reverse proxies... + proxy = false; + + min-tls-version = 1.2; + }; + }; + lookup-hostnames = false; + max-sendq = "1M"; + name = "emile.space"; + relaymsg = { + enabled = false; + }; + sts = { + enabled = true; # redirect from plain to tls if supported + + # how long clients should be forced to use TLS for. + # (Emile): no clue why, can I set something like \infty here? + duration = "12m"; + + }; + }; + logging = [ + { + method = "stderr"; + type = "* -userinput -useroutput"; + level = "debug"; + } + ]; + }; + }; +} diff --git a/nix/hosts/corrino/www/nix-cache/default.nix b/nix/hosts/corrino/www/nix-cache/default.nix new file mode 100644 index 0000000..da2537c --- /dev/null +++ b/nix/hosts/corrino/www/nix-cache/default.nix @@ -0,0 +1,7 @@ +{ ... }: + +{ + imports = [ + ./nix-cache.emile.space.nix + ]; +} diff --git a/nix/hosts/corrino/www/nix-cache/index.txt b/nix/hosts/corrino/www/nix-cache/index.txt new file mode 100644 index 0000000..514b288 --- /dev/null +++ b/nix/hosts/corrino/www/nix-cache/index.txt 
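Review bot: The ACME `postRun` copies `fullchain.pem`/`key.pem` into `/home/ergo` and reloads `ergo.service`, while the service is actually wired through `systemd.services.ergochat` with `LoadCredential` reading straight from `/var/lib/acme/irc.emile.space/`; the copy leaves a second, unmanaged copy of the private key on disk, and the unit name in the reload looks wrong unless `ergo.service` is an alias defined elsewhere. Because `LoadCredential` snapshots the files into `/run/credentials/` when the unit starts, a renewed certificate only reaches the listener after a restart, so `postRun = "systemctl restart ergochat.service";` is both simpler and correct. Two listener details are also worth a look: `":6667".sts-only = true` is unreachable from outside because `networking.firewall.allowedTCPPorts` only opens the TLS port, so the STS redirect for plaintext clients can never happen (open 6667 as well, or drop the listener), and `sts.duration = "12m"` tells clients to remember the TLS policy for only twelve minutes — the upstream `default.yaml` linked in the comment uses a far longer value, which is what the `\infty` question in the comment is really after.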
@@ -0,0 +1,22 @@ +Nix Cache by emile + +Public key: + + nix-cache.emile.space:3xzJknXMsR/EL3SBTu6V6oCOkjxe6MgJm0nOrElW33A= + +NixOS Configuration: + + nix.settings = { + substituters = [ + "https://nix-cache.emile.space" + ]; + trusted-public-keys = [ + "nix-cache.emile.space:3xzJknXMsR/EL3SBTu6V6oCOkjxe6MgJm0nOrElW33A=" + ]; + } + +Try: + + nix build --substituters "https://nix-cache.emile.space" \ + --trusted-public-keys "nix-cache.emile.space:3xzJknXMsR/EL3SBTu6V6oCOkjxe6MgJm0nOrElW33A=" \ + "git+https://git.emile.space/hefe.git#r2wars-web" diff --git a/nix/hosts/corrino/www/nix-cache/nix-cache.emile.space.nix b/nix/hosts/corrino/www/nix-cache/nix-cache.emile.space.nix new file mode 100644 index 0000000..690e422 --- /dev/null +++ b/nix/hosts/corrino/www/nix-cache/nix-cache.emile.space.nix 
@@ -0,0 +1,58 @@ +{ ... }: + +{ + services.nginx.virtualHosts."nix-cache.emile.space" = { + forceSSL = false; + enableACME = false; + }; + # locations = { + # "/" = { + # root = "/var/www/emile.space"; + # extraConfig = '' + # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + # ''; + # }; + # }; + # locations."= /" = { + # index = "/index.txt"; + # }; + # locations."= /index.txt" = { + # root = ./index.txt; + # }; + # locations."= /nix/store/" = { + # extraConfig = '' + # return 404; + # ''; + # }; + # locations."/nix/store/" = { + # root = "/"; + # extraConfig = '' + # autoindex on; + # autoindex_exact_size off; + # ''; + # }; + # locations."/" = { + # proxyPass = "http://${config.services.harmonia.settings.bind}"; + # extraConfig = '' + # proxy_set_header Host $host; + # proxy_redirect http:// https://; + # proxy_http_version 1.1; + # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # proxy_set_header Upgrade $http_upgrade; + # proxy_set_header Connection $connection_upgrade; + + # zstd on; + # zstd_types application/x-nix-archive; + # ''; + # }; + # }; + + # services.harmonia = { + # enable = true; + + # # TODO(emile): manage this using age + # signKeyPath = "/var/lib/secrets/harmonia.secret"; + + # settings.bind = "[::1]:${toString config.emile.ports.harmonia}"; + # }; +} diff --git a/nix/hosts/lampadas/configuration.nix b/nix/hosts/lampadas/configuration.nix index 2453a88..748164c 100644 --- a/nix/hosts/lampadas/configuration.nix +++ b/nix/hosts/lampadas/configuration.nix 
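Review bot: `services.nginx.virtualHosts."nix-cache.emile.space"` is declared with `forceSSL = false; enableACME = false;` and no `locations`, while every consumer in this diff (`binary_cache_public_uri` in hydra.emile.space.nix, `index.txt`, `update-host.sh`) addresses `https://nix-cache.emile.space`; as committed the vhost answers on plain HTTP only and serves nothing, since the harmonia block and all locations are commented out, so `nix copy --from` against it will fail. If this is a deliberate placeholder, a comment such as `# TODO: harmonia + TLS not enabled yet; consumers already point at https://` would save the next reader a debugging session. The `signKeyPath` TODO in the commented harmonia block is the other thing to settle before enabling it, since the key material decides whether the `trusted-public-keys` entry in `index.txt` is worth anything.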
@@ -153,14 +153,15 @@ in { load printers = no server min protocol = SMB3 server smb encrypt = required - read raw = Yes - write raw = Yes - socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072 min receivefile size = 16384 use sendfile = true aio read size = 16384 aio write size = 16384 server multi channel support = yes + socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072 + read raw = Yes + write raw = Yes + large readwrite = yes ''; shares = { public = { @@ -172,8 +173,8 @@ in { "available" = "yes"; "create mask" = "2775"; "directory mask" = "2775"; - "force create mask" = "2775"; - "force directory mask" = "2775"; + # "force create mask" = "2775"; + # "force directory mask" = "2775"; "force user" = "samba-guest"; "comment" = "public data"; "writable" = "yes"; diff --git a/nix/lib/flake-helper.nix b/nix/lib/flake-helper.nix index 37e7b1f..b720232 100644 --- a/nix/lib/flake-helper.nix +++ b/nix/lib/flake-helper.nix @@ -36,7 +36,10 @@ rec { modules = modules ++ [ - self.nixosModules.emile + (if system == "x86_64-linux" then self.nixosModules.x86_64-linux + else + if system == "aarch64-darwin" then ({}) + else null) # a module so that we can access the flake output from inside the # flake (yes, I need this for fetching the system type while building the hosts for deploy-rs) @@ -46,6 +49,7 @@ rec { ({ ... }: { nixpkgs.overlays = [ self.overlays.emile + (_: _: { inherit (agenix.packages."x86_64-linux") agenix; }) (_: _: { unstable = import nixpkgs-unstable { diff --git a/nix/modules/r2wars-web/default.nix b/nix/modules/r2wars-web/default.nix index de3f105..509824e 100644 --- a/nix/modules/r2wars-web/default.nix +++ b/nix/modules/r2wars-web/default.nix @@ -3,7 +3,6 @@ let cfg = config.services.emile.r2wars-web; in with lib; { - options.services.emile.r2wars-web = { enable = mkEnableOption "Enable r2wars-web"; 
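Review bot: `read raw`, `write raw` and the newly added `large readwrite = yes` are SMB1-era options; with `server min protocol = SMB3` already set a few lines above they have no effect on any negotiated session, so the reorder and the addition presumably change nothing. Consider dropping them, or adding a short comment that they are kept for reference, so the global section only lists settings that apply to SMB3.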
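Review bot: The added overlay hardcodes `agenix.packages."x86_64-linux"` inside a helper that is otherwise parameterised on `system`, so on any other host this overlay injects an x86_64 `agenix` binary; `(_: _: { inherit (agenix.packages.${system}) agenix; })` keeps it consistent with the rest of the function (assuming `system` is in scope here as it is in the first hunk). The enclosing function starts before the hunk and its body continues after it.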
diff --git a/nix/modules/vm/default.nix b/nix/modules/vm/default.nix
new file mode 100644
index 0000000..0f65765
--- /dev/null
+++ b/nix/modules/vm/default.nix
@@ -0,0 +1,78 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.emile.r2wars-web; +in with lib; { + options.services.emile.r2wars-web = { + enable = mkEnableOption "Enable r2wars-web"; + + # ip and port to listen on + guest = mkOption { + type = types.str; + default = "vmnameone"; + example = "vmnameone"; + description = "The name of the vm"; + }; + }; + + config = mkIf cfg.enable { + systemd.services = lib.mapAttrs' (name: guest: lib.nameValuePair "libvirtd-guest-${name}" { + after = [ "libvirtd.service" ]; + requires = [ "libvirtd.service" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = "yes"; + }; + script = + let + xml = pkgs.writeText "libvirt-guest-${name}.xml" + '' + <domain type="kvm"> + <name>${name}</name> + <uuid>UUID</uuid> + <os> + <type>hvm</type> + </os> + <memory unit="GiB">${guest.memory}</memory> + <devices> + <disk type="volume"> + <source volume="guest-${name}"/> + <target dev="vda" bus="virtio"/> + </disk> + <graphics type="spice" autoport="yes"/> + <input type="keyboard" bus="usb"/> + <interface type="direct"> + <source dev="${hostNic}" mode="bridge"/> + <mac address="${guest.mac}"/> + <model type="virtio"/> + </interface> + </devices> + <features> + <acpi/> + </features> + </domain> + ''; + in + '' + uuid="$(${pkgs.libvirt}/bin/virsh domuuid '${name}' || true)" + ${pkgs.libvirt}/bin/virsh define <(sed "s/UUID/$uuid/" '${xml}') + ${pkgs.libvirt}/bin/virsh start '${name}' + ''; + preStop = + '' + ${pkgs.libvirt}/bin/virsh shutdown '${name}' + let "timeout = $(date +%s) + 10" + while [ "$(${pkgs.libvirt}/bin/virsh list --name | grep --count '^${name}$')" -gt 0 ]; do + if [ "$(date +%s)" -ge "$timeout" ]; then + # Meh, we warned it... + ${pkgs.libvirt}/bin/virsh destroy '${name}' + else + # The machine is still running, let's give it some time to shut down + sleep 0.5 + fi + done + ''; + }) guests; + }; +} 
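Review bot: This new module re-declares `options.services.emile.r2wars-web` (with `cfg` pointing at the same path) although it has nothing to do with r2wars-web; nix/modules/r2wars-web/default.nix in this same diff declares that option too, so importing both modules should fail with a duplicate option declaration, and enabling one would enable the other. The `config` body also uses `guests` and `hostNic`, which are not bound anywhere in the file, and `guest.memory`/`guest.mac`, which the declared `guest` string option does not provide, so the module cannot evaluate once enabled. The option block needs its own path plus a typed `guests` attrset and a `hostNic` option, after which the `mapAttrs'` body can use `cfg.guests` and `cfg.hostNic` unchanged. The `UUID` substitution presumably also yields `<uuid></uuid>` for a not-yet-defined guest, because `virsh domuuid ... || true` swallows the failure; generating a fresh uuid in that case would be safer.
```nix
let
  cfg = config.services.emile.vm;
in with lib; {
  options.services.emile.vm = {
    enable = mkEnableOption "Enable libvirt guest units";

    hostNic = mkOption {
      type = types.str;
      description = "Host interface the guests are bridged onto";
    };

    guests = mkOption {
      type = types.attrsOf (types.submodule {
        options = {
          memory = mkOption { type = types.str; description = "Guest memory in GiB"; };
          mac = mkOption { type = types.str; description = "MAC address of the guest NIC"; };
        };
      });
      default = { };
      description = "libvirt guests to define and start, keyed by domain name";
    };
  };

  config = mkIf cfg.enable {
    systemd.services = lib.mapAttrs' (name: guest: lib.nameValuePair "libvirtd-guest-${name}" {
      # … unchanged: unit definition and xml, with ${cfg.hostNic} in place of ${hostNic} …
    }) cfg.guests;
  };
}
```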
diff --git a/nix/modules/default.nix b/nix/modules/x86_64-linux.nix
index 6e6faae..9f81e10 100644
--- a/nix/modules/default.nix
+++ b/nix/modules/x86_64-linux.nix
@@ -1,5 +1,3 @@
-{ ... }:
-
 {
 imports = [
 ./ports
diff --git a/update-host.sh b/update-host.sh
new file mode 100755
index 0000000..a70b053
--- /dev/null
+++ b/update-host.sh
@@ -0,0 +1,9 @@
+HOSTNAME="corrino"
+
+HYDRA=https://hydra.emile.space/job/hefe/builds/nixosConfigurations.${HOSTNAME}/latest-finished
+STORE_PATH="$(curl -sL -H "Accept: application/json" "${HYDRA}" | jq -r ".buildoutputs.out.path")"
+
+nix copy --from "https://nix-cache.emile.space" "${STORE_PATH}"
+nix-env -p "/nix/var/nix/profiles/system" --set "${STORE_PATH}"
+/nix/var/nix/profiles/system/bin/switch-to-configuration boot
+ |
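Review bot: The script has no shebang despite its 100755 mode and no `set -euo pipefail`, so when the Hydra request or `jq` fails `STORE_PATH` becomes empty or the literal `null` and the script still proceeds to `nix copy` and `nix-env --set` with that value; add `#!/usr/bin/env bash`, `set -euo pipefail`, and a guard such as `[ -n "${STORE_PATH}" ] && [ "${STORE_PATH}" != "null" ] || { echo "no finished build for ${HOSTNAME}" >&2; exit 1; }` before the `nix copy`. The path that becomes the system profile is taken from an HTTP response, which is acceptable only because `nix copy` still verifies the store path's signature against the host's `trusted-public-keys`; a comment stating that, and that `--no-check-sigs` must not be added here, records the trust assumption for whoever edits this next. `HOSTNAME` is also a variable the shell may already set from the environment, so a distinct name such as `TARGET_HOST` avoids surprises.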