Diffstat (limited to 'nix')
59 files changed, 2415 insertions, 2101 deletions
diff --git a/nix/hosts/caladan/aliases.nix b/nix/hosts/caladan/aliases.nix index 58c224e..a48d403 100644 --- a/nix/hosts/caladan/aliases.nix +++ b/nix/hosts/caladan/aliases.nix @@ -24,8 +24,7 @@ "........" = "cd ../../../../../../.."; grep = "grep --color=auto"; - nix-stray-roots = '' - nix-store --gc --print-roots | egrep -v "^(/nix/var|/run/w+-system|{memory)"''; + nix-stray-roots = ''nix-store --gc --print-roots | egrep -v "^(/nix/var|/run/w+-system|{memory)"''; holdmybeer = "sudo "; @@ -44,7 +43,7 @@ nmap_check_for_vulns = "nmap --script = vuln"; nmap_full_udp = "sudo nmap -sS -sU -T4 -A -v -PE -PS22,25,80 -PA21,23,80,443,3389 "; nmap_traceroute = "sudo nmap -sP -PE -PS22,25,80 -PA21,23,80,3389 -PU -PO --traceroute "; - nmap_full_with_scripts = "sudo nmap -sS -sU -T4 -A -v -PE -PP -PS21,22,23,25,80,113,31339 -PA80,113,443,10042 -PO --script all " ; + nmap_full_with_scripts = "sudo nmap -sS -sU -T4 -A -v -PE -PP -PS21,22,23,25,80,113,31339 -PA80,113,443,10042 -PO --script all "; nmap_web_safe_osscan = "sudo nmap -p 80,443 -O -v --osscan-guess --fuzzy "; nmap_ping_scan = "nmap -n -sP"; diff --git a/nix/hosts/caladan/darwin-configuration.nix b/nix/hosts/caladan/darwin-configuration.nix index 2461fd2..597ee1a 100644 --- a/nix/hosts/caladan/darwin-configuration.nix +++ b/nix/hosts/caladan/darwin-configuration.nix @@ -1,9 +1,7 @@ { pkgs, lib, ... }: { - imports = [ - ./overlay.nix - ]; + imports = [ ./overlay.nix ]; users.users.emile = { name = "emile"; 
@@ -31,15 +29,21 @@ nix = { useDaemon = true; package = pkgs.nixFlakes; - extraOptions = '' - builders-use-substitutes = true - auto-optimise-store = true - '' + lib.optionalString (pkgs.system == "aarch64-darwin") '' - extra-platforms = x86_64-darwin aarch64-darwin - ''; + extraOptions = + '' + builders-use-substitutes = true + auto-optimise-store = true + '' + + lib.optionalString (pkgs.system == "aarch64-darwin") '' + extra-platforms = x86_64-darwin aarch64-darwin + ''; settings = { - trusted-users = [ "root" "hydra" "emile" ]; + trusted-users = [ + "root" + "hydra" + "emile" + ]; trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" @@ -52,12 +56,15 @@ "https://cache.garnix.io" ]; - experimental-features = [ "nix-command" "flakes" ]; + experimental-features = [ + "nix-command" + "flakes" + ]; }; distributedBuilds = true; - buildMachines = [ + buildMachines = [ { hostName = "corrino.emile.space"; system = "x86_64-linux"; @@ -75,9 +82,14 @@ # cat /etc/nix/machines # root@corrino x86_64-linux /home/nix/.ssh/id_ed25519 8 1 kvm,benchmark - supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ]; + supportedFeatures = [ + "nixos-test" + "benchmark" + "big-parallel" + "kvm" + ]; mandatoryFeatures = [ ]; - } + } ]; }; @@ -92,7 +104,10 @@ environment = { systemPackages = [ ]; # set via home-manager - shells = with pkgs; [ bashInteractive zsh ]; + shells = with pkgs; [ + bashInteractive + zsh + ]; }; } diff --git a/nix/hosts/caladan/home_emile.nix b/nix/hosts/caladan/home_emile.nix index ee6c64b..c700da6 100644 --- a/nix/hosts/caladan/home_emile.nix +++ b/nix/hosts/caladan/home_emile.nix @@ -14,7 +14,7 @@ # let home-manager install and manage itself home-manager.enable = true; - direnv = { + direnv = { enable = true; nix-direnv.enable = true; }; 
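Review bot: The reformatted `trusted-users = [ "root" "hydra" "emile" ]` block in darwin-configuration.nix keeps the `hydra` build account as a Nix trusted user, and trusted users can hand the daemon arbitrary substituters, sandbox settings and unsigned store paths, which is effectively root on the host. If hydra is trusted only so the ssh-ng remote builds configured on corrino can push paths into this store, that is a deliberate trade-off, but nothing in the file says so. A one-line comment such as `# hydra is a trusted user so corrino's ssh-ng remote builds can copy unsigned paths; this is daemon-level (root-equivalent) access` would record the intent, and if that is not the reason the entry can likely be dropped.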
@@ -33,7 +33,11 @@ # enableAutosuggestions = true; oh-my-zsh = { enable = true; - plugins = [ "git" "web-search" "urltools" ]; + plugins = [ + "git" + "web-search" + "urltools" + ]; }; defaultKeymap = "viins"; @@ -59,11 +63,12 @@ emacs = { enable = true; package = pkgs.emacs; - extraPackages = epkgs: with epkgs; [ - nix-mode - magit - meow - ]; + extraPackages = + epkgs: with epkgs; [ + nix-mode + magit + meow + ]; extraConfig = '' (setq standard-indent 2) @@ -407,16 +412,30 @@ }; home.packages = with pkgs; [ - coreutils mpv + coreutils + mpv # terminal foo # kitty - jq ripgrep fd eza lsd tree broot - du-dust mktemp htop rsync - p7zip imagemagick binwalk lftp + jq + ripgrep + fd + eza + lsd + tree + broot + du-dust + mktemp + htop + rsync + p7zip + imagemagick + binwalk + lftp graphviz - git tig + git + tig # nix related tools deploy-rs @@ -442,7 +461,8 @@ yarr # go foo - go delve + go + delve # c foo cmake @@ -458,7 +478,7 @@ # qemu tooling qemu - sphinx #docs + sphinx # docs virt-manager # lisp foo @@ -468,7 +488,8 @@ clisp # infrastructure as code foo - terraform ansible + terraform + ansible portmidi @@ -480,6 +501,6 @@ # blender - # ] ++ lib.optionals stdenv.isDarwin [ + # ] ++ lib.optionals stdenv.isDarwin [ ]; } diff --git a/nix/hosts/caladan/home_hydra.nix b/nix/hosts/caladan/home_hydra.nix index 1161d9a..4834b67 100644 --- a/nix/hosts/caladan/home_hydra.nix +++ b/nix/hosts/caladan/home_hydra.nix 
@@ -1,20 +1,18 @@ { pkgs, ... }: { - home = { - stateVersion = "22.11"; - username = "hydra"; - homeDirectory = "/Users/hydra"; - }; + home = { + stateVersion = "22.11"; + username = "hydra"; + homeDirectory = "/Users/hydra"; + }; - programs = { - # let home-manager install and manage itself - home-manager.enable = true; - }; + programs = { + # let home-manager install and manage itself + home-manager.enable = true; + }; - home.packages = with pkgs; [ - tailscale - ]; + home.packages = with pkgs; [ tailscale ]; - services.openssh.enable = true; + services.openssh.enable = true; } diff --git a/nix/hosts/chusuk/configuration.nix b/nix/hosts/chusuk/configuration.nix index c9c52e7..5ec116f 100644 --- a/nix/hosts/chusuk/configuration.nix +++ b/nix/hosts/chusuk/configuration.nix @@ -5,10 +5,10 @@ { config, pkgs, ... }: { - imports = - [ # Include the results of the hardware scan. - ./hardware-configuration.nix - ]; + imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; @@ -19,7 +19,7 @@ networking = { hostName = "chusuk"; # Define your hostname. - wireless.enable = true; # Enables wireless support via wpa_supplicant. + wireless.enable = true; # Enables wireless support via wpa_supplicant. # The global useDHCP flag is deprecated, therefore explicitly set to false here. # Per-interface useDHCP will be mandatory in the future, so this generated config @@ -62,9 +62,14 @@ environment = { pathsToLink = [ "/libexec" ]; systemPackages = with pkgs; [ - kitty - vim helix - wget htop eza fd du-dust + kitty + vim + helix + wget + htop + eza + fd + du-dust tailscale cryptsetup firefox @@ -76,7 +81,8 @@ waybar hyprpaper # wallpaper - tofi rofi + tofi + rofi dolphin mako @@ -123,7 +129,10 @@ windowManager.i3 = { enable = true; extraPackages = with pkgs; [ - dmenu i3status i3lock i3blocks + dmenu + i3status + i3lock + i3blocks ]; }; }; 
@@ -138,4 +147,3 @@ system.stateVersion = "21.05"; # Did you read the comment? } - diff --git a/nix/hosts/chusuk/hardware-configuration.nix b/nix/hosts/chusuk/hardware-configuration.nix index 6b34e3b..ebe26fc 100644 --- a/nix/hosts/chusuk/hardware-configuration.nix +++ b/nix/hosts/chusuk/hardware-configuration.nix @@ -1,31 +1,39 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" ]; + boot.initrd.availableKernelModules = [ + "xhci_pci" + "ahci" + "nvme" + "usb_storage" + "sd_mod" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/disk/by-uuid/22445c0e-71bd-488f-88e5-0abc60441e58"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/22445c0e-71bd-488f-88e5-0abc60441e58"; + fsType = "ext4"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/29BB-5D28"; - fsType = "vfat"; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/29BB-5D28"; + fsType = "vfat"; + }; - swapDevices = - [ { device = "/dev/disk/by-uuid/d79efda2-1190-428c-8598-6911793175fb"; } - ]; + swapDevices = [ { device = "/dev/disk/by-uuid/d79efda2-1190-428c-8598-6911793175fb"; } ]; powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; } diff --git a/nix/hosts/corrino/configuration.nix b/nix/hosts/corrino/configuration.nix index 5f012b0..9ba6c55 100644 --- a/nix/hosts/corrino/configuration.nix +++ b/nix/hosts/corrino/configuration.nix 
@@ -5,60 +5,61 @@ let # keys = key; keys = { emile = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZi43zHEsoWaQomLGaftPE5k0RqVrZyiTtGqZlpWsew emile@caladan" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGzY3eCD6D07Kc8iBIO3nLRsqaOZ+Q+RKykXLefT26eU shortcuts@caladan" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMoHWyC9r0LVk6UlkhBWAJph0F6KHYHh83EI5U9wtfq2 shortcuts@ginaz" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZi43zHEsoWaQomLGaftPE5k0RqVrZyiTtGqZlpWsew emile@caladan" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGzY3eCD6D07Kc8iBIO3nLRsqaOZ+Q+RKykXLefT26eU shortcuts@caladan" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMoHWyC9r0LVk6UlkhBWAJph0F6KHYHh83EI5U9wtfq2 shortcuts@ginaz" ]; }; -in { - imports = - [ # Include the results of the hardware scan. - ./hardware-configuration.nix +in +{ + imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix - ./ports.nix + ./ports.nix - ./www/git - ./www/nix-cache + ./www/git + ./www/nix-cache - # screego + # screego - # web - ./www/emile.space.nix - ./www/tmp.emile.space.nix - ./www/hydra.emile.space.nix - ./www/netbox.emile.space.nix - ./www/grafana.emile.space.nix + # web + ./www/emile.space.nix + ./www/tmp.emile.space.nix + ./www/hydra.emile.space.nix + ./www/netbox.emile.space.nix + ./www/grafana.emile.space.nix - # ./www/photo.emile.space.nix - # ./www/photo + # ./www/photo.emile.space.nix + # ./www/photo - ./www/tickets.emile.space.nix - ./www/talks.emile.space.nix - ./www/stream.emile.space.nix - ./www/md.emile.space.nix - ./www/social.emile.space.nix - ./www/sso.emile.space.nix - ./www/s3.emile.space.nix - ./www/cs.emile.space.nix - ./www/irc.emile.space.nix - ./www/db.emile.space.nix + ./www/tickets.emile.space.nix + ./www/talks.emile.space.nix + ./www/stream.emile.space.nix + ./www/md.emile.space.nix + ./www/social.emile.space.nix + ./www/sso.emile.space.nix + ./www/s3.emile.space.nix + ./www/cs.emile.space.nix + ./www/irc.emile.space.nix + ./www/db.emile.space.nix - # ./www/irc.emile.space.nix - # ./www/irc + # 
./www/irc.emile.space.nix + # ./www/irc - ./www/ctf.emile.space.nix - # ./www/magic-hash.emile.space.nix + ./www/ctf.emile.space.nix + # ./www/magic-hash.emile.space.nix - # gemini - ./gemini/emile.space.nix + # gemini + ./gemini/emile.space.nix - # general purpose modules + # general purpose modules - # r2wars - ./www/r2wa.rs.nix + # r2wars + ./www/r2wa.rs.nix - # containers - ]; + # containers + ]; # Use GRUB2 as the boot loader. # We don't use systemd-boot because Hetzner uses BIOS legacy boot. @@ -71,21 +72,30 @@ in { efiSupport = false; enableCryptodisk = true; device = "nodev"; - devices = [ "/dev/nvme0n1" "/dev/nvme1n1"]; + devices = [ + "/dev/nvme0n1" + "/dev/nvme1n1" + ]; }; - kernelParams = [ "ip=135.181.142.139::135.181.142.129:255.255.255.192:corrino:enp35s0:off:8.8.8.8:8.8.4.4:" ]; + kernelParams = [ + "ip=135.181.142.139::135.181.142.129:255.255.255.192:corrino:enp35s0:off:8.8.8.8:8.8.4.4:" + ]; initrd = { kernelModules = [ "dm-snapshot" ]; - availableKernelModules = [ "cryptd" "aesni_intel" "igb" ];#"FIXME Your network driver" ]; + availableKernelModules = [ + "cryptd" + "aesni_intel" + "igb" + ]; # "FIXME Your network driver" ]; network = { enable = true; ssh = { enable = true; - + # ssh port during boot for luks decryption port = config.emile.ports.initrd_ssh; authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys; @@ -106,7 +116,7 @@ in { }; }; }; - + secrets = { "/initrd_ssh_host_ecdsa_key" = "/initrd_ssh_host_ecdsa_key"; }; @@ -203,8 +213,14 @@ in { description = "Automatic connection to Tailscale"; # make sure tailscale is running before trying to connect to tailscale - after = [ "network-pre.target" "tailscale.service" ]; - wants = [ "network-pre.target" "tailscale.service" ]; + after = [ + "network-pre.target" + "tailscale.service" + ]; + wants = [ + "network-pre.target" + "tailscale.service" + ]; wantedBy = [ "multi-user.target" ]; # set this service as a oneshot job 
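Review bot: In the `@@ -71,21 +72,30 @@` hunk of corrino/configuration.nix the fragment `# "FIXME Your network driver" ];` that nixfmt now hangs off the closing `];` of `availableKernelModules` is a leftover of an earlier one-line list and no longer reads as a to-do. Since the initrd ssh listener for LUKS unlock in the same hunk depends on the NIC driver being present, the comment is worth keeping as a real note rather than deleting: `# FIXME(emile): igb is assumed to be the NIC driver needed for initrd networking; initrd ssh unlock breaks if the hardware changes`.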
@@ -225,7 +241,7 @@ in { ${tailscale}/bin/tailscale up \ --advertise-exit-node --exit-node ''; - # -authkey ${config.age.secrets.tailscale_authkey} + # -authkey ${config.age.secrets.tailscale_authkey} }; networking = { @@ -237,18 +253,30 @@ in { interfaces = { "enp35s0" = { ipv4.addresses = [ - { address = "135.181.142.139"; prefixLength = 26; } + { + address = "135.181.142.139"; + prefixLength = 26; + } ]; }; "enp35s0".ipv6.addresses = [ - { address = "2a01:4f9:3a:16a4::1"; prefixLength = 64; } + { + address = "2a01:4f9:3a:16a4::1"; + prefixLength = 64; + } ]; }; defaultGateway = "135.181.142.129"; - defaultGateway6 = { address = "fe80::1"; interface = "enp35s0"; }; + defaultGateway6 = { + address = "fe80::1"; + interface = "enp35s0"; + }; - nameservers = [ "8.8.8.8" "8.8.4.4" ]; + nameservers = [ + "8.8.8.8" + "8.8.4.4" + ]; # incus doesn't support iptables, so we're using nftables here nftables.enable = true; @@ -257,13 +285,17 @@ in { enable = true; allowedTCPPorts = [ config.emile.ports.gitDaemon # gitDaemon - 80 443 # normal web + 80 + 443 # normal web ]; allowedUDPPorts = [ 51820 # wireguard ]; allowedUDPPortRanges = [ - { from = 60000; to = 61000; } # mosh + { + from = 60000; + to = 61000; + } # mosh ]; interfaces."tailscale0".allowedTCPPorts = [ @@ -275,7 +307,10 @@ in { enable = true; enableIPv6 = true; externalInterface = "enp35s0"; - internalInterfaces = [ "wg0" "ve-+"]; + internalInterfaces = [ + "wg0" + "ve-+" + ]; }; wireguard = { @@ -298,12 +333,14 @@ in { peers = [ # List of allowed peers. - { # Emiles-MBA + { + # Emiles-MBA publicKey = "Ebsjn7w2FeUs5lUN6ALoUcF/o9/+SopDL324YJPSCDY="; # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing. allowedIPs = [ "10.87.0.2/32" ]; } - { # Emiles-IphoneX + { + # Emiles-IphoneX publicKey = "xGfmwraI0Eh3eFEXjJrd2AYCgUM1uK4Y+FX5ACAQZ3M="; # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing. allowedIPs = [ "10.87.0.3/32" ]; 
@@ -317,7 +354,7 @@ in { users.users = { root = { initialHashedPassword = ""; - openssh.authorizedKeys.keys = [] ++ keys.emile; + openssh.authorizedKeys.keys = [ ] ++ keys.emile; packages = with pkgs; [ mdadm tailscale @@ -326,15 +363,22 @@ in { htop git vim - fd ripgrep + fd + ripgrep + ]; + extraGroups = [ + "docker" + "libvirtd" ]; - extraGroups = [ "docker" "libvirtd" ]; }; hack = { isNormalUser = true; - openssh.authorizedKeys.keys = [] ++ keys.emile; - extraGroups = [ "docker" "libvirtd" ]; + openssh.authorizedKeys.keys = [ ] ++ keys.emile; + extraGroups = [ + "docker" + "libvirtd" + ]; }; tmpuser1 = { @@ -343,7 +387,7 @@ in { # TODO(emile): read after the whole user system is setup # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJMMq7gVuOuJEuarcsss2pb4JJS39zW/Fuow0foyqlV5 noobtracker@noobtracker-linux" - openssh.authorizedKeys.keys = [] ++ keys.emile; + openssh.authorizedKeys.keys = [ ] ++ keys.emile; }; }; @@ -371,9 +415,12 @@ in { useRoutingFeatures = "both"; }; }; - + nix = { - settings.experimental-features = [ "nix-command" "flakes" ]; + settings.experimental-features = [ + "nix-command" + "flakes" + ]; gc = { automatic = true; @@ -419,7 +466,7 @@ in { builders-use-substitutes = true allowed-uris = http:// https:// ''; - # allowed-uris = ssh://git@git.emile.space/hefe-internal git.emile.space git@git.emile.space ssh://git@git.emile.space + # allowed-uris = ssh://git@git.emile.space/hefe-internal git.emile.space git@git.emile.space ssh://git@git.emile.space # allowed-uris = git.emile.space: gitea@git.emile.space: ssh://gitea@git.emile.space/hanemile/hefe-internal.git git+ssh: git+https: # settings.allowed-uris = [ @@ -432,7 +479,12 @@ in { system = "x86_64-linux"; protocol = "ssh-ng"; maxJobs = 1; - supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ]; + supportedFeatures = [ + "nixos-test" + "benchmark" + "big-parallel" + "kvm" + ]; } { hostName = "caladan.pinto-pike.ts.net"; 
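Review bot: The reformatted `extraGroups = [ "docker" "libvirtd" ]` of the `hack` user in the `@@ -326,15 +363,22 @@` hunk keeps a non-root account in the `docker` group, and membership in that group is root-equivalent because anyone who can talk to the daemon socket can start a container with the host filesystem mounted. That is acceptable if `hack` is simply a second identity of the same operator, which the shared `keys.emile` login keys suggest, but the file should say so, e.g. `# docker group is root-equivalent; hack is an alias of emile, not a confined account`. If `hack` is meant to be a confined account instead, rootless podman or a dedicated group would preserve the privilege boundary. The enclosing `users.users` set starts before and ends after this hunk.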
@@ -440,12 +492,17 @@ in { protocol = "ssh-ng"; maxJobs = 1; speedFactor = 2; - supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ]; + supportedFeatures = [ + "nixos-test" + "benchmark" + "big-parallel" + "kvm" + ]; mandatoryFeatures = [ ]; } ]; - distributedBuilds = true; + distributedBuilds = true; }; nixpkgs.config = { @@ -491,7 +548,10 @@ in { fileSystems."/proc" = { device = "/proc"; options = [ - "nosuid" "nodev" "noexec" "relatime" # normal foo + "nosuid" + "nodev" + "noexec" + "relatime" # normal foo "hidepid=2" # this makes sure users can only see their own processes ]; }; @@ -502,7 +562,8 @@ in { options = let automount_opts = "_netdev,x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s"; - in ["${automount_opts},credentials=${config.age.secrets.storage_box_bx11_password.path}"]; + in + [ "${automount_opts},credentials=${config.age.secrets.storage_box_bx11_password.path}" ]; }; # FIXME diff --git a/nix/hosts/corrino/default.nix b/nix/hosts/corrino/default.nix index 87486c5..157af45 100644 --- a/nix/hosts/corrino/default.nix +++ b/nix/hosts/corrino/default.nix @@ -1,3 +1 @@ -{ - sshKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFzoWTW3c7CKWx5t0OZzTfKTlC6R2VHXczVatgYI57N"; -} +{ sshKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFzoWTW3c7CKWx5t0OZzTfKTlC6R2VHXczVatgYI57N"; } diff --git a/nix/hosts/corrino/emile.space.nix b/nix/hosts/corrino/emile.space.nix index 9cca880..d30c29f 100644 --- a/nix/hosts/corrino/emile.space.nix +++ b/nix/hosts/corrino/emile.space.nix @@ -10,7 +10,7 @@ root = "/var/www/emile.space"; extraConfig = '' add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - ''; + ''; }; #"/.well-known" = { diff --git a/nix/hosts/corrino/hardware-configuration.nix b/nix/hosts/corrino/hardware-configuration.nix index b4e8c1e..ed55c25 100644 --- a/nix/hosts/corrino/hardware-configuration.nix +++ b/nix/hosts/corrino/hardware-configuration.nix 
@@ -1,28 +1,34 @@ - - # Do not modify this file! It was generated by ‘nixos-generate-config’ +# Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = [ "ahci" "nvme" ]; + boot.initrd.availableKernelModules = [ + "ahci" + "nvme" + ]; boot.initrd.kernelModules = [ "dm-snapshot" ]; boot.kernelModules = [ "kvm-amd" ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/disk/by-uuid/4d372699-9d47-44bf-a68e-eeb126fb7ad6"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/4d372699-9d47-44bf-a68e-eeb126fb7ad6"; + fsType = "ext4"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/726db4ba-5b90-47e2-b924-72623f02585a"; - fsType = "ext4"; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/726db4ba-5b90-47e2-b924-72623f02585a"; + fsType = "ext4"; + }; swapDevices = [ ]; diff --git a/nix/hosts/corrino/ports.nix b/nix/hosts/corrino/ports.nix index 6f17be5..0c2bd2a 100644 --- a/nix/hosts/corrino/ports.nix +++ b/nix/hosts/corrino/ports.nix 
@@ -1,40 +1,40 @@ { - emile.ports = { - stream_rtmp = 1935; - initrd_ssh = 2222; - photo = { - photoprism = 2342; - immich = 2343; - }; - git = 3000; - hydra = 3001; - grafana = 3002; - md = 3003; - gotosocial = 3004; - harmonia = 5000; - irc = { - clear = 6667; - ssl = 6697; - }; - hound = 6080; - stream = 8080; - netbox = 8001; - restic = 8002; - nocodb = 8003; - r2wars-web = 8089; - ctf = 8338; - magic-hash = 8339; - tickets = 8349; - talks = 8350; - minio = { - s3 = 9000; - web = 9001; - }; - authelia = 9091; - prometheus = 9003; - gitDaemon = 9418; - prometheus_node_exporter = 9002; - prometheus_systemd_exporter = 9558; - prometheus_smartctl_exporter = 9633; - }; + emile.ports = { + stream_rtmp = 1935; + initrd_ssh = 2222; + photo = { + photoprism = 2342; + immich = 2343; + }; + git = 3000; + hydra = 3001; + grafana = 3002; + md = 3003; + gotosocial = 3004; + harmonia = 5000; + irc = { + clear = 6667; + ssl = 6697; + }; + hound = 6080; + stream = 8080; + netbox = 8001; + restic = 8002; + nocodb = 8003; + r2wars-web = 8089; + ctf = 8338; + magic-hash = 8339; + tickets = 8349; + talks = 8350; + minio = { + s3 = 9000; + web = 9001; + }; + authelia = 9091; + prometheus = 9003; + gitDaemon = 9418; + prometheus_node_exporter = 9002; + prometheus_systemd_exporter = 9558; + prometheus_smartctl_exporter = 9633; + }; } diff --git a/nix/hosts/corrino/www/cs.emile.space.nix b/nix/hosts/corrino/www/cs.emile.space.nix index 4f1b91e..7aefc64 100644 --- a/nix/hosts/corrino/www/cs.emile.space.nix +++ b/nix/hosts/corrino/www/cs.emile.space.nix 
@@ -2,53 +2,58 @@ let - # get's all repos configured in cgit and converts them into some JSON that is used by hound - repos = builtins.toJSON - (lib.mergeAttrsList - (map - (x: {"${x.name}" = { url = "file://${x.path}"; }; }) - (lib.mapAttrsToList - (name: value: value // { name = "${name}"; }) - config.services.cgit.main.repos))); -in { - services.nginx.virtualHosts."cs.emile.space" = { - forceSSL = true; - enableACME = true; - locations = { - "/" = { + # get's all repos configured in cgit and converts them into some JSON that is used by hound + repos = builtins.toJSON ( + lib.mergeAttrsList ( + map + (x: { + "${x.name}" = { + url = "file://${x.path}"; + }; + }) + (lib.mapAttrsToList (name: value: value // { name = "${name}"; }) config.services.cgit.main.repos) + ) + ); +in +{ + services.nginx.virtualHosts."cs.emile.space" = { + forceSSL = true; + enableACME = true; + locations = { + "/" = { proxyPass = "http://${config.services.hound.listen}"; - }; - }; - }; + }; + }; + }; - # add hound user to git group so the local repos can be read + # add hound user to git group so the local repos can be read # users.users.hound.extraGroups = [ "git" ]; - users.groups."git".members = [ "hound" ]; + users.groups."git".members = [ "hound" ]; - # The `.gitignore` of the user `hound` should contain the following: - # - # [safe] + # The `.gitignore` of the user `hound` should contain the following: + # + # [safe] # directory = /var/lib/git/repositories/* # directory = /var/lib/git/repositories/faila.git # directory = /var/lib/git/repositories/faila2.git - services.hound = { - enable = true; - - config = '' - { - "dbpath": "/var/lib/hound/data", - "max-concurrent-indexers" : 6, - "vcs-config" : { - "git" : { - "detect-ref" : true - } - }, - "repos" : ${repos} - } - ''; - - listen = "127.0.0.1:${toString config.emile.ports.hound}"; - }; + services.hound = { + enable = true; + + config = '' + { + "dbpath": "/var/lib/hound/data", + "max-concurrent-indexers" : 6, + "vcs-config" : { + 
"git" : { + "detect-ref" : true + } + }, + "repos" : ${repos} + } + ''; + + listen = "127.0.0.1:${toString config.emile.ports.hound}"; + }; } diff --git a/nix/hosts/corrino/www/ctf.emile.space.nix b/nix/hosts/corrino/www/ctf.emile.space.nix index 6eee75f..28c9419 100644 --- a/nix/hosts/corrino/www/ctf.emile.space.nix +++ b/nix/hosts/corrino/www/ctf.emile.space.nix @@ -17,9 +17,7 @@ containers = { "ctfd" = { image = "ctfd/ctfd"; - ports = [ - "${toString config.emile.ports.ctf}:8000" - ]; + ports = [ "${toString config.emile.ports.ctf}:8000" ]; }; }; }; diff --git a/nix/hosts/corrino/www/db.emile.space.nix b/nix/hosts/corrino/www/db.emile.space.nix index 7cb365e..3385319 100644 --- a/nix/hosts/corrino/www/db.emile.space.nix +++ b/nix/hosts/corrino/www/db.emile.space.nix @@ -15,7 +15,7 @@ containers = { "noco" = { image = "nocodb/nocodb:latest"; - volumes = [ "nocodb:/usr/app/data" ]; + volumes = [ "nocodb:/usr/app/data" ]; ports = [ "${toString config.emile.ports.nocodb}:8080" ]; }; }; diff --git a/nix/hosts/corrino/www/git/cgit.nix b/nix/hosts/corrino/www/git/cgit.nix index b48157a..edbbe2f 100644 --- a/nix/hosts/corrino/www/git/cgit.nix +++ b/nix/hosts/corrino/www/git/cgit.nix 
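Review bot: The reindented comment in cs.emile.space.nix still says the `[safe]` / `directory = …` entries belong in the `.gitignore` of the `hound` user, but `[safe]` is a git configuration section, so the file meant is `.gitconfig`; cgit.nix in this same commit in fact generates exactly those entries into `environment.etc.gitconfig`. Change the line to `# The \`.gitconfig\` of the user \`hound\` should contain the following:` or, better, point at the generated /etc/gitconfig so the two lists cannot drift apart. While touching the comments, `get's all repos` above `repos =` should read `gets all repos`.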
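Review bot: The collapsed `ports = [ "${toString config.emile.ports.ctf}:8000" ]` in ctf.emile.space.nix publishes the ctfd container port without a host address, and both oci-container backends publish such ports on all interfaces by default, so the mapped port (8338 per ports.nix) is presumably reachable on the public interface even though the NixOS firewall only opens 80/443 and the git daemon port, since docker in particular installs its own forwarding rules ahead of the host firewall. If the container is only meant to be reached through its nginx vhost, bind it to loopback the way hound is in cs.emile.space.nix: `ports = [ "127.0.0.1:${toString config.emile.ports.ctf}:8000" ];`. The `nocodb` ports line in db.emile.space.nix has the same shape but is only context in its hunk.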
@@ -1,603 +1,607 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: let - repodirs = builtins.concatStringsSep "\n" - (map - (x: "directory = ${x}") - (lib.lists.flatten - (map - (x: lib.attrValues (lib.getAttrs [ "path" ] x)) - (lib.mapAttrsToList - (name: value: value) - config.services.cgit.main.repos)))); + repodirs = builtins.concatStringsSep "\n" ( + map (x: "directory = ${x}") ( + lib.lists.flatten ( + map (x: lib.attrValues (lib.getAttrs [ "path" ] x)) ( + lib.mapAttrsToList (name: value: value) config.services.cgit.main.repos + ) + ) + ) + ); in { environment.systemPackages = with pkgs; [ - md4c # used to get md2html for rendering the READMEs within cgit-pink - ]; - - # set all the repos as safe - environment.etc = { - gitconfig = { - text = '' - [http] - sslCAinfo = /etc/ssl/certs/ca-certificates.crt - [safe] - ${repodirs} - ''; - }; - }; - + md4c # used to get md2html for rendering the READMEs within cgit-pink + ]; + + # set all the repos as safe + environment.etc = { + gitconfig = { + text = '' + [http] + sslCAinfo = /etc/ssl/certs/ca-certificates.crt + [safe] + ${repodirs} + ''; + }; + }; + services = { - nginx.virtualHosts."git.emile.space" = { - forceSSL = true; - enableACME = true; - }; - - cgit.main = { - enable = true; - package = pkgs.cgit-pink; - nginx.virtualHost = "git.emile.space"; - nginx.location = "/"; - repos = { + nginx.virtualHosts."git.emile.space" = { + forceSSL = true; + enableACME = true; + }; + + cgit.main = { + enable = true; + package = pkgs.cgit-pink; + nginx.virtualHost = "git.emile.space"; + nginx.location = "/"; + repos = { # ops - hefe = { - desc = "Yet another monorepo (the big nix config)"; - path = "/var/lib/git/repositories/hefe.git"; - section = "Infra"; - owner = "emile"; - }; - vokobe = { - desc = "A custom static site generator written in rust"; - path = "/var/lib/git/repositories/vokobe.git"; - section = "Infra"; - owner = "emile"; - }; - massscan-docker = { - desc = "A Dockerfile for massscan"; - 
path = "/var/lib/git/repositories/massscan-docker.git"; - section = "Infra"; - owner = "emile"; - }; - metrics-bundler = { - desc = "A super basic metrics bundler"; - path = "/var/lib/git/repositories/metrics-bundler.git"; - section = "Infra"; - owner = "emile"; - }; - - # matrix - matrix-sdk = { - desc = "A simpler matrix sdk"; - path = "/var/lib/git/repositories/matrix-sdk.git"; - section = "Matrix"; - owner = "emile"; - }; - matrix-weather-bot = { - desc = "A basic weather bot using matrix-sdk"; - path = "/var/lib/git/repositories/matrix-weather-bot.git"; - section = "Matrix"; - owner = "emile"; - }; - + hefe = { + desc = "Yet another monorepo (the big nix config)"; + path = "/var/lib/git/repositories/hefe.git"; + section = "Infra"; + owner = "emile"; + }; + vokobe = { + desc = "A custom static site generator written in rust"; + path = "/var/lib/git/repositories/vokobe.git"; + section = "Infra"; + owner = "emile"; + }; + massscan-docker = { + desc = "A Dockerfile for massscan"; + path = "/var/lib/git/repositories/massscan-docker.git"; + section = "Infra"; + owner = "emile"; + }; + metrics-bundler = { + desc = "A super basic metrics bundler"; + path = "/var/lib/git/repositories/metrics-bundler.git"; + section = "Infra"; + owner = "emile"; + }; + + # matrix + matrix-sdk = { + desc = "A simpler matrix sdk"; + path = "/var/lib/git/repositories/matrix-sdk.git"; + section = "Matrix"; + owner = "emile"; + }; + matrix-weather-bot = { + desc = "A basic weather bot using matrix-sdk"; + path = "/var/lib/git/repositories/matrix-weather-bot.git"; + section = "Matrix"; + owner = "emile"; + }; # radare2 - radare2-GoReSym = { - desc = "A script to load goresym symbols into radare2"; - path = "/var/lib/git/repositories/radare2-GoReSym.git"; - section = "Radare2"; - owner = "emile"; - }; - r2wars = { - desc = "A golang implementation of radare2"; - path = "/var/lib/git/repositories/r2wars.git"; - section = "Radare2"; - owner = "emile"; - }; - r2wars-web = { - desc = "The software 
behind https://r2wa.rs"; - path = "/var/lib/git/repositories/r2wars-web.git"; - section = "Radare2"; - owner = "emile"; - }; - r2wars-rs = { - desc = "A rust implementation of radare2"; - path = "/var/lib/git/repositories/r2wars-rs.git"; - section = "Radare2"; - owner = "emile"; - }; - - # ctf - ctf_clusters = { - desc = "visualizing CTF clusters at DEFCON CTF Finals 2022"; - path = "/var/lib/git/repositories/ctf_clusters.git"; - section = "CTF"; - owner = "emile"; - }; - lambda = { - desc = "hacktm ctf 2023 / misc / know your lambda calculus"; - path = "/var/lib/git/repositories/lambda.git"; - section = "CTF"; - owner = "emile"; - }; - ctfdget = { - desc = "Simply fetch all challenges from a CTF from CTFd."; - path = "/var/lib/git/repositories/ctfdget.git"; - section = "CTF"; - owner = "emile"; - }; + radare2-GoReSym = { + desc = "A script to load goresym symbols into radare2"; + path = "/var/lib/git/repositories/radare2-GoReSym.git"; + section = "Radare2"; + owner = "emile"; + }; + r2wars = { + desc = "A golang implementation of radare2"; + path = "/var/lib/git/repositories/r2wars.git"; + section = "Radare2"; + owner = "emile"; + }; + r2wars-web = { + desc = "The software behind https://r2wa.rs"; + path = "/var/lib/git/repositories/r2wars-web.git"; + section = "Radare2"; + owner = "emile"; + }; + r2wars-rs = { + desc = "A rust implementation of radare2"; + path = "/var/lib/git/repositories/r2wars-rs.git"; + section = "Radare2"; + owner = "emile"; + }; + + # ctf + ctf_clusters = { + desc = "visualizing CTF clusters at DEFCON CTF Finals 2022"; + path = "/var/lib/git/repositories/ctf_clusters.git"; + section = "CTF"; + owner = "emile"; + }; + lambda = { + desc = "hacktm ctf 2023 / misc / know your lambda calculus"; + path = "/var/lib/git/repositories/lambda.git"; + section = "CTF"; + owner = "emile"; + }; + ctfdget = { + desc = "Simply fetch all challenges from a CTF from CTFd."; + path = "/var/lib/git/repositories/ctfdget.git"; + section = "CTF"; + owner = "emile"; 
+ };
 # keyboard
- zmk-config = {
- desc = "ferris sweep zmk config";
- path = "/var/lib/git/repositories/zmk-config.git";
- section = "Keyboard";
- owner = "emile";
- };
-
- # chaosdorf
- map = {
- desc = "A map of the chaosdorf hackspace";
- path = "/var/lib/git/repositories/map.git";
- section = "Chaosdorf";
- owner = "emile";
- };
- freitagsfoo = {
- desc = "A service to submit talks for freitagsfoo";
- path = "/var/lib/git/repositories/freitagsfoo.git";
- section = "Chaosdorf";
- owner = "emile";
- };
- inventory = {
- desc = "A common-lisp mapping and inventory system";
- path = "/var/lib/git/repositories/inventory.git";
- section = "Chaosdorf";
- owner = "emile";
- };
-
- # jugend forscht
- SatelliteComputation = {
- desc = "Estimating possible Satellite collisions";
- path = "/var/lib/git/repositories/SatelliteComputation.git";
- section = "Jugend Forscht 2017";
- owner = "emile";
- };
- GalaxyGeneration = {
- desc = "Generating Galaxies";
- path = "/var/lib/git/repositories/GalaxyGeneration.git";
- section = "Jugend Forscht 2018";
- owner = "emile";
- };
-
- brute-force = {
- desc = "A simple benchmark showing how slow this can be";
- path = "/var/lib/git/repositories/galaxy-sim-brute-force.git";
- section = "Jugend Forscht 2019";
- owner = "emile";
- };
- generatePointcloud = {
- desc = "Generate pointclouds using the NFW profile";
- path = "/var/lib/git/repositories/generatePointcloud.git";
- section = "Jugend Forscht 2019";
- owner = "emile";
- };
- quadtree = {
- desc = "Simple quadtree implementation";
- path = "/var/lib/git/repositories/quadtree.git";
- section = "Jugend Forscht 2019";
- owner = "emile";
- };
- viewer = {
- desc = "A viewer for galaxies stored in trees";
- path = "/var/lib/git/repositories/viewer.git";
- section = "Jugend Forscht 2019";
- owner = "emile";
- };
- structs = {
- desc = "All of the structures used in the GalaxySimulator";
- path = "/var/lib/git/repositories/structs.git";
- section = "Jugend Forscht 2019";
- owner = "emile";
- };
- simulator-container-rewrite = {
- desc = "Clean rewrite of the simulator-container";
- path = "/var/lib/git/repositories/simulator-container-rewrite.git";
- section = "Jugend Forscht 2019";
- owner = "emile";
- };
- simulator-container = {
- desc = "Simulating the new position of a galaxye";
- path = "/var/lib/git/repositories/simulator-container.git";
- section = "Jugend Forscht 2019";
- owner = "emile";
- };
- pres = {
- desc = "Presentation material";
- path = "/var/lib/git/repositories/pres.git";
- section = "Jugend Forscht 2019";
- owner = "emile";
- };
- manager-container = {
- desc = "The overall manager";
- path = "/var/lib/git/repositories/manager-container.git";
- section = "Jugend Forscht 2019";
- owner = "emile";
- };
- generator-container = {
- desc = "Generates point clouds using the NFW profile";
- path = "/var/lib/git/repositories/generator-container.git";
- section = "Jugend Forscht 2019";
- owner = "emile";
- };
- frontpage = {
- desc = "Web page showing people what the project is about";
- path = "/var/lib/git/repositories/frontpage.git";
- section = "Jugend Forscht 2019";
- owner = "emile";
- };
- distributor = {
- desc = "Distributing tasks";
- path = "/var/lib/git/repositories/distributor-container.git";
- section = "Jugend Forscht 2019";
- owner = "emile";
- };
- db-controller = {
- desc = "Interaction with the Database";
- path = "/var/lib/git/repositories/db-controller.git";
- section = "Jugend Forscht 2019";
- owner = "emile";
- };
- db-container = {
- desc = "The main database";
- path = "/var/lib/git/repositories/db-container.git";
- section = "Jugend Forscht 2019";
- owner = "emile";
- };
- db-actions = {
- desc = "Actions to be performed on the batabase";
- path = "/var/lib/git/repositories/db-actions.git";
- section = "Jugend Forscht 2019";
- owner = "emile";
- };
- Writeup = {
- desc = "Writeups using LaTeX";
- path = "/var/lib/git/repositories/Writeup.git";
- section = "Jugend Forscht 2019";
- owner = "emile";
- };
- Source = {
- desc = "Code from the beginning";
- path = "/var/lib/git/repositories/Source.git";
- section = "Jugend Forscht 2019";
- owner = "emile";
- };
- NFW-container = {
- desc = "A container purely for generating galaxies";
- path = "/var/lib/git/repositories/NFW-container.git";
- section = "Jugend Forscht 2019";
- owner = "emile";
- };
-
- # games
- "0h-gamejam-game" = {
- desc = "Created a game in 0 hours";
- path = "/var/lib/git/repositories/0hour-gamejam-game.git";
- section = "Games";
- owner = "emile";
- };
-
- # 3D
- "3D" = {
- desc = "3D models";
- path = "/var/lib/git/repositories/3D.git";
- section = "3D";
- owner = "emile";
- };
-
- # http
- faila = {
- desc = "The caddy fileserver look, but int pure golang";
- path = "/var/lib/git/repositories/faila.git";
- section = "HTTP";
- owner = "emile";
- };
- faila2 = {
- desc = "faila, but simpler";
- path = "/var/lib/git/repositories/faila2.git";
- section = "HTTP";
- owner = "emile";
- };
- gofuzz = {
- desc = "wfuzz, but in go. Didn't know ffuf at the time";
- path = "/var/lib/git/repositories/gofuzz.git";
- section = "HTTP";
- owner = "emile";
- };
- graphClicker = {
- desc = "A metrics bundler, but with a simple web interface";
- path = "/var/lib/git/repositories/graphClicker.git";
- section = "HTTP";
- owner = "emile";
- };
- randomHttp = {
- desc = "A simple HTTP server returning random HTTP codes";
- path = "/var/lib/git/repositories/randomHTTP.git";
- section = "HTTP";
- owner = "emile";
- };
- redir = {
- desc = "A webserver with the soul purpose of redirecting.";
- path = "/var/lib/git/repositories/redir.git";
- section = "HTTP";
- owner = "emile";
- };
- reqlog = {
- desc = "A simple request logger";
- path = "/var/lib/git/repositories/reqlog.git";
- section = "HTTP";
- owner = "emile";
- };
-
- # honeypot
- ssh-catch-test = {
- desc = "A simple honeypot emulating an ssh server.";
- path = "/var/lib/git/repositories/ssh-catch-test.git";
- section = "Honeypot";
- owner = "emile";
- };
- honeypot-monitoring = {
- desc = "Grafana + Prometheus monitoring";
- path = "/var/lib/git/repositories/honeypot-monitoring.git";
- section = "Honeypot";
- owner = "emile";
- };
- ftp-grab-password = {
- desc = "Grab ftp creds (made by twink0r)";
- path = "/var/lib/git/repositories/ftp-grab-password.git";
- section = "Honeypot";
- owner = "emile";
- };
- log-analyzer = {
- desc = "Analyse the logs";
- path = "/var/lib/git/repositories/honeypot-log-analyzer.git";
- section = "Honeypot";
- owner = "emile";
- };
- http-grab-basicauth = {
- desc = "Grab basicauth creds (made by maride)";
- path = "/var/lib/git/repositories/http-grab-basicauth.git";
- section = "Honeypot";
- owner = "emile";
- };
- http-grab-url = {
- desc = "Grab urls (made by twink0r)";
- path = "/var/lib/git/repositories/http-grab-url.git";
- section = "Honeypot";
- owner = "emile";
- };
- ssh-grab-keypass = {
- desc = "Grab keys from ssh logins (made by maride)";
- path = "/var/lib/git/repositories/ssh-grab-keypass.git";
- section = "Honeypot";
- owner = "emile";
- };
- ssh-grab-passwords = {
- desc = "Grab passwords from ssh logins (made by maride)";
- path = "/var/lib/git/repositories/ssh-grab-passwords.git";
- section = "Honeypot";
- owner = "emile";
- };
- ssh-grab-passwords-map = {
- desc = "A nice visual map of the login attempts";
- path = "/var/lib/git/repositories/ssh-grab-passwords-map.git";
- section = "Honeypot";
- owner = "emile";
- };
+ zmk-config = {
+ desc = "ferris sweep zmk config";
+ path = "/var/lib/git/repositories/zmk-config.git";
+ section = "Keyboard";
+ owner = "emile";
+ };
+
+ # chaosdorf
+ map = {
+ desc = "A map of the chaosdorf hackspace";
+ path = "/var/lib/git/repositories/map.git";
+ section = "Chaosdorf";
+ owner = "emile";
+ };
+ freitagsfoo = {
+ desc = "A service to submit talks for freitagsfoo";
+ path = "/var/lib/git/repositories/freitagsfoo.git";
+ section = "Chaosdorf";
+ owner = "emile";
+ };
+ inventory = {
+ desc = "A common-lisp mapping and inventory system";
+ path = "/var/lib/git/repositories/inventory.git";
+ section = "Chaosdorf";
+ owner = "emile";
+ };
+
+ # jugend forscht
+ SatelliteComputation = {
+ desc = "Estimating possible Satellite collisions";
+ path = "/var/lib/git/repositories/SatelliteComputation.git";
+ section = "Jugend Forscht 2017";
+ owner = "emile";
+ };
+ GalaxyGeneration = {
+ desc = "Generating Galaxies";
+ path = "/var/lib/git/repositories/GalaxyGeneration.git";
+ section = "Jugend Forscht 2018";
+ owner = "emile";
+ };
+
+ brute-force = {
+ desc = "A simple benchmark showing how slow this can be";
+ path = "/var/lib/git/repositories/galaxy-sim-brute-force.git";
+ section = "Jugend Forscht 2019";
+ owner = "emile";
+ };
+ generatePointcloud = {
+ desc = "Generate pointclouds using the NFW profile";
+ path = "/var/lib/git/repositories/generatePointcloud.git";
+ section = "Jugend Forscht 2019";
+ owner = "emile";
+ };
+ quadtree = {
+ desc = "Simple quadtree implementation";
+ path = "/var/lib/git/repositories/quadtree.git";
+ section = "Jugend Forscht 2019";
+ owner = "emile";
+ };
+ viewer = {
+ desc = "A viewer for galaxies stored in trees";
+ path = "/var/lib/git/repositories/viewer.git";
+ section = "Jugend Forscht 2019";
+ owner = "emile";
+ };
+ structs = {
+ desc = "All of the structures used in the GalaxySimulator";
+ path = "/var/lib/git/repositories/structs.git";
+ section = "Jugend Forscht 2019";
+ owner = "emile";
+ };
+ simulator-container-rewrite = {
+ desc = "Clean rewrite of the simulator-container";
+ path = "/var/lib/git/repositories/simulator-container-rewrite.git";
+ section = "Jugend Forscht 2019";
+ owner = "emile";
+ };
+ simulator-container = {
+ desc = "Simulating the new position of a galaxye";
+ path = "/var/lib/git/repositories/simulator-container.git";
+ section = "Jugend Forscht 2019";
+ owner = "emile";
+ };
+ pres = {
+ desc = "Presentation material";
+ path = "/var/lib/git/repositories/pres.git";
+ section = "Jugend Forscht 2019";
+ owner = "emile";
+ };
+ manager-container = {
+ desc = "The overall manager";
+ path = "/var/lib/git/repositories/manager-container.git";
+ section = "Jugend Forscht 2019";
+ owner = "emile";
+ };
+ generator-container = {
+ desc = "Generates point clouds using the NFW profile";
+ path = "/var/lib/git/repositories/generator-container.git";
+ section = "Jugend Forscht 2019";
+ owner = "emile";
+ };
+ frontpage = {
+ desc = "Web page showing people what the project is about";
+ path = "/var/lib/git/repositories/frontpage.git";
+ section = "Jugend Forscht 2019";
+ owner = "emile";
+ };
+ distributor = {
+ desc = "Distributing tasks";
+ path = "/var/lib/git/repositories/distributor-container.git";
+ section = "Jugend Forscht 2019";
+ owner = "emile";
+ };
+ db-controller = {
+ desc = "Interaction with the Database";
+ path = "/var/lib/git/repositories/db-controller.git";
+ section = "Jugend Forscht 2019";
+ owner = "emile";
+ };
+ db-container = {
+ desc = "The main database";
+ path = "/var/lib/git/repositories/db-container.git";
+ section = "Jugend Forscht 2019";
+ owner = "emile";
+ };
+ db-actions = {
+ desc = "Actions to be performed on the batabase";
+ path = "/var/lib/git/repositories/db-actions.git";
+ section = "Jugend Forscht 2019";
+ owner = "emile";
+ };
+ Writeup = {
+ desc = "Writeups using LaTeX";
+ path = "/var/lib/git/repositories/Writeup.git";
+ section = "Jugend Forscht 2019";
+ owner = "emile";
+ };
+ Source = {
+ desc = "Code from the beginning";
+ path = "/var/lib/git/repositories/Source.git";
+ section = "Jugend Forscht 2019";
+ owner = "emile";
+ };
+ NFW-container = {
+ desc = "A container purely for generating galaxies";
+ path = "/var/lib/git/repositories/NFW-container.git";
+ section = "Jugend Forscht 2019";
+ owner = "emile";
+ };
+
+ # games
+ "0h-gamejam-game" = {
+ desc = "Created a game in 0 hours";
+ path = "/var/lib/git/repositories/0hour-gamejam-game.git";
+ section = "Games";
+ owner = "emile";
+ };
+
+ # 3D
+ "3D" = {
+ desc = "3D models";
+ path = "/var/lib/git/repositories/3D.git";
+ section = "3D";
+ owner = "emile";
+ };
+
+ # http
+ faila = {
+ desc = "The caddy fileserver look, but int pure golang";
+ path = "/var/lib/git/repositories/faila.git";
+ section = "HTTP";
+ owner = "emile";
+ };
+ faila2 = {
+ desc = "faila, but simpler";
+ path = "/var/lib/git/repositories/faila2.git";
+ section = "HTTP";
+ owner = "emile";
+ };
+ gofuzz = {
+ desc = "wfuzz, but in go. Didn't know ffuf at the time";
+ path = "/var/lib/git/repositories/gofuzz.git";
+ section = "HTTP";
+ owner = "emile";
+ };
+ graphClicker = {
+ desc = "A metrics bundler, but with a simple web interface";
+ path = "/var/lib/git/repositories/graphClicker.git";
+ section = "HTTP";
+ owner = "emile";
+ };
+ randomHttp = {
+ desc = "A simple HTTP server returning random HTTP codes";
+ path = "/var/lib/git/repositories/randomHTTP.git";
+ section = "HTTP";
+ owner = "emile";
+ };
+ redir = {
+ desc = "A webserver with the soul purpose of redirecting.";
+ path = "/var/lib/git/repositories/redir.git";
+ section = "HTTP";
+ owner = "emile";
+ };
+ reqlog = {
+ desc = "A simple request logger";
+ path = "/var/lib/git/repositories/reqlog.git";
+ section = "HTTP";
+ owner = "emile";
+ };
+
+ # honeypot
+ ssh-catch-test = {
+ desc = "A simple honeypot emulating an ssh server.";
+ path = "/var/lib/git/repositories/ssh-catch-test.git";
+ section = "Honeypot";
+ owner = "emile";
+ };
+ honeypot-monitoring = {
+ desc = "Grafana + Prometheus monitoring";
+ path = "/var/lib/git/repositories/honeypot-monitoring.git";
+ section = "Honeypot";
+ owner = "emile";
+ };
+ ftp-grab-password = {
+ desc = "Grab ftp creds (made by twink0r)";
+ path = "/var/lib/git/repositories/ftp-grab-password.git";
+ section = "Honeypot";
+ owner = "emile";
+ };
+ log-analyzer = {
+ desc = "Analyse the logs";
+ path = "/var/lib/git/repositories/honeypot-log-analyzer.git";
+ section = "Honeypot";
+ owner = "emile";
+ };
+ http-grab-basicauth = {
+ desc = "Grab basicauth creds (made by maride)";
+ path = "/var/lib/git/repositories/http-grab-basicauth.git";
+ section = "Honeypot";
+ owner = "emile";
+ };
+ http-grab-url = {
+ desc = "Grab urls (made by twink0r)";
+ path = "/var/lib/git/repositories/http-grab-url.git";
+ section = "Honeypot";
+ owner = "emile";
+ };
+ ssh-grab-keypass = {
+ desc = "Grab keys from ssh logins (made by maride)";
+ path = "/var/lib/git/repositories/ssh-grab-keypass.git";
+ section = "Honeypot";
+ owner = "emile";
+ };
+ ssh-grab-passwords = {
+ desc = "Grab passwords from ssh logins (made by maride)";
+ path = "/var/lib/git/repositories/ssh-grab-passwords.git";
+ section = "Honeypot";
+ owner = "emile";
+ };
+ ssh-grab-passwords-map = {
+ desc = "A nice visual map of the login attempts";
+ path = "/var/lib/git/repositories/ssh-grab-passwords-map.git";
+ section = "Honeypot";
+ owner = "emile";
+ };
 # fuzzing
- stdin-to-tcp = {
- desc = "Bending stdin to tcp";
- path = "/var/lib/git/repositories/stdin-to-tcp.git";
- section = "Fuzzing";
- owner = "emile";
- };
-
- # firmware
- firmware = {
- desc = "Gathering firmware via nix";
- path = "/var/lib/git/repositories/firmware.git";
- section = "Firmware";
- owner = "emile";
- };
-
- # crypto
- Substitution-Cracker = {
- desc = "Some code for cracking substitution ciphers";
- path = "/var/lib/git/repositories/Substitution-Cracker.git";
- section = "Crypto";
- owner = "emile";
- };
-
- # fun
- giff = {
- desc = "A party service: give it gifs and it'll play them";
- path = "/var/lib/git/repositories/giff.git";
- section = "Fun";
- owner = "emile";
- };
- pixeltsunami = {
- desc = "The obligatory pixelflut client";
- path = "/var/lib/git/repositories/pixeltsunami.git";
- section = "Fun";
- owner = "emile";
- };
-
- # circus
- companion = {
- desc = "The companion spawned for one user.";
- path = "/var/lib/git/repositories/companion.git";
- section = "Circus";
- owner = "emile";
- };
- compose = {
- desc = "The docker-compose foo";
- path = "/var/lib/git/repositories/compose.git";
- section = "Circus";
- owner = "emile";
- };
- container-manager = {
- desc = "The meta container managemer";
- path = "/var/lib/git/repositories/container-manager.git";
- section = "Circus";
- owner = "emile";
- };
- landingpage = {
- desc = "The landing page";
- path = "/var/lib/git/repositories/landingpage.git";
- section = "Circus";
- owner = "emile";
- };
- manager = {
- desc = "The manager";
- path = "/var/lib/git/repositories/manager.git";
- section = "Circus";
- owner = "emile";
- };
- register = {
- desc = "The registration";
- path = "/var/lib/git/repositories/register.git";
- section = "Circus";
- owner = "emile";
- };
- scoreboard = {
- desc = "The scoreboard";
- path = "/var/lib/git/repositories/scoreboard.git";
- section = "Circus";
- owner = "emile";
- };
- static = {
- desc = "Some static files";
- path = "/var/lib/git/repositories/static.git";
- section = "Circus";
- owner = "emile";
- };
- vpn = {
- desc = "The VPN stuff";
- path = "/var/lib/git/repositories/vpn.git";
- section = "Circus";
- owner = "emile";
- };
-
- # articles
- barnes-hut = {
- desc = "A one pager compressing the JuFo19 project";
- path = "/var/lib/git/repositories/barnes-hut.git";
- section = "Articles";
- owner = "emile";
- };
-
- # satellite
- tle = {
- desc = "golang tle lib";
- path = "/var/lib/git/repositories/tle.git";
- section = "Satellite";
- owner = "emile";
- };
- tle2json = {
- desc = "golang tle to json";
- path = "/var/lib/git/repositories/tle2json.git";
- section = "Satellite";
- owner = "emile";
- };
- };
- settings = {
- css = "https://emile.space/cgit.css";
- root-title = "git.emile.space";
- root-desc = "";
-
- enable-index-owner = 0; # why show this? I own 'em all!
- enable-commit-graph = 1;
- max-repo-count = 5000; # like: why not?
-
- readme = ":README.md";
- about-filter = "${pkgs.cgit-pink}/lib/cgit/filters/about-formatting.sh";
- source-filter = "${pkgs.cgit-pink}/lib/cgit/filters/syntax-highlighting.py";
-
- summary-log = 50;
+ stdin-to-tcp = {
+ desc = "Bending stdin to tcp";
+ path = "/var/lib/git/repositories/stdin-to-tcp.git";
+ section = "Fuzzing";
+ owner = "emile";
+ };
+
+ # firmware
+ firmware = {
+ desc = "Gathering firmware via nix";
+ path = "/var/lib/git/repositories/firmware.git";
+ section = "Firmware";
+ owner = "emile";
+ };
+
+ # crypto
+ Substitution-Cracker = {
+ desc = "Some code for cracking substitution ciphers";
+ path = "/var/lib/git/repositories/Substitution-Cracker.git";
+ section = "Crypto";
+ owner = "emile";
+ };
+
+ # fun
+ giff = {
+ desc = "A party service: give it gifs and it'll play them";
+ path = "/var/lib/git/repositories/giff.git";
+ section = "Fun";
+ owner = "emile";
+ };
+ pixeltsunami = {
+ desc = "The obligatory pixelflut client";
+ path = "/var/lib/git/repositories/pixeltsunami.git";
+ section = "Fun";
+ owner = "emile";
+ };
+
+ # circus
+ companion = {
+ desc = "The companion spawned for one user.";
+ path = "/var/lib/git/repositories/companion.git";
+ section = "Circus";
+ owner = "emile";
+ };
+ compose = {
+ desc = "The docker-compose foo";
+ path = "/var/lib/git/repositories/compose.git";
+ section = "Circus";
+ owner = "emile";
+ };
+ container-manager = {
+ desc = "The meta container managemer";
+ path = "/var/lib/git/repositories/container-manager.git";
+ section = "Circus";
+ owner = "emile";
+ };
+ landingpage = {
+ desc = "The landing page";
+ path = "/var/lib/git/repositories/landingpage.git";
+ section = "Circus";
+ owner = "emile";
+ };
+ manager = {
+ desc = "The manager";
+ path = "/var/lib/git/repositories/manager.git";
+ section = "Circus";
+ owner = "emile";
+ };
+ register = {
+ desc = "The registration";
+ path = "/var/lib/git/repositories/register.git";
+ section = "Circus";
+ owner = "emile";
+ };
+ scoreboard = {
+ desc = "The scoreboard";
+ path = "/var/lib/git/repositories/scoreboard.git";
+ section = "Circus";
+ owner = "emile";
+ };
+ static = {
+ desc = "Some static files";
+ path = "/var/lib/git/repositories/static.git";
+ section = "Circus";
+ owner = "emile";
+ };
+ vpn = {
+ desc = "The VPN stuff";
+ path = "/var/lib/git/repositories/vpn.git";
+ section = "Circus";
+ owner = "emile";
+ };
+
+ # articles
+ barnes-hut = {
+ desc = "A one pager compressing the JuFo19 project";
+ path = "/var/lib/git/repositories/barnes-hut.git";
+ section = "Articles";
+ owner = "emile";
+ };
+
+ # satellite
+ tle = {
+ desc = "golang tle lib";
+ path = "/var/lib/git/repositories/tle.git";
+ section = "Satellite";
+ owner = "emile";
+ };
+ tle2json = {
+ desc = "golang tle to json";
+ path = "/var/lib/git/repositories/tle2json.git";
+ section = "Satellite";
+ owner = "emile";
+ };
+ };
+ settings = {
+ css = "https://emile.space/cgit.css";
+ root-title = "git.emile.space";
+ root-desc = "";
+
+ enable-index-owner = 0; # why show this? I own 'em all!
+ enable-commit-graph = 1;
+ max-repo-count = 5000; # like: why not?
+
+ readme = ":README.md";
+ about-filter = "${pkgs.cgit-pink}/lib/cgit/filters/about-formatting.sh";
+ source-filter = "${pkgs.cgit-pink}/lib/cgit/filters/syntax-highlighting.py";
+
+ summary-log = 50;
 # mobile friendly
- head-include = builtins.toFile "cgit_head.html" ''
- <meta name="viewport" content="width=device-width initial-scale=1.0"/>
- '';
-
- footer = builtins.toFile "cgit_footer.html" ''
- <div class="footer">
- <div class="float-left">
- generated by <a href='https://git.causal.agency/cgit-pink/'>cgit-pink ${pkgs.cgit-pink.version}</a>
- </div>
- <div class="float-right">
- <a href="https://social.emile.space/@hanemile/feed.rss" target="_blank" rel="noopener" class="icon"><img class="webring" src="https://emile.space/rss.svg" alt="rss feed of @hanemile@chaos.social mastodon" height="32px"></a>
- <a href="https://lieu.cblgh.org/" target="_blank" rel="noopener" class="icon"><img class="webring" src="https://emile.space/lieu.svg" alt="lieu webring search engine" height="32px"></a>
- <a href="https://webring.xxiivv.com/#emile" target="_blank" rel="noopener" class="icon"><img class="webring" src="https://emile.space/webring.svg" alt="XXIIVV webring" height="32px"></a>
- <a rel="me" href="https://social.emile.space/@hanemile" target="_blank" class="icon"><img class="webring" src="https://emile.space/activitypub.svg" alt="activitypub" height="32px"/></a>
- </div>
- '';
-
- };
- };
-
- # access control
- gitolite = {
- enable = true;
-
- dataDir = "/var/lib/git";
-
- user = "git";
- group = "git";
-
- description = "emile";
-
- adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZi43zHEsoWaQomLGaftPE5k0RqVrZyiTtGqZlpWsew emile@caladan";
- extraGitoliteRc = ''
- $RC{UMASK} = 0027;
- $RC{GIT_CONFIG_KEYS} = '.*';
- '';
- };
-
- # exposing stuff
- gitDaemon = {
- enable = false;
-
- user = "git";
- group = "git";
-
- repositories = []; # use all repos under basePath
- exportAll = true;
- basePath = "/var/lib/git/repositories";
-
- listenAddress = "git.emile.space";
- port = config.emile.ports.gitDaemon;
-
- options = "--timeout=30"; # extra Config
- };
- };
+ head-include = builtins.toFile "cgit_head.html" ''
+ <meta name="viewport" content="width=device-width initial-scale=1.0"/>
+ '';
+
+ footer = builtins.toFile "cgit_footer.html" ''
+ <div class="footer">
+ <div class="float-left">
+ generated by <a href='https://git.causal.agency/cgit-pink/'>cgit-pink ${pkgs.cgit-pink.version}</a>
+ </div>
+ <div class="float-right">
+ <a href="https://social.emile.space/@hanemile/feed.rss" target="_blank" rel="noopener" class="icon"><img class="webring" src="https://emile.space/rss.svg" alt="rss feed of @hanemile@chaos.social mastodon" height="32px"></a>
+ <a href="https://lieu.cblgh.org/" target="_blank" rel="noopener" class="icon"><img class="webring" src="https://emile.space/lieu.svg" alt="lieu webring search engine" height="32px"></a>
+ <a href="https://webring.xxiivv.com/#emile" target="_blank" rel="noopener" class="icon"><img class="webring" src="https://emile.space/webring.svg" alt="XXIIVV webring" height="32px"></a>
+ <a rel="me" href="https://social.emile.space/@hanemile" target="_blank" class="icon"><img class="webring" src="https://emile.space/activitypub.svg" alt="activitypub" height="32px"/></a>
+ </div>
+ '';
+
+ };
+ };
+
+ # access control
+ gitolite = {
+ enable = true;
+
+ dataDir = "/var/lib/git";
+
+ user = "git";
+ group = "git";
+
+ description = "emile";
+
+ adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZi43zHEsoWaQomLGaftPE5k0RqVrZyiTtGqZlpWsew emile@caladan";
+ extraGitoliteRc = ''
+ $RC{UMASK} = 0027;
+ $RC{GIT_CONFIG_KEYS} = '.*';
+ '';
+ };
+
+ # exposing stuff
+ gitDaemon = {
+ enable = false;
+
+ user = "git";
+ group = "git";
+
+ repositories = [ ]; # use all repos under basePath
+ exportAll = true;
+ basePath = "/var/lib/git/repositories";
+
+ listenAddress = "git.emile.space";
+ port = config.emile.ports.gitDaemon;
+
+ options = "--timeout=30"; # extra Config
+ };
+ };
 users.extraUsers.nginx.extraGroups = [ "git" ];
- # Have to use lib.mkForce below, as the gitolite and gitDaemon user both
- # configure the git user and group (differently)
+ # Have to use lib.mkForce below, as the gitolite and gitDaemon user both
+ # configure the git user and group (differently)
 users.users.git = {
 isSystemUser = true;
 useDefaultShell = true;
- description = lib.mkForce "cgit-pink, gitolite and gitDaemon";
+ description = lib.mkForce "cgit-pink, gitolite and gitDaemon";
 group = "git";
 extraGroups = [ "gitea" ];
 home = "/var/lib/git";
 uid = lib.mkForce 127;
 };
 users.groups.git = {
- gid = lib.mkForce 127;
- };
+ gid = lib.mkForce 127;
+ };
 }
diff --git a/nix/hosts/corrino/www/git/default.nix b/nix/hosts/corrino/www/git/default.nix
index 9c76441..92fb85b 100644
--- a/nix/hosts/corrino/www/git/default.nix
+++ b/nix/hosts/corrino/www/git/default.nix
@@ -1,7 +1,5 @@
 { ... }:
 {
- imports = [
- ./cgit.nix
- ];
+ imports = [ ./cgit.nix ];
 }
diff --git a/nix/hosts/corrino/www/git/git.nix b/nix/hosts/corrino/www/git/git.nix
index d815f9c..3a2b9da 100644
--- a/nix/hosts/corrino/www/git/git.nix
+++ b/nix/hosts/corrino/www/git/git.nix
@@ -1,8 +1,14 @@
-{ lib, pkgs, config, ... }:
+{
+ lib,
+ pkgs,
+ config,
+ ...
+}:
 let
 cfg = config.services.gitea;
-in {
+in
+{
 services.nginx.virtualHosts."git.emile.space" = {
 forceSSL = true;
 enableACME = true;
@@ -21,24 +27,22 @@ in {
 };
 };
- # auth via authelia
- services.authelia.instances.main.settings.identity_providers.oidc.clients = [
- {
- id = "git";
-
- # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
- secret = "$pbkdf2-sha512$310000$4bi9wRkfcqnjbdmgt7rU.g$pQ2mC6GW4.BQwanGKKFhFyIx6Y.WY80xd/YpmlYOPnlnGBWpp0dSOTv6a/2yqSA5D.EuRkGCyeexSE5FdCK2TA";
- public = false;
- authorization_policy = "two_factor";
- redirect_uris = [
- "https://git.emile.space/user/oauth2/authelia/callback"
- ];
- scopes = [
- "openid"
- "email"
- "profile"
- ];
- }
+ # auth via authelia
+ services.authelia.instances.main.settings.identity_providers.oidc.clients = [
+ {
+ id = "git";
+
+ # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
+ secret = "$pbkdf2-sha512$310000$4bi9wRkfcqnjbdmgt7rU.g$pQ2mC6GW4.BQwanGKKFhFyIx6Y.WY80xd/YpmlYOPnlnGBWpp0dSOTv6a/2yqSA5D.EuRkGCyeexSE5FdCK2TA";
+ public = false;
+ authorization_policy = "two_factor";
+ redirect_uris = [ "https://git.emile.space/user/oauth2/authelia/callback" ];
+ scopes = [
+ "openid"
+ "email"
+ "profile"
+ ];
+ }
 ];
 services.gitea = rec {
diff --git a/nix/hosts/corrino/www/grafana.emile.space.nix b/nix/hosts/corrino/www/grafana.emile.space.nix
index eaf88b5..8e7d529 100644
--- a/nix/hosts/corrino/www/grafana.emile.space.nix
+++ b/nix/hosts/corrino/www/grafana.emile.space.nix
@@ -7,16 +7,16 @@
 addSSL = true;
 enableACME = true;
 locations."/" = {
- proxyPass = "http://${toString config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}/";
- proxyWebsockets = true;
+ proxyPass = "http://${toString config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}/";
+ proxyWebsockets = true;
 };
 };
 "prometheus.emile.space" = {
 addSSL = true;
 enableACME = true;
 locations."/" = {
- proxyPass = "http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}/";
- proxyWebsockets = true;
+ proxyPass = "http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}/";
+ proxyWebsockets = true;
 };
 };
 };
diff --git a/nix/hosts/corrino/www/grafana_full.emile.space.nix b/nix/hosts/corrino/www/grafana_full.emile.space.nix
index 8a9aa02..3dc05dc 100644
--- a/nix/hosts/corrino/www/grafana_full.emile.space.nix
+++ b/nix/hosts/corrino/www/grafana_full.emile.space.nix
@@ -2,7 +2,8 @@ let
 cfg = config.services.grafana;
-in {
+in
+{
 services.nginx.virtualHosts."git.emile.space" = {
 forceSSL = true;
 enableACME = true;
@@ -69,7 +70,7 @@ in {
 allow_sign_up = false;
 # Set to false to prohibit users from creating new organizations.
- allow_org_create = false;
+ allow_org_create = false;
 };
 smtp = {
@@ -79,11 +80,11 @@ in {
 # StartTLS policy when connecting to server.
 # null or one of "OpportunisticStartTLS", "MandatoryStartTLS", "NoStartTLS"
 startTLS_policy = null;
-
+
 # Verify SSL for SMTP server.
 skip_verify = false;
- # Password used for authentication. Please note that the contents of this option will end up in a world-readable Nix store. Use the file provider pointing at a reasonably secured file in the local filesystem to work around that. Look at the documentation for details: https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider
+ # Password used for authentication. Please note that the contents of this option will end up in a world-readable Nix store. Use the file provider pointing at a reasonably secured file in the local filesystem to work around that. Look at the documentation for details: https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider
 password = "";
 # File path to a key file.
@@ -201,13 +202,13 @@ in {
 disable_brute_force_login_protection = false;
 # Define a whitelist of allowed IP addresses or domains, with ports, to be used in data source URLs with the Grafana data source proxy. Format: ip_or_domain:port separated by spaces. PostgreSQL, MySQL, and MSSQL data sources do not use the proxy and are therefore unaffected by this setting.
- data_source_proxy_whitelist = [];
+ data_source_proxy_whitelist = [ ];
 # List of additional allowed URLs to pass by the CSRF check. Suggested when authentication comes from an IdP.
- csrf_trusted_origins = [];
+ csrf_trusted_origins = [ ];
 # List of allowed headers to be set by the user. Suggested to use for if authentication lives behind reverse proxies.
- csrf_additional_headers = [];
+ csrf_additional_headers = [ ];
 # Set to true if you host Grafana behind HTTPS.
 cookie_secure = true;
@@ -437,4 +438,4 @@ in {
 };
 };
-}
\ No newline at end of file
+}
diff --git a/nix/hosts/corrino/www/hydra.emile.space.nix b/nix/hosts/corrino/www/hydra.emile.space.nix
index 6628a67..e89888b 100644
--- a/nix/hosts/corrino/www/hydra.emile.space.nix
+++ b/nix/hosts/corrino/www/hydra.emile.space.nix
@@ -22,9 +22,7 @@
 enable = true;
 package = pkgs.hydra_unstable.overrideAttrs (old: {
- patches = (if old ? patches then old.patches else []) ++ [
- ./hydra.patch
- ];
+ patches = (if old ? patches then old.patches else [ ]) ++ [ ./hydra.patch ];
 });
 listenHost = "*";
@@ -35,11 +33,10 @@
 gcRootsDir = "/nix/var/nix/gcroots/hydra";
 # a standalone hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/hosts
- buildMachinesFiles = [];
+ buildMachinesFiles = [ ];
 # you will probably also want, otherwise *everything* will be built from scratch
 useSubstitutes = true;
-
 # notification settings
 smtpHost = "mail.emile.space";
 notificationSender = "hydra@emile.space";
@@ -59,6 +56,6 @@
 </git-input>
 binary_cache_public_uri = https://nix-cache.emile.space
 '';
- # evaluator_restrict_eval = false
+ # evaluator_restrict_eval = false
 };
 }
diff --git a/nix/hosts/corrino/www/irc.emile.space.nix b/nix/hosts/corrino/www/irc.emile.space.nix
index f738d62..ac00445 100644
--- a/nix/hosts/corrino/www/irc.emile.space.nix
+++ b/nix/hosts/corrino/www/irc.emile.space.nix
@@ -1,155 +1,155 @@ { config, ... }: { - # Create a tls cert for the irc server - security.acme.certs = { - "irc.emile.space" = { - webroot = "/var/lib/acme/acme-challenge/"; - email = "acme@emile.space"; - postRun = "cp fullchain.pem /home/ergo/ && cp key.pem /home/ergo && chown ergo:ergo /home/ergo/*.pem && systemctl reload ergo.service"; - }; - }; + # Create a tls cert for the irc server + security.acme.certs = { + "irc.emile.space" = { + webroot = "/var/lib/acme/acme-challenge/"; + email = "acme@emile.space"; + postRun = "cp fullchain.pem /home/ergo/ && cp key.pem /home/ergo && chown ergo:ergo /home/ergo/*.pem && systemctl reload ergo.service"; + }; + }; - # Allow ergo to access the created cert - # The systemd server runs using a dynamic user, so the below inserts the .pem files - # into "/run/credentials/ergochat.service/key.pem" - systemd.services.ergochat.serviceConfig = { - LoadCredential = [ - "fullchain.pem:/var/lib/acme/irc.emile.space/fullchain.pem" - "key.pem:/var/lib/acme/irc.emile.space/key.pem" - ]; - }; + # Allow ergo to access the created cert + # The systemd server runs using a dynamic user, so the below inserts the .pem files + # into "/run/credentials/ergochat.service/key.pem" + systemd.services.ergochat.serviceConfig = { + LoadCredential = [ + "fullchain.pem:/var/lib/acme/irc.emile.space/fullchain.pem" + "key.pem:/var/lib/acme/irc.emile.space/key.pem" + ]; + }; - # allow connections to the port from the "outside" + # allow connections to the port from the "outside" networking.firewall.allowedTCPPorts = [ config.emile.ports.irc.ssl ]; - services.ergochat = { - enable = true; + services.ergochat = { + enable = true; - # https://raw.githubusercontent.com/ergochat/ergo/master/default.yaml - settings = { - accounts = { - authentication-enabled = true; - multiclient = { - allowed-by-default = true; - always-on = "opt-out"; - auto-away = "opt-out"; - enabled = true; - }; - registration = { - enabled = true; - allow-before-connect = true; - 
bcrypt-cost = 4; - email-verification = { - enabled = false; - }; - throttling = { - duration = "10m"; - enabled = true; - max-attempts = 30; - }; - }; - }; - channels = { - default-modes = "+ntC"; - registration = { - enabled = true; - }; - }; - datastore = { - autoupgrade = true; - path = "/var/lib/ergo/ircd.db"; - }; - history = { - enabled = true; - autoreplay-on-join = 0; - autoresize-window = "3d"; - channel-length = 2048; - chathistory-maxmessages = 100; - client-length = 256; - restrictions = { - expire-time = "1w"; - grace-period = "1h"; - query-cutoff = "none"; - }; - retention = { - allow-individual-delete = false; - enable-account-indexing = false; - }; - tagmsg-storage = { - default = false; - whitelist = [ - "+draft/react" - "+react" - ]; - }; - znc-maxmessages = 2048; - }; - limits = { - awaylen = 390; - channellen = 64; - identlen = 20; - kicklen = 390; - nicklen = 32; - topiclen = 390; - }; - network = { - name = "emilespace"; - }; - server = { - casemapping = "permissive"; - check-ident = false; - enforce-utf = true; - forward-confirm-hostnames = false; - ip-cloaking = { - enabled = false; - }; - ip-limits = { - count = false; - throttle = false; - }; - listeners = { - # sts only port - ":6667".sts-only = true; + # https://raw.githubusercontent.com/ergochat/ergo/master/default.yaml + settings = { + accounts = { + authentication-enabled = true; + multiclient = { + allowed-by-default = true; + always-on = "opt-out"; + auto-away = "opt-out"; + enabled = true; + }; + registration = { + enabled = true; + allow-before-connect = true; + bcrypt-cost = 4; + email-verification = { + enabled = false; + }; + throttling = { + duration = "10m"; + enabled = true; + max-attempts = 30; + }; + }; + }; + channels = { + default-modes = "+ntC"; + registration = { + enabled = true; + }; + }; + datastore = { + autoupgrade = true; + path = "/var/lib/ergo/ircd.db"; + }; + history = { + enabled = true; + autoreplay-on-join = 0; + autoresize-window = "3d"; + channel-length 
= 2048; + chathistory-maxmessages = 100; + client-length = 256; + restrictions = { + expire-time = "1w"; + grace-period = "1h"; + query-cutoff = "none"; + }; + retention = { + allow-individual-delete = false; + enable-account-indexing = false; + }; + tagmsg-storage = { + default = false; + whitelist = [ + "+draft/react" + "+react" + ]; + }; + znc-maxmessages = 2048; + }; + limits = { + awaylen = 390; + channellen = 64; + identlen = 20; + kicklen = 390; + nicklen = 32; + topiclen = 390; + }; + network = { + name = "emilespace"; + }; + server = { + casemapping = "permissive"; + check-ident = false; + enforce-utf = true; + forward-confirm-hostnames = false; + ip-cloaking = { + enabled = false; + }; + ip-limits = { + count = false; + throttle = false; + }; + listeners = { + # sts only port + ":6667".sts-only = true; - # loopback listeners - # "127.0.0.1:6668" = {}; - # "[::]:6668" = {}; + # loopback listeners + # "127.0.0.1:6668" = {}; + # "[::]:6668" = {}; - ":${toString config.emile.ports.irc.ssl}" = { - tls = { - cert = "/run/credentials/ergochat.service/fullchain.pem"; - key = "/run/credentials/ergochat.service/key.pem"; - }; + ":${toString config.emile.ports.irc.ssl}" = { + tls = { + cert = "/run/credentials/ergochat.service/fullchain.pem"; + key = "/run/credentials/ergochat.service/key.pem"; + }; - # for cloud load balancers setting a PROXY header, NOT reverse proxies... - proxy = false; + # for cloud load balancers setting a PROXY header, NOT reverse proxies... + proxy = false; - min-tls-version = 1.2; - }; - }; - lookup-hostnames = false; - max-sendq = "1M"; - name = "emile.space"; - relaymsg = { - enabled = false; - }; - sts = { - enabled = true; # redirect from plain to tls if supported + min-tls-version = 1.2; + }; + }; + lookup-hostnames = false; + max-sendq = "1M"; + name = "emile.space"; + relaymsg = { + enabled = false; + }; + sts = { + enabled = true; # redirect from plain to tls if supported - # how long clients should be forced to use TLS for. 
- # (Emile): no clue why, can I set something like \infty here? - duration = "12m"; + # how long clients should be forced to use TLS for. + # (Emile): no clue why, can I set something like \infty here? + duration = "12m"; - }; - }; - logging = [ - { - method = "stderr"; - type = "* -userinput -useroutput"; - level = "debug"; - } - ]; - }; - }; + }; + }; + logging = [ + { + method = "stderr"; + type = "* -userinput -useroutput"; + level = "debug"; + } + ]; + }; + }; } diff --git a/nix/hosts/corrino/www/magic-hash.emile.space.nix b/nix/hosts/corrino/www/magic-hash.emile.space.nix index f41fb80..48d0f47 100644 --- a/nix/hosts/corrino/www/magic-hash.emile.space.nix +++ b/nix/hosts/corrino/www/magic-hash.emile.space.nix @@ -17,9 +17,7 @@ containers = { "ctfd" = { image = "magic-hash"; - ports = [ - "${toString config.emile.ports.magic-hash}:80" - ]; + ports = [ "${toString config.emile.ports.magic-hash}:80" ]; environment = { # this is not encouraged, but should work for the weekend (this is a diff --git a/nix/hosts/corrino/www/netbox.emile.space.nix b/nix/hosts/corrino/www/netbox.emile.space.nix index fdfadc0..25ea7e3 100644 --- a/nix/hosts/corrino/www/netbox.emile.space.nix +++ b/nix/hosts/corrino/www/netbox.emile.space.nix @@ -23,7 +23,7 @@ dataDir = "/var/lib/netbox"; settings.ALLOWED_HOSTS = [ "*" ]; enableLdap = false; - settings = {}; + settings = { }; secretKeyFile = config.age.secrets.netbox_secret.path; port = config.emile.ports.netbox; listenAddress = "[::1]"; @@ -60,4 +60,3 @@ # }; # users.users.nginx.extraGroups = [ "netbox" ]; } - diff --git a/nix/hosts/corrino/www/nix-cache/default.nix b/nix/hosts/corrino/www/nix-cache/default.nix index da2537c..de4a849 100644 --- a/nix/hosts/corrino/www/nix-cache/default.nix +++ b/nix/hosts/corrino/www/nix-cache/default.nix @@ -1,7 +1,5 @@ { ... }: { - imports = [ - ./nix-cache.emile.space.nix - ]; + imports = [ ./nix-cache.emile.space.nix ]; } 
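Review bot: The ACME `postRun` hook on the new side ends with `systemctl reload ergo.service`, but the unit configured a few lines below is `systemd.services.ergochat`, so the reload most likely targets a unit that does not exist and a renewed certificate is not picked up until the next restart. The same hook also copies `fullchain.pem` and `key.pem` into `/home/ergo`, which leaves a second copy of the private key outside the ACME directory even though `LoadCredential` already delivers both files to `/run/credentials/ergochat.service/` and the `tls` block of the listener reads only from that path. A smaller hook does the job: `postRun = "systemctl reload ergochat.service";` (use `restart` instead if the running ergo version does not reload certificates on a reload signal — confirm), and the `cp`/`chown` steps can be dropped so the key exists only under `/var/lib/acme` and the credential directory.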
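Review bot: `settings.ALLOWED_HOSTS = [ "*" ]`, the context line directly above the reformatted `settings = { }`, disables Django's Host-header validation for NetBox, so any absolute URL NetBox builds from the request (password-reset and notification links included) can be steered by a spoofed `Host` header even though the service only listens on `[::1]`. Since nginx in front of it presumably serves one public name (the file name suggests `netbox.emile.space`, but that is inferred), pinning it with `settings.ALLOWED_HOSTS = [ "netbox.emile.space" ];` is the tighter setting, adding `"localhost"` only if something probes the backend directly. If the wildcard is deliberate, a one-line comment saying why would stop the next reader from "fixing" it.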
diff --git a/nix/hosts/corrino/www/nix-cache/nix-cache.emile.space.nix b/nix/hosts/corrino/www/nix-cache/nix-cache.emile.space.nix index 690e422..c8f7264 100644 --- a/nix/hosts/corrino/www/nix-cache/nix-cache.emile.space.nix +++ b/nix/hosts/corrino/www/nix-cache/nix-cache.emile.space.nix @@ -1,10 +1,10 @@ { ... }: { - services.nginx.virtualHosts."nix-cache.emile.space" = { - forceSSL = false; - enableACME = false; - }; + services.nginx.virtualHosts."nix-cache.emile.space" = { + forceSSL = false; + enableACME = false; + }; # locations = { # "/" = { # root = "/var/www/emile.space"; @@ -12,10 +12,10 @@ # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; # ''; # }; - # }; - # locations."= /" = { - # index = "/index.txt"; - # }; + # }; + # locations."= /" = { + # index = "/index.txt"; + # }; # locations."= /index.txt" = { # root = ./index.txt; # }; 
@@ -32,27 +32,27 @@ # ''; # }; # locations."/" = { - # proxyPass = "http://${config.services.harmonia.settings.bind}"; - # extraConfig = '' - # proxy_set_header Host $host; - # proxy_redirect http:// https://; - # proxy_http_version 1.1; - # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - # proxy_set_header Upgrade $http_upgrade; - # proxy_set_header Connection $connection_upgrade; + # proxyPass = "http://${config.services.harmonia.settings.bind}"; + # extraConfig = '' + # proxy_set_header Host $host; + # proxy_redirect http:// https://; + # proxy_http_version 1.1; + # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # proxy_set_header Upgrade $http_upgrade; + # proxy_set_header Connection $connection_upgrade; - # zstd on; - # zstd_types application/x-nix-archive; - # ''; - # }; - # }; + # zstd on; + # zstd_types application/x-nix-archive; + # ''; + # }; + # }; - # services.harmonia = { - # enable = true; + # services.harmonia = { + # enable = true; - # # TODO(emile): manage this using age - # signKeyPath = "/var/lib/secrets/harmonia.secret"; + # # TODO(emile): manage this using age + # signKeyPath = "/var/lib/secrets/harmonia.secret"; - # settings.bind = "[::1]:${toString config.emile.ports.harmonia}"; - # }; + # settings.bind = "[::1]:${toString config.emile.ports.harmonia}"; + # }; } diff --git a/nix/hosts/corrino/www/photo/default.nix b/nix/hosts/corrino/www/photo/default.nix index dd555e4..46266ae 100644 --- a/nix/hosts/corrino/www/photo/default.nix +++ b/nix/hosts/corrino/www/photo/default.nix @@ -1,8 +1,8 @@ { ... }: { - imports = [ - ./photoprism.nix - # ./immich.nix - ]; + imports = [ + ./photoprism.nix + # ./immich.nix + ]; } diff --git a/nix/hosts/corrino/www/s3.emile.space.nix b/nix/hosts/corrino/www/s3.emile.space.nix index f1300f7..b4646ad 100644 --- a/nix/hosts/corrino/www/s3.emile.space.nix +++ b/nix/hosts/corrino/www/s3.emile.space.nix 
@@ -21,19 +21,19 @@ }; }; - services.minio = { - enable = true; - region = "eu-north-1-hel-1a"; # corrino is in the helsinki hetzner dc + services.minio = { + enable = true; + region = "eu-north-1-hel-1a"; # corrino is in the helsinki hetzner dc - listenAddress = "[::1]:${toString config.emile.ports.minio.s3}"; + listenAddress = "[::1]:${toString config.emile.ports.minio.s3}"; - browser = true; - consoleAddress = "[::1]:${toString config.emile.ports.minio.web}"; + browser = true; + consoleAddress = "[::1]:${toString config.emile.ports.minio.web}"; - dataDir = [ "/minio/data" ]; - configDir = "/minio/config"; + dataDir = [ "/minio/data" ]; + configDir = "/minio/config"; - rootCredentialsFile = config.age.secrets.minio_root_credz.path; - # accessKey - }; + rootCredentialsFile = config.age.secrets.minio_root_credz.path; + # accessKey + }; } diff --git a/nix/hosts/corrino/www/social.emile.space.nix b/nix/hosts/corrino/www/social.emile.space.nix index 9f9a6f1..47c5015 100644 --- a/nix/hosts/corrino/www/social.emile.space.nix +++ b/nix/hosts/corrino/www/social.emile.space.nix @@ -2,14 +2,14 @@ { - # the reverse proxy to gotosocial + # the reverse proxy to gotosocial services.nginx.virtualHosts."social.emile.space" = { forceSSL = true; enableACME = true; locations = { "/" = { proxyPass = "http://127.0.0.1:${toString config.emile.ports.gotosocial}"; - proxyWebsockets = true; + proxyWebsockets = true; extraConfig = '' client_max_body_size 40M; ''; 
@@ -18,79 +18,74 @@ }; }; - # Redirects from emile.space to social.emile.space - # Without this, other instances have problems getting from the username - # @hanemile@emile.space to the host social.emile.space - # https://docs.gotosocial.org/en/latest/advanced/host-account-domain/ + # Redirects from emile.space to social.emile.space + # Without this, other instances have problems getting from the username + # @hanemile@emile.space to the host social.emile.space + # https://docs.gotosocial.org/en/latest/advanced/host-account-domain/ services.nginx.virtualHosts."emile.space" = { locations = { - "/.well-known/webfinger".extraConfig = '' - rewrite ^.*$ https://social.emile.space/.well-known/webfinger permanent; + "/.well-known/webfinger".extraConfig = '' + rewrite ^.*$ https://social.emile.space/.well-known/webfinger permanent; ''; - "/.well-known/host-meta".extraConfig = '' - rewrite ^.*$ https://social.emile.space/.well-known/host-meta permanent; - ''; + "/.well-known/host-meta".extraConfig = '' + rewrite ^.*$ https://social.emile.space/.well-known/host-meta permanent; + ''; - "/.well-known/nodeinfo".extraConfig = '' - rewrite ^.*$ https://social.emile.space/.well-known/nodeinfo permanent; - ''; - }; - }; + "/.well-known/nodeinfo".extraConfig = '' + rewrite ^.*$ https://social.emile.space/.well-known/nodeinfo permanent; + ''; + }; + }; + # auth via authelia + services.authelia.instances.main.settings.identity_providers.oidc.clients = [ + { + id = "gotosocial"; - # auth via authelia - services.authelia.instances.main.settings.identity_providers.oidc.clients = [ - { - id = "gotosocial"; + # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 + secret = "$pbkdf2-sha512$310000$oDpZ5FuO965TbjPoophJXw$dbkAwWFvLN1h1Zh9US2ZOE5ilPRdEHMdGF/x0uorou2UqURrXF0KQmXxsV38F2yYMS7u/ecramKlvfMwsqHOcg"; + public = false; + authorization_policy = "two_factor"; + redirect_uris = [ 
"https://social.emile.space/auth/callback" ]; + scopes = [ + "openid" + "email" + "profile" + "groups" + ]; + grant_types = [ + "refresh_token" + "authorization_code" + ]; + response_types = [ "code" ]; + response_modes = [ + "form_post" + "query" + "fragment" + ]; + } + ]; - # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 - secret = "$pbkdf2-sha512$310000$oDpZ5FuO965TbjPoophJXw$dbkAwWFvLN1h1Zh9US2ZOE5ilPRdEHMdGF/x0uorou2UqURrXF0KQmXxsV38F2yYMS7u/ecramKlvfMwsqHOcg"; - public = false; - authorization_policy = "two_factor"; - redirect_uris = [ - "https://social.emile.space/auth/callback" - ]; - scopes = [ - "openid" - "email" - "profile" - "groups" - ]; - grant_types = [ - "refresh_token" - "authorization_code" - ]; - response_types = [ - "code" - ]; - response_modes = [ - "form_post" - "query" - "fragment" - ]; - } - ]; - - services.gotosocial = { - enable = true; - package = pkgs.gotosocial; - settings = { - host = "social.emile.space"; - port = config.emile.ports.gotosocial; - bind-address = "127.0.0.1"; - account-domain = "emile.space"; - db-type = "sqlite"; - db-address = "/var/lib/gotosocial/database.sqlite"; - protocol = "https"; - storage-local-base-path = "/var/lib/gotosocial/storage"; - oidc-idp-name = "authelia"; - oidc-client-id = "gotosocial"; - advanced-rate-limit-requests = 0; - accounts-allow-custom-css = true; - }; - environmentFile = config.age.secrets.gotosocial_environment_file.path; - }; + services.gotosocial = { + enable = true; + package = pkgs.gotosocial; + settings = { + host = "social.emile.space"; + port = config.emile.ports.gotosocial; + bind-address = "127.0.0.1"; + account-domain = "emile.space"; + db-type = "sqlite"; + db-address = "/var/lib/gotosocial/database.sqlite"; + protocol = "https"; + storage-local-base-path = "/var/lib/gotosocial/storage"; + oidc-idp-name = "authelia"; + oidc-client-id = "gotosocial"; + advanced-rate-limit-requests = 0; + 
accounts-allow-custom-css = true; + }; + environmentFile = config.age.secrets.gotosocial_environment_file.path; + }; systemd.services.gotosocial = { after = [ "authelia-main.service" ]; diff --git a/nix/hosts/corrino/www/sso.emile.space.nix b/nix/hosts/corrino/www/sso.emile.space.nix index 0f77197..e51db9a 100644 --- a/nix/hosts/corrino/www/sso.emile.space.nix +++ b/nix/hosts/corrino/www/sso.emile.space.nix 
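Review bot: `advanced-rate-limit-requests = 0` in the new `services.gotosocial.settings` switches GoToSocial's built-in per-client rate limiting off, and the nginx vhost for `social.emile.space` earlier in this file (outside this hunk) shows no `limit_req` taking its place, so the login, OIDC callback and API endpoints are unthrottled at the application layer. If the limit was removed because every request arrived with the proxy's address, the usual fix is to keep the limit and make sure GoToSocial sees the real client IP from `X-Forwarded-For` (newer releases also offer `advanced-rate-limit-exceptions` for specific ranges — confirm against the version in use). If disabling it is intentional, a short comment such as `# rate limiting disabled on purpose: <reason>; keep in sync with nginx` would document that decision next to the value.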
@@ -1,214 +1,212 @@ { config, pkgs, ... }: let - authelia_port = config.services.authelia.instances.main.settings.server.port; -in { - - services.nginx.virtualHosts."sso.emile.space" = { - forceSSL = true; - enableACME = true; - - locations = { - "/" = { - proxyPass = "http://127.0.0.1:${toString authelia_port}"; - - extraConfig = '' - ## Headers - proxy_set_header Host $host; - proxy_set_header X-Original-URL $scheme://$http_host$request_uri; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $http_host; - proxy_set_header X-Forwarded-URI $request_uri; - proxy_set_header X-Forwarded-Ssl on; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Real-IP $remote_addr; - - ## Basic Proxy Configuration - client_body_buffer_size 128k; - proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead. - proxy_redirect http:// $scheme://; - proxy_http_version 1.1; - proxy_cache_bypass $cookie_session; - proxy_no_cache $cookie_session; - proxy_buffers 64 256k; - - ## Trusted Proxies Configuration - ## Please read the following documentation before configuring this: - ## https://www.authelia.com/integration/proxies/nginx/#trusted-proxies - # set_real_ip_from 10.0.0.0/8; - # set_real_ip_from 172.16.0.0/12; - # set_real_ip_from 192.168.0.0/16; - # set_real_ip_from fc00::/7; - set_real_ip_from 127.0.0.1/32; - real_ip_header X-Forwarded-For; - real_ip_recursive on; - - ## Advanced Proxy Configuration - send_timeout 5m; - proxy_read_timeout 360; - proxy_send_timeout 360; - proxy_connect_timeout 360; - ''; - }; - - "/api/verify" = { - proxyPass = "http://127.0.0.1:${toString authelia_port}"; - }; - - "/api/authz/" = { - proxyPass = "http://127.0.0.1:${toString authelia_port}"; - }; - }; - }; - - # set the permissions for the secrets... - age.secrets = { - # ... 
passwed via environment vars - authelia_session_secret.owner = "authelia-main"; - authelia_session_secret.group = "authelia-main"; - authelia_mail_password.owner = "authelia-main"; - authelia_mail_password.group = "authelia-main"; - - # ... passed via the services.authelia.instances.main.secrets attribute - authelia_storage_encryption_key.owner = "authelia-main"; - authelia_storage_encryption_key.group = "authelia-main"; - authelia_jwt_secret.owner = "authelia-main"; - authelia_jwt_secret.group = "authelia-main"; - authelia_oidc_issuer_private_key.owner = "authelia-main"; - authelia_oidc_issuer_private_key.group = "authelia-main"; - authelia_oidc_hmac_secret.owner = "authelia-main"; - authelia_oidc_hmac_secret.group = "authelia-main"; - }; - - - services.authelia.instances = { - main = { - enable = true; - package = pkgs.authelia; - - # pass some of the secrets in as env-vars - environmentVariables = with config.age.secrets; { - AUTHELIA_SESSION_SECRET_FILE = authelia_session_secret.path; - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = authelia_mail_password.path; - }; - secrets = with config.age.secrets; { - manual = true; - - # some other secrets can be defined here, but not all... 
- storageEncryptionKeyFile = authelia_storage_encryption_key.path; - jwtSecretFile = authelia_jwt_secret.path; - oidcIssuerPrivateKeyFile = authelia_oidc_issuer_private_key.path; - oidcHmacSecretFile = authelia_oidc_hmac_secret.path; - }; - settings = { - theme = "dark"; - - server = { - host = "127.0.0.1"; - port = config.emile.ports.authelia; - }; - - # we're using a file to store the user information - authentication_backend = { - refresh_interval = "20s"; - file = { - path = "/var/lib/authelia-main/user.yml"; - watch = true; - password = { - algorithm = "argon2id"; - iterations = 3; - key_length = 32; - salt_length = 16; - memory = 65; - parallelism = 4; - }; - }; - }; - - storage.local.path = "/var/lib/authelia-main/db.sqlite"; - - session = { - domain = "sso.emile.space"; - expiration = 3600; # 1 hour - inactivity = 300; # 5 minutes - }; - - notifier = { - disable_startup_check = false; - smtp = { - host = "mail.emile.space"; - port = 587; - timeout = "30s"; - username = "mail@emile.space"; - - sender = "mail@emile.space"; - subject = "[Authelia] {title}"; - - disable_require_tls = false; - disable_starttls = false; - disable_html_emails = true; - - tls = { - server_name = "mail.emile.space"; - skip_verify = true; - minimum_version = "TLS1.3"; - }; - }; - }; - - identity_providers = { - oidc = { - # regenerate keys like this: - # ; nix run nixpkgs#authelia -- crypto certificate rsa generate - # current serial: deb83f17e27e663f544a16ad2947631d - - enable_client_debug_messages = false; - minimum_parameter_entropy = 8; - enforce_pkce = "public_clients_only"; - enable_pkce_plain_challenge = false; - cors = { - endpoints = [ - "authorization" - "token" - "revocation" - "introspection" - ]; - allowed_origins = [ - "https://emile.space" - ]; - allowed_origins_from_client_redirect_uris = false; - }; - }; - }; - - access_control = { - default_policy = "deny"; - rules = [ - { - domain = "*.emile.space"; - policy = "two_factor"; - } - ]; - }; - - totp = { - disable = 
false; - issuer = "sso.emile.space"; - algorithm = "sha1"; - digits = 6; - period = 30; - skew = 1; - secret_size = 32; - }; - - ntp = { - address = "time.cloudflare.com:123"; - version = 3; - max_desync = "3s"; - disable_startup_check = false; - disable_failure = false; - }; - }; - }; - }; + authelia_port = config.services.authelia.instances.main.settings.server.port; +in +{ + + services.nginx.virtualHosts."sso.emile.space" = { + forceSSL = true; + enableACME = true; + + locations = { + "/" = { + proxyPass = "http://127.0.0.1:${toString authelia_port}"; + + extraConfig = '' + ## Headers + proxy_set_header Host $host; + proxy_set_header X-Original-URL $scheme://$http_host$request_uri; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-URI $request_uri; + proxy_set_header X-Forwarded-Ssl on; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Real-IP $remote_addr; + + ## Basic Proxy Configuration + client_body_buffer_size 128k; + proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead. 
+ proxy_redirect http:// $scheme://; + proxy_http_version 1.1; + proxy_cache_bypass $cookie_session; + proxy_no_cache $cookie_session; + proxy_buffers 64 256k; + + ## Trusted Proxies Configuration + ## Please read the following documentation before configuring this: + ## https://www.authelia.com/integration/proxies/nginx/#trusted-proxies + # set_real_ip_from 10.0.0.0/8; + # set_real_ip_from 172.16.0.0/12; + # set_real_ip_from 192.168.0.0/16; + # set_real_ip_from fc00::/7; + set_real_ip_from 127.0.0.1/32; + real_ip_header X-Forwarded-For; + real_ip_recursive on; + + ## Advanced Proxy Configuration + send_timeout 5m; + proxy_read_timeout 360; + proxy_send_timeout 360; + proxy_connect_timeout 360; + ''; + }; + + "/api/verify" = { + proxyPass = "http://127.0.0.1:${toString authelia_port}"; + }; + + "/api/authz/" = { + proxyPass = "http://127.0.0.1:${toString authelia_port}"; + }; + }; + }; + + # set the permissions for the secrets... + age.secrets = { + # ... passwed via environment vars + authelia_session_secret.owner = "authelia-main"; + authelia_session_secret.group = "authelia-main"; + authelia_mail_password.owner = "authelia-main"; + authelia_mail_password.group = "authelia-main"; + + # ... 
passed via the services.authelia.instances.main.secrets attribute + authelia_storage_encryption_key.owner = "authelia-main"; + authelia_storage_encryption_key.group = "authelia-main"; + authelia_jwt_secret.owner = "authelia-main"; + authelia_jwt_secret.group = "authelia-main"; + authelia_oidc_issuer_private_key.owner = "authelia-main"; + authelia_oidc_issuer_private_key.group = "authelia-main"; + authelia_oidc_hmac_secret.owner = "authelia-main"; + authelia_oidc_hmac_secret.group = "authelia-main"; + }; + + services.authelia.instances = { + main = { + enable = true; + package = pkgs.authelia; + + # pass some of the secrets in as env-vars + environmentVariables = with config.age.secrets; { + AUTHELIA_SESSION_SECRET_FILE = authelia_session_secret.path; + AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = authelia_mail_password.path; + }; + secrets = with config.age.secrets; { + manual = true; + + # some other secrets can be defined here, but not all... + storageEncryptionKeyFile = authelia_storage_encryption_key.path; + jwtSecretFile = authelia_jwt_secret.path; + oidcIssuerPrivateKeyFile = authelia_oidc_issuer_private_key.path; + oidcHmacSecretFile = authelia_oidc_hmac_secret.path; + }; + settings = { + theme = "dark"; + + server = { + host = "127.0.0.1"; + port = config.emile.ports.authelia; + }; + + # we're using a file to store the user information + authentication_backend = { + refresh_interval = "20s"; + file = { + path = "/var/lib/authelia-main/user.yml"; + watch = true; + password = { + algorithm = "argon2id"; + iterations = 3; + key_length = 32; + salt_length = 16; + memory = 65; + parallelism = 4; + }; + }; + }; + + storage.local.path = "/var/lib/authelia-main/db.sqlite"; + + session = { + domain = "sso.emile.space"; + expiration = 3600; # 1 hour + inactivity = 300; # 5 minutes + }; + + notifier = { + disable_startup_check = false; + smtp = { + host = "mail.emile.space"; + port = 587; + timeout = "30s"; + username = "mail@emile.space"; + + sender = "mail@emile.space"; + 
subject = "[Authelia] {title}"; + + disable_require_tls = false; + disable_starttls = false; + disable_html_emails = true; + + tls = { + server_name = "mail.emile.space"; + skip_verify = true; + minimum_version = "TLS1.3"; + }; + }; + }; + + identity_providers = { + oidc = { + # regenerate keys like this: + # ; nix run nixpkgs#authelia -- crypto certificate rsa generate + # current serial: deb83f17e27e663f544a16ad2947631d + + enable_client_debug_messages = false; + minimum_parameter_entropy = 8; + enforce_pkce = "public_clients_only"; + enable_pkce_plain_challenge = false; + cors = { + endpoints = [ + "authorization" + "token" + "revocation" + "introspection" + ]; + allowed_origins = [ "https://emile.space" ]; + allowed_origins_from_client_redirect_uris = false; + }; + }; + }; + + access_control = { + default_policy = "deny"; + rules = [ + { + domain = "*.emile.space"; + policy = "two_factor"; + } + ]; + }; + + totp = { + disable = false; + issuer = "sso.emile.space"; + algorithm = "sha1"; + digits = 6; + period = 30; + skew = 1; + secret_size = 32; + }; + + ntp = { + address = "time.cloudflare.com:123"; + version = 3; + max_desync = "3s"; + disable_startup_check = false; + disable_failure = false; + }; + }; + }; + }; } diff --git a/nix/hosts/corrino/www/tickets.emile.space.nix b/nix/hosts/corrino/www/tickets.emile.space.nix index a53b878..fb12961 100644 --- a/nix/hosts/corrino/www/tickets.emile.space.nix +++ b/nix/hosts/corrino/www/tickets.emile.space.nix @@ -17,7 +17,10 @@ pretix = { enable = true; package = pkgs.pretix; - plugins = with config.services.pretix.package.plugins; [ passbook pages ]; + plugins = with config.services.pretix.package.plugins; [ + passbook + pages + ]; user = "pretix"; group = "pretix"; gunicorn.extraArgs = [ diff --git a/nix/hosts/corrino/www/tmp.emile.space.nix b/nix/hosts/corrino/www/tmp.emile.space.nix index eeb7f8b..395c4dd 100644 --- a/nix/hosts/corrino/www/tmp.emile.space.nix +++ b/nix/hosts/corrino/www/tmp.emile.space.nix 
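Review bot: `notifier.smtp.tls.skip_verify = true` on the new side turns off certificate verification for the SMTP session to `mail.emile.space`, which makes the neighbouring `minimum_version = "TLS1.3"` and `disable_require_tls = false` largely cosmetic: the password loaded from `AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE` is sent to whatever answers on port 587 as long as it speaks TLS, so an on-path attacker can substitute a certificate. With `server_name` already pinned and the mail host under the same operator, `skip_verify = false;` should work as soon as the mail server presents a chain that validates against the system trust store; if it uses a self-signed certificate, adding that certificate to the trust bundle is the right fix rather than disabling verification. Separately, `session.domain = "sso.emile.space"` only makes the session cookie valid for the portal host; the `/api/verify` and `/api/authz/` locations suggest forward-auth for other `*.emile.space` hosts is intended, in which case the cookie domain usually has to be the parent domain — worth confirming, since it cannot be decided from this hunk alone.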
@@ -10,7 +10,7 @@ extraConfig = '' add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; autoindex on; - ''; + ''; }; }; }; diff --git a/nix/hosts/gamont/configuration.nix b/nix/hosts/gamont/configuration.nix index 4ea1678..b0d0d9d 100644 --- a/nix/hosts/gamont/configuration.nix +++ b/nix/hosts/gamont/configuration.nix @@ -1,4 +1,9 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: let user = "nixos"; @@ -11,14 +16,19 @@ let "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZi43zHEsoWaQomLGaftPE5k0RqVrZyiTtGqZlpWsew emile@caladan" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEzLZ56SEgwZZ0OusTdSDDhpMlxSg1zPNdRLuxKOfrR5 emile@chusuk" ]; -in { +in +{ boot = { kernelPackages = pkgs.linuxKernel.packages.linux_rpi4; kernel.sysctl = { "net.ipv4.conf.all.forwarding" = true; }; - initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ]; + initrd.availableKernelModules = [ + "xhci_pci" + "usbhid" + "usb_storage" + ]; loader = { grub.enable = false; generic-extlinux-compatible.enable = true; @@ -47,7 +57,12 @@ in { }; interfaces.end0 = { - ipv4.addresses = [ { address = "192.168.1.1"; prefixLength = 24; } ]; + ipv4.addresses = [ + { + address = "192.168.1.1"; + prefixLength = 24; + } + ]; }; nftables = { @@ -80,13 +95,14 @@ in { }; }; - environment.systemPackages = with pkgs; [ + environment.systemPackages = with pkgs; [ helix - vim + vim dnsmasq tcpdump curl - iptables nftables + iptables + nftables ]; services = { diff --git a/nix/hosts/hacknix/burpsuitepro/default.nix b/nix/hosts/hacknix/burpsuitepro/default.nix index 0365bb9..8c9605d 100644 --- a/nix/hosts/hacknix/burpsuitepro/default.nix +++ b/nix/hosts/hacknix/burpsuitepro/default.nix @@ -24,7 +24,6 @@ pkgs.stdenvNoCC.mkDerivation rec { runHook postInstall ''; - preferLocalBuild = true; meta = with nixpkgs.lib; { 
@@ -40,7 +39,7 @@ pkgs.stdenvNoCC.mkDerivation rec { sourceProvenance = with sourceTypes; [ binaryBytecode ]; #license = licenses.unfree; platforms = pkgs.jdk19.meta.platforms; - hydraPlatforms = []; + hydraPlatforms = [ ]; maintainers = with maintainers; [ hanemile ]; }; } diff --git a/nix/hosts/hacknix/configuration.nix b/nix/hosts/hacknix/configuration.nix index 6706f52..a408466 100644 --- a/nix/hosts/hacknix/configuration.nix +++ b/nix/hosts/hacknix/configuration.nix @@ -2,17 +2,28 @@ # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). -{ nixpkgs, nixpkgs-unstable, config, lib, pkgs, ... }: +{ + nixpkgs, + nixpkgs-unstable, + config, + lib, + pkgs, + ... +}: let - burppro = pkgs.callPackage ./burpsuitepro { inherit pkgs; nixpkgs=pkgs; }; - # TODO: pull licence from git -in { - imports = - [ # Include the results of the hardware scan. - ./hardware-configuration.nix - ./overlay - ]; + burppro = pkgs.callPackage ./burpsuitepro { + inherit pkgs; + nixpkgs = pkgs; + }; +in +# TODO: pull licence from git +{ + imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ./overlay + ]; nixpkgs = { config.allowUnfree = true; # for virtualisation.virtualbox 
@@ -37,43 +48,43 @@ in { services = { dbus.enable = true; xserver = { - enable = true; - - # Keyboard settings - layout = "us"; - xkbOptions = "caps:compose"; - - desktopManager = { - xterm.enable = false; - - # we don't use the xfce interface, only the fancy desktopManager - # settings and the session - xfce = { - enable = true; - noDesktop = true; - enableXfwm = false; - }; - }; - - # default display manager when logging in - displayManager = { - defaultSession = "xfce+i3"; - sessionCommands = '' - ''; - }; - - windowManager.i3 = { - enable = true; - configFile = "/etc/i3.conf"; # see environment.etc."i3.conf".text - extraPackages = with pkgs; [ - dmenu - i3status i3blocks - ]; - }; + enable = true; + + # Keyboard settings + layout = "us"; + xkbOptions = "caps:compose"; + + desktopManager = { + xterm.enable = false; + + # we don't use the xfce interface, only the fancy desktopManager + # settings and the session + xfce = { + enable = true; + noDesktop = true; + enableXfwm = false; + }; + }; + + # default display manager when logging in + displayManager = { + defaultSession = "xfce+i3"; + sessionCommands = ''''; + }; + + windowManager.i3 = { + enable = true; + configFile = "/etc/i3.conf"; # see environment.etc."i3.conf".text + extraPackages = with pkgs; [ + dmenu + i3status + i3blocks + ]; + }; }; }; - environment.etc."i3.conf".text = pkgs.callPackage ./i3-config.nix {}; + environment.etc."i3.conf".text = pkgs.callPackage ./i3-config.nix { }; # Enable CUPS to print documents. # services.printing.enable = true; 
@@ -101,129 +112,133 @@ in { #ls = "lsd"; ls = "eza"; }; - systemPackages = with pkgs; [ - unstable.obsidian + systemPackages = + with pkgs; + [ + unstable.obsidian - kitty + kitty - # editors - vim + # editors + vim - helix + helix marksman # markdown lsp cuelsp # cue lsp - terraform-lsp terraform-ls # terraform lsp + terraform-lsp + terraform-ls # terraform lsp # rnix-lsp # nix lsp (CVE-2024-27297, that's why it's commented!) - # command line tools - fd - ripgrep - htop - fzf - jq - eza - lsd - du-dust - pwgen - - # x11 foo - arandr - feh - - # shell - zsh oh-my-zsh - - # browser - chromium - firefox - - # programming languages - go - gopls # (Official language server for the Go language) - go-outline # (Utility to extract JSON representation of declarations from a Go source file) - go-tools # staticcheck (A collection of tools and libraries for working with Go code, including linters and static analysis) - gocode-gomod # (An autocompletion daemon for the Go programming language) - gotest # (go test with colors) - gotests # (Generate Go tests from your source code) - gomodifytags # (Go tool to modify struct field tags) - impl # (Generate method stubs for implementing an interface) - delve # dlv (debugger for the Go programming language) - - (pkgs.python3.withPackages (ps: with ps; [ - pwntools - requests - tqdm - beautifulsoup4 - mitmproxy - - ( - buildPythonPackage rec { - pname = "pandoc"; - version = "2.3"; - src = fetchPypi { - inherit pname version; - sha256 = "sha256-53LCxthxFGiUV5go268e/VOOtk/H5x1KazoRoYuu+Q0="; - }; - doCheck = false; - propagatedBuildInputs = [ - # pkgs.python310Packages.ply - # pkgs.python310Packages.plumbum - # Specify dependencies - #pkgs.python3Packages.numpy - ]; - } - ) - ])) - - # dev - vscode - docker-compose - - # analysis - binwalk - file - - # communication - element-desktop - - # view pdfs - zathura okular - - # infra - cue - cuetools - - #radare2 - # r2 - capstone # Advanced disassembly library - keystone # Lightweight 
multi-platform, multi-architecture assembler framework - unicorn # Lightweight multi-platform CPU emulator library - - # hashicorp stuff - # vault vault-bin vaultenv vault-medusa - # nomad_1_4 - # consul - # terraform - - #unstable.mitmproxy - #mitmproxy_bs4 - - dex - xss-lock - networkmanagerapplet - - p7zip - m4 - - libreoffice - - pandoc - tmux - - python311Packages.python-lsp-server - ] ++ [ - burppro - ]; + # command line tools + fd + ripgrep + htop + fzf + jq + eza + lsd + du-dust + pwgen + + # x11 foo + arandr + feh + + # shell + zsh + oh-my-zsh + + # browser + chromium + firefox + + # programming languages + go + gopls # (Official language server for the Go language) + go-outline # (Utility to extract JSON representation of declarations from a Go source file) + go-tools # staticcheck (A collection of tools and libraries for working with Go code, including linters and static analysis) + gocode-gomod # (An autocompletion daemon for the Go programming language) + gotest # (go test with colors) + gotests # (Generate Go tests from your source code) + gomodifytags # (Go tool to modify struct field tags) + impl # (Generate method stubs for implementing an interface) + delve # dlv (debugger for the Go programming language) + + (pkgs.python3.withPackages ( + ps: with ps; [ + pwntools + requests + tqdm + beautifulsoup4 + mitmproxy + + (buildPythonPackage rec { + pname = "pandoc"; + version = "2.3"; + src = fetchPypi { + inherit pname version; + sha256 = "sha256-53LCxthxFGiUV5go268e/VOOtk/H5x1KazoRoYuu+Q0="; + }; + doCheck = false; + propagatedBuildInputs = [ + # pkgs.python310Packages.ply + # pkgs.python310Packages.plumbum + # Specify dependencies + #pkgs.python3Packages.numpy + ]; + }) + ] + )) + + # dev + vscode + docker-compose + + # analysis + binwalk + file + + # communication + element-desktop + + # view pdfs + zathura + okular + + # infra + cue + cuetools + + #radare2 + # r2 + capstone # Advanced disassembly library + keystone # Lightweight multi-platform, 
multi-architecture assembler framework + unicorn # Lightweight multi-platform CPU emulator library + + # hashicorp stuff + # vault vault-bin vaultenv vault-medusa + # nomad_1_4 + # consul + # terraform + + #unstable.mitmproxy + #mitmproxy_bs4 + + dex + xss-lock + networkmanagerapplet + + p7zip + m4 + + libreoffice + + pandoc + tmux + + python311Packages.python-lsp-server + ] + ++ [ burppro ]; }; fonts.packages = with pkgs; [ @@ -236,13 +251,13 @@ in { # Some programs need SUID wrappers, can be configured further or are # started in user sessions. programs = { - + vim.defaultEditor = true; htop = { enable = true; settings = { - hide_kernel_threads = true; + hide_kernel_threads = true; }; }; @@ -269,7 +284,7 @@ in { enable = true; homepageLocation = "https://emile.space"; extraOpts = { - "ClientCertificateManagementAllowed" = 0; + "ClientCertificateManagementAllowed" = 0; }; }; @@ -344,12 +359,17 @@ in { # 127.0.0.1 localhost # ::1 localhost }; - + firewall = { enable = true; # open further TCP and/or UDP ports in the firewall - allowedTCPPorts = [ 80 443 8123 8080 ]; + allowedTCPPorts = [ + 80 + 443 + 8123 + 8080 + ]; #allowedUDPPorts = [ 53 ]; }; @@ -392,4 +412,3 @@ in { # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). system.stateVersion = "22.11"; # Did you read the comment? } - diff --git a/nix/hosts/hacknix/hardware-configuration.nix b/nix/hosts/hacknix/hardware-configuration.nix index d887abc..c0ececb 100644 --- a/nix/hosts/hacknix/hardware-configuration.nix +++ b/nix/hosts/hacknix/hardware-configuration.nix 
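Review bot: The inline `buildPythonPackage` for pypi `pandoc` 2.3 sets `doCheck = false` and leaves `propagatedBuildInputs` empty (the `ply`/`plumbum` entries are commented out), so nothing in the build verifies that the module is importable; if the package needs those two at runtime, the failure only shows up the first time `import pandoc` runs. Adding `pythonImportsCheck = [ "pandoc" ];` next to `doCheck = false;` makes the build fail at the point a runtime dependency is missing, at no cost to the hash pinning already done through `fetchPypi`. The interpreter built here is separate from the `python311Packages.python-lsp-server` listed further down; presumably intentional, but a one-line comment would spare the next reader the question.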
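Review bot: `allowedTCPPorts = [ 80 443 8123 8080 ]` now lists each port on its own line but still says nothing about what is expected to listen on them, and the rule applies to every interface of a machine used for pentest work. A per-port comment is the minimum a later reader needs to decide whether a port can be closed, e.g. `80 # <service that listens here>` on each entry. If only a lab or VM interface should be reachable, `networking.firewall.interfaces.<name>.allowedTCPPorts` scopes the rule to that interface; keep the global list for what genuinely must be reachable from everywhere.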
@@ -1,25 +1,38 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { imports = [ ]; - boot.initrd.availableKernelModules = [ "ata_piix" "ohci_pci" "ehci_pci" "ahci" "sd_mod" "sr_mod" ]; + boot.initrd.availableKernelModules = [ + "ata_piix" + "ohci_pci" + "ehci_pci" + "ahci" + "sd_mod" + "sr_mod" + ]; boot.initrd.kernelModules = [ "dm-snapshot" ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/disk/by-uuid/0c22b35c-1d78-4186-aff0-62282e832ad7"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/0c22b35c-1d78-4186-aff0-62282e832ad7"; + fsType = "ext4"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/9545-D744"; - fsType = "vfat"; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/9545-D744"; + fsType = "vfat"; + }; swapDevices = [ ]; diff --git a/nix/hosts/hacknix/i3-config.nix b/nix/hosts/hacknix/i3-config.nix index ea06d2d..5836fda 100644 --- a/nix/hosts/hacknix/i3-config.nix +++ b/nix/hosts/hacknix/i3-config.nix 
@@ -1,139 +1,139 @@ -{}: +{ }: '' -set $mod Mod1 + set $mod Mod1 -font pango:monospace 8 + font pango:monospace 8 -exec --no-startup-id dex --autostart --environment i3 -exec --no-startup-id xss-lock --transfer-sleep-lock -- i3lock --nofork -exec --no-startup-id nm-applet - -set $refresh_i3status killall -SIGUSR1 i3status -bindsym XF86AudioRaiseVolume exec --no-startup-id pactl set-sink-volume @DEFAULT_SINK@ +10% && $refresh_i3status -bindsym XF86AudioLowerVolume exec --no-startup-id pactl set-sink-volume @DEFAULT_SINK@ -10% && $refresh_i3status -bindsym XF86AudioMute exec --no-startup-id pactl set-sink-mute @DEFAULT_SINK@ toggle && $refresh_i3status -bindsym XF86AudioMicMute exec --no-startup-id pactl set-source-mute @DEFAULT_SOURCE@ toggle && $refresh_i3status - -floating_modifier $mod - -tiling_drag modifier titlebar - -#bindsym $mod+Return exec i3-sensible-terminal -bindsym $mod+Return exec kitty - -bindsym $mod+Shift+q kill - -bindsym $mod+d exec --no-startup-id dmenu_run - -bindsym $mod+h focus left -bindsym $mod+j focus down -bindsym $mod+k focus up -bindsym $mod+l focus right - -bindsym $mod+Left focus left -bindsym $mod+Down focus down -bindsym $mod+Up focus up -bindsym $mod+Right focus right - -bindsym $mod+Shift+h move left -bindsym $mod+Shift+j move down -bindsym $mod+Shift+k move up -bindsym $mod+Shift+l move right - -bindsym $mod+Shift+Left move left -bindsym $mod+Shift+Down move down -bindsym $mod+Shift+Up move up -bindsym $mod+Shift+Right move right - -bindsym $mod+b split h - -bindsym $mod+v split v - -bindsym $mod+f fullscreen toggle - -bindsym $mod+s layout stacking -bindsym $mod+w layout tabbed -bindsym $mod+e layout toggle split - -bindsym $mod+Shift+space floating toggle - -bindsym $mod+space focus mode_toggle - -bindsym $mod+a focus parent - - -set $ws1 "1" -set $ws2 "2" -set $ws3 "3" -set $ws4 "4" -set $ws5 "5" -set $ws6 "6" -set $ws7 "7" -set $ws8 "8" -set $ws9 "9" -set $ws10 "10" - -bindsym $mod+1 workspace number $ws1 -bindsym $mod+2 
workspace number $ws2 -bindsym $mod+3 workspace number $ws3 -bindsym $mod+4 workspace number $ws4 -bindsym $mod+5 workspace number $ws5 -bindsym $mod+6 workspace number $ws6 -bindsym $mod+7 workspace number $ws7 -bindsym $mod+8 workspace number $ws8 -bindsym $mod+9 workspace number $ws9 -bindsym $mod+0 workspace number $ws10 - -bindsym $mod+Shift+1 move container to workspace number $ws1 -bindsym $mod+Shift+2 move container to workspace number $ws2 -bindsym $mod+Shift+3 move container to workspace number $ws3 -bindsym $mod+Shift+4 move container to workspace number $ws4 -bindsym $mod+Shift+5 move container to workspace number $ws5 -bindsym $mod+Shift+6 move container to workspace number $ws6 -bindsym $mod+Shift+7 move container to workspace number $ws7 -bindsym $mod+Shift+8 move container to workspace number $ws8 -bindsym $mod+Shift+9 move container to workspace number $ws9 -bindsym $mod+Shift+0 move container to workspace number $ws10 - -bindsym $mod+Shift+c reload -bindsym $mod+Shift+r restart -bindsym $mod+Shift+e exec "i3-nagbar -t warning -m 'You pressed the exit shortcut. Do you really want to exit i3? This will end your X session.' -B 'Yes, exit i3' 'i3-msg exit'" - -mode "resize" { - # These bindings trigger as soon as you enter the resize mode - - # Pressing left will shrink the window’s width. - # Pressing right will grow the window’s width. - # Pressing up will shrink the window’s height. - # Pressing down will grow the window’s height. 
- bindsym h resize shrink width 10 px or 10 ppt - bindsym j resize grow height 10 px or 10 ppt - bindsym k resize shrink height 10 px or 10 ppt - bindsym l resize grow width 10 px or 10 ppt - - # same bindings, but for the arrow keys - bindsym Left resize shrink width 10 px or 10 ppt - bindsym Down resize grow height 10 px or 10 ppt - bindsym Up resize shrink height 10 px or 10 ppt - bindsym Right resize grow width 10 px or 10 ppt - - # back to normal: Enter or Escape or $mod+r - bindsym Return mode "default" - bindsym Escape mode "default" - bindsym $mod+r mode "default" -} - -bindsym $mod+r mode "resize" - -bar { - position top - status_command i3status -} - -default_border pixel 1 -hide_edge_borders smart -smart_borders on - -bindsym $mod+shift+m border toggle + exec --no-startup-id dex --autostart --environment i3 + exec --no-startup-id xss-lock --transfer-sleep-lock -- i3lock --nofork + exec --no-startup-id nm-applet + + set $refresh_i3status killall -SIGUSR1 i3status + bindsym XF86AudioRaiseVolume exec --no-startup-id pactl set-sink-volume @DEFAULT_SINK@ +10% && $refresh_i3status + bindsym XF86AudioLowerVolume exec --no-startup-id pactl set-sink-volume @DEFAULT_SINK@ -10% && $refresh_i3status + bindsym XF86AudioMute exec --no-startup-id pactl set-sink-mute @DEFAULT_SINK@ toggle && $refresh_i3status + bindsym XF86AudioMicMute exec --no-startup-id pactl set-source-mute @DEFAULT_SOURCE@ toggle && $refresh_i3status + + floating_modifier $mod + + tiling_drag modifier titlebar + + #bindsym $mod+Return exec i3-sensible-terminal + bindsym $mod+Return exec kitty + + bindsym $mod+Shift+q kill + + bindsym $mod+d exec --no-startup-id dmenu_run + + bindsym $mod+h focus left + bindsym $mod+j focus down + bindsym $mod+k focus up + bindsym $mod+l focus right + + bindsym $mod+Left focus left + bindsym $mod+Down focus down + bindsym $mod+Up focus up + bindsym $mod+Right focus right + + bindsym $mod+Shift+h move left + bindsym $mod+Shift+j move down + bindsym $mod+Shift+k move 
up + bindsym $mod+Shift+l move right + + bindsym $mod+Shift+Left move left + bindsym $mod+Shift+Down move down + bindsym $mod+Shift+Up move up + bindsym $mod+Shift+Right move right + + bindsym $mod+b split h + + bindsym $mod+v split v + + bindsym $mod+f fullscreen toggle + + bindsym $mod+s layout stacking + bindsym $mod+w layout tabbed + bindsym $mod+e layout toggle split + + bindsym $mod+Shift+space floating toggle + + bindsym $mod+space focus mode_toggle + + bindsym $mod+a focus parent + + + set $ws1 "1" + set $ws2 "2" + set $ws3 "3" + set $ws4 "4" + set $ws5 "5" + set $ws6 "6" + set $ws7 "7" + set $ws8 "8" + set $ws9 "9" + set $ws10 "10" + + bindsym $mod+1 workspace number $ws1 + bindsym $mod+2 workspace number $ws2 + bindsym $mod+3 workspace number $ws3 + bindsym $mod+4 workspace number $ws4 + bindsym $mod+5 workspace number $ws5 + bindsym $mod+6 workspace number $ws6 + bindsym $mod+7 workspace number $ws7 + bindsym $mod+8 workspace number $ws8 + bindsym $mod+9 workspace number $ws9 + bindsym $mod+0 workspace number $ws10 + + bindsym $mod+Shift+1 move container to workspace number $ws1 + bindsym $mod+Shift+2 move container to workspace number $ws2 + bindsym $mod+Shift+3 move container to workspace number $ws3 + bindsym $mod+Shift+4 move container to workspace number $ws4 + bindsym $mod+Shift+5 move container to workspace number $ws5 + bindsym $mod+Shift+6 move container to workspace number $ws6 + bindsym $mod+Shift+7 move container to workspace number $ws7 + bindsym $mod+Shift+8 move container to workspace number $ws8 + bindsym $mod+Shift+9 move container to workspace number $ws9 + bindsym $mod+Shift+0 move container to workspace number $ws10 + + bindsym $mod+Shift+c reload + bindsym $mod+Shift+r restart + bindsym $mod+Shift+e exec "i3-nagbar -t warning -m 'You pressed the exit shortcut. Do you really want to exit i3? This will end your X session.' 
-B 'Yes, exit i3' 'i3-msg exit'" + + mode "resize" { + # These bindings trigger as soon as you enter the resize mode + + # Pressing left will shrink the window’s width. + # Pressing right will grow the window’s width. + # Pressing up will shrink the window’s height. + # Pressing down will grow the window’s height. + bindsym h resize shrink width 10 px or 10 ppt + bindsym j resize grow height 10 px or 10 ppt + bindsym k resize shrink height 10 px or 10 ppt + bindsym l resize grow width 10 px or 10 ppt + + # same bindings, but for the arrow keys + bindsym Left resize shrink width 10 px or 10 ppt + bindsym Down resize grow height 10 px or 10 ppt + bindsym Up resize shrink height 10 px or 10 ppt + bindsym Right resize grow width 10 px or 10 ppt + + # back to normal: Enter or Escape or $mod+r + bindsym Return mode "default" + bindsym Escape mode "default" + bindsym $mod+r mode "default" + } + + bindsym $mod+r mode "resize" + + bar { + position top + status_command i3status + } + + default_border pixel 1 + hide_edge_borders smart + smart_borders on + + bindsym $mod+shift+m border toggle '' diff --git a/nix/hosts/hacknix/overlay/default.nix b/nix/hosts/hacknix/overlay/default.nix index 96a3510..fad057e 100644 --- a/nix/hosts/hacknix/overlay/default.nix +++ b/nix/hosts/hacknix/overlay/default.nix @@ -10,7 +10,7 @@ ]; config = { allowUnfree = true; - allowBroken= true; + allowBroken = true; }; }; } diff --git a/nix/hosts/hacknix/pkgs/helix-2303/default.nix b/nix/hosts/hacknix/pkgs/helix-2303/default.nix index bdbc112..eb54a90 100644 --- a/nix/hosts/hacknix/pkgs/helix-2303/default.nix +++ b/nix/hosts/hacknix/pkgs/helix-2303/default.nix @@ -1,4 +1,10 @@ -{ fetchzip, lib, rustPlatform, installShellFiles, makeWrapper }: +{ + fetchzip, + lib, + rustPlatform, + installShellFiles, + makeWrapper, +}: rustPlatform.buildRustPackage rec { pname = "helix"; 
@@ -29,7 +35,10 @@ rustPlatform.buildRustPackage rec { }; }; - nativeBuildInputs = [ installShellFiles makeWrapper ]; + nativeBuildInputs = [ + installShellFiles + makeWrapper + ]; postInstall = '' # not needed at runtime @@ -50,6 +59,9 @@ rustPlatform.buildRustPackage rec { homepage = "https://helix-editor.com"; license = licenses.mpl20; mainProgram = "hx"; - maintainers = with maintainers; [ danth yusdacra ]; + maintainers = with maintainers; [ + danth + yusdacra + ]; }; } diff --git a/nix/hosts/hacknix/pkgs/radare2-5.8.4/default.nix b/nix/hosts/hacknix/pkgs/radare2-5.8.4/default.nix index cbd6a56..ebabd40 100644 --- a/nix/hosts/hacknix/pkgs/radare2-5.8.4/default.nix +++ b/nix/hosts/hacknix/pkgs/radare2-5.8.4/default.nix @@ -1,32 +1,33 @@ -{ lib -, stdenv -, fetchFromGitHub -, fetchpatch -, buildPackages -, pkg-config -, meson -, ninja -, libusb-compat-0_1 -, readline -, libewf -, perl -, zlib -, openssl -, libuv -, file -, libzip -, xxHash -, gtk2 -, vte -, gtkdialog -, python3 -, ruby -, lua -, lz4 -, capstone -, useX11 ? false -, rubyBindings ? false -, luaBindings ? false +{ + lib, + stdenv, + fetchFromGitHub, + fetchpatch, + buildPackages, + pkg-config, + meson, + ninja, + libusb-compat-0_1, + readline, + libewf, + perl, + zlib, + openssl, + libuv, + file, + libzip, + xxHash, + gtk2, + vte, + gtkdialog, + python3, + ruby, + lua, + lz4, + capstone, + useX11 ? false, + rubyBindings ? false, + luaBindings ? false, }: let @@ -71,12 +72,12 @@ stdenv.mkDerivation rec { ''; mesonFlags = [ - "-Duse_sys_capstone=true" - "-Duse_sys_magic=true" - "-Duse_sys_zip=true" - "-Duse_sys_xxhash=true" - "-Duse_sys_lz4=true" - "-Dr2_gittap=${version}" + "-Duse_sys_capstone=true" + "-Duse_sys_magic=true" + "-Duse_sys_zip=true" + "-Duse_sys_xxhash=true" + "-Duse_sys_lz4=true" + "-Dr2_gittap=${version}" ]; enableParallelBuilding = true; 
@@ -84,19 +85,30 @@ stdenv.mkDerivation rec { strictDeps = true; - nativeBuildInputs = [ pkg-config meson ninja python3 ]; - buildInputs = [ - capstone - file - readline - libusb-compat-0_1 - libewf - perl - zlib - openssl - libuv - lz4 - ] ++ lib.optionals useX11 [ gtkdialog vte gtk2 ] + nativeBuildInputs = [ + pkg-config + meson + ninja + python3 + ]; + buildInputs = + [ + capstone + file + readline + libusb-compat-0_1 + libewf + perl + zlib + openssl + libuv + lz4 + ] + ++ lib.optionals useX11 [ + gtkdialog + vte + gtk2 + ] ++ lib.optionals rubyBindings [ ruby ] ++ lib.optionals luaBindings [ lua ]; @@ -112,7 +124,13 @@ stdenv.mkDerivation rec { homepage = "https://radare.org"; changelog = "https://github.com/radareorg/radare2/releases/tag/${version}"; license = licenses.gpl2Plus; - maintainers = with maintainers; [ azahi raskin makefu mic92 arkivm ]; + maintainers = with maintainers; [ + azahi + raskin + makefu + mic92 + arkivm + ]; platforms = platforms.unix; }; } diff --git a/nix/hosts/lampadas/configuration.nix b/nix/hosts/lampadas/configuration.nix index 748164c..48df5d9 100644 --- a/nix/hosts/lampadas/configuration.nix +++ b/nix/hosts/lampadas/configuration.nix @@ -4,17 +4,18 @@ { pkgs, ... }: -let +let emile_keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZi43zHEsoWaQomLGaftPE5k0RqVrZyiTtGqZlpWsew emile@caladan" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEzLZ56SEgwZZ0OusTdSDDhpMlxSg1zPNdRLuxKOfrR5 emile@chusuk" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMoHWyC9r0LVk6UlkhBWAJph0F6KHYHh83EI5U9wtfq2 shortcuts@ginaz" ]; -in { - imports = - [ # Include the results of the hardware scan. - ./hardware-configuration.nix - ]; +in +{ + imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; boot = { loader = { @@ -30,7 +31,7 @@ in { ssh = { enable = true; port = 22; - hostKeys = ["/initrd_ssh_host_key_ed25519"]; + hostKeys = [ "/initrd_ssh_host_key_ed25519" ]; authorizedKeys = emile_keys; }; postCommands = '' 
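Review bot: `hostKeys = [ "/initrd_ssh_host_key_ed25519" ]` points at a private key at the root of the root filesystem, and NixOS copies the keys listed here into the initrd, which lives on the unencrypted `/boot` partition outside the LUKS volumes this host declares. The `fmask=0077`/`dmask=0077` mount options on `/boot` in this host's hardware-configuration.nix are what keep that initrd from being world-readable, so the dependency should be stated next to the key path rather than left implicit, e.g. `# private key, copied into the unencrypted initrd; keep it 0600 and keep /boot mounted with fmask=0077`. Since the initrd sshd and the main sshd both use `port = 22`, clients will see two different host keys for one address; a dedicated initrd port with its own known_hosts entry avoids the mismatch warnings that train users to ignore them.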
@@ -38,17 +39,20 @@ in { ''; }; luks.devices = { - # unsure why luksdata1 is recognized and added to the - # hardware-configuration.nix automatically, but luksdata2 isn't + # unsure why luksdata1 is recognized and added to the + # hardware-configuration.nix automatically, but luksdata2 isn't "luksdata2".device = "/dev/disk/by-uuid/e94d7f32-26ef-41e1-b3f3-9e63e4858001"; }; }; }; fileSystems = { - "/".options = ["compress=zstd"]; - "/home".options = ["compress=zstd"]; - "/nix".options = ["compress=zstd" "noatime"]; + "/".options = [ "compress=zstd" ]; + "/home".options = [ "compress=zstd" ]; + "/nix".options = [ + "compress=zstd" + "noatime" + ]; }; networking = { @@ -59,7 +63,11 @@ in { firewall.allowedTCPPorts = [ 5201 ]; firewall.allowedUDPPorts = [ 5201 ]; - nameservers = [ "8.8.8.8" "8.8.4.4" "1.1.1.1"]; + nameservers = [ + "8.8.8.8" + "8.8.4.4" + "1.1.1.1" + ]; }; time.timeZone = "Europe/Berlin"; @@ -78,7 +86,10 @@ in { }; emile = { isNormalUser = true; - extraGroups = [ "wheel" "samba-guest" ]; + extraGroups = [ + "wheel" + "samba-guest" + ]; openssh.authorizedKeys.keys = emile_keys; }; samba-guest = { @@ -91,7 +102,7 @@ in { }; }; }; - users.groups.samba-guest = {}; + users.groups.samba-guest = { }; systemd.tmpfiles.rules = [ "d /data 0755 root root" @@ -101,8 +112,12 @@ in { ]; environment.systemPackages = with pkgs; [ - vim tailscale - nmap ffuf git unzip + vim + tailscale + nmap + ffuf + git + unzip ]; programs.mosh.enable = true; @@ -194,7 +209,7 @@ in { "public" = "no"; "writeable" = "yes"; "valid users" = "emile"; - "force user" = "emile"; + "force user" = "emile"; "fruit:aapl" = "yes"; "fruit:time machine" = "yes"; "fruit:delete_empty_adfiles" = "yes"; @@ -220,7 +235,10 @@ in { }; nix = { - settings.experimental-features = [ "nix-command" "flakes" ]; + settings.experimental-features = [ + "nix-command" + "flakes" + ]; gc = { automatic = true; dates = "weekly"; @@ -231,4 +249,3 @@ in { }; }; } - 
diff --git a/nix/hosts/lampadas/hardware-configuration.nix b/nix/hosts/lampadas/hardware-configuration.nix index e07fadc..77af5be 100644 --- a/nix/hosts/lampadas/hardware-configuration.nix +++ b/nix/hosts/lampadas/hardware-configuration.nix 
@@ -1,50 +1,63 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ]; + boot.initrd.availableKernelModules = [ + "xhci_pci" + "ahci" + "usb_storage" + "usbhid" + "sd_mod" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/disk/by-uuid/ad228603-254e-4b2b-bc43-d8bb8bea02b5"; - fsType = "btrfs"; - options = [ "subvol=root" ]; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/ad228603-254e-4b2b-bc43-d8bb8bea02b5"; + fsType = "btrfs"; + options = [ "subvol=root" ]; + }; boot.initrd.luks.devices."luksroot1".device = "/dev/disk/by-uuid/aacddcd3-c861-4a43-8a59-473b2a42e52e"; - fileSystems."/home" = - { device = "/dev/disk/by-uuid/ad228603-254e-4b2b-bc43-d8bb8bea02b5"; - fsType = "btrfs"; - options = [ "subvol=home" ]; - }; + fileSystems."/home" = { + device = "/dev/disk/by-uuid/ad228603-254e-4b2b-bc43-d8bb8bea02b5"; + fsType = "btrfs"; + options = [ "subvol=home" ]; + }; - fileSystems."/nix" = - { device = "/dev/disk/by-uuid/ad228603-254e-4b2b-bc43-d8bb8bea02b5"; - fsType = "btrfs"; - options = [ "subvol=nix" ]; - }; + fileSystems."/nix" = { + device = "/dev/disk/by-uuid/ad228603-254e-4b2b-bc43-d8bb8bea02b5"; + fsType = "btrfs"; + options = [ "subvol=nix" ]; + }; - fileSystems."/data" = - { device = "/dev/mapper/luksdata1"; - fsType = "btrfs"; - }; + fileSystems."/data" = { + device = "/dev/mapper/luksdata1"; + fsType = "btrfs"; + }; boot.initrd.luks.devices."luksdata1".device = 
"/dev/disk/by-uuid/0737dc4a-a320-4468-a0e1-0db9a1d16b4c"; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/DE69-5562"; - fsType = "vfat"; - options = [ "fmask=0077" "dmask=0077" ]; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/DE69-5562"; + fsType = "vfat"; + options = [ + "fmask=0077" + "dmask=0077" + ]; + }; swapDevices = [ ]; diff --git a/nix/hosts/lernaeus/configuration.nix b/nix/hosts/lernaeus/configuration.nix index cfbc35f..26444e7 100644 --- a/nix/hosts/lernaeus/configuration.nix +++ b/nix/hosts/lernaeus/configuration.nix @@ -2,18 +2,24 @@ # your system. Help is available in the configuration.nix(5) man page, on # https://search.nixos.org/options and in the NixOS manual (`nixos-help`). -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: let emile_keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZi43zHEsoWaQomLGaftPE5k0RqVrZyiTtGqZlpWsew emile@caladan" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEzLZ56SEgwZZ0OusTdSDDhpMlxSg1zPNdRLuxKOfrR5 emile@chusuk" ]; -in { - imports = - [ # Include the results of the hardware scan. - ./hardware-configuration.nix - ]; +in +{ + imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; boot = { loader.systemd-boot.enable = true; @@ -38,7 +44,10 @@ in { fileSystems = { "/".options = [ "compress=zstd" ]; "/home".options = [ "compress=zstd" ]; - "/nix".options = [ "compress=zstd" "noatime" ]; + "/nix".options = [ + "compress=zstd" + "noatime" + ]; }; networking = { @@ -59,12 +68,15 @@ in { }; emile = { isNormalUser = true; - extraGroups = ["wheel"]; + extraGroups = [ "wheel" ]; openssh.authorizedKeys.keys = emile_keys; }; }; - environment.systemPackages = with pkgs; [ vim tailscale ]; + environment.systemPackages = with pkgs; [ + vim + tailscale + ]; programs.mosh.enable = true; 
@@ -74,8 +86,8 @@ in { tailscale.enable = true; btrfs = { - autoScrub.enable = true; - autoScrub.interval = "weekly"; + autoScrub.enable = true; + autoScrub.interval = "weekly"; }; prometheus.exporters = { @@ -101,4 +113,3 @@ in { autoUpgrade.enable = true; }; } - diff --git a/nix/hosts/lernaeus/hardware-configuration.nix b/nix/hosts/lernaeus/hardware-configuration.nix index 389185a..2d5d8b1 100644 --- a/nix/hosts/lernaeus/hardware-configuration.nix +++ b/nix/hosts/lernaeus/hardware-configuration.nix 
@@ -1,37 +1,48 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + config, + lib, + pkgs, + modulesPath, + ... +}: - boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ]; +{ + imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; + + boot.initrd.availableKernelModules = [ + "xhci_pci" + "ahci" + "nvme" + "usbhid" + "usb_storage" + "sd_mod" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-amd" ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/disk/by-uuid/5156d8cd-a3d3-4897-b330-156cc10f1aa1"; - fsType = "btrfs"; - options = [ "subvol=root" ]; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/5156d8cd-a3d3-4897-b330-156cc10f1aa1"; + fsType = "btrfs"; + options = [ "subvol=root" ]; + }; boot.initrd.luks.devices."luksroot1".device = "/dev/disk/by-uuid/6c4e193a-3e6b-45e1-bb1a-aa18fbcab725"; - fileSystems."/home" = - { device = "/dev/disk/by-uuid/5156d8cd-a3d3-4897-b330-156cc10f1aa1"; - fsType = "btrfs"; - options = [ "subvol=home" ]; - }; - - fileSystems."/nix" = - { device = "/dev/disk/by-uuid/5156d8cd-a3d3-4897-b330-156cc10f1aa1"; - fsType = "btrfs"; - options = [ "subvol=nix" ]; - }; + fileSystems."/home" = { + device = "/dev/disk/by-uuid/5156d8cd-a3d3-4897-b330-156cc10f1aa1"; + fsType = "btrfs"; + options = [ "subvol=home" ]; + }; + + fileSystems."/nix" = { + device = "/dev/disk/by-uuid/5156d8cd-a3d3-4897-b330-156cc10f1aa1"; + fsType = "btrfs"; + options = [ "subvol=nix" ]; + }; swapDevices = [ ]; diff --git a/nix/hosts/mail/configuration.nix b/nix/hosts/mail/configuration.nix index 564025c..d2a9c8b 100644 --- a/nix/hosts/mail/configuration.nix +++ b/nix/hosts/mail/configuration.nix 
@@ -5,11 +5,11 @@ { config, pkgs, ... }: { - imports = - [ # Include the results of the hardware scan. - ./hardware-configuration.nix - ./mail.nix - ]; + imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ./mail.nix + ]; # Use the GRUB 2 boot loader. boot.loader.grub.enable = true; @@ -46,9 +46,6 @@ # Enable the X11 windowing system. # services.xserver.enable = true; - - - # Configure keymap in X11 # services.xserver.layout = "us"; # services.xserver.xkbOptions = "eurosign:e"; @@ -104,9 +101,6 @@ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). system.stateVersion = "21.11"; # Did you read the comment? - - - boot.loader.grub.devices = [ "/dev/sda" ]; # Initial empty root password for easy login: @@ -123,4 +117,3 @@ security.acme.acceptTerms = true; security.acme.certs."mail.emile.space".email = "security@emile.space"; } - diff --git a/nix/hosts/mail/hardware-configuration.nix b/nix/hosts/mail/hardware-configuration.nix index 2653297..1ede4cd 100644 --- a/nix/hosts/mail/hardware-configuration.nix +++ b/nix/hosts/mail/hardware-configuration.nix 
@@ -1,22 +1,33 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { - imports = - [ (modulesPath + "/profiles/qemu-guest.nix") - ]; + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ]; + boot.initrd.availableKernelModules = [ + "ata_piix" + "virtio_pci" + "virtio_scsi" + "xhci_pci" + "sd_mod" + "sr_mod" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/disk/by-uuid/eccc47d3-7cee-4af5-822a-4ae0b302cb10"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/eccc47d3-7cee-4af5-822a-4ae0b302cb10"; + fsType = "ext4"; + }; swapDevices = [ ]; diff --git a/nix/hosts/mail/mail.nix b/nix/hosts/mail/mail.nix index 4224e04..9c15e66 100644 --- a/nix/hosts/mail/mail.nix +++ b/nix/hosts/mail/mail.nix @@ -1,7 +1,8 @@ { ... }: let release = "nixos-23.05"; -in { +in +{ imports = [ (builtins.fetchTarball { # Pick a commit from the branch you are interested in @@ -19,10 +20,10 @@ in { # A list of all login accounts. To create the password hashes, use # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2 loginAccounts = { - "mail@emile.space" = { - hashedPasswordFile = "/etc/nixos/keys/mail"; - aliases = ["@emile.space"]; - }; + "mail@emile.space" = { + hashedPasswordFile = "/etc/nixos/keys/mail"; + aliases = [ "@emile.space" ]; + }; }; localDnsResolver = false; diff --git a/nix/hosts/pi1/default.nix b/nix/hosts/pi1/default.nix index c79cfc7..3469ff8 100644 --- a/nix/hosts/pi1/default.nix +++ b/nix/hosts/pi1/default.nix 
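Review bot: The mail-server module is pulled in through `builtins.fetchTarball` with the `url`/`sha256` lines outside this hunk, so the review cannot confirm the tarball is hash-pinned; without `sha256` the `nixos-23.05` branch is fetched unpinned at every evaluation, which is a supply-chain exposure for the host that terminates mail for the domain. Please confirm the hash is set, and record the pinned commit in the comment already there (`# Pick a commit from the branch you are interested in`) so a reader can tell what is being trusted. The `release = "nixos-23.05"` binding would also benefit from a note on when it was last bumped.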
@@ -12,9 +12,7 @@ { lib, ... }: { - imports = [ - <nixpkgs/nixos/modules/installer/sd-card/sd-image-raspberrypi.nix> - ]; + imports = [ <nixpkgs/nixos/modules/installer/sd-card/sd-image-raspberrypi.nix> ]; users.users = { emile = { @@ -26,15 +24,15 @@ nixpkgs = { crossSystem = lib.systems.examples.raspberryPi; - localSystem = { system = "x86_64-linux"; }; + localSystem = { + system = "x86_64-linux"; + }; overlays = [ (final: super: { # Due to https://github.com/NixOS/nixpkgs/issues/154163#issuecomment-1350599022 - makeModulesClosure = x: - super.makeModulesClosure (x // { allowMissing = true; }); + makeModulesClosure = x: super.makeModulesClosure (x // { allowMissing = true; }); }) ]; }; system.stateVersion = "24.05"; } - diff --git a/nix/hosts/pi2/default.nix b/nix/hosts/pi2/default.nix index 939027f..6c8b2eb 100644 --- a/nix/hosts/pi2/default.nix +++ b/nix/hosts/pi2/default.nix @@ -33,15 +33,15 @@ # crossSystem = lib.systems.examples.raspberryPi; crossSystem = lib.systems.examples.armv7l-hf-multiplatform; # localSystem = { system = "x86_64-linux"; }; - localSystem = { system = "aarch64-darwin"; }; + localSystem = { + system = "aarch64-darwin"; + }; overlays = [ (final: super: { # Due to https://github.com/NixOS/nixpkgs/issues/154163#issuecomment-1350599022 - makeModulesClosure = x: - super.makeModulesClosure (x // { allowMissing = true; }); + makeModulesClosure = x: super.makeModulesClosure (x // { allowMissing = true; }); }) ]; }; system.stateVersion = "24.05"; } - diff --git a/nix/lib/default.nix b/nix/lib/default.nix index 99a47fc..1fc134e 100644 --- a/nix/lib/default.nix +++ b/nix/lib/default.nix 
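Review bot: `imports = [ <nixpkgs/nixos/modules/installer/sd-card/sd-image-raspberrypi.nix> ]` resolves through `NIX_PATH` at evaluation time, so which nixpkgs supplies the SD-image module depends on the caller's environment rather than on the flake's pinned inputs, and the resulting image is not reproducible from the lockfile. The hardware-configuration files in this same change spell the equivalent as `(modulesPath + "/installer/scan/not-detected.nix")`; the same form works here: `imports = [ (modulesPath + "/installer/sd-card/sd-image-raspberrypi.nix") ];` with `modulesPath` added to the module's argument set, `{ lib, modulesPath, ... }:`. The pi2 host below has the same `localSystem`/`crossSystem` shape and presumably the same import, so the change should be applied to both.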
@@ -4,19 +4,18 @@ inputs: let - callLibs = file: import file ({ - inherit lib inputs; - } // inputs); + callLibs = file: import file ({ inherit lib inputs; } // inputs); - lib = { - flake-helper = callLibs ./flake-helper.nix; - inherit ("flake-helper") - generateSystem - mapToNixosConfigurations - mapToDarwinConfigurations - generateDeployRsHost - mapToDeployRsConfiguration - buildHosts; - }; + lib = { + flake-helper = callLibs ./flake-helper.nix; + inherit ("flake-helper") + generateSystem + mapToNixosConfigurations + mapToDarwinConfigurations + generateDeployRsHost + mapToDeployRsConfiguration + buildHosts + ; + }; in - lib +lib diff --git a/nix/lib/flake-helper.nix b/nix/lib/flake-helper.nix index b720232..ed5e9ba 100644 --- a/nix/lib/flake-helper.nix +++ b/nix/lib/flake-helper.nix 
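Review bot: `inherit ("flake-helper") generateSystem … buildHosts;` in the new `lib` set selects those six attributes from the string literal "flake-helper", not from the `flake-helper` attribute bound one line above, and since the set is not `rec` the bare name would not be in scope either. Any consumer that forces `lib.generateSystem` (or the other five) should fail with a string-where-set-expected evaluation error, unless callers only ever go through `lib.flake-helper.*`. Binding the helper in the `let` and inheriting from it keeps the interface: `flake-helper = callLibs ./flake-helper.nix;` in the `let`, then `inherit (flake-helper) generateSystem mapToNixosConfigurations mapToDarwinConfigurations generateDeployRsHost mapToDeployRsConfiguration buildHosts;` inside `lib`. This is pre-existing and untouched by the reformat, which is why it is easy to miss here.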
@@ -1,173 +1,215 @@ -{ self, agenix, nixpkgs, nixpkgs-unstable, deploy-rs, home-manager, darwin, ... }@inputs: +{ + self, + agenix, + nixpkgs, + nixpkgs-unstable, + deploy-rs, + home-manager, + darwin, + ... +}@inputs: rec { - generateSystem = name: { - hostname ? name, - username ? "emile", - system ? "x86_64-linux", - deployUser ? "root", - homeManagerEnable ? false, - group ? null, - modules ? [], - ... - }: - let - - # inputs.nixpkgs-${name}, if that doesn't exist, just use nixpkgs - localNixpkgs = - nixpkgs.lib.attrByPath - [ "nixpkgs-${name}" ] # path - nixpkgs # default - inputs; # base - - # determine if our system type that is used further down - systemType = - if system == "x86_64-linux" then localNixpkgs.lib.nixosSystem - else - if system == "aarch64-darwin" then darwin.lib.darwinSystem - else null; - - in systemType { # this may fail if we aren't using x86_64-linux or aarch64-darwin - inherit system; - - # ; nix repl - # nix-repl> :lf . - # nix-repl> nixosConfigurations.corrino._module.args.modules - - modules = modules ++ [ - - (if system == "x86_64-linux" then self.nixosModules.x86_64-linux - else - if system == "aarch64-darwin" then ({}) - else null) - - # a module so that we can access the flake output from inside the - # flake (yes, I need this for fetching the system type while building the hosts for deploy-rs) - { config._module.args = { flake = self; }; } - - # overlays - ({ ... 
}: { - nixpkgs.overlays = [ - self.overlays.emile - - (_: _: { inherit (agenix.packages."x86_64-linux") agenix; }) - (_: _: { - unstable = import nixpkgs-unstable { - system = "x86_64-linux"; - config.allowUnfree = true; - }; - }) - ]; - }) - - # general modules - agenix.nixosModules.default - - # # the host config itself - (../hosts + - (if (system == "x86_64-linux") - then "/${name}/configuration.nix" - else - if (system == "aarch64-darwin") - then "/${name}/darwin-configuration.nix" - else "")) - - # secrets (have to be added to git (crypted) #lessonslearned) - ({ lib ? (import <nixpkgs/lib>), ... }: let - secretsPath = (../hosts + "/${name}/secrets"); - in { - age.secrets = lib.mapAttrs' - (filename: _: - lib.nameValuePair (lib.removeSuffix ".age" filename) - { file = secretsPath + "/$(unknown)"; } - ) - (lib.filterAttrs - (name: type: - (type == "regular") && - (lib.hasSuffix ".age" name) ) - (if builtins.pathExists secretsPath - then builtins.readDir secretsPath - else {} ) - ); - }) - ] - - ++ (if (system == "aarch64-darwin") - then [ (home-manager.darwinModules.home-manager) ] - else []) - - ++ (if (homeManagerEnable == true) - then [{ - home-manager = { - useGlobalPkgs = true; - users."${username}" = - import (../hosts + "/${hostname}/home_${username}.nix"); - }; - }] - else []); - }; - - mapToNixosConfigurations = { system ? "x86_64-linux", ... }@hosts: - builtins.mapAttrs - (name: host: generateSystem name host) - (nixpkgs.lib.filterAttrs - (n: v: v.system or "" == "x86_64-linux") hosts); - - mapToDarwinConfigurations = hosts: - builtins.mapAttrs - (name: host: generateSystem name host) - (nixpkgs.lib.filterAttrs - (n: v: v.system or "" == "aarch64-darwin") hosts); - - generateDeployRsHost = name: { - hostname ? name, - ip ? "${name}.pinto-pike.ts.net", - sshUser ? "root", - system ? "x86_64-linux", - ... 
- }: { - reboteBuild = true; - hostname = "${ip}"; - fastConnection = true; - profiles.system = { - user = "root"; # user to install as - sshUser = sshUser; # user to ssh to as - - # make sure people can use sudo - # sshOpts = ["-A", "-t", "-S"]; - - # make sure to add the nix foo on the darwin hosts to ~/.zshenv - # as the ~/.zshrc doesn't get sourced when ssh-ing into the system - - path = (if system == "x86_64-linux" - then deploy-rs.lib.x86_64-linux.activate.nixos - self.nixosConfigurations."${name}" - else - if system == "aarch64-darwin" - then deploy-rs.lib.aarch64-darwin.activate.darwin - self.darwinConfigurations."${name}" - else ""); - - # Timeout for profile activation. - # This defaults to 240 seconds. - activationTimeout = 600; - - # Timeout for profile activation confirmation. - # This defaults to 30 seconds. - confirmTimeout = 120; - - }; - }; - - mapToDeployRsConfiguration = hosts: - builtins.mapAttrs (name: host: generateDeployRsHost name host) hosts; - - buildHosts = hosts: - builtins.mapAttrs (name: host: host.config.system.build.toplevel) - - # don't build hosts that start with an underscore - (nixpkgs.lib.filterAttrs - (name: host: (builtins.substring 0 1 name) != "_") - hosts - ); + generateSystem = + name: + { + hostname ? name, + username ? "emile", + system ? "x86_64-linux", + deployUser ? "root", + homeManagerEnable ? false, + group ? null, + modules ? [ ], + ... + }: + let + + # inputs.nixpkgs-${name}, if that doesn't exist, just use nixpkgs + localNixpkgs = + nixpkgs.lib.attrByPath [ "nixpkgs-${name}" ] # path + nixpkgs # default + inputs; # base + + # determine if our system type that is used further down + systemType = + if system == "x86_64-linux" then + localNixpkgs.lib.nixosSystem + else if system == "aarch64-darwin" then + darwin.lib.darwinSystem + else + null; + + in + systemType { + # this may fail if we aren't using x86_64-linux or aarch64-darwin + inherit system; + + # ; nix repl + # nix-repl> :lf . 
+ # nix-repl> nixosConfigurations.corrino._module.args.modules + + modules = + modules + ++ [ + + ( + if system == "x86_64-linux" then + self.nixosModules.x86_64-linux + else if system == "aarch64-darwin" then + ({ }) + else + null + ) + + # a module so that we can access the flake output from inside the + # flake (yes, I need this for fetching the system type while building the hosts for deploy-rs) + { + config._module.args = { + flake = self; + }; + } + + # overlays + ( + { ... }: + { + nixpkgs.overlays = [ + self.overlays.emile + + (_: _: { inherit (agenix.packages."x86_64-linux") agenix; }) + (_: _: { + unstable = import nixpkgs-unstable { + system = "x86_64-linux"; + config.allowUnfree = true; + }; + }) + ]; + } + ) + + # general modules + agenix.nixosModules.default + + # # the host config itself + ( + ../hosts + + ( + if (system == "x86_64-linux") then + "/${name}/configuration.nix" + else if (system == "aarch64-darwin") then + "/${name}/darwin-configuration.nix" + else + "" + ) + ) + + # secrets (have to be added to git (crypted) #lessonslearned) + ( + { + lib ? (import <nixpkgs/lib>), + ... + }: + let + secretsPath = (../hosts + "/${name}/secrets"); + in + { + age.secrets = + lib.mapAttrs' + ( + filename: _: + lib.nameValuePair (lib.removeSuffix ".age" filename) { file = secretsPath + "/$(unknown)"; } + ) + ( + lib.filterAttrs (name: type: (type == "regular") && (lib.hasSuffix ".age" name)) ( + if builtins.pathExists secretsPath then builtins.readDir secretsPath else { } + ) + ); + } + ) + ] + + ++ (if (system == "aarch64-darwin") then [ (home-manager.darwinModules.home-manager) ] else [ ]) + + ++ ( + if (homeManagerEnable == true) then + [ + { + home-manager = { + useGlobalPkgs = true; + users."${username}" = import (../hosts + "/${hostname}/home_${username}.nix"); + }; + } + ] + else + [ ] + ); + }; + + mapToNixosConfigurations = + { + system ? "x86_64-linux", + ... 
+ }@hosts: + builtins.mapAttrs (name: host: generateSystem name host) ( + nixpkgs.lib.filterAttrs (n: v: v.system or "" == "x86_64-linux") hosts + ); + + mapToDarwinConfigurations = + hosts: + builtins.mapAttrs (name: host: generateSystem name host) ( + nixpkgs.lib.filterAttrs (n: v: v.system or "" == "aarch64-darwin") hosts + ); + + generateDeployRsHost = + name: + { + hostname ? name, + ip ? "${name}.pinto-pike.ts.net", + sshUser ? "root", + system ? "x86_64-linux", + ... + }: + { + reboteBuild = true; + hostname = "${ip}"; + fastConnection = true; + profiles.system = { + user = "root"; # user to install as + sshUser = sshUser; # user to ssh to as + + # make sure people can use sudo + # sshOpts = ["-A", "-t", "-S"]; + + # make sure to add the nix foo on the darwin hosts to ~/.zshenv + # as the ~/.zshrc doesn't get sourced when ssh-ing into the system + + path = ( + if system == "x86_64-linux" then + deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations."${name}" + else if system == "aarch64-darwin" then + deploy-rs.lib.aarch64-darwin.activate.darwin self.darwinConfigurations."${name}" + else + "" + ); + + # Timeout for profile activation. + # This defaults to 240 seconds. + activationTimeout = 600; + + # Timeout for profile activation confirmation. + # This defaults to 30 seconds. + confirmTimeout = 120; + + }; + }; + + mapToDeployRsConfiguration = + hosts: builtins.mapAttrs (name: host: generateDeployRsHost name host) hosts; + + buildHosts = + hosts: + builtins.mapAttrs (name: host: host.config.system.build.toplevel) + + # don't build hosts that start with an underscore + (nixpkgs.lib.filterAttrs (name: host: (builtins.substring 0 1 name) != "_") hosts); } diff --git a/nix/modules/ports/default.nix b/nix/modules/ports/default.nix index 6f79635..fe98536 100644 --- a/nix/modules/ports/default.nix +++ b/nix/modules/ports/default.nix 
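Review bot: `reboteBuild = true;` in generateDeployRsHost is a typo for deploy-rs' `remoteBuild`; as written it is a stray attribute deploy-rs does not read, so builds presumably still happen on the deploying machine rather than on the target. In the secrets module, `{ file = secretsPath + "/$(unknown)"; }` uses `$(…)`, which Nix does not interpolate; if the file really reads this way (it may be an extraction artifact) every `age.secrets.<name>.file` resolves to the same nonexistent path and `${filename}` was presumably meant. Separately, the `hostname ? name` parameter of generateDeployRsHost is accepted but never used, since the returned `hostname = "${ip}"`.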
@@ -1,7 +1,6 @@ -{ lib, ... }: +{ lib, ... }: -with lib; { - options.emile.ports = mkOption { - type = types.anything; - }; +with lib; +{ + options.emile.ports = mkOption { type = types.anything; }; } diff --git a/nix/modules/r2wars-web/default.nix b/nix/modules/r2wars-web/default.nix index 509824e..58be2ad 100644 --- a/nix/modules/r2wars-web/default.nix +++ b/nix/modules/r2wars-web/default.nix @@ -1,8 +1,15 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: let cfg = config.services.emile.r2wars-web; -in with lib; { +in +with lib; +{ options.services.emile.r2wars-web = { enable = mkEnableOption "Enable r2wars-web"; diff --git a/nix/modules/vm/default.nix b/nix/modules/vm/default.nix index 0f65765..6352c80 100644 --- a/nix/modules/vm/default.nix +++ b/nix/modules/vm/default.nix @@ -1,8 +1,15 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: let cfg = config.services.emile.r2wars-web; -in with lib; { +in +with lib; +{ options.services.emile.r2wars-web = { enable = mkEnableOption "Enable r2wars-web"; @@ -16,18 +23,19 @@ in with lib; { }; config = mkIf cfg.enable { - systemd.services = lib.mapAttrs' (name: guest: lib.nameValuePair "libvirtd-guest-${name}" { - after = [ "libvirtd.service" ]; - requires = [ "libvirtd.service" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = "yes"; - }; - script = - let - xml = pkgs.writeText "libvirt-guest-${name}.xml" - '' + systemd.services = lib.mapAttrs' ( + name: guest: + lib.nameValuePair "libvirtd-guest-${name}" { + after = [ "libvirtd.service" ]; + requires = [ "libvirtd.service" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = "yes"; + }; + script = + let + xml = pkgs.writeText "libvirt-guest-${name}.xml" '' <domain type="kvm"> <name>${name}</name> <uuid>UUID</uuid> 
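Review bot: nix/modules/vm/default.nix declares `cfg = config.services.emile.r2wars-web` and `options.services.emile.r2wars-web = { enable = mkEnableOption "Enable r2wars-web"; …`, the same option path the r2wars-web module in this patch declares; importing both modules would make NixOS reject the duplicate `enable` declaration, and the vm module's `config = mkIf cfg.enable …` would be toggled by the r2wars-web switch. This looks like a leftover from copying the module; the option set should carry its own path (for example `services.emile.vm`) with a matching `cfg`, and the `guests` value consumed at the end of the `@@ -16,18 +23,19 @@` hunk presumably belongs to it. The option declarations continue past this hunk, so I cannot see whether a `guests` option is declared there.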
@@ -53,14 +61,13 @@ in with lib; { </features> </domain> ''; - in + in '' uuid="$(${pkgs.libvirt}/bin/virsh domuuid '${name}' || true)" ${pkgs.libvirt}/bin/virsh define <(sed "s/UUID/$uuid/" '${xml}') ${pkgs.libvirt}/bin/virsh start '${name}' ''; - preStop = - '' + preStop = '' ${pkgs.libvirt}/bin/virsh shutdown '${name}' let "timeout = $(date +%s) + 10" while [ "$(${pkgs.libvirt}/bin/virsh list --name | grep --count '^${name}$')" -gt 0 ]; do @@ -73,6 +80,7 @@ in with lib; { fi done ''; - }) guests; + } + ) guests; }; } diff --git a/nix/pkgs/overlay.nix b/nix/pkgs/overlay.nix index d9e3999..c5ecaa7 100644 --- a/nix/pkgs/overlay.nix +++ b/nix/pkgs/overlay.nix @@ -1,5 +1,4 @@ final: prev: { - vokobe = final.callPackage ./vokobe { inherit (final) naersk; }; - r2wars-web = final.callPackage ./r2wars-web { }; + vokobe = final.callPackage ./vokobe { inherit (final) naersk; }; + r2wars-web = final.callPackage ./r2wars-web { }; } - diff --git a/nix/pkgs/r2wars-web/default.nix b/nix/pkgs/r2wars-web/default.nix index 028df10..3e7fffd 100644 --- a/nix/pkgs/r2wars-web/default.nix +++ b/nix/pkgs/r2wars-web/default.nix @@ -1,4 +1,8 @@ -{ pkgs, lib, fetchgit }: +{ + pkgs, + lib, + fetchgit, +}: pkgs.buildGoModule rec { name = "r2wars-web-${version}"; @@ -10,7 +14,7 @@ pkgs.buildGoModule rec { }; vendorHash = null; - CGO_ENABLED=0; + CGO_ENABLED = 0; subPackages = [ "src" ]; postInstall = '' @@ -19,7 +23,7 @@ pkgs.buildGoModule rec { mv $out/bin/src $out/bin/r2wars-web ''; - + doCheck = false; meta = { diff --git a/nix/pkgs/vokobe/flaaaaake.nix b/nix/pkgs/vokobe/flaaaaake.nix index 7cf2f03..902cabd 100644 --- a/nix/pkgs/vokobe/flaaaaake.nix +++ b/nix/pkgs/vokobe/flaaaaake.nix 
@@ -5,35 +5,41 @@ nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; }; - outputs = { self, flake-utils, naersk, nixpkgs }: + outputs = + { + self, + flake-utils, + naersk, + nixpkgs, + }: let - pkgs = (import nixpkgs) { - system = "x86_64-linux"; - }; + pkgs = (import nixpkgs) { system = "x86_64-linux"; }; + + naersk' = pkgs.callPackage naersk { }; - naersk' = pkgs.callPackage naersk {}; - - in rec { + in + rec { packages."x86_64-linux".vokobe = naersk'.buildPackage { src = ./.; meta = with pkgs.lib; { description = "A minimal static site generator tailored to my needs."; - homepage = "https://git.emile.space/hanemile/vokobe"; - license = licenses.mit; - platforms = platforms.all; - maintainers = with maintainers; [ - hanemile - ]; + homepage = "https://git.emile.space/hanemile/vokobe"; + license = licenses.mit; + platforms = platforms.all; + maintainers = with maintainers; [ hanemile ]; }; }; - + # For `nix build` & `nix run`: defaultPackage = packages."x86_64-linux".vokobe; # For `nix develop` (optional, can be skipped): devShell = pkgs.mkShell { - nativeBuildInputs = with pkgs; [ rustc cargo ]; + nativeBuildInputs = with pkgs; [ + rustc + cargo + ]; }; # hydraJobs."<attr>"."<system>" = derivation; @@ -41,4 +47,4 @@ build."x86_64-linux" = packages."x86_64-linux".vokobe; }; }; -} \ No newline at end of file +} diff --git a/nix/templates/ctf/flake.nix b/nix/templates/ctf/flake.nix index de6e2c1..67f33ca 100644 --- a/nix/templates/ctf/flake.nix +++ b/nix/templates/ctf/flake.nix @@ -7,7 +7,8 @@ }; # Flake outputs - outputs = { self, nixpkgs }: + outputs = + { self, nixpkgs }: let # Systems supported allSystems = [ 
@@ -20,28 +21,32 @@ # Helper to provide system-specific attributes nameValuePair = name: value: { inherit name value; }; genAttrs = names: f: builtins.listToAttrs (map (n: nameValuePair n (f n)) names); - forAllSystems = f: genAttrs allSystems (system: f { - pkgs = import nixpkgs { inherit system; }; - }); + forAllSystems = f: genAttrs allSystems (system: f { pkgs = import nixpkgs { inherit system; }; }); in { # Development environment output - devShells = forAllSystems ({ pkgs }: { - default = - let - python = pkgs.python311; # Use Python 3.11 - in - pkgs.mkShell { - packages = with pkgs; [ - qemu - ] ++ [ - # Python plus helper tools - (python.withPackages (ps: with ps; [ - pwntools - pycryptodome - ])) - ]; - }; - }); + devShells = forAllSystems ( + { pkgs }: + { + default = + let + python = pkgs.python311; # Use Python 3.11 + in + pkgs.mkShell { + packages = + with pkgs; + [ qemu ] + ++ [ + # Python plus helper tools + (python.withPackages ( + ps: with ps; [ + pwntools + pycryptodome + ] + )) + ]; + }; + } + ); }; } diff --git a/nix/templates/python3/flake.nix b/nix/templates/python3/flake.nix index f5c2378..b080013 100644 --- a/nix/templates/python3/flake.nix +++ b/nix/templates/python3/flake.nix 
@@ -1,31 +1,32 @@ { - description = "a simple flake for using python with some dependencies"; - nixConfig.bash-promt = "py; "; + description = "a simple flake for using python with some dependencies"; + nixConfig.bash-promt = "py; "; - inputs = { + inputs = { nixpkgs.url = "git+https://github.com/nixos/nixpkgs?ref=release-23.11"; - }; - - outputs = { nixpkgs, ... }: - - let - pkgs = import nixpkgs { - system = "aarch64-darwin"; - }; - in { - devShells."aarch64-darwin".default = - let - python = pkgs.python311; - in - pkgs.mkShell { - packages = [ - (python.withPackages (ps: with ps; [ - pwntools - beautifulsoup4 - requests - ])) - ]; - }; - }; -} + }; + + outputs = + { nixpkgs, ... }: + let + pkgs = import nixpkgs { system = "aarch64-darwin"; }; + in + { + devShells."aarch64-darwin".default = + let + python = pkgs.python311; + in + pkgs.mkShell { + packages = [ + (python.withPackages ( + ps: with ps; [ + pwntools + beautifulsoup4 + requests + ] + )) + ]; + }; + }; +} diff --git a/nix/users/emile/keys.nix b/nix/users/emile/keys.nix index f52cd19..94a704d 100644 --- a/nix/users/emile/keys.nix +++ b/nix/users/emile/keys.nix @@ -1,9 +1,9 @@ { ... }: { - all = [ + all = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZi43zHEsoWaQomLGaftPE5k0RqVrZyiTtGqZlpWsew emile@caladan" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEzLZ56SEgwZZ0OusTdSDDhpMlxSg1zPNdRLuxKOfrR5 emile@chusuk" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMoHWyC9r0LVk6UlkhBWAJph0F6KHYHh83EI5U9wtfq2 shortcuts@ginaz" - ]; + ]; } |
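Review bot: `nixConfig.bash-promt = "py; ";` is misspelled; the Nix setting is `bash-prompt`, so this flake-level nixConfig entry is ignored (recent Nix should warn about an unknown setting) and `nix develop` keeps the default prompt. The fix is the one line `nixConfig.bash-prompt = "py; ";`. The reformat carried the typo over unchanged.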