From 55ee036fd7ebed24097c8da1ca8a0b0829264670 Mon Sep 17 00:00:00 2001 
From: Emile Date: Sat, 9 Mar 2024 22:56:01 +0100 Subject: big bang --- nix/hosts/caladan/README.md | 3 + nix/hosts/caladan/aliases.nix | 53 + nix/hosts/caladan/darwin-configuration.nix | 82 + nix/hosts/caladan/functions.zsh | 30 + nix/hosts/caladan/home_emile.nix | 180 ++ nix/hosts/caladan/home_hydra.nix | 18 + nix/hosts/caladan/overlay.nix | 18 + nix/hosts/caladan/session_variables.zsh | 35 + nix/hosts/caladan/ssh.pub | 1 + nix/hosts/chusuk/README.md | 3 + nix/hosts/chusuk/configuration.nix | 141 ++ nix/hosts/chusuk/hardware-configuration.nix | 31 + nix/hosts/corrino/README.md | 4 + nix/hosts/corrino/configuration.nix | 415 ++++ nix/hosts/corrino/default.nix | 3 + nix/hosts/corrino/emile.space.nix | 60 + nix/hosts/corrino/gemini/emile.space.nix | 16 + nix/hosts/corrino/hardware-configuration.nix | 39 + nix/hosts/corrino/secrets/factorio_password.age | Bin 0 -> 588 bytes .../corrino/secrets/grafana_admin_password.age | 9 + .../corrino/secrets/grafana_database_password.age | 11 + nix/hosts/corrino/secrets/grafana_secret_key.age | 9 + .../corrino/secrets/grafana_smtp_password.age | 10 + nix/hosts/corrino/secrets/magic-hash-flag.age | 10 + nix/hosts/corrino/secrets/mail_password.age | 7 + nix/hosts/corrino/secrets/netbox_secret.age | 11 + nix/hosts/corrino/secrets/photoprism_password.age | 9 + nix/hosts/corrino/secrets/pretix.age | Bin 0 -> 1487 bytes nix/hosts/corrino/secrets/pretix_postgres_pw.age | 9 + .../corrino/secrets/storage_box_bx11_password.age | 7 + nix/hosts/corrino/secrets/tailscale_authkey.age | Bin 0 -> 524 bytes nix/hosts/corrino/secrets/wireguard_privatekey.age | Bin 0 -> 440 bytes nix/hosts/corrino/ssh.pub | 1 + nix/hosts/corrino/www/cs.emile.space.nix | 56 + nix/hosts/corrino/www/ctf.emile.space.nix | 26 + nix/hosts/corrino/www/emile.space.nix | 60 + nix/hosts/corrino/www/events.emile.space.nix | 59 + nix/hosts/corrino/www/git.emile.space.nix | 73 + nix/hosts/corrino/www/grafana.emile.space.nix | 217 ++ 
nix/hosts/corrino/www/grafana_full.emile.space.nix | 440 ++++ nix/hosts/corrino/www/hydra.emile.space.nix | 57 + nix/hosts/corrino/www/jupyter.emile.space.nix | 60 + nix/hosts/corrino/www/magic-hash.emile.space.nix | 33 + nix/hosts/corrino/www/netbox.emile.space.nix | 63 + nix/hosts/corrino/www/pgweb.emile.space.nix | 21 + nix/hosts/corrino/www/photo.emile.space.nix | 33 + nix/hosts/corrino/www/stream.emile.space.nix | 24 + nix/hosts/corrino/www/talks.emile.space.nix | 97 + nix/hosts/corrino/www/tickets.emile.space.nix | 120 + .../www/tickets.emile.space.nix_chaos.jetzt.nix | 107 + nix/hosts/corrino/www/znc.emile.space.nix | 47 + nix/hosts/hacknix/README.md | 46 + nix/hosts/hacknix/burpsuitepro/default.nix | 46 + nix/hosts/hacknix/configuration.nix | 396 +++ nix/hosts/hacknix/hardware-configuration.nix | 36 + nix/hosts/hacknix/i3-config.nix | 139 ++ nix/hosts/hacknix/overlay/default.nix | 16 + nix/hosts/hacknix/pkgs/helix-2303/Cargo.lock | 2561 ++++++++++++++++++++ nix/hosts/hacknix/pkgs/helix-2303/default.nix | 55 + nix/hosts/hacknix/pkgs/radare2-5.8.4/default.nix | 118 + nix/hosts/mail/configuration.nix | 126 + nix/hosts/mail/hardware-configuration.nix | 24 + nix/hosts/mail/mail.nix | 50 + nix/lib/default.nix | 22 + nix/lib/flake-helper.nix | 158 ++ nix/lib/sec.nix | 25 + nix/pkgs/overlay.nix | 4 + nix/templates/ctf/flake.nix | 47 + nix/users/emile/default.nix | 13 + nix/users/emile/ssh.pub | 1 + 70 files changed, 6701 insertions(+) create mode 100644 nix/hosts/caladan/README.md create mode 100644 nix/hosts/caladan/aliases.nix create mode 100644 nix/hosts/caladan/darwin-configuration.nix create mode 100644 nix/hosts/caladan/functions.zsh create mode 100644 nix/hosts/caladan/home_emile.nix create mode 100644 nix/hosts/caladan/home_hydra.nix create mode 100644 nix/hosts/caladan/overlay.nix create mode 100644 nix/hosts/caladan/session_variables.zsh create mode 100644 nix/hosts/caladan/ssh.pub create mode 100644 nix/hosts/chusuk/README.md create mode 100644 
nix/hosts/chusuk/configuration.nix create mode 100644 nix/hosts/chusuk/hardware-configuration.nix create mode 100644 nix/hosts/corrino/README.md create mode 100644 nix/hosts/corrino/configuration.nix create mode 100644 nix/hosts/corrino/default.nix create mode 100644 nix/hosts/corrino/emile.space.nix create mode 100644 nix/hosts/corrino/gemini/emile.space.nix create mode 100644 nix/hosts/corrino/hardware-configuration.nix create mode 100644 nix/hosts/corrino/secrets/factorio_password.age create mode 100644 nix/hosts/corrino/secrets/grafana_admin_password.age create mode 100644 nix/hosts/corrino/secrets/grafana_database_password.age create mode 100644 nix/hosts/corrino/secrets/grafana_secret_key.age create mode 100644 nix/hosts/corrino/secrets/grafana_smtp_password.age create mode 100644 nix/hosts/corrino/secrets/magic-hash-flag.age create mode 100644 nix/hosts/corrino/secrets/mail_password.age create mode 100644 nix/hosts/corrino/secrets/netbox_secret.age create mode 100644 nix/hosts/corrino/secrets/photoprism_password.age create mode 100644 nix/hosts/corrino/secrets/pretix.age create mode 100644 nix/hosts/corrino/secrets/pretix_postgres_pw.age create mode 100644 nix/hosts/corrino/secrets/storage_box_bx11_password.age create mode 100644 nix/hosts/corrino/secrets/tailscale_authkey.age create mode 100644 nix/hosts/corrino/secrets/wireguard_privatekey.age create mode 100644 nix/hosts/corrino/ssh.pub create mode 100644 nix/hosts/corrino/www/cs.emile.space.nix create mode 100644 nix/hosts/corrino/www/ctf.emile.space.nix create mode 100644 nix/hosts/corrino/www/emile.space.nix create mode 100644 nix/hosts/corrino/www/events.emile.space.nix create mode 100644 nix/hosts/corrino/www/git.emile.space.nix create mode 100644 nix/hosts/corrino/www/grafana.emile.space.nix create mode 100644 nix/hosts/corrino/www/grafana_full.emile.space.nix create mode 100644 nix/hosts/corrino/www/hydra.emile.space.nix create mode 100644 nix/hosts/corrino/www/jupyter.emile.space.nix create mode 
100644 nix/hosts/corrino/www/magic-hash.emile.space.nix create mode 100644 nix/hosts/corrino/www/netbox.emile.space.nix create mode 100644 nix/hosts/corrino/www/pgweb.emile.space.nix create mode 100644 nix/hosts/corrino/www/photo.emile.space.nix create mode 100644 nix/hosts/corrino/www/stream.emile.space.nix create mode 100644 nix/hosts/corrino/www/talks.emile.space.nix create mode 100644 nix/hosts/corrino/www/tickets.emile.space.nix create mode 100644 nix/hosts/corrino/www/tickets.emile.space.nix_chaos.jetzt.nix create mode 100644 nix/hosts/corrino/www/znc.emile.space.nix create mode 100644 nix/hosts/hacknix/README.md create mode 100644 nix/hosts/hacknix/burpsuitepro/default.nix create mode 100644 nix/hosts/hacknix/configuration.nix create mode 100644 nix/hosts/hacknix/hardware-configuration.nix create mode 100644 nix/hosts/hacknix/i3-config.nix create mode 100644 nix/hosts/hacknix/overlay/default.nix create mode 100644 nix/hosts/hacknix/pkgs/helix-2303/Cargo.lock create mode 100644 nix/hosts/hacknix/pkgs/helix-2303/default.nix create mode 100644 nix/hosts/hacknix/pkgs/radare2-5.8.4/default.nix create mode 100644 nix/hosts/mail/configuration.nix create mode 100644 nix/hosts/mail/hardware-configuration.nix create mode 100644 nix/hosts/mail/mail.nix create mode 100644 nix/lib/default.nix create mode 100644 nix/lib/flake-helper.nix create mode 100644 nix/lib/sec.nix create mode 100644 nix/pkgs/overlay.nix create mode 100644 nix/templates/ctf/flake.nix create mode 100644 nix/users/emile/default.nix create mode 100644 nix/users/emile/ssh.pub (limited to 'nix') diff --git a/nix/hosts/caladan/README.md b/nix/hosts/caladan/README.md new file mode 100644 index 0000000..733f564 --- /dev/null +++ b/nix/hosts/caladan/README.md @@ -0,0 +1,3 @@ +# caladan + +m1 macbook air \ No newline at end of file diff --git a/nix/hosts/caladan/aliases.nix b/nix/hosts/caladan/aliases.nix new file mode 100644 index 0000000..5ffff74 --- /dev/null +++ b/nix/hosts/caladan/aliases.nix 
@@ -0,0 +1,53 @@
+{
+ ":q" = "exit";
+ ls = "eza";
+ ytop = "btm";
+
+ # short forms
+ tf = "terraform";
+ h = "mosh hack";
+
+ r2help = ''r2 -qq -c "?*~..." --'';
+ mosh = "mosh --no-init";
+ t = "task";
+ tw = "timew";
+
+ ipa = "scutil --nwi";
+
+ # this can be super nice and super annoying at the same time:
+ # ssh = "kitty +kitten ssh";
+
+ light = "kitty +kitten themes --reload-in=all Ayu Light";
+ dark = "kitty +kitten themes --reload-in=all Ayu";
+
+
+ ".." = "cd ..";
+ "..." = "cd ../..";
+ "...." = "cd ../../..";
+ "....." = "cd ../../../..";
+
+ grep = "grep --color=auto";
+ nix-stray-roots = ''
+ nix-store --gc --print-roots | egrep -v "^(/nix/var|/run/w+-system|{memory)"'';
+
+ holdmybeer = "sudo ";
+
+ servethis = "python3 -m http.server";
+
+ # nmap foo
+ nmap_open_ports = "nmap --open";
+ nmap_list_interfaces = "nmap --iflist";
+ nmap_slow = "sudo nmap -sS -v -T1";
+ nmap_fin = "sudo nmap -sF -v";
+ nmap_full = "sudo nmap -sS -T4 -PE -PP -PS80,443 -PY -g 53 -A -p1-65535 -v";
+ nmap_check_for_firewall = "sudo nmap -sA -p1-65535 -v -T4";
+ nmap_ping_through_firewall = "nmap -PS -PA";
+ nmap_fast = "nmap -F -T5 --version-light --top-ports 300";
+ nmap_detect_versions = "sudo nmap -sV -p1-65535 -O --osscan-guess -T4 -Pn";
+ nmap_check_for_vulns = "nmap --script = vuln";
+ nmap_full_udp = "sudo nmap -sS -sU -T4 -A -v -PE -PS22,25,80 -PA21,23,80,443,3389 ";
+ nmap_traceroute = "sudo nmap -sP -PE -PS22,25,80 -PA21,23,80,3389 -PU -PO --traceroute ";
+ nmap_full_with_scripts = "sudo nmap -sS -sU -T4 -A -v -PE -PP -PS21,22,23,25,80,113,31339 -PA80,113,443,10042 -PO --script all " ;
+ nmap_web_safe_osscan = "sudo nmap -p 80,443 -O -v --osscan-guess --fuzzy ";
+ nmap_ping_scan = "nmap -n -sP";
+}
diff --git a/nix/hosts/caladan/darwin-configuration.nix b/nix/hosts/caladan/darwin-configuration.nix
new file mode 100644
index 0000000..b31b6b3
--- /dev/null
+++ b/nix/hosts/caladan/darwin-configuration.nix
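Review bot: `nix-stray-roots` pipes into `egrep`, which GNU grep has deprecated (3.8 and later print a warning on every invocation), and the pattern `^(/nix/var|/run/w+-system|{memory)` as it appears here matches a literal `w+` and a literal `{memory`. If a backslash was lost in transit that is fine, because a lone `\` is literal inside a Nix `''` string, but as written the `/run/*-system` roots would not be filtered. Suggested line: `nix-store --gc --print-roots | grep -Ev "^(/nix/var|/run/\w+-system|\{memory)"`.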
@@ -0,0 +1,82 @@ +{ pkgs, lib, ... }: + +{ + imports = [ + ./overlay.nix + ]; + + users.users.emile = { + name = "emile"; + home = "/Users/emile"; + }; + + users.users.hydra = { + name = "hydra"; + home = "/Users/hydra"; + }; + + nix = { + useDaemon = true; + package = pkgs.nixFlakes; + extraOptions = '' + builders-use-substitutes = true + auto-optimise-store = true + '' + lib.optionalString (pkgs.system == "aarch64-darwin") '' + extra-platforms = x86_64-darwin aarch64-darwin + ''; + + settings = { + trusted-public-keys = [ + "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" + ]; + substituters = [ + "https://cache.nixos.org" + ]; + + experimental-features = [ "nix-command" "flakes" ]; + }; + + distributedBuilds = true; + + buildMachines = [ + { + hostName = "corrino.emile.space"; + system = "x86_64-linux"; + maxJobs = 1; + speedFactor = 2; + + # Feature | Derivations requiring it + # --------------|----------------------------------------------------- + # kvm | Everything which builds inside a vm, like NixOS tests + # nixos-test | Machine can run NixOS tests + # big-parallel | kernel config, libreoffice, evolution, llvm and chromium. + # benchmark | Machine can generate metrics (Means the builds usually + # | takes the same amount of time) + + # cat /etc/nix/machines + # root@corrino x86_64-linux /home/nix/.ssh/id_ed25519 8 1 kvm,benchmark + + supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ]; + mandatoryFeatures = [ ]; + } + ]; + }; + + nixpkgs = { + config.allowUnfree = true; + }; + + programs.fish.enable = true; + + services.nix-daemon.enable = true; + + security.pam.enableSudoTouchIdAuth = true; + + environment = { + systemPackages = [ + pkgs.yarr + ]; + shells = with pkgs; [ bashInteractive zsh fish ]; + }; + +} diff --git a/nix/hosts/caladan/functions.zsh b/nix/hosts/caladan/functions.zsh new file mode 100644 index 0000000..b134ef3 --- /dev/null +++ b/nix/hosts/caladan/functions.zsh 
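Review bot: The `buildMachines` entry for `corrino.emile.space` specifies neither `sshUser`/`sshKey` nor `publicHostKey`, so authentication and host-key trust for the remote builder are left entirely to the nix-daemon user's SSH configuration and `known_hosts`, which means the first build is trust-on-first-use against a machine that receives build inputs and returns outputs into the local store. If nix-darwin exposes the same options as NixOS, pinning them here, e.g. `sshUser = "nix"; sshKey = "<path to deploy key>"; publicHostKey = "<base64 host key>";`, makes the trust explicit and reproducible. Separately, the `trusted-public-keys` and `substituters` lists only restate Nix's defaults and could be dropped, or a comment could say why they are pinned.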
@@ -0,0 +1,30 @@
+function pmk() {
+ docker run \
+ -v \
+ "$(pwd):/pwn" \
+ --cap-add=SYS_PTRACE \
+ --security-opt seccomp=unconfined \
+ -d \
+ --name $1 \
+ -i \
+ ctf_ubuntu22.10;
+}
+
+function pcd() {
+ docker exec \
+ -it \
+ --workdir /pwn \
+ $1 \
+ bash;
+}
+
+function prm() {
+ docker stop $1;
+}
+
+function pls() {
+ docker ps \
+ -a \
+ -f ancestor=ctf_ubuntu22.10 \
+ --format "{{.Names}}";
+}
diff --git a/nix/hosts/caladan/home_emile.nix b/nix/hosts/caladan/home_emile.nix
new file mode 100644
index 0000000..d3428cf
--- /dev/null
+++ b/nix/hosts/caladan/home_emile.nix
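Review bot: `$1` is used unquoted and unchecked in `pmk`, `pcd` and `prm`; with no argument, `pmk` runs `docker run ... --name -i ctf_ubuntu22.10`, so `-i` becomes the container name, and `pcd`/`prm` fail with a docker usage error instead of a clear message. Start each of the three with `local name="${1:?container name required}"` and use `"$name"` in place of `$1`. Worth a one-line comment above `pmk` as well: the container runs with `SYS_PTRACE` and an unconfined seccomp profile and the current directory is bind-mounted read-write, so whatever is debugged inside can modify files in that host directory; keeping the working copy under version control limits the damage.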
@@ -0,0 +1,180 @@ +{ pkgs, lib, ... }: + +{ + home = { + stateVersion = "22.11"; + username = "emile"; + homeDirectory = "/Users/emile"; + }; + + # let home-manager install and manage itself + programs = { + home-manager.enable = true; + + direnv = { + enable = true; + nix-direnv.enable = true; + }; + + htop = { + enable = true; + settings.show_program_with_path = true; + }; + + zsh = { + enable = true; + enableCompletion = true; + #syntaxHighlighting.enable = true; + shellAliases = import ./aliases.nix; + enableAutosuggestions = true; + oh-my-zsh = { + enable = true; + plugins = [ "git" "vi-mode" "web-search" "urltools" ]; + }; + + # this has to be added, so we can ssh into the host using deploy-rs and + # access the `nix-store` stuff + envExtra = '' + if [ -e '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh' ]; then + . '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh' + fi + ''; + + initExtraBeforeCompInit = '' + ${builtins.readFile ./session_variables.zsh} + ${builtins.readFile ./functions.zsh} + + eval "$(direnv hook zsh)" + + setopt autocd # cd without needing to use the cd command + ''; + }; + + kitty = { + enable = true; + + # font = pkgs.iosevka; + + font = { + name = "Iosevka Nerd Font"; + size = 13; + }; + + settings = { + font_size = 12; + + disable_ligatures = "never"; + close_on_child_death = "yes"; + + tab_bar_edge = "top"; + tab_bar_style = "slant"; + tab_bar_min_tabs = 1; + + # tab_title_template = "{index}[{layout_name[0:2]}]: {title.replace('emile', 'e')[title.rfind('/')+1:]}"; + tab_title_template = "{index}[{layout_name[0:2]}]: {title.replace('emile', 'e')}"; + + editor = "/Users/emile/.cargo/bin/hx"; + + macos_option_as_alt = "no"; + macos_quit_when_last_window_closed = "yes"; + + kitty_mod = "ctrl+shift"; + + clear_all_shortcuts = ""; + }; + + keybindings = { + "cmd+enter" = "launch --cwd=current --location=split"; + "cmd+shift+enter" = "launch --cwd=current --location=hsplit"; + + "cmd+shift+h" = "move_window left"; + 
"cmd+shift+j" = "move_window down"; + "cmd+shift+k" = "move_window up"; + "cmd+shift+l" = "move_window right"; + + "cmd+shift+m" = "detach_window ask"; + + "command+j" = "kitten pass_keys.py neighboring_window bottom command+j"; + "command+k" = "kitten pass_keys.py neighboring_window top command+k"; + "command+h" = "kitten pass_keys.py neighboring_window left command+h"; + "command+l" = "kitten pass_keys.py neighboring_window right command+l"; + "command+b" = "combine : clear_terminal scroll active : send_text normal,application \x0c"; + + # "ctrl+n" = "send_text all \x0e"; + "ctrl+e" = "send_text all \x01h"; + "ctrl+n" = "send_text all \x01i"; + "ctrlshift++n" = "send_text all \x01i"; + + "ctrl+left" = "resize_window wider"; + "ctrl+right" = "resize_window narrower"; + "ctrl+up" = "resize_window shorter"; + "ctrl+down" = "resize_window taller"; + }; + + environment = { }; + }; + }; + + home.packages = with pkgs; [ + coreutils mpv + + # terminal foo + kitty + jq ripgrep fd eza lsd tree broot + du-dust mktemp htop rsync + p7zip imagemagick binwalk lftp + graphviz + + git tig + + # nix related tools + deploy-rs + cachix + nixos-rebuild + + # editor + helix + nodePackages_latest.typescript-language-server # js language server + nil # nix language server + nodePackages.yaml-language-server # yaml language server + + # binary foo + radare2 + + # network foo + curl + wireguard-tools + # tailscale + + # rss foo + yarr + + # go foo + go delve + + # c foo + cmake + + # iot hack foo + minicom + + SDL2 + + # macos foo + # karabiner-elements + + # qemu tooling + qemu + sphinx #docs + virt-manager + + # lisp foo + unstable.sbcl + + # infrastructure as code foo + terraform ansible + + ] ++ lib.optionals stdenv.isDarwin [ + m-cli + ]; +} diff --git a/nix/hosts/caladan/home_hydra.nix b/nix/hosts/caladan/home_hydra.nix new file mode 100644 index 0000000..63d3563 --- /dev/null +++ b/nix/hosts/caladan/home_hydra.nix 
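Review bot: The kitty keybinding `"ctrlshift++n" = "send_text all \x01i";` is a malformed key spec (presumably `ctrl+shift+n`); kitty will most likely reject the line at startup, so either fix it or drop it since `ctrl+n` already sends the same text. The `envExtra` block that sources `nix-daemon.sh` duplicates the identical `if [ -e '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh' ]` block in `session_variables.zsh`, which `initExtraBeforeCompInit` already reads in; the comment says it is needed for non-interactive deploy-rs sessions, so keep `envExtra` and remove the copy from `session_variables.zsh`, or note in the comment why both exist. Depending on the home-manager revision the flake pins, `enableAutosuggestions` may already be renamed to `autosuggestion.enable`; `unstable.sbcl` also relies on an `unstable` attribute that the `overlay.nix` in this commit does not define.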
@@ -0,0 +1,18 @@
+{ config, pkgs, ... }:
+
+{
+ home = {
+ stateVersion = "22.11";
+ username = "hydra";
+ homeDirectory = "/Users/hydra";
+ };
+
+ # let home-manager install and manage itself
+ programs = {
+ home-manager.enable = true;
+ };
+
+ home.packages = with pkgs; [
+ tailscale
+ ];
+}
diff --git a/nix/hosts/caladan/overlay.nix b/nix/hosts/caladan/overlay.nix
new file mode 100644
index 0000000..a96e3f3
--- /dev/null
+++ b/nix/hosts/caladan/overlay.nix
@@ -0,0 +1,18 @@
+{ ... }:
+
+{
+ nixpkgs = {
+ overlays = [
+ (self: super: {
+ # helix-2303 = self.callPackage ../../pkgs/helix-2303 { };
+ # r2 = self.callPackage ../../pkgs/radare2-5.8.4 { };
+ # ansel = self.callPackage ../../pkgs/ansel { };
+ # typst = self.callPackage ../pkgs/radare2-5.8.4 { };
+ })
+ ];
+ config = {
+ allowUnfree = true;
+ allowBroken= true;
+ };
+ };
+}
diff --git a/nix/hosts/caladan/session_variables.zsh b/nix/hosts/caladan/session_variables.zsh
new file mode 100644
index 0000000..863f31c
--- /dev/null
+++ b/nix/hosts/caladan/session_variables.zsh
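Review bot: `overlay.nix` sets `nixpkgs.config.allowUnfree = true` while `darwin-configuration.nix`, which imports it, sets the same option again; keep it in one place. `allowBroken= true` (spacing aside) is global, so every package marked broken in nixpkgs becomes buildable without a visible trace of which one needed it; a short comment naming the package that required it, e.g. `# allowBroken: needed for <package>`, would document the exception, and if none currently does the line can go. The overlay body is entirely commented out, so the file is effectively config-only.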
@@ -0,0 +1,35 @@
+export PROMPT="; " # minimal prompt
+export RPROMPT="%F{green}%/%F{reset}"
+export PROMPT_EOL_MARK="%" # hide EOL sign ('%')
+
+export EDITOR="hx"
+export LC_ALL="en_US.UTF-8"
+export LANG="en_US.UTF-8"
+
+
+export GOPATH=~/go
+export GOBIN=$GOPATH/bin
+
+# /usr/local/bin is mac specific and where brew installs stuff. As we are
+# making use of brew as fallback so we need to add it
+export PATH="$HOME/.local/bin:$HOME/.nix-profile/bin:/usr/local/bin:$PATH"
+export PATH=$PATH:~/go/bin
+export PATH=$PATH:~/.emacs.d/bin
+export PATH=$PATH:~/bin
+export PATH=$PATH:"/Applications/Racket v8.8/bin"
+export PATH=/Users/emile/.cargo/bin:$PATH
+export PATH=$PATH:/opt/homebrew/bin
+
+# uxn
+export PATH=$PATH:/Users/emile/Documents/projects/uxn/bin
+
+# fzf
+export FZF_BASE=$(whereis fzf | awk '{print $2}' | sed "s/fzf$//g")
+if [ -n "${commands[fzf-share]}" ]; then
+ source "$(fzf-share)/key-bindings.zsh"
+ source "$(fzf-share)/completion.zsh"
+fi
+
+if [ -e '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh' ]; then
+ . '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh'
+fi
diff --git a/nix/hosts/caladan/ssh.pub b/nix/hosts/caladan/ssh.pub
new file mode 100644
index 0000000..e68dee1
--- /dev/null
+++ b/nix/hosts/caladan/ssh.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZi43zHEsoWaQomLGaftPE5k0RqVrZyiTtGqZlpWsew
diff --git a/nix/hosts/chusuk/README.md b/nix/hosts/chusuk/README.md
new file mode 100644
index 0000000..7dcab5f
--- /dev/null
+++ b/nix/hosts/chusuk/README.md
@@ -0,0 +1,3 @@
+# chusuk
+
+t480
diff --git a/nix/hosts/chusuk/configuration.nix b/nix/hosts/chusuk/configuration.nix
new file mode 100644
index 0000000..c9c52e7
--- /dev/null
+++ b/nix/hosts/chusuk/configuration.nix
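Review bot: Two PATH entries hard-code `/Users/emile` while the rest of the file uses `$HOME`/`~`, so the file breaks for the `hydra` user that `home_hydra.nix` sets up on the same host, and `~/go/bin` is appended even though `$GOBIN` already names that directory. Suggested lines: `export PATH="$PATH:$GOBIN"`, `export PATH="$HOME/.cargo/bin:$PATH"`, `export PATH="$PATH:$HOME/Documents/projects/uxn/bin"`. The trailing `nix-daemon.sh` block is also present verbatim in `envExtra` in `home_emile.nix`; one copy is enough.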
@@ -0,0 +1,141 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, ... }: + +{ + imports = + [ # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; + + # Use the systemd-boot EFI boot loader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + # Set your time zone. + time.timeZone = "Europe/Amsterdam"; + + networking = { + hostName = "chusuk"; # Define your hostname. + wireless.enable = true; # Enables wireless support via wpa_supplicant. + + # The global useDHCP flag is deprecated, therefore explicitly set to false here. + # Per-interface useDHCP will be mandatory in the future, so this generated config + # replicates the default behaviour. + useDHCP = false; + interfaces.enp0s31f6.useDHCP = true; + interfaces.wlp3s0.useDHCP = true; + + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + firewall.enable = true; + }; + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # Select internationalisation properties. + i18n.defaultLocale = "en_US.UTF-8"; + console = { + font = "Lat2-Terminus16"; + keyMap = "us"; + }; + + # Define a user account. Don't forget to set a password with ‘passwd’. + users.users.emile = { + isNormalUser = true; + extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. + }; + users.users.root = { + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZi43zHEsoWaQomLGaftPE5k0RqVrZyiTtGqZlpWsew" + ]; + }; + + # List packages installed in system profile. 
To search, run: + # $ nix search wget + environment = { + pathsToLink = [ "/libexec" ]; + systemPackages = with pkgs; [ + kitty + vim helix + wget htop eza fd du-dust + tailscale + cryptsetup + firefox + + networkmanager + + ###################################3 + # wayland foo + waybar + hyprpaper # wallpaper + + tofi rofi + dolphin + mako + + pipewire + wireplumber + + xdg-desktop-portal + ###################################3 + ]; + }; + + # Some programs need SUID wrappers, can be configured further or are + # started in user sessions. + # programs.mtr.enable = true; + # programs.gnupg.agent = { + # enable = true; + # enableSSHSupport = true; + # }; + + programs = { + mosh.enable = true; + + hyprland = { + enable = true; + }; + }; + + # List services that you want to enable: + + # Enable the OpenSSH daemon. + services = { + openssh.enable = true; + tailscale.enable = true; + xserver = { + enable = true; + desktopManager = { + xterm.enable = false; + }; + + displayManager = { + defaultSession = "none+i3"; + }; + + windowManager.i3 = { + enable = true; + extraPackages = with pkgs; [ + dmenu i3status i3lock i3blocks + ]; + }; + }; + }; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "21.05"; # Did you read the comment? + +} + diff --git a/nix/hosts/chusuk/hardware-configuration.nix b/nix/hosts/chusuk/hardware-configuration.nix new file mode 100644 index 0000000..6b34e3b --- /dev/null +++ b/nix/hosts/chusuk/hardware-configuration.nix 
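Review bot: `services.openssh.enable = true` is set with a root authorized key, but `settings.PasswordAuthentication` and `settings.PermitRootLogin` are left at their defaults, while the `emile` account is created with no password and no keys (the comment defers that to `passwd`); the corrino configuration in this same commit pins both, and chusuk should match: `settings.PasswordAuthentication = false;` and `settings.PermitRootLogin = "prohibit-password";` inside `services.openssh`. A laptop that roams on Wi-Fi (`wireless.enable = true`) is the host where an exposed password login matters most. Also note that `networkmanager` is only added to `systemPackages`; with `networking.wireless.enable = true` (wpa_supplicant) enabling `networking.networkmanager.enable` later will conflict, so a comment saying which one is intended would help.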
@@ -0,0 +1,31 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/22445c0e-71bd-488f-88e5-0abc60441e58"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/29BB-5D28"; + fsType = "vfat"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/d79efda2-1190-428c-8598-6911793175fb"; } + ]; + + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; +} diff --git a/nix/hosts/corrino/README.md b/nix/hosts/corrino/README.md new file mode 100644 index 0000000..edeb74c --- /dev/null +++ b/nix/hosts/corrino/README.md @@ -0,0 +1,4 @@ +# corrino + +`corrino.emile.space` is my current (2023-05-28) "main" server for hosting +services, running build tasks and more. diff --git a/nix/hosts/corrino/configuration.nix b/nix/hosts/corrino/configuration.nix new file mode 100644 index 0000000..aed56cf --- /dev/null +++ b/nix/hosts/corrino/configuration.nix 
@@ -0,0 +1,415 @@ +{ config, pkgs, ... }: +{ + imports = + [ # Include the results of the hardware scan. + ./hardware-configuration.nix + # ./age_secrets.nix + + ./www/emile.space.nix + ./www/git.emile.space.nix + ./www/hydra.emile.space.nix + ./www/netbox.emile.space.nix + # ./www/grafana.emile.space.nix + ./www/photo.emile.space.nix + + + # ./www/events.emile.space.nix + ./www/tickets.emile.space.nix + ./www/talks.emile.space.nix + ./www/stream.emile.space.nix + + ./www/pgweb.emile.space.nix + + ./www/ctf.emile.space.nix + # ./www/magic-hash.emile.space.nix + + # ./www/znc.emile.space.nix + + ./gemini/emile.space.nix + ]; + + # Use GRUB2 as the boot loader. + # We don't use systemd-boot because Hetzner uses BIOS legacy boot. + boot = { + #supportsInitrdSecrets = true; + + loader.systemd-boot.enable = false; + loader.grub = { + enable = true; + efiSupport = false; + enableCryptodisk = true; + device = "nodev"; + devices = [ "/dev/nvme0n1" "/dev/nvme1n1"]; + }; + + kernelParams = [ "ip=135.181.142.139::135.181.142.129:255.255.255.192:corrino:enp35s0:off:8.8.8.8:8.8.4.4:" ]; + + initrd = { + kernelModules = [ "dm-snapshot" ]; + + availableKernelModules = [ "cryptd" "aesni_intel" "igb" ];#"FIXME Your network driver" ]; + + network = { + enable = true; + ssh = { + enable = true; + + # ssh port during boot for luks decryption + port = 2222; + authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys; + hostKeys = [ "/initrd_ssh_host_ecdsa_key" ]; + }; + postCommands = '' + echo 'cryptsetup-askpass' >> /root/.profile + ''; + }; + + luks = { + forceLuksSupportInInitrd = true; + devices = { + root = { + preLVM = true; + device = "/dev/md1"; + allowDiscards = true; + }; + }; + }; + + secrets = { + "/initrd_ssh_host_ecdsa_key" = "/initrd_ssh_host_ecdsa_key"; + }; + + # The RAIDs are assembled in stage1, so we need to make the config + # available there. 
+ # services.swraid.mdadmConf = config.environment.etc."mdadm.conf".text; + }; + + # From the nixos 23.11 release notes changelog breaking changes section: + # mdraid support is optional now. This reduces initramfs size and prevents + # the potentially undesired automatic detection and activation of software + # RAID pools. It is disabled by default in new configurations (determined + # by stateVersion), but the appropriate settings will be generated by + # nixos-generate-config when installing to a software RAID device, so the + # standard installation procedure should be unaffected. If you have custom + # configs relying on mdraid, ensure that you use stateVersion correctly or + # set boot.swraid.enable manually. On systems with an updated stateVersion + # we now also emit warnings if mdadm.conf does not contain the minimum + # required configuration necessary to run the dynamically enabled monitoring + # daemons. + swraid = { + enable = true; + # mdadmConf = config.environment.etc."mdadm.conf".text; + mdadmConf = '' + HOMEHOST + MAILADDR root + ''; + }; + + supportedFilesystems = [ "cifs" ]; + }; + + # The mdadm RAID1s were created with 'mdadm --create ... --homehost=hetzner', + # but the hostname for each machine may be different, and mdadm's HOMEHOST + # setting defaults to '' (using the system hostname). + # This results mdadm considering such disks as "foreign" as opposed to + # "local", and showing them as e.g. '/dev/md/hetzner:root0' + # instead of '/dev/md/root0'. + # This is mdadm's protection against accidentally putting a RAID disk + # into the wrong machine and corrupting data by accidental sync, see + # https://bugzilla.redhat.com/show_bug.cgi?id=606481#c14 and onward. + # We do not worry about plugging disks into the wrong machine because + # we will never exchange disks between machines, so we tell mdadm to + # ignore the homehost entirely. 
+ environment = { + etc."mdadm.conf".text = '' + HOMEHOST + MAILADDR root + ''; + + systemPackages = with pkgs; [ + git + du-dust + ncdu + # helix + + sshfs + ]; + }; + + programs = { + mosh.enable = true; + mtr.enable = true; + }; + + # create a oneshot job to authenticate to Tailscale + systemd.services.tailscale-autoconnect = { + description = "Automatic connection to Tailscale"; + + # make sure tailscale is running before trying to connect to tailscale + after = [ "network-pre.target" "tailscale.service" ]; + wants = [ "network-pre.target" "tailscale.service" ]; + wantedBy = [ "multi-user.target" ]; + + # set this service as a oneshot job + serviceConfig.Type = "oneshot"; + + # have the job run this shell script + script = with pkgs; '' + # wait for tailscaled to settle + sleep 2 + + # check if we are already authenticated to tailscale + status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)" + if [ $status = "Running" ]; then # if so, then do nothing + exit 0 + fi + + # otherwise authenticate with tailscale + ${tailscale}/bin/tailscale up \ + --advertise-exit-node --exit-node \ + -authkey tskey-auth-kfswm86CNTRL-QdFyL42rAhJDw7VZ2poVaJgDewQvmUu5K + ''; + # this is an old authkey which I found (was used once, now it's landed here but long expired...). I'm adding an age secret instead, although it isn't used anymore... 
+ # -authkey ${config.age.secrets.tailscale_authkey} + }; + + + networking = { + hostName = "corrino"; + domain = "emile.space"; + + # Network (Hetzner uses static IP assignments, and we don't use DHCP here) + useDHCP = false; + interfaces = { + "enp35s0" = { + ipv4.addresses = [ + { address = "135.181.142.139"; prefixLength = 26; } + ]; + }; + "enp35s0".ipv6.addresses = [ + { address = "2a01:4f9:3a:16a4::1"; prefixLength = 64; } + ]; + }; + + defaultGateway = "135.181.142.129"; + defaultGateway6 = { address = "fe80::1"; interface = "enp35s0"; }; + + nameservers = [ "8.8.8.8" "8.8.4.4" ]; + + + firewall = { + enable = true; + allowedTCPPorts = [ + 80 443 # normal web + ]; + allowedUDPPorts = [ + 51820 # wireguard + ]; + allowedUDPPortRanges = [ + { from = 60000; to = 61000; } # mosh + ]; + + interfaces."tailscale0".allowedTCPPorts = [ + 8085 # random internal web server port + ]; + }; + + nat = { + enable = true; + enableIPv6 = true; + externalInterface = "enp35s0"; + internalInterfaces = [ "wg0" ]; + }; + + wireguard = { + enable = true; + interfaces."wg0" = { + ips = [ "10.87.0.1/24" ]; + listenPort = 51820; + # This allows the wireguard server to route your traffic to the internet and hence be like a VPN + # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients + postSetup = '' + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.87.0.0/24 -o eth0 -j MASQUERADE + ''; + + # This undoes the above command + postShutdown = '' + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.87.0.0/24 -o eth0 -j MASQUERADE + ''; + + privateKeyFile = config.age.secrets.wireguard_privatekey.path; + + peers = [ + # List of allowed peers. + { # Emiles-MBA + publicKey = "Ebsjn7w2FeUs5lUN6ALoUcF/o9/+SopDL324YJPSCDY="; + # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing. 
+ allowedIPs = [ "10.87.0.2/32" ]; + } + { # Emiles-IphoneX + publicKey = "xGfmwraI0Eh3eFEXjJrd2AYCgUM1uK4Y+FX5ACAQZ3M="; + # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing. + allowedIPs = [ "10.87.0.3/32" ]; + } + ]; + }; + }; + }; + + # Initial empty root password for easy login: + users.users = { + root = { + initialHashedPassword = ""; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZi43zHEsoWaQomLGaftPE5k0RqVrZyiTtGqZlpWsew emile@caladan" + ]; + packages = with pkgs; [ + mdadm + tailscale + + # random useful stuff + htop + git + vim + fd ripgrep + ]; + extraGroups = [ "docker" "libvirtd" ]; + }; + + hack = { + isNormalUser = true; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZi43zHEsoWaQomLGaftPE5k0RqVrZyiTtGqZlpWsew emile@caladan" + ]; + extraGroups = [ "docker" "libvirtd" ]; + }; + + tmpuser1 = { + isNormalUser = true; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZi43zHEsoWaQomLGaftPE5k0RqVrZyiTtGqZlpWsew emile@caladan" + # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJMMq7gVuOuJEuarcsss2pb4JJS39zW/Fuow0foyqlV5 noobtracker@noobtracker-linux" + ]; + }; + }; + + services = { + openssh = { + settings = { + PermitRootLogin = "prohibit-password"; + PasswordAuthentication = false; + }; + enable = true; + }; + + nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + }; + + tailscale = { + enable = true; + + # use corrino as a subnet router and an exit node + useRoutingFeatures = "both"; + }; + }; + + nix = { + settings.experimental-features = [ "nix-command" "flakes" ]; + + gc = { + automatic = true; + dates = "daily"; + options = "--delete-older-than 7d"; + }; + + optimise = { + automatic = true; + dates = [ "03:45" ]; + }; + + # we need the below in order for hydra to be allowed to access the pages + extraOptions = '' + allowed-uris = 
ssh://gitea@git.emile.space git+https://git.emile.space https://git.emile.space https://portswigger-cdn.net https://git.sr.ht/ https://gitlab.com/simple-nixos-mailserver https://github.com/nixos/nixpkgs + builders-use-substitutes = true + ''; + + buildMachines = [ + { + hostName = "localhost"; + system = "x86_64-linux"; + protocol = "ssh-ng"; + maxJobs = 1; + supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ]; + } + { + hostName = "caladan"; + system = "aarch64-darwin"; + protocol = "ssh-ng"; + maxJobs = 1; + speedFactor = 2; + supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ]; + mandatoryFeatures = [ ]; + } + ]; + + distributedBuilds = true; + }; + + nixpkgs.config = { + allowUnfree = true; + permittedInsecurePackages = [ + # none :D + ]; + }; + + security = { + acme = { + acceptTerms = true; + defaults.email = "admin+acme@emile.space"; + }; + }; + + virtualisation = { + docker.enable = true; + # libvirtd = { + # enable = true; + # qemu = { + # swtpm.enable = true; + # ovmf.enable = true; + # ovmf.packages = [ pkgs.OVMFFull.fd ]; + # }; + # }; + # spiceUSBRedirection.enable = true; + }; + + # programs.virt-manager.enable = true; + + fileSystems."/proc" = { + device = "/proc"; + options = [ + "nosuid" "nodev" "noexec" "relatime" # normal foo + "hidepid=2" # this makes sure users can only see their own processes + ]; + }; + + fileSystems."/mnt/storagebox-bx11" = { + device = "//u331921.your-storagebox.de/backup"; + fsType = "cifs"; + options = + let + automount_opts = "_netdev,x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s"; + in ["${automount_opts},credentials=${config.age.secrets.storage_box_bx11_password.path}"]; + }; + + # FIXME + # This value determines the NixOS release with which your system is to be + # compatible, in order to avoid breaking some software such as database + # servers. You should change this only after NixOS release notes say you + # should. 
+ system.stateVersion = "22.11"; # Did you read the comment? +} diff --git a/nix/hosts/corrino/default.nix b/nix/hosts/corrino/default.nix new file mode 100644 index 0000000..87486c5 --- /dev/null +++ b/nix/hosts/corrino/default.nix @@ -0,0 +1,3 @@ +{ + sshKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFzoWTW3c7CKWx5t0OZzTfKTlC6R2VHXczVatgYI57N"; +} diff --git a/nix/hosts/corrino/emile.space.nix b/nix/hosts/corrino/emile.space.nix new file mode 100644 index 0000000..9cca880 --- /dev/null +++ b/nix/hosts/corrino/emile.space.nix @@ -0,0 +1,60 @@ +{ + services.nginx.virtualHosts."emile.space" = { + forceSSL = true; + enableACME = true; + + # kTLS = true; + + locations = { + "/" = { + root = "/var/www/emile.space"; + extraConfig = '' + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + ''; + }; + + #"/.well-known" = { + # root = "/var/www/emile.space"; + # extraConfig = '' + # autoindex on; + # ''; + #}; + + ## I ran a matrix homeserver for some time, then stopped, but the other + ## homeserver don't know and don't stop sending me requests (5e5 a day or + ## so). + #"/.well-known/matrix/server".extraConfig = '' + # return 410; + #''; + }; + }; + + # services.stargazer = { + # enable = true; + # user = "stargazer"; + # group = "stargazer"; + + # certLifetime = "1m"; + # store = /var/lib/gemini/certs; + + # genCerts = true; + # regenCerts = true; + # responseTimeout = 0; + # requestTimeout = 5; + + # routes = [ + # { + # route = "emile.space"; + # root = "/srv/gemini/emile.space"; + # } + # ]; + + # listen = [ "0.0.0.0" "[2002:a00:1::]" ]; + + # ipLogPartial = false; + # ipLog = false; + # connectionLogging = false; + + # certOrg = "emile.space"; + # }; +} diff --git a/nix/hosts/corrino/gemini/emile.space.nix b/nix/hosts/corrino/gemini/emile.space.nix new file mode 100644 index 0000000..f7116ae --- /dev/null +++ b/nix/hosts/corrino/gemini/emile.space.nix 
@@ -0,0 +1,16 @@ +{ ... }: + +{ + services.agate = { + # TODO: fix link generation in vokobe + enable = true; + contentDir = "/var/www/emile.space"; + hostnames = [ + "emile.space" + ]; + addresses = [ + "0.0.0.0:1965" + ]; + }; + networking.firewall.allowedTCPPorts = [ 1965 ]; +} diff --git a/nix/hosts/corrino/hardware-configuration.nix b/nix/hosts/corrino/hardware-configuration.nix new file mode 100644 index 0000000..b4e8c1e --- /dev/null +++ b/nix/hosts/corrino/hardware-configuration.nix @@ -0,0 +1,39 @@ + + # Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "ahci" "nvme" ]; + boot.initrd.kernelModules = [ "dm-snapshot" ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/4d372699-9d47-44bf-a68e-eeb126fb7ad6"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/726db4ba-5b90-47e2-b924-72623f02585a"; + fsType = "ext4"; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.eth0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} 
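Review bot: agate is bound to `0.0.0.0:1965` only, so the Gemini capsule is unreachable over IPv6 even though the host carries a global v6 address (`2a01:4f9:3a:16a4::1` in configuration.nix) and nginx on the same box answers on both families; add `"[::]:1965"` to `addresses` (the bracketed form is what agate's `--addr` expects, as far as I can tell). The `allowedTCPPorts` line opens 1965 on every interface, which looks intended here, but `contentDir` is the same `/var/www/emile.space` tree nginx serves, so anything dropped in that directory for the HTTPS site is also served over Gemini — worth a comment so the two front ends are not hardened independently later.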
diff --git a/nix/hosts/corrino/secrets/factorio_password.age b/nix/hosts/corrino/secrets/factorio_password.age new file mode 100644 index 0000000..7f02410 Binary files /dev/null and b/nix/hosts/corrino/secrets/factorio_password.age differ diff --git a/nix/hosts/corrino/secrets/grafana_admin_password.age b/nix/hosts/corrino/secrets/grafana_admin_password.age new file mode 100644 index 0000000..52fb988 --- /dev/null +++ b/nix/hosts/corrino/secrets/grafana_admin_password.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 gvwQ2Q SSBiaII5ILPTF1He6qWvze7l8CpnPVFa63m8TCXRsmw +s4ey6wROQcE3VTw6zGlsg5sK7Zgw0JXIgjX8DHRGlQc +-> ssh-ed25519 m8VklA T1KaNA2bHqTNtXgb3MxkuavpOR9lmvhNQjHK8V3sc04 +PIHSYhLHAC+JBUEQpCVb6C9CYOPCsJtzu9iQ0xGcg1U +-> pV-grease +oIQ +--- XSICvGbcTxVppwbDi7vH/CUEPxd6pHfL005t7t9J0jc +!PYoi]*.9HE8 z@gk]`8K60v3[dj5x \ No newline at end of file diff --git a/nix/hosts/corrino/secrets/grafana_database_password.age b/nix/hosts/corrino/secrets/grafana_database_password.age new file mode 100644 index 0000000..69d76d9 --- /dev/null +++ b/nix/hosts/corrino/secrets/grafana_database_password.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 gvwQ2Q FrSCB6WTRKb54AGqjFeIDv62uxFT1HvXFQ22BVzwGR0 +/MplLgIhHZJdg+jXn+w3bSs0MyJUXEz+SxWcN/lYngM +-> ssh-ed25519 m8VklA 8D9irb+/PKIWFhm/YRpJ5Fd7Gne1ie8Y9XxZj36WtBY +/V30odo5GRJSgigbUZ8ngT1H8Akm3VzUM399RcBcyC8 +-> Iv)bM-grease :v "isNt%u 8W][} +Slv5G4yrVQ94QVVU4qDo/cYCohRBSxAJdE0IuZMZTbqoc/BOJ7cLuUKNC3l8V0Fg +pUbO +--- iyg9ZkWkjQBrUUdG+mV5NlQW9l2F7NeCyOitAf6Ggb4 +6!{J |c}(4m^,\-w +AV7~Sb]/O'L`+* \ No newline at end of file diff --git a/nix/hosts/corrino/secrets/grafana_secret_key.age b/nix/hosts/corrino/secrets/grafana_secret_key.age new file mode 100644 index 0000000..b76483e --- /dev/null +++ b/nix/hosts/corrino/secrets/grafana_secret_key.age 
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 gvwQ2Q RTJU0rMUPybqjF0DpYvb74/xvmmybM3gVXqzwGgqzxs +QtuBSKXrbZPfqkkKQdarK9i1R5ykxJ0shmK7OCutpPY +-> ssh-ed25519 m8VklA 2/9r5xZ9Ta/4PO0LvoerlXANl/k58s1eq8QlUuOPrjA +pS0Q+rRnBdzrEJVYRhua/PkHRGi6xmiMQQZDXYdntKY +-> -MxO/.cF-grease Xm7e:5 +d6qhrhkhcqjBj4bSsBT1qqxoG/PUKKjZJ4V2QcHBwi57NwtbD4mktKTMfWai +--- cc8nZhs0oc2YDB0mvAnrQe0Drg5xi1vy0Qx8dm/5AWg +!f+P"j=3Ib'H@ZPyuN=mZaj ssh-ed25519 gvwQ2Q 4bKX/wv0cMPXZzRJM8LqNw7F1GoYUwJh8AlALIQkqgY +xYPghPguhfrXKPq1EBwEZWV/imO1ZI6taj1WIbQ8JqU +-> ssh-ed25519 m8VklA NBPHb4cZeJ9wFZQyUu0ikWLoO1RlXkEz6LOMqzhnfRQ +/2//XHuIxlVk4klgYPBdXSWpa4cIpfsRHE7duXJ3P0s +-> P_YApO--grease s" PT MLCA Hz{}~ +brb+DX4hyKS2Pckyt6UC5yAD4mCfufypzNkRYw70adWlp+YEXA +--- jt3ZEMFoOlikvQD/4XxoD5l8jyrg7f2UtzfMuBOj/tY +K_u8w'o#%b.dP9_g955RVPDŻC3;vΚ Z +C!7%t*SȒ:t \ No newline at end of file diff --git a/nix/hosts/corrino/secrets/magic-hash-flag.age b/nix/hosts/corrino/secrets/magic-hash-flag.age new file mode 100644 index 0000000..e0a56b4 --- /dev/null +++ b/nix/hosts/corrino/secrets/magic-hash-flag.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 gvwQ2Q 82J5AdcqPHQ9uUNFmiRLHNhXUm/Npwee2NssXBmW2hE +FUjeBE4LFw1u7jfHyrONEMJUMsDlzU06ghhzOaIq2t8 +-> ssh-ed25519 m8VklA o0t4X6iD7QN69F5DBTkxHDLvtKjOCHVHbas1a2WLfGI +mfKoJBja+ZuJzPyfdlRXl6hsiUF1d5OmIx3MXwd6Kjw +-> beyszd-grease ^PZ +Y+VrEhNbCrjAxVvGIlTsh73ojA9eQms4hbl5RzTf4Ykx3k10lrq1kXGVIt1c1G0+ +1ljVNk7mCQ1+YbudED68Vsz1rhA/3gxcd+5hdIQZPFkbQ4y6 +--- RA3DdqkgplKJhsClt14A7zEZiga/s9+l/V5/rC9II80 +SA/<‡ OS[QEݒ(ÌT7[?yu R?w+Q4\m&٧G ťԌzy]*"&q% \ No newline at end of file diff --git a/nix/hosts/corrino/secrets/mail_password.age b/nix/hosts/corrino/secrets/mail_password.age new file mode 100644 index 0000000..5601304 --- /dev/null +++ b/nix/hosts/corrino/secrets/mail_password.age 
@@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 gvwQ2Q DNAJBlZ9d46k703peMMsEVTRvCGfGOJ0VnchUb8dsl4 +xN3l7wkznSCThKVXsic0ix9mSB510w1AFCH3taZIUlk +-> ssh-ed25519 gvwQ2Q BO6dxNpeWETkukjpD5g+U3tlHnLIPknb4+emb6cfACQ +j4VYw1trP0rPtSQRYO7nBYyYNkaAbUO3oh1WbPKT6eg +--- sB9tKpo8a5RT3eam8Cyejdg0Kg66YvSmoY+bQtSpCvk +o@+@pqǼ\OY8XH[9f<=.mFZ  7!>iH>I=~fu}]Oڬ2 \ No newline at end of file diff --git a/nix/hosts/corrino/secrets/netbox_secret.age b/nix/hosts/corrino/secrets/netbox_secret.age new file mode 100644 index 0000000..8f24203 --- /dev/null +++ b/nix/hosts/corrino/secrets/netbox_secret.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 gvwQ2Q qEh2F+z0JcOwGITW2vwI+pCc0gEX5bArBkJ2+tUsORc +gHGoC7aE6KGQFxxQ/vXle0H8VMfeHuV6iRWCZZx977Q +-> ssh-ed25519 m8VklA wdnUaCTsF+GvQNPViRTOEfc9ytlsrwGXSvi43+288kg +qxJsSryGAnFyDPrraVjSH29GlgiSsonvg+VM8EpDZ7k +-> y1&ZO-grease t x I>Fl(`} +6pzix/Gj077lu+LBkaoWN987JuYbOF2fzpAT3oIi65NTK22yjn063E1k2Utkb6vq +J4hcpDXKRHpdUE9mor7k7kS3Mwlt4aQrudmJ2I1bZIy/pox6gcICafokmsAeZODR +vw +--- wi8HjK7ujilpSz4d3A3velISw+J8oiSVJk0JvKPb21k +>Ǫ UNK輋'xC>c cr5FJ*hmeL/42 L>&[ގ&N(4Ow :\P\B \ No newline at end of file diff --git a/nix/hosts/corrino/secrets/photoprism_password.age b/nix/hosts/corrino/secrets/photoprism_password.age new file mode 100644 index 0000000..4b0ad76 --- /dev/null +++ b/nix/hosts/corrino/secrets/photoprism_password.age 
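Review bot: `mail_password.age` carries two recipient stanzas for the same key fingerprint `gvwQ2Q`, while every other secret in this commit is encrypted to `gvwQ2Q` plus `m8VklA`. If `m8VklA` is the host key corrino decrypts with at activation, this file cannot be decrypted on the host and the mail password is effectively readable only by the admin key; re-encrypt it with the same recipient set as the other secrets after fixing its recipient rule. Ciphertext cannot be checked in review, so please confirm by decrypting it on the host.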
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 gvwQ2Q KdqNkMZUY5J1JRtoQ2KFgMafkcG29UM+uNXZSlmbji0 +FsDbzx0zMNQ3lGIm2JmmAf7b8h+qbeOG0QRPRP+ighs +-> ssh-ed25519 m8VklA 9X1J6AOCzhhVYAJiMB9hWWOWf2eLVDUkHXxOj8UvbHo +e2R2ICTBOiKOO392NkoOQSBlJLiQA+H18dJRIrjtSUQ +-> movYQ$-grease zm=!&Kz +rbksk8Roi2pC/P4b +--- +WxRRQ9MlQlp6zdJJhrbdM0k1YJrRlWgpHF9uuvmTko +8kWM[w=-qW^LhDTAU%z!eqɊ&dn",g@B] ssh-ed25519 gvwQ2Q brYZ6kTQTDViC7girn6bcdKYBW6JAKHDtRe8CpPhJkw +HQCJSPZ0ZUG5LeoCEatTMBBVlQ/p33cWsR2HzPXKAf8 +-> ssh-ed25519 m8VklA YTjOBL2U7dsnW2Gvu/Hbd6MFtoA9//uhBGCb7aXYzno +oG67Syidm5PeTahPLm7vRzm147tUvU8U3WGA2Ej/zOA +-> fD[[4QR-grease 1'8$Jt +^, Q+F:D(p Ks +64cLnDft3WoVEE5AfxgIkdY +--- z2zfa+/k3RtxoRfJyiEV6j7HMUgLOog697UART4Mio4 +h]PTNl:1Żl)3䣈4(H[zQؤ۠& \ No newline at end of file diff --git a/nix/hosts/corrino/secrets/storage_box_bx11_password.age b/nix/hosts/corrino/secrets/storage_box_bx11_password.age new file mode 100644 index 0000000..a02a210 --- /dev/null +++ b/nix/hosts/corrino/secrets/storage_box_bx11_password.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 gvwQ2Q wKf98LIfuGnY5Tz0SDT4BF1RhU44BrGOoHEd7p0AGgY +DX/MAYTMp1MxXJaFN8R6crggEyhCIb+apdKJ27YnwRw +-> ssh-ed25519 m8VklA 4hvYcyt/NuIq7fH7nWq7vnYeeGDDDwok0njyb53e+ys +SOEU0i6khudr5n16QyH+zlIXka2btCGNDGFi1ccIZlI +--- +2ZDWzJj8rqh0oAnVz1L46qHnepK3oR7epAhJ1Z7jFs +G2$#=0.hac\'* fZ,;9v\'aUSڠ{E4lۓÕ"ZadAVi2Y7e|qױ \ No newline at end of file diff --git a/nix/hosts/corrino/secrets/tailscale_authkey.age b/nix/hosts/corrino/secrets/tailscale_authkey.age new file mode 100644 index 0000000..8102f1a Binary files /dev/null and b/nix/hosts/corrino/secrets/tailscale_authkey.age differ diff --git a/nix/hosts/corrino/secrets/wireguard_privatekey.age b/nix/hosts/corrino/secrets/wireguard_privatekey.age new file mode 100644 index 0000000..b92fbe5 Binary files /dev/null and b/nix/hosts/corrino/secrets/wireguard_privatekey.age differ 
diff --git a/nix/hosts/corrino/ssh.pub b/nix/hosts/corrino/ssh.pub new file mode 100644 index 0000000..73387ce --- /dev/null +++ b/nix/hosts/corrino/ssh.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFzoWTW3c7CKWx5t0OZzTfKTlC6R2VHXczVatgYI57N diff --git a/nix/hosts/corrino/www/cs.emile.space.nix b/nix/hosts/corrino/www/cs.emile.space.nix new file mode 100644 index 0000000..de4d67e --- /dev/null +++ b/nix/hosts/corrino/www/cs.emile.space.nix @@ -0,0 +1,56 @@ +# Run sourcegraph, including its entire machinery, in a container. +# Running it outside of a container is a futile endeavour for now. + +# adapted from https://cs.tvl.fyi/depot/-/blob/ops/modules/sourcegraph.nix + +{ ... }: + +{ + services.nginx.virtualHosts."cs.emile.space" = { + forceSSL = true; + enableACME = true; + + locations = { + "/" = { + proxyPass = "http://127.0.0.1:3463"; + + extraConfig = '' + location = / { + return 301 https://cs.emile.space/hefe; + } + + location / { + proxy_set_header X-Sg-Auth "Anonymous"; + proxy_pass http://localhost:7080; + } + + location /users/Anonymous/settings { + return 301 https://cs.emile.space; + } + ''; + }; + }; + }; + + virtualisation.oci-containers.backend = "docker"; + virtualisation.oci-containers.containers.sourcegraph = { + image = "sourcegraph/server:5.1.1"; + + ports = [ + "127.0.0.1:3463:7080" + ]; + + volumes = [ + "/var/lib/sourcegraph/etc:/etc/sourcegraph" + "/var/lib/sourcegraph/data:/var/opt/sourcegraph" + ]; + + # Sourcegraph needs a higher nofile limit, it logs warnings + # otherwise (unclear whether it actually affects the service). + extraOptions = [ + "--ulimit" + "nofile=10000:10000" + ]; + }; +} + diff --git a/nix/hosts/corrino/www/ctf.emile.space.nix b/nix/hosts/corrino/www/ctf.emile.space.nix new file mode 100644 index 0000000..c4de8c5 --- /dev/null +++ b/nix/hosts/corrino/www/ctf.emile.space.nix 
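Review bot: the nested `location /` in `extraConfig` proxies to `http://localhost:7080`, but the container only publishes `127.0.0.1:3463:7080`, so 7080 is the in-container port and nothing listens there on the host; the outer `proxyPass` to 3463 is the working path, and the inner block (presumably kept from the tvl config the header cites) should use 3463 or be dropped. Separately, `proxy_set_header X-Sg-Auth "Anonymous"` is an unconditional authentication assertion: it is only safe if Sourcegraph's site config maps that header value to a read-only anonymous user and the upstream is reachable only through nginx, which the loopback bind provides — add a comment stating that dependency. `image = "sourcegraph/server:5.1.1"` is pinned by tag only; a digest would make the pull reproducible.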
@@ -0,0 +1,26 @@ +{ ... }: + +{ + services.nginx.virtualHosts."ctf.emile.space" = { + forceSSL = true; + enableACME = true; + + locations = { + "/" = { + proxyPass = "http://127.0.0.1:8338"; + }; + }; + }; + + virtualisation.oci-containers = { + backend = "docker"; + containers = { + "ctfd" = { + image = "ctfd/ctfd"; + ports = [ + "8338:8000" + ]; + }; + }; + }; +} diff --git a/nix/hosts/corrino/www/emile.space.nix b/nix/hosts/corrino/www/emile.space.nix new file mode 100644 index 0000000..9cca880 --- /dev/null +++ b/nix/hosts/corrino/www/emile.space.nix @@ -0,0 +1,60 @@ +{ + services.nginx.virtualHosts."emile.space" = { + forceSSL = true; + enableACME = true; + + # kTLS = true; + + locations = { + "/" = { + root = "/var/www/emile.space"; + extraConfig = '' + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + ''; + }; + + #"/.well-known" = { + # root = "/var/www/emile.space"; + # extraConfig = '' + # autoindex on; + # ''; + #}; + + ## I ran a matrix homeserver for some time, then stopped, but the other + ## homeserver don't know and don't stop sending me requests (5e5 a day or + ## so). + #"/.well-known/matrix/server".extraConfig = '' + # return 410; + #''; + }; + }; + + # services.stargazer = { + # enable = true; + # user = "stargazer"; + # group = "stargazer"; + + # certLifetime = "1m"; + # store = /var/lib/gemini/certs; + + # genCerts = true; + # regenCerts = true; + # responseTimeout = 0; + # requestTimeout = 5; + + # routes = [ + # { + # route = "emile.space"; + # root = "/srv/gemini/emile.space"; + # } + # ]; + + # listen = [ "0.0.0.0" "[2002:a00:1::]" ]; + + # ipLogPartial = false; + # ipLog = false; + # connectionLogging = false; + + # certOrg = "emile.space"; + # }; +} diff --git a/nix/hosts/corrino/www/events.emile.space.nix b/nix/hosts/corrino/www/events.emile.space.nix new file mode 100644 index 0000000..bb4db38 --- /dev/null +++ b/nix/hosts/corrino/www/events.emile.space.nix 
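Review bot: `ports = [ "8338:8000" ]` publishes CTFd on every host address, and reachability of a Docker-published port is decided by Docker's own nat/FORWARD rules rather than by the NixOS `allowedTCPPorts` list, so CTFd is reachable in plaintext on `135.181.142.139:8338` next to the TLS vhost. Bind it to loopback as the sourcegraph container in this commit does: `"127.0.0.1:8338:8000"`. `image = "ctfd/ctfd"` also floats on the default tag, so a container restart may pull a different version; pin a tag or digest.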
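Review bot: this file is byte-identical to `nix/hosts/corrino/emile.space.nix` added in the same commit (both at blob `9cca880`); if both are imported, the module system merges the two `virtualHosts."emile.space"` definitions and concatenates the `extraConfig` strings, so the HSTS `add_header` is emitted twice, and any later divergence between the copies becomes a silent conflict. Keep only the `www/` copy. Note also that an `add_header` inside a `location` block suppresses headers inherited from the server level, so headers added at vhost level later must be restated here.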
@@ -0,0 +1,59 @@ +{ ... }: + +{ + services.nginx.virtualHosts."events.emile.space" = { + forceSSL = true; + enableACME = true; + + locations = { + "/" = { + extraConfig = '' + proxy_pass http://[::1]:4000; + ''; + }; + }; + }; + + # Create users: + # + # go into the mobilizon-launchers directory within the nix store (systemctl + # status mobilizon..., you'll find it there somehow) + # + # ; sudo -u mobilizon ./bin/mobilizon_ctl users.new emile@emile.space --moderator --admin + + services = { + mobilizon = { + enable = true; + settings.":mobilizon" = { + "Mobilizon.Web.Endpoint" = { + url.host = "events.emile.space"; + http.port = 4000; + + # The IP address to listen on. Defaults to [::1] notated as a byte + # tuple. + # (Yes, this is an elexir application and they've mapped the type system + # into nix) + http.ip = { + _elixirType = "tuple"; + value = [ 0 0 0 0 0 0 0 1 ]; + }; + + has_reverse_proxy = true; + }; + + "Mobilizon.Storage.Repo" = { + username = "mobilizon"; + socket_dir = "/var/run/postgresql"; + database = "mobilizon_prod"; + }; + + ":instance" = rec { + name = "events.emile.space"; + hostname = "emile.space"; + email_reply_to = email_from; + email_from = "noreply@$emile.space"; + }; + }; + }; + }; +} diff --git a/nix/hosts/corrino/www/git.emile.space.nix b/nix/hosts/corrino/www/git.emile.space.nix new file mode 100644 index 0000000..2c7d64e --- /dev/null +++ b/nix/hosts/corrino/www/git.emile.space.nix 
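Review bot: `email_from = "noreply@$emile.space"` contains a stray `$`; Nix keeps a `$` not followed by `{` literally, so outgoing mail (and `email_reply_to`, which copies it through `rec`) carries the invalid address `noreply@$emile.space`. Change it to `email_from = "noreply@emile.space";`. The vhost also sets `proxy_pass` via `extraConfig` instead of `proxyPass`; as far as I know the NixOS module only includes the `recommendedProxySettings` forwarding headers (Host, X-Forwarded-For, X-Forwarded-Proto) when `proxyPass` is used, so with `has_reverse_proxy = true` Mobilizon may see loopback as the client address — I would use `proxyPass = "http://[::1]:4000";` unless the raw form was chosen deliberately.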
@@ -0,0 +1,73 @@ +{ pkgs, config, ... }: + +let + cfg = config.services.gitea; +in { + services.nginx.virtualHosts."git.emile.space" = { + forceSSL = true; + enableACME = true; + + locations = { + "/" = { + proxyPass = "http://127.0.0.1:3000"; + }; + }; + }; + + services.gitea = rec { + enable = true; + + appName = "git.emile.space"; + + # unstable in order to use the 1.20... version + #package = pkgs.forgejo; + package = pkgs.unstable.forgejo; + + stateDir = "/var/lib/gitea"; + repositoryRoot = "${stateDir}/repositories"; + + settings = { + service.DISABLE_REGISTRATION = true; + + DEFAULT = { + WORK_PATH = "/var/lib/gitea"; + }; + + server = { + DOMAIN = pkgs.lib.mkForce "git.emile.space"; + ROOT_URL = pkgs.lib.mkForce "https://git.emile.space"; + + #START_SSH_SERVER = true; + BUILTIN_SSH_SERVER_USER = "git"; + SSH_USER = "gitea"; + SSH_DOMAIN = "git.emile.space"; + + REPO_INDEXER_ENABLED = true; + }; + + indexer = { + REPO_INDEXER_ENABLED = true; + ISSUE_INDEXER_PATH = "${stateDir}/indexers/issues.bleve"; + REPO_INDEXER_PATH = "${stateDir}/indexers/repos.bleve"; + MAX_FILE_SIZE = 1048576; + REPO_INDEXER_INCLUDE = ""; + REPO_INDEXER_EXCLUDE = "resources/bin/**"; + }; + + #federation = { + # enable = true; + # share_user_statistics = true; + # max_size = 4; + #}; + }; + }; + + users.users.git = { + isSystemUser = true; + useDefaultShell = true; + group = "git"; + extraGroups = [ "gitea" ]; + home = cfg.stateDir; + }; + users.groups.git = { }; +} diff --git a/nix/hosts/corrino/www/grafana.emile.space.nix b/nix/hosts/corrino/www/grafana.emile.space.nix new file mode 100644 index 0000000..0f73147 --- /dev/null +++ b/nix/hosts/corrino/www/grafana.emile.space.nix 
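Review bot: `users.users.git` is created with a login shell, `home = cfg.stateDir` and membership in the `gitea` group, but nothing in this file uses it: `SSH_USER` is `gitea`, and `BUILTIN_SSH_SERVER_USER = "git"` only matters once `START_SSH_SERVER` is enabled, which is commented out. As written it is an extra interactive account sharing the forge's state directory, which a later `authorizedKeys` addition would turn into a path to Forgejo's config and tokens; either drop the user or add a comment saying what it is for. `REPO_INDEXER_ENABLED` is also set under `[server]`, where I believe Forgejo ignores it — the `[indexer]` copy is the effective one.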
@@ -0,0 +1,217 @@ +{ config, ... }: + +{ + services = { + nginx.virtualHosts."grafana.emile.space" = { + addSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://${toString config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}/"; + proxyWebsockets = true; + }; + }; + + grafana = { + enable = true; + settings = { + server = { + http_addr = "127.0.0.1"; + http_port = 3002; + domain = "grafana.emile.space"; + root_url = "https://grafana.emile.space/"; + }; + }; + + provision = { + datasources = { + settings = { + datasources = [ + { + url = "http://localhost:${toString config.services.prometheus.port}"; + type = "prometheus"; + name = "Prometheus"; + editable = false; + access = "proxy"; # server = "proxy", browser = "direct" + } + { + name = "loki"; + url = "http://localhost:${toString config.services.loki.configuration.server.http_listen_port}"; + type = "loki"; + } + ]; + }; + }; + }; + }; + + prometheus = { + enable = true; + retentionTime = "356d"; + port = 9003; + + exporters = { + node = { + enable = true; + enabledCollectors = [ "systemd" ]; + port = 9002; + }; + }; + scrapeConfigs = [ + { + job_name = "corrino"; + static_configs = [{ + targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ]; + }]; + } + ]; + }; + + loki = { + enable = true; + configuration = { + auth_enabled = false; + server = { + http_listen_port = 9004; + }; + + limits_config = { + reject_old_samples = true; + reject_old_samples_max_age = "7d"; + max_global_streams_per_user = 100000; + }; + + common = { + instance_addr = "127.0.0.1"; + ring = { + instance_addr = "127.0.0.1"; + kvstore.store = "inmemory"; + }; + replication_factor = 1; + path_prefix = "/tmp/loki"; + }; + + schema_config.configs = [{ + from = "2023-05-09"; + store = "boltdb-shipper"; + object_store = "filesystem"; + schema = "v11"; + index = { + prefix = "index_"; + period = "24h"; + }; + }]; + }; + }; + }; + + # 
allow the promtail user to read the nginx access files + users.users.promtail.extraGroups = [ "nginx" ]; + + services = { + promtail = { + enable = true; + configuration = { + server = { + http_listen_port = 9005; + grpc_listen_port = 0; + }; + positions.filename = "/tmp/positions.yml"; + clients = [{ + url = "http://localhost:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push"; + }]; + scrape_configs = [ + + # systemd + { + job_name = "journal"; + journal = { + max_age = "12h"; + labels = { + job = "systemd-journal"; + host = config.networking.hostName; + }; + }; + relabel_configs = [ + { + source_labels = [ "__journal__systemd_unit" ]; + target_label = "unit"; + } + ]; + } + + # nginx error log + { + job_name = "nginx-error-logs"; + static_configs = [{ + targets = [ "localhost" ]; + labels = { + job = "nginx-error-logs"; + host = "corrino"; + __path__ = "/var/log/nginx/*error.log"; + }; + }]; + } + + # nginx + { + job_name = "nginx"; + static_configs = [ + { + targets = [ "localhost" ]; + labels = { + job = "nginx"; + host = "corrino"; + __path__ = "/var/log/nginx/*access.log"; + }; + } + ]; + pipeline_stages = [ + # { + # regex = { + # expression = "(?:[0-9]{1,3}\.){3}([0-9]{1,3})"; + # replace = "***"; + # }; + # } + { + regex = { + expression = ''(?P.+) - - \[(?P.+)\] "(?P.+) (?P.+) (HTTP\/(?P\d.\d))" (?P\d{3}) (?P\d+) (["](?P(\-)|(.+))["]) (["](?P.+)["])''; + }; + } + { + labels = { + remote_addr = null; + time_local = null; + method = null; + url = null; + status = null; + body_bytes_sent = null; + http_referer = null; + http_user_agent = null; + }; + } + # { + # timestamp = { + # source = "time_local"; + # format = "02/Jan/2006:15:04:05 -0700"; + # }; + # } + { + drop = { + source = "url"; + expression = ''/(_matrix|.well-known|notifications|api|identity).*''; + }; + } + { + drop = { + source = "url"; + expression = ''grafana.*''; + }; + } + ]; + } + + ]; + }; + }; + }; +} \ No newline at end of file 
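Review bot: `grafana.emile.space` uses `addSSL = true` while every other vhost in this commit uses `forceSSL`, so the Grafana login form and session cookie are also served over plain HTTP, and this file does not set `cookie_secure`; switch to `forceSSL = true`. Loki's `path_prefix = "/tmp/loki"` and promtail's `positions.filename = "/tmp/positions.yml"` put index, chunks and scrape positions under `/tmp`, which NixOS may clean at boot and which a `PrivateTmp` unit sees as its own directory, so the durable `356d` retention configured for Prometheus has no counterpart for logs — use `/var/lib/loki` and `/var/lib/promtail`. The commented-out `regex`/`replace` stage was presumably meant to mask client IPs; as committed `remote_addr` is extracted and promoted to a Loki label, which is both a cardinality problem and personal data retained indefinitely.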
diff --git a/nix/hosts/corrino/www/grafana_full.emile.space.nix b/nix/hosts/corrino/www/grafana_full.emile.space.nix new file mode 100644 index 0000000..8a9aa02 --- /dev/null +++ b/nix/hosts/corrino/www/grafana_full.emile.space.nix 
@@ -0,0 +1,440 @@ +{ pkgs, config, ... }: + +let + cfg = config.services.grafana; +in { + services.nginx.virtualHosts."git.emile.space" = { + forceSSL = true; + enableACME = true; + + locations = { + "/" = { + proxyPass = "http://127.0.0.1:3000"; + }; + }; + }; + + services = { + grafana = { + enable = true; + package = pkgs.grafana; + #declarativePlugins = with pkgs.grafanaPlugins; [ + # grafana-piechart-panel + #]; + dataDir = "/var/lib/grafana"; + + settings = { + users = { + # Viewers can access and use Explore and perform temporary edits on panels in dashboards they have access to. They cannot save their changes. + viewers_can_edit = true; + + # Require email validation before sign up completes + verify_email_enabled = false; + + # The duration in time a user invitation remains valid before expiring. This setting should be expressed as a duration. Examples: 6h (hours), 2d (days), 1w (week). The minimum supported duration is 15m (15 minutes). + user_invite_max_lifetime_duration = "24h"; + + # Text used as placeholder text on login page for password input. + password_hint = "password"; + + # Text used as placeholder text on login page for login/username input. + login_hint = "email or username"; + + # Path to a custom home page. Users are only redirected to this if the default home dashboard is used. It should match a frontend route and contain a leading slash. + home_page = ""; + + # This is a comma-separated list of usernames. Users specified here are hidden in the Grafana UI. They are still visible to Grafana administrators and to themselves. + hidden_users = ""; + + # Editors can administrate dashboards, folders and teams they create. + editors_can_admin = false; + + # Sets the default UI theme. system matches the user’s system theme. + default_theme = "system"; + + # This setting configures the default UI language, which must be a supported IETF language tag, such as en-US. 
+ default_language = "en-US"; + + # The role new users will be assigned for the main organization (if the auto_assign_org setting is set to true). + # one of "Viewer", "Editor", "Admin" + auto_assign_org_role = "Viewer"; + + # Set this value to automatically add new users to the provided org. This requires auto_assign_org to be set to true. Please make sure that this organization already exists. + auto_assign_org_id = 1; + + # Set to true to automatically add new users to the main organization (id 1). When set to false, new users automatically cause a new organization to be created for that new user. The organization will be created even if the allow_org_create setting is set to false. + auto_assign_org = true; + + # Set to false to prohibit users from being able to sign up / create user accounts. The admin user can still create users. + allow_sign_up = false; + + # Set to false to prohibit users from creating new organizations. + allow_org_create = false; + }; + + smtp = { + # User used for authentication. + user = "mail"; + + # StartTLS policy when connecting to server. + # null or one of "OpportunisticStartTLS", "MandatoryStartTLS", "NoStartTLS" + startTLS_policy = null; + + # Verify SSL for SMTP server. + skip_verify = false; + + # Password used for authentication. Please note that the contents of this option will end up in a world-readable Nix store. Use the file provider pointing at a reasonably secured file in the local filesystem to work around that. Look at the documentation for details: https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider + password = ""; + + # File path to a key file. + key_file = "$__file{${config.age.secrets.grafana_smtp_password.path}}"; + + # Host to connect to. + host = "localhost:25"; + + # Name to be used as client identity for EHLO in SMTP dialog. 
+ from_name = "Grafana"; + + # Address used when sending out emails + from_address = "admin@grafana.localhost"; + + # Whether to enable SMTP + enabled = true; + + # Name to be used as client identity for EHLO in SMTP dialog + ehlo_identity = null; + + # File path to a cert file + cert_file = null; + }; + server = { + # Root path for static assets. + #static_root_path = "${package}/share/grafana/public"; + + # Mode where the socket should be set when protocol=socket. Make sure that Grafana process is the file owner before you change this setting. + socket_mode = "0660"; + + # GID where the socket should be set when protocol=socket. Make sure that the target group is in the group of Grafana process and that Grafana process is the file owner before you change this setting. It is recommended to set the gid as http server user gid. Not set when the value is -1. + socket_gid = -1; + + # Path where the socket should be created when protocol=socket. Make sure that Grafana has appropriate permissions before you change this setting. + socket = "/run/grafana/grafana.sock"; + + # Serve Grafana from subpath specified in the root_url setting. By default it is set to false for compatibility reasons. + # + # By enabling this setting and using a subpath in root_url above, e.g. root_url = "http://localhost:3000/grafana", Grafana is accessible on http://localhost:3000/grafana. If accessed without subpath, Grafana will redirect to an URL with the subpath. + serve_from_sub_path = false; + + # Set to true for Grafana to log all HTTP requests (not just errors). These are logged as Info level events to the Grafana log. + router_logging = false; + + # This is the full URL used to access Grafana from a web browser. This is important if you use Google or GitHub OAuth authentication (for the callback URL to be correct). + # + # This setting is also important if you have a reverse proxy in front of Grafana that exposes it through a subpath. 
In that case add the subpath to the end of this URL setting. + root_url = "%(protocol)s://%(domain)s:%(http_port)s/"; + + # Sets the maximum time using a duration format (5s/5m/5ms) before timing out read of an incoming request and closing idle connections. 0 means there is no timeout for reading the request. + read_timeout = 0; + + # Which protocol to listen. + # one of "http", "https", "h2", "socket" + protocol = "http"; + + # Listening port. + http_port = "3000"; + + # Listening address. + # This setting intentionally varies from upstream’s default to be a bit more secure by default. + http_addr = "127.0.0.1"; + + # Redirect to correct domain if the host header does not match the domain. Prevents DNS rebinding attacks. + enforce_domain = true; + + # Set this option to true to enable HTTP compression, this can improve transfer speed and bandwidth utilization. It is recommended that most users set it to true. By default it is set to false for compatibility reasons. + enable_gzip = true; + + # The public facing domain name used to access grafana from a browser. + # This setting is only used in the default value of the root_url setting. If you set the latter manually, this option does not have to be specified. + domain = "grafana.emile.space"; + + # Path to the certificate key file (if protocol is set to https or h2). + cert_key = null; + + # Path to the certificate file (if protocol is set to https or h2). + cert_file = null; + + # Specify a full HTTP URL address to the root of your Grafana CDN assets. Grafana will add edition and version paths. + # + # For example, given a cdn url like https://cdn.myserver.com grafana will try to load a javascript file from http://cdn.myserver.com/grafana-oss/7.4.0/public/build/app..js. + cdn_url = null; + }; + + security = { + # Set to false to disable the X-XSS-Protection header, which tells browsers to stop pages from loading when they detect reflected cross-site scripting (XSS) attacks. 
+ x_xss_protection = true; + + # Set to false to disable the X-Content-Type-Options response header. The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed. + x_content_type_options = true; + + # Set to true to enable HSTS includeSubDomains option. Only applied if strict_transport_security is enabled. + strict_transport_security_subdomains = true; + + # Set to true to enable HSTS preloading option. Only applied if strict_transport_security is enabled. + strict_transport_security_preload = true; + + # Sets how long a browser should cache HSTS in seconds. Only applied if strict_transport_security is enabled. + strict_transport_security_max_age_seconds = 86400; + + # Set to true if you want to enable HTTP Strict-Transport-Security (HSTS) response header. Only use this when HTTPS is enabled in your configuration, or when there is another upstream system that ensures your application does HTTPS (like a frontend load balancer). HSTS tells browsers that the site should only be accessed using HTTPS. + strict_transport_security = true; + + # Secret key used for signing. Please note that the contents of this option will end up in a world-readable Nix store. Use the file provider pointing at a reasonably secured file in the local filesystem to work around that. Look at the documentation for details: https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider + secret_key = "$__file{${config.age.secrets.grafana_secret_key.path}}"; + + # Disable creation of admin user on first start of Grafana. + disable_initial_admin_creation = false; + + # Set to true to disable the use of Gravatar for user profile images. + disable_gravatar = false; + + # Set to true to disable brute force login protection. 
+ disable_brute_force_login_protection = false; + + # Define a whitelist of allowed IP addresses or domains, with ports, to be used in data source URLs with the Grafana data source proxy. Format: ip_or_domain:port separated by spaces. PostgreSQL, MySQL, and MSSQL data sources do not use the proxy and are therefore unaffected by this setting. + data_source_proxy_whitelist = []; + + # List of additional allowed URLs to pass by the CSRF check. Suggested when authentication comes from an IdP. + csrf_trusted_origins = []; + + # List of allowed headers to be set by the user. Suggested to use for if authentication lives behind reverse proxies. + csrf_additional_headers = []; + + # Set to true if you host Grafana behind HTTPS. + cookie_secure = true; + + # Sets the SameSite cookie attribute and prevents the browser from sending this cookie along with cross-site requests. The main goal is to mitigate the risk of cross-origin information leakage. This setting also provides some protection against cross-site request forgery attacks (CSRF), read more about SameSite here. Using value disabled does not add any SameSite attribute to cookies. + # one of "lax", "strict", "none", "disabled" + cookie_samesite = "strict"; + + # Set to true to add the Content-Security-Policy-Report-Only header to your requests. CSP in Report Only mode enables you to experiment with policies by monitoring their effects without enforcing them. You can enable both policies simultaneously. + content_security_policy_report_only = false; + + # Set to true to add the Content-Security-Policy header to your requests. CSP allows to control resources that the user agent can load and helps prevent XSS attacks. + content_security_policy = true; + + # When false, the HTTP header X-Frame-Options: deny will be set in Grafana HTTP responses which will instruct browsers to not allow rendering Grafana in a ,