From 015f66b6491e77d09932c7f47ccc4de132e51966 Mon Sep 17 00:00:00 2001 From: catvayor Date: Thu, 5 Dec 2024 17:03:42 +0100 Subject: [PATCH] feat: made some node stable, and npins update --- hive.nix | 66 +++++--- kat/default.nix | 3 +- kat/users/default.nix | 6 +- machines/kat-betamail/configuration.nix | 147 +++++++++++++++++ machines/kat-betamail/default.nix | 148 +---------------- machines/kat-degette/configuration.nix | 91 +++++++++++ machines/kat-degette/default.nix | 91 +---------- machines/kat-iso.nix | 82 +++++----- machines/kat-kexec.nix | 82 +++++----- machines/kat-manah/configuration.nix | 109 +++++++++++++ machines/kat-manah/default.nix | 109 +------------ machines/kat-orchid/configuration.nix | 207 ++++++++++++++++++++++++ machines/kat-orchid/default.nix | 206 +---------------------- machines/kat-probook/configuration.nix | 154 ++++++++++++++++++ machines/kat-probook/default.nix | 154 +----------------- machines/kat-son/configuration.nix | 80 +++++++++ machines/kat-son/default.nix | 80 +-------- machines/kat-watcher/configuration.nix | 115 +++++++++++++ machines/kat-watcher/default.nix | 115 +------------ machines/kat-www/configuration.nix | 119 ++++++++++++++ machines/kat-www/default.nix | 119 +------------- npins/sources.json | 58 +++++-- patches/default.nix | 10 +- shell.nix | 2 +- 24 files changed, 1230 insertions(+), 1123 deletions(-) create mode 100644 machines/kat-betamail/configuration.nix create mode 100644 machines/kat-degette/configuration.nix create mode 100644 machines/kat-manah/configuration.nix create mode 100644 machines/kat-orchid/configuration.nix create mode 100644 machines/kat-probook/configuration.nix create mode 100644 machines/kat-son/configuration.nix create mode 100644 machines/kat-watcher/configuration.nix create mode 100644 machines/kat-www/configuration.nix diff --git a/hive.nix b/hive.nix index 06fdb8a..34ea79a 100644 --- a/hive.nix +++ b/hive.nix 
@@ -3,27 +3,58 @@ let users = import ./users; sources = import ./npins; inherit (import sources.nix-patches { patchFile = ./patches; }) mkNixpkgsSrc; - inherit - (import (mkNixpkgsSrc { - src = sources.nixpkgs; + + unstable = { + nixpkgs = import (mkNixpkgsSrc { + src = sources.nixpkgs-unstable; version = "unstable"; - }) { }) - lib - ; + }) { }; + home-manager = "${sources.home-manager-unstable}/nixos"; + nixvim = import sources.nixvim-unstable; + }; + stable = { + nixpkgs = import (mkNixpkgsSrc { + src = sources.nixpkgs-stable; + version = "stable"; + }) { }; + home-manager = "${sources.home-manager-stable}/nixos"; + nixvim = import sources.nixvim-stable; + }; + inherit (unstable.nixpkgs) lib; + + nodes = lib.mapAttrs' (name: _: { + name = lib.removeSuffix ".nix" name; + value = import ./machines/${name}; + }) (builtins.readDir ./machines); + + nodes-meta = lib.mapAttrs (_: n: n.meta) nodes; in { - meta = { - nixpkgs = mkNixpkgsSrc { - src = sources.nixpkgs; - version = "unstable"; - }; - nodeNixpkgs."kat-mail-test" = mkNixpkgsSrc { - src = sources.nixpkgs; - version = "betamail"; - }; + meta = rec { + inherit (unstable) nixpkgs; specialArgs = { inherit mods users sources; + meta = nodes-meta; + versions = { + inherit unstable stable; + }; }; + nodeNixpkgs = lib.mapAttrs ( + _: node: + lib.foldl ( + pkgs: patch: + import (mkNixpkgsSrc { + src = pkgs; + version = patch; + }) { } + ) (if node.unstable then unstable else stable).nixpkgs (node.nixPatches or []) + ) nodes-meta; + nodeSpecialArgs = lib.mapAttrs (name: node: { + inherit (node) unstable; + self-version = (if node.unstable then unstable else stable) // { + nixpkgs = nodeNixpkgs."${name}"; + }; + }) nodes-meta; }; defaults = { @@ -35,7 +66,4 @@ in networking.hostName = name; }; } -// lib.mapAttrs' (name: _: { - name = lib.removeSuffix ".nix" name; - value = import ./machines/${name}; -}) (builtins.readDir ./machines) +// lib.mapAttrs (_: n: n.config) nodes 
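Review bot: nodeNixpkgs reads `node.nixPatches or []`, but the only node in this commit that declares patches, machines/kat-betamail/default.nix, sets `meta.pkgsPatches = [ "betamail" ]`, so the betamail series is silently dropped and that node builds plain stable nixpkgs. Rename one side, e.g. `) (if node.unstable then unstable else stable).nixpkgs (node.pkgsPatches or [ ])`, and consider an assertion on the allowed meta keys so a typo fails loudly instead of dropping patches. The fold body also feeds its accumulator back as `src = pkgs`, and that accumulator starts as the already-imported package set `(...).nixpkgs`; unless mkNixpkgsSrc accepts an evaluated package set there (before this commit it was only ever given `sources.nixpkgs`), the first patched iteration would fail, which the key mismatch currently masks, so folding over the source tree and importing once at the end looks safer. `inherit (node) unstable` in nodeSpecialArgs and the `if node.unstable` above have no fallback either, so a node that omits `meta.unstable` fails with a bare attribute-missing error rather than a message naming the node.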
diff --git a/kat/default.nix b/kat/default.nix index 62c04fd..916fcbc 100644 --- a/kat/default.nix +++ b/kat/default.nix @@ -3,6 +3,7 @@ config, pkgs, sources, + self-version, ... }: with lib; @@ -11,7 +12,7 @@ with lib; ./users ./proxies ./root.nix - "${sources.home-manager}/nixos" + self-version.home-manager "${sources.disko}/module.nix" ]; options.kat = { diff --git a/kat/users/default.nix b/kat/users/default.nix index 68d5038..45ecfad 100644 --- a/kat/users/default.nix +++ b/kat/users/default.nix @@ -1,4 +1,4 @@ -{ config, sources, pkgs, ... }: +{ config, pkgs, self-version, ... }: let zsh = import ./zsh.nix; in @@ -9,14 +9,14 @@ in imports = [ zsh.user ./neovim.nix - (import sources.nixvim).homeManagerModules.nixvim + self-version.nixvim.homeManagerModules.nixvim ]; # options.kat = { # ssh = mkEnableOption "ssh configuration"; # }; config = { home = { - stateVersion = config.system.stateVersion; + inherit (config.system) stateVersion; packages = [ pkgs.rlwrap ]; }; }; diff --git a/machines/kat-betamail/configuration.nix b/machines/kat-betamail/configuration.nix new file mode 100644 index 0000000..6a1694f --- /dev/null +++ b/machines/kat-betamail/configuration.nix 
@@ -0,0 +1,147 @@ +{ + nodes, + sources, + ssh-keys, + ... +}: +let + host = "catvayor.sh"; +in +{ + deployment = { + targetHost = "betamail.kat"; + tags = [ "kat-vms" ]; + }; + imports = [ + "${sources.nixos-mailserver}" + ./hardware-configuration.nix + ./disks.nix + ./modo.nix + ]; + + users.users.root.openssh.authorizedKeys.keys = ssh-keys.sylvain; + + kat = { + fqdn = "betamail.katvayor.net"; + wireguardPubKey = "Znj451+hGJcPV1zFgpRMA8hg8edmUInA5zBtYBUuL3k="; + proxies = { + ip = "192.168.122.3"; + aliases = [ "catvayor.sh" ]; + open-tcp = [ + { + internal = 22; + external = 22002; + } + 25 + 465 + 993 + ]; + }; + }; + + boot = { + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + kernelParams = [ "console=ttyS0" ]; + }; + + systemd.network = { + networks = { + "10-enp1s0" = { + name = "enp1s0"; + address = [ + "192.168.122.3/24" + "fe80::3/64" + ]; + routes = [ + { + Destination = "10.42.0.2/32"; + Gateway = "192.168.122.1"; + } + ]; + dns = [ "192.168.122.1" ]; + }; + "50-wg0" = { + name = "wg0"; + address = [ "10.42.2.1/16" ]; + routes = [ + { + Gateway = "10.42.0.2"; + } + ]; + }; + }; + netdevs = { + "50-wg0" = { + netdevConfig = { + Name = "wg0"; + Kind = "wireguard"; + }; + wireguardConfig = { + PrivateKeyFile = "/wg/private.key"; + }; + + wireguardPeers = [ + { + Endpoint = "10.42.0.2:1194"; + AllowedIPs = [ + "0.0.0.0/0" + ]; + PersistentKeepalive = 20; + PublicKey = nodes.kat-watcher.config.kat.wireguardPubKey; + } + ]; + }; + }; + }; + + networking = { + useDHCP = false; + firewall.enable = false; + }; + + security.acme = { + acceptTerms = true; + defaults.email = "root@katvayor.net"; + }; + services = { + openssh.enable = true; + qemuGuest.enable = true; + getty.autologinUser = "root"; + nginx = { + enable = true; + virtualHosts."catvayor.sh".enableACME = true; + virtualHosts."betamail.katvayor.net" = { + enableACME = true; + addSSL = true; + locations."/" = { + recommendedProxySettings = true; + proxyPass = 
"http://localhost:8000/"; + }; + }; + }; + }; + + mailserver = { + enable = true; + fqdn = "betamail.katvayor.net"; + domains = [ host ]; + + loginAccounts = { + "root@${host}" = { + catchAll = [ host ]; + aliases = builtins.genList (id: "user${toString id}@${host}") 10 ++ [ + "moderators@${host}" + "daemon@${host}" + ]; + hashedPassword = "$2b$05$FoCVDECXYG0KXPigPuIZtuNFiviwSg8RuXx0FbnzC7ZRp.Mz8VWOe"; + }; + }; + + certificateScheme = "acme"; + }; + + system.stateVersion = "23.11"; +} diff --git a/machines/kat-betamail/default.nix b/machines/kat-betamail/default.nix index 6a1694f..6b048bd 100644 --- a/machines/kat-betamail/default.nix +++ b/machines/kat-betamail/default.nix 
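Review bot: `hashedPassword` for the catch-all `root@${host}` account is a bcrypt hash with cost factor 05 committed to the tree; that is well below the commonly recommended minimum of 10, and because this mailbox is exposed on 25/465/993 through kat.proxies, an offline guess against a copy of the repository is cheap. The hunk is a verbatim move of the old machines/kat-betamail/default.nix, so this predates the commit, but creating the file is the right moment to regenerate the hash at a higher cost and read it from a secrets mechanism instead of a literal. In the same file, `networking.firewall.enable = false` together with `getty.autologinUser = "root"` relies entirely on the proxy host to limit reachability; a one-line comment stating that assumption, `# firewalling is delegated to the proxy host (see kat.proxies.open-tcp)`, would save the next reader from guessing.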
@@ -1,147 +1,7 @@ { - nodes, - sources, - ssh-keys, - ... -}: -let - host = "catvayor.sh"; -in -{ - deployment = { - targetHost = "betamail.kat"; - tags = [ "kat-vms" ]; + meta = { + unstable = false; + pkgsPatches = [ "betamail" ]; }; - imports = [ - "${sources.nixos-mailserver}" - ./hardware-configuration.nix - ./disks.nix - ./modo.nix - ]; - - users.users.root.openssh.authorizedKeys.keys = ssh-keys.sylvain; - - kat = { - fqdn = "betamail.katvayor.net"; - wireguardPubKey = "Znj451+hGJcPV1zFgpRMA8hg8edmUInA5zBtYBUuL3k="; - proxies = { - ip = "192.168.122.3"; - aliases = [ "catvayor.sh" ]; - open-tcp = [ - { - internal = 22; - external = 22002; - } - 25 - 465 - 993 - ]; - }; - }; - - boot = { - loader = { - systemd-boot.enable = true; - efi.canTouchEfiVariables = true; - }; - kernelParams = [ "console=ttyS0" ]; - }; - - systemd.network = { - networks = { - "10-enp1s0" = { - name = "enp1s0"; - address = [ - "192.168.122.3/24" - "fe80::3/64" - ]; - routes = [ - { - Destination = "10.42.0.2/32"; - Gateway = "192.168.122.1"; - } - ]; - dns = [ "192.168.122.1" ]; - }; - "50-wg0" = { - name = "wg0"; - address = [ "10.42.2.1/16" ]; - routes = [ - { - Gateway = "10.42.0.2"; - } - ]; - }; - }; - netdevs = { - "50-wg0" = { - netdevConfig = { - Name = "wg0"; - Kind = "wireguard"; - }; - wireguardConfig = { - PrivateKeyFile = "/wg/private.key"; - }; - - wireguardPeers = [ - { - Endpoint = "10.42.0.2:1194"; - AllowedIPs = [ - "0.0.0.0/0" - ]; - PersistentKeepalive = 20; - PublicKey = nodes.kat-watcher.config.kat.wireguardPubKey; - } - ]; - }; - }; - }; - - networking = { - useDHCP = false; - firewall.enable = false; - }; - - security.acme = { - acceptTerms = true; - defaults.email = "root@katvayor.net"; - }; - services = { - openssh.enable = true; - qemuGuest.enable = true; - getty.autologinUser = "root"; - nginx = { - enable = true; - virtualHosts."catvayor.sh".enableACME = true; - virtualHosts."betamail.katvayor.net" = { - enableACME = true; - addSSL = true; - locations."/" = 
{ - recommendedProxySettings = true; - proxyPass = "http://localhost:8000/"; - }; - }; - }; - }; - - mailserver = { - enable = true; - fqdn = "betamail.katvayor.net"; - domains = [ host ]; - - loginAccounts = { - "root@${host}" = { - catchAll = [ host ]; - aliases = builtins.genList (id: "user${toString id}@${host}") 10 ++ [ - "moderators@${host}" - "daemon@${host}" - ]; - hashedPassword = "$2b$05$FoCVDECXYG0KXPigPuIZtuNFiviwSg8RuXx0FbnzC7ZRp.Mz8VWOe"; - }; - }; - - certificateScheme = "acme"; - }; - - system.stateVersion = "23.11"; + config = import ./configuration.nix; } diff --git a/machines/kat-degette/configuration.nix b/machines/kat-degette/configuration.nix new file mode 100644 index 0000000..3587096 --- /dev/null +++ b/machines/kat-degette/configuration.nix 
@@ -0,0 +1,91 @@ +{ + lib, + ssh-keys, + ... +}: +{ + deployment = { + targetHost = "degette.kat"; + tags = [ "kat-vms" ]; + }; + + imports = [ ./hardware-configuration.nix ]; + + boot = { + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + kernelParams = [ "console=ttyS0" ]; + }; + + kat = { + fqdn = "degette.katvayor.net"; + proxies = { + ip = "192.168.122.2"; + open-tcp = [ + { + internal = 22; + external = 22000; + } + ]; + }; + }; + + systemd.network.enable = lib.mkForce false; + networking = { + useNetworkd = lib.mkForce false; + interfaces."enp1s0" = { + useDHCP = false; + ipv4.addresses = [ + { + address = "192.168.122.2"; + prefixLength = 24; + } + ]; + ipv6.addresses = [ + { + address = "fe80::2"; + prefixLength = 64; + } + ]; + }; + defaultGateway = "192.168.122.1"; + defaultGateway6 = { + address = "fe80::1"; + interface = "enp1s0"; + }; + nameservers = [ + "192.168.122.1" + "fe80::1%enp1s0" + ]; + }; + + services = { + openssh.enable = true; + qemuGuest.enable = true; + getty.autologinUser = "root"; + nginx = { + enable = true; + virtualHosts."degette.katvayor.net" = { + enableACME = true; + addSSL = true; + locations."/" = { + recommendedProxySettings = true; + proxyPass = "http://localhost:8000/"; + }; + }; + }; + }; + + users.users.root.openssh.authorizedKeys.keys = with ssh-keys; sylvain ++ gaby; + + security.acme = { + acceptTerms = true; + defaults.email = "root@katvayor.net"; + }; + + networking.firewall.enable = false; + + system.stateVersion = "23.11"; +} diff --git a/machines/kat-degette/default.nix b/machines/kat-degette/default.nix index 3587096..e3d020b 100644 --- a/machines/kat-degette/default.nix +++ b/machines/kat-degette/default.nix 
@@ -1,91 +1,4 @@ { - lib, - ssh-keys, - ... -}: -{ - deployment = { - targetHost = "degette.kat"; - tags = [ "kat-vms" ]; - }; - - imports = [ ./hardware-configuration.nix ]; - - boot = { - loader = { - systemd-boot.enable = true; - efi.canTouchEfiVariables = true; - }; - kernelParams = [ "console=ttyS0" ]; - }; - - kat = { - fqdn = "degette.katvayor.net"; - proxies = { - ip = "192.168.122.2"; - open-tcp = [ - { - internal = 22; - external = 22000; - } - ]; - }; - }; - - systemd.network.enable = lib.mkForce false; - networking = { - useNetworkd = lib.mkForce false; - interfaces."enp1s0" = { - useDHCP = false; - ipv4.addresses = [ - { - address = "192.168.122.2"; - prefixLength = 24; - } - ]; - ipv6.addresses = [ - { - address = "fe80::2"; - prefixLength = 64; - } - ]; - }; - defaultGateway = "192.168.122.1"; - defaultGateway6 = { - address = "fe80::1"; - interface = "enp1s0"; - }; - nameservers = [ - "192.168.122.1" - "fe80::1%enp1s0" - ]; - }; - - services = { - openssh.enable = true; - qemuGuest.enable = true; - getty.autologinUser = "root"; - nginx = { - enable = true; - virtualHosts."degette.katvayor.net" = { - enableACME = true; - addSSL = true; - locations."/" = { - recommendedProxySettings = true; - proxyPass = "http://localhost:8000/"; - }; - }; - }; - }; - - users.users.root.openssh.authorizedKeys.keys = with ssh-keys; sylvain ++ gaby; - - security.acme = { - acceptTerms = true; - defaults.email = "root@katvayor.net"; - }; - - networking.firewall.enable = false; - - system.stateVersion = "23.11"; + meta.unstable = false; + config = import ./configuration.nix; } diff --git a/machines/kat-iso.nix b/machines/kat-iso.nix index b3aee3a..56b9068 100644 --- a/machines/kat-iso.nix +++ b/machines/kat-iso.nix 
@@ -1,44 +1,48 @@ { - pkgs, - modulesPath, - lib, - ... -}: -{ - deployment = { - allowLocalDeployment = false; - targetHost = null; - }; + meta.unstable = true; + config = + { + pkgs, + modulesPath, + lib, + ... + }: + { + deployment = { + allowLocalDeployment = false; + targetHost = null; + }; - imports = [ - (modulesPath + "/installer/cd-dvd/installation-cd-minimal-new-kernel-no-zfs.nix") - ]; + imports = [ + (modulesPath + "/installer/cd-dvd/installation-cd-minimal-new-kernel-no-zfs.nix") + ]; - boot = { - supportedFilesystems = { - bcachefs = true; - zfs = lib.mkForce false; + boot = { + supportedFilesystems = { + bcachefs = true; + zfs = lib.mkForce false; + }; + kernelParams = [ "console=ttyS0" ]; + kernelPackages = lib.mkForce pkgs.linuxPackages_latest; + }; + + networking = { + networkmanager.enable = true; + wireless.enable = false; + }; + console.keyMap = "fr"; + + environment.systemPackages = with pkgs; [ + perl + git + ]; + programs.zsh.enable = true; + services = { + openssh.enable = true; + qemuGuest.enable = true; + getty.autologinUser = lib.mkForce "root"; + }; + + system.stateVersion = lib.mkForce "24.11"; }; - kernelParams = [ "console=ttyS0" ]; - kernelPackages = lib.mkForce pkgs.linuxPackages_latest; - }; - - networking = { - networkmanager.enable = true; - wireless.enable = false; - }; - console.keyMap = "fr"; - - environment.systemPackages = with pkgs; [ - perl - git - ]; - programs.zsh.enable = true; - services = { - openssh.enable = true; - qemuGuest.enable = true; - getty.autologinUser = lib.mkForce "root"; - }; - - system.stateVersion = lib.mkForce "24.11"; } diff --git a/machines/kat-kexec.nix b/machines/kat-kexec.nix index 502ef20..8fe1ac6 100644 --- a/machines/kat-kexec.nix +++ b/machines/kat-kexec.nix 
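Review bot: This hunk and the matching one in machines/kat-kexec.nix re-indent an otherwise unchanged 40-line module one level deeper to wrap it in `config = ...`, which turns a two-line metadata addition into a full-file rewrite that a reviewer cannot diff meaningfully. Splitting the body into a sibling `configuration.nix` and writing `config = import ./kat-iso/configuration.nix;` (as every directory-based node in this commit does) would keep the layout uniform across machines and keep these hunks small. The two files also remain near-identical apart from `imports` and `networking.networkmanager.enable`; factoring the shared installer settings into one module would remove that duplication, though that is outside this commit's scope.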
@@ -1,44 +1,48 @@ { - pkgs, - lib, - sources, - ... -}: -{ - deployment = { - allowLocalDeployment = false; - targetHost = null; - }; + meta.unstable = true; + config = + { + pkgs, + lib, + sources, + ... + }: + { + deployment = { + allowLocalDeployment = false; + targetHost = null; + }; - imports = [ - "${sources.nixos-images}/nix/kexec-installer/module.nix" - ]; + imports = [ + "${sources.nixos-images}/nix/kexec-installer/module.nix" + ]; - boot = { - kernelParams = [ "console=ttyS0" ]; - kernelPackages = lib.mkForce pkgs.linuxPackages_latest; - supportedFilesystems = { - bcachefs = true; - zfs = lib.mkForce false; + boot = { + kernelParams = [ "console=ttyS0" ]; + kernelPackages = lib.mkForce pkgs.linuxPackages_latest; + supportedFilesystems = { + bcachefs = true; + zfs = lib.mkForce false; + }; + }; + + networking = { + networkmanager.enable = false; + wireless.enable = false; + }; + console.keyMap = "fr"; + + environment.systemPackages = with pkgs; [ + perl + git + ]; + programs.zsh.enable = true; + services = { + openssh.enable = true; + qemuGuest.enable = true; + getty.autologinUser = lib.mkForce "root"; + }; + + system.stateVersion = lib.mkForce "24.11"; }; - }; - - networking = { - networkmanager.enable = false; - wireless.enable = false; - }; - console.keyMap = "fr"; - - environment.systemPackages = with pkgs; [ - perl - git - ]; - programs.zsh.enable = true; - services = { - openssh.enable = true; - qemuGuest.enable = true; - getty.autologinUser = lib.mkForce "root"; - }; - - system.stateVersion = lib.mkForce "24.11"; } diff --git a/machines/kat-manah/configuration.nix b/machines/kat-manah/configuration.nix new file mode 100644 index 0000000..ba00500 --- /dev/null +++ b/machines/kat-manah/configuration.nix 
@@ -0,0 +1,109 @@ +{ + pkgs, + nodes, + ... +}: +{ + deployment.targetHost = "manah.kat"; + + imports = [ + ./hardware-configuration.nix + ]; + + boot = { + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + kernel.sysctl."net.ipv4.ip_forward" = true; + kernelModules = [ + "kvm-intel" + "kvm-amd" + ]; + }; + + kat = { + fqdn = "manah.katvayor.net"; + proxies = { + ip = "10.42.0.1"; + open-tcp = [ + 9000 + 9500 + ]; + redirects = [ + "kat-orchid" + "kat-son" + "kat-www" + "kat-degette" + "kat-betamail" + ]; + }; + wireguardPubKey = "2rMQV5fyBhl7t/0j70iPOfEr/lAWQfLXQKMwtzaXxnM="; + }; + + systemd.network = { + enable = true; + networks = { + "50-wg0" = { + name = "wg0"; + address = [ "10.42.0.1/16" ]; + }; + }; + netdevs = { + "50-wg0" = { + netdevConfig = { + Name = "wg0"; + Kind = "wireguard"; + }; + wireguardConfig = { + PrivateKeyFile = "/etc/wg/private.key"; + }; + + wireguardPeers = [ + { + Endpoint = "watcher.katvayor.net:1194"; + AllowedIPs = [ + "10.42.0.2/32" + ]; + PersistentKeepalive = 20; + PublicKey = nodes.kat-watcher.config.kat.wireguardPubKey; + } + ]; + }; + }; + }; + + environment.systemPackages = with pkgs; [ + dnsmasq + tcpdump + ]; + + programs.virt-manager.enable = true; + virtualisation.libvirtd = { + enable = true; + qemu.vhostUserPackages = [ pkgs.virtiofsd ]; + }; + + security.acme = { + acceptTerms = true; + defaults.email = "root@katvayor.net"; + }; + + services = { + openssh.enable = true; + weechat = { + enable = true; + binary = "${pkgs.weechat}/bin/weechat-headless"; + }; + }; + + networking.firewall = { + allowedTCPPorts = [ + 9000 + 9500 + 53 + ]; + allowedUDPPorts = [ 67 ]; + }; + system.stateVersion = "23.11"; +} diff --git a/machines/kat-manah/default.nix b/machines/kat-manah/default.nix index ba00500..66da70b 100644 --- a/machines/kat-manah/default.nix +++ b/machines/kat-manah/default.nix 
@@ -1,109 +1,4 @@ { - pkgs, - nodes, - ... -}: -{ - deployment.targetHost = "manah.kat"; - - imports = [ - ./hardware-configuration.nix - ]; - - boot = { - loader = { - systemd-boot.enable = true; - efi.canTouchEfiVariables = true; - }; - kernel.sysctl."net.ipv4.ip_forward" = true; - kernelModules = [ - "kvm-intel" - "kvm-amd" - ]; - }; - - kat = { - fqdn = "manah.katvayor.net"; - proxies = { - ip = "10.42.0.1"; - open-tcp = [ - 9000 - 9500 - ]; - redirects = [ - "kat-orchid" - "kat-son" - "kat-www" - "kat-degette" - "kat-betamail" - ]; - }; - wireguardPubKey = "2rMQV5fyBhl7t/0j70iPOfEr/lAWQfLXQKMwtzaXxnM="; - }; - - systemd.network = { - enable = true; - networks = { - "50-wg0" = { - name = "wg0"; - address = [ "10.42.0.1/16" ]; - }; - }; - netdevs = { - "50-wg0" = { - netdevConfig = { - Name = "wg0"; - Kind = "wireguard"; - }; - wireguardConfig = { - PrivateKeyFile = "/etc/wg/private.key"; - }; - - wireguardPeers = [ - { - Endpoint = "watcher.katvayor.net:1194"; - AllowedIPs = [ - "10.42.0.2/32" - ]; - PersistentKeepalive = 20; - PublicKey = nodes.kat-watcher.config.kat.wireguardPubKey; - } - ]; - }; - }; - }; - - environment.systemPackages = with pkgs; [ - dnsmasq - tcpdump - ]; - - programs.virt-manager.enable = true; - virtualisation.libvirtd = { - enable = true; - qemu.vhostUserPackages = [ pkgs.virtiofsd ]; - }; - - security.acme = { - acceptTerms = true; - defaults.email = "root@katvayor.net"; - }; - - services = { - openssh.enable = true; - weechat = { - enable = true; - binary = "${pkgs.weechat}/bin/weechat-headless"; - }; - }; - - networking.firewall = { - allowedTCPPorts = [ - 9000 - 9500 - 53 - ]; - allowedUDPPorts = [ 67 ]; - }; - system.stateVersion = "23.11"; + meta.unstable = true; + config = import ./configuration.nix; } diff --git a/machines/kat-orchid/configuration.nix b/machines/kat-orchid/configuration.nix new file mode 100644 index 0000000..3f67f22 --- /dev/null +++ b/machines/kat-orchid/configuration.nix 
@@ -0,0 +1,207 @@ +{ + config, + lib, + pkgs, + kat-path, + ssh-keys, + sources, + self-version, + ... +}: +{ + deployment = { + targetHost = "orchid.kat"; + tags = [ "kat-vms" ]; + }; + imports = [ + ./hardware-configuration.nix + ./disks.nix + ]; + + boot = { + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + kernelParams = [ "console=ttyS0" ]; + }; + + kat = { + fqdn = "orchid.katvayor.net"; + proxies = { + ip = "192.168.122.6"; + aliases = [ + "simply-wise.fr" + "www.simply-wise.fr" + ]; + open-tcp = [ + { + internal = 22; + external = 22042; + } + ]; + }; + }; + + systemd.network.enable = lib.mkForce false; + networking = { + useNetworkd = lib.mkForce false; + firewall.allowedTCPPorts = [ + 80 + 443 + ]; + interfaces."enp1s0" = { + useDHCP = false; + ipv4.addresses = [ + { + address = "192.168.122.6"; + prefixLength = 24; + } + ]; + ipv6.addresses = [ + { + address = "fe80::6"; + prefixLength = 64; + } + ]; + }; + defaultGateway = "192.168.122.1"; + defaultGateway6 = { + address = "fe80::1"; + interface = "enp1s0"; + }; + nameservers = [ + "192.168.122.1" + "fe80::1%enp1s0" + ]; + }; + + nixpkgs.config.allowUnfree = true; + + security.acme = { + acceptTerms = true; + defaults.email = "root@katvayor.net"; + certs."orchid.katvayor.net".extraDomainNames = [ + "simply-wise.fr" + "www.simply-wise.fr" + ]; + }; + services = { + openssh.enable = true; + qemuGuest.enable = true; + getty.autologinUser = "root"; + nginx = { + enable = true; + virtualHosts = { + "orchid.katvayor.net" = { + enableACME = true; + forceSSL = true; + locations = { + "/static/".alias = "/srv/orchid/"; + "/" = { + recommendedProxySettings = true; + proxyPass = "https://192.168.123.2/"; + }; + }; + }; + "simply-wise.fr" = { + useACMEHost = "orchid.katvayor.net"; + forceSSL = true; + serverAliases = [ "www.simply-wise.fr" ]; + locations."/" = { + root = pkgs.runCommand "building" { } '' + mkdir -p $out + ln -nsf ${./building.html} $out/building.html + ''; + 
extraConfig = '' + internal; + error_page 404 =503 /building.html; + ''; + }; + }; + }; + }; + }; + containers.wordpress = + let + inherit (config.security.acme) certs; + in + { + privateNetwork = true; + bindMounts.certs = { + hostPath = certs."orchid.katvayor.net".directory; + mountPoint = certs."orchid.katvayor.net".directory; + isReadOnly = true; + }; + hostAddress = "192.168.123.1"; + localAddress = "192.168.123.2"; + autoStart = true; + specialArgs = { + inherit kat-path ssh-keys sources self-version; + }; + config = { + imports = [ kat-path ]; + kat.addArgs = false; + boot.kernel.enable = false; + systemd.network.enable = lib.mkForce false; + networking.firewall.allowedTCPPorts = [ + 80 + 443 + ]; + services = { + nginx = { + enable = true; + virtualHosts."orchid.katvayor.net" = { + addSSL = true; + sslCertificate = "${certs."orchid.katvayor.net".directory}/fullchain.pem"; + sslCertificateKey = "${certs."orchid.katvayor.net".directory}/key.pem"; + sslTrustedCertificate = "${certs."orchid.katvayor.net".directory}/chain.pem"; + }; + }; + openssh.enable = true; + wordpress = { + webserver = "nginx"; + sites."orchid.katvayor.net" = { + themes = { + inherit (pkgs.wordpressPackages.themes) twentytwentythree; + }; + }; + }; + }; + environment.systemPackages = [ pkgs.wp-cli ]; + system.stateVersion = "24.11"; + }; + }; + fileSystems."/home/orchid/content/www" = { + device = "/srv/orchid"; + options = [ "bind" ]; + }; + systemd = { + tmpfiles.settings."10-srv-orchid"."/srv/orchid" = { + d = { + group = "users"; + user = "orchid"; + }; + Z = { + group = "users"; + user = "orchid"; + mode = "0755"; + }; + }; + timers.srv-tmpfiles = { + wantedBy = [ "timers.target" ]; + timerConfig.OnCalendar = "*-*-* *:*:07..57/10"; + }; + services.srv-tmpfiles = { + path = [ pkgs.systemd ]; + script = '' + systemd-tmpfiles --create --prefix=/srv + ''; + }; + }; + + users.users.orchid.isNormalUser = true; + home-manager.users.orchid = { }; + + system.stateVersion = "23.11"; +} 
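Review bot: The host nginx proxies to `https://192.168.123.2/` while the wordpress container serves that address with the host's own ACME material bind-mounted in (`fullchain.pem`, `key.pem`, `chain.pem`); nginx does not verify upstream certificates by default, so the TLS hop adds no authentication of the container and only exports the public-facing private key into it. Either serve plain HTTP inside the container and drop the `key.pem` mount, or keep TLS and add `proxy_ssl_verify on;` with `proxy_ssl_trusted_certificate` pointing at the same chain to the `"/"` location's extraConfig. Apart from threading `self-version` into the function arguments and the container's `specialArgs`, this hunk is a move of the old default.nix, so the above predates the commit; it is flagged here because the file is being created anew.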
diff --git a/machines/kat-orchid/default.nix b/machines/kat-orchid/default.nix index 4c223bd..e3d020b 100644 --- a/machines/kat-orchid/default.nix +++ b/machines/kat-orchid/default.nix 
@@ -1,206 +1,4 @@ { - config, - lib, - pkgs, - kat-path, - ssh-keys, - sources, - ... -}: -{ - deployment = { - targetHost = "orchid.kat"; - tags = [ "kat-vms" ]; - }; - imports = [ - ./hardware-configuration.nix - ./disks.nix - ]; - - boot = { - loader = { - systemd-boot.enable = true; - efi.canTouchEfiVariables = true; - }; - kernelParams = [ "console=ttyS0" ]; - }; - - kat = { - fqdn = "orchid.katvayor.net"; - proxies = { - ip = "192.168.122.6"; - aliases = [ - "simply-wise.fr" - "www.simply-wise.fr" - ]; - open-tcp = [ - { - internal = 22; - external = 22042; - } - ]; - }; - }; - - systemd.network.enable = lib.mkForce false; - networking = { - useNetworkd = lib.mkForce false; - firewall.allowedTCPPorts = [ - 80 - 443 - ]; - interfaces."enp1s0" = { - useDHCP = false; - ipv4.addresses = [ - { - address = "192.168.122.6"; - prefixLength = 24; - } - ]; - ipv6.addresses = [ - { - address = "fe80::6"; - prefixLength = 64; - } - ]; - }; - defaultGateway = "192.168.122.1"; - defaultGateway6 = { - address = "fe80::1"; - interface = "enp1s0"; - }; - nameservers = [ - "192.168.122.1" - "fe80::1%enp1s0" - ]; - }; - - nixpkgs.config.allowUnfree = true; - - security.acme = { - acceptTerms = true; - defaults.email = "root@katvayor.net"; - certs."orchid.katvayor.net".extraDomainNames = [ - "simply-wise.fr" - "www.simply-wise.fr" - ]; - }; - services = { - openssh.enable = true; - qemuGuest.enable = true; - getty.autologinUser = "root"; - nginx = { - enable = true; - virtualHosts = { - "orchid.katvayor.net" = { - enableACME = true; - forceSSL = true; - locations = { - "/static/".alias = "/srv/orchid/"; - "/" = { - recommendedProxySettings = true; - proxyPass = "https://192.168.123.2/"; - }; - }; - }; - "simply-wise.fr" = { - useACMEHost = "orchid.katvayor.net"; - forceSSL = true; - serverAliases = [ "www.simply-wise.fr" ]; - locations."/" = { - root = pkgs.runCommand "building" { } '' - mkdir -p $out - ln -nsf ${./building.html} $out/building.html - ''; - extraConfig = '' - 
internal; - error_page 404 =503 /building.html; - ''; - }; - }; - }; - }; - }; - containers.wordpress = - let - inherit (config.security.acme) certs; - in - { - privateNetwork = true; - bindMounts.certs = { - hostPath = certs."orchid.katvayor.net".directory; - mountPoint = certs."orchid.katvayor.net".directory; - isReadOnly = true; - }; - hostAddress = "192.168.123.1"; - localAddress = "192.168.123.2"; - autoStart = true; - specialArgs = { - inherit kat-path ssh-keys sources; - }; - config = { - imports = [ kat-path ]; - kat.addArgs = false; - boot.kernel.enable = false; - systemd.network.enable = lib.mkForce false; - networking.firewall.allowedTCPPorts = [ - 80 - 443 - ]; - services = { - nginx = { - enable = true; - virtualHosts."orchid.katvayor.net" = { - addSSL = true; - sslCertificate = "${certs."orchid.katvayor.net".directory}/fullchain.pem"; - sslCertificateKey = "${certs."orchid.katvayor.net".directory}/key.pem"; - sslTrustedCertificate = "${certs."orchid.katvayor.net".directory}/chain.pem"; - }; - }; - openssh.enable = true; - wordpress = { - webserver = "nginx"; - sites."orchid.katvayor.net" = { - themes = { - inherit (pkgs.wordpressPackages.themes) twentytwentythree; - }; - }; - }; - }; - environment.systemPackages = [ pkgs.wp-cli ]; - system.stateVersion = "24.11"; - }; - }; - fileSystems."/home/orchid/content/www" = { - device = "/srv/orchid"; - options = [ "bind" ]; - }; - systemd = { - tmpfiles.settings."10-srv-orchid"."/srv/orchid" = { - d = { - group = "users"; - user = "orchid"; - }; - Z = { - group = "users"; - user = "orchid"; - mode = "0755"; - }; - }; - timers.srv-tmpfiles = { - wantedBy = [ "timers.target" ]; - timerConfig.OnCalendar = "*-*-* *:*:07..57/10"; - }; - services.srv-tmpfiles = { - path = [ pkgs.systemd ]; - script = '' - systemd-tmpfiles --create --prefix=/srv - ''; - }; - }; - - users.users.orchid.isNormalUser = true; - home-manager.users.orchid = { }; - - system.stateVersion = "23.11"; + meta.unstable = false; + config = import 
./configuration.nix; } diff --git a/machines/kat-probook/configuration.nix b/machines/kat-probook/configuration.nix new file mode 100644 index 0000000..d5d1e4d --- /dev/null +++ b/machines/kat-probook/configuration.nix 
@@ -0,0 +1,154 @@ +{ + pkgs, + nodes, + users, + ... +}: +{ + deployment.allowLocalDeployment = true; + + imports = [ + ./hardware-configuration.nix + users.catvayor + ./router.nix + ]; + + fileSystems."/tmp" = { + fsType = "tmpfs"; + device = "tmpfs"; + options = [ + "nosuid" + "nodev" + "relatime" + "size=12G" + ]; + }; + boot = { + kernel.sysctl."net.ipv4.ip_forward" = true; + binfmt.emulatedSystems = [ "aarch64-linux" ]; + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + }; + + nix.settings.trusted-users = [ + "root" + "@wheel" + ]; + networking.networkmanager = { + enable = true; + unmanaged = [ + "enp2s0" + "wg0" + ]; + }; + kat.wireguardPubKey = "zIHvCSzk5a94jvnXU4iscbp9RUGzbWpARDMRgHNtMl4="; + systemd.network = { + wait-online.anyInterface = true; + networks = { + "50-wg0" = { + name = "wg0"; + address = [ + "10.10.10.13/24" + "10.42.1.1/16" + ]; + }; + "10-enp2s0" = { + name = "enp2s0"; + DHCP = "ipv4"; + networkConfig.IPv6AcceptRA = "yes"; + dhcpV4Config.RouteMetric = 500; + dhcpV6Config.RouteMetric = 500; + ipv6AcceptRAConfig.RouteMetric = 500; + }; + }; + netdevs."50-wg0" = { + netdevConfig = { + Name = "wg0"; + Kind = "wireguard"; + }; + wireguardConfig.PrivateKeyFile = "/wg/private.key"; + + wireguardPeers = [ + { + AllowedIPs = [ + "10.10.10.0/24" + ]; + PublicKey = "CzUK0RPHsoG9N1NisOG0u7xwyGhTZnjhl7Cus3X76Es="; + Endpoint = "129.199.129.76:1194"; + PersistentKeepalive = 25; + } + { + AllowedIPs = [ + "10.42.0.0/16" + ]; + PublicKey = nodes.kat-watcher.config.kat.wireguardPubKey; + Endpoint = "watcher.katvayor.net:1194"; + PersistentKeepalive = 25; + } + ]; + }; + }; + + nixpkgs.config.allowUnfree = true; + + security.rtkit.enable = true; + hardware.bluetooth = { + enable = true; + powerOnBoot = false; + }; + + environment.systemPackages = with pkgs; [ brightnessctl ]; + fonts.packages = with pkgs; [ + fira-code-nerdfont + font-awesome + ]; + + services = { + pipewire = { + enable = true; + alsa = { + enable = true; 
+ support32Bit = true; + }; + pulse.enable = true; + }; + syncthing = { + enable = true; + systemService = true; + dataDir = "/home/catvayor"; + user = "catvayor"; + group = "users"; + openDefaultPorts = true; + settings = { + folders."essentials" = { + path = "~/essentials"; + id = "vgpwu-fk3ct"; + devices = [ + "katel" + ]; + }; + devices.katel.id = "DYOKK7J-HZAF5S7-FYTHQF5-UD5GJZ2-4JMV5I5-STUM3HG-5YM2JPR-LATJNAZ"; + }; + }; + }; + + programs = { + steam.enable = true; + virt-manager.enable = true; + gnupg.agent = { + enable = true; + enableSSHSupport = true; + }; + }; + + home-manager.users = { + "root".kat.neovim.lsp = true; + "catvayor".kat.neovim.lsp = true; + }; + + virtualisation.libvirtd.enable = true; + + system.stateVersion = "23.11"; +} diff --git a/machines/kat-probook/default.nix b/machines/kat-probook/default.nix index d5d1e4d..66da70b 100644 --- a/machines/kat-probook/default.nix +++ b/machines/kat-probook/default.nix 
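Review bot: `nix.settings.trusted-users = [ "root" "@wheel" ]` makes every wheel member root-equivalent through the Nix daemon (trusted users may set arbitrary substituters and import unsigned paths), which is broader than the `deployment.allowLocalDeployment = true` use case seems to need. If the intent is only local colmena applies by the deploying account, list that user explicitly instead of the whole group, and add a comment next to the setting stating why it is required, e.g. `# needed for local deployment; trusted-users is root-equivalent, keep this list minimal`. This hunk is a verbatim move of the old machines/kat-probook/default.nix, so the setting predates the commit.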
@@ -1,154 +1,4 @@ { - pkgs, - nodes, - users, - ... -}: -{ - deployment.allowLocalDeployment = true; - - imports = [ - ./hardware-configuration.nix - users.catvayor - ./router.nix - ]; - - fileSystems."/tmp" = { - fsType = "tmpfs"; - device = "tmpfs"; - options = [ - "nosuid" - "nodev" - "relatime" - "size=12G" - ]; - }; - boot = { - kernel.sysctl."net.ipv4.ip_forward" = true; - binfmt.emulatedSystems = [ "aarch64-linux" ]; - loader = { - systemd-boot.enable = true; - efi.canTouchEfiVariables = true; - }; - }; - - nix.settings.trusted-users = [ - "root" - "@wheel" - ]; - networking.networkmanager = { - enable = true; - unmanaged = [ - "enp2s0" - "wg0" - ]; - }; - kat.wireguardPubKey = "zIHvCSzk5a94jvnXU4iscbp9RUGzbWpARDMRgHNtMl4="; - systemd.network = { - wait-online.anyInterface = true; - networks = { - "50-wg0" = { - name = "wg0"; - address = [ - "10.10.10.13/24" - "10.42.1.1/16" - ]; - }; - "10-enp2s0" = { - name = "enp2s0"; - DHCP = "ipv4"; - networkConfig.IPv6AcceptRA = "yes"; - dhcpV4Config.RouteMetric = 500; - dhcpV6Config.RouteMetric = 500; - ipv6AcceptRAConfig.RouteMetric = 500; - }; - }; - netdevs."50-wg0" = { - netdevConfig = { - Name = "wg0"; - Kind = "wireguard"; - }; - wireguardConfig.PrivateKeyFile = "/wg/private.key"; - - wireguardPeers = [ - { - AllowedIPs = [ - "10.10.10.0/24" - ]; - PublicKey = "CzUK0RPHsoG9N1NisOG0u7xwyGhTZnjhl7Cus3X76Es="; - Endpoint = "129.199.129.76:1194"; - PersistentKeepalive = 25; - } - { - AllowedIPs = [ - "10.42.0.0/16" - ]; - PublicKey = nodes.kat-watcher.config.kat.wireguardPubKey; - Endpoint = "watcher.katvayor.net:1194"; - PersistentKeepalive = 25; - } - ]; - }; - }; - - nixpkgs.config.allowUnfree = true; - - security.rtkit.enable = true; - hardware.bluetooth = { - enable = true; - powerOnBoot = false; - }; - - environment.systemPackages = with pkgs; [ brightnessctl ]; - fonts.packages = with pkgs; [ - fira-code-nerdfont - font-awesome - ]; - - services = { - pipewire = { - enable = true; - alsa = { - enable = true; 
- support32Bit = true; - }; - pulse.enable = true; - }; - syncthing = { - enable = true; - systemService = true; - dataDir = "/home/catvayor"; - user = "catvayor"; - group = "users"; - openDefaultPorts = true; - settings = { - folders."essentials" = { - path = "~/essentials"; - id = "vgpwu-fk3ct"; - devices = [ - "katel" - ]; - }; - devices.katel.id = "DYOKK7J-HZAF5S7-FYTHQF5-UD5GJZ2-4JMV5I5-STUM3HG-5YM2JPR-LATJNAZ"; - }; - }; - }; - - programs = { - steam.enable = true; - virt-manager.enable = true; - gnupg.agent = { - enable = true; - enableSSHSupport = true; - }; - }; - - home-manager.users = { - "root".kat.neovim.lsp = true; - "catvayor".kat.neovim.lsp = true; - }; - - virtualisation.libvirtd.enable = true; - - system.stateVersion = "23.11"; + meta.unstable = true; + config = import ./configuration.nix; } diff --git a/machines/kat-son/configuration.nix b/machines/kat-son/configuration.nix new file mode 100644 index 0000000..ddaba31 --- /dev/null +++ b/machines/kat-son/configuration.nix 
@@ -0,0 +1,80 @@
+{
+ lib,
+ ...
+}:
+{
+ deployment = {
+ targetHost = "son.kat";
+ tags = [ "kat-vms" ];
+ };
+
+ imports = [
+ ./hardware-configuration.nix
+ ./disks.nix
+ ];
+
+ boot = {
+ loader = {
+ systemd-boot.enable = true;
+ efi.canTouchEfiVariables = true;
+ };
+ kernelParams = [ "console=ttyS0" ];
+ };
+
+ kat = {
+ fqdn = "son.katvayor.net";
+ proxies.ip = "192.168.122.5";
+ };
+
+ systemd.network.enable = lib.mkForce false;
+ networking = {
+ useNetworkd = lib.mkForce false;
+ interfaces."enp1s0" = {
+ useDHCP = false;
+ ipv4.addresses = [
+ {
+ address = "192.168.122.5";
+ prefixLength = 24;
+ }
+ ];
+ ipv6.addresses = [
+ {
+ address = "fe80::5";
+ prefixLength = 64;
+ }
+ ];
+ };
+ defaultGateway = "192.168.122.1";
+ defaultGateway6 = {
+ address = "fe80::1";
+ interface = "enp1s0";
+ };
+ nameservers = [
+ "192.168.122.1"
+ "fe80::1%enp1s0"
+ ];
+ };
+
+ networking.firewall.enable = false;
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "root@katvayor.net";
+ };
+ services = {
+ openssh.enable = true;
+ qemuGuest.enable = true;
+ getty.autologinUser = "root";
+ nginx = {
+ enable = true;
+ virtualHosts = {
+ "son.katvayor.net" = {
+ enableACME = true;
+ addSSL = true;
+ };
+ };
+ };
+ };
+
+ system.stateVersion = "23.11";
+}
diff --git a/machines/kat-son/default.nix b/machines/kat-son/default.nix
index ddaba31..66da70b 100644
--- a/machines/kat-son/default.nix
+++ b/machines/kat-son/default.nix
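Review bot: `networking.firewall.enable = false;` drops the host firewall on a VM that only needs sshd (port 22, which the openssh module opens by default) and nginx on 80/443, so replacing that line with `networking.firewall.allowedTCPPorts = [ 80 443 ];` keeps the default-deny posture at no functional cost. It may be a deliberate choice because the guest sits on libvirt's 192.168.122.0/24 behind a reverse proxy, but then the trust assumption deserves a one-line comment so it is not silently carried into the next VM. In the same spirit, `services.getty.autologinUser = "root";` combined with `kernelParams = [ "console=ttyS0" ]` hands an unauthenticated root shell to anyone who can attach to the serial console (e.g. `virsh console` on the host); if that is an intentional recovery convenience, mark it as such, e.g. `# root autologin on the serial console: host admins only`.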
@@ -1,80 +1,4 @@ { - lib, - ... -}: -{ - deployment = { - targetHost = "son.kat"; - tags = [ "kat-vms" ]; - }; - - imports = [ - ./hardware-configuration.nix - ./disks.nix - ]; - - boot = { - loader = { - systemd-boot.enable = true; - efi.canTouchEfiVariables = true; - }; - kernelParams = [ "console=ttyS0" ]; - }; - - kat = { - fqdn = "son.katvayor.net"; - proxies.ip = "192.168.122.5"; - }; - - systemd.network.enable = lib.mkForce false; - networking = { - useNetworkd = lib.mkForce false; - interfaces."enp1s0" = { - useDHCP = false; - ipv4.addresses = [ - { - address = "192.168.122.5"; - prefixLength = 24; - } - ]; - ipv6.addresses = [ - { - address = "fe80::5"; - prefixLength = 64; - } - ]; - }; - defaultGateway = "192.168.122.1"; - defaultGateway6 = { - address = "fe80::1"; - interface = "enp1s0"; - }; - nameservers = [ - "192.168.122.1" - "fe80::1%enp1s0" - ]; - }; - - networking.firewall.enable = false; - - security.acme = { - acceptTerms = true; - defaults.email = "root@katvayor.net"; - }; - services = { - openssh.enable = true; - qemuGuest.enable = true; - getty.autologinUser = "root"; - nginx = { - enable = true; - virtualHosts = { - "son.katvayor.net" = { - enableACME = true; - addSSL = true; - }; - }; - }; - }; - - system.stateVersion = "23.11"; + meta.unstable = true; + config = import ./configuration.nix; } diff --git a/machines/kat-watcher/configuration.nix b/machines/kat-watcher/configuration.nix new file mode 100644 index 0000000..c55e717 --- /dev/null +++ b/machines/kat-watcher/configuration.nix 
@@ -0,0 +1,115 @@
+{
+ pkgs,
+ nodes,
+ ...
+}:
+{
+ deployment.targetHost = "watcher.kat";
+
+ imports = [
+ ./hardware-configuration.nix
+ ./disks.nix
+ ];
+
+ boot = {
+ loader.grub = {
+ enable = true;
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ };
+ kernel.sysctl."net.ipv4.ip_forward" = true;
+ };
+
+ kat = {
+ wireguardPubKey = "BgLBrWG7DRj2Gwoyj+vHZTjiB3gPEnwVcDFEQH/BYgg=";
+ fqdn = "watcher.katvayor.net";
+ proxies.redirects = [ "kat-manah" ];
+ };
+
+ networking = {
+ useDHCP = false;
+ firewall.allowedUDPPorts = [ 1194 ];
+ nftables = {
+ enable = true;
+ tables.nat = {
+ family = "ip";
+ content = ''
+ chain postrouting {
+ type nat hook postrouting priority 100;
+ ip saddr 10.42.0.0/16 masquerade
+ }
+ '';
+ };
+ };
+ };
+ systemd.network = {
+ enable = true;
+ networks = {
+ "10-ens3" = {
+ name = "ens3";
+ address = [
+ "51.83.69.54/32"
+ "2001:41d0:305:2100::5c52/56"
+ ];
+ routes = [
+ { Destination = "51.83.68.1/32"; }
+ {
+ Destination = "213.186.33.99/32";
+ Gateway = "51.83.68.1";
+ }
+ { Gateway = "51.83.68.1"; }
+ { Gateway = "2001:41d0:305:2100::1"; }
+ ];
+ dns = [ "213.186.33.99" ];
+ };
+ "50-wg0" = {
+ name = "wg0";
+ address = [ "10.42.0.2/16" ];
+ };
+ };
+ netdevs = {
+ "50-wg0" = {
+ netdevConfig = {
+ Name = "wg0";
+ Kind = "wireguard";
+ };
+ wireguardConfig = {
+ ListenPort = 1194;
+ PrivateKeyFile = "/etc/wg/private.key";
+ };
+
+ wireguardPeers = [
+ {
+ AllowedIPs = [
+ "10.42.0.1/32"
+ ];
+ PublicKey = nodes.kat-manah.config.kat.wireguardPubKey;
+ }
+ {
+ AllowedIPs = [
+ "10.42.1.1/32"
+ ];
+ PublicKey = nodes.kat-probook.config.kat.wireguardPubKey;
+ }
+ {
+ AllowedIPs = [
+ "10.42.2.1/32"
+ ];
+ PublicKey = nodes.kat-betamail.config.kat.wireguardPubKey;
+ }
+ ];
+ };
+ };
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "root@katvayor.net";
+ };
+
+ environment.systemPackages = with pkgs; [ tcpdump ];
+
+ services.openssh.enable = true;
+
+ system.stateVersion = "23.11";
+}
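Review bot: `kernel.sysctl."net.ipv4.ip_forward" = true` together with the `ip saddr 10.42.0.0/16 masquerade` rule turns this publicly addressed host (51.83.69.54) into a NAT gateway for every WireGuard peer, and nothing in the hunk filters forwarded traffic — the NixOS firewall only guards the input path unless `networking.firewall.filterForward = true;` is set (nftables is already enabled here, which that option requires), so peer-to-peer and peer-to-internet packets currently pass unchecked. The per-peer `/32` AllowedIPs limit source spoofing, but if the intent is only to let the three listed peers reach each other over `wg0`, add `filterForward = true` with an `extraForwardRules` entry that accepts `iifname "wg0"` traffic plus established/related replies and lets the default drop handle the rest. Some module outside this file may already do that; it cannot be seen from the hunk, so a comment on the masquerade rule stating what the forwarding policy is would help either way.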
diff --git a/machines/kat-watcher/default.nix b/machines/kat-watcher/default.nix index c55e717..66da70b 100644 --- a/machines/kat-watcher/default.nix +++ b/machines/kat-watcher/default.nix 
@@ -1,115 +1,4 @@ { - pkgs, - nodes, - ... -}: -{ - deployment.targetHost = "watcher.kat"; - - imports = [ - ./hardware-configuration.nix - ./disks.nix - ]; - - boot = { - loader.grub = { - enable = true; - efiSupport = true; - efiInstallAsRemovable = true; - }; - kernel.sysctl."net.ipv4.ip_forward" = true; - }; - - kat = { - wireguardPubKey = "BgLBrWG7DRj2Gwoyj+vHZTjiB3gPEnwVcDFEQH/BYgg="; - fqdn = "watcher.katvayor.net"; - proxies.redirects = [ "kat-manah" ]; - }; - - networking = { - useDHCP = false; - firewall.allowedUDPPorts = [ 1194 ]; - nftables = { - enable = true; - tables.nat = { - family = "ip"; - content = '' - chain postrouting { - type nat hook postrouting priority 100; - ip saddr 10.42.0.0/16 masquerade - } - ''; - }; - }; - }; - systemd.network = { - enable = true; - networks = { - "10-ens3" = { - name = "ens3"; - address = [ - "51.83.69.54/32" - "2001:41d0:305:2100::5c52/56" - ]; - routes = [ - { Destination = "51.83.68.1/32"; } - { - Destination = "213.186.33.99/32"; - Gateway = "51.83.68.1"; - } - { Gateway = "51.83.68.1"; } - { Gateway = "2001:41d0:305:2100::1"; } - ]; - dns = [ "213.186.33.99" ]; - }; - "50-wg0" = { - name = "wg0"; - address = [ "10.42.0.2/16" ]; - }; - }; - netdevs = { - "50-wg0" = { - netdevConfig = { - Name = "wg0"; - Kind = "wireguard"; - }; - wireguardConfig = { - ListenPort = 1194; - PrivateKeyFile = "/etc/wg/private.key"; - }; - - wireguardPeers = [ - { - AllowedIPs = [ - "10.42.0.1/32" - ]; - PublicKey = nodes.kat-manah.config.kat.wireguardPubKey; - } - { - AllowedIPs = [ - "10.42.1.1/32" - ]; - PublicKey = nodes.kat-probook.config.kat.wireguardPubKey; - } - { - AllowedIPs = [ - "10.42.2.1/32" - ]; - PublicKey = nodes.kat-betamail.config.kat.wireguardPubKey; - } - ]; - }; - }; - }; - - security.acme = { - acceptTerms = true; - defaults.email = "root@katvayor.net"; - }; - - environment.systemPackages = with pkgs; [ tcpdump ]; - - services.openssh.enable = true; - - system.stateVersion = "23.11"; + meta.unstable = true; + 
config = import ./configuration.nix; } diff --git a/machines/kat-www/configuration.nix b/machines/kat-www/configuration.nix new file mode 100644 index 0000000..0f79ce8 --- /dev/null +++ b/machines/kat-www/configuration.nix 
@@ -0,0 +1,119 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+{
+ deployment = {
+ targetHost = "www.kat";
+ tags = [ "kat-vms" ];
+ };
+
+ imports = [
+ ./hardware-configuration.nix
+ ./disks.nix
+ ];
+
+ boot = {
+ loader = {
+ systemd-boot.enable = true;
+ efi.canTouchEfiVariables = true;
+ };
+ kernelParams = [ "console=ttyS0" ];
+ };
+
+ kat = {
+ fqdn = "website.katvayor.net";
+ proxies = {
+ aliases = [
+ "www.katvayor.net"
+ "katvayor.net"
+ "netbox.katvayor.net"
+ ];
+ ip = "192.168.122.7";
+ };
+ };
+
+ systemd.network.enable = lib.mkForce false;
+ networking = {
+ useNetworkd = lib.mkForce false;
+ interfaces."enp1s0" = {
+ useDHCP = false;
+ ipv4.addresses = [
+ {
+ address = "192.168.122.7";
+ prefixLength = 24;
+ }
+ ];
+ ipv6.addresses = [
+ {
+ address = "fe80::7";
+ prefixLength = 64;
+ }
+ ];
+ };
+ defaultGateway = "192.168.122.1";
+ defaultGateway6 = {
+ address = "fe80::1";
+ interface = "enp1s0";
+ };
+ nameservers = [
+ "192.168.122.1"
+ "fe80::1%enp1s0"
+ ];
+ };
+
+ networking.firewall.enable = false;
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "root@katvayor.net";
+ certs."website.katvayor.net".extraDomainNames = [ "netbox.katvayor.net" ];
+ };
+ services = {
+ openssh.enable = true;
+ qemuGuest.enable = true;
+ getty.autologinUser = "root";
+
+ nginx = {
+ enable = true;
+ virtualHosts = {
+ "website.katvayor.net" = {
+ serverAliases = [
+ "www.katvayor.net"
+ "katvayor.net"
+ ];
+ enableACME = true;
+ addSSL = true;
+ locations."/" = {
+ alias = "/var/lib/www/";
+ index = "index.html";
+ };
+ };
+ "netbox.katvayor.net" = {
+ useACMEHost = "website.katvayor.net";
+ addSSL = true;
+ locations = {
+ "/" = {
+ recommendedProxySettings = true;
+ proxyPass = "http://localhost:8001";
+ };
+ "/static/".alias = "${config.services.netbox.dataDir}/static/";
+ };
+ };
+ };
+ };
+
+ netbox = {
+ enable = true;
+ package = pkgs.netbox_4_1;
+ listenAddress = "127.0.0.1";
+ secretKeyFile = "${config.services.netbox.dataDir}/secret.key";
+ };
+ };
+
+ users.users.nginx.extraGroups = [ "netbox" ];
+
+ system.stateVersion = "23.11";
+}
diff --git a/machines/kat-www/default.nix b/machines/kat-www/default.nix
index 0f79ce8..e3d020b 100644
--- a/machines/kat-www/default.nix
+++ b/machines/kat-www/default.nix
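Review bot: `secretKeyFile = "${config.services.netbox.dataDir}/secret.key"` stores the Django SECRET_KEY inside the very directory that `users.users.nginx.extraGroups = [ "netbox" ]` is added to expose for the `/static/` alias; how `secret.key` is provisioned is not visible here, but if it ends up group-readable like the rest of dataDir, nginx — the process terminating every external request — can read the key that signs NetBox sessions and password-reset tokens. Moving it out of dataDir, e.g. `secretKeyFile = "/etc/netbox/secret.key";` owned `netbox:netbox` with mode `0400`, removes the overlap regardless of what mode the data directory gets. The same `networking.firewall.enable = false;` / `getty.autologinUser = "root";` pair as in the other VM configs applies to this host too; `networking.firewall.allowedTCPPorts = [ 80 443 ];` would cover everything this file serves while keeping sshd's own firewall opening.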
@@ -1,119 +1,4 @@ { - config, - lib, - pkgs, - ... -}: -{ - deployment = { - targetHost = "www.kat"; - tags = [ "kat-vms" ]; - }; - - imports = [ - ./hardware-configuration.nix - ./disks.nix - ]; - - boot = { - loader = { - systemd-boot.enable = true; - efi.canTouchEfiVariables = true; - }; - kernelParams = [ "console=ttyS0" ]; - }; - - kat = { - fqdn = "website.katvayor.net"; - proxies = { - aliases = [ - "www.katvayor.net" - "katvayor.net" - "netbox.katvayor.net" - ]; - ip = "192.168.122.7"; - }; - }; - - systemd.network.enable = lib.mkForce false; - networking = { - useNetworkd = lib.mkForce false; - interfaces."enp1s0" = { - useDHCP = false; - ipv4.addresses = [ - { - address = "192.168.122.7"; - prefixLength = 24; - } - ]; - ipv6.addresses = [ - { - address = "fe80::7"; - prefixLength = 64; - } - ]; - }; - defaultGateway = "192.168.122.1"; - defaultGateway6 = { - address = "fe80::1"; - interface = "enp1s0"; - }; - nameservers = [ - "192.168.122.1" - "fe80::1%enp1s0" - ]; - }; - - networking.firewall.enable = false; - - security.acme = { - acceptTerms = true; - defaults.email = "root@katvayor.net"; - certs."website.katvayor.net".extraDomainNames = [ "netbox.katvayor.net" ]; - }; - services = { - openssh.enable = true; - qemuGuest.enable = true; - getty.autologinUser = "root"; - - nginx = { - enable = true; - virtualHosts = { - "website.katvayor.net" = { - serverAliases = [ - "www.katvayor.net" - "katvayor.net" - ]; - enableACME = true; - addSSL = true; - locations."/" = { - alias = "/var/lib/www/"; - index = "index.html"; - }; - }; - "netbox.katvayor.net" = { - useACMEHost = "website.katvayor.net"; - addSSL = true; - locations = { - "/" = { - recommendedProxySettings = true; - proxyPass = "http://localhost:8001"; - }; - "/static/".alias = "${config.services.netbox.dataDir}/static/"; - }; - }; - }; - }; - - netbox = { - enable = true; - package = pkgs.netbox_4_1; - listenAddress = "127.0.0.1"; - secretKeyFile = "${config.services.netbox.dataDir}/secret.key"; - 
}; - }; - - users.users.nginx.extraGroups = [ "netbox" ]; - - system.stateVersion = "23.11"; + meta.unstable = false; + config = import ./configuration.nix; } diff --git a/npins/sources.json b/npins/sources.json index 9753d21..a74b970 100644 --- a/npins/sources.json +++ b/npins/sources.json @@ -15,7 +15,19 @@ "url": "https://api.github.com/repos/nix-community/disko/tarball/v1.9.0", "hash": "0j76ar4qz320fakdii4659w5lww8wiz6yb7g47npywqvf2lbp388" }, - "home-manager": { + "home-manager-stable": { + "type": "Git", + "repository": { + "type": "GitHub", + "owner": "nix-community", + "repo": "home-manager" + }, + "branch": "release-24.11", + "revision": "62d536255879be574ebfe9b87c4ac194febf47c5", + "url": "https://github.com/nix-community/home-manager/archive/62d536255879be574ebfe9b87c4ac194febf47c5.tar.gz", + "hash": "0v9bsc6r2626kap2m12zxw47m4p2kpr4pjldr7wvgqq48vwd72cm" + }, + "home-manager-unstable": { "type": "Git", "repository": { "type": "GitHub", @@ -23,9 +35,9 @@ "repo": "home-manager" }, "branch": "master", - "revision": "2f607e07f3ac7e53541120536708e824acccfaa8", - "url": "https://github.com/nix-community/home-manager/archive/2f607e07f3ac7e53541120536708e824acccfaa8.tar.gz", - "hash": "19w63qccz78v0spx03911z98w1bvlxvd07hb0ma14a4vdzi4ninj" + "revision": "65912bc6841cf420eb8c0a20e03df7cbbff5963f", + "url": "https://github.com/nix-community/home-manager/archive/65912bc6841cf420eb8c0a20e03df7cbbff5963f.tar.gz", + "hash": "026hmc30kkyd9ihpjd6cm1b22galdi164ardhmj5x5jcszhjx4r9" }, "nix-patches": { "type": "GitRelease", 
@@ -49,9 +61,9 @@ "repo": "nixos-images" }, "branch": "main", - "revision": "16f7f3496167ff95a1ef823bf56309a5d42237e1", - "url": "https://github.com/nix-community/nixos-images/archive/16f7f3496167ff95a1ef823bf56309a5d42237e1.tar.gz", - "hash": "0nwpxajd6ny9qry58ch624ahr4nmsbkxq1m9ijqcwk8jx0cgv3vy" + "revision": "a5e3e9e083d607b8a780d69323148ac99c09787b", + "url": "https://github.com/nix-community/nixos-images/archive/a5e3e9e083d607b8a780d69323148ac99c09787b.tar.gz", + "hash": "1nacp8n3in0bv59jl3s8k3yhc3dv96dpfv9r508jjr35bvvgzx91" }, "nixos-mailserver": { "type": "Git", @@ -65,13 +77,31 @@ "url": "https://gitlab.com/api/v4/projects/simple-nixos-mailserver%2Fnixos-mailserver/repository/archive.tar.gz?sha=af7d3bf5daeba3fc28089b015c0dd43f06b176f2", "hash": "1j0r52ij5pw8b8wc5xz1bmm5idwkmsnwpla6smz8gypcjls860ma" }, - "nixpkgs": { + "nixpkgs-stable": { + "type": "Channel", + "name": "nixos-24.11", + "url": "https://releases.nixos.org/nixos/24.11/nixos-24.11.710315.b681065d0919/nixexprs.tar.xz", + "hash": "0j2djx0mqp2hiq1w7sl5837mzgqrc3534257b9sdv8p5672gpbmv" + }, + "nixpkgs-unstable": { "type": "Channel", "name": "nixpkgs-unstable", - "url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.11pre704822.85f7e662eda4/nixexprs.tar.xz", - "hash": "0dqlz0xqd3nn49hnx943y5sfqd7nmj25s6gi1pjm907j3vbgg47k" + "url": "https://releases.nixos.org/nixpkgs/nixpkgs-25.05pre716127.566e53c2ad75/nixexprs.tar.xz", + "hash": "182d5xq2w70znk61b8bn0cyq4jmp7vw239vmxbmsvv13zrjainbv" }, - "nixvim": { + "nixvim-stable": { + "type": "Git", + "repository": { + "type": "GitHub", + "owner": "nix-community", + "repo": "nixvim" + }, + "branch": "nixos-24.11", + "revision": "667b2a5f7a7925fb3247fd3201f4a9e0bcebcd48", + "url": "https://github.com/nix-community/nixvim/archive/667b2a5f7a7925fb3247fd3201f4a9e0bcebcd48.tar.gz", + "hash": "181fhbqfz4lqrpsg2c3hkn0d95s736wkhsrbcl0mndjgm3202bpb" + }, + "nixvim-unstable": { "type": "Git", "repository": { "type": "GitHub", 
@@ -79,9 +109,9 @@
 "repo": "nixvim"
 },
 "branch": "main",
- "revision": "aabbd60633947baba11db44df84f402edc241440",
- "url": "https://github.com/nix-community/nixvim/archive/aabbd60633947baba11db44df84f402edc241440.tar.gz",
- "hash": "1mkmz8mvydj4mbfqipywncf68i8dcnag088cr4xkp2z3h4ary0ap"
+ "revision": "38885227461de58a712362c1c484803d6c90a8b2",
+ "url": "https://github.com/nix-community/nixvim/archive/38885227461de58a712362c1c484803d6c90a8b2.tar.gz",
+ "hash": "1cyx21v1dm4r6n5y2d32wpzhxy534h8j79ws1wi2b6rlpcqasrkg"
 }
 },
 "version": 3
diff --git a/patches/default.nix b/patches/default.nix
index 06b1313..68dd6fe 100644
--- a/patches/default.nix
+++ b/patches/default.nix
@@ -1,11 +1,15 @@
-rec {
- unstable = [
+let
+ general = [
 {
 _type = "static";
 path = ./nginx-fallback.patch;
 }
 ];
- betamail = unstable ++ [
+in
+{
+ unstable = general;
+ stable = general;
+ betamail = [
 {
 _type = "static";
 path = ./procmail_322.patch;
diff --git a/shell.nix b/shell.nix
index 44e073d..66d361a 100644
--- a/shell.nix
+++ b/shell.nix
@@ -1,6 +1,6 @@
 let
 sources = import ./npins;
- pkgs = import sources.nixpkgs { };
+ pkgs = import sources.nixpkgs-unstable { };
 in
 pkgs.mkShell {
 packages = with pkgs; [
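Review bot: `betamail = [` no longer includes `general`, so a node whose patch list is just `betamail` loses `nginx-fallback.patch` unless that list is applied on top of a base that already had `general` applied; the layering is decided outside this file, so the dependency is invisible to anyone reading patches/default.nix alone. If `betamail` is meant to stand on its own, restore it as `betamail = general ++ [`; if it is meant to be stacked on `stable`/`unstable`, add a comment above it such as `# applied on top of stable/unstable, which already carry general; do not re-add it` so the next reader does not add the patch twice. The patches hunk is complete in this view, but the attribute set it returns is consumed elsewhere, so which of the two is intended cannot be confirmed here.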