From f44aa47daaa0d4032167be1ef3f627b5c3625a02 Mon Sep 17 00:00:00 2001
From: catvayor
Date: Sat, 13 Apr 2024 00:03:06 +0200
Subject: [PATCH] config BOQ
---
 BOcal/configuration.nix | 51 +++++++++++
 BOcal/hardware-configuration.nix | 41 +++++++++
 BOcal/net-user/configuration.nix | 149 +++++++++++++++++++++++++++++++
 BOcal/net_config.nix | 105 ++++++++++++++++++++++
 BOcal/router.nix | 59 ++++++++++++
 hive.nix | 16 ++--
 6 files changed, 415 insertions(+), 6 deletions(-)
 create mode 100644 BOcal/configuration.nix
 create mode 100644 BOcal/hardware-configuration.nix
 create mode 100644 BOcal/net-user/configuration.nix
 create mode 100644 BOcal/net_config.nix
 create mode 100644 BOcal/router.nix
diff --git a/BOcal/configuration.nix b/BOcal/configuration.nix
new file mode 100644
index 0000000..285bfe2
--- /dev/null
+++ b/BOcal/configuration.nix
@@ -0,0 +1,51 @@
+{ config, lib, pkgs, users, ... }:
+
+{
+ imports =
+ [
+ ./hardware-configuration.nix
+ ./router.nix
+ ./net_config.nix
+ (users.root { ssh = true; })
+ ];
+
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.supportedFilesystems = [ "bcachefs" ];
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+
+ time.timeZone = "Europe/Paris";
+
+ i18n.defaultLocale = "en_US.UTF-8";
+ console = {
+ font = "Lat2-Terminus16";
+ keyMap = "fr";
+ };
+
+ services.dbus.packages = with pkgs; [ dconf ];
+
+ programs.zsh.enable = true;
+
+ environment.systemPackages = with pkgs; [
+ wget
+ brightnessctl
+ nix-search-cli
+ git
+ btop
+ ranger
+ dnsmasq
+ screen
+ ];
+
+ programs.gnupg.agent = {
+ enable = true;
+ enableSSHSupport = true;
+ };
+
+ services.openssh.enable = true;
+
+ networking.firewall.enable = false;
+ networking.useDHCP = false;
+
+ system.stateVersion = "23.11";
+}
diff --git a/BOcal/hardware-configuration.nix b/BOcal/hardware-configuration.nix
new file mode 100644
index 0000000..9c7bdef
--- /dev/null
+++ b/BOcal/hardware-configuration.nix
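Review bot: `networking.firewall.enable = false;` switches the packet filter off on a host that router.nix in this same commit turns into the NAT gateway (ip_forward on, DHCP uplink on eno1), so sshd from `services.openssh.enable = true;` and whatever net_config.nix starts (rpcbind/NFS, pixiecore, nginx) are reachable from the uplink side as well as from the netboot segment. Keeping the filter and trusting only the bridge gives the clients the same behaviour: `networking.firewall.enable = true;` plus `networking.firewall.trustedInterfaces = [ "netboot-client" ];` (pixiecore already sets `openFirewall`). Root SSH is enabled through `users.root { ssh = true; }`, a module outside this diff, so whether password logins are disabled cannot be checked here; worth confirming given the uplink exposure.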
@@ -0,0 +1,41 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/b56a6a08-60e7-4997-9f7b-05c58006e730";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/3975-DEB6";
+ fsType = "vfat";
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/b196b10b-5480-49b9-a6fb-ed2f21850815"; }
+ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp3s2.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/BOcal/net-user/configuration.nix b/BOcal/net-user/configuration.nix
new file mode 100644
index 0000000..84b4b28
--- /dev/null
+++ b/BOcal/net-user/configuration.nix
@@ -0,0 +1,149 @@
+distant-users-id:
+{ pkgs, lib, users, mods, ... }: {
+ imports = [
+
+
+
+ (users.root { ssh = true; })
+ ];
+ system.stateVersion = "23.11";
+ networking = {
+ hostName = "net-bocal";
+ firewall.enable = false;
+ };
+ time.timeZone = "Europe/Paris";
+ i18n.defaultLocale = "fr_FR.UTF-8";
+ console = {
+ font = "Lat2-Terminus16";
+ keyMap = "fr";
+ };
+ environment.systemPackages = with pkgs; [
+ git
+ ];
+ security.polkit.extraConfig = ''
+ polkit.addRule(function(action, subject) {
+ if (
+ subject.isInGroup("bocal")
+ && (
+ //action.id == "org.freedesktop.login1.chvt" ||
+ action.id == "org.freedesktop.accounts.change-own-password" ||
+ action.id == "org.freedesktop.locale1.set-keyboard" ||
+ action.id == "org.freedesktop.locale1.set-locale" ||
+ action.id == "org.freedesktop.login1.attach-device" ||
+ action.id == "org.freedesktop.login1.flush-devices" ||
+ action.id == "org.freedesktop.login1.halt" ||
+ action.id == "org.freedesktop.login1.halt-ignore-inhibit" ||
+ action.id == "org.freedesktop.login1.halt-multiple-sessions" ||
+ action.id == "org.freedesktop.login1.hibernate" ||
+ action.id == "org.freedesktop.login1.hibernate-ignore-inhibit" ||
+ action.id == "org.freedesktop.login1.hibernate-multiple-sessions" ||
+ action.id == "org.freedesktop.login1.inhibit-block-idle" ||
+ action.id == "org.freedesktop.login1.inhibit-block-shutdown" ||
+ action.id == "org.freedesktop.login1.inhibit-block-sleep" ||
+ action.id == "org.freedesktop.login1.inhibit-delay-shutdown" ||
+ action.id == "org.freedesktop.login1.inhibit-delay-sleep" ||
+ action.id == "org.freedesktop.login1.inhibit-handle-hibernate-key" ||
+ action.id == "org.freedesktop.login1.inhibit-handle-lid-switch" ||
+ action.id == "org.freedesktop.login1.inhibit-handle-power-key" ||
+ action.id == "org.freedesktop.login1.inhibit-handle-reboot-key" ||
+ action.id == "org.freedesktop.login1.inhibit-handle-suspend-key" ||
+ action.id == "org.freedesktop.login1.lock-sessions" ||
+ action.id == "org.freedesktop.login1.manage" ||
+ action.id == "org.freedesktop.login1.power-off" ||
+ action.id == "org.freedesktop.login1.power-off-ignore-inhibit" ||
+ action.id == "org.freedesktop.login1.power-off-multiple-sessions" ||
+ action.id == "org.freedesktop.login1.reboot" ||
+ action.id == "org.freedesktop.login1.reboot-ignore-inhibit" ||
+ action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
+ action.id == "org.freedesktop.login1.set-reboot-parameter" ||
+ action.id == "org.freedesktop.login1.set-reboot-to-boot-loader-entry" ||
+ action.id == "org.freedesktop.login1.set-reboot-to-boot-loader-menu" ||
+ action.id == "org.freedesktop.login1.set-reboot-to-firmware-setup" ||
+ action.id == "org.freedesktop.login1.set-self-linger" ||
+ action.id == "org.freedesktop.login1.set-user-linger" ||
+ action.id == "org.freedesktop.login1.set-wall-message" ||
+ action.id == "org.freedesktop.login1.suspend" ||
+ action.id == "org.freedesktop.login1.suspend-ignore-inhibit" ||
+ action.id == "org.freedesktop.login1.suspend-multiple-sessions"
+ )
+ )
+ {
+ return polkit.Result.NO;
+ }
+ })
+ '';
+
+
+ users.groups.bocal.gid = 2000;
+ users.users = let
+ template = { name, uid }: {
+ inherit name;
+ value = {
+ isNormalUser = true;
+ inherit uid;
+ shell = pkgs.zsh;
+ group = "bocal";
+ homeMode = "750";
+ };
+ };
+ in builtins.listToAttrs (map template distant-users-id) // {
+ root.hashedPassword = "$y$j9T$GK2ejPfMgk0GlBqZX0aBo/$n3nds9zcBi8X8p9aG5Aywq1A.R6Bt/dIOccvfIdMM/1";
+ root.openssh.authorizedKeys.keys = [
+ "ssh-rsa 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 sylvain@idefix"
+ ];
+ };
+ home-manager.users = let
+ template = { name, uid }: {
+ inherit name;
+ value = {
+ home.stateVersion = "23.11";
+ imports = with mods.home; [ zsh neovim ];
+ programs.zsh.profileExtra = "exec ${pkgs.plasma5Packages.plasma-workspace}/bin/startplasma-wayland";
+ programs.firefox.enable = true;
+ home.packages = with pkgs; [
+ gedit
+ ];
+ };
+ };
+ in builtins.listToAttrs (map template distant-users-id);
+
+ services.getty = {
+ loginProgram = pkgs.writeShellScript "autologin" ''
+ ${pkgs.sudo}/bin/sudo -u $BOCAL rm /home/$BOCAL/.local/state/nix/profiles/home-manager*
+ ${pkgs.sudo}/bin/sudo -u $BOCAL rm /home/$BOCAL/.local/state/home-manager/gcroots/current-home
+ ${pkgs.systemd}/bin/systemctl restart home-manager-''${BOCAL}.service
+ exec ${pkgs.shadow}/bin/login -f $BOCAL
+ '';
+ autologinUser = "bocal";
+ };
+ systemd.services.unlock = {
+ wantedBy = ["multi-user.target"];
+ script = ''
+ ${pkgs.dbus}/bin/dbus-monitor --system "type='signal',interface='org.freedesktop.DBus.Properties',path_namespace='/org/freedesktop/login1/session'" | while read x; do
+ case "$x" in
+ *"boolean true"*) ${pkgs.systemd}/bin/loginctl unlock-sessions
+ esac
+ done
+ '';
+ };
+ services.xserver = {
+ enable = true;
+ xkb.layout = "fr";
+ desktopManager.plasma5.enable = true;
+ displayManager.lightdm.enable = false;
+ };
+ fileSystems = let
+ template = { name, uid }: {
+ name = "/home/${name}";
+ value = {
+ device = "192.168.222.1:/home/${name}";
+ fsType = "nfs";
+ };
+ };
+ in {
+ "/home/bocal" = {
+ device = "192.168.222.1:/home/bocal";
+ fsType = "nfs";
+ };
+ } // builtins.listToAttrs (map template distant-users-id);
+}
diff --git a/BOcal/net_config.nix b/BOcal/net_config.nix
new file mode 100644
index 0000000..dc21949
--- /dev/null
+++ b/BOcal/net_config.nix
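Review bot: The getty `loginProgram` script uses `$BOCAL` — which net_config.nix injects via `systemd.setenv=BOCAL=<user>` on the kernel command line — without validating it: if it is empty or not one of the generated users, the two `rm` lines run against `/home/` and `login -f $BOCAL` is executed with no or an arbitrary name, and every expansion is unquoted. A guard before the first `sudo`, e.g. `case "$BOCAL" in ""|*[!a-zA-Z0-9._-]*) exec ${pkgs.shadow}/bin/login ;; esac`, plus quoting `"$BOCAL"` on the four lines, limits the passwordless path to well-formed names. Separately, the `unlock` unit runs `loginctl unlock-sessions` on any session property change whose payload contains `boolean true`, which presumably includes `LockedHint` becoming true, so a lock would be undone as soon as it is set; if that is intended for a kiosk, a comment on the unit should say so. Finally, `root.hashedPassword` is baked into the netboot toplevel that pixiecore/nginx serve to any client on the segment, making the hash available for offline cracking; since the SSH key is already present, the clients could lock root's password with `root.hashedPassword = "!";` instead.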
@@ -0,0 +1,105 @@
+{ lib, users, mods, pkgs, ... }:
+let
+ machines = {
+ "54:bf:64:5d:33:5e" = "arturgo";
+ "54:bf:64:5d:33:f9" = "catvayor";
+ "54:bf:64:5d:32:d4" = "darksysy";
+ "48:4d:7e:d6:fa:1e" = "empraeleerup";
+ "48:4d:7e:d6:cf:57" = "glohuglohu";
+ "54:bf:64:5d:33:7e" = "h";
+ "54:bf:64:5d:32:b7" = "inutile.club";
+ "54:bf:64:5d:33:f5" = "jimmicrosoft";
+ "48:4d:7e:d6:fc:e8" = "krik";
+ "54:bf:64:5d:31:fd" = "loony";
+ };
+ distant-users = builtins.attrValues machines;
+ distant-users-id = builtins.genList (i: { name = builtins.elemAt distant-users i; uid = 2001 + i; }) (builtins.length distant-users);
+ remote_sys = (import (pkgs.path + "/nixos/lib/eval-config.nix") {
+ system = "x86_64-linux";
+ specialArgs = { inherit users mods; };
+ modules = [ (import ./net-user/configuration.nix distant-users-id) ];
+ });
+ remote_build = remote_sys.config.system.build;
+ json_maker = mac: user: pkgs.writeText "netboot-${mac}.json" ''
+ {
+ "kernel": "/kernel",
+ "initrd": [ "/initrd" ],
+ "cmdline": "init=${remote_build.toplevel}/init loglevel=4 systemd.setenv=BOCAL=${user}"
+ }
+ '';
+ json_ln = mac: json: ''ln -s ${json} $out/v1/boot/${mac}'';
+ cmds = [
+ "mkdir -p $out/v1/boot"
+ "ln -s ${remote_build.kernel}/bzImage $out/kernel"
+ "ln -s ${remote_build.netbootRamdisk}/initrd $out/initrd"
+ ] ++ builtins.attrValues (builtins.mapAttrs json_ln (builtins.mapAttrs json_maker machines));
+ webroot = pkgs.runCommand "netboot-apiroot" {} (builtins.concatStringsSep "\n" cmds);
+in {
+ users.groups.bocal.gid = 2000;
+ users.users = let
+ template = { name, uid }: {
+ inherit name;
+ value = {
+ isNormalUser = true;
+ inherit uid;
+ shell = pkgs.zsh;
+ group = "bocal";
+ homeMode = "750";
+ };
+ };
+ in builtins.listToAttrs (map template distant-users-id) // {
+ bocal = {
+ isNormalUser = true;
+ uid = 2000;
+ shell = pkgs.zsh;
+ group = "bocal";
+ homeMode = "750";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor"
+ "ssh-rsa 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 sylvain@idefix"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvGR9LIJrb9fEIuYn4DMAiyPq0gZ/J8Hv/hIcszu0Tp vincent@vincent-ZB"
+ ];
+ };
+ };
+ home-manager.users.bocal = {
+ home.stateVersion = "23.11";
+ imports = with mods.home; [ zsh neovim ];
+ programs.zsh.shellAliases = {
+ "redac" = "/home/bocal/bin/redac";
+ "faire" = "redac faire";
+ };
+ };
+
+ services.pixiecore = {
+ enable = true;
+ openFirewall = true;
+ dhcpNoBind = true;
+ apiServer = "http://localhost:8000";
+ mode = "api";
+ listen = "192.168.222.1";
+ };
+ services.nfs.server = {
+ enable = true;
+ exports = let
+ template = { name, uid }: "/home/${name} 192.168.222.0/24(rw,nohide,insecure,no_subtree_check,anonuid=${builtins.toString uid},anongid=2000)";
+ in builtins.concatStringsSep "\n" ([
+ "/home/bocal 192.168.222.0/24(rw,nohide,insecure,no_subtree_check)"
+ ] ++ map template distant-users-id);
+ };
+ services.dnsmasq = {
+ enable = true;
+ settings = {
+ interface = [ "netboot-client" ];
+ bind-dynamic = true;
+ dhcp-option = "3,0.0.0.0";
+ dhcp-range = "192.168.222.100,192.168.222.200,255.255.255.0,12h";
+ };
+ };
+ services.nginx = {
+ enable = true;
+ virtualHosts."localhost" = {
+ listen = [{ addr = "localhost"; port = 8000; }];
+ root = webroot;
+ };
+ };
+}
diff --git a/BOcal/router.nix b/BOcal/router.nix
new file mode 100644
index 0000000..8494ebd
--- /dev/null
+++ b/BOcal/router.nix
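Review bot: The per-user NFS exports grant `rw` on every home to the whole `192.168.222.0/24`, with `insecure` (requests from non-privileged source ports accepted) and `anonuid=<uid>` so that root-squashed requests are written as the home's owner; the MAC→user table only selects which `cmdline` a PXE client receives, so any host on the bridge, or any unprivileged process on a booted client, can mount and modify every other user's home with the default `sec=sys`. Pinning each client to a fixed address with a dnsmasq `dhcp-host` entry and exporting each home only to that address would restore some separation, and `sec=krb5p` would be the real fix; at minimum drop `insecure` from both templates, e.g. `"/home/${name} 192.168.222.0/24(rw,nohide,no_subtree_check,anonuid=${builtins.toString uid},anongid=2000)"`. The shared `/home/bocal` export keeps default root squashing while the per-user ones map squashed root onto the owner; a comment stating the intended trust model would help the next reader.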
@@ -0,0 +1,59 @@
+{ config, lib, pkgs, ... }: {
+ boot.kernel.sysctl."net.ipv4.ip_forward" = true;
+
+ systemd.network = {
+ enable = true;
+ networks = {
+ "uplink" = {
+ name = "eno1";
+ DHCP = "ipv4";
+ # networkConfig.IPMasquerade = "ipv4";
+ };
+ "10-enp2s0" = {
+ name = "enp2s0";
+ bridge = [ "netboot-client" ];
+ networkConfig = {
+ LLDP = false;
+ EmitLLDP = false;
+ LinkLocalAddressing = false;
+ IPv6AcceptRA = false;
+ IPv6SendRA = false;
+ };
+ };
+ "10-enp3s2" = {
+ name = "enp3s2";
+ bridge = [ "netboot-client" ];
+ networkConfig = {
+ LLDP = false;
+ EmitLLDP = false;
+ LinkLocalAddressing = false;
+ IPv6AcceptRA = false;
+ IPv6SendRA = false;
+ };
+ };
+ "11-netboot-client" = {
+ name = "netboot-client";
+ address = [ "192.168.222.1/24" ];
+ # dhcpServerConfig = {
+ # PoolOffset = 100;
+ # PoolSize = 100;
+ # BootServerAddress = "192.168.222.1";
+ # };
+ };
+ };
+ netdevs."10-client".netdevConfig = {
+ Name = "netboot-client";
+ Kind = "bridge";
+ };
+ };
+ networking.nameservers =
+ [ "208.67.222.222" ];
+
+ networking.nat = {
+ enable = true;
+ internalInterfaces = [ "netboot-client" ];
+ externalInterface = "eno1";
+ };
+
+ services.netbird.enable = true;
+}
diff --git a/hive.nix b/hive.nix
index 870f98f..454058c 100644
--- a/hive.nix
+++ b/hive.nix
@@ -6,9 +6,10 @@ in {
 meta.specialArgs = { inherit mods users; };
- defaults = { pkgs, ... }: {
+ defaults = { name, pkgs, ... }: {
 imports = [ ];
 boot.tmp.useTmpfs = true;
+ networking.hostName = name;
 };
 kat-probook = { name, nodes, ... }: {
@@ -19,7 +20,6 @@ in {
 (users.root { ssh = false; })
 users.catvayor
 ];
- networking.hostName = name;
 };
 kat-r86s = { name, nodes, ... }: {
@@ -28,7 +28,6 @@ in {
 ./machines/kat-r86s/configuration.nix
 (users.root { ssh = true; })
 ];
- networking.hostName = name;
 };
 kat-test = { name, nodes, ... }: {
@@ -42,7 +41,6 @@ in {
 (users.root { ssh = true; })
 users.catvayor
 ];
- networking.hostName = name;
 home-manager.users.catvayor = {
 imports = [ mods.home.mail ];
 };
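Review bot: `boot.kernel.sysctl."net.ipv4.ip_forward" = true;` together with `networking.nat` makes the host forward between all its interfaces, but nothing here restricts the direction, and configuration.nix in the same commit sets `networking.firewall.enable = false;`; the NixOS nat module only adds masquerading, so packets arriving on eno1 — or from peers of the `services.netbird.enable = true;` overlay, which adds a further ingress interface — addressed to `192.168.222.0/24` are forwarded onto the netboot bridge if the sender has a route. Re-enabling the firewall with `networking.firewall.trustedInterfaces = [ "netboot-client" ];` keeps the client side open while eno1 and netbird fall back to the default policy. Also, LLDP/RA suppression is applied to the two bridge ports but not to the `netboot-client` bridge interface itself, so it can still accept router advertisements from a client; adding `networkConfig.IPv6AcceptRA = false;` under `"11-netboot-client"` makes it consistent with its members.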
@@ -55,12 +53,19 @@ in {
 ./machines/kat-virt/configuration.nix
 (users.root { ssh = true; })
 ];
- networking.hostName = name;
 users.users.root.openssh.authorizedKeys.keys = [
 "ssh-rsa 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 sylvain@idefix"
 ];
 };
+ BOcal = {
+ deployment.targetHost = "192.168.222.1";
+ imports = [ ./BOcal/configuration.nix ];
+
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-rsa 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 sylvain@idefix"
+ ];
+ };
 kat-iso = { name, pkgs, ... }:{
 deployment = {
@@ -74,7 +79,6 @@ in {
 ];
 networking = {
- hostName = name;
 networkmanager.enable = true;
 wireless.enable = false;
 };