2023-06-15 16:44:31 +02:00
|
|
|
# NUC in my closet.
|
|
|
|
_: # ignore readTree options
|
|
|
|
|
|
|
|
{ config, depot, lib, pkgs, ... }:
|
|
|
|
|
|
|
|
let
|
|
|
|
mod = name: depot.path.origSrc + ("/ops/modules/" + name);
|
|
|
|
usermod = name: depot.path.origSrc + ("/users/tazjin/nixos/modules/" + name);
|
|
|
|
in
|
|
|
|
{
|
|
|
|
imports = [
|
|
|
|
(mod "quassel.nix")
|
|
|
|
(mod "www/base.nix")
|
2023-10-01 00:49:43 +02:00
|
|
|
(usermod "airsonic.nix")
|
|
|
|
(usermod "geesefs.nix")
|
2024-09-14 22:24:10 +02:00
|
|
|
(usermod "homepage.nix")
|
|
|
|
(usermod "miniflux.nix")
|
2023-06-15 23:29:04 +02:00
|
|
|
(usermod "predlozhnik.nix")
|
2023-06-18 14:25:45 +02:00
|
|
|
(usermod "tgsa.nix")
|
|
|
|
(depot.third_party.agenix.src + "/modules/age.nix")
|
2023-06-15 16:44:31 +02:00
|
|
|
];
|
|
|
|
|
|
|
|
boot = {
|
|
|
|
loader.systemd-boot.enable = true;
|
|
|
|
loader.efi.canTouchEfiVariables = true;
|
|
|
|
initrd.availableKernelModules = [ "ahci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci" ];
|
|
|
|
kernelModules = [ "kvm-intel" ];
|
|
|
|
kernelParams = [ "nomodeset" ];
|
|
|
|
};
|
|
|
|
|
|
|
|
nix.settings.trusted-users = [ "tazjin" ];
|
|
|
|
|
|
|
|
fileSystems = {
|
|
|
|
"/" = {
|
|
|
|
device = "rpool/root";
|
|
|
|
fsType = "zfs";
|
|
|
|
};
|
|
|
|
|
|
|
|
"/boot" = {
|
|
|
|
device = "/dev/disk/by-uuid/E214-E6B3";
|
|
|
|
fsType = "vfat";
|
|
|
|
};
|
|
|
|
|
|
|
|
"/var" = {
|
|
|
|
device = "rpool/var";
|
|
|
|
fsType = "zfs";
|
|
|
|
};
|
|
|
|
|
|
|
|
"/home" = {
|
|
|
|
device = "rpool/home";
|
|
|
|
fsType = "zfs";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
hardware.cpu.intel.updateMicrocode = true;
|
|
|
|
hardware.enableRedistributableFirmware = true;
|
|
|
|
services.fwupd.enable = true;
|
|
|
|
|
|
|
|
networking = {
|
|
|
|
hostName = "koptevo";
|
|
|
|
hostId = "07bbbf4f";
|
|
|
|
domain = "tazj.in";
|
|
|
|
useDHCP = true;
|
|
|
|
firewall.enable = true;
|
2024-09-14 22:12:08 +02:00
|
|
|
firewall.allowedTCPPorts = [ 22 80 443 8776 9443 ];
|
2023-06-15 16:44:31 +02:00
|
|
|
|
|
|
|
wireless.enable = true;
|
|
|
|
wireless.networks."How do I computer fast?" = {
|
|
|
|
psk = "washyourface";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
time.timeZone = "UTC";
|
|
|
|
|
2024-09-14 21:52:54 +02:00
|
|
|
security.acme = {
|
|
|
|
acceptTerms = true;
|
|
|
|
defaults.email = lib.mkForce "acme@tazj.in";
|
|
|
|
|
|
|
|
# wildcard cert for usage with Yggdrasil services
|
|
|
|
certs."y.tazj.in" = {
|
|
|
|
dnsProvider = "yandexcloud";
|
|
|
|
credentialFiles.YANDEX_CLOUD_IAM_TOKEN_FILE = "/run/agenix/lego-yandex";
|
|
|
|
extraDomainNames = [ "*.y.tazj.in" ];
|
|
|
|
|
|
|
|
# folder tvl/tazjin-private/default
|
|
|
|
environmentFile = builtins.toFile "lego-yandex-env" ''
|
|
|
|
YANDEX_CLOUD_FOLDER_ID=b1gq41rsbggeum4qafnh
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
2023-06-15 16:44:31 +02:00
|
|
|
|
|
|
|
programs.fish.enable = true;
|
|
|
|
|
|
|
|
users.users.tazjin = {
|
|
|
|
isNormalUser = true;
|
2023-06-15 22:20:07 +02:00
|
|
|
extraGroups = [ "wheel" "docker" "systemd-journal" ];
|
2023-06-15 16:44:31 +02:00
|
|
|
shell = pkgs.fish;
|
|
|
|
openssh.authorizedKeys.keys = depot.users.tazjin.keys.all;
|
|
|
|
};
|
|
|
|
|
2024-09-14 22:24:30 +02:00
|
|
|
users.users.nginx.extraGroups = [ "acme" ];
|
|
|
|
|
2023-06-18 14:25:45 +02:00
|
|
|
age.secrets =
|
|
|
|
let
|
|
|
|
secretFile = name: depot.users.tazjin.secrets."${name}.age";
|
|
|
|
in
|
|
|
|
{
|
2024-09-14 21:52:54 +02:00
|
|
|
lego-yandex.file = secretFile "lego-yandex";
|
2023-06-18 14:25:45 +02:00
|
|
|
tgsa-yandex.file = secretFile "tgsa-yandex";
|
|
|
|
};
|
|
|
|
|
2023-06-15 16:44:31 +02:00
|
|
|
security.sudo.wheelNeedsPassword = false;
|
|
|
|
|
2023-06-15 22:20:07 +02:00
|
|
|
services.openssh.enable = true;
|
|
|
|
|
2023-06-15 16:44:31 +02:00
|
|
|
services.depot.quassel = {
|
|
|
|
enable = true;
|
|
|
|
acmeHost = "koptevo.tazj.in";
|
|
|
|
bindAddresses = [
|
|
|
|
"0.0.0.0"
|
|
|
|
];
|
|
|
|
};
|
|
|
|
|
feat(ops): introduce (head|tail)scale server at net.tvl.fyi
This runs a headscale server on sanduny which lets users join their
machines to the TVL tailscale network.
This would theoretically let people communicate with each other on the
internal network, but also more notably joined servers can advertise
exit node capability so that we can have our own "VPN network", for
starters with endpoints in Germany, UK and Russia (whitby, sanduny and
koptevo respectively).
This setup isn't fully stable yet, notably:
* The IP range used by tailscale is just the default one right now,
I'm not sure if that should be changed or what.
* The system is stateful (on sanduny), but the state is not (yet)
backed up anywhere. Use with caution.
* Machine joining is a manual process requiring SSH & root access to
sanduny.
The process is to log in to sanduny, then get a headscale shell with
`sudo -u headscale bash`, and to use the `headscale` CLI within
there to administrate access.
I've opted to create a user account `tvl` for TVL-owned machines,
and a personal account for myself and my machines.
Change-Id: I4f1be1fe8062a6c2e77203ff72fe8709f4e4dec8
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8837
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
2023-06-20 13:59:01 +02:00
|
|
|
services.tailscale = {
|
|
|
|
enable = true;
|
|
|
|
useRoutingFeatures = "server"; # for exit-node usage
|
|
|
|
};
|
|
|
|
|
2023-06-15 16:44:31 +02:00
|
|
|
# Automatically collect garbage from the Nix store.
|
|
|
|
services.depot.automatic-gc = {
|
|
|
|
enable = true;
|
|
|
|
interval = "daily";
|
2023-09-30 22:21:24 +02:00
|
|
|
diskThreshold = 15; # GiB
|
|
|
|
maxFreed = 10; # GiB
|
2023-06-15 16:44:31 +02:00
|
|
|
preserveGenerations = "14d";
|
|
|
|
};
|
|
|
|
|
2023-06-15 22:20:56 +02:00
|
|
|
services.nginx.virtualHosts."koptevo.tazj.in" = {
|
|
|
|
addSSL = true;
|
|
|
|
enableACME = true;
|
|
|
|
|
|
|
|
extraConfig = ''
|
|
|
|
location = / {
|
|
|
|
return 302 https://at.tvl.fyi/?q=%2F%2Fusers%2Ftazjin%2Fnixos%2Fkoptevo%2Fdefault.nix;
|
|
|
|
}
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2024-04-24 16:05:45 +02:00
|
|
|
# I don't use the podcast nor playlist feature,
|
|
|
|
# but I *have to* supply podcasts to gonic ...
|
2023-09-30 22:21:24 +02:00
|
|
|
systemd.tmpfiles.rules = [
|
|
|
|
"d /tmp/fake-podcasts 0555 nobody nobody -"
|
2024-04-24 16:05:45 +02:00
|
|
|
"d /tmp/fake-playlists 0555 nobody nobody -"
|
2023-09-30 22:21:24 +02:00
|
|
|
];
|
|
|
|
|
|
|
|
services.gonic = {
|
|
|
|
enable = true;
|
|
|
|
settings = {
|
|
|
|
listen-addr = "0.0.0.0:4747";
|
|
|
|
scan-interval = 5;
|
|
|
|
scan-at-start-enabled = true;
|
|
|
|
podcast-path = [ "/tmp/fake-podcasts" ];
|
2024-04-24 16:05:45 +02:00
|
|
|
playlists-path = [ "/tmp/fake-playlists" ];
|
2023-09-30 22:21:24 +02:00
|
|
|
music-path = [ "/var/lib/geesefs/tazjins-files/music" ];
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2023-10-01 23:53:57 +02:00
|
|
|
# hack to work around the strict sandboxing of the gonic module
|
2024-02-26 12:28:52 +01:00
|
|
|
# breaking DNS resolution
|
2023-10-01 23:53:57 +02:00
|
|
|
systemd.services.gonic.serviceConfig.BindReadOnlyPaths = [
|
|
|
|
"-/etc/resolv.conf"
|
|
|
|
];
|
|
|
|
|
2024-02-26 12:28:52 +01:00
|
|
|
# add a hard dependency on the FUSE mount
|
|
|
|
systemd.services.gonic.requires = [ "geesefs.service" ];
|
|
|
|
|
2023-09-30 22:21:24 +02:00
|
|
|
services.nginx.virtualHosts."music.tazj.in" = {
|
|
|
|
addSSL = true;
|
|
|
|
enableACME = true;
|
|
|
|
|
|
|
|
locations."/" = {
|
|
|
|
proxyPass = "http://127.0.0.1:4747";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2023-06-15 16:44:31 +02:00
|
|
|
# List packages installed in system profile. To search, run:
|
|
|
|
# $ nix search wget
|
|
|
|
environment.systemPackages = with pkgs; [
|
2024-09-13 11:25:24 +02:00
|
|
|
bat
|
2023-06-15 16:44:31 +02:00
|
|
|
curl
|
2024-09-13 11:25:24 +02:00
|
|
|
emacs-nox
|
2023-06-15 16:44:31 +02:00
|
|
|
htop
|
|
|
|
jq
|
|
|
|
nano
|
2024-09-13 11:25:24 +02:00
|
|
|
nmap
|
|
|
|
radicle-node
|
2023-06-15 16:44:31 +02:00
|
|
|
wget
|
|
|
|
];
|
|
|
|
|
2024-09-14 22:12:08 +02:00
|
|
|
# configure Yggdrasil network
|
|
|
|
services.yggdrasil = {
|
|
|
|
enable = true;
|
|
|
|
persistentKeys = true;
|
|
|
|
openMulticastPort = true;
|
|
|
|
|
|
|
|
settings = {
|
2024-09-16 01:19:07 +02:00
|
|
|
Listen = [ "tls://[::]:9443" ]; # yggd
|
2024-09-14 22:12:08 +02:00
|
|
|
IfName = "ygg0";
|
|
|
|
Peers = [
|
|
|
|
"quic://ygg-msk-1.averyan.ru:8364"
|
|
|
|
"tls://ekb.itrus.su:7992"
|
|
|
|
"tls://s-mow-1.sergeysedoy97.ru:65534"
|
|
|
|
];
|
|
|
|
|
|
|
|
MulticastInterfaces = [{
|
|
|
|
Regex = "enp.*";
|
|
|
|
Beacon = true;
|
|
|
|
Listen = true;
|
2024-09-16 01:19:07 +02:00
|
|
|
Port = 0;
|
2024-09-14 22:12:08 +02:00
|
|
|
}];
|
2024-09-14 23:00:51 +02:00
|
|
|
|
|
|
|
AllowedPublicKeys = [
|
2024-09-16 01:19:07 +02:00
|
|
|
"573fd89392e2741ead4edd85034c91c88f1e560d991bbdbf1fccb6233db4d325" # khamovnik
|
2024-09-14 23:00:51 +02:00
|
|
|
];
|
2024-09-14 22:12:08 +02:00
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2024-09-15 00:24:34 +02:00
|
|
|
# TODO(tazjin): move this to a module for radicle stuff
|
|
|
|
services.radicle = {
|
|
|
|
enable = true;
|
|
|
|
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILHs6jSvMdtu9oJCt48etEs8ExjfGY5PmWQsRzFleogS";
|
|
|
|
privateKeyFile = "/etc/secrets/radicle"; # TODO: to manage, or not to manage ...
|
|
|
|
|
|
|
|
settings = {
|
|
|
|
web.pinned.repositories = [
|
2024-09-15 01:08:44 +02:00
|
|
|
"rad:z3r5zMi9U3az3i4cPKxMcA3K7xx9L" # depot
|
2024-09-15 00:24:34 +02:00
|
|
|
"rad:z2mdnBK1tX6pibdBfRct3ThCgheHu" # tvix-go
|
|
|
|
];
|
|
|
|
|
|
|
|
node = {
|
|
|
|
alias = "rad.tazj.in";
|
|
|
|
seedingPolicy.default = "block";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
node = {
|
|
|
|
openFirewall = true;
|
|
|
|
listenAddress = "[::]";
|
|
|
|
};
|
|
|
|
|
|
|
|
httpd = {
|
|
|
|
enable = true;
|
|
|
|
listenAddress = "127.0.0.1";
|
|
|
|
listenPort = 7235; # radl
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
services.nginx.virtualHosts."rad.tazj.in" = {
|
|
|
|
enableACME = true;
|
|
|
|
forceSSL = true;
|
|
|
|
locations."/".proxyPass = "http://127.0.0.1:7235";
|
|
|
|
};
|
|
|
|
|
|
|
|
services.nginx.virtualHosts."rad.y.tazj.in" = {
|
|
|
|
enableSSL = true;
|
|
|
|
useACMEHost = "y.tazj.in";
|
2024-09-15 01:08:44 +02:00
|
|
|
locations = config.services.nginx.virtualHosts."rad.tazj.in".locations;
|
|
|
|
};
|
|
|
|
|
|
|
|
services.nginx.virtualHosts."src.tazj.in" = {
|
|
|
|
enableACME = true;
|
|
|
|
forceSSL = true;
|
2024-09-15 01:57:17 +02:00
|
|
|
root = depot.third_party.radicle-explorer.withPreferredSeeds [{
|
|
|
|
hostname = "rad.tazj.in";
|
|
|
|
port = 443;
|
|
|
|
scheme = "https";
|
|
|
|
}];
|
2024-09-15 01:08:44 +02:00
|
|
|
|
|
|
|
locations."/" = {
|
|
|
|
index = "index.html";
|
|
|
|
extraConfig = ''
|
|
|
|
try_files $uri $uri/ /index.html;
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
services.nginx.virtualHosts."src.y.tazj.in" = {
|
|
|
|
enableSSL = true;
|
|
|
|
useACMEHost = "y.tazj.in";
|
2024-09-15 01:57:17 +02:00
|
|
|
root = depot.third_party.radicle-explorer.withPreferredSeeds [{
|
|
|
|
hostname = "rad.y.tazj.in";
|
|
|
|
port = 443;
|
|
|
|
scheme = "https";
|
|
|
|
}];
|
|
|
|
|
2024-09-15 01:08:44 +02:00
|
|
|
locations = config.services.nginx.virtualHosts."src.tazj.in".locations;
|
2024-09-15 00:24:34 +02:00
|
|
|
};
|
|
|
|
|
2023-06-15 16:44:31 +02:00
|
|
|
programs.mtr.enable = true;
|
|
|
|
programs.mosh.enable = true;
|
2023-10-01 13:17:21 +02:00
|
|
|
zramSwap.enable = true;
|
2023-06-15 22:20:07 +02:00
|
|
|
|
2023-06-15 16:44:31 +02:00
|
|
|
system.stateVersion = "23.05";
|
|
|
|
}
|