feat(gs/system): Init mugwump

Init the config for mugwump, a NUC that I bought from ncl and which I'm going to use as a simple home server and ssh bastion box. Since this is the first time I've set up a server using my nixos config, this also moves a bunch of desktop (xserver, audio, etc.) related config out of modules/common.nix and into a new modules/desktop.nix. Coming soon: nixos-rebuild switch --target, but in the depot! Change-Id: I67bd5ba6e3c26f80f77058af186fd41cc245d5d2 Reviewed-on: https://cl.tvl.fyi/c/depot/+/2016 Reviewed-by: glittershark <grfn@gws.fyi> Tested-by: BuildkiteCI
2020-09-29 23:42:59 -04:00 · 2020-09-29 23:42:59 -04:00 · 3fc1143a04
commit 3fc1143a04
parent 734d07b864
6 changed files with 144 additions and 61 deletions
--- a/users/glittershark/system/home/modules/common.nix
+++ b/users/glittershark/system/home/modules/common.nix
@ -45,4 +45,23 @@
    nix-review
    cachix
  ];
+
+  programs.ssh = {
+    enable = true;
+
+    matchBlocks = {
+      "dobharchu" = {
+        host = "dobharchu";
+        hostname = "172.16.0.4";
+        forwardAgent = true;
+        user = "griffin";
+      };
+
+      "mugwump" = {
+        host = "mugwump";
+        hostname = "172.16.0.5";
+        forwardAgent = true;
+      };
+    };
+  };
 }
--- a/users/glittershark/system/system/default.nix
+++ b/users/glittershark/system/system/default.nix
@ -7,11 +7,19 @@ rec {
    configuration = chupacabra;
  }).system;

+  mugwump = import ./machines/mugwump.nix;
+
+  mugwumpSystem = (pkgs.nixos {
+    configuration = mugwump;
+  }).system;
+
  iso = import ./iso.nix args;

  # Build chupacabra in CI
  meta.targets = [
    "chupacabraSystem"
+    "mugwumpSystem"
+
    "iso"
  ];

--- a/users/glittershark/system/system/machines/chupacabra.nix
+++ b/users/glittershark/system/system/machines/chupacabra.nix
@ -7,6 +7,7 @@
    ../modules/tvl.nix
    ../modules/urbint.nix
    ../modules/fcitx.nix
+    ../modules/rtlsdr.nix
    ../../../../../ops/nixos/v4l2loopback.nix
  ];

@ -101,4 +102,15 @@
    libvdpau-va-gl
    intel-media-driver
  ];
+
+  services.udev.extraRules = ''
+    # UDEV rules for Teensy USB devices
+    ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", ENV{ID_MM_DEVICE_IGNORE}="1"
+    ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789A]?", ENV{MTP_NO_PROBE}="1"
+    SUBSYSTEMS=="usb", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789ABCD]?", MODE:="0666"
+    KERNEL=="ttyACM*", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", MODE:="0666"
+  '';
+
+  # Necessary to get steam working
+  hardware.opengl.driSupport32Bit = true;
 }
--- a/users/glittershark/system/system/machines/mugwump.nix
+++ b/users/glittershark/system/system/machines/mugwump.nix
@ -0,0 +1,74 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [
+    ../modules/common.nix
+    ../modules/tvl.nix
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  networking.hostName = "mugwump";
+
+  boot = {
+    loader.systemd-boot.enable = true;
+
+    kernelModules = [ "kvm-intel" ];
+    extraModulePackages = [ ];
+
+    initrd = {
+      availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+      kernelModules = [
+        "uas" "usbcore" "usb_storage" "vfat" "nls_cp437" "nls_iso8859_1"
+      ];
+
+      postDeviceCommands = pkgs.lib.mkBefore ''
+        mkdir -m 0755 -p /key
+        sleep 2
+        mount -n -t vfat -o ro `findfs UUID=9048-A9D5` /key
+      '';
+
+      luks.devices."cryptroot" = {
+        device = "/dev/disk/by-uuid/803a9028-339c-4617-a213-4fe138161f6d";
+        keyFile = "/key/keyfile";
+        preLVM = false;
+      };
+    };
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/mapper/cryptroot";
+      fsType = "btrfs";
+    };
+    "/boot" = {
+      device = "/dev/disk/by-uuid/7D74-0E4B";
+      fsType = "vfat";
+    };
+  };
+
+  networking.interfaces = {
+    enp0s25.useDHCP = false;
+    wlp2s0.useDHCP = false;
+  };
+
+  networking.firewall.enable = true;
+  networking.firewall.allowedTCPPorts = [ 22 ];
+
+  security.sudo.extraRules = [{
+    groups = ["wheel"];
+    commands = [{ command = "ALL"; options = ["NOPASSWD"]; }];
+  }];
+
+  services.fail2ban = {
+    enable = true;
+    ignoreIP = [
+      "172.16.0.0/16"
+    ];
+  };
+
+  services.openssh = {
+    allowSFTP = false;
+    passwordAuthentication = false;
+    permitRootLogin = "no";
+  };
+}
--- a/users/glittershark/system/system/modules/common.nix
+++ b/users/glittershark/system/system/modules/common.nix
@ -6,30 +6,19 @@ let

 in

-{
-  imports =
-    [
-      ./xserver.nix
-      ./fonts.nix
-      ./sound.nix
-      ./kernel.nix
-      ./rtlsdr.nix
-    ];
+with lib;

+{
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  networking.useDHCP = false;
  networking.networkmanager.enable = true;

-  # Select internationalisation properties.
-  # i18n = {
-  #   consoleFont = "Lat2-Terminus16";
-  #   consoleKeyMap = "us";
-  #   defaultLocale = "en_US.UTF-8";
-  # };
+  i18n = {
+    defaultLocale = "en_US.UTF-8";
+  };

-  # Set your time zone.
  time.timeZone = "America/New_York";

  environment.systemPackages = with pkgs; [
@ -44,30 +33,11 @@ in
    depot.users.glittershark.system.system.rebuilder
  ];

-  # Some programs need SUID wrappers, can be configured further or are
-  # started in user sessions.
-  # programs.mtr.enable = true;
-  # programs.gnupg.agent = {
-  #   enable = true;
-  #   enableSSHSupport = true;
-  #   pinentryFlavor = "gnome3";
-  # };
-
-  programs.nm-applet.enable = true;
-
-
  services.openssh.enable = true;

  programs.ssh.startAgent = true;

-  # Open ports in the firewall.
-  # networking.firewall.allowedTCPPorts = [ ... ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
-  # Or disable the firewall altogether.
-  networking.firewall.enable = false;
-
-  # Enable CUPS to print documents.
-  # services.printing.enable = true;
+  networking.firewall.enable = mkDefault false;

  users.mutableUsers = true;
  programs.zsh.enable = true;
@ -94,20 +64,6 @@ in

  nixpkgs.config.allowUnfree = true;

-  services.geoclue2.enable = true;
-
-  powerManagement = {
-    enable = true;
-    cpuFreqGovernor = lib.mkDefault "powersave";
-    powertop.enable = true;
-  };
-  # Hibernate on low battery
-  laptop.onLowBattery = {
-    enable = true;
-    action = "hibernate";
-    thresholdPercentage = 5;
-  };
-
  nix = {
    trustedUsers = [ "grfn" ];
    autoOptimiseStore = true;
@ -139,15 +95,4 @@ in
      options = "--delete-older-than 30d";
    };
  };
-
-  services.udev.extraRules = ''
-    # UDEV rules for Teensy USB devices
-    ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", ENV{ID_MM_DEVICE_IGNORE}="1"
-    ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789A]?", ENV{MTP_NO_PROBE}="1"
-    SUBSYSTEMS=="usb", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789ABCD]?", MODE:="0666"
-    KERNEL=="ttyACM*", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", MODE:="0666"
-  '';
-
-  # Necessary to get steam working
-  hardware.opengl.driSupport32Bit = true;
 }
--- a/users/glittershark/system/system/modules/desktop.nix
+++ b/users/glittershark/system/system/modules/desktop.nix
@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    ./xserver.nix
+    ./fonts.nix
+    ./sound.nix
+    ./kernel.nix
+  ];
+
+  programs.nm-applet.enable = true;
+
+  users.users.grfn.extraGroups = [
+    "audio"
+    "video"
+  ];
+
+  services.geoclue2.enable = true;
+
+  powerManagement = {
+    enable = true;
+    cpuFreqGovernor = lib.mkDefault "powersave";
+    powertop.enable = true;
+  };
+}