
Merge branch 'master' of ssh://gitea.c3d2.de:2222/C3D2/nix-config

Daniel Poelzleithner 1 year ago
parent
commit
60f270224b
  1. 65
      flake.lock
  2. 23
      flake.nix
  3. 2
      host-registry.nix
  4. 3
      hosts/containers/deployer/configuration.nix
  5. 5
      hosts/containers/dhcp/configuration.nix
  6. 12
      hosts/containers/dn42/configuration.nix
  7. 4
      hosts/containers/dnscache/configuration.nix
  8. 2
      hosts/containers/elastic/configuration.nix
  9. 2
      hosts/containers/freifunk/sysinfo-json.nix
  10. 14
      hosts/containers/grafana/configuration.nix
  11. 66
      hosts/containers/kibana/configuration.nix
  12. 13
      hosts/containers/ledstripes/configuration.nix
  13. 2
      hosts/containers/logging/configuration.nix
  14. 14
      hosts/containers/lxc-template.nix
  15. 2
      hosts/containers/mongo/configuration.nix
  16. 6
      hosts/containers/mucbot/configuration.nix
  17. 14
      hosts/containers/public-access-proxy/configuration.nix
  18. 127
      hosts/containers/scrape/configuration.nix
  19. 7
      hosts/containers/spaceapi/configuration.nix
  20. 30
      hosts/glotzbert/configuration.nix
  21. 28
      hosts/glotzbert/hardware-configuration.nix
  22. 292
      hosts/pulsebert/configuration.nix
  23. 30
      hosts/pulsebert/hardware-configuration.nix
  24. 17
      hosts/pulsebert/home.nix
  25. 23
      hosts/pulsebert/mpdConsole.nix
  26. 2
      hosts/server7/containers/outer-defaults.nix
  27. 14
      hosts/server7/containers/storage/default.nix
  28. 57
      hosts/server7/default.nix
  29. 113
      hosts/server7/hardware-configuration.nix
  30. 14
      hosts/server7/nix-serve.nix
  31. 3
      hosts/server7/yggdrasil-prefix.nix
  32. 4
      hq.nixops
  33. 14
      krops.nix
  34. 4
      lib/default.nix
  35. 15
      lib/lxc-container.nix
  36. 0
      lib/server7-yggaddr.nix
  37. 2
      secrets

65
flake.lock

@ -1,39 +1,33 @@
{
"nodes": {
"hydra": {
"info": {
"lastModified": 1587883324,
"narHash": "sha256-WQxv9rrG2HX8j2UfXjifeBkMjgea3uIAEB3Swv+IIus="
},
"inputs": {
"nix": "nix",
"nixpkgs": "nixpkgs_2"
},
"locked": {
"owner": "ehmry",
"lastModified": 1593509723,
"narHash": "sha256-ESv86LNnQQy5cYqeC1S4otpvkA8ABgs/zbge8xp35aE=",
"owner": "NixOS",
"repo": "hydra",
"rev": "e93c36aab1bf96cf392ab0e40157b0620638b599",
"rev": "d0deebc4fc95dbeb0249f7b774b03d366596fbed",
"type": "github"
},
"original": {
"owner": "ehmry",
"ref": "sotest",
"repo": "hydra",
"type": "github"
"id": "hydra",
"type": "indirect"
}
},
"nix": {
"info": {
"lastModified": 1586440843,
"narHash": "sha256-7YxrpRPmAOoCSl6KtepKCXcae5MUm1Pl+lwDunBFGoo="
},
"inputs": {
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1592818267,
"narHash": "sha256-t66Ny6NDA9sQa0U79iqo4w7tEBitUGgio9U/H6z3QpE=",
"owner": "NixOS",
"repo": "nix",
"rev": "3aaceeb7e2d3fb8a07a1aa5a21df1dca6bbaa0ef",
"rev": "334e26bfc2ce82912602e8a0f9f9c7e0fb5c3221",
"type": "github"
},
"original": {
@ -42,14 +36,12 @@
}
},
"nixpkgs": {
"info": {
"lastModified": 1585405475,
"narHash": "sha256-bESW0n4KgPmZ0luxvwJ+UyATrC6iIltVCsGdLiphVeE="
},
"locked": {
"lastModified": 1591633336,
"narHash": "sha256-oVXv4xAnDJB03LvZGbC72vSVlIbbJr8tpjEW5o/Fdek=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "b88ff468e9850410070d4e0ccd68c7011f15b2be",
"rev": "70717a337f7ae4e486ba71a500367cad697e5f09",
"type": "github"
},
"original": {
@ -59,14 +51,12 @@
}
},
"nixpkgs_2": {
"info": {
"lastModified": 1586219474,
"narHash": "sha256-fvfrMnEA2lDnXvH/eInGV5i0sO/EGLVHa4pOek8VG78="
},
"locked": {
"lastModified": 1592263354,
"narHash": "sha256-1wHPn5qKfzfG06dZhpXDEg5Zt6HwvfyPPgW1tkYFejg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "29eddfc36d720dcc4822581175217543b387b1e8",
"rev": "a84b797b28eb104db758b5cb2b61ba8face6744b",
"type": "github"
},
"original": {
@ -75,31 +65,16 @@
"type": "indirect"
}
},
"nixpkgs_3": {
"info": {
"lastModified": 1586724123,
"narHash": "sha256-VQ7zZy2xpz6dULpjar4jxNaQ0N/2q68l+EYO2nXaXDo="
},
"locked": {
"owner": "nixos",
"repo": "nixpkgs-channels",
"rev": "708cb6b307b04ad862cc50de792e57e7a4a8bb5a",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-20.03",
"repo": "nixpkgs-channels",
"type": "github"
}
},
"root": {
"inputs": {
"hydra": "hydra",
"nixpkgs": "nixpkgs_3"
"nixpkgs": [
"hydra",
"nixpkgs"
]
}
}
},
"root": "root",
"version": 5
"version": 7
}

23
flake.nix

@ -1,17 +1,18 @@
{
description = "C3D2 NixOS configurations";
edition = 201909;
inputs.nixpkgs.url = "github:nixos/nixpkgs-channels/nixos-20.03";
inputs.hydra.url = "github:ehmry/hydra/sotest";
inputs = {
nixpkgs.follows = "hydra/nixpkgs";
# nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
# secrets.url = "git+file:///etc/nixos/secrets";
};
outputs = { self, nixpkgs, hydra }: {
nixosConfigurations = {
server7 = nixpkgs.lib.nixosSystem {
modules = [ ./hosts/server7 hydra.nixosModules.hydra ];
glotzbert = nixpkgs.lib.nixosSystem {
modules = [ ./hosts/glotzbert/configuration.nix ];
system = "x86_64-linux";
};
@ -20,8 +21,18 @@
system = "x86_64-linux";
};
kibana = nixpkgs.lib.nixosSystem {
modules = [ ./hosts/containers/kibana/configuration.nix ];
system = "x86_64-linux";
};
pulsebert = nixpkgs.lib.nixosSystem {
modules = [ ./hosts/pulsebert/configuration.nix ];
system = "aarch64-linux";
};
server7 = nixpkgs.lib.nixosSystem {
modules = [ ./hosts/server7 hydra.nixosModules.hydra ];
system = "x86_64-linux";
};
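Review bot: The new `inputs` block in the first hunk no longer declares `hydra` at all — it is only named in `outputs = { self, nixpkgs, hydra }` — so it has become an indirect input resolved through the flake registry (flake.lock records `"id": "hydra", "type": "indirect"`), and because of `nixpkgs.follows = "hydra/nixpkgs"` every host's nixpkgs is now whatever that upstream happens to lock. The lock file is the only thing binding this to a concrete repository, so a lock update on a machine with a different registry could silently swap the source of both hydra and nixpkgs without any change to flake.nix. Declaring the input explicitly, e.g. `inputs.hydra.url = "github:NixOS/hydra";` (the owner/repo the lock currently resolves to), together with a comment such as `# all hosts use the nixpkgs that the hydra input locks; updating hydra therefore moves nixpkgs for every host` would make the dependency chain visible to the next maintainer.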

2
host-registry.nix

@ -9,7 +9,7 @@ rec {
ledstripes = {};
glotzbert.publicKey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHPrkD07abpTU/66fEjmiMYsUfJCSF62MVFe8BED7wu4";
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAnEWn/8CKIiCtehh6Ha3XUQqjODj0ygyo3aGAsFWgfG";
hydra.publicKey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDhurL/sxsXRglKdLfiWIcK+iqpyhGrGt/MoBODsgvig";

3
hosts/containers/deployer/configuration.nix

@ -25,6 +25,9 @@
htop
];
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.16"; prefixLength = 26; } ];
networking.defaultGateway = "172.20.73.1";
networking = {
hostName = "deployer";
# usePredictableInterfacenames = false;

5
hosts/containers/dhcp/configuration.nix

@ -31,7 +31,10 @@
services.dhcpd4 = {
enable = true;
interfaces = [ "eth0" ];
extraConfig = builtins.readFile ../../../secrets/hosts/dhcp/config;
extraConfig = ''
authoritative;
'' + builtins.readFile ../../../secrets/hosts/dhcp/config;
};
# This value determines the NixOS release with which your system is to be

12
hosts/containers/dn42/configuration.nix

@ -30,8 +30,6 @@ in {
environment.systemPackages = with pkgs; [
vim
# for `vtysh`
quagga
];
# SSH for nixops
@ -41,6 +39,12 @@ in {
# No Firewalling!
networking.firewall.enable = false;
boot.postBootCommands = ''
if [ ! -c /dev/net/tun ]; then
mkdir -p /dev/net
mknod -m 666 /dev/net/tun c 10 200
fi
'';
services.openvpn =
let
openvpnNeighbors = lib.filterAttrs (_: conf: conf ? openvpn) neighbors;
@ -63,7 +67,9 @@ in {
secret ${keyfile name}
'';
up = ''
${pkgs.iproute}/bin/ip a a fe80::deca:fbad/64 dev $1
${pkgs.iproute}/bin/ip addr flush dev $1
${pkgs.iproute}/bin/ip addr add ${address4} dev ${name} peer ${conf.address4}/32
${pkgs.iproute}/bin/ip addr add ${address6}/64 dev $1
'';
};
in {

4
hosts/containers/dnscache/configuration.nix vendored

@ -22,6 +22,7 @@
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.8"; prefixLength = 26; } ];
networking.defaultGateway = "172.20.73.1";
services.resolved.enable = false;
networking.nameservers = [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ];
# Set your time zone.
time.timeZone = "Europe/Berlin";
@ -73,6 +74,7 @@
"::1/128"
"172.20.72.0/21"
"10.0.0.0/24"
"10.200.0.0/15"
"172.22.99.0/24"
"127.0.0.0/8"
];
@ -217,7 +219,7 @@
Exec "collectd" "${pkgs.ruby}/bin/ruby" "${unboundScript}"
'';
network = ''
Server "grafana.hq.c3d2.de" "25826"
Server "grafana.serv.zentralwerk.dn42" "25826"
'';
};
extraConfig = ''

2
hosts/containers/elastic/configuration.nix

@ -17,6 +17,8 @@
networking = {
hostName = "elastic1";
interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.15"; prefixLength = 26; } ];
defaultGateway = "172.20.73.1";
firewall = {
allowedTCPPorts = [
22

2
hosts/containers/freifunk/sysinfo-json.nix

@ -56,7 +56,7 @@ stdenv.mkDerivation {
--replace awk ${gawk}/bin/awk
'' +
lib.strings.concatStrings (lib.attrsets.mapAttrsToList (
var: value: "substituteInPlace sysinfo-json.cgi --replace ${lib.strings.escapeShellArg "$(nvram get ${var})"} '${value}'\n"
var: value: "substituteInPlace sysinfo-json.cgi --replace ${lib.strings.escapeShellArg "$(uci -qX get ffdd.sys.${var})"} '${value}'\n"
) nvram);
installPhase = ''
pwd

14
hosts/containers/grafana/configuration.nix

@ -1,24 +1,22 @@
{ config, pkgs, lib, ... }:
{ config, pkgs, lib, modulesPath, ... }:
{
imports = [
<nixpkgs/nixos/modules/profiles/minimal.nix>
(modulesPath + "/profiles/minimal.nix")
../../../lib
../../../lib/lxc-container.nix
../../../lib/shared.nix
../../../lib/admins.nix
];
c3d2 = {
isInHq = true;
hq.interface = "eth0";
enableHail = true;
};
c3d2.isInHq = false;
services.openssh.enable = true;
networking.hostName = "grafana";
networking.useNetworkd = true;
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.43"; prefixLength = 26; } ];
networking.defaultGateway = "172.20.73.1";
# http https influxdb
networking.firewall.allowedTCPPorts = [ 80 443 8086 ];
@ -39,7 +37,7 @@
enable = true;
org_name = "Chaos";
};
users.allowSignUp = true;
users.allowSignUp = false;
};
services.influxdb = let
collectdTypes = pkgs.stdenv.mkDerivation {

66
hosts/containers/kibana/configuration.nix

@ -0,0 +1,66 @@
{ config, pkgs, lib, modulesPath, ... }:
{
imports = [
(modulesPath + "/profiles/minimal.nix")
../../../lib
../../../lib/lxc-container.nix
../../../lib/shared.nix
];
networking.hostName = "kibana";
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.44"; prefixLength = 26; } ];
networking.defaultGateway = "172.20.73.1";
networking.firewall.allowedTCPPorts = [ 80 443 ];
# Required for krops
services.openssh.enable = true;
environment.systemPackages = [ pkgs.git ];
nixpkgs.config.allowUnfree = true;
services.elasticsearch = {
enable = true;
package = pkgs.elasticsearch7;
};
services.kibana = {
enable = true;
package = pkgs.kibana7;
};
security.acme = {
acceptTerms = true;
email = "mail@c3d2.de";
};
services.nginx =
let
authFile = pkgs.writeText "htpasswd" "k-ot:sawCOTsl/fIUY";
vhost = url: {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = url;
extraConfig = ''
auth_basic "Chaos";
auth_basic_user_file ${authFile};
'';
};
};
in
{
enable = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
virtualHosts = {
"kibana.hq.c3d2.de" =
vhost "http://127.0.0.1:${toString config.services.kibana.port}";
"kibana-es.hq.c3d2.de" =
vhost "http://127.0.0.1:${toString config.services.elasticsearch.port}";
};
};
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "20.03"; # Did you read the comment?
}
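Review bot: `authFile = pkgs.writeText "htpasswd" "k-ot:sawCOTsl/fIUY";` embeds the basic-auth credential in the configuration itself, which commits it to the repository and writes it into the world-readable Nix store on the container, and the 13-character value looks like a traditional DES `crypt(3)` hash (passwords truncated at eight characters, cheap to brute-force) — confirm which scheme was used. The `vhost` helper can instead set `basicAuthFile = "<path-outside-nix-store>/kibana.htpasswd";` pointing at a file deployed by the secrets mechanism, replacing the `auth_basic_user_file` lines in `extraConfig`, and that file should be regenerated with a stronger scheme (`htpasswd -B` for bcrypt). Because the value is already in git history, the password should be treated as exposed and changed regardless of how the file is delivered. Note also that `kibana-es.hq.c3d2.de` proxies the Elasticsearch HTTP API directly, so this single shared credential grants full read/write on the indices; elasticsearch's own settings are not in this file, so whether it adds any authentication of its own cannot be seen here.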

13
hosts/containers/ledstripes/configuration.nix

@ -1,11 +1,11 @@
{ config, pkgs, lib, ... }:
{ config, pkgs, lib, modulesPath, ... }:
{
imports = [
<nixpkgs/nixos/modules/profiles/minimal.nix>
<lib>
<lib/lxc-container.nix>
<lib/shared.nix>
(modulesPath + "/profiles/minimal.nix")
../../../lib
../../../lib/lxc-container.nix
../../../lib/shared.nix
];
c3d2 = {
@ -22,8 +22,7 @@
environment.systemPackages = [ pkgs.git ];
systemd.services.ledball =
let
pile = import (toString <lib/pkgs/pile.nix>) { inherit pkgs; };
let pile = import ../../../lib/pkgs/pile.nix { inherit pkgs; };
in {
after = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];

2
hosts/containers/logging/configuration.nix

@ -17,6 +17,8 @@
networking = {
hostName = "logging";
interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.13"; prefixLength = 26; } ];
defaultGateway = "172.20.73.1";
firewall = {
allowedTCPPorts = [
22

14
hosts/containers/lxc-template.nix

@ -2,15 +2,15 @@
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).
{ config, pkgs, lib, ... }:
{ config, pkgs, lib, modulesPath, ... }:
{
imports =
[ ../../lib/lxc-container.nix
../../lib/shared.nix
../../lib/admins.nix
<nixpkgs/nixos/modules/profiles/minimal.nix>
];
imports = [
../../lib/lxc-container.nix
../../lib/shared.nix
../../lib/admins.nix
(modulesPath + "/profiles/minimal.nix")
];
networking.hostName = "nixbert"; # Define your hostname.
networking.useNetworkd = false;

2
hosts/containers/mongo/configuration.nix

@ -18,6 +18,8 @@
networking = {
hostName = "mongo";
interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.21"; prefixLength = 26; } ];
defaultGateway = "172.20.73.1";
firewall = {
allowedTCPPorts = [
22

6
hosts/containers/mucbot/configuration.nix

@ -12,11 +12,9 @@ in
];
networking.hostName = "mucbot";
networking.useNetworkd = true;
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = true;
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.27"; prefixLength = 26; } ];
networking.defaultGateway = "172.20.73.1";
networking.nameservers = [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ];
services.resolved.enable = false;
users.users.tigger = {
createHome = true;

14
hosts/containers/public-access-proxy/configuration.nix

@ -9,13 +9,15 @@
[ ../../../lib/lxc-container.nix
../../../lib/shared.nix
../../../lib/admins.nix
../../../lib/default-gateway.nix
./proxy.nix
];
networking.hostName = "public-access-proxy";
networking.useNetworkd = true;
networking.dhcpcd.enable = lib.mkForce true;
networking.interfaces.eth0 = {
ipv4.addresses = [ { address = "172.20.73.45"; prefixLength = 26; } ];
};
networking.defaultGateway = "172.20.73.1";
my.services.proxy = {
enable = true;
@ -24,6 +26,14 @@
hostNames = [ "cloud.bombenverleih.de" "unifi.arkom.men" ];
proxyTo = { host = "172.22.99.192"; httpPort = 80; httpsPort = 443; };
}
{
hostNames = [ "grafana.hq.c3d2.de" ];
proxyTo = { host = "grafana.serv.zentralwerk.dn42"; httpPort = 80; httpsPort = 443; };
}
{
hostNames = [ "kibana.hq.c3d2.de" "kibana-es.hq.c3d2.de" ];
proxyTo = { host = "kibana.serv.zentralwerk.dn42"; httpPort = 80; httpsPort = 443; };
}
];
};

127
hosts/containers/scrape/configuration.nix

@ -1,11 +1,21 @@
{ config, pkgs, lib, ... }:
{ config, pkgs, lib, modulesPath, ... }:
{
let
freifunkNodes = {
"1139" = "10.200.4.120";
"1487" = "10.200.5.213";
"1884" = "10.200.7.100";
"1891" = "10.200.7.107";
"1768" = "10.200.6.239";
"1176" = "10.200.7.80";
"1099" = "10.200.4.80";
};
in {
imports = [
<nixpkgs/nixos/modules/profiles/minimal.nix>
<lib>
<lib/lxc-container.nix>
<lib/shared.nix>
(modulesPath + "/profiles/minimal.nix")
../../../lib
../../../lib/lxc-container.nix
../../../lib/shared.nix
];
c3d2 = {
@ -16,7 +26,8 @@
networking.hostName = "scrape";
networking.useNetworkd = true;
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.32"; prefixLength = 26; } ];
networking.defaultGateway = "172.20.73.1";
# Required for krops
services.openssh.enable = true;
@ -35,6 +46,13 @@
xeriLogin = import <secrets/hosts/scrape/xeri.nix>;
fhemLogin = import <secrets/hosts/scrape/fhem.nix>;
matematLogin = import <secrets/hosts/scrape/matemat.nix>;
makeNodeScraper = nodeId: {
name = "scrape-node${nodeId}";
value = makeService {
script = "freifunk_node";
host = freifunkNodes.${nodeId};
};
};
in {
scrape-xeri = makeService {
script = "xerox";
@ -55,81 +73,28 @@
host = "matemat.hq.c3d2.de";
inherit (matematLogin) user password;
};
scrape-node1139 = makeService {
script = "freifunk_node";
host = "10.200.4.120";
};
scrape-node1487 = makeService {
script = "freifunk_node";
host = "10.200.5.213";
};
scrape-node1884 = makeService {
script = "freifunk_node";
host = "10.200.7.100";
};
scrape-node1891 = makeService {
script = "freifunk_node";
host = "10.200.7.107";
};
scrape-node1768 = makeService {
script = "freifunk_node";
host = "10.200.6.239";
};
scrape-node1176 = makeService {
script = "freifunk_node";
host = "10.200.7.80";
} // builtins.listToAttrs (map makeNodeScraper (builtins.attrNames freifunkNodes));
systemd.timers =
let
makeTimer = service: interval: {
partOf = [ "${service}.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = interval;
};
};
systemd.timers.scrape-xeri = {
partOf = [ "scrape-xeri.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
systemd.timers.scrape-roxi = {
partOf = [ "scrape-roxi.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
systemd.timers.scrape-fhem = {
partOf = [ "scrape-fhem.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
systemd.timers.scrape-matemat = {
partOf = [ "scrape-matemat.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
systemd.timers.scrape-node1139 = {
partOf = [ "scrape-node1139.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
systemd.timers.scrape-node1487 = {
partOf = [ "scrape-node1487.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
systemd.timers.scrape-node1884 = {
partOf = [ "scrape-node1884.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
systemd.timers.scrape-node1891 = {
partOf = [ "scrape-node1894.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
systemd.timers.scrape-node1768 = {
partOf = [ "scrape-node1768.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
systemd.timers.scrape-node1176 = {
partOf = [ "scrape-node1176.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
makeNodeScraperTimer = nodeId:
let
name = "scrape-node${nodeId}";
in {
inherit name;
value = makeTimer name "minutely";
};
in {
scrape-xeri = makeTimer "scrape-xeri.service" "minutely";
scrape-roxi = makeTimer "scrape-roxi.service" "minutely";
scrape-fhem = makeTimer "scrape-fhem.service" "minutely";
scrape-matemat = makeTimer "scrape-matemat.service" "minutely";
} // builtins.listToAttrs (map makeNodeScraperTimer (builtins.attrNames freifunkNodes));
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
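Review bot: `makeTimer` appends the suffix itself (`partOf = [ "${service}.service" ]`), but the four fixed timers in the last hunk pass names that already carry it, so `scrape-xeri`, `scrape-roxi`, `scrape-fhem` and `scrape-matemat` end up with `partOf = [ "scrape-xeri.service.service" ]` and so on — a unit that does not exist, which silently breaks the coupling between each timer and its service. The node timers built by `makeNodeScraperTimer` pass the bare `scrape-node${nodeId}` name and are correct. Change the calls to `scrape-xeri = makeTimer "scrape-xeri" "minutely";` and likewise for roxi, fhem and matemat; the whole `systemd.timers` attrset is visible within the hunk.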

7
hosts/containers/spaceapi/configuration.nix

@ -8,14 +8,13 @@ in
[ ../../../lib/lxc-container.nix
../../../lib/shared.nix
../../../lib/admins.nix
../../../lib/default-gateway.nix
"${spacemsgGit}/spaceapi/module.nix"
];
networking.hostName = "spaceapi";
networking.useNetworkd = true;
networking.useDHCP = lib.mkForce true;
networking.firewall.allowedTCPPorts = [ 3000 3001 ];
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.25"; prefixLength = 26; } ];
networking.defaultGateway = "172.20.73.1";
networking.firewall.enable = false;
services.spaceapi = {
enable = true;
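Review bot: With `networking.firewall.enable = false;` in effect the container accepts connections on every port, and the `networking.firewall.allowedTCPPorts = [ 3000 3001 ];` line next to it (whichever side of the diff it is on — the rendered view does not mark sides) becomes a no-op, so the switch to a static address also drops the filtering the host had. Unless something else needs unrestricted inbound traffic, keep the firewall on and list only what the spaceapi service serves: `networking.firewall.allowedTCPPorts = [ 3000 3001 ];` with the `enable = false` line removed. If disabling it is deliberate, a comment giving the reason next to the line would stop the next reader from re-enabling it.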

30
hosts/glotzbert/configuration.nix

@ -6,41 +6,48 @@
c3d2 = {
users.k-ot = true;
isInHq = true;
hq.interface = "enp0s10";
enableHail = true;
hq.interface = "eno1";
hq.enableBinaryCache = false;
enableHail = false;
};
nixpkgs.config.allowUnfree = true;
nix = {
useSandbox = true;
buildCores = 2;
buildCores = 4;
maxJobs = 4;
};
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.kernelPackages = pkgs.linuxPackages_4_19;
boot.kernelPackages = pkgs.linuxPackages_latest;
networking.hostName = "glotzbert"; # Define your hostname.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
networking.interfaces.eno1.useDHCP = true;
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Select internationalisation properties.
i18n = {
consoleFont = "Lat2-Terminus16";
consoleKeyMap = "de";
defaultLocale = "en_US.UTF-8";
console = {
font = "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";
keyMap = "de";
};
i18n.defaultLocale = "en_US.UTF-8";
# Set your time zone.
time.timeZone = "Europe/Berlin";
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [ wget vim x11vnc ];
environment.systemPackages = with pkgs; [
wget vim git tmux screen
chromium firefox
mpv kodi
];
systemd.user.services.x11vnc = {
description = "X11 VNC server";
@ -108,11 +115,11 @@
user = "k-ot";
};
};
defaultSession = "gnome-xorg";
};
services.xserver.desktopManager = {
gnome3.enable = true;
kodi.enable = true;
default = "kodi";
};
security.sudo = {
@ -123,7 +130,6 @@
# Define a user account. Don't forget to set a password with ‘passwd’.
users.groups."k-ot" = { gid = 1000; };
users.users."k-ot" = {
password = "k-ot";
isNormalUser = true;
uid = 1000;
group = "k-ot";
@ -133,6 +139,8 @@
];
};
users.users.emery.cryptHomeLuks = "/home/emery.luks.img";
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you

28
hosts/glotzbert/hardware-configuration.nix

@ -1,33 +1,27 @@
# Do not modify this file! It was generated by ‘nixos-generate-config’
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, ... }:
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
];
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = [ "ohci_pci" "ehci_pci" "ahci" "firewire_ohci" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
boot.kernelModules = [ "kvm-intel" "wl" "forcedeth" "b43" ];
boot.kernelParams = [ "irqpoll" "hpet=off" ]; # noapic seems to improve things
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/4568bf11-6e40-4514-9bc9-3194a299c45f";
fsType = "btrfs";
{ device = "/dev/disk/by-uuid/3a8ddd25-0c5d-4fec-b957-bdcea1c52db4";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/67E3-17ED";
{ device = "/dev/disk/by-uuid/6490-45A0";
fsType = "vfat";
};
zramSwap = { enable = true; priority = 1000; };
swapDevices = [
{ device = "/dev/disk/by-uuid/f602ea23-99e5-416b-98d2-ef76cbc5c934";
} ];
swapDevices = [ ];
nix.maxJobs = lib.mkDefault 2;
services.xserver.videoDriver = "nouveau";
nix.maxJobs = lib.mkDefault 4;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
}

292
hosts/pulsebert/configuration.nix

@ -4,164 +4,116 @@
{ config, pkgs, ... }:
let
ympdPort = 8080;
mpdVhost = "mpd.hq.c3d2.de";
in {
{
imports = [ # Include the results of the hardware scan.
./hardware-configuration.nix
../../lib
../../lib/admins.nix
../../lib/hq.nix
./mpdConsole.nix
];
c3d2 = {
users = {
emery = true;
k-ot = true;
};
isInHq = true;
mapHqHosts = true;
hq = {
interface = "eno1";
enableMpdProxy = true;
yggdrasi.enableGateway = true;
};
enableHail = true;
};
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = false;
boot.loader.raspberryPi = { enable = true; version = 4; uboot.enable = false; };
#boot.kernelPackages = pkgs.linuxPackages_rpi4;
boot.kernelPackages = pkgs.linuxPackages_latest;
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.kernelPackages = pkgs.linuxPackages_4_19;
boot.tmpOnTmpfs = true;
nix.buildCores = 4;
nix.maxJobs = 4;
networking.hostName = "pulsebert"; # Define your hostname.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = true;
networking.interfaces.wlan0.useDHCP = true;
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Select internationalisation properties.
i18n = {
consoleFont = "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";
consoleKeyMap = "us";
defaultLocale = "en_US.UTF-8";
};
# i18n.defaultLocale = "en_US.UTF-8";
# console = {
# font = "Lat2-Terminus16";
# keyMap = "us";
# };
# Set your time zone.
# time.timeZone = "Europe/Amsterdam";
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
# specific printer drivers for our printers
epson-escpr
splix
# utilities
nix-index
usbutils
tmux
vim
git
openssl
# NCurses Music Player Client (Plus Plus)
# a commandline front-end client for mpd
# 2019-01-21 mag vater gern gleich einen schoenen lokalen Verwaltung fuer MPD haben.
# ncmpcpp
home-manager
mumble
ncpamixer
ffmpeg
wget vim git
raspberrypi-tools
];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# pinentryFlavor = "gnome3";
# };
# List services that you want to enable:
# Do not log to flash:
services.journald.extraConfig = ''
Storage=volatile
'';
# Enable the OpenSSH daemon.
services.openssh.enable = true;
services.openssh.permitRootLogin = "yes";
security.sudo = {
enable = true;
wheelNeedsPassword = false;
};
users.users.k-ot = {
isNormalUser = true;
extraGroups = [ "wheel" "audio" ];
};
# X11 Forwarding for mumble...
programs.ssh.forwardX11 = true;
services.openssh.forwardX11 = true;
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [
4713 # PulseAudio
631 # cups
80
443 # Web/ympd
5000 # shairport
config.services.mpd.network.port
];
networking.firewall.allowedUDPPorts = [ 631 ];
networking.firewall.extraCommands = ''
iptables -I INPUT -p udp --dport mdns -d 224.0.0.251 -j ACCEPT # zeroconf
iptables -I OUTPUT -p udp --dport mdns -d 224.0.0.251 -j ACCEPT # zeroconf
''; # networking.firewall.allowedUDPPorts = [ ... ];
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
networking.firewall.enable = false;
# Enable CUPS to print documents.
services.printing = {
enable = true;
browsing = true;
listenAddresses = [ "*:631" ];
defaultShared = true;
# logLevel = "debug";
drivers = [ pkgs.gutenprint pkgs.hplip pkgs.splix ];
extraConf =
''
DefaultAuthType Basic
<Location />
Order allow,deny
Allow ALL
</Location>
<Location /admin>
Order allow,deny
Allow ALL
</Location>
<Location /admin/conf>
AuthType Basic
Require user @SYSTEM
Order allow,deny
Allow ALL
</Location>
<Policy default>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
AuthType Basic
Require user @SYSTEM
Order deny,allow
</Limit>
<Limit Cancel-Job CUPS-Authenticate-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
'';
};
# services.printing.enable = true;
# Enable sound.
sound.enable = true;
hardware.pulseaudio.enable = true;
# PulseAudio as-a-Service
hardware.pulseaudio.systemWide = true;
hardware.pulseaudio.tcp.anonymousClients.allowedIpRanges = [
"127.0.0.0/8" "::1/128"
"172.22.99.0/24" "2a02:8106:208:5201:58::/64"
];
hardware.pulseaudio.tcp.enable = true;
hardware.pulseaudio.zeroconf.publish.enable = true;
hardware.bluetooth = {
enable = true;
config = {
Policy.AutoEnable = true;
General = {
Enable = "Source,Sink,Media,Socket";
#DiscoverableTimeout = 0;
#Discoverable = true;
};
};
};
hardware.pulseaudio = {
enable = true;
systemWide = true;
tcp.enable = true;
tcp.anonymousClients.allowedIpRanges = [
"127.0.0.0/8" "::1/128"
"172.22.99.0/24" "2a02:8106:208:5201:58::/64"
];
zeroconf.publish.enable = true;
package = pkgs.pulseaudioFull;
extraModules = [ pkgs.pulseaudio-modules-bt ];
};
# tell Avahi to publish CUPS and PulseAudio
services.avahi = {
@ -170,9 +122,6 @@ in {
publish.userServices = true;
};
# Enable Audio streaming for Mac clients
services.shairport-sync.enable = true;
# Enable the X11 windowing system.
# services.xserver.enable = true;
# services.xserver.layout = "us";
@ -185,88 +134,19 @@ in {
# services.xserver.displayManager.sddm.enable = true;
# services.xserver.desktopManager.plasma5.enable = true;
security.pam.enableSSHAgentAuth = true;
security.sudo = {
enable = true;
wheelNeedsPassword = false;
};
users.users.k-ot.extraGroups = [ "wheel" ];
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "18.09"; # Did you read the comment?
# vater hoerte, dass menschen im space gern mpd fuer das abspielen von musik erwarten wuerden
#### https://nixos.org/nixos/options.html#services.mpd.enable
# See ../../mpd.nix
services.mpd = {
enable = true;
dbFile = null;
musicDirectory = "/mnt/storage/Music";
playlistDirectory = "/home/k-ot/Playlists";
network.listenAddress = "any";
extraConfig = ''
audio_output {
type "pulse"
name "/proc"
}
'';
};
services.caddy = {
enable = true;
agree = true;
# TODO: add auth?
config = ''
${mpdVhost} {
proxy / localhost:${toString ympdPort}
}
:80 {
redir https://${mpdVhost}{uri}
}
'';
};
fileSystems."/mnt/storage" = {
#device = "storage-ng.hq.c3d2.de:/mnt/zroot/storage/rpool";
#device = "storage-ng.hq.c3d2.de:/c3d2/rpool";
device =
"172.22.99.13:6789,172.22.99.15:6789,172.22.99.16:6789:/c3d2/rpool";
fsType = "ceph";
options = [
"rw"
"relatime"
"name=public"
"secret=AQDgER1chJcMORAAK1ysRTN59B5x/MyniwVXFQ=="
"acl"
"wsize=16777216"
"_netdev"
];
};
# Define a user account. Don't forget to set a password with ‘passwd’.
# users.users.jane = {
# isNormalUser = true;
# extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
# };
# MPD music playing daemon with webinterface
services.ympd = {
enable = true;
webPort = toString ympdPort;
};
nixpkgs.config.packageOverrides = pkgs: with pkgs; {
ympd = ympd.overrideAttrs (oldAttrs: {
src = fetchFromGitHub {
owner = "c3d2";
repo = "ympd";
rev = "feature/somafm_browser";
sha256 = "17x3jfys6gxghz5yp0gvd39ylvzfm59qxg75hwc5a52rj1n2jpb1";
};
});
};
programs.bash.shellAliases = {
mpv = "mpv --no-vid";
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. It‘s perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "20.09"; # Did you read the comment?
users.users.emery.cryptHomeLuks = "/home/emery.luks.img";
}
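Review bot: `services.openssh.permitRootLogin = "yes";` together with `networking.firewall.enable = false;` leaves the host with password root login over SSH reachable on every interface, and both lines appear to be on the new side of the first hunk (the rendered diff does not mark sides, so confirm). Since `security.sudo.wheelNeedsPassword = false` already gives the `wheel` member `k-ot` root, `services.openssh.permitRootLogin = "prohibit-password";` would keep key-based root access while closing the password path. The firewall should stay enabled with the ports the host actually serves (PulseAudio 4713 and the mDNS rule in `extraCommands` are listed earlier in the same hunk) rather than being switched off wholesale. The `secret=` mount option in the ceph `fileSystems."/mnt/storage"` block looks like a removed line, but the key remains in the repository history and should be treated as exposed and rotated on the ceph side.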

30
hosts/pulsebert/hardware-configuration.nix

@ -1,29 +1,39 @@
# Do not modify this file! It was generated by ‘nixos-generate-config’
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, ... }:
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
];
#imports =
# [ (modulesPath + "/installer/scan/not-detected.nix")
# ];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.kernelModules = [ "kvm-intel" ];
boot.initrd.availableKernelModules = [ "usbhid" ];