a bunch of random changes again

This commit is contained in:
Sebastian Moser
2024-01-16 09:03:26 +01:00
parent 6c72ddc81d
commit 22d3e2bd96
96 changed files with 1878 additions and 476 deletions


@@ -20,7 +20,7 @@
settings.KbdInteractiveAuthentication = false;
};
programs.bash.loginShellInit = "nixos-wsl-welcome";
programs.bash.loginShellInit = "";
# to build rpi images
boot.binfmt.emulatedSystems = [
@@ -30,6 +30,7 @@
######################### networking #####################################
networking.hostName = "acern";
networking.firewall.allowPing = true;
networking.firewall.enable = true;
networking.firewall.allowedUDPPorts = [

107
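--- /dev/null
+++ b/hosts/fusu.nix
@@ -0,0 +1,107 @@
+{ inputs, pkgs, ... }:
+{
+imports = [
+../common/all.nix
+../common/nixos.nix
+../common/building.nix
+inputs.home-manager.nixosModules.home-manager
+../users/me/headless.nix
+../users/root/default.nix
+../users/server/headles.nix
+];
+# mac address for wakeonlan: 00:19:99:fd:28:23
+# allow acern to ssh into server
+users.users.server.openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHTV1VoNAjMha5IP+qb8XABDo02pW3iN0yPBIbSqZA27 me@acern"
+];
+# allow server user to shutdown fusu
+security.sudo.extraRules = [
+{
+users = [ "server" ];
+commands = [ { command = "/run/current-system/sw/bin/shutdown"; options = [ "SETENV" "NOPASSWD" ]; } ];
+}
+];
+# Use the GRUB 2 boot loader.
+boot.loader.grub = {
+enable = true;
+device = "/dev/sda";
+efiSupport = false;
+extraConfig = ''
+set timeout=2
+'';
+};
+#fileSystems."/boot" = {
+# device = "/dev/disk/by-label/fusu-boot";
+# fsType = "fat32";
+#};
+services.openssh = {
+enable = true;
+# require public key authentication for better security
+settings.PasswordAuthentication = false;
+settings.KbdInteractiveAuthentication = false;
+settings.PermitRootLogin = "yes";
+#settings.X11UseLocalhost = "no";
+settings.X11Forwarding = true;
+#settings.AddressFamily = "inet";
+};
+networking.firewall.allowPing = true;
+networking.firewall.enable = true;
+services.samba.openFirewall = true;
+networking.firewall.allowedTCPPorts = [
+8888 # for general usage
+9999 # for general usage
+8080 # for mitm proxy
+25565 # mc server
+25566 # mc server
+];
+networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
+# to build rpi images
+boot.binfmt.emulatedSystems = [
+"aarch64-linux"
+];
+environment.systemPackages = with pkgs; [
+ntfs3g
+];
+nix.settings = {
+trusted-public-keys = [
+"sebastian@c2vi.dev:0tIXGRJMLaI9H1ZPdU4gh+BikUuBVHtk+e1B5HggdZo="
+];
+trusted-users = [ "me" ];
+};
+networking = {
+#usePredictableInterfaceNames = false;
+defaultGateway = {
+address = "192.168.1.1";
+interface = "eth0";
+};
+hostName = "fusu";
+nameservers = [ "1.1.1.1" "8.8.8.8" ];
+interfaces = {
+"enp0s25" = {
+name = "eth0";
+ipv4.addresses = [
+{ address = "192.168.1.3"; prefixLength = 24;}
+];
+};
+};
+};
+}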
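Review bot: `settings.PermitRootLogin = "yes";` in the new openssh block sits right under the comment "require public key authentication for better security" but still allows direct root logins over ssh with any accepted key; `settings.PermitRootLogin = "prohibit-password";` (or `"no"`, since the me and server users are imported for this host) keeps the comment's intent while limiting root exposure. The sudo rule for `server` grants `/run/current-system/sw/bin/shutdown` with no argument restriction and with `SETENV`, so every shutdown flag and environment override is accepted without a password; if a plain power-off is all that is wanted, pin the arguments, e.g. `command = "/run/current-system/sw/bin/shutdown now";`, and drop `SETENV` unless something needs it. `nix.settings.trusted-users = [ "me" ];` is documented by NixOS as effectively root-equivalent, which deserves a one-line comment next to it because it reads as a much smaller grant than it is.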

7
hosts/hpm.nix Normal file → Executable file

@@ -53,5 +53,12 @@
};
};
};
services.logind = {
lidSwitch = "ignore";
lidSwitchExternalPower = "ignore";
lidSwitchDocked = "ignore";
};
}

24
hosts/lush.nix Normal file → Executable file

@@ -1,4 +1,4 @@
{ lib, pkgs, inputs, secretsDir, ... }:
{ lib, pkgs, inputs, secretsDir, workDir, ... }:
{
#system.stateVersion = "23.05"; # Did you read the comment?
@@ -11,7 +11,15 @@
../common/all.nix
inputs.home-manager.nixosModules.home-manager
../users/me/headless.nix
#../users/me/headless.nix
##### project modules
# the module for the zwave setup
#"${workDir}/htl/labor/hackl/zwave.nix"
# labor nas project
"${workDir}/htl/labor/nas/nixos/lush-module.nix"
];
# home-manager.users.me = import ../users/me/home-headless.nix;
@@ -36,13 +44,19 @@
];
*/
services.blueman.enable = true;
hardware.bluetooth.enable = true;
hardware.enableRedistributableFirmware = true;
# This causes an overlay which causes a lot of rebuilding
environment.noXlibs = lib.mkForce false;
environment.systemPackages = with pkgs; [ vim git ];
environment.systemPackages = with pkgs; [
vim
bluez
git
];
# "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" creates a
# disk with this label on first boot. Therefore, we need to keep it. It is the
@@ -124,7 +138,7 @@
id = "pt";
uuid = "f028117e-9eef-47c1-8483-574f7ee798a4";
type = "bluetooth";
autoconnect = "false";
autoconnect = "true";
};
bluetooth = {
@@ -133,7 +147,7 @@
};
ipv4 = {
address1 = "192.168.20.21/24";
address1 = "192.168.44.22/24";
method = "auto";
};
};
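Review bot: The new import `"${workDir}/htl/labor/nas/nixos/lush-module.nix"` in the imports hunk pulls a full NixOS module from a path outside this repository, so evaluating this host depends on whatever is checked out under workDir on the building machine and fails when that path is missing; a comment recording that, e.g. `# impure: lush-module.nix comes from the working copy under workDir, not from this repo`, would save the next reader a surprise. The commented-out zwave line just above follows the same pattern, so the same note applies there. In the same hunk `../users/me/headless.nix` appears to have been commented out of imports while the rest of the file still assumes that user; if that is deliberate, a short comment on the line saying why would be worth adding. The enclosing module continues outside the hunks shown.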


@@ -10,6 +10,9 @@
# ??????????? TODO
# fileSystems."/".options = [ "noatime" "nodiratime" "discard" ];
services.nscd.enable = lib.mkForce false;
system.nssModules = lib.mkForce [];
imports = [
../common/all.nix
@@ -23,11 +26,22 @@
../users/root/default.nix
];
environment.systemPackages = with pkgs; [
cifs-utils
ntfs3g
dhcpcd
looking-glass-client
];
# enable ntp
#services.ntp.enable = true;
# if i hibernate and ren unhibernate in the school network ... the time will be off, because 0.nixos.pool.ntp.org can't be reached
services.timesyncd.enable = true;
################################### optimisations ####################################
#boot.kernelPackages = pkgs.linuxPackages; # .overrideAttrs (old: {
#NIX_CFLAGS_COMPILE = [ (old.NIX_CFLAGS_COMPILE or "") ] ++ [ "-O3" "-march=native" ];
@@ -37,15 +51,16 @@
NIX_CFLAGS_COMPILE = [ (old.NIX_CFLAGS_COMPILE or "") ] ++ [ "-O3" "-march=native" ];
})));
*/
boot.kernelPackages = pkgs.linuxPackagesFor (pkgs.linux_6_1.override {
argsOverride = rec {
NIX_CFLAGS_COMPILE = [ "-O3" "-march=native" ];
};
});
#boot.kernelPackages = pkgs.linuxPackagesFor (pkgs.linux_6_1.override {
#argsOverride = rec {
#NIX_CFLAGS_COMPILE = [ "-O3" "-march=native" ];
#};
#});
#*/
#(old: {
#}));
/*
nixpkgs.overlays = [
(final: prev: {
optimizeWithFlags = pkg: flags:
@@ -59,6 +74,7 @@
firefox = final.optimizeForThisHost prev.firefox;
})
];
*/
hardware.bluetooth.settings = {
@@ -77,6 +93,7 @@
];
# some bind mounts
/*
fileSystems."${workDir}/priv-share/things" = {
device = "${workDir}/things";
options = [ "bind" ];
@@ -89,6 +106,7 @@
device = "${workDir}/diplomarbeit";
options = [ "bind" ];
};
# */
################################ my youtube blocking service #############################
environment.etc."host.conf" = {
@@ -109,8 +127,19 @@
if [ -f "/etc/hosts-youtube-block" ];
then
timeout=$(cat /etc/hosts-youtube-block)
# check our daily limit
if [ -f "/etc/hosts-youtube-daily" ];
then
echo hi
#today=$(cat /etc/hosts-youtube-daily)
# set timeout to 0 when dayli limit is over 90m
# and also write
fi
echo "read timeout $timeout"
if [[ "$timeout" == "1" ]] || [[ "$timeout" == "1\n" ]]
if [[ "$timeout" == "1" ]] || [[ "$timeout" == "1\n" ]] || [[ "$timeout" == "-1" ]] || [[ "$timeout" == "0" ]]
then
rm -rf /etc/hosts-youtube-block
else
@@ -153,9 +182,15 @@
services.avahi.enable = true;
networking.networkmanager.enable = true;
#networking.networkmanager.extraConfig = ''
#[main]
#dhcp=dhcpcd
#'';
#networking.useDHCP = lib.mkForce true;
networking.firewall.allowPing = true;
networking.firewall.enable = true;
services.samba.openFirewall = true;
networking.firewall.allowedTCPPorts = [
@@ -215,6 +250,7 @@
};
wifi-security = {
key-mgmt = "wpa-eap";
auth-alg = "open";
};
"802-1x" = {
eap = "peap";
@@ -288,6 +324,24 @@
};
};
dhcp = {
connection = {
id = "dhcp";
uuid = "c006389a-1697-4f77-91c3-95b466f85f13";
type = "ethernet";
autoconnect = "false";
interface-name = "enp1s0";
};
ethernet = {
mac-address = "F4:39:09:4A:DF:0E";
};
ipv4 = {
method = "auto";
};
};
/*
me = {
connection = {
@@ -309,6 +363,7 @@
*/
};
/*
networking.wireguard.interfaces = {
me1 = {
ips = [ "10.1.1.11/24" ];
@@ -319,6 +374,7 @@
peers = import ../common/wg-peers.nix { inherit secretsDir; };
};
};
# */
@@ -363,19 +419,34 @@
virtualisation.libvirtd.enable = true;
virtualisation.podman.enable = true;
system.activationScripts.setupLibvirt = lib.stringAfter [ "var" ] ''
mkdir -p /var/lib/libvirt/storage
ln -nsf ${workDir}/vm/libvirt/my-image-pool.xml /var/lib/libvirt/storage/my-image-pool.xml
rm -rf /var/lib/libvirt/qemu/networks
ls ${workDir}/vm/qemu | while read path
do
ln -nsf ${workDir}/vm/qemu/$path /var/lib/libvirt/qemu/$path
done
virtualisation.kvmgt.enable = true;
boot.extraModprobeConfig = "options i915 enable_guc=2";
boot.kernelParams = [ "intel_iommu=on" ];
virtualisation.kvmgt.vgpus = {
"i915-GVTg_V5_8" = {
uuid = [ "1382e8c5-b033-481b-99b8-e553ef6a0056" ];
};
};
# /*
system.activationScripts.setupLibvirt = lib.stringAfter [ "var" ] ''
mkdir -p /var/lib/libvirt/storage
ln -nsf ${workDir}/vm/libvirt/my-image-pool.xml /var/lib/libvirt/storage/my-image-pool.xml
rm -rf /var/lib/libvirt/qemu/networks
ls ${workDir}/vm/qemu | while read path
do
ln -nsf ${workDir}/vm/qemu/$path /var/lib/libvirt/qemu/$path
done
'';
# */
system.activationScripts.makeBinBash = lib.stringAfter [ "var" ] ''
# there is no /bin/bash
# https://discourse.nixos.org/t/add-bin-bash-to-avoid-unnecessary-pain/5673
ln -nsf /run/current-system/sw/bin/bash /bin/bash
'';
# */
############################## swap and hibernate ###################################
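Review bot: In the hosts-youtube-block script hunk, the extended condition still carries `[[ "$timeout" == "1\n" ]]`, which can never match: `$(cat ...)` strips trailing newlines and bash keeps `\n` inside double quotes as a literal backslash and n, so that alternative is dead and the new `-1`/`0` cases should replace it rather than extend it, e.g. `case "$timeout" in 1|0|-1) rm -f /etc/hosts-youtube-block ;;`. The new daily-limit branch `if [ -f "/etc/hosts-youtube-daily" ]` only runs `echo hi` and leaves the intended logic as comments, so it is a stub; a `# TODO: daily limit not implemented yet` on that branch would keep it from being read as working code. Further up, `services.nscd.enable = lib.mkForce false;` together with `system.nssModules = lib.mkForce [];` removes all NSS modules, which, if I read it right, means the `services.avahi.enable = true` lower in the file will no longer provide .local name resolution and systemd's NSS-based user lookups are gone too; a comment stating why nscd is disabled here would help. Both the script and the module extend beyond the hunks shown.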

0
hosts/nix-on-phone.nix Normal file → Executable file

0
hosts/phone/default.nix Normal file → Executable file

0
hosts/phone/nix-on-droid.nix Normal file → Executable file

0
hosts/phone/stuff.md Normal file → Executable file

0
hosts/privision-main.nix Normal file → Executable file


@@ -1,70 +0,0 @@
# get pi to boot from usb-source
echo program_usb_boot_mode=1 | sudo tee -a /boot/config.txt
https://www.elektronik-kompendium.de/sites/raspberry-pi/2404241.htm
# setup
## set static ip (192.168.1.2)
used /etc/network/interfaces (seems to be debian only)
## enable ssh (touch ssh file in the boot partition)
## set root pwd (copy hash from local /etc/shadow)
CMD: apt update
CMD: apt install nodejs npm
CMD: npm i -g @bitwarden/cli
## set hostname
## setup bcache
- if "sudo make-bcache -C /dev/sda3 -B /dev/md0" then no need for registering (i think)
PKG: bcache-tools git build-essential uuid-dev mdadm
CMD: sudo make-bcache -C /dev/sda3
CMD: sudo mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/sdb /dev/sdc
CMD: sudo make-bcache -B /dev/md0
## other bcache things
- you can echo 1 > /sys/fs/bcache/<UUID>/unregister
- but there also is: echo 1 > /sys/block/bcache0/bcache/stop
- if seccond is not done, volumes used by this bcache device will show as "<dev> is apparently in use by the system; will not make a filesystem here!", when mkfs.ext5 <dev>
## mdadm things
- do a check: https://www.thomas-krenn.com/de/wiki/Mdadm_checkarray
## add swap file maybe
CMD: sudo vim /etc/dphys-swapfile
CMD: sudo dphys-swapfile setup
CMD: sudo dphys-swapfile swapon
# things
- mdadm
- bcache
- mount /home/files/storage
- so that other users can't read it
- podman containers
- me-net (wireguard)
- rclone mount onedrive backups
- borgmatic
## things done
- smb shares
- swap
- users
admin - sudo without password and access to bitwarden
files - for managing files (old: dateimanager)
server - for deployed servers (podman)
mamafiles - for the mamafiles share
- ssh acces
- ssh config: PermitRootAccess and PasswordAuthentication
- dyndns
- wstunnel for wireguard


@@ -1,4 +1,4 @@
{ lib, pkgs, inputs, secretsDir, ... }:
{ lib, pkgs, inputs, secretsDir, system, ... }:
{
imports = [
"${inputs.nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
@@ -7,6 +7,7 @@
../common/all.nix
../common/nixos-headless.nix
../common/nixos.nix
inputs.home-manager.nixosModules.home-manager
../users/me/headless.nix
@@ -15,8 +16,6 @@
../users/files/headless.nix
];
system.stateVersion = "23.05";
# to cross compile
#nixpkgs.hostPlatform.system = "aarch64-linux";
#nixpkgs.buildPlatform.system = "x86_64-linux";
@@ -31,6 +30,8 @@
environment.systemPackages = with pkgs; [
bcache-tools
su
fuse3
];
fileSystems."/" =
@@ -38,6 +39,16 @@
fsType = "ext4";
};
fileSystems."/home/files/storage" =
{ device = "/dev/bcache0p1";
fsType = "ext4";
};
fileSystems."/svn" = {
device = "/home/files/storage/files/stuff/svn";
options = [ "bind" ];
};
swapDevices = [ {
device = "/swapfile";
size = 10*1024;
@@ -98,7 +109,7 @@
uuid = "a02273d9-ad12-395e-8372-f61129635b6f";
type = "ethernet";
autoconnect-priority = "-999";
interface-name = "eth0";
interface-name = "end0";
};
ipv4 = {
address1 = "192.168.1.2/24,192.168.1.1";
@@ -107,6 +118,7 @@
};
};
/*
me = {
connection = {
id = "me";
@@ -124,6 +136,7 @@
method = "manual";
};
} // (import ../common/wg-peers.nix { inherit secretsDir; }) ;
*/
};
######################################### wstunnel #######################################
@@ -155,13 +168,14 @@
ip=$(curl my.ip.fi)
curl "http://dynv6.com/api/update?hostname=${builtins.readFile "${secretsDir}/dns-name-two"}&ipv4=$ip&token=${builtins.readFile "${secretsDir}/dns-name-two-token"}"
curl "https://dynamicdns.park-your-domain.com/update?host=@&domain=${builtins.readFile "${secretsDir}/dns-name"}&password=${builtins.readFile "${secretsDir}/dns-name-token"}&ip=$ip"
# https://www.namecheap.com/support/knowledgebase/article.aspx/29/11/how-to-dynamically-update-the-hosts-ip-with-an-https-request/
'';
};
in
{
enable = true;
description = "block Youtube";
description = "dyndns ip updates";
unitConfig = {
Type = "simple";
};
@@ -249,4 +263,164 @@
};
};
};
############################## files backup ##################################
# needs that
programs.fuse.userAllowOther = true;
systemd.services.rclone-mount-backup = {
enable = true;
description = "Mount rclone backup folder";
unitConfig = {
Type = "simple";
};
serviceConfig = {
ExecStart = "${pkgs.bash}/bin/bash -c 'export PATH=/run/wrappers/bin:$PATH; id; ${pkgs.rclone}/bin/rclone mount --allow-non-empty --allow-other --vfs-cache-max-size 2G --vfs-cache-mode full backup: /home/files/backup'";
User = "files";
Group = "files";
};
wantedBy = [ "multi-user.target" ];
};
services.borgbackup.jobs.files = {
#user = "files";
extraCreateArgs = "--verbose --list --filter=AMECbchfsx --stats --checkpoint-interval 600";
extraArgs = "--progress";
paths = "/home/files/storage";
doInit = false;
repo = "/home/files/backup/dateien-backup-borg-repo";
compression = "lzma,9";
startAt = "weekly";
user = "files";
group = "files";
postCreate = ''
echo create done!!!!!
'';
extraPruneArgs = "--stats --list --save-space";
patterns = [
"- /home/files/storage/files/no-backup"
];
encryption.mode = "repokey-blake2";
encryption.passCommand = "cat /home/files/secrets/borg-passphrase";
environment.BORG_KEY_FILE = "/home/files/secrets/borg-key";
prune.keep = {
#within = "1w"; # Keep all archives from the last day
daily = 7;
weekly = 7;
monthly = -1; # Keep at least one archive for each month
};
};
################################ server ######################################
/*
systemd.services.nginx-pod = {
enable = true;
description = "pod for nginx proxy manager";
unitConfig = {
Type = "simple";
};
serviceConfig = {
ExecStart = let prg = pkgs.writeShellApplication {
name = "nginx-pod";
runtimeInputs = with pkgs; [ su shadow ];
text = lib.strings.concatStringsSep " " [
"${inputs.podman.packages.${system}.podman}/bin/podman" "pod" "create"
"--name=nginx"
"--share net"
"-p 81:81"
"-p 80:80"
"-p 443:443"
];
}; in "${prg}/bin/nginx-pod";
User = "server";
Group = "server";
};
wantedBy = [ "multi-user.target" ];
};
systemd.services.nginx-db = {
enable = true;
description = "bar";
unitConfig = {
Type = "simple";
};
serviceConfig = {
ExecStart = let prg = pkgs.writeShellApplication {
name = "nginx-db";
runtimeInputs = with pkgs; [ su shadow ];
text = lib.strings.concatStringsSep " " [
# make data dir if non existent
"${pkgs.coreutils}/bin/mkdir -p /home/server/here/nginx/data;"
"${inputs.podman.packages.${system}.podman}/bin/podman" "container" "run"
"--name=nginx_db"
"--pod=nginx"
"-e MYSQL_ROOT_PASSWORD=HAg!HZiZQ9ydGlFK7KP4"
"-e MYSQL_DATABASE=nginx-proxy-manager"
"-e MYSQL_USER=webserver"
''"-e MYSQL_PASSWORD=n1jK69EQEBOiJ&YPmbeW"''
"-v /home/server/here/nginx/data/mysql:/var/lib/mysql:Z"
"--add-host app:127.0.0.1"
"--add-host nginx_app:127.0.0.1"
"--add-host db:127.0.0.1"
"--add-host nginx_db:127.0.0.1"
"--restart unless-stopped"
# last image name
"nginx-proxy-manager"
];
}; in "${prg}/bin/nginx-db";
User = "server";
Group = "server";
};
wantedBy = [ "multi-user.target" ];
};
systemd.services.nginx = {
enable = true;
description = "bar";
unitConfig = {
Type = "simple";
};
serviceConfig = {
ExecStart = let prg = pkgs.writeShellApplication {
name = "nginx";
runtimeInputs = with pkgs; [ su shadow ];
text = lib.strings.concatStringsSep " " [
# make data dir if non existent
"${pkgs.coreutils}/bin/mkdir -p /home/server/here/nginx/data;"
"${inputs.podman.packages.${system}.podman}/bin/podman" "container" "run"
"--name=nginx_app"
"--pod=nginx"
"-e DB_MYSQL_HOST=db"
"-e DB_MYSQL_PORT=3306"
"-e DB_MYSQL_USER=webserver"
''"e DB_MYSQL_PASSWORD=n1jK69EQEBOiJ&YPmbeW"''
"-e DB_MYSQL_NAME=nginx-proxy-manager"
"-v /home/server/here/nginx/data:/data"
"-v /home/server/here/nginx/data/letsencrypt:/etc/letsencrypt"
"--add-host app:127.0.0.1"
"--add-host nginx_app:127.0.0.1"
"--add-host db:127.0.0.1"
"--add-host nginx_db:127.0.0.1"
"--restart unless-stopped"
# last image name
"mariadb-aria"
];
}; in "${prg}/bin/nginx";
User = "server";
Group = "users";
};
wantedBy = [ "multi-user.target" ];
};
*/
}
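Review bot: The added podman units under the "server" banner embed database credentials in source (the `MYSQL_ROOT_PASSWORD`, `MYSQL_PASSWORD` and `DB_MYSQL_PASSWORD` arguments of the nginx-db and nginx units); wrapping them in `/* */` does not help, they are in git history now and should be treated as exposed and rotated, with the values read at runtime the way borg's `encryption.passCommand` already does, or via `serviceConfig.EnvironmentFile` pointing at a root-owned file. The `builtins.readFile "${secretsDir}/..."` pattern used for the dyndns tokens is not a good model for these, since anything interpolated into a script string that lands in a store path is world-readable on the host. Also in the nginx unit `''"e DB_MYSQL_PASSWORD=..."''` lacks the leading `-` of `-e`, and the image names look swapped between nginx-db (runs `nginx-proxy-manager`) and nginx (runs `mariadb-aria`). The rclone-mount-backup ExecStart still carries a stray `id;` debug call before the mount.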

0
hosts/tab/nix-on-droid.nix Normal file → Executable file


@@ -11,8 +11,8 @@
];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
#boot.loader.systemd-boot.enable = true;
#boot.loader.efi.canTouchEfiVariables = true;
# networking.hostName = "nixos"; # Define your hostname.
# Pick only one of the below networking options.
@@ -35,12 +35,12 @@
# };
# Enable the X11 windowing system.
services.xserver.enable = true;
#services.xserver.enable = true;
# Enable the GNOME Desktop Environment.
services.xserver.displayManager.gdm.enable = true;
services.xserver.desktopManager.gnome.enable = true;
#services.xserver.displayManager.gdm.enable = true;
#services.xserver.desktopManager.gnome.enable = true;
# Configure keymap in X11