From 4a62c235f12f95a14679550d62a537c4ecc3590a Mon Sep 17 00:00:00 2001
From: Sebastian Moser
Date: Tue, 14 Apr 2026 19:10:25 +0200
Subject: [PATCH] screen capture no longer working
---
 common/all.nix | 4 +-
 common/nixos.nix | 19 ++++++-
 flake.lock | 6 +-
 flake.nix | 9 ++-
 hosts/fasu.nix | 5 +-
 hosts/fe.nix | 8 ---
 hosts/fusu.nix | 26 +++++----
 hosts/lush.nix | 61 +++++++++++++++++++-
 hosts/mac.nix | 22 ++------
 hosts/main.nix | 105 ++++++++++++++++++++++------------
 hosts/te.nix | 8 ++-
 misc/my-hosts-t | 20 +++---
 mods/fesu-hosting-base.nix | 16 ++++++
 mods/fesu-services.nix | 113 ++++++++++++++++++++++++++++++-------
 mods/fusu-services.nix | 39 +++++++++++--
 mybin/nixre | 7 +--
 programs/bash.nix | 2 +-
 programs/ssh.nix | 20 +++++--
 users/me/gui-home.nix | 3 +
 19 files changed, 358 insertions(+), 135 deletions(-)
diff --git a/common/all.nix b/common/all.nix
index 1edce2c..506b077 100644
--- a/common/all.nix
+++ b/common/all.nix
@@ -1,4 +1,4 @@
-{ lib, inputs, self, secretsDir, specialArgs, ... }:
+{ lib, inputs, self, secretsDir, specialArgs, pkgsUnstable, ... }:
 # config that i use on all my hosts
@@ -8,7 +8,7 @@
 ];
- home-manager.extraSpecialArgs = specialArgs;
+ home-manager.extraSpecialArgs = specialArgs // { inherit pkgsUnstable; };
 programs.dconf.enable = true;
diff --git a/common/nixos.nix b/common/nixos.nix
index 5e70e21..dec7a88 100644
--- a/common/nixos.nix
+++ b/common/nixos.nix
@@ -1,10 +1,26 @@
-{ lib, self, ... }:
+{ lib, self, pkgsUnstable, ... }:
 # config that i use on all my hosts, that run native nixos
 # excluding for example my phone phone
 {
 ##system.stateVersion = "23.05"; # Did you read the comment?
+
+ ##### Netbird Configuration
+ services.netbird.package = pkgsUnstable.netbird;
+ services.netbird.clients.ppc = {
+ #login = {
+ #enable = true;
+ #setupKeyFile = "${secretsDir}/netbird-setup-key";
+ #};
+ port = 51821;
+ ui.enable = false;
+ openFirewall = true;
+ #openInternalFirewall = true;
+ };
+ networking.firewall.trustedInterfaces = [
+ "nb-ppc"
+ ];
 # Select internationalisation properties.
@@ -27,4 +43,3 @@ ${builtins.readFile "${self}/misc/my-hosts-t"}
 '';
 }
-
diff --git a/flake.lock b/flake.lock
index de30291..d6394c0 100644
--- a/flake.lock
+++ b/flake.lock
@@ -3775,11 +3775,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1758690382,
- "narHash": "sha256-NY3kSorgqE5LMm1LqNwGne3ZLMF2/ILgLpFr1fS4X3o=",
+ "lastModified": 1772624091,
+ "narHash": "sha256-QKyJ0QGWBn6r0invrMAK8dmJoBYWoOWy7lN+UHzW1jc=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "e643668fd71b949c53f8626614b21ff71a07379d",
+ "rev": "80bdc1e5ce51f56b19791b52b2901187931f5353",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 2af10f0..1fa0d50 100644
--- a/flake.nix
+++ b/flake.nix
@@ -179,6 +179,13 @@ allowUnfree = true;
 };
 };
+
+ pkgsUnstableArm = import nixpkgs-unstable {
+ system = "aarch64-linux";
+ config = {
+ allowUnfree = true;
+ };
+ };
 specialArgs = {
 inherit inputs confDir workDir secretsDir persistentDir self tunepkgs unstable nur pkgsUnstable dataDir;
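Review bot: `networking.firewall.trustedInterfaces = [ "nb-ppc" ]` switches the firewall off entirely for the overlay interface, so every listening service on every host that imports this module is reachable by any netbird peer, not only the ports that need it; the same block is added in hosts/mac.nix and mods/fesu-hosting-base.nix. hosts/main.nix already uses the narrower shape, `networking.firewall.interfaces.nb-ppc.allowedTCPPorts = [ 46733 ];`, which has no effect while the interface is trusted. Consider dropping `trustedInterfaces` and listing the needed ports per interface on each host, or, if blanket trust is intended, say so next to it: `# nb-ppc is fully trusted: every local service is exposed to all netbird peers`.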
@@ -616,7 +623,7 @@
 # my raspberry to try out stuff with
 "lush" = nixpkgs.lib.nixosSystem rec {
 system = "aarch64-linux";
- specialArgs = { inherit inputs confDir workDir secretsDir persistentDir self system; };
+ specialArgs = { inherit inputs confDir workDir secretsDir persistentDir self system; pkgsUnstable = pkgsUnstableArm; };
 modules = [
 ./hosts/lush.nix
 ];
diff --git a/hosts/fasu.nix b/hosts/fasu.nix
index ff768ee..9457e69 100644
--- a/hosts/fasu.nix
+++ b/hosts/fasu.nix
@@ -10,7 +10,7 @@ inputs.home-manager.nixosModules.home-manager
 ../users/me/headless.nix
 ../users/root/default.nix
- ../users/server/headles.nix
+ ../users/server/headless.nix
 ];
 # allow acern to ssh into server
@@ -26,9 +26,6 @@
 }
 ];
- services.tailscale.enable = true;
-
-
 #fileSystems."/boot" = {
 # device = "/dev/disk/by-label/fusu-boot";
 # fsType = "fat32";
diff --git a/hosts/fe.nix b/hosts/fe.nix
index 819808c..78a49d4 100644
--- a/hosts/fe.nix
+++ b/hosts/fe.nix
@@ -25,8 +25,6 @@
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKNXOPxlnSxkhm050ui56D5SHrkhuFwUOU0Gf0C+Vmks melektron@goarnix"
 ];
- services.tailscale.enable = true;
-
 virtualisation.libvirtd = {
 enable = true;
 qemuOvmf = true;
@@ -74,12 +72,6 @@ networking.firewall.allowPing = true;
 networking.firewall.enable = true;
- networking.firewall.interfaces."tailscale0".allowedTCPPorts = [
- 443 # couchdb for obsidian live sync https
- 44444 # resilio sync
- 9000 # resilio webui
- ];
-
 services.samba.openFirewall = true;
 networking.firewall.allowedTCPPorts = [
diff --git a/hosts/fusu.nix b/hosts/fusu.nix
index d51106f..79f97ab 100644
--- a/hosts/fusu.nix
+++ b/hosts/fusu.nix
@@ -51,9 +51,6 @@ in {
- services.tailscale.enable = true;
-
-
 services.resilio = {
 enable = true;
 enableWebUI = true;
@@ -61,19 +58,17 @@ in {
 checkForUpdates = false;
 listeningPort = 44444;
 };
- networking.firewall.interfaces."tailscale0".allowedTCPPorts = [
- 44444 # resilio sync
- 9000 # resilio webui
- 9001 # fwin vnc
- 9002 # fwin rdp
- 9003 # fwin ssh
- ];
+ networking.firewall.interfaces."br0".allowedTCPPorts = [
 44444 # resilio sync
 9000 # resilio webui
 9001 # fwin vnc
 9002 # fwin rdp
 9003 # fwin ssh
+ 9003 # fwin ssh
+ ];
+ networking.firewall.interfaces."br0".allowedTCPPortRanges = [
+ {from = 8000; to = 10000;}
 ];
@@ -86,6 +81,10 @@ in {
 device = "storage";
 fsType = "zfs";
 };
+ fileSystems."/data" = {
+ device = "storage";
+ fsType = "zfs";
+ };
 # Use the GRUB 2 boot loader.
 boot.loader.grub = {
@@ -124,6 +123,7 @@ in {
 services.samba.openFirewall = true;
 networking.firewall.allowedTCPPorts = [
+ 22
 8888 # for general usage
 9999 # for general usage
 8080 # for mitm proxy
@@ -163,6 +163,7 @@ in {
 ];
 environment.systemPackages = with pkgs; [
+ tcpdump
 sshfs
 ntfs3g
 virtiofsd
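Review bot: The new `networking.firewall.interfaces."br0".allowedTCPPortRanges = [ {from = 8000; to = 10000;} ]` already covers 9000–9003, and the explicit list now carries `9003 # fwin ssh` twice (the context line plus the added `+ 9003 # fwin ssh`), so the individual entries are redundant and the duplicate should go. A 2000-port range on a bridge is a broad grant; if it exists for a handful of forwarded guest services, listing those ports is both safer and self-documenting, and a comment such as `# 8000-10000: <reason>` would at least record why the range is needed. The later hunk adds `22` to the global `networking.firewall.allowedTCPPorts`, i.e. on every interface; if that is meant for the bridge only, it belongs in the br0 list.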
@@ -223,8 +224,9 @@ in {
 text = ''
 ip=$(curl -4 my.ip.fi)
- curl "http://dynv6.com/api/update?hostname=${builtins.readFile "${secretsDir}/dns-name-two"}&ipv4=$ip&token=${builtins.readFile "${secretsDir}/dns-name-two-token"}"
- curl "https://dynamicdns.park-your-domain.com/update?host=home&domain=${builtins.readFile "${secretsDir}/dns-name"}&password=${builtins.readFile "${secretsDir}/dns-name-token"}&ip=$ip"
+ #curl "http://dynv6.com/api/update?hostname=${builtins.readFile "${secretsDir}/dns-name-two"}&ipv4=$ip&token=${builtins.readFile "${secretsDir}/dns-name-two-token"}"
+ curl "http://dynv6.com/api/update?hostname=${builtins.readFile "${secretsDir}/dns-name-mati"}&ipv4=$ip&token=${builtins.readFile "${secretsDir}/dns-name-mati-token"}"
+ # curl "https://dynamicdns.park-your-domain.com/update?host=home&domain=${builtins.readFile "${secretsDir}/dns-name"}&password=${builtins.readFile "${secretsDir}/dns-name-token"}&ip=$ip"
 # https://www.namecheap.com/support/knowledgebase/article.aspx/29/11/how-to-dynamically-update-the-hosts-ip-with-an-https-request/
 '';
diff --git a/hosts/lush.nix b/hosts/lush.nix
index cf6584b..748ad31 100644
--- a/hosts/lush.nix
+++ b/hosts/lush.nix
@@ -9,6 +9,7 @@ inputs.networkmanager.nixosModules.networkmanager
 ../common/all.nix
+ ../common/nixos.nix
 inputs.home-manager.nixosModules.home-manager
 ../users/me/headless.nix
@@ -31,6 +32,7 @@ powerOnBoot = true;
 };
 };
+swapDevices = [ { device = "/swapfile"; } ];
 # get usbip working
 boot.extraModulePackages = [
@@ -68,8 +70,6 @@ services.blueman.enable = true;
 hardware.enableRedistributableFirmware = true;
- services.tailscale.enable = true;
-
 environment.systemPackages = with pkgs; [
 linuxPackages.usbip
 vim
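Review bot: The new `curl "http://dynv6.com/api/update?…&token=${builtins.readFile "${secretsDir}/dns-name-mati-token"}"` sends the DNS update token in cleartext (the commented namecheap line uses https, and dynv6 serves the same API over https), and because the token is interpolated at evaluation time the rendered script, token included, lands in the world-readable Nix store. `https://dynv6.com/api/update` is a one-word fix for the transport; keeping the token out of the store means reading it at run time from a root-only file outside the store, e.g. `token=$(cat /run/secrets/dns-name-mati-token)` (placeholder path) with `&token=$token` in the URL. The enclosing `text = ''…''` attribute begins before the hunk.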
@@ -107,6 +107,63 @@ X11UseLocalhost no
 '';
 };
+
+ ########################### kiosk ############################
+
+ boot.plymouth.enable = true;
+ services.dbus.enable = true;
+
+ fonts.enableDefaultPackages = true;
+ xdg.icons.enable = true;
+ gtk.iconCache.enable = true;
+
+ services.udisks2.enable = false;
+ hardware.opengl.enable = true;
+
+ systemd.services."cage@" = {
+ enable = false;
+ after = [ "systemd-user-sessions.service" "dbus.socket" "systemd-logind.service" "getty@%i.service" "plymouth-deactivate.service" "plymouth-quit.service" ];
+ before = [ "graphical.target" ];
+ wants = [ "dbus.socket" "systemd-logind.service" "plymouth-deactivate.service" ];
+ wantedBy = [ "graphical.target" ];
+ conflicts = [ "getty@%i.service" ]; # "plymouth-quit.service" "plymouth-quit-wait.service"
+
+ restartIfChanged = false;
+ serviceConfig = {
+ ExecStart = "${pkgs.cage}/bin/cage -d -- /home/me/here/mize/target/debug/ppc c2vi-dash";
+ User = "root";
+
+ # ConditionPathExists = "/dev/tty0";
+ IgnoreSIGPIPE = "no";
+
+ # Log this user with utmp, letting it show up with commands 'w' and
+ # 'who'. This is needed since we replace (a)getty.
+ UtmpIdentifier = "%I";
+ UtmpMode = "user";
+ # A virtual terminal is needed.
+ TTYPath = "/dev/%I";
+ TTYReset = "yes";
+ TTYVHangup = "yes";
+ TTYVTDisallocate = "yes";
+ # Fail to start if not controlling the virtual terminal.
+ StandardInput = "tty-fail";
+ #StandardOutput = "syslog";
+ #StandardError = "syslog";
+ # Set up a full (custom) user session for the user, required by Cage.
+ PAMName = "cage";
+ };
+ };
+
+ security.pam.services.cage.text = ''
+ auth required pam_unix.so nullok
+ account required pam_unix.so
+ session required pam_unix.so
+ session required ${pkgs.systemd}/lib/security/pam_systemd.so
+ '';
+
+ systemd.targets.graphical.wants = [ "cage@tty1.service" ];
+
+ systemd.defaultUnit = "graphical.target";
 ####################################### networking ##########################
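Review bot: The kiosk unit `systemd.services."cage@"` is configured with `User = "root"` while its `ExecStart` launches `/home/me/here/mize/target/debug/ppc`, a debug build inside an unprivileged user's home, so whoever can write that path gets code execution as root the next time the unit starts, and the compositor itself then runs with full privileges. The unit is `enable = false` for now, but `systemd.targets.graphical.wants = [ "cage@tty1.service" ]` and `systemd.defaultUnit` already point at it, so this bites the moment it is switched on. Running it as a dedicated kiosk user and pointing `ExecStart` at a root-owned or store path is the usual shape; with `PAMName` and `pam_systemd.so` already in place a non-root user gets a proper session. The PAM stack's `auth required pam_unix.so nullok` additionally accepts empty passwords for this service — drop `nullok` unless it is needed. `hardware.opengl.enable` has been renamed to `hardware.graphics.enable` in recent NixOS releases, if this host tracks one of them.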
diff --git a/hosts/mac.nix b/hosts/mac.nix
index a4cc69b..d7bb50f 100644
--- a/hosts/mac.nix
+++ b/hosts/mac.nix
@@ -22,7 +22,6 @@ in {
 ../users/root/default.nix
 ../common/nixos-wayland.nix
 ];
- services.tailscale.enable = true;
 programs.nix-ld.enable = true;
 #services.pid-fan-controller.enable = true;
@@ -62,19 +61,6 @@ in {
 4410 # lan-mouse
 ];
- ##### Netbird Configuration
- services.netbird.clients.ppc = {
- #login = {
- #enable = true;
- #setupKeyFile = "${secretsDir}/netbird-setup-key";
- #};
- port = 51821;
- ui.enable = false;
- openFirewall = true;
- #openInternalFirewall = true;
- };
-
-
 swapDevices = [ { device = "/swapfile"; } ];
 boot.kernelModules = [ "usbip_core" ];
@@ -95,6 +81,9 @@ in {
 firewall_backend = "nftables"
 '';
 };
+ networking.firewall.trustedInterfaces = [
+ "nb-ppc"
+ ];
 # Use the GRUB 2 boot loader.
 boot.loader.grub = {
@@ -189,7 +178,7 @@ in {
 position = "left";
 hostname = "main";
 activate_on_startup = true;
- ips = [ "192.168.4.2" "100.71.47.106" ];
+ ips = [ "192.168.4.2" "100.88.218.34" ];
 port = 4410;
 }
 ];
@@ -451,7 +440,8 @@ in {
 uuid = "ab51de8a-9742-465a-928b-be54a83ab6a3";
 type = "wifi";
 interface-name = "wlp3s0";
- autoconnect-priority = "100";
+ #autoconnect-priority = "100";
+ autoconnect = false;
 };
 wifi = {
 mode = "ap";
diff --git a/hosts/main.nix b/hosts/main.nix
index 2dcd045..2b2faaf 100644
--- a/hosts/main.nix
+++ b/hosts/main.nix
@@ -44,6 +44,15 @@ obs-teleport
 ];
 };
+ documentation.enable = true;
+ documentation.man.enable = true;
+
+fileSystems."/home/me/nico" = {
+ device = "100.88.28.123:/data/incus/default-pool/containers/nico/rootfs/root/work/";
+ fsType = "nfs";
+ options = [ "x-systemd.automount" "noauto" "x-systemd.idle-timeout=600" ];
+};
+
 # virtual display
 /*
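Review bot: `fileSystems."/home/me/nico" = {` and its closing `};` sit at column 0 inside an attribute set whose neighbours are indented (the added `swapDevices` line in hosts/lush.nix has the same problem); indent them to match the surrounding entries. The automount targets an overlay address, so while that peer or the netbird tunnel is down the first access to `/home/me/nico` blocks until the NFS client gives up; a comment such as `# NFS over netbird: only reachable while nb-ppc is up` next to `device` would warn the next reader, and a `soft` option may be worth considering if a hang is worse than an I/O error here.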
@@ -85,18 +94,6 @@
 };
 */
- ##### Netbird Configuration
- services.netbird.clients.ppc = {
- #login = {
- #enable = true;
- #setupKeyFile = "${secretsDir}/netbird-setup-key";
- #};
- port = 51821;
- ui.enable = false;
- openFirewall = true;
- #openInternalFirewall = true;
- };
-
 programs.fuse.userAllowOther = true;
@@ -189,7 +186,7 @@ position = "right";
 hostname = "mac";
 activate_on_startup = true;
- ips = [ "192.168.4.3" "100.100.55.117" ];
+ ips = [ "192.168.4.3" "100.88.112.181" ];
 port = 4410;
 }
 ];
@@ -202,23 +199,6 @@ virtualisation.vmVariant.services.timesyncd.enable = lib.mkForce false;
- services.tailscale.enable = true;
-
- services.resilio = {
- enable = false;
- enableWebUI = true;
- httpListenAddr = "100.71.47.106";
- checkForUpdates = false;
- listeningPort = 44444;
- };
- users.users.me.homeMode = "770"; # important for resilio
- networking.firewall.interfaces."tailscale0".allowedTCPPorts = [
- 44444 # resilio sync
- 9000 # resilio webui
- ];
-
-
 virtualisation.waydroid.enable = true;
@@ -563,7 +543,6 @@
 8080 # for mitm proxy
 51820 # wireguard
 6000 # Xserver
- 10000 # tailscale tcp funnel
 4405 # clipboard sync with imac
 ];
@@ -574,7 +553,6 @@
 53 # allow dns
 48899 # GoodWe inverter discovery
 4410 # lan-mouse
- 41641 # tailscale
 ];
 #networking.search = [ "c2vi.local" ];
@@ -590,11 +568,11 @@ uuid = "a02273d9-ad12-395e-8372-f61129635b6f";
 type = "ethernet";
 autoconnect-priority = "-999";
- interface-name = "enp0s13f0u1u4u3";
+ interface-name = "enp0s20f0u4u4u3";
 };
 ipv4 = {
 address2 = "192.168.4.2/24";
- dns = "1.1.1.1;";
+ dns = "100.88.218.34;";
 method = "manual";
 };
 };
@@ -666,7 +644,7 @@ ipv4 = {
 #address1 = "192.168.20.11/24";
- dns = "1.1.1.1;8.8.8.8;";
+ dns = "100.88.218.34;";
 method = "auto";
 };
 };
@@ -693,7 +671,7 @@ ipv4 = {
 #address1 = "192.168.20.11/24";
- dns = "1.1.1.1;8.8.8.8;";
+ dns = "100.88.218.34;";
 method = "auto";
 };
 };
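Review bot: The `dns = "100.88.218.34;"` changes in the `-590`, `-666` and `-693` hunks leave each NetworkManager profile with a single resolver, which from the lan-mouse entry in hosts/mac.nix appears to be this host's own overlay address, so name resolution only works while the netbird client is up and finished starting; the previous `1.1.1.1;8.8.8.8;` fallback is gone entirely. If the overlay resolver should be preferred, keeping a public one behind it, `dns = "100.88.218.34;1.1.1.1;"`, preserves resolution when the tunnel is down. A short comment such as `# overlay DNS served by the netbird client on nb-ppc` would record why the resolver is a 100.88.x address.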
@@ -918,6 +896,61 @@
 '';
 # */
+ ############################## suspend and hibernate http server ###################################
+ networking.firewall.interfaces.nb-ppc.allowedTCPPorts = [ 46733 ];
+
+ systemd.services.power-http-control =
+ let
+ powerHttpServer = pkgs.writeTextFile {
+ name = "power-http-server";
+ destination = "/bin/power-http-server.py";
+ executable = true;
+ text = ''
+ #!${pkgs.python3}/bin/python3
+ from http.server import BaseHTTPRequestHandler, HTTPServer
+ import subprocess
+
+ HOST = "0.0.0.0"
+ PORT = 46733
+
+ class Handler(BaseHTTPRequestHandler):
+ def do_GET(self):
+ if self.path == "/suspend":
+ self.send_response(200)
+ self.end_headers()
+ self.wfile.write(b"Suspending")
+ subprocess.Popen(["systemctl", "suspend"])
+
+ elif self.path == "/shutdown":
+ self.send_response(200)
+ self.end_headers()
+ self.wfile.write(b"Shutting down")
+ subprocess.Popen(["systemctl", "hibernate"])
+
+ else:
+ self.send_response(404)
+ self.end_headers()
+ self.wfile.write(b"Not found")
+
+ def log_message(self, format, *args):
+ pass
+
+ HTTPServer((HOST, PORT), Handler).serve_forever()
+ '';
+ };
+ in
+ {
+ description = "Simple HTTP server for suspend/shutdown";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+
+ serviceConfig = {
+ ExecStart = "${powerHttpServer}/bin/power-http-server.py";
+ Restart = "always";
+ RestartSec = 5;
+ Type = "simple";
+ };
+ };
 ############################## swap and hibernate ###################################
diff --git a/hosts/te.nix b/hosts/te.nix
index 5447c90..70ecd63 100644
--- a/hosts/te.nix
+++ b/hosts/te.nix
@@ -18,7 +18,6 @@ in {
 ../common/nixos-wayland.nix
 ];
- services.tailscale.enable = true;
 programs.nix-ld.enable = true;
 networking.hostName = "te";
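Review bot: `HTTPServer((HOST, PORT), Handler)` with `HOST = "0.0.0.0"` listens on every interface and the unit sets no `User=` or `DynamicUser=`, so the server runs as root and any client that can reach port 46733 can suspend or hibernate the machine with an unauthenticated GET — only the `nb-ppc` firewall rule keeps it off the LAN, and nothing restricts it on the overlay. Binding to the host's nb-ppc address instead of 0.0.0.0 and requiring a bearer token read from a root-only file outside the Nix store turns this from an open power switch into a keyed one (sketch below; add `import hmac` beside the existing imports). The `/shutdown` branch answers `b"Shutting down"` but runs `systemctl hibernate`; rename either the path or the message so the API says what it does. `log_message` is silenced completely, which discards the only record of who triggered a suspend; logging the client address on the accepted paths keeps an audit trail.
```python
# … unchanged: imports (plus `import hmac`), HOST, PORT …
TOKEN_FILE = "/run/secrets/power-http-token"  # placeholder: root-only file outside the nix store

class Handler(BaseHTTPRequestHandler):
    def _authorized(self):
        with open(TOKEN_FILE) as f:
            expected = "Bearer " + f.read().strip()
        return hmac.compare_digest(self.headers.get("Authorization", ""), expected)

    def do_GET(self):
        if not self._authorized():
            self.send_response(401)
            self.end_headers()
            return
        # … unchanged: /suspend, /shutdown and 404 branches …
```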
@@ -308,7 +307,10 @@ in {
 ############### disk config
 # the flash drive in use for te
 #disko.devices.disk.root.device = "/dev/disk/by-id/usb-Generic_Flash_Disk_FF830E8F-0:0";
- disko.devices.disk.root.device = "/dev/disk/by-id/ata-KBG40ZNV512G_KIOXIA_70GPGA85QBV1";
+ #disko.devices.disk.root.device = "/dev/disk/by-id/ata-KBG40ZNV512G_KIOXIA_70GPGA85QBV1";
+
+ # the 500G ssd previously in fusu
+ disko.devices.disk.root.device = "/dev/disk/by-id/ata-WDC_PC_SN520_SDAPNUW-256G-1006_190399802515";
 disko.devices = {
 disk = {
 root = {
@@ -334,7 +336,7 @@ in {
 };
 root = {
- size = "240G";
+ size = "100G";
 content = {
 # LUKS passphrase will be prompted interactively only
 type = "luks";
diff --git a/misc/my-hosts-t b/misc/my-hosts-t
index 0a640e7..be83d11 100644
--- a/misc/my-hosts-t
+++ b/misc/my-hosts-t
@@ -1,14 +1,10 @@
-100.71.47.106 main
-100.77.80.77 phone
-100.70.54.18 fusu
-100.70.54.18 files
-100.81.207.107 lush
-100.76.146.119 tab
-100.70.39.65 waydroid
 100.107.67.76 te
-100.100.55.117 mac
-100.96.201.42 ki
-100.107.101.77 fe
-100.107.101.77 fesu
 100.93.225.52 fasu
-100.91.200.82 fwin
+100.88.42.194 fwin
+100.88.28.123 fe
+100.88.79.207 fusu
+100.88.79.207 files
+100.88.164.39 lush
+100.88.112.181 mac
+100.88.116.225 nico
+100.88.245.227 phone
diff --git a/mods/fesu-hosting-base.nix b/mods/fesu-hosting-base.nix
index 8c8766b..6ce5e06 100644
--- a/mods/fesu-hosting-base.nix
+++ b/mods/fesu-hosting-base.nix
@@ -34,6 +34,7 @@
 ];
 services.openssh = {
 enable = true;
+ ports = [ 9000 ];
 # require public key authentication for better security
 settings.PasswordAuthentication = false;
 settings.KbdInteractiveAuthentication = false;
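Review bot: The comment `# the 500G ssd previously in fusu` does not match the device it labels: the by-id name `ata-WDC_PC_SN520_SDAPNUW-256G-…` identifies a 256 GB drive, and the root partition is shrunk from `240G` to `100G` in the next hunk, presumably for that reason. Either correct the comment (`# the 256G WD SN520 previously in fusu`) or, if 500G is right, re-check the by-id path before the next disko run, since disko partitions whatever device that path resolves to.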
@@ -45,6 +46,21 @@ X11UseLocalhost no
 '';
 };
+
+ ##### Netbird Configuration
+ services.netbird.clients.ppc = {
+ #login = {
+ #enable = true;
+ #setupKeyFile = "${secretsDir}/netbird-setup-key";
+ #};
+ port = 51821;
+ ui.enable = false;
+ openFirewall = true;
+ #openInternalFirewall = true;
+ };
+ networking.firewall.trustedInterfaces = [
+ "nb-ppc"
+ ];
 /*
 system.activationScripts.addDefaultRoute = {
diff --git a/mods/fesu-services.nix b/mods/fesu-services.nix
index 61302db..ee47f9d 100644
--- a/mods/fesu-services.nix
+++ b/mods/fesu-services.nix
@@ -1,8 +1,9 @@
-{ pkgs, dataDir, config, inputs, system, lib, secretsDir, ... }:
+{ pkgs, dataDir, config, inputs, system, lib, secretsDir, pkgsUnstable, ... }:
 /*
 ## ports
+## forwarded ports
 - 49001 ssh me-hosting
 - 49002 ssh ppc-hosting
 - 49003 ssh pcmc
@@ -22,22 +23,27 @@
 - 49112 mc second voice
 - 49113 mc second bedrock
 - 49114 mc lobby bedrock
+- 49115 mc nilla
+- 49116 mc nilla voice
-- me hosting ports
+## non forwarded ports
+- 5000 compass-site
+- 5001 ppc-site
+
+## me hosting ports
 - 8000 wiki site
 - 8001 lage0 site
 - 8002 plausible site
- - 8003 ppc-site
 - 8004 instant db
 - 8005 instant webui
-- ppc hosting ports
+## ppc hosting ports
 - 8000 dav
 - 8001 affine
 - 8002 git
 - 8003 git ssh
-## hosting container ips (on the interface br-proxy
+## hosting container ips (on the interface br-proxy)
 - fusu 192.168.1.2
 - me-hosting 192.168.1.20
 - ppc-hosting 192.168.1.21
@@ -71,7 +77,7 @@ services = lib.attrsets.mergeAttrsList (serviceList ++ extraServices);
 in { inherit routers services; };
- basicTraefikSetting = { name, domain, host, port }: let
+ basicTraefikSetting = { name, domain, host, port, extraRouterConfig ? {}, extraServiceConfig ? {}, middlewares ? [] }: let
 host_ip = if host == "me-hosting" then "192.168.1.20"
 else if host == "pcmc" then "192.168.1.23"
@@ -80,12 +86,8 @@ else host;
 in {
-
- impotrs = [
- "${inputs.hetzner_ddns}/release/nixos_module.nix"
- ];
-
 routers.${name} = {
+ inherit middlewares;
 rule = "Host(`${domain}`)";
 service = name;
 tls = {
@@ -93,13 +95,14 @@ domains = [
 { main = domain; }
 ];
- };
+ } // extraRouterConfig;
 };
- services.${name}.loadBalancer.servers = [
- { url = "http://${host_ip}:${builtins.toString port}"; }
- ];
-
+ services.${name} = {
+ loadBalancer.servers = [
+ { url = "http://${host_ip}:${builtins.toString port}"; }
+ ];
+ } // extraServiceConfig;
 };
@@ -230,6 +233,7 @@ in {
 imports = [
 ./fesu-hosting-base.nix
 ];
+ services.netbird.package = pkgsUnstable.netbird;
 };
 };
@@ -276,11 +280,23 @@ in {
 imports = [
 ./fesu-hosting-base.nix
 ];
+ services.netbird.package = pkgsUnstable.netbird;
 users.users.root = {
 openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuH2ilZeIQrr9wYtBtQyRD5oaVkuLImjm9EIGfn+wqw" # Mr3DAlien
 ];
 };
+ systemd.services.ppc = {
+ environment = {
+ MIZE_CONFIG_FILES = "/root/host/ppc-website-config.toml";
+ };
+ description = "PPC Website";
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart = "/root/host/ppc-src/target/release/ppc server";
+ Restart = "always";
+ };
+ };
 };
 };
@@ -342,11 +358,26 @@ in {
 imports = [
 ./fesu-hosting-base.nix
 ];
+ services.netbird.package = pkgsUnstable.netbird;
+
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM82mBUZqo7nfU8XJQDoEcOa+DfQyJE7T7ddFjQVhg93 me@main"
+ ];
 };
 };
+ ############################ nico nfs share #########################
+ services.nfs.server = {
+ enable = true;
+ exports = ''
+ /data/incus/default-pool/containers/nico/rootfs/root/work/ 100.88.0.0/16(rw,sync,no_subtree_check)
+ '';
+ };
+ # Open necessary firewall ports
+ networking.firewall.allowedTCPPorts = [ 111 2049 20048 ];
+ networking.firewall.allowedUDPPorts = [ 111 2049 20048 ];
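Review bot: `networking.firewall.allowedTCPPorts = [ 111 2049 20048 ]` and its UDP twin open the NFS ports on every interface of this host, which from the traefik configuration further down appears to be the internet-facing proxy, while the export's only access control is the range `100.88.0.0/16(rw,sync,no_subtree_check)` — the whole overlay, with the default `sec=sys`, so any peer can read and write the share as any non-root uid it chooses. The only consumer visible in this commit is the `fileSystems."/home/me/nico"` mount in hosts/main.nix; narrowing the export to that client's overlay address and scoping the firewall to the tunnel, `networking.firewall.interfaces.nb-ppc.allowedTCPPorts = [ 2049 ];` (111 and 20048 are only needed for NFSv3 clients), keeps the share off the public side. A comment above `exports` noting that the path lives inside the `nico` container's rootfs, so ownership seen by clients follows that container's uid layout, would spare the next reader a surprise.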
@@ -367,16 +398,45 @@ in {
 wantedBy = [ "multi-user.target" ];
 after = [ "network.target" ];
 };
+
+ ############################ ppc app #########################
+ systemd.services.ppc = {
+ enable = true;
+ description = "PPC website";
+ unitConfig = {
+ Type = "simple";
+ };
+ environment = {
+ MIZE_CONFIG_FILES = "/home/server/here/ppc.toml";
+ };
+ serviceConfig = {
+ User = "server";
+ Group = "server";
+ Restart = "always";
+ RestartSec = "500s";
+ ExecStart = "/home/server/here/ppc server";
+ };
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ };
 ############################ traefik #########################
+ # without this traefik will try to put downloaded plugins into "/plugins-storate/ which fails with permission denied"
+ systemd.services.traefik.serviceConfig.WorkingDirectory = config.services.traefik.dataDir;
 services.traefik = {
 enable = true;
 #dataDir = "${dataDir}/traefik";
 staticConfigOptions = {
+ experimental.plugins = {
+ traefikoidc = {
+ moduleName = "github.com/lukaszraczylo/traefikoidc";
+ version = "v0.7.10";
+ };
+ };
 entryPoints = {
 web = {
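Review bot: `unitConfig = { Type = "simple"; }` places `Type=` in the `[Unit]` section, where systemd does not know it (it logs an unknown-key warning and ignores it); `Type` belongs in `serviceConfig`, and since `simple` is the default the whole `unitConfig` block can simply be dropped. `RestartSec = "500s"` looks like a typo for `5s` — with `Restart = "always"` a crash now takes over eight minutes to recover, while the sibling `power-http-control` unit in hosts/main.nix uses `RestartSec = 5`. The `systemd.services.ppc` added in the `-276` hunk of this file runs as root from `/root/host/ppc-src/…`; this one runs as `User = "server"`, which is the shape worth carrying over there.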
@@ -418,14 +478,19 @@ in {
 { name = "wiki-site"; domain = "wiki.ppc.social"; host = "me-hosting"; port = 8000; }
 { name = "lage0-site"; domain = "lage0.c2vi.dev"; host = "me-hosting"; port = 8001; }
 { name = "plausible"; domain = "plausible.c2vi.dev"; host = "me-hosting"; port = 8002; }
- { name = "ppc-site"; domain = "ppc.social"; host = "me-hosting"; port = 8003; }
- { name = "compass-site"; domain = "compass.ppc.social"; host = "fesu"; port = 3000; }
+ { name = "ppc-site"; domain = "ppc.social"; host = "fesu"; port = 5001; }
+ { name = "compass-site"; domain = "compass.ppc.social"; host = "fesu"; port = 5000; }
 { name = "dav"; domain = "dav.ppc.social"; host = "ppc-hosting"; port = 8000; }
 { name = "instant"; domain = "instant.ppc.social"; host = "me-hosting"; port = 8004; }
 { name = "instant-backend"; domain = "instant-backend.ppc.social"; host = "me-hosting"; port = 8005; }
 { name = "isotoke-website"; domain = "isotoke.ppc.social"; host = "192.168.1.26"; port = 80; }
 { name = "affine"; domain = "affine.ppc.social"; host = "ppc-hosting"; port = 8001; }
 { name = "gitea"; domain = "git.ppc.social"; host = "ppc-hosting"; port = 8002; }
+ { name = "nico"; domain = "nico.ppc.social"; host = "192.168.1.14"; port = 18789; middlewares = [ "oidc-nico" ]; }
+ #{ name = "spacetime"; domain = "spacetime.ppc.social"; host = "ppc-hosting"; port = 8005; extraRouterConfig = {
+ # rule = "Host(`spacetime.ppc.social`) && PathPrefix(`/v1/database`)";
+ # };
+ #}
 ]
 # extraRouters (full configs)
@@ -434,7 +499,17 @@ in {
 # extraServices (full configs)
 [
- ]);
+ ])
+ // {
+ middlewares.oidc-nico.plugin.traefikoidc = {
+ providerURL = "https://auth.ppc.social";
+ callbackURL = "/oauth2/callback";
+ clientSecret = builtins.readFile "${secretsDir}/nico-oidc-secret";
+ clientID = "361779269791186947";
+ sessionEncryptionKey = builtins.readFile "${secretsDir}/nico-session-encryption-key";
+ logLevel = "debug";
+ };
+ };
 };
 };
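Review bot: `clientSecret = builtins.readFile "${secretsDir}/nico-oidc-secret"` and `sessionEncryptionKey = builtins.readFile "${secretsDir}/nico-session-encryption-key"` embed both secrets into the evaluated configuration, and the NixOS traefik module renders `dynamicConfigOptions` into a world-readable file in the Nix store, so every local user, build log and binary cache the closure reaches can read the OIDC client secret and the session key. Traefik's file provider supports Go templating, so the values can come from `services.traefik.environmentFiles` pointing at a root-only file (placeholder `/run/secrets/traefik.env`) and be referenced as `clientSecret = ''{{ env "NICO_OIDC_CLIENT_SECRET" }}'';`, keeping them out of the store. `builtins.readFile` also keeps a trailing newline if the secret files end with one, which matters for a key that must be an exact length; `lib.fileContents` strips it. `logLevel = "debug"` on an auth middleware is likely to write tokens and session details to the journal — set it back to `"info"` once the route works.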
diff --git a/mods/fusu-services.nix b/mods/fusu-services.nix
index bfe18e8..b7dfecb 100644
--- a/mods/fusu-services.nix
+++ b/mods/fusu-services.nix
@@ -1,4 +1,14 @@
-{ pkgs, dataDir, config, inputs, system, ... }: let
+{ pkgs, dataDir, config, inputs, system, secretsDir, ... }: let
+
+#################################### ports ##############################
+# 49388 ssh
+# 8001 backup-c2vi
+# 8002 backup-mom
+# 8003 backup-dad
+# 8004 backup-brother
+# 9001 fwin vnc
+# 9002 fwin rdp
+# 9003 fwin ssh
 /**
 thanks: @melektron
@@ -16,10 +26,26 @@ ${pkgs.lib.getExe inputs.arion.packages."${system}".arion} --prebuilt-file ${config.virtualisation.arion.projects."${srv_name}".settings.out.dockerComposeYaml} $@
 ''
 );
+
+ backupContainers = configs: builtins.listToAttrs (map (config: {
+ name = config.name;
+ # virtualisation.arion.projects.backup.services.settings =
+ value.service = {
+ image = "restic/rest-server";
+ volumes = [ "/data/backups/${config.name}:/data" ];
+ ports = [ "${builtins.toString config.port}:8000" ];
+ environment.OPTIONS = "--debug";
+ };
+ }) configs);
 in {
+
+ imports = [
+ inputs.arion.nixosModules.arion
+ ];
 environment.systemPackages = [
+ (createArionServiceManager "backup" "")
 pkgs.arion
 # Do install the docker CLI to talk to podman.
@@ -40,9 +66,14 @@ in {
 virtualisation.arion = {
 backend = "podman-socket";
-
- };
-
+
+ virtualisation.arion.projects.backup.serviceName = "backup";
+ virtualisation.arion.projects.backup.settings.services = backupContainers [
+ { name = "c2vi"; port = 8001; }
+ { name = "mom"; port = 8002; }
+ { name = "dad"; port = 8003; }
+ { name = "brother"; port = 8004; }
+ ];
 }
diff --git a/mybin/nixre b/mybin/nixre
index 3749ec0..dd4f7eb 100755
--- a/mybin/nixre
+++ b/mybin/nixre
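Review bot: In the last hunk the `};` that closed `virtualisation.arion = {` is removed and nothing visible closes it before the module's final `}`, so as shown the two `virtualisation.arion.projects.backup.…` attributes end up nested inside `virtualisation.arion` and the file no longer parses; unless a context line collapsed out of this view closes it, re-add `};` after `backend = "podman-socket";`. The `restic/rest-server` containers built by `backupContainers` use an unpinned image tag and `environment.OPTIONS = "--debug"` only; `--append-only` is the standard setting for a backup target so that a compromised client cannot delete or overwrite its own history, and a pinned tag makes the closure reproducible. `ports = [ "<port>:8000" ]` publishes each server on all host addresses, so if this module is imported by hosts/fusu.nix, whose br0 rules admit 8000–10000, they are reachable from the whole bridge over plain HTTP; binding to the overlay address, `"<nb-ppc address>:${builtins.toString config.port}:8000"` (placeholder), limits that. The lambda parameter `config` in `map (config: …)` shadows the module's `config` argument; a different name such as `entry` avoids the confusion.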
@@ -44,6 +44,8 @@ build_remote () {
 rsync -r -v $HOME/work/config/* $host:my-nixos-config --exclude=.git --exclude=gitignore
+return 0;
+
 out_path=$(ssh $host nix build "\$HOME/my-nixos-config#nixosConfigurations.$host.config.system.build.toplevel" --impure --no-link --print-out-paths -v -L "${args_to_pass[@]}")
 if [[ "$out_path" == "" ]]
@@ -128,7 +130,4 @@ then
 else
 echo "rebuild from local (~/work/config/)"
 build_from_local && do_switch
-fi
-
-
-
+fi
diff --git a/programs/bash.nix b/programs/bash.nix
index 9aebf2e..c456b18 100644
--- a/programs/bash.nix
+++ b/programs/bash.nix
@@ -43,7 +43,7 @@
 #zed="WAYLAND_DISPLAY= zeditor";
 npm="pnpm";
- md="~/work/modules/modules/dev/run";
+ md="~/work/mize/md";
 mize="~/work/mize/mize";
 m="~/work/mize/mize";
diff --git a/programs/ssh.nix b/programs/ssh.nix
index 5fa2946..66c2cce 100644
--- a/programs/ssh.nix
+++ b/programs/ssh.nix
@@ -23,6 +23,11 @@
 "github.com" = {
 hostname = "github.com";
 };
+ hetzner2 = {
+ user = "c2vi";
+ port = 2222;
+ hostname = "hetzner2.ecbb.cc";
+ };
 sepp = {
 user = "seb";
 };
@@ -35,6 +40,9 @@
 port = 49388;
 user = "files";
 };
+ nico = {
+ user = "root";
+ };
 rpis = {
 hostname = "rpi";
 port = 49388;
@@ -48,18 +56,18 @@
 feh = {
 user = "root";
- hostname = "100.107.101.77";
- port = 49001;
+ hostname = "100.88.93.24";
+ port = 9000;
 };
 ppc-hosting = {
 user = "root";
- hostname = "100.107.101.77";
- port = 49002;
+ hostname = "100.88.46.87";
+ port = 9000;
 };
 pcmc = {
 user = "root";
- hostname = "100.107.101.77";
- port = 49003;
+ hostname = "100.88.33.187";
+ port = 9000;
 };
diff --git a/users/me/gui-home.nix b/users/me/gui-home.nix
index 7bd8dd4..e90f35a 100755
--- a/users/me/gui-home.nix
+++ b/users/me/gui-home.nix
@@ -26,6 +26,9 @@ package = inputs.zed.packages.x86_64-linux.default;
 };
+
+ programs.direnv.enable = true;
+
 programs.walker = {
 enable = false;
 runAsService = true;
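Review bot: The added `return 0;` sits directly after the `rsync` in `build_remote`, so the `ssh $host nix build …` that follows and everything after it in the function is now unreachable and a remote build silently does nothing beyond syncing the tree; this looks like a debugging leftover and should be removed or put behind an explicit flag with a comment saying why. Shell `return` takes no trailing `;` — harmless, but it stands out next to the rest of the script. `build_remote` continues past the end of the hunk.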