c2vi/dotfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

...

Browse Source
This commit is contained in:
Sebastian Moser
2023-11-21 20:11:26 +01:00
parent 7ed54e66ec
commit c712d76fac
17 changed files with 605 additions and 85 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
hosts/acern.nix
View File

@@ -17,10 +17,5 @@
settings.KbdInteractiveAuthentication = false;
};
users.users.me.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjgXf9S9hxjyph2EEFh1el0z4OUT9fMoFAaDanjiuKa me@main"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICWsqiz0gEepvPONYxqhKKq4Vxfe1h+jo11k88QozUch me@bitwarden"
];
programs.bash.loginShellInit = "nixos-wsl-welcome";
}

14
hosts/hpm.nix
View File

@@ -6,7 +6,8 @@
../common/nixos-graphical.nix
../common/building.nix
../users/me/default.nix
inputs.home-manager.nixosModules.home-manager
../users/me/gui.nix
];
services.openssh = {
@@ -17,6 +18,13 @@
settings.PermitRootLogin = "yes";
};
networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
# to build rpi images
boot.binfmt.emulatedSystems = [
"aarch64-linux"
];
environment.systemPackages = with pkgs; [
ntfs3g
];
@@ -28,10 +36,6 @@
trusted-users = [ "me" ];
};
users.users.me.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjgXf9S9hxjyph2EEFh1el0z4OUT9fMoFAaDanjiuKa me@main"
];
networking = {
#usePredictableInterfaceNames = false;
defaultGateway = {

125
hosts/lush.nix
View File

@@ -1,12 +1,22 @@
{ lib, pkgs, inputs, ... }:
{ lib, pkgs, inputs, secretsDir, ... }:
{
system.stateVersion = "23.05"; # Did you read the comment?
#system.stateVersion = "23.05"; # Did you read the comment?
imports = [
"${inputs.nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
#inputs.nixos-hardware.nixosModules.raspberry-pi-4
inputs.networkmanager.nixosModules.networkmanager
../common/all.nix
inputs.home-manager.nixosModules.home-manager
../users/me/headless.nix
];
# home-manager.users.me = import ../users/me/home-headless.nix;
#nixpkgs.hostPlatform.system = "aarch64-linux";
#nixpkgs.buildPlatform.system = "x86_64-linux";
@@ -14,6 +24,10 @@
# This causes an overlay which causes a lot of rebuilding
environment.noXlibs = lib.mkForce false;
environment.systemPackages = with pkgs; [ vim git ];
# "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" creates a
# disk with this label on first boot. Therefore, we need to keep it. It is the
# only information from the installer image that we need to keep persistent
@@ -30,31 +44,98 @@
};
};
########################### ssh ############################
services.openssh = {
enable = true;
ports = [ 22 ];
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
settings.PermitRootLogin = "no";
};
# end of base.nix
environment.systemPackages = with pkgs; [ vim git ];
####################################### networking ##########################
networking.hostName = "lush";
users = {
users.me = {
password = "hello";
isNormalUser = true;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjgXf9S9hxjyph2EEFh1el0z4OUT9fMoFAaDanjiuKa me@main"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICWsqiz0gEepvPONYxqhKKq4Vxfe1h+jo11k88QozUch me@bitwarden"
];
networking.networkmanager.enable = true;
networking.networkmanager.profiles = {
main = {
connection = {
id = "main";
uuid = "a02273d9-ad12-395e-8372-f61129635b6f";
type = "ethernet";
autoconnect-priority = "-999";
interface-name = "eth0";
};
ipv4 = {
address1 = "192.168.1.44/24,192.168.1.1";
dns = "1.1.1.1;";
method = "manual";
};
};
pw = {
connection = {
id = "pw";
uuid = "e0103dac-7da0-4e32-a01b-487b8c4c813c";
type = "wifi";
interface-name = "wlan0";
};
wifi = {
hidden = "true";
mode = "infrastructure";
ssid = builtins.readFile "${secretsDir}/wifi-ssid";
};
wifi-security = {
key-mgmt = "wpa-psk";
psk = builtins.readFile "${secretsDir}/wifi-password";
};
ipv4 = {
address1 = "192.168.20.21/24";
method = "auto";
};
};
me = {
connection = {
id = "me";
uuid = "fe45d3bc-21c6-41ff-bc06-c936017c6e02";
type = "wireguard";
autoconnect = "true";
interface-name = "me0";
};
wireguard = {
listen-port = "51820";
private-key = builtins.readFile "${secretsDir}/wg-private-lush";
};
ipv4 = {
address1 = "10.1.1.4/24";
method = "manual";
};
} // (import ../common/wg-peers.nix { inherit secretsDir; });
};
systemd.services.iwd.serviceConfig.Restart = "always";
/*
networking = {
interfaces."wlan0".useDHCP = true;
interfaces."eth0" = {
#name = "eth0";
ipv4.addresses = [
{ address = "192.168.5.5"; prefixLength = 24;}
];
};
*/
/*
wireless = {
interfaces = [ "wlan0" ];
enable = true;
@@ -64,6 +145,24 @@
};
};
*/
####################################### wireguard ##########################
/*
systemd.network.netdevs.me0 = {
enable = true;
wireguardPeers = import ../common/wg-peers.nix { inherit secretsDir; };
wireguardConfig = {
ListenPort = 51820;
PrivateKeyFile = "/etc/wireguard/secret.key";
};
};
networking.wireguard.interfaces = {
me = {
ips = [ "10.1.1.11/24" ];
};
*/
/*
boot = {

181
hosts/main.nix
View File

@@ -1,5 +1,5 @@
{ pkgs, lib, workDir, self, secretsDir, config, ... }:
{ pkgs, lib, workDir, self, secretsDir, config, inputs, ... }:
{
# https://bugzilla.kernel.org/show_bug.cgi?id=110941
@@ -17,18 +17,17 @@
../common/nixos-graphical.nix
../common/building.nix
../users/me/default.nix
inputs.networkmanager.nixosModules.networkmanager
inputs.home-manager.nixosModules.home-manager
../users/me/gui.nix
../users/root/default.nix
];
services.avahi.enable = true;
environment.systemPackages = with pkgs; [
cifs-utils
ntfs3g
];
virtualisation.podman.enable = true;
hardware.bluetooth.settings = {
General = {
@@ -40,22 +39,11 @@
distributedBuilds = false; # false, because i can't build on hpm currently ... not signed by trusted user error
};
networking.hostName = "main";
networking.search = [ "c2vi.local" ];
networking.extraHosts = ''
192.168.1.6 hpm
192.168.1.2 rpi
127.0.0.1 youtube.com
127.0.0.1 www.youtube.com
'';
# to build rpi images
boot.binfmt.emulatedSystems = [
"aarch64-linux"
#"x86_64-unknown-linux-gnu"
#"armv6l-unknown-linux-gnueabihf"
#"armv7l-hf-multiplatform"
];
@@ -73,7 +61,7 @@
options = [ "bind" ];
};
# my youtube blocking service
################################ my youtube blocking service #############################
systemd.services.stark =
let
stark = pkgs.writeShellApplication {
@@ -89,9 +77,9 @@
then
rm /etc/host-youtube-block
else
echo old: $timeout
echo old: "$timeout"
timeout=$((timeout - 1))
echo new: $timeout
echo new: "$timeout"
echo -en $timeout > /etc/host-youtube-block
fi
else
@@ -116,7 +104,7 @@
};
# syncthing for main
############################## syncthing for main #############################################
services.syncthing = {
enable = true;
user = "me";
@@ -146,16 +134,20 @@
};
############################## networking ###############################################
networking.hostName = "main";
security.polkit.enable = true;
services.avahi.enable = true;
networking.networkmanager.enable = true;
networking.firewall.allowPing = true;
networking.firewall.enable = true;
services.samba.openFirewall = true;
# samba
services.samba-wsdd.enable = true; # make shares visible for windows 10 clients
networking.firewall.allowedTCPPorts = [
5357 # wsdd
8888 # for general usage
@@ -165,7 +157,144 @@
networking.firewall.allowedUDPPorts = [
3702 # wsdd
51820 # wireguard
];
networking.search = [ "c2vi.local" ];
networking.extraHosts = ''
192.168.1.6 hpm
192.168.1.2 rpi
127.0.0.1 youtube.com
127.0.0.1 www.youtube.com
'';
networking.networkmanager.profiles = {
home = {
connection = {
id = "home";
uuid = "a02273d9-ad12-395e-8372-f61129635b6f";
type = "ethernet";
autoconnect-priority = "-999";
interface-name = "enp1s0";
};
ipv4 = {
address1 = "192.168.1.40/24,192.168.1.1";
dns = "1.1.1.1;";
method = "manual";
};
};
htl = {
connection = {
id = "htl";
uuid = "0d3af539-9abd-4417-b882-cbff96fc3490";
type = "wifi";
interface-name = "wlp2s0";
};
ipv4 = {
method = "auto";
};
wifi = {
mode = "infrastructure";
ssid = "HTLinn";
};
wifi-security = {
key-mgmt = "wpa-eap";
};
"802-1x" = {
eap = "peap";
identity = builtins.readFile "${secretsDir}/school-username";
password = builtins.readFile "${secretsDir}/school-password";
phase2-auth = "mschapv2";
};
};
pt = {
connection = {
id = "pt";
uuid = "f028117e-9eef-47c1-8483-574f7ee798a4";
type = "bluetooth";
autoconnect = "false";
};
bluetooth = {
bdaddr = "E8:78:29:C4:BA:7C";
type = "panu";
};
ipv4 = {
method = "auto";
};
};
pw = {
connection = {
id = "pw";
uuid = "e0103dac-7da0-4e32-a01b-487b8c4c813c";
type = "wifi";
interface-name = "wlp2s0";
};
wifi = {
hidden = "true";
mode = "infrastructure";
ssid = builtins.readFile "${secretsDir}/wifi-ssid";
};
wifi-security = {
key-mgmt = "wpa-psk";
psk = builtins.readFile "${secretsDir}/wifi-password";
};
ipv4 = {
address1 = "192.168.20.20/24";
method = "auto";
};
};
hot = {
connection = {
id = "hot";
uuid = "ab51de8a-9742-465a-928b-be54a83ab6a3";
type = "wifi";
autoconnect = "false";
interface-name = "wlp2s0";
};
wifi = {
mac-address = "0C:96:E6:E3:64:03";
mode = "ap";
ssid = "c2vi-main";
};
ipv4 = {
method = "shared";
};
};
me = {
connection = {
id = "me";
uuid = "fe45d3bc-21c6-41ff-bc06-c936017c6e02";
type = "wireguard";
autoconnect = "true";
interface-name = "me0";
};
wireguard = {
listen-port = "12345";
private-key = builtins.readFile "${secretsDir}/wg-private-main";
};
ipv4 = {
address1 = "10.1.1.1/24";
method = "manual";
};
} // (import ../common/wg-peers.nix { inherit secretsDir; });
};
#################################### samba ######################################
services.samba-wsdd.enable = true; # make shares visible for windows 10 clients
services.samba = {
enable = true;
securityType = "user";
@@ -200,7 +329,9 @@
};
######################################### virtualisation ###############################
virtualisation.libvirtd.enable = true;
virtualisation.podman.enable = true;
system.activationScripts.setupLibvirt = lib.stringAfter [ "var" ] ''
mkdir -p /var/lib/libvirt/storage
@@ -217,7 +348,7 @@
'';
# swap and hibernate
############################## swap and hibernate ###################################
swapDevices = [ { device = "/dev/lvm0/swap"; } ];
boot.resumeDevice = "/dev/lvm0/swap";
services.logind = {

26
hosts/rpi.md
View File

@@ -40,26 +40,30 @@ CMD: sudo dphys-swapfile setup
CMD: sudo dphys-swapfile swapon
# things
- mdadm
- bcache
- mount /home/files/storage
- so that other users can't read it
- podman containers
- me-net (wireguard)
- rclone mount onedrive backups
- borgmatic
## things done
- smb shares
- swap
- users
admin - sudo without password and access to bitwarden
files - for managing files (old: dateimanager)
server - for deployed servers (podman)
mamafiles - for the mamafiles share
- swap
- mdadm
- bcache
- mount /home/files/storage
- so that other users can't read it
- smb shares
- ssh acces
- ssh config: PermitRootAccess and PasswordAuthentication
- me-net (wireguard)
- podman containers
- dyndns
- wstunnel for wireguard
- rclone mount onedrive backups
- borgmatic

127
hosts/rpi.nix
View File

@@ -1,14 +1,17 @@
{ lib, pkgs, inputs, ... }:
{ lib, pkgs, inputs, secretsDir, ... }:
{
imports = [
"${inputs.nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
inputs.nixos-hardware.nixosModules.raspberry-pi-4
#inputs.nixos-hardware.nixosModules.raspberry-pi-4
../common/all.nix
../common/nixos-headless.nix
inputs.home-manager.nixosModules.home-manager
../users/me/headless.nix
../users/root/default.nix
../users/server/headles.nix
../users/files/headless.nix
];
system.stateVersion = "23.05";
@@ -25,11 +28,20 @@
# disk with this label on first boot. Therefore, we need to keep it. It is the
# only information from the installer image that we need to keep persistent
environment.systemPackages = with pkgs; [
bcache-tools
];
fileSystems."/" =
{ device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
};
swapDevices = [ {
device = "/swapfile";
size = 10*1024;
} ];
boot = {
#kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
loader = {
@@ -43,6 +55,14 @@
virtualisation.podman.enable = true;
users.users.mamafiles = {
isNormalUser = true;
password = "changeme";
};
########################## networking ###########################################
networking.firewall.allowPing = true;
networking.firewall.enable = true;
services.samba.openFirewall = true;
@@ -55,10 +75,10 @@
interface = "eth0";
};
interface."eth0" = {
interfaces."eth0" = {
#name = "eth0";
ipv4.addresses = [
{ address = "192.168.1.6"; prefixLength = 24;}
{ address = "192.168.1.2"; prefixLength = 24;}
];
};
@@ -85,11 +105,100 @@
];
networking.networkmanager.enable = true;
networking.networkmanager.profiles = {
main = {
connection = {
id = "main";
uuid = "a02273d9-ad12-395e-8372-f61129635b6f";
type = "ethernet";
autoconnect-priority = "-999";
interface-name = "eth0";
};
ipv4 = {
address1 = "192.168.1.2/24,192.168.1.1";
dns = "1.1.1.1;";
method = "manual";
};
};
me = {
connection = {
id = "me";
uuid = "fe45d3bc-21c6-41ff-bc06-c936017c6e02";
type = "wireguard";
autoconnect = "true";
interface-name = "me0";
};
wireguard = {
listen-port = "49390";
private-key = builtins.readFile "${secretsDir}/wg-private-rpi";
};
ipv4 = {
address1 = "10.1.1.2/24";
method = "manual";
};
} // (import ../common/wg-peers.nix { inherit secretsDir; }) ;
};
######################################### wstunnel #######################################
systemd.services.wstunnel = {
enable = true;
description = "WStunnel for SSH connections and Wireguard VPN";
after = [ "network.target" ];
unitConfig = {
Type = "simple";
};
serviceConfig = {
Restart = "always";
ExecStart = "${pkgs.wstunnel}/bin/wstunnel --server ws://0.0.0.0:49389 -r 127.0.0.1:49388 -r 127.0.0.1:49390";
};
wantedBy = [ "multi-user.target" ];
};
###################################### dyndns ####################################
systemd.services.update-ip =
let
update-ip = pkgs.writeShellApplication {
name = "update-ip";
runtimeInputs = with pkgs; [ curl w3m ];
text = ''
ip=$(curl my.ip.fi)
curl "http://dynv6.com/api/update?hostname=${builtins.readFile "${secretsDir}/dns-name-two"}&ipv4=$ip&token=${builtins.readFile "${secretsDir}/dns-name-two-token"}"
curl "https://dynamicdns.park-your-domain.com/update?host=@&domain=${builtins.readFile "${secretsDir}/dns-name"}&password=${builtins.readFile "${secretsDir}/dns-name-token"}&ip=$ip"
# https://www.namecheap.com/support/knowledgebase/article.aspx/29/11/how-to-dynamically-update-the-hosts-ip-with-an-https-request/
'';
};
in
{
enable = true;
description = "block Youtube";
unitConfig = {
Type = "simple";
};
serviceConfig = {
Restart = "always";
RestartSec = "500s";
ExecStart = "${update-ip}/bin/update-ip";
};
wantedBy = [ "multi-user.target" ];
};
################################## ssh ######################################
services.openssh.enable = true;
users.users.me.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjgXf9S9hxjyph2EEFh1el0z4OUT9fMoFAaDanjiuKa me@main"
];
services.openssh = {
enable = true;
ports = [ 49388 ];
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
settings.PermitRootLogin = "no";
};
################################ samba ######################################
services.samba-wsdd.enable = true; # make shares visible for windows 10 clients
@@ -111,6 +220,7 @@
"valid users" = "files";
"comment" = "all my files";
"path" = "/home/files/storage/files";
"browsable" = "no";
"read only" = "no";
"guest ok" = "no";
"force user" = "files";
@@ -145,6 +255,7 @@
mama = {
"comment" = "Meine Dateien auf Mamas Laptop";
"path" = "/home/files/storage/files/stuff/Mamas-Laptop";
"browsable" = "no";
"read only" = "no";
"guest ok" = "no";
"valid users" = "mamafiles";