From 0f7e06553348894ca6f2004d3dc57dd737c35e50 Mon Sep 17 00:00:00 2001 From: Kjetil Orbekk Date: Sat, 9 Dec 2023 13:49:23 -0500 Subject: update --- config/hydra.nix | 57 ------ config/router.nix | 408 ----------------------------------------- data/aliases.nix | 8 - data/dns/db.orbekk.shared.zone | 3 +- flake.lock | 56 +++--- flake.nix | 56 +++--- machines/container-shape.nix | 24 --- machines/dragon.nix | 3 - machines/minideck.nix | 10 - machines/x1-pincer.nix | 10 - modules/bridge.nix | 71 ------- modules/common.nix | 1 - modules/desktop.nix | 6 +- modules/gaming.nix | 192 +------------------ modules/nextcloud.nix | 3 +- modules/users.nix | 12 -- secrets/bridge-nightly.age | 22 --- secrets/secrets.nix | 2 - 18 files changed, 65 insertions(+), 879 deletions(-) delete mode 100644 config/hydra.nix delete mode 100644 config/router.nix delete mode 100644 machines/container-shape.nix delete mode 100644 modules/bridge.nix delete mode 100644 secrets/bridge-nightly.age diff --git a/config/hydra.nix b/config/hydra.nix deleted file mode 100644 index 5ebc605..0000000 --- a/config/hydra.nix +++ /dev/null 
@@ -1,57 +0,0 @@ -{ config, lib, pkgs, ... }: -let hydraPort = (import ../data/aliases.nix).services.hydra.port; -in { - networking.firewall.allowedTCPPorts = [ hydraPort ]; - - virtualisation.virtualbox.host.enable = true; - - services.hydra = { - enable = true; - hydraURL = "https://hydra.orbekk.com"; - notificationSender = "kj+hydra@orbekk.com"; - buildMachinesFiles = [ ]; - useSubstitutes = true; - port = hydraPort; - extraConfig = '' - store-uri = file:///nix/store?secret-key=/opt/secret/hydra_key/hydra.orbekk.com-1/secret - ''; - }; - - # From https://github.com/input-output-hk/iohk-nixops - systemd.services.hydra-manual-setup = { - description = "Create Keys for Hydra"; - serviceConfig.Type = "oneshot"; - serviceConfig.RemainAfterExit = true; - wantedBy = [ "multi-user.target" ]; - requires = [ "hydra-init.service" ]; - after = [ "hydra-init.service" ]; - environment = lib.mkForce config.systemd.services.hydra-init.environment; - script = '' - if [ ! -e /opt/secret/hydra_key/initialized ]; then - # create signing keys - /run/current-system/sw/bin/install -d -m 551 /opt/secret/hydra_key/hydra.orbekk.com-1 - /run/current-system/sw/bin/nix-store --generate-binary-cache-key hydra.orbekk.com-1 /opt/secret/hydra_key/hydra.orbekk.com-1/secret /opt/secret/hydra_key/hydra.orbekk.com-1/public - /run/current-system/sw/bin/chown -R hydra:hydra /opt/secret/hydra_key - /run/current-system/sw/bin/chmod 440 /opt/secret/hydra_key/hydra.orbekk.com-1/secret - /run/current-system/sw/bin/chmod 444 /opt/secret/hydra_key/hydra.orbekk.com-1/public - # done - touch /opt/secret/hydra_key/initialized - fi - ''; - }; - - nix = { - distributedBuilds = true; - nrBuildUsers = 30; - # Enable this if I run low on disk. 
- gc.automatic = lib.mkForce false; - buildMachines = [{ - hostName = "localhost"; - systems = [ "x86_64-linux" "i686-linux" ]; - maxJobs = "16"; - supportedFeatures = [ "kvm" "nixos-test" "big-parallel" "benchmark" ]; - }]; - extraOptions = "auto-optimise-store = true"; - }; - nixpkgs.config = { allowUnfree = true; }; -} diff --git a/config/router.nix b/config/router.nix deleted file mode 100644 index cb2eeb2..0000000 --- a/config/router.nix +++ /dev/null 
@@ -1,408 +0,0 @@ -{ config, lib, pkgs, ... }: -let - wan-dev = "bond0.10"; - lan-dev = "bond0"; - # config.orbekk.nycmesh.listenPort - wireguardPorts = - [ config.orbekk.mullvad.listenPort config.orbekk.vpn.listenPort ]; - mullvadMark = 30; - heMark = 200; - # nycmeshMark = 32; - aliases = import ../data/aliases.nix; -in { - orbekk.mullvad.enable = true; - orbekk.nycmesh.enable = false; - - services.tftpd.enable = true; - services.openntpd.enable = true; - - environment.systemPackages = with pkgs; [ iptables ]; - - networking.useDHCP = false; - - networking.networkmanager.enable = lib.mkForce false; - - networking.nameservers = - [ "1.1.1.1" "1.0.0.1" "2606:4700:4700::1111" "2606:4700:4700::1001" ]; - - networking.vlans = builtins.listToAttrs (map (id: { - name = "${lan-dev}.${toString id}"; - value = { - inherit id; - interface = lan-dev; - }; - }) [ 10 30 32 100 255 ]); - - networking.bonds.bond0 = { - interfaces = [ "eno1" "eno2" ]; - driverOptions = { - miimon = "1000"; - mode = "balance-rr"; - }; - }; - - systemd.services.update-dynamic-dns = { - description = "Update dynamic dns records"; - path = with pkgs; [ bash dnsutils nettools gawk iproute curl ]; - startLimitIntervalSec = 5; - script = toString ../tools/update-dns.sh; - }; - - networking.firewall = { - enable = lib.mkForce false; - allowedTCPPorts = lib.mkForce [ ]; - allowedUDPPorts = lib.mkForce [ ]; - allowPing = true; - logRefusedConnections = false; - checkReversePath = false; - }; - - services.ddclient = { - enable = true; - configFile = "/opt/secret/he-ddclient.conf"; - }; - # FIXME: Workaround for ddclient.conf not being available to ddclient. 
- systemd.services.ddclient.serviceConfig.DynamicUser = lib.mkForce false; - - services.ferm = { - enable = true; - config = '' - @def $DEV_UNTRUSTED_LAN = (${lan-dev}.30 ${lan-dev}.32); - @def $DEV_LAN = (${lan-dev}.100 vpn); - @def $DEV_ADMIN = (${lan-dev}.255); - @def $DEV_WAN = (${wan-dev} he0 mullvad); - @def $NET_LAN = (172.20.0.0/16); - @def $NET_HE = (2001:470:8e2e::/48); - - # Forward dns queries to dnsmasq on LAN interfaces. - domain (ip ip6) table nat chain PREROUTING { - interface ($DEV_LAN $DEV_UNTRUSTED_LAN) daddr $NET_LAN proto (tcp udp) dport 53 REDIRECT to-ports 2053; - } - - domain (ip ip6) table filter { - chain INPUT { - policy DROP; - - mod state state INVALID DROP; - mod state state (ESTABLISHED RELATED) ACCEPT; - - interface lo ACCEPT; - proto icmp ACCEPT; - - proto (udp udp) dport dhcpv6-client ACCEPT; - - proto 41 ACCEPT; # IPv6 sit tunnel - - interface ($DEV_WAN $DEV_LAN $DEV_UNTRUSTED_LAN) @subchain "wan_services" { - # Valheim - proto udp dport (3400 3401 3402) ACCEPT; - - proto (tcp udp) dport 2053 ACCEPT; - proto (tcp udp) dport (bootpc bootps) ACCEPT; - proto tcp dport ssh ACCEPT; - proto (tcp udp) dport domain ACCEPT; - proto tcp dport (http https) ACCEPT; - proto udp dport (${ - lib.concatStringsSep " " (map toString wireguardPorts) - }) ACCEPT; - } - - interface ($DEV_LAN $DEV_UNTRUSTED_LAN) { - proto (tcp udp) dport 1080 ACCEPT; # socks proxy - } - - interface ($DEV_LAN $DEV_ADMIN) @subchain "lan_services" { - proto (tcp udp) dport 5000 ACCEPT; # random debugging - - proto (tcp udp) dport postgresql ACCEPT; # internal network only! 
- - proto (tcp udp) dport (ssh domain bootpc bootps ntp) ACCEPT; - # prometheus temp rule - proto tcp dport 11112 ACCEPT; - proto (tcp udp) dport tftp ACCEPT; - - # RTMP streaming - proto (tcp udp) dport 1935 ACCEPT; - - # Chromecast - # proto udp dport 32768:61000 ACCEPT; - # proto udp dport (5353 1900) ACCEPT; - # proto tcp dport (8008 8009) ACCEPT; - - # Samba - proto tcp dport (139 445) ACCEPT; - proto udp dport (137 138) ACCEPT; - - # Project Zomboid - proto udp dport (16261 16262) ACCEPT; - - # interface $DEV_LAN jump logdrop; - } - } - - chain OUTPUT policy ACCEPT; - - chain FORWARD { - policy DROP; - - mod state state INVALID DROP; - mod state state (ESTABLISHED RELATED) ACCEPT; - - interface $DEV_UNTRUSTED_LAN outerface $DEV_WAN ACCEPT; - interface $DEV_LAN ACCEPT; - - # jump logdrop; - } - } - - domain ip6 table filter chain INPUT { - proto ipv6-icmp ACCEPT; - } - - domain (ip ip6) table filter chain logdrop { - LOG log-level warning log-prefix "dropped "; - DROP; - } - - domain (ip ip6) table filter chain INPUT { - interface $DEV_WAN DROP; - # jump logdrop; - } - - domain ip table nat { - chain POSTROUTING { - saddr $NET_LAN outerface $DEV_WAN MASQUERADE; - } - } - - domain (ip ip6) table mangle { - chain PREROUTING { - interface ${lan-dev}.30 MARK set-mark ${toString mullvadMark}; - # Route HE traffic via tunnel. 
- # saddr $NET_HE MARK set-mark ${toString heMark}; - # saddr 2001:470:1f06:1194::2/64 MARK set-mark ${toString heMark}; - } - } - ''; - }; - - services = { - openssh.enable = lib.mkDefault true; - openssh.settings.PasswordAuthentication = false; - }; - - boot.kernel.sysctl = { - "net.ipv4.conf.all.forwarding" = true; - "net.ipv4.conf.default.forwarding" = true; - "net.ipv6.conf.all.forwarding" = true; - "net.ipv6.conf.default.forwarding" = true; - }; - - #services.hostapd = { - # enable = true; - # # driver = "iwlwifi"; - # ssid = "2c"; - # wpaPassphrase = "mintchip"; - # interface = "${lan-dev}"; - # hwMode = "g"; - # channel = 11; - # extraConfig = '' - # country_code=US - # wpa_key_mgmt=WPA-PSK - # rsn_pairwise=CCMP - # ''; - #}; - - networking.dhcpcd = { - # Wait for v4 and v6 addresses. - # wait = "both"; - extraConfig = '' - noipv6rs - nohook resolv.conf - interface ${wan-dev} - dhcp - # ipv6rs - # iaid 0 - # ia_pd 0//56 ${lan-dev}.100/2/64 - ''; - runHook = '' - # if [[ $reason =~ BOUND6|REBIND6 ]]; then - # ip=${pkgs.iproute}/bin/ip - # $ip addr add dev $interface "''${new_dhcp6_ia_pd1_prefix1}/64" || true - # if [[ $new_dhcp6_ia_pd1_prefix1 != $old_dhcp6_ia_pd1_prefix1 ]]; then - # $ip addr delete dev $interface "''${old_dhcp6_ia_pd1_prefix1}/64" - # fi - # fi - systemctl restart update-dynamic-dns.service - ''; - }; - systemd.services.dhcpcd = { - after = [ "network-addresses-${wan-dev}.service" ]; - preStart = lib.mkAfter '' - ${pkgs.iproute}/bin/ip link set dev ${wan-dev} address ${ - config.networking.interfaces.${wan-dev}.macAddress - }; - ''; - }; - - services.dnsmasq = { - enable = true; - servers = [ "1.1.1.1" "8.8.8.8" "8.8.4.4" ]; - resolveLocalQueries = false; - extraConfig = '' - port=2053 - - no-resolv - no-hosts - - address=/localhost/::1 - address=/localhost/127.0.0.1 - - enable-ra - dhcp-authoritative - - # Null AAAA response on these domains - server=/netflix.com/# - address=/netflix.com/:: - server=/netflix.net/# - 
address=/netflix.net/:: - server=/nflxext.com/# - address=/nflxext.com/:: - server=/nflximg.net/# - address=/nflximg.net/:: - server=/nflxvideo.net/# - address=/nflxvideo.net/:: - server=/nflxso.net/# - address=/nflxso.net/:: - - dhcp-range=vlan30,172.20.30.50,172.20.30.254,5m - dhcp-option=net:vlan30,option:router,172.20.30.1 - dhcp-option=net:vlan30,option:dns-server,193.138.218.74 - dhcp-option=net:vlan30,option:domain-search,nyc.orbekk.com - - dhcp-range=vlan100,172.20.100.50,172.20.100.254,5m - dhcp-host=vlan100,d8:3b:bf:59:22:de,172.20.100.10 - dhcp-range=vlan100,::100,::500,constructor:bond0.100,ra-only - dhcp-option=net:vlan100,option:router,172.20.100.1 - dhcp-option=net:vlan100,option:dns-server,172.20.100.1 - dhcp-option=net:vlan100,option:domain-search,nyc.orbekk.com - - dhcp-range=vlan32,172.20.32.50,172.20.32.254,5m - dhcp-range=vlan32,::100,::500,constructor:bond0.32,ra-only - dhcp-option=net:vlan32,option:router,172.20.32.1 - dhcp-option=net:vlan32,option:dns-server,172.20.32.1 - dhcp-option=net:vlan32,option:domain-search,nyc.orbekk.com - ''; - }; - - networking.sits.he0 = { - dev = wan-dev; - remote = "209.51.161.14"; - }; - - networking.iproute2.enable = true; - # ${toString nycmeshMark} nycmesh - networking.iproute2.rttablesExtraConfig = '' - ${toString mullvadMark} mullvad - ${toString heMark} he - ''; - - systemd.services.network-route-setup = { - description = "HE tunnel route setup"; - requires = [ "network-online.target" ]; - after = [ "network.target" "network-online.target" ]; - wantedBy = [ "multi-user.target" ]; - path = [ pkgs.iproute ]; - script = '' - #ip -6 rule add from 2001:470:8e2e::/48 lookup he prio 0 || true - #ip -6 route replace default dev he0 src 2001:470:8e2e:20::d table he - ip -6 route flush cache - ip -6 rule add fwmark ${toString heMark} table he || true - ''; - }; - - networking.wireguard.interfaces.mullvad.postSetup = '' - ip rule add fwmark ${toString mullvadMark} table mullvad - ip route replace default dev 
mullvad table mullvad - ip route flush cache - ''; - - # networking.wireguard.interfaces.nycmesh.postSetup = '' - # ip rule add fwmark ${toString nycmeshMark} table nycmesh - # ip route replace default via 10.70.73.1 onlink dev nycmesh table nycmesh - # ip route flush cache - # ''; - - # boot.kernel.sysctl."net.ipv6.conf.${wan-dev}.disable_ipv6" = true; - - networking.interfaces.${wan-dev} = { - macAddress = "3c:97:0e:19:7e:5c"; - useDHCP = true; - }; - - networking.interfaces.he0.ipv6 = { - addresses = [ - { - address = "2001:470:1f06:1194::2"; - prefixLength = 64; - } - { - address = "2001:470:8e2e:20::d"; - prefixLength = 64; - } - ]; - routes = [ - { - address = "::"; - prefixLength = 0; - } - { - address = "::"; - prefixLength = 0; - options = { table = "he"; }; - } - ]; - }; - - networking.interfaces."${lan-dev}".useDHCP = false; - networking.interfaces."${lan-dev}.255" = { - ipv4.addresses = [{ - address = "10.10.255.3"; - prefixLength = 24; - }]; - ipv6.addresses = [{ - address = "2001:470:8e2e:ffff::3"; - prefixLength = 64; - }]; - useDHCP = false; - }; - networking.interfaces."${lan-dev}.100" = { - ipv4.addresses = [{ - address = "172.20.100.1"; - prefixLength = 24; - }]; - ipv6.addresses = [{ - address = "2001:470:8e2e:100::1"; - prefixLength = 64; - }]; - useDHCP = false; - }; - networking.interfaces."${lan-dev}.30" = { - ipv4.addresses = [{ - address = "172.20.30.1"; - prefixLength = 24; - }]; - useDHCP = false; - }; - networking.interfaces."${lan-dev}.32" = { - ipv4.addresses = [{ - address = "172.20.32.1"; - prefixLength = 23; - }]; - ipv6.addresses = [{ - address = "2001:470:8e2e:32::1"; - prefixLength = 64; - }]; - useDHCP = false; - }; -} diff --git a/data/aliases.nix b/data/aliases.nix index e04aad7..b4ea539 100644 --- a/data/aliases.nix +++ b/data/aliases.nix 
@@ -51,13 +51,5 @@ rec {
 hledger-web = { port = 11116; };
 prometheus-pms7003-exporter = { host = "172.20.100.10"; port = 11117; };
 keycloak = { http-port = 11118; https-port = 11119; };
- bridge = {
- address = ip.dragon;
- port = 11121;
- };
- bridge_nightly = {
- address = ip.dragon;
- port = 11122;
- };
 };
 }
diff --git a/data/dns/db.orbekk.shared.zone b/data/dns/db.orbekk.shared.zone
index f87bf6b..3b8ccc4 100644
--- a/data/dns/db.orbekk.shared.zone
+++ b/data/dns/db.orbekk.shared.zone
@@ -1,7 +1,7 @@
 $TTL 600
 @ IN SOA ns1.he.net. root.orbekk.com. (
 $serial; serial
- 617; refresh
+ 618; refresh
 900; retry
 2419200; expire
 3600;
@@ -34,7 +34,6 @@ grafana IN CNAME dragon.dynamic.orbekk.com.
 nextcloud IN CNAME dragon.dynamic.orbekk.com.
 money IN CNAME dragon.dynamic.orbekk.com.
 auth IN CNAME dragon.dynamic.orbekk.com.
-bridge IN CNAME dragon.dynamic.orbekk.com.
 ;; Internal admin network
 gw.nyc IN A 10.10.255.3
diff --git a/flake.lock b/flake.lock
index e6b8393..3b61d25 100644
--- a/flake.lock
+++ b/flake.lock
@@ -9,11 +9,11 @@
 ]
 },
 "locked": {
- "lastModified": 1696775529,
- "narHash": "sha256-TYlE4B0ktPtlJJF9IFxTWrEeq+XKG8Ny0gc2FGEAdj0=",
+ "lastModified": 1701216516,
+ "narHash": "sha256-jKSeJn+7hZ1dZdiH1L+NWUGT2i/BGomKAJ54B9kT06Q=",
 "owner": "ryantm",
 "repo": "agenix",
- "rev": "daf42cb35b2dc614d1551e37f96406e4c4a2d3e4",
+ "rev": "13ac9ac6d68b9a0896e3d43a082947233189e247",
 "type": "github"
 },
 "original": {
@@ -73,11 +73,11 @@
 "nixpkgs-stable": "nixpkgs-stable"
 },
 "locked": {
- "lastModified": 1700847529,
- "narHash": "sha256-jvTozEnNxaR7jvHc50eAfHoP8aN7+QPt1ETqr+raGSo=",
+ "lastModified": 1702143514,
+ "narHash": "sha256-LtDzy6lGkiJF2R+y2SMQ9vjl0yvo0fOI4yZqu1aLy1w=",
 "owner": "nix-community",
 "repo": "emacs-overlay",
- "rev": "d419c32b00f86aa2bdf56ad8e1f4516b796539b9",
+ "rev": "0c7b9e24eb801bb37870ce579d84b0f06ff8f5d6",
 "type": "github"
 },
 "original": {
@@ -107,11 +107,11 @@
 "systems": "systems"
 },
 "locked": {
- "lastModified": 1694529238,
- "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
+ "lastModified": 1701680307,
+ "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
 "owner": "numtide",
 "repo": "flake-utils",
- "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
+ "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
 "type": "github"
 },
 "original": {
@@ -180,11 +180,11 @@
 "nixpkgs": "nixpkgs_2"
 },
 "locked": {
- "lastModified": 1700809851,
- "narHash": "sha256-/TkZyUowBQflVQWXXd9sVkf4mwbeoKbwGazqrV7YsHA=",
+ "lastModified": 1701953467,
+ "narHash": "sha256-dpx/o701Jj7YGN+8D2ccY6gloGZ10hMSQs+ddhD+7v4=",
 "owner": "Jovian-Experiments",
 "repo": "Jovian-NixOS",
- "rev": "650ec6e90eb6dbb17c18e575099d77cd7f525c0b",
+ "rev": "fb984b33b033e8ed625a11c95b313eefc3ebb99e",
 "type": "github"
 },
 "original": {
@@ -241,11 +241,11 @@
 },
 "nixos-hardware": {
 "locked": {
- "lastModified": 1700559156,
- "narHash": "sha256-gL4epO/qf+wo30JjC3g+b5Bs8UrpxzkhNBBsUYxpw2g=",
+ "lastModified": 1701656485,
+ "narHash": "sha256-xDFormrGCKKGqngHa2Bz1GTeKlFMMjLnHhTDRdMJ1hs=",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "c3abafb01cd7045dba522af29b625bd1e170c2fb",
+ "rev": "fa194fc484fd7270ab324bb985593f71102e84d1",
 "type": "github"
 },
 "original": {
@@ -257,11 +257,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1700612854,
- "narHash": "sha256-yrQ8osMD+vDLGFX7pcwsY/Qr5PUd6OmDMYJZzZi0+zc=",
+ "lastModified": 1701718080,
+ "narHash": "sha256-6ovz0pG76dE0P170pmmZex1wWcQoeiomUZGggfH9XPs=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "19cbff58383a4ae384dea4d1d0c823d72b49d614",
+ "rev": "2c7f3c0fb7c08a0814627611d9d7d45ab6d75335",
 "type": "github"
 },
 "original": {
@@ -273,11 +273,11 @@
 },
 "nixpkgs-stable": {
 "locked": {
- "lastModified": 1700678569,
- "narHash": "sha256-2Ki+2UvOidxEb3xB4ADqlbPQ2BZOF4uZMR094O8or2I=",
+ "lastModified": 1701805708,
+ "narHash": "sha256-hh0S14E816Img0tPaNQSEKFvSscSIrvu1ypubtfh6M4=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "8f1180704ac35baded1a74164365ac7cdfba6f38",
+ "rev": "0561103cedb11e7554cf34cea81e5f5d578a4753",
 "type": "github"
 },
 "original": {
@@ -289,11 +289,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1700612854,
- "narHash": "sha256-yrQ8osMD+vDLGFX7pcwsY/Qr5PUd6OmDMYJZzZi0+zc=",
+ "lastModified": 1701718080,
+ "narHash": "sha256-6ovz0pG76dE0P170pmmZex1wWcQoeiomUZGggfH9XPs=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "19cbff58383a4ae384dea4d1d0c823d72b49d614",
+ "rev": "2c7f3c0fb7c08a0814627611d9d7d45ab6d75335",
 "type": "github"
 },
 "original": {
@@ -337,16 +337,16 @@
 },
 "nixpkgs_4": {
 "locked": {
- "lastModified": 1700678569,
- "narHash": "sha256-2Ki+2UvOidxEb3xB4ADqlbPQ2BZOF4uZMR094O8or2I=",
+ "lastModified": 1701952659,
+ "narHash": "sha256-TJv2srXt6fYPUjxgLAL0cy4nuf1OZD4KuA1TrCiQqg0=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "8f1180704ac35baded1a74164365ac7cdfba6f38",
+ "rev": "b4372c4924d9182034066c823df76d6eaf1f4ec4",
 "type": "github"
 },
 "original": {
 "owner": "NixOS",
- "ref": "nixos-23.05",
+ "ref": "nixos-23.11",
 "repo": "nixpkgs",
 "type": "github"
 }
diff --git a/flake.nix b/flake.nix
index 596444f..9103c13 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,5 +1,10 @@
 {
- inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05";
+ nixConfig = {
+ extra-substituters = "https://nix-community.cachix.org";
+ extra-trusted-public-keys = "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=";
+ };
+
+ inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
 inputs.nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
 inputs.nixos-hardware.url = "github:NixOS/nixos-hardware/master";
 inputs.emacs-overlay.url = "github:nix-community/emacs-overlay";
@@ -11,35 +16,15 @@
 outputs = { self, nixpkgs, nixpkgs-unstable, nixos-hardware, emacs-overlay, agenix, jovian, mujmap }: let
- pkgs-module = { config, ... }:
- let
- cfg = config.nixpkgs;
-
- extra-packages = final: prev: {
- agenix = agenix.packages.${final.system}.default;
- mujmap = mujmap.packages.${final.system}.default;
- };
-
- unstable-overlay = final: prev: rec {
- unstable = import nixpkgs-unstable {
- inherit (cfg) config localSystem crossSystem;
- };
- };
- in {
- nixpkgs.pkgs = import nixpkgs {
- inherit (cfg) config localSystem crossSystem;
- overlays = cfg.overlays
- ++ [ unstable-overlay extra-packages emacs-overlay.overlay ];
- };
- };
+ systems = ["x86_64-linux"];
+ lib = nixpkgs.lib;
+ forAllSystems = lib.genAttrs systems;
 registry-module = { ... }: {
 nix.registry.nixpkgs.flake = nixpkgs;
 nix.registry.nixpkgs-unstable.flake = nixpkgs-unstable;
 };
- lib = nixpkgs.lib;
-
 orbekk-modules = let
 moduleFiles = lib.attrNames (lib.filterAttrs
 (n: v: lib.hasSuffix ".nix" n && v == "regular")
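Review bot: The new `nixConfig` block extends binary-cache trust to nix-community.cachix.org and its signing key for everyone who evaluates this flake, and nothing in the hunk records why that cache is needed or that the key was checked against the one the cache publishes. A comment above `nixConfig = {` along the lines of `# Binary cache for nix-community builds (emacs-overlay is the only nix-community input here); Nix prompts before applying these settings unless accept-flake-config is set.` would make the trust decision reviewable. Because `extra-trusted-public-keys` is a flake-level setting, anyone building with `accept-flake-config` will accept store paths signed by that key without a prompt, so the key should be verified against the cache's published key before merging.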
@@ -53,14 +38,23 @@
 };
 in lib.listToAttrs (map mkModule moduleNames);
- in {
- nixosModules = orbekk-modules // { inherit pkgs-module registry-module; };
+ in rec {
+ nixosModules = orbekk-modules // { inherit registry-module; };
- packages."x86_64-linux" =
- let pkgs = import nixpkgs { system = "x86_64-linux"; };
- in { };
+ overlays = {
+ emacs-overlay = emacs-overlay.overlay;
- nixosConfigurations = let
+ extraPackages = final: prev: {
+ agenix = agenix.packages.${final.system}.default;
+ mujmap = mujmap.packages.${final.system}.default;
+ unstable = import nixpkgs-unstable {
+ system = final.system;
+ config.allowUnfree = true;
+ };
+ };
+ };
+
+ nixosConfigurations = let
 mkConfig = { hostName, module ? (./. + "/machines/${hostName}.nix")
 , system ? "x86_64-linux" }: {
 name = hostName;
@@ -79,6 +73,8 @@
 lastModified = pkgs.lib.substring 0 8
 (self.lastModifiedDate or self.lastModified or "19700101");
 in "${lastModified}.${self.shortRev or "dirty"}";
+
+ nixpkgs.overlays = builtins.attrValues overlays;
 })
 ] ++ lib.optional (hostName == "dex") jovian.nixosModules.jovian;
 };
diff --git a/machines/container-shape.nix b/machines/container-shape.nix
deleted file mode 100644
index db9df2f..0000000
--- a/machines/container-shape.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
- imports = [
- ../config/container.nix
- ../config/common.nix
- ../config/users.nix
- # Services
- ../config/hydra.nix
- ../config/matrix.nix
- ../config/cgit.nix
- ../config/weechat.nix
- ../config/web-server.nix
- ../config/mail-server.nix
- ../config/dns.nix
- ../config/borg-backup.nix
- ../config/systemhttpd.nix
- ];
-
- users.defaultUserShell = lib.mkForce pkgs.bash;
-
- networking = {
- hostName = lib.mkForce "shape";
- };
-}
diff --git a/machines/dragon.nix b/machines/dragon.nix
index 409cf5f..9e5f195 100644
--- a/machines/dragon.nix
+++ b/machines/dragon.nix
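Review bot: `forAllSystems = lib.genAttrs systems;` and the `systems` list it consumes are introduced in the second flake.nix hunk, but nothing in the visible hunks of the file references either binding; unless they are used further down the file, outside these hunks, they are dead code left behind when the `packages."x86_64-linux"` output was removed. If they are kept for a planned per-system output, a one-line comment such as `# used for per-system outputs (packages, devShells)` says so; otherwise drop both lines. The `let` block they sit in begins before and ends after the hunk.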
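Review bot: The `unstable` package set in the new `extraPackages` overlay is imported with `config.allowUnfree = true;` unconditionally, whereas the removed `unstable-overlay` inherited the host's nixpkgs `config`; every package taken from `pkgs.unstable` on every host is therefore unfree-enabled regardless of the host's own policy, which sidesteps the per-package `allowUnfreePredicate` allow-list that modules/gaming.nix maintains. Inheriting the final set's config keeps the previous behavior: `unstable = import nixpkgs-unstable { system = final.system; config = final.config; };`. If blanket unfree for the unstable set is intended, a comment stating that `pkgs.unstable` is deliberately exempt from the allow-list would at least make the exception visible to the next reader.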
@@ -4,8 +4,6 @@ let
 vpnPrefix = "2001:470:8e2e:1000";
 in {
 imports = [
- # ../config/router.nix
- # ../config/borg-backup.nix
 ../config/keycloak.nix
 ../config/dns.nix
 ../config/web-server.nix
@@ -18,7 +16,6 @@ in {
 orbekk.nextcloud.enable = true;
 orbekk.backups.enableServer = true;
 orbekk.backups.enableClient = true;
- orbekk.bridge.enable = false;
 orbekk.zomboid-server.enable = false;
 services.tlp.enable = true;
diff --git a/machines/minideck.nix b/machines/minideck.nix
index b4bb8f6..7a76936 100644
--- a/machines/minideck.nix
+++ b/machines/minideck.nix
@@ -11,16 +11,6 @@ with lib;
 services.xserver.enable = mkForce false;
 services.xserver.displayManager.lightdm.enable = mkForce false;
- # For bridge development.
- services.postgresql = {
- enable = true;
- ensureDatabases = [ "bridge_latest" ];
- ensureUsers = [{
- name = "orbekk";
- ensurePermissions."DATABASE bridge_latest" = "ALL PRIVILEGES";
- }];
- };
-
 # Fake pipewire socket activation.
 services.pipewire.socketActivation = false;
 systemd.user.services.pipewire-setup = {
diff --git a/machines/x1-pincer.nix b/machines/x1-pincer.nix
index 2a899bc..1b49268 100644
--- a/machines/x1-pincer.nix
+++ b/machines/x1-pincer.nix
@@ -21,16 +21,6 @@ let ports = {
 services.printing.drivers = with pkgs; [ gutenprint brlaser ];
 services.openssh.enable = true;
- # For bridge development.
- services.postgresql = {
- enable = true;
- ensureDatabases = [ "bridge_latest" ];
- ensureUsers = [{
- name = "orbekk";
- ensurePermissions."DATABASE bridge_latest" = "ALL PRIVILEGES";
- }];
- };
-
 # Keycloak config
 # age.secrets."dragon-keycloak.age".file = ../secrets/dragon-keycloak.age;
 # services.postgresql.enable = true;
diff --git a/modules/bridge.nix b/modules/bridge.nix
deleted file mode 100644
index eb2a0c0..0000000
--- a/modules/bridge.nix
+++ /dev/null
@@ -1,71 +0,0 @@ -{ config, lib, pkgs, ... }: -let cfg = config.orbekk.bridge; -in with lib; { - options = { - orbekk.bridge = { - enable = mkEnableOption "Enable bridge service"; - - port = lib.mkOption { - type = lib.types.port; - default = (import ../data/aliases.nix).services.bridge_nightly.port; - description = "bridge local port"; - }; - }; - }; - - config = mkIf cfg.enable { - age.secrets.bridge-nightly.file = ./. + "/../secrets/bridge-nightly.age"; - - systemd.services.bridge-nightly = { - description = "Bridge Nightly backend"; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - - environment = { - BIND_ADDRESS = "[::]:${toString cfg.port}"; - RUST_BACKTRACE = "1"; - AUTHENTICATOR = "oauth"; - OPENID_ISSUER_URL = "https://auth.orbekk.com/realms/test"; - OPENID_CLIENT_ID = "test-client"; - OPENID_CLIENT_SECRET = "secret"; - APP_URL = "https://bridge.orbekk.com"; - DATABASE_URL = "postgres:///bridge_nightly"; - RUST_LOG = "info"; - }; - - serviceConfig = { - User = "bridge_nightly"; - Group = "bridge_nightly"; - EnvironmentFile = config.age.secrets.bridge-nightly.path; - ExecStart = "/opt/bridge-nightly/profile/bin/server"; - }; - }; - - services.nginx.virtualHosts."bridge.orbekk.com" = { - enableACME = true; - forceSSL = true; - root = "/opt/bridge-nightly/profile"; - locations."/api".proxyPass = "http://localhost:${toString cfg.port}"; - extraConfig = '' - # Single-page application setup. - # First attempt to serve request as file, then - # as directory, then fall back to redirecting to index.html - try_files $uri $uri/ $uri.html /index.html; - ''; - }; - - services.postgresql = { - enable = true; - enableTCPIP = true; - authentication = '' - host all all 2001:470:8e2e:1000::/64 md5 - host all all 2001:470:8e2e:100::/64 md5 - ''; - ensureDatabases = [ "bridge_nightly" ]; - ensureUsers = [{ - name = "bridge_nightly"; - ensurePermissions."DATABASE bridge_nightly" = "ALL PRIVILEGES"; - }]; - }; - }; -} 
diff --git a/modules/common.nix b/modules/common.nix
index 8ae3b06..cca04b3 100644
--- a/modules/common.nix
+++ b/modules/common.nix
@@ -62,7 +62,6 @@
 #emacs
 emacs-pgtk
 #pkgs.unstable.emacsNativeComp
- exa
 fd
 fzf
 git
diff --git a/modules/desktop.nix b/modules/desktop.nix
index a6f54b7..83d6476 100644
--- a/modules/desktop.nix
+++ b/modules/desktop.nix
@@ -71,8 +71,8 @@ in {
 };
 fonts = {
- enableDefaultFonts = true;
- fonts = with pkgs; [
+ enableDefaultPackages = true;
+ packages = with pkgs; [
 fira-code
 dejavu_fonts
 jetbrains-mono
@@ -89,7 +89,7 @@ in {
 };
 programs.firefox.enable = true;
- programs.firefox.nativeMessagingHosts.tridactyl = true;
+ programs.firefox.nativeMessagingHosts.packages = [ pkgs.tridactyl-native ];
 environment.systemPackages = with pkgs; [
 # Wayland packages
diff --git a/modules/gaming.nix b/modules/gaming.nix
index dc881d7..4ec92f0 100644
--- a/modules/gaming.nix
+++ b/modules/gaming.nix
@@ -13,190 +13,6 @@ in { }; config = lib.mkIf cfg.enable { - nixpkgs.overlays = [ - # (final: prev: { - # steamPackages = pkgs'.steamPackages; - # steam = pkgs'.steam.override { - # # nativeOnly = true; - # withJava = true; - # extraPkgs = p: - # with pkgs'; - # let - # xorgdeps = with xorg; [ - # libX11 - # libXrender - # libXrandr - # libxcb - # libXmu - # libpthreadstubs - # libXext - # libXdmcp - # libXxf86vm - # libXinerama - # libSM - # libXv - # libXaw - # libXi - # libXcursor - # libXcomposite - # ]; - # qt5Deps = with pkgs.qt5; [ qtbase qtmultimedia ]; - # gnome3Deps = with pkgs; [ - # gnome3.zenity - # gtksourceview - # gnome3.gnome-desktop - # gnome3.libgnome-keyring - # webkitgtk - # ]; - # in [ - # samba - # tdb - # glib-networking - # libxkbcommon - # fluidsynth - # hidapi - # mesa - # libdrm - # perl - # which - # p7zip - # gnused - # gnugrep - # psmisc - # opencl-headers - # cups - # lcms2 - # mpg123 - # cairo - # unixODBC - # samba4 - # sane-backends - # openldap - # ocl-icd - # utillinux - # fribidi - # libnghttp2 - # openssl - # openldap - # xorg.xrandr - # xorg.xinput - # gnome3.gtk - # zlib - # dbus - # freetype - # glib - # atk - # cairo - # gdk_pixbuf - # pango - # fontconfig - # xorg.libxcb - - # # libkrb5 - # nss - # qt4 - # qt514.full - # libjack2 - # jack2 - # jack2Full - # jack_capture - # libidn2 - # rtmpdump - # libpsl - - # # Common - # libsndfile - # libtheora - # libogg - # libvorbis - # libopus - # libGLU - # libpcap - # libpulseaudio - # libao - # libevdev - # udev - # libgcrypt - # libxml2 - # libusb-compat-0_1 - # libpng - # libmpeg2 - # libv4l - # libjpeg - # libxkbcommon - # libass - # libcdio - # libjack2 - # libsamplerate - # libzip - # libmad - # libaio - # libcap - # libtiff - # libva - # libgphoto2 - # libxslt - # libsndfile - # giflib - # zlib - # glib - # alsaLib - # zziplib - # bash - # dbus - # keyutils - # zip - # cabextract - # freetype - # unzip - # coreutils - # readline - # gcc - # SDL - # SDL2 - # curl - # 
graphite2
- # gtk2
- # gtk3
- # udev
- # ncurses
- # wayland
- # libglvnd
- # vulkan-loader
- # xdg-utils
- # sqlite
- # gnutls
- # p11-kit
- # libbsd
- # harfbuzz
-
- # # PCSX15 // TODO: "libgobject12.15.so.16: wrong ELF class: ELFCLASS81"
-
- # # WINE
- # cups
- # lcms2
- # mpg123
- # cairo
- # unixODBC
- # samba4
- # sane-backends
- # openldap
- # ocl-icd
- # util-linux
- # libkrb5
-
- # # Proton
- # libselinux
-
- # # Winetricks
- # fribidi
- # ] ++ xorgdeps ++ qt5Deps ++ gnome3Deps;
-
- # };
- # })
- ];
-
- # nixpkgs.config.allowBroken = true;
 nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
 "steam"
@@ -207,8 +23,12 @@ in {
 ];
 services.flatpak.enable = true;
-
- programs.steam.enable = true;
+ programs.steam = {
+ enable = true;
+ remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
+ dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
+ };
+
 hardware.opengl.driSupport32Bit = true; # Enables support for 32bit libs that steam uses
 hardware.opengl.extraPackages32 = with pkgs.pkgsi686Linux; [ libva ];
 hardware.steam-hardware.enable = true;
diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix
index 50e2e4e..c927490 100644
--- a/modules/nextcloud.nix
+++ b/modules/nextcloud.nix
@@ -15,7 +15,6 @@ in
 package = pkgs.nextcloud27;
 hostName = "nextcloud.orbekk.com";
 home = "/storage/nextcloud";
- enableBrokenCiphersForSSE = false;
 config = {
 dbtype = "pgsql";
 dbuser = "nextcloud";
@@ -34,7 +33,7 @@ in
 ensureDatabases = [ "nextcloud" ];
 ensureUsers = [ { name = "nextcloud";
- ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+ ensureDBOwnership = true;
 } ];
 };
diff --git a/modules/users.nix b/modules/users.nix
index 07bfcf8..df0e567 100644
--- a/modules/users.nix
+++ b/modules/users.nix
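Review bot: `dedicatedServer.openFirewall = true;` in the second gaming.nix hunk opens the Source dedicated-server ports on every host that enables this module, yet nothing in the hunk shows such a server being run; inbound server ports are only needed on a machine that actually hosts games, so `dedicatedServer.openFirewall = false;` (or an `orbekk.gaming` option a host opts into) keeps the listening surface to what Remote Play needs. `remotePlay.openFirewall = true;` likewise admits inbound traffic on any machine that imports the module, including portable ones on networks the owner does not control; if that is intended, the inline comments should name which hosts rely on it rather than restate what the option does. The enclosing `config = lib.mkIf cfg.enable {` starts before the hunk.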
@@ -116,16 +116,6 @@ in { home = "/var/lib/hledger-web"; group = "hledger"; }; - bridge = { - group = "bridge"; - createHome = false; - isNormalUser = true; - }; - bridge_nightly = { - group = "bridge_nightly"; - createHome = false; - isSystemUser = true; - }; }; extraGroups = { fcgi = { @@ -153,8 +143,6 @@ in { gid = 505; }; readonly = { gid = 506; }; - bridge = {}; - bridge_nightly = {}; hledger = lib.mkIf config.orbekk.hledger-web.enable { }; minecraft = { }; builder = { }; diff --git a/secrets/bridge-nightly.age b/secrets/bridge-nightly.age deleted file mode 100644 index e7b81b7..0000000 --- a/secrets/bridge-nightly.age +++ /dev/null @@ -1,22 +0,0 @@ -age-encryption.org/v1 --> ssh-rsa xgQQbQ -jmalflI/oqIdFCGVWC8jSArYBFCD9lRxQN/WODuW57GsC9wJ8O7lCWNjLO9cX/aj -PlWuGI3tOfubCppQfZDkbOaMOPCzYIyXbDW+NG1XCSZ+rq0wjSfvJwYfF0RlBAk1 -kpfu+5cn5UYCBC5OiVq6ewfVw7fAFqlWxecZ6s3SBMZmfnwWTPAGbiC/PvQBWRdf -5L20bHEgVWQrDpeL2z9kizGdt9WfA3E5GADyZGKoY/JrAWN8e66hRd5D6vT6Edkt -4XeYI2l39h6oUBwEKQqiPrzfqMlK2zR7VKa0y6RqGMzzTXixRAIzFsrU3NjJpkhG -e48ygOrVyD1pvRz6PUf79UIFzuSwK0XWGAd2qVmEymWZlsqtz0UE1TFuWpI4oegZ -O/67v8Ch3+NevoPVTWBuEvnNsqbo8AaFeBMn+8V/TMVV8gTyvsSUiFVKoy78reK9 -CpLoeJpe4eLWmwdpuiRR4CB7UsKF9BqvQ7MgAsopudnO4liI7UMoxXKKj8MT5nDp -heH+pgzANunRvGHWW9YqGnWh8oWk7aQ7Jixs7ej0rBvQyz2a7pZqWXjPhDQmzJvL -mNvKiiGNr1lig39w5GTS/W9TkDAhJjVRHSq+aLqDwZHmd/PUvXFYsLxSJ3hCi/lJ -+PipBm12RhDb2zT9UWRH6WpXBkVUz8uMfQd41jg4qyk --> ssh-ed25519 lwHmDQ 0oBWzy6Bx5KpvKiDswRA7n4iMPCeR9a166ljR1bgsEs -uOHcfIkbx8cl7NdZc6MRXz+Uq910yQI79BS17aIT1nA --> ssh-ed25519 Yx9stw Fjkr4mygPE1LsSw17jEQXqDr7OWtgN9DPkHBWoPvohA -eJ4vpqNytmOU8WOs7LA3qbl6oIEddLKWGmUZINxmVO0 --> #HsP*-grease |%Js})w( -jBXQOI3K/tLeNePU1ANswFiMaqdtbogTbiDyZM2+pelzz2KxR41ampg2yiBvEZPq -WCjCsrsVWyP4pIIp2ug ---- Sz78jk9zW3mDlkyTVHqi1+weYwRW7mrONEU94wTKtsU -…vjV¿ï<š­#7DÁ=ZZ`—ƒK¨Ã]A©Ü/SK6ýy]µ