Diffstat (limited to 'lass/1systems')
-rw-r--r-- | lass/1systems/aergia/config.nix | 1 | ||||
-rw-r--r-- | lass/1systems/aergia/disk.nix | 2 | ||||
-rw-r--r-- | lass/1systems/aergia/physical.nix | 11 | ||||
-rw-r--r-- | lass/1systems/green/config.nix | 1 | ||||
-rw-r--r-- | lass/1systems/neoprism/physical.nix | 39 | ||||
-rw-r--r-- | lass/1systems/prism/backup.nix | 37 | ||||
-rw-r--r-- | lass/1systems/prism/config.nix | 157 | ||||
-rw-r--r-- | lass/1systems/prism/physical.nix | 8 | ||||
-rw-r--r-- | lass/1systems/shodan/config.nix | 6 | ||||
-rw-r--r-- | lass/1systems/skynet/physical.nix | 16 | ||||
-rw-r--r-- | lass/1systems/styx/config.nix | 2 | ||||
-rw-r--r-- | lass/1systems/styx/physical.nix | 1 | ||||
-rw-r--r-- | lass/1systems/wizard/config.nix | 3 | ||||
-rw-r--r-- | lass/1systems/xerxes/config.nix | 21 |
14 files changed, 101 insertions, 204 deletions
diff --git a/lass/1systems/aergia/config.nix b/lass/1systems/aergia/config.nix index 618938ce8..3e0ae23f7 100644 --- a/lass/1systems/aergia/config.nix +++ b/lass/1systems/aergia/config.nix @@ -112,7 +112,6 @@ environment.systemPackages = with pkgs; [ brain - bank l-gen-secrets generate-secrets nixpkgs-review diff --git a/lass/1systems/aergia/disk.nix b/lass/1systems/aergia/disk.nix index 848157729..233b320e4 100644 --- a/lass/1systems/aergia/disk.nix +++ b/lass/1systems/aergia/disk.nix @@ -45,9 +45,11 @@ # Mountpoints inferred from subvolume name "/home" = { mountOptions = []; + mountpoint = "/home"; }; "/nix" = { mountOptions = []; + mountpoint = "/nix"; }; }; }; diff --git a/lass/1systems/aergia/physical.nix b/lass/1systems/aergia/physical.nix index 9f06dccdc..e76460d20 100644 --- a/lass/1systems/aergia/physical.nix +++ b/lass/1systems/aergia/physical.nix @@ -16,7 +16,7 @@ efiInstallAsRemovable = true; }; - boot.kernelPackages = pkgs.linuxPackages_latest; + # boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelParams = [ # use less power with pstate @@ -70,8 +70,6 @@ }; users.users.mainUser.extraGroups = [ "corectrl" ]; - # use newer ryzenadj - # keyboard quirks services.xserver.displayManager.sessionCommands = '' ${pkgs.xorg.xmodmap}/bin/xmodmap -e 'keycode 96 = F12 Insert F12 F12' # rebind shift + F12 to shift + insert @@ -102,9 +100,16 @@ services.logind.extraConfig = '' HandlePowerKey=hibernate ''; + # systemd.sleep.extraConfig = '' + # HibernateDelaySec=1800 + # ''; # firefox touchscreen support environment.sessionVariables.MOZ_USE_XINPUT2 = "1"; + + # enable thunderbolt + services.hardware.bolt.enable = true; + # reinit usb after docking station connect services.udev.extraRules = '' SUBSYSTEM=="drm", ACTION=="change", RUN+="${pkgs.dash}/bin/dash -c 'echo 0 > /sys/bus/usb/devices/usb9/authorized; echo 1 > /sys/bus/usb/devices/usb9/authorized'" 
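Review bot: The new udev rule hard-codes `/sys/bus/usb/devices/usb9` and runs a root shell on every DRM change event, but usbN root-hub numbers depend on controller enumeration order and may shift after the kernel change in this same file (the `linuxPackages_latest` line is now commented out with no reason recorded), so the rule would then silently poke the wrong bus or fail. Start the dash script with `[ -e /sys/bus/usb/devices/usb9 ] || exit 0` and note in the comment which controller usb9 is (the dock's, presumably), or match the bus by `idVendor`/`idProduct` from a USB uevent instead of reacting to DRM changes. `services.hardware.bolt.enable = true` hands Thunderbolt/USB4 device authorization to boltd, so a one-line comment saying which dock is expected to be enrolled would tell the next reader whether the re-authorize hack is related to it. The commented-out `systemd.sleep.extraConfig` block is dead code: delete it or say why it is kept.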
diff --git a/lass/1systems/green/config.nix b/lass/1systems/green/config.nix
index c232be9bd..81b8b909b 100644
--- a/lass/1systems/green/config.nix
+++ b/lass/1systems/green/config.nix
@@ -15,7 +15,6 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/weechat.nix> <stockholm/lass/2configs/bitlbee.nix> - <stockholm/lass/2configs/muchsync.nix> <stockholm/lass/2configs/pass.nix> <stockholm/lass/2configs/git-brain.nix>
diff --git a/lass/1systems/neoprism/physical.nix b/lass/1systems/neoprism/physical.nix
index f2092d9aa..cc7734f39 100644
--- a/lass/1systems/neoprism/physical.nix
+++ b/lass/1systems/neoprism/physical.nix
@@ -13,7 +13,10 @@
boot.loader.grub.enable = true; boot.loader.grub.version = 2; boot.loader.grub.efiSupport = true;
- boot.loader.grub.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
+ boot.loader.grub.devices = [
+ config.disko.devices.disk."/dev/nvme0n1".device
+ config.disko.devices.disk."/dev/nvme1n1".device
+ ];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "sd_mod" ]; boot.kernelModules = [ "kvm-amd" ]; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
@@ -56,21 +59,21 @@
}; networking.useDHCP = false;
- boot.initrd.network = {
- enable = true;
- ssh = {
- enable = true;
- authorizedKeys = [ config.krebs.users.lass.pubkey ];
- port = 2222;
- hostKeys = [
- (toString <secrets/ssh.id_ed25519>)
- (toString <secrets/ssh.id_rsa>)
- ];
- };
- };
- boot.kernelParams = [
- "net.ifnames=0"
- "ip=dhcp"
- "boot.trace"
- ];
+ # boot.initrd.network = {
+ # enable = true;
+ # ssh = {
+ # enable = true;
+ # authorizedKeys = [ config.krebs.users.lass.pubkey ];
+ # port = 2222;
+ # hostKeys = [
+ # (<secrets/ssh.id_ed25519>)
+ # (<secrets/ssh.id_rsa>)
+ # ];
+ # };
+ # };
+ # boot.kernelParams = [
+ # "net.ifnames=0"
+ # "ip=dhcp"
+ # "boot.trace"
+ # ];
}
diff --git a/lass/1systems/prism/backup.nix b/lass/1systems/prism/backup.nix
new file mode 100644
index 000000000..52b4142b9
--- /dev/null
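Review bot: The commented-out copy of the initrd SSH block is not a faithful copy: `hostKeys` now reads `(<secrets/ssh.id_ed25519>)` where the removed code had `(toString <secrets/ssh.id_ed25519>)`. If someone re-enables it as written, the bare Nix path value is coerced to a store path when the module interpolates it, so the private host keys would be copied into the world-readable /nix/store instead of being read as a plain out-of-store path string; keep `(toString <secrets/ssh.id_ed25519>)` and `(toString <secrets/ssh.id_rsa>)` in the comment, or delete the block outright. Nothing records why initrd networking and `ip=dhcp` were turned off — if the disks are encrypted this removes remote unlock — so a one-line comment such as `# initrd ssh disabled: unlock happens at the console` (or the actual reason) belongs here. The enclosing attribute set opens outside the hunk.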
+++ b/lass/1systems/prism/backup.nix
@@ -0,0 +1,37 @@
+{ config, lib, pkgs, ... }:
+{
+ services.postgresqlBackup.enable = true;
+
+ systemd.services.borgbackup-job-hetzner.serviceConfig.ReadWritePaths = [ "/var/log/telegraf" ];
+
+ services.borgbackup.jobs.hetzner = {
+ paths = [
+ "/var/backup"
+ ];
+ exclude = [
+ "*.pyc"
+ ];
+ repo = "u364341@u364341.your-storagebox.de:/./hetzner";
+ encryption.mode = "none";
+ compression = "auto,zstd";
+ startAt = "daily";
+ # TODO: change backup key
+ environment.BORG_RSH = "ssh -oPort=23 -i ${toString <secrets> + "/borgbackup.ssh.id25519"}";
+ preHook = ''
+ set -x
+ '';
+
+ postHook = ''
+ cat > /var/log/telegraf/borgbackup-job-hetzner.service <<EOF
+ task,frequency=daily last_run=$(date +%s)i,state="$([[ $exitStatus == 0 ]] && echo ok || echo fail)"
+ EOF
+ '';
+
+ prune.keep = {
+ within = "1d"; # Keep all archives from the last day
+ daily = 7;
+ weekly = 4;
+ monthly = 0;
+ };
+ };
+}
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index 1faa23ec3..990dac091 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -3,12 +3,13 @@ with import <stockholm/lib>;
{ imports = [ + ./backup.nix <stockholm/lass> <stockholm/lass/2configs/retiolum.nix> <stockholm/lass/2configs/libvirt.nix> <stockholm/lass/2configs/tv.nix> <stockholm/lass/2configs/websites/lassulus.nix> - <stockholm/lass/2configs/telegraf.nix> + <stockholm/lass/2configs/monitoring/telegraf.nix> { services.nginx.enable = true; imports = [
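Review bot: `encryption.mode = "none"` ships the contents of `/var/backup` — which, with `services.postgresqlBackup.enable = true`, includes the database dumps — to a third-party storage box without encryption, so the provider or anyone holding the SSH key that the `# TODO: change backup key` comment already flags for rotation can read them. Use an authenticated-encryption mode, e.g. `encryption = { mode = "repokey-blake2"; passCommand = "cat ${toString <secrets>}/borgbackup.passphrase"; };`, and note in a comment that the remote repo has to be re-initialised when the mode changes, since as far as I know borg 1.x cannot convert an existing unencrypted repository in place. The `set -x` in `preHook` traces every command, including the ssh command line with the key path, into the unit's journal; it is fine for debugging but should go once the job is known to work. The ssh options do not pin the storage box's host key (no `-oUserKnownHostsFile`), so the first run depends on whatever known_hosts root already has — a comment saying where that entry is managed would help.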
@@ -80,24 +81,6 @@ with import <stockholm/lib>; }; } { - #hotdog - systemd.services."container@hotdog".reloadIfChanged = mkForce false; - containers.hotdog = { - config = { ... }: { - environment.systemPackages = [ pkgs.git ]; - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey - ]; - }; - autoStart = false; - enableTun = true; - privateNetwork = true; - hostAddress = "10.233.2.1"; - localAddress = "10.233.2.2"; - }; - } - { services.nginx.virtualHosts."radio.lassul.us" = { enableACME = true; addSSL = true; @@ -159,40 +142,6 @@ with import <stockholm/lib>; }; } { - users.users.jeschli = { - uid = genid_uint31 "jeschli"; - isNormalUser = true; - openssh.authorizedKeys.keys = with config.krebs.users; [ - jeschli.pubkey - jeschli-bln.pubkey - jeschli-bolide.pubkey - jeschli-brauerei.pubkey - ]; - }; - krebs.git.rules = [ - { - user = with config.krebs.users; [ - jeschli - jeschli-bln - jeschli-bolide - jeschli-brauerei - ]; - repo = [ config.krebs.git.repos.xmonad-stockholm ]; - perm = with git; push "refs/heads/jeschli*" [ fast-forward non-fast-forward create delete merge ]; - } - { - user = with config.krebs.users; [ - jeschli - jeschli-bln - jeschli-bolide - jeschli-brauerei - ]; - repo = [ config.krebs.git.repos.stockholm ]; - perm = with git; push "refs/heads/staging/jeschli*" [ fast-forward non-fast-forward create delete merge ]; - } - ]; - } - { krebs.repo-sync.repos.stockholm.timerConfig = { OnBootSec = "5min"; OnUnitInactiveSec = "2min"; 
@@ -201,43 +150,8 @@ with import <stockholm/lib>; } <stockholm/lass/2configs/minecraft.nix> <stockholm/lass/2configs/codimd.nix> - <stockholm/lass/2configs/searx.nix> - { - services.taskserver = { - enable = true; - fqdn = "lassul.us"; - listenHost = "::"; - listenPort = 53589; - organisations.lass.users = [ "lass" "android" ]; - }; - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport 53589"; target = "ACCEPT"; } - ]; - } <stockholm/lass/2configs/go.nix> { - environment.systemPackages = [ pkgs.cryptsetup ]; - systemd.services."container@red".reloadIfChanged = mkForce false; - containers.red = { - config = { ... }: { - environment.systemPackages = [ pkgs.git ]; - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey - ]; - }; - autoStart = false; - enableTun = true; - privateNetwork = true; - hostAddress = "10.233.2.3"; - localAddress = "10.233.2.4"; - }; - } - { - users.users.download.openssh.authorizedKeys.keys = [ - ]; - } - { lass.nichtparasoup.enable = true; services.nginx = { enable = true; @@ -255,7 +169,7 @@ with import <stockholm/lib>; <stockholm/lass/2configs/wiregrill.nix> ]; krebs.iptables.tables.nat.PREROUTING.rules = mkOrder 999 [ - { v6 = false; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } + { v6 = false; predicate = "-s 10.244.0.0/16"; target = "ACCEPT"; } { v4 = false; predicate = "-s 42:1::/32"; target = "ACCEPT"; } ]; krebs.iptables.tables.filter.FORWARD.rules = mkBefore [ 
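Review bot: The widened `{ v6 = false; predicate = "-s 10.244.0.0/16"; target = "ACCEPT"; }` in nat PREROUTING matches on source address alone and is not tied to the interface that range presumably lives on (wiregrill, judging by the dnsmasq and iptables rules elsewhere in this file); adding `-i wiregrill` to the predicate keeps a packet with a spoofed 10.244 source arriving on the uplink from skipping whatever PREROUTING rules follow. A comment naming the range, e.g. `# wiregrill clients: skip port redirects`, would also explain why the /24 became a /16, which the hunk leaves implicit. The enclosing `imports` list element starts outside the hunk, and the FORWARD rules it introduces end outside it.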
@@ -264,16 +178,16 @@ with import <stockholm/lib>; ]; krebs.iptables.tables.nat.POSTROUTING.rules = [ { v4 = false; predicate = "-s 42:1::/32 ! -d 42:1::/48"; target = "MASQUERADE"; } - { v6 = false; predicate = "-s 10.244.1.0/24 ! -d 10.244.1.0/24"; target = "MASQUERADE"; } + { v6 = false; predicate = "-s 10.244.0.0/16 ! -d 10.244.0.0/16"; target = "MASQUERADE"; } ]; services.dnsmasq = { enable = true; resolveLocalQueries = false; extraConfig= '' - listen-address=42:1:ce16::1,10.244.1.103 - except-interface=lo + bind-interfaces interface=wiregrill + interface=retiolum ''; }; } @@ -285,33 +199,15 @@ with import <stockholm/lib>; <stockholm/lass/2configs/services/coms/murmur.nix> <stockholm/lass/2configs/docker.nix> { - systemd.services."container@yellow".reloadIfChanged = mkForce false; - containers.yellow = { - config = { ... }: { - environment.systemPackages = [ pkgs.git ]; - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey - ]; - }; - autoStart = false; - enableTun = true; - privateNetwork = true; - hostAddress = "10.233.2.13"; - localAddress = "10.233.2.14"; - }; - services.nginx.virtualHosts."jelly.r" = { - locations."/".extraConfig = '' - proxy_pass http://10.233.2.14:8096/; - proxy_set_header Accept-Encoding ""; - ''; - }; - services.nginx.virtualHosts."flix.r" = { - locations."/".extraConfig = '' - proxy_pass http://10.233.2.14:80/; - proxy_set_header Accept-Encoding ""; - ''; + services.nginx.virtualHosts."flix.lassul.us" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://yellow.r:8096"; + proxyWebsockets = true; + recommendedProxySettings = true; + }; }; services.nginx.virtualHosts."lassul.us" = { locations."^~ /flix/".extraConfig = '' 
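Review bot: Replacing `except-interface=lo` with `bind-interfaces` and `interface=` lines changes more than the listening interfaces: dnsmasq automatically adds the loopback interface whenever `interface=` is used, so without the removed `except-interface=lo` the service now also binds 127.0.0.1:53, which can collide with any other local resolver and is not what `resolveLocalQueries = false` suggests is wanted. Keep `except-interface=lo` next to the two `interface=` lines unless the loopback listener is intended. The new `interface=retiolum` line also turns this into a resolver for every retiolum peer (subject to whatever INPUT rules for port 53 exist outside this hunk); a comment saying what it is meant to serve there would help. The matching MASQUERADE widening to `10.244.0.0/16` is consistent only if the FORWARD rules above, which are outside the hunk, were widened the same way.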
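Review bot: `flix.lassul.us` exposes `yellow.r:8096` to the whole internet with no nginx-level authentication, whereas the removed `jelly.r` host that pointed at the same port was reachable only by its overlay name and the `/flix/` location below still wraps the `:80` backend in `auth_basic`; if relying solely on the proxied application's own login is intended (the old `jelly.r` name and port 8096 suggest Jellyfin), say so with a comment such as `# public on purpose: the app handles auth itself` so the asymmetry does not read as an oversight. `recommendedProxySettings` forwards `X-Forwarded-For` and related headers, which the backend only uses correctly if it is configured to trust this proxy — worth confirming on yellow. The proxy target is plain `http://`, which is acceptable only if `.r` resolution and transport stay confined to the overlay network; the hunk does not show that.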
@@ -322,7 +218,7 @@ with import <stockholm/lib>; auth_basic_user_file ${pkgs.writeText "flix-user-pass" '' krebs:$apr1$1Fwt/4T0$YwcUn3OBmtmsGiEPlYWyq0 ''}; - proxy_pass http://10.233.2.14:80/; + proxy_pass http://yellow.r:80/; proxy_set_header Accept-Encoding ""; sub_filter "https://lassul.us/" "https://lassul.us/flix/"; sub_filter_once off; @@ -396,7 +292,7 @@ with import <stockholm/lib>; netbios name = PRISM server string = ${config.networking.hostName} # only allow retiolum addresses - hosts allow = 42::/16 10.243.0.0/16 + hosts allow = 42::/16 10.243.0.0/16 10.244.0.0/16 # Use sendfile() for performance gain use sendfile = true @@ -438,13 +334,13 @@ with import <stockholm/lib>; krebs.iptables.tables.filter.INPUT.rules = [ # smbd { predicate = "-i retiolum -p tcp --dport 445"; target = "ACCEPT"; } - { predicate = "-i retiolum -p tcp --dport 111"; target = "ACCEPT"; } { predicate = "-i retiolum -p udp --dport 111"; target = "ACCEPT"; } { predicate = "-i retiolum -p tcp --dport 2049"; target = "ACCEPT"; } { predicate = "-i retiolum -p udp --dport 2049"; target = "ACCEPT"; } { predicate = "-i retiolum -p tcp --dport 4000:4002"; target = "ACCEPT"; } { predicate = "-i retiolum -p udp --dport 4000:4002"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p tcp --dport 445"; target = "ACCEPT"; } { predicate = "-i wiregrill -p tcp --dport 111"; target = "ACCEPT"; } { predicate = "-i wiregrill -p udp --dport 111"; target = "ACCEPT"; } { predicate = "-i wiregrill -p tcp --dport 2049"; target = "ACCEPT"; } 
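Review bot: The `auth_basic_user_file` two lines above the changed `proxy_pass http://yellow.r:80/;` is generated with `pkgs.writeText`, which places the `krebs:$apr1$...` credential hash in the world-readable Nix store, and apr1 is MD5-based, so any local user (or anyone with the closure) can attack it offline. This is context rather than new code, but since the location is being edited anyway, point the directive at an out-of-store file, `auth_basic_user_file ${toString <secrets>}/flix.htpasswd;`, and regenerate the entry with a bcrypt hash (`htpasswd -B`). The `extraConfig` string begins before the hunk.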
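Review bot: The added `{ predicate = "-i wiregrill -p tcp --dport 445"; target = "ACCEPT"; }` opens smbd to everything on wiregrill, and together with the `hosts allow = ... 10.244.0.0/16` change in the hunk above that is now a full /16 rather than a single /24; a comment on the rule stating which wiregrill peers are supposed to mount shares would document the widened exposure. Removing `-i retiolum -p tcp --dport 111` while keeping its UDP twin and the wiregrill tcp/111 rule looks inconsistent — if rpcbind over TCP is not needed on retiolum it is unlikely to be needed on wiregrill either, so either drop `{ predicate = "-i wiregrill -p tcp --dport 111"; target = "ACCEPT"; }` too or add a comment explaining the difference. The `INPUT.rules` list continues past the end of the hunk.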
@@ -453,25 +349,6 @@ with import <stockholm/lib>; { predicate = "-i wiregrill -p udp --dport 4000:4002"; target = "ACCEPT"; } ]; } - { - users.users.shannan = { - uid = genid_uint31 "shannan"; - isNormalUser = true; - openssh.authorizedKeys.keys = [ - config.krebs.users.shannan.pubkey - ]; - }; - } - { - nix.trustedUsers = [ "mic92" ]; - users.users.mic92 = { - uid = genid_uint31 "mic92"; - isNormalUser = true; - openssh.authorizedKeys.keys = [ - config.krebs.users.mic92.pubkey - ]; - }; - } ]; krebs.build.host = config.krebs.hosts.prism; diff --git a/lass/1systems/prism/physical.nix b/lass/1systems/prism/physical.nix index ebc80411b..2260aa648 100644 --- a/lass/1systems/prism/physical.nix +++ b/lass/1systems/prism/physical.nix @@ -9,6 +9,7 @@ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "sd_mod" ]; boot.kernelModules = [ "kvm-intel" ]; + boot.swraid.enable = true; fileSystems."/" = { device = "rpool/root/nixos"; @@ -60,11 +61,6 @@ fsType = "zfs"; }; - fileSystems."/home/xanf" = { - device = "/dev/disk/by-id/wwn-0x500a07511becb076"; - fsType = "ext4"; - }; - # silence mdmonitor.service failures # https://github.com/NixOS/nixpkgs/issues/72394 environment.etc."mdadm.conf".text = '' @@ -80,7 +76,7 @@ # we don't pay for power there and this might solve a problem we observed at least once # https://www.thomas-krenn.com/de/wiki/PCIe_Bus_Error_Status_00001100_beheben - boot.kernelParams = [ "pcie_aspm=off" "net.ifnames=0" ]; + boot.kernelParams = [ "pcie_aspm=off" "net.ifnames=0" "nomodeset" ]; networking.dhcpcd.enable = false; diff --git a/lass/1systems/shodan/config.nix b/lass/1systems/shodan/config.nix index 5e48c216a..0bea37e5c 100644 --- a/lass/1systems/shodan/config.nix +++ b/lass/1systems/shodan/config.nix 
@@ -13,13 +13,9 @@ <stockholm/lass/2configs/programs.nix> <stockholm/lass/2configs/wine.nix> <stockholm/lass/2configs/bitcoin.nix> - <stockholm/lass/2configs/blue-host.nix> - <stockholm/lass/2configs/green-host.nix> - <stockholm/krebs/2configs/news-host.nix> <stockholm/lass/2configs/yellow-mounts/samba.nix> <stockholm/lass/2configs/fetchWallpaper.nix> <stockholm/lass/2configs/consul.nix> - <stockholm/lass/2configs/red-host.nix> <stockholm/lass/2configs/snapclient.nix> ]; @@ -27,4 +23,6 @@ services.logind.lidSwitch = "ignore"; services.logind.lidSwitchDocked = "ignore"; + nix.trustedUsers = [ "root" "lass" ]; + system.stateVersion = "22.05"; } diff --git a/lass/1systems/skynet/physical.nix b/lass/1systems/skynet/physical.nix index e3451293f..1ac9708c7 100644 --- a/lass/1systems/skynet/physical.nix +++ b/lass/1systems/skynet/physical.nix @@ -12,15 +12,15 @@ networking.hostId = "06442b9a"; - fileSystems."/" = - { device = "rpool/root"; - fsType = "zfs"; - }; + fileSystems."/" = { + device = "rpool/root"; + fsType = "zfs"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/0876-B308"; - fsType = "vfat"; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/0876-B308"; + fsType = "vfat"; + }; services.udev.extraRules = '' SUBSYSTEM=="net", ATTR{address}=="10:0b:a9:a6:44:04", NAME="wl0" diff --git a/lass/1systems/styx/config.nix b/lass/1systems/styx/config.nix index 6c054abfe..988cbca75 100644 --- a/lass/1systems/styx/config.nix +++ b/lass/1systems/styx/config.nix @@ -22,11 +22,11 @@ with import <stockholm/lib>; <stockholm/lass/2configs/fetchWallpaper.nix> <stockholm/lass/2configs/home-media.nix> <stockholm/lass/2configs/syncthing.nix> - <stockholm/lass/2configs/sync/sync.nix> # <stockholm/lass/2configs/idc.nix> <stockholm/lass/2configs/ppp/umts-stick.nix> <stockholm/lass/2configs/snapserver.nix> <stockholm/lass/2configs/snapclient.nix> + <stockholm/lass/2configs/consul.nix> ]; krebs.build.host = config.krebs.hosts.styx; 
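Review bot: `nix.trustedUsers = [ "root" "lass" ];` makes `lass` effectively root: a trusted user can hand the daemon arbitrary `substituters` and `trusted-public-keys` and import unsigned store paths, so the line deserves a comment stating why it is needed on shodan (deploying from this host, presumably). `root` is trusted by default, so listing it is redundant. On NixOS 22.05, which `system.stateVersion = "22.05"` suggests this host targets, the option lives at `nix.settings.trusted-users = [ "lass" ];` and the old path is a deprecated alias, so it is worth switching before the alias is removed.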
diff --git a/lass/1systems/styx/physical.nix b/lass/1systems/styx/physical.nix index ae0cdf489..284bbb333 100644 --- a/lass/1systems/styx/physical.nix +++ b/lass/1systems/styx/physical.nix @@ -16,7 +16,6 @@ boot.loader.grub.device = "/dev/disk/by-id/ata-SanDisk_SSD_G5_BICS4_20248F446514"; boot.loader.grub.efiInstallAsRemovable = true; - fileSystems."/" = { device = "/dev/disk/by-uuid/ee5c9099-17fa-401e-852e-67cb4ae068f4"; fsType = "ext4"; diff --git a/lass/1systems/wizard/config.nix b/lass/1systems/wizard/config.nix index e158fa728..5e69171ce 100644 --- a/lass/1systems/wizard/config.nix +++ b/lass/1systems/wizard/config.nix @@ -183,7 +183,7 @@ in { #style most - rxvt_unicode.terminfo + rxvt-unicode-unwrapped.terminfo #monitoring tools htop @@ -192,6 +192,7 @@ in { #network iptables iftop + nm-dmenu #stuff for dl aria2 diff --git a/lass/1systems/xerxes/config.nix b/lass/1systems/xerxes/config.nix index 6972567d7..d1ee4cf71 100644 --- a/lass/1systems/xerxes/config.nix +++ b/lass/1systems/xerxes/config.nix @@ -7,16 +7,15 @@ <stockholm/lass/2configs/retiolum.nix> <stockholm/lass/2configs/exim-retiolum.nix> <stockholm/lass/2configs/baseX.nix> + <stockholm/lass/2configs/pipewire.nix> <stockholm/lass/2configs/browsers.nix> <stockholm/lass/2configs/programs.nix> <stockholm/lass/2configs/network-manager.nix> <stockholm/lass/2configs/syncthing.nix> <stockholm/lass/2configs/sync/sync.nix> - <stockholm/lass/2configs/games.nix> <stockholm/lass/2configs/steam.nix> <stockholm/lass/2configs/wine.nix> <stockholm/lass/2configs/fetchWallpaper.nix> - <stockholm/lass/2configs/nfs-dl.nix> <stockholm/lass/2configs/pass.nix> <stockholm/lass/2configs/mail.nix> ]; 
@@ -60,24 +59,6 @@ services.logind.lidSwitch = "suspend"; lass.screenlock.enable = lib.mkForce false; - systemd.services.suspend-again = { - after = [ "suspend.target" ]; - requiredBy = [ "suspend.target" ]; - # environment = { - # DISPLAY = ":${toString config.services.xserver.display}"; - # }; - serviceConfig = { - ExecStart = pkgs.writeDash "suspend-again" '' - ${pkgs.gnugrep}/bin/grep -q closed /proc/acpi/button/lid/LID0/state - if [ "$?" -eq 0 ]; then - echo 'wakeup with closed lid' - ${pkgs.systemd}/bin/systemctl suspend - fi - ''; - Type = "simple"; - }; - }; - hardware.bluetooth = { enable = true; powerOnBoot = true; |