diff options
Diffstat (limited to 'lass')
70 files changed, 1304 insertions, 502 deletions
diff --git a/lass/1systems/aergia/config.nix b/lass/1systems/aergia/config.nix index 618938ce8..3e0ae23f7 100644 --- a/lass/1systems/aergia/config.nix +++ b/lass/1systems/aergia/config.nix @@ -112,7 +112,6 @@ environment.systemPackages = with pkgs; [ brain - bank l-gen-secrets generate-secrets nixpkgs-review diff --git a/lass/1systems/aergia/disk.nix b/lass/1systems/aergia/disk.nix index 848157729..233b320e4 100644 --- a/lass/1systems/aergia/disk.nix +++ b/lass/1systems/aergia/disk.nix @@ -45,9 +45,11 @@ # Mountpoints inferred from subvolume name "/home" = { mountOptions = []; + mountpoint = "/home"; }; "/nix" = { mountOptions = []; + mountpoint = "/nix"; }; }; }; diff --git a/lass/1systems/aergia/physical.nix b/lass/1systems/aergia/physical.nix index 9f06dccdc..e76460d20 100644 --- a/lass/1systems/aergia/physical.nix +++ b/lass/1systems/aergia/physical.nix @@ -16,7 +16,7 @@ efiInstallAsRemovable = true; }; - boot.kernelPackages = pkgs.linuxPackages_latest; + # boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelParams = [ # use less power with pstate @@ -70,8 +70,6 @@ }; users.users.mainUser.extraGroups = [ "corectrl" ]; - # use newer ryzenadj - # keyboard quirks services.xserver.displayManager.sessionCommands = '' ${pkgs.xorg.xmodmap}/bin/xmodmap -e 'keycode 96 = F12 Insert F12 F12' # rebind shift + F12 to shift + insert @@ -102,9 +100,16 @@ services.logind.extraConfig = '' HandlePowerKey=hibernate ''; + # systemd.sleep.extraConfig = '' + # HibernateDelaySec=1800 + # ''; # firefox touchscreen support environment.sessionVariables.MOZ_USE_XINPUT2 = "1"; + + # enable thunderbolt + services.hardware.bolt.enable = true; + # reinit usb after docking station connect services.udev.extraRules = '' SUBSYSTEM=="drm", ACTION=="change", RUN+="${pkgs.dash}/bin/dash -c 'echo 0 > /sys/bus/usb/devices/usb9/authorized; echo 1 > /sys/bus/usb/devices/usb9/authorized'" diff --git a/lass/1systems/green/config.nix b/lass/1systems/green/config.nix index c232be9bd..81b8b909b 100644 --- a/lass/1systems/green/config.nix +++ b/lass/1systems/green/config.nix @@ -15,7 +15,6 @@ with import <stockholm/lib>; <stockholm/lass/2configs/weechat.nix> <stockholm/lass/2configs/bitlbee.nix> - <stockholm/lass/2configs/muchsync.nix> <stockholm/lass/2configs/pass.nix> <stockholm/lass/2configs/git-brain.nix> diff --git a/lass/1systems/neoprism/physical.nix b/lass/1systems/neoprism/physical.nix index f2092d9aa..cc7734f39 100644 --- a/lass/1systems/neoprism/physical.nix +++ b/lass/1systems/neoprism/physical.nix @@ -13,7 +13,10 @@ boot.loader.grub.enable = true; boot.loader.grub.version = 2; boot.loader.grub.efiSupport = true; - boot.loader.grub.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ]; + boot.loader.grub.devices = [ + config.disko.devices.disk."/dev/nvme0n1".device + config.disko.devices.disk."/dev/nvme1n1".device + ]; boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "sd_mod" ]; boot.kernelModules = [ "kvm-amd" ]; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; @@ -56,21 +59,21 @@ }; networking.useDHCP = false; - boot.initrd.network = { - enable = true; - ssh = { - enable = true; - authorizedKeys = [ config.krebs.users.lass.pubkey ]; - port = 2222; - hostKeys = [ - (toString <secrets/ssh.id_ed25519>) - (toString <secrets/ssh.id_rsa>) - ]; - }; - }; - boot.kernelParams = [ - "net.ifnames=0" - "ip=dhcp" - "boot.trace" - ]; + # boot.initrd.network = { + # enable = true; + # ssh = { + # enable = true; + # authorizedKeys = [ config.krebs.users.lass.pubkey ]; + # port = 2222; + # hostKeys = [ + # (<secrets/ssh.id_ed25519>) + # (<secrets/ssh.id_rsa>) + # ]; + # }; + # }; + # boot.kernelParams = [ + # "net.ifnames=0" + # "ip=dhcp" + # "boot.trace" + # ]; } diff --git a/lass/1systems/prism/backup.nix b/lass/1systems/prism/backup.nix new file mode 100644 index 000000000..52b4142b9 --- /dev/null +++ b/lass/1systems/prism/backup.nix @@ -0,0 +1,37 @@ +{ config, lib, pkgs, ... }: +{ + services.postgresqlBackup.enable = true; + + systemd.services.borgbackup-job-hetzner.serviceConfig.ReadWritePaths = [ "/var/log/telegraf" ]; + + services.borgbackup.jobs.hetzner = { + paths = [ + "/var/backup" + ]; + exclude = [ + "*.pyc" + ]; + repo = "u364341@u364341.your-storagebox.de:/./hetzner"; + encryption.mode = "none"; + compression = "auto,zstd"; + startAt = "daily"; + # TODO: change backup key + environment.BORG_RSH = "ssh -oPort=23 -i ${toString <secrets> + "/borgbackup.ssh.id25519"}"; + preHook = '' + set -x + ''; + + postHook = '' + cat > /var/log/telegraf/borgbackup-job-hetzner.service <<EOF + task,frequency=daily last_run=$(date +%s)i,state="$([[ $exitStatus == 0 ]] && echo ok || echo fail)" + EOF + ''; + + prune.keep = { + within = "1d"; # Keep all archives from the last day + daily = 7; + weekly = 4; + monthly = 0; + }; + }; +} diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 1faa23ec3..990dac091 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -3,12 +3,13 @@ with import <stockholm/lib>; { imports = [ + ./backup.nix <stockholm/lass> <stockholm/lass/2configs/retiolum.nix> <stockholm/lass/2configs/libvirt.nix> <stockholm/lass/2configs/tv.nix> <stockholm/lass/2configs/websites/lassulus.nix> - <stockholm/lass/2configs/telegraf.nix> + <stockholm/lass/2configs/monitoring/telegraf.nix> { services.nginx.enable = true; imports = [ @@ -80,24 +81,6 @@ with import <stockholm/lib>; }; } { - #hotdog - systemd.services."container@hotdog".reloadIfChanged = mkForce false; - containers.hotdog = { - config = { ... }: { - environment.systemPackages = [ pkgs.git ]; - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey - ]; - }; - autoStart = false; - enableTun = true; - privateNetwork = true; - hostAddress = "10.233.2.1"; - localAddress = "10.233.2.2"; - }; - } - { services.nginx.virtualHosts."radio.lassul.us" = { enableACME = true; addSSL = true; @@ -159,40 +142,6 @@ with import <stockholm/lib>; }; } { - users.users.jeschli = { - uid = genid_uint31 "jeschli"; - isNormalUser = true; - openssh.authorizedKeys.keys = with config.krebs.users; [ - jeschli.pubkey - jeschli-bln.pubkey - jeschli-bolide.pubkey - jeschli-brauerei.pubkey - ]; - }; - krebs.git.rules = [ - { - user = with config.krebs.users; [ - jeschli - jeschli-bln - jeschli-bolide - jeschli-brauerei - ]; - repo = [ config.krebs.git.repos.xmonad-stockholm ]; - perm = with git; push "refs/heads/jeschli*" [ fast-forward non-fast-forward create delete merge ]; - } - { - user = with config.krebs.users; [ - jeschli - jeschli-bln - jeschli-bolide - jeschli-brauerei - ]; - repo = [ config.krebs.git.repos.stockholm ]; - perm = with git; push "refs/heads/staging/jeschli*" [ fast-forward non-fast-forward create delete merge ]; - } - ]; - } - { krebs.repo-sync.repos.stockholm.timerConfig = { OnBootSec = "5min"; OnUnitInactiveSec = "2min"; @@ -201,43 +150,8 @@ with import <stockholm/lib>; } <stockholm/lass/2configs/minecraft.nix> <stockholm/lass/2configs/codimd.nix> - <stockholm/lass/2configs/searx.nix> - { - services.taskserver = { - enable = true; - fqdn = "lassul.us"; - listenHost = "::"; - listenPort = 53589; - organisations.lass.users = [ "lass" "android" ]; - }; - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport 53589"; target = "ACCEPT"; } - ]; - } <stockholm/lass/2configs/go.nix> { - environment.systemPackages = [ pkgs.cryptsetup ]; - systemd.services."container@red".reloadIfChanged = mkForce false; - containers.red = { - config = { ... }: { - environment.systemPackages = [ pkgs.git ]; - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey - ]; - }; - autoStart = false; - enableTun = true; - privateNetwork = true; - hostAddress = "10.233.2.3"; - localAddress = "10.233.2.4"; - }; - } - { - users.users.download.openssh.authorizedKeys.keys = [ - ]; - } - { lass.nichtparasoup.enable = true; services.nginx = { enable = true; @@ -255,7 +169,7 @@ with import <stockholm/lib>; <stockholm/lass/2configs/wiregrill.nix> ]; krebs.iptables.tables.nat.PREROUTING.rules = mkOrder 999 [ - { v6 = false; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } + { v6 = false; predicate = "-s 10.244.0.0/16"; target = "ACCEPT"; } { v4 = false; predicate = "-s 42:1::/32"; target = "ACCEPT"; } ]; krebs.iptables.tables.filter.FORWARD.rules = mkBefore [ @@ -264,16 +178,16 @@ with import <stockholm/lib>; ]; krebs.iptables.tables.nat.POSTROUTING.rules = [ { v4 = false; predicate = "-s 42:1::/32 ! -d 42:1::/48"; target = "MASQUERADE"; } - { v6 = false; predicate = "-s 10.244.1.0/24 ! -d 10.244.1.0/24"; target = "MASQUERADE"; } + { v6 = false; predicate = "-s 10.244.0.0/16 ! -d 10.244.0.0/16"; target = "MASQUERADE"; } ]; services.dnsmasq = { enable = true; resolveLocalQueries = false; extraConfig= '' - listen-address=42:1:ce16::1,10.244.1.103 - except-interface=lo + bind-interfaces interface=wiregrill + interface=retiolum ''; }; } @@ -285,33 +199,15 @@ with import <stockholm/lib>; <stockholm/lass/2configs/services/coms/murmur.nix> <stockholm/lass/2configs/docker.nix> { - systemd.services."container@yellow".reloadIfChanged = mkForce false; - containers.yellow = { - config = { ... }: { - environment.systemPackages = [ pkgs.git ]; - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey - ]; - }; - autoStart = false; - enableTun = true; - privateNetwork = true; - hostAddress = "10.233.2.13"; - localAddress = "10.233.2.14"; - }; - services.nginx.virtualHosts."jelly.r" = { - locations."/".extraConfig = '' - proxy_pass http://10.233.2.14:8096/; - proxy_set_header Accept-Encoding ""; - ''; - }; - services.nginx.virtualHosts."flix.r" = { - locations."/".extraConfig = '' - proxy_pass http://10.233.2.14:80/; - proxy_set_header Accept-Encoding ""; - ''; + services.nginx.virtualHosts."flix.lassul.us" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://yellow.r:8096"; + proxyWebsockets = true; + recommendedProxySettings = true; + }; }; services.nginx.virtualHosts."lassul.us" = { locations."^~ /flix/".extraConfig = '' @@ -322,7 +218,7 @@ with import <stockholm/lib>; auth_basic_user_file ${pkgs.writeText "flix-user-pass" '' krebs:$apr1$1Fwt/4T0$YwcUn3OBmtmsGiEPlYWyq0 ''}; - proxy_pass http://10.233.2.14:80/; + proxy_pass http://yellow.r:80/; proxy_set_header Accept-Encoding ""; sub_filter "https://lassul.us/" "https://lassul.us/flix/"; sub_filter_once off; @@ -396,7 +292,7 @@ with import <stockholm/lib>; netbios name = PRISM server string = ${config.networking.hostName} # only allow retiolum addresses - hosts allow = 42::/16 10.243.0.0/16 + hosts allow = 42::/16 10.243.0.0/16 10.244.0.0/16 # Use sendfile() for performance gain use sendfile = true @@ -438,13 +334,13 @@ with import <stockholm/lib>; krebs.iptables.tables.filter.INPUT.rules = [ # smbd { predicate = "-i retiolum -p tcp --dport 445"; target = "ACCEPT"; } - { predicate = "-i retiolum -p tcp --dport 111"; target = "ACCEPT"; } { predicate = "-i retiolum -p udp --dport 111"; target = "ACCEPT"; } { predicate = "-i retiolum -p tcp --dport 2049"; target = "ACCEPT"; } { predicate = "-i retiolum -p udp --dport 2049"; target = "ACCEPT"; } { predicate = "-i retiolum -p tcp --dport 4000:4002"; target = "ACCEPT"; } { predicate = "-i retiolum -p udp --dport 4000:4002"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p tcp --dport 445"; target = "ACCEPT"; } { predicate = "-i wiregrill -p tcp --dport 111"; target = "ACCEPT"; } { predicate = "-i wiregrill -p udp --dport 111"; target = "ACCEPT"; } { predicate = "-i wiregrill -p tcp --dport 2049"; target = "ACCEPT"; } @@ -453,25 +349,6 @@ with import <stockholm/lib>; { predicate = "-i wiregrill -p udp --dport 4000:4002"; target = "ACCEPT"; } ]; } - { - users.users.shannan = { - uid = genid_uint31 "shannan"; - isNormalUser = true; - openssh.authorizedKeys.keys = [ - config.krebs.users.shannan.pubkey - ]; - }; - } - { - nix.trustedUsers = [ "mic92" ]; - users.users.mic92 = { - uid = genid_uint31 "mic92"; |