commit ceeed0c4df5475087ee13b55f8f6b4645b060136 Author: Xe Date: Tue Dec 21 16:48:41 2021 -0500 logos skeleton Signed-off-by: Xe
diff --git a/common/default.nix b/common/default.nix
new file mode 100644
index 0000000..4e5ee2a
--- /dev/null
+++ b/common/default.nix
@@ -0,0 +1,44 @@
+{ config, lib, pkgs, ... }: {
+ imports = [ ../users ];
+
+ boot.cleanTmpDir = true;
+ boot.kernelModules = [ "wireguard" ];
+
+ environment.systemPackages = with pkgs; [ age minisign tmate jq nfs-utils ];
+
+ nix = {
+ autoOptimiseStore = true;
+ useSandbox = true;
+ package = pkgs.nixFlakes;
+
+ extraOptions = ''
+ experimental-features = nix-command flakes
+ '';
+
+ binaryCaches =
+ [ "https://xe.cachix.org" "https://nix-community.cachix.org" ];
+ binaryCachePublicKeys = [
+ "xe.cachix.org-1:kT/2G09KzMvQf64WrPBDcNWTKsA79h7+y2Fn2N7Xk2Y="
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ ];
+
+ trustedUsers = [ "root" "cadey" ];
+ };
+
+ security.pam.loginLimits = [{
+ domain = "*";
+ type = "soft";
+ item = "nofile";
+ value = "unlimited";
+ }];
+
+ services.journald.extraConfig = ''
+ SystemMaxUse=100M
+ MaxFileSec=7day
+ '';
+
+ services.resolved = {
+ enable = true;
+ dnssec = "false";
+ };
+}
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..8f1ac04
--- /dev/null
+++ b/flake.lock
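Review bot: `trustedUsers = [ "root" "cadey" ];` in the `nix` block makes cadey root-equivalent through nix-daemon, because trusted users may pass arbitrary substituters and sandbox settings to builds; if that is the intent, say so with a comment such as `# cadey is the sole admin; nix trusted-users is root-equivalent`, otherwise drop the user and rely on `binaryCachePublicKeys` alone for the two caches listed above. Those two cache keys are applied to every host that imports this module, so a note on where they were verified (the cachix page, a signed announcement) would help the next person who has to rotate one. `dnssec = "false"` is a string on purpose, since the resolved option takes `"true"`, `"allow-downgrade"` or `"false"`; a short comment there keeps a later reader from "fixing" it into a boolean.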
@@ -0,0 +1,144 @@ +{ + "nodes": { + "deploy-rs": { + "inputs": { + "flake-compat": "flake-compat", + "nixpkgs": "nixpkgs", + "utils": "utils" + }, + "locked": { + "lastModified": 1638665590, + "narHash": "sha256-nhtfL3z4TizWHemyZvgLvq11FhYX5Ya4ke+t6Np5PKQ=", + "owner": "serokell", + "repo": "deploy-rs", + "rev": "715e92a13018bc1745fb680b5860af0c5641026a", + "type": "github" + }, + "original": { + "owner": "serokell", + "repo": "deploy-rs", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1627913399, + "narHash": "sha256-hY8g6H2KFL8ownSiFeMOjwPC8P0ueXpCVEbxgda3pko=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "12c64ca55c1014cdc1b16ed5a804aa8576601ff2", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1640115895, + "narHash": "sha256-Z4IuhiwQfHOaReDdLsQAK//PYObrSOW/QvLOiEN3zOc=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "7ec50b1f77e62c79f07ed200853c07894195f544", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1632086102, + "narHash": "sha256-wVTcf0UclFS+zHtfPToB13jIO7n0U9N50MuRbPjQViE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "e0ce3c683ae677cf5aab597d645520cddd13392b", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1640090545, + "narHash": "sha256-6qiF46uBGoSQmjDTFl8ilT+d1DuK39IRHlj0jE5gqZE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "1dd151f0c0c216f416e9553af08f724a2499c795", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "type": "indirect" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1640053112, + "narHash": 
"sha256-7C0UQssCdAMyCNSv8szLJfZ5xYMBr9mh27zYUmo8wHQ=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "c478eaf416411a7dedf773185b6d5bfc966a80ae", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "deploy-rs": "deploy-rs", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs_3", + "utils": "utils_2" + } + }, + "utils": { + "locked": { + "lastModified": 1631561581, + "narHash": "sha256-3VQMV5zvxaVLvqqUrNz3iJelLw30mIVSfZmAaauM3dA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "7e5bf3925f6fbdfaf50a2a7ca0be2879c4261d19", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "utils_2": { + "locked": { + "lastModified": 1638122382, + "narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "74f7e4319258e287b0f9cb95426c9853b282730b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..edb8ceb --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,34 @@
+{
+ description = "My deploy-rs config for logos";
+
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+ home-manager.url = "github:nix-community/home-manager";
+ deploy-rs.url = "github:serokell/deploy-rs";
+ utils.url = "github:numtide/flake-utils";
+ };
+
+ outputs = { self, nixpkgs, deploy-rs, home-manager, utils, ... }:
+ let pkgs = nixpkgs.legacyPackages."x86_64-linux";
+ in {
+ devShell.x86_64-linux = pkgs.mkShell {
+ buildInputs = [ deploy-rs.packages.x86_64-linux.deploy-rs ];
+ };
+
+ nixosConfigurations.logos = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [ ./hosts/logos ];
+ };
+
+ deploy.nodes.some-random-system.profiles.system = {
+ hostname = "192.168.2.35";
+ user = "root";
+ path = deploy-rs.lib.x86_64-linux.activate.nixos
+ self.nixosConfigurations.logos;
+ };
+
+ # This is highly advised, and will prevent many possible mistakes
+ checks = builtins.mapAttrs
+ (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
+ };
+}
diff --git a/hardware/alrest/default.nix b/hardware/alrest/default.nix
new file mode 100644
index 0000000..7227f9b
--- /dev/null
+++ b/hardware/alrest/default.nix
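Review bot: `nixosConfigurations.logos` is built from `./hosts/logos` only, and that module (added later in this commit) imports nothing, so the logos system picks up neither `common/` nor the hardware profile in `hardware/alrest`; until one of them is wired in — presumably `imports = [ ../../common ../../hardware/alrest ];` in hosts/logos/default.nix — the configuration has no root filesystem and will not evaluate to a bootable system, which may be acceptable for a skeleton commit but deserves a TODO. `deploy.nodes.some-random-system` is the deploy-rs template name left in place; renaming it to `logos` keeps the node, the NixOS configuration and `networking.hostName` aligned so `deploy .#logos` reads correctly. The node's `hostname` is a LAN address while the solanum config in this commit reaches the same machines over 100.x addresses; a comment saying which path deploys are expected to take would save a later reader the guess.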
@@ -0,0 +1,45 @@
+{ config, pkgs, ... }:
+
+let metadata = pkgs.callPackage ../../../ops/metadata/peers.nix { };
+in {
+ imports = [
+ ./hardware-configuration.nix
+ ./solanum.nix
+ ./zfs.nix
+ ];
+
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.supportedFilesystems = [ "zfs" ];
+ boot.zfs.devNodes = "/dev/disk/by-partuuid";
+ boot.kernelParams = [ "zfs.zfs_arc_max=1073741824" ];
+
+ networking.interfaces.enp2s0.useDHCP = true;
+
+ nixpkgs.config.allowUnfree = true;
+
+ networking.firewall.enable = false;
+
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = 1;
+ "net.ipv6.conf.all.forwarding" = 1;
+ };
+
+ services.openssh.enable = true;
+
+ environment.systemPackages = with pkgs; [ wget vim zfs ];
+
+ services.zfs.autoScrub.enable = true;
+ services.zfs.autoSnapshot.enable = true;
+ services.zfs.trim.enable = true;
+
+ cadey.cpu = {
+ enable = true;
+ vendor = "intel";
+ };
+
+ security.sudo.wheelNeedsPassword = false;
+
+ services.tailscale.enable = true;
+ virtualisation.libvirtd.enable = true;
+}
diff --git a/hardware/alrest/hardware-configuration.nix b/hardware/alrest/hardware-configuration.nix
new file mode 100644
index 0000000..59cc521
--- /dev/null
+++ b/hardware/alrest/hardware-configuration.nix
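Review bot: `metadata` is bound at the top of the file but never used, and its path `../../../ops/metadata/peers.nix` points above the flake root, which a flake evaluation cannot see because only the flake's own tree is copied to the store; solanum.nix repeats the same binding and does use it, so evaluation will fail unless that file moves into this repository or is passed in as a flake input — drop the dead binding here and fix the path in solanum.nix. Separately, `networking.firewall.enable = false;` combined with the two forwarding sysctls, `services.nfs.server.enable` in zfs.nix and the solanum listener on `0.0.0.0:6667` exposes every service on every interface, including the DHCP-configured `enp2s0`; if the intent is to reach them only over tailscale, keep the firewall on and set `networking.firewall.trustedInterfaces = [ "tailscale0" ];` instead. `security.sudo.wheelNeedsPassword = false;` also deserves a one-line comment noting that wheel is limited to cadey, who is already root-equivalent via the docker/libvirtd groups and nix trusted-users set elsewhere in this commit.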
@@ -0,0 +1,35 @@
+{ config, pkgs, modulesPath, lib, ... }: {
+ imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+ boot.initrd.availableKernelModules =
+ [ "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" = {
+ device = "rpool/safe/root";
+ fsType = "zfs";
+ };
+
+ fileSystems."/nix" = {
+ device = "rpool/local/nix";
+ fsType = "zfs";
+ };
+
+ fileSystems."/home" = {
+ device = "rpool/safe/home";
+ fsType = "zfs";
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/nvme0n1p3";
+ fsType = "vfat";
+ };
+
+ swapDevices = [{ device = "/dev/nvme0n1p2"; }];
+
+ powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+ # high-resolution display
+ hardware.video.hidpi.enable = lib.mkDefault true;
+}
diff --git a/hardware/alrest/solanum.nix b/hardware/alrest/solanum.nix
new file mode 100644
index 0000000..bf5562d
--- /dev/null
+++ b/hardware/alrest/solanum.nix
@@ -0,0 +1,213 @@ +{config, pkgs, lib, ...}: + +let + metadata = pkgs.callPackage ../../../ops/metadata/peers.nix { }; + info = metadata.raw."${config.networking.hostName}".solanum; +in { + services.solanum = { + enable = true; + motd = '' + NmmN Nmmmd.:mm + NmmmN NmmydmmmmmN + Nm/:mN Nmms /mmmmm + Nmm:-dm NmmmmdsdmmmmN + mmmmmmmN NmmdhhddhhmNN Nmy:hmmmmmmmm + Nm++mmmmN mdyo/::.........-:/sdN Nmmms`smmmmmmmN + md.-dmmmm mhs/-....................-+dN Nmmmmmmmmmmmmmm + Nmmmmmmmmho:-...........................:sN NmmmmmmmmmmmmmmmN Nmdd + Nmd+ydhs/-.................................-sNmmmmmmmmmmmmmmmdhyssss + NNh+`........................................:dmmmmmmmmmmmmmmmyssssss + NNdhy+:-...........................................+dmmmmmmmmmmmmmmmdsssssss + N+-...............................................-smmmmmmmmmmmmmmmmmysyyhdmN + Nho:::-.--::-.......................----------..:hmmmmmmmmmmmmmmmmmmmN + NNNmmdo:......................--------------:ymmmmmmmmmmmmmmmmmmm + ds+........................-----------------+dmmmmmmmmmmmmmmmmm + h+........................--------------------:smmmmmmmmmmmmmmN + Ny/........................-------------::--------/hmmmmmmmmmmmN Nmd + d/........................--------------so----------odmmmmmmmm Nmdhhysss + m/........................--------------+mh-----------:ymmmmdhhyysssssssss + o.......................---------------:dmmo------------+dmdysssssssssssss + yhdmNh:......................---------------:dmmmm+------------:sssssssssssyhhdm + sssssy.......................--------------:hmmmmmmos++:---------/sssyyhdmN + ssssso......................--------------:hmmmNNN Ndddysso:------:yNN + ysssss.....................--------------/dmNyy/m d``d/------------sN + Nmdhy-...................--------------ommmh`o/N /. smh+-----------:yN + N+...................------------/hmmss: `-//-.smmmmd+----------:h + d:..................----------:smmmmhy+oosyysdmmy+:. 
`.--------/d + h-................---------:smmmmmmmmmmmmmmmh/` `/s:-------s + ms:...............-------/ymmmmmmmmmmmmmmmd/ :d Ny/-----+m + myss/..............------ommmmmmmmmmmmmmmmd. :y Ns:---+m + Ndssssso-............----..odmmmmmmmmmmmmmmh:.` .sN d/--s + mysssssssh/................` -odmmmmmmmmmh+. `om h/+m + Ndyssssssym Ny-.............. `/sssso+:. `+m dN + NhssssssshN No:............/.` `+d + ysssssssd m+-..........+ddy/.` -om + ssssssym h/.........-oN Nmy+--` `-+dN + ssssydN Ny:........-h Nmdm + sssym m+....-..:h + symN No.../-/d + dN h:.:hyN + ''; + config = '' + loadmodule "extensions/chm_adminonly"; + loadmodule "extensions/chm_nonotice"; + loadmodule "extensions/chm_operonly"; + loadmodule "extensions/chm_sslonly"; + #loadmodule "extensions/chm_operpeace"; + #loadmodule "extensions/createauthonly"; + loadmodule "extensions/extb_account"; + loadmodule "extensions/extb_canjoin"; + loadmodule "extensions/extb_channel"; + loadmodule "extensions/extb_combi"; + loadmodule "extensions/extb_extgecos"; + loadmodule "extensions/extb_hostmask"; + loadmodule "extensions/extb_oper"; + loadmodule "extensions/extb_realname"; + loadmodule "extensions/extb_server"; + loadmodule "extensions/extb_ssl"; + loadmodule "extensions/extb_usermode"; + #loadmodule "extensions/helpops"; + #loadmodule "extensions/hurt"; + loadmodule "extensions/ip_cloaking_4.0"; + #loadmodule "extensions/ip_cloaking"; + #loadmodule "extensions/m_extendchans"; + #loadmodule "extensions/m_findforwards"; + #loadmodule "extensions/m_identify"; + #loadmodule "extensions/m_locops"; + #loadmodule "extensions/no_oper_invis"; + loadmodule "extensions/sno_farconnect"; + loadmodule "extensions/sno_globalnickchange"; + loadmodule "extensions/sno_globaloper"; + #loadmodule "extensions/sno_whois"; + loadmodule "extensions/override"; + loadmodule "extensions/no_kill_services"; + + serverinfo { + name = "${config.networking.hostName}.alrest"; + sid = "${info.sid}"; + description = "${info.description}"; + 
network_name = "akua";
+ };
+
+ listen {
+ host = "0.0.0.0";
+ port = 6667;
+ };
+
+ class "users" {
+ ping_time = 2 minutes;
+ number_per_ident = 10;
+ number_per_ip = 10;
+ number_per_ip_global = 50;
+ cidr_ipv4_bitlen = 24;
+ cidr_ipv6_bitlen = 64;
+ number_per_cidr = 200;
+ max_number = 3000;
+ sendq = 400 kbytes;
+ };
+
+ class "opers" {
+ ping_time = 5 minutes;
+ number_per_ip = 10;
+ max_number = 1000;
+ sendq = 1 megabyte;
+ };
+
+ class "server" {
+ ping_time = 5 minutes;
+ connectfreq = 5 minutes;
+ max_number = 420;
+ sendq = 4 megabytes;
+ };
+
+ auth {
+ user = "*@*";
+ class = "users";
+ flags = exceed_limit;
+ };
+
+ channel {
+ default_split_user_count = 0;
+ };
+
+ privset "local_op" {
+ privs = oper:general, oper:privs, oper:testline, oper:kill, oper:operwall, oper:message,
+ usermode:servnotice, auspex:oper, auspex:hostname, auspex:umodes, auspex:cmodes;
+ };
+
+ privset "server_bot" {
+ /* extends: a privset to inherit in this privset */
+ extends = "local_op";
+ privs = oper:kline, oper:remoteban, snomask:nick_changes;
+ };
+
+ privset "global_op" {
+ extends = "local_op";
+ privs = oper:routing, oper:kline, oper:unkline, oper:xline,
+ oper:resv, oper:cmodes, oper:mass_notice, oper:wallops,
+ oper:remoteban;
+ };
+
+ privset "admin" {
+ extends = "global_op";
+ privs = oper:admin, oper:die, oper:rehash, oper:spy, oper:grant, oper:privs;
+ };
+
+ operator "Mara" {
+ user = "*@*";
+ password = "L/b5FCMZ1DUc2";
+ snomask = "+Zbfkrsuy";
+ flags = encrypted;
+ privset = "admin";
+ };
+
+ connect "kos-mos.alrest" {
+ host = "100.72.50.9";
+ send_password = "hunter2";
+ accept_password = "hunter2";
+ port = 6667;
+ class = "server";
+ flags = topicburst, autoconn;
+ };
+
+ connect "logos.alrest" {
+ host = "100.106.69.58";
+ send_password = "hunter2";
+ accept_password = "hunter2";
+ port = 6667;
+ class = "server";
+ flags = topicburst, autoconn;
+ };
+
+ connect "ontos.alrest" {
+ host = "100.66.226.109";
+ send_password = "hunter2";
+
accept_password = "hunter2";
+ port = 6667;
+ class = "server";
+ flags = topicburst, autoconn;
+ };
+
+ connect "pneuma.alrest" {
+ host = "100.120.235.118";
+ send_password = "hunter2";
+ accept_password = "hunter2";
+ port = 6667;
+ class = "server";
+ flags = topicburst, autoconn;
+ };
+
+ connect "services." {
+ host = "100.67.184.57";
+ send_password = "hunter2";
+ accept_password = "hunter2";
+ class = "server";
+ };
+
+ service {
+ name = "services.";
+ };
+ '';
+ openFilesLimit = 65536;
+ };
+}
diff --git a/hardware/alrest/zfs.nix b/hardware/alrest/zfs.nix
new file mode 100644
index 0000000..da4b35c
--- /dev/null
+++ b/hardware/alrest/zfs.nix
@@ -0,0 +1,26 @@
+{ config, ... }:
+
+{
+ boot = {
+ initrd = {
+ kernelModules = [ "r8169" ];
+ network = {
+ enable = true;
+ ssh = {
+ enable = true;
+ port = 2222;
+ authorizedKeys = config.users.users.cadey.openssh.authorizedKeys.keys;
+ hostKeys = [
+ "/etc/secrets/initrd/ssh_host_rsa_key"
+ "/etc/secrets/initrd/ssh_host_ed25519_key"
+ ];
+ };
+ postCommands = ''
+ echo "zfs load-key -a; killall zfs" >> /root/.profile
+ '';
+ };
+ };
+ };
+
+ services.nfs.server.enable = true;
+}
diff --git a/hosts/logos/default.nix b/hosts/logos/default.nix
new file mode 100755
index 0000000..4189605
--- /dev/null
+++ b/hosts/logos/default.nix
@@ -0,0 +1,8 @@
+{ config, pkgs, ... }:
+
+{
+ users.motd = builtins.readFile ./motd;
+
+ networking.hostName = "logos";
+ networking.hostId = "aeace675";
+}
diff --git a/hosts/logos/motd b/hosts/logos/motd
new file mode 100644
index 0000000..4366d95
--- /dev/null
+++ b/hosts/logos/motd
@@ -0,0 +1,9 @@
+ █████
+███████
+███████
+ █████
+ █████
+ █████
+ █████
+"What are we, in the end? This hunger I feel, this thirst... Is it my own?
+ Or is it someone else? Sometimes I can't tell."
diff --git a/users/default.nix b/users/default.nix
new file mode 100644
index 0000000..d7e90ad
--- /dev/null
+++ b/users/default.nix
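Review bot: The operator password hash `L/b5FCMZ1DUc2` and the link password `hunter2` repeated in every `connect` block are inlined into `services.solanum.config`, which NixOS renders to a file in /nix/store, so they are readable by every local user and by anyone with access to this repository; the hash is also 13 characters, which looks like traditional DES crypt (hedged), a scheme that truncates the password to 8 characters. Keep the secrets out of the store — e.g. a root-only file under /etc/secrets, the directory zfs.nix already uses for initrd host keys, managed with the `age` tooling common/default.nix installs — and treat the values in this commit as burned once they are rotated, since git history keeps them. The listener is `host = "0.0.0.0"; port = 6667;` with no TLS listener even though `chm_sslonly` and `extb_ssl` are loaded, so client logins and the `operator "Mara"` password cross the wire in clear from `user = "*@*"`; restrict the oper mask or add a TLS-only listener before this leaves the LAN. The `connect` list also includes `logos.alrest`, which is this host whenever hostName is logos; harmless, but a comment that the block is shared across all peers would explain it.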
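Review bot: `boot.initrd.network.ssh.hostKeys` names private keys under `/etc/secrets/initrd/`, and NixOS copies those into the initrd, which presumably sits on the vfat `/boot` partition (`/dev/nvme0n1p3` in hardware-configuration.nix) with no encryption; whoever can read that partition can impersonate the pre-boot SSH endpoint to the person unlocking the pool, so add a comment such as `# pre-boot host keys: distinct from the main sshd keys, live unencrypted in the initrd, treat as disposable` and pin their fingerprints in the client's known_hosts under a separate name for port 2222. `authorizedKeys` reuses every key from `users.users.cadey`, so all sixteen keys in users/default.nix — including `mara@blink` — can unlock the ZFS datasets; if that is wider than intended, pass an explicit subset here. `services.nfs.server.enable = true;` has nothing to do with ZFS and, with the firewall disabled in default.nix, is exported on every interface; move it next to the other services in default.nix so the exposure is reviewed in one place.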
@@ -0,0 +1,32 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let cfg = config.within.users.mkOthers "Make users other than cadey";
+
+in {
+ users.users.cadey = {
+ isNormalUser = true;
+ extraGroups =
+ [ "wheel" "docker" "audio" "plugdev" "libvirtd" "adbusers" "dialout" "within" ];
+ shell = pkgs.fish;
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDK1sv1j0XAuHkcUB78D1S0Gv1mvJDjpCcZSTSgR5j3vxFoONctnb1BtnV75zR5YRkAfDNs00qeL+nyWA1s2VR9onaYRTQYO5TRsJhOgSijthn8qT8uK1ws1tWWui/sPzxbLu34nW8IsoQm3iFLD9yQCR7GK9e4WOU5itqLNMyh5jS7LTRKCSC2mi9IvYyTfFMggtuF3u7yFTksR02FOoox2YPzB8bHM3xBqPK46Z+fq+/mWaulnoXWcC3SZgjwpRmcEOAmTEQuk67jlpeumGqRU3lO6UFY3FDvQ8W1VYv2O1ZwPmV87S1pIEulX3WG+r7lO73bPT420PdoQehS/pY7"
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDsviqiUuN6t4YM2H+ApQtGAFx6TWJbWCqDDhInIh3X40ZAxtTmryRwAXdtHJ+v6HuGFU5XH3chDX1WSRbwVIrlxkX1hJIEZO379YSIHkORSrAmxF/2lsrW2zSjufZ6IS9yI7nsxe2mJf3GEiFjoAh2iGrSKnOACK2Y+o/SiO0BtDkOUIabofuAxf/RNOpn/HSPh/MabOxYuNOMO2bl+quYN7C1idyvVcNp0llfrnGGTCk5g3rDpR+CDQ0P2Ebg1hf4j2i/6XJmHL52Zg4b8hkoS9BzRcb2vOjGYZVR4lOMqR9ZcNMUBwMboJeQtsAib9DYaGjhMWgMQ76brXwE65sX"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPrz5T/RdragJF6StZm92JZKPMJinYdw5fYnV4osiY8Q"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH6BhO4roUnnppgf4GPDonhu0DOaA60dZ+JaFBZUa+IW"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPg9gYKVglnO2HQodSJt4z4mNrUSUiyJQ7b+J798bwD9"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAv/8Iprp3f+THr9txqoWKTO5KxnYVpiKI7e4mdTO2+b"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBp8WiNUFK6mbehvO94LAzIA4enTuWxugABC79tiQSHT"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC1e4qhGYEUCNoCYHUqfvPSkBfVdlIjmwQI7q8eibeWw"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMOyr7PjUfbALe3+zgygnL0fQz4GhQ7qT9b0Lw+1Gzwk"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMQAQCZLLbbrMTsR1NYqFRftXM2Dm8V83uaOrAxIy7zZ"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL46usOZyZD+CYa5wNBSpPxNWwF3EMeeAytPq6iVPO2X"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN76Ol48QNvRjjjIaAa3WPqVWB/ryFMmOUJpszEz13TO"
+ "ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIPYr9hiLtDHgd6lZDgQMkJzvYeAXmePOrgFaWHAjJvNU"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICmEyBV301bq2VMa0cm4aE4peh57TcmNq4jHVN3Clufp cadey@la-tahorskami"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJHpoa7MSKy50Jv0cKjb1B/6jh/VtB71v8OGrt+lw3P cadey@genza"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK4mrGB2aTjHkp3r3Q7l8FHgtDPCCDqBUp9DykRWjcMA mara@blink"
+ ];
+ };
+}
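Review bot: `let cfg = config.within.users.mkOthers "Make users other than cadey";` is a dead binding that reads like a misplaced `mkEnableOption` — `cfg` is never used, so Nix's laziness hides whatever `config.within.users.mkOthers` actually evaluates to, and it only works at all if that option is declared somewhere outside this commit; delete the line (and `with lib;`, which nothing else here consumes) or turn it into a real option declaration with a `mkIf`-guarded body. The sixteen `openssh.authorizedKeys.keys`, including two RSA keys and `mara@blink`, are also what zfs.nix hands to the pre-boot unlock shell, and with `wheel` plus passwordless sudo each of them is a root credential; only three carry a device comment, so add one per key (`# <device> — <owner>`) so a lost device's key can be revoked without guessing. `extraGroups` grants `docker` and `libvirtd`, both effectively root, which is consistent with `wheel` but worth a one-line comment saying so.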