diff --git a/home/scripts/default.nix b/home/scripts/default.nix index 1cfb2e5..f86d9f9 100644 --- a/home/scripts/default.nix +++ b/home/scripts/default.nix @@ -60,7 +60,7 @@ in rpaste = pkgs.writers.writeBashBin "rpaste" '' export $(cat ${config.age.secrets.rustypaste.path} | xargs) - curl -F "file=@$1" -H "Authorization: $AUTH_TOKEN" http://rusty.ccnlc.eu/ + curl -F "file=@$1" -H "Authorization: $AUTH_TOKEN" https://rusty.ccnlc.eu/ ''; gentest = nixos-rebuild "gentest" "test"; diff --git a/hosts/brontes/home.nix b/hosts/brontes/home.nix index fb8bf08..da6edd1 100644 --- a/hosts/brontes/home.nix +++ b/hosts/brontes/home.nix @@ -74,6 +74,7 @@ scripts.nixedit scripts.set-background scripts.fishl + scripts.nrun scripts.rpaste scripts.genswitch scripts.gentest diff --git a/hosts/default.nix b/hosts/default.nix index ddd05ec..40e6ae8 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -7,11 +7,13 @@ in marr = lib.my.mkSystem { hostname = "marr"; system = "x86_64-linux"; + extraModules = [ inputs.agenix.nixosModules.default ]; }; brontes = lib.my.mkSystem { hostname = "brontes"; system = "x86_64-linux"; + extraModules = [ inputs.agenix.nixosModules.default ]; }; styrak = lib.my.mkSystem { diff --git a/hosts/marr/configuration.nix b/hosts/marr/configuration.nix index fe3719e..f717087 100644 --- a/hosts/marr/configuration.nix +++ b/hosts/marr/configuration.nix @@ -47,6 +47,8 @@ }; }; + age.identityPaths = [ "/home/nico/.ssh/id_ed25519" ]; + programs = { dconf.enable = true; steam.enable = true; diff --git a/hosts/marr/home.nix b/hosts/marr/home.nix index fd72134..d836b1c 100644 --- a/hosts/marr/home.nix +++ b/hosts/marr/home.nix @@ -75,6 +75,7 @@ scripts.nixedit scripts.set-background scripts.rpaste + scripts.nrun scripts.genswitch scripts.gentest ]; diff --git a/hosts/raptus/configuration.nix b/hosts/raptus/configuration.nix index 117d6c0..0c3bbde 100644 --- a/hosts/raptus/configuration.nix +++ b/hosts/raptus/configuration.nix 
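Review bot: The token still travels on curl's command line in `-H "Authorization: $AUTH_TOKEN"`, so while an upload runs it is readable by every local user through the process list (`/proc/<pid>/cmdline`); switching the scheme to https protects it on the wire but not on the host. curl can read the header from a file, so keep the value out of argv with `curl -F "file=@$1" -H @<(printf 'Authorization: %s\n' "$AUTH_TOKEN") https://rusty.ccnlc.eu/`. `export $(cat … | xargs)` also word-splits the secret file, so a token containing whitespace would be mangled silently; `set -a; . "${config.age.secrets.rustypaste.path}"; set +a` sources it without that surprise. Adding `--fail --silent --show-error` would make a rejected token visible to the caller instead of printing the server's HTML.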
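Review bot: `age.identityPaths = [ "/home/nico/.ssh/id_ed25519" ];` makes the system's secret decryption depend on a personal login key in a user's home directory, which root reads at activation; if that path is unavailable when the activation script runs (separate or encrypted home, fresh install before the user exists), every `age.secrets.*` on marr fails to decrypt. Presumably this is the same key that appears in raptus's `sshAccess`, so one file now both grants root on raptus and unlocks all of marr's secrets. Prefer agenix's default of the host keys under `/etc/ssh/` (and re-encrypt the `.age` files to that recipient), or at least document the dependency with `# decryption uses nico's personal key; the host has no dedicated identity yet`.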
@@ -4,15 +4,26 @@ pkgs, ... }: +let + sshAccess = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMvPqWPXEUOSMGMIRmirQfbrzq//NkPlEI2TmFpIkSfw" # brontes + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGwlScEmVbdc0EH93XLX+K8yP5FKUKzMf/bWTSO+rMiO" # marr + ]; +in { imports = [ (modulesPath + "/profiles/qemu-guest.nix") ./disk-config.nix - ./docker-compose.nix + ./container-root.nix + ./rustypaste + ./obsidian-livesync ../../modules/nix ]; - age.secrets.couchdb.file = ../../secrets/couchdb.age; + age.secrets = { + couchdb.file = ../../secrets/couchdb.age; + rustypaste.file = ../../secrets/rustypaste.age; + }; device.type = { vm.enable = true; @@ -27,18 +38,40 @@ networking.firewall = lib.mkForce { enable = true; allowedTCPPorts = [ - 80 22 + 443 5984 # couchdb ]; }; + # User account to run remote builds + users.users.remote-build = { + isSystemUser = true; + hashedPassword = ""; # Only allow login via ssh + openssh.authorizedKeys.keys = sshAccess; + shell = pkgs.bash; + group = "remote-build"; + extraGroups = [ "wheel" ]; + }; + + security.sudo.wheelNeedsPassword = false; + + users.groups.remote-build = { }; + + # Ensure the user can build derivations + nix.settings.trusted-users = [ "remote-build" ]; + + security.acme.defaults.email = "admin@ccnlc.eu"; + security.acme.acceptTerms = true; + services.nginx = { enable = true; recommendedProxySettings = true; recommendedTlsSettings = true; + clientMaxBodySize = "50M"; virtualHosts."rusty.ccnlc.eu" = { - # TODO: Enable https + enableACME = true; + forceSSL = true; locations."/" = { proxyPass = "http://127.0.0.1:8000"; @@ -56,10 +89,7 @@ pkgs.gitMinimal ]; - users.users.root.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMvPqWPXEUOSMGMIRmirQfbrzq//NkPlEI2TmFpIkSfw" # brontes - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGwlScEmVbdc0EH93XLX+K8yP5FKUKzMf/bWTSO+rMiO" # marr - ]; + users.users.root.openssh.authorizedKeys.keys = sshAccess; system.stateVersion = "24.11"; } 
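Review bot: `extraGroups = [ "wheel" ]` together with `security.sudo.wheelNeedsPassword = false` gives the remote-build account passwordless root for every key in `sshAccess`, and the sudo setting is host-wide, so it also removes the password prompt for any other wheel member added later. Remote builds need only `nix.settings.trusted-users` (which Nix's own manual already treats as root-equivalent), so the `wheel` entry and the `wheelNeedsPassword` line add a second root path for no functional gain and should be dropped, or scoped to the exact commands via `security.sudo.extraRules`. `hashedPassword = ""` writes an empty rather than a locked password field, and whether that permits a passwordless login is decided per PAM service (I believe NixOS's console `login` allows null passwords by default); the intent in the comment is met unambiguously by `hashedPassword = "!";` or by simply omitting the option. Also, dropping `80` from `allowedTCPPorts` while adding `enableACME = true; forceSSL = true;` likely breaks the http-01 challenge nginx serves on port 80 and the http-to-https redirect, unless a DNS challenge is configured outside this file.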
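Review bot: `users.users.root.openssh.authorizedKeys.keys = sshAccess;` keeps direct root SSH for the same two keys that now also log in as `remote-build` with passwordless sudo, so the host has two equivalent root entry points and the new account removes nothing from the attack surface. If the account exists to replace root access for builds, retire the root entry and pin the daemon's policy explicitly with `services.openssh.settings.PermitRootLogin = "no";` (or `"prohibit-password"` if root login via key must remain); if root access is still wanted, say so in a comment next to `sshAccess` so the duplication is visibly deliberate.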
diff --git a/hosts/raptus/container-root.nix b/hosts/raptus/container-root.nix
new file mode 100644
index 0000000..e3c6a85
--- /dev/null
+++ b/hosts/raptus/container-root.nix
@@ -0,0 +1,40 @@
+{ pkgs, ... }:
+
+{
+ # Runtime
+ virtualisation.podman = {
+ enable = true;
+ autoPrune.enable = true;
+ dockerCompat = true;
+ defaultNetwork.settings = {
+ # Required for container networking to be able to use names.
+ dns_enabled = true;
+ };
+ };
+ virtualisation.oci-containers.backend = "podman";
+
+ # Networks
+ systemd.services."podman-network-test_default" = {
+ path = [ pkgs.podman ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ ExecStop = "podman network rm -f test_default";
+ };
+ script = ''
+ podman network inspect test_default || podman network create test_default
+ '';
+ partOf = [ "podman-compose-test-root.target" ];
+ wantedBy = [ "podman-compose-test-root.target" ];
+ };
+
+ # Root service
+ # When started, this will automatically create all resources and start
+ # the containers. When stopped, this will teardown all resources.
+ systemd.targets."podman-compose-test-root" = {
+ unitConfig = {
+ Description = "Root target generated by compose2nix.";
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+}
diff --git a/hosts/raptus/docker-compose.nix b/hosts/raptus/docker-compose.nix
deleted file mode 100644
index a563c13..0000000
--- a/hosts/raptus/docker-compose.nix
+++ /dev/null
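Review bot: The file keeps the compose2nix-generated unit names `podman-network-test_default` and `podman-compose-test-root.target` but drops the generator header, and nothing states that hosts/raptus/rustypaste/default.nix and hosts/raptus/obsidian-livesync/default.nix hard-code those names in their `after`/`requires`/`partOf` lists. A one-line header makes the coupling visible before someone renames the network: `# Shared podman runtime, network and root target; hosts/raptus/rustypaste and hosts/raptus/obsidian-livesync attach to test_default and hook into podman-compose-test-root.target.` Renaming `test_default`/`test-root` to something host-specific would be a reasonable follow-up, done in all three files at once.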
@@ -1,136 +0,0 @@ -# Auto-generated using compose2nix v0.2.2-pre. -{ - pkgs, - lib, - config, - ... -}: - -{ - # Runtime - virtualisation.podman = { - enable = true; - autoPrune.enable = true; - dockerCompat = true; - defaultNetwork.settings = { - # Required for container networking to be able to use names. - dns_enabled = true; - }; - }; - virtualisation.oci-containers.backend = "podman"; - - # Containers - virtualisation.oci-containers.containers."obsidian-livesync" = { - image = "couchdb"; - environmentFiles = [ config.age.secrets.couchdb.path ]; - volumes = [ - "${./local.ini}:/opt/couchdb/etc/local.ini:rw" - "test_dbdata:/opt/couchdb/data:rw" - ]; - ports = [ "5984:5984/tcp" ]; - log-driver = "journald"; - extraOptions = [ - "--network-alias=couchserver" - "--network=test_default" - ]; - }; - systemd.services."podman-obsidian-livesync" = { - serviceConfig = { - Restart = lib.mkOverride 500 "always"; - }; - after = [ - "podman-network-test_default.service" - "podman-volume-test_dbdata.service" - ]; - requires = [ - "podman-network-test_default.service" - "podman-volume-test_dbdata.service" - ]; - partOf = [ "podman-compose-test-root.target" ]; - wantedBy = [ "podman-compose-test-root.target" ]; - }; - virtualisation.oci-containers.containers."rustypaste" = { - image = "orhunp/rustypaste:latest"; - environment = { - "RUST_LOG" = "debug"; - }; - volumes = [ - "${ - (pkgs.formats.toml { }).generate "conf" (import ./rustypaste.nix { inherit config; }) - }:/app/config.toml:ro" - "test_rustypaste-data:/app/upload:rw" - ]; - ports = [ "8000:8000/tcp" ]; - log-driver = "journald"; - extraOptions = [ - "--network-alias=rustypaste" - "--network=test_default" - ]; - }; - systemd.services."podman-rustypaste" = { - serviceConfig = { - Restart = lib.mkOverride 500 "always"; - }; - after = [ - "podman-network-test_default.service" - "podman-volume-test_rustypaste-data.service" - ]; - requires = [ - "podman-network-test_default.service" - 
"podman-volume-test_rustypaste-data.service" - ]; - partOf = [ "podman-compose-test-root.target" ]; - wantedBy = [ "podman-compose-test-root.target" ]; - }; - - # Networks - systemd.services."podman-network-test_default" = { - path = [ pkgs.podman ]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - ExecStop = "podman network rm -f test_default"; - }; - script = '' - podman network inspect test_default || podman network create test_default - ''; - partOf = [ "podman-compose-test-root.target" ]; - wantedBy = [ "podman-compose-test-root.target" ]; - }; - - # Volumes - systemd.services."podman-volume-test_dbdata" = { - path = [ pkgs.podman ]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; - script = '' - podman volume inspect test_dbdata || podman volume create test_dbdata - ''; - partOf = [ "podman-compose-test-root.target" ]; - wantedBy = [ "podman-compose-test-root.target" ]; - }; - systemd.services."podman-volume-test_rustypaste-data" = { - path = [ pkgs.podman ]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; - script = '' - podman volume inspect test_rustypaste-data || podman volume create test_rustypaste-data - ''; - partOf = [ "podman-compose-test-root.target" ]; - wantedBy = [ "podman-compose-test-root.target" ]; - }; - - # Root service - # When started, this will automatically create all resources and start - # the containers. When stopped, this will teardown all resources. - systemd.targets."podman-compose-test-root" = { - unitConfig = { - Description = "Root target generated by compose2nix."; - }; - wantedBy = [ "multi-user.target" ]; - }; -} diff --git a/hosts/raptus/docker-compose.yml b/hosts/raptus/docker-compose.yml deleted file mode 100644 index 8d2bb07..0000000 --- a/hosts/raptus/docker-compose.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -services: - couchserver: - image: couchdb - container_name: obsidian-livesync - restart: always - ports: - - 5984:5984 - environment: - - COUCHDB_USER=USERNAME - - COUCHDB_PASSWORD=PASSWORD - volumes: - - dbdata:/opt/couchdb/data - - ./local.ini:/opt/couchdb/etc/local.ini - rustypaste: - image: orhunp/rustypaste:${IMAGE_TAG:-latest} - build: . - container_name: rustypaste - restart: always - environment: - - RUST_LOG=debug - ports: - - "8000:8000" - volumes: - - rustypaste-data:/app/upload - - ./rusty.toml:/app/config.toml -volumes: - dbdata: - rustypaste-data: diff --git a/hosts/raptus/obsidian-livesync/default.nix b/hosts/raptus/obsidian-livesync/default.nix new file mode 100644 index 0000000..ce67d4d --- /dev/null +++ b/hosts/raptus/obsidian-livesync/default.nix 
@@ -0,0 +1,52 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+{
+ virtualisation.oci-containers.containers."obsidian-livesync" = {
+ image = "couchdb";
+ environmentFiles = [ config.age.secrets.couchdb.path ];
+ volumes = [
+ "${./local.ini}:/opt/couchdb/etc/local.ini:rw"
+ "test_dbdata:/opt/couchdb/data:rw"
+ ];
+ ports = [ "5984:5984/tcp" ];
+ log-driver = "journald";
+ extraOptions = [
+ "--network-alias=couchserver"
+ "--network=test_default"
+ ];
+ };
+ systemd.services."podman-obsidian-livesync" = {
+ serviceConfig = {
+ Restart = lib.mkOverride 500 "always";
+ };
+ after = [
+ "podman-network-test_default.service"
+ "podman-volume-test_dbdata.service"
+ ];
+ requires = [
+ "podman-network-test_default.service"
+ "podman-volume-test_dbdata.service"
+ ];
+ partOf = [ "podman-compose-test-root.target" ];
+ wantedBy = [ "podman-compose-test-root.target" ];
+ };
+
+ # Volumes
+ systemd.services."podman-volume-test_dbdata" = {
+ path = [ pkgs.podman ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+ script = ''
+ podman volume inspect test_dbdata || podman volume create test_dbdata
+ '';
+ partOf = [ "podman-compose-test-root.target" ];
+ wantedBy = [ "podman-compose-test-root.target" ];
+ };
+
+}
diff --git a/hosts/raptus/local.ini b/hosts/raptus/obsidian-livesync/local.ini
similarity index 100%
rename from hosts/raptus/local.ini
rename to hosts/raptus/obsidian-livesync/local.ini
diff --git a/hosts/raptus/rusty.toml b/hosts/raptus/rusty.toml
deleted file mode 100644
index 694d483..0000000
--- a/hosts/raptus/rusty.toml
+++ /dev/null
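Review bot: `ports = [ "5984:5984/tcp" ];` publishes CouchDB on every interface and hosts/raptus/configuration.nix keeps 5984 open in the firewall, so the database API (basic-auth credentials, replication payloads) is reachable from the internet over cleartext HTTP on the same host that now terminates TLS for rustypaste. Bind the publish to loopback, `ports = [ "127.0.0.1:5984:5984/tcp" ];`, add a second nginx `virtualHosts` entry with `enableACME`/`forceSSL` proxying to it, and remove 5984 from `allowedTCPPorts`. `image = "couchdb"` is also an unpinned floating tag; a version tag or `@sha256:` digest keeps a deployment reproducible and stops an upstream push from changing what runs on the next restart.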
@@ -1,67 +0,0 @@ -[config] -refresh_rate = "1s" - -[server] -address = "127.0.0.1:8000" -url = "http://rusty.ccnlc.eu" -workers = 4 -max_content_length = "50MB" -upload_path = "./upload" -timeout = "30s" -expose_version = false -expose_list = false -auth_tokens = ["super_secret_token1", "super_secret_token2"] -#delete_tokens = [ -# "super_secret_token1", -# "super_secret_token3", -#] -handle_spaces = "replace" # or "encode" - -[landing_page] -text = """ -┬─┐┬ ┬┌─┐┌┬┐┬ ┬┌─┐┌─┐┌─┐┌┬┐┌─┐ -├┬┘│ │└─┐ │ └┬┘├─┘├─┤└─┐ │ ├┤ -┴└─└─┘└─┘ ┴ ┴ ┴ ┴ ┴└─┘ ┴ └─┘ - -Submit files via HTTP POST here: - curl -F 'file=@example.txt' -This will return the URL of the uploaded file. - -The server administrator might remove any pastes that they do not personally -want to host. - -If you are the server administrator and want to change this page, just go -into your config file and change it! If you change the expiry time, it is -recommended that you do. - -By default, pastes expire every hour. The server admin may or may not have -changed this. 
- -Check out the GitHub repository at https://github.com/orhun/rustypaste -Command line tool is available at https://github.com/orhun/rustypaste-cli -""" -#file = "index.txt" -content_type = "text/plain; charset=utf-8" - -[paste] -random_url = { type = "petname", words = 2, separator = "-" } -#random_url = { type = "alphanumeric", length = 8 } -#random_url = { type = "alphanumeric", length = 6, suffix_mode = true } -default_extension = "txt" -mime_override = [ - { mime = "image/jpeg", regex = "^.*\\.jpg$" }, - { mime = "image/png", regex = "^.*\\.png$" }, - { mime = "image/svg+xml", regex = "^.*\\.svg$" }, - { mime = "video/webm", regex = "^.*\\.webm$" }, - { mime = "video/x-matroska", regex = "^.*\\.mkv$" }, - { mime = "application/octet-stream", regex = "^.*\\.bin$" }, - { mime = "text/plain", regex = "^.*\\.(log|txt|diff|sh|rs|toml)$" }, -] -mime_blacklist = [ - "application/x-dosexec", - "application/java-archive", - "application/java-vm", -] -duplicate_files = false -default_expiry = "1h" -delete_expired_files = { enabled = true, interval = "1h" } diff --git a/hosts/raptus/rustypaste.nix b/hosts/raptus/rustypaste/conf.nix similarity index 97% rename from hosts/raptus/rustypaste.nix rename to hosts/raptus/rustypaste/conf.nix index ad765a6..942e944 100644 --- a/hosts/raptus/rustypaste.nix +++ b/hosts/raptus/rustypaste/conf.nix @@ -1,11 +1,10 @@ -{ config, ... }: { config = { refresh_rate = "1s"; }; server = { address = "127.0.0.1:8000"; - url = "http://rusty.ccnlc.eu"; + url = "https://rusty.ccnlc.eu"; workers = 4; max_content_length = "50MB"; upload_path = "./upload"; diff --git a/hosts/raptus/rustypaste/default.nix b/hosts/raptus/rustypaste/default.nix new file mode 100644 index 0000000..054d156 --- /dev/null +++ b/hosts/raptus/rustypaste/default.nix 
@@ -0,0 +1,53 @@
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}:
+{
+ virtualisation.oci-containers.containers."rustypaste" = {
+ image = "orhunp/rustypaste:latest";
+ environment = {
+ "RUST_LOG" = "debug";
+ };
+ environmentFiles = [ config.age.secrets.rustypaste.path ];
+ volumes = [
+ "${(pkgs.formats.toml { }).generate "conf" (import ./conf.nix)}:/app/config.toml:ro"
+ "test_rustypaste-data:/app/upload:rw"
+ ];
+ ports = [ "8000:8000/tcp" ];
+ log-driver = "journald";
+ extraOptions = [
+ "--network-alias=rustypaste"
+ "--network=test_default"
+ ];
+ };
+ systemd.services."podman-rustypaste" = {
+ serviceConfig = {
+ Restart = lib.mkOverride 500 "always";
+ };
+ after = [
+ "podman-network-test_default.service"
+ "podman-volume-test_rustypaste-data.service"
+ ];
+ requires = [
+ "podman-network-test_default.service"
+ "podman-volume-test_rustypaste-data.service"
+ ];
+ partOf = [ "podman-compose-test-root.target" ];
+ wantedBy = [ "podman-compose-test-root.target" ];
+ };
+
+ systemd.services."podman-volume-test_rustypaste-data" = {
+ path = [ pkgs.podman ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+ script = ''
+ podman volume inspect test_rustypaste-data || podman volume create test_rustypaste-data
+ '';
+ partOf = [ "podman-compose-test-root.target" ];
+ wantedBy = [ "podman-compose-test-root.target" ];
+ };
+}
diff --git a/modules/default.nix b/modules/default.nix
index f5a7f6b..6bf43b8 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -18,5 +18,6 @@
 ./env.nix
 ./system/printing.nix
 ./system/audio.nix
+ ./secrets.nix
 ];
 }
diff --git a/modules/secrets.nix b/modules/secrets.nix
new file mode 100644
index 0000000..d349f96
--- /dev/null
+++ b/modules/secrets.nix
@@ -0,0 +1,6 @@
+{
+ age.secrets.rustypaste = {
+ file = ../secrets/rustypaste.age;
+ owner = "nico";
+ };
+}
diff --git a/options/default.nix b/options/default.nix
index 1d4b57f..ac736a6 100644
--- a/options/default.nix
+++ b/options/default.nix
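Review bot: `ports = [ "8000:8000/tcp" ];` publishes rustypaste on all interfaces even though nginx proxies to `http://127.0.0.1:8000` and is the only intended entry point; published container ports are DNAT'd by podman's own netfilter rules and so are not necessarily filtered by `networking.firewall.allowedTCPPorts` (worth verifying on the host), which would expose the plaintext, pre-TLS upload endpoint directly. Bind it to loopback: `ports = [ "127.0.0.1:8000:8000/tcp" ];`. `image = "orhunp/rustypaste:latest"` is a mutable tag, so what runs is decided by upstream at pull time rather than by this repository; pin a release tag or an `@sha256:` digest. `"RUST_LOG" = "debug"` on a public service is also worth a second look, since debug-level request logging may land token-bearing headers in the journal.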
@@ -1,15 +1,25 @@ { lib, ... }: +let + inherit (lib.types) bool array string; + +in + { options = { device = { + pubKeys = lib.mkOption { + type = array string; + default = [ ]; + }; + type = { gaming.enable = lib.mkEnableOption { - type = lib.types.bool; + type = bool; default = false; }; graphical.enable = lib.mkEnableOption { - type = lib.types.bool; + type = bool; default = false; };