62 files changed, 1077 insertions, 373 deletions
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index d63277132..b0bd83248 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -129,6 +129,7 @@ in {
 aliases = [
 "omo.r"
 "dcpp.omo.r"
+ "backup.makefu.r"
 "torrent.omo.r"
 ];
 };
@@ -153,9 +154,6 @@ in {
 extraZones = {
 "krebsco.de" = ''
 latte.euer IN A ${nets.internet.ip4.addr}
- rss.euer IN A ${nets.internet.ip4.addr}
- o.euer IN A ${nets.internet.ip4.addr}
- bw.euer IN A ${nets.internet.ip4.addr}
 '';
 };
 cores = 4;
@@ -194,6 +192,9 @@ in {
 ci = true;
 extraZones = {
 "krebsco.de" = ''
+ rss.euer IN A ${nets.internet.ip4.addr}
+ o.euer IN A ${nets.internet.ip4.addr}
+ bw.euer IN A ${nets.internet.ip4.addr}
 bookmark.euer IN A ${nets.internet.ip4.addr}
 boot IN A ${nets.internet.ip4.addr}
 boot.euer IN A ${nets.internet.ip4.addr}
@@ -263,7 +264,6 @@ in { aliases = [ "gum.r" - "backup.makefu.r" "blog.gum.r" "blog.makefu.r" "cache.gum.r"
diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix
index 540106004..ff0c18795 100644
--- a/makefu/1systems/gum/config.nix
+++ b/makefu/1systems/gum/config.nix
@@ -32,8 +32,6 @@ in { # <stockholm/makefu/2configs/stats/netdata-server.nix> <stockholm/makefu/2configs/headless.nix> - <stockholm/makefu/2configs/smart-monitor.nix> - { services.smartd.devices = builtins.map (x: { device = x; }) allDisks; } # Security <stockholm/makefu/2configs/sshd-totp.nix> 
@@ -135,6 +133,27 @@ in { # <stockholm/makefu/2configs/urlwatch> # Removed until move: avoid letsencrypt ban ### Web + + <stockholm/makefu/2configs/bitwarden.nix> # postgres backend + <stockholm/makefu/2configs/deployment/rss/rss.euer.krebsco.de.nix> # postgres backend + <stockholm/makefu/2configs/deployment/rss/ratt.nix> + + <stockholm/makefu/2configs/deployment/owncloud.nix> #postgres backend + ### Moving owncloud data dir to /media/cloud/nextcloud-data + { + users.users.nextcloud.extraGroups = [ "download" ]; + # nextcloud-setup fails as it cannot set permissions for nextcloud + systemd.services.nextcloud-setup.serviceConfig.SuccessExitStatus = "0 1"; + fileSystems."/var/lib/nextcloud/data" = { + device = "/media/cloud/nextcloud-data"; + options = [ "bind" ]; + }; + fileSystems."/var/backup" = { + device = "/media/cloud/gum-backup"; + options = [ "bind" ]; + }; + } + <stockholm/makefu/2configs/nginx/dl.euer.krebsco.de.nix> #<stockholm/makefu/2configs/nginx/euer.test.nix> <stockholm/makefu/2configs/nginx/euer.mon.nix>
@@ -150,7 +169,7 @@ in {
 # <stockholm/makefu/2configs/deployment/photostore.krebsco.de.nix>
 <stockholm/makefu/2configs/deployment/graphs.nix>
 #<stockholm/makefu/2configs/deployment/owncloud.nix>
- <stockholm/makefu/2configs/deployment/board.euer.krebsco.de.nix>
+ # <stockholm/makefu/2configs/deployment/board.euer.krebsco.de.nix>
 #<stockholm/makefu/2configs/deployment/feed.euer.krebsco.de>
 <stockholm/makefu/2configs/deployment/boot-euer.nix>
 <stockholm/makefu/2configs/deployment/gecloudpad>
diff --git a/makefu/1systems/gum/hardware-config.nix b/makefu/1systems/gum/hetzner/default.nix
index 1881329ce..7d445879a 100644
--- a/makefu/1systems/gum/hardware-config.nix
+++ b/makefu/1systems/gum/hetzner/default.nix
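Review bot: `systemd.services.nextcloud-setup.serviceConfig.SuccessExitStatus = "0 1"` in the added owncloud block makes every exit-1 failure of nextcloud-setup look successful, not just the permission error the comment describes, so a failed install or upgrade step on the new host would go unnoticed; the block is carried over verbatim from latte/config.nix (removed later in this diff), but on gum it now sits next to a freshly bind-mounted `/var/lib/nextcloud/data`. Fixing ownership of the bind target instead, e.g. `systemd.tmpfiles.rules = [ "d /media/cloud/nextcloud-data 0750 nextcloud nextcloud -" ];`, would let the unit report real failures again; if the workaround must stay, the comment should name the exact error being masked and the version it was seen with. `users.users.nextcloud.extraGroups = [ "download" ]` also gives the web application read access to everything the `download` group owns, which on this host presumably now includes the torrent data the commit moves here (`# torrent is managed by gum`), so a comment on why that is intended would help the next reader. The `imports` list this hunk edits starts and ends outside the hunk.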
@@ -18,6 +18,9 @@ let
 ext-if = "et0"; # gets renamed on the fly
 in {
 imports = [
+ <stockholm/makefu/2configs/smart-monitor.nix>
+ { services.smartd.devices = builtins.map (x: { device = x; }) allDisks; }
+
 ];
 makefu.server.primary-itf = ext-if;
 services.udev.extraRules = ''
diff --git a/makefu/1systems/iso/config.nix b/makefu/1systems/iso/config.nix
index 6c4f62310..207121236 100644
--- a/makefu/1systems/iso/config.nix
+++ b/makefu/1systems/iso/config.nix
@@ -9,17 +9,22 @@ with import <stockholm/lib>;
 # <stockholm/makefu/2configs/tools/core.nix>
 ./justdoit.nix
 {
+ environment.systemPackages = [ (pkgs.writeScriptBin "network-setup" ''
+ #!/bin/sh
+ ip addr add 178.254.30.202/255.255.252.0 dev ens3
+ ip route add default via 178.254.28.1
+ echo nameserver 1.1.1.1 > /etc/resolv.conf
+ '')];
 kexec.justdoit = {
- # bootSize = 512;
- rootDevice = "/dev/sdb";
- swapSize = 1024;
+ bootSize = 512;
+ rootDevice = "/dev/vda";
 bootType = "vfat";
- luksEncrypt = true;
- uefi = true;
+ luksEncrypt = false;
+ uefi = false;
 };
 }
 ];
- boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
+ # boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
 # TODO: NIX_PATH and nix.nixPath are being set by default.nix right now
 # cd ~/stockholm ; nix-build -A config.system.build.isoImage -I nixos-config=makefu/1systems/iso/config.nix -I secrets=/home/makefu/secrets/iso /var/src/nixpkgs/nixos
 #krebs.build.host = { cores = 0; };
@@ -33,7 +38,6 @@ with import <stockholm/lib>;
 EDITOR=vim
 '';
 # iso-specific
- boot.kernelParams = [ "copytoram" ];
 services.openssh = {
 enable = true;
 hostKeys = [
diff --git a/makefu/1systems/iso/justdoit.nix b/makefu/1systems/iso/justdoit.nix
index 7947953f9..0ce90494b 100644
--- a/makefu/1systems/iso/justdoit.nix
+++ b/makefu/1systems/iso/justdoit.nix
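Review bot: `luksEncrypt = false` in the iso/config.nix hunk turns off root-disk encryption for every install made from this ISO, and nothing in the hunk says this is meant only for the VM whose address is hard-coded in `network-setup` a few lines above. If the target cannot unlock LUKS unattended, record that next to the setting, `luksEncrypt = false; # headless VM target, no remote initrd unlock`, so the option is not silently left off when the ISO is reused on hardware. The `network-setup` script also pins one deployment's public address, gateway and interface name and overwrites `/etc/resolv.conf`, which makes the installer specific to a single host; since the same script is added verbatim to target-config.nix in this diff, one shared definition would keep the two from drifting. The `imports` list edited here starts before the hunk.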
@@ -67,29 +67,22 @@ in {
 unit: sectors
 ${lib.optionalString (cfg.bootType != "zfs") "1 : size=${toString (2048 * cfg.bootSize)}, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4"}
 ${lib.optionalString (! cfg.uefi) "4 : size=4096, type=21686148-6449-6E6F-744E-656564454649"}
- 2 : size=${toString (2048 * cfg.swapSize)}, type=0657FD6D-A4AB-43C4-84E5-0933C84B4F4F
- 3 : type=0FC63DAF-8483-4772-8E79-3D69D8477DE4
+ 2 : type=0FC63DAF-8483-4772-8E79-3D69D8477DE4
 EOF
 ${if cfg.luksEncrypt then ''
 cryptsetup luksFormat ${cfg.rootDevice}${x}2
- cryptsetup open --type luks ${cfg.rootDevice}${x}2 swap
- cryptsetup luksFormat ${cfg.rootDevice}${x}3
- cryptsetup open --type luks ${cfg.rootDevice}${x}3 root
+ cryptsetup open --type luks ${cfg.rootDevice}${x}2 root
 export ROOT_DEVICE=/dev/mapper/root
- export SWAP_DEVICE=/dev/mapper/swap
 '' else ''
- export ROOT_DEVICE=${cfg.rootDevice}${x}3
- export SWAP_DEVICE=${cfg.rootDevice}${x}2
+ export ROOT_DEVICE=${cfg.rootDevice}${x}2
 ''}
 ${lib.optionalString (cfg.bootType != "zfs") "export NIXOS_BOOT=${cfg.rootDevice}${x}1"}
 mkdir -p /mnt
 ${mkBootTable.${cfg.bootType}}
- mkswap $SWAP_DEVICE -L NIXOS_SWAP
 zpool create -o ashift=12 -o altroot=/mnt ${cfg.poolName} $ROOT_DEVICE
 zfs create -o mountpoint=legacy ${cfg.poolName}/root
 zfs create -o mountpoint=legacy ${cfg.poolName}/home
 zfs create -o mountpoint=legacy ${cfg.poolName}/nix
- swapon $SWAP_DEVICE
 mount -t zfs ${cfg.poolName}/root /mnt/
 mkdir /mnt/{home,nix,boot}
 mount -t zfs ${cfg.poolName}/home /mnt/home/
@@ -111,8 +104,7 @@ in {
 networking.hostId = "$hostId"; # required for zfs use
 ${lib.optionalString cfg.luksEncrypt ''
 boot.initrd.luks.devices = [
- { name = "swap"; device = "${cfg.rootDevice}${x}2"; preLVM = true; }
- { name = "root"; device = "${cfg.rootDevice}${x}3"; preLVM = true; }
+ { name = "root"; device = "${cfg.rootDevice}${x}2"; preLVM = true; }
 ];
 ''}
 }
@@ -120,9 +112,9 @@ in {
 nixos-install
 umount /mnt/home /mnt/nix ${lib.optionalString (cfg.bootType != "zfs") "/mnt/boot"} /mnt
 zpool export ${cfg.poolName}
- swapoff $SWAP_DEVICE
 '';
 environment.systemPackages = [ config.system.build.justdoit ];
 boot.supportedFilesystems = [ "zfs" ];
+ users.users.root.openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl3RTOHd5DLiVeUbUr/GSiKoRWknXQnbkIf+uNiFO+XxiqZVojPlumQUVhasY8UzDzj9tSDruUKXpjut50FhIO5UFAgsBeMJyoZbgY/+R+QKU00Q19+IiUtxeFol/9dCO+F4o937MC0OpAC10LbOXN/9SYIXueYk3pJxIycXwUqhYmyEqtDdVh9Rx32LBVqlBoXRHpNGPLiswV2qNe0b5p919IGcslzf1XoUzfE3a3yjk/XbWh/59xnl4V7Oe7+iQheFxOT6rFA30WYwEygs5As//ZYtxvnn0gA02gOnXJsNjOW9irlxOUeP7IOU6Ye3WRKFRR0+7PS+w8IJLag2xb" ];
 };
 }
diff --git a/makefu/1systems/iso/target-config.nix b/makefu/1systems/iso/target-config.nix
index 6915e4137..59d2960bc 100644
--- a/makefu/1systems/iso/target-config.nix
+++ b/makefu/1systems/iso/target-config.nix
@@ -1,12 +1,12 @@ -{ lib, ... }: +{ pkgs, lib, ... }: { imports = [ ./hardware-configuration.nix ./generated.nix ]; boot.loader.grub.enable = true; boot.loader.grub.version = 2; boot.zfs.devNodes = "/dev"; # fixes some virtualmachine issues - boot.zfs.forceImportRoot = false; - boot.zfs.forceImportAll = false; + #boot.zfs.forceImportRoot = false; + #boot.zfs.forceImportAll = false; boot.kernelParams = [ "boot.shell_on_fail" "panic=30" "boot.panic_on_fail" # reboot the machine upon fatal boot issues
@@ -18,8 +18,15 @@ SystemMaxUse=1G RuntimeMaxUse=128M ''; + environment.systemPackages = [ (pkgs.writeScriptBin "network-setup" '' + #!/bin/sh + ip addr add 178.254.30.202/255.255.252.0 dev ens3 + ip route add default via 178.254.28.1 + echo nameserver 1.1.1.1 > /etc/resolv.conf + '')]; # minimal + boot.supportedFilesystems = [ "zfs" ]; programs.command-not-found.enable = false; time.timeZone = "Europe/Berlin"; programs.ssh.startAgent = false; 
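Review bot: The `users.users.root.openssh.authorizedKeys.keys` line added at the end of justdoit.nix inlines a full RSA public key literal that grants root over SSH on every image built from this module, while the rest of this diff references what is presumably the same identity through `config.krebs.users.makefu.pubkey` (see download.binaergewitter.de.nix). A second copy of the key means a rotation has to find and update it here too, and a stale copy keeps working until someone notices. If the krebs user options are in scope for the ISO, `users.users.root.openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ];` removes the duplicate; if they are not, a comment such as `# makefu's key, inlined because krebs.users is not available in the iso` should say whose key this is and why it is pasted. The installer's PermitRootLogin setting is not visible in this hunk, so confirm it stays key-only.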
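Review bot: The `network-setup` script added to target-config.nix is a byte-for-byte copy of the one added to iso/config.nix in this diff, hard-coding the host's public address, gateway and interface name and replacing `/etc/resolv.conf` with a single unauthenticated upstream resolver. Two copies of a deployment-specific address will drift; one shared module imported by both the ISO and the installed target, or values derived from the host's `nets.internet` definition in krebs/3modules (which already carries these addresses), would give a single source of truth. On the installed system it is also unclear why a manual script is preferred over `networking.interfaces.ens3.ipv4.addresses` and `networking.defaultGateway`, which would be applied on every boot; a comment like `# rescue helper for when declarative networking is broken` would settle the intent.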
@@ -36,5 +43,4 @@
 "net.ipv6.conf.all.use_tempaddr" = lib.mkDefault "2";
 "net.ipv6.conf.default.use_tempaddr" = lib.mkDefault "2";
 };
- services.nscd.enable = false;
 }
diff --git a/makefu/1systems/latte/config.nix b/makefu/1systems/latte/config.nix
index 2828aea08..69e401d97 100644
--- a/makefu/1systems/latte/config.nix
+++ b/makefu/1systems/latte/config.nix
@@ -34,20 +34,11 @@ in { # Services: <stockholm/makefu/2configs/nix-community/mediawiki-matrix-bot.nix> - <stockholm/makefu/2configs/torrent/rtorrent.nix> + + # torrent is managed by gum + # <stockholm/makefu/2configs/torrent/rtorrent.nix> + ## Web - <stockholm/makefu/2configs/deployment/rss.euer.krebsco.de.nix> - <stockholm/makefu/2configs/deployment/owncloud.nix> - ### Moving owncloud data dir to /media/cloud/nextcloud-data - { - users.users.nextcloud.extraGroups = [ "download" ]; - # nextcloud-setup fails as it cannot set permissions for nextcloud - systemd.services.nextcloud-setup.serviceConfig.SuccessExitStatus = "0 1"; - fileSystems."/var/lib/nextcloud/data" = { - device = "/media/cloud/nextcloud-data"; - options = [ "bind" ]; - }; - } # local usage: <stockholm/makefu/2configs/mosh.nix>
diff --git a/makefu/1systems/omo/config.nix b/makefu/1systems/omo/config.nix
index 42f335264..ee29c03d2 100644
--- a/makefu/1systems/omo/config.nix
+++ b/makefu/1systems/omo/config.nix
@@ -28,7 +28,7 @@ in { <stockholm/makefu/2configs/home-manager> <stockholm/makefu/2configs/home-manager/cli.nix> <stockholm/makefu/2configs/editor/neovim> - <stockholm/makefu/2configs/storj/client.nix> + # <stockholm/makefu/2configs/storj/client.nix> <stockholm/makefu/2configs/backup/state.nix>
@@ -98,6 +98,7 @@ in { <stockholm/makefu/2configs/virtualisation/docker.nix> <stockholm/makefu/2configs/bluetooth-mpd.nix> + <stockholm/makefu/2configs/home/jellyfin.nix> <stockholm/makefu/2configs/home/music.nix> <stockholm/makefu/2configs/home/photoprism.nix> <stockholm/makefu/2configs/home/tonie.nix> 
diff --git a/makefu/1systems/omo/hw/omo.nix b/makefu/1systems/omo/hw/omo.nix
index ae5b778bf..eaedbb779 100644
--- a/makefu/1systems/omo/hw/omo.nix
+++ b/makefu/1systems/omo/hw/omo.nix
@@ -39,7 +39,9 @@ let
 in {
 imports = [
 # TODO: unlock home partition via ssh
- <stockholm/makefu/2configs/fs/sda-crypto-root.nix> ];
+ ./vaapi.nix
+ <stockholm/makefu/2configs/fs/sda-crypto-root.nix> ];
+
 makefu.server.primary-itf = primaryInterface;
 system.activationScripts.createCryptFolders = ''
 ${lib.concatMapStringsSep "\n"
diff --git a/makefu/1systems/omo/hw/vaapi.nix b/makefu/1systems/omo/hw/vaapi.nix
new file mode 100644
index 000000000..8250d4110
--- /dev/null
+++ b/makefu/1systems/omo/hw/vaapi.nix
@@ -0,0 +1,17 @@
+{ pkgs, ... }:
+{
+ nixpkgs.config.packageOverrides = pkgs: {
+ vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
+ };
+ hardware.opengl = {
+ enable = true;
+ extraPackages = with pkgs; [
+ intel-media-driver # LIBVA_DRIVER_NAME=iHD
+ vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
+ vaapiVdpau
+ libvdpau-va-gl
+ ];
+ };
+ hardware.opengl.extraPackages32 = with pkgs.pkgsi686Linux; [ vaapiIntel ];
+ environment.systemPackages = [ pkgs.libva-utils ];
+}
diff --git a/makefu/1systems/x/config.nix b/makefu/1systems/x/config.nix
index 3edfcecc1..a4aa0cbab 100644
--- a/makefu/1systems/x/config.nix
+++ b/makefu/1systems/x/config.nix
@@ -13,7 +13,7 @@ # ./x230 # Common Hardware Components - + <nix-ld/modules/nix-ld.nix> # <stockholm/makefu/2configs/hw/mceusb.nix> # <stockholm/makefu/2configs/hw/rtl8812au.nix> <stockholm/makefu/2configs/hw/network-manager.nix>
diff --git a/makefu/1systems/x/source.nix b/makefu/1systems/x/source.nix
index 050fd39f7..05b74a014 100644
--- a/makefu/1systems/x/source.nix
+++ b/makefu/1systems/x/source.nix
@@ -7,5 +7,6 @@
 mic92 = true;
 clever_kexec = true;
 home-manager = true;
+ nix-ld = true;
 # torrent = true;
 }
diff --git a/makefu/1systems/x/x13/default.nix b/makefu/1systems/x/x13/default.nix index 9a407a575..7e9f4a6ac 100644 --- a/makefu/1systems/x/x13/default.nix +++ b/makefu/1systems/x/x13/default.nix @@ -28,6 +28,7 @@ environment.variables.VK_ICD_FILENAMES = "/run/opengl-driver/share/vulkan/icd.d/amd_icd64.json"; + services.fwupd.enable = true; programs.light.enable = true; diff --git a/makefu/1systems/x/x13/zfs.nix b/makefu/1systems/x/x13/zfs.nix index d6b99df41..ba341ef50 100644 --- a/makefu/1systems/x/x13/zfs.nix +++ b/makefu/1systems/x/x13/zfs.nix @@ -29,5 +29,6 @@ fsType = "zfs"; }; - swapDevices = [ ]; + swapDevices = [ ]; + services.zfs.autoScrub.enable = true; } diff --git a/makefu/2configs/bgt/download.binaergewitter.de.nix b/makefu/2configs/bgt/download.binaergewitter.de.nix index 6ce0606a8..1cf21f213 100644 --- a/makefu/2configs/bgt/download.binaergewitter.de.nix +++ b/makefu/2configs/bgt/download.binaergewitter.de.nix @@ -5,22 +5,37 @@ let ident = (builtins.readFile ./auphonic.pub); bgtaccess = "/var/spool/nginx/logs/binaergewitter.access.log"; bgterror = "/var/spool/nginx/logs/binaergewitter.error.log"; + + # TODO: only when the data is stored somewhere else + wwwdir = "/var/www/binaergewitter"; + storedir = "/media/cloud/www/binaergewitter"; in { + fileSystems."${wwwdir}" = { + device = storedir; + options = [ "bind" ]; + }; + services.openssh = { allowSFTP = true; sftpFlags = [ "-l VERBOSE" ]; extraConfig = '' + HostkeyAlgorithms +ssh-rsa + Match User auphonic ForceCommand internal-sftp AllowTcpForwarding no X11Forwarding no PasswordAuthentication no + PubkeyAcceptedAlgorithms +ssh-rsa + ''; }; users.users.auphonic = { uid = genid "auphonic"; group = "nginx"; + # for storedir + extraGroups = [ "download" ]; useDefaultShell = true; isSystemUser = true; openssh.authorizedKeys.keys = [ ident config.krebs.users.makefu.pubkey ]; diff --git a/makefu/2configs/bgt/template.md b/makefu/2configs/bgt/template.md index fdc0e2585..8413e0b8b 100644 
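Review bot: `HostkeyAlgorithms +ssh-rsa` in download.binaergewitter.de.nix sits above the `Match User auphonic` block and therefore applies to every client of this sshd, re-enabling SHA-1 RSA host-key signatures server-wide rather than only for the upload account; HostKeyAlgorithms cannot be scoped with `Match` because it is negotiated before the user is known, so it is worth first checking whether the Match-scoped `PubkeyAcceptedAlgorithms +ssh-rsa` alone satisfies Auphonic's client and dropping the global line if it does. If it is really required, a comment such as `# auphonic's sftp client cannot verify rsa-sha2 host-key signatures; remove once they upgrade` should record why the weakening is accepted. Adding `auphonic` to the `download` group also widens what this SFTP-only account can read to everything that group can reach, not just `${wwwdir}`; since `ForceCommand internal-sftp` is already in place, a `ChrootDirectory` on a root-owned parent of `${wwwdir}` would confine the session to the intended tree (the group-writable bind mount itself cannot serve as the chroot). The `# for storedir` comment would say more as `# storedir is group-writable by "download"`, if that is the reason.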
--- a/makefu/2configs/bgt/templ |