with import <stockholm/lib>;
{ config, lib, pkgs, ... }:
{
  imports = [
    # Common lass baseline (by name; the contents live in the imported modules).
    <stockholm/lass>
    <stockholm/lass/2configs>
    <stockholm/lass/2configs/retiolum.nix>
    <stockholm/lass/2configs/exim-retiolum.nix>
    <stockholm/lass/2configs/mail.nix>

    # Sync services. The bindfs mirrors further down hand part of this host's
    # state (~/.weechat) to the syncthing user, so changes to either side of
    # that arrangement should be reviewed together.
    <stockholm/lass/2configs/syncthing.nix>
    <stockholm/lass/2configs/sync/sync.nix>
    <stockholm/lass/2configs/sync/decsync.nix>
    <stockholm/lass/2configs/sync/weechat.nix>

    # Chat, mail indexing and the password store.
    <stockholm/lass/2configs/bitlbee.nix>
    <stockholm/lass/2configs/IM.nix>
    <stockholm/lass/2configs/muchsync.nix>
    <stockholm/lass/2configs/pass.nix>

    <stockholm/lass/2configs/git-brain.nix>
  ];

  # Identify this machine as the `green` entry of config.krebs.hosts
  # (presumably where the krebs build/deploy tooling takes its identity from).
  krebs.build.host = config.krebs.hosts.green;

  # SSH logins for the main user: the android phone's key from the krebs user
  # registry plus a dedicated key for the weechat tunnel.
  # NOTE(review): the second entry is a bare key and therefore grants a full
  # interactive login, not just a tunnel. If that key only ever opens a port
  # forward, scope it with authorized_keys options, e.g.
  #   "restrict,port-forwarding,permitopen=\"localhost:<relay-port>\" ssh-ed25519 ..."
  # so a leaked tunnel key cannot run commands or forward an agent. Confirm
  # the tunnel needs nothing beyond forwarding before tightening. Whether the
  # android key carries options is decided where krebs.users.lass-android is
  # defined, not here.
  users.users.mainUser.openssh.authorizedKeys.keys = [
    config.krebs.users.lass-android.pubkey
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0rn3003CkJMk3jZrh/3MC6nVorHRymlFSI4x1brCKY" # weechat ssh tunnel
  ];

  # Persistent state lives under /var/state and is bind-mounted (bindfs) to
  # the paths the programs expect. The "-M" option makes bindfs present the
  # mounted tree as owned by each listed uid, so the programs see "their"
  # files regardless of who owns them on the underlying filesystem.
  # NOTE(review): a mirrored user gets the owner's view of everything below
  # the mount point. Listing "syncthing" on ~/.weechat therefore also exposes
  # whatever weechat keeps in its config tree (possibly IRC/relay passwords)
  # to the syncthing service user — presumably intended for syncing; verify
  # that nothing secret is stored there unencrypted.
  krebs.bindfs = let
    uidOf = user: toString config.users.users.${user}.uid;
    # bindfs -M takes a colon-separated uid list.
    mirrorTo = users: "-M ${concatMapStringsSep ":" uidOf users}";
  in {
    # weechat state, shared between the main user and syncthing; new files
    # are created as the syncthing user on the underlying fs (per bindfs
    # --create-for-user).
    "/home/lass/.weechat" = {
      source = "/var/state/lass_weechat";
      options = [
        (mirrorTo [ "syncthing" "mainUser" ])
        "--create-for-user=${uidOf "syncthing"}"
      ];
    };
    # Mail store; the notmuch/muchsync wiring on top of it is done by the
    # ExecStartPost hook configured on the generated bindfs unit below.
    "/home/lass/Maildir" = {
      source = "/var/state/lass_mail";
      options = [ (mirrorTo [ "mainUser" ]) ];
    };
    # The remaining mounts set clearTarget, which by its name wipes whatever
    # sits at the mount point first (defined in the krebs.bindfs module, not
    # here) — do not place anything else at these paths.
    "/var/lib/bitlbee" = {
      source = "/var/state/bitlbee";
      options = [ (mirrorTo [ "bitlbee" ]) ];
      clearTarget = true;
    };
    "/home/lass/.ssh" = {
      source = "/var/state/lass_ssh";
      options = [ (mirrorTo [ "mainUser" ]) ];
      clearTarget = true;
    };
    "/home/lass/.gnupg" = {
      source = "/var/state/lass_gnupg";
      options = [ (mirrorTo [ "mainUser" ]) ];
      clearTarget = true;
    };
    "/var/lib/git" = {
      source = "/var/state/git";
      options = [ (mirrorTo [ "git" ]) ];
      clearTarget = true;
    };
  };

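  # Post-mount fixup for the Maildir bindfs: expose the notmuch database
  # (kept outside the mail tree at ~/notmuch) as Maildir/.notmuch and give
  # muchsync a tmp directory that lives inside the mirrored Maildir.
  #
  # NOTE(review): chown to another user only works as root, so this hook is
  # effectively root code — yet every path it touches lies under a directory
  # that this very script hands to lass. Without `-h`, chown follows a
  # symlink given as its operand, so a process running as lass that replaces
  # ~/notmuch with a symlink (e.g. to /etc) before a service restart would
  # have root chown that target to lass. `chown -h` plus the symlink check
  # close the obvious cases; the residual check-to-use window is only fully
  # closed by running the hook as lass (e.g. via runuser), which also assumes
  # /home/lass itself is not user-replaceable.
  systemd.services."bindfs-_home_lass_Maildir".serviceConfig.ExecStartPost = pkgs.writeDash "symlink-notmuch" ''
    # presumably lets the FUSE mount settle before it is used — TODO confirm
    sleep 1

    # Refuse to operate through user-replaceable path components; failing
    # here fails the unit, which is preferable to chowning a foreign tree.
    for d in /home/lass/notmuch /home/lass/notmuch/muchsync; do
      if [ -L "$d" ]; then
        echo "symlink-notmuch: refusing to touch symlink $d" >&2
        exit 1
      fi
    done

    mkdir -p /home/lass/notmuch
    chown -h lass: /home/lass/notmuch
    ln -sfTr /home/lass/notmuch /home/lass/Maildir/.notmuch

    mkdir -p /home/lass/notmuch/muchsync
    chown -h lass: /home/lass/notmuch/muchsync
    mkdir -p /home/lass/Maildir/.muchsync
    ln -sfTr /home/lass/Maildir/.muchsync /home/lass/notmuch/muchsync/tmp
  '';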

  # Accept SSH on eth0 early in nat/PREROUTING. With precedence 101 this
  # presumably sorts in front of a lower-precedence REDIRECT/DNAT for port 22
  # coming from one of the imported configs, so plain port 22 keeps reaching
  # sshd on this interface — the rule it overrides is not visible in this file.
  # NOTE(review): this is a nat-table ACCEPT, not a filter-table one; whether
  # port 22 is actually reachable from eth0 is still decided by the filter
  # chains defined elsewhere.
  krebs.iptables.tables.nat.PREROUTING.rules = [
    { predicate = "-i eth0 -p tcp -m tcp --dport 22"; target = "ACCEPT"; precedence = 101; }
  ];

  # Workaround for SSH access from the yubikey via android: that client
  # presumably can only produce legacy "ssh-rsa" (RSA with SHA-1) signatures,
  # which OpenSSH has disabled by default since 8.8.
  # NOTE(review): both lines re-enable SHA-1 RSA signatures for every client,
  # not just the phone — HostKeyAlgorithms for host authentication,
  # PubkeyAcceptedAlgorithms for user authentication of all users. RSA keys
  # keep working with rsa-sha2-256/512 without this. If the phone connects as
  # a known user or from a known address, move PubkeyAcceptedAlgorithms into
  # a `Match` block for it; HostKeyAlgorithms is not a Match keyword and stays
  # global. Drop both lines once the android client supports rsa-sha2-*.
  services.openssh.extraConfig = ''
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa
  '';
}