author | Azat Bahawi <azat@bahawi.net> | 2022-08-12 22:53:53 +0300 |
---|---|---|
committer | Azat Bahawi <azat@bahawi.net> | 2022-08-12 22:53:53 +0300 |
commit | 61b94f0dd06cac0f7dcd38cce80f2a7ab8376098 (patch) | |
tree | b703a9fe11eae6c4cae4e4682f02caf0caa171d0 /configurations |
2022-08-12
Diffstat (limited to 'configurations')
-rw-r--r-- | configurations/default.nix | 139 | ||||
-rw-r--r-- | configurations/manwe/default.nix | 171 | ||||
-rw-r--r-- | configurations/manwe/mailserver.nix | 96 | ||||
-rw-r--r-- | configurations/manwe/webserver.nix | 21 | ||||
-rw-r--r-- | configurations/melian/default.nix | 288 | ||||
-rw-r--r-- | configurations/test-headful/default.nix | 27 | ||||
-rw-r--r-- | configurations/test-headless/default.nix | 22 | ||||
-rw-r--r-- | configurations/varda/default.nix | 95 | ||||
-rw-r--r-- | configurations/yavanna/default.nix | 101 |
9 files changed, 960 insertions, 0 deletions
diff --git a/configurations/default.nix b/configurations/default.nix
new file mode 100644
index 0000000..e0741dc
--- /dev/null
+++ b/configurations/default.nix
@@ -0,0 +1,139 @@
+{
+ inputs,
+ lib,
+}:
+with lib; {
+ # TODO Make a generic wrapper for all hosts.
+ melian = let
+ system = "x86_64-linux";
+ in
+ nixosSystem {
+ inherit system;
+
+ modules =
+ attrValues inputs.self.nixosModules
+ ++ [./melian]
+ ++ (with inputs;
+ (with nixos-hardware.nixosModules; [
+ common-pc-laptop-ssd
+ lenovo-thinkpad-t480
+ ])
+ ++ [nixpkgs.nixosModules.notDetected]);
+
+ specialArgs = rec {
+ inherit inputs lib;
+ this = my.configurations.melian;
+ };
+ };
+
+ manwe = let
+ system = "x86_64-linux";
+ in
+ nixosSystem {
+ inherit system;
+
+ modules =
+ attrValues inputs.self.nixosModules
+ ++ [./manwe]
+ ++ (with inputs;
+ (with nixos-hardware.nixosModules; [common-cpu-amd common-pc-ssd])
+ ++ [
+ nixpkgs.nixosModules.notDetected
+ "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
+ ]);
+
+ specialArgs = rec {
+ inherit inputs lib;
+ this = my.configurations.manwe;
+ };
+ };
+
+ varda = let
+ system = "x86_64-linux";
+ in
+ nixosSystem {
+ inherit system;
+
+ modules =
+ attrValues inputs.self.nixosModules
+ ++ [./varda]
+ ++ (with inputs;
+ (with nixos-hardware.nixosModules; [common-cpu-amd common-pc-ssd])
+ ++ [
+ nixpkgs.nixosModules.notDetected
+ "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
+ ]);
+
+ specialArgs = rec {
+ inherit inputs lib;
+ this = my.configurations.varda;
+ };
+ };
+
+ yavanna = let
+ system = "x86_64-linux";
+ in
+ nixosSystem {
+ inherit system;
+
+ modules =
+ attrValues inputs.self.nixosModules
+ ++ [./yavanna]
+ ++ (with inputs;
+ (with nixos-hardware.nixosModules; [common-cpu-intel common-pc-hdd])
+ ++ [nixpkgs.nixosModules.notDetected]);
+
+ specialArgs = rec {
+ inherit inputs lib;
+ this = my.configurations.yavanna;
+ };
+ };
+
+ test-headless = let
+ system = "x86_64-linux";
+ in
+ nixosSystem {
+ inherit system;
+
+ modules =
+ attrValues inputs.self.nixosModules
+ ++ [./test-headless]
+ ++ (with inputs; [
+ nixpkgs.nixosModules.notDetected
+ "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
+ ]);
+
+ specialArgs = rec {
+ inherit inputs lib;
+ this = {
+ hostname = "test-headless";
+ isHeadless = true;
+ isHeadful = false;
+ };
+ };
+ };
+
+ test-headful = let
+ system = "x86_64-linux";
+ in
+ nixosSystem {
+ inherit system;
+
+ modules =
+ attrValues inputs.self.nixosModules
+ ++ [./test-headful]
+ ++ (with inputs; [
+ nixpkgs.nixosModules.notDetected
+ "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
+ ]);
+
+ specialArgs = rec {
+ inherit inputs lib;
+ this = {
+ hostname = "test-headful";
+ isHeadful = true;
+ isHeadless = false;
+ };
+ };
+ };
+}
diff --git a/configurations/manwe/default.nix b/configurations/manwe/default.nix
new file mode 100644
index 0000000..50acacd
--- /dev/null
+++ b/configurations/manwe/default.nix
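Review bot: `specialArgs = rec { … }` appears in all six host stanzas of configurations/default.nix, but none of these sets refers to its own attributes, so `rec` does nothing except widen scope and invite accidental shadowing; `specialArgs = { inherit inputs lib; this = …; };` is sufficient. The two test hosts pass a hand-written `this` carrying only `hostname`, `isHeadless` and `isHeadful`, whereas the real hosts take theirs from `my.configurations.*`. A short comment listing the fields a `this` must provide would make it clear which shared modules are safe to enable for the test hosts.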
@@ -0,0 +1,171 @@
+{
+ config,
+ inputs,
+ lib,
+ this,
+ ...
+}:
+with lib; {
+ imports = [
+ ./mailserver.nix
+ ./webserver.nix
+ ];
+
+ secrets.wireguard-private-key-manwe.file = "${inputs.self}/secrets/wireguard-private-key-manwe";
+
+ nixfiles.modules = {
+ nsd = {
+ enable = true;
+ fqdn = "ns1.${config.networking.domain}";
+ };
+ unbound.enable = true;
+
+ wireguard = {
+ privateKeyFile = config.secrets.wireguard-private-key-manwe.path;
+ server.enable = true;
+ };
+
+ acme.enable = true;
+
+ monitoring.enable = true;
+
+ gotify.enable = true;
+ matrix.dendrite = {
+ enable = true;
+ domain = my.domain.azahi;
+ };
+ soju = {
+ enable = true;
+ domain = my.domain.azahi;
+ };
+ };
+
+ services.prometheus = {
+ # TODO Make this generic.
+ scrapeConfigs = with my.configurations;
+ with config.services.prometheus.exporters; [
+ {
+ job_name = "endlessh-go";
+ static_configs = [
+ {
+ targets = with config.nixfiles.modules.endlessh-go; [
+ "${manwe.hostname}:${toString prometheusPort}"
+ "${varda.hostname}:${toString prometheusPort}"
+ "${yavanna.hostname}:${toString prometheusPort}"
+ ];
+ }
+ ];
+ }
+ {
+ job_name = "nginx";
+ static_configs = [
+ {
+ targets = with nginx; [
+ "${manwe.hostname}:${toString port}"
+ "${varda.hostname}:${toString port}"
+ "${yavanna.hostname}:${toString port}"
+ ];
+ }
+ ];
+ }
+ {
+ job_name = "node";
+ static_configs = [
+ {
+ targets = with node; [
+ "${manwe.hostname}:${toString port}"
+ "${varda.hostname}:${toString port}"
+ "${yavanna.hostname}:${toString port}"
+ ];
+ }
+ ];
+ }
+ {
+ job_name = "postgres";
+ static_configs = [
+ {
+ targets = with postgres; [
+ "${manwe.hostname}:${toString port}"
+ "${varda.hostname}:${toString port}"
+ ];
+ }
+ ];
+ }
+ {
+ job_name = "unbound";
+ static_configs = [
+ {
+ targets = with unbound; ["${manwe.hostname}:${toString port}"];
+ }
+ ];
+ }
+ # {
+ # job_name = "wireguard";
+ # static_configs = [{
+ # targets = with wireguard; [
+ # "${manwe.hostname}:${toString port}"
+ # ];
+ #
+ }];
+ # }
+ ];
+ };
+
+ networking = let
+ interface = "eth0";
+ in {
+ interfaces.${interface} = {
+ ipv4.addresses = [
+ {
+ inherit (this.ipv4) address;
+ prefixLength = 22;
+ }
+ ];
+
+ ipv6.addresses = [
+ {
+ inherit (this.ipv6) address;
+ prefixLength = 64;
+ }
+ ];
+ };
+
+ defaultGateway = {
+ inherit interface;
+ address = this.ipv4.gateway;
+ };
+
+ defaultGateway6 = {
+ inherit interface;
+ address = this.ipv6.gateway;
+ };
+
+ nat.externalInterface = interface;
+ };
+
+ boot = {
+ loader.grub = {
+ enable = true;
+ device = "/dev/sda";
+ };
+
+ initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
+ };
+
+ fileSystems = {
+ "/boot" = {
+ device = "/dev/sda1";
+ fsType = "xfs";
+ options = ["noatime"];
+ };
+
+ "/" = {
+ device = "/dev/sda2";
+ fsType = "xfs";
+ options = ["noatime"];
+ };
+ };
+
+ swapDevices = [{device = "/dev/sda3";}];
+
+ system.stateVersion = "22.05";
+}
diff --git a/configurations/manwe/mailserver.nix b/configurations/manwe/mailserver.nix
new file mode 100644
index 0000000..60a917b
--- /dev/null
+++ b/configurations/manwe/mailserver.nix
@@ -0,0 +1,96 @@
+{
+ config,
+ inputs,
+ lib,
+ ...
+}:
+with lib; {
+ imports = [inputs.simple-nixos-mailserver.nixosModule];
+
+ config = {
+ secrets = {
+ dkim-key-azahi-cc = {
+ file = "${inputs.self}/secrets/dkim-key-azahi-cc";
+ path = "/var/dkim/${my.domain.azahi}.${config.mailserver.dkimSelector}.key";
+ owner = "opendkim";
+ group = "opendkim";
+ };
+ dkim-key-rohan-net = {
+ file = "${inputs.self}/secrets/dkim-key-rohan-net";
+ path = "/var/dkim/${my.domain.rohan}.${config.mailserver.dkimSelector}.key";
+ owner = "opendkim";
+ group = "opendkim";
+ };
+ dkim-key-gondor-net = {
+ file = "${inputs.self}/secrets/dkim-key-gondor-net";
+ path = "/var/dkim/${my.domain.gondor}.${config.mailserver.dkimSelector}.key";
+ owner = "opendkim";
+ group = "opendkim";
+ };
+ dkim-key-shire-me = {
+ file = "${inputs.self}/secrets/dkim-key-shire-me";
+ path = "/var/dkim/${my.domain.shire}.${config.mailserver.dkimSelector}.key";
+ owner = "opendkim";
+ group = "opendkim";
+ };
+ };
+
+ nixfiles.modules.acme.enable = true;
+
+ mailserver = let
+ cert = config.certs.${my.domain.shire};
+ in {
+ enable = true;
+
+ fqdn = config.networking.domain;
+ domains = with my.domain; [azahi gondor rohan shire];
+
+ localDnsResolver = false;
+
+ certificateScheme = 1;
+ certificateFile = "${cert.directory}/fullchain.pem";
+ keyFile = "${cert.directory}/key.pem";
+
+ lmtpSaveToDetailMailbox = "no";
+
+ loginAccounts = with my.domain; {
+ "azahi@${shire}" = {
+ hashedPassword = "[REDACTED]";
+ aliases = [
+ "@${azahi}"
+ "@${rohan}"
+ "@${gondor}"
+ "abuse@${shire}"
+ "admin@${shire}"
+ "ceo@${shire}"
+ "postmaster@${shire}"
+ ];
+ };
+ "samwise@${shire}" = {
+ hashedPassword = "[REDACTED]";
+ aliases = ["chad@${shire}"];
+ quota = "1G";
+ };
+ "pippin@${shire}" = {
+ hashedPassword = "[REDACTED]";
+ quota = "1G";
+ };
+ "meriadoc@${shire}" = {
+ hashedPassword = "[REDACTED]";
+ quota = "1G";
+ };
+ };
+ };
+
+ services.fail2ban.jails = {
+ dovecot = ''
+ enabled = true
+ mode =
+ aggressive
+ '';
+ postfix = ''
+ enabled = true
+ mode = aggressive
+ '';
+ };
+ };
+}
diff --git a/configurations/manwe/webserver.nix b/configurations/manwe/webserver.nix
new file mode 100644
index 0000000..fd23432
--- /dev/null
+++ b/configurations/manwe/webserver.nix
@@ -0,0 +1,21 @@
+{
+ inputs,
+ lib,
+ ...
+}:
+with lib; {
+ config.nixfiles.modules.nginx.virtualHosts = with my.domain;
+ {
+ ${shire}.locations."/".return = "301 https://www.youtube.com/watch?v=dQw4w9WgXcQ";
+ ${azahi} = {
+ serverAliases = ["frodo.${gondor}" "frodo.${rohan}"];
+ locations."/".root = inputs.azahi-cc;
+ };
+ }
+ // (let
+ frodo = "301 https://frodo.";
+ in {
+ ${gondor}.locations."/".return = concatStrings [frodo gondor];
+ ${rohan}.locations."/".return = concatStrings [frodo rohan];
+ });
+}
diff --git a/configurations/melian/default.nix b/configurations/melian/default.nix
new file mode 100644
index 0000000..2f3da98
--- /dev/null
+++ b/configurations/melian/default.nix
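Review bot: In configurations/manwe/mailserver.nix every `loginAccounts` entry sets `hashedPassword` inline, which places the password hashes in the evaluated configuration (and so in the world-readable Nix store and the repository), while the DKIM keys in the same file go through `secrets.*`. simple-nixos-mailserver also accepts `hashedPasswordFile`, so the hashes can be handled the same way as the keys, e.g. `hashedPasswordFile = config.secrets.mail-password-azahi.path;` (the secret name is a placeholder). The values are redacted on this page, so the point concerns where they are stored, not their strength. The catch-all aliases `"@${azahi}"`, `"@${rohan}"` and `"@${gondor}"` accept mail for any local part on those domains; a comment confirming that this is intentional would help the next reader.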
@@ -0,0 +1,288 @@
+{
+ config,
+ inputs,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; {
+ secrets = {
+ wireguard-private-key-melian.file = "${inputs.self}/secrets/wireguard-private-key-melian";
+
+ syncthing-cert-melian = with config.services.syncthing; {
+ file = "${inputs.self}/secrets/syncthing-cert-melian";
+ owner = user;
+ inherit group;
+ };
+
+ syncthing-key-melian = with config.services.syncthing; {
+ file = "${inputs.self}/secrets/syncthing-key-melian";
+ owner = user;
+ inherit group;
+ };
+ };
+
+ nixfiles.modules = {
+ profiles.dev = {
+ containers.enable = true;
+ sql.enable = true;
+ };
+
+ games = {
+ lutris.enable = true;
+ steam.enable = true;
+ };
+
+ wireguard = {
+ privateKeyFile = config.secrets.wireguard-private-key-melian.path;
+ client.enable = true;
+ };
+
+ syncthing = with config.secrets; {
+ enable = true;
+ key = syncthing-key-melian.path;
+ cert = syncthing-cert-melian.path;
+ };
+ # ipfs.enable = true; # High CPU usage is really anoying.
+
+ beets.enable = true;
+ bluetooth.enable = true;
+ chromium.enable = true;
+ libvirtd.enable = true;
+ mpd.enable = true;
+ qutebrowser.enable = true;
+
+ throttled.enable = true;
+ };
+
+ hm = {
+ home.packages = with pkgs; [
+ (aspellWithDicts (p: with p; [en ru]))
+ calibre
+ iaito
+ kotatogram-desktop
+ nheko
+ tor-browser
+ ];
+
+ accounts.email = {
+ maildirBasePath = "${config.my.home}/mail";
+
+ # TODO Move to my.nix.
+ accounts = let
+ base = {
+ mbsync = {
+ enable = true;
+ create = "both";
+ expunge = "both";
+ patterns = ["*"];
+ };
+ msmtp.enable = true;
+ mu.enable = true;
+ };
+
+ pass = path: "${pkgs.pass}/bin/pass show ${path}";
+ in {
+ shire =
+ base
+ // {
+ address = my.email;
+ gpg = {
+ inherit (my.pgp) key;
+ signByDefault = true;
+ encryptByDefault = false;
+ };
+
+ primary = true;
+
+ imap.host = "shire.me";
+ smtp.host = "shire.me";
+ userName = "azahi@shire.me";
+ passwordCommand = pass "email/shire.me/azahi";
+ };
+
+ yahoo =
+ base
+ // {
+ address = "a.gondor@yahoo.com";
+
+ imap.host = "imap.yahoo.com";
+ smtp.host = "smtp.yahoo.com";
+ userName = "a.gondor@yahoo.com";
+ passwordCommand = pass "email/yahoo.com/a.gondor";
+ };
+ };
+ };
+
+ programs = {
+ mbsync.enable = true;
+ msmtp.enable = true;
+ mu.enable = true;
+
+ ssh.matchBlocks = let
+ mkBlock = {
+ hostname,
+ port ? 22022,
+ user ? "azahi",
+ }: {
+ inherit hostname port user;
+ identityFile = "${config.my.home}/.ssh/id_ed25519";
+ };
+ mkInternalHostname = hostname: "${hostname}.${my.domain.shire}";
+ in
+ with my.configurations; {
+ # TODO Wrap this.
+ manwe = mkBlock {hostname = mkInternalHostname "manwe";};
+ manwe-init = mkBlock {hostname = manwe.ipv4.address;};
+ varda = mkBlock {hostname = mkInternalHostname "varda";};
+ varda-init = mkBlock {hostname = varda.ipv4.address;};
+ yavanna = mkBlock {hostname = mkInternalHostname "yavanna";};
+ yavanna-init = mkBlock {hostname = yavanna.ipv4.address;};
+ };
+ };
+ };
+
+ networking = {
+ interfaces = {
+ eth0.useDHCP = true;
+ wlan0.useDHCP = true;
+ };
+
+ wireless = {
+ enable = false;
+ iwd.enable = true;
+ userControlled.enable = true;
+ allowAuxiliaryImperativeNetworks = true;
+ };
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-uuid/bb8b09dc-cc67-47e5-8280-532b17a9e62a";
+ fsType = "xfs";
+ options = ["noatime"];
+ };
+
+ "/boot" = {
+ device = "/dev/disk/by-uuid/1083-C8A0";
+ fsType = "vfat";
+ };
+ };
+
+ # Hibernation is not enabled because I don't use it.
+ swapDevices = [
+ {
+ device = "/swapfile";
+ size = 8 * 1024;
+ }
+ ];
+
+ boot = {
+ kernelPackages = mkForce pkgs.linuxPackages_xanmod_latest;
+
+ # https://www.phoronix.com/scan.php?page=article&item=spectre-meltdown-2&num=11
+ kernelParams = ["mitigations=off"];
+
+ # Just to make Lutris/Wine logs happy.
+ kernel.sysctl."dev.i915.perf_stream_paranoid" = 0;
+
+ extraModprobeConfig = ''
+ options iwlwifi 11n_disable=1
+ '';
+
+ initrd = {
+ kernelModules = [];
+ availableKernelModules = ["ahci" "nvme" "sd_mod" "usb_storage" "usbhid" "xhci_pci"];
+
+ luks.devices."root" = {
+ device = "/dev/disk/by-uuid/c1b46f24-eec0-47d2-a142-75ddfd7bb218";
+ allowDiscards = true;
+ bypassWorkqueues = true;
+ };
+ };
+ kernelModules = ["kvm-intel"];
+
+ loader = {
+ efi.canTouchEfiVariables = true;
+
+ systemd-boot = {
+ enable = true;
+ configurationLimit = 10;
+ };
+ };
+ };
+
+ hardware = {
+ trackpoint = {
+ enable = true;
+ speed = 500;
+ sensitivity = 250;
+ };
+
+ opengl.extraPackages = with pkgs; [
+ intel-media-driver
+ libvdpau-va-gl
+ vaapiIntel
+ vaapiVdpau
+ ];
+ };
+
+ powerManagement = let
+ modprobe = "${pkgs.kmod}/bin/modprobe";
+ in {
+ enable = true;
+
+ # This fixes an issue with not being able to suspend or wake up from suspend
+ # due to a kernel bug[1].
+ #
+ # [1]: https://bbs.archlinux.org/viewtopic.php?id=270964
+ # [1]: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/522998
+ # [1]: https://bugs.launchpad.net/ubuntu/+source/pm-utils/+bug/562484/comments/3
+ # [1]: https://gist.github.com/ioggstream/8f380d398aef989ac455b93b92d42048
+ powerDownCommands = "${modprobe} -r xhci_pci";
+ powerUpCommands = "${modprobe} xhci_pci";
+ };
+
+ services = {
+ tlp = {
+ enable = false;
+ settings = {
+ START_CHARGE_THRESH_BAT0 = 75;
+ STOP_CHARGE_THRESH_BAT0 = 80;
+ RESTORE_THRESHOLDS_ON_BAT = 1;
+ };
+ };
+
+ throttled.enable = mkForce false;
+
+ thinkfan = {
+ enable = true;
+
+ # Old-style configuration should be nullified because it does not support
+ # hwmon search and appends to valid configuration resulting in conflicts
+ # and crash. I probably should make a PR to remove what was introduced[1]
+ # before.
+ #
+ # [1]: https://github.com/NixOS/nixpkgs/commit/02b872310d6a6503639f5a71a14f00441f961bc9
+ sensors = mkForce null;
+ fans = mkForce null;
+ levels = mkForce null;
+
+ settings = {
+ sensors = [
+ {
+ hwmon = "/sys/class/hwmon";
+ name = "coretemp";
+ indices = [1];
+ }
+ ];
+ fans = [{tpacpi = "/proc/acpi/ibm/fan";}];
+ levels = [["level auto" 0 50] ["level disengaged" 50 32767]];
+ };
+ };
+
+ xserver.videoDrivers = ["intel" "modesetting"];
+ };
+
+ system.stateVersion = "22.05";
+}
diff --git a/configurations/test-headful/default.nix b/configurations/test-headful/default.nix
new file mode 100644
index 0000000..fb3c276
--- /dev/null
+++ b/configurations/test-headful/default.nix
@@ -0,0 +1,27 @@
+{
+ lib,
+ modulesPath,
+ ...
+}:
+with lib; {
+ imports = ["${modulesPath}/profiles/qemu-guest.nix"];
+
+ nixfiles.modules = {
+ dwm.enable = true;
+ kde.enable = false;
+ xmonad.enable = false;
+ };
+
+ boot.loader.systemd-boot.enable = true;
+ fileSystems."/".device = "/dev/null";
+
+ documentation = {
+ enable = mkForce false;
+ man = {
+ enable = mkForce false;
+ man-db.enable = mkForce false;
+ };
+ };
+
+ system.stateVersion = "22.05";
+}
diff --git a/configurations/test-headless/default.nix b/configurations/test-headless/default.nix
new file mode 100644
index 0000000..c085e63
--- /dev/null
+++ b/configurations/test-headless/default.nix
@@ -0,0 +1,22 @@
+{
+ lib,
+ modulesPath,
+ ...
+}:
+with lib; {
+ imports = ["${modulesPath}/profiles/qemu-guest.nix"];
+
+ # This will allow `nix flake check` tests to pass.
+ nixfiles.modules = {
+ endlessh-go.enable = mkForce false;
+ node-exporter.enable = mkForce false;
+ promtail.enable = mkForce false;
+ };
+
+ boot.loader.systemd-boot.enable = true;
+ fileSystems."/".device = "/dev/null";
+
+ documentation.enable = mkForce false;
+
+ system.stateVersion = "22.05";
+}
diff --git a/configurations/varda/default.nix b/configurations/varda/default.nix
new file mode 100644
index 0000000..b9d84f7
--- /dev/null
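Review bot: `kernelParams = ["mitigations=off"]` in configurations/melian/default.nix disables the kernel's CPU side-channel mitigations on a host that, in the same file, enables Chromium, qutebrowser, tor-browser, Steam, containers and libvirtd with `kvm-intel`, so untrusted web content and guests run beside the WireGuard and Syncthing secrets. The only rationale given is a benchmark link; either drop the parameter or state the accepted risk in the comment, e.g. `# Accepted risk: Spectre/Meltdown-class mitigations disabled for performance although browsers and VMs run untrusted code here.` The same applies to `kernel.sysctl."dev.i915.perf_stream_paranoid" = 0`, which relaxes the restriction on unprivileged i915 perf streams, and to `allowDiscards = true` on the LUKS root, which reveals which blocks are unused; each deserves a one-line note on the trade-off.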
+++ b/configurations/varda/default.nix
@@ -0,0 +1,95 @@
+{
+ config,
+ inputs,
+ lib,
+ this,
+ ...
+}:
+with lib; {
+ secrets.wireguard-private-key-varda.file = "${inputs.self}/secrets/wireguard-private-key-varda";
+
+ nixfiles.modules = {
+ wireguard = {
+ privateKeyFile = config.secrets.wireguard-private-key-varda.path;
+ client.enable = true;
+ };
+
+ acme.enable = true;
+
+ rss-bridge.enable = true;
+ radicale.enable = true;
+ };
+
+ networking = let
+ interface = "eth0";
+ in {
+ interfaces.${interface} = {
+ ipv4.addresses = [
+ {
+ inherit (this.ipv4) address;
+ prefixLength = 22;
+ }
+ ];
+
+ ipv6.addresses = [
+ {
+ inherit (this.ipv6) address;
+ prefixLength = 64;
+ }
+ ];
+ };
+
+ defaultGateway = {
+ inherit interface;
+ address = this.ipv4.gateway;
+ };
+
+ defaultGateway6 = {
+ inherit interface;
+ address = this.ipv6.gateway;
+ };
+ };
+
+ boot = {
+ loader.grub = {
+ enable = true;
+ device = "/dev/sda";
+ };
+
+ initrd = {
+ luks.devices.nixos = {
+ device = "/dev/sda2";
+ allowDiscards = true;
+ bypassWorkqueues = true;
+ };
+
+ network = {
+ enable = true;
+ ssh = {
+ enable = true;
+ port = head config.services.openssh.ports;
+ hostKeys = map (k: k.path) config.services.openssh.hostKeys;
+ authorizedKeys = config.my.openssh.authorizedKeys.keys;
+ };
+ };
+
+ availableKernelModules = ["ata_piix" "sd_mod" "sr_mod" "uhci_hcd" "virtio_pci" "virtio_scsi"];
+ };
+ };
+
+ fileSystems = {
+ "/boot" = {
+ device = "LABEL=boot";
+ fsType = "xfs";
+ options = ["noatime"];
+ };
+
+ "/" = {
+ device = "LABEL=nixos";
+ fsType = "xfs";
+ options = ["noatime"];
+ };
+ };
+
+ system.stateVersion = "22.05";
+}
diff --git a/configurations/yavanna/default.nix b/configurations/yavanna/default.nix
new file mode 100644
index 0000000..b740da3
--- /dev/null
+++ b/configurations/yavanna/default.nix
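Review bot: `hostKeys = map (k: k.path) config.services.openssh.hostKeys` in configurations/varda/default.nix places the host's regular OpenSSH private host keys in the initrd, and the initrd sits on `/boot` (`LABEL=boot`), which appears to be outside the LUKS device `/dev/sda2`. Anyone who can read the boot volume of this guest could extract those keys and impersonate the host, both during remote unlock (where the passphrase is typed) and after boot; the NixOS documentation for `boot.initrd.network.ssh.hostKeys` advises against reusing the regular host keys. Generate a dedicated key for the initrd and reference that instead, e.g. `hostKeys = ["/etc/secrets/initrd/ssh_host_ed25519_key"];` (constructed example path), and document that the unlock session presents a different fingerprint. Reusing `head config.services.openssh.ports` for the initrd port then produces a host-key mismatch by design, so a separate port or a dedicated `known_hosts` entry is worth noting in a comment.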
@@ -0,0 +1,101 @@
+{
+ config,
+ inputs,
+ lib,
+ this,
+ ...
+}:
+with lib; {
+ secrets = {
+ wireguard-private-key-yavanna.file = "${inputs.self}/secrets/wireguard-private-key-yavanna";
+
+ syncthing-cert-yavanna = with config.services.syncthing; {
+ file = "${inputs.self}/secrets/syncthing-cert-yavanna";
+ owner = user;
+ inherit group;
+ };
+
+ syncthing-key-yavanna = with config.services.syncthing; {
+ file = "${inputs.self}/secrets/syncthing-key-yavanna";
+ owner = user;
+ inherit group;
+ };
+ };
+
+ nixfiles.modules = {
+ wireguard = {
+ privateKeyFile = config.secrets.wireguard-private-key-yavanna.path;
+ client.enable = true;
+ };
+
+ syncthing = with config.secrets; {
+ enable = true;
+ key = syncthing-key-yavanna.path;
+ cert = syncthing-cert-yavanna.path;
+ };
+
+ acme.enable = true;
+
+ rtorrent = {
+ enable = true;
+ flood.enable = true;
+ };
+ };
+
+ networking = let
+ interface = "eth0";
+ in {
+ interfaces.${interface} = {
+ ipv4.addresses = [
+ {
+ inherit (this.ipv4) address;
+ prefixLength = 24;
+ }
+ ];
+
+ ipv6.addresses = [
+ {
+ inherit (this.ipv6) address;
+ prefixLength = 128;
+ }
+ ];
+ };
+
+ defaultGateway = {
+ inherit interface;
+ address = this.ipv4.gateway;
+ };
+
+ defaultGateway6 = {
+ inherit interface;
+ address = this.ipv6.gateway;
+ };
+ };
+
+ boot = {
+ loader.grub = {
+ enable = true;
+ device = "/dev/sda";
+ };
+
+ initrd = {
+ availableKernelModules = ["uhci_hcd" "ahci"];
+ kernelModules = ["nvme"];
+ };
+ };
+
+ fileSystems."/" = {
+ device = "/dev/sda1";
+ fsType = "ext4";
+ options = ["noatime"];
+ };
+
+ swapDevices = [
+ {
+ device = "/swapfile";
+ size = 4 * 1024;
+ }
+ ];
+
+ system.stateVersion = "22.05";
+} |