From 4eac965b885db54d5a565ed10bdbbb474e0d71ba Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 5 Jun 2024 19:26:05 +0100 Subject: [PATCH 01/12] Modularise nginx and openssh config --- hosts/yevaud/configuration.nix | 57 +++++----------------------------- services/nginx.nix | 33 ++++++++++++++++++++ services/openssh.nix | 20 ++++++++++++ 3 files changed, 60 insertions(+), 50 deletions(-) create mode 100644 services/nginx.nix create mode 100644 services/openssh.nix diff --git a/hosts/yevaud/configuration.nix b/hosts/yevaud/configuration.nix index 06a3d29..c4bb9d1 100644 --- a/hosts/yevaud/configuration.nix +++ b/hosts/yevaud/configuration.nix @@ -5,6 +5,8 @@ [ ./hardware-configuration.nix ../../users/qenya.nix + ../../services/nginx.nix + ../../services/openssh.nix ]; boot.loader.systemd-boot.enable = true; 
@@ -15,59 +17,14 @@ time.timeZone = "Etc/UTC"; - services.openssh = { - enable = true; - settings = { - PasswordAuthentication = false; - PermitRootLogin = "no"; + services.nginx.virtualHosts = { + "git.katherina.rocks" = { + forceSSL = true; + enableACME = true; + locations."/".proxyPass = "http://[::1]:3000/"; }; }; - # Allow remote root login only from home network - # TODO: Find a less hacky way of doing remote deployment - users.users.root.openssh.authorizedKeys.keys = config.users.users.qenya.openssh.authorizedKeys.keys; - services.openssh.extraConfig = "Match Address 45.14.17.200\n PermitRootLogin prohibit-password"; - - networking.firewall.allowedTCPPorts = [ 22 80 443 ]; - # networking.firewall.allowedUDPPorts = [ ... ]; - - services.fail2ban.enable = true; - - services.nginx = { - enable = true; - - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - - sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; - - appendHttpConfig = '' - map $scheme $hsts_header { - https "max-age=31536000; includeSubdomains; preload"; - } - add_header Strict-Transport-Security $hsts_header; - #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; - add_header 'Referrer-Policy' 'strict-origin-when-cross-origin'; - add_header X-Frame-Options SAMEORIGIN; - add_header X-Content-Type-Options nosniff; - proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; - ''; - - virtualHosts = { - "git.katherina.rocks" = { - forceSSL = true; - enableACME = true; - locations."/".proxyPass = "http://[::1]:3000/"; - }; - }; - }; - security.acme = { - acceptTerms = true; - defaults.email = "accounts@katherina.rocks"; - }; - services.forgejo = { enable = true; stateDir = "/data/forgejo"; diff --git a/services/nginx.nix b/services/nginx.nix new file mode 100644 index 0000000..a5a91c6 --- /dev/null +++ b/services/nginx.nix 
@@ -0,0 +1,33 @@
+{ config, lib, pkgs, ... }:
+
+{
+ services.nginx = {
+ enable = true;
+
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+ appendHttpConfig = ''
+ map $scheme $hsts_header {
+ https "max-age=31536000; includeSubdomains; preload";
+ }
+ add_header Strict-Transport-Security $hsts_header;
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
+ add_header X-Frame-Options SAMEORIGIN;
+ add_header X-Content-Type-Options nosniff;
+ proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+ '';
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "accounts@katherina.rocks"; # TODO: replace with more appropriate email
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
\ No newline at end of file
diff --git a/services/openssh.nix b/services/openssh.nix
new file mode 100644
index 0000000..5e9651a
--- /dev/null
+++ b/services/openssh.nix
@@ -0,0 +1,20 @@
+{ config, lib, pkgs, ... }:
+
+{
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ PermitRootLogin = "no";
+ };
+ };
+
+ services.fail2ban.enable = true;
+
+ networking.firewall.allowedTCPPorts = [ 22 ];
+
+ # Allow remote root login only from home network
+ # TODO: Find a less hacky way of doing remote deployment
+ users.users.root.openssh.authorizedKeys.keys = config.users.users.qenya.openssh.authorizedKeys.keys;
+ services.openssh.extraConfig = "Match Address 45.14.17.200\n PermitRootLogin prohibit-password";
+}
\ No newline at end of file
From 7b87bdbc2f0e153de39a29c6839e696c425698de Mon Sep 17 00:00:00 2001
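Review bot: The security headers in `appendHttpConfig` of services/nginx.nix are only attached to successful responses, because none of the `add_header` lines carry the `always` flag; nginx omits `add_header` output on 4xx/5xx responses without it, so HSTS, X-Frame-Options, X-Content-Type-Options and Referrer-Policy are absent from error pages served through this proxy. `add_header Strict-Transport-Security $hsts_header always;` (and the same suffix on the other three) closes that gap. Because nginx's `add_header` inheritance is all-or-nothing, any virtualHost or location that later adds its own `add_header` silently drops this whole set, which deserves a one-line comment above the block. The cipher string `AES256+EECDH:AES256+EDH:!aNULL` also still admits CBC/SHA-1 suites such as ECDHE-RSA-AES256-SHA, so if the intent behind overriding `sslCiphers` is a stricter list than the module default, spell out AEAD suites explicitly.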
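Review bot: `PasswordAuthentication = false` in services/openssh.nix does not by itself stop password logins, because sshd can still prompt for one through keyboard-interactive (PAM) when that method stays enabled, and as far as I recall the NixOS module leaves `KbdInteractiveAuthentication` on unless set; add `KbdInteractiveAuthentication = false;` beside it in `settings`. The `Match Address` block in `extraConfig` only works because the module emits `extraConfig` after the global `PermitRootLogin = "no"` (Match sections must be the last thing in sshd_config), so a short comment stating that reliance on placement, e.g. `# Must come after settings: Match blocks end the global section`, would save the next reader from moving it. The hard-coded home address is also a point of drift worth a comment naming what it is and when it was last checked.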
From: Katherina Walshe-Grey Date: Wed, 5 Jun 2024 20:31:13 +0100 Subject: [PATCH 02/12] More deduplication --- hive.nix | 33 ++++++++++++++++++++++++--------- hosts/tohru/configuration.nix | 7 ------- hosts/yevaud/configuration.nix | 6 ------ 3 files changed, 24 insertions(+), 22 deletions(-) diff --git a/hive.nix b/hive.nix index f331dc7..2775603 100644 --- a/hive.nix +++ b/hive.nix @@ -2,30 +2,45 @@ let sources = import ./npins; in { meta.nixpkgs = sources.nixpkgs; - defaults = { pkgs, ... }: { - imports = [ - (import "${sources.home-manager}/nixos") - ]; + defaults = { name, pkgs, ... }: { deployment.replaceUnknownProfiles = false; - + networking.hostName = name; + + environment.systemPackages = with pkgs; [ + git + wget + ]; + # Make point systemwide to the pinned nixpkgs above # https://jade.fyi/blog/pinning-nixos-with-npins/ nix.settings.experimental-features = "nix-command flakes"; nixpkgs.flake.source = sources.nixpkgs; - nix.nixPath = ["nixpkgs=flake:nixpkgs"]; + nix.nixPath = [ "nixpkgs=flake:nixpkgs" ]; + + imports = [ + (import "${sources.home-manager}/nixos") + ./users/qenya.nix + ]; }; - tohru = { name, nodes, ... }: { + tohru = { deployment = { allowLocalDeployment = true; targetHost = null; }; + networking.hostId = "31da19c1"; + time.timeZone = "Europe/London"; + imports = [ ./hosts/tohru/configuration.nix ]; }; - yevaud = { - deployment.targetHost = "yevaud.birdsong.network"; + yevaud = { name, ... }: { + deployment.targetHost = "${name}.birdsong.network"; + + networking.hostId = "09673d65"; + time.timeZone = "Etc/UTC"; + imports = [ ./hosts/yevaud/configuration.nix ]; }; } diff --git a/hosts/tohru/configuration.nix b/hosts/tohru/configuration.nix index b39db2f..7ca7e19 100644 --- a/hosts/tohru/configuration.nix +++ b/hosts/tohru/configuration.nix @@ -4,7 +4,6 @@ imports = [ ./hardware-configuration.nix - ../../users/qenya.nix ./home.nix ]; 
@@ -12,12 +11,8 @@ boot.loader.efi.canTouchEfiVariables = true; boot.loader.systemd-boot.editor = false; - networking.hostName = "tohru"; - networking.hostId = "31da19c1"; networking.networkmanager.enable = true; - time.timeZone = "Europe/London"; - i18n.defaultLocale = "en_GB.UTF-8"; console.keyMap = "uk"; @@ -34,9 +29,7 @@ environment.systemPackages = with pkgs; [ colmena - git npins - wget ]; programs.steam = { diff --git a/hosts/yevaud/configuration.nix b/hosts/yevaud/configuration.nix index c4bb9d1..e8c073f 100644 --- a/hosts/yevaud/configuration.nix +++ b/hosts/yevaud/configuration.nix @@ -4,7 +4,6 @@ imports = [ ./hardware-configuration.nix - ../../users/qenya.nix ../../services/nginx.nix ../../services/openssh.nix ]; @@ -12,11 +11,6 @@ boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; - networking.hostName = "yevaud"; - networking.hostId = "09673d65"; - - time.timeZone = "Etc/UTC"; - services.nginx.virtualHosts = { "git.katherina.rocks" = { forceSSL = true; From f1dff74fa558a7f8cd8c396e774e483758fb672d Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 5 Jun 2024 20:43:04 +0100 Subject: [PATCH 03/12] Move pin to separate file --- hive.nix | 7 +------ pinning.nix | 10 ++++++++++ 2 files changed, 11 insertions(+), 6 deletions(-) create mode 100644 pinning.nix diff --git a/hive.nix b/hive.nix index 2775603..fe52c2a 100644 --- a/hive.nix +++ b/hive.nix @@ -11,14 +11,9 @@ in { wget ]; - # Make point systemwide to the pinned nixpkgs above - # https://jade.fyi/blog/pinning-nixos-with-npins/ - nix.settings.experimental-features = "nix-command flakes"; - nixpkgs.flake.source = sources.nixpkgs; - nix.nixPath = [ "nixpkgs=flake:nixpkgs" ]; - imports = [ (import "${sources.home-manager}/nixos") + ./pinning.nix ./users/qenya.nix ]; }; diff --git a/pinning.nix b/pinning.nix new file mode 100644 index 0000000..9ac8584 --- /dev/null +++ b/pinning.nix 
@@ -0,0 +1,10 @@ +{ config, lib, pkgs, ... }: + +let sources = import ./npins; +in { + # Make point systemwide to the pinned nixpkgs + # https://jade.fyi/blog/pinning-nixos-with-npins/ + nix.settings.experimental-features = "nix-command flakes"; + nixpkgs.flake.source = sources.nixpkgs; + nix.nixPath = [ "nixpkgs=flake:nixpkgs" ]; +} From 0f824bc28471d827481357766342317af8afe754 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 5 Jun 2024 21:07:45 +0100 Subject: [PATCH 04/12] [tohru] Modularise vscode config --- home/vscode.nix | 40 ++++++++++++++++++++++++++++++++++++++++ hosts/tohru/home.nix | 38 ++++---------------------------------- 2 files changed, 44 insertions(+), 34 deletions(-) create mode 100644 home/vscode.nix diff --git a/home/vscode.nix b/home/vscode.nix new file mode 100644 index 0000000..8d6efee --- /dev/null +++ b/home/vscode.nix @@ -0,0 +1,40 @@ +{ config, lib, pkgs, ... }: + +{ + programs.vscode = + let + system = builtins.currentSystem; + sources = import ../npins; + extensions = (import sources.nix-vscode-extensions).extensions.${system}; + in + { + enable = true; + enableExtensionUpdateCheck = false; + enableUpdateCheck = false; + package = pkgs.vscodium; + extensions = (with pkgs.vscode-extensions; [ + jnoortheen.nix-ide + ms-python.python + ]) ++ (with extensions.open-vsx; [ + robbowen.synthwave-vscode + ]); + mutableExtensionsDir = false; + userSettings = { + "extensions.autoUpdate" = false; + "git.autofetch" = true; + "nix.enableLanguageServer" = true; + "nix.serverPath" = "nil"; + "nix.serverSettings".nil = { + diagnostics.ignored = [ "unused_binding" "unused_with" ]; + formatting.command = [ "nixpkgs-fmt" ]; + }; + "workbench.colorTheme" = "SynthWave '84"; + }; + }; + + # Language servers etc + home.packages = with pkgs; [ + nil + nixpkgs-fmt + ]; +} diff --git a/hosts/tohru/home.nix b/hosts/tohru/home.nix index 44eb80b..332aa97 100644 --- a/hosts/tohru/home.nix +++ b/hosts/tohru/home.nix 
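Review bot: The comment `# Make point systemwide to the pinned nixpkgs` in pinning.nix is missing its subject; `# Make nix point systemwide to the pinned nixpkgs` reads correctly. It would also help to note in the same comment that, as I understand the linked approach, `nix.settings.experimental-features = "nix-command flakes"` is what lets `nixpkgs.flake.source` and the `flake:nixpkgs` nixPath entry take effect, since otherwise the three lines look unrelated.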
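Review bot: `system = builtins.currentSystem;` in home/vscode.nix picks the extension set by the system of the machine doing the evaluation rather than the host being configured, and it is not available under pure evaluation; `system = pkgs.stdenv.hostPlatform.system;` takes it from the `pkgs` the module already receives and works in both cases. Since the `open-vsx` extension is resolved through the npins-pinned `nix-vscode-extensions` input, a one-line comment above `sources = import ../npins;` saying that the pin is what fixes the extension hashes would make the supply-chain story clear to whoever bumps the pin later.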
@@ -2,6 +2,10 @@ { home-manager.users.qenya = { pkgs, ... }: { + imports = [ + ../../home/vscode.nix + ]; + home.homeDirectory = config.users.users.qenya.home; home.packages = with pkgs; [ @@ -11,9 +15,6 @@ bitwarden tor-browser-bundle-bin - - nil - nixpkgs-fmt ]; dconf = { @@ -47,37 +48,6 @@ userEmail = "git@katherina.rocks"; }; - programs.vscode = - let - system = builtins.currentSystem; - sources = import ../../npins; - extensions = (import sources.nix-vscode-extensions).extensions.${system}; - in - { - enable = true; - enableExtensionUpdateCheck = false; - enableUpdateCheck = false; - package = pkgs.vscodium; - extensions = (with pkgs.vscode-extensions; [ - jnoortheen.nix-ide - ms-python.python - ]) ++ (with extensions.open-vsx; [ - robbowen.synthwave-vscode - ]); - mutableExtensionsDir = false; - userSettings = { - "extensions.autoUpdate" = false; - "git.autofetch" = true; - "nix.enableLanguageServer" = true; - "nix.serverPath" = "nil"; - "nix.serverSettings".nil = { - diagnostics.ignored = [ "unused_binding" "unused_with" ]; - formatting.command = [ "nixpkgs-fmt" ]; - }; - "workbench.colorTheme" = "SynthWave '84"; - }; - }; - home.stateVersion = "23.11"; }; } From 331d4006c298714dd7d667a1f7fe99e83ad55d22 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 5 Jun 2024 21:15:54 +0100 Subject: [PATCH 05/12] [tohru] Modularise GNOME config --- home/gnome/appearance.nix | 25 ++++++++++++++++++ .../tohru => home/gnome}/background-image.jpg | Bin home/gnome/default.nix | 8 ++++++ hosts/tohru/home.nix | 23 +--------------- 4 files changed, 34 insertions(+), 22 deletions(-) create mode 100644 home/gnome/appearance.nix rename {hosts/tohru => home/gnome}/background-image.jpg (100%) create mode 100644 home/gnome/default.nix diff --git a/home/gnome/appearance.nix b/home/gnome/appearance.nix new file mode 100644 index 0000000..129aa1a --- /dev/null +++ b/home/gnome/appearance.nix 
@@ -0,0 +1,25 @@ +{ config, lib, pkgs, ... }: + +{ + dconf = { + enable = true; + settings = + let + backgroundOptions = { + color-shading-type = "solid"; + picture-options = "zoom"; + picture-uri = "${config.home.homeDirectory}/.background-image"; + primary-color = "#3a4ba0"; + secondary-color = "#2f302f"; + }; + in + { + "org/gnome/desktop/background" = backgroundOptions // { + picture-uri-dark = backgroundOptions.picture-uri; + }; + "org/gnome/desktop/screensaver" = backgroundOptions; + "org/gnome/desktop/interface".color-scheme = "prefer-dark"; + }; + }; + home.file.".background-image".source = ./background-image.jpg; +} diff --git a/hosts/tohru/background-image.jpg b/home/gnome/background-image.jpg similarity index 100% rename from hosts/tohru/background-image.jpg rename to home/gnome/background-image.jpg diff --git a/home/gnome/default.nix b/home/gnome/default.nix new file mode 100644 index 0000000..9e5a1ee --- /dev/null +++ b/home/gnome/default.nix @@ -0,0 +1,8 @@ +{ config, lib, pkgs, ... }: + +{ + imports = [ + # TODO: nix-ify other parts of GNOME config + ./appearance.nix + ]; +} diff --git a/hosts/tohru/home.nix b/hosts/tohru/home.nix index 332aa97..4727942 100644 --- a/hosts/tohru/home.nix +++ b/hosts/tohru/home.nix @@ -3,6 +3,7 @@ { home-manager.users.qenya = { pkgs, ... }: { imports = [ + ../../home/gnome ../../home/vscode.nix ]; 
@@ -17,28 +18,6 @@ tor-browser-bundle-bin ]; - dconf = { - enable = true; - settings = - let - backgroundOptions = { - color-shading-type = "solid"; - picture-options = "zoom"; - picture-uri = "${config.users.users.qenya.home}/.background-image"; - primary-color = "#3a4ba0"; - secondary-color = "#2f302f"; - }; - in - { - "org/gnome/desktop/background" = backgroundOptions // { - picture-uri-dark = backgroundOptions.picture-uri; - }; - "org/gnome/desktop/screensaver" = backgroundOptions; - "org/gnome/desktop/interface".color-scheme = "prefer-dark"; - }; - }; - home.file.".background-image".source = ./background-image.jpg; - programs.chromium.enable = true; programs.firefox.enable = true; From 050fe2d1a73bcd848d650b7e7f2cdd61f59e04e4 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 5 Jun 2024 21:23:22 +0100 Subject: [PATCH 06/12] Sync Git identity across all hosts (and also home directory location, but that's sort of standard anyway) --- hosts/tohru/home.nix | 8 -------- users/qenya.nix | 14 +++++++++++++- 2 files changed, 13 insertions(+), 9 deletions(-) diff --git a/hosts/tohru/home.nix b/hosts/tohru/home.nix index 4727942..f3b9d0f 100644 --- a/hosts/tohru/home.nix +++ b/hosts/tohru/home.nix @@ -7,8 +7,6 @@ ../../home/vscode.nix ]; - home.homeDirectory = config.users.users.qenya.home; - home.packages = with pkgs; [ fortune htop @@ -21,12 +19,6 @@ programs.chromium.enable = true; programs.firefox.enable = true; - programs.git = { - enable = true; - userName = "Katherina Walshe-Grey"; - userEmail = "git@katherina.rocks"; - }; - home.stateVersion = "23.11"; }; } diff --git a/users/qenya.nix b/users/qenya.nix index 9310f7b..7d10ede 100644 --- a/users/qenya.nix +++ b/users/qenya.nix 
@@ -13,4 +13,16 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEmkV9arotms79lJPsLHkdzAac4eu3pYS08ym0sB/on qenya@tohru" ]; }; -} \ No newline at end of file + + home-manager.users.qenya = { config, lib, pkgs, osConfig, ... }: { + home.homeDirectory = osConfig.users.users.qenya.home; + + programs.git = { + enable = true; + userName = "Katherina Walshe-Grey"; + userEmail = "git@katherina.rocks"; # TODO: update email + }; + + home.stateVersion = "23.11"; + }; +} From c6809078942c58975fa5562b61dc9b37c32b8910 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 5 Jun 2024 22:14:32 +0100 Subject: [PATCH 07/12] Sync CLI tools across all hosts --- home/btop.nix | 5 +++++ home/cli.nix | 12 ++++++++++++ hosts/tohru/home.nix | 6 ++---- hosts/yevaud/configuration.nix | 1 + hosts/yevaud/home.nix | 12 ++++++++++++ 5 files changed, 32 insertions(+), 4 deletions(-) create mode 100644 home/btop.nix create mode 100644 home/cli.nix create mode 100644 hosts/yevaud/home.nix diff --git a/home/btop.nix b/home/btop.nix new file mode 100644 index 0000000..6d4f49b --- /dev/null +++ b/home/btop.nix @@ -0,0 +1,5 @@ +{ config, lib, pkgs, ... }: + +{ + programs.btop.enable = true; +} diff --git a/home/cli.nix b/home/cli.nix new file mode 100644 index 0000000..b23d81f --- /dev/null +++ b/home/cli.nix @@ -0,0 +1,12 @@ +{ config, lib, pkgs, ... }: + +{ + home.packages = with pkgs; [ + tree # like `ls -R` but nicer + + # Extremely important + fortune + cowsay + lolcat + ]; +} diff --git a/hosts/tohru/home.nix b/hosts/tohru/home.nix index f3b9d0f..3067b81 100644 --- a/hosts/tohru/home.nix +++ b/hosts/tohru/home.nix @@ -3,15 +3,13 @@ { home-manager.users.qenya = { pkgs, ... }: { imports = [ + ../../home/btop.nix + ../../home/cli.nix ../../home/gnome ../../home/vscode.nix ]; home.packages = with pkgs; [ - fortune - htop - tree - bitwarden tor-browser-bundle-bin ]; diff --git a/hosts/yevaud/configuration.nix b/hosts/yevaud/configuration.nix index e8c073f..bd49606 100644 
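Review bot: `home.stateVersion = "23.11"` is now declared in users/qenya.nix while hosts/tohru/home.nix keeps its own copy (and hosts/yevaud/home.nix, added in PATCH 07, introduces a third); the module system tolerates this only while every value is identical, so bumping one without the others turns into a conflicting-definition evaluation error rather than a warning. Since this file is the per-user module shared by all hosts, keep the single definition here and drop the per-host ones, or leave it per host and remove it here, but not both. A comment such as `# stateVersion is set once here for every host` would record the decision.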
--- a/hosts/yevaud/configuration.nix +++ b/hosts/yevaud/configuration.nix @@ -4,6 +4,7 @@ imports = [ ./hardware-configuration.nix + ./home.nix ../../services/nginx.nix ../../services/openssh.nix ]; diff --git a/hosts/yevaud/home.nix b/hosts/yevaud/home.nix new file mode 100644 index 0000000..d5bb904 --- /dev/null +++ b/hosts/yevaud/home.nix @@ -0,0 +1,12 @@ +{ config, lib, pkgs, ... }: + +{ + home-manager.users.qenya = { pkgs, ... }: { + imports = [ + ../../home/btop.nix + ../../home/cli.nix + ]; + + home.stateVersion = "23.11"; + }; +} From c8da705e4bf56648a6dc0fc9e3b4b871570fb6ea Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 5 Jun 2024 22:23:45 +0100 Subject: [PATCH 08/12] [yevaud] Modularise forgejo config --- hosts/yevaud/configuration.nix | 45 +++++----------------------------- hosts/yevaud/forgejo.nix | 43 ++++++++++++++++++++++++++++++++ 2 files changed, 49 insertions(+), 39 deletions(-) create mode 100644 hosts/yevaud/forgejo.nix diff --git a/hosts/yevaud/configuration.nix b/hosts/yevaud/configuration.nix index bd49606..9ab4405 100644 --- a/hosts/yevaud/configuration.nix +++ b/hosts/yevaud/configuration.nix 
@@ -1,49 +1,16 @@ { config, lib, pkgs, ... }: { - imports = - [ - ./hardware-configuration.nix - ./home.nix - ../../services/nginx.nix - ../../services/openssh.nix - ]; + imports = [ + ./hardware-configuration.nix + ./home.nix + ../../services/openssh.nix + ./forgejo.nix + ]; boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; - services.nginx.virtualHosts = { - "git.katherina.rocks" = { - forceSSL = true; - enableACME = true; - locations."/".proxyPass = "http://[::1]:3000/"; - }; - }; - - services.forgejo = { - enable = true; - stateDir = "/data/forgejo"; - settings = { - DEFAULT.APP_NAME = "git.katherina.rocks"; - cache = { - ADAPTER = "twoqueue"; - HOST = ''{"size": 100, "recent_ratio": 0.25, "ghost_ratio": 0.5}''; - }; - database = { - DB_TYPE = "sqlite3"; - SQLITE_JOURNAL_MODE = "WAL"; - }; - security.LOGIN_REMEMBER_DAYS = 365; - server = { - DOMAIN = "git.katherina.rocks"; - HTTP_PORT = 3000; - ROOT_URL = "https://git.katherina.rocks/"; - }; - service.DISABLE_REGISTRATION = true; - }; - }; - system.stateVersion = "23.11"; - } diff --git a/hosts/yevaud/forgejo.nix b/hosts/yevaud/forgejo.nix new file mode 100644 index 0000000..fa5f6d8 --- /dev/null +++ b/hosts/yevaud/forgejo.nix 
@@ -0,0 +1,43 @@ +{ config, lib, pkgs, ... }: + +{ + imports = [ + ../../services/nginx.nix + ]; + + # TODO: ssh access + # TODO: email out + # TODO: interface customisation + + services.nginx.virtualHosts = { + # TODO: move to new domain + "git.katherina.rocks" = { + forceSSL = true; + enableACME = true; + locations."/".proxyPass = "http://[::1]:3000/"; + }; + }; + + services.forgejo = { + enable = true; + stateDir = "/data/forgejo"; + settings = { + DEFAULT.APP_NAME = "git.katherina.rocks"; + cache = { + ADAPTER = "twoqueue"; + HOST = ''{"size": 100, "recent_ratio": 0.25, "ghost_ratio": 0.5}''; + }; + database = { + DB_TYPE = "sqlite3"; + SQLITE_JOURNAL_MODE = "WAL"; + }; + security.LOGIN_REMEMBER_DAYS = 365; + server = { + DOMAIN = "git.katherina.rocks"; + HTTP_PORT = 3000; + ROOT_URL = "https://git.katherina.rocks/"; + }; + service.DISABLE_REGISTRATION = true; + }; + }; +} From 104d995dd28718956f287c0f0f0ad33442163023 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 5 Jun 2024 22:38:13 +0100 Subject: [PATCH 09/12] [tohru] Modularise firefox config (such as it is) --- home/firefox.nix | 6 ++++++ hosts/tohru/home.nix | 3 +-- 2 files changed, 7 insertions(+), 2 deletions(-) create mode 100644 home/firefox.nix diff --git a/home/firefox.nix b/home/firefox.nix new file mode 100644 index 0000000..95e399e --- /dev/null +++ b/home/firefox.nix @@ -0,0 +1,6 @@ +{ config, lib, pkgs, ... }: + +{ + # TODO: nix-ify Firefox config + programs.firefox.enable = true; +} diff --git a/hosts/tohru/home.nix b/hosts/tohru/home.nix index 3067b81..6451627 100644 --- a/hosts/tohru/home.nix +++ b/hosts/tohru/home.nix @@ -5,6 +5,7 @@ imports = [ ../../home/btop.nix ../../home/cli.nix + ../../home/firefox.nix ../../home/gnome ../../home/vscode.nix ]; @@ -13,9 +14,7 @@ bitwarden tor-browser-bundle-bin ]; - programs.chromium.enable = true; - programs.firefox.enable = true; home.stateVersion = "23.11"; }; From 433930bde613d481336746a023663444b7c57656 Mon Sep 17 00:00:00 2001 
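Review bot: `server.HTTP_PORT = 3000` in hosts/yevaud/forgejo.nix sets the port but not the bind address, while nginx proxies to `http://[::1]:3000/`; unless `HTTP_ADDR` is set somewhere outside this hunk, Forgejo listens on its default address rather than only on the IPv6 loopback the proxy targets, so the plaintext listener is reachable from any interface the firewall happens to permit. Pinning `server.HTTP_ADDR = "::1";` next to `HTTP_PORT` both matches the proxy target and keeps port 3000 loopback-only, and a comment on the `proxyPass` line noting that the two must agree would help. `security.LOGIN_REMEMBER_DAYS = 365` keeps remember-me sessions valid for a year; if that is a deliberate trade-off, say so in a comment.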
From: Katherina Walshe-Grey Date: Wed, 5 Jun 2024 23:03:25 +0100 Subject: [PATCH 10/12] Simplify build-related config --- colmena/local.nix | 14 ++++++++++++++ colmena/remote.nix | 12 ++++++++++++ hive.nix | 30 +++++++++++++----------------- hosts/tohru/configuration.nix | 6 ------ 4 files changed, 39 insertions(+), 23 deletions(-) create mode 100644 colmena/local.nix create mode 100644 colmena/remote.nix diff --git a/colmena/local.nix b/colmena/local.nix new file mode 100644 index 0000000..a610670 --- /dev/null +++ b/colmena/local.nix @@ -0,0 +1,14 @@ +{ name, nodes, config, lib, pkgs, ... }: + +{ + deployment = { + allowLocalDeployment = true; + targetHost = null; + tags = [ "local" ]; + }; + + environment.systemPackages = with pkgs; [ + colmena + npins + ]; +} diff --git a/colmena/remote.nix b/colmena/remote.nix new file mode 100644 index 0000000..a82923c --- /dev/null +++ b/colmena/remote.nix @@ -0,0 +1,12 @@ +{ name, nodes, config, lib, pkgs, ... }: + +{ + deployment = { + targetHost = "${name}.birdsong.network"; + tags = [ "remote" ]; + }; + + imports = [ + ../services/openssh.nix + ]; +} diff --git a/hive.nix b/hive.nix index fe52c2a..6c0d560 100644 --- a/hive.nix +++ b/hive.nix @@ -2,14 +2,11 @@ let sources = import ./npins; in { meta.nixpkgs = sources.nixpkgs; - defaults = { name, pkgs, ... }: { + defaults = { name, nodes, ... }: { deployment.replaceUnknownProfiles = false; networking.hostName = name; - environment.systemPackages = with pkgs; [ - git - wget - ]; + nixpkgs.config.allowUnfree = true; imports = [ (import "${sources.home-manager}/nixos") 
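Review bot: `nixpkgs.config.allowUnfree = true;` moves from hosts/tohru/configuration.nix into `defaults` in hive.nix, so it now applies to every node including yevaud, which did not have it before; if the server is meant to stay free-software-only, keep the line in colmena/local.nix or tohru's own configuration instead of `defaults`. If the broadening is intended, a one-line comment such as `# unfree packages allowed on every node` makes the choice explicit rather than an accident of deduplication.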
@@ -18,24 +15,23 @@ in { ]; }; - tohru = { - deployment = { - allowLocalDeployment = true; - targetHost = null; - }; - + tohru = { name, nodes, ... }: { networking.hostId = "31da19c1"; time.timeZone = "Europe/London"; - imports = [ ./hosts/tohru/configuration.nix ]; + imports = [ + ./colmena/local.nix + ./hosts/tohru/configuration.nix + ]; }; - yevaud = { name, ... }: { - deployment.targetHost = "${name}.birdsong.network"; - + yevaud = { name, nodes, ... }: { networking.hostId = "09673d65"; time.timeZone = "Etc/UTC"; - - imports = [ ./hosts/yevaud/configuration.nix ]; + + imports = [ + ./colmena/remote.nix + ./hosts/yevaud/configuration.nix + ]; }; } diff --git a/hosts/tohru/configuration.nix b/hosts/tohru/configuration.nix index 7ca7e19..d9ad02f 100644 --- a/hosts/tohru/configuration.nix +++ b/hosts/tohru/configuration.nix @@ -27,18 +27,12 @@ sound.enable = true; hardware.pulseaudio.enable = true; - environment.systemPackages = with pkgs; [ - colmena - npins - ]; - programs.steam = { enable = true; remotePlay.openFirewall = true; dedicatedServer.openFirewall = true; }; - nixpkgs.config.allowUnfree = true; hardware.enableAllFirmware = true; services.fwupd.enable = true; services.fstrim.enable = true; From 1ca847cd91d291dd52d2126e362f8dd4b12e05bd Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 5 Jun 2024 23:22:51 +0100 Subject: [PATCH 11/12] [tohru] Modularise steam config --- hosts/tohru/configuration.nix | 8 +------- services/steam.nix | 9 +++++++++ 2 files changed, 10 insertions(+), 7 deletions(-) create mode 100644 services/steam.nix diff --git a/hosts/tohru/configuration.nix b/hosts/tohru/configuration.nix index d9ad02f..a233258 100644 --- a/hosts/tohru/configuration.nix +++ b/hosts/tohru/configuration.nix @@ -5,6 +5,7 @@ [ ./hardware-configuration.nix ./home.nix + ../../services/steam.nix ]; boot.loader.systemd-boot.enable = true; 
@@ -19,7 +20,6 @@ services.xserver.enable = true; services.xserver.displayManager.gdm.enable = true; services.xserver.desktopManager.gnome.enable = true; - services.xserver.xkb.layout = "gb"; services.printing.enable = true; @@ -27,12 +27,6 @@ sound.enable = true; hardware.pulseaudio.enable = true; - programs.steam = { - enable = true; - remotePlay.openFirewall = true; - dedicatedServer.openFirewall = true; - }; - hardware.enableAllFirmware = true; services.fwupd.enable = true; services.fstrim.enable = true; diff --git a/services/steam.nix b/services/steam.nix new file mode 100644 index 0000000..e03ca13 --- /dev/null +++ b/services/steam.nix @@ -0,0 +1,9 @@ +{ config, lib, pkgs, ... }: + +{ + programs.steam = { + enable = true; + remotePlay.openFirewall = true; + dedicatedServer.openFirewall = true; + }; +} \ No newline at end of file From bf2d7f7f10918a0d976008102390f473226dd236 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 5 Jun 2024 23:30:24 +0100 Subject: [PATCH 12/12] Rename services directory to common --- colmena/remote.nix | 2 +- {services => common}/nginx.nix | 0 {services => common}/openssh.nix | 0 {services => common}/steam.nix | 0 hosts/tohru/configuration.nix | 2 +- hosts/yevaud/configuration.nix | 1 - hosts/yevaud/forgejo.nix | 2 +- 7 files changed, 3 insertions(+), 4 deletions(-) rename {services => common}/nginx.nix (100%) rename {services => common}/openssh.nix (100%) rename {services => common}/steam.nix (100%) diff --git a/colmena/remote.nix b/colmena/remote.nix index a82923c..efe4e6e 100644 --- a/colmena/remote.nix +++ b/colmena/remote.nix @@ -7,6 +7,6 @@ }; imports = [ - ../services/openssh.nix + ../common/openssh.nix ]; } diff --git a/services/nginx.nix b/common/nginx.nix similarity index 100% rename from services/nginx.nix rename to common/nginx.nix diff --git a/services/openssh.nix b/common/openssh.nix similarity index 100% rename from services/openssh.nix rename to common/openssh.nix 
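Review bot: `services.xserver.xkb.layout = "gb"` is deleted from hosts/tohru/configuration.nix without being re-added anywhere in this patch, which the diffstat confirms (7 deletions against one added import, while services/steam.nix gains only the steam block plus its header); after this commit the X keyboard layout on tohru falls back to the default even though `console.keyMap = "uk"` is kept. If the drop is intentional it belongs in its own commit or at least in the message; otherwise restore the line.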
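Review bot: services/steam.nix sets `remotePlay.openFirewall = true` and `dedicatedServer.openFirewall = true`, so every host that imports it opens those inbound ports, yet it sits in the shared services/ directory next to openssh.nix and nginx.nix, which are meant for fleet-wide use. A header comment such as `# Desktop-only: opens Steam remote play / dedicated server ports` would keep it from being pulled into a server's imports by analogy with its neighbours.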
diff --git a/services/steam.nix b/common/steam.nix similarity index 100% rename from services/steam.nix rename to common/steam.nix diff --git a/hosts/tohru/configuration.nix b/hosts/tohru/configuration.nix index a233258..637d9cb 100644 --- a/hosts/tohru/configuration.nix +++ b/hosts/tohru/configuration.nix @@ -5,7 +5,7 @@ [ ./hardware-configuration.nix ./home.nix - ../../services/steam.nix + ../../common/steam.nix ]; boot.loader.systemd-boot.enable = true; diff --git a/hosts/yevaud/configuration.nix b/hosts/yevaud/configuration.nix index 9ab4405..289bff2 100644 --- a/hosts/yevaud/configuration.nix +++ b/hosts/yevaud/configuration.nix @@ -4,7 +4,6 @@ imports = [ ./hardware-configuration.nix ./home.nix - ../../services/openssh.nix ./forgejo.nix ]; diff --git a/hosts/yevaud/forgejo.nix b/hosts/yevaud/forgejo.nix index fa5f6d8..31e8494 100644 --- a/hosts/yevaud/forgejo.nix +++ b/hosts/yevaud/forgejo.nix @@ -2,7 +2,7 @@ { imports = [ - ../../services/nginx.nix + ../../common/nginx.nix ]; # TODO: ssh access