improvements

Lukas Wurzinger 2024-04-13 20:41:18 +02:00
parent 8eac2df40e
commit 41ef809bf9
20 changed files with 73 additions and 234 deletions


@ -5,13 +5,9 @@
}: {
services = {
desktopManager.plasma6.enable = true;
xserver = {
displayManager.sddm = {
enable = true;
excludePackages = [pkgs.xterm];
displayManager.sddm = {
enable = true;
wayland.enable = true;
};
wayland.enable = true;
};
};


@ -1,11 +1,15 @@
{
{config, ...}: {
age.secrets.user-guest.file = ../../secrets/user-guest.age;
users = {
groups.guest = {};
users.guest = {
isNormalUser = true;
password = "guest";
hashedPasswordFile = config.age.secrets.user-guest.path;
extraGroups = ["wheel" "networkmanager" "gamemode"];
};
};
services.displayManager.hiddenUsers = ["guest"];
}
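Review bot: The `guest` account still lists `wheel` in `extraGroups`, so replacing the literal `password = "guest";` with `hashedPasswordFile` does not change the fact that anyone who knows the guest password can reach sudo (assuming the usual sudo rule for `wheel` applies; that configuration is not visible here). I would change the line to `extraGroups = ["networkmanager" "gamemode"];`. The +/- markers are lost in this rendering, so `password = "guest";` is read as the removed line and `hashedPasswordFile` as its replacement. If that reading is right, the hash stored in `user-guest.age` should belong to a new password, because the old one stays readable in the repository history.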


@ -14,11 +14,12 @@
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK4U9RzV/gVGBfrCOye7BlS11g5BS7SmuZ36n2ZIJyAX lukas@glacier"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAztZgcRBHqX8Wb2nAlP1qCKF205M3un/D1YnREcO7Dy lukas@flamingo"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMC6vIcPgOHiAnG1be8IQVePlrsxN/X9PEFJghS6EcOb lukas@scenery"
];
extraGroups = ["wheel" "networkmanager" "gamemode"];
linger = true;
};
};
};
services.displayManager.sddm.settings.Autologin.User = "lukas";
}
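Review bot: `services.displayManager.sddm.settings.Autologin.User = "lukas";` (which appears to be the added line; the +/- markers are lost) opens a session without a prompt for an account that is in `wheel` and has `linger = true`. Whatever protects the machine before SDDM starts is then the only login barrier, and disk encryption is not visible in this hunk. I would document that dependency next to the setting, e.g. `# Autologin: the disk-encryption passphrase at boot is the only login barrier; keep this off hosts without full-disk encryption.` Separately, the `lukas@scenery` entry in `openssh.authorizedKeys.keys` should be dropped if this hunk does not already remove it, since the same commit takes scenery out of the flake hosts. The enclosing user attribute set begins outside the hunk.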


@ -247,11 +247,11 @@
},
"hardware": {
"locked": {
"lastModified": 1711352745,
"narHash": "sha256-luvqik+i3HTvCbXQZgB6uggvEcxI9uae0nmrgtXJ17U=",
"lastModified": 1712909959,
"narHash": "sha256-7/5ubuwdEbQ7Z+Vqd4u0mM5L2VMNDsBh54visp27CtQ=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "9a763a7acc4cfbb8603bb0231fec3eda864f81c0",
"rev": "f58b25254be441cd2a9b4b444ed83f1e51244f1f",
"type": "github"
},
"original": {
@ -482,11 +482,11 @@
},
"nixpkgs_5": {
"locked": {
"lastModified": 1712163089,
"narHash": "sha256-Um+8kTIrC19vD4/lUCN9/cU9kcOsD1O1m+axJqQPyMM=",
"lastModified": 1712791164,
"narHash": "sha256-3sbWO1mbpWsLepZGbWaMovSO7ndZeFqDSdX0hZ9nVyw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "fd281bd6b7d3e32ddfa399853946f782553163b5",
"rev": "1042fd8b148a9105f3c0aca3a6177fd1d9360ba5",
"type": "github"
},
"original": {


@ -31,7 +31,6 @@
inputs.agenix.nixosModules.default
inputs.mailserver.nixosModule
./modules
./common
./class/${class}
./hosts/${name}
@ -43,7 +42,6 @@
nixosConfigurations = builtins.mapAttrs commonNixosSystem {
glacier = "desktop";
flamingo = "desktop";
scenery = "desktop";
abacus = "server";
vessel = "server";
};


@ -1,6 +1,6 @@
{modulesPath, ...}: {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
"${modulesPath}/profiles/qemu-guest.nix"
./atuin.nix
./conduit.nix


@ -1,67 +0,0 @@
{
config,
lib,
...
}: {
# TODO
age.secrets = {
hiraeth-jwt-sign-key = {
file = ../../secrets/hiraeth-jwt-sign-key.age;
owner = "hiraeth";
group = "hiraeth";
};
hiraeth-jwt-verify-key = {
file = ../../secrets/hiraeth-jwt-verify-key.age;
owner = "hiraeth";
group = "hiraeth";
};
};
services = {
postgresql = {
enable = lib.mkDefault true;
ensureDatabases = ["hiraeth"];
ensureUsers = [
{
name = "hiraeth";
ensureDBOwnership = true;
}
];
};
hiraeth = {
enable = true;
settings = {
address = "127.0.0.1:8040";
name = "hiraeth";
db_type = "postgres";
datadir = "/var/lib/hiraeth";
dsn = "host=/run/postgresql user=hiraeth";
jwt_sign_key_file = config.age.secrets.hiraeth-jwt-sign-key.path;
jwt_verify_key_file = config.age.secrets.hiraeth-jwt-verify-key.path;
chunk_size = 1024 * 1024 * 128;
timeout = 60;
inline_types = [
"application/pdf"
"audio/mpeg"
"audio/flac"
"audio/vorbis"
"image/jpeg"
"image/png"
"text/plain"
"video/mp4"
];
};
};
nginx.virtualHosts."share.${config.networking.domain}" = {
enableACME = true;
forceSSL = true;
quic = true;
locations."/".proxyPass = "http://${config.services.hiraeth.settings.address}";
};
};
}


@ -4,7 +4,7 @@
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
"${modulesPath}/installer/scan/not-detected.nix"
inputs.hardware.nixosModules.lenovo-thinkpad-t480
];


@ -4,7 +4,7 @@
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
"${modulesPath}/installer/scan/not-detected.nix"
inputs.hardware.nixosModules.common-cpu-amd
inputs.hardware.nixosModules.common-gpu-amd


@ -1,25 +0,0 @@
{
inputs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
inputs.hardware.nixosModules.lenovo-thinkpad-x260
];
nixpkgs.hostPlatform = "x86_64-linux";
boot = {
initrd.availableKernelModules = ["xhci_pci" "nvme" "usb_storage" "sd_mod"];
kernelModules = ["kvm-intel"];
};
system.stateVersion = "24.05";
powerManagement.cpuFreqGovernor = "powersave";
console.keyMap = "de";
services.xserver.layout = "de";
}


@ -4,7 +4,7 @@
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
"${modulesPath}/installer/scan/not-detected.nix"
inputs.hardware.nixosModules.common-cpu-intel
inputs.hardware.nixosModules.common-gpu-intel


@ -1,5 +0,0 @@
{
imports = [
./hiraeth.nix
];
}


@ -1,75 +0,0 @@
{
config,
lib,
pkgs,
...
}: let
cfg = config.services.hiraeth;
settingsFormat = pkgs.formats.toml {};
in {
options.services.hiraeth = {
enable = lib.mkEnableOption "hiraeth";
package = lib.mkPackageOption pkgs "hiraeth" {};
settings = lib.mkOption {
type = settingsFormat.type;
default = {};
};
};
config = lib.mkIf cfg.enable {
systemd.services.hiraeth = {
description = "Hiraeth File Sharing Service";
after = ["network.target"];
wantedBy = ["multi-user.target"];
serviceConfig = {
Type = "simple";
User = config.users.users.hiraeth.name;
Group = config.users.groups.hiraeth.name;
StateDirectory = "hiraeth";
StateDirectoryMode = "0700";
UMask = "0077";
WorkingDirectory = "/var/lib/hiraeth";
ExecStart = "${pkgs.getExe' cfg.package "hiraeth"} run";
Restart = "always";
TimeoutSec = 10;
ReadOnlyPaths = "/etc/hiraeth/hiraeth.toml";
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
ProtectHome = "read-only";
PrivateTmp = true;
PrivateUsers = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = ["AF_INET" "AF_INET6"];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
};
};
users = {
users.hiraeth = {
isSystemUser = true;
group = config.users.groups.hiraeth.name;
};
groups.hiraeth = {};
};
environment.etc."hiraeth/hiraeth.toml" = {
source = settingsFormat.generate "hiraeth.toml" cfg.settings;
mode = "0440";
user = config.users.users.hiraeth.name;
group = config.users.users.hiraeth.group;
};
};
}


@ -1,11 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 SFHVrw 3JZ4vApGhqF9iRQvfhkg8gIonZLGrBp9i9E1RZM7zn8
3v08N6zWIuEIs+bt2GeWF60it9sDE4E2+hgoTbayv4k
-> ssh-ed25519 S+dwQQ NfiaomfNXA5cJKzdPWJmJlHK4r2ZN24E2tymgROlogM
29EKJivtkdnWOtTee56peTOgEjBM4gXVSlzUekBUKZU
-> ssh-ed25519 5IO6QQ DifPg5bQ5C0h2URSfei3NV+sfBkeNs6tz/OSJzACcDw
yV4UkgUsUUdZOpPoLgmJy9sJIrHIN/5esobFFJfsMC8
-> ssh-ed25519 ffmsLw 1/Ur807TPTjuapdynnicK8k2ACiMRDZ4CQpgAyiAql0
9/4FKZqBnk2Q/VY6j/UOCuwUpbwmOMrhNh7zIdRTvqk
--- PXMswgq0lbERBdFOFPnc48j3r2t9aR3+SPenu0karWg
ª‹ð~指2¼0¥<30>Ž“£ö(º©Å(C•¤ÊΡ_W#å™äýW˜¾ŒÊNâIs·Rpý´4JÔ<4A><C394>¢Û ïÕ>Äc—p"C8¿+7:µ¡¯îCÆ“ìJÈj»
-> ssh-ed25519 SFHVrw LiDCAhLHNnb0AbtKaSxP32Erwaqpm9rkVqqTYsg7VX4
rgZBcTW88Zynex2AWXHpJ5VdlLAe3MtNN4vRhV03/yw
-> ssh-ed25519 S+dwQQ b1tjzc5ipNB1O5+sj+NTdPquv842V1SNfVLwlhllpmo
q0KI/Rb1D359bRSsrwJrG0Sfy7YFe1y2qZZY6e5SySE
-> ssh-ed25519 ffmsLw OLoQCT99w3kM1wyzCWGeh6tO7fH46GbIzLSWJNxA+V8
+hfzOs8JPE5/Paag/7PkIYmRG8ppJMouvxDcyyfrzv4
--- Q2ZHMtaw0pwEOOGBxnRRNzjfEbcQqzP82QNFPRgazGw
°Dź$|dtÚSł}NŮŠ{ß`vçÓb«Ű†şfĚȡnü¤5””‹ő<>ßťR*O@ŚŢ€Xw óyŐ×ĺj?Oë4b¸łÔ  Č÷©±Á]8N|+%


@ -1,12 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 SFHVrw F1EZXe0gnSNWIhPqxkSPLUpU7yROj8mSClFjFjpvdV8
4McyaDtxvEOI9CBLNMEimnFTtXGoUcVzfQ3zfmMl3o8
-> ssh-ed25519 S+dwQQ WT+jOjytoIKg2cPlD1bchFYaKxTJ63nixignaTNOqBM
kf5FYspdW859XaZL+mbnkchoUg4mFONuV8axas7RuLI
-> ssh-ed25519 5IO6QQ b8cU+T+50PZ24o2YflQ9EEojxHDdnB9hlPdcggruhHM
qPjpL4q6+0osKkseBlY0ACSZbnhHoPo7RMP31t7l/T4
-> ssh-ed25519 ffmsLw 3Y8iqWTYOJUCNexfOkd3QfG4P5onmanDbh7gdUPYwzE
smKtEI17pzGvXkiJT9jC4hoECCHm1sEd7rEu92BUBSY
--- BEki7iC6CxE/6NEdkkjAVkBKgO5nuxqLxRu4JiGBcaY
äè\zésGÆž˜Œ¥<C592>­z—Á¬¬˜3òVR®Ó”Ý
¯ •&ÖXq0 ;TK
-> ssh-ed25519 SFHVrw jUO5Z4j1ADd4QMPziuvNDh0iUirvrV32Z1+xbnkoVks
FJGle7Kr6knbPrgCg6Lk1ge+jV7Im4Z8FAmkQKlP6Ik
-> ssh-ed25519 S+dwQQ wKH3jZM/aruNPE5tYSROFGUdXw2o3lws76OvAXubhxk
Jhv2kqxgHM26iuvDs0LTf4ahlaiRacN6wpH7iHuknF4
-> ssh-ed25519 ffmsLw kNKHrTEm4pFyC1r6Kjah3pl+0xnTuFt9ccha0uh0Z3Q
bLP4RrHR5gUm2ZuFNcK2m6tnC24PiGdevnuNTQ9Kb0g
--- FznEfHzpAG79LYYxIBJYgCFeUrb9Tn9yS5wXfJVeeEU
µ+łß†cä8:vbT]4$\<5C>)Đ„şš[TŻ@W;”FfĎĚÂNâčFÖG

Binary file not shown.


@ -2,18 +2,25 @@ let
users = {
"lukas@flamingo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAztZgcRBHqX8Wb2nAlP1qCKF205M3un/D1YnREcO7Dy";
"lukas@glacier" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK4U9RzV/gVGBfrCOye7BlS11g5BS7SmuZ36n2ZIJyAX";
"lukas@scenery" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMC6vIcPgOHiAnG1be8IQVePlrsxN/X9PEFJghS6EcOb";
};
hosts = {
glacier = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHrKpoDV/ImivtTZVbSsQ59IbGYVvSsKls4av2Zc9Nk8";
abacus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHoUgClpkOlBEffQOb9KkVn970RwnIhU0OiVr7P2WVzg";
scenery = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHDS4LGl73WhC7NSzFe0ghZ0EwLjuP/43GGS65pPpu0";
vessel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKkYcOb1JPNLTJtob1TcuC08cH9P2APAhLR26RYd573d";
flamingo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIInV+UpCZhoTwgkgnCzCPEu3TD5b5mu6tagRslljrFJ/";
};
desktops = {
inherit (hosts) glacier flamingo;
};
servers = {
inherit (hosts) abacus vessel;
};
in {
"user-lukas.age".publicKeys = (builtins.attrValues users) ++ (builtins.attrValues hosts);
"user-guest.age".publicKeys = (builtins.attrValues users) ++ (builtins.attrValues desktops);
"mail-lukas.age".publicKeys = (builtins.attrValues users) ++ [hosts.abacus];
"vaultwarden.age".publicKeys = (builtins.attrValues users) ++ [hosts.abacus];
"nextcloud-lukas.age".publicKeys = (builtins.attrValues users) ++ [hosts.abacus];
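Review bot: Dropping `lukas@scenery` and the `scenery` host key from the recipient sets only affects ciphertext written from this commit on; earlier revisions of every `.age` file remain in the repository history and stay decryptable with those two keys. If scenery is being retired because its keys are lost or no longer trusted, the secret values themselves (the mail, vaultwarden and nextcloud entries and the rest) need to be rotated, not just rekeyed. The +/- markers are lost in this rendering, so the removal of the scenery entries is inferred from the shorter recipient lists in the re-encrypted files. I would record this next to `hosts`, e.g. `# Removing a key here and rekeying does not revoke it for ciphertext already in git history; rotate the secret when a host is retired.` The `let … in` attribute set continues past the end of this hunk.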

12
secrets/user-guest.age Normal file

@ -0,0 +1,12 @@
age-encryption.org/v1
-> ssh-ed25519 SFHVrw XwFbvZ91rDE2Ux6BOxWqa0tpmp9W93n6c15WewMd83g
bHU1wwzxwEc2Ie6KcGBWhRv2IeQDKEtzWpRSujPvzLk
-> ssh-ed25519 S+dwQQ O9Nd+LXDcf7fP8xgqcmVpM44LEk1KaB8p9RHRfp+6Bw
LOmhTxVX93XgM6lmr26MrNOMG2jf0ZAOAMiYR7KxRro
-> ssh-ed25519 d2fKsw 5jpAhGTQ7VqJrT7SWfaAudYrVtIFYRRv1R5FgL8FeCs
rRJe5oiSVtjPBGTJOdgFTXOzld0SxKpqAtXz7hHgB6c
-> ssh-ed25519 US6ATA jol1HBmQUl3qjxLkSOZ17r9dqxu7lB/dDBqrccuq4Qk
EyPFGHi1jI2fIRCourzGvvMJGQYsAjttEGiOUachi9Q
--- lhZyqOVkSJS/30/cyWdLTVNMltAIHYF4DOIyK32VR/0
ò›¨ 50 0
=0ëþôMÃKÇF¡ë<TEãtK$?üÀ/QÊ~/0i¦:è}Ò3×X<6C>P¼QåZe*ëŠ<C3AB>çg8<67>_|¥ËíHã0;ê³°'êpS3ð˯V”)p_>Øu


@ -1,19 +1,17 @@
age-encryption.org/v1
-> ssh-ed25519 SFHVrw /QFzbfKzJnpIMXadEiDJyQJneVbQWwaoQlQ8B85mFiQ
0pH7idWoz/hQFa9lsdJoc3vN36znranVkOtiGaQpCxs
-> ssh-ed25519 S+dwQQ /4ZF8giAG2BGML1Fy73ucSb4jZK0EDgAmgj05ymbJzA
lVi9ad3aPL4G/GFS6eAcxdJ9jDHWco0m+UHTOfkfNbQ
-> ssh-ed25519 5IO6QQ mPE6sTVXzyVe6UdKhhmFifaETPcgTcNtn2Ybwf+nQyY
Zh2PzFw2zP/MiVpqRLANXe9jGj4GdtnyOxBsDemgoM4
-> ssh-ed25519 ffmsLw rj8FVCxSa49C30ZNW+gKlHXj5fOiTfHuecfumr0TTWo
JqzlRhRXMgdzmn8mic7CFzLfMHPHbH0q7Vo1dB4byaY
-> ssh-ed25519 d2fKsw +jbHllavLuC5zykfwzCe3r7c+4mEn3D6FmFdgAKWCz0
lkwdDPkFxlXlwwZ6cvJ+AxgtGqMvNtO9/PdNPjhYvRM
-> ssh-ed25519 US6ATA PKNAfoRfY6MfnRLSOUAhX1EDpXNbPC8EVTtNZ1KoIEA
6rYHtwcdt0qXJr9S8UZ/q3xmTo416sY2unOlnN+/oa0
-> ssh-ed25519 2ktApw uDF57fuv7fq+LlQm93McI8xsBlZPDimeI7uXajXC9iM
gr7aVLkhgZmyv0Q7KlHEJt370NeWXH22A0Avns7mN6U
-> ssh-ed25519 Sm0lOA t0uGXeSo6JhBQh5FsH6Z3ZRR/eEm+MVwSyS8TVDj+kg
2aSkF1Hk8NGdNh2RNlBByGgBasKvLPhhdDQRmHe/fUc
--- x+N3g8ekH9yUa3vXP/2u4PtCeVKMEJLlEaLf2Nb1vHo
-3ÉOïIgÕ)ÿM7c©yÿ9(¥õi,Ezr¡,ÂaKºÔ°zb<7A>àU­3<C2AD>t]"™{Åô*t!Ó‡á(‡3Üà…`×yêlU;Ô[<5B>8fá—>E”ÉmUä2{+ÝTk¹^áWýàúÙN,]d¦ƒÖ<C692>íºQõ» ©û:°ì» ШÝ_ò•àuú
-> ssh-ed25519 SFHVrw RbCDTFm8etGA6wAA26l52Ezrj5g151L/uYmkCC57rh0
az9uaQvCJy8ocB0ij+qmu1MayhkFYVK2NHvlB0+8RhA
-> ssh-ed25519 S+dwQQ xUmmLtRfmdxSWv9sU2OIgced3+hn6H2fvHxtlrThF3Q
hr3tB+uqcv3JNBFyjf2O6xanN2hnlbCdHH5wLidcbfk
-> ssh-ed25519 ffmsLw NxXG3+tjYTxrAnZ/gIy/E08ozfSkl2GbUaaCAextd1E
fKwGEIu4I1sczSvu2bsGcMZSkuYuO5gWFRyg1PoLfV4
-> ssh-ed25519 d2fKsw glKuNTvDZxE7SsxBKP+0P4Ldl/a4MwvpzwkgbqFNuEM
8XqemFkix1MjVJm42fQ0vtWaxiFGZWOer+OoRaVLccg
-> ssh-ed25519 US6ATA J5l4UYEZVCUS4J69YTwEyTdFvPRoWlpp88iWgEEDe0Y
ogUa74Vg22CN2zyDZzIoxUokMVPXzllfb1Vj53/CbmM
-> ssh-ed25519 Sm0lOA 5YoOeiPiEfqT9mWUTSUusm9h5CceeeCVJS1iofooTHw
A47tIbHSaQzaxrBatwqQEE2JIa67sqMlstkDyWIuE7Q
--- QzbsNPZn7A5mPNUXOkkSZYt/mx/KrLiBHtI4wi2ynLE
¨pç<GûÌþ¿èÅUlûäC&ux‡
òÏFËä­éðKw“í7 jv|¿·T\œ„ ¾®˜Äà ;R®ƒD¶—`ÂQ|\ˆë:
v5ÑcõŸÆärDxáÔ«Š`à4#ñ,åè¦,Ϭ#óo•Ùkl²¢a¡Øtu*úËPÎÜée=6‰e®âS

Binary file not shown.