Diffstat (limited to 'nix/machines')
-rw-r--r--nix/machines/common/network.nix41
-rw-r--r--nix/machines/darwin-shared.nix111
-rw-r--r--nix/machines/darwin/aarch64-darwin/hq-kwny2vh41p.nix96
-rw-r--r--nix/machines/darwin/aarch64-darwin/mba-m2.nix98
-rw-r--r--nix/machines/hq-kwny2vh41p/default.nix6
-rw-r--r--nix/machines/mba-m2/default.nix11
-rw-r--r--nix/machines/nixos/x86_64-linux/vm-synology.nix (renamed from nix/machines/vm-synology/default.nix)49
-rw-r--r--nix/machines/vm-synology/backups.nix73
-rw-r--r--nix/machines/vm-synology/disk.nix55
-rw-r--r--nix/machines/vm-synology/git.nix25
-rw-r--r--nix/machines/vm-synology/hardware.nix32
-rw-r--r--nix/machines/vm-synology/ingress.nix16
-rw-r--r--nix/machines/vm-synology/nginx.nix10
13 files changed, 206 insertions, 417 deletions
diff --git a/nix/machines/common/network.nix b/nix/machines/common/network.nix
deleted file mode 100644
index fb31099..0000000
--- a/nix/machines/common/network.nix
+++ /dev/null
@@ -1,41 +0,0 @@
-{
- lib,
- pkgs,
- config,
- ...
-}:
-{
- networking.firewall.allowPing = true;
-
- # Default to systemd-networkd usage.
- networking.useNetworkd = lib.mkDefault true;
- systemd.network.wait-online.anyInterface = lib.mkDefault config.networking.useDHCP;
-
- # Use systemd-resolved for DoT support.
- services.resolved = {
- enable = true;
- dnssec = "false";
- extraConfig = ''
- DNSOverTLS=yes
- '';
- };
-
- # Used by systemd-resolved, not directly by resolv.conf.
- networking.nameservers = [
- "8.8.8.8#dns.google"
- "1.0.0.1#cloudflare-dns.com"
- ];
-
- networking.firewall.logRefusedConnections = false;
-
- boot.kernel.sysctl = {
- "net.ipv4.tcp_fastopen" = 3;
- "net.ipv4.tcp_tw_reuse" = 1;
- };
-
- environment.systemPackages = with pkgs; [
- mtr
- tcpdump
- traceroute
- ];
-}
diff --git a/nix/machines/darwin-shared.nix b/nix/machines/darwin-shared.nix
deleted file mode 100644
index 978b43a..0000000
--- a/nix/machines/darwin-shared.nix
+++ /dev/null
@@ -1,111 +0,0 @@
-{ pkgs, ... }:
-{
- nix = {
- extraOptions = ''
- tarball-ttl = 900
- '';
- gc = {
- automatic = true;
- interval = {
- Weekday = 0;
- Hour = 0;
- Minute = 0;
- };
- options = "--delete-older-than 30d";
- };
- package = pkgs.nixVersions.stable;
- settings = {
- substituters = [
- "https://cache.nixos.org"
- "https://nix-community.cachix.org"
- ];
- trusted-public-keys = [
- "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
- "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
- ];
- trusted-users = [
- "@admin"
- "fcuny"
- ];
- experimental-features = [
- "nix-command"
- "flakes"
- ];
- };
- };
-
- system.primaryUser = "fcuny";
-
- system.defaults = {
- dock = {
- autohide = true;
- dashboard-in-overlay = false;
- launchanim = false; # Don't animate opening applications.
- mru-spaces = false; # don’t rearrange spaces based on the most recent use
- orientation = "left";
- show-recents = false;
- showhidden = false;
- tilesize = 60; # Default is 64.
- wvous-br-corner = 1; # Disable Notes hot corner.
- };
- finder.AppleShowAllExtensions = true;
-
- CustomUserPreferences = {
- "com.apple.desktopservices" = {
- # Avoid creating .DS_Store files on network or USB volumes
- DSDontWriteNetworkStores = true;
- DSDontWriteUSBStores = true;
- };
- };
-
- # Requires the directory to already exist.
- # See system.activationScripts.postUserActivation
- screencapture.location = "~/Documents/screenshots";
- SoftwareUpdate.AutomaticallyInstallMacOSUpdates = true;
- };
-
- # TODO: - The `system.activationScripts.postUserActivation` option has
- # been removed, as all activation now takes place as `root`. Please
- # restructure your custom activation scripts appropriately,
- # potentially using `sudo` if you need to run commands as a user.
- # system.activationScripts.postUserActivation.text = ''
- # mkdir -p ~/Documents/screenshots
- # '';
-
- fonts.packages = with pkgs; [
- source-code-pro
- ];
-
- system.keyboard = {
- enableKeyMapping = true;
- remapCapsLockToControl = true;
- };
-
- # Touch ID for sudo auth
- security.pam.services.sudo_local.touchIdAuth = true;
-
- environment.shells = [ pkgs.fish ];
-
- programs.fish.enable = true;
- programs.fish.shellInit = ''
- # Nix
- if test -e '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.fish'
- source '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.fish'
- end
- # End Nix
- '';
-
- ## this sets the PATH for GUI apps
- ## needs a restart
- launchd.user.agents = {
- user-paths = {
- command = "/bin/launchctl config user path '/opt/homebrew/bin:/Users/fcuny/.nix-profile/bin:/etc/profiles/per-user/fcuny/bin:/run/current-system/sw/bin:/nix/var/nix/profiles/default/bin:/usr/local/bin:/usr/bin:/usr/sbin:/bin:/sbin'";
- serviceConfig.RunAtLoad = true;
- };
- };
-
- programs.ssh.knownHosts = {
- "github.com".publicKey =
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
- };
-}
diff --git a/nix/machines/darwin/aarch64-darwin/hq-kwny2vh41p.nix b/nix/machines/darwin/aarch64-darwin/hq-kwny2vh41p.nix
new file mode 100644
index 0000000..c44ccaf
--- /dev/null
+++ b/nix/machines/darwin/aarch64-darwin/hq-kwny2vh41p.nix
@@ -0,0 +1,96 @@
+{
+ adminUser,
+ pkgs,
+ self,
+ ...
+}:
+{
+
+ imports = [
+ "${self}/nix/profiles/home-manager.nix"
+ "${self}/nix/profiles/darwin.nix"
+ ];
+
+ nix = {
+ extraOptions = ''
+ tarball-ttl = 900
+ '';
+ gc = {
+ automatic = true;
+ interval = {
+ Weekday = 0;
+ Hour = 0;
+ Minute = 0;
+ };
+ options = "--delete-older-than 30d";
+ };
+ package = pkgs.nixVersions.stable;
+ settings = {
+ substituters = [
+ "https://cache.nixos.org"
+ "https://nix-community.cachix.org"
+ ];
+ trusted-public-keys = [
+ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ ];
+ trusted-users = [
+ "@admin"
+ "fcuny"
+ ];
+ experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+ };
+ };
+
+ system.primaryUser = adminUser.name;
+
+ # https://github.com/nix-darwin/nix-darwin/issues/1339
+ ids.gids.nixbld = 30000;
+
+ networking.hostName = "mba-m2";
+
+ fonts.packages = with pkgs; [
+ source-code-pro
+ ];
+
+ # The user should already exist, but we need to set this up so Nix knows
+ # what our home directory is (https://github.com/LnL7/nix-darwin/issues/423).
+ users = {
+ users.${adminUser.name} = {
+ home = "/Users/${adminUser.name}";
+ shell = pkgs.fish;
+ };
+ };
+
+ environment.shells = [ pkgs.fish ];
+
+ programs.fish.enable = true;
+ programs.fish.shellInit = ''
+ # Nix
+ if test -e '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.fish'
+ source '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.fish'
+ end
+ # End Nix
+ '';
+
+ programs.ssh.knownHosts = {
+ "github.com".publicKey =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
+ };
+
+ home-manager.users.${adminUser.name} = {
+ home.stateVersion = "23.05";
+ home.username = "${adminUser.name}";
+ home.homeDirectory = "/Users/${adminUser.name}";
+ home.packages = with pkgs; [ grpcurl ];
+ imports = [
+ ../../../users/profiles/mac.nix
+ ../../../users/profiles/work.nix
+ ];
+ inherit (adminUser) userinfo;
+ programs.git.userEmail = "fcuny@roblox.com";
+ };
+}
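Review bot: `networking.hostName = "mba-m2";` in hq-kwny2vh41p.nix looks copied from mba-m2.nix (same value, same position there); for this host it should either carry this machine's own name or be dropped, as the deleted hq-kwny2vh41p/default.nix never set it, otherwise both Macs advertise the same hostname. `trusted-users` still hard-codes `"fcuny"` while the rest of the file keys everything off `adminUser.name`; `trusted-users = [ "@admin" adminUser.name ];` keeps them in sync, and since the Nix manual treats trusted users as effectively root-equivalent toward the daemon, the list is worth keeping minimal and explicit. The deleted default.nix also carried `system.stateVersion = 5;` and nothing in the new file sets it — fine if `${self}/nix/profiles/darwin.nix` provides it, otherwise it should be restored here.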
diff --git a/nix/machines/darwin/aarch64-darwin/mba-m2.nix b/nix/machines/darwin/aarch64-darwin/mba-m2.nix
new file mode 100644
index 0000000..59fd21b
--- /dev/null
+++ b/nix/machines/darwin/aarch64-darwin/mba-m2.nix
@@ -0,0 +1,98 @@
+{
+ adminUser,
+ pkgs,
+ self,
+ ...
+}:
+{
+ imports = [
+ "${self}/nix/profiles/home-manager.nix"
+ "${self}/nix/profiles/darwin.nix"
+ ];
+
+ nix = {
+ extraOptions = ''
+ tarball-ttl = 900
+ '';
+ gc = {
+ automatic = true;
+ interval = {
+ Weekday = 0;
+ Hour = 0;
+ Minute = 0;
+ };
+ options = "--delete-older-than 30d";
+ };
+ package = pkgs.nixVersions.stable;
+ settings = {
+ substituters = [
+ "https://cache.nixos.org"
+ "https://nix-community.cachix.org"
+ ];
+ trusted-public-keys = [
+ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ ];
+ trusted-users = [
+ "@admin"
+ "fcuny"
+ ];
+ experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+ };
+ };
+
+ system.primaryUser = adminUser.name;
+
+ # https://github.com/nix-darwin/nix-darwin/issues/1339
+ ids.gids.nixbld = 30000;
+
+ networking.hostName = "mba-m2";
+
+ fonts.packages = with pkgs; [
+ source-code-pro
+ ];
+
+ # The user should already exist, but we need to set this up so Nix knows
+ # what our home directory is (https://github.com/LnL7/nix-darwin/issues/423).
+ users = {
+ users.${adminUser.name} = {
+ home = "/Users/${adminUser.name}";
+ shell = pkgs.fish;
+ };
+ };
+
+ environment.shells = [ pkgs.fish ];
+
+ programs.fish.enable = true;
+ programs.fish.shellInit = ''
+ # Nix
+ if test -e '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.fish'
+ source '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.fish'
+ end
+ # End Nix
+ '';
+
+ programs.ssh.knownHosts = {
+ "github.com".publicKey =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
+ };
+
+ home-manager.users.${adminUser.name} = {
+ home.stateVersion = "23.05";
+ home.username = "${adminUser.name}";
+ home.homeDirectory = "/Users/${adminUser.name}";
+ home.packages = with pkgs; [
+ element-desktop
+ vlc-bin
+ zoom-us
+ ];
+ imports = [
+ ../../../users/profiles/mac.nix
+ ../../../users/profiles/media.nix
+ ];
+ inherit (adminUser) userinfo;
+ };
+}
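Review bot: The `nix`, `fonts.packages`, `users`, `programs.fish` and `programs.ssh.knownHosts` settings here are line-for-line identical to hq-kwny2vh41p.nix; that shared block is exactly what the deleted darwin-shared.nix used to factor out, and both hosts now import `${self}/nix/profiles/darwin.nix`, which is the natural home for it (if that profile already sets these, the copies are redundant and will merge with or shadow it). Hard-coding `"fcuny"` in `trusted-users` next to `adminUser.name` everywhere else is the kind of drift this duplication invites; `trusted-users = [ "@admin" adminUser.name ];` would track the single source. As with the sibling file, the deleted mba-m2/default.nix set `system.stateVersion = 5;`, which does not reappear here unless the profile provides it.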
diff --git a/nix/machines/hq-kwny2vh41p/default.nix b/nix/machines/hq-kwny2vh41p/default.nix
deleted file mode 100644
index 1ae15f2..0000000
--- a/nix/machines/hq-kwny2vh41p/default.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{ ... }:
-{
- imports = [ ../darwin-shared.nix ];
-
- system.stateVersion = 5;
-}
diff --git a/nix/machines/mba-m2/default.nix b/nix/machines/mba-m2/default.nix
deleted file mode 100644
index 565360c..0000000
--- a/nix/machines/mba-m2/default.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{ ... }:
-{
- imports = [ ../darwin-shared.nix ];
-
- # https://github.com/nix-darwin/nix-darwin/issues/1339
- ids.gids.nixbld = 30000;
-
- system.stateVersion = 5;
-
- networking.hostName = "mba-m2";
-}
diff --git a/nix/machines/vm-synology/default.nix b/nix/machines/nixos/x86_64-linux/vm-synology.nix
index ec508d8..02030fc 100644
--- a/nix/machines/vm-synology/default.nix
+++ b/nix/machines/nixos/x86_64-linux/vm-synology.nix
@@ -1,36 +1,35 @@
-{ pkgs, ... }:
+{ self, pkgs, ... }:
{
age = {
secrets = {
restic_gcs_credentials = {
- file = ../../../secrets/restic_gcs_credentials.age;
+ file = "${self}/secrets/restic_gcs_credentials.age";
};
restic_password = {
- file = ../../../secrets/restic_password.age;
+ file = "${self}/secrets/restic_password.age";
};
cloudflared-tunnel = {
- file = ../../../secrets/cloudflared_cragmont.age;
+ file = "${self}/secrets/cloudflared_cragmont.age";
};
cloudflared-cert = {
- file = ../../../secrets/cloudflared_cert.age;
+ file = "${self}/secrets/cloudflared_cert.age";
};
};
};
imports = [
- ./backups.nix
- ./git.nix
- ./hardware.nix
- ./ingress.nix
- ./nginx.nix
- ../common/network.nix
+ "${self}/nix/profiles/git-server.nix"
+ "${self}/nix/profiles/hardware/synology.nix"
+ "${self}/nix/profiles/disk/vm.nix"
+ "${self}/nix/profiles/server.nix"
+ # ./backups.nix
+ # ./ingress.nix
+ # ./nginx.nix
];
# Use the systemd-boot EFI boot loader.
- boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "vm-synology";
- boot.kernelPackages = pkgs.linuxPackages_latest;
nix = {
package = pkgs.nixVersions.latest;
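Review bot: The commented-out imports `# ./backups.nix`, `# ./ingress.nix` and `# ./nginx.nix` point at files this same commit deletes (nix/machines/vm-synology/backups.nix, ingress.nix, nginx.nix), so they are dead references; either drop them or replace them with a single TODO naming the profile they are meant to move to. Dropping those modules also leaves the four `age.secrets` (restic_gcs_credentials, restic_password, cloudflared-tunnel, cloudflared-cert) with no consumer visible in this diff, so agenix will keep decrypting GCS and tunnel credentials onto the host for nothing — unless `${self}/nix/profiles/server.nix` or git-server.nix uses them, the declarations should go as well. The practical effect, worth stating in the commit message if intentional, is that the daily restic backups of /var/lib/gitolite and the cloudflared ingress for git.fcuny.net are disabled by this change. The `nix = { ... }` attrset at the bottom continues past the end of the hunk.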
@@ -46,31 +45,9 @@
};
};
- time.timeZone = "America/Los_Angeles";
-
- # Don't require password for sudo
- security.sudo.wheelNeedsPassword = false;
-
- # Virtualization settings
- virtualisation.docker.enable = true;
-
- # Select internationalisation properties.
- i18n = {
- defaultLocale = "en_US.UTF-8";
- };
-
# Define a user account. Don't forget to set a password with ‘passwd’.
users.mutableUsers = false;
- # List packages installed in system profile. To search, run:
- # $ nix search wget
- environment.systemPackages = with pkgs; [
- curl
- git
- vim
- jq
- ];
-
# Enable the OpenSSH daemon.
services.openssh.enable = true;
services.openssh.settings.PasswordAuthentication = true;
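Review bot: `services.openssh.settings.PasswordAuthentication = true;` survives the cleanup even though the host has `users.mutableUsers = false` and an `ssh-ed25519` authorized key for the admin user (next hunk), so password logins add nothing but an online brute-force surface — and the rest of this commit (dropping passwordless sudo, removing `networking.firewall.enable = false`) is tightening in the other direction. Suggest `services.openssh.settings.PasswordAuthentication = false;` together with `services.openssh.settings.KbdInteractiveAuthentication = false;` so only key-based auth is accepted. The enclosing attrset starts and ends outside this hunk.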
@@ -80,8 +57,6 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
];
- networking.firewall.enable = false;
-
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. It‘s perfectly fine and recommended to leave
diff --git a/nix/machines/vm-synology/backups.nix b/nix/machines/vm-synology/backups.nix
deleted file mode 100644
index cf3c65b..0000000
--- a/nix/machines/vm-synology/backups.nix
+++ /dev/null
@@ -1,73 +0,0 @@
-{
- config,
- pkgs,
- ...
-}:
-let
- environmentFile = toString (
- pkgs.writeText "restic-gcs-env" ''
- GOOGLE_PROJECT_ID=fcuny-infra
- GOOGLE_APPLICATION_CREDENTIALS=${config.age.secrets.restic_gcs_credentials.path}
- ''
- );
-in
-{
- services.restic.backups.local = {
- passwordFile = config.age.secrets.restic_password.path;
- repository = "/srv/data/backups/";
- initialize = true;
- paths = [ "/var/lib/gitolite" ];
- exclude = [
- "/var/lib/gitolite/.bash_history"
- "/var/lib/gitolite/.ssh"
- "/var/lib/gitolite/.viminfo"
- ];
- extraBackupArgs = [
- "--exclude-caches"
- "--compression=max"
- ];
- timerConfig = {
- OnCalendar = "daily";
- };
- pruneOpts = [
- "--keep-daily 7"
- "--keep-weekly 4"
- "--keep-monthly 3"
- ];
- };
-
- services.restic.backups.gcs = {
- passwordFile = config.age.secrets.restic_password.path;
- environmentFile = environmentFile;
- repository = "gs:fcuny-infra-backups:/vm-synology/";
- initialize = true;
- paths = [ "/var/lib/gitolite" ];
- exclude = [
- "/var/lib/gitolite/.bash_history"
- "/var/lib/gitolite/.ssh"
- "/var/lib/gitolite/.viminfo"
- ];
- extraBackupArgs = [
- "--exclude-caches"
- "--compression=max"
- ];
- timerConfig = {
- OnCalendar = "daily";
- };
- pruneOpts = [
- "--keep-daily 7"
- "--keep-weekly 4"
- "--keep-monthly 3"
- ];
- };
-
- environment = {
- sessionVariables = {
- RESTIC_REPOSITORY = "/srv/data/backups";
- RESTIC_PASSWORD_FILE = config.age.secrets.restic_password.path;
- };
- systemPackages = with pkgs; [
- restic
- ];
- };
-}
diff --git a/nix/machines/vm-synology/disk.nix b/nix/machines/vm-synology/disk.nix
deleted file mode 100644
index 1641339..0000000
--- a/nix/machines/vm-synology/disk.nix
+++ /dev/null
@@ -1,55 +0,0 @@
-{ lib, ... }:
-{
- disko.devices = {
- disk.disk1 = {
- device = lib.mkDefault "/dev/sda";
- type = "disk";
- content = {
- type = "gpt";
- partitions = {
- boot = {
- name = "boot";
- size = "1M";
- type = "EF02";
- };
- esp = {
- name = "ESP";
- size = "500M";
- type = "EF00";
- content = {
- type = "filesystem";
- format = "vfat";
- mountpoint = "/boot";
- };
- };
- root = {
- name = "root";
- size = "100%";
- content = {
- type = "lvm_pv";
- vg = "pool";
- };
- };
- };
- };
- };
- lvm_vg = {
- pool = {
- type = "lvm_vg";
- lvs = {
- root = {
- size = "100%FREE";
- content = {
- type = "filesystem";
- format = "ext4";
- mountpoint = "/";
- mountOptions = [
- "defaults"
- ];
- };
- };
- };
- };
- };
- };
-}
diff --git a/nix/machines/vm-synology/git.nix b/nix/machines/vm-synology/git.nix
deleted file mode 100644
index 27eebc7..0000000
--- a/nix/machines/vm-synology/git.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-{ pkgs, ... }:
-{
- services.gitolite = {
- enable = true;
- adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi";
- user = "git";
- group = "git";
- extraGitoliteRc = ''
- # Make dirs/files group readable, needed for webserver/cgit. (Default
- # setting is 0077.)
- $RC{UMASK} = 0027;
- $RC{GIT_CONFIG_KEYS} = 'cgit.desc cgit.hide cgit.ignore cgit.owner';
- $RC{LOCAL_CODE} = "$rc{GL_ADMIN_BASE}/local";
- push( @{$RC{ENABLE}}, 'symbolic-ref' );
- '';
- };
-
- # let's make sure the default branch is `main'.
- systemd.tmpfiles.rules = [
- "C /var/lib/gitolite/.gitconfig - git git 0644 ${pkgs.writeText "gitolite-gitconfig" ''
- [init]
- defaultBranch = main
- ''}"
- ];
-}
diff --git a/nix/machines/vm-synology/hardware.nix b/nix/machines/vm-synology/hardware.nix
deleted file mode 100644
index c894a80..0000000
--- a/nix/machines/vm-synology/hardware.nix
+++ /dev/null
@@ -1,32 +0,0 @@
-{ lib, modulesPath, ... }:
-
-{
- imports = [
- (modulesPath + "/profiles/qemu-guest.nix")
- (modulesPath + "/installer/scan/not-detected.nix")
- ./disk.nix
- ];
-
- boot.initrd.availableKernelModules = [
- "ata_piix"
- "uhci_hcd"
- "virtio_pci"
- "virtio_scsi"
- "sd_mod"
- "sr_mod"
- ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ "kvm-amd" ];
- boot.extraModulePackages = [ ];
-
- swapDevices = [ ];
-
- # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
- # (the default) this is the recommended approach. When using systemd-networkd it's
- # still possible to use this option, but it's recommended to use it in conjunction
- # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
- networking.useDHCP = lib.mkDefault true;
- # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}
diff --git a/nix/machines/vm-synology/ingress.nix b/nix/machines/vm-synology/ingress.nix
deleted file mode 100644
index b6ae596..0000000
--- a/nix/machines/vm-synology/ingress.nix
+++ /dev/null
@@ -1,16 +0,0 @@
-{ config, ... }:
-{
- services.cloudflared = {
- enable = true;
- certificateFile = config.age.secrets.cloudflared-cert.path;
- tunnels = {
- "cragmont" = {
- credentialsFile = config.age.secrets.cloudflared-tunnel.path;
- default = "http_status:404";
- ingress = {
- "git.fcuny.net".service = "ssh://127.0.0.1:22";
- };
- };
- };
- };
-}
diff --git a/nix/machines/vm-synology/nginx.nix b/nix/machines/vm-synology/nginx.nix
deleted file mode 100644
index 2c3b7fb..0000000
--- a/nix/machines/vm-synology/nginx.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- ...
-}:
-{
- services.fcuny-net = {
- enable = true;
- domain = "fcuny.net";
- enableSSL = false; # Enable if you want HTTPS
- };
-}