diff --git a/flake.lock b/flake.lock index 6f3a0f9..b1fc420 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,78 @@ { "nodes": { + "conduit": { + "inputs": { + "crane": "crane", + "fenix": "fenix", + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1691686916, + "narHash": "sha256-TpNssMHvSKcxJMas5lQNWEbIv09u4/niBN2C27Mp0JY=", + "owner": "famedly", + "repo": "conduit", + "rev": "0c2cfda3ae923d9e922d5edf379e4d8976a52d4e", + "type": "gitlab" + }, + "original": { + "owner": "famedly", + "ref": "v0.6.0", + "repo": "conduit", + "type": "gitlab" + } + }, + "crane": { + "inputs": { + "flake-compat": "flake-compat", + "flake-utils": [ + "conduit", + "flake-utils" + ], + "nixpkgs": [ + "conduit", + "nixpkgs" + ], + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1688772518, + "narHash": "sha256-ol7gZxwvgLnxNSZwFTDJJ49xVY5teaSvF7lzlo3YQfM=", + "owner": "ipetkov", + "repo": "crane", + "rev": "8b08e96c9af8c6e3a2b69af5a7fa168750fcf88e", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "fenix": { + "inputs": { + "nixpkgs": [ + "conduit", + "nixpkgs" + ], + "rust-analyzer-src": "rust-analyzer-src" + }, + "locked": { + "lastModified": 1689488573, + "narHash": "sha256-diVASflKCCryTYv0djvMnP2444mFsIG0ge5pa7ahauQ=", + "owner": "nix-community", + "repo": "fenix", + "rev": "39096fe3f379036ff4a5fa198950b8e79defe939", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "fenix", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { 
@@ -16,6 +89,22 @@ "type": "github" } }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-utils": { "inputs": { "systems": "systems" @@ -38,6 +127,24 @@ "inputs": { "systems": "systems_2" }, + "locked": { + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_3": { + "inputs": { + "systems": "systems_3" + }, "locked": { "lastModified": 1681202837, "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", @@ -52,7 +159,7 @@ "type": "github" } }, - "flake-utils_3": { + "flake-utils_4": { "locked": { "lastModified": 1638122382, "narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=", @@ -111,7 +218,7 @@ }, "nixos-cn": { "inputs": { - "flake-utils": "flake-utils_3", + "flake-utils": "flake-utils_4", "nixpkgs": [ "nixpkgs" ] @@ -227,7 +334,8 @@ }, "root": { "inputs": { - "flake-utils": "flake-utils", + "conduit": "conduit", + "flake-utils": "flake-utils_2", "home-manager": "home-manager", "nix-vscode-extensions": "nix-vscode-extensions", "nixos-cn": "nixos-cn", 
@@ -238,6 +346,50 @@ "sops-nix": "sops-nix" } }, + "rust-analyzer-src": { + "flake": false, + "locked": { + "lastModified": 1689441253, + "narHash": "sha256-4MSDZaFI4DOfsLIZYPMBl0snzWhX1/OqR/QHir382CY=", + "owner": "rust-lang", + "repo": "rust-analyzer", + "rev": "996e054f1eb1dbfc8455ecabff0f6ff22ba7f7c8", + "type": "github" + }, + "original": { + "owner": "rust-lang", + "ref": "nightly", + "repo": "rust-analyzer", + "type": "github" + } + }, + "rust-overlay": { + "inputs": { + "flake-utils": [ + "conduit", + "crane", + "flake-utils" + ], + "nixpkgs": [ + "conduit", + "crane", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1688351637, + "narHash": "sha256-CLTufJ29VxNOIZ8UTg0lepsn3X03AmopmaLTTeHDCL4=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "f9b92316727af9e6c7fee4a761242f7f46880329", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "sops-nix": { "inputs": { "nixpkgs": "nixpkgs_2", @@ -286,6 +438,21 @@ "repo": "default", "type": "github" } + }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index ce335c2..c8c02e2 100644 --- a/flake.nix +++ b/flake.nix 
@@ -19,13 +19,25 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
- nur.url = "github:nix-community/NUR";
+ nur = {
+ url = "github:nix-community/NUR";
+ };
- nixos-hardware.url = "github:NixOS/nixos-hardware/master";
+ nixos-hardware = {
+ url = "github:NixOS/nixos-hardware/master";
+ };
- sops-nix.url = "github:Mic92/sops-nix";
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
- flake-utils.url = "github:numtide/flake-utils";
+ flake-utils = {
+ url = "github:numtide/flake-utils";
+ };
+
+ conduit.url = "gitlab:famedly/conduit/v0.6.0";
+ conduit.inputs.nixpkgs.follows = "nixpkgs";
 };
@@ -69,6 +81,9 @@
 };
 massicot = { name, nodes, pkgs, ... }: with inputs; {
+ deployment.targetHost = "***REMOVED***";
+ deployment.targetUser = "root";
+
 imports = [
 { nixpkgs.system = "aarch64-linux"; }
 machines/massicot
@@ -111,7 +126,13 @@
 system = "aarch64-linux";
 modules = [
 machines/massicot
- (mkHome "xin" "gold")
+ ];
+ };
+
+ nixosConfigurations.dolomite = mkNixos {
+ system = "x86_64-linux";
+ modules = [
+ machines/dolomite
 ];
 };
diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix
index 81fd528..9b1dcd7 100644
--- a/machines/massicot/default.nix
+++ b/machines/massicot/default.nix
@@ -4,6 +4,7 @@
 imports = [
 ./hardware-configuration.nix
 ./networking.nix
+ ./services.nix
 ];
 boot.loader.efi.canTouchEfiVariables = true;
@@ -11,7 +12,6 @@
 boot.loader.grub = {
 enable = true;
 efiSupport = true;
- device = "/dev/sda";
 };
 environment.systemPackages = with pkgs; [
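Review bot: `deployment.targetHost = "***REMOVED***"` is a history-scrub placeholder rather than a host, so the flake as committed cannot deploy massicot, and the pattern suggests the real address was rewritten out of git after the fact. If the address is considered sensitive, keep it out of the tracked file rather than committing a placeholder: point `targetHost` at a DNS name, or read it from an untracked or sops-managed file so evaluation still succeeds. `deployment.targetUser = "root"` depends on sshd permitting key-based root logins; the massicot openssh block elsewhere in this commit leaves `PermitRootLogin` at the module default (which I believe is `prohibit-password`), so a comment such as `# colmena deploys as root over SSH keys; requires PermitRootLogin prohibit-password or better` next to these two lines would record that dependency. The `massicot` attribute's body continues outside the hunk.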
@@ -19,16 +19,26 @@
 ];
 nix.settings.experimental-features = [ "nix-command" "flakes" ];
+ nix.gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 7d";
+ };
+ nix.optimise.automatic = true;
+ nix.settings.auto-optimise-store = true;
+
 system.stateVersion = "22.11";
 networking = {
 hostName = "massicot";
- useDHCP = false;
 };
 services.openssh = {
 enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ };
 };
 systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ];
@@ -39,8 +49,15 @@
 openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPBcSvUQnmMFtpftFKIsDqeyUyZHzRg5ewgn3VEcLnss"
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIInPn+7cMbH7zCEPJArU/Ot6oq8NHo8a2rYaCfTp7zgd"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPeNQ43f/ce4VxVPsAaKPPTp8rokQpmwNIsOX7JBZq4A"
 ];
 hashedPassword = "$y$j9T$JOJn97hZndiDamUmmT.iq.$ue7gNZz/b14ur8GhyutOCvFjsv.3rcsHmk7m.WRk6u7";
 };
+
+ security.sudo.extraRules = [
+ { users = [ "xin" ];
+ commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ];
+ }
+ ];
-}
\ No newline at end of file
+}
diff --git a/machines/massicot/hardware-configuration.nix b/machines/massicot/hardware-configuration.nix
index 5d6574a..89358f7 100644
--- a/machines/massicot/hardware-configuration.nix
+++ b/machines/massicot/hardware-configuration.nix
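Review bot: `PasswordAuthentication = false` by itself does not close off password logins on this host, because sshd still accepts passwords through PAM's keyboard-interactive path when `KbdInteractiveAuthentication` is on, and the NixOS openssh module leaves that enabled by default as far as I know. Add `KbdInteractiveAuthentication = false;` beside it inside `settings`, and since this machine is deployed as root over SSH, pin `PermitRootLogin = "prohibit-password";` explicitly instead of relying on the module default. A smaller point in the same hunk: `nix.optimise.automatic` and `nix.settings.auto-optimise-store` overlap (a scheduled optimise pass versus hard-linking on every store write), so keep one or add a comment saying why both are wanted.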
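Review bot: The new `security.sudo.extraRules` entry grants `xin` unrestricted `NOPASSWD` sudo, so possession of any of the three SSH keys listed above (or a forwarded agent socket) is immediately equivalent to root on this host with no second check and no prompt, which makes the `hashedPassword` on the account largely decorative for privilege escalation. If passwordless sudo exists only for unattended rebuilds, scope it to the commands actually needed, e.g. `commands = [ { command = "/run/current-system/sw/bin/nixos-rebuild"; options = [ "NOPASSWD" ]; } ];`, or drop the rule entirely now that deployment targets `root` directly. At minimum add a comment above the rule stating why `ALL` without a password is acceptable here. The enclosing user definition (presumably `users.users.xin`) starts outside the hunk.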
@@ -1,36 +1,13 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
+{ modulesPath, ... }:
 {
- imports =
- [ (modulesPath + "/profiles/qemu-guest.nix")
- ];
-
- boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod" ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ ];
- boot.extraModulePackages = [ ];
-
- fileSystems."/" =
- { device = "/dev/disk/by-uuid/934bc9cd-c80f-4af0-a446-e92c3b21ad9e";
- fsType = "ext4";
- };
-
- fileSystems."/boot/efi" =
- { device = "/dev/disk/by-uuid/06F4-7777";
- fsType = "vfat";
- };
-
- swapDevices = [ ];
-
- # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
- # (the default) this is the recommended approach. When using systemd-networkd it's
- # still possible to use this option, but it's recommended to use it in conjunction
- # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
- networking.useDHCP = lib.mkDefault true;
- # networking.interfaces.eth0.useDHCP = lib.mkDefault true;
-
- nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
-}
\ No newline at end of file
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+ boot.loader.grub = {
+ efiSupport = true;
+ device = "nodev";
+ };
+ fileSystems."/boot" = { device = "/dev/disk/by-uuid/AC27-D9D6"; fsType = "vfat"; };
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
+ boot.initrd.kernelModules = [ "nvme" ];
+ fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+
+}
diff --git a/machines/massicot/networking.nix b/machines/massicot/networking.nix
index fd5bf27..4aadb44 100644
--- a/machines/massicot/networking.nix
+++ b/machines/massicot/networking.nix
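Review bot: `fileSystems."/"` now points at `/dev/sda1` where the removed lines used a `/dev/disk/by-uuid/...` path; kernel device names are assigned by probe order and can shift when the hypervisor's disk controller or the initrd driver set changes, leaving the machine unbootable, while `/boot` on the new side still uses a UUID. Use the same stable identifier for root, e.g. `fileSystems."/" = { device = "/dev/disk/by-uuid/<root-fs-uuid>"; fsType = "ext4"; };`, or a filesystem label. The initrd list pairs `xen_blkfront` and an `nvme` kernel module with the qemu-guest profile; if this was hand-written for a particular VM type rather than generated, a one-line comment naming the platform (and that `nixos-generate-config` must not overwrite this file) would spare the next reader the guesswork.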
@@ -1,6 +1,7 @@
 {
 networking = {
 interfaces = {
+ eth0.useDHCP = true;
 eth0.ipv6.addresses = [{
 address = "2a01:4f8:c17:345f::1";
 prefixLength = 64;
@@ -10,6 +11,6 @@
 address = "fe80::1";
 interface = "eth0";
 };
- nameservers = [ "2a00:1098:2b::1" "2a00:1098:2c::1" "2a01:4f9:c010:3f02::1"];
+ nameservers = [ ];
 };
-}
\ No newline at end of file
+}
diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix
new file mode 100644
index 0000000..84322c1
--- /dev/null
+++ b/machines/massicot/services.nix
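Review bot: `nameservers = [ ]` drops the static resolvers and leaves DNS entirely to whatever the lease from the new `eth0.useDHCP = true` carries; the IPv6 address and `fe80::1` default gateway in this file stay static, so if DHCPv4 is absent on this host or its lease omits DNS options, resolution silently fails and with it the ACME issuance, OIDC and Matrix federation configured elsewhere in this commit. Unless a lease with resolvers has been confirmed, keep a fallback — restore the previous list or use the provider's published resolvers — and record the intent with a comment such as `# resolvers expected from DHCP; static list removed on purpose`.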
@@ -0,0 +1,135 @@
+{ config, pkgs, inputs, ... }:
+let
+ kanidm_listen_port = 5324;
+in
+{
+ security.acme = {
+ acceptTerms = true;
+ certs."auth.xinyang.life" = {
+ email = "lixinyang411@gmail.com";
+ listenHTTP = "127.0.0.1:1360";
+ group = "kanidm";
+ };
+ };
+ services.kanidm = {
+ enableServer = true;
+ serverSettings = {
+ domain = "auth.xinyang.life";
+ origin = "https://auth.xinyang.life";
+ bindaddress = "[::]:${toString kanidm_listen_port}";
+ tls_key = ''${config.security.acme.certs."auth.xinyang.life".directory}/key.pem'';
+ tls_chain = ''${config.security.acme.certs."auth.xinyang.life".directory}/fullchain.pem'';
+ # db_path = "/var/lib/kanidm/kanidm.db";
+ };
+ };
+ services.matrix-conduit = {
+ enable = true;
+ # package = inputs.conduit.packages.${pkgs.system}.default;
+ package = pkgs.matrix-conduit;
+ settings.global = {
+ server_name = "xinyang.life";
+ port = 6167;
+ # database_path = "/var/lib/matrix-conduit/";
+ database_backend = "rocksdb";
+ allow_registration = false;
+ };
+ };
+
+ services.gotosocial = {
+ enable = true;
+ settings = {
+ log-level = "debug";
+ host = "xinyang.life";
+ letsencrypt-enabled = false;
+ bind-address = "localhost";
+ instance-expose-public-timeline = true;
+ oidc-enabled = true;
+ oidc-idp-name = "Kanidm";
+ oidc-issuer = "https://auth.xinyang.life/oauth2/openid/gts";
+ oidc-client-id = "gts";
+ oidc-client-secret = "QkqhD6kWj8QLACa51YyFttTfyGMkFyESPsSKzvGVT8WTs3J5";
+ oidc-link-existing = true;
+ };
+ };
+
+ services.forgejo = {
+ enable = true;
+ settings = {
+ service.DISABLE_REGISTRATION = true;
+ server = {
+ ROOT_URL = "https://git.xinyang.life/";
+ START_SSH_SERVER = true;
+ BUILTIN_SSH_SERVER_USER = "git";
+ SSH_DOMAIN = "ssh.xinyang.life";
+ SSH_PORT = 2222;
+ };
+ repository = {
+ ENABLE_PUSH_CREATE_USER = true;
+ };
+ service = {
+ ENABLE_BASIC_AUTHENTICATION = false;
+ };
+ oauth2 = {
+ ENABLE = false; # Disable forgejo as oauth2 provider
+ };
+ oauth2_client = {
+ ACCOUNT_LINKING = "auto";
+ ENABLE_AUTO_REGISTRATION = true;
+ UPDATE_AVATAR = true;
+ OPENID_CONNECT_SCOPES = "openid profile email";
+ };
+ other = {
+ SHOW_FOOTER_VERSION = false;
+ };
+ };
+ };
+
+ services.caddy = {
+ enable = true;
+ virtualHosts."xinyang.life:443".extraConfig = ''
+ tls internal
+ encode zstd gzip
+ reverse_proxy /_matrix/* localhost:6167
+ handle_path /.well-known/matrix/client {
+ header Content-Type "application/json"
+ header Access-Control-Allow-Origin "*"
+ header Content-Disposition attachment; filename="client"
+ respond `{"m.homeserver":{"base_url":"https://xinyang.life/"}, "org.matrix.msc3575.proxy":{"url":"https://xinyang.life/"}}`
+ }
+ handle_path /.well-known/matrix/server {
+ header Content-Type "application/json"
+ header Access-Control-Allow-Origin "*"
+ respond `{"m.server": "xinyang.life:443"}`
+ }
+ reverse_proxy * http://localhost:8080 {
+ flush_interval -1
+ }
+ '';
+ virtualHosts."git.xinyang.life:443".extraConfig = ''
+ reverse_proxy http://${config.services.gitea.settings.server.DOMAIN}:${toString config.services.gitea.settings.server.HTTP_PORT}
+ '';
+
+ virtualHosts."http://auth.xinyang.life:80".extraConfig = ''
+ reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP}
+ route {
+ reverse_proxy * ${config.security.acme.certs."auth.xinyang.life".listenHTTP} order first
+ abort
+ }
+ '';
+ virtualHosts."https://auth.xinyang.life:443".extraConfig = ''
+ reverse_proxy https://auth.xinyang.life:${toString kanidm_listen_port} {
+ header_up Host {upstream_hostport}
+ header_down Access-Control-Allow-Origin "*"
+ transport http {
+ tls_server_name ${config.services.kanidm.serverSettings.domain}
+ }
+ }
+ '';
+ #
+ # respond `Hello World`
+
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 2222 8448 ];
+ networking.firewall.allowedUDPPorts = [ 80 443 8448 ];
+}
diff --git a/machines/raspite/configuration.nix b/machines/raspite/configuration.nix
index b178e9e..72b7978 100644
--- a/machines/raspite/configuration.nix
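Review bot: `oidc-client-secret = "QkqhD6kWj8QLACa51YyFttTfyGMkFyESPsSKzvGVT8WTs3J5"` inside `services.gotosocial.settings` commits a live OIDC client secret to git and, because NixOS renders module settings into the world-readable /nix/store, also exposes it to every local account on the host — while the flake already pulls in sops-nix for exactly this purpose. Treat the value as burned and rotate it in Kanidm, then take it out of `settings` and feed it to GoToSocial through its environment (`GTS_OIDC_CLIENT_SECRET`) via the module's `environmentFile` option, if the pinned nixpkgs provides it, pointing at a sops-managed file as sketched below. Two further points in the same file: `tls internal` on `xinyang.life:443` serves a Caddy self-signed certificate that browsers and federating Matrix servers will reject even though `m.server` advertises that port, and the `git.xinyang.life` vhost reads `config.services.gitea.settings.server.*` although the enabled service is `services.forgejo`, so it proxies to gitea's option defaults rather than forgejo's actual port. `log-level = "debug"`, the blanket `header_down Access-Control-Allow-Origin "*"` stamped on every IdP response, and UDP 80 in `allowedUDPPorts` are also worth revisiting before this host is public.
```nix
services.gotosocial = {
  enable = true;
  # Secret lives in a sops-managed KEY=VALUE file containing GTS_OIDC_CLIENT_SECRET=<rotated value>,
  # so it never enters git or the Nix store.
  environmentFile = config.sops.secrets."gotosocial-env".path;
  settings = {
    # … unchanged: log-level, host, letsencrypt-enabled, bind-address, oidc-* (oidc-client-secret removed) …
  };
};

# Declares the sops-encrypted env file; encrypt it with the repo's sops setup.
sops.secrets."gotosocial-env" = { };
```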
+++ b/machines/raspite/configuration.nix
@@ -10,13 +10,11 @@
 ];
 imports = [
- ../clash.nix
 ../sops.nix
 ];
 environment.systemPackages = with pkgs; [
 git
- clash
 ];
 # Use mirror for binary cache
@@ -59,4 +57,4 @@
 hashedPassword = "$y$j9T$KEOMZBlXtudOYWq/elAdI.$Vd3X8rjEplbuRBeZPp.8/gpL3zthpBNjhBR47wFc8D4";
 };
-}
\ No newline at end of file
+}