From 9f8d4dbf1b7ba011147816c3b886f6fb97158730 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cyryl=20P=C5=82otnicki?=
Date: Mon, 31 May 2021 09:15:44 +0100
Subject: [PATCH] add agenix
---
 flake.lock | 52 +++++++++++++++-
 flake.nix | 89 +++++++++++++++++-----------
 nixos/boxes/brix/brix-boot.nix | 41 +++++++++++++
 nixos/boxes/brix/cli.nix | 6 ++
 nixos/boxes/brix/default.nix | 26 ++++++++
 nixos/boxes/brix/i2p.nix | 9 +++
 nixos/boxes/brix/matrix-server.nix | 42 +++++++++++++
 nixos/boxes/brix/print-server.nix | 49 +++++++++++++++
 nixos/boxes/brix/prometheus-node.nix | 8 +++
 nixos/boxes/brix/real-hardware.nix | 11 ++++
 nixos/boxes/brix/restic-server.nix | 12 ++++
 nixos/boxes/brix/security.nix | 43 ++++++++++++++
 nixos/boxes/brix/vpn.nix | 16 +++++
 13 files changed, 369 insertions(+), 35 deletions(-)
 create mode 100644 nixos/boxes/brix/brix-boot.nix
 create mode 100644 nixos/boxes/brix/cli.nix
 create mode 100644 nixos/boxes/brix/default.nix
 create mode 100644 nixos/boxes/brix/i2p.nix
 create mode 100644 nixos/boxes/brix/matrix-server.nix
 create mode 100644 nixos/boxes/brix/print-server.nix
 create mode 100644 nixos/boxes/brix/prometheus-node.nix
 create mode 100644 nixos/boxes/brix/real-hardware.nix
 create mode 100644 nixos/boxes/brix/restic-server.nix
 create mode 100644 nixos/boxes/brix/security.nix
 create mode 100644 nixos/boxes/brix/vpn.nix
diff --git a/flake.lock b/flake.lock
index 0c90d311..8fe8922e 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,24 @@
 {
 "nodes": {
+ "agenix": {
+ "inputs": {
+ "nixpkgs": "nixpkgs"
+ },
+ "locked": {
+ "lastModified": 1620877075,
+ "narHash": "sha256-XvgTqtmQZHegu9UMDSR50gK5cHEM2gbnRH0qecmdN54=",
+ "owner": "ryantm",
+ "repo": "agenix",
+ "rev": "e543aa7d68f222e1e771165da9e9a64b5bf7b3e3",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ryantm",
+ "ref": "master",
+ "repo": "agenix",
+ "type": "github"
+ }
+ },
 "bisq": {
 "locked": {
 "lastModified": 1620344115,
@@ -54,6 +73,35 @@
 }
 },
 "nixpkgs": {
+ "locked": {
+ "lastModified": 1618628710,
+ "narHash": "sha256-9xIoU+BrCpjs5nfWcd/GlU7XCVdnNKJPffoNTxgGfhs=",
+ "path": "/nix/store/z1rf17q0fxj935cmplzys4gg6nxj1as0-source",
+ "rev": "7919518f0235106d050c77837df5e338fb94de5d",
+ "type": "path"
+ },
+ "original": {
+ "id": "nixpkgs",
+ "type": "indirect"
+ }
+ },
+ "nixpkgs-stable": {
+ "locked": {
+ "lastModified": 1622364474,
+ "narHash": "sha256-bRupByHizbCba3/AgaETL+YySowmfssqWl7+p0jwcPU=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "eae0cabc124702e04bb2098070ca46d661543d29",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-20.09",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_2": {
 "locked": {
 "lastModified": 1622282707,
 "narHash": "sha256-+GOrUDsdneUqrOm9d+9bHXjEVoVcU8tm14WGVzbt6gg=",
@@ -87,10 +135,12 @@
 },
 "root": {
 "inputs": {
+ "agenix": "agenix",
 "bisq": "bisq",
 "flake-utils": "flake-utils",
 "home-manager": "home-manager",
- "nixpkgs": "nixpkgs",
+ "nixpkgs": "nixpkgs_2",
+ "nixpkgs-stable": "nixpkgs-stable",
 "nur": "nur"
 }
 }
diff --git a/flake.nix b/flake.nix
index 36134494..3616c018 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,5 +1,47 @@
 {
 description = "NixOS configuration with flakes";
+ outputs = { self, flake-utils, home-manager, nixpkgs, nixpkgs-stable, nur, bisq, agenix } @ inputs: {
+ nixosConfigurations = {
+ foureighty = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ (import ./nixos/boxes/foureighty)
+
+ home-manager.nixosModules.home-manager
+ {
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+ home-manager.users.cyryl = import ./nixos/home-manager;
+ }
+
+ ];
+ specialArgs = { inherit inputs; };
+ };
+ skinnyv = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ (import ./nixos/boxes/skinnyv)
+
+ home-manager.nixosModules.home-manager
+ {
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+ home-manager.users.cyryl = import ./nixos/home-manager;
+ }
+
+ ];
+ specialArgs = { inherit inputs; };
+ };
+ brix = nixpkgs-stable.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ (import ./nixos/boxes/brix)
+ agenix.nixosModules.age
+ ];
+ specialArgs = { inherit inputs; };
+ };
+ };
+ };
 inputs = {
 nixpkgs = {
 type = "github";
@@ -8,6 +50,13 @@
 ref = "nixos-unstable";
 };

+ nixpkgs-stable = {
+ type = "github";
+ owner = "NixOS";
+ repo = "nixpkgs";
+ ref = "nixos-20.09";
+ };
+
 home-manager = {
 type = "github";
 owner = "nix-community";
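Review bot: The new `brix` system pulls in `agenix.nixosModules.age`, but none of the box files added in this commit declare an `age.secrets` entry or `age.identityPaths`, so the module is wired without being used while the one secret-like value the commit adds (the PostgreSQL role password in matrix-server.nix) stays in plaintext. Either a first `age.secrets.<name>` should land with the module or the line deserves a comment such as `# agenix module; secrets to be moved under age.secrets` so the intent is visible. Note also that `specialArgs = { inherit inputs; }` hands the unstable `nixpkgs` input to a host evaluated from `nixpkgs-stable`, and matrix-server.nix already uses it to override `services.matrix-synapse.package`; mixing an unstable package with 20.09 module options is fragile and should be called out where it is done. The enclosing `outputs` attribute set continues past this hunk.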
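Review bot: `nixpkgs-stable` is pinned to `ref = "nixos-20.09"`, which around the commit date is the outgoing stable branch (its successor shipped at about the same time), so security updates on it will stop within a few months; since only `brix` is built from this input, the pin is easy to forget. A comment on the `ref` line, e.g. `# used only by brix; bump before nixos-20.09 reaches end of life`, records the intent and the deadline.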
@@ -38,42 +87,14 @@
 repo = "nixpkgs";
 ref = "3a681b0daaed9841cbd3ea2ebd51f9cca4c836f2";
 };
- };
- outputs = { self, flake-utils, home-manager, nixpkgs, nur, bisq } @ inputs: {
-
- nixosConfigurations = {
- foureighty = nixpkgs.lib.nixosSystem {
- system = "x86_64-linux";
- modules = [
- (import ./nixos/boxes/foureighty)
-
- home-manager.nixosModules.home-manager
- {
- home-manager.useGlobalPkgs = true;
- home-manager.useUserPackages = true;
- home-manager.users.cyryl = import ./nixos/home-manager;
- }
-
- ];
- specialArgs = { inherit inputs; };
- };
- skinnyv = nixpkgs.lib.nixosSystem {
- system = "x86_64-linux";
- modules = [
- (import ./nixos/boxes/skinnyv)
-
- home-manager.nixosModules.home-manager
- {
- home-manager.useGlobalPkgs = true;
- home-manager.useUserPackages = true;
- home-manager.users.cyryl = import ./nixos/home-manager;
- }
-
- ];
- specialArgs = { inherit inputs; };
- };
+ agenix = {
+ type = "github";
+ owner = "ryantm";
+ repo = "agenix";
+ ref = "master";
 };
 };
+ }
diff --git a/nixos/boxes/brix/brix-boot.nix b/nixos/boxes/brix/brix-boot.nix
new file mode 100644
index 00000000..6a01ce8f
--- /dev/null
+++ b/nixos/boxes/brix/brix-boot.nix
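Review bot: The new `agenix` input sets no `inputs.nixpkgs.follows`, and the flake.lock hunk shows the consequence: agenix's own nixpkgs is locked as `"type": "path"` at `/nix/store/z1rf17q0fxj935cmplzys4gg6nxj1as0-source`, a local store path that no other machine can fetch, so a fresh checkout of this flake is not reproducible and a second nixpkgs tree is evaluated. Add `inputs.nixpkgs.follows = "nixpkgs-stable";` inside the `agenix = { ... }` set and re-lock, so agenix shares the pin `brix` is built from. `ref = "master"` is frozen by the lock today, but each `nix flake update` will take whatever master holds at that moment; for a module that handles secrets, pinning to a release tag or a reviewed revision is the safer supply-chain default.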
@@ -0,0 +1,41 @@
+{ config, pkgs, ... }:
+{
+
+ boot = {
+ kernelPackages = pkgs.linuxPackages_latest_hardened;
+ initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" "btrfs" ];
+ initrd.kernelModules = [ "dm-snapshot" ];
+ kernelModules = [ "kvm-intel" ];
+ extraModulePackages = [ ];
+ loader.systemd-boot.enable = true;
+ loader.efi.canTouchEfiVariables = false;
+ };
+
+ services.btrfs.autoScrub.enable = true;
+ fileSystems."/data" =
+ { device = "/dev/disk/by-uuid/78e8e5b5-9068-4381-8e85-b4297607f9ea";
+ fsType = "btrfs";
+ options = [ "autodefrag" "space_cache" "inode_cache" "noatime" "nodiratime" ];
+ };
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/68bb21bd-90da-4da4-b97e-c6da3b1f8235";
+ fsType = "ext4";
+ options = [ "noatime" "nodiratime" ];
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/0129-8152";
+ fsType = "vfat";
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/5f635052-a940-466e-a7cf-4799adace60e"; }
+ ];
+
+ zramSwap = {
+ enable = true;
+ algorithm = "zstd";
+ memoryPercent = 50;
+ };
+}
diff --git a/nixos/boxes/brix/cli.nix b/nixos/boxes/brix/cli.nix
new file mode 100644
index 00000000..22e54870
--- /dev/null
+++ b/nixos/boxes/brix/cli.nix
@@ -0,0 +1,6 @@
+{ config, pkgs, ... }:
+{
+ environment.systemPackages = with pkgs; [
+ vim tmux atop btrfs-progs
+ ];
+}
diff --git a/nixos/boxes/brix/default.nix b/nixos/boxes/brix/default.nix
new file mode 100644
index 00000000..ed653e07
--- /dev/null
+++ b/nixos/boxes/brix/default.nix
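Review bot: `fileSystems."/data"` mounts with `inode_cache`, a btrfs option that has been deprecated for a long time and, as far as I recall, was removed from the kernel around the 5.11 series; with `kernelPackages = pkgs.linuxPackages_latest_hardened` the host tracks the newest kernel on every flake update, and an option the kernel no longer recognises makes the `/data` mount fail at boot, taking the restic repository under `/data/restic` with it. Dropping it, `options = [ "autodefrag" "space_cache" "noatime" "nodiratime" ];`, keeps the list valid on both old and new kernels (`nodiratime` is already implied by `noatime`, so it could go as well). A comment on `kernelPackages` noting that the kernel major version changes with each update would make this class of problem easier to spot next time.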
@@ -0,0 +1,26 @@
+{ config, pkgs, inputs, lib, ... }:
+{
+ imports = [
+ ./brix-boot.nix
+ ./real-hardware.nix
+ ./security.nix
+ ./cli.nix
+ ./vpn.nix
+ ./prometheus-node.nix
+ ./restic-server.nix
+ ./i2p.nix
+ ./print-server.nix
+ ./matrix-server.nix
+ ];
+ networking = {
+ hostName = "brix";
+ useDHCP = false;
+ interfaces.enp3s0.useDHCP = true;
+ };
+ powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+
+ security.allowUserNamespaces = true;
+
+ time.timeZone = "Europe/London";
+
+}
diff --git a/nixos/boxes/brix/i2p.nix b/nixos/boxes/brix/i2p.nix
new file mode 100644
index 00000000..6d4eed31
--- /dev/null
+++ b/nixos/boxes/brix/i2p.nix
@@ -0,0 +1,9 @@
+{ config, pkgs, ... }:
+{
+ services.i2pd = {
+ enable = true;
+ bandwidth = 1024; # kb/s
+ proto.http.enable = true;
+ proto.httpProxy.enable = true;
+ };
+}
diff --git a/nixos/boxes/brix/matrix-server.nix b/nixos/boxes/brix/matrix-server.nix
new file mode 100644
index 00000000..1030a2c6
--- /dev/null
+++ b/nixos/boxes/brix/matrix-server.nix
@@ -0,0 +1,42 @@
+{ config, pkgs, inputs, ... }:
+{
+ services.postgresql = {
+ enable = true;
+ initialScript = pkgs.writeText "synapse-init.sql" ''
+ CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+ CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+ TEMPLATE template0
+ LC_COLLATE = "C"
+ LC_CTYPE = "C";
+ '';
+ };
+
+ services.matrix-synapse = {
+ enable = true;
+ server_name = "cyplo.dev";
+ enable_registration = false;
+ listeners = [
+ {
+ port = 8008;
+ bind_address = "brix.vpn";
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [
+ {
+ names = [ "client" "federation" ];
+ compress = false;
+ }
+ ];
+ }
+ ];
+ app_service_config_files = [
+ ];
+ extraConfig = ''
+ experimental_features: { spaces_enabled: true }
+ '';
+ package = inputs.nixpkgs.legacyPackages."x86_64-linux".matrix-synapse;
+ };
+
+ networking.firewall.allowedTCPPorts = [ 8008 ];
+}
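Review bot: The box declares no `system.stateVersion`, so NixOS evaluates with a warning and takes every stateful default from the current release; the one that matters here is `services.postgresql.package`, which backs the synapse database in matrix-server.nix and whose default major version (and on-disk data format) would change the next time `nixpkgs-stable` is bumped. Add `system.stateVersion = "20.09";` (or the release this host was first installed with) together with a comment that the value is not to be changed on upgrades. `security.allowUserNamespaces = true` is already the NixOS default, so it either needs a comment saying why it is stated explicitly or can be dropped.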
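Review bot: `initialScript` creates the `matrix-synapse` role with the literal password `'synapse'`, and `pkgs.writeText` puts that SQL into `/nix/store`, which every local user can read, on top of the value being committed in the clear here. Since this commit adds `agenix.nixosModules.age` to the host, the password is the obvious first candidate for an `age.secrets` entry consumed at activation; alternatively the `PASSWORD` clause can be dropped and synapse left to authenticate over the local unix socket, which the 20.09 module's default database settings should be checked against. Separately, `x_forwarded = true` makes synapse trust `X-Forwarded-For` from whoever connects, yet the listener is reachable directly by any peer on the VPN address `brix.vpn` and nothing in this commit configures the reverse proxy that setting presupposes, so client addresses in logs and rate limits can be chosen by the client; a comment naming the proxy, or `x_forwarded = false` until it exists, would be safer. `networking.firewall.allowedTCPPorts = [ 8008 ]` also opens the port on every interface rather than only the VPN one; `networking.firewall.interfaces.<name>.allowedTCPPorts` scopes it.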
diff --git a/nixos/boxes/brix/print-server.nix b/nixos/boxes/brix/print-server.nix
new file mode 100644
index 00000000..88b50277
--- /dev/null
+++ b/nixos/boxes/brix/print-server.nix
@@ -0,0 +1,49 @@
+{ config, pkgs, ... }:
+{
+
+ networking.firewall.enable = true;
+ networking.firewall.allowedTCPPorts = [ 631 6566 ];
+ networking.firewall.allowedUDPPorts = [ 631 6566 ];
+ services.printing = {
+ enable = true;
+ drivers = with pkgs; [ epson-escpr ];
+ listenAddresses = [ "*:631" ];
+ defaultShared = true;
+ browsing = true;
+ allowFrom = [ "all" ];
+ extraConf = ''
+ ServerAlias *
+ DefaultEncryption Never
+ '';
+ };
+
+ hardware.printers.ensurePrinters = [{
+ description = "Epson XP-540";
+ location = "connected to brix";
+ name = "epson_xp540";
+ deviceUri = "usb://EPSON/XP-540%20Series?serial=583245393030303936&interface=1";
+ model = "raw";
+ ppdOptions = { PageSize = "A4"; };
+ }];
+
+ hardware.sane = {
+ enable = true;
+ extraBackends = with pkgs; [ epkowa utsushi sane-airscan gawk ];
+ snapshot = true;
+ };
+
+ services.udev.packages = [ pkgs.utsushi ];
+
+ environment.systemPackages = with pkgs; [ gawk ];
+ services.saned = {
+ enable = true;
+ extraConfig = ''
+ 10.0.0.0/24
+ 172.23.153.159
+ 172.23.28.139
+ 172.23.206.88
+ [fd77:8f2a:9a44::1]/60
+ '';
+ };
+
+}
diff --git a/nixos/boxes/brix/prometheus-node.nix b/nixos/boxes/brix/prometheus-node.nix
new file mode 100644
index 00000000..64d400a1
--- /dev/null
+++ b/nixos/boxes/brix/prometheus-node.nix
@@ -0,0 +1,8 @@
+{ config, pkgs, lib, ... }:
+{
+ networking.firewall.allowedTCPPorts = [ 9100 ];
+ services.prometheus = {
+ enable = true;
+ exporters.node.enable = true;
+ };
+}
diff --git a/nixos/boxes/brix/real-hardware.nix b/nixos/boxes/brix/real-hardware.nix
new file mode 100644
index 00000000..9a2f7775
--- /dev/null
+++ b/nixos/boxes/brix/real-hardware.nix
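Review bot: `allowFrom = [ "all" ]` combined with `listenAddresses = [ "*:631" ]`, `ServerAlias *`, `DefaultEncryption Never` and the global firewall openings for 631 and 6566 exposes the CUPS web and admin interface over plaintext to every network the host sits on, the DHCP LAN on `enp3s0` as well as the ZeroTier network. `services.saned` in the same file is already limited to `10.0.0.0/24` and the named VPN addresses; CUPS should get the same scope, e.g. `allowFrom = [ "localhost" "10.0.0.0/24" "172.23.153.159" "172.23.28.139" "172.23.206.88" ];`, and `DefaultEncryption Never` deserves a comment saying which client cannot negotiate TLS, since it disables the upgrade for all of them. `networking.firewall.enable = true` is the NixOS default and can go; the port lists set here, in matrix-server.nix, prometheus-node.nix and restic-server.nix merge into one global list, which is worth a one-line comment so nobody assumes they are per-service.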
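Review bot: `services.prometheus.enable = true` starts a full Prometheus server (on its default port, with no scrape targets configured in this commit) when the file name and the 9100 firewall rule suggest only the node exporter was wanted; `services.prometheus.exporters.node.enable` works without the server, so the `enable = true` line can be removed unless a scrape configuration exists elsewhere. The exporter also listens on all addresses by default while 9100 is opened on every interface, so kernel, mount and network details are readable from the LAN as well as from the scraper's VPN; `exporters.node.listenAddress = "172.23.153.159";` (the address vpn.nix assigns to this host) or a `networking.firewall.interfaces.<name>.allowedTCPPorts` rule confines it.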
@@ -0,0 +1,11 @@
+{ config, pkgs, lib, ... }:
+{
+ hardware.enableRedistributableFirmware = true;
+ services.smartd.enable = true;
+ services.fstrim.enable = true;
+ environment.systemPackages = with pkgs; [
+ smartmontools
+ ];
+ services.fwupd.enable = true;
+ services.thermald.enable = true;
+}
diff --git a/nixos/boxes/brix/restic-server.nix b/nixos/boxes/brix/restic-server.nix
new file mode 100644
index 00000000..c9b9ac79
--- /dev/null
+++ b/nixos/boxes/brix/restic-server.nix
@@ -0,0 +1,12 @@
+{ config, pkgs, ... }:
+{
+
+ networking.firewall.allowedTCPPorts = [ 8000 ];
+ services.restic.server = {
+ enable = true;
+ dataDir = "/data/restic";
+ appendOnly = true;
+ prometheus = true;
+ };
+
+}
diff --git a/nixos/boxes/brix/security.nix b/nixos/boxes/brix/security.nix
new file mode 100644
index 00000000..d8a1df51
--- /dev/null
+++ b/nixos/boxes/brix/security.nix
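Review bot: The REST server is exposed over plain HTTP: the module's `listenAddress` is left at its default of `:8000` on all interfaces, port 8000 is opened globally, and no TLS is configured, so the basic-auth credentials restic clients present cross the LAN in the clear. `appendOnly = true` protects existing snapshots from a compromised client, but not from someone who captured those credentials on the wire and can then add snapshots or read the repository. Limiting it to the VPN with `listenAddress = "172.23.153.159:8000";` (the address vpn.nix assigns to this host) or terminating TLS in front of it closes that gap. A comment is also needed on `dataDir` stating how its `.htpasswd` is provisioned, since nothing in this commit creates it and, as far as I know, rest-server refuses to start without one unless explicitly told to run without authentication.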
@@ -0,0 +1,43 @@
+{ config, pkgs, ... }:
+{
+ imports = [
+ ];
+ security.acme.email = "admin@cyplo.dev";
+ security.acme.acceptTerms = true;
+ security.forcePageTableIsolation = true;
+ security.protectKernelImage = true;
+ security.apparmor.enable = true;
+ security.lockKernelModules = true;
+
+ services.haveged.enable = true;
+ services.fail2ban.enable = true;
+
+ environment.systemPackages = with pkgs; [
+ knockknock
+ ];
+
+ services.openssh = {
+ enable = true;
+ permitRootLogin = "prohibit-password";
+ passwordAuthentication = false;
+ };
+
+ users.extraUsers.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJlCoSJ/2BHt0RqQUn2L9DPcCEJBJQWpq+74cpmeaGJL cyryl@foureighty"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDN/2C59i+ucvSa9FLCHlVPJp0zebLOcw0+hnBYwy0cY cyryl@skinnyv"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJwZ4M6lT2yzg8iarCzsLADAuXS4BUkLTt1+mKCECczk nix-builder@brix"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALNEUIxbENTdhSWzYupGFn/q+AGe0diBOTMyiZAmv7F nix-builder@vultr1"
+ ];
+
+ users.users.nix-builder = {
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJlCoSJ/2BHt0RqQUn2L9DPcCEJBJQWpq+74cpmeaGJL cyryl@foureighty"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDN/2C59i+ucvSa9FLCHlVPJp0zebLOcw0+hnBYwy0cY cyryl@skinnyv"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJwZ4M6lT2yzg8iarCzsLADAuXS4BUkLTt1+mKCECczk nix-builder@brix"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALNEUIxbENTdhSWzYupGFn/q+AGe0diBOTMyiZAmv7F nix-builder@vultr1"
+ ];
+ };
+
+ nix.trustedUsers = [ "root" "nix-builder" ];
+}
diff --git a/nixos/boxes/brix/vpn.nix b/nixos/boxes/brix/vpn.nix
new file mode 100644
index 00000000..7c3ce406
--- /dev/null
+++ b/nixos/boxes/brix/vpn.nix
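Review bot: `nix.trustedUsers = [ "root" "nix-builder" ]` makes `nix-builder` root-equivalent in practice, since a trusted user can import unsigned store paths and override daemon settings such as the sandbox, yet the account is declared as an ordinary `isNormalUser` carrying the same four authorized keys as root, including this host's own `nix-builder@brix` key. The grant is what remote builds need, so keep it but document it: `# trusted-users may import unsigned store paths: treat nix-builder as root-equivalent` above the `nix.trustedUsers` line, and decide whether the two `cyryl@*` keys really need to be on both accounts. The key list is duplicated verbatim; a `let builderKeys = [ ... ]; in` at the top of the module, referenced from both `users.extraUsers.root.openssh.authorizedKeys.keys` and `users.users.nix-builder.openssh.authorizedKeys.keys`, stops the two copies drifting apart. Minor: `imports = [ ];` is empty, and `users.extraUsers` is the older alias of `users.users` used a few lines below.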
@@ -0,0 +1,16 @@
+{ config, pkgs, ... }:
+{
+ nixpkgs.config = {
+ allowUnfree = true;
+ };
+
+ services.zerotierone = {
+ enable = true;
+ joinNetworks = [ "d3ecf5726d580b5a" ];
+ };
+
+ networking.hosts = {
+ "172.23.153.159" = [ "brix.vpn" ];
+ "172.23.28.139" = [ "vultr1.vpn" ];
+ };
+}
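Review bot: `nixpkgs.config.allowUnfree = true` lifts the unfree restriction for the whole system in order to admit one package; a predicate keeps the exception explicit and reviewable, `allowUnfreePredicate = pkg: builtins.elem (pkgs.lib.getName pkg) [ "zerotierone" ];` in place of the `allowUnfree = true` line. The `networking.hosts` entries are what `bind_address = "brix.vpn"` in matrix-server.nix resolves to, so the block should carry a comment naming that dependency and stating that the addresses must match the ZeroTier assignments for network `d3ecf5726d580b5a`. Because the mapping is static, a changed ZeroTier address would leave synapse trying to bind an address the host no longer owns, which presumably fails at service start rather than being noticed here.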