Compare commits


No commits in common. "cdc6b0cb2a0c62a7dcb6e9255f57b1759a901a84" and "98524cf76e0fc2ec8e108eea4beb5f02896c0cc2" have entirely different histories.

27 changed files with 181 additions and 1460 deletions

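--- a/.envrc
+++ b/.envrc
@@ -1 +0,0 @@
-use nix;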

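--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1 @@
 keys.toml
-.direnv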

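--- a/animal/Makefile
+++ b/animal/Makefile
@@ -0,0 +1,3 @@
+.PHONY: deploy
+deploy:
+nixos-rebuild switch --fast -I nixos-config=./configuration.nix --build-host root@animal.chandlerswift.com --target-host root@animal.chandlerswift.com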

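--- a/animal/configuration.nix
+++ b/animal/configuration.nix
@@ -0,0 +1,75 @@
+{ config, lib, pkgs, ... }: {
+# config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
+# "minecraft-server"
+# ];
+imports = [
+./hardware-configuration.nix
+./web.nix
+./monitoring.nix
+./kathe.nix
+./eric.nix
+];
+networking.hostName = "animal";
+time.timeZone = "America/Chicago";
+i18n.defaultLocale = "en_US.UTF-8";
+fileSystems."/mnt/nas" = {
+device = "//home.chandlerswift.com/chandlerpublic";
+fsType = "cifs";
+options = [ "guest" "port=55445" ];
+};
+# services.minecraft-server = {
+# enable = true;
+# declarative = true;
+# eula = true;
+# dataDir = "/srv/minecraft";
+# openFirewall = true;
+# whitelist = {
+# chandlerswift = "04095aeb-edec-3c3f-b0d5-d703fab53c9c";
+# villlater = "90b7fcd6-9f43-38c5-8ea2-163f13b092f0";
+# LarryHorton = "de963636-138f-3ef4-8c52-a2dcf9a328f4";
+# IsaacSwift = "88e17365-4b63-3385-a4b6-b2c4864b0b98";
+# Mayornnaise = "be25bf89-ef07-3fa3-926b-20b939df62f1";
+# Ripptide66 = "a94051cb-5769-3726-86b5-bc9fe4cbe5f5";
+# };
+# };
+services.murmur = {
+# TODO https://nixos.org/manual/nixos/stable/options#opt-services.murmur.enable
+# TODO https://github.com/azlux/botamusique
+#enable = true;
+};
+environment.systemPackages = with pkgs; [ rsync ];
+services.openssh.enable = true;
+users.users.root.openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEhPyyqS3BGYor3zLbjc8hZuhem3mS8TNmvWogXcnz/b chandler@chandlerswift.com'' ];
+# services.jitsi-meet = {
+# enable = true;
+# hostName = "meet.animal.chandlerswift.com";
+# nginx.enable = false;
+# caddy.enable = true;
+# };
+# services.jitsi-videobridge.openFirewall = true;
+networking.firewall.allowedTCPPorts = [
+80 # Caddy
+443 # Caddy
+];
+# networking.firewall.allowedUDPPorts = [ ... ];
+# This option defines the first version of NixOS you have installed on this particular machine,
+# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+#
+# Most users should NEVER change this value after the initial install, for any reason,
+# even if you've upgraded your system to a new NixOS release.
+system.stateVersion = "24.05";
+}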
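Review bot: `services.openssh.enable = true;` leaves password authentication at the module default, whereas the deleted bert configuration.nix paired the same root key with `services.openssh.settings.PasswordAuthentication = false;`; root on this host is key-only too, so carry that line over next to `services.openssh.enable = true;`. The `/mnt/nas` CIFS entry has no `nofail` or `x-systemd.automount` option, so if home.chandlerswift.com is unreachable when the VM boots the mount unit can delay or fail startup — confirm which behaviour is intended and record it in a comment. The `services.murmur = { ... };` block with its `#enable = true;` is currently a no-op and reads as a leftover; a one-line comment marking it as a placeholder would help the next reader.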

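--- a/animal/eric.nix
+++ b/animal/eric.nix
@@ -0,0 +1,17 @@
+{
+# users.users.eric = {
+# isNormalUser = true;
+# description = "Eric Villnow";
+# openssh.authorizedKeys.keys = [
+# # TODO
+# ];
+# };
+services.caddy.virtualHosts."nas.ericvillnow.com" = {
+serverAliases = ["nas.vill.how"];
+extraConfig = ''
+reverse_proxy http://192.168.10.11:80
+'';
+};
+}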
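Review bot: The `nas.ericvillnow.com` vhost publishes whatever listens on `192.168.10.11:80` to the internet with TLS terminated by Caddy and no access control at the proxy, and nothing in the file says what that device is; add a comment above `reverse_proxy http://192.168.10.11:80` such as `# Eric's NAS web UI (LAN address); reachable from the internet, relies on the NAS's own login`. If unrestricted exposure is not the intent, gate the route with a `remote_ip` matcher or Caddy's authentication directive ahead of the `reverse_proxy`. Whether `animal` can actually route to that private address is not visible here — presumably it shares a network or tunnel with the NAS, which the same comment should mention.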


@ -0,0 +1,19 @@
{ modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.loader.grub = {
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
};
fileSystems."/boot" = { device = "/dev/disk/by-uuid/FDD2-F69B"; fsType = "vfat"; };
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = { device = "/dev/vda2"; fsType = "ext4"; };
swapDevices = [{
device = "/swapfile";
size = 4 * 1024; # 4GB
}];
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
}
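Review bot: `fileSystems."/"` is declared by the bare device node `/dev/vda2` while `/boot` a few lines earlier uses a `/dev/disk/by-uuid/` path; virtio disk naming can shift when disks are added or reordered on the host, so the root entry should use its UUID as well, `fileSystems."/" = { device = "/dev/disk/by-uuid/<root-fs-uuid>"; fsType = "ext4"; };` with the real value filled in. The file's name is not shown in this rendering; from the `imports` in animal/configuration.nix it is presumably `animal/hardware-configuration.nix`, and unlike the deleted bert one it carries no "generated by nixos-generate-config" header, so a short comment saying it is hand-maintained would avoid someone regenerating over it.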

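--- a/animal/kathe.nix
+++ b/animal/kathe.nix
@@ -0,0 +1,26 @@
+{
+users.users.kathe = {
+isNormalUser = true;
+description = "Käthe Swift";
+openssh.authorizedKeys.keys = [
+# TODO: ed25519
+"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDTORULg2qqAJs5i9V7YpavlDaQBdPsEtj7s23B50qRz+VjP9rNQC8F2bVgI1BbI7CqQho2IFCG2nAiBqciLAMxTqaihI6OlNyhVJvkVSXxy2ru8NEKTPA2UnciepxeyQGfgstv8d+8mLiDbcytWDbtNoTymhy5DjCwki8gnQQTO1XVcJr5N12OsvoaCcikYQwTcxgXG0rVxlg/DUQJeaV1hZdHwpgr1cbdX2JxMONo8wcW5Ox5ZJs/+Zz72iOfoa9DXJChfdOQ5dMC+WVGwd3JbHQLWQmnCepYBKiUv8JMN7ZkDBcyIFJ+dc7F/CwBrPAF9g93GEauEilWulKV4AmbqdxY+lK/hp0fSr69H4bkqLmeAeXTHIlTge1FuQKNSKHeBhQ4y7OxDc0IEzDCE7OXT04fn6etsZcFb2JIYhFZWKGxiwSYWAjfdkmVnC48sC6Q3Heonk/IxZwbKVOUlo7B0q43A4PzTWiOWFcFKDGXn3KrNRCXuLfaYxYDyTEc2ss="
+];
+};
+services.caddy.virtualHosts."piano.animal.chandlerswift.com".extraConfig = ''
+encode gzip
+file_server
+root /srv/piano.animal.chandlerswift.com
+# hide .git # ???
+'';
+systemd.tmpfiles.settings."10-piano-animal-chandlerswift-com" = {
+"/srv/piano.animal.chandlerswift.com" = {
+d = {
+user = "kathe";
+mode = "0755";
+};
+};
+};
+}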
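Review bot: `# hide .git # ???` leaves the directive disabled in the `piano.animal.chandlerswift.com` file_server block, and animal/web.nix has the same commented line in its `maps` vhost; if either document root is deployed as a git checkout, the `.git` directory (full history, plus anything ever committed there) is served to anyone who requests it, since as far as I know Caddy's file_server does not hide dot-files unless told to — worth verifying against the Caddy version in use. Either enable it as `hide .git` in both vhosts, or replace the `???` with a comment stating why the directory cannot contain a checkout. The `d` tmpfiles rule sets `user = "kathe"` but no `group`, so the directory will presumably end up `kathe:root` with mode 0755; fine if intended, but a short comment on who deploys the site would make that explicit.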

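--- a/animal/monitoring.nix
+++ b/animal/monitoring.nix
@@ -0,0 +1,20 @@
+{
+services.grafana = {
+enable = true;
+settings = {
+server = {
+http_addr = "127.0.0.1";
+http_port = 3000;
+domain = "monitoring.animal.chandlerswift.com";
+};
+};
+};
+services.prometheus = {
+enable = true;
+};
+services.caddy.virtualHosts."monitoring.animal.chandlerswift.com".extraConfig = ''
+reverse_proxy :3000
+'';
+}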
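Review bot: The `monitoring.animal.chandlerswift.com` vhost proxies Grafana to the internet, yet `services.grafana.settings` contains no `security` section, so the admin login runs on Grafana's defaults; if `admin_password` is left at the stock value the dashboards and data-source configuration are open to anyone — set it from a secret, e.g. `security.admin_password = "$__file{<path-to-secret>}";`, and state `"auth.anonymous".enabled = false;` explicitly. `server.domain` is set but `server.root_url` is not, whereas the deleted bert monitoring.nix set it; Grafana derives its default root URL from protocol, domain and `http_port`, which here yields `http://monitoring.animal.chandlerswift.com:3000/` and can break login redirects behind the HTTPS proxy — confirm and add `root_url = "https://monitoring.animal.chandlerswift.com/";`. `services.prometheus.enable = true;` comes with no `scrapeConfigs` or exporters, so unlike the deleted config (caddy and node jobs) it collects nothing and no data source is declared for Grafana; if this is a placeholder, say so in a comment, otherwise bring the scrape jobs across.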

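--- a/animal/web.nix
+++ b/animal/web.nix
@@ -0,0 +1,20 @@
+{
+services.caddy = {
+enable = true;
+virtualHosts."animal.chandlerswift.com".extraConfig = ''
+respond "Hello, world!"
+'';
+};
+services.caddy.virtualHosts."maps.animal.chandlerswift.com".extraConfig = ''
+encode gzip
+file_server
+root /srv/maps.animal.chandlerswift.com
+# hide .git # ???
+'';
+systemd.tmpfiles.settings."10-maps-animal-chandlerswift-com" = {
+"/srv/maps.animal.chandlerswift.com" = {
+d = {};
+};
+};
+}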
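Review bot: `services.caddy.enable = true;` carries no `email`, while the deleted bert services/http/index.nix set `email = "chandler@chandlerswift.com";`; without it the ACME account behind the public vhosts has no contact address for expiry or policy notices — add `email = "chandler@chandlerswift.com";` next to `enable = true;`. The `servers { metrics }` global block from that file is gone as well, which matters if the Prometheus instance in animal/monitoring.nix is ever meant to scrape Caddy. The `maps` tmpfiles rule `d = {};` creates `/srv/maps.animal.chandlerswift.com` with default ownership (presumably root), unlike the piano rule in animal/kathe.nix which sets a `user`; a comment on who is expected to write there would save a chmod later.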


@ -1,16 +0,0 @@
# https://stackoverflow.com/a/23324703
current_dir:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
.PHONY: deploy
deploy:
rsync -avz $(current_dir)/ root@bert:config/
ssh root@bert nixos-rebuild switch --fast -I nixos-config=/root/config/configuration.nix
.PHONY: local-build-deploy
local-build-deploy:
nixos-rebuild switch --fast -I nixos-config=./configuration.nix --build-host root@bert --target-host root@bert
.PHONY: deploy-upgrade
deploy-upgrade:
rsync -avz $(current_dir)/ root@bert:config/
ssh root@bert nixos-rebuild switch --upgrade-all --fast -I nixos-config=/root/config/configuration.nix


@ -1,23 +0,0 @@
# Installation
1. Install NixOS minimal
2. `ssh-keygen -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key`
2. Enable SSH server and add root SSH key
3. Deploy updated config with `make`
4. Set up [Remote Disk Unlocking](https://nixos.wiki/wiki/Remote_disk_unlocking)
1. mkdir -p /etc/secrets/initrd && ssh-keygen -N "" -f /etc/secrets/initrd/ssh_host_25519_key
5. Deploy content to web services
# Notes on Caddy
Until 2.8 is released with 24.11, Caddy has a pretty limited sense of what
content-types should be compressed:
https://github.com/caddyserver/caddy/blob/v2.7.6/modules/caddyhttp/encode/encode.go#L85-L101
Specifically, this doesn't include GeoJSON, which is a bit of a shame for
maps.chandlerswift.com. That said, I'll probably be upgrading to 24.11 as soon
as it comes out, so in the intervening time I'm just not going to worry about
it.
The list was expanded in this PR:
https://github.com/caddyserver/caddy/pull/6081


@ -1,70 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports =
[
./hardware-configuration.nix
./services/factorio.nix
./services/http/index.nix
./services/monitoring.nix
./services/forgejo.nix
];
# Bootloader
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.timeout = 1;
# Set up SSH unlocking
boot.kernelParams = [ "ip=dhcp" ];
boot.initrd = {
availableKernelModules = [ "e1000e" ];
network = {
enable = true;
flushBeforeStage2 = true; # Without this, stage2 IPv6 config is messed up?
ssh = {
enable = true;
port = 22;
authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEhPyyqS3BGYor3zLbjc8hZuhem3mS8TNmvWogXcnz/b chandler@chandlerswift.com" ];
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
shell = "/bin/cryptsetup-askpass";
};
};
};
boot.initrd.luks.devices."luks-48836129-1aa0-45c7-9fd1-6b053fa620b1".device = "/dev/disk/by-uuid/48836129-1aa0-45c7-9fd1-6b053fa620b1";
networking.hostName = "bert";
# Enable networking
networking.networkmanager.enable = true;
time.timeZone = "America/Chicago";
i18n.defaultLocale = "en_US.UTF-8";
services.xserver.xkb = {
layout = "us";
variant = "";
};
environment.systemPackages = with pkgs; [
rsync
];
# Enable the OpenSSH daemon.
services.openssh.enable = true;
services.openssh.settings.PasswordAuthentication = false;
users.users.root.openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEhPyyqS3BGYor3zLbjc8hZuhem3mS8TNmvWogXcnz/b chandler@chandlerswift.com'' ];
networking.firewall.allowedTCPPorts = [
80 # Caddy
443 # Caddy
];
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "24.05"; # Did you read the comment?
}


@ -1,42 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/5abc0802-3969-460c-8089-5fec9f985c18";
fsType = "ext4";
};
boot.initrd.luks.devices."luks-da40f6d2-49d7-4a55-8a2e-94fa5f28dbbc".device = "/dev/disk/by-uuid/da40f6d2-49d7-4a55-8a2e-94fa5f28dbbc";
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/B684-07FB";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices =
[ { device = "/dev/disk/by-uuid/f5d7bb99-03aa-4f7c-9d4a-e264ceb514c6"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -1,17 +0,0 @@
{
# nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
# "factorio-headless"
# ];
services.factorio = let
factorio-nixpkgs = import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/7e35ac30ea1d236419653182559367ecd8a30675.tar.gz") {
config.allowUnfree = true;
};
in {
enable = true;
package = factorio-nixpkgs.factorio-headless;
openFirewall = true;
nonBlockingSaving = true;
game-name = "Chandler's Factorio Server";
description = "Job 28:2";
};
}


@ -1,19 +0,0 @@
{
services.forgejo = {
enable = true;
settings = {
DEFAULT = {
APP_NAME = "Forgejo: Beyond coding. We Forge."; # TODO
};
server = {
# USE_PROXY_PROTOCOL = true;
DOMAIN = "git.chandlerswift.com";
#SSH_DOMAIN = "git.chandlerswift.com";
ROOT_URL = "https://git.chandlerswift.com/";
HTTP_PORT = 3001;
LANDING_PAGE = "/chandlerswift";
};
service.DISABLE_REGISTRATION = true;
};
};
}



@ -1,13 +0,0 @@
{
services.caddy.virtualHosts."files.chandlerswift.com".extraConfig = ''
encode zstd gzip
file_server
root * /srv/www/files.chandlerswift.com
'';
systemd.tmpfiles.settings."10-files-chandlerswift-com" = {
"/srv/www/files.chandlerswift.com" = {
d = {};
};
};
}


@ -1,5 +0,0 @@
{config, ...}: {
services.caddy.virtualHosts."git.chandlerswift.com".extraConfig = ''
reverse_proxy localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}
'';
}


@ -1,15 +0,0 @@
{
services.caddy.virtualHosts."home.chandlerswift.com".extraConfig = ''
encode zstd gzip
file_server
root * /srv/www/home.chandlerswift.com
reverse_proxy /grafana/* localhost:3000
# hide .git # ???
'';
systemd.tmpfiles.settings."10-home-chandlerswift-com" = {
"/srv/www/home.chandlerswift.com" = {
d = {};
};
};
}


@ -1,21 +0,0 @@
{
imports = [
./files.chandlerswift.com.nix
./git.chandlerswift.com.nix
./home.chandlerswift.com.nix
./katherineandchandler.com.nix
./maps.chandlerswift.com.nix
./stjohnscccc.org.nix
./swiftgang.net.nix
];
services.caddy = {
enable = true;
email = "chandler@chandlerswift.com";
globalConfig = ''
servers {
metrics # Enable Prometheus monitoring
}
'';
};
}


@ -1,14 +0,0 @@
{
services.caddy.virtualHosts."katherineandchandler.com".extraConfig = ''
encode zstd gzip
file_server
root * /srv/www/katherineandchandler.com
# hide .git # ???
'';
systemd.tmpfiles.settings."10-katherineandchandler-com" = {
"/srv/www/katherineandchandler.com" = {
d = {};
};
};
}


@ -1,14 +0,0 @@
{
services.caddy.virtualHosts."maps.chandlerswift.com".extraConfig = ''
encode zstd gzip
file_server
root * /srv/www/maps.chandlerswift.com
# hide .git # ???
'';
systemd.tmpfiles.settings."10-maps-chandlerswift-com" = {
"/srv/www/maps.chandlerswift.com" = {
d = {};
};
};
}


@ -1,54 +0,0 @@
{ pkgs, lib, config, ... }:
let
app = "stjohnscccc";
domain = "${app}.chandlerswift.com"; # TODO
dataDir = "/srv/www/stjohnscccc.org";
in {
services.phpfpm.pools.${app} = {
user = app;
settings = {
"listen.owner" = config.services.caddy.user;
"pm" = "dynamic";
"pm.max_children" = 32;
# "pm.max_requests" = 500;
"pm.start_servers" = 1;
"pm.min_spare_servers" = 1;
"pm.max_spare_servers" = 4;
"php_admin_value[error_log]" = "stderr";
"php_admin_flag[log_errors]" = true;
"catch_workers_output" = true;
};
# phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
};
services.caddy.virtualHosts.${domain}.extraConfig = ''
root * ${dataDir}/public
handle /downloads/* {
file_server {
browse ${./caddy-browse-template.html}
hide .gitignore
}
}
handle {
encode zstd gzip
php_fastcgi unix/${config.services.phpfpm.pools.${app}.socket}
file_server
}
handle_errors {
respond "{err.status_code} {err.status_text}"
}
'';
users.users.${app} = {
isSystemUser = true;
home = dataDir;
group = app;
};
users.groups.${app} = {};
systemd.tmpfiles.settings."10-stjohnscccc.org" = {
"/srv/www/stjohnscccc.org" = {
d = {};
};
};
}


@ -1,13 +0,0 @@
{
services.caddy.virtualHosts."swiftgang.net".extraConfig = ''
encode zstd gzip
file_server
root * /srv/www/swiftgang.net
'';
systemd.tmpfiles.settings."10-swiftgang-net" = {
"/srv/www/swiftgang.net" = {
d = {};
};
};
}


@ -1,41 +0,0 @@
{
services.prometheus = {
enable = true;
scrapeConfigs = [
{
job_name = "caddy";
static_configs = [{
targets = [
"localhost:2019"
];
}];
}
{
job_name = "node";
static_configs = [{
targets = [
"localhost:9100"
];
}];
}
];
exporters.node = {
enable = true;
# https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/monitoring/prometheus/exporters.nix
enabledCollectors = [ "systemd" ];
# /nix/store/zgsw0yx18v10xa58psanfabmg95nl2bb-node_exporter-1.8.1/bin/node_exporter --help
# extraFlags = [ "--collector.ethtool" "--collector.softirqs" "--collector.tcpstat" "--collector.wifi" ];
};
};
services.grafana = {
enable = true;
settings = {
server = {
root_url = "https://home.chandlerswift.com/grafana/";
serve_from_sub_path = true;
};
};
};
}


@ -138,6 +138,7 @@
libreoffice-qt libreoffice-qt
prismlauncher prismlauncher
qgis qgis
thunderbird
# command line applications # command line applications
beets beets
@ -162,8 +163,6 @@
factorio factorio
]; ];
programs.thunderbird.enable = true;
programs.bash.enable = true; programs.bash.enable = true;
programs.direnv = { programs.direnv = {


@ -1,11 +0,0 @@
let
# nixpkgs = fetchTarball "https://github.com/NixOS/nixpkgs/tarball/nixos-24.05";
pkgs = import <nixpkgs> { config = {}; overlays = []; };
in
pkgs.mkShellNoCC {
packages = with pkgs; [
# nixd
gnumake
];
}