diff --git a/flake.nix b/flake.nix
index cdc51c6..c6e944f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -26,59 +26,70 @@ }; outputs = { self, nixpkgs, home-manager, ... }@inputs: let - inherit (nixpkgs) lib; - system = "x86_64-linux"; - pkgs = import nixpkgs { + systems = [ "x86_64-linux" "aarch64-linux" ]; + + forSystems = nixpkgs.lib.genAttrs systems; + + nixpkgsFor = system: import nixpkgs { inherit system; }; - deploy-rs-lib = inputs.deploy-rs.lib.${system}; - agenixModule = inputs.agenix.nixosModules.age; + inherit (nixpkgs) lib; aspect = import ./modules inputs; hosts = import ./hosts; + + nixosHosts' = lib.filterAttrs (_: host: host ? nixos) hosts; + + nixosHosts = lib.attrNames nixosHosts'; + + meta = import ./tools/meta.nix; + specialArgs = { inherit inputs hosts aspect; toolsets = import ./tools; }; - mkNixOS' = lib: name: lib.nixosSystem { - inherit system; + mkNixOS' = lib: name: let host = hosts.${name}; in lib.nixosSystem { inherit specialArgs; - modules = [ hosts."${name}".nixos ./tools/inject.nix ]; + system = "${host.arch}-linux"; + modules = [ host.nixos ./tools/inject.nix ]; }; mkNixOS = mkNixOS' lib; - in { - nixosModules = aspect.modules; - nixosConfigurations = lib.genAttrs [ - "VEGAS" - ] mkNixOS; - deploy.nodes = with deploy-rs-lib; { - VEGAS = { - hostname = "vegas.backbone.privatevoid.net"; - profiles.system = { - user = "root"; - sshUser = "deploy"; - path = activate.nixos self.nixosConfigurations.VEGAS; - }; + mkDeploy = name: let + host = hosts.${name}; + subdomain = host.enterprise.subdomain or "services"; + deploy-rs = inputs.deploy-rs.lib."${host.arch}-linux"; + in { + hostname = "${lib.toLower name}.${subdomain}.${meta.domain}"; + profiles.system = { + user = "root"; + sshUser = "deploy"; + path = deploy-rs.activate.nixos self.nixosConfigurations.${name}; }; }; - packages.${system} = import ./packages { - inherit pkgs inputs; - }; + mkDeployments = hosts: overrides: lib.genAttrs hosts + (host: mkDeploy host // (overrides.${host} or {}) ); - apps.${system} = { + in { + nixosModules = aspect.modules; + + nixosConfigurations = 
lib.genAttrs nixosHosts mkNixOS; + + deploy.nodes = mkDeployments nixosHosts {}; + + packages = forSystems (system: import ./packages { + inherit inputs; + pkgs = nixpkgsFor system; + }); + + apps = forSystems (system: { dream2nix = inputs.dream2nix.defaultApp.${system}; - }; - - defaultApp.${system} = { - type = "app"; - program = self.packages.${system}.flake-installer.outPath; - }; + }); hydraJobs = { - systems.${system} = lib.mapAttrs (_: x: x.config.system.build.toplevel) self.nixosConfigurations; + systems = lib.mapAttrs (_: x: x.config.system.build.toplevel) self.nixosConfigurations; packages = self.packages; }; }; diff --git a/hosts/VEGAS/default.nix b/hosts/VEGAS/default.nix index 5c2d52c..b6c66ca 100644 --- a/hosts/VEGAS/default.nix +++ b/hosts/VEGAS/default.nix @@ -25,5 +25,6 @@ tools: { subdomain = "backbone"; }; + arch = "x86_64"; nixos = import ./system.nix; } diff --git a/hosts/VEGAS/services/ipfs/default.nix b/hosts/VEGAS/services/ipfs/default.nix index f12097a..62aef9c 100644 --- a/hosts/VEGAS/services/ipfs/default.nix +++ b/hosts/VEGAS/services/ipfs/default.nix 
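Review bot: `mkNixOS'` and `mkDeploy` both read `host.arch` with no fallback, so a host entry that has `nixos` but no `arch` fails evaluation with a bare "attribute 'arch' missing" that does not name the host; `arch = host.arch or (throw "host ${name}: missing arch");` in the `let` of each would make that error actionable. The SSH target of every deploy node is now derived as `${lib.toLower name}.${subdomain}.${meta.domain}` instead of being spelled out, so a wrong `enterprise.subdomain` or `meta.domain` silently points deploy-rs at a different machine; a short comment on `mkDeploy` stating that naming convention is worth adding. `hydraJobs.systems` also loses its per-system level, which renames every existing Hydra job, and the commit message should say so. The outer flake attrset closes past the end of this hunk.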
@@ -1,75 +1,14 @@ -{ config, lib, pkgs, tools, ... }: +{ aspect, config, lib, pkgs, tools, ... }: with tools.nginx; let inherit (tools.meta) domain; cfg = config.services.ipfs; - apiAddress = "/unix/run/ipfs/ipfs-api.sock"; - ipfsApi = pkgs.writeTextDir "api" apiAddress; gwPort = config.portsStr.ipfsGateway; in { - reservePortsFor = [ "ipfsGateway" ]; - - networking.firewall = { - allowedTCPPorts = [ 4001 ]; - allowedUDPPorts = [ 4001 ]; - }; - - services.ipfs = { - enable = true; - startWhenNeeded = false; - autoMount = true; - - inherit apiAddress; - gatewayAddress = "/ip4/127.0.0.1/tcp/${gwPort}"; - dataDir = "/srv/storage/ipfs/repo"; - localDiscovery = false; - - extraConfig = { - Bootstrap = [ - "/ip4/168.235.67.108/tcp/4001/p2p/QmRMA5pWXtfuW1y5w2t9gYxrDDD6bPRLKdWAYnHTeCxZMm" - "/ip4/51.38.87.150/tcp/4001/p2p/12D3KooWDUgNsoLVauCDpRAo54mc4whoBudgeXQnZZK2iVYhBLCN" - ]; - API.HTTPHeaders = { - Access-Control-Allow-Origin = [ - "https://ipfs.admin.${domain}" - "http://127.0.0.1:5001" - ]; - Access-Control-Allow-Methods = [ "PUT" "POST" ]; - }; - Gateway = { - Writable = false; - APICommands = []; - HTTPHeaders = { - Access-Control-Allow-Headers = [ - "X-Requested-With" - "Range" - "User-Agent" - ]; - Access-Control-Allow-Methods = [ - "GET" - ]; - Access-Control-Allow-Origin = [ - "*" - ]; - }; - }; - }; - }; - - systemd.sockets = { - ipfs-api.enable = false; - ipfs-gateway.enable = false; - }; - - systemd.tmpfiles.rules = [ "d '/run/ipfs' 0750 ${cfg.user} ${cfg.group} - -" ]; - - - systemd.services.ipfs = { - environment.LIBP2P_FORCE_PNET = "1"; - serviceConfig.Slice = "remotefshost.slice"; - postStart = "chmod 660 /run/ipfs/ipfs-api.sock"; - }; + imports = [ + aspect.modules.ipfs + ]; systemd.slices.remotefshost.sliceConfig = { IOWeight = 5; 
@@ -87,12 +26,6 @@ in ]; }; - environment.variables.IPFS_PATH = lib.mkForce "${ipfsApi}"; - - environment.shellAliases = { - ipfs-admin = "sudo -u ${cfg.user} env IPFS_PATH=${cfg.dataDir} ipfs"; - }; - users.users.nginx.extraGroups = [ cfg.group ]; services.nginx.virtualHosts = { diff --git a/hosts/VEGAS/system.nix b/hosts/VEGAS/system.nix index 03eab5e..264a786 100644 --- a/hosts/VEGAS/system.nix +++ b/hosts/VEGAS/system.nix @@ -27,7 +27,6 @@ ./services/hyprspace ./services/ipfs ./services/jokes - ./services/meet ./services/nextcloud ./services/nfs ./services/mail diff --git a/hosts/default.nix b/hosts/default.nix index 67bc32d..6b27a0e 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -4,6 +4,7 @@ in with tools.dns; { # NixOS machines VEGAS = import ./VEGAS tools; + prophet = import ./prophet tools; # Non-NixOS machine metadata AnimusAlpha = let hostNames = [ "alpha.animus.com" "animus.com" ]; in { diff --git a/hosts/prophet/default.nix b/hosts/prophet/default.nix new file mode 100644 index 0000000..fb65bbf --- /dev/null +++ b/hosts/prophet/default.nix @@ -0,0 +1,26 @@ +tools: { + ssh.id = with tools.dns; { + publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJZ4FyGi69MksEn+UJZ87vw1APqiZmPNlEYIr0CbEoGv"; + hostNames = subResolve "prophet" "node"; + }; + + interfaces = { + primary = { + addr = "10.0.0.92"; + addrPublic = "152.67.76.138"; + link = "enp0s3"; + }; + }; + +# hypr = { +# id = ""; +# addr = "10.100.3.9"; +# }; + + enterprise = { + subdomain = "node"; + }; + + arch = "aarch64"; + nixos = import ./system.nix; +} diff --git a/hosts/prophet/hardware-configuration.nix b/hosts/prophet/hardware-configuration.nix new file mode 100644 index 0000000..3b47d1f --- /dev/null +++ b/hosts/prophet/hardware-configuration.nix 
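Review bot: `addrPublic` on `interfaces.primary` is doing double duty: besides recording the public address, its mere presence is what `services/meet` uses to decide the host is behind NAT (`isNAT = interfaces.primary ? addrPublic`), and nothing in this file says so. A one-line comment above it, `# addrPublic: set only for hosts behind NAT; services/meet keys ICE NAT harvesting off its presence`, would stop someone adding it to a host whose public address is directly routed. The commented-out `hypr` block with `id = "";` is a placeholder that will go stale; drop it or replace it with a TODO naming what is still missing.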
@@ -0,0 +1,25 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "virtio_pci" "usbhid" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/68a66c53-17c1-402f-b0e0-5f9c3c1628a4";
+ fsType = "xfs";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/A368-4D28";
+ fsType = "vfat";
+ };
+}
diff --git a/hosts/prophet/modules/nginx/default.nix b/hosts/prophet/modules/nginx/default.nix
new file mode 100644
index 0000000..7ff77d7
--- /dev/null
+++ b/hosts/prophet/modules/nginx/default.nix
@@ -0,0 +1,39 @@
+{ lib, config, tools, ... }:
+
+let
+ inherit (tools.meta) domain adminEmail;
+in
+ with tools.nginx.vhosts;
+ with tools.nginx.mappers;
+{
+ security.acme.email = adminEmail;
+ security.acme.acceptTerms = true;
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ proxyResolveWhileRunning = false;
+ resolver = {
+ addresses = [ "127.0.0.1" ];
+ valid = "30s";
+ };
+ appendHttpConfig = ''
+ server_names_hash_bucket_size 128;
+ proxy_headers_hash_max_size 4096;
+ proxy_headers_hash_bucket_size 128;
+ '';
+ };
+ services.phpfpm.pools.www = {
+ inherit (config.services.nginx) user group;
+ settings = {
+ pm = "ondemand";
+ "pm.max_children" = 16;
+ "listen.owner" = config.services.nginx.user;
+ "listen.group" = config.services.nginx.group;
+ };
+ };
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ systemd.services.nginx.after = [ "network-online.target" ];
+}
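Review bot: `services.phpfpm.pools.www` starts a PHP-FPM pool on prophet although nothing this commit puts on the host (Jitsi Meet, IPFS) serves PHP, so it is an idle FastCGI listener running as the nginx user with no consumer; drop it from this host or add a comment naming the service it is reserved for. `resolver.addresses = [ "127.0.0.1" ]` assumes a resolver listening locally, and `hosts/prophet/system.nix` does not visibly configure one, so unless `aspect.sets.server` provides it, nginx cannot resolve any upstream given by name; a comment such as `# relies on the local resolver from aspect.sets.server` (if that is where it comes from) would make the dependency explicit.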
diff --git a/hosts/VEGAS/services/meet/default.nix b/hosts/prophet/services/meet/default.nix
similarity index 62%
rename from hosts/VEGAS/services/meet/default.nix
rename to hosts/prophet/services/meet/default.nix
index fe208a9..528bfd8 100644
--- a/hosts/VEGAS/services/meet/default.nix
+++ b/hosts/prophet/services/meet/default.nix
@@ -1,4 +1,10 @@
-{ lib, tools, ... }:
+{ config, lib, hosts, tools, ... }:
+let
+ host = hosts.${config.networking.hostName};
+ inherit (host) interfaces;
+
+ isNAT = interfaces.primary ? addrPublic;
+in
 {
 services.jitsi-meet = {
 enable = true;
@@ -24,4 +30,11 @@
 };
 });
 boot.kernel.sysctl."net.core.rmem_max" = lib.mkForce 10485760;
+
+ environment.etc."jitsi/videobridge/sip-communicator.properties" = lib.optionalAttrs isNAT {
+ text = ''
+ org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=${interfaces.primary.addr}
+ org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=${interfaces.primary.addrPublic}
+ '';
+ };
 }
diff --git a/hosts/prophet/system.nix b/hosts/prophet/system.nix
new file mode 100644
index 0000000..1ac9275
--- /dev/null
+++ b/hosts/prophet/system.nix
@@ -0,0 +1,44 @@
+{ aspect, inputs, config, pkgs, ... }:
+
+{
+ imports =
+ [
+ # Hardware
+ ./hardware-configuration.nix
+
+ ./modules/nginx
+ inputs.agenix.nixosModules.age
+
+ ./services/meet
+ aspect.modules.ipfs
+
+
+ ]
+ ++ aspect.sets.server;
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "prophet";
+
+ time.timeZone = "Europe/Zurich";
+
+ networking.useDHCP = false;
+ networking.interfaces.enp0s3.useDHCP = true;
+
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ users.users.opc = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ };
+
+ security.sudo.wheelNeedsPassword = false;
+
+ services.openssh.enable = true;
+
+ system.stateVersion = "21.11";
+
+}
+
diff --git a/modules/default.nix b/modules/default.nix
index f2f07c2..b98c04d 100644
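Review bot: `lib.optionalAttrs isNAT { … }` is applied to the value of `environment.etc."jitsi/videobridge/sip-communicator.properties"`, so on a host without `addrPublic` the entry still exists but as `{}`, with neither `text` nor `source`; as far as I recall the `environment.etc` submodule then fails at evaluation because `source` is used but never defined, and since the renamed file is only imported by prophet (which is NAT) that path is untested. Wrap the option instead: `environment.etc = lib.mkIf isNAT { "jitsi/videobridge/sip-communicator.properties".text = ''…''; };`. If the pinned nixpkgs has `services.jitsi-videobridge.nat.localAddress` / `nat.publicAddress`, setting those under `lib.mkIf isNAT` expresses the same thing without hand-writing the properties file and avoids the question of whether the module already manages that path. The `isNAT` binding this depends on is in the first hunk of the file.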
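Review bot: `security.sudo.wheelNeedsPassword = false` together with `opc` in `wheel` gives that account passwordless root, and nothing in this file shows how `opc` authenticates (no `openssh.authorizedKeys`, no password), so whether that is acceptable depends on `aspect.sets.server` or the cloud image's provisioning; if the passwordless sudo is deliberate, say so with a comment such as `# opc is the cloud image's provisioning user; passwordless wheel sudo is intentional`, otherwise drop the line and let the default (password required) apply. `networking.interfaces.enp0s3.useDHCP = true` while `hosts/prophet/default.nix` records `10.0.0.92` as the static `primary.addr` that `services/meet` bakes into the ICE NAT harvester; if the DHCP lease ever hands out a different address the videobridge advertises a wrong local candidate, so either configure the address statically here or note that the lease is reserved. `services.openssh.enable = true` likewise shows no `passwordAuthentication = false`; presumably `aspect.sets.server` hardens it, but that is not visible here.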
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -7,7 +7,7 @@ let
 enterprise = import ./enterprise;
 fail2ban = import ./fail2ban;
 hydra = import ./hydra;
- ipfs-lain = import ./ipfs-lain;
+ ipfs = import ./ipfs;
 nix-builder = import ./nix-builder;
 nix-config = import ./nix-config;
 nix-config-server = import ./nix-config/server.nix;
diff --git a/modules/enterprise/default.nix b/modules/enterprise/default.nix
index 44666df..45f459b 100644
--- a/modules/enterprise/default.nix
+++ b/modules/enterprise/default.nix
@@ -16,7 +16,7 @@ in {
 rdns = false;
 forwardable = true;
 default_ccache_name = "KEYRING:persistent:%{uid}";
- pkinit_anchors = "FILE:${inputs.self.packages.x86_64-linux.privatevoid-smart-card-ca-bundle}";
+ pkinit_anchors = "FILE:${inputs.self.packages.${pkgs.system}.privatevoid-smart-card-ca-bundle}";
 };
 realms = {
 "${orgRealm}" = rec {
diff --git a/modules/ipfs-lain/default.nix b/modules/ipfs-lain/default.nix
deleted file mode 100644
index 1c7bb2e..0000000
--- a/modules/ipfs-lain/default.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{ pkgs, config, ... }:
-{
- services.ipfs = {
- enable = true;
- extraConfig = {
- Bootstrap = [
- "/ip4/95.216.8.12/tcp/4001/p2p/Qmd7QHZU8UjfYdwmjmq1SBh9pvER9AwHpfwQvnvNo3HBBo"
- "/ip4/34.75.66.204/tcp/4001/p2p/QmUDwdaJthQkxgoHN1QQFvj4jR12A2nGQMXxYJEqtPMsYJ"
- "/ip4/35.233.49.84/tcp/4001/p2p/QmTuZN9VtqiVWjcqTkRAUnRWYurwFbC6j9E2gvnMs5XEFy"
- ];
- };
- };
-
- systemd.services.ipfs.environment.LIBP2P_FORCE_PNET = "1";
-
- environment.shellAliases = {
- ipfs =
- "doas -u ${config.services.ipfs.user} env IPFS_PATH=${config.services.ipfs.dataDir} ipfs";
- f =
- "doas -u ${config.services.ipfs.user} env IPFS_PATH=${config.services.ipfs.dataDir} ipfs files";
- };
-}
diff --git a/modules/ipfs/default.nix b/modules/ipfs/default.nix
new file mode 100644
index 0000000..c779b1a
--- /dev/null
+++ b/modules/ipfs/default.nix
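Review bot: `nix-config = import ./nix-config;` is kept as context in `modules/default.nix` while this same commit deletes `modules/nix-config/default.nix` (only `server.nix` remains in that directory), so `aspect.modules.nix-config` now points at an import that fails the moment anything forces it, e.g. a host that still imports that module; evaluation of the attrset itself stays lazy, which is why the flake may still appear to build. Either the deletion is unintended (the removed file carried the distributed-build machines, the `nixBuilderKey` secret, `trustedUsers` and the binary-cache settings, and nothing in the diff re-homes them) or the `nix-config` entry should be removed too. If it was deliberately moved elsewhere, the commit message should say where.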
@@ -0,0 +1,90 @@
+{ config, lib, pkgs, tools, ... }:
+let
+ inherit (tools.meta) domain;
+ cfg = config.services.ipfs;
+ apiAddress = "/unix/run/ipfs/ipfs-api.sock";
+ ipfsApi = pkgs.writeTextDir "api" apiAddress;
+ gwPort = config.portsStr.ipfsGateway;
+in
+{
+ age.secrets.ipfs-swarm-key = {
+ file = ../../secrets/ipfs-swarm-key.age;
+ mode = "0400";
+ owner = cfg.user;
+ inherit (cfg) group;
+ };
+
+ reservePortsFor = [ "ipfsGateway" ];
+
+ networking.firewall = {
+ allowedTCPPorts = [ 4001 ];
+ allowedUDPPorts = [ 4001 ];
+ };
+
+ services.ipfs = {
+ enable = true;
+ startWhenNeeded = false;
+ autoMount = true;
+
+ inherit apiAddress;
+ gatewayAddress = "/ip4/127.0.0.1/tcp/${gwPort}";
+ dataDir = "/srv/storage/ipfs/repo";
+ localDiscovery = false;
+
+ extraConfig = {
+ Bootstrap = [
+ "/ip4/168.235.67.108/tcp/4001/p2p/QmRMA5pWXtfuW1y5w2t9gYxrDDD6bPRLKdWAYnHTeCxZMm"
+ "/ip4/51.38.87.150/tcp/4001/p2p/12D3KooWDUgNsoLVauCDpRAo54mc4whoBudgeXQnZZK2iVYhBLCN"
+ "/ip4/77.54.95.19/tcp/12104/p2p/12D3KooWC1RZxLvAeEFNTZWk1FWc1sZZ3yemF4FNNRYa3X854KJ8"
+ "/ip4/95.216.8.12/tcp/4001/p2p/Qmd7QHZU8UjfYdwmjmq1SBh9pvER9AwHpfwQvnvNo3HBBo"
+ ];
+ API.HTTPHeaders = {
+ Access-Control-Allow-Origin = [
+ "https://ipfs.admin.${domain}"
+ "http://127.0.0.1:5001"
+ ];
+ Access-Control-Allow-Methods = [ "PUT" "POST" ];
+ };
+ Gateway = {
+ Writable = false;
+ APICommands = [];
+ HTTPHeaders = {
+ Access-Control-Allow-Headers = [
+ "X-Requested-With"
+ "Range"
+ "User-Agent"
+ ];
+ Access-Control-Allow-Methods = [
+ "GET"
+ ];
+ Access-Control-Allow-Origin = [
+ "*"
+ ];
+ };
+ };
+ };
+ };
+
+ systemd.sockets = {
+ ipfs-api.enable = false;
+ ipfs-gateway.enable = false;
+ };
+
+ systemd.tmpfiles.rules = [
+ "d '/run/ipfs' 0750 ${cfg.user} ${cfg.group} - -"
+ "L+ '${cfg.dataDir}/swarm.key' - - - - ${config.age.secrets.ipfs-swarm-key.path}"
+ ];
+
+
+ systemd.services.ipfs = {
+ environment.LIBP2P_FORCE_PNET = "1";
+ serviceConfig.Slice = "remotefshost.slice";
+ postStart = "chmod 660 /run/ipfs/ipfs-api.sock";
+ };
+
+ environment.variables.IPFS_PATH = lib.mkForce "${ipfsApi}";
+
+ environment.shellAliases = {
+ ipfs-admin = "sudo -u ${cfg.user} env IPFS_PATH=${cfg.dataDir} ipfs";
+ };
+}
diff --git a/modules/nix-config/default.nix b/modules/nix-config/default.nix
deleted file mode 100644
index e8bc156..0000000
--- a/modules/nix-config/default.nix
+++ /dev/null
@@ -1,71 +0,0 @@
-{ pkgs, config, inputs, ... }:
-
-let
- builder = {
- systems = [ "x86_64-linux" "i686-linux" ];
- speedFactor = 500;
- supportedFeatures = [ "benchmark" "nixos-test" ];
- sshKey = config.age.secrets.nixBuilderKey.path;
- };
- bigBuilder = builder // {
- speedFactor = 1000;
- supportedFeatures = builder.supportedFeatures ++ [ "kvm" "big-parallel" ];
- };
-in {
- age.secrets.nixBuilderKey = {
- file = ../../secrets/builder_key.age;
- mode = "0400";
- };
- nixpkgs.overlays = [
- (self: super: {
- nixSuperUnstable = inputs.self.packages.x86_64-linux.nix-super-unstable;
- })
- ];
- nix = {
- package = pkgs.nixSuperUnstable;
-
- trustedUsers = [ "root" "@wheel" ];
-
- extraOptions = ''
- experimental-features = nix-command flakes ca-references
- warn-dirty = false
- builders-use-substitutes = true
- flake-registry = ${
- pkgs.writeText "null-registry.json" ''{"flakes":[],"version":2}''
- }
- '';
-
- binaryCaches = [ "https://cache.privatevoid.net" ];
- binaryCachePublicKeys = [ "cache.privatevoid.net:SErQ8bvNWANeAvtsOESUwVYr2VJynfuc9JRwlzTTkVg=" ];
-
- autoOptimiseStore = true;
-
- gc = {
- automatic = true;
- dates = "weekly";
- options = "--delete-older-than 30d";
- };
-
- distributedBuilds = true;
-
- buildMachines = [
- (bigBuilder // {
- sshUser = "root";
- hostName = "styx.services.private.void";
- speedFactor = 2000;
- maxJobs = 2;
- })
- (bigBuilder // {
- sshUser = "nix";
- hostName = "wired.titan.find.private.void";
- maxJobs = 12;
- })
- (bigBuilder // {
- sshUser = "nixbuilder";
- hostName = "animus.com";
- speedFactor = 3000;
- maxJobs = 4;
- })
- ];
- };
-}
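Review bot: `dataDir = "/srv/storage/ipfs/repo"` is hard-coded in what is now a module shared by VEGAS and prophet, and prophet's hardware-configuration mounts only `/` and `/boot`, so on prophet the repo lands on the root filesystem under a path chosen for VEGAS's storage layout; `dataDir = lib.mkDefault "/srv/storage/ipfs/repo";` lets a host override it without `mkForce`. The tmpfiles rule `L+ '${cfg.dataDir}/swarm.key' …` replaces whatever is at that path on every boot, including a pre-existing regular `swarm.key`, which is right for a managed key but destructive enough to deserve a comment. Since `LIBP2P_FORCE_PNET = "1"` makes the daemon refuse to start without a readable key, a host whose agenix identity cannot decrypt `ipfs-swarm-key.age` surfaces as an ipfs start failure rather than a silent join of the public network; a header comment stating that the module requires the agenix module and a recipient identity for that secret would save the next host's debugging.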
diff --git a/packages/patched-inputs.nix b/packages/patched-inputs.nix index d00c137..66ac535 100644 --- a/packages/patched-inputs.nix +++ b/packages/patched-inputs.nix @@ -1,9 +1,9 @@ let tools = import ./lib/tools.nix; in with tools; { inputs, pkgs, ... }: rec { - deploy-rs = inputs.deploy-rs.packages.x86_64-linux.deploy-rs; + deploy-rs = inputs.deploy-rs.packages.${pkgs.system}.deploy-rs; - nix-super = inputs.nix-super.defaultPackage.x86_64-linux; + nix-super = inputs.nix-super.defaultPackage.${pkgs.system}; - agenix = inputs.agenix.packages.x86_64-linux.agenix.override { nix = nix-super; }; + agenix = inputs.agenix.packages.${pkgs.system}.agenix.override { nix = nix-super; }; } diff --git a/secrets/ipfs-swarm-key.age b/secrets/ipfs-swarm-key.age new file mode 100644 index 0000000..03e0cd5 --- /dev/null +++ b/secrets/ipfs-swarm-key.age @@ -0,0 +1,13 @@ +age-encryption.org/v1 +-> ssh-ed25519 NO562A M3tf8OUR0EYa4UQDTd0U1gHJDrGKNjRbnGBePHA3nH0 +6FftIih0/S8jNv94bRiJPb4V+P7jOtGHQFZbGcj2cqE +-> ssh-ed25519 5/zT0w o4eVLMXyfImHYXmnPo7qDQyDOcB4s85gPMr8IAuvVE4 +bY7L3YihZytZ1XrYbHPxR1FRGNA8W5qsYKNIkwmF2r0 +-> ssh-ed25519 d3WGuA iFH+ntVIDTmMUzgLLrNFHyPhSvTPsLcjNH+QTR4yfDk +Q54Nwc6fwPan62XX70WkG5mrmRlhE/rcHfyV8xMim3E +-> ssh-ed25519 6YMlxg tbaiMLpardsaNZOlCF7FAmKOlqZfIM6cVvOxQQjn2kU +gmu1AVuMzENxbs73dxRFWjxSCUeFjb4bMdgyYaikSOs +-> Wdm-grease +8TLtQ/rdFCG5Yo3nYsAuPjPD0+HZwPO02rnPdlczJkDYPNmepWgt01Wf3VdbYko +--- r4yb3tN9yWRCAxraKDJohDTA0BRvpxQN86Qr+M64jic +k psꊛ]