author | Vincent Ambo <mail@tazj.in> | 2020-06-13T20·52+0100 |
committer | tazjin <mail@tazj.in> | 2020-06-13T23·52+0000 |
commit | 268729083eb80c93aa402883085c37e32c8a08cf (patch) | |
tree | 0916bace8073d30976ec752bb9de8c19a06027ae /ops/nixos | |
parent | 9658e96a87178e972b656db0acf3219937013b88 (diff) |
refactor(ops/nixos): Move my NixOS configurations to //users/tazjin r/941
NixOS modules move one level up because it's unlikely that //ops/nixos will contain actual systems at this point (they're user-specific). This is the first users folder, so it is also added to the root readTree invocation for the repository. Change-Id: I546c701145fa204b7ba7518a8a56a783588629e0 Reviewed-on: https://cl.tvl.fyi/c/depot/+/244 Reviewed-by: tazjin <mail@tazj.in>
Diffstat (limited to 'ops/nixos')
-rw-r--r-- | ops/nixos/.skip-subtree | 1 | ||||
-rw-r--r-- | ops/nixos/README.md | 23 | ||||
-rw-r--r-- | ops/nixos/camden/default.nix | 464 | ||||
-rw-r--r-- | ops/nixos/default.nix | 47 | ||||
-rw-r--r-- | ops/nixos/depot.nix (renamed from ops/nixos/modules/depot.nix) | 2 | ||||
-rw-r--r-- | ops/nixos/dotfiles/config.fish | 40 | ||||
-rw-r--r-- | ops/nixos/dotfiles/msmtprc | 16 | ||||
-rw-r--r-- | ops/nixos/dotfiles/notmuch-config | 21 | ||||
-rw-r--r-- | ops/nixos/dotfiles/offlineimaprc | 39 | ||||
-rw-r--r-- | ops/nixos/frog/default.nix | 254 | ||||
-rw-r--r-- | ops/nixos/hound.nix (renamed from ops/nixos/modules/hound.nix) | 0 | ||||
-rw-r--r-- | ops/nixos/mail.nix | 77 | ||||
-rw-r--r-- | ops/nixos/modules/.skip-subtree | 1 | ||||
-rw-r--r-- | ops/nixos/monorepo-gerrit.nix (renamed from ops/nixos/modules/monorepo-gerrit.nix) | 0 | ||||
-rw-r--r-- | ops/nixos/nugget/default.nix | 280 | ||||
-rw-r--r-- | ops/nixos/smtprelay.nix (renamed from ops/nixos/modules/smtprelay.nix) | 0 | ||||
-rw-r--r-- | ops/nixos/tvl-slapd/contents.ldif (renamed from ops/nixos/modules/tvl-slapd/contents.ldif) | 0 | ||||
-rw-r--r-- | ops/nixos/tvl-slapd/default.nix (renamed from ops/nixos/modules/tvl-slapd/default.nix) | 0 | ||||
-rw-r--r-- | ops/nixos/tvl-slapd/genpasswd.rb (renamed from ops/nixos/modules/tvl-slapd/genpasswd.rb) | 0 | ||||
-rw-r--r-- | ops/nixos/v4l2loopback.nix (renamed from ops/nixos/modules/v4l2loopback.nix) | 0 |
20 files changed, 7 insertions, 1258 deletions
diff --git a/ops/nixos/.skip-subtree b/ops/nixos/.skip-subtree new file mode 100644 index 000000000000..09520f8c831f --- /dev/null +++ b/ops/nixos/.skip-subtree @@ -0,0 +1 @@ +NixOS modules are not readTree compatible. diff --git a/ops/nixos/README.md b/ops/nixos/README.md index fc90cb4b4301..595b4c3344c6 100644 --- a/ops/nixos/README.md +++ b/ops/nixos/README.md @@ -1,20 +1,7 @@ -NixOS configuration -=================== +NixOS modules +============= -My NixOS configuration! It configures most of the packages I require -on my systems, sets up Emacs the way I need and does a bunch of other -interesting things. +This folder contains various NixOS modules shared by our NixOS +configurations. -System configuration lives in folders for each machine and a custom -fixed point evaluation (similar to standard NixOS module -configuration) is used to combine configuration together. - -Building `ops.nixos.rebuilder` yields a script that will automatically -build and activate the newest configuration based on the current -hostname. - -## Configured hosts: - -* `frog` - weapon of mass computation at home -* `nugget` - desktop computer at home -* ~~`urdhva` - T470s~~ (currently with edef) +It is not read by `readTree`. diff --git a/ops/nixos/camden/default.nix b/ops/nixos/camden/default.nix deleted file mode 100644 index 32d75147b7a1..000000000000 --- a/ops/nixos/camden/default.nix +++ /dev/null 
@@ -1,464 +0,0 @@ -# This file configures camden.tazj.in, my homeserver. -{ depot, pkgs, lib, ... }: - -config: let - nixpkgs = import depot.third_party.nixpkgsSrc { - config.allowUnfree = true; - }; - - nginxRedirect = { from, to, acmeHost }: { - serverName = from; - useACMEHost = acmeHost; - forceSSL = true; - - extraConfig = "return 301 https://${to}$request_uri;"; - }; -in lib.fix(self: { - imports = [ - ../modules/depot.nix - ../modules/hound.nix - ../modules/monorepo-gerrit.nix - ../modules/smtprelay.nix - ../modules/tvl-slapd/default.nix - "${pkgs.nixpkgsSrc}/nixos/modules/services/web-apps/gerrit.nix" - ]; - depot = depot; - - # camden is intended to boot unattended, despite having an encrypted - # root partition. - # - # The below configuration uses an externally connected USB drive - # that contains a LUKS key file to unlock the disk automatically at - # boot. - # - # TODO(tazjin): Configure LUKS unlocking via SSH instead. - boot = { - initrd = { - availableKernelModules = [ - "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" - "rtsx_usb_sdmmc" "r8169" - ]; - - kernelModules = [ "dm-snapshot" ]; - - luks.devices.camden-crypt = { - fallbackToPassword = true; - device = "/dev/disk/by-label/camden-crypt"; - keyFile = "/dev/sdb"; - keyFileSize = 4096; - }; - }; - - loader = { - systemd-boot.enable = true; - efi.canTouchEfiVariables = true; - }; - - cleanTmpDir = true; - }; - - fileSystems = { - "/" = { - device = "/dev/disk/by-label/camden-root"; - fsType = "ext4"; - }; - - "/home" = { - device = "/dev/disk/by-label/camden-home"; - fsType = "ext4"; - }; - - "/boot" = { - device = "/dev/disk/by-label/BOOT"; - fsType = "vfat"; - }; - }; - - nix = { - maxJobs = lib.mkDefault 4; - - nixPath = [ - "depot=/home/tazjin/depot" - "nixpkgs=${depot.third_party.nixpkgsSrc}" - ]; - - trustedUsers = [ "root" "tazjin" ]; - - binaryCaches = [ - "https://tazjin.cachix.org" - ]; - - binaryCachePublicKeys = [ - 
"tazjin.cachix.org-1:IZkgLeqfOr1kAZjypItHMg1NoBjm4zX9Zzep8oRSh7U=" - ]; - }; - nixpkgs.pkgs = nixpkgs; - - powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; - - networking = { - hostName = "camden"; - interfaces.enp1s0.useDHCP = true; - interfaces.enp1s0.ipv6.addresses = [ - { - address = "2a01:4b00:821a:ce02::5"; - prefixLength = 64; - } - ]; - - firewall.enable = false; - }; - - time.timeZone = "UTC"; - - # System-wide application setup - programs.fish.enable = true; - programs.mosh.enable = true; - - environment.systemPackages = - # programs from the depot - (with depot; [ - fun.idual.script - fun.idual.setAlarm - third_party.pounce - ]) ++ - - # programs from nixpkgs - (with nixpkgs; [ - bat - curl - direnv - emacs26-nox - gnupg - git - htop - jq - pass - pciutils - ripgrep - ]); - - users = { - # Set up my own user for logging in and doing things ... - users.tazjin = { - isNormalUser = true; - uid = 1000; - extraGroups = [ "git" "wheel" ]; - shell = nixpkgs.fish; - }; - - # Set up a user & group for general git shenanigans - groups.git = {}; - users.git = { - group = "git"; - isNormalUser = false; - }; - }; - - # Services setup - services.openssh.enable = true; - services.haveged.enable = true; - - # Join Tailscale into home network - services.tailscale.enable = true; - - # Allow sudo-ing via the forwarded SSH agent. - security.pam.enableSSHAgentAuth = true; - - # Run cgit for the depot. The onion here is nginx(thttpd(cgit)). - systemd.services.cgit = { - wantedBy = [ "multi-user.target" ]; - script = "${depot.web.cgit-taz}/bin/cgit-launch"; - - serviceConfig = { - Restart = "on-failure"; - User = "git"; - Group = "git"; - }; - }; - - # Run honk as the ActivityPub server, using all the fancy systemd - # magic. 
- systemd.services.honk = { - wantedBy = [ "multi-user.target" ]; - script = lib.concatStringsSep " " [ - "${depot.third_party.honk}/bin/honk" - "-datadir /var/lib/honk" - "-viewdir ${depot.third_party.honk.src}" - ]; - - serviceConfig = { - Restart = "always"; - DynamicUser = true; - StateDirectory = "honk"; - WorkingDirectory = "/var/lib/honk"; - }; - }; - - # NixOS 20.03 broke nginx and I can't be bothered to debug it - # anymore, all solution attempts have failed, so here's a - # brute-force fix. - systemd.services.fix-nginx = { - script = "${nixpkgs.coreutils}/bin/chown -R nginx: /var/spool/nginx /var/cache/nginx"; - - serviceConfig = { - User = "root"; - Type = "oneshot"; - }; - }; - - systemd.timers.fix-nginx = { - wantedBy = [ "multi-user.target" ]; - timerConfig = { - OnCalendar = "minutely"; - }; - }; - - # Provision a TLS certificate outside of nginx to avoid - # nixpkgs#38144 - security.acme = { - acceptTerms = true; - email = "mail@tazj.in"; - - certs."tazj.in" = { - user = "nginx"; - group = "nginx"; - webroot = "/var/lib/acme/acme-challenge"; - extraDomains = { - "cs.tazj.in" = null; - "git.tazj.in" = null; - "www.tazj.in" = null; - - # Local domains (for this machine only) - "camden.tazj.in" = null; - }; - postRun = "systemctl reload nginx"; - }; - - certs."tvl.fyi" = { - user = "nginx"; - group = "nginx"; - webroot = "/var/lib/acme/acme-challenge"; - postRun = "systemctl reload nginx"; - extraDomains = { - "cl.tvl.fyi" = null; - "code.tvl.fyi" = null; - "cs.tvl.fyi" = null; - }; - }; - }; - - # Forward logs to Google Cloud Platform - services.journaldriver = { - enable = true; - logStream = "home"; - googleCloudProject = "tazjins-infrastructure"; - applicationCredentials = "/etc/gcp/key.json"; - }; - - # Serve a code search (hound) instance - services.depot.hound = { - enable = true; - title = "tazjin's depot"; - repos.depot = { - url = "file:///var/lib/gerrit/git/depot.git"; - vcs = "git"; - url-pattern = { - base-url = 
"https://code.tvl.fyi/tree/{path}{anchor}"; - anchor = "#n{line}"; - }; - }; - repos.nixpkgs = { - url = "file:///var/git/nixpkgs"; - vcs = "git"; - url-pattern = { - base-url = "https://github.com/NixOS/nixpkgs/blob/${pkgs.nixpkgsCommit}/{path}{anchor}"; - anchor = "#L{line}"; - }; - }; - }; - - # Start a local SMTP relay to Gmail (used by gerrit) - services.depot.smtprelay = { - enable = true; - args = { - listen = ":2525"; - remote_host = "smtp.gmail.com:587"; - remote_auth = "plain"; - remote_user = "tvlbot@tazj.in"; - }; - }; - - # serve my website(s) - services.nginx = { - enable = true; - enableReload = true; - package = with nixpkgs; nginx.override { - modules = [ nginxModules.rtmp ]; - }; - - recommendedTlsSettings = true; - recommendedGzipSettings = true; - recommendedProxySettings = true; - - - appendConfig = '' - rtmp_auto_push on; - rtmp { - server { - listen 1935; - chunk_size 4000; - - application tvl { - live on; - - allow publish 88.98.195.213; - allow publish 10.0.1.0/24; - deny publish all; - - allow play all; - } - } - } - ''; - - commonHttpConfig = '' - log_format json_combined escape=json - '{' - '"remote_addr":"$remote_addr",' - '"method":"$request_method",' - '"uri":"$request_uri",' - '"status":$status,' - '"request_size":$request_length,' - '"response_size":$body_bytes_sent,' - '"response_time":$request_time,' - '"referrer":"$http_referer",' - '"user_agent":"$http_user_agent"' - '}'; - - access_log syslog:server=unix:/dev/log,nohostname json_combined; - ''; - - virtualHosts.homepage = { - serverName = "tazj.in"; - serverAliases = [ "camden.tazj.in" ]; - default = true; - useACMEHost = "tazj.in"; - root = depot.web.homepage; - forceSSL = true; - - extraConfig = '' - ${depot.web.blog.oldRedirects} - - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - - location ~* \.(webp|woff2)$ { - add_header Cache-Control "public, max-age=31536000"; - } - - location /blog/ { - alias ${depot.web.blog.rendered}/; - 
- if ($request_uri ~ ^/(.*)\.html$) { - return 302 /$1; - } - - try_files $uri $uri.html $uri/ =404; - } - - location /blobs/ { - alias /var/www/blobs/; - } - ''; - }; - - virtualHosts.tvl = { - serverName = "tvl.fyi"; - useACMEHost = "tvl.fyi"; - root = depot.web.tvl; - forceSSL = true; - - extraConfig = '' - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - - rewrite ^/builds/?$ https://builds.sr.ht/~tazjin/depot last; - rewrite ^/meet/?$ https://meet.google.com/mng-biyw-xbb last; - - rewrite ^/monorepo-doc/?$ https://docs.google.com/document/d/1nnyByXcH0F6GOmEezNOUa2RFelpeRpDToBLYD_CtjWE/edit?usp=sharing last; - - rewrite ^/irc/?$ ircs://chat.freenode.net:6697/##tvl last; - - location ~* \.(webp|woff2)$ { - add_header Cache-Control "public, max-age=31536000"; - } - ''; - }; - - virtualHosts.cgit = { - serverName = "code.tvl.fyi"; - useACMEHost = "tvl.fyi"; - forceSSL = true; - - extraConfig = '' - # Static assets must always hit the root. - location ~ ^/(favicon\.ico|cgit\.(css|png))$ { - proxy_pass http://localhost:2448; - } - - # Everything else hits the depot directly. - location / { - proxy_pass http://localhost:2448/cgit.cgi/depot/; - } - ''; - }; - - virtualHosts.hound = { - serverName = "cs.tvl.fyi"; - useACMEHost = "tvl.fyi"; - forceSSL = true; - - extraConfig = '' - location / { - proxy_pass http://localhost:6080; - } - ''; - }; - - virtualHosts.gerrit = { - serverName = "cl.tvl.fyi"; - useACMEHost = "tvl.fyi"; - forceSSL = true; - - extraConfig = '' - location / { - proxy_pass http://localhost:4778; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header Host $host; - } - ''; - }; - - virtualHosts.cgit-old = nginxRedirect { - from = "git.tazj.in"; - to = "code.tvl.fyi"; - acmeHost = "tazj.in"; - }; - - virtualHosts.cs-old = nginxRedirect { - from = "cs.tazj.in"; - to = "cs.tvl.fyi"; - acmeHost = "tazj.in"; - }; - }; - - # Timer units that can be started with systemd-run to set my alarm. 
- systemd.user.services.light-alarm = { - script = "${depot.fun.idual.script}/bin/idualctl wakey"; - postStart = "${pkgs.systemd}/bin/systemctl --user stop light-alarm.timer"; - serviceConfig = { - Type = "oneshot"; - }; - }; - - system.stateVersion = "19.09"; -}) diff --git a/ops/nixos/default.nix b/ops/nixos/default.nix deleted file mode 100644 index 6f0655f34e08..000000000000 --- a/ops/nixos/default.nix +++ /dev/null @@ -1,47 +0,0 @@ -{ depot, lib, ... }: - -let - inherit (builtins) foldl'; - - systemFor = configs: (depot.third_party.nixos { - configuration = lib.fix(config: - foldl' lib.recursiveUpdate {} (map (c: c config) configs) - ); - }).system; - - rebuilder = depot.third_party.writeShellScriptBin "rebuilder" '' - set -ue - if [[ $EUID -ne 0 ]]; then - echo "Oh no! Only root is allowed to rebuild the system!" >&2 - exit 1 - fi - - case $HOSTNAME in - nugget) - echo "Rebuilding NixOS for //ops/nixos/nugget" - system=$(nix-build -E '(import <depot> {}).ops.nixos.nuggetSystem' --no-out-link) - ;; - camden) - echo "Rebuilding NixOS for //ops/nixos/camden" - system=$(nix-build -E '(import <depot> {}).ops.nixos.camdenSystem' --no-out-link) - ;; - frog) - echo "Rebuilding NixOS for //ops/nixos/frog" - system=$(nix-build -E '(import <depot> {}).ops.nixos.frogSystem' --no-out-link) - ;; - *) - echo "$HOSTNAME is not a known NixOS host!" >&2 - exit 1 - ;; - esac - - nix-env -p /nix/var/nix/profiles/system --set $system - $system/bin/switch-to-configuration switch - ''; -in { - inherit rebuilder; - - nuggetSystem = systemFor [ depot.ops.nixos.nugget ]; - camdenSystem = systemFor [ depot.ops.nixos.camden ]; - frogSystem = systemFor [ depot.ops.nixos.frog ]; -} diff --git a/ops/nixos/modules/depot.nix b/ops/nixos/depot.nix index 20220e9f57fe..2c1b71a2da9b 100644 --- a/ops/nixos/modules/depot.nix +++ b/ops/nixos/depot.nix 
@@ -4,7 +4,7 @@ # It needs to be included and configured in each system like this: # # { -# imports = [ ../modules/depot.nix ]; +# imports = [ "${depot.depotPath}/ops/nixos/depot.nix" ]; # inherit depot; # } { lib, ... }: diff --git a/ops/nixos/dotfiles/config.fish b/ops/nixos/dotfiles/config.fish deleted file mode 100644 index de2c99ae6007..000000000000 --- a/ops/nixos/dotfiles/config.fish +++ /dev/null @@ -1,40 +0,0 @@ -# Configure classic prompt -set fish_color_user --bold blue -set fish_color_cwd --bold white - -# Enable colour hints in VCS prompt: -set __fish_git_prompt_showcolorhints yes -set __fish_git_prompt_color_prefix purple -set __fish_git_prompt_color_suffix purple - -# Fish configuration -set fish_greeting "" -set PATH $HOME/.local/bin $HOME/.cargo/bin $PATH - -# Editor configuration -set -gx EDITOR "emacsclient" -set -gx ALTERNATE_EDITOR "emacs -q -nw" -set -gx VISUAL "emacsclient" - -# Miscellaneous -eval (direnv hook fish) - -# Useful command aliases -alias gpr 'git pull --rebase' -alias gco 'git checkout' -alias gf 'git fetch' -alias gap 'git add -p' -alias pbcopy 'xclip -selection clipboard' -alias edit 'emacsclient -n' -alias servedir 'nix-shell -p haskellPackages.wai-app-static --run warp' - -# Old habits die hard (also ls is just easier to type): -alias ls 'exa' - -# Fix up nix-env & friends for Nix 2.0 -export NIX_REMOTE=daemon - -# Fix display of fish in emacs' term-mode: -function fish_title - true -end diff --git a/ops/nixos/dotfiles/msmtprc b/ops/nixos/dotfiles/msmtprc deleted file mode 100644 index 624b6a77fc4b..000000000000 --- a/ops/nixos/dotfiles/msmtprc +++ /dev/null @@ -1,16 +0,0 @@ -defaults - -port 587 -tls on -tls_trust_file /etc/ssl/certs/ca-certificates.crt - -# Runbox mail -account runbox -from mail@tazj.in -host mail.runbox.com -auth on -user mail@tazj.in -passwordeval pass show general/runbox-tazjin - -# Use Runbox as default -account default : runbox 
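Review bot: The new example on the `+# imports = [ "${depot.depotPath}/ops/nixos/depot.nix" ];` line depends on `depot.depotPath` being defined, and nothing in this hunk shows where that attribute comes from; the module's own argument list on the last context line is `{ lib, ... }:`, which does not take `depot`, so a reader copying the snippet cannot tell whether `depotPath` is set on the depot root or must be passed in by whoever evaluates the system. Since this hunk only changes a comment, nothing changes at evaluation time, but the documented snippet is only as reliable as that attribute. Consider one more line in the same comment block, along the lines of `# depot.depotPath is the checkout root of the depot; it is defined in <LOCATION-PLACEHOLDER>` with the placeholder replaced by wherever it is actually set, which is not visible here. The comment block being edited starts before line 4, outside the hunk.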
diff --git a/ops/nixos/dotfiles/notmuch-config b/ops/nixos/dotfiles/notmuch-config deleted file mode 100644 index a490774e635f..000000000000 --- a/ops/nixos/dotfiles/notmuch-config +++ /dev/null @@ -1,21 +0,0 @@ -# .notmuch-config - Configuration file for the notmuch mail system -# -# For more information about notmuch, see https://notmuchmail.org - -[database] -path=/home/vincent/mail - -[user] -name=Vincent Ambo -primary_email=mail@tazj.in -other_email=tazjin@gmail.com; - -[new] -tags=unread;inbox; -ignore= - -[search] -exclude_tags=deleted;spam;draft; - -[maildir] -synchronize_flags=true diff --git a/ops/nixos/dotfiles/offlineimaprc b/ops/nixos/dotfiles/offlineimaprc deleted file mode 100644 index 78315447e4bd..000000000000 --- a/ops/nixos/dotfiles/offlineimaprc +++ /dev/null @@ -1,39 +0,0 @@ -[general] -accounts = tazjin, gmail - -[DEFAULT] -ssl = yes -sslcacertfile = /etc/ssl/certs/ca-certificates.crt - -# Private GMail account (old): -[Account gmail] -maxage = 90 -localrepository = gmail-local -remoterepository = gmail-remote -synclabels = yes - -[Repository gmail-local] -type = GmailMaildir -localfolders = ~/mail/gmail - -[Repository gmail-remote] -type = Gmail -remoteuser = tazjin@gmail.com -remotepassfile = ~/.config/mail/gmail-pass -folderfilter = lambda folder: folder == 'INBOX' - -# Main private account: -[Account tazjin] -localrepository = tazjin-local -remoterepository = tazjin-remote - -[Repository tazjin-local] -type = Maildir -localfolders = ~/mail/tazjin - -[Repository tazjin-remote] -type = IMAP -remotehost = mail.runbox.com -remoteuser = mail@tazj.in -remotepassfile = ~/.config/mail/tazjin-pass -auth_mechanisms = LOGIN diff --git a/ops/nixos/frog/default.nix b/ops/nixos/frog/default.nix deleted file mode 100644 index 72b1c9ed3612..000000000000 --- a/ops/nixos/frog/default.nix +++ /dev/null 
@@ -1,254 +0,0 @@ -{ depot, lib, ... }: - -config: let - nixpkgs = import depot.third_party.nixpkgsSrc { - config.allowUnfree = true; - }; - - lieer = depot.third_party.lieer {}; - - # add google-c-style here because other machines get it from, eh, - # elsewhere. - frogEmacs = (depot.tools.emacs.overrideEmacs(epkgs: epkgs ++ [ - depot.third_party.emacsPackages.google-c-style - ])); -in depot.lib.fix(self: { - # TODO(tazjin): v4l2loopback - - boot = { - tmpOnTmpfs = true; - kernelModules = [ "kvm-amd" ]; - - loader = { - systemd-boot.enable = true; - efi.canTouchEfiVariables = true; - }; - - initrd = { - luks.devices.frog-crypt.device = "/dev/disk/by-label/frog-crypt"; - availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ]; - kernelModules = [ "dm-snapshot" ]; - }; - - kernelPackages = nixpkgs.linuxPackages_latest; - kernel.sysctl = { - "kernel.perf_event_paranoid" = 1; - }; - }; - - hardware = { - cpu.amd.updateMicrocode = true; - enableRedistributableFirmware = true; - pulseaudio.enable = true; - u2f.enable = true; - opengl = { - enable = true; - driSupport = true; - }; - }; - - nix = { - maxJobs = 48; - nixPath = [ - "depot=/depot" - "nixpkgs=${depot.third_party.nixpkgsSrc}" - ]; - }; - - nixpkgs.pkgs = nixpkgs; - - networking = { - hostName = "frog"; - useDHCP = false; - interfaces.enp67s0.useDHCP = true; - - # Don't use ISP's DNS servers: - nameservers = [ - "8.8.8.8" - "8.8.4.4" - ]; - - firewall.enable = false; - }; - - # Generate an immutable /etc/resolv.conf from the nameserver settings - # above (otherwise DHCP overwrites it): - environment.etc."resolv.conf" = with lib; { - source = depot.third_party.writeText "resolv.conf" '' - ${concatStringsSep "\n" (map (ns: "nameserver ${ns}") self.networking.nameservers)} - options edns0 - ''; - }; - - time.timeZone = "Europe/London"; - - fileSystems = { - "/".device = "/dev/disk/by-label/frog-root"; - "/boot".device = "/dev/disk/by-label/BOOT"; - "/home".device = 
"/dev/disk/by-label/frog-home"; - }; - - # Configure user account - users.extraUsers.tazjin = { - extraGroups = [ "wheel" "audio" ]; - isNormalUser = true; - uid = 1000; - shell = nixpkgs.fish; - }; - - security.sudo = { - enable = true; - extraConfig = "wheel ALL=(ALL:ALL) SETENV: ALL"; - }; - - fonts = { - fonts = with nixpkgs; [ - corefonts - dejavu_fonts - jetbrains-mono - noto-fonts-cjk - noto-fonts-emoji - ]; - - fontconfig = { - hinting.enable = true; - subpixel.lcdfilter = "light"; - - defaultFonts = { - monospace = [ "JetBrains Mono" ]; - }; - }; - }; - - # Configure location (Vauxhall, London) for services that need it. - location = { - latitude = 51.4819109; - longitude = -0.1252998; - }; - - programs.fish.enable = true; - programs.ssh.startAgent = true; - - services.redshift.enable = true; - services.openssh.enable = true; - services.fstrim.enable = true; - - # Required for Yubikey usage as smartcard - services.pcscd.enable = true; - services.udev.packages = [ - nixpkgs.yubikey-personalization - ]; - - services.xserver = { - enable = true; - layout = "us"; - xkbOptions = "caps:super"; - exportConfiguration = true; - displayManager = { - # Give EXWM permission to control the session. - sessionCommands = "${nixpkgs.xorg.xhost}/bin/xhost +SI:localuser:$USER"; - - lightdm.enable = true; - lightdm.greeters.gtk.clock-format = "%H·%M"; # TODO(tazjin): TZ? 
- }; - - windowManager.session = lib.singleton { - name = "exwm"; - start = "${frogEmacs}/bin/tazjins-emacs"; - }; - }; - - # Do not restart the display manager automatically - systemd.services.display-manager.restartIfChanged = lib.mkForce false; - - # clangd needs more than ~2GB in the runtime directory to start up - services.logind.extraConfig = '' - RuntimeDirectorySize=16G - ''; - - # Configure email setup - systemd.user.services.lieer-tazjin = { - description = "Synchronise mail@tazj.in via lieer"; - script = "${lieer}/bin/gmi sync"; - - serviceConfig = { - WorkingDirectory = "%h/mail/account.tazjin"; - Type = "oneshot"; - }; - }; - - systemd.user.timers.lieer-tazjin = { - wantedBy = [ "timers.target" ]; - - timerConfig = { - OnActiveSec = "1"; - OnUnitActiveSec = "180"; - }; - }; - - environment.systemPackages = - # programs from the depot - (with depot; [ - fun.idual.script - lieer - frogEmacs - ops.kontemplate - third_party.ffmpeg - third_party.git - ]) ++ - - # programs from nixpkgs - (with nixpkgs; [ - age - bat - chromium - clang-manpages - clang-tools - clang_10 - curl - direnv - dnsutils - emacs26 # mostly for emacsclient - exa - fd - gnupg - go - google-chrome - google-cloud-sdk - htop - hyperfine - i3lock - imagemagick - jq - kubectl - linuxPackages.perf - miller - msmtp - nix-prefetch-github - notmuch - openssh - openssl - pass - pavucontrol - pinentry - pinentry-emacs - pwgen - ripgrep - rr - rustup - scrot - spotify - steam - tokei - tree - unzip - vlc - xclip - yubico-piv-tool - yubikey-personalization - zoxide - ]); - - # ... and other nonsense. - system.stateVersion = "20.03"; -}) diff --git a/ops/nixos/modules/hound.nix b/ops/nixos/hound.nix index 690055bde3b6..690055bde3b6 100644 --- a/ops/nixos/modules/hound.nix +++ b/ops/nixos/hound.nix diff --git a/ops/nixos/mail.nix b/ops/nixos/mail.nix deleted file mode 100644 index ba4ebfa06026..000000000000 --- a/ops/nixos/mail.nix +++ /dev/null 
@@ -1,77 +0,0 @@ -# This file configures offlineimap, notmuch and MSMTP. -# -# Some manual configuration is required the first time this is -# applied: -# -# 1. Credential setup. -# 2. Linking of MSMTP config (ln -s /etc/msmtprc ~/.msmtprc) -# 3. Linking of notmuch config (ln -s /etc/notmuch-config ~/.notmuch-config) - -{ config, lib, pkgs, ... }: - -let offlineImapConfig = pkgs.writeText "offlineimaprc" - (builtins.readFile ./dotfiles/offlineimaprc); - -msmtpConfig = pkgs.writeText "msmtprc" - (builtins.readFile ./dotfiles/msmtprc); - -notmuchConfig = pkgs.writeText "notmuch-config" - (builtins.readFile ./dotfiles/notmuch-config); - -tagConfig = pkgs.writeText "notmuch-tags" '' - # Tag emacs-devel mailing list: - -inbox +emacs-devel -- to:emacs-devel@gnu.org OR cc:emacs-devel@gnu.org - - # Tag nix-devel mailing list & discourse: - -inbox +nix-devel -- to:nix-devel@googlegroups.com OR from:nixos1@discoursemail.com - - # Tag my own mail (from other devices) as sent: - -inbox +sent -- from:mail@tazj.in - - # Drafts are always read, duh. 
- -unread -- tag:draft -''; - -notmuchIndex = pkgs.writeShellScriptBin "notmuch-index" '' - echo "Indexing new mails in notmuch" - - # Index new mail - ${pkgs.notmuch}/bin/notmuch new - - # Apply tags - cat ${tagConfig} | ${pkgs.notmuch}/bin/notmuch tag --batch - - echo "Done indexing new mails" -''; -in { - # Enable OfflineIMAP timer & service: - systemd.user.timers.offlineimap = { - description = "OfflineIMAP timer"; - wantedBy = [ "timers.target" ]; - - timerConfig = { - Unit = "offlineimap.service"; - OnCalendar = "*:0/2"; # every 2 minutes - Persistent = "true"; # persist timer state after reboots - }; - }; - - systemd.user.services.offlineimap = { - description = "OfflineIMAP service"; - path = with pkgs; [ pass notmuch ]; - - serviceConfig = { - Type = "oneshot"; - ExecStart = "${pkgs.offlineimap}/bin/offlineimap -u syslog -o -c ${offlineImapConfig}"; - ExecStartPost = "${notmuchIndex}/bin/notmuch-index"; - TimeoutStartSec = "2min"; - }; - }; - - # Link configuration files to /etc/ (from where they will be linked - # further): - environment.etc = { - "msmtprc".source = msmtpConfig; - "notmuch-config".source = notmuchConfig; - }; -} diff --git a/ops/nixos/modules/.skip-subtree b/ops/nixos/modules/.skip-subtree deleted file mode 100644 index 80d92f2eb485..000000000000 --- a/ops/nixos/modules/.skip-subtree +++ /dev/null @@ -1 +0,0 @@ -The files in this folder are NixOS modules, not readTree-importables. diff --git a/ops/nixos/modules/monorepo-gerrit.nix b/ops/nixos/monorepo-gerrit.nix index 58fbb8d206ac..58fbb8d206ac 100644 --- a/ops/nixos/modules/monorepo-gerrit.nix +++ b/ops/nixos/monorepo-gerrit.nix diff --git a/ops/nixos/nugget/default.nix b/ops/nixos/nugget/default.nix deleted file mode 100644 index 7c9530072d41..000000000000 --- a/ops/nixos/nugget/default.nix +++ /dev/null 
@@ -1,280 +0,0 @@ -# This file configures nugget, my home desktop machine. -{ depot, lib, ... }: - -config: let - nixpkgs = import depot.third_party.stableNixpkgsSrc { - config.allowUnfree = true; - }; - - unstable = import depot.third_party.nixpkgsSrc {}; - lieer = (depot.third_party.lieer {}); - - # google-c-style is installed only on nugget because other - # machines get it from, eh, elsewhere. - nuggetEmacs = (depot.tools.emacs.overrideEmacs(epkgs: epkgs ++ [ - depot.third_party.emacsPackages.google-c-style - ])); -in depot.lib.fix(self: { - imports = [ - ../modules/v4l2loopback.nix - ]; - - hardware = { - pulseaudio.enable = true; - cpu.intel.updateMicrocode = true; - u2f.enable = true; - }; - - boot = { - cleanTmpDir = true; - kernelModules = [ "kvm-intel" ]; - - loader = { - timeout = 3; - systemd-boot.enable = true; - efi.canTouchEfiVariables = false; - }; - - initrd = { - luks.devices.nugget-crypt.device = "/dev/disk/by-label/nugget-crypt"; - availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ]; - kernelModules = [ "dm-snapshot" ]; - }; - - kernel.sysctl = { - "kernel.perf_event_paranoid" = 1; - }; - }; - - nix = { - package = depot.third_party.nix; - nixPath = [ - "depot=/home/tazjin/depot" - "nixpkgs=${depot.third_party.nixpkgsSrc}" - ]; - }; - - nixpkgs.pkgs = nixpkgs; - - networking = { - hostName = "nugget"; - useDHCP = false; - interfaces.eno1.useDHCP = true; - interfaces.wlp7s0.useDHCP = true; - - # Don't use ISP's DNS servers: - nameservers = [ - "8.8.8.8" - "8.8.4.4" - ]; - - # Open Chromecast-related ports & servedir - firewall.enable = false; - firewall.allowedTCPPorts = [ 4242 5556 5558 ]; - - # Connect to the WiFi to let the Chromecast work. - wireless.enable = true; - wireless.networks = { - "How do I computer?" 
= { - psk = "washyourface"; - }; - }; - }; - - # Generate an immutable /etc/resolv.conf from the nameserver settings - # above (otherwise DHCP overwrites it): - environment.etc."resolv.conf" = with lib; { - source = depot.third_party.writeText "resolv.conf" '' - ${concatStringsSep "\n" (map (ns: "nameserver ${ns}") self.networking.nameservers)} - options edns0 - ''; - }; - - time.timeZone = "Europe/London"; - - environment.systemPackages = - # programs from the depot - (with depot; [ - fun.idual.script - lieer - nuggetEmacs - ops.kontemplate - third_party.ffmpeg - third_party.git - ]) ++ - - # programs from nixpkgs - (with nixpkgs; [ - age - bat - cachix - chromium - clang-manpages - clang-tools - clang_10 - curl - direnv - dnsutils - exa - fd - gnupg - go - google-chrome - google-cloud-sdk - guile - htop - hyperfine - i3lock - imagemagick - jq - keybase-gui - kubectl - linuxPackages.perf - meson - miller - msmtp - nix-prefetch-github - notmuch - openssh - openssl - pass - pavucontrol - pinentry - pinentry-emacs - pwgen - ripgrep - rr - rustup - sbcl - scrot - spotify - steam - tokei - tree - unzip - vlc - xclip - yubico-piv-tool - yubikey-personalization - ]) ++ - - # programs from unstable nixpkgs - (with unstable; [ - zoxide - ]); - - fileSystems = { - "/".device = "/dev/disk/by-label/nugget-root"; - "/boot".device = "/dev/disk/by-label/EFI"; - "/home".device = "/dev/disk/by-label/nugget-home"; - }; - - # Configure user account - users.extraUsers.tazjin = { - extraGroups = [ "wheel" "audio" ]; - isNormalUser = true; - uid = 1000; - shell = nixpkgs.fish; - }; - - security.sudo = { - enable = true; - extraConfig = "wheel ALL=(ALL:ALL) SETENV: ALL"; - }; - - fonts = { - fonts = with nixpkgs; [ - corefonts - dejavu_fonts - jetbrains-mono - noto-fonts-cjk - noto-fonts-emoji - ]; - - fontconfig = { - hinting.enable = true; - subpixel.lcdfilter = "light"; - - defaultFonts = { - monospace = [ "JetBrains Mono" ]; - }; - }; - }; - - # Configure location (Vauxhall, London) 
for services that need it. - location = { - latitude = 51.4819109; - longitude = -0.1252998; - }; - - programs.fish.enable = true; - programs.ssh.startAgent = true; - - services.redshift.enable = true; - services.openssh.enable = true; - services.keybase.enable = true; - - # Required for Yubikey usage as smartcard - services.pcscd.enable = true; - services.udev.packages = [ - nixpkgs.yubikey-personalization - ]; - - services.xserver = { - enable = true; - layout = "us"; - xkbOptions = "caps:super"; - exportConfiguration = true; - videoDrivers = [ "nvidia" ]; - - displayManager = { - # Give EXWM permission to control the session. - sessionCommands = "${nixpkgs.xorg.xhost}/bin/xhost +SI:localuser:$USER"; - - lightdm.enable = true; - lightdm.greeters.gtk.clock-format = "%H·%M"; - }; - - windowManager.session = lib.singleton { - name = "exwm"; - start = "${nuggetEmacs}/bin/tazjins-emacs"; - }; - }; - - # Do not restart the display manager automatically - systemd.services.display-manager.restartIfChanged = lib.mkForce false; - - # Configure email setup - systemd.user.services.lieer-tazjin = { - description = "Synchronise mail@tazj.in via lieer"; - script = "${lieer}/bin/gmi sync"; - - serviceConfig = { - WorkingDirectory = "%h/mail/account.tazjin"; - Type = "oneshot"; - }; - }; - - systemd.user.timers.lieer-tazjin = { - wantedBy = [ "timers.target" ]; - - timerConfig = { - OnActiveSec = "1"; - OnUnitActiveSec = "180"; - }; - }; - - # Use Tailscale \o/ - services.tailscale.enable = true; - - # nugget has an SSD - services.fstrim.enable = true; - - # clangd needs more than ~2GB in the runtime directory to start up - services.logind.extraConfig = '' - RuntimeDirectorySize=4G - ''; - - # ... and other nonsense. - system.stateVersion = "19.09"; -}) diff --git a/ops/nixos/modules/smtprelay.nix b/ops/nixos/smtprelay.nix index ca960f5190a8..ca960f5190a8 100644 --- a/ops/nixos/modules/smtprelay.nix +++ b/ops/nixos/smtprelay.nix 
diff --git a/ops/nixos/modules/tvl-slapd/contents.ldif b/ops/nixos/tvl-slapd/contents.ldif
index 4ac5bcecdf01..4ac5bcecdf01 100644
--- a/ops/nixos/modules/tvl-slapd/contents.ldif
+++ b/ops/nixos/tvl-slapd/contents.ldif
diff --git a/ops/nixos/modules/tvl-slapd/default.nix b/ops/nixos/tvl-slapd/default.nix
index 294a6636d719..294a6636d719 100644
--- a/ops/nixos/modules/tvl-slapd/default.nix
+++ b/ops/nixos/tvl-slapd/default.nix
diff --git a/ops/nixos/modules/tvl-slapd/genpasswd.rb b/ops/nixos/tvl-slapd/genpasswd.rb
index 8f6f8d75842e..8f6f8d75842e 100644
--- a/ops/nixos/modules/tvl-slapd/genpasswd.rb
+++ b/ops/nixos/tvl-slapd/genpasswd.rb
diff --git a/ops/nixos/modules/v4l2loopback.nix b/ops/nixos/v4l2loopback.nix
index 636b2ff6cf27..636b2ff6cf27 100644
--- a/ops/nixos/modules/v4l2loopback.nix
+++ b/ops/nixos/v4l2loopback.nix |