From 3fc1143a04da49a92c3663813c6a0c1e8ccd477f Mon Sep 17 00:00:00 2001 From: Griffin Smith Date: Tue, 29 Sep 2020 23:42:59 -0400 Subject: feat(gs/system): Init mugwump Init the config for mugwump, a NUC that I bought from ncl and which I'm going to use as a simple home server and ssh bastion box. Since this is the first time I've set up a server using my nixos config, this also moves a bunch of desktop (xserver, audio, etc.) related config out of modules/common.nix and into a new modules/desktop.nix. Coming soon: nixos-rebuild switch --target, but in the depot! Change-Id: I67bd5ba6e3c26f80f77058af186fd41cc245d5d2 Reviewed-on: https://cl.tvl.fyi/c/depot/+/2016 Reviewed-by: glittershark Tested-by: BuildkiteCI --- users/glittershark/system/home/modules/common.nix | 19 ++++++ users/glittershark/system/system/default.nix | 8 +++ .../system/system/machines/chupacabra.nix | 12 ++++ .../system/system/machines/mugwump.nix | 74 ++++++++++++++++++++++ .../glittershark/system/system/modules/common.nix | 67 ++------------------ .../glittershark/system/system/modules/desktop.nix | 25 ++++++++ 6 files changed, 144 insertions(+), 61 deletions(-) create mode 100644 users/glittershark/system/system/machines/mugwump.nix create mode 100644 users/glittershark/system/system/modules/desktop.nix diff --git a/users/glittershark/system/home/modules/common.nix b/users/glittershark/system/home/modules/common.nix index 5d3d485bc0a1..b28b2dbca6ba 100644 --- a/users/glittershark/system/home/modules/common.nix +++ b/users/glittershark/system/home/modules/common.nix @@ -45,4 +45,23 @@ nix-review cachix ]; + + programs.ssh = { + enable = true; + + matchBlocks = { + "dobharchu" = { + host = "dobharchu"; + hostname = "172.16.0.4"; + forwardAgent = true; + user = "griffin"; + }; + + "mugwump" = { + host = "mugwump"; + hostname = "172.16.0.5"; + forwardAgent = true; + }; + }; + }; } 
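Review bot: Both new match blocks set `forwardAgent = true;`, which hands the local agent socket to the remote host — root on dobharchu or mugwump can then sign with every key loaded in the agent for the life of the session, and the commit message says mugwump is meant to be an SSH bastion, i.e. the one host that should never be trusted with that. Reaching machines behind a bastion does not need agent forwarding; on the inner host's match block `proxyJump = "mugwump";` (home-manager exposes this option) tunnels the TCP connection without exposing the agent, and the mugwump block itself can drop `forwardAgent` entirely. If forwarding is genuinely needed somewhere, keep it on that one host only and load keys with confirmation (`ssh-add -c`) so every remote use has to be approved locally. The enclosing `programs.ssh` attribute set is fully within the hunk.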
diff --git a/users/glittershark/system/system/default.nix b/users/glittershark/system/system/default.nix index 12cde445fe0b..2223f33ce3e0 100644 --- a/users/glittershark/system/system/default.nix +++ b/users/glittershark/system/system/default.nix @@ -7,11 +7,19 @@ rec { configuration = chupacabra; }).system; + mugwump = import ./machines/mugwump.nix; + + mugwumpSystem = (pkgs.nixos { + configuration = mugwump; + }).system; + iso = import ./iso.nix args; # Build chupacabra in CI meta.targets = [ "chupacabraSystem" + "mugwumpSystem" + "iso" ]; diff --git a/users/glittershark/system/system/machines/chupacabra.nix b/users/glittershark/system/system/machines/chupacabra.nix index 5d9414309676..242c2865601c 100644 --- a/users/glittershark/system/system/machines/chupacabra.nix +++ b/users/glittershark/system/system/machines/chupacabra.nix @@ -7,6 +7,7 @@ ../modules/tvl.nix ../modules/urbint.nix ../modules/fcitx.nix + ../modules/rtlsdr.nix ../../../../../ops/nixos/v4l2loopback.nix ]; @@ -101,4 +102,15 @@ libvdpau-va-gl intel-media-driver ]; + + services.udev.extraRules = '' + # UDEV rules for Teensy USB devices + ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", ENV{ID_MM_DEVICE_IGNORE}="1" + ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789A]?", ENV{MTP_NO_PROBE}="1" + SUBSYSTEMS=="usb", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789ABCD]?", MODE:="0666" + KERNEL=="ttyACM*", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", MODE:="0666" + ''; + + # Necessary to get steam working + hardware.opengl.driSupport32Bit = true; } diff --git a/users/glittershark/system/system/machines/mugwump.nix b/users/glittershark/system/system/machines/mugwump.nix new file mode 100644 index 000000000000..9521f578846d --- /dev/null +++ b/users/glittershark/system/system/machines/mugwump.nix 
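Review bot: Nothing in this diff imports the new `../modules/desktop.nix`: common.nix drops its imports of xserver/fonts/sound/kernel, and this hunk only adds `../modules/rtlsdr.nix` to chupacabra's list, so as committed chupacabra appears to lose its X server, fonts, sound, kernel tweaks, nm-applet, geoclue and power management. Since desktop.nix is created by this commit, an import of it would have to be an added line, and none appears in any hunk; unless a follow-up change is already planned, add `../modules/desktop.nix` next to `../modules/common.nix` in this list. The start of the `imports` list is above the hunk, so the exact insertion point is outside what I can see.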
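Review bot: The two `MODE:="0666"` rules in the Teensy block moved into chupacabra.nix make the matching USB and ttyACM device nodes world-writable, so any local account or sandboxed process on the machine can talk to (and reflash) the board. Only the logged-in desktop user needs access; `SUBSYSTEMS=="usb", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789ABCD]?", TAG+="uaccess"` and the matching `KERNEL=="ttyACM*", ... TAG+="uaccess"` grant that through the seat ACL without opening the nodes to everyone (or use `GROUP="dialout", MODE="0660"` and add the user to dialout). These lines are carried over from common.nix rather than newly written, but narrowing them to one machine is a good moment to tighten them.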
@@ -0,0 +1,74 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports = [
+ ../modules/common.nix
+ ../modules/tvl.nix
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ networking.hostName = "mugwump";
+
+ boot = {
+ loader.systemd-boot.enable = true;
+
+ kernelModules = [ "kvm-intel" ];
+ extraModulePackages = [ ];
+
+ initrd = {
+ availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+ kernelModules = [
+ "uas" "usbcore" "usb_storage" "vfat" "nls_cp437" "nls_iso8859_1"
+ ];
+
+ postDeviceCommands = pkgs.lib.mkBefore ''
+ mkdir -m 0755 -p /key
+ sleep 2
+ mount -n -t vfat -o ro `findfs UUID=9048-A9D5` /key
+ '';
+
+ luks.devices."cryptroot" = {
+ device = "/dev/disk/by-uuid/803a9028-339c-4617-a213-4fe138161f6d";
+ keyFile = "/key/keyfile";
+ preLVM = false;
+ };
+ };
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/mapper/cryptroot";
+ fsType = "btrfs";
+ };
+ "/boot" = {
+ device = "/dev/disk/by-uuid/7D74-0E4B";
+ fsType = "vfat";
+ };
+ };
+
+ networking.interfaces = {
+ enp0s25.useDHCP = false;
+ wlp2s0.useDHCP = false;
+ };
+
+ networking.firewall.enable = true;
+ networking.firewall.allowedTCPPorts = [ 22 ];
+
+ security.sudo.extraRules = [{
+ groups = ["wheel"];
+ commands = [{ command = "ALL"; options = ["NOPASSWD"]; }];
+ }];
+
+ services.fail2ban = {
+ enable = true;
+ ignoreIP = [
+ "172.16.0.0/16"
+ ];
+ };
+
+ services.openssh = {
+ allowSFTP = false;
+ passwordAuthentication = false;
+ permitRootLogin = "no";
+ };
+}
diff --git a/users/glittershark/system/system/modules/common.nix b/users/glittershark/system/system/modules/common.nix
index 884f0a9a7d13..a3f2a06d38a5 100644
--- a/users/glittershark/system/system/modules/common.nix
+++ b/users/glittershark/system/system/modules/common.nix
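Review bot: The `services.openssh` block at the end of mugwump.nix disables password and root login but leaves `challengeResponseAuthentication` at its NixOS default of true, and with `UsePAM` (the NixOS default) that still lets sshd offer keyboard-interactive authentication, so a guessed account password logs in despite `passwordAuthentication = false`; add `challengeResponseAuthentication = false;` (later releases rename this `kbdInteractiveAuthentication`) so the bastion is really key-only. The `security.sudo.extraRules` entry grants every wheel member `ALL` with `NOPASSWD`, which on an internet-facing SSH host turns any leaked or forwarded key straight into root; drop the `options = ["NOPASSWD"]` here and keep passwordless sudo, if wanted, for desktops. The LUKS key is read from an unencrypted VFAT stick located by UUID after a fixed `sleep 2`, so anyone holding the stick can decrypt the disk and a slow-enumerating or missing stick leaves the box unbootable — setting `fallbackToPassword = true;` on `cryptroot` and a one-line comment stating that the stick is the root of trust would make both facts explicit. `ignoreIP = [ "172.16.0.0/16" ]` means fail2ban never bans the LAN, which is fine only while the LAN is trusted and deserves a comment saying so.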
@@ -6,30 +6,19 @@ let in -{ - imports = - [ - ./xserver.nix - ./fonts.nix - ./sound.nix - ./kernel.nix - ./rtlsdr.nix - ]; +with lib; +{ boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; networking.useDHCP = false; networking.networkmanager.enable = true; - # Select internationalisation properties. - # i18n = { - # consoleFont = "Lat2-Terminus16"; - # consoleKeyMap = "us"; - # defaultLocale = "en_US.UTF-8"; - # }; + i18n = { + defaultLocale = "en_US.UTF-8"; + }; - # Set your time zone. time.timeZone = "America/New_York"; environment.systemPackages = with pkgs; [ @@ -44,30 +33,11 @@ in depot.users.glittershark.system.system.rebuilder ]; - # Some programs need SUID wrappers, can be configured further or are - # started in user sessions. - # programs.mtr.enable = true; - # programs.gnupg.agent = { - # enable = true; - # enableSSHSupport = true; - # pinentryFlavor = "gnome3"; - # }; - - programs.nm-applet.enable = true; - - services.openssh.enable = true; programs.ssh.startAgent = true; - # Open ports in the firewall. - # networking.firewall.allowedTCPPorts = [ ... ]; - # networking.firewall.allowedUDPPorts = [ ... ]; - # Or disable the firewall altogether. - networking.firewall.enable = false; - - # Enable CUPS to print documents. - # services.printing.enable = true; + networking.firewall.enable = mkDefault false; users.mutableUsers = true; programs.zsh.enable = true; @@ -94,20 +64,6 @@ in nixpkgs.config.allowUnfree = true; - services.geoclue2.enable = true; - - powerManagement = { - enable = true; - cpuFreqGovernor = lib.mkDefault "powersave"; - powertop.enable = true; - }; - # Hibernate on low battery - laptop.onLowBattery = { - enable = true; - action = "hibernate"; - thresholdPercentage = 5; - }; - nix = { trustedUsers = [ "grfn" ]; autoOptimiseStore = true; 
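Review bot: `networking.firewall.enable = mkDefault false;` inverts NixOS's own default and makes "no firewall" the baseline for every machine built from this module, while the context line `services.openssh.enable = true;` keeps sshd on all of them, so any host that forgets to override it (mugwump does; whether chupacabra does is not visible in this diff) runs sshd and anything else that listens with nothing in front of it. Turning the old hard-coded `false` into a `mkDefault` is an improvement, but the safer baseline is `networking.firewall.enable = mkDefault true;` with per-machine `allowedTCPPorts`, or simply leaving the option unset so the NixOS default applies; a desktop that really wants it off can set `false` explicitly and own that decision. The enclosing attribute set starts and ends outside this hunk.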
@@ -139,15 +95,4 @@ in
 options = "--delete-older-than 30d";
 };
 };
-
- services.udev.extraRules = ''
- # UDEV rules for Teensy USB devices
- ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", ENV{ID_MM_DEVICE_IGNORE}="1"
- ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789A]?", ENV{MTP_NO_PROBE}="1"
- SUBSYSTEMS=="usb", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789ABCD]?", MODE:="0666"
- KERNEL=="ttyACM*", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", MODE:="0666"
- '';
-
- # Necessary to get steam working
- hardware.opengl.driSupport32Bit = true;
 }
diff --git a/users/glittershark/system/system/modules/desktop.nix b/users/glittershark/system/system/modules/desktop.nix
new file mode 100644
index 000000000000..dc2847a779d6
--- /dev/null
+++ b/users/glittershark/system/system/modules/desktop.nix
@@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }:
+
+{
+ imports = [
+ ./xserver.nix
+ ./fonts.nix
+ ./sound.nix
+ ./kernel.nix
+ ];
+
+ programs.nm-applet.enable = true;
+
+ users.users.grfn.extraGroups = [
+ "audio"
+ "video"
+ ];
+
+ services.geoclue2.enable = true;
+
+ powerManagement = {
+ enable = true;
+ cpuFreqGovernor = lib.mkDefault "powersave";
+ powertop.enable = true;
+ };
+}
-- cgit 1.4.1
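Review bot: The new desktop.nix has no header comment explaining its role, and because common.nix no longer imports xserver/fonts/sound/kernel, the fact that every non-headless machine must now import this file itself is easy to miss. I would add at the top `# Workstation-only configuration (X, fonts, sound, kernel tweaks, nm-applet, geoclue, power management).` followed by `# Not pulled in by common.nix: machines that are not headless servers must import this module explicitly.`. The `users.users.grfn.extraGroups` line also hard-codes a user name in an otherwise user-agnostic module; a short comment noting that assumption (or pointing at where that user is declared) would help whoever adds the next workstation.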