Diffstat (limited to 'host/software')
-rw-r--r--host/software/desktop/asset/T-TeleSec_GlobalRoot_Class_2.pem23
-rw-r--r--host/software/desktop/default.nix31
-rw-r--r--host/software/desktop/kit.vpn.nix24
-rw-r--r--host/software/desktop/teensy.nix11
-rw-r--r--host/software/desktop/xterm.nix8
-rw-r--r--host/software/server/build.nix16
-rw-r--r--host/software/server/git.nix8
-rw-r--r--host/software/server/mail.nix8
-rw-r--r--host/software/server/website.nix27
-rw-r--r--host/software/server/wireguard.nix22
10 files changed, 104 insertions, 74 deletions
diff --git a/host/software/desktop/asset/T-TeleSec_GlobalRoot_Class_2.pem b/host/software/desktop/asset/T-TeleSec_GlobalRoot_Class_2.pem
deleted file mode 100644
index 374b050..0000000
--- a/host/software/desktop/asset/T-TeleSec_GlobalRoot_Class_2.pem
+++ /dev/null
@@ -1,23 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDwzCCAqugAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCREUx
-KzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAd
-BgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNl
-YyBHbG9iYWxSb290IENsYXNzIDIwHhcNMDgxMDAxMTA0MDE0WhcNMzMxMDAxMjM1
-OTU5WjCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnBy
-aXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50
-ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqX9obX+hzkeXaXPSi5kfl82hVYAUd
-AqSzm1nzHoqvNK38DcLZSBnuaY/JIPwhqgcZ7bBcrGXHX+0CfHt8LRvWurmAwhiC
-FoT6ZrAIxlQjgeTNuUk/9k9uN0goOA/FvudocP05l03Sx5iRUKrERLMjfTlH6VJi
-1hKTXrcxlkIF+3anHqP1wvzpesVsqXFP6st4vGCvx9702cu+fjOlbpSD8DT6Iavq
-jnKgP6TeMFvvhk1qlVtDRKgQFRzlAVfFmPHmBiiRqiDFt1MmUUOyCxGVWOHAD3bZ
-wI18gfNycJ5v/hqO2V81xrJvNHy+SE/iWjnX2J14np+GPgNeGYtEotXHAgMBAAGj
-QjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS/
-WSA2AHmgoCJrjNXyYdK4LMuCSjANBgkqhkiG9w0BAQsFAAOCAQEAMQOiYQsfdOhy
-NsZt+U2e+iKo4YFWz827n+qrkRk4r6p8FU3ztqONpfSO9kSpp+ghla0+AGIWiPAC
-uvxhI+YzmzB6azZie60EI4RYZeLbK4rnJVM3YlNfvNoBYimipidx5joifsFvHZVw
-IEoHNN/q/xWA5brXethbdXwFeilHfkCoMRN3zUA7tFFHei4R40cR3p1m0IvVVGb6
-g1XqfMIpiRvpb7PO4gWEyS8+eIVibslfwXhjdFjASBgMmTnrpMwatXlajRWc2BQN
-9noHV8cigwUtPJslJj0Ys6lDfMjIq2SPDqO/nBudMNva0Bkuqjzx+zOAduTNrRlP
-BSeOE6Fuwg==
------END CERTIFICATE-----
diff --git a/host/software/desktop/default.nix b/host/software/desktop/default.nix
index c56cec9..da15c8f 100644
--- a/host/software/desktop/default.nix
+++ b/host/software/desktop/default.nix
@@ -7,17 +7,19 @@
fileSystems."/".options = [ "noatime" "nodiratime" "discard" ];
- sound.enable = true;
+ services.pipewire = {
+ enable = true;
+ alsa = {
+ enable = true;
+ support32Bit = true;
+ };
+ pulse.enable = true;
+ };
hardware = {
opengl= {
driSupport32Bit = true;
};
-
- pulseaudio = {
- enable = true;
- support32Bit = true;
- };
};
services = {
@@ -30,17 +32,22 @@
layout = "de";
xkbOptions = "caps:escape";
- displayManager.slim = {
- enable = true;
- autoLogin = true;
- defaultUser = "common";
+ displayManager = {
+ autoLogin = {
+ enable = true;
+ user = "common";
+ };
};
-
- desktopManager.default = "none";
};
+
+ gvfs.enable = true;
};
environment.systemPackages = with pkgs; [
ntfs3g
];
+
+ boot.kernel.sysctl = {
+ "kernel.perf_event_paranoid" = -1; # allow user to perform perf analysis
+ };
}
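Review bot: Setting `"kernel.perf_event_paranoid" = -1` at the end of this hunk removes nearly all perf restrictions for every local account and service on the machine, including raw tracepoint and CPU-wide event access, not only for the auto-login user. If the aim is profiling one's own processes, `"kernel.perf_event_paranoid" = 1;` still allows user and kernel sampling without CPU-wide events. If -1 is really needed, the trailing comment should say which tool requires it. The enclosing attribute set starts outside the hunk.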
diff --git a/host/software/desktop/kit.vpn.nix b/host/software/desktop/kit.vpn.nix
index 726356d..9f51a42 100644
--- a/host/software/desktop/kit.vpn.nix
+++ b/host/software/desktop/kit.vpn.nix
@@ -3,25 +3,13 @@
{
services.openvpn.servers = {
KIT = {
- # adapted from https://www.scc.kit.edu/scc/net/openvpn/os/debian/kit.ovpn
- config = ''
- client
- remote 141.52.8.20
- port 1194
- dev tun
- proto udp
- auth-user-pass
- nobind
- comp-lzo no
- tls-version-min 1.2
- ca ${./asset/T-TeleSec_GlobalRoot_Class_2.pem}
- verify-x509-name "C=DE, ST=Baden-Wuerttemberg, L=Karlsruhe, O=Karlsruhe Institute of Technology, OU=Steinbuch Centre for Computing, CN=ovpn.scc.kit.edu" subject
- cipher AES-256-CBC
- auth SHA384
- verb 3
- script-security 2
- '';
autoStart = false;
+ config = let
+ path = pkgs.fetchurl {
+ url = "https://www.scc.kit.edu/scc/net/openvpn/conf/kit-split.ovpn";
+ hash = "sha256-j4pCKyU7t1ZmwIGm5kuUgZ26Qiqa1jzoDZcP2x+A9pM=";
+ };
+ in "config ${path}";
};
};
}
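Review bot: The TLS settings that used to be reviewable in this file (`verify-x509-name`, `tls-version-min 1.2`, the pinned `ca`, `script-security 2`) now live only in the fetched `kit-split.ovpn`. The `hash` guarantees the file cannot change silently, but it does not tell a reader what the profile enforces. I would add a comment above `path`, for example `# upstream profile; reviewed <date> for server-name verification, TLS minimum and script-security; re-review whenever the hash is updated`. The hunk now uses `pkgs`, and the module's argument list is outside the hunk, so confirm `pkgs` is bound there.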
diff --git a/host/software/desktop/teensy.nix b/host/software/desktop/teensy.nix
new file mode 100644
index 0000000..461ad27
--- /dev/null
+++ b/host/software/desktop/teensy.nix
@@ -0,0 +1,11 @@
+{ pkgs, ... }:
+
+{
+ services.udev.extraRules = ''
+ # UDEV rules for Teensy USB
+ ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", ENV{ID_MM_DEVICE_IGNORE}="1"
+ ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789A]?", ENV{MTP_NO_PROBE}="1"
+ SUBSYSTEMS=="usb", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789ABCD]?", MODE:="0666"
+ KERNEL=="ttyACM*", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", MODE:="0666"
+ '';
+}
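Review bot: The last two rules set `MODE:="0666"`, which makes the Teensy USB node and its `ttyACM*` serial port readable and writable by every local account and service, not only the person using the board. Restricting access to a group keeps the device usable without opening it to everything on the host: replace `MODE:="0666"` with `GROUP="dialout", MODE:="0660"` in both rules and add the desktop user to `dialout`. The `pkgs` argument is unused in this file.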
diff --git a/host/software/desktop/xterm.nix b/host/software/desktop/xterm.nix
new file mode 100644
index 0000000..53fdd3e
--- /dev/null
+++ b/host/software/desktop/xterm.nix
@@ -0,0 +1,8 @@
+{ pkgs, ... }:
+
+{
+ services.xserver = {
+ displayManager.lightdm.enable = true;
+ desktopManager.xterm.enable = true;
+ };
+}
diff --git a/host/software/server/build.nix b/host/software/server/build.nix
new file mode 100644
index 0000000..44c4562
--- /dev/null
+++ b/host/software/server/build.nix
@@ -0,0 +1,16 @@
+{
+ nix.buildMachines = [ {
+ hostName = "majestix";
+ sshUser = "common";
+ system = "x86_64-linux";
+ maxJobs = 16;
+ speedFactor = 2;
+ } ];
+
+ nix = {
+ distributedBuilds = true;
+ extraOptions = ''
+ builders-use-substitutes = true
+ '';
+ };
+}
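Review bot: The builder entry declares no `sshKey`, so the connection presumably falls back to whatever identity and known-hosts state the SSH client of the Nix daemon's user has on each machine. Neither the client key nor the host key of `majestix` is then fixed by the configuration. I would add `sshKey = "<path to a dedicated build key>";` to the entry and pin the builder's host key through `programs.ssh.knownHosts`. `sshUser = "common"` is also the desktop auto-login account in desktop/default.nix, so a separate unprivileged build account on the builder would keep build access apart from the interactive account.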
diff --git a/host/software/server/git.nix b/host/software/server/git.nix
index 209a318..2781911 100644
--- a/host/software/server/git.nix
+++ b/host/software/server/git.nix
@@ -3,8 +3,8 @@
{
services.uwsgi = {
enable = true;
- user = "nginx";
- group = "nginx";
+ user = "public";
+ group = "users";
plugins = [ "cgi" ];
instance = {
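Review bot: Running the uwsgi CGI workers as `public:users` (here, and in the `extraGroups` and `chown` lines of the two hunks below) puts cgit in the account that website.nix describes as building sites with `nix-build`. A flaw in the CGI would therefore reach that account's home directory and anything the `users` group can access. A dedicated system account, e.g. `user = "cgit"; group = "cgit";` with `users.extraUsers.cgit.extraGroups = [ "git" ];`, would keep repository browsing isolated. The socket directory under `/run/cgit` would then need to be accessible to nginx. The `services.uwsgi` block starts and ends outside the hunk.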
@@ -33,7 +33,7 @@
'';
};
- users.extraUsers.nginx.extraGroups = [ "git" ];
+ users.extraUsers.public.extraGroups = [ "git" ];
services.nginx.virtualHosts."code.kummerlaender.eu" = {
addSSL = true;
@@ -64,7 +64,7 @@
};
script = ''
mkdir /run/cgit
- chown -R nginx:nginx /run/cgit
+ chown -R public:users /run/cgit
'';
};
diff --git a/host/software/server/mail.nix b/host/software/server/mail.nix
index f7e498d..37c007b 100644
--- a/host/software/server/mail.nix
+++ b/host/software/server/mail.nix
@@ -1,8 +1,12 @@
{ config, pkgs, ... }:
{
- imports = [
- (builtins.fetchTarball "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.2.1/nixos-mailserver-v2.2.1.tar.gz")
+ imports = let
+ release = "nixos-21.05";
+ in [
+ (builtins.fetchTarball {
+ url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${release}/nixos-mailserver-${release}.tar.gz";
+ })
];
mailserver = {
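Review bot: The new `fetchTarball` call tracks the mutable `nixos-21.05` branch and carries no `sha256`, so each evaluation may import whatever module code that branch serves at the time, with no integrity check. The replaced line at least named a tag. Add `sha256 = "<hash of the reviewed tarball>";` next to `url` so that a changed archive fails evaluation instead of being imported into the mail server configuration.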
diff --git a/host/software/server/website.nix b/host/software/server/website.nix
index 9b2493e..8248a0b 100644
--- a/host/software/server/website.nix
+++ b/host/software/server/website.nix
@@ -7,6 +7,10 @@
shell = pkgs.fish;
};
+ services.nginx.user = "public";
+
+ systemd.services.nginx.serviceConfig.ProtectHome = false;
+
# `public` generates websites using their custom derivations via `nix-build`
services.nginx.virtualHosts = let
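Review bot: `ProtectHome = false` removes the service's home-directory sandboxing for all of /home, and with `services.nginx.user = "public"` the nginx workers also gain write access to the content they serve. If the service only needs to read `/home/public/*/result`, `systemd.services.nginx.serviceConfig.ProtectHome = "read-only";` keeps /home non-writable for it. Either way, a one-line comment saying why the hardening setting is relaxed would help the next reader.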
@@ -25,11 +29,11 @@
'';
};
- proxy = target: {
- proxyPass = target;
+ proxy = server: target: {
+ proxyPass = server;
extraConfig = ''
expires off;
- proxy_set_header Host code.kummerlaender.eu;
+ return ${target};
'';
};
in {
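Review bot: In the reworked `proxy` helper, `return ${target};` runs in nginx's rewrite phase, so the `proxyPass = server` set on the same location would never be reached and the `server` argument looks dead. If a redirect is what is wanted, drop `proxyPass` and give an explicit status, e.g. `return 302 ${target};`. The only callers visible in this diff are removed in the next hunk, so check whether the helper is still used at all. The `let` block it belongs to starts outside the hunk.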
@@ -43,11 +47,18 @@
'';
};
- "pkgs.kummerlaender.eu" = default {
- "/".root = "/home/public/pkgs/result";
- "/nixexprs.tar.gz" = proxy "http://code.kummerlaender.eu/pkgs/snapshot/master.tar.gz";
- "/nixexprs.tar.xz" = proxy "http://code.kummerlaender.eu/pkgs/snapshot/master.tar.xz";
- "/nixexprs.tar.bz2" = proxy "http://code.kummerlaender.eu/pkgs/snapshot/master.tar.bz2";
+ "literatelb.org" = let
+ sub = "literatelb";
+ in default {
+ "/".root = "/home/public/${sub}/result";
+ "/".extraConfig = ''
+ location ~* \.(?:html?|xml)$ {
+ expires -1;
+ }
+ location /tangle/ {
+ autoindex on;
+ }
+ '';
};
};
}
diff --git a/host/software/server/wireguard.nix b/host/software/server/wireguard.nix
index cc4f2fa..8ebd9f5 100644
--- a/host/software/server/wireguard.nix
+++ b/host/software/server/wireguard.nix
@@ -14,18 +14,26 @@
privateKeyFile = "/etc/wireguard/private";
peers = [
- { # obelix
- publicKey = "RrsNZKZ17Ol1WHxZesLnenGKnqxiQlE0T8xFP6/5mBE=";
- allowedIPs = [ "10.100.0.2" ];
- }
- { # majestix
- publicKey = "Tkoaewh9HB5rIuJVrFgClRF4x7prOtIlSJjiTYCpxis=";
+ { # atlas
+ publicKey = "uuu0Ajabq6fkSdkw7SWLAt0cSYiXX0KWyj5amqVjqQw=";
allowedIPs = [ "10.100.0.3" ];
}
{ # athena
- publicKey = "t4SzRV/olVdzAKauJOwFau3I0fTISUvbOAaKGZd6ezU=";
+ publicKey = "eweByJZDVxq23kJjGV5e1utRdPKo4erEnwwe13bFrkE=";
allowedIPs = [ "10.100.0.4" ];
}
+ { # mobiltelefon
+ publicKey = "jUtbAF3TZDEFXlL+YTV3g26wP0IWGbpiCFGXjxo5TXE=";
+ allowedIPs = [ "10.100.0.6" ];
+ }
+ { # hephaestus
+ publicKey = "0nd/5vZaerTCUpS6uXsulCTzI3ZsUT2N2pnh7zTo8wg=";
+ allowedIPs = [ "10.100.0.7" ];
+ }
+ { # idefix
+ publicKey = "4Q1Glnceec8FOtkq8UnaYtlwsR1VIvs6lTalavNQp0A=";
+ allowedIPs = [ "10.100.0.8" ];
+ }
];
};
};