Diffstat (limited to 'host')
-rw-r--r-- | host/asterix.nix | 2 | ||||
-rw-r--r-- | host/athena.nix | 78 | ||||
-rw-r--r-- | host/atlas.nix | 89 | ||||
-rw-r--r-- | host/automatix.nix | 31 | ||||
-rw-r--r-- | host/hardware/athena.nix | 17 | ||||
-rw-r--r-- | host/hardware/atlas.nix | 37 | ||||
-rw-r--r-- | host/hardware/hephaestus.nix | 30 | ||||
-rw-r--r-- | host/hardware/idefix.nix | 50 | ||||
-rw-r--r-- | host/hardware/majestix.nix | 31 | ||||
-rw-r--r-- | host/hephaestus.nix | 71 | ||||
-rw-r--r-- | host/idefix.nix | 75 | ||||
-rw-r--r-- | host/majestix.nix | 67 | ||||
-rw-r--r-- | host/obelix.nix | 18 | ||||
-rw-r--r-- | host/software/desktop/asset/T-TeleSec_GlobalRoot_Class_2.pem | 23 | ||||
-rw-r--r-- | host/software/desktop/default.nix | 31 | ||||
-rw-r--r-- | host/software/desktop/kit.vpn.nix | 24 | ||||
-rw-r--r-- | host/software/desktop/teensy.nix | 11 | ||||
-rw-r--r-- | host/software/desktop/xterm.nix | 8 | ||||
-rw-r--r-- | host/software/server/build.nix | 16 | ||||
-rw-r--r-- | host/software/server/git.nix | 8 | ||||
-rw-r--r-- | host/software/server/mail.nix | 8 | ||||
-rw-r--r-- | host/software/server/website.nix | 27 | ||||
-rw-r--r-- | host/software/server/wireguard.nix | 22 |
23 files changed, 566 insertions, 208 deletions
diff --git a/host/asterix.nix b/host/asterix.nix index 75b23b0..6909832 100644 --- a/host/asterix.nix +++ b/host/asterix.nix @@ -52,4 +52,6 @@ }; powerManagement.powertop.enable = true; + + system.stateVersion = "18.09"; } diff --git a/host/athena.nix b/host/athena.nix index c37318f..6a7d266 100644 --- a/host/athena.nix +++ b/host/athena.nix @@ -4,6 +4,7 @@ imports = [ ./hardware/athena.nix ./software/desktop + ./software/desktop/xterm.nix ]; boot = { @@ -12,12 +13,13 @@ efi.canTouchEfiVariables = true; }; - initrd.luks.devices = [ { - name = "encrypted"; - device = "/dev/nvme0n1p2"; - preLVM = true; - allowDiscards = true; - } ]; + initrd.luks.devices = { + encrypted = { + device = "/dev/nvme0n1p2"; + preLVM = true; + allowDiscards = true; + }; + }; }; networking = { @@ -51,7 +53,7 @@ acpid.enable = true; xserver = { - videoDrivers = [ "intel" ]; + videoDrivers = [ "nvidia" ]; synaptics = { enable = true; @@ -61,9 +63,49 @@ minSpeed = "1.5"; }; }; + + printing = { + enable = true; + drivers = [ pkgs.hplip ]; + }; + + avahi = { + enable = true; + nssmdns = true; + }; + }; + + hardware.nvidia = { + package = pkgs.linuxPackages.nvidia_x11; + prime = { + offload.enable = true; + + intelBusId = "PCI:0:2:0"; + nvidiaBusId = "PCI:1:0:0"; + }; + powerManagement.enable = true; }; - virtualisation.libvirtd.enable = true; + environment.systemPackages = [ + pkgs.zenith-nvidia + pkgs.virt-manager + (pkgs.writeScriptBin "nvidia-offload" '' + export __NV_PRIME_RENDER_OFFLOAD=1 + export __NV_PRIME_RENDER_OFFLOAD_PROVIDER=NVIDIA-G0 + export __GLX_VENDOR_LIBRARY_NAME=nvidia + export __VK_LAYER_NV_optimus=NVIDIA_only + exec -a "$0" "$@" + '') + ]; + + virtualisation = { + libvirtd.enable = true; + docker = { + enable = true; + enableNvidia = true; + }; + }; + users.users.common.extraGroups = [ "docker" ]; hardware.trackpoint = { enable = true; 
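Review bot: `users.users.common.extraGroups = [ "docker" ]` makes the autologin desktop account root-equivalent, because docker-group membership is access to the Docker socket and anyone who can start a container can bind-mount `/`; the LUKS and autologin trade-offs of this laptop therefore now extend to every process running as `common`. If GPU passthrough allows it, rootless Docker (`virtualisation.docker.rootless.enable = true;`) avoids that, and otherwise a comment next to the line should acknowledge the choice. The `nvidia-offload` wrapper is built with `pkgs.writeScriptBin` but has no `#!` line, so the bash-only `exec -a "$0" "$@"` depends on whichever shell the kernel fallback picks; `pkgs.writeShellScriptBin "nvidia-offload"` adds the bash shebang. The enclosing `services` attrset opens before this hunk.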
@@ -73,22 +115,18 @@ hardware.bluetooth.enable = true; - hardware.opengl.extraPackages = [ pkgs.intel-ocl ]; - services.tlp = { enable = true; - extraConfig = '' - RESTORE_DEVICE_STATE_ON_STARTUP=1 - DEVICES_TO_DISABLE_ON_STARTUP="wwan" - ''; + settings = { + RESTORE_DEVICE_STATE_ON_STARTUP = 1; + START_CHARGE_THRESH_BAT0 = 75; + STOP_CHARGE_THRESH_BAT0 = 85; + CPU_SCALING_GOVERNOR_ON_BAT = "powersave"; + ENERGY_PERF_POLICY_ON_BAT = "powersave"; + }; }; powerManagement.powertop.enable = true; - i18n = { - consoleFont = "ter-132n"; - consolePackages = [ pkgs.terminus_font ]; - }; - - boot.earlyVconsoleSetup = true; + system.stateVersion = "21.11"; } diff --git a/host/atlas.nix b/host/atlas.nix new file mode 100644 index 0000000..4611ed7 --- /dev/null +++ b/host/atlas.nix 
@@ -0,0 +1,89 @@
+{ pkgs, ... }:
+
+{
+ imports = [
+ ./hardware/atlas.nix
+ ./software/desktop
+ ./software/desktop/xterm.nix
+ ];
+
+ networking = {
+ hostName = "atlas";
+ networkmanager.enable = true;
+ };
+
+ services.xserver = {
+ videoDrivers = [ "nvidia" ];
+ };
+
+ hardware.nvidia.package = pkgs.linuxPackages.nvidia_x11;
+
+ environment.systemPackages = with pkgs; [
+ nvtop
+ ];
+
+ virtualisation.docker = {
+ enable = true;
+ enableNvidia = true;
+ autoPrune = {
+ enable = true;
+ dates = "daily";
+ };
+ };
+ users.users.common.extraGroups = [ "docker" ];
+
+ networking.wireguard.interfaces = {
+ wg0 = {
+ ips = [ "10.100.0.3/24" ];
+
+ privateKeyFile = "/etc/wireguard/private";
+
+ peers = [
+ { # automatix
+ publicKey = "B0tkjq+5SfECKx1gWEP5JVWOIaRWL2JNE7iSpMmN4F0=";
+ allowedIPs = [ "10.100.0.0/24" ];
+ endpoint = "kummerlaender.eu:54321";
+ persistentKeepalive = 10;
+ }
+ ];
+ };
+ };
+
+ networking.firewall = {
+ enable = true;
+ interfaces."wg0".allowedTCPPorts = [ 5900 8080 8888 ];
+ };
+
+ services.printing = {
+ enable = true;
+ drivers = [ pkgs.hplip ];
+ };
+
+ services.gitlab-runner = {
+ enable = true;
+ services = {
+ openlb-ci = {
+ executor = "shell";
+ registrationConfigFile = "/etc/gitlab-runner.conf";
+ tagList = [ "nix" "has-gpu" ];
+ limit = 1;
+ };
+ openlb-ci-extra = {
+ executor = "shell";
+ registrationConfigFile = "/etc/gitlab-runner.conf";
+ tagList = [ "nix" "gcc" "clang" "mpi" "cuda" "has-flake" ];
+ limit = 4;
+ };
+ };
+ };
+
+ systemd.services.gitlab-runner.serviceConfig = {
+ CPUQuota = "400%";
+ MemoryHigh = "8G";
+ };
+
+ users.users.gitlab-runner.isNormalUser = true;
+ nix.settings.allowed-users = [ "gitlab-runner" ];
+
+ system.stateVersion = "23.11";
+}
diff --git a/host/automatix.nix b/host/automatix.nix
index d95f12e..7c6edd0 100644
--- a/host/automatix.nix
+++ b/host/automatix.nix
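Review bot: Both `openlb-ci` runners use `executor = "shell"`, so every CI job script from the tracked projects runs as the local `gitlab-runner` user with no confinement beyond the `CPUQuota`/`MemoryHigh` limits further down; anyone who can push to those projects gets persistent code execution on atlas, and `isNormalUser = true` gives them a home directory to keep state in. Docker is already enabled on this host, so `executor = "docker"` is the natural fix; failing that, add sandboxing to the same `systemd.services.gitlab-runner.serviceConfig` block, e.g. `NoNewPrivileges = true; PrivateTmp = true;`. `nix.settings.allowed-users = [ "gitlab-runner" ]` replaces the default `*`, so unless another imported module lists them, `common` and other non-root users lose access to the Nix daemon — if that is intended, say so in a comment. `/etc/gitlab-runner.conf` carries the registration token and `/etc/wireguard/private` the tunnel key; neither file is managed here, so their root-only permissions have to be maintained by hand.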
@@ -12,10 +12,11 @@
 boot.loader.grub = {
 enable = true;
- version = 2;
 device = "/dev/sda";
 };
+ nix.settings.allowed-users = [ "public" ];
+
 networking = {
 hostName = "automatix";
@@ -53,4 +54,32 @@
 openDefaultPorts = true;
 };
 };
+
+ systemd.timers."generate-ical-of-org-agenda" = {
+ enable = true;
+ wantedBy = [ "timers.target" ];
+ timerConfig = {
+ OnCalendar = "daily";
+ Persistent = true;
+ Unit = "generate-ical-of-org-agenda.service";
+ };
+ };
+
+ systemd.services."generate-ical-of-org-agenda" = {
+ enable = true;
+ script = "${pkgs.emacs-nox}/bin/emacs -batch -l /var/lib/syncthing/org-cal-export.el";
+ serviceConfig = {
+ Type = "oneshot";
+ User = "syncthing";
+ };
+ };
+
+ users.users.syncthing.shell = pkgs.bash;
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "key@kummerlaender.eu";
+ };
+
+ system.stateVersion = "18.09";
 }
diff --git a/host/hardware/athena.nix b/host/hardware/athena.nix
index 0682645..508507a 100644
--- a/host/hardware/athena.nix
+++ b/host/hardware/athena.nix
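Review bot: The `generate-ical-of-org-agenda` service runs `emacs -batch -l /var/lib/syncthing/org-cal-export.el` as `syncthing`, and that path is inside the Syncthing data directory: the file is writable by the Syncthing service itself and, if it sits in a shared folder, by every peer device with write access, so a compromised phone or laptop can replace the Elisp and get daily code execution on automatix. The new `users.users.syncthing.shell = pkgs.bash` then gives that account an interactive shell as well. If the script does not have to be synced, keep it under Nix control — `script = "${pkgs.emacs-nox}/bin/emacs -batch -l ${./org-cal-export.el}";` — and add a comment explaining why `syncthing` needs a shell. `nix.settings.allowed-users = [ "public" ]` replaces the default `*`, so other non-root users lose daemon access unless another module lists them; worth a comment if intended.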
@@ -1,31 +1,32 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, modulesPath, ... }: { imports = - [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> + [ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; - boot.kernelModules = [ "kvm-intel" ]; + boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod" "sdhci_pci" ]; + boot.initrd.kernelModules = [ "dm-snapshot" ]; + boot.kernelModules = [ "kvm-intel" "fuse" ]; boot.extraModulePackages = [ ]; fileSystems."/" = - { device = "/dev/disk/by-uuid/a382b969-52d6-4946-ae8a-5da3f612410c"; + { device = "/dev/disk/by-uuid/3af135f5-9bfe-4ab4-abb3-2e93caad08ea"; fsType = "ext4"; }; fileSystems."/boot" = - { device = "/dev/disk/by-uuid/CC5B-E0DA"; + { device = "/dev/disk/by-uuid/6290-9BB5"; fsType = "vfat"; }; swapDevices = - [ { device = "/dev/disk/by-uuid/96edaf95-23ce-4859-b82f-048711d2a8d2"; } + [ { device = "/dev/disk/by-uuid/b3845af4-030a-4bba-bad8-89c548bde40f"; } ]; - nix.maxJobs = lib.mkDefault 4; powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; } diff --git a/host/hardware/atlas.nix b/host/hardware/atlas.nix new file mode 100644 index 0000000..61bca06 --- /dev/null +++ b/host/hardware/atlas.nix 
@@ -0,0 +1,37 @@ +{ config, lib, pkgs, modulesPath, ... }: + +{ + boot = { + initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ]; + initrd.kernelModules = [ ]; + kernelModules = [ "kvm-intel" ]; + extraModulePackages = [ ]; + + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + }; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/34f1948d-36a7-4c1f-95fe-5dc7dd53a46e"; + fsType = "ext4"; + }; + + boot.initrd.luks.devices = { + "luks-f6c3a1a8-bc09-4fcd-a979-4fe82dc4dc71".device = "/dev/disk/by-uuid/f6c3a1a8-bc09-4fcd-a979-4fe82dc4dc71"; + "luks-49b6b8ab-1d8f-43d3-ba58-d548316f197a".device = "/dev/disk/by-uuid/49b6b8ab-1d8f-43d3-ba58-d548316f197a"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/D45E-0E82"; + fsType = "vfat"; + }; + + swapDevices = [ { device = "/dev/disk/by-uuid/f198c957-dc39-4973-86c0-8fde06672ff9"; } ]; + + networking.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/host/hardware/hephaestus.nix b/host/hardware/hephaestus.nix new file mode 100644 index 0000000..69a69cf --- /dev/null +++ b/host/hardware/hephaestus.nix 
@@ -0,0 +1,30 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; + boot.initrd.kernelModules = [ "dm-snapshot" ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/4137e9a6-a4cd-4758-a9db-ae684d17e4de"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/0CF7-ED16"; + fsType = "vfat"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/b4d536f0-9b83-44a8-84f3-f44c1deee870"; } + ]; + +} diff --git a/host/hardware/idefix.nix b/host/hardware/idefix.nix new file mode 100644 index 0000000..73795f8 --- /dev/null +++ b/host/hardware/idefix.nix 
@@ -0,0 +1,50 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot = {
+ initrd = {
+ availableKernelModules = [ "ahci" "xhci_pci" "usb_storage" "sd_mod" "rtsx_usb_sdmmc" ];
+ kernelModules = [ ];
+ secrets = {
+ "/crypto_keyfile.bin" = null;
+ };
+ # Enable swap on luks
+ luks.devices."luks-d66399c9-3eb8-4ebc-9855-9aae346feabf".device = "/dev/disk/by-uuid/d66399c9-3eb8-4ebc-9855-9aae346feabf";
+ luks.devices."luks-d66399c9-3eb8-4ebc-9855-9aae346feabf".keyFile = "/crypto_keyfile.bin";
+ luks.devices."luks-1747c7bf-b0e6-4202-8e00-393c0e5a01f2".device = "/dev/disk/by-uuid/1747c7bf-b0e6-4202-8e00-393c0e5a01f2";
+ };
+ kernelModules = [ "kvm-intel" ];
+ extraModulePackages = [ ];
+ loader = {
+ systemd-boot.enable = true;
+ efi.canTouchEfiVariables = true;
+ efi.efiSysMountPoint = "/boot/efi";
+ };
+ };
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/a368ee22-54d1-45ff-b61b-529b9b438e52";
+ fsType = "ext4";
+ };
+
+
+ fileSystems."/boot/efi" =
+ { device = "/dev/disk/by-uuid/F393-BC14";
+ fsType = "vfat";
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/51ac8775-7ff6-4869-addb-fe139198e7c8"; }
+ ];
+
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+ hardware.bluetooth.enable = true;
+}
diff --git a/host/hardware/majestix.nix b/host/hardware/majestix.nix
deleted file mode 100644
index 5c78ed8..0000000
--- a/host/hardware/majestix.nix
+++ /dev/null
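Review bot: `secrets = { "/crypto_keyfile.bin" = null; }` together with `luks.devices."luks-d66399c9-…".keyFile = "/crypto_keyfile.bin"` embeds a LUKS keyfile into the initrd, and that initrd lives on the unencrypted vfat ESP mounted at `/boot/efi`, so anyone with offline access to the disk can unpack the initrd and open that volume without a passphrase. The comment `# Enable swap on luks` suggests the keyed device is swap; if so it still exposes whatever was paged or hibernated to it, while the second device (`luks-1747c7bf-…`) appears to be the passphrase-protected one. Unless hibernation is required, drop the keyfile and the `secrets` entry and declare swap with `swapDevices = [ { device = "/dev/disk/by-uuid/…"; randomEncryption.enable = true; } ];`, or key it from a file on the already-unlocked root filesystem. The "Do not modify" header no longer fits: the nested `boot = { initrd = { … } }` layout and the trailing `hardware.bluetooth.enable` show the file has been hand-edited, so either regenerate it or replace the banner with a note that it is maintained by hand.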
@@ -1,31 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, ... }: - -{ - imports = - [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> - ]; - - boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "sd_mod" "sr_mod" ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = - { device = "/dev/disk/by-uuid/6eb9a8c7-0384-4c47-9e4e-24d2ed57fc2e"; - fsType = "ext4"; - }; - - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/e8a055f9-4293-4a55-9974-9ca39bf209cd"; - fsType = "ext2"; - }; - - swapDevices = - [ { device = "/dev/disk/by-uuid/b27d07d6-bc07-4e7c-bd14-2b67c89dbf20"; } - ]; - - nix.maxJobs = lib.mkDefault 8; - powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; -} diff --git a/host/hephaestus.nix b/host/hephaestus.nix new file mode 100644 index 0000000..3c22dbe --- /dev/null +++ b/host/hephaestus.nix 
@@ -0,0 +1,71 @@
+{ pkgs, ... }:
+
+{
+ imports = [
+ ./hardware/hephaestus.nix
+ ./software/desktop
+ ./software/desktop/xterm.nix
+ ./software/desktop/teensy.nix
+ ];
+
+ boot = {
+ loader = {
+ systemd-boot = {
+ enable = true;
+ configurationLimit = 3;
+ };
+ efi.canTouchEfiVariables = true;
+ };
+
+ initrd.luks.devices = {
+ encrypted = {
+ device = "/dev/nvme0n1p5";
+ preLVM = true;
+ allowDiscards = true;
+ };
+ };
+ };
+
+ networking = {
+ hostName = "hephaestus";
+ firewall.enable = false;
+ networkmanager.enable = true;
+ };
+
+ services.xserver = {
+ videoDrivers = [ "nvidia" ];
+ };
+
+ hardware.nvidia.package = pkgs.linuxPackages.nvidia_x11;
+
+ hardware.bluetooth.enable = true;
+ services.blueman.enable = true;
+
+ virtualisation.docker = {
+ enable = true;
+ enableNvidia = true;
+ };
+ users.users.common.extraGroups = [ "docker" ];
+
+ networking.wireguard.interfaces = {
+ wg0 = {
+ ips = [ "10.100.0.7/24" ];
+
+ privateKeyFile = "/etc/wireguard/private";
+
+ peers = [
+ { # automatix
+ publicKey = "B0tkjq+5SfECKx1gWEP5JVWOIaRWL2JNE7iSpMmN4F0=";
+ allowedIPs = [ "10.100.0.0/24" ];
+ endpoint = "kummerlaender.eu:54321";
+
+ persistentKeepalive = 10;
+ }
+ ];
+ };
+ };
+
+ console.earlySetup = true;
+
+ system.stateVersion = "21.05";
+}
diff --git a/host/idefix.nix b/host/idefix.nix
new file mode 100644
index 0000000..017aa1d
--- /dev/null
+++ b/host/idefix.nix
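Review bot: `firewall.enable = false` in the `networking` block turns off host filtering on a NetworkManager laptop that also runs Docker (`virtualisation.docker`) and a WireGuard peer, so any container port published with `-p` and any service a desktop session starts is reachable from whatever Wi-Fi the machine joins, not just over `wg0`. atlas.nix in this same change keeps the firewall and opens ports per interface; the equivalent here is `firewall = { enable = true; interfaces."wg0".allowedTCPPorts = [ … ]; };`, which keeps the two hosts consistent and leaves the tunnel as the only exposed path. The outbound-initiated tunnel shown here (endpoint `kummerlaender.eu:54321`, keepalive set) should keep working behind the default stateful firewall. If the firewall was disabled deliberately (Docker bridge traffic, LAN discovery), a comment on the line should say so.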
@@ -0,0 +1,75 @@
+{ pkgs, ... }:
+
+{
+ imports = [
+ ./hardware/idefix.nix
+ ./software/desktop
+ ];
+
+ console.keyMap = pkgs.lib.mkForce "us";
+
+ networking = {
+ hostName = "idefix";
+ firewall.enable = false;
+ networkmanager.enable = true;
+ };
+
+ users.extraUsers.common.extraGroups = [ "networkmanager" ];
+
+ services = {
+ upower.enable = true;
+ acpid.enable = true;
+ blueman.enable = true;
+ };
+
+ powerManagement.powertop.enable = true;
+
+ services.xserver = {
+ layout = pkgs.lib.mkForce "us";
+ xkbVariant = pkgs.lib.mkForce "";
+
+ libinput.enable = true;
+
+ displayManager.gdm.enable = true;
+ desktopManager.gnome.enable = true;
+ };
+
+ environment.gnome.excludePackages = (with pkgs; [
+ gnome-photos
+ gnome-tour
+ ]) ++ (with pkgs.gnome; [
+ cheese
+ gnome-music
+ simple-scan
+ geary
+ tali
+ iagno
+ hitori
+ atomix
+ ]);
+
+ environment.systemPackages = with pkgs.gnomeExtensions; [
+ gesture-improvements
+ pop-shell
+ ];
+
+ networking.wireguard.interfaces = {
+ wg0 = {
+ ips = [ "10.100.0.8/24" ];
+
+ privateKeyFile = "/etc/wireguard/private";
+
+ peers = [
+ { # automatix
+ publicKey = "B0tkjq+5SfECKx1gWEP5JVWOIaRWL2JNE7iSpMmN4F0=";
+ allowedIPs = [ "10.100.0.0/24" ];
+ endpoint = "kummerlaender.eu:54321";
+
+ persistentKeepalive = 10;
+ }
+ ];
+ };
+ };
+
+ system.stateVersion = "22.05";
+}
diff --git a/host/majestix.nix b/host/majestix.nix
deleted file mode 100644
index da855d6..0000000
--- a/host/majestix.nix
+++ /dev/null
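Review bot: `firewall.enable = false` in the `networking` block leaves every listening socket on this GNOME laptop exposed on whatever network NetworkManager joins, and the GNOME session enabled below ships network-facing helpers (gvfs shares, remote-desktop if switched on) that nothing here restricts to `wg0`. The WireGuard peer is client-initiated (`endpoint` plus `persistentKeepalive`), so `firewall.enable = true;` — or simply dropping the line — is unlikely to break the configuration shown; if something does need inbound access, open it under `networking.firewall.interfaces."wg0"` as atlas.nix does in this same change. `console.keyMap`, `layout` and `xkbVariant` all use `pkgs.lib.mkForce`, which silently overrides whatever `./software/desktop` sets; a one-line comment that this host intentionally deviates from the shared `de` layout would spare the next reader a search.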
@@ -1,67 +0,0 @@ -{ pkgs, ... }: - -{ - imports = [ - ./hardware/majestix.nix - ./software/desktop - ]; - - boot = { - loader.grub = { - enable = true; - version = 2; - device = "/dev/sda"; - }; - - initrd.luks.devices = [ { - name = "encrypted"; - device = "/dev/sda2"; - preLVM = true; - } ]; - }; - - networking = { - hostName = "majestix"; - firewall.enable = false; - networkmanager.enable = true; - }; - - users.extraUsers.common.extraGroups = [ "networkmanager" ]; - - services = { - acpid.enable = true; - - xserver = { - videoDrivers = [ "intel" ]; - }; - - printing = { - enable = true; - drivers = [ pkgs.brgenml1cupswrapper ]; - }; - - avahi = { - enable = true; - nssmdns = true; - }; - }; - - hardware.opengl.extraPackages = [ pkgs.intel-ocl ]; - - networking.wireguard.interfaces = { - wg0 = { - ips = [ "10.100.0.3/24" ]; - - privateKeyFile = "/etc/wireguard/private"; - - peers = [ - { # automatix - publicKey = "B0tkjq+5SfECKx1gWEP5JVWOIaRWL2JNE7iSpMmN4F0="; - allowedIPs = [ "10.100.0.0/24" ]; - endpoint = "kummerlaender.eu:54321"; - persistentKeepalive = 10; - } - ]; - }; - }; -} diff --git a/host/obelix.nix b/host/obelix.nix index c922cea..4d3a5a7 100644 --- a/host/obelix.nix +++ b/host/obelix.nix @@ -4,24 +4,26 @@ imports = [ ./hardware/obelix.nix ./software/desktop + ./software/server/build.nix ]; boot = { loader.grub = { enable = true; version = 2; - device = "/dev/sdb"; + device = "/dev/sda"; extraConfig = '' set gfxpayload=1920x1200x32 ''; }; - initrd.luks.devices = [ { - name = "root"; - device = "/dev/disk/by-uuid/6205da24-b1b2-402c-b175-4036e678dea9"; - preLVM = true; - allowDiscards = true; - } ]; + initrd.luks.devices = { + root = { + device = "/dev/disk/by-uuid/6205da24-b1b2-402c-b175-4036e678dea9"; + preLVM = true; + allowDiscards = true; + }; + }; }; networking = { @@ -48,4 +50,6 @@ ]; }; }; + + system.stateVersion = "18.09"; } 
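Review bot: obelix.nix keeps `version = 2;` under `boot.loader.grub` while the same commit removes that line from automatix.nix; if both hosts are evaluated against the same nixpkgs the option is deprecated for both or neither, so the two files should agree, and a comment on whichever lags would explain why. The new `./software/server/build.nix` import makes obelix a client of a remote builder called `majestix`, yet `host/majestix.nix` and its hardware file are deleted in this very change, so that builder is presumably an unmanaged or renamed machine; a comment in the import list naming where `majestix` now lives, and that root on obelix must already hold its SSH host key and a key accepted by `common` there, would keep the entry from becoming a silent dead end.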
diff --git a/host/software/desktop/asset/T-TeleSec_GlobalRoot_Class_2.pem b/host/software/desktop/asset/T-TeleSec_GlobalRoot_Class_2.pem
deleted file mode 100644
index 374b050..0000000
--- a/host/software/desktop/asset/T-TeleSec_GlobalRoot_Class_2.pem
+++ /dev/null
@@ -1,23 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDwzCCAqugAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCREUx
-KzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAd
-BgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNl
-YyBHbG9iYWxSb290IENsYXNzIDIwHhcNMDgxMDAxMTA0MDE0WhcNMzMxMDAxMjM1
-OTU5WjCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnBy
-aXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50
-ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqX9obX+hzkeXaXPSi5kfl82hVYAUd
-AqSzm1nzHoqvNK38DcLZSBnuaY/JIPwhqgcZ7bBcrGXHX+0CfHt8LRvWurmAwhiC
-FoT6ZrAIxlQjgeTNuUk/9k9uN0goOA/FvudocP05l03Sx5iRUKrERLMjfTlH6VJi
-1hKTXrcxlkIF+3anHqP1wvzpesVsqXFP6st4vGCvx9702cu+fjOlbpSD8DT6Iavq
-jnKgP6TeMFvvhk1qlVtDRKgQFRzlAVfFmPHmBiiRqiDFt1MmUUOyCxGVWOHAD3bZ
-wI18gfNycJ5v/hqO2V81xrJvNHy+SE/iWjnX2J14np+GPgNeGYtEotXHAgMBAAGj
-QjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS/
-WSA2AHmgoCJrjNXyYdK4LMuCSjANBgkqhkiG9w0BAQsFAAOCAQEAMQOiYQsfdOhy
-NsZt+U2e+iKo4YFWz827n+qrkRk4r6p8FU3ztqONpfSO9kSpp+ghla0+AGIWiPAC
-uvxhI+YzmzB6azZie60EI4RYZeLbK4rnJVM3YlNfvNoBYimipidx5joifsFvHZVw
-IEoHNN/q/xWA5brXethbdXwFeilHfkCoMRN3zUA7tFFHei4R40cR3p1m0IvVVGb6
-g1XqfMIpiRvpb7PO4gWEyS8+eIVibslfwXhjdFjASBgMmTnrpMwatXlajRWc2BQN
-9noHV8cigwUtPJslJj0Ys6lDfMjIq2SPDqO/nBudMNva0Bkuqjzx+zOAduTNrRlP
-BSeOE6Fuwg==
------END CERTIFICATE-----
diff --git a/host/software/desktop/default.nix b/host/software/desktop/default.nix
index c56cec9..da15c8f 100644
--- a/host/software/desktop/default.nix
+++ b/host/software/desktop/default.nix
@@ -7,17 +7,19 @@
 fileSystems."/".options = [ "noatime" "nodiratime" "discard" ];
- sound.enable = true;
+ services.pipewire = {
+ enable = true;
+ alsa = {
+ enable = true;
+ support32Bit = true;
+ };
+ pulse.enable = true;
+ };
 hardware = {
 opengl= {
 driSupport32Bit = true;
 };
-
- pulseaudio = {
- enable = true;
- support32Bit = true;
- };
 };
 services = {
@@ -30,17 +32,22 @@
 layout = "de";
 xkbOptions = "caps:escape";
- displayManager.slim = {
- enable = true;
- autoLogin = true;
- defaultUser = "common";
+ displayManager = {
+ autoLogin = {
+ enable = true;
+ user = "common";
+ };
 };
-
- desktopManager.default = "none";
 };
+
+ gvfs.enable = true;
 };
 environment.systemPackages = with pkgs; [ ntfs3g ];
+
+ boot.kernel.sysctl = {
+ "kernel.perf_event_paranoid" = -1; # allow user to perform perf analysis
+ };
 }
diff --git a/host/software/desktop/kit.vpn.nix b/host/software/desktop/kit.vpn.nix
index 726356d..9f51a42 100644
--- a/host/software/desktop/kit.vpn.nix
+++ b/host/software/desktop/kit.vpn.nix
@@ -3,25 +3,13 @@
 {
 services.openvpn.servers = {
 KIT = {
- # adapted from https://www.scc.kit.edu/scc/net/openvpn/os/debian/kit.ovpn
- config = ''
- client
- remote 141.52.8.20
- port 1194
- dev tun
- proto udp
- auth-user-pass
- nobind
- comp-lzo no
- tls-version-min 1.2
- ca ${./asset/T-TeleSec_GlobalRoot_Class_2.pem}
- verify-x509-name "C=DE, ST=Baden-Wuerttemberg, L=Karlsruhe, O=Karlsruhe Institute of Technology, OU=Steinbuch Centre for Computing, CN=ovpn.scc.kit.edu" subject
- cipher AES-256-CBC
- auth SHA384
- verb 3
- script-security 2
- '';
 autoStart = false;
+ config = let
+ path = pkgs.fetchurl {
+ url = "https://www.scc.kit.edu/scc/net/openvpn/conf/kit-split.ovpn";
+ hash = "sha256-j4pCKyU7t1ZmwIGm5kuUgZ26Qiqa1jzoDZcP2x+A9pM=";
+ };
+ in "config ${path}";
 };
 };
 }
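Review bot: `"kernel.perf_event_paranoid" = -1` in the new `boot.kernel.sysctl` block is the most permissive level: beyond letting unprivileged users profile their own processes it grants every local account raw tracepoint access and system-wide kernel sampling, which leaks kernel addresses (defeating KASLR) and other users' activity on a machine that also autologins `common`. Ordinary `perf record` of user code with kernel call stacks works at `1`, and pure user-space profiling at `2`, so `"kernel.perf_event_paranoid" = 1; # unprivileged perf of own processes incl. kernel stacks; -1 would also expose raw tracepoints` is the safer default. The existing `# allow user to perform perf analysis` comment should state which level the intended workflow actually needs.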
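Review bot: The hand-written profile that pinned `ca` to a vendored T-TeleSec root and enforced `verify-x509-name … subject` is replaced by whatever `kit-split.ovpn` contains, so the server-identity checks now depend on a file this repository no longer shows. The `hash = "sha256-…"` on `pkgs.fetchurl` does pin the exact bytes and forces a deliberate change when upstream rotates the profile, which is the right property, but the commit should record that the fetched profile was inspected; a comment above `config = let` such as `# Upstream profile, hash-pinned; checked to carry its own <ca> block and verify-x509-name — re-check on every hash bump.` would make that explicit. `script-security 2` from the old inline config is also no longer set here; whether and why the profile sets it belongs to the same check.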
diff --git a/host/software/desktop/teensy.nix b/host/software/desktop/teensy.nix
new file mode 100644
index 0000000..461ad27
--- /dev/null
+++ b/host/software/desktop/teensy.nix
@@ -0,0 +1,11 @@
+{ pkgs, ... }:
+
+{
+ services.udev.extraRules = ''
+ # UDEV rules for Teensy USB
+ ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", ENV{ID_MM_DEVICE_IGNORE}="1"
+ ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789A]?", ENV{MTP_NO_PROBE}="1"
+ SUBSYSTEMS=="usb", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789ABCD]?", MODE:="0666"
+ KERNEL=="ttyACM*", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", MODE:="0666"
+ '';
+}
diff --git a/host/software/desktop/xterm.nix b/host/software/desktop/xterm.nix
new file mode 100644
index 0000000..53fdd3e
--- /dev/null
+++ b/host/software/desktop/xterm.nix
@@ -0,0 +1,8 @@
+{ pkgs, ... }:
+
+{
+ services.xserver = {
+ displayManager.lightdm.enable = true;
+ desktopManager.xterm.enable = true;
+ };
+}
diff --git a/host/software/server/build.nix b/host/software/server/build.nix
new file mode 100644
index 0000000..44c4562
--- /dev/null
+++ b/host/software/server/build.nix
@@ -0,0 +1,16 @@
+{
+ nix.buildMachines = [ {
+ hostName = "majestix";
+ sshUser = "common";
+ system = "x86_64-linux";
+ maxJobs = 16;
+ speedFactor = 2;
+ } ];
+
+ nix = {
+ distributedBuilds = true;
+ extraOptions = ''
+ builders-use-substitutes = true
+ '';
+ };
+}
diff --git a/host/software/server/git.nix b/host/software/server/git.nix
index 209a318..2781911 100644
--- a/host/software/server/git.nix
+++ b/host/software/server/git.nix
@@ -3,8 +3,8 @@
 {
 services.uwsgi = {
 enable = true;
- user = "nginx";
- group = "nginx";
+ user = "public";
+ group = "users";
 plugins = [ "cgi" ];
 instance = {
@@ -33,7 +33,7 @@
 '';
 };
- users.extraUsers.nginx.extraGroups = [ "git" ];
+ users.extraUsers.public.extraGroups = [ "git" ];
 services.nginx.virtualHosts."code.kummerlaender.eu" = {
 addSSL = true;
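Review bot: Both `MODE:="0666"` rules in `services.udev.extraRules` make the Teensy USB device and its `ttyACM*` port world-readable and world-writable, so every local account — service users included, not just the seated desktop user — can reflash the board or read its serial traffic. PJRC's current rules grant access through the logind seat instead; replacing `MODE:="0666"` with `TAG+="uaccess"` (or `GROUP="dialout", MODE:="0660"` with `common` in `dialout`) confines this to the active session. A comment naming the upstream rules file and version these were copied from would make future updates easier to check.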
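Review bot: The `nix.buildMachines` entry for `majestix` sets only `sshUser = "common"` — no `sshKey` and no `publicHostKey` — so the root nix-daemon will use whatever is in root's `~/.ssh` and trust the first host key it is offered; a remote builder can return arbitrary outputs for any derivation sent to it, so its identity should be pinned with `publicHostKey = "<base64 host key>";` and a dedicated `sshKey = "/root/.ssh/nix-builder";`. `host/majestix.nix` is deleted in this same change, so a comment at the top of this file stating where the `majestix` builder now lives and that the obelix root key must be authorised for `common` there is needed to keep the entry from becoming a silent dead configuration.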
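Review bot: Moving the uwsgi cgit instance from `nginx:nginx` to `user = "public"; group = "users";` runs the CGI web application as the account that owns the served site content in `/home/public` and has an interactive shell, and `users` is the shared primary group of every normal account, so a cgit or uwsgi compromise can now modify the sites and read group-readable files of every user instead of being confined to a service identity. A dedicated `cgit` user with `extraGroups = [ "git" ]` preserves the separation the old `nginx` user gave while still granting repository read access; the matching `users.extraUsers.public.extraGroups = [ "git" ]` change in the second hunk would then move to that user too. Whatever user is chosen, confirm `/run/cgit` (chowned to the new group in a later hunk) is not group-writable now that the group is `users`. The enclosing `instance` attrset continues outside this hunk.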
@@ -64,7 +64,7 @@
 };
 script = ''
 mkdir /run/cgit
- chown -R nginx:nginx /run/cgit
+ chown -R public:users /run/cgit
 '';
 };
diff --git a/host/software/server/mail.nix b/host/software/server/mail.nix
index f7e498d..37c007b 100644
--- a/host/software/server/mail.nix
+++ b/host/software/server/mail.nix
@@ -1,8 +1,12 @@
 { config, pkgs, ... }:
 {
- imports = [
- (builtins.fetchTarball "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.2.1/nixos-mailserver-v2.2.1.tar.gz")
+ imports = let
+ release = "nixos-21.05";
+ in [
+ (builtins.fetchTarball {
+ url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${release}/nixos-mailserver-${release}.tar.gz";
+ })
 ];
 mailserver = {
diff --git a/host/software/server/website.nix b/host/software/server/website.nix
index 9b2493e..8248a0b 100644
--- a/host/software/server/website.nix
+++ b/host/software/server/website.nix
@@ -7,6 +7,10 @@
 shell = pkgs.fish;
 };
+ services.nginx.user = "public";
+
+ systemd.services.nginx.serviceConfig.ProtectHome = false;
+
 # `public` generates websites using their custom derivations via `nix-build`
 services.nginx.virtualHosts = let
@@ -25,11 +29,11 @@
 '';
 };
- proxy = target: {
- proxyPass = target;
+ proxy = server: target: {
+ proxyPass = server;
 extraConfig = ''
 expires off;
- proxy_set_header Host code.kummerlaender.eu;
+ return ${target};
 '';
 };
 in {
@@ -43,11 +47,18 @@
 '';
 };
- "pkgs.kummerlaender.eu" = default {
- "/".root = "/home/public/pkgs/result";
- "/nixexprs.tar.gz" = proxy "http://code.kummerlaender.eu/pkgs/snapshot/master.tar.gz";
- "/nixexprs.tar.xz" = proxy "http://code.kummerlaender.eu/pkgs/snapshot/master.tar.xz";
- "/nixexprs.tar.bz2" = proxy "http://code.kummerlaender.eu/pkgs/snapshot/master.tar.bz2";
+ "literatelb.org" = let
+ |
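Review bot: `builtins.fetchTarball { url = "…/archive/${release}/nixos-mailserver-${release}.tar.gz"; }` carries no `sha256`, and `release = "nixos-21.05"` is a branch rather than a tag, so every evaluation of the mail server imports whatever GitLab currently serves for that branch with no integrity check; the previous `v2.2.1` tag was at least stable in practice. Pin it with `sha256 = "<hash from nix-prefetch-url --unpack>";` inside the `fetchTarball` attrset — or a commit revision in the URL plus the hash — so a rotated or tampered archive fails the build instead of reconfiguring Postfix and Dovecot. A comment recording the upstream commit and the date it was last reviewed keeps the pin maintainable.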
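Review bot: `services.nginx.user = "public"` together with `systemd.services.nginx.serviceConfig.ProtectHome = false` runs the public-facing web server as the account that builds the sites with `nix-build` and has `pkgs.fish` as its shell, and removes the one sandbox knob that kept nginx out of `/home`; an nginx bug or a mis-set `root` now reaches all of `/home/public` (dotfiles, keys, build inputs) with write access rather than a read-only view of a `result` link. If the goal is only to serve `/home/public/*/result`, keep nginx as its own user, grant read access through a dedicated group or by publishing the result symlinks under `/var/www`, and use `ProtectHome = "read-only"` instead of `false`. The comment `# \`public\` generates websites …` on the next line should then also explain this permission model. The third hunk of this file is cut off at the end of the page and was not reviewed.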