Diffstat (limited to 'host')
-rw-r--r--host/asterix.nix2
-rw-r--r--host/athena.nix78
-rw-r--r--host/atlas.nix89
-rw-r--r--host/automatix.nix31
-rw-r--r--host/hardware/athena.nix17
-rw-r--r--host/hardware/atlas.nix37
-rw-r--r--host/hardware/hephaestus.nix30
-rw-r--r--host/hardware/idefix.nix50
-rw-r--r--host/hardware/majestix.nix31
-rw-r--r--host/hephaestus.nix71
-rw-r--r--host/idefix.nix75
-rw-r--r--host/majestix.nix67
-rw-r--r--host/obelix.nix18
-rw-r--r--host/software/desktop/asset/T-TeleSec_GlobalRoot_Class_2.pem23
-rw-r--r--host/software/desktop/default.nix31
-rw-r--r--host/software/desktop/kit.vpn.nix24
-rw-r--r--host/software/desktop/teensy.nix11
-rw-r--r--host/software/desktop/xterm.nix8
-rw-r--r--host/software/server/build.nix16
-rw-r--r--host/software/server/git.nix8
-rw-r--r--host/software/server/mail.nix8
-rw-r--r--host/software/server/website.nix27
-rw-r--r--host/software/server/wireguard.nix22
23 files changed, 566 insertions, 208 deletions
diff --git a/host/asterix.nix b/host/asterix.nix
index 75b23b0..6909832 100644
--- a/host/asterix.nix
+++ b/host/asterix.nix
@@ -52,4 +52,6 @@
};
powerManagement.powertop.enable = true;
+
+ system.stateVersion = "18.09";
}
diff --git a/host/athena.nix b/host/athena.nix
index c37318f..6a7d266 100644
--- a/host/athena.nix
+++ b/host/athena.nix
@@ -4,6 +4,7 @@
imports = [
./hardware/athena.nix
./software/desktop
+ ./software/desktop/xterm.nix
];
boot = {
@@ -12,12 +13,13 @@
efi.canTouchEfiVariables = true;
};
- initrd.luks.devices = [ {
- name = "encrypted";
- device = "/dev/nvme0n1p2";
- preLVM = true;
- allowDiscards = true;
- } ];
+ initrd.luks.devices = {
+ encrypted = {
+ device = "/dev/nvme0n1p2";
+ preLVM = true;
+ allowDiscards = true;
+ };
+ };
};
networking = {
@@ -51,7 +53,7 @@
acpid.enable = true;
xserver = {
- videoDrivers = [ "intel" ];
+ videoDrivers = [ "nvidia" ];
synaptics = {
enable = true;
@@ -61,9 +63,49 @@
minSpeed = "1.5";
};
};
+
+ printing = {
+ enable = true;
+ drivers = [ pkgs.hplip ];
+ };
+
+ avahi = {
+ enable = true;
+ nssmdns = true;
+ };
+ };
+
+ hardware.nvidia = {
+ package = pkgs.linuxPackages.nvidia_x11;
+ prime = {
+ offload.enable = true;
+
+ intelBusId = "PCI:0:2:0";
+ nvidiaBusId = "PCI:1:0:0";
+ };
+ powerManagement.enable = true;
};
- virtualisation.libvirtd.enable = true;
+ environment.systemPackages = [
+ pkgs.zenith-nvidia
+ pkgs.virt-manager
+ (pkgs.writeScriptBin "nvidia-offload" ''
+ export __NV_PRIME_RENDER_OFFLOAD=1
+ export __NV_PRIME_RENDER_OFFLOAD_PROVIDER=NVIDIA-G0
+ export __GLX_VENDOR_LIBRARY_NAME=nvidia
+ export __VK_LAYER_NV_optimus=NVIDIA_only
+ exec -a "$0" "$@"
+ '')
+ ];
+
+ virtualisation = {
+ libvirtd.enable = true;
+ docker = {
+ enable = true;
+ enableNvidia = true;
+ };
+ };
+ users.users.common.extraGroups = [ "docker" ];
hardware.trackpoint = {
enable = true;
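Review bot: `users.users.common.extraGroups = [ "docker" ];` gives the `common` account access to the Docker daemon socket, which is equivalent to root on the host because any member can start a container that mounts `/`. `common` is also the account that host/software/desktop/default.nix logs in automatically, so an unlocked session is enough to reach root. The same line is added in host/atlas.nix and host/hephaestus.nix. Consider dropping the group and going through `sudo` for Docker calls, or at least recording the decision next to the line: `# docker group is root-equivalent; common is treated as an admin account`. The hunk ends inside `hardware.trackpoint`, which continues outside it.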
@@ -73,22 +115,18 @@
hardware.bluetooth.enable = true;
- hardware.opengl.extraPackages = [ pkgs.intel-ocl ];
-
services.tlp = {
enable = true;
- extraConfig = ''
- RESTORE_DEVICE_STATE_ON_STARTUP=1
- DEVICES_TO_DISABLE_ON_STARTUP="wwan"
- '';
+ settings = {
+ RESTORE_DEVICE_STATE_ON_STARTUP = 1;
+ START_CHARGE_THRESH_BAT0 = 75;
+ STOP_CHARGE_THRESH_BAT0 = 85;
+ CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
+ ENERGY_PERF_POLICY_ON_BAT = "powersave";
+ };
};
powerManagement.powertop.enable = true;
- i18n = {
- consoleFont = "ter-132n";
- consolePackages = [ pkgs.terminus_font ];
- };
-
- boot.earlyVconsoleSetup = true;
+ system.stateVersion = "21.11";
}
diff --git a/host/atlas.nix b/host/atlas.nix
new file mode 100644
index 0000000..4611ed7
--- /dev/null
+++ b/host/atlas.nix
@@ -0,0 +1,89 @@
+{ pkgs, ... }:
+
+{
+ imports = [
+ ./hardware/atlas.nix
+ ./software/desktop
+ ./software/desktop/xterm.nix
+ ];
+
+ networking = {
+ hostName = "atlas";
+ networkmanager.enable = true;
+ };
+
+ services.xserver = {
+ videoDrivers = [ "nvidia" ];
+ };
+
+ hardware.nvidia.package = pkgs.linuxPackages.nvidia_x11;
+
+ environment.systemPackages = with pkgs; [
+ nvtop
+ ];
+
+ virtualisation.docker = {
+ enable = true;
+ enableNvidia = true;
+ autoPrune = {
+ enable = true;
+ dates = "daily";
+ };
+ };
+ users.users.common.extraGroups = [ "docker" ];
+
+ networking.wireguard.interfaces = {
+ wg0 = {
+ ips = [ "10.100.0.3/24" ];
+
+ privateKeyFile = "/etc/wireguard/private";
+
+ peers = [
+ { # automatix
+ publicKey = "B0tkjq+5SfECKx1gWEP5JVWOIaRWL2JNE7iSpMmN4F0=";
+ allowedIPs = [ "10.100.0.0/24" ];
+ endpoint = "kummerlaender.eu:54321";
+ persistentKeepalive = 10;
+ }
+ ];
+ };
+ };
+
+ networking.firewall = {
+ enable = true;
+ interfaces."wg0".allowedTCPPorts = [ 5900 8080 8888 ];
+ };
+
+ services.printing = {
+ enable = true;
+ drivers = [ pkgs.hplip ];
+ };
+
+ services.gitlab-runner = {
+ enable = true;
+ services = {
+ openlb-ci = {
+ executor = "shell";
+ registrationConfigFile = "/etc/gitlab-runner.conf";
+ tagList = [ "nix" "has-gpu" ];
+ limit = 1;
+ };
+ openlb-ci-extra = {
+ executor = "shell";
+ registrationConfigFile = "/etc/gitlab-runner.conf";
+ tagList = [ "nix" "gcc" "clang" "mpi" "cuda" "has-flake" ];
+ limit = 4;
+ };
+ };
+ };
+
+ systemd.services.gitlab-runner.serviceConfig = {
+ CPUQuota = "400%";
+ MemoryHigh = "8G";
+ };
+
+ users.users.gitlab-runner.isNormalUser = true;
+ nix.settings.allowed-users = [ "gitlab-runner" ];
+
+ system.stateVersion = "23.11";
+}
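Review bot: Both `openlb-ci` and `openlb-ci-extra` use `executor = "shell";`, so every CI job script runs directly on this host as `gitlab-runner`, with no per-job isolation and with state persisting between jobs. The same file makes that account a normal user (`users.users.gitlab-runner.isNormalUser = true;`), lets it talk to the Nix daemon, and puts the host on the `wg0` network, so anyone who can push a pipeline to a project using these runners gets a foothold on the machine and the tunnel. If the runners are meant for trusted branches only, say so in a comment, e.g. `# shell executor: jobs run unsandboxed as gitlab-runner; restrict to protected branches`. Adding `NoNewPrivileges = true;` to the existing `systemd.services.gitlab-runner.serviceConfig` block would cut off setuid escalation, provided no job relies on it. `/etc/gitlab-runner.conf` holds the registration token and should be readable by root only.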
diff --git a/host/automatix.nix b/host/automatix.nix
index d95f12e..7c6edd0 100644
--- a/host/automatix.nix
+++ b/host/automatix.nix
@@ -12,10 +12,11 @@
boot.loader.grub = {
enable = true;
- version = 2;
device = "/dev/sda";
};
+ nix.settings.allowed-users = [ "public" ];
+
networking = {
hostName = "automatix";
@@ -53,4 +54,32 @@
openDefaultPorts = true;
};
};
+
+ systemd.timers."generate-ical-of-org-agenda" = {
+ enable = true;
+ wantedBy = [ "timers.target" ];
+ timerConfig = {
+ OnCalendar = "daily";
+ Persistent = true;
+ Unit = "generate-ical-of-org-agenda.service";
+ };
+ };
+
+ systemd.services."generate-ical-of-org-agenda" = {
+ enable = true;
+ script = "${pkgs.emacs-nox}/bin/emacs -batch -l /var/lib/syncthing/org-cal-export.el";
+ serviceConfig = {
+ Type = "oneshot";
+ User = "syncthing";
+ };
+ };
+
+ users.users.syncthing.shell = pkgs.bash;
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "key@kummerlaender.eu";
+ };
+
+ system.stateVersion = "18.09";
}
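Review bot: The `generate-ical-of-org-agenda` service runs `emacs -batch -l /var/lib/syncthing/org-cal-export.el` once a day, so the code it executes is loaded from a mutable path under the Syncthing state directory rather than from the Nix store. If that file sits in a synced folder (not visible in this hunk), any device allowed to write to the folder can change what runs on this server as user `syncthing`. Consider shipping the Elisp file from the repository, e.g. `-l ${./org-cal-export.el}`, so only the org data is read from the synced directory. `NoNewPrivileges = true;` and `PrivateTmp = true;` in `serviceConfig` would be cheap additions. The new `users.users.syncthing.shell = pkgs.bash;` also gives a service account a login shell and deserves a comment saying why it is needed.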
diff --git a/host/hardware/athena.nix b/host/hardware/athena.nix
index 0682645..508507a 100644
--- a/host/hardware/athena.nix
+++ b/host/hardware/athena.nix
@@ -1,31 +1,32 @@
# Do not modify this file! It was generated by ‘nixos-generate-config’
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, modulesPath, ... }:
{
imports =
- [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+ [ (modulesPath + "/installer/scan/not-detected.nix")
];
- boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
- boot.kernelModules = [ "kvm-intel" ];
+ boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod" "sdhci_pci" ];
+ boot.initrd.kernelModules = [ "dm-snapshot" ];
+ boot.kernelModules = [ "kvm-intel" "fuse" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
- { device = "/dev/disk/by-uuid/a382b969-52d6-4946-ae8a-5da3f612410c";
+ { device = "/dev/disk/by-uuid/3af135f5-9bfe-4ab4-abb3-2e93caad08ea";
fsType = "ext4";
};
fileSystems."/boot" =
- { device = "/dev/disk/by-uuid/CC5B-E0DA";
+ { device = "/dev/disk/by-uuid/6290-9BB5";
fsType = "vfat";
};
swapDevices =
- [ { device = "/dev/disk/by-uuid/96edaf95-23ce-4859-b82f-048711d2a8d2"; }
+ [ { device = "/dev/disk/by-uuid/b3845af4-030a-4bba-bad8-89c548bde40f"; }
];
- nix.maxJobs = lib.mkDefault 4;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}
diff --git a/host/hardware/atlas.nix b/host/hardware/atlas.nix
new file mode 100644
index 0000000..61bca06
--- /dev/null
+++ b/host/hardware/atlas.nix
@@ -0,0 +1,37 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ boot = {
+ initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
+ initrd.kernelModules = [ ];
+ kernelModules = [ "kvm-intel" ];
+ extraModulePackages = [ ];
+
+ loader = {
+ systemd-boot.enable = true;
+ efi.canTouchEfiVariables = true;
+ };
+ };
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/34f1948d-36a7-4c1f-95fe-5dc7dd53a46e";
+ fsType = "ext4";
+ };
+
+ boot.initrd.luks.devices = {
+ "luks-f6c3a1a8-bc09-4fcd-a979-4fe82dc4dc71".device = "/dev/disk/by-uuid/f6c3a1a8-bc09-4fcd-a979-4fe82dc4dc71";
+ "luks-49b6b8ab-1d8f-43d3-ba58-d548316f197a".device = "/dev/disk/by-uuid/49b6b8ab-1d8f-43d3-ba58-d548316f197a";
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/D45E-0E82";
+ fsType = "vfat";
+ };
+
+ swapDevices = [ { device = "/dev/disk/by-uuid/f198c957-dc39-4973-86c0-8fde06672ff9"; } ];
+
+ networking.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/host/hardware/hephaestus.nix b/host/hardware/hephaestus.nix
new file mode 100644
index 0000000..69a69cf
--- /dev/null
+++ b/host/hardware/hephaestus.nix
@@ -0,0 +1,30 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+ boot.initrd.kernelModules = [ "dm-snapshot" ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/4137e9a6-a4cd-4758-a9db-ae684d17e4de";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/0CF7-ED16";
+ fsType = "vfat";
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/b4d536f0-9b83-44a8-84f3-f44c1deee870"; }
+ ];
+
+}
diff --git a/host/hardware/idefix.nix b/host/hardware/idefix.nix
new file mode 100644
index 0000000..73795f8
--- /dev/null
+++ b/host/hardware/idefix.nix
@@ -0,0 +1,50 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot = {
+ initrd = {
+ availableKernelModules = [ "ahci" "xhci_pci" "usb_storage" "sd_mod" "rtsx_usb_sdmmc" ];
+ kernelModules = [ ];
+ secrets = {
+ "/crypto_keyfile.bin" = null;
+ };
+ # Enable swap on luks
+ luks.devices."luks-d66399c9-3eb8-4ebc-9855-9aae346feabf".device = "/dev/disk/by-uuid/d66399c9-3eb8-4ebc-9855-9aae346feabf";
+ luks.devices."luks-d66399c9-3eb8-4ebc-9855-9aae346feabf".keyFile = "/crypto_keyfile.bin";
+ luks.devices."luks-1747c7bf-b0e6-4202-8e00-393c0e5a01f2".device = "/dev/disk/by-uuid/1747c7bf-b0e6-4202-8e00-393c0e5a01f2";
+ };
+ kernelModules = [ "kvm-intel" ];
+ extraModulePackages = [ ];
+ loader = {
+ systemd-boot.enable = true;
+ efi.canTouchEfiVariables = true;
+ efi.efiSysMountPoint = "/boot/efi";
+ };
+ };
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/a368ee22-54d1-45ff-b61b-529b9b438e52";
+ fsType = "ext4";
+ };
+
+
+ fileSystems."/boot/efi" =
+ { device = "/dev/disk/by-uuid/F393-BC14";
+ fsType = "vfat";
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/51ac8775-7ff6-4869-addb-fe139198e7c8"; }
+ ];
+
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+ hardware.bluetooth.enable = true;
+}
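Review bot: `secrets = { "/crypto_keyfile.bin" = null; };` embeds the LUKS key file in the initrd, and with `systemd-boot.enable = true;` and `efi.efiSysMountPoint = "/boot/efi";` the initrd is, as far as I can tell, stored on the vfat ESP, which is not encrypted. Anyone with access to the disk could then read the key that opens `luks-d66399c9-3eb8-4ebc-9855-9aae346feabf` (the swap device, going by the comment). If the same key file is also enrolled on the root volume, which is not visible here, that volume is exposed too. Consider removing the `keyFile` line and the `secrets` entry so the device is opened with the passphrase, and replacing the key slot afterwards. The header says the file is generated, so the change may need repeating after a later `nixos-generate-config` run.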
diff --git a/host/hardware/majestix.nix b/host/hardware/majestix.nix
deleted file mode 100644
index 5c78ed8..0000000
--- a/host/hardware/majestix.nix
+++ /dev/null
@@ -1,31 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, ... }:
-
-{
- imports =
- [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
- ];
-
- boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "sd_mod" "sr_mod" ];
- boot.kernelModules = [ "kvm-intel" ];
- boot.extraModulePackages = [ ];
-
- fileSystems."/" =
- { device = "/dev/disk/by-uuid/6eb9a8c7-0384-4c47-9e4e-24d2ed57fc2e";
- fsType = "ext4";
- };
-
- fileSystems."/boot" =
- { device = "/dev/disk/by-uuid/e8a055f9-4293-4a55-9974-9ca39bf209cd";
- fsType = "ext2";
- };
-
- swapDevices =
- [ { device = "/dev/disk/by-uuid/b27d07d6-bc07-4e7c-bd14-2b67c89dbf20"; }
- ];
-
- nix.maxJobs = lib.mkDefault 8;
- powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
-}
diff --git a/host/hephaestus.nix b/host/hephaestus.nix
new file mode 100644
index 0000000..3c22dbe
--- /dev/null
+++ b/host/hephaestus.nix
@@ -0,0 +1,71 @@
+{ pkgs, ... }:
+
+{
+ imports = [
+ ./hardware/hephaestus.nix
+ ./software/desktop
+ ./software/desktop/xterm.nix
+ ./software/desktop/teensy.nix
+ ];
+
+ boot = {
+ loader = {
+ systemd-boot = {
+ enable = true;
+ configurationLimit = 3;
+ };
+ efi.canTouchEfiVariables = true;
+ };
+
+ initrd.luks.devices = {
+ encrypted = {
+ device = "/dev/nvme0n1p5";
+ preLVM = true;
+ allowDiscards = true;
+ };
+ };
+ };
+
+ networking = {
+ hostName = "hephaestus";
+ firewall.enable = false;
+ networkmanager.enable = true;
+ };
+
+ services.xserver = {
+ videoDrivers = [ "nvidia" ];
+ };
+
+ hardware.nvidia.package = pkgs.linuxPackages.nvidia_x11;
+
+ hardware.bluetooth.enable = true;
+ services.blueman.enable = true;
+
+ virtualisation.docker = {
+ enable = true;
+ enableNvidia = true;
+ };
+ users.users.common.extraGroups = [ "docker" ];
+
+ networking.wireguard.interfaces = {
+ wg0 = {
+ ips = [ "10.100.0.7/24" ];
+
+ privateKeyFile = "/etc/wireguard/private";
+
+ peers = [
+ { # automatix
+ publicKey = "B0tkjq+5SfECKx1gWEP5JVWOIaRWL2JNE7iSpMmN4F0=";
+ allowedIPs = [ "10.100.0.0/24" ];
+ endpoint = "kummerlaender.eu:54321";
+
+ persistentKeepalive = 10;
+ }
+ ];
+ };
+ };
+
+ console.earlySetup = true;
+
+ system.stateVersion = "21.05";
+}
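Review bot: `firewall.enable = false;` in the `networking` block leaves every listening service on this host reachable from whatever network NetworkManager joins, and the same file enables Docker, Bluetooth and a WireGuard interface. host/idefix.nix, also new in this commit, has the same setting. host/atlas.nix already shows the tighter pattern: `networking.firewall.enable = true;` together with `interfaces."wg0".allowedTCPPorts = [ ... ];` for services that should only be reachable over the tunnel. If the firewall is off on purpose, a one-line comment giving the reason would help.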
diff --git a/host/idefix.nix b/host/idefix.nix
new file mode 100644
index 0000000..017aa1d
--- /dev/null
+++ b/host/idefix.nix
@@ -0,0 +1,75 @@
+{ pkgs, ... }:
+
+{
+ imports = [
+ ./hardware/idefix.nix
+ ./software/desktop
+ ];
+
+ console.keyMap = pkgs.lib.mkForce "us";
+
+ networking = {
+ hostName = "idefix";
+ firewall.enable = false;
+ networkmanager.enable = true;
+ };
+
+ users.extraUsers.common.extraGroups = [ "networkmanager" ];
+
+ services = {
+ upower.enable = true;
+ acpid.enable = true;
+ blueman.enable = true;
+ };
+
+ powerManagement.powertop.enable = true;
+
+ services.xserver = {
+ layout = pkgs.lib.mkForce "us";
+ xkbVariant = pkgs.lib.mkForce "";
+
+ libinput.enable = true;
+
+ displayManager.gdm.enable = true;
+ desktopManager.gnome.enable = true;
+ };
+
+ environment.gnome.excludePackages = (with pkgs; [
+ gnome-photos
+ gnome-tour
+ ]) ++ (with pkgs.gnome; [
+ cheese
+ gnome-music
+ simple-scan
+ geary
+ tali
+ iagno
+ hitori
+ atomix
+ ]);
+
+ environment.systemPackages = with pkgs.gnomeExtensions; [
+ gesture-improvements
+ pop-shell
+ ];
+
+ networking.wireguard.interfaces = {
+ wg0 = {
+ ips = [ "10.100.0.8/24" ];
+
+ privateKeyFile = "/etc/wireguard/private";
+
+ peers = [
+ { # automatix
+ publicKey = "B0tkjq+5SfECKx1gWEP5JVWOIaRWL2JNE7iSpMmN4F0=";
+ allowedIPs = [ "10.100.0.0/24" ];
+ endpoint = "kummerlaender.eu:54321";
+
+ persistentKeepalive = 10;
+ }
+ ];
+ };
+ };
+
+ system.stateVersion = "22.05";
+}
diff --git a/host/majestix.nix b/host/majestix.nix
deleted file mode 100644
index da855d6..0000000
--- a/host/majestix.nix
+++ /dev/null
@@ -1,67 +0,0 @@
-{ pkgs, ... }:
-
-{
- imports = [
- ./hardware/majestix.nix
- ./software/desktop
- ];
-
- boot = {
- loader.grub = {
- enable = true;
- version = 2;
- device = "/dev/sda";
- };
-
- initrd.luks.devices = [ {
- name = "encrypted";
- device = "/dev/sda2";
- preLVM = true;
- } ];
- };
-
- networking = {
- hostName = "majestix";
- firewall.enable = false;
- networkmanager.enable = true;
- };
-
- users.extraUsers.common.extraGroups = [ "networkmanager" ];
-
- services = {
- acpid.enable = true;
-
- xserver = {
- videoDrivers = [ "intel" ];
- };
-
- printing = {
- enable = true;
- drivers = [ pkgs.brgenml1cupswrapper ];
- };
-
- avahi = {
- enable = true;
- nssmdns = true;
- };
- };
-
- hardware.opengl.extraPackages = [ pkgs.intel-ocl ];
-
- networking.wireguard.interfaces = {
- wg0 = {
- ips = [ "10.100.0.3/24" ];
-
- privateKeyFile = "/etc/wireguard/private";
-
- peers = [
- { # automatix
- publicKey = "B0tkjq+5SfECKx1gWEP5JVWOIaRWL2JNE7iSpMmN4F0=";
- allowedIPs = [ "10.100.0.0/24" ];
- endpoint = "kummerlaender.eu:54321";
- persistentKeepalive = 10;
- }
- ];
- };
- };
-}
diff --git a/host/obelix.nix b/host/obelix.nix
index c922cea..4d3a5a7 100644
--- a/host/obelix.nix
+++ b/host/obelix.nix
@@ -4,24 +4,26 @@
imports = [
./hardware/obelix.nix
./software/desktop
+ ./software/server/build.nix
];
boot = {
loader.grub = {
enable = true;
version = 2;
- device = "/dev/sdb";
+ device = "/dev/sda";
extraConfig = ''
set gfxpayload=1920x1200x32
'';
};
- initrd.luks.devices = [ {
- name = "root";
- device = "/dev/disk/by-uuid/6205da24-b1b2-402c-b175-4036e678dea9";
- preLVM = true;
- allowDiscards = true;
- } ];
+ initrd.luks.devices = {
+ root = {
+ device = "/dev/disk/by-uuid/6205da24-b1b2-402c-b175-4036e678dea9";
+ preLVM = true;
+ allowDiscards = true;
+ };
+ };
};
networking = {
@@ -48,4 +50,6 @@
];
};
};
+
+ system.stateVersion = "18.09";
}
diff --git a/host/software/desktop/asset/T-TeleSec_GlobalRoot_Class_2.pem b/host/software/desktop/asset/T-TeleSec_GlobalRoot_Class_2.pem
deleted file mode 100644
index 374b050..0000000
--- a/host/software/desktop/asset/T-TeleSec_GlobalRoot_Class_2.pem
+++ /dev/null
@@ -1,23 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDwzCCAqugAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCREUx
-KzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAd
-BgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNl
-YyBHbG9iYWxSb290IENsYXNzIDIwHhcNMDgxMDAxMTA0MDE0WhcNMzMxMDAxMjM1
-OTU5WjCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnBy
-aXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50
-ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqX9obX+hzkeXaXPSi5kfl82hVYAUd
-AqSzm1nzHoqvNK38DcLZSBnuaY/JIPwhqgcZ7bBcrGXHX+0CfHt8LRvWurmAwhiC
-FoT6ZrAIxlQjgeTNuUk/9k9uN0goOA/FvudocP05l03Sx5iRUKrERLMjfTlH6VJi
-1hKTXrcxlkIF+3anHqP1wvzpesVsqXFP6st4vGCvx9702cu+fjOlbpSD8DT6Iavq
-jnKgP6TeMFvvhk1qlVtDRKgQFRzlAVfFmPHmBiiRqiDFt1MmUUOyCxGVWOHAD3bZ
-wI18gfNycJ5v/hqO2V81xrJvNHy+SE/iWjnX2J14np+GPgNeGYtEotXHAgMBAAGj
-QjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS/
-WSA2AHmgoCJrjNXyYdK4LMuCSjANBgkqhkiG9w0BAQsFAAOCAQEAMQOiYQsfdOhy
-NsZt+U2e+iKo4YFWz827n+qrkRk4r6p8FU3ztqONpfSO9kSpp+ghla0+AGIWiPAC
-uvxhI+YzmzB6azZie60EI4RYZeLbK4rnJVM3YlNfvNoBYimipidx5joifsFvHZVw
-IEoHNN/q/xWA5brXethbdXwFeilHfkCoMRN3zUA7tFFHei4R40cR3p1m0IvVVGb6
-g1XqfMIpiRvpb7PO4gWEyS8+eIVibslfwXhjdFjASBgMmTnrpMwatXlajRWc2BQN
-9noHV8cigwUtPJslJj0Ys6lDfMjIq2SPDqO/nBudMNva0Bkuqjzx+zOAduTNrRlP
-BSeOE6Fuwg==
------END CERTIFICATE-----
diff --git a/host/software/desktop/default.nix b/host/software/desktop/default.nix
index c56cec9..da15c8f 100644
--- a/host/software/desktop/default.nix
+++ b/host/software/desktop/default.nix
@@ -7,17 +7,19 @@
fileSystems."/".options = [ "noatime" "nodiratime" "discard" ];
- sound.enable = true;
+ services.pipewire = {
+ enable = true;
+ alsa = {
+ enable = true;
+ support32Bit = true;
+ };
+ pulse.enable = true;
+ };
hardware = {
opengl= {
driSupport32Bit = true;
};
-
- pulseaudio = {
- enable = true;
- support32Bit = true;
- };
};
services = {
@@ -30,17 +32,22 @@
layout = "de";
xkbOptions = "caps:escape";
- displayManager.slim = {
- enable = true;
- autoLogin = true;
- defaultUser = "common";
+ displayManager = {
+ autoLogin = {
+ enable = true;
+ user = "common";
+ };
};
-
- desktopManager.default = "none";
};
+
+ gvfs.enable = true;
};
environment.systemPackages = with pkgs; [
ntfs3g
];
+
+ boot.kernel.sysctl = {
+ "kernel.perf_event_paranoid" = -1; # allow user to perform perf analysis
+ };
}
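Review bot: `"kernel.perf_event_paranoid" = -1;` is the most permissive setting and applies to every host that imports the desktop module. It lets any unprivileged process use almost all perf events, including kernel profiling and raw tracepoints, which weakens kernel address-space hiding and widens the side-channel surface. If the goal is profiling one's own programs, a value of `1` is normally enough. The comment could then state the trade-off, e.g. `# 1: user may profile own processes incl. kernel samples; -1 would expose system-wide events`. If `-1` is really needed, setting it only on the hosts where perf analysis happens would limit the exposure.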
diff --git a/host/software/desktop/kit.vpn.nix b/host/software/desktop/kit.vpn.nix
index 726356d..9f51a42 100644
--- a/host/software/desktop/kit.vpn.nix
+++ b/host/software/desktop/kit.vpn.nix
@@ -3,25 +3,13 @@
{
services.openvpn.servers = {
KIT = {
- # adapted from https://www.scc.kit.edu/scc/net/openvpn/os/debian/kit.ovpn
- config = ''
- client
- remote 141.52.8.20
- port 1194
- dev tun
- proto udp
- auth-user-pass
- nobind
- comp-lzo no
- tls-version-min 1.2
- ca ${./asset/T-TeleSec_GlobalRoot_Class_2.pem}
- verify-x509-name "C=DE, ST=Baden-Wuerttemberg, L=Karlsruhe, O=Karlsruhe Institute of Technology, OU=Steinbuch Centre for Computing, CN=ovpn.scc.kit.edu" subject
- cipher AES-256-CBC
- auth SHA384
- verb 3
- script-security 2
- '';
autoStart = false;
+ config = let
+ path = pkgs.fetchurl {
+ url = "https://www.scc.kit.edu/scc/net/openvpn/conf/kit-split.ovpn";
+ hash = "sha256-j4pCKyU7t1ZmwIGm5kuUgZ26Qiqa1jzoDZcP2x+A9pM=";
+ };
+ in "config ${path}";
};
};
}
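Review bot: The `config` binding has no comment recording what was reviewed in the fetched file, and this change hands all VPN security parameters to it. The `ca`, `verify-x509-name`, `tls-version-min`, `cipher` and `script-security` lines used to be visible and reviewable here; they now live in `kit-split.ovpn`. The `hash` pins the content, so integrity holds, but each hash bump silently accepts whatever the upstream file then says about certificate checking and script execution. A comment above `path` would make that step explicit, e.g. `# re-check ca / verify-x509-name / script-security in the fetched file before updating the hash`.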
diff --git a/host/software/desktop/teensy.nix b/host/software/desktop/teensy.nix
new file mode 100644
index 0000000..461ad27
--- /dev/null
+++ b/host/software/desktop/teensy.nix
@@ -0,0 +1,11 @@
+{ pkgs, ... }:
+
+{
+ services.udev.extraRules = ''
+ # UDEV rules for Teensy USB
+ ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", ENV{ID_MM_DEVICE_IGNORE}="1"
+ ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789A]?", ENV{MTP_NO_PROBE}="1"
+ SUBSYSTEMS=="usb", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789ABCD]?", MODE:="0666"
+ KERNEL=="ttyACM*", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", MODE:="0666"
+ '';
+}
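Review bot: The last two rules set `MODE:="0666"` on the Teensy USB nodes and on matching `ttyACM*` devices, which makes them readable and writable by every local account, including service users. On a single-user desktop this is mostly harmless, but it lets any process reflash or talk to an attached board. Limiting access to the logged-in seat with `TAG+="uaccess"`, or to a group with `MODE:="0660", GROUP:="dialout"`, keeps the convenience without world access. If the upstream rules are kept as they are, a comment naming their source would make later updates easier to check.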
diff --git a/host/software/desktop/xterm.nix b/host/software/desktop/xterm.nix
new file mode 100644
index 0000000..53fdd3e
--- /dev/null
+++ b/host/software/desktop/xterm.nix
@@ -0,0 +1,8 @@
+{ pkgs, ... }:
+
+{
+ services.xserver = {
+ displayManager.lightdm.enable = true;
+ desktopManager.xterm.enable = true;
+ };
+}
diff --git a/host/software/server/build.nix b/host/software/server/build.nix
new file mode 100644
index 0000000..44c4562
--- /dev/null
+++ b/host/software/server/build.nix
@@ -0,0 +1,16 @@
+{
+ nix.buildMachines = [ {
+ hostName = "majestix";
+ sshUser = "common";
+ system = "x86_64-linux";
+ maxJobs = 16;
+ speedFactor = 2;
+ } ];
+
+ nix = {
+ distributedBuilds = true;
+ extraOptions = ''
+ builders-use-substitutes = true
+ '';
+ };
+}
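Review bot: The `nix.buildMachines` entry connects with `sshUser = "common";`, the interactive desktop account, and sets neither `sshKey` nor `publicHostKey`. The root-run Nix daemon on the importing host therefore needs an SSH credential that opens a full login for `common` on the builder, and the builder's identity rests on whatever `known_hosts` state happens to exist. A dedicated unprivileged builder account with a key restricted to the Nix store protocol, plus `publicHostKey = "<base64 host key of the builder>";` (placeholder), would narrow both. Note that host/majestix.nix is deleted in this same commit while `hostName = "majestix";` is introduced here, so it is worth confirming where that name resolves.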
diff --git a/host/software/server/git.nix b/host/software/server/git.nix
index 209a318..2781911 100644
--- a/host/software/server/git.nix
+++ b/host/software/server/git.nix
@@ -3,8 +3,8 @@
{
services.uwsgi = {
enable = true;
- user = "nginx";
- group = "nginx";
+ user = "public";
+ group = "users";
plugins = [ "cgi" ];
instance = {
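Review bot: Running uwsgi as `user = "public"; group = "users";` puts the cgit CGI into the same account that, per the comment in website.nix, builds the websites with `nix-build`, and into the default shared group. A flaw in the CGI then yields write access to everything `public` owns, and the later hunks extend this: `public` joins the `git` group and `/run/cgit` is chowned to `public:users`, so any member of `users` may be able to reach the socket directory. The previous dedicated `nginx` user and group kept these roles apart. If the merge is needed for file access, a dedicated group for the socket (instead of `users`) and a comment explaining the reason would limit the impact. The `instance` block continues outside this hunk.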
@@ -33,7 +33,7 @@
'';
};
- users.extraUsers.nginx.extraGroups = [ "git" ];
+ users.extraUsers.public.extraGroups = [ "git" ];
services.nginx.virtualHosts."code.kummerlaender.eu" = {
addSSL = true;
@@ -64,7 +64,7 @@
};
script = ''
mkdir /run/cgit
- chown -R nginx:nginx /run/cgit
+ chown -R public:users /run/cgit
'';
};
diff --git a/host/software/server/mail.nix b/host/software/server/mail.nix
index f7e498d..37c007b 100644
--- a/host/software/server/mail.nix
+++ b/host/software/server/mail.nix
@@ -1,8 +1,12 @@
{ config, pkgs, ... }:
{
- imports = [
- (builtins.fetchTarball "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.2.1/nixos-mailserver-v2.2.1.tar.gz")
+ imports = let
+ release = "nixos-21.05";
+ in [
+ (builtins.fetchTarball {
+ url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${release}/nixos-mailserver-${release}.tar.gz";
+ })
];
mailserver = {
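Review bot: The new `builtins.fetchTarball { url = ...; }` call has no `sha256`, and it now tracks the branch `nixos-21.05` instead of the fixed tag `v2.2.1`. The mail server module is therefore whatever that branch holds when the tarball cache expires, evaluated with full access to the system configuration, with no integrity check and no reproducibility. Add the hash next to the URL, `sha256 = "<sha256 of the reviewed tarball>";` (placeholder), and preferably pin `release` to a commit id so updates are deliberate. The `mailserver` block continues outside this hunk.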
diff --git a/host/software/server/website.nix b/host/software/server/website.nix
index 9b2493e..8248a0b 100644
--- a/host/software/server/website.nix
+++ b/host/software/server/website.nix
@@ -7,6 +7,10 @@
shell = pkgs.fish;
};
+ services.nginx.user = "public";
+
+ systemd.services.nginx.serviceConfig.ProtectHome = false;
+
# `public` generates websites using their custom derivations via `nix-build`
services.nginx.virtualHosts = let
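Review bot: `services.nginx.user = "public";` together with `systemd.services.nginx.serviceConfig.ProtectHome = false;` lets the internet-facing nginx workers read and write everything under `/home` that `public` can, and removes the sandboxing the NixOS module applies by default. Since `public` is also the account that builds the sites, a worker compromise can alter the build inputs as well as the served output. Keeping nginx on its own user and granting read access to the result directories only (group permission or ACL on the served paths) would keep the separation. If `ProtectHome = false` has to stay, a comment naming the exact paths nginx needs would make that clear. The `virtualHosts` definition continues outside this hunk.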
@@ -25,11 +29,11 @@
'';
};
- proxy = target: {
- proxyPass = target;
+ proxy = server: target: {
+ proxyPass = server;
extraConfig = ''
expires off;
- proxy_set_header Host code.kummerlaender.eu;
+ return ${target};
'';
};
in {
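Review bot: In the rewritten `proxy` helper, `return ${target};` inside `extraConfig` is handled in nginx's rewrite phase, so the `proxyPass = server;` on the same location is never reached and the `server` argument is effectively dead. With a bare URL as `target` the location answers with a redirect to that URL instead of proxying. If a redirect is intended, dropping `proxyPass` and renaming the helper (for example `redirect = target: { extraConfig = "return 302 ${target};"; }`) would match what happens. If proxying is intended, the `return` line should go. The callers are outside this hunk, so the values passed as `target` could not be checked.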
@@ -43,11 +47,18 @@
'';
};
- "pkgs.kummerlaender.eu" = default {
- "/".root = "/home/public/pkgs/result";
- "/nixexprs.tar.gz" = proxy "http://code.kummerlaender.eu/pkgs/snapshot/master.tar.gz";
- "/nixexprs.tar.xz" = proxy "http://code.kummerlaender.eu/pkgs/snapshot/master.tar.xz";
- "/nixexprs.tar.bz2" = proxy "http://code.kummerlaender.eu/pkgs/snapshot/master.tar.bz2";
+ "literatelb.org" = let
+