From 39481b42c19f91ee714987176937c089d2c170cb Mon Sep 17 00:00:00 2001 From: Ben Sima Date: Mon, 9 Oct 2023 15:12:06 -0400 Subject: Add beryllium and connect via VPN I finally got everything setup for the new dev machine, but I ran into a networking problem: I can't tell my home router to expose the ssh port 22 to multiple hosts. I could have made beryllium use a different port, but instead I decided to use tailscale, and this seems to work well. I still don't have hostname routing working, but maybe that's a simple config in tailscale somewhere. Eventually I will get all intra-networking stuff to use a vpn, but for now just using it for beryllium is fine. --- Biz/Bild.hs | 2 + Biz/Cloud/Ports.nix | 1 + Biz/Dev.nix | 28 ----- Biz/Dev/Beryllium.nix | 14 +++ Biz/Dev/Beryllium/Configuration.nix | 134 +++++++++++++++++++++++ Biz/Dev/Beryllium/Hardware.nix | 38 +++++++ Biz/Dev/Configuration.nix | 213 ------------------------------------ Biz/Dev/Hardware.nix | 36 ------ Biz/Dev/Lithium.nix | 28 +++++ Biz/Dev/Lithium/Configuration.nix | 213 ++++++++++++++++++++++++++++++++++++ Biz/Dev/Lithium/Hardware.nix | 36 ++++++ Biz/Dev/Networking.nix | 5 - Biz/Dev/Vpn.nix | 33 ++++++ Biz/Dev/Wireguard.nix | 72 ------------ Biz/OsBase.nix | 2 +- 15 files changed, 500 insertions(+), 355 deletions(-) delete mode 100644 Biz/Dev.nix create mode 100644 Biz/Dev/Beryllium.nix create mode 100644 Biz/Dev/Beryllium/Configuration.nix create mode 100644 Biz/Dev/Beryllium/Hardware.nix delete mode 100644 Biz/Dev/Configuration.nix delete mode 100644 Biz/Dev/Hardware.nix create mode 100644 Biz/Dev/Lithium.nix create mode 100644 Biz/Dev/Lithium/Configuration.nix create mode 100644 Biz/Dev/Lithium/Hardware.nix create mode 100644 Biz/Dev/Vpn.nix delete mode 100644 Biz/Dev/Wireguard.nix (limited to 'Biz') diff --git a/Biz/Bild.hs b/Biz/Bild.hs index a3b8856..66a0ae4 100644 --- a/Biz/Bild.hs +++ b/Biz/Bild.hs 
@@ -426,6 +426,8 @@ isBuildableNs = \case
 ["Biz", "Que"],
 ["Biz", "Cloud"],
 ["Biz", "Dev"],
+ ["Biz", "Dev", "Lithium"],
+ ["Biz", "Dev", "Beryllium"],
 ["Biz", "Dragons", "Analysis"]
 ]
diff --git a/Biz/Cloud/Ports.nix b/Biz/Cloud/Ports.nix
index 9320240..a5839f7 100644
--- a/Biz/Cloud/Ports.nix
+++ b/Biz/Cloud/Ports.nix
@@ -12,6 +12,7 @@
 gerrit = 8081;
 gerrit-ssh = 2222;
 git = 9418;
+ headscale = 8844;
 hoogle = 8008;
 http = 80;
 httpdev = { from = 8000; to = 8099; };
diff --git a/Biz/Dev.nix b/Biz/Dev.nix
deleted file mode 100644
index 245e58c..0000000
--- a/Biz/Dev.nix
+++ /dev/null
@@ -1,28 +0,0 @@
-{ nixpkgs ? import ./Bild.nix {} }:
-with nixpkgs;
-# Dev machine for work and building stuff.
-
-bild.os {
- imports = [
- ./OsBase.nix
- ./Packages.nix
- ./Users.nix
- ./Dev/Configuration.nix
- ./Dev/Hardware.nix
- ./Dev/Hoogle.nix
- ./Dev/Networking.nix
- ./Dev/Dns.nix
- #./Dev/Wireguard.nix # this changed in the upgrade and I can't find docs
- ./Dragons.nix
- # ./Dev/Guix.nix # I need to package a bunch of guile libs first
- ];
- networking.hostName = "lithium";
- networking.domain = "dev.simatime.com";
- services.dragons = {
- enable = true;
- port = 8095;
- package = bild.run ./Dragons.hs;
- keep = "/var/dragons/keep";
- depo = "/var/dragons/depo";
- };
-}
diff --git a/Biz/Dev/Beryllium.nix b/Biz/Dev/Beryllium.nix
new file mode 100644
index 0000000..b2dad1e
--- /dev/null
+++ b/Biz/Dev/Beryllium.nix
@@ -0,0 +1,14 @@
+{ nixpkgs ? import ../Bild.nix {} }:
+with nixpkgs;
+bild.os {
+ imports = [
+ ../OsBase.nix
+ ../Packages.nix
+ ../Users.nix
+ ./Beryllium/Configuration.nix
+ ./Beryllium/Hardware.nix
+ ./Vpn.nix
+ ];
+ networking.hostName = "beryllium";
+ networking.domain = "beryl.simatime.com";
+}
diff --git a/Biz/Dev/Beryllium/Configuration.nix b/Biz/Dev/Beryllium/Configuration.nix
new file mode 100644
index 0000000..de88078
--- /dev/null
+++ b/Biz/Dev/Beryllium/Configuration.nix
@@ -0,0 +1,134 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./Hardware.nix
+ ];
+
+ # Bootloader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ # Enable networking
+ networking.networkmanager.enable = true;
+
+ # Set your time zone.
+ time.timeZone = "America/New_York";
+
+ # Select internationalisation properties.
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ i18n.extraLocaleSettings = {
+ LC_ADDRESS = "en_US.UTF-8";
+ LC_IDENTIFICATION = "en_US.UTF-8";
+ LC_MEASUREMENT = "en_US.UTF-8";
+ LC_MONETARY = "en_US.UTF-8";
+ LC_NAME = "en_US.UTF-8";
+ LC_NUMERIC = "en_US.UTF-8";
+ LC_PAPER = "en_US.UTF-8";
+ LC_TELEPHONE = "en_US.UTF-8";
+ LC_TIME = "en_US.UTF-8";
+ };
+
+ # Enable the X11 windowing system.
+ services.xserver.enable = true;
+
+ # Enable the KDE Plasma Desktop Environment.
+ services.xserver.displayManager.sddm.enable = true;
+ services.xserver.desktopManager.plasma5.enable = true;
+
+ # Configure keymap in X11
+ services.xserver = {
+ layout = "us";
+ xkbVariant = "";
+ };
+
+ # Enable CUPS to print documents.
+ services.printing.enable = true;
+
+ # Enable sound with pipewire.
+ sound.enable = true;
+ hardware.pulseaudio.enable = false;
+ security.rtkit.enable = true;
+ services.pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ # If you want to use JACK applications, uncomment this
+ #jack.enable = true;
+
+ # use the example session manager (no others are packaged yet so this is enabled by default,
+ # no need to redefine it in your config for now)
+ #media-session.enable = true;
+ };
+
+ # Enable touchpad support (enabled default in most desktopManager).
+ # services.xserver.libinput.enable = true;
+
+ #services.xserver.videoDrivers = [ "nvidia" ];
+ #hardware.nvidia.nvidiaPersistenced = true;
+ #hardware.nvidia.modesetting.enable = true;
+ #hardware.nvidia.powerManagement.enable = false;
+ #hardware.nvidia.open = true;
+ #hardware.nvidia.nvidiaSettings = true;
+
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ #users.users.ben = {
+ # isNormalUser = true;
+ # description = "Ben Sima";
+ # extraGroups = [ "networkmanager" "wheel" ];
+ # packages = with pkgs; [
+ # firefox
+ # kate
+ # # thunderbird
+ # ];
+ #};
+
+ # Enable automatic login for the user.
+ services.xserver.displayManager.autoLogin.enable = true;
+ services.xserver.displayManager.autoLogin.user = "ben";
+
+ # Allow unfree packages
+ nixpkgs.config.allowUnfree = true;
+
+ # List packages installed in system profile. To search, run:
+ # $ nix search wget
+ environment.systemPackages = with pkgs; [
+ # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
+ # wget
+ ];
+
+ # Some programs need SUID wrappers, can be configured further or are
+ # started in user sessions.
+ # programs.mtr.enable = true;
+ # programs.gnupg.agent = {
+ # enable = true;
+ # enableSSHSupport = true;
+ # };
+
+ # List services that you want to enable:
+
+ # Enable the OpenSSH daemon.
+ # services.openssh.enable = true;
+
+ # Open ports in the firewall.
+ networking.firewall.allowedTCPPorts = [ 24800 ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ # Or disable the firewall altogether.
+ # networking.firewall.enable = false;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.05"; # Did you read the comment?
+
+}
diff --git a/Biz/Dev/Beryllium/Hardware.nix b/Biz/Dev/Beryllium/Hardware.nix
new file mode 100644
index 0000000..8c74e10
--- /dev/null
+++ b/Biz/Dev/Beryllium/Hardware.nix
@@ -0,0 +1,38 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/f96eaa16-d0e2-4230-aece-131ce7b630da";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/A34A-6527";
+ fsType = "vfat";
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp97s0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp99s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/Biz/Dev/Configuration.nix b/Biz/Dev/Configuration.nix
deleted file mode 100644
index 7fdefa4..0000000
--- a/Biz/Dev/Configuration.nix
+++ /dev/null
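Review bot: `networking.firewall.allowedTCPPorts = [ 24800 ];` opens the port on every interface with no comment saying which service listens there (presumably Synergy/Barrier, given the port number, but confirm); since Beryllium.nix also imports Vpn.nix, which lists `tailscale0` under `trustedInterfaces`, a VPN peer reaches that port without this rule, so either drop the global entry or scope it with `networking.firewall.interfaces.<iface>.allowedTCPPorts = [ 24800 ];` and name the service in a comment. `services.xserver.displayManager.autoLogin.enable = true;` for user `ben` removes the local login prompt; a one-line comment recording that this is accepted for a machine in a controlled location would stop the next reader from treating it as an oversight. `# services.openssh.enable = true;` stays commented out while the commit message talks about reaching this host over SSH, so SSH presumably comes from OsBase.nix (outside this hunk); a comment pointing there would keep the option from being enabled a second time with different settings.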
@@ -1,213 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
- ghcCompiler = (import ../Bild/Constants.nix).ghcCompiler;
- ports = import ../Cloud/Ports.nix;
-in {
- # Use the systemd-boot EFI boot loader.
- boot.loader.systemd-boot.enable = true;
- boot.loader.efi.canTouchEfiVariables = true;
- boot.enableContainers = true;
-
- powerManagement.enable = false;
-
- time.timeZone = "America/New_York";
-
- fonts.fonts = with pkgs; [
- google-fonts mononoki source-code-pro fantasque-sans-mono hack-font
- fira fira-code fira-code-symbols
- ];
-
- environment.systemPackages = [
- pkgs.nvtop #
- pkgs.k3s
- pkgs.wemux
- pkgs.tmux
- pkgs.wireguard-tools
- ];
-
- nixpkgs = {
- config = {
- allowUnfree = true;
- allowBroken = true;
- };
- };
-
- hardware = {
- opengl.enable = true;
- pulseaudio = {
- enable = true;
- extraConfig = ''
- load-module module-loopback
- '';
- };
- };
-
- #hardware.nvidia.nvidiaPersistenced = true;
-
- programs.bash.enableCompletion = true;
- programs.command-not-found.enable = true;
- programs.gnupg.agent.enable = true;
- programs.gnupg.agent.enableSSHSupport = true;
- programs.mosh.enable = true;
-
- virtualisation.docker.enable = true;
- virtualisation.docker.liveRestore = false;
- virtualisation.libvirtd.enable = false;
- virtualisation.virtualbox.host.enable = false;
- virtualisation.virtualbox.host.headless = false;
- virtualisation.virtualbox.host.addNetworkInterface = false;
- virtualisation.virtualbox.guest.enable = false;
- virtualisation.virtualbox.guest.x11 = false;
-
- services.my-hoogle.enable = true;
- services.my-hoogle.port = ports.hoogle;
- services.my-hoogle.home = "//hoogle.simatime.com";
- services.my-hoogle.packages = pkgset: lib.attrsets.attrVals (import ../Bild/Deps/Haskell.nix) pkgset;
- services.my-hoogle.haskellPackages = pkgs.haskell.packages.${ghcCompiler};
- services.my-hoogle.host = "0.0.0.0";
-
- services.eternal-terminal.enable = true;
-
- services.k3s.enable = false;
- services.k3s.role = "server";
-
- services.syncthing.enable = true;
- services.syncthing.guiAddress = "127.0.0.1:${toString ports.syncthing-gui}";
- services.syncthing.openDefaultPorts = true;
- services.syncthing.systemService = true;
-
- services.tor.enable = true;
- services.tor.client.enable = true;
- services.tor.relay.role = "bridge";
- services.tor.settings.ORPort = ports.tor;
- services.tor.settings.Nickname = "ydeee3q1cjo83tsuqcz";
- services.tor.settings.AccountingMax = "10 GBytes";
- services.tor.settings.AccountingStart = "month 1 1:00";
- services.tor.settings.ContactInfo = "ContactInfo pgp:66A6AD150399D970DCA4C4E6C8218B7D0BFDECCD ciissversion:2";
-
- services.bitcoind.mainnet.enable = true;
- services.bitcoind.mainnet.dataDir = "/mnt/campbell/bitcoind-mainnet/data";
- services.bitcoind.mainnet.configFile = "/mnt/campbell/bitcoind-mainnet/bitcoin.conf";
- services.bitcoind.mainnet.prune = 10000;
-
- services.pcscd.enable = true;
- services.logind.lidSwitch = "ignore";
- services.logind.extraConfig = "IdleAction=ignore";
-
- services.deluge.enable = true;
- services.deluge.openFilesLimit = 10240;
- services.deluge.web.enable = true;
-
- services.printing.enable = true;
-
- services.murmur.enable = true;
- services.murmur.registerName = "simatime";
- services.murmur.password = "simatime";
- services.murmur.port = ports.murmur;
-
- services.xserver.enable = true;
- services.xserver.autorun = true;
- services.xserver.layout = "us";
- services.xserver.xkbOptions = "caps:ctrl_modifier";
- services.xserver.videoDrivers = [ "nvidia" ];
- services.xserver.serverFlagsSection = ''
- Option "BlankTime" "0"
- Option "StandbyTime" "0"
- Option "SuspendTime" "0"
- Option "OffTime" "0"
- '';
- services.xserver.displayManager.sddm.enable = true;
- services.xserver.displayManager.sddm.enableHidpi = true;
- # Some of these have conflicting definitions, which might be the source of my
- # problems with the display. Start here for debugging.
- #services.xserver.displayManager.session.manage = "desktop";
- #services.xserver.displayManager.session.name = "home-manager";
- #services.xserver.displayManager.session.start = ''
- # ${pkgs.runtimeShell} $HOME/.hm-xsession &
- # waitPID=$!
- #'';
- #services.xserver.desktopManager.kodi.enable = false;
- #services.xserver.desktopManager.plasma5.enable = false;
- services.xserver.desktopManager.xterm.enable = true;
- services.xserver.windowManager.xmonad.enable = true;
- services.xserver.libinput.enable = true;
- services.xserver.libinput.touchpad.tapping = true;
- services.xserver.modules = [ pkgs.xf86_input_wacom ];
- services.xserver.wacom.enable = true;
-
- services.jupyter.enable = true;
- services.jupyter.port = ports.jupyter;
- services.jupyter.ip = "*";
- users.users.jupyter.group = "jupyter";
- users.groups.jupyter = {};
- services.jupyter.password = "'argon2:$argon2id$v=19$m=10240,t=10,p=8$nvQhgk+htbIYi961YYAf1w$ekpwiTT5L4+OAods0K7EDw'";
- services.jupyter.kernels.python3 = let
- env = (pkgs.python3.withPackages (p: with p; [
- ipykernel pandas scikitlearn numpy matplotlib sympy ipywidgets
- ]));
- in {
- displayName = "py3";
- argv = [
- "${env.interpreter}"
- "-m"
- "ipykernel_launcher"
- "-f"
- "{connection_file}"
- ];
- language = "python";
- # error: must be of type 'null or path'
- #logo32 = "${env.sitePackages}/ipykernel/resources/logo-32x32.png";
- #logo64 = "${env.sitePackages}/ipykernel/resources/logo-64x64.png";
- };
-
- # previously emby
- services.jellyfin.enable = true;
- services.jellyfin.user = "jellyfin";
- services.jellyfin.group = "jellyfin";
-
- services.minidlna.enable = true;
- services.minidlna.settings.notify_interval = 60;
- services.minidlna.settings.friendly_name = "Sima Media";
- services.minidlna.settings.media_dir = [
- "V,/mnt/campbell/ben/youtube"
- "A,/mnt/campbell/ben/music"
- "V,/mnt/campbell/ben/torrents/done"
- ];
-
- services.vnstat.enable = true;
-
- documentation.enable = true;
- documentation.dev.enable = true;
- documentation.doc.enable = true;
- documentation.info.enable = true;
- documentation.man.enable = true;
- documentation.nixos.enable = true;
-
- nix.settings.auto-optimise-store = true;
- nix.settings.cores = 0; # use all available cores
- # Since this is the dev machine, we can turn these on at the expense
- # of extra disk space.
- nix.extraOptions = ''
- keep-outputs = true
- keep-derivations = true
- '';
- # 1 job * 2 cores = 2 maximum cores used at any one time
- nix.settings.max-jobs = 1;
- nix.sshServe.enable = true;
- nix.sshServe.keys = lib.trivial.pipe ../Keys/Ben.pub [
- builtins.readFile
- (lib.strings.splitString "\n")
- (lib.filter (s: s != ""))
- ];
- nix.settings.trusted-users = [ "root" "ben" ];
-
- # This value determines the NixOS release with which your system is to be
- # compatible, in order to avoid breaking some software such as database
- # servers. You should change this only after NixOS release notes say you
- # should.
- system.stateVersion = "20.09"; # Did you read the comment?
-
- # TODO: is this still necessary? Check nixpkgs upstream
- users.users.jupyter.isSystemUser = true;
-}
diff --git a/Biz/Dev/Hardware.nix b/Biz/Dev/Hardware.nix
deleted file mode 100644
index 4d835aa..0000000
--- a/Biz/Dev/Hardware.nix
+++ /dev/null
@@ -1,36 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ lib, modulesPath, ... }:
-
-{
- imports =
- [ (modulesPath + "/installer/scan/not-detected.nix")
- ];
-
- boot.initrd.availableKernelModules = [
- "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod"
- ];
- boot.kernelModules = [ "kvm-intel" ];
- boot.extraModulePackages = [
- ];
-
- fileSystems."/" =
- { device = "/dev/disk/by-uuid/f08dd8f9-787c-4e2a-a0cc-7019edc2ce2b";
- fsType = "ext4";
- };
-
- fileSystems."/boot" =
- { device = "/dev/disk/by-uuid/C67C-D7B5";
- fsType = "vfat";
- };
-
- fileSystems."/mnt/campbell" = {
- device = "/dev/disk/by-uuid/037df3ae-4609-402c-ab1d-4593190d0ee7";
- fsType = "ext4";
- };
-
- swapDevices = [ ];
-
- powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
-}
diff --git a/Biz/Dev/Lithium.nix b/Biz/Dev/Lithium.nix
new file mode 100644
index 0000000..d3b17b7
--- /dev/null
+++ b/Biz/Dev/Lithium.nix
@@ -0,0 +1,28 @@
+{ nixpkgs ? import ../Bild.nix {} }:
+with nixpkgs;
+# Dev machine for work and building stuff.
+
+bild.os {
+ imports = [
+ ../OsBase.nix
+ ../Packages.nix
+ ../Users.nix
+ ./Lithium/Configuration.nix
+ ./Lithium/Hardware.nix
+ ./Hoogle.nix
+ ./Networking.nix
+ ./Dns.nix
+ ../Dragons.nix
+ #./Guix.nix # I need to package a bunch of guile libs first
+ ./Vpn.nix
+ ];
+ networking.hostName = "lithium";
+ networking.domain = "dev.simatime.com";
+ services.dragons = {
+ enable = true;
+ port = 8095;
+ package = bild.run ../Dragons.hs;
+ keep = "/var/dragons/keep";
+ depo = "/var/dragons/depo";
+ };
+}
diff --git a/Biz/Dev/Lithium/Configuration.nix b/Biz/Dev/Lithium/Configuration.nix
new file mode 100644
index 0000000..7434b3f
--- /dev/null
+++ b/Biz/Dev/Lithium/Configuration.nix
@@ -0,0 +1,213 @@
+{ config, lib, pkgs, ... }:
+
+let
+ ghcCompiler = (import ../../Bild/Constants.nix).ghcCompiler;
+ ports = import ../../Cloud/Ports.nix;
+in {
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.enableContainers = true;
+
+ powerManagement.enable = false;
+
+ time.timeZone = "America/New_York";
+
+ fonts.fonts = with pkgs; [
+ google-fonts mononoki source-code-pro fantasque-sans-mono hack-font
+ fira fira-code fira-code-symbols
+ ];
+
+ environment.systemPackages = [
+ pkgs.nvtop #
+ pkgs.k3s
+ pkgs.wemux
+ pkgs.tmux
+ pkgs.wireguard-tools
+ ];
+
+ nixpkgs = {
+ config = {
+ allowUnfree = true;
+ allowBroken = true;
+ };
+ };
+
+ hardware = {
+ opengl.enable = true;
+ pulseaudio = {
+ enable = true;
+ extraConfig = ''
+ load-module module-loopback
+ '';
+ };
+ };
+
+ #hardware.nvidia.nvidiaPersistenced = true;
+
+ programs.bash.enableCompletion = true;
+ programs.command-not-found.enable = true;
+ programs.gnupg.agent.enable = true;
+ programs.gnupg.agent.enableSSHSupport = true;
+ programs.mosh.enable = true;
+
+ virtualisation.docker.enable = true;
+ virtualisation.docker.liveRestore = false;
+ virtualisation.libvirtd.enable = false;
+ virtualisation.virtualbox.host.enable = false;
+ virtualisation.virtualbox.host.headless = false;
+ virtualisation.virtualbox.host.addNetworkInterface = false;
+ virtualisation.virtualbox.guest.enable = false;
+ virtualisation.virtualbox.guest.x11 = false;
+
+ services.my-hoogle.enable = true;
+ services.my-hoogle.port = ports.hoogle;
+ services.my-hoogle.home = "//hoogle.simatime.com";
+ services.my-hoogle.packages = pkgset: lib.attrsets.attrVals (import ../../Bild/Deps/Haskell.nix) pkgset;
+ services.my-hoogle.haskellPackages = pkgs.haskell.packages.${ghcCompiler};
+ services.my-hoogle.host = "0.0.0.0";
+
+ services.eternal-terminal.enable = true;
+
+ services.k3s.enable = false;
+ services.k3s.role = "server";
+
+ services.syncthing.enable = true;
+ services.syncthing.guiAddress = "127.0.0.1:${toString ports.syncthing-gui}";
+ services.syncthing.openDefaultPorts = true;
+ services.syncthing.systemService = true;
+
+ services.tor.enable = true;
+ services.tor.client.enable = true;
+ services.tor.relay.role = "bridge";
+ services.tor.settings.ORPort = ports.tor;
+ services.tor.settings.Nickname = "ydeee3q1cjo83tsuqcz";
+ services.tor.settings.AccountingMax = "10 GBytes";
+ services.tor.settings.AccountingStart = "month 1 1:00";
+ services.tor.settings.ContactInfo = "ContactInfo pgp:66A6AD150399D970DCA4C4E6C8218B7D0BFDECCD ciissversion:2";
+
+ services.bitcoind.mainnet.enable = true;
+ services.bitcoind.mainnet.dataDir = "/mnt/campbell/bitcoind-mainnet/data";
+ services.bitcoind.mainnet.configFile = "/mnt/campbell/bitcoind-mainnet/bitcoin.conf";
+ services.bitcoind.mainnet.prune = 10000;
+
+ services.pcscd.enable = true;
+ services.logind.lidSwitch = "ignore";
+ services.logind.extraConfig = "IdleAction=ignore";
+
+ services.deluge.enable = true;
+ services.deluge.openFilesLimit = 10240;
+ services.deluge.web.enable = true;
+
+ services.printing.enable = true;
+
+ services.murmur.enable = true;
+ services.murmur.registerName = "simatime";
+ services.murmur.password = "simatime";
+ services.murmur.port = ports.murmur;
+
+ services.xserver.enable = true;
+ services.xserver.autorun = true;
+ services.xserver.layout = "us";
+ services.xserver.xkbOptions = "caps:ctrl_modifier";
+ services.xserver.videoDrivers = [ "nvidia" ];
+ services.xserver.serverFlagsSection = ''
+ Option "BlankTime" "0"
+ Option "StandbyTime" "0"
+ Option "SuspendTime" "0"
+ Option "OffTime" "0"
+ '';
+ services.xserver.displayManager.sddm.enable = true;
+ services.xserver.displayManager.sddm.enableHidpi = true;
+ # Some of these have conflicting definitions, which might be the source of my
+ # problems with the display. Start here for debugging.
+ #services.xserver.displayManager.session.manage = "desktop";
+ #services.xserver.displayManager.session.name = "home-manager";
+ #services.xserver.displayManager.session.start = ''
+ # ${pkgs.runtimeShell} $HOME/.hm-xsession &
+ # waitPID=$!
+ #'';
+ #services.xserver.desktopManager.kodi.enable = false;
+ #services.xserver.desktopManager.plasma5.enable = false;
+ services.xserver.desktopManager.xterm.enable = true;
+ services.xserver.windowManager.xmonad.enable = true;
+ services.xserver.libinput.enable = true;
+ services.xserver.libinput.touchpad.tapping = true;
+ services.xserver.modules = [ pkgs.xf86_input_wacom ];
+ services.xserver.wacom.enable = true;
+
+ services.jupyter.enable = true;
+ services.jupyter.port = ports.jupyter;
+ services.jupyter.ip = "*";
+ users.users.jupyter.group = "jupyter";
+ users.groups.jupyter = {};
+ services.jupyter.password = "'argon2:$argon2id$v=19$m=10240,t=10,p=8$nvQhgk+htbIYi961YYAf1w$ekpwiTT5L4+OAods0K7EDw'";
+ services.jupyter.kernels.python3 = let
+ env = (pkgs.python3.withPackages (p: with p; [
+ ipykernel pandas scikitlearn numpy matplotlib sympy ipywidgets
+ ]));
+ in {
+ displayName = "py3";
+ argv = [
+ "${env.interpreter}"
+ "-m"
+ "ipykernel_launcher"
+ "-f"
+ "{connection_file}"
+ ];
+ language = "python";
+ # error: must be of type 'null or path'
+ #logo32 = "${env.sitePackages}/ipykernel/resources/logo-32x32.png";
+ #logo64 = "${env.sitePackages}/ipykernel/resources/logo-64x64.png";
+ };
+
+ # previously emby
+ services.jellyfin.enable = true;
+ services.jellyfin.user = "jellyfin";
+ services.jellyfin.group = "jellyfin";
+
+ services.minidlna.enable = true;
+ services.minidlna.settings.notify_interval = 60;
+ services.minidlna.settings.friendly_name = "Sima Media";
+ services.minidlna.settings.media_dir = [
+ "V,/mnt/campbell/ben/youtube"
+ "A,/mnt/campbell/ben/music"
+ "V,/mnt/campbell/ben/torrents/done"
+ ];
+
+ services.vnstat.enable = true;
+
+ documentation.enable = true;
+ documentation.dev.enable = true;
+ documentation.doc.enable = true;
+ documentation.info.enable = true;
+ documentation.man.enable = true;
+ documentation.nixos.enable = true;
+
+ nix.settings.auto-optimise-store = true;
+ nix.settings.cores = 0; # use all available cores
+ # Since this is the dev machine, we can turn these on at the expense
+ # of extra disk space.
+ nix.extraOptions = ''
+ keep-outputs = true
+ keep-derivations = true
+ '';
+ # 1 job * 2 cores = 2 maximum cores used at any one time
+ nix.settings.max-jobs = 1;
+ nix.sshServe.enable = true;
+ nix.sshServe.keys = lib.trivial.pipe ../../Keys/Ben.pub [
+ builtins.readFile
+ (lib.strings.splitString "\n")
+ (lib.filter (s: s != ""))
+ ];
+ nix.settings.trusted-users = [ "root" "ben" ];
+
+ # This value determines the NixOS release with which your system is to be
+ # compatible, in order to avoid breaking some software such as database
+ # servers. You should change this only after NixOS release notes say you
+ # should.
+ system.stateVersion = "20.09"; # Did you read the comment?
+
+ # TODO: is this still necessary? Check nixpkgs upstream
+ users.users.jupyter.isSystemUser = true;
+}
diff --git a/Biz/Dev/Lithium/Hardware.nix b/Biz/Dev/Lithium/Hardware.nix
new file mode 100644
index 0000000..4d835aa
--- /dev/null
+++ b/Biz/Dev/Lithium/Hardware.nix
@@ -0,0 +1,36 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ lib, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [
+ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod"
+ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [
+ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/f08dd8f9-787c-4e2a-a0cc-7019edc2ce2b";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/C67C-D7B5";
+ fsType = "vfat";
+ };
+
+ fileSystems."/mnt/campbell" = {
+ device = "/dev/disk/by-uuid/037df3ae-4609-402c-ab1d-4593190d0ee7";
+ fsType = "ext4";
+ };
+
+ swapDevices = [ ];
+
+ powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+}
diff --git a/Biz/Dev/Networking.nix b/Biz/Dev/Networking.nix
index ac80b71..1a28b56 100644
--- a/Biz/Dev/Networking.nix
+++ b/Biz/Dev/Networking.nix
@@ -44,11 +44,6 @@ in {
 allowedUDPPortRanges = [ ports.torrents ];
- checkReversePath = false;
- #extraCommands = lib.mkMerge [ (lib.mkAfter ''
- # iptables -w -t filter -A nixos-fw -s 192.168.0.0/24 -p udp --dport 53 -i enp1s0 -j nixos-fw-accept
- # iptables -w -t filter -A nixos-fw -s 192.168.0.0/24 -p tcp --dport 53 -i enp1s0 -j nixos-fw-accept
- #'') ];
 };
 # The global useDHCP flag is deprecated, therefore explicitly set to false here.
diff --git a/Biz/Dev/Vpn.nix b/Biz/Dev/Vpn.nix
new file mode 100644
index 0000000..5a3c3e6
--- /dev/null
+++ b/Biz/Dev/Vpn.nix
@@ -0,0 +1,33 @@
+{ config, ... }:
+
+let
+ ports = import ../Cloud/Ports.nix;
+ domain = "headscale.simatime.com";
+in {
+ services.headscale = {
+ enable = true;
+ address = "0.0.0.0";
+ port = ports.headscale;
+ settings = {};
+ };
+
+ services.nginx.virtualHosts.${domain} = {
+ forceSSL = true;
+ enableAcme = true;
+ locations."/" = {
+ proxyPass = "http://localhost:${toString ports.headscale}";
+ proxyWebsockets = true;
+ };
+ };
+
+ environment.systemPackages = [ config.services.headscale.package ];
+
+ services.tailscale.enable = true;
+
+ networking.firewall = {
+ checkReversePath = "loose";
+ trustedInterfaces = [ "tailscale0" ];
+ allowedUDPPorts = [ config.services.tailscale.port ];
+ };
+
+}
diff --git a/Biz/Dev/Wireguard.nix b/Biz/Dev/Wireguard.nix
deleted file mode 100644
index 90f425e..0000000
--- a/Biz/Dev/Wireguard.nix
+++ /dev/null
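Review bot: `services.headscale.enable = true;` plus the `headscale.simatime.com` nginx vhost make Vpn.nix a coordination-server module, yet both Lithium.nix and Beryllium.nix import it, so each machine would run its own headscale under the same public name and request its own ACME certificate (which presumably cannot succeed on the host behind the home router the commit message describes); since the message only talks about beryllium joining the VPN, the server half likely belongs on lithium alone — move `services.headscale`, the vhost and the `environment.systemPackages` line into a module imported only by Lithium.nix, leaving `services.tailscale` and the firewall block here. `address = "0.0.0.0"` exposes headscale's plain-HTTP listener on every interface even though nginx proxies to `localhost`, and `trustedInterfaces = [ "tailscale0" ]` exempts that interface from the firewall, so every tailnet peer could reach port 8844 (the `ports.headscale` value added in Ports.nix) without going through TLS; `address = "127.0.0.1";` keeps nginx as the only path. `settings = {};` and the trusted-interface line both deserve a comment: which headscale options are meant to live in `settings` (at least `server_url`), and that trusting `tailscale0` intentionally bypasses all firewall rules for every peer rather than opening only the tailscale UDP port.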
@@ -1,72 +0,0 @@
-{ lib, pkgs, ... }:
-
-/*
-Wireguard VPN server
-
-References:
-
-- https://nixos.wiki/wiki/WireGuard
-- https://wireguard.how/client/ios/
-*/
-
-let
- ports = import ../Cloud/Ports.nix;
- ips = "10.100.0.1/24";
-
- # a micro-library for creating iptables rules
- iptables = rec {
- bin = "${pkgs.iptables/bin/iptables}";
- append = {source}: lib.concatSep " " [
- bin
- "--table" "nat"
- "--append" "POSTROUTING"
- "--source" source
- "--out-interface" "eth0"
- "--jump" "MASQUERADE"
- ];
- delete = {source}: lib.concatSep " " [
- bin
- "--table" "nat"
- "--delete" "POSTROUTING"
- "--source" source
- "--out-interface" "eth0"
- "--jump" "MASQUERADE"
- ];
-
- };
-in {
- networking.nat.enable = true;
- networking.nat.externalInterface = "eth0";
- networking.nat.internalInterfaces = [ "wg0" ];
- networking.firewall.allowedUDPPorts = [ ports.wireguard ];
-
- networking.wireguard-tools.enable = true;
-
- networking.wireguard-tools.interfaces = {
- wg0 = {
- ips = [ ips ];
- allowedIPsAsRoutes = true;
- listenPort = ports.wireguard;
- postSetup = ''
- ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${ips} -o eth0 -j MASQUERADE
- '';
-
- postShutdown = ''
- ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s ${ips} -o eth0 -j MASQUERADE
- '';
-
- privateKeyFile = "/var/wireguard/private";
-
- peers = [
- #{ # helium
- # publicKey = "";
- # allowedIPs = [ "10.100.0.2/32" ];
- #}
- { # ben's iPhone
- publicKey = "SIBIfPLhzuV1S1FZtm5JQtDbl0ehnH+Y3CpoZ2eZ3gc=";
- allowedIPs = [ "10.100.0.3/32" ];
- }
- ];
- };
- };
-}
diff --git a/Biz/OsBase.nix b/Biz/OsBase.nix
index 29c87bf..c82b935 100644
--- a/Biz/OsBase.nix
+++ b/Biz/OsBase.nix
@@ -4,7 +4,7 @@ let
 in {
 boot.cleanTmpDir = true;
 networking.firewall.allowPing = true;
- nix.settings.substituters = [ "https://cache.nixos.org" "ssh://dev.simatime.com" ];
+ nix.settings.substituters = [ "https://cache.nixos.org" ]; # "ssh://dev.simatime.com" ];
 nix.gc.automatic = true;
 nix.gc.dates = "Sunday 02:15";
 nix.optimise.automatic = true;
-- cgit v1.2.3
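Review bot: The new substituters line keeps a dangling `]` inside its trailing comment (`# "ssh://dev.simatime.com" ]`), which reads like an unclosed list on a quick scan; cleaner is `nix.settings.substituters = [ "https://cache.nixos.org" ];` with the disabled entry on a comment line of its own together with the reason, which the commit message only implies (lithium's SSH port is no longer the one exposed by the router). Lithium/Configuration.nix in this same commit still enables `nix.sshServe`, so a TODO noting that the substituter can return via the tailnet address once hostname routing works would tie the two together.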