walkah/athens
1
0
Fork 0
Code Issues 9 Pull Requests Projects Releases Wiki Activity

♻️ consolidate nix configs

Browse Source
This commit is contained in:
James Walker
2024-09-02 10:47:02 -04:00
parent 49884d40e5
commit 06ddc96680
49 changed files with 26 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
nix/darwin.nix
View File

@ -17,6 +17,6 @@ let
};
in
{
epicurus = mkDarwin "epicurus" [ ../hosts/epicurus/darwin-configuration.nix ];
heraclitus = mkDarwin "heraclitus" [ ../hosts/heraclitus/darwin-configuration.nix ];
epicurus = mkDarwin "epicurus" [ ./hosts/epicurus/darwin-configuration.nix ];
heraclitus = mkDarwin "heraclitus" [ ./hosts/heraclitus/darwin-configuration.nix ];
}

37
nix/hosts/aristotle/configuration.nix Normal file
View File

@ -0,0 +1,37 @@
{ pkgs, nixos-hardware, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
nixos-hardware.nixosModules.raspberry-pi-4
../../modules/base/nixos.nix
../../modules/ipfs/cluster.nix
../../modules/sops
];
hardware = {
raspberry-pi."4".poe-hat.enable = true;
};
time.timeZone = "America/Toronto";
networking = {
# networking.hostName = "nixos"; # Define your hostname.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
useDHCP = false;
interfaces.eth0.useDHCP = true;
interfaces.wlan0.useDHCP = true;
firewall.enable = false;
};
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ0mE4MyMnfd1b2nlBJT7kpZ6Vov+ILuGNfzdp5ZBNQe walkah@walkah.net"
];
environment.systemPackages = with pkgs; [ libraspberrypi raspberrypi-eeprom ];
}

18
nix/hosts/aristotle/hardware-configuration.nix Normal file
View File

@ -0,0 +1,18 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ lib, modulesPath, ... }:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
fileSystems."/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
options = [ "noatime" ];
};
swapDevices = [ ];
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}

25
nix/hosts/epicurus/darwin-configuration.nix Normal file
View File

@ -0,0 +1,25 @@
{ ... }:
{
imports = [
./homebrew.nix
../../modules/base/darwin.nix
../../modules/builder
../../modules/dev
];
# List packages installed in system profile. To search by name, run:
# $ nix-env -qaP | grep wget
# environment.systemPackages = with pkgs; [ emacs-nox ];
# Use a custom configuration.nix location.
# $ darwin-rebuild switch -I darwin-config=$HOME/.config/nixpkgs/darwin/configuration.nix
# environment.darwinConfig = "$HOME/.config/nixpkgs/darwin/configuration.nix";
# Auto upgrade nix package and the daemon service.
services.nix-daemon.enable = true;
users.users.walkah.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ0mE4MyMnfd1b2nlBJT7kpZ6Vov+ILuGNfzdp5ZBNQe walkah@walkah.net"
];
}

29
nix/hosts/epicurus/homebrew.nix Normal file
View File

@ -0,0 +1,29 @@
_:
{
homebrew = {
taps = [
"homebrew/cask"
"homebrew/cask-fonts"
"homebrew/services"
];
brews = [ "code-server" "coreutils" "mosh" ];
casks = [
"1password"
"docker"
"font-jetbrains-mono"
"font-jetbrains-mono-nerd-font"
"gpg-suite"
"plex-media-server"
"stats"
"synology-drive"
];
masApps = {
Tailscale = 1475387142;
Xcode = 497799835;
};
};
}

29
nix/hosts/heraclitus/darwin-configuration.nix Normal file
View File

@ -0,0 +1,29 @@
{ pkgs, ... }:
{
imports = [
./homebrew.nix
../../modules/base/darwin.nix
../../modules/dev
../../modules/builder
];
nixpkgs.config.allowBroken = true;
# List packages installed in system profile. To search by name, run:
# $ nix-env -qaP | grep wget
# environment.systemPackages = with pkgs; [ emacs ];
environment.systemPackages = with pkgs; [ emacs-macport ];
# Auto upgrade nix package and the daemon service.
services.nix-daemon.enable = true;
system = {
defaults = {
dock = {
autohide = true;
orientation = "left";
};
};
};
}

68
nix/hosts/heraclitus/homebrew.nix Normal file
View File

@ -0,0 +1,68 @@
_:
{
homebrew = {
taps = [
"homebrew/cask"
"homebrew/cask-fonts"
"homebrew/cask-versions"
"homebrew/services"
"1password/tap"
"fission-codes/fission"
];
brews = [ "coreutils" "fontconfig" "ipfs" ];
casks = [
"1password"
"1password-cli"
"android-studio"
"balenaetcher"
"beeper"
"brave-browser"
"bunch"
"calibre"
"discord"
"docker"
"element"
"fantastical"
"figma"
"firefox@developer-edition"
"font-jetbrains-mono"
"font-jetbrains-mono-nerd-font"
"google-chrome"
"gpg-suite"
"hazel"
"iterm2"
"jordanbaird-ice"
"logi-options+"
"logitech-camera-settings"
"microsoft-edge"
"microsoft-office"
"minecraft"
"obsidian"
"opal-composer"
"plexamp"
"raycast"
"slack"
"sonos"
"spotify"
"stats"
"steam"
"synology-drive"
"todoist"
"visual-studio-code"
"zoom"
];
masApps = {
OnePasswordSafari = 1569813296;
Bumpr = 1166066070;
DayOne = 1055511498;
Drafts = 1435957248;
HomeAssistant = 1099568401;
Tailscale = 1475387142;
Xcode = 497799835;
};
};
}

187
nix/hosts/plato/configuration.nix Normal file
View File

@ -0,0 +1,187 @@
{ pkgs, config, ... }:
let
automount_opts = "uid=1000,gid=1000,x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
inherit (config.sops) secrets;
in
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
../../users
../../modules/base/nixos.nix
../../modules/coredns
../../modules/drone
../../modules/drone/runner-docker.nix
../../modules/gitea
../../modules/matrix
../../modules/minecraft
../../modules/postgresql
../../modules/sops
../../modules/traefik
];
boot = {
binfmt.emulatedSystems = [ "aarch64-linux" ];
loader = {
efi.canTouchEfiVariables = true;
systemd-boot = {
# Use the systemd-boot EFI boot loader.
enable = true;
configurationLimit = 3;
};
};
tmp.cleanOnBoot = true;
};
# Set your time zone.
time.timeZone = "America/Toronto";
networking = {
hostName = "plato"; # Define your hostname.
useDHCP = false;
interfaces = {
enp10s0.useDHCP = true;
enp9s0.useDHCP = true;
};
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
firewall.enable = false;
};
security.sudo.wheelNeedsPassword = false;
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ0mE4MyMnfd1b2nlBJT7kpZ6Vov+ILuGNfzdp5ZBNQe walkah@walkah.net"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC5spf4diguK+w7iYLFr565++6DjHukWfvpN2ru9dCRk nixbuild"
];
environment.systemPackages = with pkgs; [ cifs-utils pinentry weechat ];
fileSystems = {
"/mnt/downloads" = {
device = "//parthenon/Downloads";
fsType = "cifs";
options = [
"${automount_opts},credentials=${secrets.filesystems-parthenon.path}"
];
};
"/mnt/music" = {
device = "//parthenon/Music";
fsType = "cifs";
options = [
"${automount_opts},credentials=${secrets.filesystems-parthenon.path}"
];
};
"/mnt/video" = {
device = "//parthenon/Video";
fsType = "cifs";
options = [
"${automount_opts},credentials=${secrets.filesystems-parthenon.path}"
];
};
};
power.ups = {
enable = true;
mode = "netserver";
ups."cyberpower" = {
description = "Cyberpower EC650LCD";
driver = "usbhid-ups";
port = "auto";
};
upsd = {
enable = true;
listen = [
{ address = "0.0.0.0"; }
];
};
users.upsmon = {
passwordFile = secrets.upsmon.path;
upsmon = "primary";
};
upsmon.monitor."cyberpower".user = "upsmon";
};
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
sops.secrets = {
filesystems-parthenon = { };
upsmon = { };
};
services = {
borgbackup.jobs."borgbase" = {
paths = [
"/var/backup"
];
repo = "ssh://fk0o7077@fk0o7077.repo.borgbase.com/./repo";
encryption = {
mode = "repokey-blake2";
passCommand = "cat /root/borgbackup/passphrase";
};
environment.BORG_RSH = "ssh -i /root/borgbackup/ssh_key";
compression = "auto,lzma";
startAt = "daily";
};
grafana = {
enable = true;
settings = {
server = {
domain = "plato.walkah.lab";
http_port = 2342;
http_addr = "0.0.0.0";
};
};
};
prometheus = {
scrapeConfigs = [
{
job_name = "node";
static_configs = [{
targets = [
"plato:9100"
"agent:9100"
"form:9100"
"matter:9100"
"purpose:9100"
"socrates:9100"
];
}];
}
{
job_name = "coredns";
static_configs = [{ targets = [ "plato:9153" ]; }];
}
{
job_name = "ipfs";
metrics_path = "/debug/metrics/prometheus";
static_configs = [{
targets = [ "agent:5001" "form:5001" "matter:5001" "purpose:5001" ];
}];
}
];
};
tailscale = {
useRoutingFeatures = "server";
};
};
walkah.coredns = { enable = true; };
virtualisation.docker = {
enable = true;
# Clean docker images periodically
autoPrune = {
enable = true;
flags = [ "--all" ];
};
};
}

38
nix/hosts/plato/hardware-configuration.nix Normal file
View File

@ -0,0 +1,38 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, modulesPath, ... }:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
initrd.availableKernelModules = [
"uhci_hcd"
"ehci_pci"
"ahci"
"xhci_pci"
"firewire_ohci"
"usb_storage"
"usbhid"
"sd_mod"
"sr_mod"
];
initrd.kernelModules = [ ];
kernelModules = [ "kvm-intel" "wl" ];
extraModulePackages = [ config.boot.kernelPackages.broadcom_sta ];
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/ea3c68ac-e822-4b71-a8f5-65d9e452a3c2";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/FB06-AB48";
fsType = "vfat";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/3a812874-3def-4e46-b20d-cd55fa7bdd5f"; }];
}

66
nix/hosts/socrates/configuration.nix Normal file
View File

@ -0,0 +1,66 @@
{ pkgs, ... }: {
imports = [
./hardware-configuration.nix
./networking.nix # generated at runtime by nixos-infect
../../users
../../modules/base/nixos.nix
../../modules/akkoma
../../modules/akkoma/nginx.nix
../../modules/coredns
../../modules/code-server/nginx.nix
../../modules/drone/nginx.nix
../../modules/gitea/nginx.nix
../../modules/home-assistant/nginx.nix
../../modules/ipfs/gateway.nix
../../modules/matrix/nginx.nix
../../modules/minecraft/proxy.nix
../../modules/sops
];
boot.tmp.cleanOnBoot = true;
# Set your time zone.
time.timeZone = "America/Toronto";
networking = {
hostName = "socrates";
firewall = {
allowPing = true;
allowedTCPPorts = [ 80 443 ];
trustedInterfaces = [ "tailscale0" ];
checkReversePath = "loose";
};
};
nix = {
settings.trusted-users = [ "@wheel" "root" ];
};
security = {
sudo.wheelNeedsPassword = false;
acme.acceptTerms = true;
acme.defaults.email = "walkah@walkah.net";
};
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ0mE4MyMnfd1b2nlBJT7kpZ6Vov+ILuGNfzdp5ZBNQe walkah@walkah.net"
];
environment.systemPackages = with pkgs; [ ipfs-migrator ];
walkah.coredns = {
enable = true;
addr = "100.103.57.96";
};
services = {
nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
};
};
}

6
nix/hosts/socrates/hardware-configuration.nix Normal file
View File

@ -0,0 +1,6 @@
{ modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.loader.grub.device = "/dev/vda";
fileSystems."/" = { device = "/dev/vda1"; fsType = "ext4"; };
}

47
nix/hosts/socrates/networking.nix Normal file
View File

@ -0,0 +1,47 @@
{ lib, ... }: {
# This file was populated at runtime with the networking
# details gathered from the active system.
networking = {
defaultGateway = "167.99.176.1";
defaultGateway6 = "2604:a880:cad:d0::1";
dhcpcd.enable = false;
usePredictableInterfaceNames = lib.mkForce true;
interfaces = {
eth0 = {
ipv4.addresses = [
{
address = "167.99.176.10";
prefixLength = 20;
}
{
address = "10.20.0.5";
prefixLength = 16;
}
];
ipv6.addresses = [
{
address = "2604:a880:cad:d0::cda:5001";
prefixLength = 64;
}
{
address = "fe80::b885:79ff:fe71:134e";
prefixLength = 64;
}
];
ipv4.routes = [{
address = "167.99.176.1";
prefixLength = 32;
}];
ipv6.routes = [{
address = "2604:a880:cad:d0::1";
prefixLength = 32;
}];
};
};
};
services.udev.extraRules = ''
ATTR{address}=="ba:85:79:71:13:4e", NAME="eth0"
ATTR{address}=="3e:02:2b:ed:5d:22", NAME="eth1"
'';
}

99
nix/modules/akkoma/default.nix Normal file
View File

@ -0,0 +1,99 @@
{ config, pkgs, ... }:
let
inherit (config.services) akkoma;
inherit (config.sops) secrets;
inherit ((pkgs.formats.elixirConf { }).lib) mkRaw;
in
{
services = {
akkoma = {
enable = true;
config = {
":pleroma" = {
":instance" = {
name = "walkah.social";
email = "walkah@walkah.net";
notify_email = "walkah@walkah.net";
description = "James Walker's personal Akkoma instance";
registrations_open = false;
invites_enabled = true;
federating = true;
federation_incoming_replies_max_depth = null;
allow_relay = true;
safe_dm_mentions = true;
external_user_synchronization = true;
cleanup_attachments = true;
};
":media_proxy" = {
enabled = false;
redirect_on_failure = true;
};
"Pleroma.Repo" = {
adapter = mkRaw "Ecto.Adapters.Postgres";
socket_dir = "/run/postgresql";
username = config.services.akkoma.user;
database = "akkoma";
prepare = mkRaw ":named";
parameters.plan_cache_mode = "force_custom_plan";
};
"Pleroma.Web.Endpoint" = {
secret_key_base = { _secret = secrets.akkoma-secret-key-base.path; };
signing_salt = { _secret = secrets.akkoma-signing-salt.path; };
live_view.signing_salt = { _secret = secrets.akkoma-signing-salt.path; };
url = {
host = "walkah.social";
scheme = "https";
port = 443;
};
http = {
ip = "127.0.0.1";
port = 4000;
};
};
};
":web_push_encryption" = {
":vapid_details" = {
private_key = { _secret = secrets.akkoma-vapid-private-key.path; };
public_key = { _secret = secrets.akkoma-vapid-public-key.path; };
};
};
":joken" = {
":default_signer" = { _secret = secrets.akkoma-joken-signer.path; };
};
};
nginx = null; # doing this manually
};
postgresql = {
enable = true;
};
postgresqlBackup = {
enable = true;
databases = [ "akkoma" ];
};
};
sops = {
secrets = {
akkoma-secret-key-base = {
owner = akkoma.user;
};
akkoma-signing-salt = {
owner = akkoma.user;
};
akkoma-vapid-private-key = {
owner = akkoma.user;
};
akkoma-vapid-public-key = {
owner = akkoma.user;
};
akkoma-joken-signer = {
owner = akkoma.user;
};
};
};
}

16
nix/modules/akkoma/nginx.nix Normal file
View File

@ -0,0 +1,16 @@
_:
{
services.nginx = {
enable = true;
virtualHosts = {
"walkah.social" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:4000";
proxyWebsockets = true;
};
};
};
};
}

39
nix/modules/base/common.nix Normal file
View File

@ -0,0 +1,39 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
dogdns
htop
inetutils
vim
];
nix = {
extraOptions = ''
experimental-features = nix-command flakes
'';
gc = {
automatic = true;
};
settings = {
substituters = [
"https://walkah.cachix.org"
"https://cache.garnix.io"
];
trusted-public-keys = [
"walkah.cachix.org-1:D8cO78JoJC6UPV1ZMgd1V5znpk3jNUERGIeAKN15hxo="
"cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
];
};
};
programs = {
zsh = {
enable = true;
promptInit = "";
};
};
}

57
nix/modules/base/darwin.nix Normal file
View File

@ -0,0 +1,57 @@
{ pkgs, dotfiles, ... }: {
imports = [ ./common.nix ];
nix = {
configureBuildUsers = true;
extraOptions = ''
extra-platforms = x86_64-darwin aarch64-darwin
'';
gc = {
interval = {
Hour = 3;
Minute = 16;
Weekday = 6;
};
options = "--delete-older-than 30d";
};
settings = {
trusted-users = [ "root" "@admin" ];
};
};
environment.etc = {
"sudoers.d/walkah".text = ''
walkah ALL = (ALL) NOPASSWD: ALL
'';
};
homebrew = {
enable = true;
brewPrefix = "/opt/homebrew/bin";
global = {
brewfile = true;
lockfiles = false;
};
onActivation = {
autoUpdate = true;
cleanup = "zap";
upgrade = true;
};
};
home-manager = {
useGlobalPkgs = true;
useUserPackages = true;
users.walkah = import "${dotfiles}/home.nix";
};
users.users.walkah = {
home = "/Users/walkah";
shell = pkgs.zsh;
};
system.stateVersion = 4;
}

37
nix/modules/base/nixos.nix Normal file
View File

@ -0,0 +1,37 @@
{ config, ... }: {
imports = [ ./common.nix ../monitoring ];
nix = {
gc = {
persistent = true;
dates = "weekly";
options = "--delete-older-than 30d";
};
settings = {
auto-optimise-store = true;
trusted-users = [ "root" "walkah" ];
};
};
programs = {
mosh.enable = true;
};
services = {
openssh.enable = true;
tailscale.enable = true;
};
system = {
autoUpgrade = {
enable = true;
flake = "github:walkah/athens#${config.networking.hostName}";
dates = "daily";
randomizedDelaySec = "5m";
};
stateVersion = "23.05";
};
}

30
nix/modules/builder/default.nix Normal file
View File

@ -0,0 +1,30 @@
_: {
nix = {
distributedBuilds = true;
buildMachines = [
{
hostName = "plato";
systems = [ "x86_64-linux" "aarch64-linux" ];
maxJobs = 6;
supportedFeatures = [ "benchmark" "big-parallel" "kvm" ];
}
];
extraOptions = ''
builders-use-substitutes = true
'';
linux-builder = {
enable = true;
ephemeral = true;
maxJobs = 4;
speedFactor = 2;
config = {
virtualisation = {
darwin-builder = {
memorySize = 8 * 1024;
};
cores = 4;
};
};
};
};
}

5
nix/modules/code-server/default.nix Normal file
View File

@ -0,0 +1,5 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [ code-server ];
}

17
nix/modules/code-server/nginx.nix Normal file
View File

@ -0,0 +1,17 @@
_:
{
services.nginx = {
enable = true;
virtualHosts = {
"walkah.codes" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://100.66.26.116:8080";
proxyWebsockets = true;
};
};
};
};
}

45
nix/modules/coredns/default.nix Normal file
View File

@ -0,0 +1,45 @@
{ config, lib, ... }:
with lib;
let cfg = config.walkah.coredns;
in
{
options.walkah.coredns = {
enable = mkEnableOption "";
addr = mkOption {
type = types.str;
default = "0.0.0.0";
example = "192.168.6.1";
};
};
config = mkIf cfg.enable {
services.coredns = {
enable = true;
config = ''
. {
bind 127.0.0.1
bind ${cfg.addr}
prometheus ${cfg.addr}:9153
log
errors
cache
dnssec
forward . tls://1.1.1.1 tls://1.0.0.1 {
tls_servername cloudflare-dns.com
}
}
walkah.lab {
bind ${cfg.addr}
file ${./walkah.lab.zone}
}
'';
};
networking = {
nameservers = [ "127.0.0.1" ];
search = [ "walkah.lab" ];
};
};
}

19
nix/modules/coredns/walkah.lab.zone Normal file
View File

@ -0,0 +1,19 @@
$ORIGIN walkah.lab.
@ 3600 IN SOA plato.walkah.lab. walkah.walkah.net. (
2023091000 ; serial
7200 ; refresh (2 hours)
3600 ; retry (1 hour)
1209600 ; expire (2 weeks)
3600 ; minimum (1 hour)
)
socrates IN A 100.103.57.96
plato IN A 100.111.208.75
; aristotle
agent IN A 100.95.167.126
form IN A 100.87.220.71
matter IN A 100.126.255.109
purpose IN A 100.74.59.80
parthenon IN A 100.106.65.39
epicurus IN A 100.66.26.116

39
nix/modules/dev/default.nix Normal file
View File

@ -0,0 +1,39 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
# Cloud
awscli2
google-cloud-sdk
doppler
# Git / CI
drone-cli
mr
tea
# NodeJS
bun
nodejs
pnpm
# Golang
go
# k8s
chart-testing
k9s
kind
kubectl
kubernetes-helm
# Nix
cachix
nixd
nixf
nixpkgs-fmt
# My stuff
workon
];
}

46
nix/modules/drone/default.nix Normal file
View File

@ -0,0 +1,46 @@
{ pkgs, config, ... }: {
sops.secrets.drone = {
owner = "drone";
};
services = {
postgresql = {
ensureDatabases = [ "drone" ];
ensureUsers = [
{
name = "drone";
ensureDBOwnership = true;
}
];
};
postgresqlBackup.databases = [ "drone" ];
};
systemd.services.drone = {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
EnvironmentFile = [
config.sops.secrets.drone.path
];
Environment = [
"DRONE_GITEA_SERVER=https://walkah.dev"
"DRONE_DATABASE_DATASOURCE=postgres:///drone?host=/run/postgresql"
"DRONE_DATABASE_DRIVER=postgres"
"DRONE_SERVER_HOST=https://drone.walkah.dev"
"DRONE_SERVER_PORT=:3030"
"DRONE_SERVER_PROTO=https"
"DRONE_USER_CREATE=username:walkah,admin:true"
];
ExecStart = "${pkgs.drone}/bin/drone-server";
User = "drone";
Group = "drone";
};
};
users.users.drone = {
isSystemUser = true;
createHome = true;
group = "drone";
};
users.groups.drone = { };
}

17
nix/modules/drone/nginx.nix Normal file
View File

@ -0,0 +1,17 @@
_:
{
services.nginx = {
enable = true;
virtualHosts = {
"drone.walkah.dev" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://100.111.208.75:3030";
proxyWebsockets = true;
};
};
};
};
}

22
nix/modules/drone/runner-docker.nix Normal file
View File

@ -0,0 +1,22 @@
{ pkgs, config, ... }: {
systemd.services.drone-runner-docker = {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Environment = [
];
EnvironmentFile = [
config.sops.secrets.drone.path
];
ExecStart = "${pkgs.drone-runner-docker}/bin/drone-runner-docker";
User = "drone-runner-docker";
Group = "drone-runner-docker";
};
};
users.users.drone-runner-docker = {
isSystemUser = true;
group = "drone-runner-docker";
extraGroups = [ "docker" ];
};
users.groups.drone-runner-docker = { };
}

65
nix/modules/drone/runner-exec.nix Normal file
View File

@ -0,0 +1,65 @@
{ pkgs, config, ... }:
{
nix.settings.allowed-users = [ "drone-runner-exec" ];
systemd.services.drone-runner-exec = {
wantedBy = [ "multi-user.target" ];
# might break deployment
restartIfChanged = false;
confinement.enable = true;
confinement.packages = [
pkgs.git
pkgs.gnutar
pkgs.bash
pkgs.nix
pkgs.gzip
];
path = [
pkgs.git
pkgs.gnutar
pkgs.bash
pkgs.nix
pkgs.gzip
];
serviceConfig = {
Environment = [
"DRONE_RUNNER_CAPACITY=10"
"CLIENT_DRONE_RPC_HOST=127.0.0.1:3030"
"NIX_REMOTE=daemon"
"PAGER=cat"
];
BindPaths = [
"/nix/var/nix/daemon-socket/socket"
"/run/nscd/socket"
"/var/lib/drone"
];
BindReadOnlyPaths = [
"/etc/passwd:/etc/passwd"
"/etc/group:/etc/group"
"/nix/var/nix/profiles/system/etc/nix:/etc/nix"
"${config.environment.etc."ssl/certs/ca-certificates.crt".source}:/etc/ssl/certs/ca-certificates.crt"
"${config.environment.etc."ssh/ssh_known_hosts".source}:/etc/ssh/ssh_known_hosts"
"${
builtins.toFile "ssh_config" ''
Host eve.thalheim.io
ForwardAgent yes
''
}:/etc/ssh/ssh_config"
"/etc/machine-id"
# channels are dynamic paths in the nix store, therefore we need to bind mount the whole thing
"/nix/"
];
EnvironmentFile = [
config.sops.secrets.drone.path
];
ExecStart = "${pkgs.drone-runner-exec}/bin/drone-runner-exec";
User = "drone-runner-exec";
Group = "drone-runner-exec";
};
};
users.users.drone-runner-exec = {
isSystemUser = true;
group = "drone-runner-exec";
};
users.groups.drone-runner-exec = { };
}

57
nix/modules/gitea/default.nix Normal file
View File

@ -0,0 +1,57 @@
{ config, ... }:
let cfg = config.services.gitea;
in
{
users.users.git = {
description = "Gitea Service";
home = cfg.stateDir;
useDefaultShell = true;
group = "git";
isSystemUser = true;
};
users.groups.git = { };
services = {
gitea = {
enable = true;
user = "git";
appName = "walkah forge";
lfs.enable = true;
settings = {
log = { LEVEL = "Error"; };
other = { SHOW_FOOTER_VERSION = false; };
repository = { DEFAULT_BRANCH = "main"; };
server = {
DOMAIN = "walkah.dev";
HTTP_ADDR = "0.0.0.0";
HTTP_PORT = 8003;
ROOT_URL = "https://walkah.dev/";
SSH_DOMAIN = "git.walkah.dev";
};
service = { DISABLE_REGISTRATION = true; };
session = { COOKIE_SECURE = true; };
};
dump.enable = false;
database = {
createDatabase = false;
type = "postgres";
name = "gitea";
socket = "/run/postgresql";
user = "git";
};
};
postgresql = {
ensureDatabases = [ "gitea" ];
ensureUsers = [
{
name = "git";
}
];
};
postgresqlBackup.databases = [ "gitea" ];
};
}

20
nix/modules/gitea/nginx.nix Normal file
View File

@ -0,0 +1,20 @@
_:
{
services.nginx = {
enable = true;
virtualHosts = {
"walkah.dev" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://100.111.208.75:8003";
proxyWebsockets = true;
extraConfig = ''
client_max_body_size 0;
'';
};
};
};
};
}

17
nix/modules/home-assistant/nginx.nix Normal file
View File

@ -0,0 +1,17 @@
_:
{
services.nginx = {
enable = true;
virtualHosts = {
"hass.nerdhaus.ca" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://100.72.37.46:8123";
proxyWebsockets = true;
};
};
};
};
}

913231
nix/modules/ipfs/badbits.deny Normal file
View File

File diff suppressed because it is too large Load Diff

36
nix/modules/ipfs/cluster.nix Normal file
View File

@ -0,0 +1,36 @@
{ config, ... }:
{
imports = [
./default.nix
../../services/ipfs-cluster.nix
];
services = {
kubo = {
enable = true;
settings = {
Discovery = { MDNS = { Enabled = true; }; };
Swarm = {
AddrFilters = null;
ConnMgr = {
Type = "basic";
LowWater = 25;
HighWater = 50;
GracePeriod = "1m0s";
};
};
};
};
ipfs-cluster = {
enable = true;
consensus = "crdt";
secretFile = config.sops.secrets.ipfs-cluster-secret.path;
};
};
sops.secrets.ipfs-cluster-secret = {
owner = "ipfs";
};
}

25
nix/modules/ipfs/default.nix Normal file
View File

@ -0,0 +1,25 @@
_:
{
services = {
kubo = {
enable = true;
settings = {
Addresses = {
Announce = [ ];
API = "/ip4/0.0.0.0/tcp/5001";
Gateway = "/ip4/0.0.0.0/tcp/8080";
NoAnnounce = [ ];
Swarm = [
"/ip4/0.0.0.0/tcp/4001"
"/ip6/::/tcp/4001"
"/ip4/0.0.0.0/udp/4001/quic"
"/ip6/::/udp/4001/quic"
];
};
API = { HTTPHeaders = { Access-Control-Allow-Origin = [ "*" ]; }; };
Routing = { Type = "dht"; };
};
};
};
}

67
nix/modules/ipfs/gateway.nix Normal file
View File

@ -0,0 +1,67 @@
{ pkgs, ... }:
let
peers = [
{
ID = "12D3KooWMQSgdfa4tUrDhkFx4zP3ZpgT1ryj9KH5RGUae62Vsc7y";
Addrs = [ "/ip4/100.95.167.126/tcp/4001" ];
}
{
ID = "12D3KooWMqSiDukubKNKrK7J4PaF3mfNnZFVAd3Lh7qj3Y3e5bcN";
Addrs = [ "/ip4/100.87.220.71/tcp/4001" ];
}
{
ID = "12D3KooWGmNRyqP969QbyP8NLVRZNK2i6yCcP6N6N2r2DCG4H34v";
Addrs = [ "/ip4/100.126.255.109/tcp/4001" ];
}
{
ID = "12D3KooWFkR8nsG5pzffoAfMzmwBcSakXxnogVa6inRxUbpfN5ua";
Addrs = [ "/ip4/100.74.59.80/tcp/4001" ];
}
];
in
{
imports = [ ./default.nix ];
environment.systemPackages = with pkgs; [ ipfs-migrator ];
environment.etc = {
"ipfs/denylists/badbits.deny".source = ./badbits.deny;
};
networking.firewall = {
allowedTCPPorts = [ 4001 ];
allowedUDPPorts = [ 4001 ];
};
services = {
kubo = {
enable = true;
settings = {
Discovery = { MDNS = { Enabled = false; }; };
Peering = { Peers = peers; };
Swarm = { AddrFilters = null; };
};
};
nginx = {
# IPFS Gateway
virtualHosts."walkah.cloud" = {
forceSSL = true;
enableACME = true;
locations."/" = { proxyPass = "http://127.0.0.1:8080"; };
};
# Hosted Sites
virtualHosts."walkah.net" = {
forceSSL = true;
enableACME = true;
locations."/" = { proxyPass = "http://127.0.0.1:8080"; };
serverAliases = [
"www.walkah.net"
];
};
};
};
}

67
nix/modules/matrix/default.nix Normal file
View File

@ -0,0 +1,67 @@
{ config, pkgs, ... }:
{
environment.systemPackages = with pkgs; [
matrix-synapse-tools.synadm
];
services = {
postgresql = {
enable = true;
initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse";
CREATE DATABASE "matrix" WITH OWNER "matrix-synapse"
TEMPLATE template0
ENCODING 'UTF8'
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
};
postgresqlBackup.databases = [ "matrix" "matrix-syncv3" ];
matrix-synapse = {
enable = true;
settings = {
server_name = "walkah.chat";
public_baseurl = "https://matrix.walkah.chat";
enable_metrics = true;
enable_registration = false;
database = {
name = "psycopg2";
args = { database = "matrix"; };
};
listeners = [{
bind_addresses = [
"0.0.0.0"
];
port = 8008;
type = "http";
tls = false;
x_forwarded = true;
resources = [{
compress = false;
names = [ "client" "federation" ];
}];
}];
};
extraConfigFiles = [
config.sops.secrets.matrix-registration-secret.path
];
};
matrix-sliding-sync = {
enable = true;
settings = {
SYNCV3_SERVER = "https://matrix.walkah.chat";
SYNCV3_BINDADDR = "0.0.0.0:8088";
};
environmentFile = config.sops.secrets.matrix-sliding-sync-secret.path;
};
};
sops.secrets.matrix-registration-secret = {
owner = "matrix-synapse";
};
sops.secrets.matrix-sliding-sync-secret = { };
}

48
nix/modules/matrix/nginx.nix Normal file
View File

@ -0,0 +1,48 @@
{ pkgs, ... }:
{
services.nginx = {
enable = true;
virtualHosts = {
"matrix.walkah.chat" = {
forceSSL = true;
enableACME = true;
locations."/" = { proxyPass = "http://100.111.208.75:8008"; };
};
"syncv3.walkah.chat" = {
forceSSL = true;
enableACME = true;
locations."/" = { proxyPass = "http://100.111.208.75:8088"; };
};
"walkah.chat" = {
forceSSL = true;
enableACME = true;
locations = {
"= /.well-known/matrix/server".extraConfig =
let server = { "m.server" = "matrix.walkah.chat:443"; };
in
''
default_type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON server}';
'';
"= /.well-known/matrix/client".extraConfig =
let
client = {
"m.homeserver" = { "base_url" = "https://matrix.walkah.chat"; };
"org.matrix.msc3575.proxy" = { "url" = "https://syncv3.walkah.chat"; };
};
in
''
default_type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON client}';
'';
"/" = { root = pkgs.element-web; };
};
};
};
};
}

26
nix/modules/minecraft/default.nix Normal file
View File

@ -0,0 +1,26 @@
_: {
services.minecraft-server = {
enable = true;
eula = true;
declarative = true;
# see here for more info: https://minecraft.gamepedia.com/Server.properties#server.properties
serverProperties = {
server-port = 25565;
enable-query = true;
gamemode = "survival";
motd = "Vanilla Survival";
max-players = 20;
white-list = true;
};
# Grab UUIDs from https://mcuuid.net/
whitelist = {
walkahj = "7209094c-b3ef-4c89-b8cd-0aef7c1d57a6";
puffpuffpassion = "72e0d040-fa54-47e8-a6e7-162fdaa0cac5";
rafadoodle = "9a7c860e-e269-4c38-b2f7-ca5533c27e98";
camylamb = "c9fcbfa1-89da-4cf9-97fe-b9e5290a4eb4";
};
};
}

32
nix/modules/minecraft/proxy.nix Normal file
View File

@ -0,0 +1,32 @@
_:
let
dest_ip = "100.111.208.75";
dest_port = 25565;
in
{
networking = {
firewall = {
enable = true;
allowedTCPPorts = [ dest_port ];
};
nat = {
enable = true;
internalInterfaces = [ "tailscale0" ];
externalInterface = "eth0";
forwardPorts = [
{
sourcePort = dest_port;
proto = "tcp";
destination = "${dest_ip}:${toString dest_port}";
}
];
};
};
services = {
tailscale = {
useRoutingFeatures = "server";
extraUpFlags = [ "--stateful-filtering=false" ];
};
};
}

17
nix/modules/monitoring/default.nix Normal file
View File

@ -0,0 +1,17 @@
_:
{
services = {
prometheus = {
enable = true;
port = 9090;
exporters = {
node = {
enable = true;
enabledCollectors = [ "systemd" ];
port = 9100;
};
};
};
};
}

44
nix/modules/postgresql/default.nix Normal file
View File

@ -0,0 +1,44 @@
{ pkgs, config, ... }: {
services = {
postgresql = {
enable = true;
package = pkgs.postgresql_14;
};
postgresqlBackup = {
enable = true;
};
};
# Postgres upgrades: https://nixos.org/manual/nixos/stable/index.html#module-services-postgres-upgrading
environment.systemPackages = [
(
let
# XXX specify the postgresql package you'd like to upgrade to.
# Do not forget to list the extensions you need.
newPostgres = pkgs.postgresql_15;
in
pkgs.writeScriptBin "upgrade-pg-cluster" ''
set -eux
# XXX it's perhaps advisable to stop all services that depend on postgresql
systemctl stop postgresql
export NEWDATA="/var/lib/postgresql/${newPostgres.psqlSchema}"
export NEWBIN="${newPostgres}/bin"
export OLDDATA="${config.services.postgresql.dataDir}"
export OLDBIN="${config.services.postgresql.package}/bin"
install -d -m 0700 -o postgres -g postgres "$NEWDATA"
cd "$NEWDATA"
sudo -u postgres $NEWBIN/initdb -D "$NEWDATA"
sudo -u postgres $NEWBIN/pg_upgrade \
--old-datadir "$OLDDATA" --new-datadir "$NEWDATA" \
--old-bindir $OLDBIN --new-bindir $NEWBIN \
"$@"
''
)
];
}

6
nix/modules/sops/default.nix Normal file
View File

@ -0,0 +1,6 @@
{ sops-nix, ... }:
{
imports = [ sops-nix.nixosModules.sops ];
sops.defaultSopsFile = ../../secrets/secrets.yaml;
}

51
nix/modules/traefik/default.nix Normal file
View File

@ -0,0 +1,51 @@
{ config, ... }:
{
services.traefik = {
enable = true;
group = "docker";
environmentFiles = [
config.sops.secrets.traefik.path
];
staticConfigOptions = {
api = {
dashboard = true;
insecure = true;
};
certificatesResolvers = {
myresolver = {
acme = {
email = "walkah@walkah.net";
storage = "/var/lib/traefik/acme.json";
dnsChallenge = {
provider = "cloudflare";
};
};
};
};
entryPoints = {
web = {
address = ":80";
http = {
redirections = {
entryPoint = {
to = "websecure";
scheme = "https";
};
};
};
};
websecure = {
address = ":443";
};
};
providers = {
docker = { };
};
};
};
sops.secrets.traefik = {
owner = "traefik";
};
}

12
nix/nixos.nix
View File

@ -19,11 +19,11 @@ let
in
{
# Aristotle
agent = mkSystem "agent" [ ../hosts/aristotle/configuration.nix ];
form = mkSystem "form" [ ../hosts/aristotle/configuration.nix ];
matter = mkSystem "matter" [ ../hosts/aristotle/configuration.nix ];
purpose = mkSystem "purpose" [ ../hosts/aristotle/configuration.nix ];
agent = mkSystem "agent" [ ./hosts/aristotle/configuration.nix ];
form = mkSystem "form" [ ./hosts/aristotle/configuration.nix ];
matter = mkSystem "matter" [ ./hosts/aristotle/configuration.nix ];
purpose = mkSystem "purpose" [ ./hosts/aristotle/configuration.nix ];
plato = mkSystem "plato" [ ../hosts/plato/configuration.nix ];
socrates = mkSystem "socrates" [ ../hosts/socrates/configuration.nix ];
plato = mkSystem "plato" [ ./hosts/plato/configuration.nix ];
socrates = mkSystem "socrates" [ ./hosts/socrates/configuration.nix ];
}

1
nix/overlays/default.nix Normal file
View File

@ -0,0 +1 @@
_self: _super: { }

86
nix/secrets/secrets.yaml Normal file
View File

@ -0,0 +1,86 @@
matrix-registration-secret: ENC[AES256_GCM,data:Sn3pGBq4U3Tgw0pYaetnBLRiNdFGnMxAxyfrxhF9kFDMFijKSy9XBj71M5XxV4shYQyPvu2WDnPR1YvyoQVlv8cEoXhX7++JlYsp/2ZfKIzp4iMxh24z57Cw8vg=,iv:/zxlIeI9gWWCHbejYgz8pjjOrukKome0/bmcXuG3/yE=,tag:3fc3c96H3pO1FUO7p3T4gw==,type:str]
matrix-sliding-sync-secret: ENC[AES256_GCM,data:jZvU3VhOLhM7bU3DkITB+TXROcImaKCcqoECGVQ63fADVrs42mGwnzLeQ9HxI6jLCuNMLKm0juXslUATA51wP3ta0z/1KiwX7q2Fwj4D/w==,iv:BYn7DAcpFOeTQNz9KnkAMIppmypFTllPLfK35n7hB9A=,tag:K6+fSRkMdSOHvrb+spVI3w==,type:str]
ipfs-cluster-secret: ENC[AES256_GCM,data:fmZ1USrJlR8fbulr1Kn8LDkMl/c6OkIN5M5q4X0MLO77K8zPwTXm0+M8ZHfq36rnuxBV0gsTiYBn47DSQLaDkONOPuEu99EGuIYZ9qZQVaZ/RC12ej6bpHaaX3m3j48szOXwJdoyDWlP32ZFanMznO8+EwAz5ccNV03ck/Rh/qpq9pWt/QjNhqtAkwFkooGB0aWRdHlillsB/SGQJk/moweIQk3qz2Ya4cN21Cxfssd08TDacjNCUekIgZ/xuXV7j8dCV/qiAOJEfaHn,iv:bAEDTTeQvg+sE67nEuSZhxqJBZVXFRNIPOZGkPYy9dY=,tag:82eBLePaqu7tYu0MtefMOQ==,type:str]
drone: ENC[AES256_GCM,data:UKh2qyZq5eTiEpdbGve+fCQZzSx/j+wUv9eHT/ToU9b51rwA7XJQC4g3rvljBL9X7DFVVdsWOdG6y1eRGImdelJ5hwxa8oK5CBpaGLGjd9+Hm8SS+Q+PAFDW6fdsPtDDgK5jjykcIlJ7u9mjCffFsCGw3UWfHxnniCnIba9e499XU+VR6l96U3oGOsrr0XO/d2zwrOm3mvXQL1P3cE+se4/UDKrdABGfKWyGqZ9xgi6Q7PTSmRv4AtpwpgF1URBvPVqs6yoexWetksLv+Xk5H50EeucbMOA+oUSJ06fUMECFRF9thRrdUbtK,iv:CiZz6NSksNMGmZxWS7uE69O6UnvTkRWbeBwC1bUqR9o=,tag:qcLmseQgkjMVv2uNXPFHzw==,type:str]
traefik: ENC[AES256_GCM,data:SEjgraDDpdJnaOEZVi/0Vtr3J/jQ3zC2kZaMmMRKhRd77EkXC6eeSbOaORv30QSXcfipm8INT45TKZfRSdbnoV6XbgAqLyLmef3LkmMt+eA=,iv:bbns12ZiqeBha0eWEARMixFfPDHzF8PBjUEeEdkwf6Q=,tag:ft2k2CQk7VmfWiGhhyHVfQ==,type:str]
akkoma-secret-key-base: ENC[AES256_GCM,data:OQBGkyjhDeNz40bBMMqLU7S6s4r6CtatOxJ5RNdba5m5NQO+JJ5/sEuOjJrJ29oRGjHFYwmUcAB9vptWdGZdcA==,iv:oYh9fh12cNYJOgC8DAxyYxw8dp1Fmd1CijNpgmn/AV8=,tag:E9W/5TWPjIgjE3o/QAky0A==,type:str]
akkoma-signing-salt: ENC[AES256_GCM,data:KtOdcHM8XLY=,iv:RXvLlSyPzK6HYFxwyKEnDw1llmfNC5ambqvGiAkVxnA=,tag:LLna293WAYoBlr0j3U6zkg==,type:str]
akkoma-vapid-private-key: ENC[AES256_GCM,data:D8Dh53yOgKrcsttJ36xyV1locXBV2BB2EG/rOfIctCbOItdsodtpMCAwRg==,iv:xzheaTo0b3szYGvZmc3ucPi9lYXJStznAUyWNQ9TATE=,tag:tHV5DUFuvq2F9yRFmHrQXQ==,type:str]
akkoma-vapid-public-key: ENC[AES256_GCM,data:HnUAyTq7dwa+A9L1X3YyxkiJ71BoZis5TdEPHJZkFRoiU5ZYu21xJW4R1H8xsCUDTaFTKLzdSNImVStIg1A+ex6UXLvsJwqM55P8ZnUm87V5KIsCimEm,iv:vVNoYubajEgqZIg6j9k6HjY/j4ib8A7MHGWPrJnkpCw=,tag:GBr2z4EGbn5vmFMWtY013w==,type:str]
akkoma-joken-signer: ENC[AES256_GCM,data:6GbXC7teDXxr0z7eBLm9EvJv59Bvd1FqRuBGntAH9YzM79MVUMsx4JnCZ+bPR9hLiIVgITeAc5djk2tiJewh6w==,iv:q7A8f7kocb1Go7acFkVSxdmhObPxpGlfbPgfrOXHEjg=,tag:lS4UNS1ivVZdmm8AMS/1MQ==,type:str]
filesystems-parthenon: ENC[AES256_GCM,data:dYO+QjvWhR3oXrDfAEaUvTLx147NIDFcPUa7p3Jv558ynqmmEnVZ3+fVMUQVIw==,iv:ASmXqNA8/TZvSRo31CFAzt6StsZzZpVFvz15LN5+QmQ=,tag:Wx6kDCXqZ1iSmxpggBKVxA==,type:str]
upsmon: ENC[AES256_GCM,data:Rlqkhh7w8S9jD3mwUdkt3g==,iv:hiMkbAhea1f6r5gGTRw49ebepMtTYBVyH+bHwp/T61Q=,tag:cbaxIDuD4JNeCC5MiMGl6w==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age16yv7atd8n880ja98pksqqvunu2yw00660lkh4n0sg39j5vt3dujshyu95j
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPZlFKbFY4YjNnN3hhNTNw
V1N0ZVh6ZDJrSng4M1pBMWxqZTJmcUJLWUdNCm55K2RpVSs0NHNGK1F4K28xTk9q
UHVESitPSEs2eEZCT3RreWpVam80ZmMKLS0tIHJ4Q3pHOFVTOStBUGprR0FvRHhl
VzhmT3BzYy8veHhaZUtUSmxCZDh5V1kKsjFBNoqtUD44d8ImP/DcvS+gBkQJi/Vt
0NlkRRhWndFGss6gkcf7aIObHw9kAlU6RsspJt5Wte6ZLHj3eATkfA==
-----END AGE ENCRYPTED FILE-----
- recipient: age12m47c7xvqttncps0e79pwamzqa4nmnxekwumtwcv5ju6q74fufaqp9d0xh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTbVlQY1kzb3RxZG90RWlG
eUNBZlZPNUhEZXBqcFFUdTVXWUgyOFllMjB3Cm9lS09tdXZuYmpzUWJDSnI1OTlG
NDBlcWFBSDg3UnB2YVlMRUduTXZsaUUKLS0tIFkwTWxRNnVER3g1VVYzbURKM2ha
b09tcStFNWlrRVdBSFhZMVRaYkFGSE0KeHfPNNADsP6v0H9PihaKEDXWjun8ORsb
uQKLTz8wKTUk8JIFfY1g5iUqNxG+XvOQrSx/8Cepz+h/2sn3sAcaXw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1vc8svd5277rjkgzg7frf04uaa45w3crhfvg628rqyrqmxul3q9nsjz6yxk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuWFYzS1B1NVZBZDFNTXRv
TS9EOUd5Umw2c2pmUmhzb0ViUUsrZTBNQ0JnClZvajN4ODNYME11aXFiSmxZUlV3
eDlhTWFxSkF1UWlGVS9jZkk2SmlsKzQKLS0tIGE0TmNucGNiV2VJV1FnZmw4TEJy
aHpTLzdFeGZ6MVkzTmRjZit0U1I0Zk0Kd6DJlpqsqwwlAXC8Tl0AhijCQ8gHtFwX
VeTC0PsUdMxEoTq3mg4aM0M5AML4txDKRpFH4XkH9G6lgU9hNebXUA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ulmzprdmcd8r0w47a0nrrlg8melkjk6evl2rc54yh6lxkcfas36q6wrsv9
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyS21pT3U4R3pjU255QVdV
NXgrTDhVT3IvVVQ4N051TkdFT3NJMWozRFhvCnloNmRROTdMZHpkSDB6L25vVWlX
RWNTM2czYmNKcUI5NTVZdmwvRWhmQ00KLS0tIElJTmI4aC9xVHk4dHF4cWtEQ0RQ
VTJzUUtIaklZVVVNS3JLOWZSbXJYWDgKHcnC1EQ9qSfCgnoNPUa1/fTWJd8zhSAA
+5aMUt6Ff4FF3I3e+CIbbTHZdpjgLoO3BgAYFMwn7iImjGDYTuSHQA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1lfjkch3pqaq3uwmjxyucpm2tws6llxqqjglj4yn49jkwkf50xvmqrl974e
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiR1JnZzhpQzdYTll5cFhQ
em83Zjh0TjhIZmhRd3hHTVkwendPNzFNMUZJClNqb08vQjVTdjgvblN2YTJsOGZM
VU1udXh1NmFOS284ZFJQanNQN1JGbUkKLS0tICtla1RRdHo0TE54bm1YUGJ0R3Jw
WTdQMXdFMFJidTFyY3o3a080MUU0c3MKtG/7ruQyF9g++O3YHAhJO8MzflCtjYw3
HgzCF68X14ow/47/oKOPjlM19L8lO4a/sDtQ5RevDWn/+RQLY8mUlQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1jnf94uq5ap96vk7nfk3qkr38ylhletc6pskj0ypc470d7gmt0qeqskdy5z
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPKzB6a0pyUTRWeExLaUFu
NzlsaEFDNFdkUFZQbmFiTDRObFIrZjBmd1dnCnBqa2l5N01CZ3Voay9vTTgyRmtk
V0JYM3NwVVlBVWwxS2o1QVpKSE9SRk0KLS0tIGNaWGxoczh0UG4wOGY1azlnWEtm
VGh2SVVSMDh5VnBoOWc1Mi92R1hPLzAKaCkUGHbc1rR6vMZX97cqH4OLhyM+MmMc
jPJ2pbrmdZwjHmBVhZUHb+Ow8x8lyERW6Z1mbr1F6eEd5of6dVJ23w==
-----END AGE ENCRYPTED FILE-----
- recipient: age12wakcnv487c5rkgv7z6umzywrqwcy6dgguq0dug6lxp64scjsq6sspkmgz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4UzQ0OFBPZ1BFY0VGSHNF
V0tpTFZIdkVtbHE2RkVSZ2lqYi95eGwzbW5jCm9BS0tLZDhwRGhIRExNTjVvVDNy
RzUwWmdBMEUyMUpQSWhKK21ZWUNPeEUKLS0tIG9KdlpXaDFLckVhVlBQaWJxeVJm
dFZacUhiZDFxK0xZMDJJeCtQUmtuSGcKVz2TOsyw5F4mpFgbZnkWPjQPB7nSKkzd
96r8RHs8CrlSpBUP6TG6Q+Tz77G1XIgcZrN9EVyYCQB7zOukIdZ5zw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-08-25T17:15:30Z"
mac: ENC[AES256_GCM,data:ZvvD8D4Lv3vbz4Le5/aUjlRbKA3Iqr7f6hSPBRg7t4+3ohBkOn1HMV8UjXUt8ixnUBTAw4/FfT0nzGKB9p2dzRGif8mPB85y//ZPUfQ6DDfUp7gZkMlo5Dnr2rvNQDoFH3bb+L99UDqh9UYUp3SkGnR0VXF1TfUOoCfu0hfzzDo=,iv:onc7AXgH9K6Qxjur6MBRdCdtJcrP6TGtTNdZll9grrQ=,tag:7PjPlc4W4Xrk3M1WckXoqg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0

120
nix/services/ipfs-cluster.nix Normal file
View File

@ -0,0 +1,120 @@
## From https://github.com/NixOS/nixpkgs/pull/100871
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.ipfs-cluster;
# secret is by envvar, not flag
initFlags = toString [
(optionalString (cfg.initPeers != [ ]) "--peers")
(lib.strings.concatStringsSep "," cfg.initPeers)
];
in
{
###### interface
options = {
services.ipfs-cluster = {
enable = mkEnableOption
"Pinset orchestration for IPFS - requires ipfs daemon to be useful";
user = mkOption {
type = types.str;
default = "ipfs";
description = "User under which the ipfs-cluster daemon runs.";
};
group = mkOption {
type = types.str;
default = "ipfs";
description = "Group under which the ipfs-cluster daemon runs.";
};
consensus = mkOption {
type = types.enum [ "raft" "crdt" ];
description = "Consensus protocol - 'raft' or 'crdt'. https://cluster.ipfs.io/documentation/guides/consensus/";
};
dataDir = mkOption {
type = types.str;
default = "/var/lib/ipfs-cluster";
description = "The data dir for ipfs-cluster.";
};
initPeers = mkOption {
type = types.listOf types.str;
default = [ ];
description = "Peer addresses to initialize with on first run.";
};
openSwarmPort = mkOption {
type = types.bool;
description = "Open swarm port, secured by the cluster secret. This does not expose the API or proxy. https://cluster.ipfs.io/documentation/guides/security/";
};
secretFile = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
File containing the cluster secret in the format of EnvironmentFile as described by
<citerefentry><refentrytitle>systemd.exec</refentrytitle>
<manvolnum>5</manvolnum></citerefentry>. For example:
<programlisting>
CLUSTER_SECRET=<replaceable>...</replaceable>
</programlisting>
if null, a new secret will be generated on first run.
A secret in the correct format can also be generated by: openssl rand -hex 32
'';
};
};
};
###### implementation
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.ipfs-cluster ];
systemd = {
tmpfiles.rules =
[ "d '${cfg.dataDir}' - ${cfg.user} ${cfg.group} - -" ];
services.ipfs-cluster-init = {
path = [ "/run/wrappers" pkgs.ipfs-cluster ];
environment.IPFS_CLUSTER_PATH = cfg.dataDir;
wantedBy = [ "default.target" ];
serviceConfig = {
# "" clears exec list (man systemd.service -> execStart)
ExecStart = [
""
"${pkgs.ipfs-cluster}/bin/ipfs-cluster-service init --consensus ${cfg.consensus} ${initFlags}"
];
Type = "oneshot";
RemainAfterExit = true;
User = cfg.user;
Group = cfg.group;
} // optionalAttrs (cfg.secretFile != null) {
EnvironmentFile = cfg.secretFile;
};
unitConfig.ConditionDirectoryNotEmpty = "!${cfg.dataDir}";
};
services.ipfs-cluster = {
environment.IPFS_CLUSTER_PATH = cfg.dataDir;
wantedBy = [ "multi-user.target" ];
wants = [ "ipfs-cluster-init.service" ];
after = [ "ipfs-cluster-init.service" ];
serviceConfig = {
ExecStart =
[ "" "${pkgs.ipfs-cluster}/bin/ipfs-cluster-service daemon" ];
User = cfg.user;
Group = cfg.group;
} // optionalAttrs (cfg.secretFile != null) {
EnvironmentFile = cfg.secretFile;
};
};
};
networking.firewall.allowedTCPPorts = mkIf cfg.openSwarmPort [ 9094 9096 ];
};
}

5
nix/users/default.nix Normal file
View File

@ -0,0 +1,5 @@
{ ... }:
{
imports = [ ./walkah.nix ];
}

18
nix/users/walkah.nix Normal file
View File

@ -0,0 +1,18 @@
{ pkgs, dotfiles, ... }:
{
users.users.walkah = {
isNormalUser = true;
shell = pkgs.zsh;
extraGroups = [ "wheel" "docker" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ0mE4MyMnfd1b2nlBJT7kpZ6Vov+ILuGNfzdp5ZBNQe walkah@walkah.net"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM8YMax7PGIrcPNIHkpuNRFgn3HJK6Wepm+ycZWO6jfR walkah@walkah-ipadpro11"
];
};
home-manager = {
useGlobalPkgs = true;
useUserPackages = true;
users.walkah = import "${dotfiles}/home.nix";
};
}