move hosts into a submodule
parent
1557612209
commit
b1c275ad64
12 changed files with 4 additions and 508 deletions
3
.gitmodules
vendored
3
.gitmodules
vendored
|
@ -5,3 +5,6 @@
|
|||
[submodule "secrets"]
|
||||
path = secrets
|
||||
url = git@git.cherrykitten.dev:sammy/secret-store
|
||||
[submodule "hosts"]
|
||||
path = hosts
|
||||
url = git@git.cherrykitten.dev:sammy/nix-hosts
|
||||
|
|
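Review bot: The new `[submodule "hosts"]` entry sets only `path` and an SSH `url`, with no `branch`, so `git submodule update --remote` will follow the remote's default branch, and any checkout without an SSH key for git.cherrykitten.dev (CI, HTTPS clones, a fresh `nix flake` evaluation if this repo is a flake, which the removed files' `inputs`/`pkgs-unstable` arguments suggest) cannot fetch the host configs at all. If that is the intent, a comment in `.gitmodules` would save the next reader a failed clone, e.g. `# hosts: private repo, requires SSH access to git.cherrykitten.dev`; otherwise consider an HTTPS URL or a `branch = ` line. Also note that the host files deleted in the sections below stay in this repository's history, so moving them out does not by itself remove the internal addresses, MAC addresses and disk identifiers they contain from this repo.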
1
hosts
Submodule
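--- a/hosts
+++ b/hosts
@@ -0,0 +1 @@
+Subproject commit f75c0b5d2238ad0d2c792328f8bae07a6157170e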
|
@ -1,16 +0,0 @@
|
|||
{ ... }: {
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
../../profiles/desktop
|
||||
];
|
||||
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
|
||||
networking.networkmanager.enable = true;
|
||||
|
||||
services.printing.enable = true;
|
||||
|
||||
hardware.pulseaudio.enable = true;
|
||||
|
||||
system.stateVersion = "23.11"; # Did you read the comment?
|
||||
}
|
|
@ -1,34 +0,0 @@
|
|||
{ config, lib, modulesPath, ... }: {
|
||||
imports = [
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ "kvm-amd" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" = {
|
||||
device = "/dev/disk/by-uuid/7a713df7-7027-4ae6-b1a3-839dda62dcbc";
|
||||
fsType = "btrfs";
|
||||
};
|
||||
|
||||
boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/fbd8d597-8cdb-4c6b-9fa0-b05f4cbfce86";
|
||||
|
||||
fileSystems."/boot" = {
|
||||
device = "/dev/disk/by-uuid/B4A7-702B";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
swapDevices = [{ device = "/dev/disk/by-uuid/8cca600e-735e-4486-92e3-01ff6c0b7599"; }];
|
||||
|
||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||
# still possible to use this option, but it's recommended to use it in conjunction
|
||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||
}
|
|
@ -1,85 +0,0 @@
|
|||
{ pkgs, ... }: {
|
||||
imports = [
|
||||
../../profiles/desktop
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
||||
networking.wireless.iwd.enable = true;
|
||||
|
||||
# Enable CUPS to print documents.
|
||||
services.printing.enable = true;
|
||||
|
||||
users.users.sammy.packages = with pkgs; [
|
||||
picard
|
||||
];
|
||||
|
||||
home-manager.users.sammy.programs.ssh.includes = [
|
||||
"./famedly-config"
|
||||
];
|
||||
home-manager.users.sammy.programs.git.includes = [
|
||||
{
|
||||
path = "~/famedly/.gitconfig";
|
||||
condition = "gitdir:~/famedly/";
|
||||
}
|
||||
];
|
||||
|
||||
fileSystems."/mnt/Media" = {
|
||||
device = "192.168.0.3:/mnt/user/Media";
|
||||
fsType = "nfs";
|
||||
options = [ "x-systemd.automount" "noauto" "x-systemd.idle-timeout=600" "noatime" ]; # disconnects after 10 minutes (i.e. 600 seconds)
|
||||
};
|
||||
|
||||
system.stateVersion = "23.11"; # Did you read the comment?
|
||||
|
||||
# Famedly compliance foo - stolen from evelyn :3
|
||||
|
||||
systemd.user.services.usbguard-notifier.enable = true;
|
||||
|
||||
services.clamav = {
|
||||
daemon = {
|
||||
enable = true;
|
||||
};
|
||||
updater = {
|
||||
enable = true;
|
||||
frequency = 24;
|
||||
interval = "hourly";
|
||||
};
|
||||
};
|
||||
|
||||
deployment.keys."osquery-secret.txt" = {
|
||||
keyCommand = [ "pass" "work/osquery-secret" ];
|
||||
|
||||
destDir = "/etc/osquery/";
|
||||
uploadAt = "pre-activation";
|
||||
};
|
||||
|
||||
services.osquery = {
|
||||
enable = true;
|
||||
flags = {
|
||||
tls_hostname = "fleet.famedly.de";
|
||||
host_identifier = "instance";
|
||||
enroll_secret_path = "/etc/osquery/osquery-secret.txt";
|
||||
enroll_tls_endpoint = "/api/osquery/enroll";
|
||||
config_plugin = "tls";
|
||||
config_tls_endpoint = "/api/v1/osquery/config";
|
||||
config_refresh = "10";
|
||||
disable_distributed = "false";
|
||||
distributed_plugin = "tls";
|
||||
distributed_interval = "10";
|
||||
distributed_tls_max_attempts = "3";
|
||||
distributed_tls_read_endpoint = "/api/v1/osquery/distributed/read";
|
||||
distributed_tls_write_endpoint = "/api/v1/osquery/distributed/write";
|
||||
logger_plugin = "tls";
|
||||
logger_tls_endpoint = "/api/v1/osquery/log";
|
||||
logger_tls_period = "10";
|
||||
disable_carver = "false";
|
||||
carver_start_endpoint = "/api/v1/osquery/carve/begin";
|
||||
carver_continue_endpoint = "/api/v1/osquery/carve/block";
|
||||
carver_block_size = "2000000";
|
||||
tls_server_certs = "/etc/ssl/certs/ca-certificates.crt";
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,76 +0,0 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/a3e601e7-7005-4513-8dff-748d9f384646";
|
||||
fsType = "btrfs";
|
||||
options = [ "subvol=root" ];
|
||||
};
|
||||
|
||||
boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/73e8faf4-a250-4edb-9583-a16dcfff621b";
|
||||
boot.initrd.luks.devices."swap".device = "/dev/disk/by-uuid/4bd4ac67-74a8-4a67-b5eb-e8ebf814d5d7";
|
||||
|
||||
fileSystems."/home" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/a3e601e7-7005-4513-8dff-748d9f384646";
|
||||
fsType = "btrfs";
|
||||
options = [ "subvol=home" ];
|
||||
};
|
||||
|
||||
fileSystems."/nix" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/a3e601e7-7005-4513-8dff-748d9f384646";
|
||||
fsType = "btrfs";
|
||||
options = [ "subvol=nix" ];
|
||||
};
|
||||
|
||||
fileSystems."/persist" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/a3e601e7-7005-4513-8dff-748d9f384646";
|
||||
fsType = "btrfs";
|
||||
options = [ "subvol=persist" ];
|
||||
};
|
||||
|
||||
fileSystems."/var/log" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/a3e601e7-7005-4513-8dff-748d9f384646";
|
||||
fsType = "btrfs";
|
||||
options = [ "subvol=log" ];
|
||||
neededForBoot = true;
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/6891-5A39";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
swapDevices =
|
||||
[{ device = "/dev/disk/by-uuid/65f4c4dd-57e7-4709-a017-2277874d3917"; }];
|
||||
|
||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||
# still possible to use this option, but it's recommended to use it in conjunction
|
||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.wlp0s20f3.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.wwp0s20f0u2.useDHCP = lib.mkDefault true;
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||
}
|
|
@ -1,61 +0,0 @@
|
|||
{ lib, config, ... }: {
|
||||
imports = [
|
||||
./gotosocial.nix
|
||||
../../profiles/hcloud
|
||||
./website.nix
|
||||
];
|
||||
fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
|
||||
fileSystems."/mnt/gts" = { device = "/dev/sdb1"; fsType = "ext4"; };
|
||||
services.restic.backups.default.paths = ["/mnt/gts"];
|
||||
cherrykitten.backups.enable = true;
|
||||
cherrykitten.network = {
|
||||
public_IPv4 = "128.140.109.125";
|
||||
public_IPv6 = "2a01:4f8:c2c:bd32::1";
|
||||
internal_IPv4 = "10.69.0.5";
|
||||
internal_IPv6 = "fe80::8400:ff:fe8e:470d";
|
||||
};
|
||||
cherrykitten.prometheus.client.enable = true;
|
||||
|
||||
networking = {
|
||||
nameservers = [
|
||||
"8.8.8.8"
|
||||
];
|
||||
defaultGateway = "172.31.1.1";
|
||||
defaultGateway6 = {
|
||||
address = "fe80::1";
|
||||
interface = "eth0";
|
||||
};
|
||||
dhcpcd.enable = false;
|
||||
usePredictableInterfaceNames = lib.mkForce false;
|
||||
interfaces = {
|
||||
eth0 = {
|
||||
ipv4.addresses = [
|
||||
{ address = config.cherrykitten.network.public_IPv4; prefixLength = 32; }
|
||||
];
|
||||
ipv6.addresses = [
|
||||
{ address = config.cherrykitten.network.public_IPv6; prefixLength = 64; }
|
||||
];
|
||||
ipv4.routes = [{ address = "172.31.1.1"; prefixLength = 32; }];
|
||||
ipv6.routes = [{ address = "fe80::1"; prefixLength = 128; }];
|
||||
};
|
||||
eth1 = {
|
||||
ipv4.addresses = [
|
||||
{ address = config.cherrykitten.network.internal_IPv4; prefixLength = 32; }
|
||||
];
|
||||
ipv6.addresses = [
|
||||
{ address = config.cherrykitten.network.internal_IPv6; prefixLength = 64; }
|
||||
];
|
||||
ipv4.routes = [
|
||||
{ address = "10.69.0.1"; prefixLength = 32; }
|
||||
{ address = "10.69.0.0"; prefixLength = 24; via = "10.69.0.1"; }
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
services.udev.extraRules = ''
|
||||
ATTR{address}=="96:00:03:24:67:7a", NAME="eth0"
|
||||
ATTR{address}=="86:00:00:8e:47:0d", NAME="eth1"
|
||||
'';
|
||||
|
||||
system.stateVersion = "23.11";
|
||||
}
|
|
@ -1,57 +0,0 @@
|
|||
{ ... }:
|
||||
let
|
||||
bind-address = "127.0.0.1";
|
||||
host = "cherrykitten.gay";
|
||||
port = 8553;
|
||||
in
|
||||
{
|
||||
services.gotosocial = {
|
||||
enable = true;
|
||||
setupPostgresqlDB = true;
|
||||
settings = {
|
||||
inherit bind-address host port;
|
||||
application-name = "CherryKitten";
|
||||
landing-page-user = "sammy";
|
||||
|
||||
instance-expose-suspended = true;
|
||||
instance-expose-suspended-web = true;
|
||||
accounts-registration-open = false;
|
||||
|
||||
media-image-max-size = 41943040;
|
||||
media-video-max-size = 83886080;
|
||||
media-description-max-chars = 3000;
|
||||
media-remote-cache-days = 14;
|
||||
media-emoji-local-max-size = 204800;
|
||||
media-emoji-remote-max-size = 204800;
|
||||
|
||||
statuses-max-chars = 69420;
|
||||
statuses-cw-max-chars = 200;
|
||||
statuses-poll-max-options = 10;
|
||||
statuses-poll-option-max-chars = 150;
|
||||
statuses-media-max-files = 16;
|
||||
|
||||
storage-backend = "local";
|
||||
storage-local-base-path = "/mnt/gts";
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
clientMaxBodySize = "80M";
|
||||
virtualHosts = {
|
||||
"${host}" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations = {
|
||||
"/" = {
|
||||
recommendedProxySettings = true;
|
||||
proxyWebsockets = true;
|
||||
proxyPass = "http://${bind-address}:${toString port}";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
@ -1,17 +0,0 @@
|
|||
{ inputs, ... }: {
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts = {
|
||||
"cherrykitten.dev" = {
|
||||
extraConfig = "error_page 404 /404.html;";
|
||||
addSSL = true;
|
||||
enableACME = true;
|
||||
locations = {
|
||||
"/" = {
|
||||
root = "${inputs.cherrykitten-website.packages.x86_64-linux.website}/var/www/cherrykitten.dev";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,65 +0,0 @@
|
|||
{ lib, config, ... }: {
|
||||
imports = [ ../../profiles/hcloud ];
|
||||
|
||||
fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
|
||||
cherrykitten.backups.enable = true;
|
||||
cherrykitten.prometheus = {
|
||||
server.enable = true;
|
||||
client.enable = true;
|
||||
};
|
||||
cherrykitten.grafana = {
|
||||
enable = true;
|
||||
hostname = "graph.cherrykitten.dev";
|
||||
};
|
||||
cherrykitten.network = {
|
||||
public_IPv4 = "116.203.116.228";
|
||||
public_IPv6 = "2a01:4f8:1c1b:5db9::1";
|
||||
internal_IPv4 = "10.69.0.2";
|
||||
internal_IPv6 = "fe80::8400:ff:fe8e:e0a0";
|
||||
};
|
||||
|
||||
networking = {
|
||||
nameservers = [
|
||||
"2a01:4ff:ff00::add:2"
|
||||
"2a01:4ff:ff00::add:1"
|
||||
"185.12.64.2"
|
||||
];
|
||||
defaultGateway = "172.31.1.1";
|
||||
defaultGateway6 = {
|
||||
address = "fe80::1";
|
||||
interface = "eth0";
|
||||
};
|
||||
dhcpcd.enable = false;
|
||||
usePredictableInterfaceNames = lib.mkForce false;
|
||||
interfaces = {
|
||||
eth0 = {
|
||||
ipv4.addresses = [
|
||||
{ address = config.cherrykitten.network.public_IPv4; prefixLength = 32; }
|
||||
];
|
||||
ipv6.addresses = [
|
||||
{ address = config.cherrykitten.network.public_IPv6; prefixLength = 64; }
|
||||
];
|
||||
ipv4.routes = [{ address = "172.31.1.1"; prefixLength = 32; }];
|
||||
ipv6.routes = [{ address = "fe80::1"; prefixLength = 128; }];
|
||||
};
|
||||
ens10 = {
|
||||
ipv4.addresses = [
|
||||
{ address = config.cherrykitten.network.internal_IPv4; prefixLength = 32; }
|
||||
];
|
||||
ipv6.addresses = [
|
||||
{ address = config.cherrykitten.network.internal_IPv6; prefixLength = 64; }
|
||||
];
|
||||
ipv4.routes = [
|
||||
{ address = "10.69.0.1"; prefixLength = 32; }
|
||||
{ address = "10.69.0.0"; prefixLength = 24; via = "10.69.0.1"; }
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
services.udev.extraRules = ''
|
||||
ATTR{address}=="96:00:03:60:ec:55", NAME="eth0"
|
||||
ATTR{address}=="86:00:00:8e:e0:a0", NAME="ens10"
|
||||
'';
|
||||
|
||||
system.stateVersion = "23.11";
|
||||
}
|
|
@ -1,52 +0,0 @@
|
|||
# Edit this configuration file to define what should be installed on
|
||||
# your system. Help is available in the configuration.nix(5) man page, on
|
||||
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
|
||||
|
||||
{ pkgs, pkgs-unstable, lib, inputs, ... }: {
|
||||
imports = [
|
||||
../../profiles/desktop
|
||||
./hardware-configuration.nix
|
||||
inputs.nixos-hardware.nixosModules.framework-16-7040-amd
|
||||
];
|
||||
|
||||
services.hardware.bolt.enable = true;
|
||||
cherrykitten.impermanence.enable = true;
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
||||
networking.wireless.iwd.enable = true;
|
||||
|
||||
fileSystems."/mnt/Media" = {
|
||||
device = "192.168.0.3:/mnt/user/Media";
|
||||
fsType = "nfs";
|
||||
options = [ "x-systemd.automount" "noauto" "x-systemd.idle-timeout=600" "noatime" ]; # disconnects after 10 minutes (i.e. 600 seconds)
|
||||
};
|
||||
|
||||
# Enable CUPS to print documents.
|
||||
services.printing.enable = true;
|
||||
|
||||
services.fwupd.enable = true;
|
||||
|
||||
services.xserver.xkb.layout = lib.mkForce "us";
|
||||
|
||||
users.users.sammy.packages = with pkgs; [
|
||||
picard
|
||||
discord
|
||||
inkscape
|
||||
pkgs-unstable.osu-lazer-bin
|
||||
];
|
||||
|
||||
programs.steam = {
|
||||
enable = true;
|
||||
};
|
||||
|
||||
hardware.steam-hardware.enable = true;
|
||||
services.usbmuxd.enable = true;
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
libimobiledevice
|
||||
ifuse # optional, to mount using 'ifuse'
|
||||
];
|
||||
|
||||
system.stateVersion = "24.05"; # Did you read the comment?
|
||||
}
|
|
@ -1,45 +0,0 @@
|
|||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usbhid" "uas" "sd_mod" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ "kvm-amd" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{
|
||||
device = "none";
|
||||
fsType = "tmpfs";
|
||||
options = [ "defaults" "size=50%" "mode=755" ];
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/7BD4-96D5";
|
||||
fsType = "vfat";
|
||||
options = [ "fmask=0022" "dmask=0022" ];
|
||||
};
|
||||
|
||||
fileSystems."/nix" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/b1377283-89a6-434b-8315-60314dcd56ab";
|
||||
fsType = "btrfs";
|
||||
neededForBoot = true;
|
||||
};
|
||||
|
||||
boot.initrd.luks.devices."nix".device = "/dev/disk/by-uuid/51f9bf11-5b38-4753-b927-2ff3e01dd5e0";
|
||||
boot.initrd.luks.devices."swap".device = "/dev/disk/by-uuid/2c2f9f9d-0eca-4375-b284-108564c48af8";
|
||||
|
||||
swapDevices =
|
||||
[{ device = "/dev/mapper/swap"; }];
|
||||
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||
}
|