From 65c2b30a288385cf3df4027d50080ac595bbcf83 Mon Sep 17 00:00:00 2001
From: Ben Sima <ben@bsima.me>
Date: Thu, 2 Apr 2020 23:45:04 -0700
Subject: Reorganize and comment some of the nix code

---
 Com/Simatime/Cloud/chat.nix        | 100 +++++++++++++++++
 Com/Simatime/Cloud/git.nix         |  18 ++++
 Com/Simatime/Cloud/hardware.nix    |   6 ++
 Com/Simatime/Cloud/mail.nix        |  43 ++++++++
 Com/Simatime/Cloud/networking.nix  |  36 +++++++
 Com/Simatime/Cloud/web.nix         |  41 +++++++
 Com/Simatime/Cloud/znc.nix         |  66 ++++++++++++
 Com/Simatime/Dev/configuration.nix | 203 ++++++++++++++++++++++++++++++++++
 Com/Simatime/Dev/hardware.nix      |  34 ++++++
 Com/Simatime/buildOS.nix           |   5 +-
 Com/Simatime/chat.nix              | 100 -----------------
 Com/Simatime/dev/configuration.nix | 215 -------------------------------------
 Com/Simatime/dev/hardware.nix      |  34 ------
 Com/Simatime/git.nix               |  18 ----
 Com/Simatime/hardware.nix          |   6 --
 Com/Simatime/mail.nix              |  43 --------
 Com/Simatime/networking.nix        |  37 -------
 Com/Simatime/users.nix             |  61 ++++++-----
 Com/Simatime/web.nix               |  41 -------
 Com/Simatime/znc.nix               |  66 ------------
 20 files changed, 584 insertions(+), 589 deletions(-)
 create mode 100644 Com/Simatime/Cloud/chat.nix
 create mode 100644 Com/Simatime/Cloud/git.nix
 create mode 100644 Com/Simatime/Cloud/hardware.nix
 create mode 100644 Com/Simatime/Cloud/mail.nix
 create mode 100644 Com/Simatime/Cloud/networking.nix
 create mode 100644 Com/Simatime/Cloud/web.nix
 create mode 100644 Com/Simatime/Cloud/znc.nix
 create mode 100644 Com/Simatime/Dev/configuration.nix
 create mode 100644 Com/Simatime/Dev/hardware.nix
 delete mode 100644 Com/Simatime/chat.nix
 delete mode 100644 Com/Simatime/dev/configuration.nix
 delete mode 100644 Com/Simatime/dev/hardware.nix
 delete mode 100644 Com/Simatime/git.nix
 delete mode 100644 Com/Simatime/hardware.nix
 delete mode 100644 Com/Simatime/mail.nix
 delete mode 100644 Com/Simatime/networking.nix
 delete mode 100644 Com/Simatime/web.nix
 delete mode 100644 Com/Simatime/znc.nix


diff --git a/Com/Simatime/Cloud/chat.nix b/Com/Simatime/Cloud/chat.nix
new file mode 100644
index 0000000..e23b73e
--- /dev/null
+++ b/Com/Simatime/Cloud/chat.nix
@@ -0,0 +1,100 @@
+{ config, pkgs, ... }:
+#
+# a homeserver for matrix.org.
+#
+# - nixos manual: https://nixos.org/nixos/manual/index.html#module-services-matrix
+#
+# to create new users:
+#
+#     nix run nixpkgs.matrix-synapse
+#     register_new_matrix_user -k <registration_shared_secret> http://localhost:<matrix_port>
+#
+let
+  fqdn = "matrix.${config.networking.domain}";
+  riot = "chat.${config.networking.domain}";
+  matrix_port = 8448;
+in {
+  # matrix-synapse server. for what the settings mean, see:
+  # https://nixos.org/nixos/manual/index.html#module-services-matrix
+  #
+  services.matrix-synapse = {
+    enable = true;
+    server_name = config.networking.domain;
+    registration_shared_secret = "AkGRWSQLga3RoKRFnHhKoeCEIeZzu31y4TRzMRkMyRbBnETkVTSxilf24qySLzQn";
+    listeners = [
+      {
+        port = matrix_port;
+        bind_address = "::1";
+        type = "http";
+        tls = false;
+        x_forwarded = true;
+        resources = [
+          {
+            names = [ "client" "federation" ];
+            compress = false;
+          }
+        ];
+      }
+    ];
+  };
+  # matrix needs a database
+  #
+  services.postgresql.enable = true;
+  # web proxy for the matrix server
+  #
+  services.nginx = {
+    enable = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+    virtualHosts = {
+      # route to matrix-synapse
+      "${config.networking.domain}" = {
+        locations."= /.well-known/matrix/server".extraConfig =
+          let
+            server = { "m.server" = "${fqdn}:443"; };
+          in ''
+            add_header Content-Type application/json;
+            return 200 '${builtins.toJSON server}';
+          '';
+        locations."= /.well-known/matrix/client".extraConfig =
+          let
+            client = {
+              "m.homeserver" = { "base_url" = "https://${fqdn}"; } ;
+              "m.identity_server" = { "base_url" = "https://vector.im"; };
+            };
+          in ''
+            add_header Content-Type application/json;
+            add_header Access-Control-Allow-Origin *;
+            return 200 '${builtins.toJSON client}';
+          '';
+      };
+      # reverse proxy for matrix client-server and server-server communication
+      "${fqdn}" = {
+        enableACME = true;
+        forceSSL = true;
+        locations."/".extraConfig = ''
+          return 404;
+        '';
+        locations."/_matrix" = {
+          proxyPass = "http://[::1]:${toString matrix_port}";
+        };
+      };
+    };
+  };
+  # riot client, available at chat.simatime.com
+  #
+  # note that riot and matrix-synapse must be on separate fqdn's to
+  # protect from XSS attacks:
+  # https://github.com/vector-im/riot-web#important-security-note
+  #
+  services.nginx.virtualHosts."${riot}" = {
+    enableACME = true;
+    forceSSL = true;
+    serverAliases = [
+      "chat.${config.networking.domain}"
+    ];
+    root = pkgs.riot-web;
+  };
+}
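Review bot: `registration_shared_secret` is a string literal in the module (the line right after `server_name`), and everything a NixOS module evaluates is written into the world-readable Nix store, so the secret is readable by every local account and is now in git history at both the old and the new path. Keep it out of the evaluated config by placing it in a root-only YAML file referenced through the module's `extraConfigFiles` option (or a comparable out-of-store mechanism), and treat the committed value as exposed and rotate it. The same concern applies to the `hashedPassword` values in Cloud/mail.nix, the `Pass.password` hash/salt in Cloud/znc.nix and the plaintext `services.murmur.password` in Dev/configuration.nix. Minor: `serverAliases = [ "chat.${config.networking.domain}" ]` on the riot host repeats the host's own name (`riot` is the same string) and can be dropped.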
diff --git a/Com/Simatime/Cloud/git.nix b/Com/Simatime/Cloud/git.nix
new file mode 100644
index 0000000..4cdaa28
--- /dev/null
+++ b/Com/Simatime/Cloud/git.nix
@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+
+{
+  services = {
+    gitolite = {
+      enable = true;
+      enableGitAnnex = true;
+      # TODO: change this to /var/lib/gitolite?
+      dataDir = "/srv/git";
+      user = "git";
+      group = "git";
+      extraGitoliteRc = ''
+        $RC{SITE_INFO} = 'a computer is a bicycle for the mind.';
+      '';
+      adminPubkey = builtins.readFile ../keys/ben.pub;
+    };
+  };
+}
diff --git a/Com/Simatime/Cloud/hardware.nix b/Com/Simatime/Cloud/hardware.nix
new file mode 100644
index 0000000..8c88cb7
--- /dev/null
+++ b/Com/Simatime/Cloud/hardware.nix
@@ -0,0 +1,6 @@
+{ ... }:
+{
+  imports = [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix> ];
+  boot.loader.grub.device = "/dev/vda";
+  fileSystems."/" = { device = "/dev/vda1"; fsType = "ext4"; };
+}
diff --git a/Com/Simatime/Cloud/mail.nix b/Com/Simatime/Cloud/mail.nix
new file mode 100644
index 0000000..81bddc2
--- /dev/null
+++ b/Com/Simatime/Cloud/mail.nix
@@ -0,0 +1,43 @@
+{ ... }:
+
+{
+  mailserver = {
+    enable = true;
+    monitoring = {
+      enable = false;
+      alertAddress = "bsima@me.com";
+    };
+    fqdn = "simatime.com";
+    domains = [ "simatime.com" "bsima.me" ];
+    certificateScheme = 3; # let's encrypt
+    enableImap = true;
+    enablePop3 = true;
+    enableImapSsl = true;
+    enablePop3Ssl = true;
+    enableManageSieve = true;
+    virusScanning = false; # ur on ur own
+    localDnsResolver = true;
+
+    loginAccounts = {
+      "ben@simatime.com" = {
+        hashedPassword = "$6$Xr180W0PqprtaFB0$9S/Ug1Yz11CaWO7UdVJxQLZWfRUE3/rarB0driXkXALugEeQDLIjG2STGQBLU23//JtK3Mz8Kwsvg1/Zo0vD2/";
+        aliases = [
+          # my default email
+          "ben@bsima.me"
+          # admin stuff
+          "postmaster@simatime.com"
+          "abuse@simatime.com"
+        ];
+        catchAll = [ "simatime.com" "bsima.me" ];
+        quota = "5G";
+      };
+      "nick@simatime.com" = {
+        hashedPassword = "$6$31P/Mg8k8Pezy1e$Fn1tDyssf.1EgxmLYFsQpSq6RP4wbEvP/UlBlXQhyKA9FnmFtJteXsbJM1naa8Kyylo8vZM9zmeoSthHS1slA1";
+        aliases = [
+          "nicolai@simatime.com"
+        ];
+        quota = "1G";
+      };
+    };
+  };
+}
diff --git a/Com/Simatime/Cloud/networking.nix b/Com/Simatime/Cloud/networking.nix
new file mode 100644
index 0000000..0df42e3
--- /dev/null
+++ b/Com/Simatime/Cloud/networking.nix
@@ -0,0 +1,36 @@
+{ lib, config, ... }:
+
+{
+  networking = {
+
+    firewall = {
+      allowedTCPPorts = [ 22 80 443 ];
+      allowPing = true;
+    };
+
+    # This following was populated at runtime with the networking details
+    # gathered from the active system.
+    nameservers = [
+      "67.207.67.2"
+      "67.207.67.3"
+    ];
+    defaultGateway = "159.89.128.1";
+    defaultGateway6 = "";
+    dhcpcd.enable = false;
+    usePredictableInterfaceNames = lib.mkForce true;
+    interfaces = {
+      eth0 = {
+        ipv4.addresses = [
+          { address="159.89.128.69"; prefixLength=20; }
+          { address="10.46.0.6"; prefixLength=16; }
+        ];
+        ipv6.addresses = [
+          { address="fe80::e899:c0ff:fe9c:e194"; prefixLength=64; }
+        ];
+      };
+    };
+  };
+  services.udev.extraRules = ''
+    ATTR{address}=="ea:99:c0:9c:e1:94", NAME="eth0"
+  '';
+}
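Review bot: `networking.hostName` and `networking.domain`, which the deleted Com/Simatime/networking.nix set to `"simatime"` and `"simatime.com"`, are not set in the new file, yet Cloud/chat.nix still interpolates `config.networking.domain` into `fqdn`, `riot` and `server_name`; if nothing outside this diff sets it, those strings fail to evaluate because `networking.domain` defaults to null. The buildOS.nix hunks in this commit do not set it and the diff is limited to `Com`, so it may well be configured elsewhere — worth confirming. The same applies to `hostName = "lithium"`, dropped from Dev/configuration.nix, which the new users.nix motd reads via `config.networking.hostName`.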
diff --git a/Com/Simatime/Cloud/web.nix b/Com/Simatime/Cloud/web.nix
new file mode 100644
index 0000000..22d7199
--- /dev/null
+++ b/Com/Simatime/Cloud/web.nix
@@ -0,0 +1,41 @@
+{ ... }:
+
+let
+  bensIp = "73.222.221.62";
+in
+{
+  services = {
+    nginx = {
+      enable = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+      virtualHosts = {
+        "bsima.me".root = "/home/ben/public_html/";
+        "www.bsima.me".root = "/home/ben/public_html/";
+        "simatime.com".locations."/".root = "/srv/www/";
+        "firefoxsync.simatime.com".locations."/".proxyPass = "http://localhost:5001";
+        "hero.simatime.com".locations."/".proxyPass = "http://${bensIp}:3001";
+        "tv.simatime.com".locations."/".proxyPass = "http://${bensIp}:8096"; # emby runs on port 8096
+        "deluge.simatime.com".locations."/".proxyPass = "http://${bensIp}:8112";
+
+        "notebook.simatime.com".locations = {
+          "/" = {
+            proxyPass = "http://${bensIp}:3099";
+            proxyWebsockets = true;
+            extraConfig = ''
+              proxy_buffering off;
+              proxy_read_timeout 86400;
+
+            '';
+          };
+          "/(api/kernels/[^/]+/channels|terminals/websocket)/" = {
+            proxyPass = "http://${bensIp}:3099";
+            proxyWebsockets = true;
+          };
+        };
+      };
+    };
+  };
+}
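Review bot: None of the virtualHosts here set `enableACME`/`forceSSL`, so unlike the matrix hosts in Cloud/chat.nix they are served over cleartext HTTP only; `firefoxsync.simatime.com` presumably fronts a service that receives account credentials, and the deluge and notebook hosts look like password-protected admin UIs. ACME is already configured in buildOS.nix (`security.acme.email`/`acceptTerms`), so adding `enableACME = true; forceSSL = true;` to at least the proxied hosts is cheap. Also, `"bsima.me"` and `"www.bsima.me"` repeat the same root; `serverAliases = [ "www.bsima.me" ]` on `"bsima.me"` expresses that in one place.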
diff --git a/Com/Simatime/Cloud/znc.nix b/Com/Simatime/Cloud/znc.nix
new file mode 100644
index 0000000..9b1a28d
--- /dev/null
+++ b/Com/Simatime/Cloud/znc.nix
@@ -0,0 +1,66 @@
+/*
+
+N.B.: generate znc passwords with 'nix-shell -p znc --command "znc --makepass"'
+
+- https://wiki.znc.in/Configuration
+
+*/
+
+{ ... }:
+
+{
+  services = {
+    znc = {
+      enable = true;
+      mutable = false;
+      useLegacyConfig = false;
+      openFirewall = true;
+      config = {
+        LoadModule = [ "adminlog" ];
+        User.bsima = {
+          Admin = true;
+          Nick = "bsima";
+          AltNick = "bsima1";
+          LoadModule = [ "chansaver" "controlpanel" "log" ];
+          Network.freenode = {
+            Server = "chat.freenode.net +6697";
+            LoadModule = [ "simple_away" "nickserv" "sasl" ];
+            Chan = {
+              "#ai"              = {};
+              "#biz"             = { Modes = "+Sp"; };
+              "#bsima"           = { Modes = "+Sp"; };
+              "##categorytheory" = { Detached = true; };
+              "#clojure"         = { Detached = true; };
+              "#coq"             = { Detached = true; };
+              "#emacs"           = { Detached = true; };
+              "#guile"           = { Detached = true; };
+              "#guix"            = { Detached = true; };
+              "#haskell"         = {};
+              "#haskell-miso"    = { Detached = true; };
+              "#hledger"         = {};
+              "#hnix"            = { Detached = true; };
+              "#home-manager"    = { Detached = true; };
+              "#ledger"          = {};
+              "#nix-darwin"      = { Detached = true; };
+              "#nixos"           = {};
+              "#org-mode"        = {};
+              "#scheme"          = { Detached = true; };
+              "#servant"         = { Detached = true; };
+              "#sr.ht"           = { Detached = true; };
+              "#xmonad"          = { Detached = true; };
+            };
+          };
+          Network.efnet = {
+            Server = "irc.efnet.info +6697";
+            LoadModule = [ "simple_away" ];
+          };
+          Pass.password = {
+            Method = "sha256";
+            Hash = "bead16d806e7bf5cbbc31d572b20f01e2b253eb60e2497ce465df56306becd02";
+            Salt = "/GhmBMc+E6b7qd8muFEe";
+          };
+        };
+      };
+    };
+  };
+}
diff --git a/Com/Simatime/Dev/configuration.nix b/Com/Simatime/Dev/configuration.nix
new file mode 100644
index 0000000..1322de7
--- /dev/null
+++ b/Com/Simatime/Dev/configuration.nix
@@ -0,0 +1,203 @@
+{ config, lib, pkgs, ... }:
+
+let
+  murmurPort = 64738;
+  torrents = { from = 6000; to = 6999; }
+in {
+  networking = {
+    hosts = {
+      "::1" = [ "localhost" "ipv6-localhost" "ipv6-loopback" ];
+    };
+
+    firewall = {
+      allowedTCPPorts = [
+        22 8000 8443 443 8080 8081 # standard ports
+        500 10000 # no idea
+        8096 # emby/jellyfin
+        8112 # deluge
+        murmurPort
+      ];
+      allowedTCPPortRanges = [
+        { from = 3000; to = 3100; } # dev stuff
+        torrents
+      ];
+      allowedUDPPorts = [ murmurPort ];
+      allowedUDPPortRanges = [
+        torrents
+      ];
+      checkReversePath = false;
+    };
+
+  };
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.enableContainers = true;
+
+  boot.initrd.luks.devices = {
+    root = {
+      device = "/dev/disk/by-uuid/a0160f25-e0e3-4af0-8236-3e298eac957a";
+      preLVM = true;
+    };
+  };
+
+  powerManagement.enable = false;
+
+  time.timeZone = "America/Los_Angeles";
+
+  fonts.fonts = with pkgs; [
+    google-fonts mononoki source-code-pro fantasque-sans-mono hack-font
+    fira fira-code fira-code-symbols
+  ];
+
+  nixpkgs = {
+    config = {
+      allowUnfree = true;
+      allowBroken = true;
+    };
+  };
+
+  hardware = {
+    opengl.enable = true;
+    pulseaudio = {
+      enable = true;
+      extraConfig = ''
+        load-module module-loopback
+      '';
+    };
+  };
+
+  programs = {
+    bash.enableCompletion = true;
+    command-not-found.enable = true;
+    gnupg.agent = {
+      enable = true;
+      enableSSHSupport = true;
+    };
+    mosh.enable = true;
+  };
+
+  virtualisation = {
+    docker = {
+      enable = true;
+      liveRestore = false;
+    };
+    libvirtd.enable = true;
+    virtualbox = {
+      host = {
+        enable = false;
+        headless = false;
+        addNetworkInterface = false;
+      };
+      guest = {
+        enable = false;
+        x11 = false;
+      };
+    };
+  };
+
+  services = {
+    pcscd.enable = true;
+    logind = {
+      lidSwitch = "ignore";
+      extraConfig = "IdleAction=ignore";
+    };
+
+    deluge = {
+      enable = true;
+      openFilesLimit = 10240;
+      web.enable = true;
+    };
+
+    printing.enable = true;
+
+    murmur = {
+      enable = true;
+      registerName = "simatime";
+      password = "simatime";
+      port = murmurPort;
+    };
+
+    xserver = {
+      enable = true;
+      layout = "us";
+      xkbOptions = "caps:ctrl_modifier";
+      displayManager.sddm.enable = true;
+      desktopManager = {
+        kodi.enable = true;
+        plasma5.enable = true;
+        xterm.enable = true;
+      };
+    };
+
+    jupyter = {
+      enable = false;
+      port = 3099;
+      ip = "*";
+      password = "'sha1:4b14a407cabe:fbab8e5400f3f4f3ffbdb00e996190d6a84bf51e'";
+      kernels = {
+        python3 = let
+          env = (pkgs.python3.withPackages (p: with p; [
+            ipykernel pandas scikitlearn numpy matplotlib sympy ipywidgets
+          ]));
+        in {
+          displayName = "py3";
+          argv = [
+            "${env.interpreter}"
+            "-m"
+            "ipykernel_launcher"
+            "-f"
+            "{connection_file}"
+          ];
+          language = "python";
+          #logo32 = "${env.sitePackages}/lib/python3.6/site-packages/ipykernel/resources/logo-32x32.png";
+          #logo64 = "${env.sitePackages}/lib/python3.6/site-packages/ipykernel/resources/logo-64x64.png";
+        };
+      };
+    };
+
+    jellyfin = { # previously emby
+      enable = true;
+      user = "emby";
+      group = "emby";
+    };
+
+    vnstat.enable = true;
+
+    postgresql = {
+      enable = true;
+      package = pkgs.postgresql_10;
+      authentication = ''
+        local all pprjam md5
+        local all pprjam_test md5
+      '';
+      enableTCPIP = true;
+    };
+    redis = {
+      enable = true;
+    };
+  };
+
+  documentation = {
+    enable = true;
+    dev.enable = true;
+    doc.enable = true;
+    info.enable = true;
+    man.enable = true;
+    nixos.enable = true;
+  };
+
+  # Since this is the dev machine, we can turn these on at the expense of extra
+  # disk space.
+  nix.extraOptions = ''
+    keep-outputs = true
+    keep-derivations = true
+  '';
+
+  # This value determines the NixOS release with which your system is to be
+  # compatible, in order to avoid breaking some software such as database
+  # servers. You should change this only after NixOS release notes say you
+  # should.
+  system.stateVersion = "17.09"; # Did you read the comment?
+}
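Review bot: The `let` block at the top of the hunk does not parse: `torrents = { from = 6000; to = 6999; }` lacks the terminating semicolon that every `let` binding needs, so it should read `torrents = { from = 6000; to = 6999; };`. Because this is a newly added file, the error only surfaces on the next evaluation of the Dev configuration. While here, `programs.mosh.enable = true` is now also set for every host in buildOS.nix, so the copy under `programs` below is redundant (harmless, since both are `true`).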
diff --git a/Com/Simatime/Dev/hardware.nix b/Com/Simatime/Dev/hardware.nix
new file mode 100644
index 0000000..fc0e7a0
--- /dev/null
+++ b/Com/Simatime/Dev/hardware.nix
@@ -0,0 +1,34 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/0d8b0e52-10de-4af2-bcd9-b36278352e77";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/9B89-85C7";
+      fsType = "vfat";
+    };
+
+  fileSystems."/mnt/lake" =
+    { device = "/dev/disk/by-uuid/037df3ae-4609-402c-ab1d-4593190d0ee7";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  nix.maxJobs = lib.mkDefault 4;
+  powerManagement.cpuFreqGovernor = "powersave";
+}
diff --git a/Com/Simatime/buildOS.nix b/Com/Simatime/buildOS.nix
index 52aa51a..b2fc928 100644
--- a/Com/Simatime/buildOS.nix
+++ b/Com/Simatime/buildOS.nix
@@ -29,6 +29,8 @@ let
     nix.optimise.automatic = true;
     nix.optimise.dates = [ "Sunday 02:30" ];
     nixpkgs.overlays = [ bizpkgs ];
+    programs.mosh.enable = true;
+    programs.mosh.withUtempter = true;
     security.acme.email = "ben@bsima.me";
     security.acme.acceptTerms = true;
     security.sudo.wheelNeedsPassword = false;
@@ -44,9 +46,6 @@ let
     #services.tinc.networks.simatime-vpn.interfaceType = "tap";
     #services.tinc.networks.simatime-vpn.hosts = import ./vpnHosts.nix;
     system.autoUpgrade.enable = false; # 'true' breaks our nixpkgs pin
-    users.motd = "\n\n\twelcome to the simatime network\n\n\n";
-    users.users =  import ./users.nix;
-    users.mutableUsers = false;
   };
   os = nixos {
     system = "x86_64-linux";
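Review bot: Removing `users.users = import ./users.nix;` changes how users.nix is consumed: in this commit it becomes a NixOS module (`{ config, ... }: { users.motd = …; users.mutableUsers = false; users.users = …; }`) instead of a plain attrset, so it now has to be listed in the configuration's `imports`. That list is outside this hunk, so confirm it was updated; otherwise the hosts evaluate with no declared users and `mutableUsers` back at its default. The enclosing `let` binding starts before this hunk.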
diff --git a/Com/Simatime/chat.nix b/Com/Simatime/chat.nix
deleted file mode 100644
index e23b73e..0000000
--- a/Com/Simatime/chat.nix
+++ /dev/null
@@ -1,100 +0,0 @@
-{ config, pkgs, ... }:
-#
-# a homeserver for matrix.org.
-#
-# - nixos manual: https://nixos.org/nixos/manual/index.html#module-services-matrix
-#
-# to create new users:
-#
-#     nix run nixpkgs.matrix-synapse
-#     register_new_matrix_user -k <registration_shared_secret> http://localhost:<matrix_port>
-#
-let
-  fqdn = "matrix.${config.networking.domain}";
-  riot = "chat.${config.networking.domain}";
-  matrix_port = 8448;
-in {
-  # matrix-synapse server. for what the settings mean, see:
-  # https://nixos.org/nixos/manual/index.html#module-services-matrix
-  #
-  services.matrix-synapse = {
-    enable = true;
-    server_name = config.networking.domain;
-    registration_shared_secret = "AkGRWSQLga3RoKRFnHhKoeCEIeZzu31y4TRzMRkMyRbBnETkVTSxilf24qySLzQn";
-    listeners = [
-      {
-        port = matrix_port;
-        bind_address = "::1";
-        type = "http";
-        tls = false;
-        x_forwarded = true;
-        resources = [
-          {
-            names = [ "client" "federation" ];
-            compress = false;
-          }
-        ];
-      }
-    ];
-  };
-  # matrix needs a database
-  #
-  services.postgresql.enable = true;
-  # web proxy for the matrix server
-  #
-  services.nginx = {
-    enable = true;
-    recommendedTlsSettings = true;
-    recommendedOptimisation = true;
-    recommendedGzipSettings = true;
-    recommendedProxySettings = true;
-    virtualHosts = {
-      # route to matrix-synapse
-      "${config.networking.domain}" = {
-        locations."= /.well-known/matrix/server".extraConfig =
-          let
-            server = { "m.server" = "${fqdn}:443"; };
-          in ''
-            add_header Content-Type application/json;
-            return 200 '${builtins.toJSON server}';
-          '';
-        locations."= /.well-known/matrix/client".extraConfig =
-          let
-            client = {
-              "m.homeserver" = { "base_url" = "https://${fqdn}"; } ;
-              "m.identity_server" = { "base_url" = "https://vector.im"; };
-            };
-          in ''
-            add_header Content-Type application/json;
-            add_header Access-Control-Allow-Origin *;
-            return 200 '${builtins.toJSON client}';
-          '';
-      };
-      # reverse proxy for matrix client-server and server-server communication
-      "${fqdn}" = {
-        enableACME = true;
-        forceSSL = true;
-        locations."/".extraConfig = ''
-          return 404;
-        '';
-        locations."/_matrix" = {
-          proxyPass = "http://[::1]:${toString matrix_port}";
-        };
-      };
-    };
-  };
-  # riot client, available at chat.simatime.com
-  #
-  # note that riot and matrix-synapse must be on separate fqdn's to
-  # protect from XSS attacks:
-  # https://github.com/vector-im/riot-web#important-security-note
-  #
-  services.nginx.virtualHosts."${riot}" = {
-    enableACME = true;
-    forceSSL = true;
-    serverAliases = [
-      "chat.${config.networking.domain}"
-    ];
-    root = pkgs.riot-web;
-  };
-}
diff --git a/Com/Simatime/dev/configuration.nix b/Com/Simatime/dev/configuration.nix
deleted file mode 100644
index 3b69f6f..0000000
--- a/Com/Simatime/dev/configuration.nix
+++ /dev/null
@@ -1,215 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
-  murmurPort = 64738;
-in {
-  networking = {
-    hostName = "lithium";
-    hosts = {
-      "::1" = [ "localhost" "ipv6-localhost" "ipv6-loopback" ];
-    };
-
-    firewall = {
-      allowedTCPPorts = [
-        22 8000 8443 443 8080 8081 # std
-        500 10000 # no idea
-        8096 # emby
-        8112 # deluge
-        murmurPort
-      ];
-      allowedTCPPortRanges = [
-        { from = 3000; to = 3100; } # dev stuff
-        { from = 6000; to = 6999; } # torrents
-      ];
-      allowedUDPPorts = [ murmurPort ];
-      allowedUDPPortRanges = [
-        { from = 6000; to = 6999; } # torrents
-      ];
-      checkReversePath = false;
-    };
-
-  };
-
-  # Use the systemd-boot EFI boot loader.
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-  boot.enableContainers = true;
-
-  boot.initrd.luks.devices = {
-    root = {
-      device = "/dev/disk/by-uuid/a0160f25-e0e3-4af0-8236-3e298eac957a";
-      preLVM = true;
-    };
-  };
-
-  powerManagement.enable = false;
-
-  time.timeZone = "America/Los_Angeles";
-
-  fonts.fonts = with pkgs; [
-    google-fonts mononoki source-code-pro fantasque-sans-mono hack-font
-    fira fira-code fira-code-symbols
-  ];
-
-  nixpkgs = {
-    config = {
-      allowUnfree = true;
-      allowBroken = true;
-    };
-  };
-
-  hardware = {
-    opengl.enable = true;
-    pulseaudio = {
-      enable = true;
-      extraConfig = ''
-        load-module module-loopback
-      '';
-    };
-  };
-
-  programs = {
-    bash.enableCompletion = true;
-    command-not-found.enable = true;
-    gnupg.agent = {
-      enable = true;
-      enableSSHSupport = true;
-    };
-    mosh.enable = true;
-  };
-
-  virtualisation = {
-    docker = {
-      enable = true;
-      liveRestore = false;
-    };
-    libvirtd.enable = true;
-    virtualbox = {
-      host = {
-        enable = false;
-        headless = false;
-        addNetworkInterface = false;
-      };
-      guest = {
-        enable = false;
-        x11 = false;
-      };
-    };
-  };
-
-  # https://github.com/NixOS/nixpkgs/issues/53985
-  systemd.services.gitlab-runner.path = ["/run/wrappers"];
-
-  services = {
-    pcscd.enable = true;
-    logind = {
-      lidSwitch = "ignore";
-      extraConfig = "IdleAction=ignore";
-    };
-
-    # runner for hero ci
-    gitlab-runner = {
-      packages = [ pkgs.bash pkgs.git pkgs.python3 ];
-      enable = true;
-      gracefulTimeout = "2min";
-      gracefulTermination = true;
-      configFile = "/home/ben/gitlab-runner.toml";
-    };
-
-    deluge = {
-      enable = true;
-      openFilesLimit = 10240;
-      web.enable = true;
-    };
-
-    printing.enable = true;
-
-    murmur = {
-      enable = true;
-      registerName = "simatime";
-      password = "simatime";
-      port = murmurPort;
-    };
-
-    xserver = {
-      enable = true;
-      layout = "us";
-      xkbOptions = "caps:ctrl_modifier";
-      displayManager.sddm.enable = true;
-      desktopManager = {
-        kodi.enable = true;
-        plasma5.enable = true;
-        xterm.enable = true;
-      };
-    };
-
-    jupyter = {
-      enable = false;
-      port = 3099;
-      ip = "*";
-      password = "'sha1:4b14a407cabe:fbab8e5400f3f4f3ffbdb00e996190d6a84bf51e'";
-      kernels = {
-        python3 = let
-          env = (pkgs.python3.withPackages (p: with p; [
-            ipykernel pandas scikitlearn numpy matplotlib sympy ipywidgets
-          ]));
-        in {
-          displayName = "py3";
-          argv = [
-            "${env.interpreter}"
-            "-m"
-            "ipykernel_launcher"
-            "-f"
-            "{connection_file}"
-          ];
-          language = "python";
-          #logo32 = "${env.sitePackages}/lib/python3.6/site-packages/ipykernel/resources/logo-32x32.png";
-          #logo64 = "${env.sitePackages}/lib/python3.6/site-packages/ipykernel/resources/logo-64x64.png";
-        };
-      };
-    };
-
-    jellyfin = { # previously emby
-      enable = true;
-      user = "emby";
-      group = "emby";
-    };
-
-    vnstat.enable = true;
-
-    postgresql = {
-      enable = true;
-      package = pkgs.postgresql_10;
-      authentication = ''
-        local all pprjam md5
-        local all pprjam_test md5
-      '';
-      enableTCPIP = true;
-    };
-    redis = {
-      enable = true;
-    };
-  };
-
-  documentation = {
-    enable = true;
-    dev.enable = true;
-    doc.enable = true;
-    info.enable = true;
-    man.enable = true;
-    nixos.enable = true;
-  };
-
-  # Since this is the dev machine, we can turn these on at the expense of extra
-  # disk space.
-  nix.extraOptions = ''
-    keep-outputs = true
-    keep-derivations = true
-  '';
-
-  # This value determines the NixOS release with which your system is to be
-  # compatible, in order to avoid breaking some software such as database
-  # servers. You should change this only after NixOS release notes say you
-  # should.
-  system.stateVersion = "17.09"; # Did you read the comment?
-}
diff --git a/Com/Simatime/dev/hardware.nix b/Com/Simatime/dev/hardware.nix
deleted file mode 100644
index fc0e7a0..0000000
--- a/Com/Simatime/dev/hardware.nix
+++ /dev/null
@@ -1,34 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, ... }:
-
-{
-  imports =
-    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
-    ];
-
-  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/0d8b0e52-10de-4af2-bcd9-b36278352e77";
-      fsType = "ext4";
-    };
-
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/9B89-85C7";
-      fsType = "vfat";
-    };
-
-  fileSystems."/mnt/lake" =
-    { device = "/dev/disk/by-uuid/037df3ae-4609-402c-ab1d-4593190d0ee7";
-      fsType = "ext4";
-    };
-
-  swapDevices = [ ];
-
-  nix.maxJobs = lib.mkDefault 4;
-  powerManagement.cpuFreqGovernor = "powersave";
-}
diff --git a/Com/Simatime/git.nix b/Com/Simatime/git.nix
deleted file mode 100644
index 51e46b6..0000000
--- a/Com/Simatime/git.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{ pkgs, ... }:
-
-{
-  services = {
-    gitolite = {
-      enable = true;
-      enableGitAnnex = true;
-      # TODO: change this to /var/lib/gitolite?
-      dataDir = "/srv/git";
-      user = "git";
-      group = "git";
-      extraGitoliteRc = ''
-        $RC{SITE_INFO} = 'a computer is a bicycle for the mind.';
-      '';
-      adminPubkey = builtins.readFile ./keys/ben.pub;
-    };
-  };
-}
diff --git a/Com/Simatime/hardware.nix b/Com/Simatime/hardware.nix
deleted file mode 100644
index 8c88cb7..0000000
--- a/Com/Simatime/hardware.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{ ... }:
-{
-  imports = [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix> ];
-  boot.loader.grub.device = "/dev/vda";
-  fileSystems."/" = { device = "/dev/vda1"; fsType = "ext4"; };
-}
diff --git a/Com/Simatime/mail.nix b/Com/Simatime/mail.nix
deleted file mode 100644
index 81bddc2..0000000
--- a/Com/Simatime/mail.nix
+++ /dev/null
@@ -1,43 +0,0 @@
-{ ... }:
-
-{
-  mailserver = {
-    enable = true;
-    monitoring = {
-      enable = false;
-      alertAddress = "bsima@me.com";
-    };
-    fqdn = "simatime.com";
-    domains = [ "simatime.com" "bsima.me" ];
-    certificateScheme = 3; # let's encrypt
-    enableImap = true;
-    enablePop3 = true;
-    enableImapSsl = true;
-    enablePop3Ssl = true;
-    enableManageSieve = true;
-    virusScanning = false; # ur on ur own
-    localDnsResolver = true;
-
-    loginAccounts = {
-      "ben@simatime.com" = {
-        hashedPassword = "$6$Xr180W0PqprtaFB0$9S/Ug1Yz11CaWO7UdVJxQLZWfRUE3/rarB0driXkXALugEeQDLIjG2STGQBLU23//JtK3Mz8Kwsvg1/Zo0vD2/";
-        aliases = [
-          # my default email
-          "ben@bsima.me"
-          # admin stuff
-          "postmaster@simatime.com"
-          "abuse@simatime.com"
-        ];
-        catchAll = [ "simatime.com" "bsima.me" ];
-        quota = "5G";
-      };
-      "nick@simatime.com" = {
-        hashedPassword = "$6$31P/Mg8k8Pezy1e$Fn1tDyssf.1EgxmLYFsQpSq6RP4wbEvP/UlBlXQhyKA9FnmFtJteXsbJM1naa8Kyylo8vZM9zmeoSthHS1slA1";
-        aliases = [
-          "nicolai@simatime.com"
-        ];
-        quota = "1G";
-      };
-    };
-  };
-}
diff --git a/Com/Simatime/networking.nix b/Com/Simatime/networking.nix
deleted file mode 100644
index 60d8ebf..0000000
--- a/Com/Simatime/networking.nix
+++ /dev/null
@@ -1,37 +0,0 @@
-{ lib, config, ... }:
-
-{
-  networking = {
-    hostName = "simatime";
-    domain = "simatime.com";
-    firewall = {
-      allowedTCPPorts = [ 22 80 443 ];
-      allowPing = true;
-    };
-
-    # This following was populated at runtime with the networking details
-    # gathered from the active system.
-    nameservers = [
-      "67.207.67.2"
-      "67.207.67.3"
-    ];
-    defaultGateway = "159.89.128.1";
-    defaultGateway6 = "";
-    dhcpcd.enable = false;
-    usePredictableInterfaceNames = lib.mkForce true;
-    interfaces = {
-      eth0 = {
-        ipv4.addresses = [
-          { address="159.89.128.69"; prefixLength=20; }
-          { address="10.46.0.6"; prefixLength=16; }
-        ];
-        ipv6.addresses = [
-          { address="fe80::e899:c0ff:fe9c:e194"; prefixLength=64; }
-        ];
-      };
-    };
-  };
-  services.udev.extraRules = ''
-    ATTR{address}=="ea:99:c0:9c:e1:94", NAME="eth0"
-  '';
-}
diff --git a/Com/Simatime/users.nix b/Com/Simatime/users.nix
index c951c8e..ea2ef74 100644
--- a/Com/Simatime/users.nix
+++ b/Com/Simatime/users.nix
@@ -1,28 +1,37 @@
-{ #
-  # bots
-  #
-  deploy = {
-    isNormalUser = true;
-    home = "/home/deploy";
-    openssh.authorizedKeys.keyFiles = [ ./keys/deploy.pub ];
-    extraGroups = [ "wheel" ];
-  };
-  #
-  # humans
-  #
-  root.openssh.authorizedKeys.keyFiles = [ ./keys/ben.pub ];
-  ben = {
-    description = "Ben Sima";
-    isNormalUser = true;
-    home = "/home/ben";
-    openssh.authorizedKeys.keyFiles = [ ./keys/ben.pub ];
-    extraGroups = [ "wheel" "networkmanager" "docker" ];
-  };
-  nick = {
-    description = "Nick Sima";
-    isNormalUser = true;
-    home = "/home/nick";
-    openssh.authorizedKeys.keyFiles = [ ./keys/nick.pub ];
-    extraGroups = [ "docker" ];
+{ config, ... }:
+
+{
+  users.motd = '''
+    welcome to the simatime network
+    ${config.networking.hostName}
+  '';
+  users.mutableUsers = false;
+  users.users = { #
+    # bots
+    #
+    deploy = {
+      isNormalUser = true;
+      home = "/home/deploy";
+      openssh.authorizedKeys.keyFiles = [ ./keys/deploy.pub ];
+      extraGroups = [ "wheel" ];
+    };
+    #
+    # humans
+    #
+    root.openssh.authorizedKeys.keyFiles = [ ./keys/ben.pub ];
+    ben = {
+      description = "Ben Sima";
+      isNormalUser = true;
+      home = "/home/ben";
+      openssh.authorizedKeys.keyFiles = [ ./keys/ben.pub ];
+      extraGroups = [ "wheel" "networkmanager" "docker" ];
+    };
+    nick = {
+      description = "Nick Sima";
+      isNormalUser = true;
+      home = "/home/nick";
+      openssh.authorizedKeys.keyFiles = [ ./keys/nick.pub ];
+      extraGroups = [ "docker" ];
+    };
   };
 }
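Review bot: The new `users.motd = '''` on the first line of the hunk has one apostrophe too many: `''` opens an indented string, so the third `'` becomes a literal first character of the motd and, because it sits at column 0 relative to the opener, it likely also defeats the common-indent stripping of the lines below. The intended line is `users.motd = ''`. Separately, the hunk adds `users.mutableUsers = false` but gives no `hashedPassword` to any account, so `sudo` for the `wheel` members (`ben`, and the `deploy` bot) only works if `security.sudo.wheelNeedsPassword = false` is set in a module not visible here; a comment such as `# no hashedPassword set: password auth is off, sudo relies on wheelNeedsPassword = false` would make that dependency explicit. Since `deploy` is a bot holding `wheel` and `root` accepts `ben.pub` directly, both keys are root-equivalent; if the bot only needs a fixed deploy command, a scoped `security.sudo.extraRules` entry is the least-privilege alternative.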
diff --git a/Com/Simatime/web.nix b/Com/Simatime/web.nix
deleted file mode 100644
index 22d7199..0000000
--- a/Com/Simatime/web.nix
+++ /dev/null
@@ -1,41 +0,0 @@
-{ ... }:
-
-let
-  bensIp = "73.222.221.62";
-in
-{
-  services = {
-    nginx = {
-      enable = true;
-      recommendedGzipSettings = true;
-      recommendedOptimisation = true;
-      recommendedProxySettings = true;
-      recommendedTlsSettings = true;
-      virtualHosts = {
-        "bsima.me".root = "/home/ben/public_html/";
-        "www.bsima.me".root = "/home/ben/public_html/";
-        "simatime.com".locations."/".root = "/srv/www/";
-        "firefoxsync.simatime.com".locations."/".proxyPass = "http://localhost:5001";
-        "hero.simatime.com".locations."/".proxyPass = "http://${bensIp}:3001";
-        "tv.simatime.com".locations."/".proxyPass = "http://${bensIp}:8096"; # emby runs on port 8096
-        "deluge.simatime.com".locations."/".proxyPass = "http://${bensIp}:8112";
-
-        "notebook.simatime.com".locations = {
-          "/" = {
-            proxyPass = "http://${bensIp}:3099";
-            proxyWebsockets = true;
-            extraConfig = ''
-              proxy_buffering off;
-              proxy_read_timeout 86400;
-
-            '';
-          };
-          "/(api/kernels/[^/]+/channels|terminals/websocket)/" = {
-            proxyPass = "http://${bensIp}:3099";
-            proxyWebsockets = true;
-          };
-        };
-      };
-    };
-  };
-}
diff --git a/Com/Simatime/znc.nix b/Com/Simatime/znc.nix
deleted file mode 100644
index 9b1a28d..0000000
--- a/Com/Simatime/znc.nix
+++ /dev/null
@@ -1,66 +0,0 @@
-/*
-
-N.B.: generate znc passwords with 'nix-shell -p znc --command "znc --makepass"'
-
-- https://wiki.znc.in/Configuration
-
-*/
-
-{ ... }:
-
-{
-  services = {
-    znc = {
-      enable = true;
-      mutable = false;
-      useLegacyConfig = false;
-      openFirewall = true;
-      config = {
-        LoadModule = [ "adminlog" ];
-        User.bsima = {
-          Admin = true;
-          Nick = "bsima";
-          AltNick = "bsima1";
-          LoadModule = [ "chansaver" "controlpanel" "log" ];
-          Network.freenode = {
-            Server = "chat.freenode.net +6697";
-            LoadModule = [ "simple_away" "nickserv" "sasl" ];
-            Chan = {
-              "#ai"              = {};
-              "#biz"             = { Modes = "+Sp"; };
-              "#bsima"           = { Modes = "+Sp"; };
-              "##categorytheory" = { Detached = true; };
-              "#clojure"         = { Detached = true; };
-              "#coq"             = { Detached = true; };
-              "#emacs"           = { Detached = true; };
-              "#guile"           = { Detached = true; };
-              "#guix"            = { Detached = true; };
-              "#haskell"         = {};
-              "#haskell-miso"    = { Detached = true; };
-              "#hledger"         = {};
-              "#hnix"            = { Detached = true; };
-              "#home-manager"    = { Detached = true; };
-              "#ledger"          = {};
-              "#nix-darwin"      = { Detached = true; };
-              "#nixos"           = {};
-              "#org-mode"        = {};
-              "#scheme"          = { Detached = true; };
-              "#servant"         = { Detached = true; };
-              "#sr.ht"           = { Detached = true; };
-              "#xmonad"          = { Detached = true; };
-            };
-          };
-          Network.efnet = {
-            Server = "irc.efnet.info +6697";
-            LoadModule = [ "simple_away" ];
-          };
-          Pass.password = {
-            Method = "sha256";
-            Hash = "bead16d806e7bf5cbbc31d572b20f01e2b253eb60e2497ce465df56306becd02";
-            Salt = "/GhmBMc+E6b7qd8muFEe";
-          };
-        };
-      };
-    };
-  };
-}
-- 