| -rw-r--r-- | nixos/TODO.md | 11 | ||||
| -rw-r--r-- | nixos/comet/configuration.nix | 275 | ||||
| -rw-r--r-- | nixos/comet/hardware-configuration.nix | 24 | ||||
| -rw-r--r-- | nixos/nixos-generate/.envrc | 1 | ||||
| -rw-r--r-- | nixos/nixos-generate/README.md | 23 | ||||
| -rw-r--r-- | nixos/nixos-generate/config-extra.nix | 9 | ||||
| -rw-r--r-- | nixos/nixos-generate/config-iso.nix | 34 | ||||
| -rw-r--r-- | nixos/nixos-generate/miguel-quick-install.sh | 47 | ||||
| -rw-r--r-- | nixos/nixos-generate/nixops.nix | 26 | ||||
| -rw-r--r-- | nixos/nixos-generate/shell.nix | 6 |
10 files changed, 0 insertions, 456 deletions
diff --git a/nixos/TODO.md b/nixos/TODO.md
deleted file mode 100644
index 329ebea..0000000
--- a/nixos/TODO.md
+++ /dev/null
@@ -1,11 +0,0 @@
-# SSH
-* ssh: key-only-auth
-
-# GIT
-* selective encrypted files
-* fat file storage
-* gitolite: ban 'push -f'
-* git-app for mobile
-* lock gitolite write access and backup (once daily?)
-* pull/push backups to other storage
-* verify backups
diff --git a/nixos/comet/configuration.nix b/nixos/comet/configuration.nix
deleted file mode 100644
index 9f5a255..0000000
--- a/nixos/comet/configuration.nix
+++ /dev/null
@@ -1,275 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
-
-{ config, pkgs, ... }:
-
-let my_ssh_pub_key = "ssh-rsa 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 Miguel_User@DESKTOP-4NH8M69";
-in
-{
-
- # HARDWARE SCAN RESULTS
- imports =
- [
- ./hardware-configuration.nix
- ];
-
-
- # SYS PACKAGES
- environment.systemPackages = with pkgs; [mc highlight adminer icinga2 monitoring-plugins tmux];
-
-
- # compare with nginx etc and publish this shit (along instructions how to run with mariadb+icingaweb2 admin
- environment.etc = with pkgs;
- let defaultIcinga2Const= builtins.readFile "${icinga2}/etc/icinga2/constants.conf";
- in
- {
- "icinga2/features-available".source="${icinga2}/etc/icinga2/features-available";
- "icinga2/scripts".source="${icinga2}/etc/icinga2/scripts";
- "icinga2/zones.d".source="${icinga2}/etc/icinga2/zones.d";
- "icinga2/conf.d".source="${icinga2}/etc/icinga2/conf.d";
- "icinga2/constants.conf".text=builtins.replaceStrings ["bin"] ["${monitoring-plugins}/bin"] defaultIcinga2Const;
- "icinga2/icinga2.conf".source="${icinga2}/etc/icinga2/icinga2.conf";
- "icinga2/zones.conf".source="${icinga2}/etc/icinga2/zones.conf";
- "icinga2/features-enabled/checker.conf".source="${icinga2}/etc/icinga2/features-available/checker.conf";
- "icinga2/features-enabled/mainlog.conf".source="${icinga2}/etc/icinga2/features-available/mainlog.conf";
- "icinga2/features-enabled/notification.conf".source="${icinga2}/etc/icinga2/features-available/notification.conf";
- "icinga2/features-enabled/ido-mysql.conf".text='' object IdoMysqlConnection "ido-mysql" { user = "icinga", password = "8fg$1%X58G4geX", host = "comet.softwarefools.com", database = "ICINGA_IDO" } '';
- };
- systemd.services.icinga2 = {
- enable = true;
- description = "Icinga host/service/network monitoring system";
- #After=postgresql.service mariadb.service carbon-cache.service mysql.service yslog.target
-
- serviceConfig = with pkgs; {
- Type="simple";
- User="icinga2";
- Group="icinga2";
- UMask=0007; #what is this good for?
- ExecStart="${icinga2}/bin/icinga2 daemon -c /etc/icinga2/icinga2.conf";
- ExecReload="${icinga2}/lib/icinga2/safe-reload /usr/lib/icinga2/icinga2";
- PIDFile="/run/icinga2/icinga2.pid";
- RuntimeDirectory="icinga2";
- CacheDirectory="icinga2";
- LogsDirectory="icinga2";
- StateDirectory="icinga2";
- };
-
- wantedBy=[ "multi-user.target" ];
- };
-
- # AUTOMATIC uPGRADES
- system.autoUpgrade.enable = true;
- system.autoUpgrade.allowReboot = true;
-
- # USERS / GROUPS / SSH
- services.openssh = {
- enable = true;
- permitRootLogin = "yes";
- passwordAuthentication = false;
- };
-
- users.mutableUsers = false;
-
- users.users.miguel = {
- isNormalUser = true;
- home = "/home/miguel";
- description = "Miguel";
- extraGroups = [ "wheel" "networkmanager" ];
- openssh.authorizedKeys.keys = [ my_ssh_pub_key ];
- uid = 1000;
- };
-
- security.sudo.wheelNeedsPassword = false;
-
- users.extraUsers.root.openssh.authorizedKeys.keys = [ my_ssh_pub_key ];
-
- users.groups.icinga2 = {};
- users.users.icinga2 = {
- isSystemUser = true;
- extraGroups = ["icinga2"];
- };
-
- # NEOVIM
- programs.neovim.enable = true;
- programs.neovim.vimAlias = true;
- programs.neovim.viAlias = true;
-
- # MARIADB
- services.mysql.enable = true;
- services.mysql.package = pkgs.mariadb;
- services.mysql.bind = "0.0.0.0";
-
- # XMPP
- services.ejabberd.enable = true;
- services.ejabberd.configFile = "/etc/ejabberd.yaml";
-
- # GITOLITE
- services.gitolite.enable = true;
- services.gitolite.extraGitoliteRc = "$RC{UMASK} = 0027;
- push( @{$RC{ENABLE}}, 'D' );
- ";
- services.gitolite.adminPubkey = my_ssh_pub_key;
-
- # GITWEB
- services.gitweb.projectroot = "/var/lib/gitolite/repositories";
- services.gitweb.gitwebTheme = true;
- services.gitweb.extraConfig = ''
- $site_name = "Gitweb of the Fools";
- $logo_label = "Gitweb of the Fools";
- $logo_url = "./";
- $feature{'highlight'}{'default'} = [1];
- $projects_list = "/var/lib/gitolite/projects.list";
- $strict_export = true;
- $per_request_config = 1;
- our %highlight_basename;
- $highlight_basename{'Dockerfile'} = 'Dockerfile';
- $highlight_basename{'Makefile'} = 'Makefile';
- our %highlight_ext;
- $highlight_ext{'hs'} = 'haskell';
- $highlight_ext{'go'} = 'go';
- $highlight_ext{'yaml'} = 'yaml';
- $highlight_ext{'md'} = 'markdown';
- $highlight_ext{'lua'} = 'lua';
- $highlight_ext{'modinfo'} = 'xml';
- push @stylesheets, "https://comet.softwarefools.com/highlight.css";
- '';
-
- # CERTS
- security.acme.acceptTerms = true;
- security.acme.email = "m.i@gmx.at";
-
- # NGINX
- services.nginx.enable = true;
- services.nginx.appendHttpConfig = "server_names_hash_bucket_size 64;";
-
- services.nginx.virtualHosts."comet.softwarefools.com" = {
- forceSSL = true;
- enableACME = true;
- root = "/var/www/comet.softwarefools.com";
- };
-
- # ICINGA
- services.icingaweb2.enable = true;
- services.icingaweb2.modules.monitoring.enable = false;
- services.icingaweb2.virtualHost = "icinga.softwarefools.com";
- services.nginx.virtualHosts."icinga.softwarefools.com" = {
- forceSSL = true;
- enableACME = true;
- };
-
-
- # DOKUWIKI
- services.dokuwiki."dokuwiki.softwarefools.com" = {
- enable = true;
- nginx = {
- forceSSL = true;
- enableACME = true;
- };
- };
- services.nginx.virtualHosts."dokuwiki.softwarefools.com" = {
- forceSSL = true;
- enableACME = true;
- root = "/var/www/dokuwiki.softwarefools.com";
- };
-
- # GITWEB
- services.nginx.gitweb.enable = true;
- services.nginx.gitweb.group = "gitolite";
- services.nginx.gitweb.virtualHost = "gitweb.softwarefools.com";
- services.nginx.gitweb.location = "";
-
- services.nginx.virtualHosts."gitweb.softwarefools.com" = {
- forceSSL = true;
- enableACME = true;
- locations."/static/" = {
- extraConfig = "expires 5m;";
- };
- };
-
- # Use the GRUB 2 boot loader.
- boot.loader.grub.enable = true;
- boot.loader.grub.version = 2;
- # boot.loader.grub.efiSupport = true;
- # boot.loader.grub.efiInstallAsRemovable = true;
- # boot.loader.efi.efiSysMountPoint = "/boot/efi";
- # Define on which hard drive you want to install Grub.
- boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
-
- networking.hostName = "comet"; # Define your hostname.
- # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
-
- # The global useDHCP flag is deprecated, therefore explicitly set to false here.
- # Per-interface useDHCP will be mandatory in the future, so this generated config
- # replicates the default behaviour.
- networking.useDHCP = false;
- networking.interfaces.ens3.useDHCP = true;
-
- # Configure network proxy if necessary
- # networking.proxy.default = "http://user:password@proxy:port/";
- # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
-
- # Select internationalisation properties.
- # i18n.defaultLocale = "en_US.UTF-8";
- # console = {
- # font = "Lat2-Terminus16";
- # keyMap = "us";
- # };
-
- # Set your time zone.
- time.timeZone = "Europe/Warsaw";
-
- # List packages installed in system profile. To search, run:
- # $ nix search wget
- # environment.systemPackages = with pkgs; [
- # wget vim
- # ];
-
- # Some programs need SUID wrappers, can be configured further or are
- # started in user sessions.
- # programs.mtr.enable = true;
- # programs.gnupg.agent = {
- # enable = true;
- # enableSSHSupport = true;
- # pinentryFlavor = "gnome3";
- # };
-
- # FIREWALL
- networking.firewall.enable = true;
- networking.firewall.allowedTCPPorts = [ 80 443 5222 5223 5269 3306 ];
- # networking.firewall.allowedUDPPorts = [ ... ];
- # Or disable the firewall altogether.
-
- # Enable CUPS to print documents.
- # services.printing.enable = true;
-
- # Enable sound.
- # sound.enable = true;
- # hardware.pulseaudio.enable = true;
-
- # Enable the X11 windowing system.
- # services.xserver.enable = true;
- # services.xserver.layout = "us";
- # services.xserver.xkbOptions = "eurosign:e";
-
- # Enable touchpad support.
- # services.xserver.libinput.enable = true;
-
- # Enable the KDE Desktop Environment.
- # services.xserver.displayManager.sddm.enable = true;
- # services.xserver.desktopManager.plasma5.enable = true;
-
- # Define a user account. Don't forget to set a password with ‘passwd’.
- # users.users.jane = {
- # isNormalUser = true;
- # extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
- # };
-
- # This value determines the NixOS release from which the default
- # settings for stateful data, like file locations and database versions
- # on your system were taken. It‘s perfectly fine and recommended to leave
- # this value at the release version of the first install of this system.
- # Before changing this value read the documentation for this option
- # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
- system.stateVersion = "20.03"; # Did you read the comment?
-}
diff --git a/nixos/comet/hardware-configuration.nix b/nixos/comet/hardware-configuration.nix
deleted file mode 100644
index 7f5eb56..0000000
--- a/nixos/comet/hardware-configuration.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, ... }:
-
-{
- imports =
- [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
- ];
-
- boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ ];
- boot.extraModulePackages = [ ];
-
- fileSystems."/" =
- { device = "/dev/disk/by-uuid/3c4969ad-b9cb-4265-8e14-92145f8a133a";
- fsType = "ext4";
- };
-
- swapDevices = [ ];
-
- nix.maxJobs = lib.mkDefault 4;
-}
diff --git a/nixos/nixos-generate/.envrc b/nixos/nixos-generate/.envrc
deleted file mode 100644
index 1d953f4..0000000
--- a/nixos/nixos-generate/.envrc
+++ /dev/null
@@ -1 +0,0 @@
-use nix
diff --git a/nixos/nixos-generate/README.md b/nixos/nixos-generate/README.md
deleted file mode 100644
index ce2ae46..0000000
--- a/nixos/nixos-generate/README.md
+++ /dev/null
@@ -1,23 +0,0 @@
-WARNING: Be careful about assumptions made by this script,
-as /dev/sda beeing the target disk etc..
-
-nix-shell -p nixos-generators nixops
-
-Adapt config-iso.nix/ config-extra.nix (public key & /dev/sdX)
-
-cp $(nixos-generate -c config-iso.nix -f iso) my-nixos.iso
-
-boot the iso in fresh vm (e.g. 25G HDD, 1024 RAM)
-
-ssh into vm
-
-run : miguel-quick-install [desired-hostname]
-reboot into new nixos
-
-back on host:
-adapt nixops.nix
-
-run: (optionally with "-d label" after each)
- nixops create nixops.nix # only first time
- nixops deploy .. etc
- nixops ssh-for-each -- uptime
diff --git a/nixos/nixos-generate/config-extra.nix b/nixos/nixos-generate/config-extra.nix
deleted file mode 100644
index 92b2f33..0000000
--- a/nixos/nixos-generate/config-extra.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- imports = [./config-iso.nix];
- fileSystems."/" = {
- device="/dev/sda1";
- fsType="ext4";
- };
-
- boot.loader.grub.enable = true;
-} # no newline afer this !
diff --git a/nixos/nixos-generate/config-iso.nix b/nixos/nixos-generate/config-iso.nix
deleted file mode 100644
index e31915b..0000000
--- a/nixos/nixos-generate/config-iso.nix
+++ /dev/null
@@ -1,34 +0,0 @@
-# This config generates a basic NixOS ISO meant to quickly bootstrap a NixOs
-# system with a single custom command: miguel-quick-install [hostname]
-#
-# Build ISO like that: cp ${nixos-generate -c config-iso.nix -f iso} my-nixos.iso
-#
-
-{config,pkgs,...}:
-
-# FIXME: use proper derivation instead of this custom mess.
-let miguel-quick-installer =
- with pkgs; derivation{ name = "miguel-quick-install";
- builder = "${bash}/bin/bash";
- bash = bash;
- args = [./miguel-quick-install.sh];
- coreutils = coreutils;
- configextra = ./config-extra.nix;
- configiso = ./config-iso.nix;
- system = builtins.currentSystem; };
-in {
- boot.initrd.availableKernelModules = ["ata_piix" "floppy" "sd_mod" "sr_mod"];
- virtualisation.hypervGuest.enable = true;
-
- boot.loader.grub.version = 2;
- boot.loader.grub.device = "/dev/sda";
-
- environment.systemPackages = with pkgs; [mc vim miguel-quick-installer parted];
-
- services.openssh = {
- enable = true;
- permitRootLogin = "prohibit-password";
- passwordAuthentication = false;
- };
- users.users.root.openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCpDKWgowf2Gl83b7LsLzwpeKteLWeEE+B3ukE23XAiPmrYnD552ufUnYmid4yItWhNRY4SVsLMCfrdQj8+wftVHNXwx+Y559djAYjkm7qmtBFTvUNPSgtHkX4eoLA79nCPXzd69SS3qkqM2oLGaNKJV9lqxUcaTo0KzKOy5wy7oxQau3w5zCN/kHtxU2ktXGKB6oGocfLi87jefelmoruxo604itpduq78cAhd5fcZy/uZLzNTWf1GdLuqy7ep68txfeRknJ3TKpbaAk+YOlv4AvA23nD7V1GAn757fwv6JpiGe6/VvzkrR8YFLA8sA3kC7Ev8QD1dAkK9S0jMuLzRdAtMWezr7SXNHVEFZ1MLXAbECVkqXOkM0toK8F5ulMfY5E40RWKkawZOr6iB+tHa199WphSgjhtm9frywBMBE/3J5i4purOhZHemmmxJyv4fmSKW42toyc+d6lj0fWBFo3QYWSZPOIpsYhAo4jRw+LHlYwJr7bNIPxKEjutSM5sbacM2Om0GYU+SfHnX4+P5GYaSoFY5SfsjWCpSaK98ngKuKHlBuK2oQczhmFJAFQsBQinpoTF63qfzDpUyfmquvOaDtV9GVMn3AsZemVS+yVXWHHT4ZdXYvSsbgujlM/bUyH/eGLBQnkWBU74W2OxusyFkyp8k7zLwxgj0/hfWew== Miguel_User@DESKTOP-4NH8M69" ];
-}
diff --git a/nixos/nixos-generate/miguel-quick-install.sh b/nixos/nixos-generate/miguel-quick-install.sh
deleted file mode 100644
index 3c3e7cb..0000000
--- a/nixos/nixos-generate/miguel-quick-install.sh
+++ /dev/null
@@ -1,47 +0,0 @@
-PATH="$coreutils/bin"
-mkdir -p $out/bin
-cat >> $out/bin/miguel-quick-install << EOL
-#!$bash/bin/bash
-
-set -e # stop on error
-set -u # stop on undefined var
-
-echo
-echo =========================================================================
-echo == Welcome to Miguels Custom NixOS Quick Install ... Please Standby ==
-echo =========================================================================
-echo
-
-echo desired hosname = \$1
-echo
-
-echo 1. Create Target Partitions
-parted /dev/sda -- mklabel msdos
-parted /dev/sda -- mkpart primary 1MiB -8GiB
-mkfs.ext4 -L nixos /dev/sda1
-
-echo 2. Mount Target Partitions
-mkdir -p /mnt
-mount /dev/sda1 /mnt
-
-echo 3. Update Nix Channel
-nix-channel --update
-
-echo 4. Generate Configs
-nixos-generate-config --root /mnt
-cp $configextra /mnt/etc/nixos/config-extra.nix
-cp $configiso /mnt/etc/nixos/config-iso.nix
-cp $0 /mnt/etc/nixos/miguel-quick-install.sh
-cat $configextra | head -n -1 > /mnt/etc/nixos/configuration.nix
-echo "networking.hostName=\"\$1\";}" >> /mnt/etc/nixos/configuration.nix
-
-echo 5. Start NixOS Installer!
-nixos-install --no-root-passwd
-
-echo 6. Finished
-echo Please remove the installation media and reboot into your fresh NixOS!
-
-#reboot
-
-EOL
-chmod +x $out/bin/miguel-quick-install
diff --git a/nixos/nixos-generate/nixops.nix b/nixos/nixos-generate/nixops.nix
deleted file mode 100644
index 03384eb..0000000
--- a/nixos/nixos-generate/nixops.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- network.description = "My first NixOS cluster";
- network.enableRollback = true;
-
- comet = {
- imports = [ ../comet/configuration.nix ];
- deployment.targetHost = "comet.softwarefools.com";
- };
-
- nixos-01 = {config, pkgs,...}:
- {
- imports = [ ./config-extra.nix ];
- environment.systemPackages = with pkgs; [mc];
- deployment.targetHost = "nixos-01";
- };
-
- nixos-02 = {
- imports = [ ./config-extra.nix ];
- deployment.targetHost = "nixos-02";
- };
-
- nixos-03 = {
- imports = [ ./config-extra.nix ];
- deployment.targetHost = "nixos-03";
- };
-}
diff --git a/nixos/nixos-generate/shell.nix b/nixos/nixos-generate/shell.nix
deleted file mode 100644
index b1b4b16..0000000
--- a/nixos/nixos-generate/shell.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{ pkgs ? import <nixpkgs> {} }:
-with pkgs;
-mkShell {
- # nativeBuildInputs is usually what you want -- tools you need to run
- nativeBuildInputs = [ nixops nixos-generators ];
-} |
