diff --git a/flake.lock b/flake.lock index 9b14742..7079933 100644 --- a/flake.lock +++ b/flake.lock @@ -20,6 +20,55 @@ "url": "https://git.dodsorf.as/Dandellion/NUR.git" } }, + "dan_2": { + "inputs": { + "nixpkgs": [ + "wack-server-conf", + "dandellion", + "unstable" + ] + }, + "locked": { + "lastModified": 1656687988, + "narHash": "sha256-2ywoy3wUvFAyxDTw7VPlz5TGh9mk/um2AWOjhJqJxNQ=", + "ref": "refs/heads/master", + "rev": "7e85f62e40cd585ce81fa1f3debd5385bb0cad03", + "revCount": 160, + "type": "git", + "url": "https://git.dodsorf.as/Dandellion/NUR.git" + }, + "original": { + "type": "git", + "url": "https://git.dodsorf.as/Dandellion/NUR.git" + } + }, + "dandellion": { + "inputs": { + "dan": "dan_2", + "home-manager": "home-manager_2", + "nixgl": "nixgl_2", + "nixpkgs": [ + "wack-server-conf", + "nixpkgs" + ], + "nur": "nur_2", + "unstable": "unstable_2" + }, + "locked": { + "lastModified": 1699137267, + "narHash": "sha256-cBusl45B1nj9vpwYVLZamNYmSbHeama1IdWMlBl14Jo=", + "ref": "23.05", + "rev": "760228bcc60e27c94bb295106b7d470b0ebd9feb", + "revCount": 241, + "type": "git", + "url": "https://git.dodsorf.as/Dandellion/dotfiles.git" + }, + "original": { + "ref": "23.05", + "type": "git", + "url": "https://git.dodsorf.as/Dandellion/dotfiles.git" + } + }, "flake-utils": { "locked": { "lastModified": 1659877975, @@ -35,6 +84,21 @@ "type": "github" } }, + "flake-utils_2": { + "locked": { + "lastModified": 1659877975, + "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "greg-clients": { "inputs": { "nixpkgs": [ 
@@ -76,6 +140,51 @@ "type": "github" } }, + "home-manager_2": { + "inputs": { + "nixpkgs": [ + "wack-server-conf", + "dandellion", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1695108154, + "narHash": "sha256-gSg7UTVtls2yO9lKtP0yb66XBHT1Fx5qZSZbGMpSn2c=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "07682fff75d41f18327a871088d20af2710d4744", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-23.05", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_3": { + "inputs": { + "nixpkgs": [ + "wack-server-conf", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1695108154, + "narHash": "sha256-gSg7UTVtls2yO9lKtP0yb66XBHT1Fx5qZSZbGMpSn2c=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "07682fff75d41f18327a871088d20af2710d4744", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-23.05", + "repo": "home-manager", + "type": "github" + } + }, "nixgl": { "inputs": { "flake-utils": "flake-utils", @@ -97,6 +206,29 @@ "type": "github" } }, + "nixgl_2": { + "inputs": { + "flake-utils": "flake-utils_2", + "nixpkgs": [ + "wack-server-conf", + "dandellion", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1685908677, + "narHash": "sha256-E4zUPEUFyVWjVm45zICaHRpfGepfkE9Z2OECV9HXfA4=", + "owner": "guibou", + "repo": "nixGL", + "rev": "489d6b095ab9d289fe11af0219a9ff00fe87c7c5", + "type": "github" + }, + "original": { + "owner": "guibou", + "repo": "nixGL", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1723688146, 
@@ -113,13 +245,44 @@ "type": "github" } }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1698544399, + "narHash": "sha256-vhRmPyEyoPkrXF2iykBsWHA05MIaOSmMRLMF7Hul6+s=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "d87c5d8c41c9b3b39592563242f3a448b5cc4bc9", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, "nur": { "locked": { - "lastModified": 1723849682, - "narHash": "sha256-uu7U8afWM5+fpg3ox073GcrCHFXNE5mLg6IpfG2Vr3E=", + "lastModified": 1723859387, + "narHash": "sha256-1a4zDw0wIH/7Yg0tvIusrkBAZlcQkpQBkqZtPYnBsCw=", "owner": "nix-community", "repo": "NUR", - "rev": "401628ec50d326030e81aa44a37adf8ca876b72a", + "rev": "b43ecc46a848d0107b17091e2cd74cb442e28885", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "NUR", + "type": "github" + } + }, + "nur_2": { + "locked": { + "lastModified": 1699131694, + "narHash": "sha256-dKWORPD0ODREKihqCZqEqc1zJ3wACmoMmuf2BGg3DbE=", + "owner": "nix-community", + "repo": "NUR", + "rev": "6226a48fb329802a63da2babbdd2d375713af333", "type": "github" }, "original": { @@ -136,7 +299,30 @@ "nixgl": "nixgl", "nixpkgs": "nixpkgs", "nur": "nur", - "unstable": "unstable" + "unstable": "unstable", + "wack-server-conf": "wack-server-conf" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "wack-server-conf", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1699021419, + "narHash": "sha256-oy2j2OHXYcckifASMeZzpmbDLSvobMGt0V/RvoDotF4=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "275b28593ef3a1b9d05b6eeda3ddce2f45f5c06f", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" } }, "unstable": { 
@@ -154,6 +340,62 @@ "repo": "nixpkgs", "type": "github" } + }, + "unstable_2": { + "locked": { + "lastModified": 1699094435, + "narHash": "sha256-YLZ5/KKZ1PyLrm2MO8UxRe4H3M0/oaYqNhSlq6FDeeA=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "9d5d25bbfe8c0297ebe85324addcb5020ed1a454", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "unstable_3": { + "locked": { + "lastModified": 1698924604, + "narHash": "sha256-GCFbkl2tj8fEZBZCw3Tc0AkGo0v+YrQlohhEGJ/X4s0=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "fa804edfb7869c9fb230e174182a8a1a7e512c40", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "wack-server-conf": { + "inputs": { + "dandellion": "dandellion", + "home-manager": "home-manager_3", + "nixpkgs": [ + "nixpkgs" + ], + "sops-nix": "sops-nix", + "unstable": "unstable_3" + }, + "locked": { + "lastModified": 1699656973, + "narHash": "sha256-csFw6I3dhPR9seG+mRnonlWCYm32mfLYb3Ga+vjS9Ak=", + "owner": "WackAttackCTF", + "repo": "wack-server-conf", + "rev": "77551a8f183a503653db3118a97f856af5301ec5", + "type": "github" + }, + "original": { + "owner": "WackAttackCTF", + "repo": "wack-server-conf", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 6c08853..cd79784 100644 --- a/flake.nix +++ b/flake.nix @@ -17,6 +17,9 @@ dan.url = "git+https://git.dodsorf.as/Dandellion/NUR.git"; #"git+https://git.dodsorf.as/Dandellion/NUR"; dan.inputs.nixpkgs.follows = "unstable"; + wack-server-conf.url = "github:WackAttackCTF/wack-server-conf"; + wack-server-conf.inputs.nixpkgs.follows = "nixpkgs"; + greg-clients.url = "git+https://git.pvv.ntnu.no/Projects/grzegorz-clients"; greg-clients.inputs.nixpkgs.follows = "unstable"; 
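Review bot: `wack-server-conf.url = "github:WackAttackCTF/wack-server-conf"` carries no `ref` or `rev`, and hosts/soryu/wack.nix imports `users/default.nix` from that input, so the set of accounts (and presumably SSH keys) admitted into the exposed container is whatever that repository's default branch holds at the next `nix flake update`. The lock file pins it today (rev 77551a8…), which keeps builds reproducible, but the trust decision stays implicit in a third party's branch. Consider pinning an explicit commit, `wack-server-conf.url = "github:WackAttackCTF/wack-server-conf?rev=77551a8f183a503653db3118a97f856af5301ec5";`, or at least a comment on this line stating that bumping this input changes who can log in and must be reviewed. The `inputs` attrset this hunk edits starts before the hunk.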
@@ -63,6 +66,18 @@ // mkHomes [ "desktop" ] { username = "dan"; } // mkHomes [ "pvv-terminal" ] { username = "danio"; homeDirectory = "/home/pvv/d/danio"; }; + nixosConfigurations = { + soryu = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = { + inherit inputs; + }; + modules = [ + ./hosts/soryu/configuration.nix + ]; + }; + }; + nixosModules = { home-manager = nixlib.genAttrs allMachines (machine: import ./home/machines/${machine}.nix); }; diff --git a/hosts/soryu/0001-gnunet-fs-log.patch b/hosts/soryu/0001-gnunet-fs-log.patch new file mode 100644 index 0000000..1f3e476 --- /dev/null +++ b/hosts/soryu/0001-gnunet-fs-log.patch @@ -0,0 +1,14 @@ +diff --git a/src/fs/gnunet-service-fs.c b/src/fs/gnunet-service-fs.c +index 597e89e..aaade99 100644 +--- a/src/fs/gnunet-service-fs.c ++++ b/src/fs/gnunet-service-fs.c +@@ -1234,7 +1234,8 @@ peer_init_handler (void *cls, + my_identity)) + { + GNUNET_log (GNUNET_ERROR_TYPE_ERROR, +- "Peer identity mismatch, refusing to start!\n"); ++ "Peer identity mismatch, refusing to start! Core delivered %s.\n", ++ GNUNET_i2s (my_identity)); + GNUNET_SCHEDULER_shutdown (); + } + } diff --git a/hosts/soryu/ai.nix b/hosts/soryu/ai.nix new file mode 100644 index 0000000..8578ea7 --- /dev/null +++ b/hosts/soryu/ai.nix 
@@ -0,0 +1,40 @@
+{ config, lib, pkgs, ... }:
+
+{
+ systemd.nspawn.ubuntu-ai = {
+ execConfig = {
+ Boot = true;
+ };
+ networkConfig = {
+ Private = false;
+ };
+ filesConfig = {
+ BindReadOnly = [
+ "/etc/resolv.conf:/etc/resolv.conf"
+ ];
+ Bind = [
+ "/dev/dri:/dev/dri"
+ "/dev/kfd:/dev/kfd"
+ "/mnt/human/llama:/llama"
+ "/mnt/human/sd:/sd"
+ ];
+ };
+ };
+
+ systemd.services."systemd-nspawn@ubuntu-ai" = {
+ environment = {
+ SYSTEMD_NSPAWN_TMPFS_TMP = "0";
+ };
+ serviceConfig = {
+ CPUQuota = "300%";
+ MemoryHigh = "14G";
+ MemoryMax = "15G";
+ MemorySwapMax = "25G";
+ ExecStart = "systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-veth -U --settings=override --machine=%i -D /mnt/human/machines/ubuntu-ai";
+ };
+ # overrideStrategy = "asDropin";
+ };
+
+
+
+}
diff --git a/hosts/soryu/configuration.nix b/hosts/soryu/configuration.nix
new file mode 100644
index 0000000..1efe62c
--- /dev/null
+++ b/hosts/soryu/configuration.nix
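Review bot: `networkConfig.Private = false` in the `.nspawn` unit contradicts the `--network-veth` passed in `ExecStart`, and since `--settings=override` lets the `.nspawn` file win, the Ubuntu guest most likely runs in the host's network namespace: anything it listens on (a web UI for the models under `/llama` and `/sd`, its sshd) is bound on host interfaces and, given the host's all-ports rule for `tailscale0` in configuration.nix, reachable by every tailnet peer. If the guest is meant to be reachable, prefer `Private = true;` plus `VirtualEthernet = true;` and explicit port exposure; otherwise add a comment stating that host networking is intentional. Note also that declaring `systemd.services."systemd-nspawn@ubuntu-ai"` as a full unit shadows the upstream `systemd-nspawn@.service` template for this instance, so as far as I can tell its `DevicePolicy=closed`/`DeviceAllow=` list, `Delegate=yes` and `Type=notify` are not inherited — the commented `overrideStrategy = "asDropin"` is the cleaner way to add only the resource limits and keep the template (the `-U` user-namespace mapping is good and should stay either way).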
@@ -0,0 +1,231 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, lib, pkgs, ... }: + +{ + imports = + [ # Include the results of the hardware scan. + ./hardware-configuration.nix + ./tahoe.nix + ./gnunet-module.nix + ./wack.nix + ./ai.nix + ]; + +# programs.adb.enable = true; + + systemd.enableEmergencyMode = false; + + networking.hostName = "soryu"; + networking.extraHosts = '' + 127.0.0.1 modules-cdn.eac-prod.on.epicgames.com #Star Citizen EAC workaround + ''; + + # Star Citizen resource limits + boot.kernel.sysctl = { + "vm.max_map_count" = 16777216; + "fs.file-max" = 524288; + }; + + + disabledModules = [ + "services/network-filesystems/tahoe.nix" + "services/networking/gnunet.nix" + ]; + + services.resolved.enable = true; + services.resolved.dnssec = "false"; + + services.gnome.gnome-keyring.enable = true; + +# services.tahoe.nodes.pvv-danio-desktop = { +# settings = { +# storage.enabled = true; +# storage.storage_dir = "/mnt/human/tahoe-lafs/pvv"; +# client."shares.total" = 10; +# client."shares.needed" = 4; +# client."shares.happy" = 1; +# }; +# }; + + +# services.gnunet = { +# enable = true; +# package = pkgs.callPackage ./gnunet.nix { }; +# settings = { +# hostlist = { +# OPTIONS = "-b -e"; +# SERVERS = "http://v15.gnunet.org/hostlist https://gnunet.io/hostlist"; +# }; +## nat = { +## BEHIND_NAT = "YES"; +## ENABLE_UPNP = "NO"; +## DISABLEV6 = "YES"; +## }; +# ats = { +# WAN_QUOTA_IN = "unlimited"; +# WAN_QUOTA_OUT = "unlimited"; +# }; +# }; +# }; + + ids.gids.gnunetdns = 327; + + + # services.gnunet = { + # enable = true; + # extraOptions = '' + # [hostlist] + # OPTIONS = -b -e + # SERVERS = http://v11.gnunet.org:58080/ + # HTTPPORT = 8080 + # HOSTLISTFILE = $SERVICEHOME/hostlists.file + # [arm] + # START_SYSTEM_SERVICES = YES + # START_USER_SERVICES = NO + # ''; + # }; + + + 
services.murmur = { + enable = true; + # registerName = "DODSORFAS"; + welcometext = "Dans PC at singsaker smh backup mumble server"; + }; + + # Use the systemd-boot EFI boot loader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + #boot.kernelParams = ["radeon.cik_support=0" "amdgpu.cik_support=1"]; + boot.extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ]; + boot.kernelPackages = pkgs.linuxPackages_latest; + boot.kernelModules = [ "kvm-intel" ]; + + + programs.steam = { + enable = true; + remotePlay.openFirewall = false; # Open ports in the firewall for Steam Remote Play + dedicatedServer.openFirewall = false; # Open ports in the firewall for Source Dedicated Server + }; + + nixpkgs.config = { + allowUnfree = true; + }; + + services.tailscale.enable = true; + + networking.firewall.interfaces."tailscale0" = let + all = { from = 0; to = 65535; }; + in { + allowedUDPPortRanges = [ all ]; + allowedTCPPortRanges = [ all ]; + }; + + # Select internationalisation properties. + console.keyMap = "no-latin1"; + + time.timeZone = "Europe/Oslo"; + + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + wget vim git + ]; + + # Some programs need SUID wrappers, can be configured further or are + # started in user sessions. + # programs.mtr.enable = true; + # programs.gnupg.agent = { enable = true; enableSSHSupport = true; }; + + # List services that you want to enable: + + # Enable the OpenSSH daemon. + services.openssh.enable = true; + + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. 
+ networking.firewall.enable = true; + networking.firewall.allowedTCPPorts = [ 8000 6007 5001 config.services.murmur.port ]; + networking.firewall.allowedUDPPorts = [ 5001 21977 config.services.murmur.port ]; + + + + # Enable CUPS to print documents. + # services.printing.enable = true; + + + security.rtkit.enable = true; + services.pipewire = { + enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + jack.enable = true; + }; + + + +# systemd.tmpfiles.rules = [ +# "L+ /opt/rocm/hip - - - - ${pkgs.hip}" +# ]; + + + hardware.opengl.driSupport = true; + hardware.opengl.driSupport32Bit = true; + hardware.opengl.extraPackages = with pkgs; [ + libva + rocmPackages.clr.icd + ]; + + # Enable the X11 windowing system. + services.xserver.enable = true; + services.xserver.layout = "no"; + # services.xserver.xkbOptions = "eurosign:e"; + + services.xserver.displayManager.lightdm.enable = true; + services.xserver.videoDrivers = ["amdgpu"]; + + + + programs.zsh.enable = true; + + virtualisation.docker.enable = true; + virtualisation.libvirtd.enable = true; + + +# networking.nameservers = lib.mkForce [ "192.168.0.25" ]; + + + +# services.ipfs.enable = true; +# services.ipfs.gatewayAddress = "/ip4/127.0.0.1/tcp/5002"; + + nix.trustedUsers = [ "dan" ]; + nix.extraOptions = '' + experimental-features = nix-command flakes + ''; + + users.users.dan = { + isNormalUser = true; + uid = 1001; + shell = pkgs.zsh; + extraGroups = [ "wheel" "networkmanager" "docker" "video" "gnunet" "libvirtd" ]; + initialPassword = "Abc123"; + }; + + programs.dconf.enable = true; + services.dbus.packages = with pkgs; [ dconf ]; + + # This value determines the NixOS release with which your system is to be + # compatible, in order to avoid breaking some software such as database + # servers. You should change this only after NixOS release notes say you + # should. + system.stateVersion = "19.03"; # Did you read the comment? + +} + 
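Review bot: `initialPassword = "Abc123"` is a guessable credential committed for an account in `wheel`, `docker` and `libvirtd`, on a host that enables `services.openssh` with NixOS's default of password authentication on and opens every TCP/UDP port to the tailnet via the `tailscale0` rule. `initialPassword` only applies when the user is first created, but any reinstall from this repository starts with it; prefer `hashedPasswordFile = "/path/outside/the/store";` (or `passwordFile` on older channels) and disable password logins with `services.openssh.settings.PasswordAuthentication = false;`. The firewall ports `8000 6007 5001` (TCP) and `5001 21977` (UDP) deserve a comment each naming the service they belong to, since nothing visible in this configuration uses them. `nix.trustedUsers` is the pre-22.05 spelling of `nix.settings.trusted-users`; it still works but emits a deprecation warning on every evaluation.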
diff --git a/hosts/soryu/gnunet-module.nix b/hosts/soryu/gnunet-module.nix
new file mode 100644
index 0000000..a66afb1
--- /dev/null
+++ b/hosts/soryu/gnunet-module.nix
@@ -0,0 +1,109 @@ +{config, lib, pkgs, ...}: +let + cfg = config.services.gnunet; + format = pkgs.formats.ini { }; + + configFile = format.generate "gnunet-config.conf" cfg.settings; +in +{ + options = { + services.gnunet = { + enable = lib.mkEnableOption "GNUnet daemon"; + package = lib.mkPackageOption pkgs "gnunet" { }; + settings = lib.mkOption { + type = lib.types.submodule { + freeformType = format.type; + options = { + transport-udp.PORT = lib.mkOption { + default = 2086; + type = lib.types.port; + description = "The UDP port for use by GNUnet."; + }; + }; + }; + }; + }; + }; + + config = lib.mkIf cfg.enable { + users.users.gnunet = { + group = "gnunet"; + description = "GNUnet User"; + uid = config.ids.uids.gnunet; + }; + users.groups.gnunet.gid = config.ids.gids.gnunet; + users.groups.gnunetdns.gid = config.ids.gids.gnunetdns; + + # TODO: Avoid putting these in $PATH + security.wrappers = let + mkGnunetSuid = source: { + setuid = true; + owner = "root"; + group = "gnunet"; + permissions = "o+rx,o-w,g+rx,g-w,o-rwx"; + inherit source; + }; + helpers = b: "${cfg.package}/lib/gnunet/libexec/${b}"; + in { + gnunet-helper-vpn = mkGnunetSuid (helpers "gnunet-helper-vpn"); + # These don't exist + #gnunet-helper-transport-wlan = mkGnunetSuid (helpers "gnunet-helper-transport-wlan"); + #gnunet-helper-transport-bluetooth = mkGnunetSuid (helpers "gnunet-helper-transport-bluetooth"); + gnunet-helper-exit = mkGnunetSuid (helpers "gnunet-helper-exit"); + gnunet-helper-nat-server = mkGnunetSuid (helpers "gnunet-helper-nat-server"); + gnunet-helper-nat-client = mkGnunetSuid (helpers "gnunet-helper-nat-client"); + # > The binary should then be owned by root and be in group "gnunetdns" + # > and be installed SUID and only be group-executable (2750). 
+ # But logically it should be 4750 + gnunet-helper-dns = { + setuid = true; + owner = "root"; + group = "gnunetdns"; + permissions = "o+rx,o-w,g+rx,g-w,o-rwx"; + source = (helpers "gnunet-helper-dns"); + }; + gnunet-service-dns = { + setgid = true; + owner = "root"; + group = "gnunetdns"; + permissions = "o+rx,o-w,g-rwx,o-rwx"; + source = (helpers "gnunet-service-dns"); + }; + }; + + services.gnunet.settings = { + arm = { + START_SYSTEM_SERVICES = lib.mkDefault "YES"; + START_USER_SERVICES = lib.mkDefault "NO"; + }; + dns = { + BINARY = lib.mkDefault "/run/wrappers/bin/gnunet-service-dns"; + }; + PATHS = { + SUID_BINARY_PATH = lib.mkDefault "/run/wrappers/bin"; + GNUNET_HOME = lib.mkDefault "/var/lib/gnunet"; + GNUNET_RUNTIME_DIR = lib.mkDefault "/run/gnunet"; + GNUNET_USER_RUNTIME_DIR = lib.mkDefault "/run/gnunet"; + GNUNET_DATA_HOME = lib.mkDefault "/var/lib/gnunet/data"; + }; + }; + + systemd.services.gnunet = { + description = "GNUnet system deamon"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + path = [ cfg.package pkgs.miniupnpc ]; + serviceConfig = { + ExecStart = "${cfg.package}/lib/gnunet/libexec/gnunet-service-arm -c ${configFile}"; + User = "gnunet"; + Group = "gnunet"; + StateDirectory = "gnunet"; + StateDirectoryMode = "0700"; + WorkingDirectory = "/var/lib/gnunet"; + RuntimeDirectory = "gnunet"; + }; + }; + + environment.systemPackages = [ cfg.package ]; + }; +} diff --git a/hosts/soryu/gnunet.nix b/hosts/soryu/gnunet.nix new file mode 100644 index 0000000..9a5fd6a --- /dev/null +++ b/hosts/soryu/gnunet.nix 
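Review bot: the `permissions` strings are self-contradicting (`o+rx` followed later by `o-rwx`), and for `gnunet-service-dns` the result looks like a binary nobody can execute: as I read NixOS's wrapper setup it starts from mode 0000 and applies `g+s` plus this string in order, so `o+rx,o-w,g-rwx,o-rwx` leaves no execute bit at all and the `dns.BINARY` path can never be started by the `gnunet` user that runs arm. GNUnet's install notes want that service setgid `gnunetdns` and world-executable, i.e. `permissions = "u+rx,g+rx,o+rx";`, and the SUID helpers root:`gnunet` 4750, i.e. `permissions = "u+rx,g+rx";` in `mkGnunetSuid` (the `gnunet-helper-dns` entry then wants the same string with group `gnunetdns`, which is what its own comment asks for). Keep in mind that `dan` is added to the `gnunet` group in configuration.nix, which is exactly what lets a login user run these setuid-root helpers directly from `/run/wrappers/bin`; that is GNUnet's design, but a comment next to `mkGnunetSuid` saying so would save the next reader a surprise, and the TODO about keeping them off `$PATH` still stands.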
@@ -0,0 +1,82 @@ +{ lib, stdenv, fetchurl, adns, curlWithGnuTls, gettext, gmp, gnutls, libextractor +, libgcrypt, libgnurl, libidn, libmicrohttpd, libtool, libunistring +, makeWrapper, ncurses, pkg-config, libxml2, sqlite, zlib +, libpulseaudio, libopus, libogg, jansson, libsodium + +, postgresqlSupport ? true, postgresql }: + +stdenv.mkDerivation rec { + pname = "gnunet"; + version = "0.19.4"; + + src = fetchurl { + url = "mirror://gnu/gnunet/${pname}-${version}.tar.gz"; + sha256 = "sha256-AKY99AjVmH9bqaUEQfKncYK9n7MvHjAq5WOslOesAJs="; + }; + + patches = [ + ./0001-gnunet-fs-log.patch + ]; + + enableParallelBuilding = true; + + nativeBuildInputs = [ pkg-config libtool makeWrapper ]; + buildInputs = [ + adns curlWithGnuTls gmp gnutls libextractor libgcrypt libgnurl libidn + libmicrohttpd libunistring libxml2 ncurses gettext libsodium + sqlite zlib libpulseaudio libopus libogg jansson + ] ++ lib.optional postgresqlSupport postgresql; + + + configureFlags = ["--enable-logging=verbose"]; + + preConfigure = '' + # Brute force: since nix-worker chroots don't provide + # /etc/{resolv.conf,hosts}, replace all references to `localhost' + # by their IPv4 equivalent. + find . \( -name \*.c -or -name \*.conf \) | \ + xargs sed -ie 's|\|127.0.0.1|g' + + # Make sure the tests don't rely on `/tmp', for the sake of chroot + # builds. + find . \( -iname \*test\*.c -or -name \*.conf \) | \ + xargs sed -ie "s|/tmp|$TMPDIR|g" + + sed -ie 's|@LDFLAGS@|@LDFLAGS@ $(Z_LIBS)|g' \ + src/regex/Makefile.in \ + src/fs/Makefile.in + ''; + + # unfortunately, there's still a few failures with impure tests + doCheck = false; + checkPhase = '' + export GNUNET_PREFIX="$out" + export PATH="$out/bin:$PATH" + make -k check + ''; + + meta = with lib; { + description = "GNU's decentralized anonymous and censorship-resistant P2P framework"; + + longDescription = '' + GNUnet is a framework for secure peer-to-peer networking that + does not use any centralized or otherwise trusted services. 
A + first service implemented on top of the networking layer + allows anonymous censorship-resistant file-sharing. Anonymity + is provided by making messages originating from a peer + indistinguishable from messages that the peer is routing. All + peers act as routers and use link-encrypted connections with + stable bandwidth utilization to communicate with each other. + GNUnet uses a simple, excess-based economic model to allocate + resources. Peers in GNUnet monitor each others behavior with + respect to resource usage; peers that contribute to the + network are rewarded with better service. + ''; + + homepage = "https://gnunet.org/"; + license = licenses.agpl3Plus; + maintainers = with maintainers; [ pstn vrthra ]; + platforms = platforms.gnu ++ platforms.linux; + changelog = "https://git.gnunet.org/gnunet.git/tree/ChangeLog?h=v${version}"; + }; +} diff --git a/hosts/soryu/hardware-configuration.nix b/hosts/soryu/hardware-configuration.nix new file mode 100644 index 0000000..36a3461 --- /dev/null +++ b/hosts/soryu/hardware-configuration.nix 
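Review bot: this file is a full copy of nixpkgs' gnunet derivation frozen at 0.19.4 in order to add one logging patch, so security fixes that land in nixpkgs' `gnunet` no longer reach this host unless someone re-copies the file; the same result comes from `package = pkgs.gnunet.overrideAttrs (old: { patches = (old.patches or [ ]) ++ [ ./0001-gnunet-fs-log.patch ]; });` with no vendored build recipe. As far as this commit shows the file is not even referenced: the `package = pkgs.callPackage ./gnunet.nix { }` line in configuration.nix is commented out, as is `services.gnunet.enable`. If it stays, two things in `preConfigure` deserve a look: the first `sed` pattern renders here as `s|\|127.0.0.1|g`, which taken literally matches the empty string and would splice `127.0.0.1` between every character (nixpkgs' original uses `\<localhost\>`, so this may be a rendering artifact — please verify in the repository), and `sed -ie` treats `e` as the `-i` backup suffix and litters `*.ce` files through the source tree. `doCheck = false` is inherited from nixpkgs and fine, but the comment should say the tests are skipped because they are network-impure rather than because they fail.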
@@ -0,0 +1,53 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/ea6aa4dc-47bd-499c-8b51-c5d99a5a5a5e"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/EE37-4B85"; + fsType = "vfat"; + }; + + fileSystems."/mnt/henning" = + { device = "/dev/disk/by-uuid/0c16a107-fe7a-472e-881d-a28bc305988b"; + fsType = "ext4"; + }; + + fileSystems."/mnt/human" = + { device = "/dev/disk/by-uuid/2d2b84b2-58b4-47a9-b328-cd4984927e48"; + fsType = "ext4"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/9969ac13-32c6-4f44-a706-cc810fe8339b"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.docker0.useDHCP = lib.mkDefault true; + # networking.interfaces.eno1.useDHCP = lib.mkDefault true; + # networking.interfaces.tailscale0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + # high-resolution display +} 
diff --git a/hosts/soryu/tahoe.nix b/hosts/soryu/tahoe.nix
new file mode 100644
index 0000000..042f249
--- /dev/null
+++ b/hosts/soryu/tahoe.nix
@@ -0,0 +1,293 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.services.tahoe; + format = pkgs.formats.ini { }; +in + { + options.services.tahoe = { + introducers = mkOption { + default = {}; + type = with types; attrsOf (submodule { + options = { + settings = mkOption { + type = types.submodule { + freeformType = format.type; + options = { + node.nickname = mkOption { + type = types.str; + description = "The nickname of this Tahoe introducer."; + }; + node."tub.port" = mkOption { + default = 3458; + type = types.port; + description = "The port on which the introducer will listen."; + }; + node."tub.location" = mkOption { + type = types.nullOr types.str; + description = '' + The external location that the introducer should listen on. + If specified, the port should be included. + ''; + }; + }; + }; + description = "Freeform settings for the introducer"; + }; + package = mkOption { + default = pkgs.tahoe-lafs; + defaultText = literalExpression "pkgs.tahoe-lafs"; + type = types.package; + description = "The package to use for the Tahoe LAFS daemon."; + }; + }; + }); + description = lib.mdDoc "The Tahoe introducers."; + }; + nodes = mkOption { + default = {}; + type = with types; attrsOf (submodule ({name, config, ...}: { + options = { + settings = mkOption { + type = types.submodule { + freeformType = format.type; + options = { + node.nickname = mkOption { + type = types.str; + description = "Value to display in management tools."; + default = name; + }; + node."tub.port" = mkOption { + type = types.oneOf [ types.str types.port (types.enum [ "disabled" null ]) ]; + description = "A twisted server endpoint specification for receiving connections from other nodes."; + example = "tcp:12345:interface=127.0.0.1"; + default = 3457; + }; + node."tub.location" = mkOption { + type = types.either types.str (types.enum [ "disabled" null ]); + description = "comma separated connection strings that can be reached publically."; + example = 
"tcp:mynode.example.com:3457,AUTO"; + default = "AUTO"; + }; + node."web.port" = mkOption { + type = types.nullOr (types.either types.str types.port); + description = "Twisted strport specification for webui and REST-api."; + example = "tcp:3456:interface=127.0.0.1"; + default = 3456; + }; + client."shares.needed" = mkOption { + type = types.ints.between 1 256; + description = "Default amount of shares needed to reconstruct an uploaded file."; + default = 3; + }; + client."shares.total" = mkOption { + type = types.ints.between 1 256; + description = "Default amount of shares a file is split into."; + default = 10; + }; + client."shares.happy" = mkOption { + type = types.ints.positive; + description = '' + How spread out should your shares be. + Can be smaller than needed, but not more than amount of servers available."; + ''; + default = 7; + }; + client."mutable.format" = mkOption { + type = types.enum [ "sdmf" "mdmf" ]; + description = '' + What format to save mutable files in. + SDMF is useful when some nodes on your network run an older version of Tahoe-LAFS. + MDMF supports inplace modification and streaming downloads. 
+ ''; + default = "sdmf"; + }; + storage.enabled = mkEnableOption "storage service"; + storage.anonymous = mkOption { + type = types.bool; + description = "Whether to expose storage with just the FURL and no other authentication."; + default = true; + }; + storage.reserved_space = mkOption { + type = types.str; + description = "The minimum amount of free disk space to keep."; + default = "1G"; + }; + helper.enabled = mkEnableOption "helper service"; + sftpd.enabled = mkEnableOption "sftpd service"; + sftpd.port = mkOption { + type = types.nullOr types.str; + description = "A twisted connection string to listen on for the sftpd service."; + example = "tcp:8022:interface=127.0.0.1"; + default = null; + }; + sftpd.host_pubkey_file = mkOption { + type = types.nullOr types.path; + description = "Path to ssh public key to use for the service."; + default = null; + }; + sftpd.host_privkey_file = mkOption { + type = types.nullOr types.path; + description = "Path to ssh private key to use for the service."; + default = null; + }; + }; + }; + description = "freeform options for a normal tahoe-lafs node"; + }; + client.introducersFile = mkOption { + type = types.nullOr types.path; + description = "Path to a secret file containing introducers, will be placed in private/introducers.yaml"; + default = null; + }; + client.helperFile = mkOption { + type = types.nullOr types.path; + description = "Secret file containing a furl to use as a helper."; + default = null; + }; + sftpd.accountsFile = mkOption { + type = types.nullOr types.path; + description = "Path to the accounts file. Will be copied to private/accounts"; + default = null; + }; + package = mkOption { + default = pkgs.tahoe-lafs; + defaultText = literalExpression "pkgs.tahoelafs"; + type = types.package; + description = lib.mdDoc '' + The package to use for the Tahoe LAFS daemon. 
+ ''; + }; + }; + })); + description = "The Tahoe nodes."; + }; + }; + config = mkMerge [ + (mkIf (cfg.introducers != {}) { + environment = { + etc = flip mapAttrs' cfg.introducers (node: settings: + nameValuePair "tahoe-lafs/introducer-${node}.cfg" { + mode = "0444"; + source = format.generate "tahoe-lafs-introducer" settings.settings; + }); + # Actually require Tahoe, so that we will have it installed. + systemPackages = flip mapAttrsToList cfg.introducers (node: settings: + settings.package + ); + }; + systemd.services = flip mapAttrs' cfg.introducers (node: settings: + let + pidfile = "/run/tahoe.introducer-${node}.pid"; + # This is a directory, but it has no trailing slash. Tahoe commands + # get antsy when there's a trailing slash. + nodedir = "/var/db/tahoe-lafs/introducer-${node}"; + in nameValuePair "tahoe.introducer-${node}" { + description = "Tahoe LAFS node ${node}"; + wantedBy = [ "multi-user.target" ]; + path = [ settings.package ]; + restartTriggers = [ + config.environment.etc."tahoe-lafs/introducer-${node}.cfg".source ]; + serviceConfig = { + Type = "simple"; + PIDFile = pidfile; + # Believe it or not, Tahoe is very brittle about the order of + # arguments to $(tahoe run). The node directory must come first, + # and arguments which alter Twisted's behavior come afterwards. + ExecStart = '' + ${settings.package}/bin/tahoe run ${lib.escapeShellArg nodedir} --pidfile=${lib.escapeShellArg pidfile} + ''; + }; + preStart = '' + if [ ! -d ${lib.escapeShellArg nodedir} ]; then + mkdir -p /var/db/tahoe-lafs + # See https://github.com/NixOS/nixpkgs/issues/25273 + tahoe create-introducer \ + --hostname="${config.networking.hostName}" \ + ${lib.escapeShellArg nodedir} + fi + + # Tahoe has created a predefined tahoe.cfg which we must now + # scribble over. + # XXX I thought that a symlink would work here, but it doesn't, so + # we must do this on every prestart. Fixes welcome. 
+ # rm ${nodedir}/tahoe.cfg + # ln -s /etc/tahoe-lafs/introducer-${node}.cfg ${nodedir}/tahoe.cfg + cp /etc/tahoe-lafs/introducer-"${node}".cfg ${lib.escapeShellArg nodedir}/tahoe.cfg + ''; + }); + users.users = flip mapAttrs' cfg.introducers (node: _: + nameValuePair "tahoe.introducer-${node}" { + description = "Tahoe node user for introducer ${node}"; + isSystemUser = true; + group = "tahoe.introducer-${node}"; + }); + users.groups = flip mapAttrs' cfg.nodes (node: _: + nameValuePair "tahoe.introducer-${node}" { }); + }) + (mkIf (cfg.nodes != {}) { + environment = { + etc = flip mapAttrs' cfg.nodes (node: settings: + nameValuePair "tahoe-lafs/${node}.cfg" { + mode = "0444"; + source = let placeholderFile = lib.pipe settings.settings [ + (s: lib.recursiveUpdate + (lib.optionalAttrs (settings.client.helperFile != null) { client."helper.furl" = "@CLIENT_HELPER_FURL@"; }) + s) + ]; + in format.generate "tahoe-lafs-node" placeholderFile; + }); + # Actually require Tahoe, so that we will have it installed. +# systemPackages = flip mapAttrsToList cfg.nodes (node: settings: +# settings.package +# ); + }; + systemd.services = flip mapAttrs' cfg.nodes (node: settings: + let + pidfile = "/run/tahoe.${node}.pid"; + # This is a directory, but it has no trailing slash. Tahoe commands + # get antsy when there's a trailing slash. + nodedir = "/var/db/tahoe-lafs/${node}"; + in nameValuePair "tahoe.${node}" { + description = "Tahoe LAFS node ${node}"; + wantedBy = [ "multi-user.target" ]; + path = [ settings.package ]; + restartTriggers = [ + config.environment.etc."tahoe-lafs/${node}.cfg".source ]; + serviceConfig = { + Type = "simple"; + PIDFile = pidfile; + # Believe it or not, Tahoe is very brittle about the order of + # arguments to $(tahoe run). The node directory must come first, + # and arguments which alter Twisted's behavior come afterwards. 
+ ExecStart = '' + ${settings.package}/bin/tahoe run ${lib.escapeShellArg nodedir} --pidfile=${lib.escapeShellArg pidfile} + ''; + }; + preStart = '' + if [ ! -d ${lib.escapeShellArg nodedir} ]; then + mkdir -p /var/db/tahoe-lafs + tahoe create-node --hostname=localhost ${lib.escapeShellArg nodedir} + fi + + cp /etc/tahoe-lafs/${lib.escapeShellArg node}.cfg ${lib.escapeShellArg nodedir}/tahoe.cfg + '' + lib.optionalString (settings.client.helperFile != null) '' + ${pkgs.replace-secret}/bin/replace-secret '@CLIENT_HELPER_FURL@' ${settings.client.helperFile} ${lib.escapeShellArg nodedir}/tahoe.cfg + '' + lib.optionalString (settings.client.introducersFile != null) '' + cp "${config.settings.client.introducersFile}" ${lib.escapeShellArg nodedir}/private/introducers.yaml + '' + lib.optionalString (settings.sftpd.accountsFile != null) '' + cp "${config.settings.client.introducersFile}" ${lib.escapeShellArg nodedir}/private/accounts + ''; + }); + users.users = flip mapAttrs' cfg.nodes (node: _: + nameValuePair "tahoe.${node}" { + description = "Tahoe node user for node ${node}"; + isSystemUser = true; + group = "tahoe.${node}"; + }); + users.groups = flip mapAttrs' cfg.nodes (node: _: + nameValuePair "tahoe.${node}" { }); + }) + ]; + } diff --git a/hosts/soryu/wack.nix b/hosts/soryu/wack.nix new file mode 100644 index 0000000..8fd336f --- /dev/null +++ b/hosts/soryu/wack.nix 
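Review bot: the two secret-file copies at the end of the node `preStart` reference `config.settings.client.introducersFile`, but in that scope `config` is the whole NixOS configuration, which has no `settings` attribute, and the second copy should be the accounts file anyway; as written, setting either option aborts evaluation, and the correct lines are `cp "${settings.client.introducersFile}" ${lib.escapeShellArg nodedir}/private/introducers.yaml` and `cp "${settings.sftpd.accountsFile}" ${lib.escapeShellArg nodedir}/private/accounts`. In the introducer branch, `users.groups` is built from `cfg.nodes` instead of `cfg.introducers`, so an introducer's primary group only exists when a node of the same name is also declared. Neither service sets `User=`/`Group=`, so `tahoe run` — and the node keys, helper furl and SFTP accounts file it copies into `private/` — run and live as root while the `tahoe.${node}` users created below stay unused; adding `User = "tahoe.${node}"; Group = "tahoe.${node}";` means `preStart` must run privileged (or via `StateDirectory`) and `nodedir` must be chowned, so treat it as a follow-up rather than a one-liner. Finally, `tahoe.cfg` is copied from a 0444 file under /etc and then has `@CLIENT_HELPER_FURL@` substituted in place, so the helper furl presumably ends up world-readable unless the node directory itself is private — a `chmod 0600` after the copy is cheap insurance.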
@@ -0,0 +1,72 @@
+{ config, lib, pkgs, inputs, ... }:
+
+{
+
+ networking.firewall.allowedTCPPorts = [ 1337 ];
+
+ networking.nat.forwardPorts = [
+ {
+ destination = "${config.containers.ireul.hostAddress}:1337";
+ proto = "tcp";
+ sourcePort = 1337;
+ }
+ ];
+
+ containers.ireul = {
+ bindMounts."/wordlists" = {
+ hostPath = "/mnt/human/wordlists";
+ isReadOnly = false;
+ };
+ privateNetwork = true;
+ hostAddress = "192.168.10.1";
+ localAddress = "192.168.10.2";
+ forwardPorts = [
+ { containerPort = 1337;
+ hostPort = 1337;
+ protocol = "tcp";
+ }
+ ];
+
+ bindMounts."/dev/dri" = {
+ hostPath = "/dev/dri";
+ isReadOnly = false;
+ };
+ bindMounts."/dev/kfd" = {
+ hostPath = "/dev/kfd";
+ isReadOnly = false;
+ };
+ bindMounts."/run/opengl-driver" = {
+ hostPath = "/run/opengl-driver";
+ isReadOnly = false;
+ };
+
+ allowedDevices = [
+ { node = "/dev/dri/card0"; modifier = "rw"; }
+ { node = "/dev/dri/renderD128"; modifier = "rw"; }
+ { node = "/dev/kfd"; modifier = "rw"; }
+ ];
+
+ config = { config, pkgs, ... }: {
+ services.openssh.enable = true;
+ services.openssh.ports = [ 1337 ];
+
+ environment.systemPackages = with pkgs; [
+ hashcat
+ hashcat-utils
+ john
+
+ kitty.terminfo
+ ];
+
+ users.groups.video.members = builtins.attrNames config.users.users;
+
+
+ programs.zsh.enable = true;
+ imports = [ (inputs.wack-server-conf + /users/default.nix) ];
+
+ system.stateVersion = "23.05";
+ };
+ };
+
+}
+
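Review bot: `users.groups.video.members = builtins.attrNames config.users.users` puts every account in the container — root, sshd, nobody and any other system user — into `video`, which is what grants access to the bind-mounted `/dev/dri` and `/dev/kfd`; restrict it to login users with `users.groups.video.members = builtins.attrNames (lib.filterAttrs (_: u: u.isNormalUser) config.users.users);` and take `lib` in the inner module's argument set. `/run/opengl-driver` is mounted with `isReadOnly = false`, yet nothing in the container needs to write the host's driver store, so that mount should be read-only; the same question applies to the rw `/wordlists` mount. Keep in mind that NixOS declarative containers are not a hard security boundary (root inside can affect the host), and this one exposes sshd on port 1337 to the outside through both the host firewall and NAT, with its user list and keys imported from the unpinned `wack-server-conf` input — so the set of people who can reach a near-host shell changes whenever that input is bumped. A comment on `allowedDevices` naming which host GPU `card0`/`renderD128` are would help the next reader.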