From 019c139a5cb3b2fccca8e7b64c3f10d2f20b918d Mon Sep 17 00:00:00 2001 From: Peder Bergebakken Sundt Date: Fri, 24 Feb 2023 21:36:30 +0100 Subject: [PATCH] Initial commit
---
 cachix.nix | 13 + cachix/cuda-maintainers.nix | 13 + configuration.nix | 278 +++++-------------- hardware-configuration.nix | 33 +++ overlays/default.nix | 55 ++-- profiles/autossh-reverse-tunnels/default.nix | 37 +++ profiles/code-remote/default.nix | 90 ++++-- profiles/code-remote/default.nix.bak | 113 ++++++++ profiles/nas/default.nix | 117 ++++---- profiles/nfs-reidun/default.nix | 62 +++++ profiles/remote-builders/default.nix | 94 +++++++ profiles/todos.md | 5 + profiles/websites/default.nix | 5 +- profiles/websites/services/pdoc.nix | 10 +- profiles/xrdp/default.nix | 21 ++ users/pbsds/home/default.nix | 50 +++- 16 files changed, 657 insertions(+), 339 deletions(-) create mode 100644 cachix.nix create mode 100644 cachix/cuda-maintainers.nix create mode 100644 hardware-configuration.nix create mode 100644 profiles/autossh-reverse-tunnels/default.nix create mode 100644 profiles/code-remote/default.nix.bak create mode 100644 profiles/nfs-reidun/default.nix create mode 100644 profiles/remote-builders/default.nix create mode 100644 profiles/todos.md create mode 100644 profiles/xrdp/default.nix
diff --git a/cachix.nix b/cachix.nix
new file mode 100644
index 0000000..ecd2d39
--- /dev/null
+++ b/cachix.nix
@@ -0,0 +1,13 @@
+
+# WARN: this file will get overwritten by $ cachix use
+{ pkgs, lib, ... }:
+
+let
+ folder = ./cachix;
+ toImport = name: value: folder + ("/" + name);
+ filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key;
+ imports = lib.mapAttrsToList toImport (lib.filterAttrs filterCaches (builtins.readDir folder));
+in {
+ inherit imports;
+ nix.settings.substituters = ["https://cache.nixos.org/"];
+}
diff --git a/cachix/cuda-maintainers.nix b/cachix/cuda-maintainers.nix
new file mode 100644
index 0000000..b1d70d6
--- /dev/null
+++ b/cachix/cuda-maintainers.nix
@@ -0,0 +1,13 @@
+
+{
+ nix = {
+ settings = {
+ substituters = [
+ "https://cuda-maintainers.cachix.org"
+ ];
+ trusted-public-keys = [
+ "cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E="
+ ];
+ };
+ };
+}
diff --git a/configuration.nix b/configuration.nix
index 30efedb..a21b23c 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -6,57 +6,42 @@ nixpkgs.config.allowUnfree = true; system.autoUpgrade.enable = true; # daily nixos-rebuild switch, no reboot by default - nix.distributedBuilds = true; - # useful when the builder has a faster internet connection than i do + # TODO: can i make this non-string? nix.extraOptions = '' experimental-features = nix-command flakes - builders-use-substitutes = true ''; - nix.buildMachines = [ - /**/ - { - system = "x86_64-linux"; # can be a list - hostName = "rocm.pbsds.net"; - sshUser = "pbsds"; - maxJobs = 2; - speedFactor = 2; - #supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ]; - #mandatoryFeatures = [ ]; - } - /**/ - /**/ - { - system = "x86_64-linux"; # can be a list - hostName = "isvegg.pvv.ntnu.no"; - sshUser = "pederbs"; - maxJobs = 1; - speedFactor = 1; - #supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ]; - #mandatoryFeatures = [ ]; - } - /**/ - ]; + + # TODO: move to pbsds home + programs.ssh.extraConfig = '' + Host *.ntnu.no *.pvv.org + User pederbs + ''; # deduplicate with hardlinks, expensive. Alternative: nix-store --optimise nix.settings.auto-optimise-store = true; #nix.optimize.automatic = true; # periodic optimization - nix.gc = { - automatic = true; - dates = "weekly"; - options = "--delete-older-than 30d"; - }; - - - # How to override package used by module - # https://github.com/NixOS/nixpkgs/issues/55366 + nix.gc.automatic = true; + nix.gc.dates = "weekly"; + nix.gc.options = "--delete-older-than 30d"; imports = [ ./hardware-configuration.nix # results of hardware scan + ./cachix.nix + ./profiles/nas # add NAS services ./profiles/websites ./profiles/code-remote - ./users + ./profiles/remote-builders # + ./profiles/nfs-reidun # NFS mounts + ./profiles/autossh-reverse-tunnels + #./profiles/xrdp + ./users + #./users/pbsds # todo: <- make this possible + + # How to override package used by module + # https://github.com/NixOS/nixpkgs/issues/55366 + # TODO: move to where relevant ]; 
@@ -64,20 +49,18 @@ "services/misc/jellyfin.nix" "services/web-apps/invidious.nix" ]; - services.jellyfin.package = pkgs.unstable.jellyfin; + services.jellyfin.package = pkgs.unstable.jellyfin; services.invidious.package = pkgs.unstable.invidious; - nixpkgs.overlays = [ - (import ./overlays) - ]; - - + # TODO: remove? Move to where relevant + nixpkgs.overlays = [ (import ./overlays) ]; # Allow unstable packages. nixpkgs.config.packageOverrides = pkgs: { unstable = import { config = config.nixpkgs.config; }; + # TODO: nur }; # enable opengl (headless) @@ -85,15 +68,19 @@ #hardware.opengl.extraPackages = [ pkgs.mesa.drivers ]; hardware.opengl.extraPackages = with pkgs; [ mesa.drivers vaapiIntel libvdpau-va-gl vaapiVdpau intel-ocl ]; - # run/build weird binaries boot.binfmt.emulatedSystems = [ "wasm32-wasi" + "wasm64-wasi" "x86_64-windows" "aarch64-linux" "riscv64-linux" + #"x86_64-darwin" + #"aarch64-darwin" ]; + services.thermald.enable = true; + # Bootloader boot.loader.grub.enable = true; @@ -106,6 +93,7 @@ #services.docker.enable = true; virtualisation = { podman.enable = true; + # TODO: are these default since 22.11? podman.dockerCompat = true; # alias docker to podman oci-containers.backend = "podman"; }; @@ -117,6 +105,7 @@ # Enable networking networkmanager.enable = true; #wireless.enable = true; # Enables wireless support via wpa_supplicant. + #iwd.enable = true hostName = "noximilien"; # Define your hostname. domain = "pbsds.net"; 
@@ -135,78 +124,15 @@ }; #useDHCP = true; - - # Configure network proxy if necessary - #proxy.default = "http://user:password@proxy:port/"; - #proxy.noProxy = "127.0.0.1,localhost,internal.domain"; }; - # Open ports in the firewall. + # firewall + services.fail2ban.enable = true; + networking.firewall.enable = true; # default #networking.firewall.allowedTCPPorts = [ ... ]; #networking.firewall.allowedUDPPorts = [ ... ]; - # Or disable the firewall altogether. - networking.firewall.enable = false; # default is true, TEMP - # NFS mounts - - fileSystems = let - mkMount = mountpoint: server: subdir: { - "${mountpoint}${subdir}" = { - device = "${server}${subdir}"; - fsType = "nfs"; - #options = [ "nfsvers=4.2" ]; - }; - }; - # TODO: combine nameValuePair and listToAttrs - joinSets = sets: builtins.foldl' (l: r: l // r) {} sets; - in joinSets ( - (map (mkMount "/mnt/reidun" "192.168.1.3:/Reidun/shared") [ - "" - "/Backups" - "/Comics" - "/Downloads" - "/Games" - "/Games/Installable" - "/Games/Portable" - "/Games/ROMs" - "/ISO" - "/Images" - "/Images/Collections" - "/Images/Memes" - "/Images/Pictures" - "/Images/Wallpapers" - "/Music" - "/Music/Albums" - "/Music/Kancolle" - "/Music/OST" - "/Music/Old" - "/Music/Touhou" - "/Music/Vocaloid" - "/Music/dojin.co" - "/Various" - "/Various/Zotero" - "/Various/resilio" - "/Video" - "/Video/Anime" - "/Video/Concerts" - "/Video/Documentaries" - "/Video/Movies" - "/Video/Musicvideos" - "/Video/Series" - "/Video/Talks" - "/Work" - "/Work/Documents" - #"/Work/FL Studio" # broken, maybe due to the space? - "/Work/Programming" - "/Work/School" - "/pub" - ]) ++ (map (mkMount "/mnt/meconium" "192.168.1.3:/Meconium" ) [ - "" - "/beets_music" - ]) - ); - # Time zone and internationalisation properties. 
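Review bot: `networking.firewall.enable = true; # default` closes every port that other profiles do not open, but the hunk leaves no record of which services are expected to stay reachable; elsewhere in this commit profiles/nas opens 80/443 and comments out the Jellyfin UDP discovery ports, while polaris (7890), grafana (3000) and the container's code-server (53754 on 0.0.0.0) are reachable only through nginx. A comment such as `# only ssh (openssh default) and 80/443 (profiles/nas) are open; everything else is fronted by nginx` would make that intent reviewable the next time a port appears to be "missing". `services.fail2ban.enable = true;` ships with only the sshd jail and ignores only localhost by default; if hosts on the LAN (192.168.1.0/24, judging by the NAS address used elsewhere) must never be banned, set `services.fail2ban.ignoreIP` accordingly.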
@@ -223,18 +149,16 @@ LC_TELEPHONE = "nb_NO.utf8"; LC_TIME = "nb_NO.utf8"; }; - services.xserver = { - # Configure X11 keymap - layout = "no"; - xkbVariant = ""; - }; - console.keyMap = "no";# Configure console keymap + services.xserver.layout = "no"; + services.xserver.xkbVariant = ""; + console.keyMap = "no"; # Installed system packages # $ nix search FOOBAR + # TODO: prune this, make home-manager deal with the majority environment.systemPackages = with pkgs; [ lsof lshw @@ -262,6 +186,7 @@ curl wget strace + killall zip unrar @@ -317,6 +242,7 @@ gh hub + cachix nix-output-monitor nix-prefetch nix-top @@ -336,16 +262,12 @@ ''; # TODO: make this root only? - programs.bash.shellAliases = { - ed = "micro"; # TODO: ${EDITOR:-micro} - }; - environment.variables = { - EDITOR = "micro"; - }; + programs.bash.shellAliases."ed" = "micro"; # TODO: ${EDITOR:-micro} + environment.variables."EDITOR" = "micro"; + # TODO: remove? Move? programs.dconf.enable = true; - # System fonts # Nice to have when X-forwading on headless machines 
@@ -372,110 +294,34 @@ services.openssh.forwardX11 = true; - # AutoSSH reverse tunnels - - services.autossh.sessions = let - mkSshSession = user: name: host: rport: monitoringPort: { - user = user; # local user - name = "ssh-reverse-tunnel-${name}-${toString rport}"; - monitoringPort = monitoringPort; - extraArguments = lib.concatStringsSep " " [ - "-N" # no remote command - "-o ServerAliveInterval=10" # check if still alive - "-o ServerAliveCountMax=3" # check if still alive - "-o ExitOnForwardFailure=yes" # reverse tunnel critical - "-R ${toString rport}:127.0.0.1:22" # reverse tunnel - host - ]; - }; - in [ - #(mkSshSession "pbsds" "p7pi" "pi@p7.pbsds.net" 10023 20000) # no mutual signature algorithm - (mkSshSession "pbsds" "pbuntu" "pbsds@pbuntu.pbsds.net -p 23" 10023 20002) - (mkSshSession "pbsds" "hildring" "pederbs@hildring.pvv.ntnu.no" 25775 20004) - ]; - - - # auto domain update - # TODO: use the dyndns endpoint + curl instead - - /**/ systemd.services.domeneshop-updater = { description = "domene.shop domain updater"; #after = [ "something?.service" ]; #wants = [ "something?.service" ]; serviceConfig = let - env = pkgs.python3.withPackages (ps: with ps; [ pkgs.python3Packages.domeneshop httpx toml ]); - prog = pkgs.writeScript "domain-updater.py" '' - #!${env}/bin/python - from domeneshop import Client - import os, httpx, pprint, toml - - def get_pub_ip() -> str: - for endpoint, getter in { - "http://myip.tf": lambda resp: resp.text, - "https://ipinfo.io/json": lambda resp: resp.json()["ip"], - "https://api.ipify.org": lambda resp: resp.text, - "http://ip.42.pl/raw": lambda resp: resp.text, - }.items(): - resp = httpx.get(endpoint) - if not resp.is_success: continue - try: - return resp.json()["ip"] - except: - pass - else: - raise Exception("Could not find external IP") - - # https://www.domeneshop.no/admin?view=api - with open("/var/lib/secrets/domeneshop.toml") as f: - c = toml.load(f) - DOMENESHOP_TOKEN = os.environ.get("DOMENESHOP_TOKEN", 
c["secrets"]["DOMENESHOP_TOKEN"]) - DOMENESHOP_SECRET = os.environ.get("DOMENESHOP_SECRET", c["secrets"]["DOMENESHOP_SECRET"]) - IP_ADDRESS = get_pub_ip() # TODO: both ipv4 and ipv6 - DOMAINS = { - "pbsds.net": { - "olavtr": ["A"], - }, - } - - client = Client(DOMENESHOP_TOKEN, DOMENESHOP_SECRET) - for domain in client.get_domains(): - if domain["domain"] not in DOMAINS: - continue - RECORDS = DOMAINS[domain["domain"]] - for record in client.get_records(domain["id"]): - if record["host"] in RECORDS \ - and record["type"] in RECORDS[record["host"]]: - print("Found: ", end="") - pprint.pprint(record) - if record["data"] != IP_ADDRESS: - record["data"] = IP_ADDRESS - print("Push: ", end="") - pprint.pprint(record) - client.modify_record(domain_id=domain["id"], record_id=record.pop("id"), record=record) - else: - print("Nothing done") - RECORDS[record["host"]].remove(record["type"]) - for k, v in list(RECORDS.items()): - if not v: RECORDS.pop(k) - if not RECORDS: DOMAINS.pop(domain["domain"]) - if DOMAINS: - print("ERROR: The following records were not found:") - pprint.pprint(DOMAINS) - exit(1) - else: - print("Success") - ''; + prog = pkgs.writeShellApplication { + name = "domeneshop-dyndns-updater.sh"; + runtimeInputs = with pkgs; [ curl yq ]; + text = '' + test -s /var/lib/secrets/domeneshop.toml || { + >&2 echo "ERROR: /var/lib/secrets/domeneshop.toml not found!" 
+ exit 1 + } + DOMENESHOP_TOKEN="$(tomlq .secrets.DOMENESHOP_TOKEN /var/lib/secrets/domeneshop.toml --raw-output)" + DOMENESHOP_SECRET="$(tomlq .secrets.DOMENESHOP_SECRET /var/lib/secrets/domeneshop.toml --raw-output)" + curl https://"$DOMENESHOP_TOKEN":"$DOMENESHOP_SECRET"@api.domeneshop.no/v0/dyndns/update?hostname=olavtr.pbsds.net + ''; + }; in { User = "domeneshop"; Group = "domeneshop"; DynamicUser = true; - ExecStart = prog; + ExecStart = "${prog}/bin/domeneshop-dyndns-updater.sh"; PrivateTmp = true; }; }; - systemd.timers.domeneshop-updater = let interval = "1d"; in { + systemd.timers.domeneshop-updater = let interval = "5h"; in { description = "Update domene.shop every ${interval}"; wantedBy = [ "timers.target" ]; timerConfig = { @@ -484,7 +330,6 @@ Unit = "domeneshop-updater.service"; }; }; - /**/ # This value determines the NixOS release from which the default @@ -493,6 +338,7 @@ # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "22.05"; # Did you read the comment? + system.stateVersion = "22.11"; # Did you read the comment? + #system.stateVersion = "22.05"; # Did you read the comment? } diff --git a/hardware-configuration.nix b/hardware-configuration.nix new file mode 100644 index 0000000..9beaa22 --- /dev/null +++ b/hardware-configuration.nix 
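Review bot: The new updater script puts the API token and secret on curl's command line, inside the URL `https://"$DOMENESHOP_TOKEN":"$DOMENESHOP_SECRET"@api.domeneshop.no/...`, so both are readable by every local process through /proc/*/cmdline for as long as curl runs; `DynamicUser = true` also means the unit runs as a transient uid, so `/var/lib/secrets/domeneshop.toml` has to be readable by that uid for `tomlq` to open it, which in practice tends to mean world-readable (this second point is an inference; confirm how the file is currently made readable). Hand the file to the unit with `LoadCredential = "domeneshop.toml:/var/lib/secrets/domeneshop.toml";` and read it from `$CREDENTIALS_DIRECTORY`, feed the credentials to curl through `--config -` on stdin, and add `--fail --show-error` so an HTTP 401 or other 4xx fails the unit instead of exiting 0 under `writeShellApplication`'s errexit.

```nix
    prog = pkgs.writeShellApplication {
      name = "domeneshop-dyndns-updater.sh";
      runtimeInputs = with pkgs; [ curl yq ];
      text = ''
        secrets="$CREDENTIALS_DIRECTORY/domeneshop.toml"
        test -s "$secrets" || {
          >&2 echo "ERROR: domeneshop.toml credential not found!"
          exit 1
        }
        DOMENESHOP_TOKEN="$(tomlq .secrets.DOMENESHOP_TOKEN "$secrets" --raw-output)"
        DOMENESHOP_SECRET="$(tomlq .secrets.DOMENESHOP_SECRET "$secrets" --raw-output)"
        # credentials reach curl through stdin, never through argv or the URL
        printf 'user = "%s:%s"\n' "$DOMENESHOP_TOKEN" "$DOMENESHOP_SECRET" \
          | curl --fail --silent --show-error --config - \
              'https://api.domeneshop.no/v0/dyndns/update?hostname=olavtr.pbsds.net'
      '';
    };
  in {
    # … unchanged: User, Group, DynamicUser, ExecStart, PrivateTmp …
    LoadCredential = "domeneshop.toml:/var/lib/secrets/domeneshop.toml";
  };
```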
@@ -0,0 +1,33 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/fa5f2e24-ab42-4a5f-bf8c-be699b980457"; + fsType = "ext4"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/5b00f5ca-f7a8-4a69-a93b-8e68d9e369e7"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.eno1.useDHCP = lib.mkDefault true; + + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/overlays/default.nix b/overlays/default.nix index f191ba4..df2caa9 100644 --- a/overlays/default.nix +++ b/overlays/default.nix 
@@ -1,47 +1,46 @@ # https://nixos.wiki/wiki/Overlays -self: super: # final: prev: let + # WARNING: this works for nixos-rebuild, but not for the nix-build trick shown on the bottom - testing = import (fetchTarball { - name = "pr-180823"; - url = "https://github.com/r-ryantm/nixpkgs/archive/cfe56470cb641985d43adba690d5bca5453110fe.tar.gz"; - sha256 = "0rbncjp2a99l6i4z7w2m86l40m33b3dl9qficfny47kqcfpgyx0b"; - }) { - #config = super.config; - }; + #testing = import (fetchTarball { + # name = "pr-180823"; + # url = "https://github.com/r-ryantm/nixpkgs/archive/cfe56470cb641985d43adba690d5bca5453110fe.tar.gz"; + # sha256 = "0rbncjp2a99l6i4z7w2m86l40m33b3dl9qficfny47kqcfpgyx0b"; + #}) { + # #config = prev.config; + #}; overridePythonPackages = old: { - overrides = self: super: { + overrides = final: prev: { - pdoc = self.callPackage /home/pbsds/repos/nixpkgs-pdoc/pkgs/development/python-modules/pdoc {}; + #pdoc = final.callPackage /home/pbsds/repos/nixpkgs-pdoc/pkgs/development/python-modules/pdoc { }; - domeneshop = self.callPackage /home/pbsds/repos/nixpkgs-domemeshop/pkgs/development/python-modules/domeneshop {}; + #domeneshop = final.callPackage /home/pbsds/repos/nixpkgs-domemeshop/pkgs/development/python-modules/domeneshop { }; - shap = self.callPackage /home/pbsds/repos/nixpkgs-catboost/pkgs/development/python-modules/shap {}; - catboost = self.callPackage /home/pbsds/repos/nixpkgs-catboost/pkgs/development/python-modules/catboost {}; - analytics-python = self.callPackage /home/pbsds/repos/nixpkgs-gradio/pkgs/development/python-modules/analytics-python {}; - ffmpy = self.callPackage /home/pbsds/repos/nixpkgs-gradio/pkgs/development/python-modules/ffmpy {}; - markdown-it-py = self.callPackage /home/pbsds/repos/nixpkgs-gradio/pkgs/development/python-modules/markdown-it-py {}; - gradio = self.callPackage /home/pbsds/repos/nixpkgs-gradio/pkgs/development/python-modules/gradio {}; + #shap = final.callPackage 
/home/pbsds/repos/nixpkgs-catboost/pkgs/development/python-modules/shap { }; + #catboost = final.callPackage /home/pbsds/repos/nixpkgs-catboost/pkgs/development/python-modules/catboost { }; + analytics-python = final.callPackage /home/pbsds/repos/nixpkgs-gradio/pkgs/development/python-modules/analytics-python { }; + ffmpy = final.callPackage /home/pbsds/repos/nixpkgs-gradio/pkgs/development/python-modules/ffmpy { }; + markdown-it-py = final.callPackage /home/pbsds/repos/nixpkgs-gradio/pkgs/development/python-modules/markdown-it-py { }; + gradio = final.callPackage /home/pbsds/repos/nixpkgs-gradio/pkgs/development/python-modules/gradio { }; - trivial-gradios = self.callPackage ./trivial-gradios {}; + trivial-gradios = final.callPackage ./trivial-gradios { }; }; }; -in { # "final" and "prev" +in final: prev: { - #kukkee = super.callPackage ./kukkee {}; - #rallly = super.callPackage ./rallly {}; + #kukkee = prev.callPackage ./kukkee { }; + #rallly = prev.callPackage ./rallly { }; - #inherit (testing) polaris polaris-web; - polaris = super.callPackage /home/pbsds/repos/nixpkgs-polaris/pkgs/servers/polaris {}; - polaris-web = super.callPackage /home/pbsds/repos/nixpkgs-polaris/pkgs/servers/polaris/web.nix {}; + #polaris = prev.callPackage /home/pbsds/repos/nixpkgs-polaris/pkgs/servers/polaris { }; + #polaris-web = prev.callPackage /home/pbsds/repos/nixpkgs-polaris/pkgs/servers/polaris/web.nix { }; - mapcrafter = super.callPackage /home/pbsds/repos/nixpkgs-mapcrafter/pkgs/tools/games/minecraft/mapcrafter/default.nix {}; - mapcrafter-world112 = super.callPackage /home/pbsds/repos/nixpkgs-mapcrafter/pkgs/tools/games/minecraft/mapcrafter/default.nix {world="world112";}; + mapcrafter = prev.callPackage /home/pbsds/repos/nixpkgs-mapcrafter/pkgs/tools/games/minecraft/mapcrafter/default.nix { }; + mapcrafter-world112 = prev.callPackage /home/pbsds/repos/nixpkgs-mapcrafter/pkgs/tools/games/minecraft/mapcrafter/default.nix { world="world112"; }; - #python3.pkgs = 
super.python3.pkgs.override overridePythonPackages; - python3Packages = super.python3Packages.override overridePythonPackages; + #python3.pkgs = prev.python3.pkgs.override overridePythonPackages; + python3Packages = prev.python3Packages.override overridePythonPackages; } diff --git a/profiles/autossh-reverse-tunnels/default.nix b/profiles/autossh-reverse-tunnels/default.nix new file mode 100644 index 0000000..c557fab --- /dev/null +++ b/profiles/autossh-reverse-tunnels/default.nix 
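Review bot: The overlay still resolves packages from `/home/pbsds/repos/...` on the new side (the `analytics-python`, `ffmpy`, `markdown-it-py`, `gradio` and both `mapcrafter` lines), so the system closure that root evaluates on `nixos-rebuild` is read from a directory that is presumably owned and writable by an unprivileged user — anyone who can write there can change what ends up in the next generation, and the build is not reproducible on another machine. The commented-out `testing` block at the top of this file already shows the alternative: `fetchTarball { url = ...; sha256 = ...; }` pinned to a commit, or vendoring the expressions under `./overlays` next to `./trivial-gradios`. The same pattern appears in the profiles/nas hunk, both in `imports` (`/home/pbsds/repos/nixpkgs/polaris-14/nixos/modules/services/misc/polaris.nix`) and in its local overlay.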
@@ -0,0 +1,37 @@ +{ config, pkgs, lib, ... }: +{ + # AutoSSH reverse tunnels + + services.autossh.sessions = let + mkSshSession = {user, name, host, rport, monitoringPort}: { + user = user; # local user + name = "ssh-reverse-tunnel-${name}-${toString rport}"; + monitoringPort = monitoringPort; + extraArguments = lib.concatStringsSep " " [ + "-N" # no remote command + "-o ServerAliveInterval=10" # check if still alive + "-o ServerAliveCountMax=3" # check if still alive + "-o ExitOnForwardFailure=yes" # reverse tunnel critical + "-R ${toString rport}:127.0.0.1:22" # reverse tunnel + host + ]; + }; + in [ + #(mkSshSession {user="root"; name="p7rpi"; host="pi@p7.pbsds.net"; rport=10023; monitoringPort=20000; }) # no mutual signature algorithm + (mkSshSession {user="root"; name="pbuntu"; host="pbsds@pbuntu.pbsds.net -p 23"; rport=10023; monitoringPort=20002; }) + (mkSshSession {user="root"; name="hildring"; host="pederbs@hildring.pvv.ntnu.no"; rport=25775; monitoringPort=20004; }) + ]; + + programs.ssh.knownHosts = { + # fetch with `ssh-keyscan` + "[pbuntu.pbsds.net]:23".publicKey + = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFiAq96DANRP90fBTknL9VagN0HB8O+S6qD17iC8caE3uZ6Wq5a3gpCr/s0T/Cbf8exNYn3zpdLUUUSngN6gMeA="; + "p7.pbsds.net".publicKey + = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMn1GtMCK2T3LoSfwer0VKCTDO2DHYcf7L41YmWda4fObMZk1VJtjV7wn7EsYkpbHUwkeZCd9DcOb7aYwr0OHLU="; + "hildring.pvv.ntnu.no".publicKey + = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGurF7rdnrDP/VgIK2Tx38of+bX/QGCGL+alrWnZ1Ca5llGneMulUt1RB9xZzNLHiaWIE+HOP0i4spEaeZhilfU="; + }; + #programs.ssh.extraConfig = '' + #''; + +} diff --git a/profiles/code-remote/default.nix b/profiles/code-remote/default.nix index e31142a..8366aca 100644 --- a/profiles/code-remote/default.nix +++ b/profiles/code-remote/default.nix 
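Review bot: Both active sessions are declared with `user="root"`, so the autossh and ssh processes run with root's identity and use root's key material, although nothing in the session needs it: the reverse target is `127.0.0.1:22` and the monitoring ports 20002/20004 are unprivileged. A dedicated system user with its own key (`users.users.autossh = { isSystemUser = true; group = "autossh"; };` plus `users.groups.autossh = { };`) bounds what a compromised remote endpoint or an ssh client bug can reach on this host, and the system-wide `programs.ssh.knownHosts` pins keep working unchanged. Either way the field deserves a comment stating whose key authenticates to the remote hosts, e.g. `# local user whose ssh key and config are used for the tunnel`.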
@@ -1,14 +1,24 @@ { config, pkgs, lib, ... }: +# TODO: +# * [ ] fix network sandboxing, so the container cant access localhost services on host +# * [ ] automatically pull the repo on boot, do i need keys for that? +# * [ ] generate a ssh key if not existing +# * [ ] attempt to pull, otherwise print the ssh-pubkey +# * [ ] Make vscode default to our repo +# * [ ] customize the shit out of vscode + let domain = "${config.networking.hostName}.${config.networking.domain}"; mkDomain = subname: "${subname}.${domain}"; - cnt = config.containers.code-server-theo.config; + container-name = "code-server-pandoc"; + cnt = config.containers.${container-name}.config; in { networking.nat = { enable = true; internalInterfaces = ["ve-+"]; - externalInterface = "eno1"; # TODO: can i make this dynamic? + externalInterface = "eno1"; # TODO: can i make this automatic? + #enableIPv6 = true; }; #imports = [ @@ -18,12 +28,11 @@ in { # "virtualisation/nixos-containers.nix" #]; - # data can be destroyed with `nixos-container destroy code-server-theo` - containers.code-server-theo = { + # data can be destroyed with `nixos-container destroy code-server-pandoc` + containers.${container-name} = { autoStart = true; # container has no network access - # privateNetwork = true; hostAddress = "10.240.100.2"; localAddress = "10.240.100.3"; @@ -41,7 +50,7 @@ in { # hostPath = "/var/lib/code-server"; # isReadOnly = false; #}; - config = { config, pkgs, ... }: { + config = { config, pkgs, lib, ... }: { system.stateVersion = "22.05"; #imports = [ ]; 
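Review bot: The hunk at `@@ -18,12 +28,11 @@` removes `privateNetwork = true;` while keeping `hostAddress`/`localAddress` and the comment `# container has no network access`; without privateNetwork a NixOS container shares the host's network namespace, those two addresses are not applied, and code-server's `host = "0.0.0.0"` ends up listening on every host interface — which is consistent with the new TODO about the container reaching localhost services on the host. If the removal is intended, replace the stale comment with one that says so, e.g. `# shares the host network namespace; see sandboxing TODO above`; if not, restore `privateNetwork = true;` so the NAT rules above and the nginx proxyPass to `localAddress` apply. I read the removed line as uncommented from its marker; confirm against the file.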
@@ -49,23 +58,54 @@ in { #home-manager.useGlobalPkgs = true; # brrr #home-manager.users.${config.services.code-server.user} = { pkgs, config, ... }: { # programs.git.enable = true; - # programs.git.userName = "Theoharis Theoharis"; + # programs.git.userName = "Noximilien code-server"; # programs.git.userEmail = "theotheo@ntnu.no"; #}; + systemd.services.initial-setup = { + wantedBy = [ "multi-user.target" ]; + # TODO: run as the correct user + serviceConfig.User = config.services.code-server.user; + serviceConfig.Group = config.services.code-server.group; + # TODO: make the ssh key comment automatic + script = '' + test -s "$HOME/.ssh/id_rsa.pub" || { + mkdir "$HOME/.ssh" + echo "" | ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -a 100 -C "code-server@noximilien" -f "$HOME/.ssh/id_ed25519" + echo + echo "You pubkey is:" + cat "$HOME/.ssh/id_ed25519.pub" + echo + exit + } + + #${pkgs.curl}/bin/curl "https://github.com/pbsds.keys" | grep "$(cat $HOME/.ssh/id_ed25519.pub | cut -d" " -f-2)" + + test -d "$HOME/repos/papers" || { + mkdir -p "$HOME/repos" + ${pkgs.git}/bin/git clone git@github.com:pbsds/papers.git + + } + ''; + }; + services.code-server = { enable = true; host = "0.0.0.0"; # container port = 53754; - # if you don't care about security: https://argon2.online/ - hashedPassword = "$argon2i$v=19$m=16,t=2,p=1$MHh5UGNtU1lWR1UySnhIZw$ITg8U7Gq2CXByuOOnrKVUg"; + #user = "code-server"; + #group = "code.server"; + # a nice tool if you don't care about security: https://argon2.online/ + hashedPassword = "$argon2i$v=19$m=16,t=2,p=1$MHh5UGNtU1lWR1UySnhIZw$ITg8U7Gq2CXByuOOnrKVUg"; # hunter2 package = pkgs.vscode-with-extensions.override { vscode = pkgs.code-server.overrideAttrs (old: { + # vscode-with-extensions compatibility + # https://github.com/NixOS/nixpkgs/pull/192889 passthru.executableName = "code-server"; passthru.longName = "Visual Studio Code Server"; }); - #vscodeExtensions = vscode-extensions; [ - vscodeExtensions = with (import {}).vscode-extensions; [ + 
#vscodeExtensions = with (import {}).vscode-extensions; [ + vscodeExtensions = with pkgs.vscode-extensions; [ shd101wyy.markdown-preview-enhanced sanaajani.taskrunnercode tomoki1207.pdf @@ -115,6 +155,7 @@ in { ]; }; extraPackages = with pkgs; [ + # based on https://github.com/pbsds/papers/blob/main/shell.nix (writeShellScriptBin "pandoc" '' export XDG_DATA_HOME=${pandoc-lua-filters}/share exec ${pandoc}/bin/pandoc "$@" @@ -136,11 +177,26 @@ in { ; }) + (python310.withPackages (ps: with ps; [ + python-lsp-server + numpy + matplotlib + imageio + #(callPackage ./nix-modules/pytikz.nix { }) + #(callPackage ./nix-modules/pyrender.nix { }) + ])) + pandoc-imagine haskellPackages.pandoc-crossref #haskellPackages.pandoc-plot #pandoc-plantuml-filter nodePackages.mermaid-cli + # tikz stuff + imagemagick + drawio-headless + openscad + #curv + bash git bat @@ -148,13 +204,6 @@ in { boxes graphviz #python3Packages.cairosvg - - (python3.withPackages (ps: with ps; [ - numpy - matplotlib - #python-lsp-server - ])) - ]; }; @@ -165,6 +214,8 @@ in { ]; }; + # Manually configure nameserver. Using resolved inside the container seems to fail currently + #environment.etc."resolv.conf".text = "nameserver 8.8.8.8"; }; }; @@ -174,10 +225,9 @@ in { locations."/" = { #proxyPass = "http://127.0.0.1:${toString cnt.services.code-server.port}"; #proxyPass = "http://10.240.100.3:${toString cnt.services.code-server.port}"; - proxyPass = "http://${config.containers.code-server-theo.localAddress}:${toString cnt.services.code-server.port}"; + proxyPass = "http://${config.containers.${container-name}.localAddress}:${toString cnt.services.code-server.port}"; proxyWebsockets = true; }; }; - } diff --git a/profiles/code-remote/default.nix.bak b/profiles/code-remote/default.nix.bak new file mode 100644 index 0000000..882ae6d --- /dev/null +++ b/profiles/code-remote/default.nix.bak 
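Review bot: `hashedPassword` now carries its plaintext in the trailing comment (`# hunter2`) and uses parameters (`m=16,t=2,p=1`) well below what argon2 tooling picks by default, for a code-server that runs arbitrary shell commands and is published with `forceSSL`/`enableACME` on a public hostname — the comment turns the hash into the credential itself. Generate a fresh password, hash it with the default argon2 cost, and drop the plaintext comment. In the new `initial-setup` service, `mkdir "$HOME/.ssh"` should be `mkdir -m 700 "$HOME/.ssh"`, the `echo "" | ssh-keygen ...` stdin trick is better expressed as `ssh-keygen -N "" ...`, and `git clone git@github.com:pbsds/papers.git` runs in an unspecified cwd (the `mkdir -p "$HOME/repos"` just above is not followed by a `cd`) with no GitHub host key pinned, so a non-interactive first run will presumably stop at the host-key prompt; clone into `"$HOME/repos"` and add github.com to `programs.ssh.knownHosts` inside the container config.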
@@ -0,0 +1,113 @@ +{ config, pkgs, lib, ... }: + +let + domain = "${config.networking.hostName}.${config.networking.domain}"; + mkDomain = subname: "${subname}.${domain}"; + cnt = config.containers.vscode-remote-test.config; +in { + networking.nat = { + enable = true; + internalInterfaces = ["ve-+"]; + externalInterface = "eno1"; # TODO: can i make this dynamic? + }; + + #imports = [ + # "/home/pbsds/repos/nixpkgs-trees/containers-mkdir/nixos/modules/virtualisation/nixos-containers.nix" + #]; + #disabledModules = [ + # "virtualisation/nixos-containers.nix" + #]; + + containers.vscode-remote-test = { + autoStart = true; + privateNetwork = true; + hostAddress = "10.240.100.2"; + localAddress = "10.240.100.3"; + #bindMounts."/home" = { + # hostPath = "/var/lib/code-server"; + # isReadOnly = false; + #}; + config = { config, pkgs, ... }: { + system.stateVersion = "22.05"; + imports = [ ]; + home-manager.useUserPackages = true; # install to /etc instead of ~/.nix-profile, needed for containers + home-manager.useGlobalPkgs = true; # brrr + + home-manager.users.${config.services.code-server.user} = { pkgs, config, ... 
}: { + programs.git.enable = true; + programs.git.userName = "Theoharis Theoharis"; + programs.git.userEmail = "theotheo@ntnu.no"; + programs.vscode.extensions = with pkgs.vscode-extensions; [ + shd101wyy.markdown-preview-enhanced + sanaajani.taskrunnercode + tomoki1207.pdf + ]; + }; + + services.code-server = { + enable = true; + port = 53754; + # if you don't care about security: https://argon2.online/ + hashedPassword = "$argon2i$v=19$m=16,t=2,p=1$MHh5UGNtU1lWR1UySnhIZw$ITg8U7Gq2CXByuOOnrKVUg"; + extraPackages = with pkgs; [ + (writeShellScriptBin "pandoc" '' + export XDG_DATA_HOME=${pandoc-lua-filters}/share + exec ${pandoc}/bin/pandoc "$@" + '') + + (texlive.combine { + inherit (texlive) + scheme-small + titlesec + fontaxes + supertabular + xtab + # boxed quotes + mdframed + zref + needspace + soul + atkinson + ;}) + + pandoc-imagine + haskellPackages.pandoc-crossref + #haskellPackages.pandoc-plot + #pandoc-plantuml-filter nodePackages.mermaid-cli + + bash + bat + gnumake + boxes + graphviz + #python3Packages.cairosvg + + (python3.withPackages (ps: with ps; [ + numpy + matplotlib + #python-lsp-server + ])) + + ]; + }; + + #networking.firewall = { + # enable = true; + # allowedTCPPorts = [ 80 ]; + #}; + + }; + }; + + services.nginx.virtualHosts.${mkDomain "code-remote"} = { + forceSSL = true; # addSSL = true; + enableACME = true; #useACMEHost = acmeDomain; + locations."/" = { + #proxyPass = "http://127.0.0.1:${toString cnt.services.code-server.port}"; + proxyPass = "http://10.240.100.3:${toString cnt.services.code-server.port}"; + proxyWebsockets = true; + }; + }; + + +} diff --git a/profiles/nas/default.nix b/profiles/nas/default.nix index 160a851..733858e 100644 --- a/profiles/nas/default.nix +++ b/profiles/nas/default.nix 
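Review bot: `default.nix.bak` is a verbatim copy of the previous profile, including the same `hashedPassword` hash and a third party's name and e-mail address, committed next to the live file. Git history already preserves that version, so the file only adds a second place where the credential hash lives and where edits drift; if it is kept on purpose, a header comment such as `# frozen snapshot of the pre-2023-02 profile, not imported anywhere` would at least say that it is not evaluated.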
@@ -16,10 +16,20 @@ in with builtins; { imports = [ - ./modules/webhook.nix #./modules/kukkee.nix - - #/home/pbsds/repos/nixpkgs-polaris/nixos/modules/services/misc/polaris.nix + + # + #/home/pbsds/repos/nixpkgs-trees/polaris/nixos/modules/services/misc/polaris.nix + /home/pbsds/repos/nixpkgs/polaris-14/nixos/modules/services/misc/polaris.nix + ]; + disabledModules = [ + "services/misc/polaris.nix" + ]; + nixpkgs.overlays = [ + (final: prev: { + polaris = prev.callPackage /home/pbsds/repos/nixpkgs/polaris-14/pkgs/servers/polaris { }; + polaris-web = prev.callPackage /home/pbsds/repos/nixpkgs/polaris-14/pkgs/servers/polaris/web.nix { }; + }) ]; @@ -46,6 +56,7 @@ with builtins; { services.nginx.enable = true; + networking.firewall.allowedTCPPorts = [ 80 443 ]; # Website tunnel @@ -219,12 +230,12 @@ with builtins; { services.grafana = rec { #enable = true; #addr = "127.0.0.1"; - addr = "0.0.0.0"; - port = 3000; - domain = mkDomain "grafana"; + settings.server.http_addr = "0.0.0.0"; + settings.server.http_port = 3000; + settings.server.domain = mkDomain "grafana"; #rootUrl = "https://${domain}/grafana/"; # Not needed if it is `https://your.domain/` }; - services.nginx.virtualHosts."${config.services.grafana.domain}" = lib.mkIf config.services.grafana.enable { + services.nginx.virtualHosts."${config.services.grafana.settings.server.domain}" = lib.mkIf config.services.grafana.enable { forceSSL = true; # addSSL = true; enableACME = true; #useACMEHost = acmeDomain; #locations."/grafana/" = { @@ -258,7 +269,8 @@ with builtins; { # Cryptpad # A collaborative office suite that is end-to-end encrypted and open-source. - + # TODO: https://github.com/NixOS/nixpkgs/pull/180066 + /* services.cryptpad = { #enable = true; # current node version used is marked insecure # reference: https://github.com/xwiki-labs/cryptpad/blob/main/config/config.example.js @@ -305,7 +317,7 @@ with builtins; { proxyWebsockets = true; }; }; - + */ # Jellyfin 
@@ -320,12 +332,14 @@ with builtins; { openFirewall = false; # I do it manually below: # TODO: configure initial collections and extensions }; - # firewall - networking.firewall = lib.mkIf config.service.jellyfin.enable { + # firewall - not needed? + /* + networking.firewall = lib.mkIf config.services.jellyfin.enable { # TODO: does this overwrite rules set by other stuff? should i use ++ ? #allowedTCPPorts = [ 8096 8920 ]; allowedUDPPorts = [ 1900 7359 ]; # TODO: Only if behind a NAT? }; + */ services.nginx.virtualHosts.${mkDomain "jellyfin"} = lib.mkIf config.services.jellyfin.enable { forceSSL = true; # addSSL = true; enableACME = true; #useACMEHost = acmeDomain; @@ -335,6 +349,7 @@ with builtins; { }; }; # Hardware acceleration + # https://nixos.wiki/wiki/Jellyfin nixpkgs.config.packageOverrides = pkgs: { vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; }; }; @@ -345,6 +360,7 @@ with builtins; { vaapiIntel vaapiVdpau libvdpau-va-gl + intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in) ]; }; # Allow Jellyfin access to VAAPI 
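Review bot: The Jellyfin firewall block is fenced out with `/* ... */` under `# firewall - not needed?` while `openFirewall = false;` stays, so with `networking.firewall.enable = true` in configuration.nix the DLNA/discovery UDP ports 1900 and 7359 are now closed; that is fine if clients only reach Jellyfin through the nginx vhost, but the question mark should become a statement, e.g. `# reachable only through nginx; no LAN discovery ports opened`. Note the old condition read `config.service.jellyfin.enable` (missing `s`), which would presumably have failed evaluation rather than opened anything, so the block was likely never active; the `config.services.jellyfin.enable` spelling in the commented copy is the right one if it is ever re-enabled.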
@@ -392,20 +408,20 @@ with builtins; { #user = "pbsds"; #group = "users"; port = 7890; - package = pkgs.unstable.polaris; # instead of my overlay, TODO: move that overlay here + #package = pkgs.unstable.polaris; # instead of my overlay, TODO: move that overlay here settings = { settings.reindex_every_n_seconds = 7*24*60*60; # weekly, default is 1800, i.e. hourly settings.album_art_pattern = "([Cc]over|COVER|[Ff]older|FOLDER|[Ff]ront|FRONT)\.(jpeg|JPEG|jpg|JPG|png|PNG|bmp|BMP|gif|GIF)"; #"(?i)(cover|folder|front)\.(jpeg|jpg|png|bmp|gif)"; mount_dirs = [ - { source = "/mnt/reidun/Music/Albums"; name = "Albums"; } - { source = "/mnt/reidun/Music/dojin.co"; name = "dojin.co"; } - { source = "/mnt/reidun/Music/Vocaloid"; name = "Vocaloid"; } - { source = "/mnt/reidun/Music/Touhou"; name = "Touhou"; } - { source = "/mnt/reidun/Music/OST"; name = "OST"; } - { source = "/mnt/reidun/Music/Kancolle"; name = "Kancolle"; } - { source = "/mnt/reidun/Downloads/music"; name = "Downloads"; } + { name = "Albums"; source = "/mnt/reidun/Music/Albums"; } + { name = "dojin.co"; source = "/mnt/reidun/Music/dojin.co"; } + { name = "Vocaloid"; source = "/mnt/reidun/Music/Vocaloid"; } + { name = "Touhou"; source = "/mnt/reidun/Music/Touhou"; } + { name = "OST"; source = "/mnt/reidun/Music/OST"; } + { name = "Kancolle"; source = "/mnt/reidun/Music/Kancolle"; } + { name = "Downloads"; source = "/mnt/reidun/Downloads/music"; } ]; }; }; 
@@ -580,42 +596,12 @@ with builtins; { }; - # Webhook - # incoming webhook server that executes shell commands - - /**/ - services.webhook = { - enable = true; - #listenHost = "0.0.0.0"; # default is "127.0.0.1" - listenPort = 7777; # default is 8080 - urlPrefix = "spismeg"; # default is "hooks" - #httpMethods = [ "GET" "POST" ]; # default is [ "POST" ] - settings = [ - { - id = "webhook-id"; - execute-command = pkgs.writeShellScript "webhook-handler.sh" '' - echo foobar; - ''; - } - ]; - }; - services.nginx.virtualHosts.${mkDomain "webhook"} = lib.mkIf config.services.webhook.enable { - forceSSL = true; # addSSL = true; - enableACME = true; #useACMEHost = acmeDomain; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString config.services.webhook.listenPort}"; - proxyWebsockets = true; - }; - }; - /**/ - - # Gitea # Git with a cup of tea services.gitea = rec { enable = true; - disableRegistration = true; # disable after initial deploy + settings.service.DISABLE_REGISTRATION = true; # disable after initial deploy #https://docs.gitea.io/en-us/config-cheat-sheet/ #settings = { # "cron.sync_external_users" = { @@ -645,7 +631,7 @@ with builtins; { httpAddress = "127.0.0.1"; # default is "0.0.0.0" #extraConfig #database.type # default is "sqlite3" - cookieSecure = true; # default is false, only send cookies over https + settings.session.COOKIE_SECURE = true; # default is false, only send cookies over https #stateDir # default is "/var/lib/gitea" #mailerPasswordFile # Path to a file containing the SMTP password #repositoryRoot # default is "${config.services.gitea.stateDir}/repositories" 
@@ -1098,19 +1084,19 @@ with builtins; { services.hedgedoc = { #enable = true; # FIXME: make it load - configuration.host = "127.0.0.1"; - configuration.port = 44776; - configuration.db.dialect = "sqlite"; - configuration.db.storage = "${config.services.hedgedoc.workDir}/db.hedgedoc.sqlite"; - configuration.domain = mkDomain "hedgedoc"; - configuration.allowAnonymous = true; - configuration.allowEmailRegister = false; # default is true - configuration.allowAnonymousEdits = false; # default is false - configuration.protocolUseSSL = true; # https prefix - configuration.useSSL = false; # nginx terminates ssl - #configuration.csp = {TODO}; # content security policy - #configuration.useCDN = true; - #configuration.debug = true; + settings.host = "127.0.0.1"; + settings.port = 44776; + settings.db.dialect = "sqlite"; + settings.db.storage = "${config.services.hedgedoc.workDir}/db.hedgedoc.sqlite"; + settings.domain = mkDomain "hedgedoc"; + settings.allowAnonymous = true; + settings.allowEmailRegister = false; # default is true + settings.allowAnonymousEdits = false; # default is false + settings.protocolUseSSL = true; # https prefix + settings.useSSL = false; # nginx terminates ssl + #settings.csp = {TODO}; # content security policy + #settings.useCDN = true; + #settings.debug = true; # there are also a metric fuckton of integration services, like github, twitter, minio, mattermost, dropbox etc. # there are also auth options, like ldap, saml and oauth2 }; @@ -1118,7 +1104,7 @@ with builtins; { forceSSL = true; # addSSL = true; enableACME = true; #useACMEHost = acmeDomain; locations."/" = { - proxyPass = "http://127.0.0.1:${toString config.services.hedgedoc.configuration.port}"; + proxyPass = "http://127.0.0.1:${toString config.services.hedgedoc.settings.port}"; proxyWebsockets = true; # TODO: proxy headers: # https://docs.hedgedoc.org/guides/reverse-proxy/ @@ -1186,6 +1172,7 @@ with builtins; { }; + # vaultwarden # Unofficial Bitwarden compatible server written in Rust 
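Review bot: `settings.allowAnonymous = true` (as I read the HedgeDoc options) lets unauthenticated visitors create notes the moment the service is enabled, which on a public domain is a spam/abuse vector that `allowEmailRegister = false` does not close; if anonymous note creation is not actually wanted, set `settings.allowAnonymous = false;` and keep `allowAnonymousEdits = false`. The `protocolUseSSL = true` / `useSSL = false` split depends on nginx forwarding the original scheme, and the `# TODO: proxy headers` below is still open — until `locations."/".recommendedProxySettings = true;` (or an explicit `proxy_set_header X-Forwarded-Proto $scheme;`) is in place, the app presumably cannot tell it is behind TLS. The `#settings.csp = {TODO};` line is worth a tracked issue as well, since a pastebin-style app without a CSP is an easy XSS target. The service block continues outside the hunk.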
diff --git a/profiles/nfs-reidun/default.nix b/profiles/nfs-reidun/default.nix new file mode 100644 index 0000000..b8068b4 --- /dev/null +++ b/profiles/nfs-reidun/default.nix @@ -0,0 +1,62 @@ +{ config, pkgs, lib, ... }: + +{ + + fileSystems = let + mkMount = mountpoint: server: subdir: { + "${mountpoint}${subdir}" = { + device = "${server}${subdir}"; + fsType = "nfs"; + #options = [ "nfsvers=4.2" ]; + }; + }; + # TODO: combine nameValuePair and listToAttrs + joinSets = sets: builtins.foldl' (l: r: l // r) {} sets; + in joinSets ( + (map (mkMount "/mnt/reidun" "192.168.1.3:/Reidun/shared") [ + "" + "/Backups" + "/Comics" + "/Downloads" + "/Games" + "/Games/Installable" + "/Games/Portable" + "/Games/ROMs" + "/ISO" + "/Images" + "/Images/Collections" + "/Images/Memes" + "/Images/Pictures" + "/Images/Wallpapers" + "/Music" + "/Music/Albums" + "/Music/Kancolle" + "/Music/OST" + "/Music/Old" + "/Music/Touhou" + "/Music/Vocaloid" + "/Music/dojin.co" + "/Various" + "/Various/Zotero" + "/Various/resilio" + "/Video" + "/Video/Anime" + "/Video/Concerts" + "/Video/Documentaries" + "/Video/Movies" + "/Video/Musicvideos" + "/Video/Series" + "/Video/Talks" + "/Work" + "/Work/Documents" + #"/Work/FL Studio" # broken, maybe due to the space? + "/Work/Programming" + "/Work/School" + "/pub" + ]) ++ (map (mkMount "/mnt/meconium" "192.168.1.3:/Meconium" ) [ + "" + "/beets_music" + ]) + ); + +} diff --git a/profiles/remote-builders/default.nix b/profiles/remote-builders/default.nix new file mode 100644 index 0000000..5948205 --- /dev/null +++ b/profiles/remote-builders/default.nix 
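Review bot: Every mount produced by `mkMount` uses default NFS options (the only `options` line is commented out), so shares such as `/Downloads`, `/Games/Portable` and `/pub` — which presumably receive files written from other machines — are mounted exec-, suid- and dev-capable on this host, and the mounts rely on plain AUTH_SYS UID trust with no `sec=` setting. Anything able to write to the NAS side could plant a setuid binary or device node that this client honours. Harden in one place: `options = [ "nosuid" "nodev" "noexec" "nfsvers=4.2" ];` in `mkMount`, and relax `noexec` only for the specific subtrees that need it. Consider `"x-systemd.automount" "noauto"` too, so an unreachable `192.168.1.3` does not block boot, and note that `/Work/FL Studio` is skipped because of the space, not because it is broken on the server.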
@@ -0,0 +1,94 @@ +{ config, pkgs, lib, ... }: +let + #supportedFeatures: + # - "kvm" - has hypervisor + # - "nixos-test" - the same as ^? nixos? + # - "benchmark" - has "equal" performance + # - "big-parallel" - is beefy, for stuff like llvm + + # TODO: get a binfmt-misc host for cross stuff + # add noximilien, filter (hostName != fqdn) + + remotes = [ + /**/ + { + systems = ["x86_64-linux"]; + hostName = "rocm.pbsds.net"; + sshUser = "pbsds"; + maxJobs = 8; + #maxJobs = 4; + #maxJobs = 1; # at least for big-parallel + speedFactor = 2; + supportedFeatures = [ "kvm" "big-parallel" ]; + #supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ]; + #mandatoryFeatures = [ ]; + publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGDuWdqEQ5mmVjuKi6f/Q2PFxuqB3URpgTHid06Vw7we"; + proxy.user="pederbs"; + proxy.host="isvegg.pvv.ntnu.no"; + proxy.publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGurF7rdnrDP/VgIK2Tx38of+bX/QGCGL+alrWnZ1Ca5llGneMulUt1RB9xZzNLHiaWIE+HOP0i4spEaeZhilfU="; + } + /**/ + { + systems = ["x86_64-linux"]; + hostName = "isvegg.pvv.ntnu.no"; + sshUser = "pederbs"; + maxJobs = 1; + speedFactor = 0; + publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGurF7rdnrDP/VgIK2Tx38of+bX/QGCGL+alrWnZ1Ca5llGneMulUt1RB9xZzNLHiaWIE+HOP0i4spEaeZhilfU="; + } + { + systems = ["x86_64-linux"]; + hostName = "eirin.pvv.ntnu.no"; + sshUser = "pederbs"; + maxJobs = 2; + speedFactor = 0; + publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBILGULKEzYe5kPorM0rWATv10qq6debfCuYUYqw3HWZm4Y5Pi7mVKcf8lKFNPc1DxT/dStfxxtHj/2fbezaxElk="; + } + { + systems = ["x86_64-linux"]; + hostName = "demiurgen.pvv.ntnu.no"; + sshUser = "pederbs"; + maxJobs = 2; + speedFactor = 0; + publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKw92q3eB5HZbKJN3p+80MtirqcXPu01USE9LnoGYJuDvko1udjIy4UR0wAwELqgs+r7mJyuQPeXmOZKwjHP6tM="; + } + /**/ + ]; + + 
mkRemoteConfig = { + publicKey,# fetch it with `ssh-keyscan` + proxy ? null, # schema: { user, host, publicKey } + ... # the rest follows nix.buildMachines. schema + }@args: + let + buildMachine = lib.filterAttrs (key: _: !builtins.elem key ["publicKey" "proxy"]) args; # this should have syntactic sugar: ...@buildMachine + in { + nix.buildMachines = [ buildMachine ]; + programs.ssh.knownHosts.${buildMachine.hostName}.publicKey = publicKey; + programs.ssh.extraConfig = '' + Host ${buildMachine.hostName} + ConnectTimeout 3 + ${lib.optionalString (proxy != null) '' + ProxyJump ${proxy.user}@${proxy.host} + ''} + ''; + programs.ssh.knownHosts.${proxy.host or "IGNORE"} = lib.mkIf (proxy != null) { publicKey = proxy.publicKey; }; + }; + +in { + + nix.distributedBuilds = true; + + # TODO: Allow setting speedFactor for local builds, as local is currently fixed to 0 + # https://github.com/NixOS/nix/issues/2457 + + # useful when the builder has a faster internet connection than i do + nix.extraOptions = '' + builders-use-substitutes = true + ''; + # TODO: can i make ^ non-string? + + # TIL: this can be a list of configurations and lambdas, not just file paths + imports = builtins.map mkRemoteConfig remotes; + +} diff --git a/profiles/todos.md b/profiles/todos.md new file mode 100644 index 0000000..3010124 --- /dev/null +++ b/profiles/todos.md @@ -0,0 +1,5 @@ +* [ ] mv nas/default.nix nas.nix +* [ ] mv website/default.nix website.nix +* [ ] move each part into web-services, and import them as modules +* [ ] make mkDomain a function +* [ ] make ACME a function diff --git a/profiles/websites/default.nix b/profiles/websites/default.nix index f5ba87a..d9ee94c 100644 --- a/profiles/websites/default.nix +++ b/profiles/websites/default.nix @@ -11,6 +11,7 @@ in { imports = [ ./services/pdoc.nix + #../services/tt-rss.nix ]; 
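Review bot: Each entry in `remotes` becomes a fully trusted builder: outputs built on `rocm.pbsds.net` and the three `pvv.ntnu.no` hosts are copied straight into the local store via the build hook with, as I understand it, no signature check beyond the SSH session, so a compromised builder — or a compromised `pederbs` account on a shared university machine — can feed arbitrary outputs into this system's closure. Pinning host keys via `programs.ssh.knownHosts` is right, but `# fetch it with ssh-keyscan` is trust-on-first-use; say in the comment that the fingerprints must be confirmed out of band, e.g. `# verify against the host's /etc/ssh/ssh_host_*_key.pub before adding`. The `${proxy.host or "IGNORE"}` sentinel is awkward; `programs.ssh.knownHosts = { ${buildMachine.hostName}.publicKey = publicKey; } // lib.optionalAttrs (proxy != null) { ${proxy.host}.publicKey = proxy.publicKey; };` expresses the same without a placeholder attribute. The `remotes` list starts outside the hunk's visible portion.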
@@ -22,8 +23,8 @@ in { domain = "gitea.noximilien.pbsds.net"; owner = "pbsds"; repo = "links.pbsds.net"; - rev = "fd980f4610f8027b4fc89c506542009f09504085"; - hash = "sha256-Iz/lfLkdCLJyyZ/PM9+VCkCG5lYSb9/i4x0ZhranBxc="; + rev = "61cd605f198a22db87af087fda34c378b03d4306"; + hash = "sha256-dx19aTy8K9xkL+cO4r4huYKrlVBZMUkDcbjqxLKe8W4="; }; in { #serverAliases = map mkDomain [ "links" ]; diff --git a/profiles/websites/services/pdoc.nix b/profiles/websites/services/pdoc.nix index fd987dd..d2506be 100644 --- a/profiles/websites/services/pdoc.nix +++ b/profiles/websites/services/pdoc.nix @@ -85,14 +85,15 @@ let {name="beautifulsoup4"; literal="bs4";} "hid" #{name="hidapi"; literal="hid";} - "sanic" + #"sanic" # broken build? "paramiko" "pydub" "aiohttp" + "papermill" "rtoml" "redis" "numpy" - "domeneshop" + #"domeneshop" "munch" "migen" "amaranth" @@ -109,7 +110,7 @@ let "peewee" "parsel" "pandas" - "mutmut" + #"mutmut" # moved to toplevel from python3Packages "mlflow" "meshio" #"einops" # depends on tensorflow, which is broken ATM @@ -141,7 +142,7 @@ let "asyncpg" #"aiopg" {name="libsass"; literal="sass";} {name="pytorch"; literal="torch";} - {name="pytorch-lightning"; literal="pytorch_lightning";} + #{name="pytorch-lightning"; literal="pytorch_lightning";} # broken build? {name="pillow"; literal="PIL";} "trio" "tqdm" @@ -160,6 +161,7 @@ let "imageio" "pygments" "trimesh" + "shapely" #"faiss" #"geomloss" #"mesh_to_sdf" diff --git a/profiles/xrdp/default.nix b/profiles/xrdp/default.nix new file mode 100644 index 0000000..0446c08 --- /dev/null +++ b/profiles/xrdp/default.nix 
@@ -0,0 +1,21 @@ +{ config, pkgs, lib, ... }: + +{ + # https://nixos.wiki/wiki/Remote_Desktop + services.xrdp.enable = true; + services.xrdp.openFirewall = true; # TCP only + + services.xserver.enable = true; + services.xserver.virtualScreen = { x=1920; y=1080; }; # doesn't work? + services.xserver.tty = lib.mkDefault null; + + # https://nixos.wiki/wiki/GNOME + + #services.xserver.displayManager.gdm.enable = true; + services.xserver.desktopManager.gnome.enable = true; + #services.xrdp.defaultWindowManager = "gdm"; + #services.xrdp.defaultWindowManager = "gnome-shell"; + #services.xrdp.defaultWindowManager = "gnome-session"; + services.xrdp.defaultWindowManager = "${pkgs.gnome.gnome-session}/bin/gnome-session"; # remember to `systemctl restart xrdp-sesman` if you change this + programs.dconf.enable = true; +} diff --git a/users/pbsds/home/default.nix b/users/pbsds/home/default.nix index 7076b79..f2fee45 100644 --- a/users/pbsds/home/default.nix +++ b/users/pbsds/home/default.nix @@ -6,6 +6,9 @@ ./modules/jump.nix ./modules/micro.nix ]; + disabledModules = [ + "programs/micro.nix" + ]; nixpkgs.config.allowUnfree = true; @@ -73,6 +76,7 @@ vgmstream gallery-dl yt-dlp + youtube-dl ffmpeg-full git @@ -90,7 +94,7 @@ #tldr entr axel aria - bat + bat bat-extras.batman # TODO: condition on programs.bat.enable xe # xargs alternative sd # sed alternative fd # find alternative @@ -100,9 +104,12 @@ jq yq htmlq + just sysz du-dust # du alternative ncdu # Disk usage analyzer with an ncurses interface + xplr # tui file explorer + aha mesa-demos cage @@ -112,10 +119,12 @@ librespeed-cli + cachix nix-template nix-output-monitor nixpkgs-review manix + comma (python3.withPackages (python-packages: with python-packages; [ requests 
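Review bot: `services.xrdp.openFirewall = true` exposes the xrdp listener (TCP 3389) on every interface, so a password-only login to a full GNOME session is reachable from any network this machine is attached to; the commit also adds `profiles/autossh-reverse-tunnels`, so RDP could be reached over SSH instead. Prefer `services.xrdp.openFirewall = false;` and either tunnel it or limit the opening to the LAN: `networking.firewall.interfaces.<lan-if>.allowedTCPPorts = [ 3389 ];`. If it must stay open, record that decision in a comment next to the option so the exposure is visibly deliberate, and confirm xrdp is not serving its default self-signed certificate.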
@@ -176,6 +185,10 @@ gfr = "git pull --rebase"; gp = "git pull --rebase --autostash"; + # bat - TODO: condition these on programs.bat.enable ? + cat = "bat --style=plain --paging=never"; + man = "batman"; + python = "ptpython"; # this has too many problems... cpython = "python"; @@ -184,6 +197,8 @@ http-server = "${pkgs.python3}/bin/python -m http.server"; manix-fzf = ''manix "" 2>/dev/null | grep '^# ' | sed 's/^# \(.*\) (.*/\1/;s/ (.*//;s/^# //' | fzf --preview="manix '{}'" | xargs manix''; + + nixpkgs-review = ''mkdir -p /dev/shm/nixpkgs-review && ln -sfn /dev/shm/nixpkgs-review $HOME/.cache/nixpkgs-review && nixpkgs-review''; }; programs.bash.enable = true; #programs.bash.enableCompletion = true; @@ -212,10 +227,28 @@ programs.exa.enable = true; programs.exa.enableAliases = true; programs.direnv.enable = true; - programs.just.enable = true; #programs.mpv.bindings #programs.mpv.config + # TODO: implement programs.bat.enableAliases + programs.bat = { + enable = true; + themes.railscast = builtins.readFile (pkgs.fetchFromGitHub { + owner = "jeromedalbert"; + repo = "sublime-text-railscasttextmate-theme"; + rev = "0a4861f35e72f9ad4cc1cac42730ea563be2ffd3"; + hash = "sha256-1Ml5vqP9r6oCfLhaNGPQJXS8e7utxQQycIm3Hk9wE3w="; + } + "/railscast-textmate.tmtheme"); + config.theme = "railscast"; + #config.style = "plain"; + config.map-syntax = [ + "poetry.toml:Toml" + "flake.lock:Json" + ]; + # only in unstable as of 22.11: + #extraPackages = with pkgs.bat-extras; [ batdiff batman batgrep batwatch ]; + }; + /**/ # TODO: upstream this programs.micro.enable = true; 
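Review bot: The `nixpkgs-review` alias does `mkdir -p /dev/shm/nixpkgs-review` and then symlinks `~/.cache/nixpkgs-review` to it; `/dev/shm` is world-writable and `mkdir -p` silently succeeds on an existing directory, so on a multi-user host another local user can pre-create that path and then read or swap the checkouts and build results the review operates on. Use the per-user tmpfs instead: `nixpkgs-review = ''mkdir -p "$XDG_RUNTIME_DIR/nixpkgs-review" && ln -sfn "$XDG_RUNTIME_DIR/nixpkgs-review" "$HOME/.cache/nixpkgs-review" && nixpkgs-review'';` — `/run/user/$UID` is mode 0700 and owned by the user. The alias lives in a `programs.bash.shellAliases` set whose start is outside the hunk.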
@@ -259,13 +292,21 @@ #xdg.desktopEntries gtk.enable = true; # TODO: only if programs.dconf is enabled - gtk.theme.name = "vimix-dark-ruby"; - gtk.theme.package = pkgs.vimix-gtk-themes; + #gtk.theme.name = "vimix-dark-ruby"; # TODO: keep vimix as gnome-shell theme? + #gtk.theme.package = pkgs.vimix-gtk-themes; + gtk.theme.name = "Colloid-Dark"; + gtk.theme.package = pkgs.colloid-gtk-theme; gtk.iconTheme.name = "Flat-Remix-Blue-Dark"; gtk.iconTheme.package = pkgs.flat-remix-icon-theme; + dconf.settings."org/gnome/desktop/background" = { + "picture-uri" = "file:///mnt/reidun/Images/Wallpapers/1575232313831.jpg"; + "picture-uri-dark" = "file:///mnt/reidun/Images/Wallpapers/1575232313831.jpg"; + }; + # TODO: upstream? programs.jump.enableBash = true; + /** / programs.beets = { enable = true; settings = { @@ -278,5 +319,6 @@ ##library = "/mnt/meconium/beets_music/data.db"; }; }; + /**/ }