pederbs/config
2
2
Fork 0
Code Issues Pull Requests Releases Activity

Initial commit

Browse Source
This commit is contained in:
Peder Bergebakken Sundt
2023-02-24 21:36:30 +01:00
parent a6a0b16300
commit 019c139a5c
16 changed files with 657 additions and 339 deletions
Download Patch File Download Diff File Expand all files Collapse all files
profiles/autossh-reverse-tunnels/default.nix
+37
View File
@@ -0,0 +1,37 @@
{ config, pkgs, lib, ... }:
{
# AutoSSH reverse tunnels
services.autossh.sessions = let
mkSshSession = {user, name, host, rport, monitoringPort}: {
user = user; # local user
name = "ssh-reverse-tunnel-${name}-${toString rport}";
monitoringPort = monitoringPort;
extraArguments = lib.concatStringsSep " " [
"-N" # no remote command
"-o ServerAliveInterval=10" # check if still alive
"-o ServerAliveCountMax=3" # check if still alive
"-o ExitOnForwardFailure=yes" # reverse tunnel critical
"-R ${toString rport}:127.0.0.1:22" # reverse tunnel
host
];
};
in [
#(mkSshSession {user="root"; name="p7rpi"; host="pi@p7.pbsds.net"; rport=10023; monitoringPort=20000; }) # no mutual signature algorithm
(mkSshSession {user="root"; name="pbuntu"; host="pbsds@pbuntu.pbsds.net -p 23"; rport=10023; monitoringPort=20002; })
(mkSshSession {user="root"; name="hildring"; host="pederbs@hildring.pvv.ntnu.no"; rport=25775; monitoringPort=20004; })
];
programs.ssh.knownHosts = {
# fetch with `ssh-keyscan`
"[pbuntu.pbsds.net]:23".publicKey
= "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFiAq96DANRP90fBTknL9VagN0HB8O+S6qD17iC8caE3uZ6Wq5a3gpCr/s0T/Cbf8exNYn3zpdLUUUSngN6gMeA=";
"p7.pbsds.net".publicKey
= "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMn1GtMCK2T3LoSfwer0VKCTDO2DHYcf7L41YmWda4fObMZk1VJtjV7wn7EsYkpbHUwkeZCd9DcOb7aYwr0OHLU=";
"hildring.pvv.ntnu.no".publicKey
= "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGurF7rdnrDP/VgIK2Tx38of+bX/QGCGL+alrWnZ1Ca5llGneMulUt1RB9xZzNLHiaWIE+HOP0i4spEaeZhilfU=";
};
#programs.ssh.extraConfig = ''
#'';
}
profiles/code-remote/default.nix
+70 -20
View File
@@ -1,14 +1,24 @@
{ config, pkgs, lib, ... }:
# TODO:
# * [ ] fix network sandboxing, so the container cant access localhost services on host
# * [ ] automatically pull the repo on boot, do i need keys for that?
# * [ ] generate a ssh key if not existing
# * [ ] attempt to pull, otherwise print the ssh-pubkey
# * [ ] Make vscode default to our repo
# * [ ] customize the shit out of vscode
let
domain = "${config.networking.hostName}.${config.networking.domain}";
mkDomain = subname: "${subname}.${domain}";
cnt = config.containers.code-server-theo.config;
container-name = "code-server-pandoc";
cnt = config.containers.${container-name}.config;
in {
networking.nat = {
enable = true;
internalInterfaces = ["ve-+"];
externalInterface = "eno1"; # TODO: can i make this dynamic?
externalInterface = "eno1"; # TODO: can i make this automatic?
#enableIPv6 = true;
};
#imports = [
@@ -18,12 +28,11 @@ in {
# "virtualisation/nixos-containers.nix"
#];
# data can be destroyed with `nixos-container destroy code-server-theo`
containers.code-server-theo = {
# data can be destroyed with `nixos-container destroy code-server-pandoc`
containers.${container-name} = {
autoStart = true;
# container has no network access
#
privateNetwork = true;
hostAddress = "10.240.100.2";
localAddress = "10.240.100.3";
@@ -41,7 +50,7 @@ in {
# hostPath = "/var/lib/code-server";
# isReadOnly = false;
#};
config = { config, pkgs, ... }: {
config = { config, pkgs, lib, ... }: {
system.stateVersion = "22.05";
#imports = [ <home-manager/nixos> ];
@@ -49,23 +58,54 @@ in {
#home-manager.useGlobalPkgs = true; # brrr
#home-manager.users.${config.services.code-server.user} = { pkgs, config, ... }: {
# programs.git.enable = true;
# programs.git.userName = "Theoharis Theoharis";
# programs.git.userName = "Noximilien code-server";
# programs.git.userEmail = "theotheo@ntnu.no";
#};
systemd.services.initial-setup = {
wantedBy = [ "multi-user.target" ];
# TODO: run as the correct user
serviceConfig.User = config.services.code-server.user;
serviceConfig.Group = config.services.code-server.group;
# TODO: make the ssh key comment automatic
script = ''
test -s "$HOME/.ssh/id_rsa.pub" || {
mkdir "$HOME/.ssh"
echo "" | ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -a 100 -C "code-server@noximilien" -f "$HOME/.ssh/id_ed25519"
echo
echo "You pubkey is:"
cat "$HOME/.ssh/id_ed25519.pub"
echo
exit
}
#${pkgs.curl}/bin/curl "https://github.com/pbsds.keys" | grep "$(cat $HOME/.ssh/id_ed25519.pub | cut -d" " -f-2)"
test -d "$HOME/repos/papers" || {
mkdir -p "$HOME/repos"
${pkgs.git}/bin/git clone git@github.com:pbsds/papers.git
}
'';
};
services.code-server = {
enable = true;
host = "0.0.0.0"; # container
port = 53754;
# if you don't care about security: https://argon2.online/
hashedPassword = "$argon2i$v=19$m=16,t=2,p=1$MHh5UGNtU1lWR1UySnhIZw$ITg8U7Gq2CXByuOOnrKVUg";
#user = "code-server";
#group = "code.server";
# a nice tool if you don't care about security: https://argon2.online/
hashedPassword = "$argon2i$v=19$m=16,t=2,p=1$MHh5UGNtU1lWR1UySnhIZw$ITg8U7Gq2CXByuOOnrKVUg"; # hunter2
package = pkgs.vscode-with-extensions.override {
vscode = pkgs.code-server.overrideAttrs (old: {
# vscode-with-extensions compatibility
# https://github.com/NixOS/nixpkgs/pull/192889
passthru.executableName = "code-server";
passthru.longName = "Visual Studio Code Server";
});
#vscodeExtensions = vscode-extensions; [
vscodeExtensions = with (import <nixos-unstable> {}).vscode-extensions; [
#vscodeExtensions = with (import <nixos-unstable> {}).vscode-extensions; [
vscodeExtensions = with pkgs.vscode-extensions; [
shd101wyy.markdown-preview-enhanced
sanaajani.taskrunnercode
tomoki1207.pdf
@@ -115,6 +155,7 @@ in {
];
};
extraPackages = with pkgs; [
# based on https://github.com/pbsds/papers/blob/main/shell.nix
(writeShellScriptBin "pandoc" ''
export XDG_DATA_HOME=${pandoc-lua-filters}/share
exec ${pandoc}/bin/pandoc "$@"
@@ -136,11 +177,26 @@ in {
;
})
(python310.withPackages (ps: with ps; [
python-lsp-server
numpy
matplotlib
imageio
#(callPackage ./nix-modules/pytikz.nix { })
#(callPackage ./nix-modules/pyrender.nix { })
]))
pandoc-imagine
haskellPackages.pandoc-crossref
#haskellPackages.pandoc-plot
#pandoc-plantuml-filter nodePackages.mermaid-cli
# tikz stuff
imagemagick
drawio-headless
openscad
#curv
bash
git
bat
@@ -148,13 +204,6 @@ in {
boxes
graphviz
#python3Packages.cairosvg
(python3.withPackages (ps: with ps; [
numpy
matplotlib
#python-lsp-server
]))
];
};
@@ -165,6 +214,8 @@ in {
];
};
# Manually configure nameserver. Using resolved inside the container seems to fail currently
#environment.etc."resolv.conf".text = "nameserver 8.8.8.8";
};
};
@@ -174,10 +225,9 @@ in {
locations."/" = {
#proxyPass = "http://127.0.0.1:${toString cnt.services.code-server.port}";
#proxyPass = "http://10.240.100.3:${toString cnt.services.code-server.port}";
proxyPass = "http://${config.containers.code-server-theo.localAddress}:${toString cnt.services.code-server.port}";
proxyPass = "http://${config.containers.${container-name}.localAddress}:${toString cnt.services.code-server.port}";
proxyWebsockets = true;
};
};
}
profiles/code-remote/default.nix.bak
+113
View File
@@ -0,0 +1,113 @@
{ config, pkgs, lib, ... }:
let
domain = "${config.networking.hostName}.${config.networking.domain}";
mkDomain = subname: "${subname}.${domain}";
cnt = config.containers.vscode-remote-test.config;
in {
networking.nat = {
enable = true;
internalInterfaces = ["ve-+"];
externalInterface = "eno1"; # TODO: can i make this dynamic?
};
#imports = [
# "/home/pbsds/repos/nixpkgs-trees/containers-mkdir/nixos/modules/virtualisation/nixos-containers.nix"
#];
#disabledModules = [
# "virtualisation/nixos-containers.nix"
#];
containers.vscode-remote-test = {
autoStart = true;
privateNetwork = true;
hostAddress = "10.240.100.2";
localAddress = "10.240.100.3";
#bindMounts."/home" = {
# hostPath = "/var/lib/code-server";
# isReadOnly = false;
#};
config = { config, pkgs, ... }: {
system.stateVersion = "22.05";
imports = [ <home-manager/nixos> ];
home-manager.useUserPackages = true; # install to /etc instead of ~/.nix-profile, needed for containers
home-manager.useGlobalPkgs = true; # brrr
home-manager.users.${config.services.code-server.user} = { pkgs, config, ... }: {
programs.git.enable = true;
programs.git.userName = "Theoharis Theoharis";
programs.git.userEmail = "theotheo@ntnu.no";
programs.vscode.extensions = with pkgs.vscode-extensions; [
shd101wyy.markdown-preview-enhanced
sanaajani.taskrunnercode
tomoki1207.pdf
];
};
services.code-server = {
enable = true;
port = 53754;
# if you don't care about security: https://argon2.online/
hashedPassword = "$argon2i$v=19$m=16,t=2,p=1$MHh5UGNtU1lWR1UySnhIZw$ITg8U7Gq2CXByuOOnrKVUg";
extraPackages = with pkgs; [
(writeShellScriptBin "pandoc" ''
export XDG_DATA_HOME=${pandoc-lua-filters}/share
exec ${pandoc}/bin/pandoc "$@"
'')
(texlive.combine {
inherit (texlive)
scheme-small
titlesec
fontaxes
supertabular
xtab
# boxed quotes
mdframed
zref
needspace
soul
atkinson
;})
pandoc-imagine
haskellPackages.pandoc-crossref
#haskellPackages.pandoc-plot
#pandoc-plantuml-filter nodePackages.mermaid-cli
bash
bat
gnumake
boxes
graphviz
#python3Packages.cairosvg
(python3.withPackages (ps: with ps; [
numpy
matplotlib
#python-lsp-server
]))
];
};
#networking.firewall = {
# enable = true;
# allowedTCPPorts = [ 80 ];
#};
};
};
services.nginx.virtualHosts.${mkDomain "code-remote"} = {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
locations."/" = {
#proxyPass = "http://127.0.0.1:${toString cnt.services.code-server.port}";
proxyPass = "http://10.240.100.3:${toString cnt.services.code-server.port}";
proxyWebsockets = true;
};
};
}
profiles/nas/default.nix
+52 -65
View File
@@ -16,10 +16,20 @@ in
with builtins; {
imports = [
./modules/webhook.nix
#./modules/kukkee.nix
<nixos-unstable/nixos/modules/services/misc/polaris.nix>
#/home/pbsds/repos/nixpkgs-polaris/nixos/modules/services/misc/polaris.nix
#<nixos-unstable/nixos/modules/services/misc/polaris.nix>
#/home/pbsds/repos/nixpkgs-trees/polaris/nixos/modules/services/misc/polaris.nix
/home/pbsds/repos/nixpkgs/polaris-14/nixos/modules/services/misc/polaris.nix
];
disabledModules = [
"services/misc/polaris.nix"
];
nixpkgs.overlays = [
(final: prev: {
polaris = prev.callPackage /home/pbsds/repos/nixpkgs/polaris-14/pkgs/servers/polaris { };
polaris-web = prev.callPackage /home/pbsds/repos/nixpkgs/polaris-14/pkgs/servers/polaris/web.nix { };
})
];
@@ -46,6 +56,7 @@ with builtins; {
services.nginx.enable = true;
networking.firewall.allowedTCPPorts = [ 80 443 ];
# Website tunnel
@@ -219,12 +230,12 @@ with builtins; {
services.grafana = rec {
#enable = true;
#addr = "127.0.0.1";
addr = "0.0.0.0";
port = 3000;
domain = mkDomain "grafana";
settings.server.http_addr = "0.0.0.0";
settings.server.http_port = 3000;
settings.server.domain = mkDomain "grafana";
#rootUrl = "https://${domain}/grafana/"; # Not needed if it is `https://your.domain/`
};
services.nginx.virtualHosts."${config.services.grafana.domain}" = lib.mkIf config.services.grafana.enable {
services.nginx.virtualHosts."${config.services.grafana.settings.server.domain}" = lib.mkIf config.services.grafana.enable {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
#locations."/grafana/" = {
@@ -258,7 +269,8 @@ with builtins; {
# Cryptpad
# A collaborative office suite that is end-to-end encrypted and open-source.
# TODO: https://github.com/NixOS/nixpkgs/pull/180066
/*
services.cryptpad = {
#enable = true; # current node version used is marked insecure
# reference: https://github.com/xwiki-labs/cryptpad/blob/main/config/config.example.js
@@ -305,7 +317,7 @@ with builtins; {
proxyWebsockets = true;
};
};
*/
# Jellyfin
@@ -320,12 +332,14 @@ with builtins; {
openFirewall = false; # I do it manually below:
# TODO: configure initial collections and extensions
};
# firewall
networking.firewall = lib.mkIf config.service.jellyfin.enable {
# firewall - not needed?
/*
networking.firewall = lib.mkIf config.services.jellyfin.enable {
# TODO: does this overwrite rules set by other stuff? should i use ++ ?
#allowedTCPPorts = [ 8096 8920 ];
allowedUDPPorts = [ 1900 7359 ]; # TODO: Only if behind a NAT?
};
*/
services.nginx.virtualHosts.${mkDomain "jellyfin"} = lib.mkIf config.services.jellyfin.enable {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
@@ -335,6 +349,7 @@ with builtins; {
};
};
# Hardware acceleration
# https://nixos.wiki/wiki/Jellyfin
nixpkgs.config.packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
};
@@ -345,6 +360,7 @@ with builtins; {
vaapiIntel
vaapiVdpau
libvdpau-va-gl
intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
];
};
# Allow Jellyfin access to VAAPI
@@ -392,20 +408,20 @@ with builtins; {
#user = "pbsds";
#group = "users";
port = 7890;
package = pkgs.unstable.polaris; # instead of my overlay, TODO: move that overlay here
#package = pkgs.unstable.polaris; # instead of my overlay, TODO: move that overlay here
settings = {
settings.reindex_every_n_seconds = 7*24*60*60; # weekly, default is 1800, i.e. hourly
settings.album_art_pattern =
"([Cc]over|COVER|[Ff]older|FOLDER|[Ff]ront|FRONT)\.(jpeg|JPEG|jpg|JPG|png|PNG|bmp|BMP|gif|GIF)";
#"(?i)(cover|folder|front)\.(jpeg|jpg|png|bmp|gif)";
mount_dirs = [
{ source = "/mnt/reidun/Music/Albums"; name = "Albums"; }
{ source = "/mnt/reidun/Music/dojin.co"; name = "dojin.co"; }
{ source = "/mnt/reidun/Music/Vocaloid"; name = "Vocaloid"; }
{ source = "/mnt/reidun/Music/Touhou"; name = "Touhou"; }
{ source = "/mnt/reidun/Music/OST"; name = "OST"; }
{ source = "/mnt/reidun/Music/Kancolle"; name = "Kancolle"; }
{ source = "/mnt/reidun/Downloads/music"; name = "Downloads"; }
{ name = "Albums"; source = "/mnt/reidun/Music/Albums"; }
{ name = "dojin.co"; source = "/mnt/reidun/Music/dojin.co"; }
{ name = "Vocaloid"; source = "/mnt/reidun/Music/Vocaloid"; }
{ name = "Touhou"; source = "/mnt/reidun/Music/Touhou"; }
{ name = "OST"; source = "/mnt/reidun/Music/OST"; }
{ name = "Kancolle"; source = "/mnt/reidun/Music/Kancolle"; }
{ name = "Downloads"; source = "/mnt/reidun/Downloads/music"; }
];
};
};
@@ -580,42 +596,12 @@ with builtins; {
};
# Webhook
# incoming webhook server that executes shell commands
/**/
services.webhook = {
enable = true;
#listenHost = "0.0.0.0"; # default is "127.0.0.1"
listenPort = 7777; # default is 8080
urlPrefix = "spismeg"; # default is "hooks"
#httpMethods = [ "GET" "POST" ]; # default is [ "POST" ]
settings = [
{
id = "webhook-id";
execute-command = pkgs.writeShellScript "webhook-handler.sh" ''
echo foobar;
'';
}
];
};
services.nginx.virtualHosts.${mkDomain "webhook"} = lib.mkIf config.services.webhook.enable {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.webhook.listenPort}";
proxyWebsockets = true;
};
};
/**/
# Gitea
# Git with a cup of tea
services.gitea = rec {
enable = true;
disableRegistration = true; # disable after initial deploy
settings.service.DISABLE_REGISTRATION = true; # disable after initial deploy
#https://docs.gitea.io/en-us/config-cheat-sheet/
#settings = {
# "cron.sync_external_users" = {
@@ -645,7 +631,7 @@ with builtins; {
httpAddress = "127.0.0.1"; # default is "0.0.0.0"
#extraConfig
#database.type # default is "sqlite3"
cookieSecure = true; # default is false, only send cookies over https
settings.session.COOKIE_SECURE = true; # default is false, only send cookies over https
#stateDir # default is "/var/lib/gitea"
#mailerPasswordFile # Path to a file containing the SMTP password
#repositoryRoot # default is "${config.services.gitea.stateDir}/repositories"
@@ -1098,19 +1084,19 @@ with builtins; {
services.hedgedoc = {
#enable = true; # FIXME: make it load
configuration.host = "127.0.0.1";
configuration.port = 44776;
configuration.db.dialect = "sqlite";
configuration.db.storage = "${config.services.hedgedoc.workDir}/db.hedgedoc.sqlite";
configuration.domain = mkDomain "hedgedoc";
configuration.allowAnonymous = true;
configuration.allowEmailRegister = false; # default is true
configuration.allowAnonymousEdits = false; # default is false
configuration.protocolUseSSL = true; # https prefix
configuration.useSSL = false; # nginx terminates ssl
#configuration.csp = {TODO}; # content security policy
#configuration.useCDN = true;
#configuration.debug = true;
settings.host = "127.0.0.1";
settings.port = 44776;
settings.db.dialect = "sqlite";
settings.db.storage = "${config.services.hedgedoc.workDir}/db.hedgedoc.sqlite";
settings.domain = mkDomain "hedgedoc";
settings.allowAnonymous = true;
settings.allowEmailRegister = false; # default is true
settings.allowAnonymousEdits = false; # default is false
settings.protocolUseSSL = true; # https prefix
settings.useSSL = false; # nginx terminates ssl
#settings.csp = {TODO}; # content security policy
#settings.useCDN = true;
#settings.debug = true;
# there are also a metric fuckton of integration services, like github, twitter, minio, mattermost, dropbox etc.
# there are also auth options, like ldap, saml and oauth2
};
@@ -1118,7 +1104,7 @@ with builtins; {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.hedgedoc.configuration.port}";
proxyPass = "http://127.0.0.1:${toString config.services.hedgedoc.settings.port}";
proxyWebsockets = true;
# TODO: proxy headers:
# https://docs.hedgedoc.org/guides/reverse-proxy/
@@ -1186,6 +1172,7 @@ with builtins; {
};
# vaultwarden
# Unofficial Bitwarden compatible server written in Rust
profiles/nfs-reidun/default.nix
+62
View File
@@ -0,0 +1,62 @@
{ config, pkgs, lib, ... }:
{
fileSystems = let
mkMount = mountpoint: server: subdir: {
"${mountpoint}${subdir}" = {
device = "${server}${subdir}";
fsType = "nfs";
#options = [ "nfsvers=4.2" ];
};
};
# TODO: combine nameValuePair and listToAttrs
joinSets = sets: builtins.foldl' (l: r: l // r) {} sets;
in joinSets (
(map (mkMount "/mnt/reidun" "192.168.1.3:/Reidun/shared") [
""
"/Backups"
"/Comics"
"/Downloads"
"/Games"
"/Games/Installable"
"/Games/Portable"
"/Games/ROMs"
"/ISO"
"/Images"
"/Images/Collections"
"/Images/Memes"
"/Images/Pictures"
"/Images/Wallpapers"
"/Music"
"/Music/Albums"
"/Music/Kancolle"
"/Music/OST"
"/Music/Old"
"/Music/Touhou"
"/Music/Vocaloid"
"/Music/dojin.co"
"/Various"
"/Various/Zotero"
"/Various/resilio"
"/Video"
"/Video/Anime"
"/Video/Concerts"
"/Video/Documentaries"
"/Video/Movies"
"/Video/Musicvideos"
"/Video/Series"
"/Video/Talks"
"/Work"
"/Work/Documents"
#"/Work/FL Studio" # broken, maybe due to the space?
"/Work/Programming"
"/Work/School"
"/pub"
]) ++ (map (mkMount "/mnt/meconium" "192.168.1.3:/Meconium" ) [
""
"/beets_music"
])
);
}
profiles/remote-builders/default.nix
+94
View File
@@ -0,0 +1,94 @@
{ config, pkgs, lib, ... }:
let
#supportedFeatures:
# - "kvm" - has hypervisor
# - "nixos-test" - the same as ^? nixos?
# - "benchmark" - has "equal" performance
# - "big-parallel" - is beefy, for stuff like llvm
# TODO: get a binfmt-misc host for cross stuff
# add noximilien, filter (hostName != fqdn)
remotes = [
/**/
{
systems = ["x86_64-linux"];
hostName = "rocm.pbsds.net";
sshUser = "pbsds";
maxJobs = 8;
#maxJobs = 4;
#maxJobs = 1; # at least for big-parallel
speedFactor = 2;
supportedFeatures = [ "kvm" "big-parallel" ];
#supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
#mandatoryFeatures = [ ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGDuWdqEQ5mmVjuKi6f/Q2PFxuqB3URpgTHid06Vw7we";
proxy.user="pederbs";
proxy.host="isvegg.pvv.ntnu.no";
proxy.publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGurF7rdnrDP/VgIK2Tx38of+bX/QGCGL+alrWnZ1Ca5llGneMulUt1RB9xZzNLHiaWIE+HOP0i4spEaeZhilfU=";
}
/**/
{
systems = ["x86_64-linux"];
hostName = "isvegg.pvv.ntnu.no";
sshUser = "pederbs";
maxJobs = 1;
speedFactor = 0;
publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGurF7rdnrDP/VgIK2Tx38of+bX/QGCGL+alrWnZ1Ca5llGneMulUt1RB9xZzNLHiaWIE+HOP0i4spEaeZhilfU=";
}
{
systems = ["x86_64-linux"];
hostName = "eirin.pvv.ntnu.no";
sshUser = "pederbs";
maxJobs = 2;
speedFactor = 0;
publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBILGULKEzYe5kPorM0rWATv10qq6debfCuYUYqw3HWZm4Y5Pi7mVKcf8lKFNPc1DxT/dStfxxtHj/2fbezaxElk=";
}
{
systems = ["x86_64-linux"];
hostName = "demiurgen.pvv.ntnu.no";
sshUser = "pederbs";
maxJobs = 2;
speedFactor = 0;
publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKw92q3eB5HZbKJN3p+80MtirqcXPu01USE9LnoGYJuDvko1udjIy4UR0wAwELqgs+r7mJyuQPeXmOZKwjHP6tM=";
}
/**/
];
mkRemoteConfig = {
publicKey,# fetch it with `ssh-keyscan`
proxy ? null, # schema: { user, host, publicKey }
... # the rest follows nix.buildMachines.<NAME> schema
}@args:
let
buildMachine = lib.filterAttrs (key: _: !builtins.elem key ["publicKey" "proxy"]) args; # this should have syntactic sugar: ...@buildMachine
in {
nix.buildMachines = [ buildMachine ];
programs.ssh.knownHosts.${buildMachine.hostName}.publicKey = publicKey;
programs.ssh.extraConfig = ''
Host ${buildMachine.hostName}
ConnectTimeout 3
${lib.optionalString (proxy != null) ''
ProxyJump ${proxy.user}@${proxy.host}
''}
'';
programs.ssh.knownHosts.${proxy.host or "IGNORE"} = lib.mkIf (proxy != null) { publicKey = proxy.publicKey; };
};
in {
nix.distributedBuilds = true;
# TODO: Allow setting speedFactor for local builds, as local is currently fixed to 0
# https://github.com/NixOS/nix/issues/2457
# useful when the builder has a faster internet connection than i do
nix.extraOptions = ''
builders-use-substitutes = true
'';
# TODO: can i make ^ non-string?
# TIL: this can be a list of configurations and lambdas, not just file paths
imports = builtins.map mkRemoteConfig remotes;
}
profiles/todos.md
+5
View File
@@ -0,0 +1,5 @@
* [ ] mv nas/default.nix nas.nix
* [ ] mv website/default.nix website.nix
* [ ] move each part into web-services, and import them as modules
* [ ] make mkDomain a function
* [ ] make ACME a function
profiles/websites/default.nix
+3 -2
View File
@@ -11,6 +11,7 @@ in {
imports = [
./services/pdoc.nix
#../services/tt-rss.nix
];
@@ -22,8 +23,8 @@ in {
domain = "gitea.noximilien.pbsds.net";
owner = "pbsds";
repo = "links.pbsds.net";
rev = "fd980f4610f8027b4fc89c506542009f09504085";
hash = "sha256-Iz/lfLkdCLJyyZ/PM9+VCkCG5lYSb9/i4x0ZhranBxc=";
rev = "61cd605f198a22db87af087fda34c378b03d4306";
hash = "sha256-dx19aTy8K9xkL+cO4r4huYKrlVBZMUkDcbjqxLKe8W4=";
};
in {
#serverAliases = map mkDomain [ "links" ];
profiles/websites/services/pdoc.nix
+6 -4
View File
@@ -85,14 +85,15 @@ let
{name="beautifulsoup4"; literal="bs4";}
"hid"
#{name="hidapi"; literal="hid";}
"sanic"
#"sanic" # broken build?
"paramiko"
"pydub"
"aiohttp"
"papermill"
"rtoml"
"redis"
"numpy"
"domeneshop"
#"domeneshop"
"munch"
"migen"
"amaranth"
@@ -109,7 +110,7 @@ let
"peewee"
"parsel"
"pandas"
"mutmut"
#"mutmut" # moved to toplevel from python3Packages
"mlflow"
"meshio"
#"einops" # depends on tensorflow, which is broken ATM
@@ -141,7 +142,7 @@ let
"asyncpg" #"aiopg"
{name="libsass"; literal="sass";}
{name="pytorch"; literal="torch";}
{name="pytorch-lightning"; literal="pytorch_lightning";}
#{name="pytorch-lightning"; literal="pytorch_lightning";} # broken build?
{name="pillow"; literal="PIL";}
"trio"
"tqdm"
@@ -160,6 +161,7 @@ let
"imageio"
"pygments"
"trimesh"
"shapely"
#"faiss"
#"geomloss"
#"mesh_to_sdf"
profiles/xrdp/default.nix
+21
View File
@@ -0,0 +1,21 @@
{ config, pkgs, lib, ... }:
{
# https://nixos.wiki/wiki/Remote_Desktop
services.xrdp.enable = true;
services.xrdp.openFirewall = true; # TCP only
services.xserver.enable = true;
services.xserver.virtualScreen = { x=1920; y=1080; }; # doesn't work?
services.xserver.tty = lib.mkDefault null;
# https://nixos.wiki/wiki/GNOME
#services.xserver.displayManager.gdm.enable = true;
services.xserver.desktopManager.gnome.enable = true;
#services.xrdp.defaultWindowManager = "gdm";
#services.xrdp.defaultWindowManager = "gnome-shell";
#services.xrdp.defaultWindowManager = "gnome-session";
services.xrdp.defaultWindowManager = "${pkgs.gnome.gnome-session}/bin/gnome-session"; # remember to `systemctl restart xrdp-sesman` if you change this
programs.dconf.enable = true;
}