further catogorize profile/web, add python-docs

This commit is contained in:
Peder Bergebakken Sundt 2023-02-26 02:46:35 +01:00
parent 71ac683efa
commit 181edd92e5
65 changed files with 282 additions and 262 deletions


@ -1,17 +1,34 @@
# Initial setup
# Initial setup (old)
```
nixos-generate-config
```
nixos-generate-config
# TODO:
# Reading list
* [ ] Multiple user profiles, headless, nixpkgs-dev, desktop, hpc, pvv, etc
* [ ] Split stuff into multiple files
* [ ] Some system for multiple hosts with different configs
* [ ] Make a flake
* https://nixos.wiki/wiki/Flakes
* https://teu5us.github.io/nix-lib.html
* https://ryantm.github.io/nixpkgs/builders/trivial-builders/
# TODOs:
* [x] Split stuff into multiple files
* [x] Make a flake
* [ ] Setup some remote-development flow
* [ ] users/pbsds: Support multiple profiles, like headless, nixpkgs-dev, various desktops, hpc, pvv, etc
* [ ] nixos-generate-config instructions
* [ ] zfs
* [ ] secrets
* [ ] profiles/web: make ACME/nginx helper a function
* [ ] Support multiple tlds
* [ ] Support multiple acme accounts
* [ ] Support a per-account provider?
* [ ] Support DNS auth
* [ ] Setup aliases instead of a per-subdomain cert
# How to evaluate, checking if the drv hash is equal
# Cheatsheet
### How to evaluate nixos flake/configuration.nix, checking if the drv hash is equal
nix eval .#nixosConfigurations.noximilien.config.system.build.toplevel.outPath
# or
nix-instantiate '<nixpkgs/nixos>' -A system -I nixos-config=./configuration.nix


@ -1,9 +1,9 @@
{ config, pkgs, lib, ... }:
{ config, pkgs, lib, inputs, ... }:
{
imports = [
./cachix.nix
(if builtins.pathExists ./hardware-configuration.nix
then ./hardware-configuration.nix # results of hardware scan
then ./hardware-configuration.nix # results of nixos-generate-config
else {}
)
];
@ -11,9 +11,32 @@
nixpkgs.config.allowUnfree = true;
nixpkgs.config.allowUnfreePredicate = (pkg: true);
system.autoUpgrade.enable = true; # daily nixos-rebuild switch, no reboot by default
# 'nixos-rebuild switch --upgrade', by default daily with no reboot
#system.autoUpgrade.allowReboot = true; # reboot after a kernel (module) or initrd upgrade, consider also setting `rebootWindow`
# TODO: this check is not pure
system.autoUpgrade = if builtins.pathExists "/etc/nixos/flake.nix" then { #TODO: should i check for .git instead?
enable = true;
flake = "/etc/nixos";
flags = [
"--recreate-lock-file" # fetch new inputs
#"--commit-lock-file" # commit new lock to local git repo
# TODO: can i somehow first do a git pull --rebase --autostash with proper abort handling ?
"-L" # print build logs
];
} else {
enable = true;
flake = inputs.self.outPath; # a nix store path
flags = [
"--recreate-lock-file" # fetch new inputs
"--no-write-lock-file" # no write new flakelock, as the in-store flake is read-only
"-L" # print build logs
];
};
#assertions = [
# { assertion = builtins.pathExists "/etc/nixos/flake.nix"; message = "You have yet to test systems without a flake in /etc/nixos"; }
#];
nix.settings.trusted-users = [ "root" ];
nix.settings.trusted-users = [ "root" ]; # default, but will stick around after a mergins with ./users
nix.settings.auto-optimise-store = true; # deduplicate with hardlinks, expensive. Alternative: nix-store --optimise
#nix.optimize.automatic = true; # periodic optimization
nix.gc.automatic = true;
@ -52,14 +75,4 @@
services.xserver.layout = "no";
services.xserver.xkbVariant = "";
# System fonts
# Nice to have when X-forwading on headless machines
# TODO: move?
fonts.fonts = with pkgs; [
noto-fonts # includes Cousine
noto-fonts-cjk
noto-fonts-emoji
noto-fonts-extra
dejavu_fonts
];
}
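Review bot: The `"--recreate-lock-file"` flag in both branches of `system.autoUpgrade.flags` makes the daily switch fetch and apply whatever every flake input currently points at, with nobody looking at the resulting lock diff, and the `inputs.self.outPath` branch adds `"--no-write-lock-file"`, so the input revisions that actually got deployed are not recorded anywhere for later audit. Consider enabling the already-commented `"--commit-lock-file"` in the `/etc/nixos` branch so each unattended bump lands in git, and a comment above the flags list such as `# NOTE: unattended input bumps; review flake.lock history before trusting a host's state`. The `builtins.pathExists "/etc/nixos/flake.nix"` branch selection is impure, as the TODO already notes, so which flag set is active is not visible from the evaluated configuration alone. The attribute set this hunk sits in starts before the hunk.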


@ -1,6 +0,0 @@
{
import = [
./base.nix
./hosts/noximilien.nix
];
}


@ -21,6 +21,21 @@
"type": "github"
}
},
"nixos-hardware": {
"locked": {
"lastModified": 1677232326,
"narHash": "sha256-rAk2/80kLvA3yIMmSV86T1B4kNvwCFMSQ1FxXndaUB0=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "2d44015779cced4eec9df5b8dab238b9f6312cb2",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "nixos-hardware",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1677249740,
@ -37,10 +52,44 @@
"type": "github"
}
},
"nur": {
"locked": {
"lastModified": 1677354372,
"narHash": "sha256-yJQeIxHkJO7GOvEK24hv9K59eorGTrEgfNWjlrpBfPU=",
"owner": "nix-community",
"repo": "NUR",
"rev": "4711c9bb1df2bf0fd103c46aa9465ebde8fd93c7",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "NUR",
"type": "github"
}
},
"pr-polaris14": {
"locked": {
"lastModified": 1672706949,
"narHash": "sha256-7w8ylNEmeWX7++E6vECZ4nY6I0AGA/irT7eWQ7c7aX0=",
"owner": "pbsds",
"repo": "nixpkgs",
"rev": "8d4e5e6a87684b3035a94d0e7e7c19d342448f68",
"type": "github"
},
"original": {
"owner": "pbsds",
"ref": "polaris-14",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"home-manager": "home-manager",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs",
"nur": "nur",
"pr-polaris14": "pr-polaris14",
"unstable": "unstable"
}
},


@ -1,16 +1,22 @@
{
description = "pbsds' nix system/home profile flake";
description = "pbsds' system/home flake";
# TODO: NUR
inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11-small";
inputs.unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small";
inputs.nur.url = "github:nix-community/NUR";
inputs.home-manager.url = "github:nix-community/home-manager";
inputs.home-manager.inputs.nixpkgs.follows = "nixpkgs";
inputs.nixos-hardware.url = "github:NixOS/nixos-hardware";
# temp stuff
inputs.pbsds-polaris-pr = "github:pbsds/nixpkgs/polaris-14";
#TODO:
#sops-nix.url = "github:Mic92/sops-nix";
#sops-nix.inputs.nixpkgs.follows = "nixpkgs";
#matrix-next.url = "github:dali99/nixos-matrix-modules"; # see https://git.pvv.ntnu.no/Drift/pvv-nixos-config/src/main/flake.nix
outputs = { self, nixpkgs, unstable, home-manager, ... }@inputs:
# temp
inputs.pr-polaris14.url = "github:pbsds/nixpkgs/polaris-14";
outputs = { self, nixpkgs, unstable, nixos-hardware, nur, home-manager, ... }@inputs:
let
systems = [
"x86_64-linux"
@ -18,30 +24,42 @@
#"riscv64-linux"
];
forAllSystems = f: nixpkgs.lib.genAttrs systems (system: f system);
nixosOverrides = {
tmpConfig = {
disabledModules = [ "services/misc/polaris.nix" ];
imports = [ inputs.pbsds-polaris-14 + "/nixos/modules/services/misc/polaris.nix" ];
nixpkgs.overlays = [(final: prev: {
polaris = prev.callPackage (inputs.pbsds-polaris-14 + /pkgs/servers/polaris) { };
polaris-web = prev.callPackage (inputs.pbsds-polaris-14 + /pkgs/servers/polaris/web.nix) { };
imports = [ "${inputs.pr-polaris14}/nixos/modules/services/misc/polaris.nix" ];
nixpkgs.overlays = [(final: prev: { # TODO: nixpkgs.config.packageOverrides ?
polaris = prev.callPackage "${inputs.pr-polaris14}/pkgs/servers/polaris" { };
polaris-web = prev.callPackage "${inputs.pr-polaris14}/pkgs/servers/polaris/web.nix" { };
})];
};
mkConfig = system: modules: nixpkgs.lib.nixosSystem {
mkConfig = hostname: system: modules: nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = { inherit unstable inputs; };
modules = modules ++ [ ./base.nix nixosOverrides ({
specialArgs = { inherit inputs; };
modules = modules ++ [ ./base.nix "${self}/hosts/${hostname}" tmpConfig ({
networking.hostName = hostname;
networking.domain = "pbsds.net";
networking.search = [ "pbsds.net" ];
nixpkgs.overlays = [ # TODO: consider nixpkgs.config.packageOverrides
#(final: prev: self.packages.${system})
(final: prev: {
unstable = unstable.legacyPackages.${final.system};
#unstable = import unstable { inherit system; };
nur = import nur { inherit (prev) pkgs; nurpkgs = prev.pkgs; };
#nur = import nur { inherit (prev) pkgs; nurpkgs = import nixpkgs { inherit final.system: }; }; # TODO: nurpkgs?
})
];
# This makes commandline tools like 'nix run nixpkgs#hello'
# and 'nix-shell -p hello' use the same channel the system was built with
# and 'nix-shell -p hello' use the same channel as system was built with
nix.registry.nixpkgs.flake = inputs.nixpkgs;
nix.registry.unstable.flake = inputs.unstable;
nix.nixPath = [
"nixpkgs=${inputs.nixpkgs}"
"unstable=${inputs.unstable}"
"unstable=${inputs.unstable}" # TODO: needed?
];
})];
};
in {
nixosConfigurations.noximilien = mkConfig "x86_64-linux" [ ./hosts/noximilien.nix ];
nixosConfigurations.noximilien = mkConfig "noximilien" "x86_64-linux" (with nixos-hardware.nixosModules; [ common-pc common-pc-ssd common-cpu-intel ]);
homeConfigurations = forAllSystems (system: {
pbsds = home-manager.lib.homeManagerConfiguration {
pkgs = nixpkgs.legacyPackages.${system};
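Review bot: The overlay line `nur = import nur { inherit (prev) pkgs; nurpkgs = prev.pkgs; };` exposes the whole NUR tree as `pkgs.nur.*` on every host built through `mkConfig`, and NUR expressions are contributed by individual users without the review nixpkgs applies, so a bump of that input is effectively unreviewed code reaching the host. A comment at that line, `# NUR is unreviewed third-party code; check the flake.lock bump before switching`, would make that visible at the point of use. `specialArgs = { inherit inputs; }` also drops the `unstable` argument that the old line passed; any module outside this commit that still takes `unstable` as a module argument will fail to evaluate, which is worth a grep before merging. `outputs` continues past the end of the hunk.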


@ -5,5 +5,4 @@
hardware.opengl.enable = true;
#hardware.opengl.extraPackages = [ pkgs.mesa.drivers ];
hardware.opengl.extraPackages = with pkgs; [ mesa.drivers vaapiIntel libvdpau-va-gl vaapiVdpau intel-ocl ];
}


hosts/asgaut/default.nix Normal file

@ -0,0 +1,2 @@
{}
# TODO: visionfive 2


@ -1,62 +1,66 @@
{ config, pkgs, lib, ... }:
{
imports = [
../users
../users/pbsds
../users/jornane
#../users/all.nix # TODO: does not work?
./hardware-configuration.nix
../hardware/opengl-intel.nix
../../users # home-manager
../../users/pbsds
../../users/jornane
#../../users/all.nix # TODO: does not work?
../profiles/web
../profiles/web/index
../profiles/web/cinny
../profiles/web/element
../profiles/web/flexget
../profiles/web/gitea
../profiles/web/hydra
../profiles/web/invidious
../profiles/web/jellyfin
../profiles/web/libreddit
../profiles/web/mattermost
../profiles/web/navidrome
../profiles/web/netdata
../profiles/web/nitter
../profiles/web/ntopng
../profiles/web/owncast
../profiles/web/paperless
../profiles/web/polaris
../profiles/web/resilio
../profiles/web/roundcube
../profiles/web/thelounge
../profiles/web/vaultwarden
../profiles/web/webdav-zotero
#../profiles/web/convos
#../profiles/web/cryptpad
#../profiles/web/galene
#../profiles/web/graphana
#../profiles/web/hedgedoc
#../profiles/web/home-assistant
#../profiles/web/jitsi-meet
#../profiles/web/kukkee
#../profiles/web/matrix-synapse
#../profiles/web/shlink
#../profiles/web/sourcegraph
../../hardware/opengl-intel.nix
../profiles/web/pdoc
../profiles/web/linktree-pbsds
../profiles/web/refleksjon-no
../profiles/web/roroslyd-no
#../profiles/web/trivial-gradios
#../profiles/web/censordodge
#../profiles/web/openspeedtest
../../profiles/web
../../profiles/web/index
../../profiles/web/services/cinny
../../profiles/web/services/element
../../profiles/web/services/flexget
../../profiles/web/services/gitea
../../profiles/web/services/hydra
../../profiles/web/services/invidious
../../profiles/web/services/jellyfin
../../profiles/web/services/libreddit
../../profiles/web/services/mattermost
../../profiles/web/services/navidrome
../../profiles/web/services/netdata
../../profiles/web/services/nitter
../../profiles/web/services/ntopng
../../profiles/web/services/owncast
../../profiles/web/services/paperless
../../profiles/web/services/polaris
../../profiles/web/services/resilio
../../profiles/web/services/roundcube
../../profiles/web/services/thelounge
../../profiles/web/services/vaultwarden
../../profiles/web/services/webdav-zotero
#../../profiles/web/services/convos
#../../profiles/web/services/cryptpad
#../../profiles/web/services/galene
#../../profiles/web/services/graphana
#../../profiles/web/services/hedgedoc
#../../profiles/web/services/home-assistant
#../../profiles/web/services/jitsi-meet
#../../profiles/web/services/kukkee
#../../profiles/web/services/matrix-synapse
#../../profiles/web/services/shlink
#../../profiles/web/services/sourcegraph
#../../profiles/web/services/censordodge
#../../profiles/web/services/openspeedtest
../profiles/domeneshop-dyndns # TODO: olavtr is hardcoded...
../profiles/code-remote
../profiles/remote-builders #
../profiles/nfs/reidun.nix # NFS mounts
../profiles/autossh-reverse-tunnels
#../profiles/xrdp
../../profiles/web/docs/pdoc
../../profiles/web/docs/python-docs
../../profiles/web/sites/linktree-pbsds
../../profiles/web/sites/refleksjon-no
../../profiles/web/sites/roroslyd-no
#../../profiles/web/services/trivial-gradios
../../profiles/domeneshop-dyndns # TODO: olavtr is hardcoded...
../../profiles/code-remote
../../profiles/remote-builders #
../../profiles/nfs/reidun.nix # NFS mounts
../../profiles/autossh-reverse-tunnels
#../../profiles/xrdp
];
# TODO: remove? Move to where relevant=
@ -92,8 +96,6 @@
networking.networkmanager.enable = true;
#networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
#networking.iwd.enable = true
networking.hostName = "noximilien";
networking.domain = "pbsds.net";
networking.interfaces.eno1.ipv4.addresses = [
{ address = "192.168.1.9"; prefixLength = 24; }
];
@ -107,7 +109,7 @@
interface = "eno1";
};
#networking.useDHCP = true;
#TODO: avahi?
#TODO: avahi? resolved? https://git.pvv.ntnu.no/Drift/pvv-nixos-config/src/main/base.nix#L15-L18
# Installed system packages
# TODO: prune this, make home-manager deal with the majority
@ -223,6 +225,18 @@
# User pederbs
#'';
# System fonts
# Nice to have when X-forwading on headless machines
# TODO: move?
fonts.fonts = with pkgs; [
noto-fonts # includes Cousine
noto-fonts-cjk
noto-fonts-emoji
noto-fonts-extra
dejavu_fonts
];
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
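Review bot: `./hardware-configuration.nix` is imported in the first hunk relative to `hosts/noximilien/`, while `base.nix` in this same commit still conditionally imports `./hardware-configuration.nix` relative to the repo root; if a root-level copy is ever left behind, both would define `fileSystems."/"` and `swapDevices`, and evaluation would either conflict or silently merge two disks' UUIDs into one host. Now that hosts carry their own scan output, the `builtins.pathExists` fallback in `base.nix` looks obsolete and could be dropped, or at least a comment added next to the import here: `# per-host scan output; the pathExists import in base.nix is a legacy fallback and should not also match`. Whether a root-level copy still exists is not visible in this diff. The attribute set continues beyond the last hunk.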


@ -0,0 +1,33 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/fa5f2e24-ab42-4a5f-bf8c-be699b980457";
fsType = "ext4";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/5b00f5ca-f7a8-4a69-a93b-8e68d9e369e7"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -2,6 +2,8 @@
{
# AutoSSH reverse tunnels
# TODO: add noximilien to this list, deselect is using hostname
services.autossh.sessions = let
mkSshSession = {user, name, host, rport, monitoringPort}: {
user = user; # local user


@ -4,8 +4,8 @@
systemd.services.domeneshop-updater = {
description = "domene.shop domain updater";
#after = [ "something?.service" ];
#wants = [ "something?.service" ];
after = [ "network-online.target" ]; # TODO: multi-user ?
wants = [ "network-online.target" ]; # TODO: multi-user ?
serviceConfig = let
prog = pkgs.writeShellApplication {
name = "domeneshop-dyndns-updater.sh";


@ -1,140 +0,0 @@
{ lib, pkgs, config, ... }:
#with builtins;
let
lib_ = lib;
in
let
cfg = config.services.webhook;
hooksFormat = pkgs.formats.json {};
lib = lib_ // { mdDoc = x: x; }; # HACK
in {
options.services.webhook = with lib; {
enable = mkEnableOption "webhook service";
package = mkPackageOption pkgs "webhook" { };
user = mkOption {
type = types.str;
default = "webhook";
description = lib.mdDoc "User under which Webhook runs.";
};
group = mkOption {
type = types.str;
default = "webhook";
description = lib.mdDoc "Group under which Webhook runs.";
};
listenHost = mkOption {
type = types.str;
default = "127.0.0.1";
description = lib.mdDoc "Which address Webhook should listen to for HTTP.";
};
listenPort = mkOption {
type = types.port;
default = 8080;
description = lib.mdDoc "Which port Webhook should listen to for HTTP.";
};
openFirewall = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
Open the configured ports in the firewall for the Webhook server.
Preferably the Webhook server is instead put behind a reverse proxy.
'';
};
urlPrefix = mkOption {
type = types.str;
default = "hooks";
description = lib.mdDoc ''
Url prefix to use for served hooks.
`http://listen:port/PREFIX/:hook-id`
'';
};
httpMethods = mkOption {
type = types.listOf types.str;
default = ["POST"];
defaultText = literalExpression ''["POST"]'';
description = lib.mdDoc "Default allowed HTTP methods";
};
verbose = mkOption {
type = types.bool;
default = true;
description = lib.mdDoc "Whether to log events or not.";
};
extraArgs = mkOption {
type = types.listOf types.str;
default = [];
description = lib.mdDoc ''
Extra command-line arguments.
If you want to set CORS headers, you can set [ "-header" "name=value" ]
to the appropriate CORS headers to passed along with each response.
'';
};
settings = mkOption {
type = hooksFormat.type;
default = [];
example = lib.literalExpression ''
[
{
id = "my-webhook";
execute-command = pkgs.writeShellScript "handle-my-webhook.sh" '${""}'
echo "foobar"
'${""}';
}
]
'';
description = lib.mdDoc ''
The configured hooks for Webhook to serve.
Here is a collection of hook examples:
<https://github.com/adnanh/webhook#examples>
'';
};
};
config = lib.mkIf cfg.enable {
systemd.services.webhook = {
description = lib.mdDoc "Webhook Server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = let
args = [
"-ip" cfg.listenHost
"-port" cfg.listenPort
"-http-methods" (lib.strings.concatStringsSep "," cfg.httpMethods)
"-urlprefix" cfg.urlPrefix
"-hooks" (hooksFormat.generate "hooks.json" cfg.settings)
] ++ lib.optional cfg.verbose "-verbose"
++ cfg.extraArgs;
in rec {
User = cfg.user;
Group = cfg.group;
DynamicUser = cfg.user == "webhook";
ExecStart = "${cfg.package}/bin/webhook " + (lib.strings.escapeShellArgs args);
Restart = "on-failure";
};
};
networking.firewall = lib.mkIf cfg.openFirewall {
allowedTCPPorts = [ cfg.listenPort ];
};
};
meta.maintainers = with lib.maintainers; [ pbsds ];
}


@ -1 +0,0 @@
* [ ] make ACME a function


@ -0,0 +1,24 @@
{ config, pkgs, lib, mkDomain, ... }:
let
python-versions = (lib.attrNames pkgs.pythonDocs.html);
mkLinkFarmEntry = python-version: {
name = python-version;
path = "${builtins.toString pkgs.pythonDocs.html.${python-version}}/share/doc/${python-version}/html";
};
in
{
services.nginx.virtualHosts.${mkDomain "python-docs"} = {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
root = pkgs.linkFarm "python-docs" ([
{ name = "index.html"; path = pkgs.writeText "my-file" ''
<!DOCTYPE html>
<ul>
${lib.concatStringsSep "\n" (
builtins.map (name: ''<li><a href="${name}/">${name}/</a>'') python-versions
)}
</ul>
''; }
] ++ (builtins.map mkLinkFarmEntry python-versions));
};
}
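Review bot: `python-versions = (lib.attrNames pkgs.pythonDocs.html);` treats every attribute of that set as a documentation derivation; if the set carries a non-derivation attribute (a `recurseForDerivations` marker, for instance) the link farm gets an entry whose `path` interpolation fails at evaluation time. Filtering first is a one-line change: `python-versions = lib.attrNames (lib.filterAttrs (_: lib.isDerivation) pkgs.pythonDocs.html);`. The `builtins.toString` inside `path` is redundant as well, since a derivation interpolated into a string already yields its output path. Whether `pkgs.pythonDocs.html` actually contains such markers is not visible here.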


@ -1,15 +1,13 @@
{ config, pkgs, lib, unstable, mkDomain, ... }:
{ config, pkgs, lib, inputs, mkDomain, ... }:
{
# Invidious
# An open source alternative front-end to YouTube
/**/
imports = [
({ disabledModules = [ "services/web-apps/invidious.nix" ]; })
#<nixos-unstable/nixos/modules/services/web-apps/invidious.nix>
(unstable + "/nixos/modules/services/web-apps/invidious.nix")
({ services.invidious.package = unstable.invidious; })
];
disabledModules = [ "services/web-apps/invidious.nix" ];
#imports = [ <nixos-unstable/nixos/modules/services/web-apps/invidious.nix> ];
imports = [ ("${inputs.unstable}/nixos/modules/services/web-apps/invidious.nix") ];
services.invidious.package = pkgs.unstable.invidious;
/**/
services.invidious = {
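Review bot: `imports = [ ("${inputs.unstable}/nixos/modules/services/web-apps/invidious.nix") ];` and `services.invidious.package = pkgs.unstable.invidious;` both now track `inputs.unstable`, which keeps the option declarations and the package at the same revision, but nothing on the page says so; a comment such as `# module and package are both taken from inputs.unstable so they move together` would record why the two lines must change in step. The parentheses around the path string are unnecessary, and the stale `#imports = [ <nixos-unstable/...> ]` line directly above duplicates the `/**/` leftovers that this commit otherwise removes. The jellyfin file in this commit has the same shape and would take the same comment. The attribute set continues beyond the hunk.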


@ -1,14 +1,12 @@
{ config, pkgs, lib, unstable, mkDomain, ... }:
{ config, pkgs, lib, inputs, mkDomain, ... }:
{
# Jellyfin
/**/
imports = [
({ disabledModules = [ "services/misc/jellyfin.nix" ]; })
#<nixos-unstable/nixos/modules/services/misc/jellyfin.nix>
(unstable + "/nixos/modules/services/misc/jellyfin.nix")
({ services.jellyfin.package = unstable.jellyfin; })
];
disabledModules = [ "services/misc/jellyfin.nix" ];
#imports = [<nixos-unstable/nixos/modules/services/misc/jellyfin.nix> ];
imports = [ "${inputs.unstable}/nixos/modules/services/misc/jellyfin.nix" ];
services.jellyfin.package = pkgs.unstable.jellyfin;
/**/
services.jellyfin = {


@ -4,7 +4,7 @@
* configure stuff to send its shit here
* [ ] https://noted.lol/2-self-hosted-alternatives-to-doodle-meeting-scheduling/
* [ ] kukkee
* [ ] rallly - https://rallly.co/
* [ ] rallly
* [ ] Rocketchat - A self-hosted discord/slack alternative
* [ ] upterm / tmate - Secure terminal-session sharing


@ -2,7 +2,7 @@
{
#imports = [ <home-manager/nixos> ];
imports = [ inputs.home-manager.nixosModule ];
home-manager.useGlobalPkgs = true; # brrr
home-manager.useGlobalPkgs = true; # go brrr
#home-manager.useUserPackages = true # needed if VM
# When adding a new user accounts: Don't forget to set a password with passwd!