jade/raito-shared-public-infra
0
0
Fork 0
forked from raito/shared-public-infra
Code Pull requests Activity

infra: steal from the best

Browse source 
(Mic92's cluster TUM's infra.)
This commit is contained in:
raito 2023-06-05 17:50:07 +02:00
parent 41aead1a04
commit 107cc6e53f
22 changed files with 951 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
.envrc Normal file
View file

@ -0,0 +1 @@
use flake

105
configurations.nix Normal file
View file

@ -0,0 +1,105 @@
{ self, ... }:
let
inherit
(self.inputs)
nixpkgs
home-manager
agenix
nur
colmena
flake-registry
nixos-hardware
nixpkgs-unstable
srvos
disko
;
nixosSystem = nixpkgs.lib.makeOverridable nixpkgs.lib.nixosSystem;
colmenaModules = [
colmena.nixosModules.deploymentOptions
];
commonModules = [
{
_module.args.self = self;
_module.args.inputs = self.inputs;
srvos.flake = self;
}
# only include admins here for monitoring/backup infrastructure
./modules/users/admins.nix
./modules/packages.nix
./modules/nix-daemon.nix
./modules/auto-upgrade.nix
./modules/tor-ssh.nix
./modules/hosts.nix
./modules/network.nix
./modules/zsh.nix
disko.nixosModules.disko
srvos.nixosModules.server
# srvos.nixosModules.mixins-telegraf
# srvos.nixosModules.mixins-terminfo
agenix.nixosModules.default
({ pkgs
, config
, lib
, ...
}: let
sopsFile = ./. + "/hosts/${config.networking.hostName}.yml";
in {
nix.nixPath = [
"home-manager=${home-manager}"
"nixpkgs=${pkgs.path}"
"nur=${nur}"
];
# TODO: share nixpkgs for each machine to speed up local evaluation.
#nixpkgs.pkgs = self.inputs.nixpkgs.legacyPackages.${system};
#users.withSops = builtins.pathExists sopsFile;
#sops.secrets = lib.mkIf (config.users.withSops) {
# root-password-hash.neededForUsers = true;
#};
# sops.defaultSopsFile = lib.mkIf (builtins.pathExists sopsFile) sopsFile;
nix.extraOptions = ''
flake-registry = ${flake-registry}/flake-registry.json
'';
nix.registry = {
home-manager.flake = home-manager;
nixpkgs.flake = nixpkgs;
nur.flake = nur;
};
time.timeZone = "UTC";
})
];
in
{
flake.nixosConfigurations = {
epyc = nixosSystem {
system = "x86_64-linux";
modules =
commonModules
++ colmenaModules
++ [
./hosts/epyc.nix
];
};
};
flake.colmena = {
meta.nixpkgs = import nixpkgs {
system = "x86_64-linux";
};
epyc = {
imports =
commonModules
++ [
./hosts/epyc.nix
];
};
};
}

315
flake.lock Normal file
View file

@ -0,0 +1,315 @@
{
"nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1684153753,
"narHash": "sha256-PVbWt3qrjYAK+T5KplFcO+h7aZWfEj1UtyoKlvcDxh0=",
"owner": "ryantm",
"repo": "agenix",
"rev": "db5637d10f797bb251b94ef9040b237f4702cde3",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"colmena": {
"inputs": {
"flake-compat": "flake-compat",
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
],
"stable": "stable"
},
"locked": {
"lastModified": 1685163780,
"narHash": "sha256-tMwseHtEFDpO3WKeZKWqrKRAZI6TiEULidxEbzicuFg=",
"owner": "zhaofengli",
"repo": "colmena",
"rev": "c61bebae1dc1d57237577080b1ca1e37a3fbcebf",
"type": "github"
},
"original": {
"owner": "zhaofengli",
"repo": "colmena",
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1673295039,
"narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1685970051,
"narHash": "sha256-F5ZxBD2DeNd+Q0dDKYBhv76kfjVG/X0ccXjSKpa8KdI=",
"owner": "nix-community",
"repo": "disko",
"rev": "29d632d7e8fa86f937153ecdfd7d768411001d2d",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1650374568,
"narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "b4a34015c698c7793d592d66adbab377907a2be8",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1685662779,
"narHash": "sha256-cKDDciXGpMEjP1n6HlzKinN0H+oLmNpgeCTzYnsA2po=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "71fb97f0d875fd4de4994dfb849f2c75e17eb6c3",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-registry": {
"flake": false,
"locked": {
"lastModified": 1682423975,
"narHash": "sha256-zvOBrH3hwCedgpaWiOSHYSt+fgF/RhaJs8R5qOX6AYc=",
"owner": "NixOS",
"repo": "flake-registry",
"rev": "8054bfa00d60437297d670ab3296a117e7059a10",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "flake-registry",
"type": "github"
}
},
"flake-utils": {
"locked": {
"lastModified": 1659877975,
"narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1682203081,
"narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_2": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1667907331,
"narHash": "sha256-bHkAwkYlBjkupPUFcQjimNS8gxWSWjOTevEuwdnp5m0=",
"owner": "rycee",
"repo": "home-manager",
"rev": "6639e3a837fc5deb6f99554072789724997bc8e5",
"type": "github"
},
"original": {
"owner": "rycee",
"ref": "release-22.05",
"repo": "home-manager",
"type": "github"
}
},
"nixos-hardware": {
"locked": {
"lastModified": 1684899633,
"narHash": "sha256-NtwerXX8UFsoNy6k+DukJMriWtEjQtMU/Urbff2O2Dg=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "4cc688ee711159b9bcb5a367be44007934e1a49d",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "nixos-hardware",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1685952468,
"narHash": "sha256-YCOr9kttCqoa9IZMjHxX6SlwenTg7FsSmG9TaT76mSE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "70f7275b32f49bc67ae3532b758b80cb6c27f98a",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1685938391,
"narHash": "sha256-96Jw6TbWDLSopt5jqCW8w1Fc1cjQyZlhfBnJ3OZGpME=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "31cd1b4afbaf0b1e81272ee9c31d1ab606503aed",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nur": {
"locked": {
"lastModified": 1685980073,
"narHash": "sha256-7BkreZ2cH488dR1XPcdlALj+2g+NvrZdG9ZhwRt0YFI=",
"owner": "nix-community",
"repo": "NUR",
"rev": "de817406e39c1f9be28fde1d62c1f1f0c91acb09",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "NUR",
"type": "github"
}
},
"root": {
"inputs": {
"agenix": "agenix",
"colmena": "colmena",
"disko": "disko",
"flake-parts": "flake-parts",
"flake-registry": "flake-registry",
"home-manager": "home-manager_2",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable",
"nur": "nur",
"srvos": "srvos"
}
},
"srvos": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1685966850,
"narHash": "sha256-HaWNbihBIBATmSbuXLzA92C4858tNdS9Q5kRHJNagVo=",
"owner": "numtide",
"repo": "srvos",
"rev": "4f22e6fcaf17c6313c2ecdc996760c3e4b14a623",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "srvos",
"type": "github"
}
},
"stable": {
"locked": {
"lastModified": 1669735802,
"narHash": "sha256-qtG/o/i5ZWZLmXw108N2aPiVsxOcidpHJYNkT45ry9Q=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "731cc710aeebecbf45a258e977e8b68350549522",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-22.11",
"repo": "nixpkgs",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

108
flake.nix Normal file
View file

@ -0,0 +1,108 @@
{
description = "NixOS configuration with flakes";
nixConfig.extra-substituters = [
"https://newtype.cachix.org"
];
nixConfig.extra-trusted-public-keys = [
"newtype.cachix.org-1:Gd5G2EVFNJslfR3PxA2+JY7mHT6MwVJ6biv5Cg47SD0="
];
# To update all inputs:
# $ nix flake update --recreate-lock-file
inputs = {
disko.url = "github:nix-community/disko";
disko.inputs.nixpkgs.follows = "nixpkgs";
flake-parts.url = "github:hercules-ci/flake-parts";
flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
nixpkgs.url = "github:NixOS/nixpkgs/release-23.05";
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
nixos-hardware.url = "github:NixOS/nixos-hardware";
nur.url = "github:nix-community/NUR";
home-manager.url = "github:rycee/home-manager/release-22.05";
home-manager.inputs.nixpkgs.follows = "nixpkgs";
agenix.url = "github:ryantm/agenix";
agenix.inputs.nixpkgs.follows = "nixpkgs";
colmena.url = "github:zhaofengli/colmena";
colmena.inputs.nixpkgs.follows = "nixpkgs";
srvos.url = "github:numtide/srvos";
# actually not used when using the modules but than nothing ever will try to fetch this nixpkgs variant
srvos.inputs.nixpkgs.follows = "nixpkgs";
flake-registry.url = "github:NixOS/flake-registry";
flake-registry.flake = false;
};
outputs =
{ flake-parts
, ...
} @ inputs:
(flake-parts.lib.evalFlakeModule
{ inherit inputs; }
({ self, inputs, ... }: {
systems = [ "x86_64-linux" "aarch64-linux" "aarch64-darwin" ];
imports = [
./configurations.nix
# ./modules/monitoring/flake-module.nix
# ./pkgs/flake-module.nix
# ./templates
];
perSystem = { self', pkgs, ... }: {
devShells.default = pkgs.mkShellNoCC {
buildInputs = [
pkgs.ipmitool
pkgs.colmena
pkgs.python3.pkgs.invoke
#Until nixos-anywhere is packaged
pkgs.python3.pkgs.deploykit
pkgs.mypy
pkgs.pixiecore
pkgs.dnsmasq
pkgs.python3.pkgs.netaddr
pkgs.qemu_kvm
pkgs.openssh
pkgs.gitMinimal # for git flakes
pkgs.rsync
pkgs.nix
pkgs.coreutils
pkgs.curl # when uploading tarballs
pkgs.gnugrep
pkgs.findutils
pkgs.gnused # needed by ssh-copy-id
# sops dependencies
pkgs.age
pkgs.yq-go
] ++ pkgs.lib.optional (pkgs.stdenv.isLinux) pkgs.mkpasswd;
};
packages = {
# netboot = pkgs.callPackage ./modules/netboot/netboot.nix {
# # this nixosSystem is built for x86_64 machines regardless of the host machine
# pkgs = inputs.nixpkgs.legacyPackages.x86_64-linux;
# inherit (inputs.nixpkgs.lib) nixosSystem;
# extraModules = [
# self.inputs.nur.nixosModules.nur
# { _module.args.inputs = self.inputs; }
# ];
# };
# netboot-pixie-core = pkgs.callPackage ./modules/netboot/netboot-pixie-core.nix {
# inherit (self'.packages) netboot;
# };
};
};
flake = {
hydraJobs = inputs.nixpkgs.lib.mapAttrs' (name: config: inputs.nixpkgs.lib.nameValuePair "nixos-${name}" config.config.system.build.toplevel) self.nixosConfigurations // {
devShells = self.devShells.x86_64-linux.default;
};
};
})).config.flake;
}

13
hosts/epyc.nix Normal file
View file

@ -0,0 +1,13 @@
{
imports = [
../modules/ipmi-supermicro.nix
../modules/hardware/supermicro-H12SSL-i.nix
];
networking.hostName = "epyc";
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
simd.arch = "znver3";
system.stateVersion = "23.05";
}

25
modules/auto-upgrade.nix Normal file
View file

@ -0,0 +1,25 @@
{ pkgs, ... }: {
system.autoUpgrade.enable = true;
system.autoUpgrade.flake = "git:git.newtype.fr/newtype/newtype-org-configurations";
system.autoUpgrade.flags = [ "--option" "accept-flake-config" "true" ];
# add a random jitter so not all machines reboot at the same time.
systemd.timers.auto-reboot.timerConfig.RandomizedDelaySec = 60 * 20;
systemd.services.auto-reboot = {
path = [ pkgs.systemd pkgs.util-linux ];
# The last saturday in a month
startAt = "Sat *-*~07/1";
script = ''
booted="$(readlink /run/booted-system/{initrd,kernel,kernel-modules})"
built="$(readlink /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})"
if [ "''${booted}" = "''${built}" ]; then
echo "No kernel update... skipping reboot"
else
# reboot in 24 hours
msg=$(shutdown -r +${toString (60 * 24)} 2>&1)
echo "$msg" | wall
fi
'';
};
}

11
modules/builder.nix Normal file
View file

@ -0,0 +1,11 @@
{
users.extraUsers.nix = {
isNormalUser = true;
home = "/home/nix";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAZpEtSfB0GDwcELc5/AKNiBZJV9OVfQ0BMFzBlF+8Yd raito@everywhere"
];
uid = 5001;
};
nix.settings.trusted-users = [ "nix" ];
}

16
modules/fck-spectr.nix Normal file
View file

@ -0,0 +1,16 @@
{
# It may leak your data, but look how FAST it is!1!!
# https://make-linux-fast-again.com/
boot.kernelParams = [
"noibrs"
"noibpb"
"nopti"
"nospectre_v2"
"nospectre_v1"
"l1tf=off"
"nospec_store_bypass_disable"
"no_stf_barrier"
"mds=off"
"mitigations=off"
];
}

41
modules/hardware/supermicro-H12SSL-i.nix Normal file
View file

@ -0,0 +1,41 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.kernelParams = [ "pci=realloc" ];
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
boot.initrd.systemd.enable = lib.mkForce false;
fileSystems."/" =
{ device = "/dev/disk/by-uuid/3a81ba8f-f5bb-446c-89a3-ad77e354dae0";
fsType = "btrfs";
};
boot.initrd.luks.devices."nixroot" = {
device = "/dev/disk/by-uuid/c10d2822-cb83-4666-98f8-0aa04be259bc";
keyFile = "/dev/zero";
keyFileSize = 1;
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/AFF2-3149";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/93e251e1-1bfc-4bd4-8585-ea2eae7795bf"; }
];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

47
modules/hosts.nix Normal file
View file

@ -0,0 +1,47 @@
{ lib, config, ... }:
let
hostOptions = with lib; {
ipv4 = mkOption {
default = null;
type = types.nullOr types.str;
description = ''
own ipv4 address
'';
};
ipv6 = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
own ipv6 address
'';
};
};
in
{
options = with lib; {
networking.newtype.hosts = mkOption {
type = with types; attrsOf (submodule [{ options = hostOptions; }]);
description = "A host in our cluster";
};
networking.newtype.currentHost = mkOption {
type = with types; submodule [{ options = hostOptions; }];
default = config.networking.newtype.hosts.${config.networking.hostName};
description = "The host that is described by this configuration";
};
};
config = {
warnings =
lib.optional (!(config.networking.newtype.hosts ? ${config.networking.hostName}) &&
config.networking.hostName != "nixos" # we dont care about nixos netboot/installer images
)
"Please add network configuration for ${config.networking.hostName}. None found in ${./hosts.nix}";
# usually, for each host there is a hostname.dse.in.tum.de and hostname.r domain
networking.newtype.hosts = {
epyc = {
ipv6 = "2001:470:ca5e:dee:587c:7a50:f36c:cae8";
};
};
};
}

7
modules/ipmi-supermicro.nix Normal file
View file

@ -0,0 +1,7 @@
{
# supermicro uses ttyS1 for SOL
boot.kernelParams = [
"console=ttyS1,115200n8"
"console=tty1"
];
}

49
modules/network.nix Normal file
View file

@ -0,0 +1,49 @@
{ config
, lib
, ...
}: {
# use networkd
networking.dhcpcd.enable = false;
systemd.network.enable = true;
# add an entry to /etc/hosts for each host
networking.extraHosts = lib.concatStringsSep "\n" (lib.mapAttrsToList
(name: host: ''
${lib.optionalString (host.ipv4 != null) "${host.ipv4} ${name}"}
${lib.optionalString (host.ipv6 != null) "${host.ipv6} ${name}"}
'')
config.networking.newtype.hosts);
# leave container interfaces alone
systemd.network.networks."05-veth".extraConfig = ''
[Match]
Driver = veth
[Link]
Unmanaged = yes
'';
systemd.network.networks."10-nat-lan" = {
matchConfig.Name = "nat-lan";
linkConfig.RequiredForOnline = true;
DHCP = "yes";
};
systemd.network.links."10-nat-lan" = {
matchConfig.MACAddress = "3c:ec:ef:7e:bd:c8";
linkConfig.Name = "nat-lan";
};
systemd.network.networks."10-wan" = {
matchConfig.Name = "wan";
linkConfig.RequiredForOnline = true;
networkConfig.Address = [ config.networking.newtype.currentHost.ipv6 ];
};
systemd.network.links."10-wan" = {
matchConfig.MACAddress = "3c:ec:ef:7e:bd:c9";
linkConfig.Name = "wan";
};
deployment.targetHost = "${config.networking.hostName}.infra.newtype.fr";
}

60
modules/nix-daemon.nix Normal file
View file

@ -0,0 +1,60 @@
{ lib
, config
, pkgs
, ...
}:
let
gcc-system-features = arch: lib.optionals (arch != null) ([ "gccarch-${arch}" ]
++ map (x: "gccarch-${x}") lib.systems.architectures.inferiors.${arch});
in
{
options = {
simd.arch = lib.mkOption {
type = with lib.types; nullOr str;
default = null;
description = ''
Microarchitecture string for nixpkgs.hostPlatform.gcc.march and to generate system-features.
Can be determined with: gcc -march=native -Q --help=target | grep march
'';
};
};
imports = [ ./builder.nix ];
config = {
warnings = lib.optionals (config.simd.arch == null) [ "Please set simd.arch for ${config.networking.hostName}" ];
nix = {
gc.automatic = true;
gc.dates = "03:15";
gc.options = "--delete-older-than 30d";
# 2.11, 2.12 suffers from a bug with remote builders…
package = pkgs.nixVersions.nix_2_13;
# should be enough?
nrBuildUsers = lib.mkDefault 32;
# https://github.com/NixOS/nix/issues/719
settings = {
keep-outputs = true;
keep-derivations = true;
# in zfs we trust
fsync-metadata = lib.boolToString (!config.boot.isContainer or config.fileSystems."/".fsType != "zfs");
substituters = [
"https://nix-community.cachix.org"
"https://tum-dse.cachix.org"
];
system-features = [ "benchmark" "big-parallel" "kvm" "nixos-test" ] ++ gcc-system-features config.simd.arch;
trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"tum-dse.cachix.org-1:v67rK18oLwgO0Z4b69l30SrV1yRtqxKpiHodG4YxhNM="
];
};
};
nixpkgs.config.allowUnfree = true;
};
}

39
modules/packages.nix Normal file
View file

@ -0,0 +1,39 @@
{ pkgs, ... }: {
# this extends the list from:
# https://github.com/numtide/srvos/blob/master/server.nix#L10
environment.systemPackages = with pkgs; [
socat
whois
jq
psmisc
libarchive
sipcalc
iperf
openssl
binutils
file
wget
htop
ripgrep
lsof
tcpdump
rsync
git
tig
lazygit
python3
iotop
man-pages
netcat
mtr
(neovim.override { vimAlias = true; })
pciutils
ethtool
usbutils
ipmitool
# tries to default to soft-float due to out-dated cc-rs
] ++ lib.optional (!stdenv.hostPlatform.isRiscV) bandwhich;
}

18
modules/tor-ssh.nix Normal file
View file

@ -0,0 +1,18 @@
{
# imports = [ ./sshd ];
services.tor = {
enable = true;
relay.onionServices."ssh".map = [{ port = 22; }];
settings = {
DnsPort = 9053;
AutomapHostsOnResolve = true;
AutomapHostsSuffixes = [ ".exit" ".onion" ];
EnforceDistinctSubnets = true;
ExitNodes = "{fr}";
EntryNodes = "{fr}";
NewCircuitPeriod = 120;
DNSPort = 9053;
};
};
}

70
modules/users/admins.nix Normal file
View file

@ -0,0 +1,70 @@
{ config
, lib
, ...
}:
let
extraGroups = [ "wheel" "docker" "plugdev" "vboxusers" "adbusers" "input" ];
in
{
config = {
users.users = {
# Ryan Lahfa
raito = {
isNormalUser = true;
home = "/home/raito";
inherit extraGroups;
shell = "/run/current-system/sw/bin/zsh";
uid = 1000;
openssh.authorizedKeys.keyFiles = [ ./keys/raito.keys ];
};
# Julien Malka
luj = {
isNormalUser = true;
home = "/home/luj";
inherit (config.users.users.raito) extraGroups;
shell = "/run/current-system/sw/bin/zsh";
uid = 1001;
openssh.authorizedKeys.keyFiles = [ ./keys/luj.keys ];
};
# Gabriel Doriath Döhler
gdd = {
isNormalUser = true;
home = "/home/gdd";
inherit (config.users.users.raito) extraGroups;
shell = "/run/current-system/sw/bin/zsh";
uid = 1002;
openssh.authorizedKeys.keyFiles = [ ./keys/gdd.keys ];
};
# Samy Lahfa
akechi = {
isNormalUser = true;
home = "/home/akechi";
inherit (config.users.users.raito) extraGroups;
shell = "/run/current-system/sw/bin/zsh";
uid = 1003;
openssh.authorizedKeys.keyFiles = [ ./keys/akechi.keys ];
};
# Tom Hubrecht
tomate = {
isNormalUser = true;
home = "/home/tomate";
inherit (config.users.users.raito) extraGroups;
shell = "/run/current-system/sw/bin/zsh";
uid = 1004;
openssh.authorizedKeys.keyFiles = [ ./keys/tomate.keys ];
};
root = {
hashedPassword = "$y$j9T$LiCWsEVrg9FlcEwuDGsol.$ghfkPkQGoAt23hI6.vWNLrSdHDnVwxg8EE/2w2pRbT6";
# passwordFile = lib.mkIf config.users.withSops config.sops.secrets.root-password-hash.path;
openssh.authorizedKeys.keyFiles = lib.concatMap (user: config.users.users.${user}.openssh.authorizedKeys.keyFiles) [ "raito" "luj" "gdd" "akechi" "tomate" ];
};
};
nix.settings.trusted-users = [ "raito" "luj" "gdd" "akechi" "tomate" ];
};
}

2
modules/users/keys/akechi.keys Normal file
View file

@ -0,0 +1,2 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDmC/lBooMyJZnyuU0/f6Qufi48DCEQ1RNT1l25cbvZWCXRrAJuQUTgb7u2nl8SEiQTRbZy/FTesaoPNBRWtWXK/8M0K58DeTMdNeTV8joW+vwEzRF3LPb9gU3FqCuuFFRqhJNC16cFBxXMCyjmktl8EG9o5yVcT/6HdwvXRKlas+EqXHlZblXxYQfCjWkpd3vzIoEfPwkUpQFlvLltTBT+EUWTiysvF8cCCuBx7EXHX++fNNySDoB9bQJ+sYoAvuhtfZ5eYNePpYQCV71KMEPYBqJ7AQpvdbMa34Rx7mghGCLk580qWTuXf/vqKRD4EAsvPYtK/xJNyjrCTX99TL60NIsBgNzQvvFFIaAsD91nD13gaEvybOjIo1lbzSZhbreX1qdWeUCR32HDUH4fEVv81VSaPbH2zxWqIf8bLDMJ7pCLKncyCZD1yVFCXsDV/J8BQq0c3GtFh3eEt59bkk6iU+LXv9dvwJtCvsp087Yh4qhj0L9z2zgczeljKJtFFTZhWbY3WEKiureoI7iPEJvLB8B6pGF0qQmIjbIIx6gtBoJc891w+XUmaXfHhWsVV7eq2y/AU7BvXAZp3LigWvosmPpoYsgjS0RNp2RJo2ufN6wKBtq+qv0xM+S6JvXo5pf2Oe11qp8hxF32MNv+djFK3Qf/JMkZAQd1Y/vW/Gg8Xw==
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK5vbxUd8I+uF/OY/PpPhSzrLN14Waq82uyQXNPYpHjA

1
modules/users/keys/gdd.keys Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc

11
modules/users/keys/luj.keys Normal file
View file

@ -0,0 +1,11 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM9Uzb7szWlux7HuxLZej9cBR5MhLz/vaAPPfSoozt2k
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCKfPoMNrnyNWH6J1OvQ+n1rvSS9Sc2iZf6E1JQC+L4
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIESMWr29i3rhj32oLV3DKe57YI+jvNaKjZhhpq6dEjsn
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOCKgHRHAJDSgKqYNfWboL04mnEOM0m0K3TGxBhBNDR
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOpGHx430EpJmbtJc8+lF1CpQ1gXeHT9OeZ08O8yzohF
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEaCGndojnmS5IoqHVMEPRfKuBZotMyqo7wNkAZJWigp
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILxfFq8wx5Bet5Q0gI28/lc9ryYYFQelpZdPPdzxGBbA
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILKIDLmQQ+P+jE4zVRpdVp8fmYEe4nzPDqYZt6A4eyIi
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAkj2xsN7Qt/Ew2QO+HiF2yOjXPRucZ3SbIdPDLJoh22
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCUt5I3IgONzYsMOFnRXtvR/uLXlIs6oWsCmh6YGgnpGD4M9lFdoYAOeC1faQUnP66sNs6AoacrGlPZ1UkVUqYEoIr2hiNCDRzzLCQ2J/sSaw7Hv0PKT7MWMo8R076M3TrdunCchBJI1noez3waM9aL4b/iYVhxym28ET55QrWjyMQfZL9PXzOKZatNVcK8AmdtSbI+pFrm/tTZPa321drm9PHOo9CL+lG4YmVZcXa0bVfVtk1GXlWwNpCj2ExLmbF1rRpAa05khfnbg3sBSklwf5NRXj11KneodKRF81ji7MtBhIIfoEXSYht7yspdkkS9e9mv16VGV+2ziM8zG3MK/iUq7fg5ksN54D3DNrd9iI5WjQZsLUrK0ypxO2NtvupWGYt3rCyKA/QvynbxOWFp6cy3Evej142hsfbiOcPIgCtGdHIBevp+KmPxkHBqsJPBqb3Y7nOMT1/ggDMtvHZEZJjEI2D2RjZNEXGbq63OPAqEkgmecW0cXlrjLEGhF2E=

3
modules/users/keys/raito.keys Normal file
View file

@ -0,0 +1,3 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU

1
modules/users/keys/tomate.keys Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3

8
modules/zsh.nix Normal file
View file

@ -0,0 +1,8 @@
{ pkgs, ... }: {
programs.zsh.enable = true;
programs.zsh.enableCompletion = true;
programs.zsh.enableGlobalCompInit = false;
programs.zsh.interactiveShellInit = ''
source ${pkgs.zsh-nix-shell}/share/zsh-nix-shell/nix-shell.plugin.zsh
'';
}