commit 6c2551349ec9c31b9518d10d0743b2a8befc8571
Author: Philip Peterson <1326208+philip-peterson@users.noreply.github.com>
Date: Fri Nov 15 22:00:01 2024 -0900
Publish quine-core
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..4913cd5
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+.DS_Store
+terraform/.terraform
diff --git a/nixos/.github/workflows/build.yml b/nixos/.github/workflows/build.yml
new file mode 100644
index 0000000..181c1c6
--- /dev/null
+++ b/nixos/.github/workflows/build.yml
@@ -0,0 +1,15 @@
+name: 'build'
+
+on:
+ push:
+ pull_request:
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: DeterminateSystems/nix-installer-action@main
+ - uses: DeterminateSystems/magic-nix-cache-action@main
+ - run: ssh-keygen -t rsa -N '' -f ./id_rsa && git add id_rsa.pub
+ - run: nix build .#nixosConfigurations.nixos.config.system.build.toplevel
diff --git a/nixos/.gitignore b/nixos/.gitignore
new file mode 100644
index 0000000..d9b63dc
--- /dev/null
+++ b/nixos/.gitignore
@@ -0,0 +1,3 @@
+.idea
+result
+secrets.json
diff --git a/nixos/README.md b/nixos/README.md
new file mode 100644
index 0000000..3dd24b6
--- /dev/null
+++ b/nixos/README.md
@@ -0,0 +1,10 @@
+How to install:
+
+nix --extra-experimental-features flakes --extra-experimental-features nix-command run --debug github:numtide/nixos-anywhere --verbose -- --flake .#nixos root@yourhost.com
+
+You will need to maually make these:
+```
+/root/.ssh/id_rsa
+/root/.ssh/id_rsa.pub
+/root/.ssh/id_rsa.pem
+```
diff --git a/nixos/apply.sh b/nixos/apply.sh
new file mode 100755
index 0000000..50a7953
--- /dev/null
+++ b/nixos/apply.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+set -e
+
+git pull origin main
+nixos-rebuild switch --flake .#nixos --verbose --show-trace
diff --git a/nixos/clean.sh b/nixos/clean.sh
new file mode 100755
index 0000000..e93313d
--- /dev/null
+++ b/nixos/clean.sh
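Review bot: Both DeterminateSystems actions are referenced as `@main`, so every run executes whatever that branch holds at the time; pin them to a release tag or, better, a full commit SHA (e.g. `- uses: DeterminateSystems/nix-installer-action@<commit-sha>`, placeholder) so an upstream change or compromise cannot silently alter the build. The `ssh-keygen -t rsa -N '' -f ./id_rsa` step generates an unencrypted private key inside the checkout purely to satisfy evaluation; if the flake only needs the public key file present (the README lists `/root/.ssh/id_rsa.pub` as a manual prerequisite), committing a throwaway public key avoids creating key material in CI, and `-t ed25519` would be the cheaper choice otherwise.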
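Review bot: `git pull origin main` performs an unverified fetch-and-merge immediately before a privileged `nixos-rebuild switch`, so whatever the remote serves at that moment is activated as root. Using `git pull --ff-only origin main` at least refuses a rewritten history instead of producing a surprise merge commit on the server, and if commits are signed, a `git verify-commit HEAD` between the two commands would gate activation on that.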
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+set -e
+
+nix-store --gc
+nix-collect-garbage -d
+rm -rf ~/.cache/nix
+rm -rf /nix/var/nix/gcroots/*
diff --git a/nixos/cloned_repos/default.nix b/nixos/cloned_repos/default.nix
new file mode 100644
index 0000000..f597719
--- /dev/null
+++ b/nixos/cloned_repos/default.nix
@@ -0,0 +1,71 @@
+{
+ pullomatic,
+ pkgs,
+ lib,
+ ...
+}: let
+ domainToPath = domain: lib.concatStringsSep "_" domain;
+ domainToRepoName = domain: lib.concatStringsSep "-" domain;
+
+ makeConfigFile = domain: remoteUrl: branch: {
+ name = domainToRepoName domain;
+ text = ''
+ path: /etc/pullomatic/${domainToPath domain}
+ remote_url: ${remoteUrl}
+ remote_branch: ${branch}
+ interval:
+ interval: 10m
+ credentials:
+ private_key: /root/.ssh/id_rsa.pem
+ private_key_path: true
+ '';
+ };
+
+ configFiles = [
+ (makeConfigFile
+ ["com" "philippeterson"]
+ "git@github.com:philip-peterson/philippeterson.com.git"
+ "master")
+ (makeConfigFile
+ ["com" "quinefoundation" "blog"]
+ "git@github.com:philip-peterson/blog.git"
+ "master")
+ (makeConfigFile
+ ["atcsim"]
+ "git@github.com:philip-peterson/ATC-Sim.git"
+ "master")
+ ];
+
+ configDir =
+ pkgs.runCommand "config-dir" {
+ buildInputs = [pkgs.coreutils];
+ } ''
+ mkdir -p $out
+
+ # Loop over the config files and write each one to $out
+ ${lib.concatStringsSep "\n" (map (cf: ''
+ echo "${cf.text}" > $out/${cf.name}
+ chmod 0644 $out/${cf.name}
+ '')
+ configFiles)}
+
+ chmod -R 0750 $out
+ '';
+in {
+ systemd.services.pullomatic = {
+ description = "Pull repositories with polling from a daemon";
+ serviceConfig = {
+ ExecStart = "${pullomatic} -c ${configDir}";
+ Restart = "always";
+ RestartSec = "0";
+ User = "root";
+ Group = "root";
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d /etc/pullomatic - root repo-data - -"
+ "Z /etc/pullomatic - root repo-data - -"
+ "Z /etc/pullomatic/* - root repo-data - -"
+ ];
+}
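Review bot: `rm -rf /nix/var/nix/gcroots/*` on the last line removes every garbage-collector root, which as far as I recall includes the `current-system` and `booted-system` links NixOS keeps there, so the next `nix-collect-garbage` can delete store paths the running generation depends on and leave nothing to roll back to. `nix-collect-garbage -d` two lines earlier already drops old generations together with their roots, so I would delete the `rm -rf /nix/var/nix/gcroots/*` line entirely rather than try to scope it.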
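Review bot: The pullomatic service runs with `User = "root"` and authenticates with `/root/.ssh/id_rsa.pem`, although the only work it does is pull three repositories into `/etc/pullomatic`, whose tmpfiles rules already name a `repo-data` group. A dedicated unprivileged account (e.g. `User = "pullomatic"; Group = "repo-data";` with its own deploy key under that user's home) would keep a bug in the daemon or a leaked deploy key from implying root on the host; the `private_key:` path baked into the generated config would move with it. `Restart = "always"` combined with `RestartSec = "0"` will hot-loop the unit whenever the key is missing or GitHub is unreachable; `RestartSec = "10";` is the usual floor.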
diff --git a/nixos/disk-config.nix b/nixos/disk-config.nix
new file mode 100644
index 0000000..c72a8d4
--- /dev/null
+++ b/nixos/disk-config.nix
@@ -0,0 +1,55 @@
+# Example to create a bios compatible gpt partition
+{lib, ...}: {
+ disko.devices = {
+ disk.disk1 = {
+ device = lib.mkDefault "/dev/sda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ name = "boot";
+ size = "1M";
+ type = "EF02";
+ };
+ esp = {
+ name = "ESP";
+ size = "500M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ name = "root";
+ size = "100%";
+ content = {
+ type = "lvm_pv";
+ vg = "pool";
+ };
+ };
+ };
+ };
+ };
+ lvm_vg = {
+ pool = {
+ type = "lvm_vg";
+ lvs = {
+ root = {
+ size = "100%FREE";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ mountOptions = [
+ "defaults"
+ ];
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/nixos/firewall.nix b/nixos/firewall.nix
new file mode 100644
index 0000000..845d4cb
--- /dev/null
+++ b/nixos/firewall.nix
@@ -0,0 +1,3 @@
+{pkgs, ...}: {
+ networking.firewall.allowedTCPPorts = [80 22 443];
+}
diff --git a/nixos/flake.lock b/nixos/flake.lock
new file mode 100644
index 0000000..dec861d
--- /dev/null
+++ b/nixos/flake.lock
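Review bot: `networking.firewall.allowedTCPPorts = [80 22 443]` only filters the host's own input chain; the containers declared in linux.nix publish `8081:80`, `4533:4533` and `8082:80` on all interfaces, and Docker's own iptables rules generally forward published ports independently of the NixOS firewall, so those services are likely reachable from outside despite not being listed here. Either bind the publications to loopback (`"127.0.0.1:8082:80"`) and front them with nginx, or confirm from an external host that the ports are actually closed. The `pkgs` argument is unused in this module and can be dropped from the signature.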
@@ -0,0 +1,227 @@ +{ + "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": [ + "nixpkgs" + ], + "systems": "systems" + }, + "locked": { + "lastModified": 1723293904, + "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=", + "owner": "ryantm", + "repo": "agenix", + "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1707385478, + "narHash": "sha256-xwKXoBeiwfp+jqQxt3O0mUxrBXsNfdBn15teMMWbw0U=", + "owner": "nix-community", + "repo": "disko", + "rev": "15b52c3c8a718253e66f1b92f595dc47873fdfea", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1706981411, + "narHash": "sha256-cLbLPTL1CDmETVh4p0nQtvoF+FSEjsnJTFpTxhXywhQ=", + "owner": "nix-community", + "repo": "home-manager", + "rev": 
"652fda4ca6dafeb090943422c34ae9145787af37", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-23.11", + "repo": "home-manager", + "type": "github" + } + }, + "nix-index-database": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1707016097, + "narHash": "sha256-V4lHr6hFQ3rK650dh64Xffxsf4kse9vUYWsM+ldjkco=", + "owner": "Mic92", + "repo": "nix-index-database", + "rev": "3e3dad2808379c522138e2e8b0eb73500721a237", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "nix-index-database", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1707347730, + "narHash": "sha256-0etC/exQIaqC9vliKhc3eZE2Mm2wgLa0tj93ZF/egvM=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "6832d0d99649db3d65a0e15fa51471537b2c56a6", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1707268954, + "narHash": "sha256-2en1kvde3cJVc3ZnTy8QeD2oKcseLFjYPLKhIGDanQ0=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "f8e2ebd66d097614d51a56a755450d4ae1632df1", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nur": { + "locked": { + "lastModified": 1707488227, + "narHash": "sha256-CJavI6VIk12u8mntxepDDinX2TX5et1I2phRm9mObtI=", + "owner": "nix-community", + "repo": "NUR", + "rev": "7401f12518027ed8ea1d8f7634a446ac3269c3c4", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "NUR", + "type": "github" + } + }, + "root": { + "inputs": { + "agenix": "agenix", + "disko": "disko", + "home-manager": "home-manager_2", + "nix-index-database": "nix-index-database", + "nixpkgs": "nixpkgs", + "nixpkgs-unstable": "nixpkgs-unstable", + "nur": "nur", + "rust-overlay": "rust-overlay" + } + }, + "rust-overlay": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + 
}, + "locked": { + "lastModified": 1723515680, + "narHash": "sha256-nHdKymsHCVIh0Wdm4MvSgxcTTg34FJIYHRQkQYaSuvk=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "4ee3d9e9569f70d7bb40f28804d6fe950c81eab3", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nixos/flake.nix b/nixos/flake.nix new file mode 100644 index 0000000..d5b38e4 --- /dev/null +++ b/nixos/flake.nix 
@@ -0,0 +1,110 @@
+{
+ description = "NixOS configuration";
+
+ # 24.05
+ inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
+ inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+
+ inputs.agenix.url = "github:ryantm/agenix";
+ inputs.agenix.inputs.nixpkgs.follows = "nixpkgs";
+
+ inputs.rust-overlay = {
+ url = "github:oxalica/rust-overlay";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ inputs.home-manager.url = "github:nix-community/home-manager/release-23.11";
+ inputs.home-manager.inputs.nixpkgs.follows = "nixpkgs";
+
+ inputs.nur.url = "github:nix-community/NUR";
+
+ inputs.nix-index-database.url = "github:Mic92/nix-index-database";
+ inputs.nix-index-database.inputs.nixpkgs.follows = "nixpkgs";
+
+ inputs.disko.url = "github:nix-community/disko";
+ inputs.disko.inputs.nixpkgs.follows = "nixpkgs";
+
+ outputs = inputs:
+ with inputs; let
+ system = "x86_64-linux";
+ globals = builtins.fromJSON (builtins.readFile "${self}/globals.json");
+
+ config = {
+ allowUnfree = true;
+ permittedInsecurePackages = [
+ # FIXME:: add any insecure packages you absolutely need here
+ ];
+ };
+
+ overlays = [
+ nur.overlay
+ (_final: prev: {
+ # this allows us to reference pkgs.unstable
+ unstable = import nixpkgs-unstable {
+ inherit (prev) system;
+ inherit config;
+ };
+ })
+ (import rust-overlay)
+ ];
+
+ nixpkgsWithOverlays = with inputs; rec {
+ inherit overlays config;
+ };
+
+ pkgs = nixpkgsWithOverlays;
+ lib = pkgs.lib;
+
+ configurationDefaults = args: {
+ nixpkgs = nixpkgsWithOverlays;
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+ home-manager.backupFileExtension = "hm-backup";
+ home-manager.extraSpecialArgs = args;
+ };
+
+ argDefaults = {
+ inherit
+ globals
+ inputs
+ self
+ nix-index-database
+ ;
+ channels = {
+ inherit nixpkgs nixpkgs-unstable;
+ };
+ };
+
+ mkNixosConfiguration = {
+ hostname,
+ username,
+ args ? {},
+ modules,
+ }: let
+ specialArgs = argDefaults // {inherit hostname username;} // args;
+ in
+ nixpkgs.lib.nixosSystem {
+ inherit system specialArgs;
+ modules =
+ [
+ (configurationDefaults specialArgs)
+ home-manager.nixosModules.home-manager
+ ]
+ ++ modules;
+ };
+ in {
+ nixosConfigurations.nixos = mkNixosConfiguration {
+ hostname = "pw-mainframe";
+ username = "ironmagma";
+ args = {
+ nixPkgs = import nixpkgs {inherit system overlays;};
+ };
+ modules = [
+ disko.nixosModules.disko
+ agenix.nixosModules.age
+ ./hetzner.nix
+ ./linux.nix
+ ];
+ };
+ };
+}
diff --git a/nixos/format.sh b/nixos/format.sh
new file mode 100755
index 0000000..1a6c017
--- /dev/null
+++ b/nixos/format.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+set -e
+
+nix-shell -p alejandra.out --run 'alejandra .'
diff --git a/nixos/globals.json b/nixos/globals.json
new file mode 100644
index 0000000..2c63c08
--- /dev/null
+++ b/nixos/globals.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/nixos/hetzner.nix b/nixos/hetzner.nix
new file mode 100644
index 0000000..82fab44
--- /dev/null
+++ b/nixos/hetzner.nix
@@ -0,0 +1,42 @@
+{modulesPath, ...}: {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ./disk-config.nix
+ ];
+
+ # Fixes iotop
+ boot.kernel.sysctl = {"kernel.task_delayacct" = 1;};
+
+ boot.loader.grub = {
+ # no need to set devices, disko will add all devices that have a EF02 partition to the list already
+ # devices = [ ];
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ };
+
+ services.openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ extraConfig = ''
+ PrintLastLog no
+ '';
+ hostKeys = [
+ {
+ bits = 4096;
+ path = "/etc/ssh/ssh_host_rsa_key";
+ type = "rsa";
+ }
+ {
+ path = "/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+
+ # For secrets
+ {
+ path = "/root/.ssh/id_rsa_nix";
+ type = "ed25519";
+ }
+ ];
+ };
+}
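Review bot: The comment `# 24.05` above `inputs.nixpkgs.url` contradicts the pinned `nixos-23.11` channel (and `home-manager/release-23.11` further down), which will mislead whoever bumps the inputs next; update it to `# 23.11` or drop it. `nixpkgsWithOverlays = with inputs; rec { inherit overlays config; }` uses neither the `with inputs` scope nor `rec`, so both can go, and the `# FIXME::` double colon in `permittedInsecurePackages` looks like a typo.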
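Review bot: `settings.PasswordAuthentication = false` on its own does not turn off password logins on NixOS, because the module leaves keyboard-interactive (PAM) authentication enabled by default; add `settings.KbdInteractiveAuthentication = false;` beside it so sshd accepts keys only. The third `hostKeys` entry registers `/root/.ssh/id_rsa_nix` (an ed25519 key despite the `rsa` in its name) as an sshd host key, presumably so agenix picks it up as a decryption identity; that also advertises it to every SSH client and lets sshd generate it on first boot, so declaring `age.identityPaths = [ "/root/.ssh/id_rsa_nix" ];` instead keeps host identity and secret identity separate. `settings.PermitRootLogin` is not set in this module, so the NixOS default applies; given root is the only account the README provisions, stating the intended value explicitly would document the decision.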
diff --git a/nixos/invoke-ddns/default.nix b/nixos/invoke-ddns/default.nix
new file mode 100644
index 0000000..d3ee9bf
--- /dev/null
+++ b/nixos/invoke-ddns/default.nix
@@ -0,0 +1,68 @@
+{pkgs ? import {}, ...}: let
+ # Fetch the tarball
+ nfsn_ddns_tarball = pkgs.fetchurl {
+ url = "https://files.pythonhosted.org/packages/76/15/607b52a0bfda95fd8157c1c4b3b3631aa535206b2bd8fb43f57961460402/nfsn_ddns-0.2.0.tar.gz";
+ sha256 = "sha256-ijD3hrdoYNt/MHy4C6zIqgU5sj+kGg+ma8TswO5qOEk=";
+ };
+
+ # Extract the tarball
+ extracted_nfsn_ddns = pkgs.stdenv.mkDerivation {
+ name = "nfsn-ddns-extracted";
+
+ src = nfsn_ddns_tarball;
+
+ buildInputs = [pkgs.gnugrep pkgs.gnumake pkgs.gzip]; # Ensure tools are available for extraction if needed
+
+ phases = ["unpackPhase" "installPhase"];
+
+ unpackPhase = ''
+ mkdir -p $out
+ tar -xzf $src -C $out
+ '';
+
+ installPhase = ''
+ echo "Extracted files available in $out"
+ '';
+
+ meta = with pkgs.lib; {
+ description = "Extracted files from nfsn_ddns tarball";
+ license = licenses.unlicense;
+ maintainers = [];
+ };
+ };
+in
+ pkgs.python3Packages.buildPythonApplication rec {
+ pname = "invoke-ddns";
+ version = "0.0.1";
+
+ src = ./.;
+
+ format = "setuptools";
+
+ dontUseCmakeConfigure = true;
+
+ buildInputs = with pkgs.python3Packages; [
+ setuptools
+ extracted_nfsn_ddns
+ ];
+
+ propagatedBuildInputs = with pkgs.python3Packages; [
+ tornado
+ requests
+ python-daemon
+ pip
+ pykka
+ pytest
+ ];
+
+ # no tests implemented
+ #doCheck = false;
+ #pythonImportsCheck = [ "mopidy_jellyfin" ];
+
+ meta = with pkgs.lib; {
+ homepage = "https://github.com/philip-peterson/invoke-ddns";
+ description = "Invoke DDNS for fun and profit";
+ license = licenses.unlicense;
+ maintainers = ["Philip Peterson"];
+ };
+ }
diff --git a/nixos/invoke-ddns/invoke_ddns/__init__.py b/nixos/invoke-ddns/invoke_ddns/__init__.py
new file mode 100644
index 0000000..ee1b4af
--- /dev/null
+++ b/nixos/invoke-ddns/invoke_ddns/__init__.py
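Review bot: `{pkgs ? import {}, ...}` is not valid Nix as shown — `import {}` has no path argument — and reads like `import <nixpkgs> {}` with the angle-bracket path lost in rendering, so please verify the file on disk. `extracted_nfsn_ddns` is a bare unpacked tarball placed in `buildInputs`, which does not put `nfsn_ddns` on the Python path of the resulting application; if `invoke_ddns` imports it at runtime that will fail, and packaging it with `buildPythonPackage` (the sha256-pinned `fetchurl` is already there) and listing it in `propagatedBuildInputs` would make it importable. `pip` and `pytest` in `propagatedBuildInputs` are build/test tooling that ends up in the runtime closure; `pytest` belongs in `nativeCheckInputs` and `pip` can likely go. `maintainers = ["Philip Peterson"]` should be a list of maintainer attrsets, as pullomatic/default.nix already does.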
@@ -0,0 +1,2 @@
+if __name__ == '__main__':
+ pass
diff --git a/nixos/invoke-ddns/invoke_ddns/command/__init__.py b/nixos/invoke-ddns/invoke_ddns/command/__init__.py
new file mode 100644
index 0000000..4f023ea
--- /dev/null
+++ b/nixos/invoke-ddns/invoke_ddns/command/__init__.py
@@ -0,0 +1,2 @@
+def main():
+ pass
\ No newline at end of file
diff --git a/nixos/invoke-ddns/setup.py b/nixos/invoke-ddns/setup.py
new file mode 100644
index 0000000..9fe0192
--- /dev/null
+++ b/nixos/invoke-ddns/setup.py
@@ -0,0 +1,20 @@
+#!/usr/bin/env python
+
+from distutils.core import setup
+
+setup(name='InvokeDdns',
+ version='1.0',
+ description='Checks with NearlyFreeSpeech that the dynamic dns entries are right',
+ author='Philip Peterson',
+ author_email='peterson@sent.com',
+ url='https://github.com/philip-peterson/invoke-ddns',
+ packages=['invoke_ddns', 'invoke_ddns.command'],
+ install_requires=[
+ 'tornado>=4.4'
+ ],
+ entry_points={
+ 'console_scripts': [
+ 'invoke-ddns = invoke_ddns.command:main',
+ ],
+ },
+ )
diff --git a/nixos/keys/authorized_keys/macbookpro-intel.pub b/nixos/keys/authorized_keys/macbookpro-intel.pub
new file mode 100644
index 0000000..4ffe400
--- /dev/null
+++ b/nixos/keys/authorized_keys/macbookpro-intel.pub
@@ -0,0 +1 @@
+ssh-rsa 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 ironmagma@Philips-MBP
diff --git a/nixos/keys/authorized_keys/macbookpro.pub b/nixos/keys/authorized_keys/macbookpro.pub
new file mode 100644
index 0000000..d91c113
--- /dev/null
+++ b/nixos/keys/authorized_keys/macbookpro.pub
@@ -0,0 +1 @@
+ssh-rsa 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 ironmagma@Philips-MacBook-Pro.local
diff --git a/nixos/keys/authorized_keys/monolith.pub b/nixos/keys/authorized_keys/monolith.pub
new file mode 100644
index 0000000..3cba45d
--- /dev/null
+++ b/nixos/keys/authorized_keys/monolith.pub
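Review bot: `from distutils.core import setup` depends on `distutils`, which is deprecated and removed from the standard library in Python 3.12, while the Nix derivation declares `format = "setuptools"`; `from setuptools import setup` matches the packaging path actually used. The metadata also disagrees with default.nix: `version='1.0'` here versus `version = "0.0.1"` there, and `install_requires` lists only `tornado>=4.4` while the derivation propagates `requests`, `python-daemon` and `pykka` as well, so a plain `pip install` of this package would come up short of its real dependencies. `invoke_ddns.command:main` is the console entry point and is currently just `pass`, so the package builds but the installed command is a no-op.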
@@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC534fjfQ8PFUuyqp/3jH+tE2hq5EbbR8QcJ5ZYdm5H28d0+npxE4RnxqA82q/ZHiZT1nG5BIlRitPoIE74LFruLPBzZVfpOQxqczCAM2gsKGOY8Ug30Jl3OazsEyXYcZPdYdl/KhdrzPuJArRA7rdiI3krgVRnyG/bmU9/uQJ5fhowMJ8owYLdP4SXxh0O/vTauyNTxvddQAtGd+1DmcrFjFFNc8FeEhItMu2I9E1nIMS+lVSXOLZr1kXJa4kAhjUrWziI4nfzHESkV0hjF+DOQB/6bMFD04vkhCdK3wXKbEFkKzSBBtHQavpD7givk8mKWncdNR0bH+mB6WgiPbDAG83Q6ycAk3gX/AQAG/k/ZWo5x0u6MCN2op++JQLghdsg7T6iTJ+vTwqtEXiaWzckpEs+NR6GML8o/HCRZTTam8RIBgW5oUoqa52aDUS0WNpAGEfiUnmoKmAbxhsjtTVNPU0pWAKmon9mEmw83CzqogxAkOIgrWM58QGaGsuNgqU= root@monolith diff --git a/nixos/keys/known_hosts/one.nix b/nixos/keys/known_hosts/one.nix new file mode 100644 index 0000000..9d9f7fc --- /dev/null +++ b/nixos/keys/known_hosts/one.nix @@ -0,0 +1 @@ +"github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl" \ No newline at end of file diff --git a/nixos/keys/known_hosts/three.nix b/nixos/keys/known_hosts/three.nix new file mode 100644 index 0000000..7f953b3 --- /dev/null +++ b/nixos/keys/known_hosts/three.nix @@ -0,0 +1,2 @@ + +"github.com ssh-rsa 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" \ No newline at end of file diff --git a/nixos/keys/known_hosts/two.nix b/nixos/keys/known_hosts/two.nix new file mode 100644 index 0000000..6ca2226 --- /dev/null +++ b/nixos/keys/known_hosts/two.nix @@ -0,0 +1,2 @@ + +"github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=" \ No newline at end of file diff --git a/nixos/keys/mainframe.pub b/nixos/keys/mainframe.pub new file mode 100644 index 0000000..9b4035e --- /dev/null +++ b/nixos/keys/mainframe.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5cEJLzQH5v3r4DrwZxwXOGQWaRVlyJGciXkOz6KiKI root@pw-mainframe \ No newline at end of file diff --git a/nixos/linux.nix b/nixos/linux.nix new file mode 100644 index 0000000..2d8794c --- /dev/null 
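Review bot: Each of these known_hosts files evaluates to a single entry as a Nix string, but shared.nix assembles `.ssh/known_hosts` with `lib.concatStringsSep " " pubKeys`, i.e. space-joined on one line, whereas known_hosts is line-oriented — ssh parses the first entry and treats the remainder of the line as its comment, so only one of the three github.com keys is actually trusted. Joining with `"\n"` plus a trailing newline in shared.nix fixes it; alternatively keep the entries as plain text files and `readFile` them. This applies to one.nix, two.nix and three.nix alike; the consuming code is in the shared.nix hunk, which is cut off in this view.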
+++ b/nixos/linux.nix 
@@ -0,0 +1,186 @@
+{
+ config,
+ username,
+ hostname,
+ pkgs,
+ lib,
+ nix-index-database,
+ inputs,
+ specialArgs,
+ ...
+}: let
+ ddnsPkg = import ./invoke-ddns {inherit pkgs;};
+
+ startSeq = builtins.fromJSON ''"\u001b[7m"''; # Start inverted color
+ endSeq = builtins.fromJSON ''"\u001b[27m"''; # End inverted color
+ motd = "${startSeq} Welcome to the Peterson Mainframe! Look, touch, but DO NOT LICK. ${endSeq}";
+
+ nixPkgs = specialArgs.nixPkgs;
+ ourRustVersion = pkgs.rust-bin.selectLatestNightlyWith (toolchain: toolchain.complete);
+
+ ourRustPlatform = nixPkgs.makeRustPlatform {
+ rustc = ourRustVersion;
+ cargo = ourRustVersion;
+ };
+
+ pullomaticPkg = import ./pullomatic {
+ inherit lib pkgs;
+ rustPlatform = ourRustPlatform;
+ specialArgs = {};
+ };
+
+ pullomatic = "${pullomaticPkg}/bin/pullomatic";
+in {
+ imports = [
+ (import ./cloned_repos {inherit pkgs pullomatic lib;})
+ (import ./nginx.nix {inherit pkgs lib config;})
+ (import ./firewall.nix {inherit pkgs;})
+ (import ./system/users.nix {inherit pkgs config lib nix-index-database;})
+ ];
+
+ time.timeZone = "America/Anchorage";
+
+ age.secrets.nearlyfreespeech.file = ./secrets/nearlyfreespeech.age;
+ age.secrets.nearlyfreespeech.owner = "root";
+
+ environment.systemPackages = [
+ ddnsPkg
+ pullomaticPkg
+ pkgs.vim
+ pkgs.php
+ pkgs.rustc
+ pkgs.cargo
+ pkgs.util-linux
+ pkgs.iotop
+ pkgs.rust-bin.stable.latest.default
+ ];
+
+ swapDevices = [
+ {
+ device = "/swapfile";
+ size = 1 * 1024; # 1GB
+ }
+ ];
+
+ systemd.tmpfiles.rules = [
+ "d /home/ironmagma/.config 0755 ${username} users"
+ "d /root/.config 0755 ${username} users"
+ ];
+
+ networking.hostName = "${hostname}";
+
+ # FIXME: change your shell here if you don't want zsh
+ programs.zsh.enable = true;
+ environment.pathsToLink = ["/share/zsh"];
+ environment.shells = [pkgs.zsh];
+
+ environment.enableAllTerminfo = true;
+
+ security.sudo.wheelNeedsPassword = false;
+
+ users.motd = motd;
+
+ system.stateVersion = "22.05";
+
+ virtualisation.docker = {
+ enable = true;
+ enableOnBoot = true;
+ autoPrune.enable = true;
+ };
+
+ virtualisation.oci-containers = {
+ backend = "docker";
+
+ containers = {
+ "hello" = {
+ autoStart = true;
+ image = "nginxdemos/hello";
+ #user = "root:jellyfin";
+ volumes = [
+ ];
+ ports = ["8081:80"];
+ };
+
+ "navidrome" = {
+ autoStart = true;
+ environment = {
+ "TZ" = "America/Anchorage";
+ "PUID" = "1000";
+ "PGID" = "100";
+
+ "ND_SCANSCHEDULE" = "1h";
+ "ND_LOGLEVEL" = "info";
+ "ND_SESSIONTIMEOUT" = "24h";
+ "ND_BASEURL" = "";
+ };
+ ports = ["4533:4533"];
+ volumes = [
+ "/var/navidrome/data:/data"
+ "/var/navidrome/music:/music:ro"
+ ];
+ image = "deluan/navidrome";
+ };
+
+ "webdav" = {
+ autoStart = true;
+ image = "dgraziotin/nginx-webdav-nononsense";
+ #user = "root:jellyfin";
+ volumes = [
+ "/mnt/webdav/data:/data"
+ "/mnt/webdav/config:/config"
+ ];
+ environment = {
+ "WEBDAV_USERNAME" = "foo";
+ # TODO
+ "WEBDAV_PASSWORD" = "bar";
+ "TZ" = "America/Anchorage";
+
+ "PUID" = "60"; # nginx user
+ "PGID" = "60"; # nginx group
+ };
+ ports = ["8082:80"];
+ };
+ };
+ };
+
+ nix = {
+ settings = {
+ trusted-users = [username];
+
+ accept-flake-config = true;
+ auto-optimise-store = true;
+ };
+
+ registry = {
+ nixpkgs = {
+ flake = inputs.nixpkgs;
+ };
+ };
+
+ nixPath = [
+ "nixpkgs=${inputs.nixpkgs.outPath}"
+ "nixos-config=/etc/nixos/configuration.nix"
+ "/nix/var/nix/profiles/per-user/root/channels"
+ ];
+
+ package = pkgs.nixFlakes;
+ extraOptions = ''experimental-features = nix-command flakes'';
+
+ gc = {
+ automatic = true;
+ options = "--delete-older-than 7d";
+ };
+ };
+
+ # HTTPS
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "peterson@sent.com";
+ certs."philippeterson.com" = {
+ dnsProvider = "nearlyfreespeech";
+ environmentFile = config.age.secrets."nearlyfreespeech".path;
+ webroot = null;
+ };
+ };
+}
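Review bot: The `webdav` container ships with `"WEBDAV_USERNAME" = "foo"` and `"WEBDAV_PASSWORD" = "bar"` as literals in the Nix store (world-readable) and is published on `8082:80`, so anything that can reach that port gets write access to `/mnt/webdav/data`; the `# TODO` acknowledges it, but this should not land as is — an agenix secret is already wired up for nearlyfreespeech, and `virtualisation.oci-containers.containers.webdav.environmentFiles = [ config.age.secrets.<name>.path ];` would keep the credential out of the store. `"d /root/.config 0755 ${username} users"` makes root's own config directory owned by the unprivileged `ironmagma` account, which lets that user plant configuration that root-run tools will read; it should be `root root` like the rest of `/root`. `security.sudo.wheelNeedsPassword = false` together with `nix.settings.trusted-users = [username]` means the user account is effectively root, which is a defensible choice on a single-admin box but worth a comment saying so.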
diff --git a/nixos/nfsn_ddns-0.2.0-py3-none-any.whl b/nixos/nfsn_ddns-0.2.0-py3-none-any.whl
new file mode 100644
index 0000000..f807258
Binary files /dev/null and b/nixos/nfsn_ddns-0.2.0-py3-none-any.whl differ
diff --git a/nixos/nginx.nix b/nixos/nginx.nix
new file mode 100644
index 0000000..e5ec4a0
--- /dev/null
+++ b/nixos/nginx.nix
@@ -0,0 +1,144 @@
+{
+ lib,
+ pkgs,
+ config,
+ ...
+}: {
+ services.nginx = {
+ enable = true;
+
+ virtualHosts = {
+ "_default" = {
+ listen = [
+ { addr = "0.0.0.0"; port = 80; }
+ { addr = "[::]"; port = 80; }
+ ];
+ serverName = "_";
+ extraConfig = ''
+ deny all;
+ return 444;
+ '';
+ };
+
+ "philippeterson.com" = {
+ enableACME = true; # Enable Let's Encrypt certificate for HTTPS
+ forceSSL = false; # Redirect HTTP to HTTPS?
+ addSSL = true;
+
+ root = "/etc/pullomatic/com_philippeterson";
+
+ locations."~ /.git(/.*)$ " = {
+ extraConfig = ''
+ deny all;
+ return 404;
+ '';
+ };
+
+ locations."~ ^/games/atcsim(/[^/\\s]*)*$" = {
+ extraConfig = ''
+ index index.html index.htm;
+ rewrite ^/games/atcsim/?$ "/index.html" break;
+ rewrite ^/games/atcsim(?(/[^/\\s]*)*)$ "$query" break;
+ root /etc/pullomatic/atcsim;
+ '';
+ };
+
+ locations."~ ^/echo(?((/[^/\\s]*)*))$" = {
+ extraConfig = ''
+ add_header Content-Type text/plain;
+ return 200 "$query";
+ '';
+ };
+
+ locations."/" = {
+ extraConfig = ''
+ try_files $uri $uri.php $uri/ =404;
+ index index.php index.html index.htm;
+ rewrite ^/contact$ /contact.php last;
+ rewrite ^/resume$ /resume.php last;
+ '';
+ };
+
+ locations."~ \.php$" = {
+ extraConfig = ''
+ include ${pkgs.nginx}/conf/fastcgi.conf;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass unix:${config.services.phpfpm.pools.main.socket};
+ '';
+ };
+ };
+ "blog.quinefoundation.com" = {
+ enableACME = true;
+ forceSSL = false;
+ addSSL = true;
+
+ root = "/etc/pullomatic/com_quinefoundation_blog/markdown-blog";
+
+ locations."~ /.git(/.*)$ " = {
+ extraConfig = ''
+ deny all;
+ return 404;
+ '';
+ };
+
+ locations."~ ^/static(/.*)?$" = {
+ extraConfig = ''
+ autoindex on;
+ root /etc/pullomatic/com_quinefoundation_blog/static;
+ rewrite ^/static(?(/[^/\\s]*)*)$ "$query" break;
+ '';
+ };
+
+ locations."/" = {
+ extraConfig = ''
+ rewrite ^/?$ /blog-posts-list.php last;
+ rewrite ^/post/?$ /blog-posts-list.php last;
+ rewrite ^/about/?$ /about.php last;
+ rewrite ^/credits/?$ /credits.php last;
+ rewrite ^/post/([-a-zA-Z0-9]*)$ /blog-page.php?page=$1.md last;
+ rewrite ^/rss.xml$ /rss.php last;
+ try_files $uri $uri/ =404;
+ index index.php index.html index.htm;
+ '';
+ };
+
+ locations."~ \.php$" = {
+ extraConfig = ''
+ include ${pkgs.nginx}/conf/fastcgi.conf;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass unix:${config.services.phpfpm.pools.main.socket};
+ '';
+ };
+ };
+ };
+
+ # Optionally configure additional options
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ };
+
+ services.phpfpm.pools = {
+ main = {
+ phpEnv."PATH" = lib.makeBinPath [pkgs.php];
+ user = "nginx";
+ group = "nginx";
+ settings = {
+ # listen = /run/phpfpm.sock
+ # "listen.mode = 0660
+ "listen.owner" = "nginx";
+ "listen.group" = "nginx";
+ "pm" = "dynamic";
+ "pm.max_children" = 75;
+ "pm.start_servers" = 10;
+ "pm.min_spare_servers" = 5;
+ "pm.max_spare_servers" = 20;
+ "pm.max_requests" = 500;
+
+ "php_admin_value[error_log]" = "stderr";
+ "php_admin_flag[log_errors]" = true;
+ "catch_workers_output" = true;
+ };
+ };
+ };
+}
diff --git a/nixos/pullomatic/default.nix b/nixos/pullomatic/default.nix
new file mode 100644
index 0000000..9d60225
--- /dev/null
+++ b/nixos/pullomatic/default.nix
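Review bot: Both `locations."~ \.php$"` blocks (one in each virtual host) hand every `*.php` URI to php-fpm without first checking that the script exists; combined with `fastcgi_split_path_info` this is the well-known nginx/PHP-FPM misconfiguration where a request for a non-PHP file with a trailing `/x.php` path-info segment can be executed as PHP when `cgi.fix_pathinfo` is on, and a nonexistent script yields a php-fpm error instead of a 404. Add `try_files $uri =404;` as the first line of each PHP location's `extraConfig`. The `.git` guards use the key `~ /.git(/.*)$ ` with an unescaped dot, a trailing space, and no match for a bare `/.git`; `~ ^/\\.git(/|$)` is tighter (note that, as far as I recall, Nix collapses `\.` in a double-quoted string to `.`, so the emitted PHP pattern is really `~ .php$` and should be written `\\.php$`). `forceSSL = false` with `addSSL = true` leaves `contact.php` and the other PHP endpoints reachable over plain HTTP; if that is deliberate a comment would help, otherwise `forceSSL = true` is the safer default once ACME issuance works.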
@@ -0,0 +1,41 @@
+{
+ lib,
+ pkgs,
+ rustPlatform,
+ specialArgs,
+}:
+rustPlatform.buildRustPackage rec {
+ pname = "pullomatic";
+ version = "1.0.0";
+
+ src = pkgs.fetchFromGitHub {
+ owner = "philip-peterson";
+ repo = pname;
+ rev = "master";
+ hash = "sha256-VVIhbbdHBBeodODWQq40q91uqtTrUHsCyPgTZ5VtrRc=";
+ };
+
+ cargoBuildFlags = ["--bin" "pullomatic"];
+
+ cargoHash = "sha256-oo0M4AlraRw2LRYzvhlbjgvSolZcuRz+2WruesEWltk=";
+
+ nativeBuildInputs = with pkgs; [
+ pkg-config
+ ];
+
+ buildInputs = with pkgs; [
+ openssl
+ ];
+
+ meta = {
+ description = "A tool for automating GitHub pulls";
+ homepage = "https://github.com/philip-peterson/pullomatic";
+ license = lib.licenses.unlicense;
+ maintainers = [
+ {
+ name = "Philip Peterson";
+ email = "peterson@sent.com";
+ }
+ ];
+ };
+}
diff --git a/nixos/refresh.sh b/nixos/refresh.sh
new file mode 100755
index 0000000..4a29207
--- /dev/null
+++ b/nixos/refresh.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+set -e
+
+./apply.sh
diff --git a/nixos/secrets/README.md b/nixos/secrets/README.md
new file mode 100644
index 0000000..9e6dbc6
--- /dev/null
+++ b/nixos/secrets/README.md
@@ -0,0 +1,5 @@
+To decrypt these files, you would need the Quine Foundation server's private key,
+which is of course not public information. However, you could also generate your own
+secrets using `age` which is an open source project used to power this server.
+These would use your own private key, and therefore the encrypted versions would of
+course differ from what's public in this repository.
\ No newline at end of file
diff --git a/nixos/secrets/default.nix b/nixos/secrets/default.nix
new file mode 100644
index 0000000..819eae3
--- /dev/null
+++ b/nixos/secrets/default.nix
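Review bot: `rev = "master"` in `fetchFromGitHub` is a moving reference paired with a fixed `hash`, so the build is reproducible only until the branch moves, at which point it fails with a hash mismatch — or, if someone "fixes" that by regenerating the hash, silently pulls in whatever master then contains. Pin `rev` to a tag or commit (e.g. `rev = "v${version}";` if such a tag exists, otherwise a full commit SHA) and keep `hash` and `cargoHash` in step with it. `specialArgs` is accepted but never used in this file (linux.nix passes `specialArgs = {};`), so the parameter can be dropped on both sides.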
@@ -0,0 +1,8 @@
+{}: let
+ mainframePublicKey = builtins.toString "../keys/mainframe.pub";
+in {
+ # This .age file should contain the following environment variables:
+ # NEARLYFREESPEECH_API_KEY
+ # NEARLYFREESPEECH_LOGIN
+ "./nearlyfreespeech.age".publicKeys = [mainframePublicKey];
+}
diff --git a/nixos/secrets/nearlyfreespeech.age b/nixos/secrets/nearlyfreespeech.age
new file mode 100644
index 0000000..d0c4ab0
--- /dev/null
+++ b/nixos/secrets/nearlyfreespeech.age
@@ -0,0 +1,9 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE5GRC92ZyBteHlN
+bTNkUUxaY2NwRFdSR1E4VWhkbW8yV2VrT2dJbGRFMjJoUkJHNGc0CkI0Z25jMDJK
+ck1TOWM0eHFZSzJETU1sekxFVGFDOWdDWGlicVlwdGY4T2cKLS0tIEZBSnJyQVN5
+Nk1WZjM2aVdDdkNtamdBOExUSWNobEJzdFRnQ1JsbjZyNUEKpQAGd4xnEZd2JHFN
+grhQ/kLePUz7W0i8epk+bu2aJiSs7sSznRI0gTf6zTwpUk1p0zOtJaK7uopPC+go
+I9FPCx+rXzbmwrMcVUuzZLa8M1gikABswKSxKB/kHqH7KzrVGscQ4xz1gN+hdOS8
+5xoP
+-----END AGE ENCRYPTED FILE-----
diff --git a/nixos/system/home/ironmagma.nix b/nixos/system/home/ironmagma.nix
new file mode 100644
index 0000000..c919235
--- /dev/null
+++ b/nixos/system/home/ironmagma.nix
@@ -0,0 +1,15 @@
+{
+ config,
+ pkgs,
+ username,
+ nix-index-database,
+ lib,
+ ...
+}: let
+ shared = import ./shared.nix {
+ inherit config pkgs username nix-index-database lib;
+ homeDirectory = "/home/ironmagma";
+ };
+in {
+ imports = [shared];
+}
diff --git a/nixos/system/home/root.nix b/nixos/system/home/root.nix
new file mode 100644
index 0000000..a6fea46
--- /dev/null
+++ b/nixos/system/home/root.nix
@@ -0,0 +1,17 @@
+{
+ config,
+ pkgs,
+ username,
+ nix-index-database,
+ lib,
+ ...
+}: let
+ shared = import ./shared.nix {
+ inherit config pkgs username nix-index-database lib;
+ homeDirectory = "/root";
+ };
+in {
+ imports = [shared];
+
+ home.sessionVariables.EDITOR = "vim";
+}
diff --git a/nixos/system/home/shared.nix b/nixos/system/home/shared.nix
new file mode 100644
index 0000000..e79560a
--- /dev/null
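Review bot: `builtins.toString "../keys/mainframe.pub"` is applied to a string literal, so `mainframePublicKey` evaluates to the literal text `../keys/mainframe.pub` rather than the key; agenix's `publicKeys` needs the key material itself, i.e. `builtins.readFile ../keys/mainframe.pub` (an unquoted path, resolved relative to this file). As written, re-keying with the agenix CLI would presumably try to encrypt to a recipient named `../keys/mainframe.pub` and fail. The attribute name `"./nearlyfreespeech.age"` with a leading `./`, and the `{}:` function wrapper around the set, also differ from the plain `{ "nearlyfreespeech.age".publicKeys = [ ... ]; }` shape agenix documents for its rules file, so it is worth confirming the CLI actually finds this rule.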
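Review bot: root's home-manager profile is built from `shared.nix` with the same `username` argument the ironmagma profile receives (it comes from `specialArgs` in flake.nix, where `username = "ironmagma"`), and shared.nix derives `home.username` and `sessionVariables.SHELL = "/etc/profiles/per-user/${username}/bin/zsh"` from it, so root's login shell variable ends up pointing at another account's per-user profile. Pass `username = "root";` into the `import ./shared.nix { ... }` call here (or derive it from `homeDirectory`) so root's environment does not depend on a non-root user's profile contents; the consuming lines are in the shared.nix hunk, which is cut off in this view.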
+++ b/nixos/system/home/shared.nix 
@@ -0,0 +1,252 @@
+{
+ config,
+ pkgs,
+ username,
+ nix-index-database,
+ lib,
+ homeDirectory,
+ ...
+}: let
+ unstable-packages = with pkgs.unstable; [
+ coreutils
+ curl
+ findutils
+ git
+ git-crypt
+ jq
+ killall
+ tmux
+ unzip
+ vim
+ wget
+ zip
+ ];
+
+ stable-packages = with pkgs; [
+ rustup
+ go
+ nodejs
+ python3
+ alejandra # nix formatter
+ ];
+
+ dir = builtins.toString ../../keys/known_hosts;
+ files = builtins.attrNames (builtins.readDir dir);
+ pubKeys = map (file: import (dir + "/" + file)) files;
+ joinedString = lib.concatStringsSep " " pubKeys;
+in {
+ imports = [
+ nix-index-database.hmModules.nix-index
+ ];
+
+ home = {
+ stateVersion = "22.11";
+ username = lib.mkDefault "${username}";
+ homeDirectory = homeDirectory;
+
+ sessionVariables.EDITOR = "vim";
+ sessionVariables.SHELL = "/etc/profiles/per-user/${username}/bin/zsh";
+
+ packages = lib.mkDefault (
+ stable-packages
+ ++ unstable-packages
+ );
+
+ file.".ssh/known_hosts".text = joinedString;
+ };
+
+ programs = {
+ home-manager.enable = true;
+ nix-index.enable = true;
+ nix-index.enableZshIntegration = true;
+ nix-index-database.comma.enable = true;
+
+ # FIXME: disable this if you don't want to use the starship prompt
+ starship.enable = true;
+ starship.settings = {
+ aws.disabled = true;
+ gcloud.disabled = true;
+ kubernetes.disabled = false;
+ git_branch.style = "242";
+ directory.style = "blue";
+ directory.truncate_to_repo = false;
+ directory.truncation_length = 8;
+ python.disabled = true;
+ ruby.disabled = true;
+ hostname.ssh_only = false;
+ hostname.style = "bold green";
+ };
+
+ # FIXME: disable whatever you don't want
+ fzf.enable = true;
+ fzf.enableZshIntegration = true;
+ lsd.enable = true;
+ lsd.enableAliases = true;
+ zoxide.enable = true;
+ zoxide.enableZshIntegration = true;
+ broot.enable = true;
+ broot.enableZshIntegration = true;
+
+ direnv.enable = true;
+ direnv.enableZshIntegration = true;
+ direnv.nix-direnv.enable = true;
+
+ git = {
+ enable = true;
+ package = pkgs.unstable.git;
+ delta.enable = true;
+ delta.options = {
+ line-numbers = true;
+ side-by-side = true;
+ navigate = true;
+ };
+ userEmail = "1326208+philip-peterson@users.noreply.github.com";
+ userName = "philip-peterson";
+ extraConfig = {
+ push = {
+ default = "current";
+ autoSetupRemote = true;
+ };
+ merge = {
+ conflictstyle = "diff3";
+ };
+ diff = {
+ colorMoved = "default";
+ };
+ safe = {
+ directory = "/var/petersweb-infra";
+ };
+ };
+ };
+
+ zsh = {
+ enable = true;
+ autocd = true;
+ enableAutosuggestions = true;
+ enableCompletion = true;
+ defaultKeymap = "emacs";
+ history.size = 10000;
+ history.save = 10000;
+ history.expireDuplicatesFirst = true;
+ history.ignoreDups = true;
+ history.ignoreSpace = true;
+ historySubstringSearch.enable = true;
+
+ plugins = [
+ {
+ name = "fast-syntax-highlighting";
+ src = "${pkgs.zsh-fast-syntax-highlighting}/share/zsh/site-functions";
+ }
+ {
+ name = "zsh-nix-shell";
+ file = "nix-shell.plugin.zsh";
+ src = pkgs.fetchFromGitHub {
+ owner = "chisui";
+ repo = "zsh-nix-shell";
+ rev = "v0.5.0";
+ sha256 = "0za4aiwwrlawnia4f29msk822rj9bgcygw6a8a6iikiwzjjz0g91";
+ };
+ }
+ ];
+
+ shellAliases = {
+ "u" = "cd ..";
+ "uu" = "cd ../..";
+ "uuu" = "cd ../../..";
+ "uuuu" = "cd ../../../..";
+ gs = "git status";
+ gc = "nix-collect-garbage --delete-old";
+ refresh = "source ~/.zshrc";
+ show_path = "echo $PATH | tr ':' '\n'";
+
+ gst = "git status";
+ gco = "git checkout";
+ };
+
+ envExtra = ''
+ export PATH=$PATH:$HOME/.local/bin
+ '';
+
+ initExtra = ''
+ bindkey '^p' history-search-backward
+ bindkey '^n' history-search-forward
+ bindkey '^e' end-of-line
+ bindkey '^w' forward-word
+ bindkey "^[[3~" delete-char
+ bindkey ";5C" forward-word
+ bindkey ";5D" backward-word
+
+ zstyle ':completion:*:*:*:*:*' menu select
+
+ # Complete . and .. special directories
+ zstyle ':completion:*' special-dirs true
+
+ zstyle ':completion:*' list-colors ""
+ zstyle ':completion:*:*:kill:*:processes' list-colors '=(#b) #([0-9]#) ([0-9a-z-]#)*=01;34=0=01'
+
+ # disable named-directories autocompletion
+ zstyle ':completion:*:cd:*' tag-order local-directories directory-stack path-directories
+
+ # Use caching so that commands like apt and dpkg complete are useable
+ zstyle ':completion:*' use-cache on
+ zstyle ':completion:*' cache-path "$XDG_CACHE_HOME/zsh/.zcompcache"
+
+ # Don't complete uninteresting users
+ zstyle ':completion:*:*:*:users' ignored-patterns \
+ adm amanda apache at avahi avahi-autoipd beaglidx bin cacti canna \
+ clamav daemon dbus distcache dnsmasq dovecot fax ftp games gdm \
+ gkrellmd gopher hacluster haldaemon halt hsqldb ident junkbust kdm \
+ ldap lp mail mailman mailnull man messagebus mldonkey mysql nagios \
+ named netdump news nfsnobody nobody nscd ntp nut nx obsrun openvpn \
+ operator pcap polkitd postfix postgres privoxy pulse pvm quagga radvd \
+ rpc rpcuser rpm rtkit scard shutdown squid sshd statd svn sync tftp \
+ usbmux uucp vcsa wwwrun xfs '_*'
+ # ... unless we really want to.
+ zstyle '*' single-ignored complete
+
+ # https://thevaluable.dev/zsh-completion-guide-examples/
+ zstyle ':completion:*' completer _extensions _complete _approximate
+ zstyle ':completion:*:descriptions' format '%F{green}-- %d --%f'
+ zstyle ':completion:*' group-name ""
+ zstyle ':completion:*:*:-command-:*:*' group-order alias builtins functions commands
+ zstyle ':completion:*' squeeze-slashes true
+ zstyle ':completion:*' matcher-list "" 'm:{a-zA-Z}={A-Za-z}' 'r:|[._-]=* r:|=*' 'l:|=* r:|=*'
+
+ # mkcd is equivalent to takedir
+ function mkcd takedir() {
+ mkdir -p $@ && cd ''${@:$#}
+ }
+
+ function takeurl() {
+ local data thedir
+ data="$(mktemp)"
+ curl -L "$1" > "$data"
+ tar xf "$data"
+ thedir="$(tar tf "$data" | head -n 1)"
+ rm "$data"
+ cd "$thedir"
+ }
+
+ function takegit() {
+ git clone "$1"
+ cd "$(basename ''${1%%.git})"
+ }
+
+ function take() {
+ if [[ $1 =~ ^(https?|ftp).*\.(tar\.(gz|bz2|xz)|tgz)$ ]]; then
+ takeurl "$1"
+ elif [[ $1 =~ ^([A-Za-z0-9]\+@|https?|git|ssh|ftps?|rsync).*\.git/?$ ]]; then
+ takegit "$1"
+ else
+ takedir "$@"
+ fi
+ }
+
+ WORDCHARS='*?[]~=&;!#$%^(){}<>'
+
+ # fixes duplication of commands when using tab-completion
+ export LANG=C.UTF-8
+ '';
+ };
+ };
+}
diff --git a/nixos/system/users.nix
new file mode 100644
index 0000000..462ea73
--- /dev/null
+++ b/nixos/system/users.nix
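Review bot: `file.".ssh/known_hosts".text = joinedString` joins the imported entries with a single space (`lib.concatStringsSep " " pubKeys`), but known_hosts is line-oriented, so with more than one file under `keys/known_hosts` every entry after the first ends up on the same line and is read as trailing comment text rather than as a host key, leaving those hosts unverified (or prompting under strict host-key checking); `lib.concatStringsSep "\n" pubKeys + "\n"` keeps one entry per line. Each file is loaded with `import`, i.e. evaluated as a Nix expression, so a non-Nix file dropped into that directory aborts evaluation instead of being skipped — worth a comment on the `pubKeys` line, or a filter on the file names. The module also takes a `homeDirectory` argument with no default, while the `import ./home/root.nix { … }` and `import ./home/ironmagma.nix { … }` calls in users.nix in this same commit pass only `username config pkgs nix-index-database lib`; if this hunk is one of those files (its file header is not visible here), evaluation fails with a missing-argument error.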
@@ -0,0 +1,74 @@
+{
+ pkgs,
+ config,
+ nix-index-database,
+ lib,
+ ...
+}: let
+ makeUser = {
+ username,
+ home,
+ extraGroups,
+ authorizedKeys,
+ homeConfig ? null,
+ isNormalUser ? true,
+ }: {
+ extraGroups = extraGroups ++ [username];
+
+ home-manager.users.${username} = homeConfig;
+
+ users.users.${username} = {
+ isNormalUser = isNormalUser;
+ shell = pkgs.zsh;
+ openssh.authorizedKeys.keys = authorizedKeys;
+ home = home;
+ };
+
+ users.groups.${username} = {
+ name = "${username}";
+ members = ["${username}"];
+ };
+ };
+
+ dir = builtins.toString ../keys/authorized_keys;
+ files = builtins.attrNames (builtins.readDir dir);
+ authorizedKeys = map (file: builtins.readFile "${dir}/${file}") files;
+
+ rootUser = makeUser {
+ isNormalUser = false;
+ username = "root";
+ home = "/root";
+ extraGroups = [];
+ authorizedKeys = authorizedKeys;
+ homeConfig = import ./home/root.nix {
+ username = "root";
+ inherit config pkgs nix-index-database lib;
+ };
+ };
+
+ ironmagmaUser = makeUser {
+ username = "ironmagma";
+ home = "/home/ironmagma";
+ extraGroups = [
+ "wheel"
+ "docker"
+ ];
+ authorizedKeys = [
+ (builtins.readFile ../keys/authorized_keys/macbookpro.pub)
+ (builtins.readFile ../keys/authorized_keys/macbookpro-intel.pub)
+ (builtins.readFile ../keys/authorized_keys/monolith.pub)
+ ];
+ homeConfig = import ./home/ironmagma.nix {
+ username = "ironmagma";
+ inherit config pkgs nix-index-database lib;
+ };
+ };
+in {
+ users.groups.repo-data = {
+ name = "repo-data";
+ members = ["nginx"];
+ };
+
+ users.users = rootUser.users.users // ironmagmaUser.users.users // {};
+ home-manager.users = rootUser.home-manager.users // ironmagmaUser.home-manager.users;
+}
diff --git a/terraform/.terraform.lock.hcl
new file mode 100644
index 0000000..91519f4
--- /dev/null
+++ b/terraform/.terraform.lock.hcl
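Review bot: `extraGroups = extraGroups ++ [username]` in makeUser is a top-level attribute of the returned set that nothing reads — the final module takes only `.users.users` and `.home-manager.users` from each result — so ironmagma's `wheel` and `docker` memberships are silently dropped, and the per-user `users.groups.${username}` definition is lost the same way. Moving the list into the user definition, `users.users.${username} = { …; extraGroups = extraGroups ++ [username]; }`, and merging the groups in the result, `users.groups = rootUser.users.groups // ironmagmaUser.users.groups // { repo-data = { name = "repo-data"; members = ["nginx"]; }; }`, restores both (the trailing `// {}` on the `users.users` line is a no-op and can go). Separately, root's `authorizedKeys` is every file under `../keys/authorized_keys` via `builtins.readDir`, whereas ironmagma lists three `.pub` files explicitly; any file added to that directory later becomes a root login key, so filtering `files` to `.pub` names (e.g. with `lib.hasSuffix`) or listing root's keys explicitly as well keeps that set deliberate.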
@@ -0,0 +1,46 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/null" {
+ version = "3.2.2"
+ constraints = "3.2.2"
+ hashes = [
+ "h1:IMVAUHKoydFrlPrl9OzasDnw/8ntZFerCC9iXw1rXQY=",
+ "h1:vWAsYRd7MjYr3adj8BVKRohVfHpWQdvkIwUQ2Jf5FVM=",
+ "zh:3248aae6a2198f3ec8394218d05bd5e42be59f43a3a7c0b71c66ec0df08b69e7",
+ "zh:32b1aaa1c3013d33c245493f4a65465eab9436b454d250102729321a44c8ab9a",
+ "zh:38eff7e470acb48f66380a73a5c7cdd76cc9b9c9ba9a7249c7991488abe22fe3",
+ "zh:4c2f1faee67af104f5f9e711c4574ff4d298afaa8a420680b0cb55d7bbc65606",
+ "zh:544b33b757c0b954dbb87db83a5ad921edd61f02f1dc86c6186a5ea86465b546",
+ "zh:696cf785090e1e8cf1587499516b0494f47413b43cb99877ad97f5d0de3dc539",
+ "zh:6e301f34757b5d265ae44467d95306d61bef5e41930be1365f5a8dcf80f59452",
+ "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+ "zh:913a929070c819e59e94bb37a2a253c228f83921136ff4a7aa1a178c7cce5422",
+ "zh:aa9015926cd152425dbf86d1abdbc74bfe0e1ba3d26b3db35051d7b9ca9f72ae",
+ "zh:bb04798b016e1e1d49bcc76d62c53b56c88c63d6f2dfe38821afef17c416a0e1",
+ "zh:c23084e1b23577de22603cff752e59128d83cfecc2e6819edadd8cf7a10af11e",
+ ]
+}
+
+provider "registry.terraform.io/hetznercloud/hcloud" {
+ version = "1.47.0"
+ constraints = "~> 1.45"
+ hashes = [
+ "h1:B7iDacnh16TWyenN4+eledjmuZ89vYkdg5yFjlRNT7M=",
+ "h1:KQbtq1sXF4deoc0DKgjyyJMdIuHfhfhAPkVV0DlTMRI=",
+ "zh:0759f0c23d0e59baab3382320eef4eb314e0c5967b6ef67ff07135da07a97b34",
+ "zh:0e9ca84c4059d6d7e2c9f13d3c2b1cd91f7d9a47bedcb4b80c7c77d536eff887",
+ "zh:17a033ac4650a39ddacf3265a449edabaea528f81542c4e63e254272d5aac340",
+ "zh:2997c76a500e42b7519b24fa1f8646d9baab70c68277f80394560d3e1fd06e6d",
+ "zh:37f3fe7bb34cac63c69123e43e5426bab75816b3665dbe7125276a8d2ee6b2d8",
+ "zh:45d4b04dc470f24ad96c1c0b6636ea5422c659004f3e472c863bc50130fabf25",
+ "zh:46df99d972a78af6875565e53a73df66d870c474a20cd90e9e0a3092aa25197f",
+ "zh:4b5bb8d49366ad895c6c767efe16a1b8143802414abfe3fdb1184cbbecf424eb",
+ "zh:55c6199eb401c4b0a6c948ceac8b50f352e252e1c985903ed173bf26ad0f109e",
+ "zh:7b6efe897bffa37248064155a699e67953350b5b9a5476456c0160ce59254557",
+ "zh:7bc004bcb649ce1ec70e2cf848392e10a1edbcbf11b3292a4cc5c5d49bd769e4",
+ "zh:e1b17b7595f158fbb3021afa8869b541b5c10bdd2d8d2b2b3eaa82200b104ddd",
+ "zh:f741ca40e8e99a3e4114ad108ea2b5a5bccbedb008326c7f647f250580e69c0e",
+ "zh:fae9c7f8d08a447bb0972529f6db06999c35391046320206041a988aeca6b54c",
+ ]
+}
diff --git a/terraform/foo.tf
new file mode 100644
index 0000000..7f43304
--- /dev/null
+++ b/terraform/foo.tf
@@ -0,0 +1,45 @@
+locals {
+ public_key = "ssh-rsa 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 ironmagma@Philips-MacBook-Pro.local"
+}
+
+terraform {
+ required_providers {
+ hcloud = {
+ source = "hetznercloud/hcloud"
+ version = "~> 1.45"
+ }
+
+ null = {
+ source = "hashicorp/null"
+ version = "3.2.2"
+ }
+ }
+}
+
+resource "hcloud_ssh_key" "default" {
+ name = "Philip Macbook Pro M2"
+ public_key = local.public_key
+}
+
+# Set the variable value in *.tfvars file
+# or using the -var="hcloud_token=..." CLI option
+# variable "hcloud_token" {
+# sensitive = true
+# }
+
+# Configure the Hetzner Cloud Provider
+provider "hcloud" {
+ token = "hmUptEnfNpDdYVAeLOvmv14fZn9YV9wYuDhU4t0Mso26K2JLNbuJ2CvtCI3mLJyp"
+}
+
+# Create a server
+resource "hcloud_server" "web" {
+ name = "syncthing"
+ image = "fedora-40"
+ server_type = "cx32"
+
+ ssh_keys = [
+ "Philip Macbook Pro M2"
+ ]
+}
+
diff --git a/terraform/terraform.tfstate
new file mode 100644
index 0000000..0cd3f83
--- /dev/null
+++ b/terraform/terraform.tfstate
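Review bot: `provider "hcloud" { token = "…" }` in foo.tf embeds a Hetzner Cloud API token as a string literal, and this commit puts it into git history, so it has to be treated as exposed and rotated whatever happens to the file afterwards. The commented-out `variable "hcloud_token" { sensitive = true }` block just above it is the right shape: uncomment it, set `token = var.hcloud_token`, and supply the value through a git-ignored `*.tfvars` file or the provider's `HCLOUD_TOKEN` environment variable. The same commit also adds `terraform.tfstate` and `terraform.tfstate.backup`; state files can carry sensitive resource attributes (here they record the server's IPv4/IPv6 addresses and the SSH key), so `*.tfstate` and `*.tfstate.*` should be git-ignored, or the state kept in a remote backend. Minor: `ssh_keys = ["Philip Macbook Pro M2"]` references the key by name rather than `hcloud_ssh_key.default.id`, so Terraform sees no dependency between the two resources and may order them arbitrarily on first apply.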
@@ -0,0 +1,75 @@ +{ + "version": 4, + "terraform_version": "1.5.7", + "serial": 28, + "lineage": "0a446551-97f6-5e1f-fd21-d1a5bd66b38f", + "outputs": {}, + "resources": [ + { + "mode": "managed", + "type": "hcloud_server", + "name": "web", + "provider": "provider[\"registry.terraform.io/hetznercloud/hcloud\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "allow_deprecated_images": false, + "backup_window": "", + "backups": false, + "datacenter": "hel1-dc2", + "delete_protection": false, + "firewall_ids": [], + "id": "51104554", + "ignore_remote_firewall_ids": false, + "image": "fedora-40", + "ipv4_address": "135.181.83.225", + "ipv6_address": "2a01:4f9:c010:8efd::1", + "ipv6_network": "2a01:4f9:c010:8efd::/64", + "iso": null, + "keep_disk": false, + "labels": {}, + "location": "hel1", + "name": "syncthing", + "network": [], + "placement_group_id": 0, + "primary_disk_size": 80, + "public_net": [], + "rebuild_protection": false, + "rescue": null, + "server_type": "cx32", + "shutdown_before_deletion": false, + "ssh_keys": [ + "Philip Macbook Pro M2" + ], + "status": "running", + "timeouts": null, + "user_data": null + }, + "sensitive_attributes": [], + "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo1NDAwMDAwMDAwMDAwfX0=" + } + ] + }, + { + "mode": "managed", + "type": "hcloud_ssh_key", + "name": "default", + "provider": "provider[\"registry.terraform.io/hetznercloud/hcloud\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "fingerprint": "eb:d4:34:7f:69:a7:82:3c:4c:f6:54:d3:4a:f3:73:cd", + "id": "22314214", + "labels": {}, + "name": "Philip Macbook Pro M2", + "public_key": "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABgQDOqjSTQAQ2H4RD7oHWXjc6M4TcLniAsieo1hk7jl/VHxl6fVKxab5rtWpbDBN9SqNmoTHlWRSd+kCIVdg8a0Psy0NISTfSUniWh9qIJrjXTpWfJ9PkXIlVrleEz9Szn0GY5NyYUcNiZSencMszrOkJC8DcKIW8qp+17VeYpnS/hbwjIjdhgaFA8DjrHRgXuf88XBbi+XDB+Rw0vLLL1qsdT0NPe3uE1ixYCIUlVu3imMq431xJ/x3MLJoLJm3KSjO8NKWbw4PetxOd4LDhJbHkDpdA0P+D2ZewPIGYA45Z+pxZqvfrKIBnB4RIW5tCMGMeZHWS74vhXODPzf67TkScCGt/FU92yZHRpBNYwZ+dS+8YWMmo3t2/YWpPxLFXkAx6t78TdVGhhFrjWdxPB9hTdfdX1Sh51mbp9WVLYgqT+M/YROesrSwm7TKMgMLemA77ISf0LqWrGBo6fHRGmIfwe/fI9hSAObdHkARwPHD2GhZl+SxW7D9CV8jhV6KKbc0= ironmagma@Philips-MacBook-Pro.local" + }, + "sensitive_attributes": [] + } + ] + } + ], + "check_results": null +} diff --git a/terraform/terraform.tfstate.backup b/terraform/terraform.tfstate.backup new file mode 100644 index 0000000..b415c17 --- /dev/null +++ b/terraform/terraform.tfstate.backup 
@@ -0,0 +1,56 @@ +{ + "version": 4, + "terraform_version": "1.5.7", + "serial": 26, + "lineage": "0a446551-97f6-5e1f-fd21-d1a5bd66b38f", + "outputs": {}, + "resources": [ + { + "mode": "managed", + "type": "hcloud_server", + "name": "web", + "provider": "provider[\"registry.terraform.io/hetznercloud/hcloud\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "allow_deprecated_images": false, + "backup_window": "", + "backups": false, + "datacenter": "hel1-dc2", + "delete_protection": false, + "firewall_ids": [], + "id": "51104554", + "ignore_remote_firewall_ids": false, + "image": "fedora-40", + "ipv4_address": "135.181.83.225", + "ipv6_address": "2a01:4f9:c010:8efd::1", + "ipv6_network": "2a01:4f9:c010:8efd::/64", + "iso": null, + "keep_disk": false, + "labels": {}, + "location": "hel1", + "name": "syncthing", + "network": [], + "placement_group_id": 0, + "primary_disk_size": 80, + "public_net": [], + "rebuild_protection": false, + "rescue": null, + "server_type": "cx32", + "shutdown_before_deletion": false, + "ssh_keys": [ + "Philip Macbook Pro M2" + ], + "status": "running", + "timeouts": null, + "user_data": null + }, + "sensitive_attributes": [], + "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo1NDAwMDAwMDAwMDAwfX0=" + } + ] + } + ], + "check_results": null +}