Compare commits

..

14 commits

Author SHA1 Message Date
1f585246c2 tor: multiple instances in containers 2024-11-18 00:13:36 +01:00
Casper V. Kristensen
7b6353545d temporarily allow mu ssh access to servers 2024-11-17 22:31:46 +01:00
110d9b26e8 vim: conform 2024-11-15 02:07:58 +01:00
ef62607ad1 tor: disable firewall 2024-11-13 23:16:03 +01:00
46ebeab4dc tor: new ssh key 2024-11-13 03:00:23 +01:00
f2333f98ac tor: enable hot-adding memory 2024-11-13 02:52:31 +01:00
3007e31d45 ssh: remove old known hosts 2024-11-13 02:15:59 +01:00
5c120d545d programs: move from base to desktop
This reduces disk-usage for servers.
2024-11-13 02:15:59 +01:00
2ae1e8fca8 docker: move module from base to desktop
This reduces disk-usage for servers.
2024-11-13 02:15:59 +01:00
a9566be65a flake.lock: Update
Flake lock file updates:

• Updated input 'nixos-hardware':
    'github:NixOS/nixos-hardware/184687ae1a3139faa4746168baf071f60d0310c8' (2024-11-11)
  → 'github:NixOS/nixos-hardware/f6581f1c3b137086e42a08a906bdada63045f991' (2024-11-12)
• Updated input 'secrets':
    'git+ssh://git@git.caspervk.net/caspervk/nixos-secrets.git?ref=refs/heads/master&rev=f2d6367a7320e3c597122869f073dc839e56abe9' (2024-11-10)
  → 'git+ssh://git@git.caspervk.net/caspervk/nixos-secrets.git?ref=refs/heads/master&rev=a250fcf99ece2ae6e92713d9cf8b24c98a579320' (2024-11-12)
2024-11-13 02:15:59 +01:00
5fd0c01ed3 tor: new server 2024-11-13 02:15:59 +01:00
02629a9ba2 knot: update dnssec documentation 2024-11-11 23:18:35 +01:00
snowflake
916c08ac61 flake.lock: Update
Flake lock file updates:

• Updated input 'nixos-hardware':
    'github:NixOS/nixos-hardware/e1cc1f6483393634aee94514186d21a4871e78d7?narHash=sha256-yMO0T0QJlmT/x4HEyvrCyigGrdYfIXX3e5gWqB64wLg%3D' (2024-11-06)
  → 'github:NixOS/nixos-hardware/184687ae1a3139faa4746168baf071f60d0310c8?narHash=sha256-0ctfVp27ingWtY7dbP5%2BQpSQ98HaOZleU0teyHQUAw0%3D' (2024-11-11)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/83fb6c028368e465cd19bb127b86f971a5e41ebc?narHash=sha256-rz30HrFYCHiWEBCKHMffHbMdWJ35hEkcRVU0h7ms3x0%3D' (2024-11-07)
  → 'github:NixOS/nixpkgs/9256f7c71a195ebe7a218043d9f93390d49e6884?narHash=sha256-q2yjIWFFcTzp5REWQUOU9L6kHdCDmFDpqeix86SOvDc%3D' (2024-11-10)
2024-11-11 23:18:35 +01:00
40fa98a67c flake.lock: Update
Flake lock file updates:

• Updated input 'home-manager-unstable':
    'github:nix-community/home-manager/8f6ca7855d409aeebe2a582c6fd6b6a8d0bf5661' (2024-11-03)
  → 'github:nix-community/home-manager/60bb110917844d354f3c18e05450606a435d2d10' (2024-11-10)
• Updated input 'impermanence':
    'github:nix-community/impermanence/0d09341beeaa2367bac5d718df1404bf2ce45e6f' (2024-10-31)
  → 'github:nix-community/impermanence/3ed3f0eaae9fcc0a8331e77e9319c8a4abd8a71a' (2024-11-10)
• Updated input 'nix-index-database':
    'github:nix-community/nix-index-database/cc2ddbf2df8ef7cc933543b1b42b845ee4772318' (2024-11-03)
  → 'github:nix-community/nix-index-database/896019f04b22ce5db4c0ee4f89978694f44345c3' (2024-11-10)
• Updated input 'nixos-hardware':
    'github:NixOS/nixos-hardware/f6e0cd5c47d150c4718199084e5764f968f1b560' (2024-11-02)
  → 'github:NixOS/nixos-hardware/e1cc1f6483393634aee94514186d21a4871e78d7' (2024-11-06)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/080166c15633801df010977d9d7474b4a6c549d7' (2024-10-30)
  → 'github:NixOS/nixpkgs/83fb6c028368e465cd19bb127b86f971a5e41ebc' (2024-11-07)
• Updated input 'nixpkgs-unstable':
    'github:NixOS/nixpkgs/7ffd9ae656aec493492b44d0ddfb28e79a1ea25d' (2024-11-02)
  → 'github:NixOS/nixpkgs/76612b17c0ce71689921ca12d9ffdc9c23ce40b2' (2024-11-09)
• Updated input 'secrets':
    'git+ssh://git@git.caspervk.net/caspervk/nixos-secrets.git?ref=refs/heads/master&rev=179e97132af1fd8fae92a1692e0dfa31fb663ce3' (2024-10-14)
  → 'git+ssh://git@git.caspervk.net/caspervk/nixos-secrets.git?ref=refs/heads/master&rev=f2d6367a7320e3c597122869f073dc839e56abe9' (2024-11-10)
2024-11-10 21:17:22 +01:00
14 changed files with 166 additions and 113 deletions

View file

@ -85,11 +85,11 @@
]
},
"locked": {
"lastModified": 1730633670,
"narHash": "sha256-ZFJqIXpvVKvzOVFKWNRDyIyAo+GYdmEPaYi1bZB6uf0=",
"lastModified": 1731235328,
"narHash": "sha256-NjavpgE9/bMe/ABvZpyHIUeYF1mqR5lhaep3wB79ucs=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "8f6ca7855d409aeebe2a582c6fd6b6a8d0bf5661",
"rev": "60bb110917844d354f3c18e05450606a435d2d10",
"type": "github"
},
"original": {
@ -101,11 +101,11 @@
},
"impermanence": {
"locked": {
"lastModified": 1730403150,
"narHash": "sha256-W1FH5aJ/GpRCOA7DXT/sJHFpa5r8sq2qAUncWwRZ3Gg=",
"lastModified": 1731242966,
"narHash": "sha256-B3C3JLbGw0FtLSWCjBxU961gLNv+BOOBC6WvstKLYMw=",
"owner": "nix-community",
"repo": "impermanence",
"rev": "0d09341beeaa2367bac5d718df1404bf2ce45e6f",
"rev": "3ed3f0eaae9fcc0a8331e77e9319c8a4abd8a71a",
"type": "github"
},
"original": {
@ -121,11 +121,11 @@
]
},
"locked": {
"lastModified": 1730604744,
"narHash": "sha256-/MK6QU4iOozJ4oHTfZipGtOgaT/uy/Jm4foCqHQeYR4=",
"lastModified": 1731209121,
"narHash": "sha256-BF7FBh1hIYPDihdUlImHGsQzaJZVLLfYqfDx41wjuF0=",
"owner": "nix-community",
"repo": "nix-index-database",
"rev": "cc2ddbf2df8ef7cc933543b1b42b845ee4772318",
"rev": "896019f04b22ce5db4c0ee4f89978694f44345c3",
"type": "github"
},
"original": {
@ -136,11 +136,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1730537918,
"narHash": "sha256-GJB1/aaTnAtt9sso/EQ77TAGJ/rt6uvlP0RqZFnWue8=",
"lastModified": 1731403644,
"narHash": "sha256-T9V7CTucjRZ4Qc6pUEV/kpgNGzQbHWfGcfK6JJLfUeI=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "f6e0cd5c47d150c4718199084e5764f968f1b560",
"rev": "f6581f1c3b137086e42a08a906bdada63045f991",
"type": "github"
},
"original": {
@ -152,11 +152,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1730327045,
"narHash": "sha256-xKel5kd1AbExymxoIfQ7pgcX6hjw9jCgbiBjiUfSVJ8=",
"lastModified": 1731239293,
"narHash": "sha256-q2yjIWFFcTzp5REWQUOU9L6kHdCDmFDpqeix86SOvDc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "080166c15633801df010977d9d7474b4a6c549d7",
"rev": "9256f7c71a195ebe7a218043d9f93390d49e6884",
"type": "github"
},
"original": {
@ -183,11 +183,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1730531603,
"narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=",
"lastModified": 1731139594,
"narHash": "sha256-IigrKK3vYRpUu+HEjPL/phrfh7Ox881er1UEsZvw9Q4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d",
"rev": "76612b17c0ce71689921ca12d9ffdc9c23ce40b2",
"type": "github"
},
"original": {
@ -214,11 +214,11 @@
},
"secrets": {
"locked": {
"lastModified": 1728945400,
"narHash": "sha256-q68NlsyYSNzHol9xHA/PBbBc/o/oKQWtftJe7eTDq18=",
"lastModified": 1731452589,
"narHash": "sha256-GpAaJ+WcJd1BMmQmO4QoCnvXz4s2WWl8AOyRMRRKa24=",
"ref": "refs/heads/master",
"rev": "179e97132af1fd8fae92a1692e0dfa31fb663ce3",
"revCount": 46,
"rev": "a250fcf99ece2ae6e92713d9cf8b24c98a579320",
"revCount": 47,
"type": "git",
"url": "ssh://git@git.caspervk.net/caspervk/nixos-secrets.git"
},

View file

@ -53,12 +53,22 @@
# Enable ACME ACL on all zones
acl = ["acme"];
# Enable automatic DNSSEC signing on all zones. The KSK must be
# configured in the parent zone. Use the following command to get the
# required record(s):
# configured in the parent zone through the registrar. Either the
# DNSKEY or DS, depending on registrar:
#
# > sudo keymgr caspervk.net dnskey
# [<zone> <record-type> <key-type> <protocol> <algorithm-type> <public-key>]
#
# OR
#
# > sudo keymgr caspervk.net ds
# [<zone> <record-type> <key-tag> <algorithm-type> <digest-type> <digest>]
#
# https://knot.readthedocs.io/en/master/configuration.html#automatic-dnssec-signing
# DNSSEC can be validated using https://dnsviz.net.
#
# DNSSEC can be validated using:
# - https://dnssec-debugger.verisignlabs.com
# - https://dnsviz.net
dnssec-signing = "on";
dnssec-policy = "default";
# Knot overwrites the zonefiles with auto-generated DNSSEC records by

View file

@ -12,10 +12,8 @@
boot = {
loader = {
grub = {
enable = true;
device = "/dev/vda";
};
efi.canTouchEfiVariables = true;
systemd-boot.enable = true;
};
initrd.luks.devices.crypted.device = "/dev/disk/by-label/crypted";
};

View file

@ -9,7 +9,7 @@
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"];
boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod"];
boot.initrd.kernelModules = ["dm-snapshot"];
boot.kernelModules = [];
boot.extraModulePackages = [];
@ -37,5 +37,18 @@
}
];
# Enable hot-adding memory. Otherwise, the machine will be left with 1GB of
# memory only.
# https://pve.proxmox.com/wiki/Hotplug_(qemu_disk,nic,cpu,memory)
# Nix code inspired by (this isn't hyperv):
# https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualisation/hyperv-guest.nix
services.udev.packages = lib.singleton (pkgs.writeTextFile {
name = "proxmox-memory-hotadd-udev-rules";
destination = "/etc/udev/rules.d/80-hotplug-mem.rules";
text = ''
SUBSYSTEM=="memory", ACTION=="add", TEST=="state", ATTR{state}=="offline", ATTR{state}="online"
'';
});
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

View file

@ -6,23 +6,20 @@
];
};
# The NixOS firewall enables stateful connection tracking by default, which
# can be bad for performance.
# https://github.com/NixOS/nixpkgs/blob/2e88dbad29664f78b4c7f89f9b54d2dd2faef8e6/nixos/modules/services/networking/firewall-iptables.nix#L139
networking.firewall.enable = false;
systemd.network = {
networks."10-lan" = {
# IPv4 settings are from `sudo dhcpcd --test`.
# IPv6 settings are from https://www.ssdvps.dk/knowledgebase/18/IPv6-Gateway.html.
matchConfig.Name = "ens3";
matchConfig.Name = "enp0s18";
address = [
"91.210.59.57/25"
"2a12:bec4:11d3:de9f::1/64"
"185.231.102.51/24"
"2a0c:5700:3133:650:b0ea:eeff:fedb:1f7b/64"
];
routes = [
{routeConfig = {Gateway = "91.210.59.1";};}
{
routeConfig = {
Gateway = "2a12:bec4:11d3::1";
GatewayOnLink = true;
};
}
{routeConfig = {Gateway = "185.231.102.1";};}
];
};
};

View file

@ -1,11 +1,15 @@
{
config,
pkgs,
secrets,
...
}: let
mkTorConfig = {
orPort,
controlPort,
dirPort,
}: {
services.tor = {
enable = true;
openFirewall = true;
relay = {
enable = true;
role = "exit";
@ -15,16 +19,16 @@
ContactInfo = "admin@caspervk.net";
ORPort = [
{
addr = "91.210.59.57";
port = 443;
addr = "185.231.102.51";
port = orPort;
}
{
addr = "[2a12:bec4:11d3:de9f::1]";
port = 443;
addr = "[2a0c:5700:3133:650:b0ea:eeff:fedb:1f7b]";
port = orPort;
}
];
ControlPort = 9051; # for nyx
DirPort = 80;
ControlPort = controlPort; # for nyx, localhost only
DirPort = dirPort;
DirPortFrontPage = builtins.toFile "tor-exit-notice.html" (builtins.readFile ./tor-exit-notice.html);
ExitRelay = true;
IPv6Exit = true;
@ -33,8 +37,49 @@
"reject *:25"
"accept *:*"
];
# https://support.torproject.org/relay-operators/multiple-relays/
MyFamily = builtins.concatStringsSep "," [
"1B9D2C9E0EFE2C6BD23D62B2FCD145886AD242D1" # instance 1
];
};
};
in {
containers.tor-1 = {
autoStart = true;
# TODO: what does ephemeral mean?
ephemeral = true;
bindMounts = {
# https://support.torproject.org/relay-operators/upgrade-or-move/
"/var/lib/tor/keys/ed25519_master_id_secret_key".hostPath = config.age.secrets.tor-1-ed25519-master-id-secret-key.path;
"/var/lib/tor/keys/secret_id_key".hostPath = config.age.secrets.tor-1-secret-id-key.path;
};
config = {config, ...}: {
services.tor = mkTorConfig {
orPort = 443;
controlPort = 9051;
dirPort = 80;
};
system.stateVersion = config.system.stateVersion;
};
};
environment.systemPackages = with pkgs; [
nyx # Command-line monitor for Tor
];
age.secrets.tor-ed25519-master-id-secret-key = {
file = "${secrets}/secrets/tor-1-ed25519-master-id-secret-key.age";
mode = "400";
owner = "root";
group = "root";
};
age.secrets.tor-secret-id-key = {
file = "${secrets}/secrets/tor-1-secret-id-key.age";
mode = "400";
owner = "root";
group = "root";
};
# https://support.torproject.org/relay-operators/#relay-operators_relay-bridge-overloaded
# https://lists.torproject.org/pipermail/tor-talk/2012-August/025296.html
@ -96,19 +141,4 @@
# Disable RFC1323 timestamps (TODO: why?)
"net.ipv4.tcp_timestamps" = 0;
};
environment.systemPackages = with pkgs; [
nyx # Command-line monitor for Tor
];
environment.persistence."/nix/persist" = {
directories = [
{
directory = "/var/lib/tor";
user = "tor";
group = "tor";
mode = "0700";
}
];
};
}

View file

@ -17,24 +17,6 @@
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usb_storage" "sd_mod"];
boot.initrd.kernelModules = ["dm-snapshot"];
# https://wiki.nixos.org/wiki/Remote_disk_unlocking
# > ssh -o HostKeyAlias=tor-initrd root@tor
boot.initrd.network = {
enable = true;
# Clear initrd network configuration before stage 2
flushBeforeStage2 = true;
ssh = {
enable = true;
authorizedKeys = config.users.users.caspervk.openssh.authorizedKeys.keys;
# NOTE: the key is stored insecurely in the global Nix store and
# unencrypted boot partition, which is why we use a separate key.
# > sudo ssh-keygen -t ed25519 -N "" -f /nix/persist/initrd-ssh_host_ed25519_key
hostKeys = ["/nix/persist/initrd-ssh_host_ed25519_key"];
};
};
boot.kernelParams = ["ip=192.168.0.95::192.168.0.1"];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];

View file

@ -1,7 +1,6 @@
{...}: {
imports = [
./agenix.nix
./docker.nix
./fish.nix
./git.nix
./hardware.nix

View file

@ -2,34 +2,25 @@
# NixOS default packages:
# https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/config/system-path.nix
environment.systemPackages = with pkgs; [
ascii
bandwhich
bat
binutils
black
clang
dnsutils
fd
file
fzf
gcc
git
gnumake
htop
iputils
jq
lsof
magic-wormhole-rs
mtr
ncdu
ntp
openssl
pciutils
postgresql
progress
pwgen
python3
python310
python311
python312
socat
@ -43,6 +34,6 @@
wget
whois
wireguard-tools
yq
yq-go
];
}

View file

@ -12,6 +12,8 @@
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPB/qr63FB0ZqOe/iZGwIKNHD8a1Ud/mXVjQPmpIG7pM caspervk@omega"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII71DKQziktCkyMAmL25QKRK6nG2uJDkQXioIZp5JkMZ caspervk@zeta"
# TODO: remove
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICA1+3EYBguNE+6uJgWZixTKBGr6CpstlU6Drtf8w0As caspervk@mu"
];
};
@ -20,8 +22,7 @@
"alpha".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGOpQNEmmEe6jr7Mv37ozokvtTSd1I3SmUU1tpCSNTkc";
"delta".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFe9RpnO1/QRU81kjtEsWN66xfP5Y/qf5EQZ6wdM/XCT";
"sigma".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC4Kvx/lcFRvl7KlxqqhrJ32h3FzuzyLA5BNB42+p92c";
"tor".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVPxvqwS2NMqqCGBkMmExzdBY5hGLegiOuqPJAOfdKk";
"tor-initrd".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVPxvqwS2NMqqCGBkMmExzdBY5hGLegiOuqPJAOfdKk";
"tor".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEOov/Qrjo7y86SO+qUdBC84NZdVsax/nksq9Vmmr1Uq";
"git.caspervk.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC4Kvx/lcFRvl7KlxqqhrJ32h3FzuzyLA5BNB42+p92c";
};

View file

@ -256,10 +256,6 @@
highlight = {
enable = true,
},
-- Indentation based on treesitter
indent = {
enable = true,
},
})
'';
}
@ -487,7 +483,7 @@
anchor_bias = "above",
-- Keep open until leaving insert mode.
-- Default: { CursorMoved, CursorMovedI, InsertCharPre }.
close_events = { "CursorMoved", },
close_events = {"CursorMoved"},
-- Make floating window unfocusable. Allows updating parameter
-- highlight with another <C-s> rather than focusing the window.
focusable = false,
@ -502,7 +498,6 @@
vim.keymap.set("n", "gD", vim.lsp.buf.declaration)
vim.keymap.set("n", "gy", vim.lsp.buf.type_definition)
vim.keymap.set("n", "gI", ts.lsp_implementations)
vim.keymap.set("n", "<Leader>gq", vim.lsp.buf.format)
-- TODO: This becomes default in newer neovim?
vim.keymap.set("n", "gra", vim.lsp.buf.code_action)
@ -525,13 +520,6 @@
-- https://github.com/nix-community/nixd
lspconfig.nixd.setup({
capabilities = capabilities,
settings = {
nixd = {
formatting = {
command = {"${pkgs.alejandra}/bin/alejandra"},
},
},
},
})
-- https://docs.basedpyright.com
@ -687,6 +675,40 @@
'';
}
# Lightweight yet powerful formatter plugin for Neovim.
# https://github.com/stevearc/conform.nvim
{
plugin = conform-nvim;
type = "lua";
config =
# lua
''
-- TODO: injected language formatting (treesitter code blocks)
local conform = require("conform")
conform.setup({
formatters_by_ft = {
-- Use conform built-ins on all ("*") filetypes
["*"] = {"trim_newlines", "trim_whitespace"},
css = {"prettier"},
graphql = {"prettier"},
html = {"prettier"},
javascript = {"prettier"},
json = {"prettier"},
markdown = {"prettier"},
nix = {"alejandra"},
-- Ruff follows the project's pyproject.toml/ruff.toml
python = {"ruff_fix", "ruff_organize_imports", "ruff_format"},
terraform = {"tofu_fmt"},
toml = {"taplo"},
typescript = {"prettier"},
yaml = {"prettier"},
},
})
vim.o.formatexpr = "v:lua.require'conform'.formatexpr()"
vim.keymap.set("n", "<Leader>gq", conform.format)
'';
}
# Indentation guides.
# https://github.com/lukas-reineke/indent-blankline.nvim
{
@ -883,9 +905,14 @@
}
];
extraPackages = [
nixpkgs-unstable.legacyPackages.${pkgs.system}.basedpyright
pkgs.nixd
pkgs.yaml-language-server
nixpkgs-unstable.legacyPackages.${pkgs.system}.basedpyright # lsp
nixpkgs-unstable.legacyPackages.${pkgs.system}.ruff # lsp/conform
pkgs.alejandra # conform
pkgs.nixd # lsp
pkgs.nodePackages.prettier # conform
pkgs.opentofu # conform
pkgs.taplo # conform
pkgs.yaml-language-server # lsp
];
extraLuaPackages = ps: [];
extraPython3Packages = ps: [];

View file

@ -1,6 +1,7 @@
{...}: {
imports = [
./clipman.nix
./docker.nix
./flatpak.nix
./foot.nix
./gammastep.nix

View file

@ -8,11 +8,13 @@
# Packages useful on a desktop computer which don't require their own module
environment.systemPackages = with pkgs; [
ascii
aspell
aspellDicts.da
aspellDicts.en
aspellDicts.en-computers
aspellDicts.en-science
black
element-desktop
firefox-wayland
gimp
@ -30,6 +32,8 @@
libreoffice
mpv
mumble
postgresql
pwgen
spotify
thunderbird
tor-browser-bundle-bin