diff --git a/boxes/mainsail/default.nix b/boxes/mainsail/default.nix
index d17b946..0a90333 100644
--- a/boxes/mainsail/default.nix
+++ b/boxes/mainsail/default.nix
@@ -56,7 +56,8 @@
 };
 users.users.usr.openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbhM3wj0oqjR3pUaZgpfX4Xo4dlzvBTbQ48zHyg7Pwx usr"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbhM3wj0oqjR3pUaZgpfX4Xo4dlzvBTbQ48zHyg7Pwx usr" # x230t
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB2xUbQw9+RCPVw7qCFm4NNCP/MpS2BIArcwMv0KdKOI usr" # mlg
 ];
 system.stateVersion = "23.11";
diff --git a/boxes/mlg/default.nix b/boxes/mlg/default.nix
index 61992fd..024c6cf 100644
--- a/boxes/mlg/default.nix
+++ b/boxes/mlg/default.nix
@@ -2,8 +2,9 @@
 {
 imports = [
-# ./hardware-configuration.nix
+ ./hardware-configuration.nix
 ./nvidia.nix
+ ../../modules/ssh-phone-home.nix
 ../../modules/bootstrap.nix
 ../../modules/common.nix
 ../../modules/x11.nix
@@ -25,9 +26,20 @@
 libreoffice
 nomacs
 vscodium
+ thunderbird
 minetest
 ];
+ services.openssh.enable = true;
+ services.ssh-phone-home = {
+ enable = true;
+ localUser = "usr";
+ remoteHostname = "192.168.1.100";
+ remotePort = 22;
+ remoteUser = "usr";
+ bindPort = 2222;
+ };
+
 boot.loader = {
 efi = {
 canTouchEfiVariables = true;
@@ -48,5 +60,9 @@
 services.avahi.nssmdns = true; # enables the mDNS NSS plug-in
 services.avahi.openFirewall = true; # opens the firewall for UDP port 5353
- networking.hostName = "mlg";
+ nixpkgs.config.allowUnfree = true;
+ networking = {
+ hostName = "mlg";
+ firewall.enable = true;
+ };
 }
diff --git a/boxes/mlg/hardware-configuration.nix b/boxes/mlg/hardware-configuration.nix
new file mode 100644
index 0000000..99531a4
--- /dev/null
+++ b/boxes/mlg/hardware-configuration.nix
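Review bot: The new mlg key on the `usr` account is an unrestricted key, although the only use this commit gives it is the reverse tunnel configured in boxes/mlg (remoteUser `usr`, bindPort 2222) — if 192.168.1.100 is mainsail, which the pairing of the two hunks suggests but does not prove, that key has no reason to be able to open a shell. OpenSSH lets the server enforce what the client's `-N` merely requests: `"restrict,port-forwarding,permitlisten=\"2222\" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB2xUbQw9+RCPVw7qCFm4NNCP/MpS2BIArcwMv0KdKOI usr" # mlg` keeps the key usable for the remote forward on that one port and nothing else (no pty, no command execution, no agent or X11 forwarding). If mlg also needs interactive access to mainsail, give it a second key for that rather than widening the tunnel key.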
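Review bot: `services.openssh.enable = true` brings up sshd on mlg with the NixOS defaults, and the ssh-phone-home block directly below it re-exposes that sshd on 192.168.1.100:2222, so it should get the key-only settings the rest of this change assumes: `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` (NixOS leaves both on by default, so a weak password on `usr` becomes reachable through the tunnel). The tunnel unit runs as `usr` with no terminal, so the remote's host key must already be trusted or every attempt dies at host-key verification; pin it declaratively with `programs.ssh.knownHosts."192.168.1.100".publicKey = "<remote host key>";` instead of relying on whatever happens to be in usr's ~/.ssh/known_hosts. `firewall.enable = true` in the last hunk is already the NixOS default, and enabling openssh opens port 22 in it; that is fine on a LAN, but a one-line comment saying the listener is meant to be reachable both locally and via the tunnel would make the intent explicit.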
@@ -0,0 +1,41 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# testing +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "vmd" "nvme" "usb_storage" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/eada30c2-ffc5-4410-b1cf-fcea6a4040ff"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/5318-1A44"; + fsType = "vfat"; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp58s0.useDHCP = lib.mkDefault true; + # networking.interfaces.enp7s0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp0s20f3.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/boxes/mlg/home.nix b/boxes/mlg/home.nix new file mode 100644 index 0000000..8c118a1 --- /dev/null +++ b/boxes/mlg/home.nix @@ -0,0 +1,10 @@ +{ lib, inputs, config, pkgs, home, ... }: + +{ + imports = [ + ../../home/x11.nix + ../../home/chromium + ]; + + home.stateVersion = "23.11"; +} diff --git a/boxes/netbox/default.nix b/boxes/netbox/default.nix index 81cd363..df402c1 100644 
--- a/boxes/netbox/default.nix +++ b/boxes/netbox/default.nix @@ -249,7 +249,8 @@ in { users.users.ryan = { openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbhM3wj0oqjR3pUaZgpfX4Xo4dlzvBTbQ48zHyg7Pwx usr" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbhM3wj0oqjR3pUaZgpfX4Xo4dlzvBTbQ48zHyg7Pwx usr" # x230t + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrpVDLQszFKoYbvYKRyVTTpehxR0BVU47SXkz39l2wK usr" # mainsail ]; isNormalUser = true; extraGroups = [ "wheel" "docker" ]; @@ -342,7 +343,7 @@ in { locations."~ \\.git" = { extraConfig = '' client_max_body_size 0; - + include ${pkgs.nginx}/conf/fastcgi_params; fastcgi_param SCRIPT_FILENAME ${pkgs.git}/bin/git-http-backend; fastcgi_param GIT_HTTP_EXPORT_ALL ""; diff --git a/boxes/x230t/default.nix b/boxes/x230t/default.nix index e2a89c8..f7c1a72 100644 --- a/boxes/x230t/default.nix +++ b/boxes/x230t/default.nix @@ -18,6 +18,11 @@ thunderbird hue-cli bluetuith + brave + vdirsyncer + isync + khal + todoman ]; hardware.bluetooth = { diff --git a/builds/flake.lock b/builds/flake.lock deleted file mode 100644 index c5ee110..0000000 --- a/builds/flake.lock +++ /dev/null @@ -1,27 +0,0 @@ -{ - "nodes": { - "nixpkgs": { - "locked": { - "lastModified": 1703467016, - "narHash": "sha256-/5A/dNPhbQx/Oa2d+Get174eNI3LERQ7u6WTWOlR1eQ=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "d02d818f22c777aa4e854efc3242ec451e5d462a", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-23.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "nixpkgs": "nixpkgs" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/builds/flake.nix b/builds/flake.nix deleted file mode 100644 index 350b96a..0000000 --- a/builds/flake.nix +++ /dev/null 
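Review bot: The key added for mainsail lands on `ryan`, whose `extraGroups` in the same hunk include `wheel` and `docker`, and membership in `docker` is root-equivalent on the host — so whoever holds mainsail's `usr` key now has root-equivalent access to netbox. If mainsail only needs something narrow from netbox (the git-http-backend location further down this file hints at repository access, but that is a guess), give it its own key on a dedicated user, or at least an authorized_keys option such as `restrict,command="..."` that limits what the key can do. The `# mainsail` label is helpful; consider extending it to say what the key is for, so the next reader can tell when it can be revoked. The enclosing `in {` module body starts above this hunk.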
@@ -1,28 +0,0 @@ -{ - inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11"; - - outputs = - { nixpkgs, ... }: - let - inherit (nixpkgs) lib; - withSystem = - f: - lib.fold lib.recursiveUpdate { } ( - map f [ - "x86_64-linux" - ] - ); - mkPackages = pkgs: { - st = pkgs.callPackage ./st.nix { }; - rebuild = pkgs.callPackage ./rebuild.nix { }; - utils = pkgs.callPackage ./utils.nix { }; - }; - in - withSystem ( - system: { - overlays.default = final: _: mkPackages final; - - packages.${system} = mkPackages nixpkgs.legacyPackages.${system}; - } - ); -} diff --git a/builds/utils.nix b/builds/utils.nix index 62dfb9e..50ee3ac 100644 --- a/builds/utils.nix +++ b/builds/utils.nix @@ -5,6 +5,7 @@ , libxcb # shell scripts stuff , makeWrapper +, sshuttle , sxhkd , bash , feh @@ -24,7 +25,7 @@ stdenv.mkDerivation rec { src = ./utils; nativeBuildInputs = [ makeWrapper pkg-config libxcb ]; - buildInputs = [ libxcb bash feh xrandr jq curl fzy ytfzf ffmpeg ]; + buildInputs = [ libxcb bash feh xrandr jq curl fzy ytfzf ffmpeg sshuttle ]; buildPhase = '' ls @@ -37,7 +38,7 @@ stdenv.mkDerivation rec { for i in $(ls $src/sh); do cp $src/sh/$i $out/bin ln -sf $out/bin/tmenu_run $out/bin/regenerate - wrapProgram $out/bin/$i --prefix PATH : ${lib.makeBinPath [ sxhkd bash feh xrandr jq figlet curl fzy ytfzf ffmpeg ]} + wrapProgram $out/bin/$i --prefix PATH : ${lib.makeBinPath [ sxhkd bash feh xrandr jq figlet curl fzy ytfzf ffmpeg sshuttle ]} done cp c/status/main $out/bin/statusbar diff --git a/builds/utils/sh/disp b/builds/utils/sh/disp index 32411e0..64ff359 100755 --- a/builds/utils/sh/disp +++ b/builds/utils/sh/disp @@ -27,6 +27,12 @@ case "$(hostname)" in bspc monitor VGA-1 -d 1 3 5 7 9 bspc monitor HDMI-1 -d 2 4 6 8 0 ;; + "mlg") + # holdover configuration for the time being + xrandr --output eDP-1 --brightness 0 + xrandr --output DP-1 --primary + bspc monitor DP-1 -d 1 2 3 4 5 6 7 8 9 + ;; "x230t") echo "x230t" case "$1" in 
diff --git a/builds/utils/sh/vpn b/builds/utils/sh/vpn new file mode 100755 index 0000000..9c6306c --- /dev/null +++ b/builds/utils/sh/vpn @@ -0,0 +1,5 @@ +#!/bin/sh + +# a poor man's vpn +ip=$(dig +short beepboop.systems) +sshuttle --dns -r ryan@$ip:443 0/0 diff --git a/flake.lock b/flake.lock index 00f1c4f..99bd06f 100644 --- a/flake.lock +++ b/flake.lock @@ -25,11 +25,11 @@ }, "locked": { "dir": "pkgs/firefox-addons", - "lastModified": 1705709716, - "narHash": "sha256-YJdWSN3ra0FsAQT5PXe7uXxMeAXxTR+SY/wVOO1c6Bs=", + "lastModified": 1706081037, + "narHash": "sha256-R2dkUMLZa6qvRl4mXOG7bLHaGvoOYf5vIXWeyRDqML0=", "owner": "rycee", "repo": "nur-expressions", - "rev": "d7ad3362283fced58410547650be31e37f9d0f41", + "rev": "5f23ef51cad74dbf30633366e52eb895c9c633d1", "type": "gitlab" }, "original": { @@ -93,11 +93,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1705641746, - "narHash": "sha256-D6c2aH8HQbWc7ZWSV0BUpFpd94ImFyCP8jFIsKQ4Slg=", + "lastModified": 1705916986, + "narHash": "sha256-iBpfltu6QvN4xMpen6jGGEb6jOqmmVQKUrXdOJ32u8w=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d2003f2223cbb8cd95134e4a0541beea215c1073", + "rev": "d7f206b723e42edb09d9d753020a84b3061a79d8", "type": "github" }, "original": { @@ -172,8 +172,7 @@ "firefox-addons": "firefox-addons", "home-manager": "home-manager", "nixpkgs": "nixpkgs", - "simple-nixos-mailserver": "simple-nixos-mailserver", - "utilpkg": "utilpkg" + "simple-nixos-mailserver": "simple-nixos-mailserver" } }, "simple-nixos-mailserver": { @@ -201,23 +200,6 @@ "type": "gitlab" } }, - "utilpkg": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1, - "narHash": "sha256-iemuV19UU8TriqixcvwdRUTa8lIrxc3Krwt4bHpUUWE=", - "path": "/nix/store/wazyj2lnn6ksl5v386m7f64v3zf64r80-source/builds", - "type": "path" - }, - "original": { - "path": "/nix/store/wazyj2lnn6ksl5v386m7f64v3zf64r80-source/builds", - "type": "path" - } - }, "utils": { "locked": { "lastModified": 1605370193, 
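Review bot: `$ip` is neither quoted nor checked before it is spliced into `-r ryan@$ip:443`: `dig +short` prints nothing when resolution fails (giving `ryan@:443`) and prints one line per record when the name has several A records or a CNAME chain, so the script can hand sshuttle an address with embedded newlines. Something like `ip=$(dig +short beepboop.systems | tail -n 1)`, `[ -n "$ip" ] || { echo "vpn: cannot resolve beepboop.systems" >&2; exit 1; }` and `exec sshuttle --dns -r "ryan@$ip:443" 0/0` fails loudly instead (tail picks the address at the end of a CNAME chain). Connecting by the resolved IP rather than the hostname also means the host-key check is keyed on the IP in known_hosts, so a spoofed DNS answer presents as an unknown host rather than a key mismatch; if the pre-resolution is only there to keep the server out of the 0/0 route, check whether sshuttle's own exclusion of the address it connects to already covers that, in which case the hostname can be passed directly.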
diff --git a/flake.nix b/flake.nix
index 2a1dfcb..ebcd34a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -11,16 +11,12 @@
 url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
 inputs.nixpkgs.follows = "nixpkgs";
 };
- utilpkg = {
- url = "./builds";
- inputs.nixpkgs.follows = "nixpkgs";
- };
 simple-nixos-mailserver = {
 url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.11";
 };
 };
- outputs = { self, nixpkgs, home-manager, firefox-addons, simple-nixos-mailserver, utilpkg, ... }@inputs: {
+ outputs = { self, nixpkgs, home-manager, firefox-addons, simple-nixos-mailserver, ... }@inputs: {
 nixosConfigurations = {
 netbox = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
@@ -49,6 +45,20 @@
 }
 ];
 };
+ mlg = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = { inherit inputs; };
+ modules = [
+ ./boxes/mlg
+
+ home-manager.nixosModules.home-manager {
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+ home-manager.extraSpecialArgs = { inherit inputs; };
+ home-manager.users.usr = import ./boxes/mlg/home.nix;
+ }
+ ];
+ };
 virtbox = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
 specialArgs = { inherit inputs; };
diff --git a/modules/common.nix b/modules/common.nix
index 8d9f344..6336be3 100644
--- a/modules/common.nix
+++ b/modules/common.nix
@@ -6,10 +6,9 @@
 ];
 environment.systemPackages = [
-# is it this? this throws a similar error; no attr st, etc.
- inputs.utilpkg.packages.x86_64-linux.st
- inputs.utilpkg.packages.x86_64-linux.rebuild
- inputs.utilpkg.packages.x86_64-linux.utils
+ (pkgs.callPackage ../builds/rebuild.nix {})
+ (pkgs.callPackage ../builds/st.nix {})
+ (pkgs.callPackage ../builds/utils.nix {})
 pkgs.man-pages
 ];
diff --git a/modules/ssh-phone-home.nix b/modules/ssh-phone-home.nix
new file mode 100644
index 0000000..d1e74b9
--- /dev/null
+++ b/modules/ssh-phone-home.nix
@@ -0,0 +1,105 @@ +{ config, lib, pkgs, ... }: + +# with thanks to +# https://www.auntieneo.net/2014/12/14/reverse-ssh-tunnel-on-nixos-with-systemd/ + +with lib; + +let + inherit (pkgs) openssh; + cfg = config.services.ssh-phone-home; +in + +{ + + ###### interface + + options = { + services.ssh-phone-home = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable a "phone home" reverse SSH proxy. + ''; + }; + + persist = mkOption { + type = types.bool; + default = true; + description = '' + When this is set to true, the service will persistently attempt to + reconnect at intervals whenever the port forwarding operation fails. + This is the recommended behavior for reliable operation. If one finds + oneself in an environment where this kind of behavior might draw the + suspicion of a network administrator, it might be a good idea to + set this option to false (or not use ssh-phone-home + at all). + ''; + }; + + localUser = mkOption { + description = '' + Local user to connect as (i.e. the user with password-less SSH keys). + ''; + }; + + remoteHostname = mkOption { + description = '' + The remote host to connect to. This should be the host outside of the + firewall or NAT. + ''; + }; + + remotePort = mkOption { + default = 22; + description = '' + The port on which to connect to the remote host via SSH protocol. + ''; + }; + + remoteUser = mkOption { + description = '' + The username to connect to the remote host as. + ''; + }; + + bindPort = mkOption { + default = 2222; + description = '' + The port to bind and listen to on the remote host. + ''; + }; + }; + }; + + + ###### implementation + + config = mkIf cfg.enable { + systemd.services.ssh-phone-home = + { + description = '' + Reverse SSH tunnel as a service + ''; + + # FIXME: This isn't triggered until a reboot, and probably won't work between suspends. 
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = with cfg; {
+ User = cfg.localUser;
+ } // (if cfg.persist then
+ {
+ # Restart every 10 seconds on failure
+ RestartSec = 10;
+ Restart = "on-failure";
+ }
+ else {}
+ );
+
+ script = with cfg; ''
+ ${openssh}/bin/ssh -NTC -o ServerAliveInterval=30 -o ExitOnForwardFailure=yes -R ${toString bindPort}:localhost:22 -l ${remoteUser} -p ${toString remotePort} ${remoteHostname}
+ '';
+ };
+ };
+}
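Review bot: The ssh invocation in `script` runs from a systemd unit with no terminal, yet it says nothing about host keys, so the tunnel's trust in `remoteHostname` is whatever happens to be in the service user's known_hosts: an unknown key makes every attempt die in the restart loop, and a key accepted interactively once is never checked against a declared value. Add `-o StrictHostKeyChecking=yes` and state in the `remoteHostname` description that the remote's host key must be pinned beforehand (`programs.ssh.knownHosts` is the declarative place), so the unit fails closed rather than silently depending on state in $HOME. Two smaller points: the unit has no `after`/`wants` on `network-online.target`, so the first attempt at boot will usually fail before the link is up and the restart loop is quietly doing the ordering the FIXME complains about; and `Restart = "on-failure"` does not cover an exit status of 0 after a clean remote close, where `"always"` is what a persistent tunnel wants. The option declarations earlier in this hunk also lack `type = types.str` / `types.port`, so a typo in `remoteHostname` surfaces as an ssh error at runtime instead of at evaluation time, and `with cfg;` on `serviceConfig` is unused since the body spells `cfg.localUser`.

```nix
      wantedBy = [ "multi-user.target" ];
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];

      serviceConfig = {
        User = cfg.localUser;
      } // lib.optionalAttrs cfg.persist {
        # Retry every 10 seconds after any exit, clean or not, so the tunnel stays up
        RestartSec = 10;
        Restart = "always";
      };

      # StrictHostKeyChecking=yes: refuse to connect unless remoteHostname's key is
      # already in known_hosts (pin it via programs.ssh.knownHosts); there is no TTY
      # to answer a prompt here, so failing closed is the only safe behaviour.
      script = with cfg; ''
        ${openssh}/bin/ssh -NTC \
          -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
          -o ExitOnForwardFailure=yes \
          -o StrictHostKeyChecking=yes \
          -R ${toString bindPort}:localhost:22 \
          -l ${remoteUser} -p ${toString remotePort} ${remoteHostname}
      '';
      # … unchanged: closing braces of systemd.services.ssh-phone-home …
```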