stupidcomputer 2024-01-24 23:42:18 -06:00
commit e28e53b6db
15 changed files with 223 additions and 96 deletions


@ -56,7 +56,8 @@
}; };
users.users.usr.openssh.authorizedKeys.keys = [ users.users.usr.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbhM3wj0oqjR3pUaZgpfX4Xo4dlzvBTbQ48zHyg7Pwx usr" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbhM3wj0oqjR3pUaZgpfX4Xo4dlzvBTbQ48zHyg7Pwx usr" # x230t
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB2xUbQw9+RCPVw7qCFm4NNCP/MpS2BIArcwMv0KdKOI usr" # mlg
]; ];
system.stateVersion = "23.11"; system.stateVersion = "23.11";
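Review bot: The key added for mlg is accepted with no `authorized_keys` options, so whoever holds it gets a full login shell as `usr` on this host. If this is the key the `ssh-phone-home` service on mlg logs in with (the hunk does not show which host this file configures), that module describes it as a password-less key, and it only needs to open one reverse forward. In that case prefix the entry with restrictions, for example `"restrict,port-forwarding,permitlisten=\"localhost:2222\" ssh-ed25519 <mlg-key> usr" # mlg`, and keep an unrestricted key only for interactive logins.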


@ -2,8 +2,9 @@
{ {
imports = [ imports = [
# ./hardware-configuration.nix ./hardware-configuration.nix
./nvidia.nix ./nvidia.nix
../../modules/ssh-phone-home.nix
../../modules/bootstrap.nix ../../modules/bootstrap.nix
../../modules/common.nix ../../modules/common.nix
../../modules/x11.nix ../../modules/x11.nix
@ -25,9 +26,20 @@
libreoffice libreoffice
nomacs nomacs
vscodium vscodium
thunderbird
minetest minetest
]; ];
services.openssh.enable = true;
services.ssh-phone-home = {
enable = true;
localUser = "usr";
remoteHostname = "192.168.1.100";
remotePort = 22;
remoteUser = "usr";
bindPort = 2222;
};
boot.loader = { boot.loader = {
efi = { efi = {
canTouchEfiVariables = true; canTouchEfiVariables = true;
@ -48,5 +60,9 @@
services.avahi.nssmdns = true; # enables the mDNS NSS plug-in services.avahi.nssmdns = true; # enables the mDNS NSS plug-in
services.avahi.openFirewall = true; # opens the firewall for UDP port 5353 services.avahi.openFirewall = true; # opens the firewall for UDP port 5353
networking.hostName = "mlg"; nixpkgs.config.allowUnfree = true;
networking = {
hostName = "mlg";
firewall.enable = true;
};
} }
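Review bot: `services.openssh.enable = true;` is added without any `services.openssh.settings`, so sshd on mlg keeps the NixOS defaults, which permit password authentication. The `services.ssh-phone-home` block in the same hunk publishes that sshd on port 2222 of 192.168.1.100, so anything able to reach the forwarded port reaches mlg's login prompt, and `networking.firewall.enable = true` does not filter traffic arriving through the tunnel. Consider adding `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` next to the enable line. Also confirm that `usr` has declared authorized keys for this box, since none are visible in this section.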


@ -0,0 +1,41 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# testing
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "vmd" "nvme" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/eada30c2-ffc5-4410-b1cf-fcea6a4040ff";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/5318-1A44";
fsType = "vfat";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp58s0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp7s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp0s20f3.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

10
boxes/mlg/home.nix Normal file

@ -0,0 +1,10 @@
{ lib, inputs, config, pkgs, home, ... }:
{
imports = [
../../home/x11.nix
../../home/chromium
];
home.stateVersion = "23.11";
}


@ -249,7 +249,8 @@ in {
users.users.ryan = { users.users.ryan = {
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbhM3wj0oqjR3pUaZgpfX4Xo4dlzvBTbQ48zHyg7Pwx usr" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbhM3wj0oqjR3pUaZgpfX4Xo4dlzvBTbQ48zHyg7Pwx usr" # x230t
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrpVDLQszFKoYbvYKRyVTTpehxR0BVU47SXkz39l2wK usr" # mainsail
]; ];
isNormalUser = true; isNormalUser = true;
extraGroups = [ "wheel" "docker" ]; extraGroups = [ "wheel" "docker" ];
@ -342,7 +343,7 @@ in {
locations."~ \\.git" = { locations."~ \\.git" = {
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
include ${pkgs.nginx}/conf/fastcgi_params; include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_param SCRIPT_FILENAME ${pkgs.git}/bin/git-http-backend; fastcgi_param SCRIPT_FILENAME ${pkgs.git}/bin/git-http-backend;
fastcgi_param GIT_HTTP_EXPORT_ALL ""; fastcgi_param GIT_HTTP_EXPORT_ALL "";


@ -18,6 +18,11 @@
thunderbird thunderbird
hue-cli hue-cli
bluetuith bluetuith
brave
vdirsyncer
isync
khal
todoman
]; ];
hardware.bluetooth = { hardware.bluetooth = {


@ -1,27 +0,0 @@
{
"nodes": {
"nixpkgs": {
"locked": {
"lastModified": 1703467016,
"narHash": "sha256-/5A/dNPhbQx/Oa2d+Get174eNI3LERQ7u6WTWOlR1eQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d02d818f22c777aa4e854efc3242ec451e5d462a",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"nixpkgs": "nixpkgs"
}
}
},
"root": "root",
"version": 7
}


@ -1,28 +0,0 @@
{
inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
outputs =
{ nixpkgs, ... }:
let
inherit (nixpkgs) lib;
withSystem =
f:
lib.fold lib.recursiveUpdate { } (
map f [
"x86_64-linux"
]
);
mkPackages = pkgs: {
st = pkgs.callPackage ./st.nix { };
rebuild = pkgs.callPackage ./rebuild.nix { };
utils = pkgs.callPackage ./utils.nix { };
};
in
withSystem (
system: {
overlays.default = final: _: mkPackages final;
packages.${system} = mkPackages nixpkgs.legacyPackages.${system};
}
);
}


@ -5,6 +5,7 @@
, libxcb , libxcb
# shell scripts stuff # shell scripts stuff
, makeWrapper , makeWrapper
, sshuttle
, sxhkd , sxhkd
, bash , bash
, feh , feh
@ -24,7 +25,7 @@ stdenv.mkDerivation rec {
src = ./utils; src = ./utils;
nativeBuildInputs = [ makeWrapper pkg-config libxcb ]; nativeBuildInputs = [ makeWrapper pkg-config libxcb ];
buildInputs = [ libxcb bash feh xrandr jq curl fzy ytfzf ffmpeg ]; buildInputs = [ libxcb bash feh xrandr jq curl fzy ytfzf ffmpeg sshuttle ];
buildPhase = '' buildPhase = ''
ls ls
@ -37,7 +38,7 @@ stdenv.mkDerivation rec {
for i in $(ls $src/sh); do for i in $(ls $src/sh); do
cp $src/sh/$i $out/bin cp $src/sh/$i $out/bin
ln -sf $out/bin/tmenu_run $out/bin/regenerate ln -sf $out/bin/tmenu_run $out/bin/regenerate
wrapProgram $out/bin/$i --prefix PATH : ${lib.makeBinPath [ sxhkd bash feh xrandr jq figlet curl fzy ytfzf ffmpeg ]} wrapProgram $out/bin/$i --prefix PATH : ${lib.makeBinPath [ sxhkd bash feh xrandr jq figlet curl fzy ytfzf ffmpeg sshuttle ]}
done done
cp c/status/main $out/bin/statusbar cp c/status/main $out/bin/statusbar


@ -27,6 +27,12 @@ case "$(hostname)" in
bspc monitor VGA-1 -d 1 3 5 7 9 bspc monitor VGA-1 -d 1 3 5 7 9
bspc monitor HDMI-1 -d 2 4 6 8 0 bspc monitor HDMI-1 -d 2 4 6 8 0
;; ;;
"mlg")
# holdover configuration for the time being
xrandr --output eDP-1 --brightness 0
xrandr --output DP-1 --primary
bspc monitor DP-1 -d 1 2 3 4 5 6 7 8 9
;;
"x230t") "x230t")
echo "x230t" echo "x230t"
case "$1" in case "$1" in

5
builds/utils/sh/vpn Executable file

@ -0,0 +1,5 @@
#!/bin/sh
# a poor man's vpn
ip=$(dig +short beepboop.systems)
sshuttle --dns -r ryan@$ip:443 0/0
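Review bot: The output of `dig` is used unchecked and unquoted in `-r ryan@$ip:443`: an empty answer yields `ryan@:443`, and an answer with several records or a CNAME line expands to several words. Resolving to an address first also makes ssh look up the server's host key under the IP instead of the name, so a changed DNS answer produces a fresh unknown-host prompt rather than a check against the entry already pinned for the hostname. Unless the pre-resolution is needed for a reason not visible here, `exec sshuttle --dns -r ryan@beepboop.systems:443 0/0` is simpler and keeps the host-key check tied to the name; otherwise add `[ -n "$ip" ] || exit 1` and quote `"ryan@$ip:443"`. `dig` is also absent from the `makeBinPath` list that wraps these scripts in the utils derivation, so the script appears to rely on the caller's PATH for it.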

View File

@ -25,11 +25,11 @@
}, },
"locked": { "locked": {
"dir": "pkgs/firefox-addons", "dir": "pkgs/firefox-addons",
"lastModified": 1705709716, "lastModified": 1706081037,
"narHash": "sha256-YJdWSN3ra0FsAQT5PXe7uXxMeAXxTR+SY/wVOO1c6Bs=", "narHash": "sha256-R2dkUMLZa6qvRl4mXOG7bLHaGvoOYf5vIXWeyRDqML0=",
"owner": "rycee", "owner": "rycee",
"repo": "nur-expressions", "repo": "nur-expressions",
"rev": "d7ad3362283fced58410547650be31e37f9d0f41", "rev": "5f23ef51cad74dbf30633366e52eb895c9c633d1",
"type": "gitlab" "type": "gitlab"
}, },
"original": { "original": {
@ -93,11 +93,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1705641746, "lastModified": 1705916986,
"narHash": "sha256-D6c2aH8HQbWc7ZWSV0BUpFpd94ImFyCP8jFIsKQ4Slg=", "narHash": "sha256-iBpfltu6QvN4xMpen6jGGEb6jOqmmVQKUrXdOJ32u8w=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "d2003f2223cbb8cd95134e4a0541beea215c1073", "rev": "d7f206b723e42edb09d9d753020a84b3061a79d8",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -172,8 +172,7 @@
"firefox-addons": "firefox-addons", "firefox-addons": "firefox-addons",
"home-manager": "home-manager", "home-manager": "home-manager",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"simple-nixos-mailserver": "simple-nixos-mailserver", "simple-nixos-mailserver": "simple-nixos-mailserver"
"utilpkg": "utilpkg"
} }
}, },
"simple-nixos-mailserver": { "simple-nixos-mailserver": {
@ -201,23 +200,6 @@
"type": "gitlab" "type": "gitlab"
} }
}, },
"utilpkg": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1,
"narHash": "sha256-iemuV19UU8TriqixcvwdRUTa8lIrxc3Krwt4bHpUUWE=",
"path": "/nix/store/wazyj2lnn6ksl5v386m7f64v3zf64r80-source/builds",
"type": "path"
},
"original": {
"path": "/nix/store/wazyj2lnn6ksl5v386m7f64v3zf64r80-source/builds",
"type": "path"
}
},
"utils": { "utils": {
"locked": { "locked": {
"lastModified": 1605370193, "lastModified": 1605370193,


@ -11,16 +11,12 @@
url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons"; url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
utilpkg = {
url = "./builds";
inputs.nixpkgs.follows = "nixpkgs";
};
simple-nixos-mailserver = { simple-nixos-mailserver = {
url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.11"; url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.11";
}; };
}; };
outputs = { self, nixpkgs, home-manager, firefox-addons, simple-nixos-mailserver, utilpkg, ... }@inputs: { outputs = { self, nixpkgs, home-manager, firefox-addons, simple-nixos-mailserver, ... }@inputs: {
nixosConfigurations = { nixosConfigurations = {
netbox = nixpkgs.lib.nixosSystem { netbox = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
@ -49,6 +45,20 @@
} }
]; ];
}; };
mlg = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = { inherit inputs; };
modules = [
./boxes/mlg
home-manager.nixosModules.home-manager {
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.extraSpecialArgs = { inherit inputs; };
home-manager.users.usr = import ./boxes/mlg/home.nix;
}
];
};
virtbox = nixpkgs.lib.nixosSystem { virtbox = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
specialArgs = { inherit inputs; }; specialArgs = { inherit inputs; };


@ -6,10 +6,9 @@
]; ];
environment.systemPackages = [ environment.systemPackages = [
# is it this? this throws a similar error; no attr st, etc. (pkgs.callPackage ../builds/rebuild.nix {})
inputs.utilpkg.packages.x86_64-linux.st (pkgs.callPackage ../builds/st.nix {})
inputs.utilpkg.packages.x86_64-linux.rebuild (pkgs.callPackage ../builds/utils.nix {})
inputs.utilpkg.packages.x86_64-linux.utils
pkgs.man-pages pkgs.man-pages
]; ];

105
modules/ssh-phone-home.nix Normal file

@ -0,0 +1,105 @@
{ config, lib, pkgs, ... }:
# with thanks to
# https://www.auntieneo.net/2014/12/14/reverse-ssh-tunnel-on-nixos-with-systemd/
with lib;
let
inherit (pkgs) openssh;
cfg = config.services.ssh-phone-home;
in
{
###### interface
options = {
services.ssh-phone-home = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable a "phone home" reverse SSH proxy.
'';
};
persist = mkOption {
type = types.bool;
default = true;
description = ''
When this is set to true, the service will persistently attempt to
reconnect at intervals whenever the port forwarding operation fails.
This is the recommended behavior for reliable operation. If one finds
oneself in an environment where this kind of behavior might draw the
suspicion of a network administrator, it might be a good idea to
set this option to false (or not use <literal>ssh-phone-home</literal>
at all).
'';
};
localUser = mkOption {
description = ''
Local user to connect as (i.e. the user with password-less SSH keys).
'';
};
remoteHostname = mkOption {
description = ''
The remote host to connect to. This should be the host outside of the
firewall or NAT.
'';
};
remotePort = mkOption {
default = 22;
description = ''
The port on which to connect to the remote host via SSH protocol.
'';
};
remoteUser = mkOption {
description = ''
The username to connect to the remote host as.
'';
};
bindPort = mkOption {
default = 2222;
description = ''
The port to bind and listen to on the remote host.
'';
};
};
};
###### implementation
config = mkIf cfg.enable {
systemd.services.ssh-phone-home =
{
description = ''
Reverse SSH tunnel as a service
'';
# FIXME: This isn't triggered until a reboot, and probably won't work between suspends.
wantedBy = [ "multi-user.target" ];
serviceConfig = with cfg; {
User = cfg.localUser;
} // (if cfg.persist then
{
# Restart every 10 seconds on failure
RestartSec = 10;
Restart = "on-failure";
}
else {}
);
script = with cfg; ''
${openssh}/bin/ssh -NTC -o ServerAliveInterval=30 -o ExitOnForwardFailure=yes -R ${toString bindPort}:localhost:22 -l ${remoteUser} -p ${toString remotePort} ${remoteHostname}
'';
};
};
}
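Review bot: The `ssh` command in `script` runs unattended but sets neither `BatchMode` nor a host-key policy, and the module pins no host key for `remoteHostname`. With `persist` on, an unknown or changed server key therefore shows up only as a restart every 10 seconds. Add `-o BatchMode=yes -o StrictHostKeyChecking=yes` to the command and declare the server key through `programs.ssh.knownHosts`, so the tunnel only comes up against the expected host. The forward would be clearer as `-R localhost:${toString bindPort}:localhost:22`, which states the intended listen address in the request (the server's `GatewayPorts` setting still governs what is honoured). `localUser`, `remoteHostname`, `remoteUser`, `remotePort` and `bindPort` declare no `type` and are interpolated unquoted into the shell script; give them `type = types.str;` or `type = types.port;` and wrap the string values in `lib.escapeShellArg`.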