diff --git a/flake.lock b/flake.lock index 299f626..e74d8bd 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "catppuccin": { "locked": { - "lastModified": 1720472194, - "narHash": "sha256-CYscFEts6tyvosc1T29nxhzIYJAj/1CCEkV3ZMzSN/c=", + "lastModified": 1721784420, + "narHash": "sha256-bgF6fN4Qgk7NErFKGuuqWXcLORsiykTYyqMUFRiAUBY=", "owner": "catppuccin", "repo": "nix", - "rev": "d75d5803852fb0833767dc969a4581ac13204e22", + "rev": "8bdb55cc1c13f572b6e4307a3c0d64f1ae286a4f", "type": "github" }, "original": { @@ -99,11 +99,11 @@ ] }, "locked": { - "lastModified": 1720734513, - "narHash": "sha256-neWQ8eNtLTd+YMesb7WjKl1SVCbDyCm46LUgP/g/hdo=", + "lastModified": 1722203588, + "narHash": "sha256-91V5FMSQ4z9bkhTCf0f86Zjw0bh367daSf0mzCIW0vU=", "owner": "nix-community", "repo": "home-manager", - "rev": "90ae324e2c56af10f20549ab72014804a3064c7f", + "rev": "792757f643cedc13f02098d8ed506d82e19ec1da", "type": "github" }, "original": { @@ -119,11 +119,11 @@ ] }, "locked": { - "lastModified": 1720926593, - "narHash": "sha256-fW6e27L6qY6s+TxInwrS2EXZZfhMAlaNqT0sWS49qMA=", + "lastModified": 1722136042, + "narHash": "sha256-x3FmT4QSyK28itMiR5zfYhUrG5nY+2dv+AIcKfmSp5A=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "5fe5b0cdf1268112dc96319388819b46dc051ef4", + "rev": "c0ca47e8523b578464014961059999d8eddd4aae", "type": "github" }, "original": { @@ -143,11 +143,11 @@ ] }, "locked": { - "lastModified": 1720920808, - "narHash": "sha256-aq9nBiDz0i+JH47YDtPcx/f5OaMMxy/JvBNLDMe97aI=", + "lastModified": 1722302960, + "narHash": "sha256-byZl18UZCHy3vLhxrXp8THzlzmwNfil93ZQLY30i7/Q=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "2571d560820e4ce23cf060a4460cebc0d9d17f60", + "rev": "e1a1e6cabd0140ed353e173290e6d92510f5fd66", "type": "github" }, "original": { 
@@ -158,11 +158,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1720737798, - "narHash": "sha256-G/OtEAts7ZUvW5lrGMXSb8HqRp2Jr9I7reBuvCOL54w=", + "lastModified": 1722278305, + "narHash": "sha256-xLBAegsn9wbj+pQfbX07kykd5VBV3Ywk3IbObVAAlWA=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "c5013aa7ce2c7ec90acee5d965d950c8348db751", + "rev": "eab049fe178c11395d65a858ba1b56461ba9652d", "type": "github" }, "original": { @@ -174,11 +174,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1721187324, - "narHash": "sha256-QA/hwTo9TsEbtTxFjHdyIopyRqVbC3psML9D1CuSGcg=", + "lastModified": 1722307517, + "narHash": "sha256-QTsnr7l9MlOVMASsv6w1luxAKqR32RJceBYQlg5bpkM=", "owner": "xinyangli", "repo": "nixpkgs", - "rev": "5a00e83edebdcf87790dfa0a304b092f4e3ed694", + "rev": "ebd00a4a357b00eb56b5d11f57aeb2b1fca9be34", "type": "github" }, "original": { @@ -190,11 +190,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1720691131, - "narHash": "sha256-CWT+KN8aTPyMIx8P303gsVxUnkinIz0a/Cmasz1jyIM=", + "lastModified": 1722087241, + "narHash": "sha256-2ShmEaFi0kJVOEEu5gmlykN5dwjWYWYUJmlRTvZQRpU=", "owner": "nixos", "repo": "nixpkgs", - "rev": "a046c1202e11b62cbede5385ba64908feb7bfac4", + "rev": "8c50662509100d53229d4be607f1a3a31157fa12", "type": "github" }, "original": { @@ -206,11 +206,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1720915306, - "narHash": "sha256-6vuViC56+KSr+945bCV8akHK+7J5k6n/epYg/W3I5eQ=", + "lastModified": 1721524707, + "narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "74348da2f3a312ee25cea09b98cdba4cb9fa5d5d", + "rev": "556533a23879fc7e5f98dd2e0b31a6911a213171", "type": "github" }, "original": { 
@@ -222,11 +222,11 @@
 },
 "nur": {
 "locked": {
- "lastModified": 1720935990,
- "narHash": "sha256-SAji50yPFmnQfD2XsDHk6tqEkRHDcWMpEoOlnEneqAY=",
+ "lastModified": 1722304333,
+ "narHash": "sha256-fC+PkQuMo1DykB7my6VLPOQi6ugnZuOGdGmAAKCmFVY=",
 "owner": "nix-community",
 "repo": "NUR",
- "rev": "42851361fdfde870bfd7e3c71f2ac5d3113c63d6",
+ "rev": "6cfe9fb0882d3d57fd67c783905757bb10b9115e",
 "type": "github"
 },
 "original": {
@@ -258,11 +258,11 @@
 "nixpkgs-stable": "nixpkgs-stable_2"
 },
 "locked": {
- "lastModified": 1720926522,
- "narHash": "sha256-eTpnrT6yu1vp8C0B5fxHXhgKxHoYMoYTEikQx///jxY=",
+ "lastModified": 1722114803,
+ "narHash": "sha256-s6YhI8UHwQvO4cIFLwl1wZ1eS5Cuuw7ld2VzUchdFP0=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "0703ba03fd9c1665f8ab68cc3487302475164617",
+ "rev": "eb34eb588132d653e4c4925d862f1e5a227cc2ab",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 422c338..c2ba7c6 100644
--- a/flake.nix
+++ b/flake.nix
@@ -59,6 +59,7 @@
 , ... }@inputs: let
 sharedHmModules = [
+ inputs.sops-nix.homeManagerModules.sops
 inputs.nix-index-database.hmModules.nix-index
 catppuccin.homeManagerModules.catppuccin
 self.homeManagerModules
@@ -100,6 +101,7 @@
 };
 in {
+ nixpkgs = nixpkgs;
 nixosModules.default = import ./modules/nixos;
 homeManagerModules = import ./modules/home-manager;
@@ -175,6 +177,18 @@
 machines/raspite/configuration.nix
 ] ++ sharedColmenaModules;
 };
+
+ weilite = { ... }: {
+ imports = [
+ machines/weilite
+ ] ++ sharedColmenaModules;
+ deployment = {
+ targetHost = "weilite.coho-tet.ts.net";
+ targetPort = 22;
+ buildOnTarget = false;
+ };
+ nixpkgs.system = "x86_64-linux";
+ };
 };
 nixosConfigurations = {
diff --git a/home/xin/calcite.nix b/home/xin/calcite.nix
index 9ba1359..b26d5d8 100644
--- a/home/xin/calcite.nix
+++ b/home/xin/calcite.nix
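Review bot: `nixpkgs = nixpkgs;` in the outputs is the long form of `inherit nixpkgs;`, and re-exporting an input as a flake output is unusual enough that the reason belongs next to it, e.g. `inherit nixpkgs; # re-export the pinned nixpkgs so other flakes can follow this fork`. That comment should also say that the pin is the personal fork `xinyangli/nixpkgs` (per the flake.lock hunks above) rather than upstream, so anything that follows this output inherits that trust decision. The outputs attribute set this line sits in starts and ends outside the hunk.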
@@ -54,4 +54,9 @@
 vscode = { enable = true; languages = { cxx = true; python = true; scala = true; latex = true; }; };
 zellij = { enable = true; };
 };
+
+ programs.atuin = {
+ enable = true;
+ flags = [ "--disable-up-arrow" ];
+ };
 }
diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix
index 66c7b50..56cbfe5 100644
--- a/machines/massicot/default.nix
+++ b/machines/massicot/default.nix
@@ -33,6 +33,7 @@
 boot.loader.grub = {
 enable = true;
 efiSupport = true;
+ configurationLimit = 5;
 };
 fileSystems."/mnt/storage" = {
diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix
index a9889f0..2bb6541 100644
--- a/machines/massicot/services.nix
+++ b/machines/massicot/services.nix
@@ -63,6 +63,7 @@ in
 };
 };
 services.kanidm = {
+ package = pkgs.kanidm.withSecretProvisioning;
 enableServer = true;
 serverSettings = {
 domain = "auth.xinyang.life";
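Review bot: `package = pkgs.kanidm.withSecretProvisioning;` selects a kanidm build variant that, as far as I recall, carries additional provisioning patches on top of the upstream release, yet none of the OAuth2 clients declared in the next hunk sets a `basicSecretFile`, so this diff does not show why the variant is needed. If the NixOS module asserts on it whenever `provision.enable` is set, record that with `package = pkgs.kanidm.withSecretProvisioning; # required by services.kanidm.provision`; otherwise the stock `pkgs.kanidm` keeps the identity provider on the unmodified upstream build, which is preferable for a security-critical service. The enclosing `services.kanidm` set continues past the end of this hunk.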
@@ -72,6 +73,84 @@ in
 tls_chain = ''${config.security.acme.certs."auth.xinyang.life".directory}/fullchain.pem'';
 # db_path = "/var/lib/kanidm/kanidm.db";
 };
+ provision = {
+ enable = true;
+ autoRemove = true;
+ groups = {
+ forgejo-access = {
+ members = [ "xin" ];
+ };
+ gts-users = {
+ members = [ "xin" ];
+ };
+ ocis-users = {
+ members = [ "xin" ];
+ };
+ linux_users = {
+ members = [ "xin" ];
+ };
+ hedgedoc-users = {
+ members = [ "xin" ];
+ };
+ immich-users = {
+ members = [ "xin" "zhuo" ];
+ };
+ };
+ persons = {
+ xin = {
+ displayName = "Xinyang Li";
+ mailAddresses = [ "lixinyang411@gmail.com" ];
+ };
+
+ zhuo = {
+ displayName = "Zhuo";
+ mailAddresses = [ "13681104320@163.com" ];
+ };
+ };
+ systems.oauth2 = {
+ forgejo = {
+ displayName = "ForgeJo";
+ originUrl = "https://git.xinyang.life/";
+ originLanding = " https://git.xinyang.life/user/oauth2/kandim";
+ allowInsecureClientDisablePkce = true;
+ scopeMaps = {
+ forgejo-access = [ "openid" "email" "profile" "groups" ];
+ };
+ };
+ gts = {
+ displayName = "GoToSocial";
+ originUrl = "https://xinyang.life/";
+ allowInsecureClientDisablePkce = true;
+ scopeMaps = {
+ gts-users = [ "openid" "email" "profile" "groups" ];
+ };
+ };
+ owncloud = {
+ displayName = "ownCloud";
+ originUrl = "https://home.xinyang.life:9201/";
+ public = true;
+ scopeMaps = {
+ ocis-users = [ "openid" "email" "profile" ];
+ };
+ };
+ hedgedoc = {
+ displayName = "HedgeDoc";
+ originUrl = "https://docs.xinyang.life/";
+ allowInsecureClientDisablePkce = true;
+ scopeMaps = {
+ hedgedoc-users = [ "openid" "email" "profile" ];
+ };
+ };
+ immich-mobile = {
+ displayName = "Immich";
+ originUrl = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";
+ allowInsecureClientDisablePkce = true;
+ scopeMaps = {
+ immich-users = [ "openid" "email" "profile" ];
+ };
+ };
+ };
+ };
 };
 services.matrix-conduit = {
 enable = true;
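Review bot: The `originLanding` of the `forgejo` client carries a leading space (`" https://git.xinyang.life/user/oauth2/kandim"`) and its last path segment reads `kandim` where the Forgejo provider is presumably named `kanidm`; the value will either fail URL validation at provisioning time or be stored verbatim and break the post-login redirect, so it should become `originLanding = "https://git.xinyang.life/user/oauth2/kanidm";` once the provider name is confirmed in Forgejo. Four of the five clients set `allowInsecureClientDisablePkce = true`, which the option name itself flags as insecure; keep it only on clients verified to be unable to send a `code_verifier` (check the current Forgejo and HedgeDoc releases before weakening them), and `immich-mobile`, whose `originUrl` is a mobile redirect endpoint, is exactly the public-client case where PKCE is the main defence against authorization-code interception — the `owncloud` entry already shows the `public = true` pattern that keeps PKCE on. `autoRemove = true` will also delete any group, person or OAuth2 client that exists in the running Kanidm instance but is not declared here, so anything previously created interactively must be added to this file before the first deploy. The enclosing `services.kanidm` set starts before this hunk.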
@@ -179,10 +258,6 @@ in
 virtualHosts."http://auth.xinyang.life:80".extraConfig = ''
 reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP}
- route {
- reverse_proxy * ${config.security.acme.certs."auth.xinyang.life".listenHTTP} order first
- abort
- }
 '';
 virtualHosts."https://auth.xinyang.life".extraConfig = ''
 reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} {
diff --git a/machines/weilite/default.nix b/machines/weilite/default.nix
new file mode 100644
index 0000000..83bd70b
--- /dev/null
+++ b/machines/weilite/default.nix
@@ -0,0 +1,88 @@
+{ config, pkgs, lib, modulesPath, ... }:
+
+with lib;
+
+{
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ config = {
+ networking.hostName = "weilite";
+ commonSettings = {
+ auth.enable = true;
+ nix = {
+ enable = true;
+ enableMirrors = true;
+ };
+ };
+
+ boot = {
+ loader = {
+ systemd-boot.enable = true;
+ efi.canTouchEfiVariables = true;
+ };
+ initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "usb_storage" "sd_mod" ];
+ kernelModules = [ "kvm-intel" ];
+ };
+
+ environment.systemPackages = [
+ pkgs.virtiofsd
+ ];
+
+ systemd.mounts = [
+ { what = "XinPhotos";
+ where = "/mnt/XinPhotos";
+ type = "virtiofs";
+ wantedBy = [ "immich-server.service" ];
+ }
+ ];
+
+ services.openssh.ports = [ 22 2222 ];
+
+ services.immich = {
+ enable = true;
+ mediaLocation = "/mnt/XinPhotos/immich";
+ host = "127.0.0.1";
+ port = 3001;
+ openFirewall = true;
+ machine-learning.enable = false;
+ environment = {
+ IMMICH_MACHINE_LEARNING_ENABLED = "false";
+ };
+ };
+
+ services.dae = {
+ enable = true;
+ configFile = "/var/lib/dae/config.dae";
+ };
+
+ services.tailscale = {
+ enable = true;
+ openFirewall = true;
+ permitCertUid = "caddy";
+ };
+
+ services.caddy = {
+ enable = true;
+ virtualHosts."weilite.coho-tet.ts.net:8080".extraConfig = ''
+ reverse_proxy 127.0.0.1:${toString config.services.immich.port}
+ '';
+ };
+
+ time.timeZone = "Asia/Shanghai";
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-label/nixos";
+ fsType = "btrfs";
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/sda1";
+ fsType = "vfat";
+ options = [ "fmask=0022" "dmask=0022" ];
+ };
+
+ system.stateVersion = "24.11";
+ };
+}
diff --git a/modules/home-manager/zellij.nix b/modules/home-manager/zellij.nix
index 6eda3e5..e03047c 100644
--- a/modules/home-manager/zellij.nix
+++ b/modules/home-manager/zellij.nix
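Review bot: `services.immich.openFirewall = true` punches port 3001 through the firewall on every interface even though the service binds `host = "127.0.0.1"` and is only reached through the Caddy vhost on the tailnet; the rule is dead today but turns into a direct, unauthenticated exposure of Immich the moment `host` is changed, so drop it (`openFirewall = false;` or remove the line) and keep Caddy as the only path in. `services.openssh.ports = [ 22 2222 ]` adds a second listener, and the openssh module opens every listed port in the firewall by default, so if 2222 is meant only for the tailnet a comment saying why it exists (or `services.openssh.openFirewall = false;` plus an explicit rule) would keep the exposed surface deliberate. `services.dae.configFile` points at `/var/lib/dae/config.dae`, which nothing in this diff provisions; a comment noting how that file gets onto the host, and that it presumably holds proxy endpoints or credentials, would help the next deployer. `with lib;` at the top is unused, since no `lib` name is referenced in the file, and can be removed.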
@@ -19,6 +19,13 @@ in
 "Ctrl p"
 "Ctrl n"
 ];
+ shared_except = {
+ _args = [ "pane" "locked" ];
+ bind = {
+ _args = [ "Ctrl b"];
+ SwitchToMode = "Pane";
+ };
+ };
 };
 };
 };
diff --git a/modules/nixos/common-settings/auth.nix b/modules/nixos/common-settings/auth.nix
new file mode 100644
index 0000000..f70d350
--- /dev/null
+++ b/modules/nixos/common-settings/auth.nix
@@ -0,0 +1,41 @@
+{ config, lib, pkgs, ... }:
+
+let
+ inherit (lib) mkIf mkEnableOption mkOption types;
+
+ cfg = config.commonSettings.auth;
+in
+{
+ options.commonSettings.auth = {
+ enable = mkEnableOption "Common auth settings for servers";
+ };
+
+ config = mkIf cfg.enable {
+ custom.kanidm-client = {
+ enable = true;
+ uri = "https://auth.xinyang.life";
+ asSSHAuth = {
+ enable = true;
+ allowedGroups = [ "linux_users" ];
+ };
+ sudoers = [ "xin@auth.xinyang.life" ];
+ };
+
+ services.openssh = {
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ PermitRootLogin = "no";
+ GSSAPIAuthentication = "no";
+ KerberosAuthentication = "no";
+ };
+ };
+ services.fail2ban.enable = true;
+
+ security.sudo = {
+ execWheelOnly = true;
+ wheelNeedsPassword = false;
+ };
+ };
+}
+
diff --git a/modules/nixos/common-nix-conf.nix b/modules/nixos/common-settings/nix-conf.nix
similarity index 100%
rename from modules/nixos/common-nix-conf.nix
rename to modules/nixos/common-settings/nix-conf.nix
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 0d64656..7908b49 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -1,7 +1,8 @@
 { config, pkgs, ... }: {
 imports = [
- ./common-nix-conf.nix
+ ./common-settings/auth.nix
+ ./common-settings/nix-conf.nix
 ./restic.nix
 ./vaultwarden.nix
 ./prometheus.nix
diff --git a/modules/nixos/vaultwarden.nix b/modules/nixos/vaultwarden.nix
index 6c0af66..b4c7d04 100644
--- a/modules/nixos/vaultwarden.nix
+++ b/modules/nixos/vaultwarden.nix
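Review bot: `wheelNeedsPassword = false` under `security.sudo` in the new auth.nix gives every wheel member password-less root, and because `custom.kanidm-client.sudoers` also maps `xin@auth.xinyang.life` into sudo, a stolen SSH key or a compromised Kanidm account in `linux_users` becomes root on every host that enables this module with no second check. Prefer the default `wheelNeedsPassword = true` (Kanidm's unix integration can back the sudo prompt with a per-account posix password, if that is set up) or, if the trade-off is deliberate, say so in place: `wheelNeedsPassword = false; # deliberate: SSH is key-only, so any key compromise is already full root`. The OpenSSH settings are a sound key-only baseline; a one-line comment that `KbdInteractiveAuthentication = false` also rules out any Kanidm PAM-based interactive login would save the next reader a check, and `mkOption` and `types` in the `inherit (lib)` line are unused and can be dropped. `custom.kanidm-client` is a project option whose definition is not in this diff, so the meaning of `asSSHAuth` and `sudoers` is inferred from their names.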
@@ -22,8 +22,8 @@ in
 # TODO: mailserver support
 };
 };
- config = {
- services.vaultwarden = mkIf cfg.enable {
+ config = mkIf cfg.enable {
+ services.vaultwarden = {
 enable = true;
 dbBackend = "sqlite";
 config = {