diff --git a/fleet.nix b/fleet.nix
index 8b4216b..2d4c0a0 100644
--- a/fleet.nix
+++ b/fleet.nix
@@ -31,10 +31,6 @@
 username = "nb";
 key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC1dDoAJUY58I+4SSfDAkO5kInsMcJT/r/mW+MYXLQVR";
 }
- {
- username = "nb-new";
- key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC1dDoAJUY58I+4SSfDAkO5kInsMcJT/r/mW+MYXLQVR";
- }
 {
 username = "fw";
 key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDtxpJAFohRtBaET9e7EE4I6UmeUT/h1ZTD1zeOHFiWB/AT71ooDT4/QukJOA3LqklDjtDQHH+qjGY50Wa8/oGTA/X3aBDPg5GAHN+U+kYO2UTC69VVjh4TTS35ijg+AdgegtMI4c0VIUMZB24tthV9KEbD20w6XnTzy2Q6PjbBrwsOeHYr9pkygJZDU65ZeKmLyR6yLaadHzXX1I7V2SwiakPEebhQaGipm540d+tAbirKCHcmiORkpd++e3dfwi25hC9bCQ7b3bdaFPAmuhhFEid4jpCt79X+l0qqpClgRLziBjYykNJDFKAljFBJA11/3ofPCuaBCDUuJVhAH044gtT3sbvJq1prd8ElZy6L1yc5YbfFgDMwi71Y2hef780NmDs5Opk9xUCKqdl1YfLyUDgdiiaZ8uhUMd2Ai9BAxJAXtcz/V41ngt3YkUVyGTZdTAODIKk44blGIkgs7JO4yam4UB1curbD0faIZnWLyS5pdFQ+FI05YVjoHXJdme8=";
diff --git a/hosts/mail/modules/openldap.nix b/hosts/mail/modules/openldap.nix
index be00dea..2fbd175 100644
--- a/hosts/mail/modules/openldap.nix
+++ b/hosts/mail/modules/openldap.nix
@@ -330,42 +330,6 @@ in {
 ];
 };
- "olcDatabase={9}mdb".attrs = {
- objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
-
- olcDatabase = "{9}mdb";
- olcDbDirectory = "/var/lib/openldap/data";
-
- olcSuffix = "dc=scana11y,dc=com";
-
- olcAccess = [
- ''
- {0}to attrs=userPassword
- by self write
- by anonymous auth
- by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
- by dn="cn=authelia,ou=system,ou=users,dc=cloonar,dc=com" write
- by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
- by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
- by * none
- ''
- ''
- {1}to attrs=pgpPublicKey
- by self write
- by anonymous read
- by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
- by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
- by * read
- ''
- ''
- {2}to *
- by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
- by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
- by * read
- ''
- ];
- };
-
 # "cn=module{0},cn=config" = {
 # attrs = {
 # objectClass = "olcModuleList";
diff --git a/hosts/nb/modules/desktop/default.nix b/hosts/nb/modules/desktop/default.nix
index 647f850..1e10d4b 100644
--- a/hosts/nb/modules/desktop/default.nix
+++ b/hosts/nb/modules/desktop/default.nix
@@ -65,7 +65,6 @@ in {
 pinentry
 rbw
 rofi-rbw
- swayimg
 thunderbird
 vlc
 wl-clipboard
diff --git a/hosts/web-arm/configuration.nix b/hosts/web-arm/configuration.nix
index b8f9db4..c4acebe 100644
--- a/hosts/web-arm/configuration.nix
+++ b/hosts/web-arm/configuration.nix
@@ -45,9 +45,6 @@
 ./sites/support.cloonar.dev.nix
 ./sites/stage.cloonar-technologies.at.nix
- ./sites/stage.scana11y.com.nix
- ./sites/scana11y.com.nix
- ./sites/cloonar.dev.nix
 ./sites/paraclub.at.nix
 ./sites/api.paraclub.at.nix
diff --git a/hosts/web-arm/sites/scana11y.com.nix b/hosts/web-arm/sites/scana11y.com.nix
deleted file mode 100644
index 9a25a9e..0000000
--- a/hosts/web-arm/sites/scana11y.com.nix
+++ /dev/null
@@ -1,45 +0,0 @@
-{ pkgs, lib, config, ... }:
-let
- domain = "scana11y.com";
- dataDir = "/var/www/${domain}";
- user = builtins.replaceStrings ["." "-"] ["_" "_"] domain;
-in {
- services.nginx.virtualHosts."${domain}" = {
- forceSSL = true;
- enableACME = true;
- acmeRoot = "/var/lib/acme/acme-challenge";
-
- root = "${dataDir}";
-
- locations."/favicon.ico".extraConfig = ''
- log_not_found off;
- access_log off;
- '';
-
- locations."/".extraConfig = ''
- index index.html;
- try_files $uri $uri/ /index.html$is_args$args;
- '';
-
- locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
- expires 365d;
- add_header Pragma "public";
- add_header Cache-Control "public";
- '';
-
- locations."~ [^/]\.php(/|$)".extraConfig = ''
- deny all;
- '';
- };
- users.users."${user}" = {
- isNormalUser = true;
- createHome = true;
- home = dataDir;
- homeMode= "770";
- group = "nginx";
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID20OFQ9ZbRC2GFH5cii7mAhyD28GBwqM+1+2b36HI4k"
- ];
- };
- users.groups.${user} = {};
-}
diff --git a/hosts/web-arm/sites/stage.scana11y.com.nix b/hosts/web-arm/sites/stage.scana11y.com.nix
deleted file mode 100644
index 5580e01..0000000
--- a/hosts/web-arm/sites/stage.scana11y.com.nix
+++ /dev/null
@@ -1,45 +0,0 @@
-{ pkgs, lib, config, ... }:
-let
- domain = "stage.scana11y.com";
- dataDir = "/var/www/${domain}";
- user = builtins.replaceStrings ["." "-"] ["_" "_"] domain;
-in {
- services.nginx.virtualHosts."${domain}" = {
- forceSSL = true;
- enableACME = true;
- acmeRoot = "/var/lib/acme/acme-challenge";
-
- root = "${dataDir}";
-
- locations."/favicon.ico".extraConfig = ''
- log_not_found off;
- access_log off;
- '';
-
- locations."/".extraConfig = ''
- index index.html;
- try_files $uri $uri/ /index.html$is_args$args;
- '';
-
- locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
- expires 365d;
- add_header Pragma "public";
- add_header Cache-Control "public";
- '';
-
- locations."~ [^/]\.php(/|$)".extraConfig = ''
- deny all;
- '';
- };
- users.users."${user}" = {
- isNormalUser = true;
- createHome = true;
- home = dataDir;
- homeMode= "770";
- group = "nginx";
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGIM0XUH9EUucDsvJKqwytgsTRcSsu6KmqAZ9LVgPre2"
- ];
- };
- users.groups.${user} = {};
-}
diff --git a/iso/configuration.nix b/iso/configuration.nix
index d6e7164..a9a2fa5 100644
--- a/iso/configuration.nix
+++ b/iso/configuration.nix
@@ -1,9 +1,5 @@
-{ config, lib, pkgs, ... }:
-let
- impermanence = builtins.fetchTarball "https://github.com/nix-community/impermanence/archive/master.tar.gz";
-in {
+{ config, lib, pkgs, ... }: {
 imports = [
- "${impermanence}/nixos.nix" #installer-only
 ./hardware-configuration.nix
@@ -54,34 +50,5 @@ in {
 zip
 ];
- environment.persistence."/nix/persist" = {
- hideMounts = true;
- directories = [
- "/home"
- ];
- };
- environment.persistence."/nix/persist/system" = {
- hideMounts = true;
- directories = [
- "/etc/nixos"
- "/root/.ssh"
- "/var/bento"
- "/var/log"
- "/var/lib/bluetooth"
- "/var/lib/docker"
- "/var/lib/flatpak"
- "/var/lib/fprint"
- "/var/lib/nixos"
- "/var/lib/mysql"
- "/etc/NetworkManager/system-connections"
- ];
- files = [
- { file = "/etc/ssh/ssh_host_ed25519_key"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
- { file = "/etc/ssh/ssh_host_ed25519_key.pub"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
- { file = "/etc/ssh/ssh_host_rsa_key"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
- { file = "/etc/ssh/ssh_host_rsa_key.pub"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
- ];
- };
-
 system.stateVersion = "23.05"; # Did you read the comment?
 }
diff --git a/iso/default.nix b/iso/default.nix
index 367cc98..6cc200d 100644
--- a/iso/default.nix
+++ b/iso/default.nix
@@ -44,12 +44,10 @@
 wait-for mkfs.fat -F 32 -n boot /dev/disk/by-partlabel/BOOT
 wait-for [ -b /dev/disk/by-partlabel/NIXOS ]
- ${cryptsetup}/bin/cryptsetup luksFormat --type=luks2 --label=root /dev/disk/by-partlabel/NIXOS /dev/zero --keyfile-size=1
- ${cryptsetup}/bin/cryptsetup luksOpen /dev/disk/by-partlabel/NIXOS root --key-file=/dev/zero --keyfile-size=1
- mkfs.btrfs -f -L nixos /dev/mapper/root
+ mkfs.btrfs -f -L nixos /dev/disk/by-partlabel/NIXOS
 sync
- mount /dev/mapper/root /mnt
+ mount /dev/disk/by-partlabel/NIXOS /mnt
 btrfs subvolume create /mnt/@
 btrfs subvolume create /mnt/@nix-store
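Review bot: The new `mkfs.btrfs -f -L nixos /dev/disk/by-partlabel/NIXOS` and the matching `mount /dev/disk/by-partlabel/NIXOS /mnt` write the filesystem straight onto the raw partition, so the LUKS2 container the removed luksFormat/luksOpen pair created is gone and everything the installed system stores on that partition is unencrypted at rest. The old layer was admittedly a placeholder (its key was a single zero byte read from /dev/zero, meant to be replaced after install), but removing it outright drops the path to full-disk encryption instead of fixing the placeholder, and nothing in the script records that decision. If plain-text storage is intended for this installer, say so above the mkfs line: `# NOTE: no LUKS layer — the NIXOS partition is plain btrfs, data at rest is unencrypted`. Otherwise keep the luksFormat/luksOpen pair and format /dev/mapper/root as before, replacing the /dev/zero key with a prompted passphrase. The install script begins before and continues after this hunk.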
@@ -58,56 +56,14 @@
 umount /mnt
 sync
- mount -t tmpfs -o size=16G,mode=755 tmpfs /mnt
- mkdir -p /mnt/nix
- mount -o noatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvol=@ /dev/mapper/root /mnt/nix
+ mount -o noatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvol=@ /dev/disk/by-partlabel/NIXOS /mnt
 mkdir -p /mnt/nix/{store,persist}
- mount -o noatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvol=@nix-store /dev/mapper/root /mnt/nix/store
- mount -o noatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvol=@nix-persist /dev/mapper/root /mnt/nix/persist
-
- mkdir -p /mnt/nix/persist/home
-
- mkdir -p /mnt/etc/nixos
- mkdir -p /mnt/nix/persist/system/etc/nixos
- mount --bind /mnt/nix/persist/system/etc/nixos /mnt/etc/nixos
- mkdir -p /mnt/root/.ssh
- mkdir -p /mnt/nix/persist/system/root/.ssh
- mount --bind /mnt/nix/persist/system/root/.ssh /mnt/root/.ssh
- mkdir -p /mnt/var/bento
- mkdir -p /mnt/nix/persist/system/var/bento
- mount --bind /mnt/nix/persist/system/var/bento /mnt/var/bento
- mkdir -p /mnt/var/log
- mkdir -p /mnt/nix/persist/system/var/log
- mount --bind /mnt/nix/persist/system/var/log /mnt/var/log
- mkdir -p /mnt/var/lib/bluetooth
- mkdir -p /mnt/nix/persist/system/var/lib/bluetooth
- mount --bind /mnt/nix/persist/system/var/lib/bluetooth /mnt/var/lib/bluetooth
- mkdir -p /mnt/var/lib/docker
- mkdir -p /mnt/nix/persist/system/var/lib/docker
- mount --bind /mnt/nix/persist/system/var/lib/docker /mnt/var/lib/docker
- mkdir -p /mnt/var/lib/flatpak
- mkdir -p /mnt/nix/persist/system/var/lib/flatpak
- mount --bind /mnt/nix/persist/system/var/lib/flatpak /mnt/var/lib/flatpak
- mkdir -p /mnt/var/lib/fprint
- mkdir -p /mnt/nix/persist/system/var/lib/fprint
- mount --bind /mnt/nix/persist/system/var/lib/fprint /mnt/var/lib/fprint
- mkdir -p /mnt/var/lib/nixos
- mkdir -p /mnt/nix/persist/system/var/lib/nixos
- mount --bind /mnt/nix/persist/system/var/lib/nixos /mnt/var/lib/nixos
- mkdir -p /mnt/var/lib/mysql
- mkdir -p 
/mnt/nix/persist/system/var/lib/mysql
- mount --bind /mnt/nix/persist/system/var/lib/mysql /mnt/var/lib/mysql
- mkdir -p /mnt/etc/NetworkManager/system-connections
- mkdir -p /mnt/nix/persist/system/etc/NetworkManager/system-connections
- mount --bind /mnt/nix/persist/system/etc/NetworkManager/system-connections /mnt/etc/NetworkManager/system-connections
+ mount -o noatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvol=@nix-store /dev/disk/by-partlabel/NIXOS /mnt/nix/store
+ mount -o noatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvol=@nix-persist /dev/disk/by-partlabel/NIXOS /mnt/nix/persist
 mkdir /mnt/boot
 wait-for mount /dev/disk/by-label/boot /mnt/boot
- mkdir -p /mnt/nix/persist/system/etc/ssh
- ssh-keygen -t ed25519 -N "" -f /mnt/nix/persist/system/etc/ssh/ssh_host_ed25519_key
- ssh-keygen -t rsa -b 4096 -N "" -f /mnt/nix/persist/system/etc/ssh/ssh_host_rsa_key
-
 install -D ${./configuration.nix} /mnt/etc/nixos/configuration.nix
 install -D ${./hardware-configuration.nix} /mnt/etc/nixos/hardware-configuration.nix
diff --git a/iso/hardware-configuration.nix b/iso/hardware-configuration.nix
index bb35b73..9ccd886 100644
--- a/iso/hardware-configuration.nix
+++ b/iso/hardware-configuration.nix
@@ -6,29 +6,9 @@
 fsType = "vfat";
 };
- fileSystems."/" = {
- device = "none";
- fsType = "tmpfs";
- options = [ "size=16G" "mode=755" ];
- };
-
- boot.initrd.luks.devices.root = {
- device = "/dev/disk/by-label/root";
-
- # WARNING: Leaks some metadata, see cryptsetup man page for --allow-discards.
- allowDiscards = true;
-
- # Set your own key with:
- # cryptsetup luksChangeKey /dev/disk/by-label/root --key-file=/dev/zero --keyfile-size=1
- # You can then delete the rest of this block.
- keyFile = "/dev/zero";
- keyFileSize = 1;
- };
-
- fileSystems."/nix" = {
- device = "/dev/mapper/root";
+ fileSystems."/" = {
+ device = "/dev/disk/by-partlabel/NIXOS";
 fsType = "btrfs";
- neededForBoot = true;
 options = [
 "subvol=@"
 "ssd"
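Review bot: The three added `mount -o noatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvol=…` lines repeat the same option string verbatim, which invites the subvolume mounts drifting apart the next time one option is tuned (the removed bind-mount block shows how fast repetition accumulates in this script). Define it once before the first mount, `opts=noatime,compress=zstd:3,ssd,discard=async,space_cache=v2`, then mount with `mount -o "$opts,subvol=@" /dev/disk/by-partlabel/NIXOS /mnt` and the equivalent lines for `@nix-store` and `@nix-persist`. Because the script lives inside a Nix string (it already interpolates `${cryptsetup}` elsewhere), write the shell variable as `$opts`, not `${opts}`, so Nix does not try to interpolate it. The installer script begins before and continues after this hunk.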
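Review bot: `device = "/dev/disk/by-partlabel/NIXOS";` on the new `fileSystems."/"` selects the root filesystem by a GPT partition name, and any other attached disk or USB stick can carry the same name; udev can point the `by-partlabel/NIXOS` symlink at only one of them, so on a machine with two such disks the initrd may mount the wrong partition as `/`. The removed LUKS block at least tied root to the container that opened (placeholder key or not); with it gone, the partition name is the only thing identifying the install. `nixos-generate-config` emits `by-uuid` device paths for this reason, so either pin the root to the filesystem UUID once it is known or leave a note next to the line: `# partlabel is not unique across disks; replace with by-uuid after install`. The `fileSystems."/"` attribute set continues past the end of this hunk.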
@@ -39,9 +19,8 @@
 };
 fileSystems."/nix/store" = {
- device = "/dev/mapper/root";
+ device = "/dev/disk/by-uuid/…";
 fsType = "btrfs";
- neededForBoot = true;
 options = [
 "subvol=@nix-store"
 "ssd"
@@ -52,9 +31,8 @@
 };
 fileSystems."/nix/persist" = {
- device = "/dev/mapper/root";
+ device = "/dev/disk/by-partlabel/NIXOS";
 fsType = "btrfs";
- neededForBoot = true;
 options = [
 "subvol=@nix-persist"
 "ssd"
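Review bot: `device = "/dev/disk/by-uuid/…";` on the `/nix/store` mount is a literal ellipsis, not a UUID, so this hardware-configuration points the store at a path that will never exist and the installed system cannot mount `/nix/store` at boot. The sibling `/` and `/nix/persist` mounts in the same commit use `/dev/disk/by-partlabel/NIXOS`, the partition the installer in iso/default.nix formats and mounts. Paste the real filesystem UUID once it is known, or at minimum use the same selector as the siblings: `device = "/dev/disk/by-partlabel/NIXOS";`. The script installs this file verbatim (`install -D ${./hardware-configuration.nix} /mnt/etc/nixos/hardware-configuration.nix`), so the placeholder ships with every install; the `fileSystems."/nix/store"` attribute set continues past the end of this hunk.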