diff --git a/fleet.nix b/fleet.nix
index 2d4c0a0..8b4216b 100644
--- a/fleet.nix
+++ b/fleet.nix
@@ -31,6 +31,10 @@
 username = "nb";
 key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC1dDoAJUY58I+4SSfDAkO5kInsMcJT/r/mW+MYXLQVR";
 }
+ {
+ username = "nb-new";
+ key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC1dDoAJUY58I+4SSfDAkO5kInsMcJT/r/mW+MYXLQVR";
+ }
 {
 username = "fw";
 key = "ssh-rsa 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";
diff --git a/hosts/mail/modules/openldap.nix b/hosts/mail/modules/openldap.nix
index 2fbd175..be00dea 100644
--- a/hosts/mail/modules/openldap.nix
+++ b/hosts/mail/modules/openldap.nix
@@ -330,6 +330,42 @@ in {
 ];
 };
 
+ "olcDatabase={9}mdb".attrs = {
+ objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
+
+ olcDatabase = "{9}mdb";
+ olcDbDirectory = "/var/lib/openldap/data";
+
+ olcSuffix = "dc=scana11y,dc=com";
+
+ olcAccess = [
+ ''
+ {0}to attrs=userPassword
+ by self write
+ by anonymous auth
+ by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
+ by dn="cn=authelia,ou=system,ou=users,dc=cloonar,dc=com" write
+ by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+ by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+ by * none
+ ''
+ ''
+ {1}to attrs=pgpPublicKey
+ by self write
+ by anonymous read
+ by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+ by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+ by * read
+ ''
+ ''
+ {2}to *
+ by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
+ by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
+ by * read
+ ''
+ ];
+ };
+
 # "cn=module{0},cn=config" = {
 # attrs = {
 # objectClass = "olcModuleList";
diff --git a/hosts/nb/modules/desktop/default.nix b/hosts/nb/modules/desktop/default.nix
index 1e10d4b..647f850 100644
--- a/hosts/nb/modules/desktop/default.nix
+++ b/hosts/nb/modules/desktop/default.nix
@@ -65,6 +65,7 @@ in {
 pinentry
 rbw
 rofi-rbw
+ swayimg
 thunderbird
 vlc
 wl-clipboard
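Review bot: The new `nb-new` entry carries exactly the same ssh-ed25519 public key as the `nb` entry directly above it, so two usernames now share one credential: rotating or revoking it for one identity silently affects the other, and a login cannot be attributed to a specific account from the key alone. If `nb-new` is meant to replace `nb`, drop the old entry in the same commit; if both are meant to stay, give the new one its own key pair. Either way a comment such as `# nb-new: transitional account, same key as nb until the migration completes` would record the intent for whoever audits this list later.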
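Review bot: The access rules of the new `{9}mdb` database end in `{2}to * ... by * read` (and `{1}to attrs=pgpPublicKey ... by anonymous read`), so every entry under `dc=scana11y,dc=com` other than userPassword is readable by unauthenticated binds; if this directory is reachable beyond the mail host, that permits anonymous enumeration of accounts and groups, and `by users read` (or `by * none`) would be the conservative default. All `by dn=`/`dn.subtree=`/`group.exact=` clauses name `dc=cloonar,dc=com` identities while the suffix is `dc=scana11y,dc=com`, which looks copied from the existing database; OpenLDAP accepts that because the bound DN may live in another database, but a comment such as `# service accounts and admins are shared with the cloonar tree on purpose` should state it is intentional. `olcDbDirectory = "/var/lib/openldap/data"` needs checking against the existing mdb database earlier in this file, which is outside the hunk: two mdb backends cannot share one directory, and no `olcRootDN` or `olcDbIndex` is set here. The enclosing attribute set continues outside the hunk.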
diff --git a/hosts/web-arm/configuration.nix b/hosts/web-arm/configuration.nix
index c4acebe..b8f9db4 100644
--- a/hosts/web-arm/configuration.nix
+++ b/hosts/web-arm/configuration.nix
@@ -45,6 +45,9 @@
 ./sites/support.cloonar.dev.nix
 ./sites/stage.cloonar-technologies.at.nix
+ ./sites/stage.scana11y.com.nix
+ ./sites/scana11y.com.nix
+ ./sites/cloonar.dev.nix
 ./sites/paraclub.at.nix
 ./sites/api.paraclub.at.nix
diff --git a/hosts/web-arm/sites/scana11y.com.nix b/hosts/web-arm/sites/scana11y.com.nix
new file mode 100644
index 0000000..9a25a9e
--- /dev/null
+++ b/hosts/web-arm/sites/scana11y.com.nix
@@ -0,0 +1,45 @@
+{ pkgs, lib, config, ... }:
+let
+ domain = "scana11y.com";
+ dataDir = "/var/www/${domain}";
+ user = builtins.replaceStrings ["." "-"] ["_" "_"] domain;
+in {
+ services.nginx.virtualHosts."${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ acmeRoot = "/var/lib/acme/acme-challenge";
+
+ root = "${dataDir}";
+
+ locations."/favicon.ico".extraConfig = ''
+ log_not_found off;
+ access_log off;
+ '';
+
+ locations."/".extraConfig = ''
+ index index.html;
+ try_files $uri $uri/ /index.html$is_args$args;
+ '';
+
+ locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
+ expires 365d;
+ add_header Pragma "public";
+ add_header Cache-Control "public";
+ '';
+
+ locations."~ [^/]\.php(/|$)".extraConfig = ''
+ deny all;
+ '';
+ };
+ users.users."${user}" = {
+ isNormalUser = true;
+ createHome = true;
+ home = dataDir;
+ homeMode= "770";
+ group = "nginx";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID20OFQ9ZbRC2GFH5cii7mAhyD28GBwqM+1+2b36HI4k"
+ ];
+ };
+ users.groups.${user} = {};
+}
diff --git a/hosts/web-arm/sites/stage.scana11y.com.nix b/hosts/web-arm/sites/stage.scana11y.com.nix
new file mode 100644
index 0000000..5580e01
--- /dev/null
+++ b/hosts/web-arm/sites/stage.scana11y.com.nix
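Review bot: `./sites/cloonar.dev.nix` is added to `imports` but no file of that name is created anywhere in this diff, so unless it already exists in the repository the web-arm configuration will fail to evaluate with a missing-path error. Either add the file in this commit or drop the import line. The surrounding `imports` list starts and ends outside the hunk.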
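Review bot: `homeMode= "770"` together with `group = "nginx"` makes the deploy user's home, which is also the nginx `root` of this vhost, group-writable by everything running in the `nginx` group, so a compromised worker (or any other service placed in that group) could replace the served files; `homeMode = "750"` gives nginx the read and traverse access it needs without write. `users.groups.${user} = {}` is then never used, because the user's primary group is `nginx` rather than its own group, so either drop it or make it the primary group. The two regex locations are written in Nix double-quoted strings, where `\.` is just `.` (Nix only treats `\n`, `\r` and `\t` specially; any other escaped character stands for itself), so nginx receives `~* .(js|jpg|...)$` and `~ [^/].php(/|$)`; write `\\.` or use a `''` string, e.g. `locations."~* \\.(js|jpg|gif|png|webp|css|woff2)$"`. The same three points apply verbatim to `hosts/web-arm/sites/stage.scana11y.com.nix` in the next hunk.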
@@ -0,0 +1,45 @@
+{ pkgs, lib, config, ... }:
+let
+ domain = "stage.scana11y.com";
+ dataDir = "/var/www/${domain}";
+ user = builtins.replaceStrings ["." "-"] ["_" "_"] domain;
+in {
+ services.nginx.virtualHosts."${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ acmeRoot = "/var/lib/acme/acme-challenge";
+
+ root = "${dataDir}";
+
+ locations."/favicon.ico".extraConfig = ''
+ log_not_found off;
+ access_log off;
+ '';
+
+ locations."/".extraConfig = ''
+ index index.html;
+ try_files $uri $uri/ /index.html$is_args$args;
+ '';
+
+ locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
+ expires 365d;
+ add_header Pragma "public";
+ add_header Cache-Control "public";
+ '';
+
+ locations."~ [^/]\.php(/|$)".extraConfig = ''
+ deny all;
+ '';
+ };
+ users.users."${user}" = {
+ isNormalUser = true;
+ createHome = true;
+ home = dataDir;
+ homeMode= "770";
+ group = "nginx";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGIM0XUH9EUucDsvJKqwytgsTRcSsu6KmqAZ9LVgPre2"
+ ];
+ };
+ users.groups.${user} = {};
+}
diff --git a/iso/configuration.nix b/iso/configuration.nix
index a9a2fa5..d6e7164 100644
--- a/iso/configuration.nix
+++ b/iso/configuration.nix
@@ -1,5 +1,9 @@
-{ config, lib, pkgs, ... }: {
+{ config, lib, pkgs, ... }:
+let
+ impermanence = builtins.fetchTarball "https://github.com/nix-community/impermanence/archive/master.tar.gz";
+in {
 imports = [
+ "${impermanence}/nixos.nix"
 #installer-only
 ./hardware-configuration.nix
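Review bot: `builtins.fetchTarball "https://github.com/nix-community/impermanence/archive/master.tar.gz"` pulls an unpinned, unverified snapshot of a third-party branch into the installed system's configuration: every evaluation fetches whatever `master` serves at that moment, there is no `sha256` to detect tampering or drift, and an offline rebuild of the installed host fails. Pin it to a specific commit and pass the hash, e.g. `impermanence = builtins.fetchTarball { url = "https://github.com/nix-community/impermanence/archive/<commit>.tar.gz"; sha256 = "<hash>"; };` (placeholders to be replaced with the real values), or track it as a flake or niv input alongside the rest of the repository. The `imports` list continues outside the hunk.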
@@ -50,5 +54,34 @@
 zip
 ];
 
+ environment.persistence."/nix/persist" = {
+ hideMounts = true;
+ directories = [
+ "/home"
+ ];
+ };
+ environment.persistence."/nix/persist/system" = {
+ hideMounts = true;
+ directories = [
+ "/etc/nixos"
+ "/root/.ssh"
+ "/var/bento"
+ "/var/log"
+ "/var/lib/bluetooth"
+ "/var/lib/docker"
+ "/var/lib/flatpak"
+ "/var/lib/fprint"
+ "/var/lib/nixos"
+ "/var/lib/mysql"
+ "/etc/NetworkManager/system-connections"
+ ];
+ files = [
+ { file = "/etc/ssh/ssh_host_ed25519_key"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
+ { file = "/etc/ssh/ssh_host_ed25519_key.pub"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
+ { file = "/etc/ssh/ssh_host_rsa_key"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
+ { file = "/etc/ssh/ssh_host_rsa_key.pub"; parentDirectory = { mode = "u=rwx,g=,o="; }; }
+ ];
+ };
+
 system.stateVersion = "23.05"; # Did you read the comment?
 }
diff --git a/iso/default.nix b/iso/default.nix
index 6cc200d..367cc98 100644
--- a/iso/default.nix
+++ b/iso/default.nix
@@ -44,10 +44,12 @@
 wait-for mkfs.fat -F 32 -n boot /dev/disk/by-partlabel/BOOT
 wait-for [ -b /dev/disk/by-partlabel/NIXOS ]
- mkfs.btrfs -f -L nixos /dev/disk/by-partlabel/NIXOS
+ ${cryptsetup}/bin/cryptsetup luksFormat --type=luks2 --label=root /dev/disk/by-partlabel/NIXOS /dev/zero --keyfile-size=1
+ ${cryptsetup}/bin/cryptsetup luksOpen /dev/disk/by-partlabel/NIXOS root --key-file=/dev/zero --keyfile-size=1
+ mkfs.btrfs -f -L nixos /dev/mapper/root
 sync
- mount /dev/disk/by-partlabel/NIXOS /mnt
+ mount /dev/mapper/root /mnt
 btrfs subvolume create /mnt/@
 btrfs subvolume create /mnt/@nix-store
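Review bot: `/var/log` is persisted but `/etc/machine-id` is not in the `files` list, so with a tmpfs root the host gets a fresh machine-id on every boot; systemd-journald then writes each boot's logs under a new `/var/log/journal/<machine-id>/` directory and `journalctl` shows only the current one by default, which breaks log continuity for troubleshooting and incident review. Add `"/etc/machine-id"` to the `files` list of the `/nix/persist/system` block. The SSH host key entries are what keep the host's identity stable across reboots; a one-line comment above them, `# host keys must survive reboots or clients get host-key-changed warnings`, would record why they are persisted. The `directories` list also duplicates the `mkdir`/`mount --bind` sequence in `iso/default.nix` further down in this diff, so the two must be kept in sync whenever a path is added.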
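Review bot: The `luksFormat`/`luksOpen` lines encrypt the root volume with a one-byte key read from `/dev/zero`, and `iso/hardware-configuration.nix` (further down in this diff) ships the same `keyFile = "/dev/zero"` for the initrd, so until the operator performs the `luksChangeKey` step mentioned in that file the encryption adds no confidentiality: the key is public knowledge and the volume unlocks for anyone who holds the disk. That is acceptable only as a scaffold; at minimum the script should print the change-key instruction when it finishes, and if the installer runs interactively it is better to let `cryptsetup luksFormat` prompt for a passphrase (omit the `/dev/zero --keyfile-size=1` arguments) and drop `keyFile`/`keyFileSize` from `boot.initrd.luks.devices.root`. The hunk also references `${cryptsetup}`, whose binding (`with pkgs;` or similar) sits before the hunk and cannot be checked here. The surrounding script string continues outside the hunk on both sides.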
@@ -56,14 +58,56 @@
 umount /mnt
 sync
- mount -o noatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvol=@ /dev/disk/by-partlabel/NIXOS /mnt
+ mount -t tmpfs -o size=16G,mode=755 tmpfs /mnt
+ mkdir -p /mnt/nix
+ mount -o noatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvol=@ /dev/mapper/root /mnt/nix
 mkdir -p /mnt/nix/{store,persist}
- mount -o noatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvol=@nix-store /dev/disk/by-partlabel/NIXOS /mnt/nix/store
- mount -o noatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvol=@nix-persist /dev/disk/by-partlabel/NIXOS /mnt/nix/persist
+ mount -o noatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvol=@nix-store /dev/mapper/root /mnt/nix/store
+ mount -o noatime,compress=zstd:3,ssd,discard=async,space_cache=v2,subvol=@nix-persist /dev/mapper/root /mnt/nix/persist
+
+ mkdir -p /mnt/nix/persist/home
+
+ mkdir -p /mnt/etc/nixos
+ mkdir -p /mnt/nix/persist/system/etc/nixos
+ mount --bind /mnt/nix/persist/system/etc/nixos /mnt/etc/nixos
+ mkdir -p /mnt/root/.ssh
+ mkdir -p /mnt/nix/persist/system/root/.ssh
+ mount --bind /mnt/nix/persist/system/root/.ssh /mnt/root/.ssh
+ mkdir -p /mnt/var/bento
+ mkdir -p /mnt/nix/persist/system/var/bento
+ mount --bind /mnt/nix/persist/system/var/bento /mnt/var/bento
+ mkdir -p /mnt/var/log
+ mkdir -p /mnt/nix/persist/system/var/log
+ mount --bind /mnt/nix/persist/system/var/log /mnt/var/log
+ mkdir -p /mnt/var/lib/bluetooth
+ mkdir -p /mnt/nix/persist/system/var/lib/bluetooth
+ mount --bind /mnt/nix/persist/system/var/lib/bluetooth /mnt/var/lib/bluetooth
+ mkdir -p /mnt/var/lib/docker
+ mkdir -p /mnt/nix/persist/system/var/lib/docker
+ mount --bind /mnt/nix/persist/system/var/lib/docker /mnt/var/lib/docker
+ mkdir -p /mnt/var/lib/flatpak
+ mkdir -p /mnt/nix/persist/system/var/lib/flatpak
+ mount --bind /mnt/nix/persist/system/var/lib/flatpak /mnt/var/lib/flatpak
+ mkdir -p /mnt/var/lib/fprint
+ mkdir -p /mnt/nix/persist/system/var/lib/fprint
+ mount --bind /mnt/nix/persist/system/var/lib/fprint /mnt/var/lib/fprint
+ mkdir -p /mnt/var/lib/nixos
+ mkdir -p /mnt/nix/persist/system/var/lib/nixos
+ mount --bind /mnt/nix/persist/system/var/lib/nixos /mnt/var/lib/nixos
+ mkdir -p /mnt/var/lib/mysql
+ mkdir -p /mnt/nix/persist/system/var/lib/mysql
+ mount --bind /mnt/nix/persist/system/var/lib/mysql /mnt/var/lib/mysql
+ mkdir -p /mnt/etc/NetworkManager/system-connections
+ mkdir -p /mnt/nix/persist/system/etc/NetworkManager/system-connections
+ mount --bind /mnt/nix/persist/system/etc/NetworkManager/system-connections /mnt/etc/NetworkManager/system-connections
 mkdir /mnt/boot
 wait-for mount /dev/disk/by-label/boot /mnt/boot
+ mkdir -p /mnt/nix/persist/system/etc/ssh
+ ssh-keygen -t ed25519 -N "" -f /mnt/nix/persist/system/etc/ssh/ssh_host_ed25519_key
+ ssh-keygen -t rsa -b 4096 -N "" -f /mnt/nix/persist/system/etc/ssh/ssh_host_rsa_key
+
 install -D ${./configuration.nix} /mnt/etc/nixos/configuration.nix
 install -D ${./hardware-configuration.nix} /mnt/etc/nixos/hardware-configuration.nix
diff --git a/iso/hardware-configuration.nix b/iso/hardware-configuration.nix
index 9ccd886..bb35b73 100644
--- a/iso/hardware-configuration.nix
+++ b/iso/hardware-configuration.nix
@@ -6,9 +6,29 @@
 fsType = "vfat";
 };
 
- fileSystems."/" = {
- device = "/dev/disk/by-partlabel/NIXOS";
+ fileSystems."/" = {
+ device = "none";
+ fsType = "tmpfs";
+ options = [ "size=16G" "mode=755" ];
+ };
+
+ boot.initrd.luks.devices.root = {
+ device = "/dev/disk/by-label/root";
+
+ # WARNING: Leaks some metadata, see cryptsetup man page for --allow-discards.
+ allowDiscards = true;
+
+ # Set your own key with:
+ # cryptsetup luksChangeKey /dev/disk/by-label/root --key-file=/dev/zero --keyfile-size=1
+ # You can then delete the rest of this block.
+ keyFile = "/dev/zero";
+ keyFileSize = 1;
+ };
+
+ fileSystems."/nix" = {
+ device = "/dev/mapper/root";
 fsType = "btrfs";
+ neededForBoot = true;
 options = [
 "subvol=@"
 "ssd"
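Review bot: The eleven `mkdir -p`/`mkdir -p`/`mount --bind` triples are the same three commands with one path substituted, and that path list is a hand-copied duplicate of the `directories` list in `iso/configuration.nix`; a path added to one list and forgotten in the other either leaves data un-persisted or bind-mounts a directory the running system does not expect. A shell loop over the list keeps the hunk short and makes the pairing with `configuration.nix` visible in one place (inside this Nix `''` string the variable must be written `$d` without braces, since `${...}` is Nix interpolation). The `ssh-keygen -N ""` lines create the host keys in the persisted store before `configuration.nix` is installed, which is the right order for a first boot without host-key warnings. The enclosing script string starts and ends outside the hunk.
```nix
# … unchanged: luks/btrfs/tmpfs mounts up to /mnt/nix/persist/home …
for d in etc/nixos root/.ssh var/bento var/log var/lib/bluetooth var/lib/docker \
         var/lib/flatpak var/lib/fprint var/lib/nixos var/lib/mysql \
         etc/NetworkManager/system-connections; do
  mkdir -p "/mnt/$d" "/mnt/nix/persist/system/$d"
  mount --bind "/mnt/nix/persist/system/$d" "/mnt/$d"
done
# … unchanged: /mnt/boot mount, host key generation, install -D …
```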
@@ -19,8 +39,9 @@
 };
 
 fileSystems."/nix/store" = {
- device = "/dev/disk/by-uuid/…";
+ device = "/dev/mapper/root";
 fsType = "btrfs";
+ neededForBoot = true;
 options = [
 "subvol=@nix-store"
 "ssd"
@@ -31,8 +52,9 @@
 };
 
 fileSystems."/nix/persist" = {
- device = "/dev/disk/by-partlabel/NIXOS";
+ device = "/dev/mapper/root";
 fsType = "btrfs";
+ neededForBoot = true;
 options = [
 "subvol=@nix-persist"
 "ssd"