From 4a8bcb34590faadc02e0d30a4443d4fa81f4ac41 Mon Sep 17 00:00:00 2001
From: Profpatsch
Date: Mon, 31 Oct 2022 21:28:40 +0100
Subject: haku: prepare for new deployment

Comment out a lot of the old stuff that I might not want to re-enable later. And get rid of the pre-tailscale wireguard desaster.
---
 machines/profpatsch/haku.nix | 321 ++++++++++++++++++++-----------------------
 1 file changed, 147 insertions(+), 174 deletions(-)
(limited to 'machines/profpatsch')
diff --git a/machines/profpatsch/haku.nix b/machines/profpatsch/haku.nix
index 1f9cb1b3..9bae1fc8 100644
--- a/machines/profpatsch/haku.nix
+++ b/machines/profpatsch/haku.nix
@@ -41,32 +41,37 @@ in config = { + system.stateVersion = "22.11"; + # TODO abstract out vuizvui.modifyNixPath = false; - nix.nixPath = [ - "nixpkgs=${with pkgs.vuizvui.profpatsch; filterSourceGitignoreWith { - gitignoreLines = - readGitignoreFile "${toString pkgs.path}/.gitignore"; - globMap = glob: - # filter out the non-rooted file globs, - # because those take forever to filter - # (10(!) seconds evaluation time in my test). - if (!glob.isDir && !glob.isRooted) - then null - else glob; - } pkgs.path}" - # TODO? - # "vuizvui=/root/vuizvui" - # TODO: nicer? - "nixos-config=${pkgs.writeText "haku-configuration.nix" '' - (import ).profpatsch.haku.config - ''}" - ]; + # nix.nixPath = [ + # "nixpkgs=${with pkgs.vuizvui.profpatsch; filterSourceGitignoreWith { + # gitignoreLines = + # readGitignoreFile "${toString pkgs.path}/.gitignore"; + # globMap = glob: + # # filter out the non-rooted file globs, + # # because those take forever to filter + # # (10(!) seconds evaluation time in my test). + # if (!glob.isDir && !glob.isRooted) + # then null + # else glob; + # } pkgs.path}" + # # TODO? + # # "vuizvui=/root/vuizvui" + # # TODO: nicer? + # "nixos-config=${pkgs.writeText "haku-configuration.nix" '' + # (import ).profpatsch.haku.config + # ''}" + # ]; vuizvui.user.profpatsch.server.sshPort = sshPort; boot.loader.grub.device = "/dev/sda"; + boot.initrd.availableKernelModules = [ "ahci" ]; + boot.kernelModules = [ "kvm-intel" ]; + fileSystems = { "/" = { device = "/dev/sda3"; 
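Review bot: With `nix.nixPath` commented out and the context line `vuizvui.modifyNixPath = false;` kept, nothing in this hunk pins `<nixpkgs>` or `<nixos-config>` on the host any more, so — assuming `modifyNixPath = false` means the module leaves NIX_PATH alone — an ad-hoc `nixos-rebuild` run on haku would resolve them from whatever channel the host happens to have instead of the gitignore-filtered `pkgs.path` the old block used. If the new deployment is driven from outside the machine, as the subject suggests, a one-line comment above the commented block makes that a decision rather than an apparent oversight, e.g. `# nixPath intentionally unset: haku is built and deployed from outside, not via nixos-rebuild on the host — TODO confirm`. The enclosing `config = { … }` attribute set starts before this hunk and continues past it.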
@@ -78,148 +83,144 @@ in }; }; + swapDevices = [ + { device = "/dev/sda4"; } + ]; + + hardware.cpu.intel.updateMicrocode = true; + environment.systemPackages = with pkgs; [ mktorrent # torrent file creator - pkgs.vuizvui.profpatsch.warpspeed # trivial http file server + # pkgs.vuizvui.profpatsch.warpspeed # trivial http file server ]; - users.groups.data-seeding = {}; + # users.groups.data-seeding = {}; users.users = { root.openssh.authorizedKeys.keys = [ myKey ]; - rtorrent = { - isNormalUser = true; - extraGroups = [ "data-seeding" ]; - }; - vorstand = { - isNormalUser = true; - openssh.authorizedKeys.keys = [ myKey - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUgS0VB5XayQobQfOi0tYeqpSSCXzftTKEyII4OYDhuF0/CdXSqOIvdqnWQ8933lPZ5234qCXCniIlRJpJQLBPJdJ7/XnC6W37asuft6yVYxTZnZat8edCuJETMvwZJZNttxHC04k3JPf9RMj25luICWabICH5XP9Mz3GoWSaOz7IOm7jiLQiF3UtiFOG06w76d3UfcIVbqjImwWv8nysphi9IQfL0XgC24zNE6LSeE7IN5xTOxoZxORQGsCEnFNCPevReNcSB0pI9xQ1iao7evaZkpzT4D4iQ/K7Ss8dsfFWN30NPMQS5ReQTUKtmGn1YlgkitiYTEXbMjkYbQaQr daniel@shadow" - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtfWeIH7YZpWUUOZ3oC5FB2/J+P3scxm29gUQdVij/K0TuxW1yN/HtcvrO1mwSshS6sNZ2N6/Kb6+kuGyx1mEnaFt87K5ucxC7TNqiURh4eeZE1xX7B5Ob8TVegrBxoe+vcfaoyxn7sUzgF719H0aYC7PP6p3AIbhq3hRLcvY26u9/gZ39H79A71wCunauvpcnpb+rqyJMN6m2YoeOcoloe7wUDI8Xw5dUetHpNKn9k1vzS16CdwP4pAKI8aBtdNK7ZojVMe9LfBG8HHPr9K+cwcaxQuXkFBJzrfrtBCfQwrgWppsu/W/kGBs1ybku2bOFI5UXJBnsraXQqr1NLIfL phj@phj-X220" - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDj8dla7nOE7RSho2/9LAn+DANYkB1BmMoNryzTQ5mUJWukf5coCc+aNJcXYeu5dSTEicW2qQuD8mt8SDI5Qzv4oSpIYEsd0j4eW/BlC5XYd+4jS7Hfk/a1mJjMG7jdvOUtK3lLtrKaHxVUUjqdxKzzFBZlPov6FgHSJ//h1HxreV/Y0jL94qSvK39FZde5xlV/wQBvpglrMNu7FFWqyeKrOZ7U8D70scFliIuPok/02iQ31P+ncUfV3XrFyJodQq8J3hYEorGVKp3nNM1zaLlg8uqHk18Zt0GFnEAClBrC13yjM0jpMvaMyuXMaWuKeqsBZeUyaSo1j6BNsW/bFjiJ thomas-glamsch@gmx.de" - "ssh-rsa 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 lisanne.wolters@gmx.net" - ]; - }; + # rtorrent = { + # isNormalUser = true; + # extraGroups = [ 
"data-seeding" ]; + # }; - youtube2audiopodcast = { - isSystemUser = true; - group = "youtube2audiopodcast"; - }; + # youtube2audiopodcast = { + # isSystemUser = true; + # group = "youtube2audiopodcast"; + # }; }; # semi-tmp - vuizvui.services.drawpile = { - enable = true; - configFile = '' - [config] - serverTitle = bsalc - sessionSizeLimit = 200MB - sessionCountLimit = 1 - persistence = true - idleTimeLimit = 0 - title = Welcome to the bsalc server! - ''; - }; - - vuizvui.services.profpatsch.gonic = { - enable = true; - listenAddress = "${tailscaleAddress}:${toString gonicPortTailscale}"; - musicDir = "/data/seeding"; - musicDirGroup = "data-seeding"; - podcastDir = "/data/podcasts"; - podcastDirGroup = "data-seeding"; - scanIntervalMinutes = 10; - }; - - services.samba = { - enable = true; - enableNmbd = false; - enableWinbindd = false; - nsswins = false; - extraConfig = '' - # only listen to tailscale - interfaces = ${tailscaleInterface} - smb ports = ${toString sambaPortTailscale} - ''; - shares = { - data-seeding = { - "path" = "/data/seeding"; - "read only" = "yes"; - "browsable" = "yes"; - "guest ok" = "yes"; - }; - }; - }; - # somewhat hacky, but we want tailscale to be up - systemd.services.samba-smbd.wants = [ "tailscaled.service" ]; - systemd.services.samba-smbd.after = [ "tailscaled.service" ]; - - systemd.services.warpspeed = - let user = config.users.users.rtorrent; - in { - description = "internally served public files (see nginx)"; - wantedBy = [ "default.target" ]; - serviceConfig.WorkingDirectory = "${user.home}/public"; - # *6: all hosts, v6 preferred - script = ''${pkgs.vuizvui.profpatsch.warpspeed}/bin/warpspeed "*6" ${toString warpspeedPort}''; - serviceConfig.User = config.users.users.rtorrent.name; - }; - - systemd.services.youtube2audiopodcast = - let user = config.users.users.youtube2audiopodcast; - in { - description = "serve a youtube playlist as rss"; - wantedBy = [ "default.target" ]; - script = 
"${pkgs.vuizvui.profpatsch.youtube2audiopodcast { - url = "https://${hakuHostName}${youtube2audiopodcastSubdir}"; - internalPort = toString youtube2audiopodcastPort; - }}"; - serviceConfig.User = config.users.users.youtube2audiopodcast.name; - }; + # vuizvui.services.drawpile = { + # enable = true; + # configFile = '' + # [config] + # serverTitle = bsalc + # sessionSizeLimit = 200MB + # sessionCountLimit = 1 + # persistence = true + # idleTimeLimit = 0 + # title = Welcome to the bsalc server! + # ''; + # }; + + # vuizvui.services.profpatsch.gonic = { + # enable = true; + # listenAddress = "${tailscaleAddress}:${toString gonicPortTailscale}"; + # musicDir = "/data/seeding"; + # musicDirGroup = "data-seeding"; + # podcastDir = "/data/podcasts"; + # podcastDirGroup = "data-seeding"; + # scanIntervalMinutes = 10; + # }; + + # services.samba = { + # enable = true; + # enableNmbd = false; + # enableWinbindd = false; + # nsswins = false; + # extraConfig = '' + # # only listen to tailscale + # interfaces = ${tailscaleInterface} + # smb ports = ${toString sambaPortTailscale} + # ''; + # shares = { + # data-seeding = { + # "path" = "/data/seeding"; + # "read only" = "yes"; + # "browsable" = "yes"; + # "guest ok" = "yes"; + # }; + # }; + # }; + # # somewhat hacky, but we want tailscale to be up + # systemd.services.samba-smbd.wants = [ "tailscaled.service" ]; + # systemd.services.samba-smbd.after = [ "tailscaled.service" ]; + + # systemd.services.warpspeed = + # let user = config.users.users.rtorrent; + # in { + # description = "internally served public files (see nginx)"; + # wantedBy = [ "default.target" ]; + # serviceConfig.WorkingDirectory = "${user.home}/public"; + # # *6: all hosts, v6 preferred + # script = ''${pkgs.vuizvui.profpatsch.warpspeed}/bin/warpspeed "*6" ${toString warpspeedPort}''; + # serviceConfig.User = config.users.users.rtorrent.name; + # }; + + # systemd.services.youtube2audiopodcast = + # let user = config.users.users.youtube2audiopodcast; + # in { + 
# description = "serve a youtube playlist as rss"; + # wantedBy = [ "default.target" ]; + # script = "${pkgs.vuizvui.profpatsch.youtube2audiopodcast { + # url = "https://${hakuHostName}${youtube2audiopodcastSubdir}"; + # internalPort = toString youtube2audiopodcastPort; + # }}"; + # serviceConfig.User = config.users.users.youtube2audiopodcast.name; + # }; security.acme.acceptTerms = true; - security.acme.email = "mail@profpatsch.de"; - - services.nginx = { - enable = true; - virtualHosts.${hakuHostName} = { - forceSSL = true; - enableACME = true; - locations."/pub/" = { - proxyPass = "http://127.0.0.1:${toString warpspeedPort}/"; - }; - locations."${youtube2audiopodcastSubdir}/" = { - proxyPass = "http://127.0.0.1:${toString youtube2audiopodcastPort}/"; - }; - locations."/".root = - let lojbanistanSrc = pkgs.fetchFromGitHub { - owner = "lojbanistan"; - repo = "lojbanistan.de"; - rev = "ef02aa8f074d0d5209839cd12ba7a67685fdaa05"; - sha256 = "1hr2si73lam463pcf25napfbk0zb30kgv3ncc0ahv6wndjpsvg7z"; - }; - in pkgs.runCommandLocal "lojbanistan-www" {} '' - mkdir $out - echo "coi do" > $out/index.html - ${pkgs.imagemagick}/bin/convert \ - ${lojbanistanSrc}/design/flag-of-lojbanistan-icon.svg \ - -define icon:auto-resize=64,48,32,16 \ - $out/favicon.ico - ''; - serverAliases = [ "lojbanistan.de" ]; - }; - }; + security.acme.defaults.email = "mail@profpatsch.de"; + + # services.nginx = { + # enable = true; + # virtualHosts.${hakuHostName} = { + # forceSSL = true; + # enableACME = true; + # locations."/pub/" = { + # proxyPass = "http://127.0.0.1:${toString warpspeedPort}/"; + # }; + # locations."${youtube2audiopodcastSubdir}/" = { + # proxyPass = "http://127.0.0.1:${toString youtube2audiopodcastPort}/"; + # }; + # locations."/".root = + # let lojbanistanSrc = pkgs.fetchFromGitHub { + # owner = "lojbanistan"; + # repo = "lojbanistan.de"; + # rev = "ef02aa8f074d0d5209839cd12ba7a67685fdaa05"; + # sha256 = "1hr2si73lam463pcf25napfbk0zb30kgv3ncc0ahv6wndjpsvg7z"; + # }; + # in 
pkgs.runCommandLocal "lojbanistan-www" {} '' + # mkdir $out + # echo "coi do" > $out/index.html + # ${pkgs.imagemagick}/bin/convert \ + # ${lojbanistanSrc}/design/flag-of-lojbanistan-icon.svg \ + # -define icon:auto-resize=64,48,32,16 \ + # $out/favicon.ico + # ''; + # serverAliases = [ "lojbanistan.de" ]; + # }; + # }; networking = { - nat = { - enable = true; - externalInterface = ethernetInterface; - internalInterfaces = [ wireguard.interface ]; - }; - hostName = "haku"; + + useNetworkd = true; + + interfaces.enp0s20.useDHCP = true; + firewall = { allowedTCPPorts = [ 80 443 
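Review bot: The only live change in this hunk besides the comment-outs is the rename `security.acme.email` → `security.acme.defaults.email`, and with `services.nginx` (the only `enableACME` consumer visible here) commented out, `security.acme.acceptTerms = true` and the e-mail are now settings with no certificate to apply to, which is harmless but will send the next reader looking for the consumer; a comment such as `# kept for when the nginx vhosts below are re-enabled; defaults.email replaces the deprecated security.acme.email` would save that search. The `vorstand` account and its four authorized SSH keys are deleted outright rather than commented like `rtorrent` and `youtube2audiopodcast`; that reads as intentional access removal, but since the commit message only speaks of commenting things out, it is worth stating explicitly so the distinction is not mistaken for an accident. The enclosing `config = { … }` set starts before this hunk and the `networking = { … }` set it opens continues into the next one.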
@@ -228,48 +229,20 @@ in 60100 ]; allowedUDPPorts = [ - wireguard.port 60100 ]; + # warning: Strict reverse path filtering breaks Tailscale exit node use and some subnet routing setups. Consider setting `networking.firewall.checkReversePath` = 'loose' + checkReversePath = "loose"; + interfaces.${tailscaleInterface} = { allowedTCPPorts = [ gonicPortTailscale sambaPortTailscale ]; }; - - # forward wireguard connections to ethernet device (VPN) - extraCommands = '' - iptables -t nat -A POSTROUTING -s ${wireguard.internalNetwork.range} -o ${ethernetInterface} -j MASQUERADE - '' - # drop every other kind of forwarding, except from wg0 to epn (and bridge wg) - + '' - iptables -P FORWARD DROP - iptables -A FORWARD -i ${wireguard.interface} -o ${ethernetInterface} -j ACCEPT - iptables -A FORWARD -o ${wireguard.interface} -i ${ethernetInterface} -j ACCEPT - iptables -A FORWARD -i ${wireguard.interface} -o ${wireguard.interface} -j ACCEPT - ''; }; - wireguard.interfaces.${wireguard.interface} = { - ips = [ wireguard.internalNetwork.server ]; - listenPort = wireguard.port; - privateKeyFile = "/root/keys/wg/vpn.priv"; - - peers = [ - { # shiki (TODO: factor out) - publicKey = "x3ko/R8PLzcyjVjqot9qmGBb3NrG/4JvgRkIOQMEsUA="; - allowedIPs = [ (wireguard.internalNetwork.addr 2) ]; - } - { # mushu - publicKey = "Stx6N4/JurtAuYX+43WPOCLBqheE99O6WRvxW+sd3jw="; - allowedIPs = [ (wireguard.internalNetwork.addr 3) ]; - } - ]; - }; - - nameservers = [ "62.210.16.6" "62.210.16.7" -- cgit 1.4.1
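Review bot: `checkReversePath = "loose"` relaxes reverse-path filtering for every interface, not only the tailscale one, and the new comment above it is the pasted warning text rather than the reason for the choice; if exit-node or subnet-routing use is actually planned, say so, e.g. `# loose rp_filter: needed for tailscale exit-node/subnet routing, strict mode drops the returned traffic`, and otherwise keep the strict default. The per-interface rule `interfaces.${tailscaleInterface}.allowedTCPPorts = [ gonicPortTailscale sambaPortTailscale ]` and the global `80 443` entries are left in place although gonic, samba and nginx are all commented out in the previous hunk, so those allow rules now have no listener behind them; commenting them out together with the services keeps the firewall in step with what actually runs. Removing the NAT block also removes the explicit `iptables -P FORWARD DROP` policy, and as far as I can tell the NixOS firewall does not set a FORWARD policy of its own, so if IP forwarding is later enabled for tailscale routing the kernel's default ACCEPT policy will apply — worth a note next to `checkReversePath`. The `networking = { … }` set starts in the previous hunk and its `nameservers` list continues past the end of this one.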