Commit graph

189 commits

Author SHA1 Message Date
Simon Bruder ea45b45c60
restic: Fix restic-auth script
Since I migrated to sops, the password store structure changed.
2021-05-27 14:38:33 +02:00
Simon Bruder 2c8a291ae9
Make flake inputs available as module argument
This moves a bunch of stuff out of flake.nix into the modules they
belong to. This removes complexity from flake.nix and gives the project
a more organised structure.

Sadly, it is not possible to import modules from a flake outside of
flake.nix, since that leads to an infinite recursion (`config` has to be
evaluated before `config._modules.args.inputs` is available but `config`
depends on an import from `config._modules.args.inputs`). Therefore, the
`extraModules` argument in `machines/default.nix` has to be used for
that (it now has access to all flake inputs).
2021-05-15 10:04:44 +02:00
Simon Bruder 400b55a293
Convert to flake
Fixes #3.
2021-05-01 17:36:58 +02:00
Simon Bruder af036e88db
nix: Enable flake support 2021-05-01 17:08:21 +02:00
Simon Bruder 5b5bf546b3
wireguard: Simplify sopsFile path 2021-05-01 16:53:06 +02:00
Simon Bruder 8a339c51a2
Show system closure diff on activation 2021-04-25 09:50:03 +02:00
Simon Bruder feb82fca2e
nix: Make netrc readable by wheel group
This also splits the nix configuration from the default module into its
own file.
2021-04-09 11:34:49 +02:00
Simon Bruder 8d9e3af211
Add binary cache hosted on fuuko
See machines/fuuko/services/binary-cache.nix for limitations.
2021-04-08 16:19:57 +02:00
Simon Bruder 07d4260b95
nix: Use daemonNiceLevel instead of CPUSchedulingPolicy 2021-04-08 15:42:49 +02:00
Simon Bruder 4a8a7e0a4f
Use sops for secrets
Since I currently do not have access to sayuri, sayuri’s migration is
not done yet. The host keys and wg-home-private-key secret still have to
be added.
2021-04-06 14:05:48 +02:00
Simon Bruder b595aceb7c
initrd-ssh: Treat host-key as state
This also removes the explicit passing of the public key fingerprint to
the unlock script, since the host key is no longer available in pass.
Unlocking still works, since the keys are configured in modules/ssh.nix.
2021-04-06 11:45:04 +02:00
Simon Bruder 41f8d468b6
restic/system: Include /root and /etc 2021-04-06 10:47:05 +02:00
Simon Bruder a102f691a6
tools: Add ssh-to-pgp 2021-04-06 10:21:48 +02:00
Simon Bruder 37f95b3d79
ssh: Add global known hosts
Fixes #47.
2021-04-04 11:29:31 +02:00
Simon Bruder 0212f2adbd
fuuko/drone: Init 2021-04-03 18:47:01 +02:00
Simon Bruder ce7425d8c4
Remove issei from vpn and prometheus 2021-04-02 18:13:09 +02:00
Simon Bruder e94c72e42e
Add open ports for quick tests 2021-03-29 22:26:10 +02:00
Simon Bruder a7ad88a5ec
Include unstable channel as overlay
This allows nix cli tools to access unstable from niv’s pinned rev
(instead of having to rely on uncached and unpinned
channel:nixos-unstable). Also packageOverrides might get
deprecated/removed[1] eventually.

[1]: https://github.com/NixOS/nixpkgs/issues/43266
2021-03-29 12:03:58 +02:00
Simon Bruder c8b7a9c8e9
gui: Install adwaita icons system-wide 2021-03-27 13:22:34 +01:00
Simon Bruder c1992958bf
media-proxy: Start after network is online 2021-03-27 12:45:43 +01:00
Simon Bruder 58c72c3200
Allow build on machines that are missing secrets 2021-03-21 11:36:14 +01:00
Simon Bruder 9b9f574d52
tools: Add dmidecode 2021-03-10 15:49:53 +01:00
Simon Bruder d73da1a131
restic/system: Limit upload to 1.5M by default 2021-03-08 18:46:35 +01:00
Simon Bruder 07f152cb20
fuuko: Add media file index 2021-03-08 15:40:41 +01:00
Simon Bruder 878bdd30d5
fuuko: Add ftp server and scan converter 2021-03-08 15:30:04 +01:00
Simon Bruder 542a89ef57
sayuri: Add foldingathome specialisation 2021-03-06 15:32:18 +01:00
Simon Bruder 270f20d05b
Add nginx hardening option 2021-03-05 15:58:53 +01:00
Simon Bruder 83f1c69713
restic/system: Constantly use system for naming
In the future I may create add other backup jobs, so it should be clear,
that this only backs up the system.
2021-02-28 12:22:43 +01:00
Simon Bruder d7272e9db3
restic: Simplify timerConfig
The upstream restic module validates the types anyway, so I can drop the
ugly expression to copy the option.
2021-02-28 12:22:42 +01:00
Simon Bruder 6a8904011a
restic: Fix typo in excludes filename 2021-02-28 12:22:42 +01:00
Simon Bruder c77328af22
Replace builtins with lib where possible 2021-02-27 19:57:00 +01:00
Simon Bruder 2a4e358502
node_exporter: Disable rapl collector
It does not work since the service does not have permission and
therefore writes errors into the journal every scrape.
2021-02-21 00:06:16 +01:00
Simon Bruder 13876617f5
node_exporter: Fix name of systemd collector 2021-02-21 00:04:26 +01:00
Simon Bruder 785bb2214b
wireguard/home: Add dns server 2021-02-20 19:57:10 +01:00
Simon Bruder be7e67cf1f
wireguard/home: Make vueko central server
This also restructures the wireguard/home configuration, since now
better peer management is possible.
2021-02-20 19:57:04 +01:00
Simon Bruder c921c2802a
tools: Add compsize 2021-02-20 12:47:27 +01:00
Simon Bruder e0ef586e5e
nginx-interactive-index: Init 2021-02-18 12:10:03 +01:00
Simon Bruder b00498f23d
tools: Add hdparm 2021-02-14 15:30:44 +01:00
Simon Bruder eb97e936ed
zsh: Use grml config system wide 2021-02-14 13:29:51 +01:00
Simon Bruder 15cdd42845
Remove global swapiness
All machines should either import <nixpkgs-hardware/common/pc/hdd> or
<nixpkgs-hardware/common/pc/ssd> if they have swap.
2021-02-08 23:20:31 +01:00
Simon Bruder 29c6d37142
Remove journald extra configuration
Since `Storage=persistent` is the default in NixOS, it is not needed.
2021-02-08 23:19:02 +01:00
Simon Bruder 78c9a2cab9
tools: Add (r)age 2021-02-08 19:17:13 +01:00
Simon Bruder 62f1dbe30f
mailserver: Disable recipient_restrictions for submission
Otherwise, sending mails to slow destinations might fail (with the
client throwing an error).
2021-02-06 16:51:10 +01:00
Simon Bruder 9c62905442
mailserver: Add module 2021-02-06 12:48:05 +01:00
Simon Bruder 335f2908e7
tools: Add ccze 2021-02-05 17:51:29 +01:00
Simon Bruder 5ed071c0ed
Move admin tools to system tools
Fixes #37.

This also removes some tools from the user profile since I do not need
them anymore.
2021-02-05 17:34:34 +01:00
Simon Bruder 998d47fd1a
nix: Only keep outputs and drvs on full systems 2021-02-05 17:19:19 +01:00
Simon Bruder 1437601d5a
Reduce locales and disable docs on small systems 2021-02-05 15:36:51 +01:00
Simon Bruder 520d750404
firewall: Entirely disable reverse path checking
This hopefully fixes #26 (or more specific a regression caused by it,
see the comment in the issue). I didn’t test it for long, but it seems
to work.
2021-02-02 21:40:30 +01:00
Simon Bruder 34c801c7e9
Make it possible to disable smartd per-machine
On virtual machines it does not make much sense to have it activated
(also the service fails to start).
2021-02-01 17:03:26 +01:00