diff --git a/default.nix b/default.nix index 47c528e..79c1614 100755 --- a/default.nix +++ b/default.nix @@ -2,7 +2,7 @@ let inherit (builtins) toString; - inherit (lib.modules) mkDefault; + inherit (lib.modules) mkDefault mkIf; inherit (lib.my) mapModulesRec'; in { imports = @@ -15,6 +15,7 @@ in { package = pkgs.nix; # flake registry and nix path pinning + # might not be needed? see: https://github.com/NixOS/nixpkgs/commit/e456032addae76701eb17e6c03fc515fd78ad74f nixPath = [ "nixpkgs=${inputs.nixpkgs}" ]; registry.nixpkgs.flake = inputs.nixpkgs; @@ -32,6 +33,9 @@ in { }; }; + # set our git revision inside `nixos-version` + system.configurationRevision = with inputs; mkIf (self ? rev) self.rev; + time.timeZone = mkDefault "America/Los_Angeles"; i18n.defaultLocale = mkDefault "en_US.UTF-8"; diff --git a/flake.lock b/flake.lock index 586528d..f566bec 100755 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1709485962, - "narHash": "sha256-rmFB4uE10+LJbcVE4ePgiuHOBlUIjQOeZt4VQVJTU8M=", + "lastModified": 1710164657, + "narHash": "sha256-l64+ZjaQAVkHDVaK0VHwtXBdjcBD6nLBD+p7IfyBp/w=", "owner": "nix-community", "repo": "home-manager", - "rev": "d579633ff9915a8f4058d5c439281097e92380a8", + "rev": "017b12de5b899ef9b64e2c035ce257bfe95b8ae2", "type": "github" }, "original": { @@ -22,11 +22,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1709237383, - "narHash": "sha256-cy6ArO4k5qTx+l5o+0mL9f5fa86tYUX3ozE1S+Txlds=", + "lastModified": 1709961763, + "narHash": "sha256-6H95HGJHhEZtyYA3rIQpvamMKAGoa8Yh2rFV29QnuGw=", "owner": "nixos", "repo": "nixpkgs", - "rev": "1536926ef5621b09bba54035ae2bb6d806d72ac8", + "rev": "3030f185ba6a4bf4f18b87f345f104e6a6961f34", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 3d96afd..3527f24 100755 --- a/flake.nix +++ b/flake.nix 
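Review bot: `mkIf (self ? rev) self.rev` records no revision at all when the system is built from a dirty checkout, so a deployed generation cannot be traced back to the commit it came from in exactly the case where provenance matters most. Newer Nix exposes `self.dirtyRev` for that case; `system.configurationRevision = inputs.self.rev or inputs.self.dirtyRev or null;` keeps the clean-tree behaviour and still labels dirty builds (confirm the Nix version in use provides `dirtyRev`). The `with inputs;` pulls every flake input name into scope just to reach `self`; `inputs.self` is clearer and avoids shadowing. Separately, the new "might not be needed?" comment on `nixPath` is worth resolving before the pin is removed, since without it `<nixpkgs>` resolves to whatever channel the invoking user has rather than the locked input.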
@@ -1,5 +1,5 @@ { - description = "Flake-o-rama"; + description = "a collection of personal nix configurations"; inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; diff --git a/hosts/server/default.nix b/hosts/nixos-server-reid/default.nix similarity index 69% rename from hosts/server/default.nix rename to hosts/nixos-server-reid/default.nix index 7608a91..03e1335 100755 --- a/hosts/server/default.nix +++ b/hosts/nixos-server-reid/default.nix @@ -4,20 +4,16 @@ let in { imports = [ - ./hardware-configuration.nix + ./hardware.nix ./webapps/default.nix ]; - users.groups.dotfiles = {}; - - # HACK HACK HACK - services.logrotate.checkConfig = false; - # HACK HACK HACK - normalUsers = { reidlab = { conf = { - packages = with pkgs; [ bat tree micro duf ]; + packages = with pkgs; [ + bat btop duf file micro nix-output-monitor tree which + ]; extraGroups = [ "wheel" "dotfiles" ]; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICmwWuwS+a1GzYFSNOkgk/zF5bolXqat1RP5FXJv+vto reidlab@rei-pc" @@ -33,11 +29,6 @@ in { }; }; - keyboard = { - locale = "en_US.UTF-8"; - variant = "qwerty"; - }; - modules = { services = { ssh = { @@ -55,8 +46,6 @@ in { security.useDoas = false; }; - networking = { - hostName = "nixos-server-reid"; - networkmanager.enable = true; - }; + # enable network manager - probably not the best on a single server but Oh Well + networking.networkmanager.enable = true; } diff --git a/hosts/server/hardware-configuration.nix b/hosts/nixos-server-reid/hardware.nix similarity index 81% rename from hosts/server/hardware-configuration.nix rename to hosts/nixos-server-reid/hardware.nix index b880e8d..83a985a 100755 --- a/hosts/server/hardware-configuration.nix +++ b/hosts/nixos-server-reid/hardware.nix 
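Review bot: `users.groups.dotfiles = {};` is removed, but `reidlab`'s `extraGroups` a few lines down in the same hunk still lists `"dotfiles"`, so unless the group is now declared elsewhere (the readme's `modules/users.nix` is the likely place) the reference is dangling; I believe NixOS only warns about an undefined extra group rather than failing, so this would go unnoticed. Either confirm where the group is declared now, or drop `"dotfiles"` from `extraGroups` alongside this deletion. Removing the `services.logrotate.checkConfig = false;` hack is a good change — the check exists so a broken rotate config fails at build time instead of silently never rotating. The `normalUsers.reidlab` block continues past this hunk.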
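Review bot: Collapsing the `networking = { ... }` block to a single `networking.networkmanager.enable = true;` also drops `networking.hostName = "nixos-server-reid";`, and nothing else in the hunk sets it; if the flake does not derive the hostname from the new `hosts/nixos-server-reid` directory name, the machine boots with the NixOS default hostname, which changes what shows up in logs, SSH host key comments and anything keyed on the host. Confirm the directory-name mapping, or keep `networking.hostName = "nixos-server-reid";` next to the NetworkManager line. On the comment's "probably not the best on a single server": NetworkManager gates interface changes through polkit rather than root, so any account polkit permits can reconfigure networking; plain `networking.useDHCP` or systemd-networkd is the smaller surface if that trade-off is revisited.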
@@ -7,10 +7,12 @@ ]; boot = { - initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ]; + initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" ]; initrd.kernelModules = [ ]; - kernelPackages = pkgs.linuxPackages_latest; kernelModules = [ ]; + extraModulePackages = [ ]; + # TODO: move bootloader, networking, boot speed to another file? + kernelPackages = pkgs.linuxPackages_latest; loader = { # use u-boot over grub grub.enable = lib.mkForce false; @@ -18,14 +20,13 @@ }; }; - fileSystems = { - "/" = { + fileSystems."/" = { device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888"; fsType = "ext4"; }; - }; - swapDevices = [ ]; + swapDevices = + [ ]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's diff --git a/hosts/server/webapps/default.nix b/hosts/nixos-server-reid/webapps/default.nix similarity index 86% rename from hosts/server/webapps/default.nix rename to hosts/nixos-server-reid/webapps/default.nix index cdacaeb..02cd416 100755 --- a/hosts/server/webapps/default.nix +++ b/hosts/nixos-server-reid/webapps/default.nix @@ -12,15 +12,10 @@ in { port = 3000; }; - metrics = { - enable = false; - domain = "metrics.reidlab.online"; - port = 2342; - }; - # you should probably keep this on - # configures acme, gzip, optimization, proxy, and ssl config - # opens ports and adds some Headers + # actually enables nginx, configures acme, + # gzip, optimization, proxy, ssl config, + # opens ports, and adds some Headers nginx-config = { enable = true; defaultLuaPackagePath = /var/www/reidlab.online/lua; diff --git a/modules/keyboard.nix b/modules/keyboard.nix deleted file mode 100755 index 7c39e8d..0000000 --- a/modules/keyboard.nix +++ /dev/null 
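Review bot: `kernelPackages = pkgs.linuxPackages_latest;` is kept (only moved below the new `extraModulePackages`), so each `nix flake update` can carry this server across mainline kernel majors instead of following an LTS series, and the readme's own todo says the intent is to return to the hardened kernel. For a single headless server `pkgs.linuxPackages` (the LTS default) or `pkgs.linuxPackages_hardened` is the more conservative choice; if `_latest` is required for this board's drivers, a comment saying so on the line, e.g. `# _latest needed for <driver>; revisit hardened once it lands in LTS`, would stop the next reader from "fixing" it. The `boot` attribute set continues past this hunk.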
@@ -1,17 +0,0 @@ -{ config, lib, pkgs, options, ... }: - -with lib; -let - cfg = config.keyboard; -in { - options.keyboard = { - locale = mkOption { - type = types.str; - default = "en_US.UTF-8"; - }; - variant = mkOption { - type = types.str; - default = ""; - }; - }; -} diff --git a/modules/security.nix b/modules/security.nix index 474b50c..1fdc7bc 100755 --- a/modules/security.nix +++ b/modules/security.nix @@ -5,7 +5,7 @@ let cfg = config.modules.security; in { options.modules.security = { - useDoas = mkEnableOption "use doas instead of sudo"; + useDoas = mkEnableOption "use opendoas instead of sudo"; }; config = mkIf cfg.enable { @@ -23,7 +23,7 @@ in { # do not accept IP source packets (we are not a router) "net.ipv4.conf.all.accept_source_route" = 0; "net.ipv6.conf.all.accept_source_route" = 0; - # Don't send ICMP redirects (again, we're not a router) + # don't send ICMP redirects (again, we're not a router) "net.ipv4.conf.all.send_redirects" = 0; "net.ipv4.conf.default.send_redirects" = 0; # refuse ICMP redirects (MITM mitigations) @@ -49,9 +49,16 @@ in { }; security = { + # prevents replacing the kernel without a reboot protectKernelImage = true; + # rtkit allows unprivileged processes to use realtime scheduling + # polkit allows unprivileged processes to speak to privileged processes (ex. nmtui, reboot) rtkit.enable = true; + polkit.enable = true; }; + + # while this is on by default, i am going to explicitly specify this + networking.firewall.enable = true; } // (mkIf cfg.useDoas { security.sudo.enable = false; security.doas.enable = true; diff --git a/modules/services/loki.yml b/modules/services/loki.yml deleted file mode 100644 index 6c47d51..0000000 --- a/modules/services/loki.yml +++ /dev/null 
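Review bot: The new `polkit.enable = true;` and `networking.firewall.enable = true;` lines sit inside the first `mkIf cfg.enable { ... }` block, but that block is joined to the doas block with `//` (`} // (mkIf cfg.useDoas {`), and `mkIf` returns a plain attribute set (`_type`, `condition`, `content`), so the update operator replaces the first set's `condition` and `content` with the second's — everything in the main block, including the sysctl hardening, `protectKernelImage` and these additions, is silently discarded. If that reading is right, none of this hardening has ever applied to the host, which sets `useDoas = false` and therefore gets neither block. Combine them instead with `config = mkMerge [ (mkIf cfg.enable { ... }) (mkIf cfg.useDoas { ... }) ];`; the opening `config = mkIf cfg.enable {` is in an earlier hunk and the doas block continues past this one. Also, no `enable` option appears in the declarations shown in the first hunk, so confirm `modules.security.enable` exists once the merge is fixed — the missing attribute only surfaces once the condition is actually evaluated.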
@@ -1,55 +0,0 @@ -auth_enabled: false - -server: - http_listen_port: 3100 - -ingester: - lifecycler: - address: 0.0.0.0 - ring: - kvstore: - store: inmemory - replication_factor: 1 - final_sleep: 0s - chunk_idle_period: 1h # Any chunk not receiving new logs in this time will be flushed - max_chunk_age: 1h # All chunks will be flushed when they hit this age, default is 1h - chunk_target_size: 1048576 # Loki will attempt to build chunks up to 1.5MB, flushing first if chunk_idle_period or max_chunk_age is reached first - chunk_retain_period: 30s # Must be greater than index read cache TTL if using an index cache (Default index read cache TTL is 5m) - max_transfer_retries: 0 # Chunk transfers disabled - -schema_config: - configs: - - from: 2023-12-08 - store: boltdb-shipper - object_store: filesystem - schema: v11 - index: - prefix: index_ - period: 24h - -storage_config: - boltdb_shipper: - active_index_directory: /var/lib/loki/boltdb-shipper-active - cache_location: /var/lib/loki/boltdb-shipper-cache - cache_ttl: 24h # Can be increased for faster performance over longer query periods, uses more disk space - shared_store: filesystem - filesystem: - directory: /var/lib/loki/chunks - -limits_config: - reject_old_samples: true - reject_old_samples_max_age: 168h - -chunk_store_config: - max_look_back_period: 0s - -table_manager: - retention_deletes_enabled: false - retention_period: 0s - -compactor: - working_directory: /var/lib/loki - shared_store: filesystem - compactor_ring: - kvstore: - store: inmemory \ No newline at end of file diff --git a/modules/services/metrics.nix b/modules/services/metrics.nix deleted file mode 100644 index 1cbd26b..0000000 --- a/modules/services/metrics.nix +++ /dev/null 
@@ -1,95 +0,0 @@ -{ config, lib, pkgs, options, ... }: - -with lib; -let - cfg = config.modules.services.metrics; -in { - options.modules.services.metrics = { - enable = mkEnableOption "enable grafana with loki, prometheus, and promtail"; - domain = mkOption { - type = types.str; - default = "grafana.reidlab.online"; - }; - port = mkOption { - type = types.int; - default = 2342; - }; - }; - - config = mkIf cfg.enable { - systemd.services.promtail = { - description = "promtail, an agent for loki"; - wantedBy = [ "multi-user.target" ]; - - serviceConfig = { - ExecStart = '' - ${pkgs.grafana-loki}/bin/promtail --config.file ${./promtail.yml} - ''; - }; - }; - services = { - grafana = { - enable = true; - - settings = { - server = { - domain = cfg.domain; - http_port = cfg.port; - http_addr = "127.0.0.1"; - }; - }; - }; - - prometheus = let - ports = { - base = 9001; - node = 9002; - nginx = 9003; - }; - in { - enable = true; - port = ports.base; - - exporters = { - node = { - enable = true; - enabledCollectors = [ "systemd" ]; - port = ports.node; - }; - nginx = { - enable = true; - port = ports.nginx; - }; - }; - - scrapeConfigs = [ - { - job_name = "nixos-server-reid"; - static_configs = [{ - targets = [ - "127.0.0.1:${toString ports.node}" - "127.0.0.1:${toString ports.nginx}" - ]; - }]; - } - ]; - }; - - loki = { - enable = true; - configFile = ./loki.yml; - }; - - nginx.statusPage = true; - - nginx.virtualHosts."${cfg.domain}" = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString cfg.port}"; - proxyWebsockets = true; - }; - }; - }; - }; -} diff --git a/modules/services/nginx-conf.nix b/modules/services/nginx-conf.nix index f446f57..84a40ab 100755 --- a/modules/services/nginx-conf.nix +++ b/modules/services/nginx-conf.nix 
@@ -5,7 +5,7 @@ let cfg = config.modules.services.nginx-config; in { options.modules.services.nginx-config = { - enable = mkEnableOption "enable nginx, a high performance web server along with default configurations"; + enable = mkEnableOption "enable and configure nginx. you know what nginx is."; package = mkOption { type = types.package; @@ -28,6 +28,7 @@ in { security.acme = { acceptTerms = true; defaults.email = "reidlab325@gmail.com"; + # uncomment me for staging! # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; }; @@ -40,8 +41,6 @@ in { recommendedGzipSettings = true; recommendedProxySettings = true; - logError = "stderr warn"; - # TODO: clean this up oh my god like everything here :sob: im vomiting shaking and crying looking at this. commonHttpConfig = let # lua diff --git a/modules/services/promtail.yml b/modules/services/promtail.yml deleted file mode 100644 index 1085e65..0000000 --- a/modules/services/promtail.yml +++ /dev/null @@ -1,20 +0,0 @@ -server: - http_listen_port: 28183 - grpc_listen_port: 0 - -positions: - filename: /tmp/positions.yaml - -clients: - - url: http://127.0.0.1:3100/loki/api/v1/push - -scrape_configs: - - job_name: journal - journal: - max_age: 12h - labels: - job: systemd-journal - host: nixos-server-reid - relabel_configs: - - source_labels: ["__journal__systemd_unit"] - target_label: "unit" \ No newline at end of file diff --git a/readme.md b/readme.md index 5db5b04..813af11 100755 --- a/readme.md +++ b/readme.md 
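Review bot: Dropping `logError = "stderr warn";` changes behaviour, not just layout: with the NixOS default (`stderr`, no level) nginx logs at its own default `error` level, so `warn`-level events — upstream timeouts, limit hits, Lua warnings — that previously reached the journal are no longer recorded, which matters for detection on a host exposed via ACME. If quieting the log was the goal, say so in a comment; otherwise keep `logError = "stderr warn";` next to the `recommended*Settings` lines. The `commonHttpConfig` let-block starts at the end of this hunk and continues past it.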
@@ -1,27 +1,19 @@ -# flake-o-rama +# nix-server nix flake config! this is just used on my personal server at the moment -please do not use this as a learning resource for nix as i have essentially zero clue what i'm doing - ## users -this flake is built for a multi-user experience per host, enforced by `modules/user.nix`, and found in the `default.nix` file for each host. - -as this is a multi-user setup, the `dotfiles` group will be used for read and write access to the flake - -## development - -to build the system, run `sudo nixos-rebuild switch --flake .#server` - -please periodically run `nix flake update` to make sure we arent slacking on package versions - -before committing, please run `nix flake check` and make sure everything is ok +this flake is built for a multi-user experience per host, enforced by [`modules/users.nix`](./modules/users.nix), and found in the `default.nix` file for each host. ## todo -- remove the lua static stuff from nginx + maybe cloudflare ips too +- remove the lua static stuff from nginx + maybe cloudflare ips too + redis - per-host architecture selection, atm it is hardcoded to `aarch64` - some weird perl error abt locales when building using doas - `keepEnv` might fix this +- move common config such as bootloader and networking settings to [`default.nix`](./default.nix) +- swap back to hardened kernel - leverage nixos-hardware -- somehow add desktop evironments and per-user dotfiles while keeping a multi-user setup +- somehow add desktop evironments and per-user dotfiles while keeping a multi-user setup - we can always give this up if needed +- flake-parts +- god im ruining everything for myself. maybe just make another repo for desktops