nixserver->server; start working on phone config

2023-10-17 20:25:03 +07:00 · 2023-10-17 20:25:03 +07:00 · 18d471c2ec
parent 9a4d9a7330
commit 18d471c2ec
18 changed files with 146 additions and 126 deletions
--- a/extra-builtins.nix
+++ b/extra-builtins.nix
@ -2,22 +2,21 @@
  secrets = exec [ "cat" "/etc/nixos/private/default.nix" ] {
    # compress and base64 the file to make it representable in nix,
    # then decompress it back in a derivation (shouldn't there be a better way...)
-    copyToStore = pkgs: path:
+    copyToStore = pkgs: name: path:
      let
        archive = exec [
          "/bin/sh" "-c"
-          "echo '\"' && (cd /etc/nixos/private && tar czv ${path} 2>/dev/null | base64 -w0) && echo '\"'"
+          "echo '\"' && (cd /etc/nixos/private && tar -I ${pkgs.zstd}/bin/zstd -c -- ${pkgs.lib.escapeShellArg path} 2>/dev/null | base64 -w0) && echo '\"'"
        ];
      in "${pkgs.stdenvNoCC.mkDerivation {
-        name = "private";
+        inherit name;
        unpackPhase = "true";
        buildPhase = "true";
        installPhase = ''
          mkdir -p $out
          cd $out
-          echo "${archive}" | base64 -d | tar xzv
+          echo "${archive}" | base64 -d | tar -I ${pkgs.zstd}/bin/zstd -x
        '';
-        url = builtins.toFile "private.tar.gz.base64" archive;
-      }}/${path}";
+      }}/${toString path}";
    };
 }
--- a/flake.lock
+++ b/flake.lock
@ -35,11 +35,11 @@
    "flake-compat_2": {
      "flake": false,
      "locked": {
-        "lastModified": 1673956053,
-        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
        "owner": "edolstra",
        "repo": "flake-compat",
-        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
        "type": "github"
      },
      "original": {
@ -143,11 +143,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1695274149,
-        "narHash": "sha256-TXMD7TkBA6BYR77465ej5jZcHYTdDC67H1C/Zpp0aiQ=",
+        "lastModified": 1697331506,
+        "narHash": "sha256-N6RD9EudU+i7SJO3z3S309XQRhp81iqaN9G9sxRtVts=",
        "owner": "chayleaf",
        "repo": "maubot.nix",
-        "rev": "1b5d44af45a3fb7b2fa29a4b7590b5cb37d1fdf1",
+        "rev": "cf32a2873523c80cebdd1ee409c45593040944b8",
        "type": "github"
      },
      "original": {
@ -156,6 +156,23 @@
        "type": "github"
      }
    },
+    "mobile-nixos": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1697544701,
+        "narHash": "sha256-u/59b13bwEqxR1x2l9SeSya2ZXABmjpUCdTrXVMLrsA=",
+        "owner": "chayleaf",
+        "repo": "mobile-nixos",
+        "rev": "b3ec466c5abbda7de279dccb010ab10e74dd07ee",
+        "type": "github"
+      },
+      "original": {
+        "owner": "chayleaf",
+        "ref": "cleanup",
+        "repo": "mobile-nixos",
+        "type": "github"
+      }
+    },
    "nix-gaming": {
      "inputs": {
        "flake-parts": "flake-parts",
@ -352,6 +369,7 @@
        "home-manager": "home-manager",
        "impermanence": "impermanence",
        "maubot": "maubot",
+        "mobile-nixos": "mobile-nixos",
        "nix-gaming": "nix-gaming",
        "nixos-hardware": "nixos-hardware",
        "nixos-mailserver": "nixos-mailserver",
--- a/flake.nix
+++ b/flake.nix
@ -7,6 +7,11 @@
    nixpkgs2.url = "github:nixos/nixpkgs/master";
    # nixpkgs.url = "github:chayleaf/nixpkgs/ccache2";
    nixos-hardware.url = "github:NixOS/nixos-hardware";
+    mobile-nixos = {
+      # url = "github:NixOS/mobile-nixos";
+      url = "github:chayleaf/mobile-nixos/cleanup";
+      flake = false;
+    };
    impermanence.url = "github:nix-community/impermanence";
    nur.url = "github:nix-community/NUR";
    rust-overlay = {
@ -51,7 +56,22 @@
    };
  };

-  outputs = inputs@{ self, nixpkgs, nixpkgs2, nixos-hardware, impermanence, home-manager, nur, nix-gaming, notlua, notnft, nixos-mailserver, nixos-router, maubot, ... }:
+  outputs = inputs@
+    { self
+    , nixpkgs
+    , nixpkgs2
+    , nixos-hardware
+    , mobile-nixos
+    , impermanence
+    , home-manager
+    , nur
+    , nix-gaming
+    , notlua
+    , notnft
+    , nixos-mailserver
+    , nixos-router
+    , maubot
+    , ... }:
  let
    # --impure required for developing
    # it takes the paths for modules from filesystem as opposed to flake inputs
@ -104,7 +124,7 @@
        system = "aarch64-linux";
        modules = [
          {
-            _module.args.server-config = nixosConfigurations.nixserver.config;
+            _module.args.server-config = nixosConfigurations.server.config;
            _module.args.notnft = if devNft then (import /${devPath}/notnft { inherit (nixpkgs) lib; }).config.notnft else notnft.lib.${system};
          }
          (if devNixRt then import /${devPath}/nixos-router else nixos-router.nixosModules.default)
@ -128,7 +148,7 @@
      router-sd = mkBpiR3 "sd" routerConfig;
      router-emmc-cross = crossConfig router-emmc;
      router-sd-cross = crossConfig router-emmc;
-      nixserver = {
+      server = {
        system = "aarch64-linux";
        modules = [
          { _module.args.router-config = nixosConfigurations.router-emmc.config; }
@ -138,7 +158,7 @@
          ./system/modules/scanservjs.nix
        ];
      };
-      nixserver-cross = crossConfig nixserver;
+      server-cross = crossConfig server;
      nixmsi = rec {
        system = "x86_64-linux";
        modules = [
@ -156,6 +176,16 @@
        ];
      };
      nixmsi-cross = crossConfig nixmsi;
+      phone = {
+        system = "aarch64-linux";
+        modules = [
+          (import "${mobile-nixos}/lib/configuration.nix" {
+            device = "oneplus-enchilada";
+          })
+          ./system/hosts/phone/default.nix
+        ];
+      };
+      phone-cross = crossConfig phone;
    };

    # this is the system config processing part
@ -274,7 +304,7 @@
      "x86_64-linux"
      "aarch64-linux"
    ] (system: let self = overlay ((mkPkgs { inherit system; }) // self) (import nixpkgs { inherit system; }); in self);
-    nixosImages.router = let pkgs = mkPkgs { system = "aarch64-linux"; }; in {
+    nixosImages.router = let pkgs = mkPkgs { inherit (config.router-emmc) system; }; in {
      emmcImage = pkgs.callPackage ./system/hardware/bpi-r3/image.nix {
        inherit (nixosConfigurations.router-emmc) config;
        rootfsImage = nixosConfigurations.router-emmc.config.system.build.rootfsImage;
@ -286,6 +316,8 @@
        bpiR3Stuff = pkgs.bpiR3StuffSd;
      };
    };
+    nixosImages.phone = nixosConfigurations.phone.config.mobile.outputs.disk-image;
+    nixosImages.phone-fastboot = nixosConfigurations.phone.config.mobile.outputs.android.android-fastboot-image;

    hydraJobs = let
      addMeta = x: x // {
@ -295,7 +327,7 @@
        };
      };
    in {
-      server.${config.nixserver.system} = addMeta nixosConfigurations.nixserver.config.system.build.toplevel;
+      server.${config.server.system} = addMeta nixosConfigurations.server.config.system.build.toplevel;
      workstation.${config.nixmsi.system} = addMeta nixosConfigurations.nixmsi.config.system.build.toplevel;
      router.${config.router-emmc.system} = addMeta nixosConfigurations.router-emmc-cross.config.system.build.toplevel;
      workstation-home.${config.nixmsi.system} = addMeta homeConfigurations."user@nixmsi".activation-script;
--- a/home/common/firefox.nix
+++ b/home/common/firefox.nix
@ -32,7 +32,7 @@
        inherit (pkgs.librewolf-unwrapped) extraPrefsFiles extraPoliciesFiles;
        wmClass = "LibreWolf";
        libName = "librewolf";
-        # TODO: keepass in extraNativeMessagingHosts?
+        enableKeePassXC = true;
      };
    profiles = {
      chayleaf = {
--- a/private.nix.sample
+++ b/private.nix.sample
@ -1,6 +1,6 @@
 # copy a path to store (needed because I don't copy the secrets to store by default)
 # arg must be a string because of how nix handles relative paths as absolute
-{ copyToStore ? (pkgs: x: ./. + x)
+{ copyToStore ? (pkgs: name: x: ./. + x)
 , ... }: {
  nixmsi = {
    system = { pkgs, ... }: {
@ -13,7 +13,7 @@
      # insert private user config for username here
    };
  };
-  nixserver.system = { ... }: {
+  server.system = { ... }: {
    server.localIpV4 = ...;
    server.lanCidrV4 = ...;
    server.localIpV6 = ...;
--- a/system/devices/hp-probook-g0-server.nix
+++ b/system/devices/hp-probook-g0-server.nix
@ -1,55 +0,0 @@
-{ config, ... }:
-
-let
-  efiPart = "/dev/disk/by-uuid/3E2A-A5CB";
-  rootUuid = "6aace237-9b48-4294-8e96-196759a5305b";
-  rootPart = "/dev/disk/by-uuid/${rootUuid}";
-  root2Uuid = "e7e5ca5e-294e-42be-a58c-cb4d54a583e8";
-  root2Part = "/dev/disk/by-uuid/${root2Uuid}";
-in {
-  imports = [
-    ../hardware/hp-probook-g0.nix
-    ../hosts/nixserver
-  ];
-
-  boot.loader = {
-    grub = {
-      enable = true;
-      device = "nodev";
-      efiSupport = true;
-      efiInstallAsRemovable = true;
-    };
-    efi.efiSysMountPoint = "/boot/efi";
-  };
-  fileSystems = {
-    "/" =    { device = "none"; fsType = "tmpfs"; neededForBoot = true;
-               options = [ "defaults" "size=2G" "mode=755" ]; };
-    "/persist" =
-             { device = root2Part; fsType = "bcachefs"; neededForBoot = true; };
-    "/boot" =
-             { device = rootPart; fsType = "btrfs"; neededForBoot = true;
-               options = [ "compress=zstd:15" "subvol=boot" ]; };
-    "/boot/efi" =
-             { device = efiPart; fsType = "vfat"; };
-  };
-  services.beesd = {
-    filesystems.root = {
-      spec = "UUID=${rootUuid}";
-      hashTableSizeMB = 128;
-      extraOptions = [ "--loadavg-target" "8.0" ];
-    };
-  };
-
-  zramSwap.enable = true;
-  swapDevices = [ ];
-
-  impermanence = {
-    enable = true;
-    path = /persist;
-    directories = [
-      { directory = /home/${config.common.mainUsername}; user = config.common.mainUsername; group = "users"; mode = "0700"; }
-      { directory = /root; }
-      { directory = /nix; }
-    ];
-  };
-}
--- a/system/devices/radxa-rock5a-server.nix
+++ b/system/devices/radxa-rock5a-server.nix
@ -16,7 +16,7 @@ in
 {
  imports = [
    ../hardware/radxa-rock5a
-    ../hosts/nixserver
+    ../hosts/server
    hardware.common-pc-ssd
  ];

--- a/system/hosts/phone/default.nix
+++ b/system/hosts/phone/default.nix
@ -0,0 +1,40 @@
+# WIP (I don't even have the phone yet)
+
+{ pkgs
+, config
+, ... }:
+
+{
+  system.stateVersion = "23.11";
+
+  # kde connect
+  networking.firewall.allowedTCPPortRanges = [
+    { from = 1714; to = 1764; }
+  ];
+  networking.firewall.allowedUDPPortRanges = [
+    { from = 1714; to = 1764; }
+  ];
+
+  networking.wireless.iwd.enable = true;
+  common.minimal = false;
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+    jack.enable = true;
+  };
+  security.polkit.enable = true;
+  security.rtkit.enable = true;
+  xdg.portal = {
+    enable = true;
+    extraPortals = with pkgs; [ xdg-desktop-portal-gtk xdg-desktop-portal-wlr ];
+  };
+  services.sshd.enable = true;
+  users.users.${config.common.mainUsername}.extraGroups = [ "video" "feedbackd" "dialout" ];
+
+  mobile.generatedFilesystems.rootfs = {
+    filesystem = "btrfs";
+    btrfs.partitionID = "44444444-4444-4444-8888-888888888888";
+  };
+}
--- a/system/hosts/nixserver/default.nix
+++ b/system/hosts/nixserver/default.nix
@ -152,40 +152,34 @@ in {
  services.nginx.package = pkgs.nginxQuic;
  /* DNS over TLS
  services.nginx.streamConfig =
-    let
-      inherit (config.security.acme.certs."${cfg.domainName}") directory;
-    in ''
-      upstream dns {
-        zone dns 64k;
-        server 127.0.0.1:53;
-      }
-      server {
-        listen 853 ssl;
-        ssl_certificate ${directory}/fullchain.pem;
-        ssl_certificate_key ${directory}/key.pem;
-        ssl_trusted_certificate ${directory}/chain.pem;
-        proxy_pass dns;
-      }
-    '';*/
-    services.nginx.commonHttpConfig =
-    let
-      realIpsFromList = lib.strings.concatMapStringsSep "\n" (x: "set_real_ip_from  ${x};");
-      fileToList = x: lib.strings.splitString "\n" (builtins.readFile x);
-      cfipv4 = fileToList (pkgs.fetchurl {
+  let
+    inherit (config.security.acme.certs."${cfg.domainName}") directory;
+  in ''
+    upstream dns {
+      zone dns 64k;
+      server 127.0.0.1:53;
+    }
+    server {
+      listen 853 ssl;
+      ssl_certificate ${directory}/fullchain.pem;
+      ssl_certificate_key ${directory}/key.pem;
+      ssl_trusted_certificate ${directory}/chain.pem;
+      proxy_pass dns;
+    }
+  '';*/
+  services.nginx.commonHttpConfig = ''
+    log_format postdata '{\"ip\":\"$remote_addr\",\"time\":\"$time_iso8601\",\"referer\":\"$http_referer\",\"body\":\"$request_body\",\"ua\":\"$http_user_agent\"}';
+
+    ${lib.concatMapStringsSep "\n" (x: "set_real_ip_from ${x};") (lib.splitString "\n" ''
+      ${builtins.readFile (builtins.fetchurl {
        url = "https://www.cloudflare.com/ips-v4";
        sha256 = "0ywy9sg7spafi3gm9q5wb59lbiq0swvf0q3iazl0maq1pj1nsb7h";
-      });
-      cfipv6 = fileToList (pkgs.fetchurl {
+      })}
+      ${builtins.readFile (builtins.fetchurl {
        url = "https://www.cloudflare.com/ips-v6";
        sha256 = "1ad09hijignj6zlqvdjxv7rjj8567z357zfavv201b9vx3ikk7cy";
-      });
-    in
-    ''
-      log_format postdata '{\"ip\":\"$remote_addr\",\"time\":\"$time_iso8601\",\"referer\":\"$http_referer\",\"body\":\"$request_body\",\"ua\":\"$http_user_agent\"}';
-
-      ${realIpsFromList cfipv4}
-      ${realIpsFromList cfipv6}
-      real_ip_header CF-Connecting-IP;
+      })}'')}
+    real_ip_header CF-Connecting-IP;
  '';
  # brotli and zstd requires recompilation so I don't enable it
  # services.nginx.recommendedBrotliSettings = true;
--- a/system/hosts/nixserver/fdroid.nix
+++ b/system/hosts/nixserver/fdroid.nix
--- a/system/hosts/nixserver/home.nix
+++ b/system/hosts/nixserver/home.nix
@ -84,22 +84,17 @@ in {
  };
  users.users.nginx.extraGroups = [ "grafana" ];

-  /*services.nix-serve = {
-    enable = true;
-    package = pkgs.nix-serve-ng;
-    bindAddress = "127.0.0.1";
-    secretKeyFile = "/secrets/cache-priv-key.pem";
-  };*/
  services.harmonia = {
    enable = true;
    signKeyPath = "/secrets/cache-priv-key.pem";
    settings.bind = "[::1]:5000";
  };
  nix.settings.allowed-users = [ "nix-serve" "harmonia" "hydra" "hydra-www" ];
-  # only hydra has access to this file anyway
-  nix.settings.extra-builtins-file = "/etc/nixos/private/extra-builtins.nix";
+  # make sure only hydra has access to this file
+  # so normal nix evals don't have access to builtins
+  nix.settings.extra-builtins-file = "/etc/nixos/extra-builtins.nix";
  impermanence.directories = [
-    { directory = /etc/nixos/private; user = "hydra"; group = "hydra"; mode = "0700"; }
+    { directory = /etc/nixos; user = "hydra"; group = "hydra"; mode = "0700"; }
  ];
  nix.settings.allowed-uris = [
    # required for home-manager
@ -114,12 +109,6 @@ in {
    enableACME = true;
    forceSSL = true;
    basicAuthFile = "/secrets/home_password";
-    /*locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
-    extraConfig = ''
-      proxy_read_timeout 300;
-      proxy_connect_timeout 300;
-      proxy_send_timeout 300;
-    '';*/
    locations."/".proxyPass = "http://${config.services.harmonia.settings.bind or "[::1]:5000"}";
    locations."/".extraConfig = ''
      proxy_set_header Host $host;
@ -144,10 +133,7 @@ in {
    # smtpHost = "mail.${cfg.domainName}";
    useSubstitutes = true;
  };
-  boot.binfmt.emulatedSystems = {
-    "x86_64-linux" = [ "aarch64-linux" ];
-    "aarch64-linux" = [ "x86_64-linux" ];
-  }.${pkgs.system};
+  boot.binfmt.emulatedSystems = builtins.filter (x: x != pkgs.system) [ "aarch64-linux" "x86_64-linux" ];
  nix.buildMachines = [
    {
      # there were some bugs related to not specifying the machine
--- a/system/hosts/nixserver/keycloak.nix
+++ b/system/hosts/nixserver/keycloak.nix
@ -29,12 +29,15 @@ in {
    ENABLE_OPENID_SIGNIN = true;
    ENABLE_OPENID_SIGNUP = true;
  };
+  systemd.services.gitea.after = [ "keycloak.service" ];

  services.nextcloud.extraOptions.allow_local_remote_servers = true;
+  systemd.services.nextcloud.after = [ "keycloak.service" ];

  # a crude way to make some python packages available for synapse
  services.matrix-synapse.plugins = with pkgs.python3.pkgs; [ authlib ];
  services.matrix-synapse.settings.password_config.enabled = false;
+  systemd.services.matrix-synapse.after = [ "keycloak.service" ];

  # See also https://meta.akkoma.dev/t/390
  # https://<pleroma>/oauth/keycloak?scope=openid+profile
@ -100,6 +103,7 @@ in {
    OAUTH_CONSUMER_STRATEGIES = "keycloak:ueberauth_keycloak_strategy";
  });
  systemd.services.akkoma = {
+    after = [ "keycloak.service" ];
    environment.OAUTH_CONSUMER_STRATEGIES = "keycloak:ueberauth_keycloak_strategy";
    serviceConfig.EnvironmentFile = "/secrets/akkoma/envrc";
  };*/
--- a/system/hosts/nixserver/mailserver.nix
+++ b/system/hosts/nixserver/mailserver.nix
--- a/system/hosts/nixserver/matrix.nix
+++ b/system/hosts/nixserver/matrix.nix
--- a/system/hosts/nixserver/maubot.nix
+++ b/system/hosts/nixserver/maubot.nix
--- a/system/hosts/nixserver/mumble.nix
+++ b/system/hosts/nixserver/mumble.nix
--- a/system/hosts/nixserver/options.nix
+++ b/system/hosts/nixserver/options.nix
--- a/system/modules/impermanence.nix
+++ b/system/modules/impermanence.nix
@ -125,6 +125,8 @@ in {
        { directory = /var/db/sudo/lectured; user = "root"; group = "root"; mode = "0700"; }
      ] ++ lib.optionals config.services.openldap.enable [
        { directory = /var/lib/openldap; inherit (config.services.openldap) user group; mode = "0755"; }
+      ] ++ lib.optionals (config.services.scanservjs.enable or false) [
+        { directory = /var/lib/scanservjs; user = "scanservjs"; group = "scanservjs"; mode = "0750"; }
      ] ++ cfg.directories);
      files = map (x:
        if builtins.isPath x then toString x