diff --git a/README.md b/README.md index 9a1c362..ad643c2 100644 --- a/README.md +++ b/README.md @@ -48,14 +48,12 @@ nix multi user, multi system, configuration with `sops` secret management, `home ## Tech Debt - monitor configuration in `~/.config/monitors.xml` should be sym linked to `/run/gdm/.config/monitors.xml` (https://www.reddit.com/r/NixOS/comments/u09cz9/home_manager_create_my_own_symlinks_automatically/) -- syncthing folders should just be enabled per devices and then combined with "extraDevices" to give final folder configurations - syncthing folder passwords - nfs export should be backed by the same values for server and client - move fail2ban configs out of fail2ban.nix and into configs for their respective services - nginx config should be reworked to give a list of subdomains and then the config information to apply to each proxy ## New Features - offline access for nfs mounts (overlay with rsync might be a good option here? https://www.spinics.net/lists/linux-unionfs/msg07105.html note about nfs4 and overlay fs) -- Flake templates - we need to add these to some kind of local registry??? `nix flake show templates` - https://nix.dev/manual/nix/2.18/command-ref/new-cli/nix3-flake-init - samba mounts - figure out steam vr things? - Open GL? @@ -70,3 +68,5 @@ nix multi user, multi system, configuration with `sops` secret management, `home - SMART test with email results - Create Tor guard/relay server - remote distributed builds - https://nix.dev/tutorials/nixos/distributed-builds-setup.html +- migrate away from flakes and move to npins +- forgejo dedicated sshd that can only do forgejo things and that the main deamon proxies to when trying to log in with the git user, with the goal of being able to host that deamon on port 22222 and set up a port forward rule on gateway for 22 -> deamon:22222 \ No newline at end of file diff --git a/configurations/home-manager/default.nix b/configurations/home-manager/default.nix index 3aa4c0e..a7fa478 100644 
--- a/configurations/home-manager/default.nix +++ b/configurations/home-manager/default.nix @@ -1,10 +1,12 @@ { lib, config, + osConfig, ... }: let users = config.host.users; in { leyla = lib.mkIf users.leyla.isNormalUser (import ./leyla); eve = lib.mkIf users.eve.isNormalUser (import ./eve); + git = lib.mkIf (osConfig.services.forgejo.enable or false) (import ./git); } diff --git a/configurations/home-manager/git/default.nix b/configurations/home-manager/git/default.nix new file mode 100644 index 0000000..2276e7a --- /dev/null +++ b/configurations/home-manager/git/default.nix @@ -0,0 +1,20 @@ +{osConfig, ...}: { + home = { + username = osConfig.users.users.git.name; + homeDirectory = osConfig.users.users.git.home; + + # This value determines the Home Manager release that your configuration is + # compatible with. This helps avoid breakage when a new Home Manager release + # introduces backwards incompatible changes. + # + # You should not change this value, even if you update Home Manager. If you do + # want to update the value, then make sure to first check the Home Manager + # release notes. + stateVersion = "23.11"; # Please read the comment before changing. + }; + + programs.ssh.extraConfig = '' + AuthorizedKeysFile + /var/lib/forgejo/.ssh/authorized_keys + ''; +} diff --git a/flake.nix b/flake.nix index 8c64e2b..f9cb9a6 100644 --- a/flake.nix +++ b/flake.nix @@ -114,7 +114,12 @@ nixpkgs.lib.attrsets.mapAttrsToList (hostname: system: ( nixpkgs.lib.attrsets.mapAttrs' (user: _: { name = "${user}@${hostname}"; - value = mkHome user hostname system.pkgs.hostPlatform.system system.config; + value = mkHome { + user = user; + host = hostname; + system = system.pkgs.hostPlatform.system; + osConfig = system.config; + }; }) system.config.home-manager.users )) diff --git a/modules/nixos-modules/server/fail2ban.nix b/modules/nixos-modules/server/fail2ban.nix index cd2a978..a84b5ad 100644 --- a/modules/nixos-modules/server/fail2ban.nix 
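Review bot: `programs.ssh.extraConfig` in home-manager writes the ssh *client* configuration (`~/.ssh/config`), so the `AuthorizedKeysFile /var/lib/forgejo/.ssh/authorized_keys` directive added in `configurations/home-manager/git/default.nix` is never read by sshd — it is an sshd_config keyword, and the client will reject it as a bad configuration option for every `ssh` the git user runs. If the intent is for the host sshd to accept the keys Forgejo manages, it belongs in the NixOS openssh module scoped to this account, e.g. `services.openssh.extraConfig = "Match User git\n  AuthorizedKeysFile /var/lib/forgejo/.ssh/authorized_keys";`. Whether Forgejo still writes that file at all with `START_SSH_SERVER = true` is not visible here (it is normally generated for the external-sshd setup), so confirm the path before relying on it. Any such `Match User git` block should also carry `AllowAgentForwarding no`, `AllowTcpForwarding no`, `X11Forwarding no` and `PermitTTY no` so the account can only run Forgejo's forced commands.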
+++ b/modules/nixos-modules/server/fail2ban.nix
@@ -92,7 +92,7 @@ in {
 enabled = true;
 filter = "forgejo";
 action = ''iptables-multiport[name=HTTP, port="http,https"]'';
- logpath = "${config.services.forgejo.stateDir}/log/*.log";
+ logpath = "${config.services.forgejo.settings.log.ROOT_PATH}/*.log";
 backend = "auto";
 findtime = 600;
 bantime = 600;
diff --git a/modules/nixos-modules/server/forgejo.nix b/modules/nixos-modules/server/forgejo.nix
index a6b3ede..f0c1974 100644
--- a/modules/nixos-modules/server/forgejo.nix
+++ b/modules/nixos-modules/server/forgejo.nix
@@ -6,7 +6,7 @@
 forgejoPort = 8081;
 stateDir = "/var/lib/forgejo";
 db_user = "forgejo";
- sshPort = 2222;
+ sshPort = 22222;
 in {
 options.host.forgejo = {
 enable = lib.mkEnableOption "should forgejo be enabled on this computer";
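Review bot: The jail's `action` line, kept as context in this hunk, still bans only `port="http,https"`, so once the builtin SSH server sits on 22222 (and the gateway forwards 22 to it, per the README) repeated SSH authentication failures that the `forgejo` filter matches are logged but the attacker's SSH path is never blocked. If the filter also matches Forgejo's `Failed authentication attempt ... from <ip>` lines for SSH logins — worth confirming against the filter definition, which is outside this hunk — widen the action to cover the listen port: `action = ''iptables-multiport[name=forgejo, port="http,https,${toString config.services.forgejo.settings.server.SSH_LISTEN_PORT}"]'';`. Reading the port from the option rather than a literal keeps it in step with `sshPort` in forgejo.nix, the same way this hunk now derives `logpath` from `settings.log.ROOT_PATH`.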
@@ -33,31 +33,32 @@ in { }; }; - services.forgejo = { - enable = true; - database = { - type = "postgres"; - socket = "/run/postgresql"; - }; - lfs.enable = true; - settings = { - server = { - DOMAIN = "${config.host.forgejo.subdomain}.${config.host.reverse_proxy.hostname}"; - HTTP_PORT = forgejoPort; - START_SSH_SERVER = true; - SSH_LISTEN_PORT = sshPort; - SSH_PORT = 22; - # TODO: we need to create this user, and then store their authorized keys somewhere and have both ssh server allow login in as that user based on those authorized keys - BUILTIN_SSH_SERVER_USER = "git"; - ROOT_URL = "https://git.jan-leila.com:"; - }; - service = { - DISABLE_REGISTRATION = true; - }; + services = { + forgejo = { + enable = true; database = { - DB_TYPE = "postgres"; - NAME = db_user; - USER = db_user; + type = "postgres"; + socket = "/run/postgresql"; + }; + lfs.enable = true; + settings = { + server = { + DOMAIN = "${config.host.forgejo.subdomain}.${config.host.reverse_proxy.hostname}"; + HTTP_PORT = forgejoPort; + START_SSH_SERVER = true; + SSH_LISTEN_PORT = sshPort; + SSH_PORT = 22; + BUILTIN_SSH_SERVER_USER = config.users.users.git.name; + ROOT_URL = "https://git.jan-leila.com"; + }; + service = { + DISABLE_REGISTRATION = true; + }; + database = { + DB_TYPE = "postgres"; + NAME = db_user; + USER = db_user; + }; }; }; }; diff --git a/modules/nixos-modules/server/network_storage/nfs.nix b/modules/nixos-modules/server/network_storage/nfs.nix index b398582..1b52d26 100644 --- a/modules/nixos-modules/server/network_storage/nfs.nix +++ b/modules/nixos-modules/server/network_storage/nfs.nix 
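Review bot: `ROOT_URL` is hard-coded to `"https://git.jan-leila.com"` while `DOMAIN` a few lines above is derived from `config.host.forgejo.subdomain` and `config.host.reverse_proxy.hostname`; if either option changes the two drift apart and Forgejo emits clone URLs, webhook callbacks and OAuth redirect URIs for a host that no longer matches the one it is served on. Derive it from the same values, `ROOT_URL = "https://${config.host.forgejo.subdomain}.${config.host.reverse_proxy.hostname}";`, or bind the domain once in the `let` block and reuse it for both. `SSH_PORT = 22` is the port advertised in clone URLs while the server actually listens on `sshPort` (22222); that only works with the gateway 22 -> 22222 forward described in the README, so a comment on that line such as `# advertised port only; gateway forwards 22 -> SSH_LISTEN_PORT` would save the next reader a surprise.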
@@ -37,20 +37,15 @@ lib.mkIf (config.host.network_storage.nfs.enable && config.host.network_storage.enable) { services.nfs.server = { enable = true; - exports = lib.strings.concatLines ( - [ - "/export 100.64.0.0/10(rw,fsid=0,no_subtree_check)" - ] - ++ (builtins.map ( - directory: "${directory._directory} 100.64.0.0/10(rw,nohide,sync,no_subtree_check,crossmnt)" + exports = lib.strings.concatLines (lib.lists.imap0 ( + i: directory: "${directory._directory} 100.64.0.0/10(fsid=${toString i},rw,nohide,sync,no_subtree_check,crossmnt)" + ) + ( + builtins.filter ( + directory: lib.lists.any (target: target == directory.folder) config.host.network_storage.nfs.directories ) - ( - builtins.filter ( - directory: lib.lists.any (target: target == directory.folder) config.host.network_storage.nfs.directories - ) - config.host.network_storage.directories - )) - ); + config.host.network_storage.directories + )); }; networking.firewall.interfaces.${config.services.tailscale.interfaceName}.allowedTCPPorts = [ config.host.network_storage.nfs.port diff --git a/modules/nixos-modules/sync.nix b/modules/nixos-modules/sync.nix index e185781..de361e6 100644 --- a/modules/nixos-modules/sync.nix +++ b/modules/nixos-modules/sync.nix @@ -77,7 +77,7 @@ in { assertion = lib.strings.hasPrefix mountDir folder.path; message = "syncthing folder ${folder.label} is stored at ${folder.path} which not under the persisted path of ${mountDir}"; }) - config.services.syncthing.folders; + config.services.syncthing.settings.folders; environment.persistence = { "/persist/system/root" = { enable = true; diff --git a/modules/nixos-modules/users.nix b/modules/nixos-modules/users.nix index f57e894..92f4016 100644 --- a/modules/nixos-modules/users.nix +++ b/modules/nixos-modules/users.nix @@ -20,9 +20,9 @@ adguardhome = 2003; hass = 2004; headscale = 2005; - nextcloud = 2006; syncthing = 2007; ollama = 2008; + git = 2009; }; gids = { 
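Review bot: Deriving `fsid` from the list index in `lib.lists.imap0` makes each export's filesystem id depend on the order and number of entries in `config.host.network_storage.directories` that survive the filter: adding, removing or reordering a directory renumbers every export after it, and clients still holding file handles for the old ids get `Stale file handle` after the next rebuild. The hunk also drops the `/export ... fsid=0` pseudo-root, so the first filtered directory becomes the NFSv4 root and sibling exports are no longer reachable below it from a `mount server:/` — whether that breaks the clients depends on how they mount, which is not shown here. Prefer a stable per-directory id (an explicit `fsid` field on each entry, or a UUID tied to the directory rather than its position) and keep a dedicated root export; at minimum restore `"/export 100.64.0.0/10(rw,fsid=0,no_subtree_check)"` and number the rest from `fsid=${toString (i + 1)}` so no data export collides with the pseudo-root. The enclosing `lib.mkIf` body continues outside the hunk.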
@@ -35,9 +35,9 @@ adguardhome = 2003; hass = 2004; headscale = 2005; - nextcloud = 2006; syncthing = 2007; ollama = 2008; + git = 2009; }; users = config.users.users; @@ -141,12 +141,6 @@ in { group = config.users.users.headscale.name; }; - nextcloud = { - uid = lib.mkForce uids.nextcloud; - isSystemUser = true; - group = config.users.users.nextcloud.name; - }; - syncthing = { uid = lib.mkForce uids.syncthing; isSystemUser = true; @@ -158,6 +152,13 @@ in { isSystemUser = true; group = config.users.users.ollama.name; }; + + git = { + uid = lib.mkForce uids.git; + isSystemUser = !config.services.forgejo.enable; + isNormalUser = config.services.forgejo.enable; + group = config.users.users.git.name; + }; }; groups = { @@ -232,14 +233,6 @@ in { ]; }; - nextcloud = { - gid = lib.mkForce gids.nextcloud; - members = [ - users.nextcloud.name - # leyla - ]; - }; - syncthing = { gid = lib.mkForce gids.syncthing; members = [ @@ -255,6 +248,13 @@ in { users.ollama.name ]; }; + + git = { + gid = lib.mkForce gids.git; + members = [ + users.git.name + ]; + }; }; }; } diff --git a/util/default.nix b/util/default.nix index 028212c..c6e0e06 100644 --- a/util/default.nix +++ b/util/default.nix @@ -36,8 +36,13 @@ home-manager-config = nixpkgs: { home-manager.useUserPackages = true; home-manager.backupFileExtension = "backup"; - home-manager.extraSpecialArgs = {inherit inputs outputs util;}; - home-manager.users = import ../configurations/home-manager nixpkgs; + home-manager.extraSpecialArgs = { + inherit inputs outputs util; + }; + home-manager.users = import ../configurations/home-manager (nixpkgs + // { + osConfig = nixpkgs.config; + }); home-manager.sharedModules = home-manager-modules; }; @@ -61,7 +66,7 @@ in { nixpkgs.lib.nixosSystem { modules = [ { - # TODO: authorized keys for all users + # TODO: authorized keys for all users and hosts } ../configurations/nixos/${host} ]; 
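Review bot: When Forgejo is enabled the `git` account flips to `isNormalUser = true`, which in NixOS gives it `/home/git`, `createHome` and the default interactive login shell, even though its keys are meant to live under `/var/lib/forgejo/.ssh` and its only role is to front Forgejo's builtin SSH server. Until the dedicated forwarding sshd from the README exists, the host sshd on port 22 will also accept this user with whatever lands in `/home/git/.ssh/authorized_keys`, so it is worth denying it there explicitly — for example `DenyUsers git` in `services.openssh.settings` — though which form fits depends on the openssh configuration, which this diff does not show. A one-line comment on the toggle, e.g. `# normal user so home-manager can manage ~git for the builtin SSH server`, would also help, since the reason the account changes type is only inferable from `configurations/home-manager/default.nix`.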
@@ -97,7 +102,12 @@ in { ]; }; - mkHome = user: host: system: osConfig: + mkHome = { + user, + host, + system, + osConfig, + }: home-manager.lib.homeManagerConfiguration { pkgs = pkgsFor system; extraSpecialArgs = {