From f5bef1ad43c16d8bf4fd6ea9f545166e9acaff01 Mon Sep 17 00:00:00 2001 From: Leyla Becker Date: Fri, 14 Mar 2025 02:04:20 -0500 Subject: [PATCH 1/9] removed completed task from tech debt --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 9a1c362..a6b726e 100644 --- a/README.md +++ b/README.md @@ -48,7 +48,6 @@ nix multi user, multi system, configuration with `sops` secret management, `home ## Tech Debt - monitor configuration in `~/.config/monitors.xml` should be sym linked to `/run/gdm/.config/monitors.xml` (https://www.reddit.com/r/NixOS/comments/u09cz9/home_manager_create_my_own_symlinks_automatically/) -- syncthing folders should just be enabled per devices and then combined with "extraDevices" to give final folder configurations - syncthing folder passwords - nfs export should be backed by the same values for server and client - move fail2ban configs out of fail2ban.nix and into configs for their respective services From f81878afd71fca857028050ffa143d3dae238a94 Mon Sep 17 00:00:00 2001 From: Leyla Becker Date: Fri, 14 Mar 2025 11:32:50 -0500 Subject: [PATCH 2/9] added talk to new features --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index a6b726e..095b9c5 100644 --- a/README.md +++ b/README.md @@ -69,3 +69,4 @@ nix multi user, multi system, configuration with `sops` secret management, `home - SMART test with email results - Create Tor guard/relay server - remote distributed builds - https://nix.dev/tutorials/nixos/distributed-builds-setup.html +- migrate away from flakes and move to npins \ No newline at end of file From c1f90f07c972e5166d027689754a763db69de266 Mon Sep 17 00:00:00 2001 From: Leyla Becker Date: Fri, 14 Mar 2025 11:45:07 -0500 Subject: [PATCH 3/9] updated path for fail2ban config --- modules/nixos-modules/server/fail2ban.nix | 2 +- modules/nixos-modules/sync.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/modules/nixos-modules/server/fail2ban.nix b/modules/nixos-modules/server/fail2ban.nix
index cd2a978..a84b5ad 100644
--- a/modules/nixos-modules/server/fail2ban.nix
+++ b/modules/nixos-modules/server/fail2ban.nix
@@ -92,7 +92,7 @@ in {
 enabled = true;
 filter = "forgejo";
 action = ''iptables-multiport[name=HTTP, port="http,https"]'';
- logpath = "${config.services.forgejo.stateDir}/log/*.log";
+ logpath = "${config.services.forgejo.settings.log.ROOT_PATH}/*.log";
 backend = "auto";
 findtime = 600;
 bantime = 600;
diff --git a/modules/nixos-modules/sync.nix b/modules/nixos-modules/sync.nix
index e185781..de361e6 100644
--- a/modules/nixos-modules/sync.nix
+++ b/modules/nixos-modules/sync.nix
@@ -77,7 +77,7 @@ in {
 assertion = lib.strings.hasPrefix mountDir folder.path;
 message = "syncthing folder ${folder.label} is stored at ${folder.path} which not under the persisted path of ${mountDir}";
 })
- config.services.syncthing.folders;
+ config.services.syncthing.settings.folders;
 environment.persistence = {
 "/persist/system/root" = {
 enable = true;
From a31230fe6728193872fe77178a72febcf9436b6a Mon Sep 17 00:00:00 2001
From: Leyla Becker
Date: Fri, 14 Mar 2025 12:02:39 -0500
Subject: [PATCH 4/9] added new feature to tasks
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 095b9c5..ad643c2 100644
--- a/README.md
+++ b/README.md
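Review bot: The new `logpath` assumes Forgejo writes a file logger under `settings.log.ROOT_PATH`; nothing in this hunk sets `settings.log.MODE`, and if the instance only logs to the console the glob matches no file and, in my experience, fail2ban then refuses to start this jail rather than failing open. Pin the logging side where the jail is defined, e.g. `logpath = "${config.services.forgejo.settings.log.ROOT_PATH}/*.log"; # requires settings.log.MODE to include a file logger`, or add an assertion on `config.services.forgejo.settings.log.MODE`. Note also that this jail's `action` only bans on the http/https ports, so a ban triggered by this log does not cover the builtin SSH listener configured elsewhere in this series. The jail definition starts before this hunk.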
@@ -54,7 +54,6 @@ nix multi user, multi system, configuration with `sops` secret management, `home - nginx config should be reworked to give a list of subdomains and then the config information to apply to each proxy ## New Features - offline access for nfs mounts (overlay with rsync might be a good option here? https://www.spinics.net/lists/linux-unionfs/msg07105.html note about nfs4 and overlay fs) -- Flake templates - we need to add these to some kind of local registry??? `nix flake show templates` - https://nix.dev/manual/nix/2.18/command-ref/new-cli/nix3-flake-init - samba mounts - figure out steam vr things? - Open GL? @@ -69,4 +68,5 @@ nix multi user, multi system, configuration with `sops` secret management, `home - SMART test with email results - Create Tor guard/relay server - remote distributed builds - https://nix.dev/tutorials/nixos/distributed-builds-setup.html -- migrate away from flakes and move to npins \ No newline at end of file +- migrate away from flakes and move to npins +- forgejo dedicated sshd that can only do forgejo things and that the main deamon proxies to when trying to log in with the git user, with the goal of being able to host that deamon on port 22222 and set up a port forward rule on gateway for 22 -> deamon:22222 \ No newline at end of file From 9b857234f4fe62ee3f71d8130d301e1d9ceb1100 Mon Sep 17 00:00:00 2001 From: Leyla Becker Date: Fri, 14 Mar 2025 12:29:42 -0500 Subject: [PATCH 5/9] updated port number for forgejo internal ssh server --- modules/nixos-modules/server/forgejo.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos-modules/server/forgejo.nix b/modules/nixos-modules/server/forgejo.nix index a6b3ede..ee98305 100644 --- a/modules/nixos-modules/server/forgejo.nix +++ b/modules/nixos-modules/server/forgejo.nix 
@@ -6,7 +6,7 @@
 forgejoPort = 8081;
 stateDir = "/var/lib/forgejo";
 db_user = "forgejo";
- sshPort = 2222;
+ sshPort = 22222;
 in {
 options.host.forgejo = {
 enable = lib.mkEnableOption "should forgejo be enabled on this computer";
From 34dce8d9d17aeb192b39447452cb7a6e3ca3dcb7 Mon Sep 17 00:00:00 2001
From: Leyla Becker
Date: Fri, 14 Mar 2025 19:47:02 -0500
Subject: [PATCH 6/9] fixed exports folder on nfs
---
 modules/nixos-modules/server/network_storage/nfs.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/nixos-modules/server/network_storage/nfs.nix b/modules/nixos-modules/server/network_storage/nfs.nix
index b398582..405ea2c 100644
--- a/modules/nixos-modules/server/network_storage/nfs.nix
+++ b/modules/nixos-modules/server/network_storage/nfs.nix
@@ -39,7 +39,7 @@
 enable = true;
 exports = lib.strings.concatLines (
 [
- "/export 100.64.0.0/10(rw,fsid=0,no_subtree_check)"
+ "/exports 100.64.0.0/10(rw,fsid=0,no_subtree_check)"
 ]
 ++ (builtins.map (
 directory: "${directory._directory} 100.64.0.0/10(rw,nohide,sync,no_subtree_check,crossmnt)"
From 44d6b4827db34649ab62294d55af0afeeaf797e6 Mon Sep 17 00:00:00 2001
From: Leyla Becker
Date: Fri, 14 Mar 2025 19:49:11 -0500
Subject: [PATCH 7/9] fixed forgejo ssh
---
 modules/nixos-modules/server/forgejo.nix | 49 ++++++++++++------------
 modules/nixos-modules/users.nix | 32 ++++++++--------
 2 files changed, 41 insertions(+), 40 deletions(-)
diff --git a/modules/nixos-modules/server/forgejo.nix b/modules/nixos-modules/server/forgejo.nix
index ee98305..f0c1974 100644
--- a/modules/nixos-modules/server/forgejo.nix
+++ b/modules/nixos-modules/server/forgejo.nix
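Review bot: Moving `sshPort` to 22222 changes only the builtin listener; nothing in this hunk opens that port in the firewall, and the advertised `SSH_PORT` (22, per the settings block later in this series) only resolves once the gateway forward described in the README exists. If the firewall rule lives elsewhere and already references this `sshPort` binding that is fine; otherwise add `networking.firewall.allowedTCPPorts = [sshPort];` in this module so the listener and the rule cannot drift. A comment on the binding, `# builtin Forgejo sshd; gateway forwards 22 -> this port`, would tie the number to the README plan. The `let` block continues outside the hunk.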
@@ -33,31 +33,32 @@ in { }; }; - services.forgejo = { - enable = true; - database = { - type = "postgres"; - socket = "/run/postgresql"; - }; - lfs.enable = true; - settings = { - server = { - DOMAIN = "${config.host.forgejo.subdomain}.${config.host.reverse_proxy.hostname}"; - HTTP_PORT = forgejoPort; - START_SSH_SERVER = true; - SSH_LISTEN_PORT = sshPort; - SSH_PORT = 22; - # TODO: we need to create this user, and then store their authorized keys somewhere and have both ssh server allow login in as that user based on those authorized keys - BUILTIN_SSH_SERVER_USER = "git"; - ROOT_URL = "https://git.jan-leila.com:"; - }; - service = { - DISABLE_REGISTRATION = true; - }; + services = { + forgejo = { + enable = true; database = { - DB_TYPE = "postgres"; - NAME = db_user; - USER = db_user; + type = "postgres"; + socket = "/run/postgresql"; + }; + lfs.enable = true; + settings = { + server = { + DOMAIN = "${config.host.forgejo.subdomain}.${config.host.reverse_proxy.hostname}"; + HTTP_PORT = forgejoPort; + START_SSH_SERVER = true; + SSH_LISTEN_PORT = sshPort; + SSH_PORT = 22; + BUILTIN_SSH_SERVER_USER = config.users.users.git.name; + ROOT_URL = "https://git.jan-leila.com"; + }; + service = { + DISABLE_REGISTRATION = true; + }; + database = { + DB_TYPE = "postgres"; + NAME = db_user; + USER = db_user; + }; }; }; }; diff --git a/modules/nixos-modules/users.nix b/modules/nixos-modules/users.nix index f57e894..92f4016 100644 --- a/modules/nixos-modules/users.nix +++ b/modules/nixos-modules/users.nix @@ -20,9 +20,9 @@ adguardhome = 2003; hass = 2004; headscale = 2005; - nextcloud = 2006; syncthing = 2007; ollama = 2008; + git = 2009; }; gids = { @@ -35,9 +35,9 @@ adguardhome = 2003; hass = 2004; headscale = 2005; - nextcloud = 2006; syncthing = 2007; ollama = 2008; + git = 2009; }; users = config.users.users; 
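Review bot: `ROOT_URL` is still a hard-coded `https://git.jan-leila.com` while `DOMAIN` a few lines above is derived from `config.host.forgejo.subdomain` and `config.host.reverse_proxy.hostname`, so changing either option silently leaves Forgejo generating links for the wrong host. Derive both from the same expression, `ROOT_URL = "https://${config.host.forgejo.subdomain}.${config.host.reverse_proxy.hostname}";` (Forgejo's documented examples end ROOT_URL with a trailing slash — worth checking the generated links on the instance). The switch to `config.users.users.git.name` for `BUILTIN_SSH_SERVER_USER` now ties this module to users.nix defining `git`; a one-line comment saying so next to that setting would save the next reader a search. The enclosing `config` attrset starts before the hunk.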
@@ -141,12 +141,6 @@ in { group = config.users.users.headscale.name; }; - nextcloud = { - uid = lib.mkForce uids.nextcloud; - isSystemUser = true; - group = config.users.users.nextcloud.name; - }; - syncthing = { uid = lib.mkForce uids.syncthing; isSystemUser = true; @@ -158,6 +152,13 @@ in { isSystemUser = true; group = config.users.users.ollama.name; }; + + git = { + uid = lib.mkForce uids.git; + isSystemUser = !config.services.forgejo.enable; + isNormalUser = config.services.forgejo.enable; + group = config.users.users.git.name; + }; }; groups = { @@ -232,14 +233,6 @@ in { ]; }; - nextcloud = { - gid = lib.mkForce gids.nextcloud; - members = [ - users.nextcloud.name - # leyla - ]; - }; - syncthing = { gid = lib.mkForce gids.syncthing; members = [ @@ -255,6 +248,13 @@ in { users.ollama.name ]; }; + + git = { + gid = lib.mkForce gids.git; + members = [ + users.git.name + ]; + }; }; }; } From da78b208cdf94f653a7a036f511625ec312ecf6e Mon Sep 17 00:00:00 2001 From: Leyla Becker Date: Fri, 14 Mar 2025 20:21:18 -0500 Subject: [PATCH 8/9] added ssh config for local git pushes --- configurations/home-manager/default.nix | 2 ++ configurations/home-manager/git/default.nix | 20 ++++++++++++++++++++ flake.nix | 7 ++++++- util/default.nix | 18 ++++++++++++++---- 4 files changed, 42 insertions(+), 5 deletions(-) create mode 100644 configurations/home-manager/git/default.nix diff --git a/configurations/home-manager/default.nix b/configurations/home-manager/default.nix index 3aa4c0e..a7fa478 100644 --- a/configurations/home-manager/default.nix +++ b/configurations/home-manager/default.nix @@ -1,10 +1,12 @@ { lib, config, + osConfig, ... }: let users = config.host.users; in { leyla = lib.mkIf users.leyla.isNormalUser (import ./leyla); eve = lib.mkIf users.eve.isNormalUser (import ./eve); + git = lib.mkIf (osConfig.services.forgejo.enable or false) (import ./git); } 
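Review bot: In the `git = { ... }` hunk, `isNormalUser = config.services.forgejo.enable` turns `git` into an interactive account as soon as Forgejo is on: NixOS then gives it a home under `/home`, `createHome` and the default login shell, which is more than a clone-URL user needs and works against the README's goal of an sshd for that user that "can only do forgejo things". If a home directory is only needed so home-manager can manage the account, keep `isSystemUser = true;` and set `home`/`createHome` explicitly together with a non-login shell (for example `shell = "/run/current-system/sw/bin/nologin";`), leaving SSH access to the key entries Forgejo manages. A comment that uid/gid `2009` is reserved for this account in both tables of this file would also help. The `users` attrset this hunk edits starts and ends outside the hunk.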
diff --git a/configurations/home-manager/git/default.nix b/configurations/home-manager/git/default.nix new file mode 100644 index 0000000..2276e7a --- /dev/null +++ b/configurations/home-manager/git/default.nix @@ -0,0 +1,20 @@ +{osConfig, ...}: { + home = { + username = osConfig.users.users.git.name; + homeDirectory = osConfig.users.users.git.home; + + # This value determines the Home Manager release that your configuration is + # compatible with. This helps avoid breakage when a new Home Manager release + # introduces backwards incompatible changes. + # + # You should not change this value, even if you update Home Manager. If you do + # want to update the value, then make sure to first check the Home Manager + # release notes. + stateVersion = "23.11"; # Please read the comment before changing. + }; + + programs.ssh.extraConfig = '' + AuthorizedKeysFile + /var/lib/forgejo/.ssh/authorized_keys + ''; +} diff --git a/flake.nix b/flake.nix index 8c64e2b..f9cb9a6 100644 --- a/flake.nix +++ b/flake.nix @@ -114,7 +114,12 @@ nixpkgs.lib.attrsets.mapAttrsToList (hostname: system: ( nixpkgs.lib.attrsets.mapAttrs' (user: _: { name = "${user}@${hostname}"; - value = mkHome user hostname system.pkgs.hostPlatform.system system.config; + value = mkHome { + user = user; + host = hostname; + system = system.pkgs.hostPlatform.system; + osConfig = system.config; + }; }) system.config.home-manager.users )) diff --git a/util/default.nix b/util/default.nix index 028212c..c6e0e06 100644 --- a/util/default.nix +++ b/util/default.nix 
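Review bot: `AuthorizedKeysFile` is an sshd_config (server) directive, but `programs.ssh.extraConfig` feeds the user's ssh client config, and the new file never sets `programs.ssh.enable = true`, so as far as I can tell the snippet is either ignored entirely or, once enabled, makes every outbound ssh from the `git` account fail on an unknown option. It also hard-codes `/var/lib/forgejo` instead of `osConfig.services.forgejo.stateDir`, which the series uses elsewhere. The directive belongs in the NixOS sshd config, scoped with a `Match User` block so the Forgejo key file is consulted only for logins to this account and not for every user; drop the `programs.ssh.extraConfig` block here and add the lines below to the NixOS module. sshd reads that file with the target user's privileges, so `git` also needs read access to it — verify against the ownership Forgejo gives its `.ssh` directory.
```nix
# NixOS module (not home-manager): consult Forgejo's key file for the git account only
services.openssh.extraConfig = ''
  Match User ${config.users.users.git.name}
    AuthorizedKeysFile ${config.services.forgejo.stateDir}/.ssh/authorized_keys
'';
```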
@@ -36,8 +36,13 @@ home-manager-config = nixpkgs: { home-manager.useUserPackages = true; home-manager.backupFileExtension = "backup"; - home-manager.extraSpecialArgs = {inherit inputs outputs util;}; - home-manager.users = import ../configurations/home-manager nixpkgs; + home-manager.extraSpecialArgs = { + inherit inputs outputs util; + }; + home-manager.users = import ../configurations/home-manager (nixpkgs + // { + osConfig = nixpkgs.config; + }); home-manager.sharedModules = home-manager-modules; }; @@ -61,7 +66,7 @@ in { nixpkgs.lib.nixosSystem { modules = [ { - # TODO: authorized keys for all users + # TODO: authorized keys for all users and hosts } ../configurations/nixos/${host} ]; @@ -97,7 +102,12 @@ in { ]; }; - mkHome = user: host: system: osConfig: + mkHome = { + user, + host, + system, + osConfig, + }: home-manager.lib.homeManagerConfiguration { pkgs = pkgsFor system; extraSpecialArgs = { From fc8877ff1050e4cc5539c233511c655ecffadec8 Mon Sep 17 00:00:00 2001 From: Leyla Becker Date: Fri, 14 Mar 2025 20:35:11 -0500 Subject: [PATCH 9/9] added fsid to all nfs mounts --- .../server/network_storage/nfs.nix | 21 +++++++------------ 1 file changed, 8 insertions(+), 13 deletions(-) diff --git a/modules/nixos-modules/server/network_storage/nfs.nix b/modules/nixos-modules/server/network_storage/nfs.nix index 405ea2c..1b52d26 100644 --- a/modules/nixos-modules/server/network_storage/nfs.nix +++ b/modules/nixos-modules/server/network_storage/nfs.nix 
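Review bot: In the first hunk the parameter named `nixpkgs` is used as the NixOS module argument set (`osConfig = nixpkgs.config` takes the evaluated NixOS config), which reads as the nixpkgs flake input at first glance. Destructuring it as `{config, ...} @ args:` and passing `(args // {osConfig = config;})` would make the intent visible, and a one-line comment above `home-manager.users` noting that `osConfig` is supplied explicitly here because the same home-manager configuration is also instantiated standalone through `mkHome` would explain the duplication. `home-manager-config` begins before this hunk.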
@@ -37,20 +37,15 @@ lib.mkIf (config.host.network_storage.nfs.enable && config.host.network_storage.enable) { services.nfs.server = { enable = true; - exports = lib.strings.concatLines ( - [ - "/exports 100.64.0.0/10(rw,fsid=0,no_subtree_check)" - ] - ++ (builtins.map ( - directory: "${directory._directory} 100.64.0.0/10(rw,nohide,sync,no_subtree_check,crossmnt)" + exports = lib.strings.concatLines (lib.lists.imap0 ( + i: directory: "${directory._directory} 100.64.0.0/10(fsid=${toString i},rw,nohide,sync,no_subtree_check,crossmnt)" + ) + ( + builtins.filter ( + directory: lib.lists.any (target: target == directory.folder) config.host.network_storage.nfs.directories ) - ( - builtins.filter ( - directory: lib.lists.any (target: target == directory.folder) config.host.network_storage.nfs.directories - ) - config.host.network_storage.directories - )) - ); + config.host.network_storage.directories + )); }; networking.firewall.interfaces.${config.services.tailscale.interfaceName}.allowedTCPPorts = [ config.host.network_storage.nfs.port
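Review bot: Dropping the explicit `/exports ... fsid=0` line and numbering directories with `imap0` makes the first directory that passes the filter the NFSv4 pseudo-root (`fsid=0`), so what clients see at `server:/` now depends on the order of `config.host.network_storage.directories`, and inserting or reordering an entry renumbers every later export and, from what I know of NFS, invalidates file handles clients already hold. Keep the root export and start numbering at 1: `exports = lib.strings.concatLines (["/exports 100.64.0.0/10(rw,fsid=0,no_subtree_check)"] ++ lib.lists.imap1 (` with the rest of the expression unchanged, or better derive `fsid` from a stable per-directory value rather than list position. A comment on the `fsid=` line stating that the number must stay stable across rebuilds would help the next editor. The enclosing `lib.mkIf` body continues past the hunk.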