diff --git a/TODO.md b/TODO.md
deleted file mode 100644
index 52635fc..0000000
--- a/TODO.md
+++ /dev/null
@@ -1,10 +0,0 @@
-- [ ] Update the README.md
-- [ ] switch ssh keys to ECC (fuck RSA)
-
-- [ ] migrate forge.dobutterfliescry.net -> tearforge.net
-- [ ] rename forgejo user to git
-- [ ] setup my own VPN
-- [ ] connect match to my VPN
-- [ ] use matcha to build stuff instead of using my laptop
-
-- [ ] make `ceru` do local and remote deployments
diff --git a/flake.lock b/flake.lock
index 26fea2d..6285619 100644
--- a/flake.lock
+++ b/flake.lock
@@ -3,11 +3,12 @@
 "cerulean": {
 "inputs": {
 "deploy-rs": "deploy-rs",
- "home-manager": "home-manager",
- "microvm": "microvm",
 "nixpkgs": [
 "nixpkgs"
 ],
+ "nixpkgs-unstable": [
+ "nixpkgs-unstable"
+ ],
 "nt": [
 "nt"
 ],
@@ -16,26 +17,20 @@
 ]
 },
 "locked": {
- "lastModified": 1771194110,
- "narHash": "sha256-x6rijGWmPL5FTpkr+8vpcKKCOT33QHEV8bP6ibEAXFE=",
- "owner": "cry128",
- "repo": "Cerulean",
- "rev": "d527937829dec0f410f126a2f85e374cb99a2fbb",
- "type": "github"
+ "lastModified": 1770984845,
+ "narHash": "sha256-si6XCx0xGq3z7dZSVCx5NgVxgFdnTc1qaKro5IemG70=",
+ "path": "/home/me/cry/mk/Cerulean",
+ "type": "path"
 },
 "original": {
- "owner": "cry128",
- "repo": "Cerulean",
- "type": "github"
+ "path": "/home/me/cry/mk/Cerulean",
+ "type": "path"
 }
 },
 "deploy-rs": {
 "inputs": {
 "flake-compat": "flake-compat",
- "nixpkgs": [
- "cerulean",
- "nixpkgs"
- ],
+ "nixpkgs": "nixpkgs",
 "utils": "utils"
 },
 "locked": {
@@ -171,7 +166,6 @@
 "home-manager": {
 "inputs": {
 "nixpkgs": [
- "cerulean",
 "nixpkgs"
 ]
 },
@@ -190,49 +184,6 @@
 "type": "github"
 }
 },
- "home-manager_2": {
- "inputs": {
- "nixpkgs": [
- "nixpkgs"
- ]
- },
- "locked": {
- "lastModified": 1770260404,
- "narHash": "sha256-3iVX1+7YUIt23hBx1WZsUllhbmP2EnXrV8tCRbLxHc8=",
- "owner": "nix-community",
- "repo": "home-manager",
- "rev": "0d782ee42c86b196acff08acfbf41bb7d13eed5b",
- "type": "github"
- },
- "original": {
- "owner": "nix-community",
- "ref": "release-25.11",
- "repo": "home-manager",
- "type": "github"
- }
- },
- "microvm": {
- "inputs": {
- "nixpkgs": [
- "cerulean",
- "nixpkgs"
- ],
- "spectrum": "spectrum"
- },
- "locked": {
- "lastModified": 1770310890,
- "narHash": "sha256-lyWAs4XKg3kLYaf4gm5qc5WJrDkYy3/qeV5G733fJww=",
- "owner": "microvm-nix",
- "repo": "microvm.nix",
- "rev": "68c9f9c6ca91841f04f726a298c385411b7bfcd5",
- "type": "github"
- },
- "original": {
- "owner": "microvm-nix",
- "repo": "microvm.nix",
- "type": "github"
- }
- },
 "nix-flatpak": {
 "locked": {
 "lastModified": 1767983141,
@@ -319,16 +270,16 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1770770419,
- "narHash": "sha256-iKZMkr6Cm9JzWlRYW/VPoL0A9jVKtZYiU4zSrVeetIs=",
- "owner": "nixos",
+ "lastModified": 1743014863,
+ "narHash": "sha256-jAIUqsiN2r3hCuHji80U7NNEafpIMBXiwKlSrjWMlpg=",
+ "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "6c5e707c6b5339359a9a9e215c5e66d6d802fd7a",
+ "rev": "bd3bac8bfb542dbde7ffffb6987a1a1f9d41699f",
 "type": "github"
 },
 "original": {
- "owner": "nixos",
- "ref": "nixos-25.11",
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
 "repo": "nixpkgs",
 "type": "github"
 }
@@ -365,6 +316,22 @@
 }
 },
 "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1770770419,
+ "narHash": "sha256-iKZMkr6Cm9JzWlRYW/VPoL0A9jVKtZYiU4zSrVeetIs=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "6c5e707c6b5339359a9a9e215c5e66d6d802fd7a",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-25.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_3": {
 "locked": {
 "lastModified": 1767313136,
 "narHash": "sha256-16KkgfdYqjaeRGBaYsNrhPRRENs0qzkQVUooNHtoy2w=",
@@ -383,21 +350,18 @@
 "nt": {
 "inputs": {
 "nix-unit": "nix-unit",
- "nixpkgs": "nixpkgs_2",
+ "nixpkgs": "nixpkgs_3",
 "systems": "systems_2"
 },
 "locked": {
- "lastModified": 1770975056,
- "narHash": "sha256-ZXTz/P3zUbbM6lNXzt91u8EwfNqhXpYMu8+wvFZqQHE=",
- "owner": "cry128",
- "repo": "nt",
- "rev": "f42dcdd49a7921a7f433512e83d5f93696632412",
- "type": "github"
+ "lastModified": 1770975061,
+ "narHash": "sha256-dedEcQSEzur2/pBcxFFygkSrMuKGOUWThOUD2LXMCsA=",
+ "path": "/home/me/cry/mk/nt",
+ "type": "path"
 },
 "original": {
- "owner": "cry128",
- "repo": "nt",
- "type": "github"
+ "path": "/home/me/cry/mk/nt",
+ "type": "path"
 }
 },
 "root": {
@@ -405,31 +369,15 @@
 "cerulean": "cerulean",
 "dobutterfliescry-net": "dobutterfliescry-net",
 "grub2-themes": "grub2-themes",
- "home-manager": "home-manager_2",
+ "home-manager": "home-manager",
 "nix-flatpak": "nix-flatpak",
 "nixcord": "nixcord",
- "nixpkgs": "nixpkgs",
+ "nixpkgs": "nixpkgs_2",
 "nixpkgs-unstable": "nixpkgs-unstable",
 "nt": "nt",
 "systems": "systems_3"
 }
 },
- "spectrum": {
- "flake": false,
- "locked": {
- "lastModified": 1759482047,
- "narHash": "sha256-H1wiXRQHxxPyMMlP39ce3ROKCwI5/tUn36P8x6dFiiQ=",
- "ref": "refs/heads/main",
- "rev": "c5d5786d3dc938af0b279c542d1e43bce381b4b9",
- "revCount": 996,
- "type": "git",
- "url": "https://spectrum-os.org/git/spectrum"
- },
- "original": {
- "type": "git",
- "url": "https://spectrum-os.org/git/spectrum"
- }
- },
 "systems": {
 "locked": {
 "lastModified": 1681028828,
diff --git a/flake.nix b/flake.nix index 2e7b315..6f73362 100644 --- a/flake.nix +++ b/flake.nix @@ -12,15 +12,16 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - nt.url = "github:cry128/nt"; - # nt.url = "/home/me/cry/mk/nt"; + # nt.url = "github:cry128/nt"; + nt.url = "/home/me/cry/mk/nt"; cerulean = { - url = "github:cry128/Cerulean"; - # url = "/home/me/cry/mk/Cerulean"; + # url = "github:cry128/Cerulean"; + url = "/home/me/cry/mk/Cerulean"; inputs = { systems.follows = "systems"; nixpkgs.follows = "nixpkgs"; + nixpkgs-unstable.follows = "nixpkgs-unstable"; nt.follows = "nt"; }; }; diff --git a/groups/all/default.nix b/groups/all/default.nix index a636196..3860303 100644 --- a/groups/all/default.nix +++ b/groups/all/default.nix @@ -24,13 +24,6 @@ ]; }; - programs.nh = { - enable = true; - clean.enable = true; - clean.extraArgs = "--keep-since 7d --keep 3"; - flake = "/home/me/flake"; # sets NH_OS_FLAKE variable for you - }; - nix.settings = { # make wheel group trusted users allows my "ae" user # to import packages not signed by a trusted key diff --git a/groups/all/modules/flatpak.nix b/groups/all/modules/flatpak.nix index fbc2b38..20cf828 100644 --- a/groups/all/modules/flatpak.nix +++ b/groups/all/modules/flatpak.nix @@ -1,12 +1,12 @@ {...}: { services.flatpak = { - # DEBUG: remotes = [ - # DEBUG: { - # DEBUG: location = "https://dl.flathub.org/repo/flathub.flatpakrepo"; - # DEBUG: name = "flathub"; - # DEBUG: } - # DEBUG: ]; + remotes = [ + { + location = "https://dl.flathub.org/repo/flathub.flatpakrepo"; + name = "flathub"; + } + ]; - # DEBUG: uninstallUnmanaged = true; + uninstallUnmanaged = true; }; } diff --git a/groups/cryde/default.nix b/groups/cryde/default.nix index 02c1be0..03cdd2c 100644 --- a/groups/cryde/default.nix +++ b/groups/cryde/default.nix @@ -109,6 +109,9 @@ }; systemPackages = with pkgs; [ sddm-theme-corners + # dependencies for my sddm theme: + # XXX: add these as a buildInput + # pkgs.libsForQt5.qt5.qtgraphicaleffects ]; }; 
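Review bot: `nt.url` and `cerulean.url` now resolve to absolute paths under `/home/me/cry/mk/`, so the flake only evaluates on the one machine that has those checkouts, and the committed lock records them as `type: path` entries that no other host, deploy run or CI can fetch. If this is a local-iteration toggle, keep the `github:` URLs committed and override per invocation with `nix flake lock --override-input nt path:/home/me/cry/mk/nt` (likewise for `cerulean`) instead of swapping the commented lines. A side effect visible in the flake.lock hunks above is that `deploy-rs` stopped following the root `nixpkgs` and picked up its own, older `nixpkgs-unstable` pin; if that is unintended, adding `deploy-rs.inputs.nixpkgs.follows = "nixpkgs";` inside this `inputs = { ... }` set would restore the single pin.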
diff --git a/groups/cryos/programs.nix b/groups/cryos/programs.nix index 3e58545..947a1e5 100644 --- a/groups/cryos/programs.nix +++ b/groups/cryos/programs.nix @@ -19,7 +19,7 @@ hexyl # ASM nasm - x86-manpages + # x86-manpages # DEBUG # C Family gcc clang diff --git a/groups/server/default.nix b/groups/server/default.nix index 32fe569..6182ef1 100644 --- a/groups/server/default.nix +++ b/groups/server/default.nix @@ -1,7 +1,7 @@ {lib, ...}: { networking.firewall = { allowedTCPPorts = [ - 42069 # ssh + 22 ]; }; @@ -9,7 +9,7 @@ # accept Lets Encrypt's security policy acme = { acceptTerms = true; - defaults.email = "eclarkboman@gmail.com"; + defaults.email = "them@dobutterfliescry.net"; }; sudo = { @@ -26,7 +26,7 @@ services = { openssh = { enable = true; - ports = [42069]; + ports = [22]; settings = { PasswordAuthentication = false; PermitRootLogin = "no"; @@ -37,22 +37,6 @@ }; }; - # simple fail2ban config (not production ready or anything though) - # refer to: https://nixos.wiki/wiki/Fail2Ban - services.fail2ban = { - enable = true; - - maxretry = 5; - bantime = "10m"; # 10 minute ban - bantime-increment = { - enable = true; - formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)"; - # multipliers = "1 2 4 8 16 32 64"; - maxtime = "168h"; # dont ban for more than 1 week - overalljails = true; - }; - }; - users = { users = { # primary user diff --git a/homes/me/default.nix b/homes/me/default.nix index 169219f..8484344 100755 --- a/homes/me/default.nix +++ b/homes/me/default.nix 
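Review bot: Moving sshd to `22` in both `allowedTCPPorts` and `ports` coincides with deleting the `services.fail2ban` block from this group, and nothing in the diff imports the new `homes/modules/server/fail2ban.nix` into any host, so `butterfly` and `hyrule` (both `groups.server` in snow.nix) appear to end up on the default port with no login rate limiting at all. If the move is meant to keep that protection, import the new module from this group or leave the block here; `services.fail2ban` and `services.openssh` are NixOS options, so they presumably belong under a system group rather than `homes/`. The `# ssh` comment was dropped with the port number; `22 # ssh` keeps the firewall entry self-explaining.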
@@ -106,30 +106,42 @@ }; # set ssh profiles - # WARNING: this DOES NOT start the ssh-agent - # WARNING: for that you need to use `services.ssh-agent.enable` + # NOTE: (IMPORTANT) this DOES NOT start the ssh-agent + # for that you need to use `services.ssh-agent.enable` ssh = { enable = true; forwardAgent = false; - addKeysToAgent = "yes"; + addKeysToAgent = "no"; matchBlocks = { - butterfly = { - hostname = "dobutterfliescry.net"; - user = "cry"; - port = 42069; - identityFile = "~/.ssh/id_butterfly"; + hyrule = { + hostname = "imbored.dev"; + user = "ae"; + port = 22; + identityFile = "~/.ssh/id_hyrule"; setEnv = { TERM = "linux"; }; }; clocktown = { - hostname = "hyrule.dobutterfliescry.net"; - user = "cry"; - port = 42069; - identityFile = "~/.ssh/id_hyrule"; + hostname = "clocktown.dobutterfliescry.net"; + user = "root"; + port = 22; + identityFile = "~/.ssh/id_clocktown"; + }; + subspace = { + hostname = "imbored.dev"; + user = "subspace"; + port = 22; + identityFile = "~/.ssh/id_subspace"; + }; + dead = { + hostname = "deadlyserver.com"; + user = "emile"; + port = 29843; + identityFile = "~/.ssh/id_deadlyserver"; setEnv = { - TERM = "linux"; + TERM = "xterm-256color"; }; }; youcue = { diff --git a/homes/modules/git.nix b/homes/modules/git.nix index c1e3ed6..402efaa 100755 --- a/homes/modules/git.nix +++ b/homes/modules/git.nix @@ -7,24 +7,24 @@ enable = true; lfs.enable = true; + userName = "_cry64"; + userEmail = "them@dobutterfliescry.net"; + signing = { # key = "F68745A836CA0412"; # format = "openpgp"; # signByDefault = true; }; - settings = { - user.name = "_cry64"; - user.email = "them@dobutterfliescry.net"; - - alias = { - s = "status"; - d = "diff"; - l = "log"; - c = "commit"; - p = "push"; - }; + aliases = { + s = "status"; + d = "diff"; + l = "log"; + c = "commit"; + p = "push"; + }; + extraConfig = { color.ui = true; core.editor = "hx"; github.user = "cry128"; 
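Review bot: The new `clocktown` block logs in as `user = "root"`, but the server group in this same diff keeps `PermitRootLogin = "no"`; if clocktown is built from that group this profile can never authenticate, and if it is not, it is the one direct root login the rest of the config goes out of its way to refuse — a dedicated user plus the group's `sudo` rules (e.g. `user = "ae";` as for `hyrule`) fits the rest of the setup better. Each block names an `identityFile` but not `identitiesOnly = true;`, so the client may still offer every loaded agent key before the named one. The `matchBlocks` set continues past the end of the hunk (`youcue`).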
@@ -51,7 +51,7 @@ "codeberg:" ]; }; - "git@tearforge.net/" = { + "forgejo@forge.dobutterfliescry.net:2222/" = { insteadOf = [ "cry:" "forge:" diff --git a/homes/modules/server/fail2ban.nix b/homes/modules/server/fail2ban.nix new file mode 100755 index 0000000..0681c68 --- /dev/null +++ b/homes/modules/server/fail2ban.nix @@ -0,0 +1,17 @@ +{...}: { + # simple fail2ban config (not production ready or anything though) + # refer to: https://nixos.wiki/wiki/Fail2Ban + services.fail2ban = { + enable = true; + + maxretry = 5; + bantime = "10m"; # 10 minute ban + bantime-increment = { + enable = true; + formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)"; + multipliers = "1 2 4 8 16 32 64"; + maxtime = "168h"; # dont ban for more than 1 week + overalljails = true; + }; + }; +} diff --git a/homes/modules/server/nginx.nix b/homes/modules/server/nginx.nix new file mode 100755 index 0000000..a11b65c --- /dev/null +++ b/homes/modules/server/nginx.nix @@ -0,0 +1,35 @@ +{...}: { + services = { + # use nginx as the reverse proxy + # (also will use certbot and Let's Encrypt) + # refer to: https://nixos.wiki/wiki/Nginx + nginx = { + enable = true; + + recommendedProxySettings = true; + recommendedTlsSettings = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + + # https://imbored.dev + virtualHosts = { + "imbored.dev" = { + forceSSL = true; + enableACME = true; + # config reverse proxy paths + locations = { + "/" = { + # TODO + proxyPass = "http://127.0.0.1:12345"; + }; + }; + }; + }; + }; + }; + + security.acme = { + acceptTerms = true; + defaults.email = "eclarkboman@gmail.com"; + }; +} diff --git a/homes/modules/server/ssh.nix b/homes/modules/server/ssh.nix new file mode 100755 index 0000000..b898468 --- /dev/null +++ b/homes/modules/server/ssh.nix 
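Review bot: `"forgejo@forge.dobutterfliescry.net:2222/"` is git's scp-like `user@host:path` form, where `2222/` is the first path component rather than a port; `forge:owner/repo` therefore expands to an ssh connection on port 22 asking for the repository `2222/owner/repo`. A port only parses in URL form, i.e. `"ssh://forgejo@forge.dobutterfliescry.net:2222/"`, which also matches the 2222 plan in the butterfly nginx TODO. The enclosing `url` attribute set starts before this hunk.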
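Review bot: `multipliers = "1 2 4 8 16 32 64";` is now set alongside `formula` in `bantime-increment`; in fail2ban's jail configuration `bantime.multipliers`, when present, is used instead of the formula, so one of the two lines is dead, and the copy this commit removes from `groups/server/default.nix` kept `multipliers` commented for that reason — pick one and delete the other. `services.fail2ban` is a NixOS option, yet this file lives under `homes/modules/`; if it is imported as a home-manager module the option does not exist there and evaluation fails, so it probably belongs next to the server group it was moved out of. A top-of-file comment such as `# NixOS module: import from a host/group, not from home-manager` would make the intended import site explicit.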
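Review bot: `security.acme.defaults.email` is set here to `"eclarkboman@gmail.com"` while the same commit changes the server group's value to `"them@dobutterfliescry.net"`; if both modules are imported on one host NixOS rejects the two conflicting string definitions, and either way two modules owning the ACME contact is one too many — drop the `security.acme` block here and rely on the group's. `proxyPass = "http://127.0.0.1:12345"` under `# TODO` is a placeholder with no backend in the diff, so `imbored.dev` would answer 502 until it is wired up; a comment naming the intended service (`# proxies to <service> once it is deployed`) would help the next reader. Like the sibling fail2ban.nix, this file sets system-level `services.nginx`/`security.acme` options from under `homes/modules/`.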
@@ -0,0 +1,13 @@ +{...}: { + services.openssh = { + enable = true; + ports = [22]; + settings = { + PasswordAuthentication = true; + PermitRootLogin = "no"; + AllowUsers = null; # allow all users by default + UseDns = true; + X11Forwarding = false; + }; + }; +} diff --git a/hosts/butterfly/services/nginx.nix b/hosts/butterfly/services/nginx.nix index 5dcb5c6..ba78c0a 100644 --- a/hosts/butterfly/services/nginx.nix +++ b/hosts/butterfly/services/nginx.nix @@ -1,13 +1,30 @@ -{pkgs, ...}: { +{ + inputs, + pkgs, + ... +}: { + nixpkgs.overlays = [ + (self: super: { + # in wake of CVE-2022-3602/CVE-2022-3786 + nginxStable = super.nginxStable.override {openssl = pkgs.libressl;}; + }) + inputs.dobutterfliescry-net.overlays.default + ]; + + # simple nginx instance to host static construction page + # TODO: I want sshd and forgejo's ssh server to both be bound to port 22 + # So change sshd to listen on a different address/port (ie 2222 or 127.0.0.3:22, etc) + # and change forgejo to use 127.0.0.2:22 (use port 22, ONLY change loopback address) services.nginx = { enable = true; - # NOTE: in wake of CVE-2022-3602/CVE-2022-3786 nginxStable is overlayed - package = pkgs.nginx; + # XXX: TODO: this should auto use the nginxStable overlay no? + # in wake of CVE-2022-3602/CVE-2022-3786 + # package = pkgs.nginxStable.override {openssl = pkgs.libressl;}; - # recommendedGzipSettings = true; - # recommendedOptimisation = true; - # recommendedProxySettings = true; - # recommendedTlsSettings = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; # streamConfig = '' # server { 
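Review bot: `PasswordAuthentication = true;` on a listener bound to the default port `22` with `AllowUsers = null` accepts password logins from any source for every account, which is exactly what `groups/server/default.nix` turns off and what the fail2ban rules this commit removes were there to contain; unless a user genuinely has no key, this should be `PasswordAuthentication = false;` together with `KbdInteractiveAuthentication = false;` so PAM-backed password prompts are closed too. `AllowUsers = null` is the option's default and `UseDns = true` only adds a reverse lookup per connection without strengthening authentication, so both can go or carry a comment saying why they are spelled out. As with the other files under `homes/modules/server/`, `services.openssh` is a NixOS option, so this module has to be imported from a host or group, not from home-manager.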
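Review bot: The new overlay builds `nginxStable` with `openssl = pkgs.libressl`, but `pkgs` in a NixOS module is the package set after `nixpkgs.overlays` has been applied, so referencing it from inside one of those overlays is the classic infinite-recursion trap; use `super.libressl` (as the removed `overlays/default.nix` did) or `self.libressl`. To the `XXX: TODO` question: `services.nginx.package` defaults to `pkgs.nginxStable`, so with the overlay in place no `package =` line is needed, and the comment could state that instead of asking. CVE-2022-3602/CVE-2022-3786 were fixed upstream in OpenSSL 3.0.7, and a nixpkgs pinned this recently ships a fixed OpenSSL, so the LibreSSL swap is now a deliberate TLS-stack choice rather than a mitigation; the comment should give the current reason or the override should go. The `services.nginx` set continues past the end of this hunk.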
@@ -26,33 +43,40 @@ enableACME = true; # kTLS = true; # offload TLS to the linux kernel }; + + vault = + { + forceSSL = true; + locations."/".proxyPass = "${localhost}:8222"; + } + // std; + forge = + { + forceSSL = true; + extraConfig = '' + client_max_body_size 512M; + ''; + locations."/".proxyPass = "${localhost}:3000"; + } + // std; in { "dobutterfliescry.net" = { default = true; - addSSL = true; # addSSL NOT forceSSL <3 + addSSL = true; # not strictly enforced <3 + # root = "/var/www/cry"; root = "${pkgs.dobutterfliescry-net}/www"; # extraConfig = '' # error_page 404 /custom_404.html; # ''; } // std; - "vault.imbored.dev" = - { - forceSSL = true; - locations."/".proxyPass = "${localhost}:8222"; - } - // std; - # "tearforge.net" = - # { - # forceSSL = true; - # extraConfig = '' - # client_max_body_size 512M; - # ''; - # locations."/".proxyPass = "${localhost}:3000"; - # } - # // std; + # Route "vault" subdomain to vaultwarden + "vault.imbored.dev" = vault; + # Route "forge" subdomain to forgejo + # TODO: use `forgejo.settings.server.ENABLE_ACME` instead? # "tearforge.net" = forge; + "forge.dobutterfliescry.net" = forge; }; }; } diff --git a/nixpkgs.nix b/nixpkgs.nix index 816800f..12e275c 100644 --- a/nixpkgs.nix +++ b/nixpkgs.nix @@ -3,17 +3,15 @@ inputs, system, ... -} @ args: { - nixpkgs.channels.default = rec { - default = pkgs; +}: { + nixpkgs.channels.default = { # nixpkgs (stable branch) pkgs = { inherit system; source = inputs.nixpkgs; - overlays = [ - inputs.dobutterfliescry-net.overlays.default - (import ./overlays/default.nix args) - ]; + overlays = + [inputs.dobutterfliescry-net.overlays.default] + ++ import ./overlays/default.nix; config = { # allowUnfree = false; allowBroken = false; 
@@ -33,10 +31,9 @@ upkgs = { inherit system; source = inputs.nixpkgs-unstable; - overlays = [ - inputs.dobutterfliescry-net.overlays.default - (import ./overlays/default.nix args) - ]; + overlays = + [inputs.dobutterfliescry-net.overlays.default] + ++ import ./overlays/default.nix; config = { allowUnfree = false; allowBroken = false; diff --git a/overlays/default.nix b/overlays/default.nix index d18a23d..5c6507a 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -1,5 +1,5 @@ -{inputs, ...}: ( - self: super: { +[ + (self: super: { angry-oxide = import ../packages/angryoxide { pkgs = super; inherit @@ -18,10 +18,6 @@ pkgs = super; }; - # in wake of CVE-2022-3602/CVE-2022-3786 - nginxStable = super.nginxStable.override {openssl = super.libressl;}; - nginx = super.nginx.override {openssl = super.libressl;}; - element-desktop = super.element-desktop.overrideAttrs (final: prev: { desktopItems = [ ((builtins.elemAt prev.desktopItems 0).override { @@ -29,5 +25,5 @@ }) ]; }); - } -) + }) +] diff --git a/snow.nix b/snow.nix index 4d3b575..7b263f3 100644 --- a/snow.nix +++ b/snow.nix @@ -13,6 +13,10 @@ cerulean.mkNexus ./. (self: { server = {}; }; + extraModules = with inputs; [ + home-manager.nixosModules.default + ]; + nodes = let inherit (self.nexus) @@ -43,21 +47,14 @@ cerulean.mkNexus ./. (self: { butterfly = { system = "x86_64-linux"; groups = [groups.server]; - deploy.ssh = { - host = "dobutterfliescry.net"; - user = "cry"; - port = 42069; - }; + deploy.ssh.host = "dobutterfliescry.net"; }; # pls dont sue me im broke hyrule = { system = "x86_64-linux"; groups = [groups.server]; - deploy.ssh = { - host = "hyrule.dobutterfliescry.net"; - user = "cry"; - }; + deploy.ssh.host = "hyrule.dobutterfliescry.net"; }; # call me a statistician the way she spreads in my sheets