From eaee170085c9a5445d4096098d25b82d46a1f295 Mon Sep 17 00:00:00 2001 From: Hung Date: Fri, 20 Jan 2023 10:48:41 -0800 Subject: [PATCH 1/5] forgot .envrc :/ --- templates/py-poetry/.envrc | 6 ++++++ templates/py-poetry/README.md | 2 ++ 2 files changed, 8 insertions(+) create mode 100644 templates/py-poetry/.envrc diff --git a/templates/py-poetry/.envrc b/templates/py-poetry/.envrc new file mode 100644 index 0000000..9834d0e --- /dev/null +++ b/templates/py-poetry/.envrc @@ -0,0 +1,6 @@ +# If nix-shell available, then nix is installed. We're going to use nix-direnv. +if command -v nix-shell &> /dev/null +then + use flake +fi + diff --git a/templates/py-poetry/README.md b/templates/py-poetry/README.md index d5c64c3..2349dfa 100644 --- a/templates/py-poetry/README.md +++ b/templates/py-poetry/README.md @@ -4,6 +4,8 @@ - Bootstrapped with [pegasust/dotfiles](https://git.pegasust.com/pegasust/dotfiles) +`nix flake new --template git:git.pegasust.com/pegasust/dotfiles#py-poetry ./` + - Provides [devShell (`nix develop`)](https://nixos.org/manual/nix/stable/command-ref/new-cli/nix3-develop.html), [shell.nix (`nix-shell -p ./`)](https://nixos.org/manual/nix/stable/command-ref/nix-shell.html) From b63f75815c301b52b20d02b84a49f52a25776aa8 Mon Sep 17 00:00:00 2001 From: Hung Date: Fri, 20 Jan 2023 10:59:07 -0800 Subject: [PATCH 2/5] bonehead on nix flake's fetch git convention --- templates/py-poetry/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/py-poetry/README.md b/templates/py-poetry/README.md index 2349dfa..2b1e13a 100644 --- a/templates/py-poetry/README.md +++ b/templates/py-poetry/README.md 
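Review bot: The guard only checks that `nix-shell` is on PATH, but `use flake` additionally needs Nix with the `flakes` and `nix-command` experimental features enabled, so on a plain Nix install the .envrc passes the guard and then fails inside `use flake` with no hint why. The comment says nix-direnv will be used, yet nothing in this file loads it; whether `use flake` resolves to nix-direnv's cached implementation or to the `use_flake` that recent direnv stdlib versions ship depends on the user's direnvrc, which is outside this repository. I would reword the comment to `# Needs Nix with the flakes feature; use_flake comes from nix-direnv when installed, otherwise direnv's own stdlib` so the real prerequisite is stated where it is checked.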
@@ -4,7 +4,7 @@ - Bootstrapped with [pegasust/dotfiles](https://git.pegasust.com/pegasust/dotfiles) -`nix flake new --template git:git.pegasust.com/pegasust/dotfiles#py-poetry ./` +`nix flake new --template git+https://git.pegasust.com/pegasust/dotfiles.git#py-poetry ./` - Provides [devShell (`nix develop`)](https://nixos.org/manual/nix/stable/command-ref/new-cli/nix3-develop.html), [shell.nix (`nix-shell -p ./`)](https://nixos.org/manual/nix/stable/command-ref/nix-shell.html) From 4ab83570aaaa183fd0934695206cf0f93b13c0c2 Mon Sep 17 00:00:00 2001 From: Hung Date: Fri, 20 Jan 2023 13:13:14 -0800 Subject: [PATCH 3/5] while top-level nixosConfiguration is broken, bring back nix-conf/system --- modules/mosh.sys.nix | 24 ++++++--- modules/tailscale.sys.nix | 87 ++++++++++++++++--------------- native_configs/ssh/config | 5 ++ nix-conf/system/configuration.nix | 65 ++--------------------- nix-conf/system/flake.nix | 50 +++++++++++++++--- 5 files changed, 114 insertions(+), 117 deletions(-) diff --git a/modules/mosh.sys.nix b/modules/mosh.sys.nix index 193f661..33571cd 100644 --- a/modules/mosh.sys.nix +++ b/modules/mosh.sys.nix @@ -2,12 +2,24 @@ , lib , config , ... -}: { - environment.systemPackages = [ pkgs.mosh ]; - networking.firewall = lib.mkIf config.networking.firewall.enable { - allowedUDPPortRanges = [ - { from = 60000; to = 61000; } # mosh - ]; +}: +let cfg = config.mod.mosh; in +{ + options.mod.mosh = { + enable = lib.mkOption { + type = lib.types.bool; + description = "enable mosh"; + default = true; + example = false; + }; + }; + config = lib.mkIf cfg.enable { + environment.systemPackages = [ pkgs.mosh ]; + networking.firewall = lib.mkIf config.networking.firewall.enable { + allowedUDPPortRanges = [ + { from = 60000; to = 61000; } # mosh + ]; + }; }; } diff --git a/modules/tailscale.sys.nix b/modules/tailscale.sys.nix index f926523..6e3e1bb 100644 --- a/modules/tailscale.sys.nix +++ b/modules/tailscale.sys.nix 
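Review bot: `default = true;` on `options.mod.mosh.enable` makes the module opt-out, so every host that imports `modules/mosh.sys.nix` (configuration.nix imports it unconditionally later in this series) gets `pkgs.mosh` installed and UDP 60000–61000 opened whenever the firewall is on, with no per-host setting. The sibling tailscale module in the same commit uses `lib.mkEnableOption "tailscale"` (default false) and is switched on per host in flake.nix; mosh should follow the same convention: `enable = lib.mkEnableOption "mosh";` plus `mod.mosh.enable = true;` in the host blocks that need it. If opt-out is intended, make the option say so: `description = "enable mosh and open UDP 60000-61000 in the firewall for it";`.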
@@ -2,48 +2,53 @@ , config , lib , ... -}: { - environment.systemPackages = [ pkgs.tailscale ]; - services.tailscale.enable = true; - - systemd.services.tailscale-autoconnect = { - description = "Automatically connects to Tailscale"; - - # make sure tailscale is running before trying to connect to tailscale - after = [ "network-pre.target" "tailscale.service" ]; - wants = [ "network-pre.target" "tailscale.service" ]; - wantedBy = [ "multi-user.target" ]; - - # set this service as a oneshot job - serviceConfig.Type = "oneshot"; - - # have the job run this shell script - script = '' - # wait for tailscaled to settle - sleep 2 - # check if we are already authenticated to tailscale - status="$(${pkgs.tailscale}/bin/tailscale status -json | ${pkgs.jq}/bin/jq -r .BackendState)" - if [ $status = "Running" ]; then # if so, then do nothing - exit 0 - fi - - # ${pkgs.tailscale}/bin/tailscale up # blocks, doesn't give url - # This time, configure device auth so that we authenticate from portal - # https://tailscale.com/kb/1099/device-authorization/#enable-device-authorization-for-your-network - ${pkgs.tailscale}/bin/tailscale up -authkey tskey-auth-kJcgTG5CNTRL-PUVFkk31z1bThHpfq3FC5b1jcMmkW2EYW - ''; +}: let cfg = config.mod.tailscale; in { + options.mod.tailscale = { + enable = lib.mkEnableOption "tailscale"; }; + config = lib.mkIf cfg.enable { + environment.systemPackages = [ pkgs.tailscale ]; + services.tailscale.enable = true; - networking.firewall = lib.mkIf config.networking.firewall.enable { - trustedInterfaces = [ - "tailscale0" - ]; - allowedUDPPorts = [ - config.services.tailscale.port - ]; - allowedTCPPorts = [ - 22 - ]; - checkReversePath = "loose"; + systemd.services.tailscale-autoconnect = { + description = "Automatically connects to Tailscale"; + + # make sure tailscale is running before trying to connect to tailscale + after = [ "network-pre.target" "tailscale.service" ]; + wants = [ "network-pre.target" "tailscale.service" ]; + wantedBy = [ 
"multi-user.target" ]; + + # set this service as a oneshot job + serviceConfig.Type = "oneshot"; + + # have the job run this shell script + script = '' + # wait for tailscaled to settle + sleep 2 + # check if we are already authenticated to tailscale + status="$(${pkgs.tailscale}/bin/tailscale status -json | ${pkgs.jq}/bin/jq -r .BackendState)" + if [ $status = "Running" ]; then # if so, then do nothing + exit 0 + fi + + # ${pkgs.tailscale}/bin/tailscale up # blocks, doesn't give url + # This time, configure device auth so that we authenticate from portal + # https://tailscale.com/kb/1099/device-authorization/#enable-device-authorization-for-your-network + ${pkgs.tailscale}/bin/tailscale up -authkey tskey-auth-kJcgTG5CNTRL-PUVFkk31z1bThHpfq3FC5b1jcMmkW2EYW + ''; + }; + + networking.firewall = lib.mkIf config.networking.firewall.enable { + trustedInterfaces = [ + "tailscale0" + ]; + allowedUDPPorts = [ + config.services.tailscale.port + ]; + allowedTCPPorts = [ + 22 + ]; + checkReversePath = "loose"; + }; }; } diff --git a/native_configs/ssh/config b/native_configs/ssh/config index 13a3cea..a1b2f67 100644 --- a/native_configs/ssh/config +++ b/native_configs/ssh/config @@ -47,3 +47,8 @@ Host mokoi User ubuntu_admin Port 22 +Host noami + HostName 10.100.200.230 + User htran + Port 22 + diff --git a/nix-conf/system/configuration.nix b/nix-conf/system/configuration.nix index 1ab2020..e4318dd 100755 --- a/nix-conf/system/configuration.nix +++ b/nix-conf/system/configuration.nix @@ -11,9 +11,11 @@ in with lib; { imports = (if includeHardware then [ - ./profiles/${hostname}/hardware-configuration.nix + "${proj_root}/hosts/${hostname}/hardware-configuration.nix" ] else [ ]) ++ [ "${modulesPath}/profiles/minimal.nix" + "${proj_root}/modules/tailscale.sys.nix" + "${proj_root}/modules/mosh.sys.nix" ]; boot = _boot; 
@@ -54,67 +56,6 @@ with lib; pkgs.inetutils # network diag pkgs.mtr # network diag pkgs.sysstat # sys diag - pkgs.mosh # ssh-alt; parsec-like - pkgs.tailscale # VPC ]; - # tailscale is mandatory : ^) - # inherit services; - services = lib.recursiveUpdate _services { - tailscale.enable = true; - ntp.enable = true; - }; - # create a oneshot job to authenticate to Tailscale - systemd.services.tailscale-autoconnect = { - description = "Automatic connection to Tailscale"; - - # make sure tailscale is running before trying to connect to tailscale - after = [ "network-pre.target" "tailscale.service" ]; - wants = [ "network-pre.target" "tailscale.service" ]; - wantedBy = [ "multi-user.target" ]; - - # set this service as a oneshot job - serviceConfig.Type = "oneshot"; - - # have the job run this shell script - script = '' - # wait for tailscaled to settle - sleep 2 - # check if we are already authenticated to tailscale - status="$(${pkgs.tailscale}/bin/tailscale status -json | ${pkgs.jq}/bin/jq -r .BackendState)" - if [ $status = "Running" ]; then # if so, then do nothing - exit 0 - fi - - # ${pkgs.tailscale}/bin/tailscale up # blocks, doesn't give url - # This time, configure device auth so that we authenticate from portal - # https://tailscale.com/kb/1099/device-authorization/#enable-device-authorization-for-your-network - ${pkgs.tailscale}/bin/tailscale up -authkey tskey-auth-kJcgTG5CNTRL-PUVFkk31z1bThHpfq3FC5b1jcMmkW2EYW - ''; - }; - # Don't touch networking.firewall.enable, just configure everything else. - # inherit networking; - # inherit _networking; - networking = lib.recursiveUpdate _networking { - firewall = - if _networking ? 
firewall.enable && _networking.firewall.enable then { - trustedInterfaces = _networking.firewall.trustedInterfaces or [ ] ++ [ - "tailscale0" - ]; - allowedUDPPorts = _networking.firewall.allowedUDPPorts or [ ] ++ [ - config.services.tailscale.port - ]; - allowedTCPPorts = _networking.firewall.allowedTCPPorts or [ ] ++ [ - 22 - ]; - allowedUDPPortRanges = _networking.firewall.allowedUDPPortRanges or [ ] ++ [ - { from = 60000; to = 61000; } # mosh - - ]; - checkReversePath = "loose"; - } else { enable = false; }; - }; - - environment.noXlibs = lib.mkForce false; - } diff --git a/nix-conf/system/flake.nix b/nix-conf/system/flake.nix index 31f4dde..ed34adc 100644 --- a/nix-conf/system/flake.nix +++ b/nix-conf/system/flake.nix @@ -56,6 +56,7 @@ ./configuration.nix { system.stateVersion = "22.05"; + mod.tailscale.enable = true; } ]; specialArgs = { @@ -205,6 +206,37 @@ hostname = "nixos"; }; }; + nixosConfigurations.htran-dev = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = base_modules ++ [ + ./configuration.nix + { + system.stateVersion = "22.11"; + mod.tailscale.enable = false; + networking.defaultGateway = { + address = "10.100.200.1"; + # interface = "ens32"; + }; + networking.interface.ens32.ipv4.addresses = [ + {address = "10.100.200.230"; prefixLength = 24;} + ]; + } + ]; + specialArgs = { + hostname = "htran-dev"; + _networking = { + firewall.enable = true; + useDHCP = false; + interfaces.eth0.useDHCP = true; + }; + _boot.loader.grub.enable = true; + _boot.loader.grub.version = 2; + _services.openssh = { + permitRootLogin = "no"; + enable = true; + }; + }; + }; nixosConfigurations.bao = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; specialArgs.hostname = "bao"; 
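Review bot: The `htran-dev` host mixes two interface names: the static address is configured on `ens32` (`networking.interface.ens32…`, spelled `interfaces` by the last patch in the series) while `_networking` sets `useDHCP = false` globally and then `interfaces.eth0.useDHCP = true`; on a machine whose interface is called `ens32` there is likely no `eth0`, so the DHCP line is dead and only the static address applies — pick one name and make both refer to it, e.g. `interfaces.ens32.useDHCP = false;`. The `_services.openssh` block disables root login but leaves password authentication at the module default; since scripts/config-sysnix.sh in this series installs an authorized key for the host, consider `passwordAuthentication = false;` next to `permitRootLogin = "no";` (these are the 22.11-era option names; newer nixpkgs moves them under `services.openssh.settings`). `_boot.loader.grub.version = 2;` is likewise an option that later nixpkgs releases deprecate, which is worth a comment given the host follows whatever nixpkgs the flake input tracks.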
@@ -260,14 +292,15 @@ services.xserver.displayManager.sddm.enable = true; services.xserver.desktopManager.plasma5 = { enable = true; - excludePackages = let plasma5 = pkgs.libsForQt5; in [ - plasma5.elisa # audio viewer - plasma5.konsole # I use alacritty instaed - plasma5.plasma-browser-integration - plasma5.print-manager # will enable if I need - plasma5.khelpcenter # why not just write manpages instead :( - # plasma5.ksshaskpass # pls just put prompts on my dear terminal - ]; + excludePackages = let plasma5 = pkgs.libsForQt5; in + [ + plasma5.elisa # audio viewer + plasma5.konsole # I use alacritty instaed + plasma5.plasma-browser-integration + plasma5.print-manager # will enable if I need + plasma5.khelpcenter # why not just write manpages instead :( + # plasma5.ksshaskpass # pls just put prompts on my dear terminal + ]; }; # disables KDE's setting of askpassword @@ -292,6 +325,7 @@ hardware.pulseaudio.support32Bit = true; nixpkgs.config.pulseaudio = true; hardware.pulseaudio.extraConfig = "load-module module-combine-sink"; + mod.tailscale.enable = true; # Sound: pipewire # sound.enable = false; From 6f21b98c0ee138382697d5cdd78282e381080412 Mon Sep 17 00:00:00 2001 From: Hung Date: Fri, 20 Jan 2023 13:16:52 -0800 Subject: [PATCH 4/5] conf-sysnix.sh use that nix-conf/system for now --- scripts/config-sysnix.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/config-sysnix.sh b/scripts/config-sysnix.sh index f7de08d..d8586a5 100755 --- a/scripts/config-sysnix.sh +++ b/scripts/config-sysnix.sh @@ -46,5 +46,5 @@ cat "${SSH_PUB}" >> "${SSH_DIR}/authorized_keys" sort -u "${SSH_DIR}/authorized_keys" -o "${SSH_DIR}/authorized_keys" echo "Apply nixos-rebuild" -sudo nixos-rebuild switch --flake "${SYSNIX_DIR}#${HOSTNAME}" +sudo nixos-rebuild switch --flake "${SYSNIX_DIR}/nix-conf/system#${HOSTNAME}" From 7bddd37b4826dc9a18bc8ecbcc58867bce9d33b9 Mon Sep 17 00:00:00 2001 
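Review bot: The new flake reference `"${SYSNIX_DIR}/nix-conf/system#${HOSTNAME}"` depends on `HOSTNAME`, which is a bash-provided variable rather than something the script sets; the shebang is outside the hunk, but under a non-bash `sh` or in an environment where it is unset the reference collapses to `…#` and nixos-rebuild likely falls back to the machine's own hostname, which may not be a flake output. Defining it explicitly, `HOSTNAME="${HOSTNAME:-$(hostname)}"`, before this line makes the target predictable. The comment `# SYSNIX_DIR is the repo root; the system flake lives in nix-conf/system` would document the assumption this change introduces.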
From: Hung
Date: Fri, 20 Jan 2023 13:19:59 -0800
Subject: [PATCH 5/5] another bonehead on networking interfaces should be plural
---
 nix-conf/system/flake.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nix-conf/system/flake.nix b/nix-conf/system/flake.nix
index ed34adc..e2e7c10 100644
--- a/nix-conf/system/flake.nix
+++ b/nix-conf/system/flake.nix
@@ -217,7 +217,7 @@
 address = "10.100.200.1";
 # interface = "ens32";
 };
- networking.interface.ens32.ipv4.addresses = [
+ networking.interfaces.ens32.ipv4.addresses = [
 {address = "10.100.200.230"; prefixLength = 24;}
 ];
 }