diff --git a/flake.nix b/flake.nix index d9a55f8..eeed680 100755 --- a/flake.nix +++ b/flake.nix @@ -14,6 +14,23 @@ formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt; nixosConfigurations = { + birne = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + ./hosts/birne/configuration.nix + + ./modules/base.nix + ./modules/autoupdate.nix + ./modules/desktop.nix + ./modules/printing.nix + ./modules/wifi.nix + ./modules/options.nix + { + fsr.enable_office_bloat = true; + } + + ]; + }; sanddorn = nixpkgs.lib.nixosSystem { system = "aarch64-linux"; modules = [ @@ -25,6 +42,8 @@ ./hosts/sanddorn/configuration.nix ./modules/infoscreen.nix ./modules/base.nix + ./modules/autoupdate.nix + ./modules/wifi.nix ./modules/desktop.nix ./modules/options.nix "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" @@ -47,7 +66,6 @@ ./modules/nginx.nix ./modules/hedgedoc.nix ./modules/wiki.nix - ./modules/ftp.nix ./modules/stream.nix ./modules/nextcloud.nix ./modules/matrix.nix diff --git a/hosts/birne/configuration.nix b/hosts/birne/configuration.nix new file mode 100755 index 0000000..5ab2329 --- /dev/null +++ b/hosts/birne/configuration.nix 
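Review bot: The new `birne` module list in the first hunk and the extended `sanddorn` list in the second both pull in `./modules/wifi.nix`, which reads `/run/secrets/fsr_wifi_psk`, yet no `sops.secrets.fsr_wifi_psk` declaration and no `sops.defaultSopsFile` pointing at `./secrets/birne.yaml` appear anywhere in this change; unless `./modules/base.nix` wires up sops-nix per host, that path will not exist on either machine. Adding `sops.defaultSopsFile = ./secrets/birne.yaml;` (and the matching `sops.secrets.fsr_wifi_psk = { };`) to `hosts/birne/configuration.nix`, with the equivalent for `sanddorn`, would make the dependency explicit and evaluable. The `nixosConfigurations` set that both hunks edit closes outside them.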
@@ -0,0 +1,41 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ];
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking = {
+ hostName = "birne";
+ interfaces.wlp4s0.useDHCP = true;
+ interfaces.enp1s0.useDHCP = true;
+ wireless = {
+ enable = true;
+ interfaces = [ "wlp4s0" ];
+ };
+ };
+
+ nixpkgs.config.allowUnfree = true;
+ users.users.printer = {
+ isNormalUser = true;
+ password = "printer";
+ extraGroups = [ ];
+ };
+
+ environment.systemPackages = with pkgs; [
+ firefox
+ ];
+
+ system.stateVersion = "21.05";
+
+}
+
diff --git a/hosts/birne/hardware-configuration.nix b/hosts/birne/hardware-configuration.nix
new file mode 100755
index 0000000..5ad5d2a
--- /dev/null
+++ b/hosts/birne/hardware-configuration.nix
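Review bot: `password = "printer";` on the `printer` user puts the account password in clear text into the world-readable Nix store and into this repository; since the repo already uses sops-nix, `passwordFile = config.sops.secrets.printer_password.path;` with a matching `sops.secrets` entry (secret name illustrative), or at least `hashedPassword` with a crypt hash, keeps the secret out of the store. With the default `users.mutableUsers = true` the declared value is only applied when the user is first created, so changing it here later will not reset an existing account; a comment next to the option should say which behaviour is intended. The `networking.wireless` block duplicates `enable = true` from `modules/wifi.nix`, which is harmless but worth noting so the two stay in sync.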
@@ -0,0 +1,33 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ohci_pci" "ehci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-amd" "wl" ];
+ boot.extraModulePackages = [ config.boot.kernelPackages.broadcom_sta ];
+
+ fileSystems."/" =
+ {
+ device = "/dev/disk/by-uuid/9799b183-a191-484e-b9a4-05e29412af25";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ {
+ device = "/dev/disk/by-uuid/CF58-EB12";
+ fsType = "vfat";
+ };
+
+ swapDevices =
+ [{ device = "/dev/disk/by-uuid/94622e8e-8b58-4b3b-9494-d144ccaeb486"; }];
+
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/quitte/wireguard_server.nix b/hosts/quitte/wireguard_server.nix
new file mode 100644
index 0000000..7a4f113
--- /dev/null
+++ b/hosts/quitte/wireguard_server.nix
@@ -0,0 +1,24 @@
+{ config, ... }:
+
+{
+ boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+
+ networking.wg-quick.interfaces = {
+ wg-dvb = {
+ # pubkey: 8iQQSCI14dObcrMw0/rZJxfvpOAhy3CU+haJq2nyIzc=
+ address = [ "10.13.37.1/32" ];
+ privateKeyFile = config.sops.secrets.wg-seckey.path;
+ listenPort = 51820;
+ peers = [
+ {
+ # Tassilo
+ publicKey = "vgo3le9xrFsIbbDZsAhQZpIlX+TuWjfEyUcwkoqUl2Y=";
+ allowedIPs = [ "10.13.37.2/32" ];
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+}
+
+
diff --git a/modules/autoupdate.nix b/modules/autoupdate.nix
new file mode 100755
index 0000000..7152937
--- /dev/null
+++ b/modules/autoupdate.nix
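Review bot: In `hosts/quitte/wireguard_server.nix`, `listenPort = 51820;` is set but nothing opens that UDP port, and NixOS enables `networking.firewall` by default, so peers cannot reach the endpoint unless the firewall is disabled or opened elsewhere; `networking.firewall.allowedUDPPorts = [ 51820 ];` next to the interface definition would make the module self-contained. `net.ipv4.ip_forward = 1` is enabled host-wide while the only peer is allowed a single /32 and no forwarding policy is defined; if the tunnel is purely point-to-point between `quitte` and that peer, the sysctl can be dropped, otherwise the intended forwarding rules should be stated in a comment. `config.sops.secrets.wg-seckey` is referenced but not declared in this diff; that is fine if it lives in quitte's host configuration, otherwise evaluation fails on the missing attribute.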
@@ -0,0 +1,10 @@
+{ pkgs, config, ... }:
+
+{
+ system.autoUpgrade = {
+ enable = true;
+ dates = "12:00";
+ # might need to move this into the configuration of `birne`?
+ allowReboot = true;
+ };
+}
diff --git a/modules/ftp.nix b/modules/ftp.nix
deleted file mode 100644
index 39c419b..0000000
--- a/modules/ftp.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ config, pkgs, ... }:
-let
- domain = "ftp.${config.fsr.domain}";
-in
-{
- services.nginx.virtualHosts."${domain}" = {
- enableACME = true;
- forceSSL = true;
- root = "/srv/ftp";
- extraConfig = ''
- autoindex on;
- '';
- locations."~/(klausuren|uebungen|skripte|abschlussarbeiten)".extraConfig = ''
- allow 141.30.0.0/16;
- allow 141.76.0.0/16;
- allow 172.16.0.0/16;
- deny all;
- '';
-
- };
-}
diff --git a/modules/keycloak.nix b/modules/keycloak.nix
new file mode 100644
index 0000000..881980b
--- /dev/null
+++ b/modules/keycloak.nix
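Review bot: `system.autoUpgrade` without `flake` set runs `nixos-rebuild switch --upgrade` against the host's nix channel rather than this repository's `flake.nix`, so the hosts would be upgraded from whatever channel happens to be configured (or the timer fails if none is). Setting `system.autoUpgrade.flake` to the repository's flake reference, optionally with `flags = [ "--update-input" "nixpkgs" ];`, keeps the unattended upgrade on the same source as the rest of the configuration. With `allowReboot = true` and `dates = "12:00"`, both `birne` and the `sanddorn` infoscreen may reboot at midday on any kernel, initrd or systemd change; the TODO comment already hints that the reboot policy belongs in the per-host configuration, and `pkgs` is unused in this module.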
@@ -0,0 +1,64 @@ +{ pkgs, config, lib, ... }: { + + sops.secrets.postgres_keycloak = { + owner = config.systemd.services.keycloak.serviceConfig.User; + group = "keycloak"; + }; + + users.users.keycloak = { + name = "keycloak"; + isSystemUser = true; + group = "keycloak"; + }; + + users.groups.keycloak = { + name = "keycloak"; + members = [ "keycloak" ]; + }; + + services = { + keycloak = { + enable = true; + + settings = { + hostname = "keycloak.quitte.tassilo-tanneberger.de"; + http-host = "127.0.0.1"; + http-port = 8000; + https-port = 8001; + proxy = "edge"; + }; + + database = { + username = "keycloak"; + type = "postgresql"; + passwordFile = config.sops.secrets.postgres_keycloak.path; + name = "keycloak"; + host = "localhost"; + createLocally = true; + }; + }; + postgresql = { + enable = true; + }; + nginx = { + enable = true; + recommendedProxySettings = true; + virtualHosts = { + "${config.services.keycloak.settings.hostname}" = { + enableACME = true; + forceSSL = true; + http2 = true; + locations = { + "/" = + let + cfg = config.services.keycloak.settings; + in + { + proxyPass = "http://${cfg.http-host}:${toString cfg.http-port}"; + }; + }; + }; + }; + }; + }; +} diff --git a/modules/ldap.nix b/modules/ldap.nix index fbde7cb..dd459e0 100644 --- a/modules/ldap.nix +++ b/modules/ldap.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ config, ... }: let domain = "auth.${config.fsr.domain}"; 
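Review bot: `settings.hostname` hard-codes `keycloak.quitte.tassilo-tanneberger.de`, while the other modules in this repository derive their vhost from `config.fsr.domain` (for example `auth.${config.fsr.domain}` in `ldap.nix`); `hostname = "keycloak.${config.fsr.domain}";` would keep the module portable and stop the ACME certificate from being tied to a personal domain. Nothing sets `services.keycloak.initialAdminPassword`, whose NixOS default is the well-known value `changeme`, so the bootstrap admin account is created with a guessable password; supply it from sops or document that it must be changed on first login. `https-port = 8001` is unused because nginx terminates TLS and proxies to `http-port`, so it can be dropped to avoid suggesting a second listener. The hand-written `users.users.keycloak`/`users.groups.keycloak` entries should carry a comment explaining why the module's own user handling is not sufficient, since that is not obvious from the code.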
@@ -89,29 +89,6 @@ in daemon.enable = true; }; - security.pam.services.sshd.text = '' - # Account management. - account sufficient ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so - account required pam_unix.so - - # Authentication management. - auth sufficient pam_unix.so likeauth try_first_pass - auth sufficient ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so use_first_pass - auth required pam_deny.so - - # Password management. - password sufficient pam_unix.so nullok sha512 - password sufficient ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so - - # Session management. - session required pam_env.so conffile=/etc/pam/environment readenv=0 - session required pam_unix.so - session required pam_loginuid.so - session optional pam_mkhomedir.so - session optional ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so - session optional ${pkgs.systemd}/lib/security/pam_systemd.so - - ''; services.nginx = { enable = true; diff --git a/modules/nginx.nix b/modules/nginx.nix index 7cc17f2..c97c327 100644 --- a/modules/nginx.nix +++ b/modules/nginx.nix @@ -1,23 +1,6 @@ { config, pkgs, ... }: { - services.nginx = { - enable = true; - appendHttpConfig = '' - map $remote_addr $remote_addr_anon { - ~(?P\d+\.\d+\.\d+)\. $ip.0; - ~(?P[^:]+:[^:]+): $ip::; - # IP addresses to not anonymize - 127.0.0.1 $remote_addr; - ::1 $remote_addr; - default 0.0.0.0; - } - log_format anon_ip '$remote_addr_anon - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log anon_ip; - ''; - }; + services.nginx.enable = true; security.acme = { acceptTerms = true; defaults = { diff --git a/modules/printing.nix b/modules/printing.nix new file mode 100755 index 0000000..c99e4ae --- /dev/null +++ b/modules/printing.nix 
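Review bot: In `modules/nginx.nix`, replacing the `services.nginx` block with `services.nginx.enable = true;` also drops the `anon_ip` log format and the `access_log` directive that anonymised client addresses, so every vhost now logs full remote IPs in nginx's default format; unless that configuration moved elsewhere (it is not in this diff), this is a privacy regression for a public-facing host and should be called out in the commit message or restored under `appendHttpConfig`. If the removal was motivated by the `map` regexes being broken (the named groups in the removed lines show no capture name, although that may be a rendering artefact), fixing them in place is preferable to dropping the anonymisation. The `security.acme` block that follows continues outside the hunk.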
@@ -0,0 +1,36 @@
+{ pkgs, config, ... }:
+
+{
+ # Enable CUPS to print documents.
+ services = {
+ printing.enable = true;
+ printing.drivers = with pkgs; [
+ gutenprint
+ gutenprintBin
+ hplip
+ hplipWithPlugin
+ ];
+ avahi.enable = true;
+ };
+
+ environment.systemPackages = with pkgs; [
+ gnome.gnome-control-center
+ ];
+ # set up Heiko
+ hardware.printers.ensurePrinters = [
+ {
+ description = "Drucker im FSR Buero";
+ deviceUri = "dnssd://Kyocera%20ECOSYS%20M6630cidn._ipp._tcp.local/?uuid=4509a320-007e-002c-00dd-002507504ad0";
+ location = "FSR Buero";
+ model = "Kyocera ECOSYS M6630cidn KPDL";
+ name = "Heiko";
+ }
+ {
+ description = "Drucker im FSR Buero";
+ deviceUri = "dnssd://Kyocera%20ECOSYS%20M6630cidn._pdl-datastream._tcp.local/?uuid=4509a320-007e-002c-00dd-002507504ad0";
+ location = "FSR Buero";
+ model = "Kyocera ECOSYS M6630cidn KPDL";
+ name = "Heiko";
+ }
+ ];
+}
diff --git a/modules/sogo.nix b/modules/sogo.nix
new file mode 100644
index 0000000..ffcae44
--- /dev/null
+++ b/modules/sogo.nix
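Review bot: Both `hardware.printers.ensurePrinters` entries use `name = "Heiko";`, so the `lpadmin` invocations generated from the list target the same queue and the second entry (the `_pdl-datastream` URI) silently overwrites the first (`_ipp`); give them distinct names or keep only the transport that is meant to be used, and let the `# set up Heiko` comment say which one that is. `hplip` and `hplipWithPlugin` are HP drivers while the only configured device is a Kyocera, and `hplipWithPlugin` pulls in HP's unfree binary plugin, which is presumably why `allowUnfree` is needed on `birne`; if no HP printer is expected, dropping both removes that requirement. `config` is unused in this module.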
@@ -0,0 +1,63 @@
+{ config, pkgs, ... }:
+let
+ SOGo-hostname = "mail.${config.fsr.domain}";
+ domain = config.fsr.domain;
+in
+{
+ sops.secrets.sogo_ldap_search = {
+ key = "portunus_search";
+ # owner = config.systemd.services keine Ahnung was hier hin soll
+
+
+ };
+ services = {
+ sogo = {
+ enable = true;
+ language = "German";
+ extraConfig = ''
+ WOWorkersCount = 10;
+ SOGoUserSources = ({
+ type = ldap;
+ CNFieldName = cn;
+ UIDFieldName = uid;
+ baseDN = "ou = users, dc=ifsr, dc=de";
+ bindDN = "uid=search, ou=users, dc=ifsr, dc=de";
+ bindPassword = ${config.sops.secrets.SOGo_ldap_search.path};
+ hostname = "ldap://localhost";
+ canAuthenticate = YES;
+ id = directory;
+
+ });
+ SOGoProfileURL = "postgresql://sogo:sogo@localhost:5432/sogo/sogo_user_profile";
+ SOGoFolderInfoURL = "postgreql://sogo:sogo@localhost:5432/sogo/sogo_folder_info";
+ OCSSessionsFolderURL = "postgresql://sogo:sogo@localhost:5432/sogo/sogo_sessions_folder";
+
+ ''; # Hier ist bindPassword noch nicht vollständig
+ vhostName = "${SOGo-hostname}";
+ timezone = "Europe/Berlin";
+ };
+ postgresql = {
+ ensureUsers = [{
+ name = "SOGo";
+ }];
+ ensureDatabases = [ "SOGo" ];
+ };
+
+ nginx = {
+ recommendedProxySettings = true;
+ virtualHosts."${SOGo-hostname}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/" = {
+ proxyPass = "http://127.0.0.1:20000";
+ proxyWebsockets = true;
+ };
+ };
+
+
+ };
+
+ };
+ };
+}
diff --git a/modules/wifi.nix b/modules/wifi.nix
new file mode 100755
index 0000000..561186e
--- /dev/null
+++ b/modules/wifi.nix
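Review bot: The secret is declared as `sops.secrets.sogo_ldap_search` but `extraConfig` interpolates `config.sops.secrets.SOGo_ldap_search.path`; attribute names are case-sensitive, so evaluating this module fails with a missing-attribute error before anything else is checked. Even with matching names, `bindPassword = ${...path}` writes the secret file's path into sogo.conf rather than the password (the trailing `# Hier ist bindPassword noch nicht vollständig` comment admits this), so the value has to be substituted from the file's contents when the service starts; interpolating the password itself through Nix would put it into the world-readable store. `SOGoFolderInfoURL` uses the scheme `postgreql://` (missing `s`). `ensureUsers`/`ensureDatabases` create `SOGo`, while all three URLs connect as `sogo:sogo` to database `sogo`; the names must agree, `ensureUsers` grants nothing without `ensurePermissions`, and the literal `sogo` password in the URLs also lands in the store. `domain` in the `let` block and `pkgs` are unused, and within this diff `services.postgresql.enable` is only set in `keycloak.nix`, so the module does not stand on its own.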
@@ -0,0 +1,24 @@
+#
+# Useful config
+# https://tu-dresden.de/zih/dienste/service-katalog/arbeitsumgebung/zugang_datennetz/wlan-eduroam
+# https://www.stura.htw-dresden.de/stura/ref/hopo/dk/nachrichten/eduroam-meets-nixos
+#
+{ pkgs, config, ... }:
+let
+ password = "$(${pkgs.coreutils}/bin/cat /run/secrets/fsr_wifi_psk)";
+in
+{
+ networking = {
+ wireless = {
+ enable = true;
+ networks = {
+ "FSR" = {
+ priority = 10;
+ pskRaw = "9dbdf08e1205b1167a812a35cfac4b49a86e155eec707bd47f4d06d829e7d168";
+ };
+ };
+ };
+ };
+}
+
+
diff --git a/secrets/birne.test.yaml b/secrets/birne.test.yaml
new file mode 100755
index 0000000..aa848a4
--- /dev/null
+++ b/secrets/birne.test.yaml
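Review bot: `pskRaw` commits the network's raw pre-shared key to the repository in clear text, which defeats the sops-encrypted `fsr_wifi_psk` added in the same commit; the `password` let-binding with `$(cat /run/secrets/fsr_wifi_psk)` is unused and would not work anyway, because the generated wpa_supplicant.conf is a static file and is never shell-expanded. Use `networking.wireless.environmentFile = config.sops.secrets.fsr_wifi_psk.path;` together with `psk = "@FSR_PSK@";` (with the secret's contents in `FSR_PSK=…` form) so the key never enters the Nix store or git history, and treat the committed key as disclosed: rotate it on the access point and scrub it from history. `pkgs` becomes unused once the dead binding is removed.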
@@ -0,0 +1,43 @@
+fsr_wifi: ENC[AES256_GCM,data:CD0ge6d5+gc=,iv:yuWfwwGm2HOKvMQQ9lF4TFOqvCU2z06sqS+pzhCFhfY=,tag:1+8MwcPUGgtcdXvTNAuR5g==,type:str]
+fsr_wifi_psk: ENC[AES256_GCM,data:uwq/nkKm9eDdMxUJMQ==,iv:q9mzhfkPBM1oTQN69tSEiQmf3hYZ4pGJEqjVEjU//FI=,tag:g0p+S2jlkAT0jY5hBRKuXw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1925katzy5gws3f9hnvnlwspu6trxf488arwt6ayw3urg2mgumqhszxnmqh
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBySHgvQThoSmpXOUc1a3lN
+ dXR6ZElYYlppOXNISXM0bURxQjdIU3pDL2wwCmNoT0pYTEdubWh3eFc3VzVwdnR3
+ TU5CbFlBTWxYaHRjamUzamIzQ1VnbFEKLS0tIDVUSEVtKzh1aVp1ekxVd2xRWHVo
+ dEExQkJySmo5eGtEdXVvd1FFVVhpdFUKNx1FXti0qWKDRYM6wsIUceXbjzra5ezc
+ 0fNI2r7qnVQ1QghtKnibwMUR1q4/DphKEm4eX4e6q+jfHleHCSk6+g==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2022-03-05T13:53:02Z"
+ mac: ENC[AES256_GCM,data:ZpEk+wpGQz2ul+Me6i45wXkzvuxzwkibLcljBs2KjTAgjH6F4q1JyXuY271JD95A5HgEvv4Atm3sbHaG+hghXy/36WSFw5jJRBwOjDrOSSAq12+UFeYjgSA2EwbvgbBdIO6VgaRLnXtobtLFG5qaVzUAvSevo6n8vBhEjSHEEJk=,iv:iZ9bJ+it3s6lB8piPeKjVy4QYzwYGUb4EUwvnCR753Q=,tag:Nveq//4C1tiwGOkeXV7a0A==,type:str]
+ pgp:
+ - created_at: "2022-03-05T13:42:43Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA/YLzOYaRIJJARAAvxLI7hxutYG0KDovCjpGKIZA1JyNjp1/QYLKz3QDUFsZ
+ Ykwmixkt2wjTQjn9aE66ujLiEzMDfV2VZ6ao7Ehg04fysU1WurqEB5D+hiS6SCc2
+ 3DgvlPeicY+87oZin1iaqL505MzQCEVbmcar++VCdQIGUZSQvbn1Nxn3RxKjHCjm
+ RW0juiSH1FUIZdBPL9NgUEixv7KpdEBxO5JR30GxDgYMG1Xji9Y2KsBy9XP5Lhn2
+ ziuzs6vTfFTuVUdylJNkT6yVgK4V7oEkIMiVPGFYXSUWT3TNZ0qRwuk6UJYLfvnY
+ Mt0jyKyi+hRIWPQEjBmpK/siBsQGSCXsRe84g+LUtdfPbvqwdZb59qy5B65z/ku/
+ 6EQIaPRkgCa5AED3gJQCbBYhvymdgl8ZZcXkVV1Ap2VgKS5o0s+CNjdiNkXdGTL/
+ NdE7kehGJCtsHUVGs2I8TfLg/uVgJTKEodTq8eLu8WhVkNKzk9aFBCfHKYtkXBIi
+ ZIXUHNbPtXDL4aHgOTuTYjWM8bhW0pdnkGX7daqPsfNqgR9hzOo3TzoR3DRDK91w
+ cvUZ9hApYJ0OVxuPa38JGiYn3826iSSRK8qPjAndE4HhYgT/lZvu8/vZAW6EF/yH
+ 8exruofMHNBNNdotkYDnyaFO6C+00SMcTUkG49vRqQKwrBygAoPLEKQhDBgczcnU
+ aAEJAhBWRVtwhCZtQV1MCl5u0IbSlxQiIH93FrdTfbJQdKM+LFlwkXOngO4blGOi
+ 1tQbkiyLzIio+yoyfvbXZOIeMkLA3GynsKtxjnYYipXkuv3LP5BvZiH+bzG9jPW4
+ jXrR59MZPJLY
+ =hWOx
+ -----END PGP MESSAGE-----
+ fp: 91EBE87016391323642A6803B966009D57E69CC6
+ unencrypted_suffix: _unencrypted
+ version: 3.7.1
diff --git a/secrets/birne.yaml b/secrets/birne.yaml
new file mode 100755
index 0000000..a638ef7
--- /dev/null
+++ b/secrets/birne.yaml
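Review bot: `secrets/birne.test.yaml` holds the same two keys (`fsr_wifi`, `fsr_wifi_psk`) as `secrets/birne.yaml` but is encrypted to a different age recipient (`age1925…` versus `age1jyx…`), with both files sharing the same PGP fingerprint. If it is a leftover from trying out the sops setup, it should not be committed at all; if both are intentional, the sops creation rules or a README entry should state which host key each file belongs to, since nothing in this change references the `.test.yaml` file.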
@@ -0,0 +1,43 @@
+fsr_wifi: ENC[AES256_GCM,data:nzfwY2UygQSdboRvfDxVSrUE+WLBJLYBLw==,iv:yR3lCbyUSg97+MnuwUkXEsHtSGuYOPYRgvW/YZYDhv0=,tag:eN/lqD1BetqnFDAFJE6D2g==,type:str]
+fsr_wifi_psk: ENC[AES256_GCM,data:A1Z809FJ0fUd93QcX5NNnfVxyzUZMuPGC6Hu4M9LpRoMOTrMcRPMDaR0N+cgmV7rnjYvzm4gTSTEcnqsnLGyNA==,iv:WMs3/I3SEDJwcpyqclCfxKcx61m/6BcwbGaGS4I4a5s=,tag:oYG8M3NQ2lkcUGr2K5YUEg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1jyxk2z69pm8hpz5zlf5lh05vrws2sprum3ucx2xjpq8efctcfdaq0jhs3w
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRQXByc2lJWnQ0Rm1Wb1V5
+ aVFaY0cwcnVlUFRKNGNYYjJjMnB5NVlkendRCkxJZ0JILzVvbDZRNzlYaWtEREJr
+ VmYzaUNiU0VmTkZzckhJeS84OU5TUkUKLS0tIG5qTnVtbHV3TWh0cW4xYlJiV0Ji
+ MFQrNkJxUUVFSStPenM4Tmx6dlVsSm8KQMPsuc/E89aDek3csMarrKm5qcfQKf3u
+ 2ApD8dEN+L1L9bbJGAY6uNM6sXu5eTAGD7+Rc0duZIdDCg0LGFV8jw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2022-03-05T13:52:43Z"
+ mac: ENC[AES256_GCM,data:/uszrMeVsVlpjFyI29/Sasr8jY3/elnnbbUDmZ1+3YHzoujQRZe47VOpfOgs/XZym+jj7MZInu5Y361YalFb0ArS7GmexZA88rFvOqHPIIUuk2h1iCHLpZRafg96x737snna7L7zHNJFJLBhqcpdt0U4U6SZjXlJ9UgR96c6Agk=,iv:4kCCIhUEfc0GCzoh+3cNxB3cnn71/0jmKI1r62dYFmk=,tag:REOoImReJds8LBKZpeu78w==,type:str]
+ pgp:
+ - created_at: "2022-03-05T13:41:12Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA/YLzOYaRIJJAQ/+Jis1dE0ZmxKIaqJKc1itSqd09ieVJDMmei410O2VycU3
+ 98YHvdrkRcG+3tLkvzebATANyHcJeefjt4uvQnMjlswX5DHm3JxNYnfOhCQNpexl
+ 80Lp/0qmnCy1rd2C8/Mr9ub2frupEGeBgU4TwA1LW5X1f89NP9R7b6tBcVMyF/OW
+ +WWu2g+0yLC9rle0a5QeIkrKsmyB5+dEYOakCMunKCYXE+MS4ULkZqFxhJ8ckTo7
+ rKiR8UwzDL+iMl4zLgeNF5Uw7WH8tdHiD3thHQvzjL9++Tg4jZWdgtjdICs1ye2y
+ sUGzk0RhjXT/Q3rBwQbiivZq7s3ngBpom0co74+X6DORMN0P8WUdox7j4KUS3/oA
+ KwtyUF92dK9uJwckyN7LXho7zVTnZXV7jjupBacjr0TeHgYzP1eDhbsC6mFlWv2x
+ mHeK7hQF6VBNi1tAVlcMktbuxZRtc8P0ljFeSXRDoLJKdduIb3TKbGSsAHs1lX+n
+ CEK2kfS+V6g4CXaSsAsDqIZ75k6bJYRd8M81a1XvSAMB1fzQYDU1zrPGquggOBku
+ S0R0y0po7OwnqQ0HBgVHC8uU8hbG/EIvA1Wpw9FQnjGugi0pOoIiynqJWzttFwvq
+ XBV27Z7wumWzwij9uFt+TEy7Olulu/Vi/56tiyUNnbklwQqe1mj1m4nnu6z6v4TU
+ aAEJAhDM3iZRqVMChcCd6A/btYAwNnZrJNzxj+BIV5/+sAk3wjqc6UM7+qdBuzsH
+ uYq+HBTcdQgpoyqtFryrjQvCsksB6O4eS62FIAKfD65HaxNYQLUYNJ4Xs3NIqroH
+ MogSWSOw4clo
+ =8/Ez
+ -----END PGP MESSAGE-----
+ fp: 91EBE87016391323642A6803B966009D57E69CC6
+ unencrypted_suffix: _unencrypted
+ version: 3.7.1