path: root/infra/libkookie/roots
authorMx Kookie <kookie@spacekookie.de>2020-10-31 19:35:09 +0100
committerMx Kookie <kookie@spacekookie.de>2020-10-31 19:35:09 +0100
commitc4625b175f8200f643fd6e11010932ea44c78433 (patch)
treebce3f89888c8ac3991fa5569a878a9eab6801ccc /infra/libkookie/roots
parent49f735974dd103039ddc4cb576bb76555164a9e7 (diff)
parentd661aa56a8843e991261510c1bb28fdc2f6975ae (diff)
Add 'infra/libkookie/' from commit 'd661aa56a8843e991261510c1bb28fdc2f6975ae'
git-subtree-dir: infra/libkookie git-subtree-mainline: 49f735974dd103039ddc4cb576bb76555164a9e7 git-subtree-split: d661aa56a8843e991261510c1bb28fdc2f6975ae
Diffstat (limited to 'infra/libkookie/roots')
-rw-r--r--infra/libkookie/roots/hyperion.nix91
-rw-r--r--infra/libkookie/roots/tempest.nix90
-rw-r--r--infra/libkookie/roots/uwu.nix102
-rw-r--r--infra/libkookie/roots/uwu/default.nix45
-rw-r--r--infra/libkookie/roots/uwu/part.nix44
-rw-r--r--infra/libkookie/roots/virt/README6
-rw-r--r--infra/libkookie/roots/virt/transmission.nix10
7 files changed, 388 insertions, 0 deletions
diff --git a/infra/libkookie/roots/hyperion.nix b/infra/libkookie/roots/hyperion.nix
new file mode 100644
index 000000000000..bcb9aae740d7
--- /dev/null
+++ b/infra/libkookie/roots/hyperion.nix
@@ -0,0 +1,91 @@
+/* TOP LEVEL DEVICE CONFIGURATION FOR
+ *
+ * hyperion (Hetzner EX41 root server)
+ *
+ * This file only contains settings that are specific to this one
+ * device (hardware and things outside of nix, like partitions).
+ *
+ * This file is part of LIBKOOKIE, a collection of nix expressions.
+ * LIBKOOKIE is licensed under the GPL-3.0 (or later) -- see LICENSE
+ */
+
+{ lib, config, pkgs, ... }:
+
+{
+ imports = [
+ # General machine base setup
+ <home-manager/nixos>
+ ../modules/nix
+ ../modules/base
+
+ # Server base setup
+ ../modules/server
+ ../modules/server/nginx
+
+ # Modules enabled on this server
+ ../modules/server/blog
+ #../modules/server/gitlab-ci
+ ../modules/server/prosody
+ ../modules/server/quassel
+ #../modules/server/syncthing
+ ../modules/server/tor
+
+ # Define allowed ssh users
+ #../modules/users/spacekookie
+ #../modules/users/qyliss
+ ];
+
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.copyKernels = true;
+
+ boot.loader.grub.efiSupport = false;
+ boot.zfs.devNodes = "/dev";
+ boot.loader.grub.zfsSupport = true;
+ boot.loader.grub.device = "/dev/sdb";
+
+ hardware.cpu.intel.updateMicrocode = true;
+
+ networking = {
+ dhcpcd.enable = false;
+ defaultGateway = "95.216.98.1";
+ nameservers = [ "1.1.1.1" ];
+ interfaces.enp0s31f6 = {
+ ipv4.addresses = [ { address = "95.216.98.55"; prefixLength = 26; } ];
+ };
+
+ # NAT settings for wireguard
+ nat.enable = true;
+ nat.externalInterface = "eth0";
+ nat.internalInterfaces = [ "intranet" ];
+ };
+
+ networking.hostName = "hyperion"; # Define your hostname.
+ networking.hostId = "d83bebd1";
+
+ networking.wireguard.interfaces."intranet" = {
+ ips = [ "10.13.12.1" ];
+ listenPort = 51820;
+ privateKeyFile = "/var/lib/wireguard/keys/private";
+
+ peers = [
+ { publicKey = "NHMpnZW6h/MwxWcjztpwH5NN44jS9lB1b5T5jby1i1A=";
+ allowedIPs = [ "10.13.12.2/32" ]; }
+ { publicKey = "U/EmC6uMGqrLOd+lqfquDcUShPHgoulN35Dan6RAqyU=";
+ allowedIPs = [ "10.13.12.3/32" ]; }
+ { publicKey = "yh8gU4otkndmSsVBuaPMxxFHem45FE3POvSAWi8LEik=";
+ allowedIPs = [ "10.13.12.4/32" ]; }
+
+ { publicKey = "cPvj0SPITg1twz3DprtQgehJDOAhOL/hnXlB5ZS6Fi4=";
+ endpoint = "85.119.82.108:51820";
+ allowedIPs = [ "10.172.171.0/24" ]; }
+ ];
+ };
+
+ # FIXME: Change this, but I wanna know what will break first
+ time.timeZone = "Europe/Berlin";
+
+ # TODO: Should this be in here or `users` root?
+ users.mutableUsers = false;
+ system.stateVersion = "19.03";
+}
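Review bot: In the `networking` block, `nat.externalInterface = "eth0"` does not match the only interface this file configures, `interfaces.enp0s31f6`, so unless an `eth0` name is set up in a module outside this hunk the masquerading rules for the `intranet` WireGuard interface would be bound to a device that does not exist. I would use `nat.externalInterface = "enp0s31f6";`, or add a comment saying where `eth0` comes from. Separately, `users.mutableUsers = false` is set while both `../modules/users/*` imports are commented out, so it is worth confirming that `../modules/server` or `../modules/base` still declares an account with SSH keys. It is also worth checking that UDP port 51820 for `listenPort` is opened in the firewall by one of the imported modules, since nothing in this file does so.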
diff --git a/infra/libkookie/roots/tempest.nix b/infra/libkookie/roots/tempest.nix
new file mode 100644
index 000000000000..40a6aa915687
--- /dev/null
+++ b/infra/libkookie/roots/tempest.nix
@@ -0,0 +1,90 @@
+/* TOP LEVEL DEVICE CONFIGURATION FOR
+ *
+ * tempest (AMD workstation)
+ *
+ * This file only contains settings that are specific to this one
+ * device (hardware and things outside of nix, like partitions).
+ *
+ * This file is part of LIBKOOKIE, a collection of nix expressions.
+ * LIBKOOKIE is licensed under the GPL-3.0 (or later) -- see LICENSE
+ */
+
+{ lib, config, pkgs, ... }:
+
+{
+ nixpkgs.config.allowUnfree = true;
+
+ imports = [
+ ../modules/nix
+ ../modules/nix/home-manager.nix
+
+ ../modules/base
+ ../modules/docker
+ ../modules/workstation
+ ../modules/workstation/hardware/yubikey
+ ../modules/workstation/hardware/xkblayout
+ ];
+
+ # Use the GRUB 2 boot loader.
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/disk/by-id/ata-Samsung_SSD_850_EVO_500GB_S2RBNB0J340787H";
+ enableCryptodisk = true;
+ zfsSupport = true;
+ version = 2;
+ };
+
+ hardware.cpu.amd.updateMicrocode = true;
+ hardware.enableRedistributableFirmware = true;
+
+ boot.initrd.availableKernelModules =
+ [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+ boot.initrd.kernelModules = [ "dm-snapshot" ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [];
+
+ services.zfs.autoSnapshot.enable = true;
+
+ fileSystems."/" = {
+ device = "zroot";
+ fsType = "zfs";
+
+ encrypted = {
+ enable = true;
+ label = "lvm";
+ blkDev = "/dev/disk/by-uuid/e01e1473-ea51-4ec7-a5a9-44d673396644";
+ };
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/0583b1a0-88c1-4e1c-855e-2df948272cbf";
+ fsType = "ext4";
+ };
+
+ swapDevices = [];
+ nix.maxJobs = 16;
+
+ ## From Mass Effect: Andromeda
+ networking.hostName = "tempest";
+ networking.hostId = "01fd342c";
+ networking.firewall.allowedTCPPorts = [ 9000 ];
+
+ networking.useDHCP = false;
+ networking.interfaces.enp7s0.useDHCP = true;
+
+ # Select internationalisation properties.
+ i18n.defaultLocale = "en_GB.UTF-8";
+
+ # Set your time zone.
+ time.timeZone = "Europe/Berlin";
+
+ programs.sway.enable = true;
+ programs.mtr.enable = true;
+ programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
+ services.openssh.enable = true;
+
+ # users.users.spacekookie.hashedPassword = "$6$rounds=1000000$22ypycQ2AlCCv8iC$RrzyAbCX3D518nCgfR3MTqZhfK.GAclme7EQlKTlqH4oV1YvGd/aHdTfe59iMpf/J18tqEO2aSXsevTVQz2yW.";
+ users.users.spacekookie.hashedPassword = "$6$rounds=1000000$IncTbazL/YhUV5$brzwb3Xa0cmmazpxJGPPo93wfs6jAomL1NYJ7Amw3WSyTjXGXGbedIMmm06nkeCnJfJzoZ.Jd47q88ot3USZi/";
+ system.stateVersion = "19.09";
+}
+
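Review bot: The `users.users.spacekookie.hashedPassword` assignment near the end of the file commits a SHA-512 crypt hash to a public repository, and the value is also copied into the world-readable Nix store. The commented-out line directly above it carries a second hash, which is the one set live in roots/uwu.nix and roots/uwu/default.nix. Keeping the hash out of the tree with `users.users.spacekookie.passwordFile = "/path/outside/the/repo";` (placeholder path) and changing the passwords behind the published hashes would remove the offline-guessing exposure, and the commented-out line should be deleted rather than kept as history. Because `services.openssh.enable = true` is set here with no visible `services.openssh.passwordAuthentication = false;`, the same credential may also be usable for remote login unless a module outside this hunk disables it.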
diff --git a/infra/libkookie/roots/uwu.nix b/infra/libkookie/roots/uwu.nix
new file mode 100644
index 000000000000..e430b793f4c5
--- /dev/null
+++ b/infra/libkookie/roots/uwu.nix
@@ -0,0 +1,102 @@
+/* TOP LEVEL DEVICE CONFIGURATION FOR
+ *
+ * uwu (Thinkpad X230)
+ *
+ * This file only contains settings that are specific to this one
+ * device (hardware and things outside of nix, like partitions).
+ *
+ * This file is part of LIBKOOKIE, a collection of nix expressions.
+ * LIBKOOKIE is licensed under the GPL-3.0 (or later) -- see LICENSE
+ */
+
+{ lib, config, pkgs, ... }:
+
+
+let
+ forActiveUsers = (attrs:
+ lib.listToAttrs (map (u: lib.nameValuePair "${u}" ({ ... }: attrs))
+ [ "spacekookie" ]));
+in
+{
+ nixpkgs.config.allowUnfree = true;
+
+ imports = [
+ <home-manager/nixos>
+ <modules>
+ ../config/nix
+ ../config/base
+ ../config/docker
+ ../config/workstation
+ ../config/workstation/hardware/trackpoint
+ ];
+
+ # libkookie.ui.i3.enable = true;
+
+ home-manager.users = forActiveUsers {
+ imports = [];
+ };
+
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.initrd.availableKernelModules =
+ [ "xhci_pci" "ehci_pci" "ahci" "sd_mod" "sdhci_pci" ];
+ hardware.enableRedistributableFirmware = true;
+
+ boot.loader.grub = {
+ copyKernels = true;
+ device = "/dev/sda";
+ zfsSupport = true;
+ enableCryptodisk = true;
+ };
+
+ boot.extraModprobeConfig = "options kvm_item nested=1";
+ boot.zfs.devNodes = "/dev"; # FIXME: Why do I set this?
+ boot.cleanTmpDir = true;
+ boot.tmpOnTmpfs = true;
+ boot.supportedFilesystems = [ "zfs" "exfat" ];
+
+ services.zfs.autoSnapshot.enable = true;
+
+ fileSystems."/" = {
+ device = "zroot";
+ fsType = "zfs";
+
+ encrypted = {
+ enable = true;
+ label = "lvm";
+ blkDev = "/dev/disk/by-uuid/f1440abd-99e3-46a8-aa36-7824972fee54";
+ };
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/672c497c-18aa-4b00-ac95-78e810363d81";
+ fsType = "ext3";
+ };
+
+ swapDevices = [
+ { device = "/dev/disk/by-uuid/bd3d5c22-eed0-4371-ae25-456b8dfe9356"; }
+ ];
+
+ nix.maxJobs = lib.mkDefault 4;
+ powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+
+ services.mullvad.enable = true;
+ programs.java.enable = true;
+
+ # owo
+ networking.hostName = "uwu";
+ networking.hostId = "a82ecf29";
+ networking.wireguard.interfaces."intranet" = {
+ ips = [ "10.13.12.3" ];
+ privateKeyFile = "/var/lib/wg/private";
+ peers = [
+ { publicKey = "ugHG/NOqM/9hde9EmWpu7XsCpjT3WQbjLK99IGHtdjQ=";
+ allowedIPs = [ "10.13.12.0/24" "10.172.171.0/24" ];
+ endpoint = "hyperion.kookie.space:51820";
+ persistentKeepalive = 25; }
+ ];
+ };
+
+ system.stateVersion = "19.03";
+ users.users.spacekookie.hashedPassword = "$6$rounds=1000000$22ypycQ2AlCCv8iC$RrzyAbCX3D518nCgfR3MTqZhfK.GAclme7EQlKTlqH4oV1YvGd/aHdTfe59iMpf/J18tqEO2aSXsevTVQz2yW.";
+
+}
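Review bot: `boot.extraModprobeConfig = "options kvm_item nested=1";` names a module `kvm_item`, while the module this file actually loads is `kvm-intel`, so the option line most likely never applies and nested virtualisation stays off without any error. The line should read `boot.extraModprobeConfig = "options kvm_intel nested=1";`. The same string appears as `extraModprobeConfig` in roots/uwu/part.nix. The `# FIXME: Why do I set this?` on `boot.zfs.devNodes` would be better replaced by a comment stating the reason, or the setting dropped if none is known.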
diff --git a/infra/libkookie/roots/uwu/default.nix b/infra/libkookie/roots/uwu/default.nix
new file mode 100644
index 000000000000..a09ca365ce13
--- /dev/null
+++ b/infra/libkookie/roots/uwu/default.nix
@@ -0,0 +1,45 @@
+/* TOP LEVEL DEVICE CONFIGURATION FOR
+ *
+ * uwu (Thinkpad X230)
+ *
+ * This file is part of LIBKOOKIE, a collection of nix expressions.
+ * LIBKOOKIE is licensed under the GPL-3.0 (or later) -- see LICENSE
+ */
+
+{ lib, config, pkgs, ... }:
+
+{
+
+ imports = [
+ ./part.nix
+ ] ++ [
+ <home-manager/nixos>
+ <modules/nix>
+ <modules/base>
+ <modules/users>
+ <modules/workstation>
+ <modules/workstation/hardware/trackpoint>
+ ];
+
+ libkookie.activeUsers = [ "spacekookie" ];
+
+ nix.maxJobs = lib.mkDefault 4;
+ powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+
+ # owo
+ networking.hostName = "uwu";
+ networking.hostId = "a82ecf29";
+ networking.wireguard.interfaces."intranet" = {
+ ips = [ "10.13.12.3" ];
+ privateKeyFile = "/var/lib/wg/private";
+ peers = [
+ { publicKey = "ugHG/NOqM/9hde9EmWpu7XsCpjT3WQbjLK99IGHtdjQ=";
+ allowedIPs = [ "10.13.12.0/24" "10.172.171.0/24" ];
+ endpoint = "hyperion.kookie.space:51820";
+ persistentKeepalive = 25; }
+ ];
+ };
+
+ system.stateVersion = "19.03";
+ users.users.spacekookie.hashedPassword = "$6$rounds=1000000$22ypycQ2AlCCv8iC$RrzyAbCX3D518nCgfR3MTqZhfK.GAclme7EQlKTlqH4oV1YvGd/aHdTfe59iMpf/J18tqEO2aSXsevTVQz2yW.";
+}
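Review bot: This file, together with `./part.nix`, describes the same machine as roots/uwu.nix (same `networking.hostName`, `networking.hostId` and WireGuard peer), but the two definitions already differ. roots/uwu.nix sets `services.zfs.autoSnapshot.enable`, `services.mullvad.enable` and `nixpkgs.config.allowUnfree`, and none of these appear here or in part.nix. With two roots for one host it is unclear which one is deployed, and a security-relevant change such as a key or password rotation can land in only one of them. I would keep a single root and add a head-comment line such as `* Supersedes roots/uwu.nix` (or delete the older file) so the authoritative definition is explicit.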
diff --git a/infra/libkookie/roots/uwu/part.nix b/infra/libkookie/roots/uwu/part.nix
new file mode 100644
index 000000000000..945bd2a29a2a
--- /dev/null
+++ b/infra/libkookie/roots/uwu/part.nix
@@ -0,0 +1,44 @@
+{ lib, config, ... }:
+
+{
+ hardware.enableRedistributableFirmware = true;
+
+ boot = {
+ kernelModules = [ "kvm-intel" ];
+ initrd.availableKernelModules = [ "sdhci_pci" "xhci_pci"
+ "ehci_pci" "sd_mod" "ahci" ];
+
+ extraModprobeConfig = "options kvm_item nested=1";
+ zfs.devNodes = "/dev";
+ cleanTmpDir = true;
+ tmpOnTmpfs = true;
+ supportedFilesystems = [ "zfs" "exfat" ];
+
+ loader.grub = {
+ copyKernels = true;
+ device = "/dev/sda";
+ zfsSupport = true;
+ enableCryptodisk = true;
+ };
+ };
+
+ fileSystems."/" = {
+ device = "zroot";
+ fsType = "zfs";
+
+ encrypted = {
+ enable = true;
+ label = "lvm";
+ blkDev = "/dev/disk/by-uuid/f1440abd-99e3-46a8-aa36-7824972fee54";
+ };
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/672c497c-18aa-4b00-ac95-78e810363d81";
+ fsType = "ext3";
+ };
+
+ swapDevices = [
+ { device = "/dev/disk/by-uuid/bd3d5c22-eed0-4371-ae25-456b8dfe9356"; }
+ ];
+}
diff --git a/infra/libkookie/roots/virt/README b/infra/libkookie/roots/virt/README
new file mode 100644
index 000000000000..dc47b816aca1
--- /dev/null
+++ b/infra/libkookie/roots/virt/README
@@ -0,0 +1,6 @@
+# Virtual Roots
+
+This directory contains virtual device configurations, such as VMs,
+containers, and build utilities. Some are meant for desktop use,
+others to run on a server. Usage is documented in the head comment of
+each file. \ No newline at end of file
diff --git a/infra/libkookie/roots/virt/transmission.nix b/infra/libkookie/roots/virt/transmission.nix
new file mode 100644
index 000000000000..1b92c4e7f9c5
--- /dev/null
+++ b/infra/libkookie/roots/virt/transmission.nix
@@ -0,0 +1,10 @@
+/* VIRTUAL DEVICE CONFIGURATION FOR
+ *
+ * transmission-cli & mulvad
+ *
+ * This file only contains settings that are specific to this one
+ * device (hardware and things outside of nix, like partitions).
+ *
+ * This file is part of LIBKOOKIE, a collection of nix expressions.
+ * LIBKOOKIE is licensed under the GPL-3.0 (or later) -- see LICENSE
+ */
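Review bot: The new file consists only of the head comment, so it holds no Nix expression and would fail to evaluate if it were imported as a root. The comment text is also copied from the hardware roots ("specific to this one device (hardware and things outside of nix, like partitions)"), which does not describe a virtual configuration. The README added in this directory says usage is documented in each file's head comment, but none is given here. I would either add a minimal body such as `{ ... }: { }` with a `TODO`, or hold the file back until the configuration exists, and rewrite the comment to say how the VM or container is built and run. `mulvad` in the title line is presumably `mullvad`, matching `services.mullvad` in roots/uwu.nix.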