lots of stuff

Signed-off-by: gwg313 <gwg313@pm.me>

hosts/candlekeep/configuration.nix

@@ -46,9 +46,12 @@
   ];
 
   laptop.enable = true;
-  nfs.enable = true;
+  # nfs.enable = true;
   ssh.enable = true;
   ssh_guard.enable = true;
+  steam.enable = true;
+
+  programs.nix-ld.dev.enable = true;
 
   # Bootloader.
   boot = {

hosts/grymforge/configuration.nix

@@ -19,6 +19,7 @@
     ../../common/gui/hyprland.nix
     ../../common/gui/steam.nix
     ../../common/gui/thunar.nix
+    ../../common/gui/retroarch.nix
     ../../common/style/stylix.nix
     ../../common/nixos/sysctl
 
@@ -45,6 +46,7 @@
     # Import your generated (nixos-generate-config) hardware configuration
     ./hardware-configuration.nix
   ];
+  programs.obs-studio.enableVirtualCamera = true;
 
   ssh.enable = true;
   ssh_guard.enable = true;

hosts/kerby/configuration.nix

@@ -0,0 +1,112 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+{
+  config,
+  pkgs,
+  lib,
+  inputs,
+  ...
+}:
+{
+  # sops
+  sops = {
+    defaultSopsFile = ../../secrets/secrets.yaml;
+    defaultSopsFormat = "yaml";
+    age.keyFile = "/home/gwg313/.config/sops/age/keys.txt";
+  };
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+    ../../common/nixos/ssh/default.nix
+    inputs.sops-nix.nixosModules.sops
+  ];
+
+  ssh.enable = true;
+  ssh_guard.enable = true;
+  ssh_client.enable = false;
+  services.openssh.authorizedKeysFiles = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINvOfDSjlvegGqfUS18XwXB7SvS2n9/hGYUpKxRb9vgb gwg313@pm.me"
+  ];
+  services.openssh.settings = {
+    PermitRootLogin = lib.mkForce "yes";
+
+    AllowUsers = lib.mkForce [
+      "gwg313"
+      "root"
+    ];
+  };
+
+  users.users.gwg313 = {
+    isNormalUser = true;
+    description = "gwg313";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINvOfDSjlvegGqfUS18XwXB7SvS2n9/hGYUpKxRb9vgb gwg313@pm.me"
+    ];
+    extraGroups = [
+      "networkmanager"
+      "wheel"
+    ];
+    packages = with pkgs; [ ];
+  };
+
+  users.users = {
+    root = {
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINvOfDSjlvegGqfUS18XwXB7SvS2n9/hGYUpKxRb9vgb gwg313@pm.me"
+      ];
+    };
+  };
+
+  # Bootloader.
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/sda";
+  boot.loader.grub.useOSProber = true;
+  networking.hostName = "kerby"; # Define your hostname.
+  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
+  # Configure network proxy if necessary
+  # networking.proxy.default = "http://user:password@proxy:port/";
+  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+  # Enable networking
+  networking.networkmanager.enable = true;
+  # Set your time zone.
+  time.timeZone = "America/Toronto";
+  # Select internationalisation properties.
+  i18n.defaultLocale = "en_CA.UTF-8";
+  # Configure keymap in X11
+  services.xserver.xkb = {
+    layout = "us";
+    variant = "";
+  };
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  # Allow unfree packages
+  nixpkgs.config.allowUnfree = true;
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+  environment.systemPackages = with pkgs; [
+    #  vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
+    #  wget
+  ];
+  # Some programs need SUID wrappers, can be configured further or are
+  # started in user sessions.
+  # programs.mtr.enable = true;
+  # programs.gnupg.agent = {
+  #   enable = true;
+  #   enableSSHSupport = true;
+  # };
+  # List services that you want to enable:
+  # Enable the OpenSSH daemon.
+  # services.openssh.enable = true;
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "24.11"; # Did you read the comment?
+}

hosts/kerby/hardware-configuration.nix

@@ -0,0 +1,43 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "ata_piix"
+    "uhci_hcd"
+    "virtio_pci"
+    "virtio_scsi"
+    "sd_mod"
+    "sr_mod"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/979e137f-7d21-4dac-b6eb-51c8add1cf48";
+    fsType = "ext4";
+  };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/kerby/kerberos-kdc.nix

@@ -0,0 +1,15 @@
+{ }:
+{
+  services.kerberoskdc = {
+    enable = true;
+    realm = "LOCAL.GWG313.XYZ";
+    databaseFile = "/var/lib/krb5kdc/principal";
+    adminServer.enable = true;
+    kadmindPort = 749;
+    kdcPort = 88;
+    extraConfig = ''
+      max_life = 10h
+      max_renewable_life = 7d
+    '';
+  };
+}

hosts/kerby/kerberos.nix

@@ -0,0 +1,69 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  services.krb5kdc = {
+    enable = true;
+    realms = {
+      "EXAMPLE.LOCAL" = {
+        aclFile = "/etc/krb5kdc/kadm5.acl";
+        dictFile = "/etc/krb5kdc/kadm5.dict";
+        databaseName = "/var/lib/krb5kdc/principal";
+        adminServer = "kerberos.example.local";
+        supportedEnctypes = [ "aes256-cts-hmac-sha1-96" ];
+      };
+    };
+  };
+
+  services.kadmind.enable = true;
+
+  services.krb5 = {
+    enable = true;
+    libdefaults = {
+      default_realm = "EXAMPLE.LOCAL";
+    };
+    realms = {
+      "EXAMPLE.LOCAL" = {
+        kdc = [ "kerberos.example.local" ];
+        admin_server = "kerberos.example.local";
+      };
+    };
+  };
+
+  environment.etc."krb5kdc/kadm5.acl".text = "*/admin@EXAMPLE.LOCAL *";
+
+  sops.secrets."kdc/master_password" = { };
+  sops.secrets."kdc/admin_password" = { };
+
+  systemd.services.krb5-bootstrap = {
+    description = "Bootstrap KDC DB + principals";
+    wantedBy = [ "multi-user.target" ];
+    before = [ "krb5kdc.service" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    script = ''
+            set -e
+            DB="/var/lib/krb5kdc/principal"
+            if [ ! -f "$DB" ]; then
+              MASTER_PW=$(<${config.sops.secrets."kdc/master_password".path})
+              ADMIN_PW=$(<${config.sops.secrets."kdc/admin_password".path})
+
+              echo "Creating KDC database..."
+              echo "$MASTER_PW" | kdb5_util create -s -P "$MASTER_PW"
+
+              echo "$ADMIN_PW
+      $ADMIN_PW" | kadmin.local -q "addprinc root/admin"
+
+              kadmin.local -q "addprinc -randkey nfs/truenas.example.local"
+              kadmin.local -q "ktadd -k /etc/krb5kdc/nfs.keytab nfs/truenas.example.local"
+            fi
+    '';
+  };
+
+  environment.etc."krb5kdc/nfs.keytab".source = "/etc/krb5kdc/nfs.keytab";
+}

hosts/kerby/krb5.nix

@@ -0,0 +1,11 @@
+{ }:
+{
+  services.krb5 = {
+    enable = true;
+    defaultRealm = "LOCAL.GWG313.XYZ";
+    realms."LOCAL.GWG313.XYZ" = {
+      kdc = [ "kerby.local.gwg313.xyz" ];
+      adminServer = "kerby.local.gwg313.xyz";
+    };
+  };
+}

hosts/seikan/routes.nix

@@ -3,7 +3,6 @@
     dynamicConfigOptions = {
       http = {
         services = {
-
           music_zt.loadBalancer.servers = [
             {
               url = "https://music.zerotier.gwg313.xyz";
@@ -51,10 +50,33 @@
               url = "https://git.zerotier.gwg313.xyz";
             }
           ];
+
+          registry_zt.loadBalancer.servers = [
+            {
+              url = "https://registry.zerotier.gwg313.xyz";
+            }
+          ];
+
+          ci_zt.loadBalancer.servers = [
+            {
+              url = "https://ci.zerotier.gwg313.xyz";
+            }
+          ];
+
+          s3_zt.loadBalancer.servers = [
+            {
+              url = "https://s3.zerotier.gwg313.xyz";
+            }
+          ];
+
+          s3_console_zt.loadBalancer.servers = [
+            {
+              url = "https://s3-console.zerotier.gwg313.xyz";
+            }
+          ];
         };
 
         routers = {
-
           music_zt = {
             entryPoints = [ "websecure" ];
             rule = "Host(`music.gwg313.xyz`)";
@@ -118,9 +140,39 @@
             middlewares = [ "headers" ];
           };
 
+          ci_zt = {
+            entryPoints = [ "websecure" ];
+            rule = "Host(`ci.gwg313.xyz`)";
+            service = "ci_zt";
+            tls.certResolver = "le";
+            middlewares = [ "headers" ];
+          };
+
+          registry_zt = {
+            entryPoints = [ "websecure" ];
+            rule = "Host(`registry.gwg313.xyz`)";
+            service = "registry_zt";
+            tls.certResolver = "le";
+            middlewares = [ "headers" ];
+          };
+
+          s3_zt = {
+            entryPoints = [ "websecure" ];
+            rule = "Host(`s3.gwg313.xyz`)";
+            service = "s3_zt";
+            tls.certResolver = "le";
+            middlewares = [ "headers" ];
+          };
+
+          s3_console = {
+            entryPoints = [ "websecure" ];
+            rule = "Host(`s3-console.gwg313.xyz`)";
+            service = "s3_console_zt";
+            tls.certResolver = "le";
+            middlewares = [ "headers" ];
+          };
         };
       };
     };
   };
-
 }

hosts/seikan/traefik.nix

@@ -1,11 +1,9 @@
 # Traefik
-{
-  config,
-  ...
-}:
+{ config, ... }:
 {
   imports = [
     ./routes.nix
+    ../../common/networking/hosts.nix
   ];
   sops.secrets.cf-api-token = {
     mode = "0440";

hosts/seikan/zerotier.nix

@@ -1,7 +1,4 @@
-{
-  inputs,
-  ...
-}:
+{ inputs, ... }:
 {
   services.zerotierone = {
     joinNetworks = [
@@ -9,15 +6,4 @@
     ];
     enable = true;
   };
-
-  networking.extraHosts = ''
-    10.147.17.246 audiobooks.zerotier.gwg313.xyz
-    10.147.17.246 music.zerotier.gwg313.xyz
-    10.147.17.246 recipes.zerotier.gwg313.xyz
-    10.147.17.246 scholarsome.zerotier.gwg313.xyz
-    10.147.17.246 bookmarks.zerotier.gwg313.xyz
-    10.147.17.246 pastebin.zerotier.gwg313.xyz
-    10.147.17.246 snippets.zerotier.gwg313.xyz
-    10.147.17.246 git.zerotier.gwg313.xyz
-  '';
 }

hosts/waypoint/routes.nix

@@ -6,7 +6,6 @@
     dynamicConfigOptions = {
       http = {
         routers = {
-
           music = {
             entryPoints = [ "websecure" ];
             rule = "Host(`music.gwg313.xyz`)";
@@ -70,9 +69,39 @@
             middlewares = [ "headers" ];
           };
 
+          registry = {
+            entryPoints = [ "websecure" ];
+            rule = "Host(`registry.gwg313.xyz`)";
+            service = "registry_local";
+            tls.certResolver = "le";
+            middlewares = [ "headers" ];
+          };
+
+          ci = {
+            entryPoints = [ "websecure" ];
+            rule = "Host(`ci.gwg313.xyz`)";
+            service = "ci_local";
+            tls.certResolver = "le";
+            middlewares = [ "headers" ];
+          };
+
+          s3 = {
+            entryPoints = [ "websecure" ];
+            rule = "Host(`s3.gwg313.xyz`)";
+            service = "s3_local";
+            tls.certResolver = "le";
+            middlewares = [ "headers" ];
+          };
+
+          s3_console = {
+            entryPoints = [ "websecure" ];
+            rule = "Host(`s3-console.gwg313.xyz`)";
+            service = "s3_console_local";
+            tls.certResolver = "le";
+            middlewares = [ "headers" ];
+          };
         };
       };
     };
   };
-
 }

hosts/waypoint/routes_zerotier.nix

@@ -6,7 +6,6 @@
     dynamicConfigOptions = {
       http = {
         routers = {
-
           music_zerotier = {
             entryPoints = [ "websecure" ];
             rule = "Host(`music.zerotier.gwg313.xyz`)";
@@ -69,9 +68,47 @@
             middlewares = [ "headers" ];
           };
 
+          git_zt = {
+            entryPoints = [ "websecure" ];
+            rule = "Host(`git.zerotier.gwg313.xyz`)";
+            service = "git_local";
+            tls.certResolver = "le";
+            middlewares = [ "headers" ];
+          };
+
+          ci_zt = {
+            entryPoints = [ "websecure" ];
+            rule = "Host(`ci.zerotier.gwg313.xyz`)";
+            service = "ci_local";
+            tls.certResolver = "le";
+            middlewares = [ "headers" ];
+          };
+
+          registry_zt = {
+            entryPoints = [ "websecure" ];
+            rule = "Host(`registry.zerotier.gwg313.xyz`)";
+            service = "registry_local";
+            tls.certResolver = "le";
+            middlewares = [ "headers" ];
+          };
+
+          s3_zt = {
+            entryPoints = [ "websecure" ];
+            rule = "Host(`s3.zerotier.gwg313.xyz`)";
+            service = "s3_local";
+            tls.certResolver = "le";
+            middlewares = [ "headers" ];
+          };
+
+          s3_console_zt = {
+            entryPoints = [ "websecure" ];
+            rule = "Host(`s3-console.zerotier.gwg313.xyz`)";
+            service = "s3_console_local";
+            tls.certResolver = "le";
+            middlewares = [ "headers" ];
+          };
         };
       };
     };
   };
-
 }

hosts/waypoint/services.nix

@@ -3,7 +3,6 @@
     dynamicConfigOptions = {
       http = {
         services = {
-
           argocd_local.loadBalancer.servers = [
             {
               url = "https://10.1.10.3:30007";
@@ -11,7 +10,7 @@
           ];
           music_local.loadBalancer.servers = [
             {
-              url = "http://10.1.10.3:30033";
+              url = "https://music.gwg313.xyz";
             }
           ];
 
@@ -63,11 +62,34 @@
           ];
           git_local.loadBalancer.servers = [
             {
-              url = "http://10.1.10.3:32221";
+              url = "https://git.gwg313.xyz";
+            }
+          ];
+
+          registry_local.loadBalancer.servers = [
+            {
+              url = "https://registry.gwg313.xyz";
+            }
+          ];
+
+          ci_local.loadBalancer.servers = [
+            {
+              url = "https://ci.gwg313.xyz";
+            }
+          ];
+
+          s3_local.loadBalancer.servers = [
+            {
+              url = "https://s3.gwg313.xyz";
+            }
+          ];
+
+          s3_console_local.loadBalancer.servers = [
+            {
+              url = "https://s3-console.gwg313.xyz";
             }
           ];
         };
-
       };
     };
   };

hosts/waypoint/traefik.nix

@@ -1,13 +1,11 @@
 # Traefik
-{
-  config,
-  ...
-}:
+{ config, ... }:
 {
   imports = [
     ./routes_local.nix
     ./routes_zerotier.nix
     ./routes.nix
+    ../../common/networking/hosts.nix
   ];
   sops.secrets.cf-api-token = {
     mode = "0440";