From 977e7c795ab2ca3d2a226bdbebf4d5e7b3dad96c Mon Sep 17 00:00:00 2001 From: tzlil Date: Fri, 31 Mar 2023 17:56:36 +0300 Subject: completed hydrus setup, made ssh-agent autostart (wantedBy default.target) --- flake.lock | 36 +++++++++++++++--------------- hosts/vps/cfg.nix | 3 +++ hosts/vps/hydrus.nix | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++ profiles/security.nix | 2 ++ profiles/user.nix | 4 +++- 5 files changed, 87 insertions(+), 19 deletions(-) create mode 100644 hosts/vps/hydrus.nix diff --git a/flake.lock b/flake.lock index 26453be..ad8a444 100644 --- a/flake.lock +++ b/flake.lock @@ -43,11 +43,11 @@ }, "hardware": { "locked": { - "lastModified": 1678397099, - "narHash": "sha256-5xq8YJe+h19TlD+EI4AE/3H3jcCcQ2AWU6CWBVc5tRc=", + "lastModified": 1680070330, + "narHash": "sha256-aoT2YZCd9LEtiEULFLIF0ykKydgE72X8gw/k9/pRS5I=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "556101ff85bd6e20900ec73ee525b935154bc8ea", + "rev": "a6aa8174fa61e55bd7e62d35464d3092aefe0421", "type": "github" }, "original": { @@ -64,11 +64,11 @@ "utils": "utils" }, "locked": { - "lastModified": 1678571066, - "narHash": "sha256-MrlMr2A3tK1MY/JUGWMVzMwois8+mHWXm/1yYdwQSIc=", + "lastModified": 1680249941, + "narHash": "sha256-7Ylr0NAr8msd3YVaYBw6uyJIRbtOq5l6aLrmrYA5qTw=", "owner": "nix-community", "repo": "home-manager", - "rev": "bf5712c5865e543fb3f4796511d4cf51efd841b1", + "rev": "67b97020b6970d39b4126a7870063d11337ecb80", "type": "github" }, "original": { @@ -87,11 +87,11 @@ "xdph": "xdph" }, "locked": { - "lastModified": 1678628798, - "narHash": "sha256-AQZK2/OmY+Vf+hnDkIJ/oqjCiEhCTHlTo2f1IhSYXFw=", + "lastModified": 1680265039, + "narHash": "sha256-KUMwbTvoVxEh9VtXCDyWHb1PfvxUyWVvrlT6nahhf8s=", "owner": "hyprwm", "repo": "Hyprland", - "rev": "146d231ec5ea9059a64e34caeba06e790991e81a", + "rev": "24ef5d888c648d9a89fdd12c2dbff84f1153aa67", "type": "github" }, "original": { 
@@ -188,11 +188,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1678470307, - "narHash": "sha256-OEeMUr3ueLIXyW/OaFUX5jUdimyQwMg/7e+/Q0gC/QE=", + "lastModified": 1680125544, + "narHash": "sha256-mlqo1r+TZUOuypWdrZHluxWL+E5WzXlUXNZ9Y0WLDFU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0c4800d579af4ed98ecc47d464a5e7b0870c4b1f", + "rev": "9a6aabc4740790ef3bbb246b86d029ccf6759658", "type": "github" }, "original": {
@@ -210,11 +210,11 @@ "utils": "utils_2" }, "locked": { - "lastModified": 1678614044, - "narHash": "sha256-J27xhKwVJGfB51tTSWT077l+URuRrLbElScvjB3HLgc=", + "lastModified": 1680261737, + "narHash": "sha256-tJDA4yMBkDESIFyGKKjUObg3UcnGvpdPdnbuK9hDtR4=", "owner": "wamserma", "repo": "flake-programs-sqlite", - "rev": "0937e66bdf1c27d331f4f418c68efc58f5228354", + "rev": "fd509bb8400249dc5370068183b86b31a4aacd60", "type": "github" }, "original": {
@@ -269,11 +269,11 @@ "flake": false, "locked": { "host": "gitlab.freedesktop.org", - "lastModified": 1677789111, - "narHash": "sha256-dWrk+Q3bLdtFe5rkyaAKWCQJCeE/KFNllcu1DvBC38c=", + "lastModified": 1679340088, + "narHash": "sha256-/1KiYoBivDj8HC/eVK2Tr2WYkVdKJxq2Lb0tQs0qqJo=", "owner": "wlroots", "repo": "wlroots", - "rev": "5ae17de23f5fd9bb252a698f3771c840280e2c05", + "rev": "1d64e12391a638201c679e71d4e22bb45e5faa8e", "type": "gitlab" }, "original": {
diff --git a/hosts/vps/cfg.nix b/hosts/vps/cfg.nix
index 3c7787b..c902c53 100644
--- a/hosts/vps/cfg.nix
+++ b/hosts/vps/cfg.nix
@@ -12,6 +12,7 @@ ../../mixins/cli.nix ./website.nix ./git.nix + ./hydrus.nix ]; config = {
@@ -74,5 +75,7 @@
 enable = true;
 algorithm = "zstd";
 };
+
+ networking.networkmanager.enable = lib.mkForce false;
 };
 }
diff --git a/hosts/vps/hydrus.nix b/hosts/vps/hydrus.nix
new file mode 100644
index 0000000..2fe988e
--- /dev/null
+++ b/hosts/vps/hydrus.nix
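Review bot: `networking.networkmanager.enable = lib.mkForce false;` in the second cfg.nix hunk overrides a setting enabled somewhere outside this file without saying where or why, so the next reader cannot tell which profile or mixin turned it on or whether the override is still wanted on this host. A one-line comment above it, such as `# <profile that enables it> turns NetworkManager on; not wanted on the VPS because <reason>` with the placeholders filled in, would make the override self-explaining. The enclosing `config = { ... }` block starts before this hunk.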
@@ -0,0 +1,61 @@
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}: {
+ config = {
+ users.groups.hydrus = {};
+ users.users.hydrus = {
+ isSystemUser = true;
+ description = "hydrus";
+ group = "hydrus";
+ home = "/home/hydrus";
+ };
+
+ systemd.services.Xvnc = {
+ description = "Xvnc";
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ ExecStart = "${pkgs.turbovnc}/bin/Xvnc :30 -iglx -depth 24 -rfbwait 120000 -deferupdate 1 -localhost -verbose -securitytypes none";
+ User = "hydrus";
+ Group = "hydrus";
+ Restart = "on-failure";
+ RestartSec = "5s";
+ };
+ };
+
+ systemd.services.hydrus = {
+ description = "Hydrus";
+ wantedBy = [ "multi-user.target" "Xvnc.service" ];
+ wants = [ "podman-hydrus-web.service" ];
+
+ serviceConfig = {
+ Environment = "DISPLAY=:30";
+ ExecStart = "${pkgs.hydrus}/bin/hydrus-client -d /home/hydrus";
+ User = "hydrus";
+ Group = "hydrus";
+ Restart = "on-failure";
+ RestartSec = "5s";
+ };
+ };
+
+
+ security.lockKernelModules = lib.mkForce false;
+ virtualisation.oci-containers.containers.hydrus-web = {
+ ports = ["8080:80"];
+ image = "ghcr.io/floogulinc/hydrus-web:dev";
+ };
+
+ networking.firewall.allowedTCPPorts = [45869];
+
+ environment.persistence."/nix/persist".directories = [
+ {
+ directory = "/home/hydrus";
+ user = "hydrus";
+ group = "hydrus";
+ }
+ ];
+ };
+}
diff --git a/profiles/security.nix b/profiles/security.nix
index 8ca89e3..ddd980e 100644
--- a/profiles/security.nix
+++ b/profiles/security.nix
@@ -21,6 +21,8 @@ security.allowSimultaneousMultithreading = false; security.forcePageTableIsolation = true; + security.unprivilegedUsernsClone = config.virtualisation.containers.enable; + security.virtualisation.flushL1DataCache = "always"; security.apparmor.enable = true;
diff --git a/profiles/user.nix b/profiles/user.nix
index 0a3bebe..d343e9c 100644
--- a/profiles/user.nix
+++ b/profiles/user.nix
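Review bot: `networking.firewall.allowedTCPPorts = [45869];` and `ports = ["8080:80"];` expose two listeners on every interface of the VPS with no comment on who is meant to reach them; 45869 is presumably the hydrus client API port that hydrus-web talks to from the browser, and podman publishes a port on 0.0.0.0 unless an address is given. If a reverse proxy on the host is intended, `ports = ["127.0.0.1:8080:80"];` keeps the web UI off the public interface, and the firewall line deserves a comment stating that the client API (if enabled in the client) is reachable from the internet and relies on its access-key requirement. `wantedBy = [ "multi-user.target" "Xvnc.service" ];` makes Xvnc pull hydrus in but neither orders nor binds them, so hydrus can start before display :30 exists and only recovers through Restart; `after = [ "Xvnc.service" ]; requires = [ "Xvnc.service" ];` expresses the dependency. `-securitytypes none` is acceptable only because of `-localhost`, which is worth a comment since any local account can then attach to the display. `security.lockKernelModules = lib.mkForce false;` weakens a host-wide hardening setting for the sake of the container runtime and should say so in a comment.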
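Review bot: `security.unprivilegedUsernsClone = config.virtualisation.containers.enable;` re-enables unprivileged user namespaces on every host that turns containers on, but containers started through `virtualisation.oci-containers` (as hosts/vps/hydrus.nix does in this commit) run as a root systemd service by default and do not need the unprivileged clone, so the hardening loss may be larger than the workload requires. A comment naming the rootless workload that needs it, or `lib.mkDefault` so a host can keep it off, would make the trade-off explicit; if nothing rootless exists yet, leaving the option alone and enabling it per host is the smaller change. The enclosing attribute set starts and ends outside the hunk.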
@@ -19,6 +19,8 @@ # password.file = ../secrets/password.age; }; + + programs.fish.enable = true; # needed now users.users.tzlil = { isNormalUser = true; description = "Me";
@@ -62,7 +64,7 @@ in { Unit = { Description = "SSH Agent"; - After = ["default.target"]; + WantedBy = ["default.target"]; }; Service = { ExecStartPre = "${pkgs.coreutils}/bin/rm -f %t/ssh-agent";
-- cgit 1.4.1
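Review bot: `programs.fish.enable = true; # needed now` gives no reason, and a comment that only says something is needed does not tell the next reader when it can be removed. State what requires it, e.g. `# required by <consumer> since <change>` with the real names filled in. The `users.users.tzlil` block that follows continues outside the hunk.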
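Review bot: `WantedBy = ["default.target"];` sits inside the `Unit = { ... }` attribute set, which home-manager renders as the `[Unit]` section of the unit file; systemd only honours `WantedBy=` in `[Install]`, so it will log an unknown-key warning and ignore it, and the agent will not be pulled in at login as the commit title intends. Move it to its own section next to `Unit` and `Service`: `Install = { WantedBy = ["default.target"]; };`. Dropping `After = ["default.target"]` is fine either way; the `Service` attribute set continues outside the hunk.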