oceanbox/platform
6
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Merge branch 'main' of gitlab.com:oceanbox/clusterfck

Browse Source
This commit is contained in:
Administrator
2025-12-14 11:46:09 +01:00
parent 591bfbfe15 7b23c53032
commit 53cf811713
14 changed files with 845 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
.envrc Normal file
View File

@@ -0,0 +1,12 @@
#!/usr/bin/env bash
# the shebang is ignored, but nice for editors
watch_file nix/sources.json
# Load .env file if it exists
dotenv_if_exists
# Set npins dir
export NPINS_DIRECTORY="nix"
# Activate development shell
use nix

1
.gitignore vendored
View File

@@ -7,3 +7,4 @@ gcroots/
ca
configuration.nix
system
.direnv

1
k8s/hel1/.gitignore vendored
View File

@@ -1 +1,2 @@
*.xz
.direnv

1
modules/default.nix
View File

@@ -20,6 +20,7 @@ with lib;
./mft
./fs
./pki/certs.nix
./gitlab-runner.nix
../nixos
];
}

103
modules/gitlab-runner.nix Normal file
View File

@@ -0,0 +1,103 @@
{
pkgs,
lib,
config,
...
}:
with lib;
let
cfg = config.features.gitlab-runner;
configuration = {
services.gitlab-runner = {
enable = true;
# NOTE(mrtz): Periodically prune gitlab runner's Docker resources
clear-docker-cache = {
enable = true;
dates = "monthly";
};
settings = {
concurrent = 16;
};
services = {
nix = {
# NOTE(simkir): This must be uploaded to the host after you've
# registered a runner in gitlab.
registrationConfigFile = "/root/gitlab/gitlab-runner-registration";
# TODO(mrtz): https://archives.docs.gitlab.com/17.0/ee/ci/runners/new_creation_workflow/
# authenticationTokenConfigFile = "";
requestConcurrency = 3;
dockerImage = "alpine";
dockerVolumes = [
# The items are ro because we write to the store via the daemon
"/nix/store:/nix/store:ro"
"/nix/var/nix/db:/nix/var/nix/db:ro"
"/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
];
dockerDisableCache = true;
registrationFlags = [
"--docker-pull-policy=if-not-present"
"--docker-allowed-pull-policies=if-not-present"
"--docker-allowed-pull-policies=always"
];
preBuildScript = pkgs.writeScript "setup-container" ''
mkdir -p -m 0755 /nix/var/log/nix/drvs
mkdir -p -m 0755 /nix/var/nix/gcroots
mkdir -p -m 0755 /nix/var/nix/profiles
mkdir -p -m 0755 /nix/var/nix/temproots
mkdir -p -m 0755 /nix/var/nix/userpool
mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
mkdir -p -m 1777 /nix/var/nix/profiles/per-user
mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
mkdir -p -m 0700 "$HOME/.nix-defexpr"
mkdir -p /etc/nix
cat << EOF > /etc/nix/nix.conf
experimental-features = nix-command flakes pipe-operators
EOF
. ${pkgs.nix}/etc/profile.d/nix-daemon.sh
${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-25.05 nixpkgs
${pkgs.nix}/bin/nix-channel --update nixpkgs
'';
environmentVariables = {
ENV = "/etc/profile";
USER = "root";
NIX_REMOTE = "daemon";
# Taken from https://cobalt.rocks/posts/nix-gitlab/
PATH =
(pkgs.lib.strings.makeSearchPathOutput "bin" "bin" (
with pkgs;
[
gnugrep
findutils
coreutils
curl
nix
openssh
bash
git
skopeo
]
))
+ ":/nix/var/nix/profiles/default/bin:/usr/local/bin:/usr/local/sbin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
};
tagList = [ "nix" ];
};
};
};
};
in
{
options.features.gitlab-runner = {
enable = mkEnableOption "Enable Gitlab runner service";
};
config = mkIf cfg.enable configuration;
}

146
nix/default.nix Normal file
View File

@@ -0,0 +1,146 @@
/*
This file is provided under the MIT licence:
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the Software), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED AS IS, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/
# Generated by npins. Do not modify; will be overwritten regularly
let
data = builtins.fromJSON (builtins.readFile ./sources.json);
version = data.version;
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
range =
first: last: if first > last then [ ] else builtins.genList (n: first + n) (last - first + 1);
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257
stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1));
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269
stringAsChars = f: s: concatStrings (map f (stringToCharacters s));
concatMapStrings = f: list: concatStrings (map f list);
concatStrings = builtins.concatStringsSep "";
# If the environment variable NPINS_OVERRIDE_${name} is set, then use
# the path directly as opposed to the fetched source.
# (Taken from Niv for compatibility)
mayOverride =
name: path:
let
envVarName = "NPINS_OVERRIDE_${saneName}";
saneName = stringAsChars (c: if (builtins.match "[a-zA-Z0-9]" c) == null then "_" else c) name;
ersatz = builtins.getEnv envVarName;
in
if ersatz == "" then
path
else
# this turns the string into an actual Nix path (for both absolute and
# relative paths)
builtins.trace "Overriding path of \"${name}\" with \"${ersatz}\" due to set \"${envVarName}\"" (
if builtins.substring 0 1 ersatz == "/" then
/. + ersatz
else
/. + builtins.getEnv "PWD" + "/${ersatz}"
);
mkSource =
name: spec:
assert spec ? type;
let
path =
if spec.type == "Git" then
mkGitSource spec
else if spec.type == "GitRelease" then
mkGitSource spec
else if spec.type == "PyPi" then
mkPyPiSource spec
else if spec.type == "Channel" then
mkChannelSource spec
else if spec.type == "Tarball" then
mkTarballSource spec
else
builtins.throw "Unknown source type ${spec.type}";
in
spec // { outPath = mayOverride name path; };
mkGitSource =
{
repository,
revision,
url ? null,
submodules,
hash,
branch ? null,
...
}:
assert repository ? type;
# At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
# In the latter case, there we will always be an url to the tarball
if url != null && !submodules then
builtins.fetchTarball {
inherit url;
sha256 = hash; # FIXME: check nix version & use SRI hashes
}
else
let
url =
if repository.type == "Git" then
repository.url
else if repository.type == "GitHub" then
"https://github.com/${repository.owner}/${repository.repo}.git"
else if repository.type == "GitLab" then
"${repository.server}/${repository.repo_path}.git"
else
throw "Unrecognized repository type ${repository.type}";
urlToName =
url: rev:
let
matched = builtins.match "^.*/([^/]*)(\\.git)?$" url;
short = builtins.substring 0 7 rev;
appendShort = if (builtins.match "[a-f0-9]*" rev) != null then "-${short}" else "";
in
"${if matched == null then "source" else builtins.head matched}${appendShort}";
name = urlToName url revision;
in
builtins.fetchGit {
rev = revision;
inherit name;
# hash = hash;
inherit url submodules;
};
mkPyPiSource =
{ url, hash, ... }:
builtins.fetchurl {
inherit url;
sha256 = hash;
};
mkChannelSource =
{ url, hash, ... }:
builtins.fetchTarball {
inherit url;
sha256 = hash;
};
mkTarballSource =
{
url,
locked_url ? url,
hash,
...
}:
builtins.fetchTarball {
url = locked_url;
sha256 = hash;
};
in
if version == 5 then
builtins.mapAttrs mkSource data.pins
else
throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"

50
nix/sources.json Normal file
View File

@@ -0,0 +1,50 @@
{
"pins": {
"nixos-2505": {
"type": "Git",
"repository": {
"type": "GitHub",
"owner": "nixos",
"repo": "nixpkgs"
},
"branch": "nixos-25.05",
"submodules": false,
"revision": "9a7b80b6f82a71ea04270d7ba11b48855681c4b0",
"url": "https://github.com/nixos/nixpkgs/archive/9a7b80b6f82a71ea04270d7ba11b48855681c4b0.tar.gz",
"hash": "1ahp8ybsxay6q20gv5dhwj6pbqcljh4y51np462lzqryjl8gwqpk"
},
"nixos-2511": {
"type": "Git",
"repository": {
"type": "GitHub",
"owner": "nixos",
"repo": "nixpkgs"
},
"branch": "nixos-25.11",
"submodules": false,
"revision": "8bb5646e0bed5dbd3ab08c7a7cc15b75ab4e1d0f",
"url": "https://github.com/nixos/nixpkgs/archive/8bb5646e0bed5dbd3ab08c7a7cc15b75ab4e1d0f.tar.gz",
"hash": "19ljxfhs2i85rqrkawdz7wn16gx006s2hni51qlzk5z1b022x9aa"
},
"nixos-hardware": {
"type": "Git",
"repository": {
"type": "GitHub",
"owner": "nixos",
"repo": "nixos-hardware"
},
"branch": "master",
"submodules": false,
"revision": "9154f4569b6cdfd3c595851a6ba51bfaa472d9f3",
"url": "https://github.com/nixos/nixos-hardware/archive/9154f4569b6cdfd3c595851a6ba51bfaa472d9f3.tar.gz",
"hash": "1vmlcda7864ya2byxivnpzkqf41cavj9ms5hjh6i0h8anls56lk6"
},
"nixpkgs": {
"type": "Channel",
"name": "nixpkgs-unstable",
"url": "https://releases.nixos.org/nixpkgs/nixpkgs-26.05pre904683.23258e03aaa4/nixexprs.tar.xz",
"hash": "05l4vicvsalz3w373jr5fl7q91zm13p7nmvh4bs8mnm2gh535742"
}
},
"version": 5
}

2
nixos

Submodule nixos updated: 444d8f8008...d30deeae00

48
packages/krdp.nix Normal file
View File

@@ -0,0 +1,48 @@
{ pkgs }:
pkgs.stdenv.mkDerivation rec {
name = "krdp";
version = "6.5.3";
outputs = [
"out"
];
src = pkgs.fetchFromGitLab {
domain = "invent.kde.org";
owner = "plasma";
repo = "krdp";
tag = "v${version}";
hash = "sha256-J4lPMh1ZqwoHOXfmOJOa2M/KUf/z0ZsyVqVrPpuvPzk=";
};
nativeBuildInputs = with pkgs; [
cmake
pkg-config
qt6.qtbase
qt6.wrapQtAppsNoGuiHook
kdePackages.extra-cmake-modules
kdePackages.kcmutils
kdePackages.kconfig
kdePackages.kcrash
kdePackages.kguiaddons
kdePackages.ki18n
kdePackages.kpipewire
kdePackages.kstatusnotifieritem
kdePackages.qtkeychain
kdePackages.qtquick3d
];
buildInputs = with pkgs; [
freerdp
pam
kdePackages.qtwayland
];
cmakeFlags = [
"-DQT_MAJOR_VERSION=6"
];
env.LANG = "C.UTF-8";
}

11
shell.nix Normal file
View File

@@ -0,0 +1,11 @@
{
sources ? import ./nix,
pkgs ? import sources.nixos-2505 { },
}:
pkgs.mkShellNoCC {
packages = with pkgs; [
npins
colmena
nixfmt-rfc-style
];
}

175
tos/hashmap/default.nix Normal file
View File

@@ -0,0 +1,175 @@
{ pkgs, ... }:
{
networking = {
hostName = "hashmap";
domain = "obx";
search = [ "obx" ];
firewall.allowedTCPPorts = [];
firewall.extraCommands = '''';
resolvconf = {
enable = false;
};
nameservers = [
"100.100.100.100"
];
};
boot = {
consoleLogLevel = 3;
plymouth = {
enable = true;
theme = "ibm";
themePackages = [
(pkgs.adi1090x-plymouth-themes.override { selected_themes = [ "ibm" ]; })
];
};
tmp.cleanOnBoot = true;
kernel = {
sysctl = {
"net.ipv4.ip_forward" = true;
};
};
kernelParams = [
# Quite boot
"quiet"
"udev.log_level=3"
];
supportedFilesystems = [ "ntfs" ];
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
initrd = {
# Quiet boot
verbose = false;
# Use zstd compression instead of gzip for initrd
compressor = "zstd";
# Make boot more reliable by using systemd inside initrd
systemd.enable = true;
};
initrd.luks.devices = {
luksroot = {
device = "/dev/nvme0n1p1";
preLVM = true;
allowDiscards = true;
};
luks-data = {
device = "/dev/sda1";
preLVM = true;
allowDiscards = true;
};
};
loader.grub = {
enable = false;
device = "/dev/sda1";
configurationLimit = 3;
};
};
# Use nvd to get package diff before apply
system.activationScripts.system-diff = {
supportsDryActivation = true; # safe: only outputs to stdout
text = ''
export PATH="${pkgs.lib.makeBinPath [ pkgs.nixVersions.latest ]}:$PATH"
if [ -e /run/current-system ]; then
${pkgs.lib.getExe pkgs.nvd} diff '/run/current-system' "$systemConfig" || true
fi
'';
};
console = {
font = "Lat2-Terminus16";
keyMap = "us";
};
i18n = {
defaultLocale = "en_US.UTF-8";
extraLocaleSettings = {
LC_CTYPE = "en_DK.UTF-8";
LC_TIME = "en_DK.UTF-8";
LC_PAPER = "en_DK.UTF-8";
LC_NAME = "en_DK.UTF-8";
LC_ADDRESS = "en_DK.UTF-8";
LC_TELEPHONE = "en_DK.UTF-8";
LC_MEASUREMENT = "en_DK.UTF-8";
LC_IDENTIFICATION = "en_DK.UTF-8";
};
};
time.timeZone = "Europe/Oslo";
features = {
desktop.enable = true;
desktop.plasma.enable = true;
os = {
networkmanager.enable = true;
externalInterface = "eno2";
docker.enable = true;
adminAuthorizedKeys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDULdlLC8ZLu9qBZUYsjhpr6kv5RH4yPkekXQdD7prkqapyoptUkO1nOTDwy7ZsKDxmp9Zc6OtdhgoJbowhGW3VIZPmooWO8twcaYDpkxEBLUehY/n8SlAwBtiHJ4mTLLcynJMVrjmTQLF3FeWVof0Aqy6UtZceFpLp1eNkiHTCM3anwtb9+gfr91dX1YsAOqxqv7ooRDu5rCRUvOi4OvRowepyuBcCjeWpTkJHkC9WGxuESvDV3CySWkGC2fF2LHkAu6SFsFE39UA5ZHo0b1TK+AFqRFiBAb7ULmtuno1yxhpBxbozf8+Yyc7yLfMNCyBpL1ci7WnjKkghQv7yM1xN2XMJLpF56v0slSKMoAs7ThoIlmkRm/6o3NCChgu0pkpNg/YP6A3HfYiEDgChvA6rAHX6+to50L9xF3ajqk4BUzWd/sCk7Q5Op2lzj31L53Ryg8vMP8hjDjYcgEcCCsGOcjUVgcsmfC9LupwRIEz3aF14AWg66+3zAxVho8ozjes= jonas.juselius@juselius.io"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFbrEhm1acesXmbgfO5lN1gcTFXqusq61QyCZXunYJpl"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIdcJteh9d/N1o8BbdEMRVxeMjm28saon/Oh2tV0+TYj"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC68qcYMBNNWjCoRo1OrfGe3OTBsHprPJPQwaywlOUM03xQLNyF2JcqY8wXJ+Hf2dOopJWOWnS5RwsOtxxV5bUX0tk7yPV38AKGhwW1Q0Xy//nGYypoe4JSvvLJLN4dWoBtkhJFQcJcdAbi6jRrDU1J8n2ZwPwFtQWoEwdm0Mq0H+MR6c97Xnl4pkjCHUOVxyaaCCzo1GSotAG2TQanwcbr5AOTptP3CRGOQ8D7T0iN1v5bJmP4fc6P/av30spOzKksksIg21aMHcted5K5I8XJymftfgJbHr5uKtsgrnHtx7qcPiISkoToQWRttYhTEj0GjLIJwCXZ5Fon1rCVWDW+VvhzI7PhXmhBEOHxuLeSuG3lC9L0NpWJkoIJo7WqMtFo3rJPmRQS6AWFy11SIjvsBQVfDk3Jz1QmV8dxM1ksyZzx5VQ0+zOqIsagjJJIHwKhxgNsVXSO/Hqrua5oCsdgSfnrNVujwagfxY9TQa0bNwYkEs79Oot9EiFdLi9wwrE= Simen Kirkvik (gitlab.com)"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC2tox0uyFGfU1zPNU6yAVSoGOUkeU959aiTMrqu1U9MCCOP2o4IhZIlRpZ08XVnUU/AhycCUF4HgGqdcco8oIVX0P0Cn83KJoD/DOqAiz+1VwIUUV1ylrRdNqCgf4wnmLni3sUPHJdQnuq57+pzDDjHMr9CcBL2KzOHD/QanfR+jZmv9K3OS5oDcWquSCziXkpbkWQURPactmtyzGK2FRRxONZgYrB8gRTDstlWQg/t6GHNVelzuJ7SEf+t8pk/S2e/XAvfZyRJhrVJ35iZKpmxkIn5v0g1Z+z0yX/KRSAPRtNg9uM44cmto77MFx7iFs0CuleL3zHvRvZYW1ZnsKAiP07UkEK87luMpkTzFr9CSHJGpgk1RZYA3qidQti44n6NU9YRNhzO4v+KQE6XDqO80gZCJboSXr3fnYn/QHpPXzK5JcZNWmClyMURYj10qv9So3Fh0o3LV5GThA6JgN874vUywUZanPEdn8ePBcAsjLRzA4YBGEuvJCc6FELSuY2s+/pFba8NXQvrOdJKSRC0g5USQFfaWDln4Q4zZ1G5z76p1u6GtRWxvakkUQ0fze9KAW7msxeKaw+B7uMtyvCL8V2zEE8WKFP1sNyYEe7Sgp3RVfym2VPMNTZVhEImfM/3D+WbzfoJztnJvFKXeeMCcne4G8swyef3o1s3b+CvQ== Simen Kirkvik (gitlab.com)"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDIQUQsPdS3Wvl46cPl6rBrAPDLX9r8tx1V7yVkr1GhP07hVYVcLV0wojMaB8Zi5kvr/sgBpiuU6oKNqx4+5gN70uQC+JbM5Orna8SoN4L2jfO2WgTMFZEqmDoyzCCglUl2EiqFDvKEC/dvFSjn/qJG6eUdEGpTuB/VQljidZMJrloq0kf4iYy0uaXdrkoKLlBEjXo1forlr2KAYq48PsTovyQxrDqG25UcRhjmoq0Ag7ZGquQXB8Ouwe+H/lVWQFJU+Vy4nqqvv1Fq/bQHW92dZDnlwrMyY6lVsp6Cgc3jzcB5dTfN9Zt+iaVFSE+Tojl04n1oKU4Z5kMbTPRTLLDgjlVRY9JGHOXNO8bqEPG0E7sNXBGSncie9nXnfDoVhXAd8KoVkvXCXYvS+pk82ig0ET+8HC7KRZysB5sqD++GbexbPZFYrOhEZYfvY00sOAVvFCh8h6sC1tXAvXZqUgvTClOINDh42NBs/vTmg6RoG57z1moTa5RsGlVAguKqaiE= Simen Kirkvik (gitlab.com)"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII77Aa2MFZMTha8PdkNg32UR8y6Hwb4R0aR9Ad9qifNq"
];
};
};
services.tailscale = {
enable = true;
useRoutingFeatures = "client";
extraUpFlags = [
"--login-server=https://headscale.svc.oceanbox.io"
"--accept-dns=true"
"--accept-routes"
];
};
services.resolved = {
enable = true;
fallbackDns = [
"1.1.1.1"
];
};
nixpkgs.config.allowUnfreee = true;
nix = {
package = pkgs.nixVersions.stable;
settings = {
# Cleanup
auto-optimise-store = true;
# Keep them for debugging
keep-derivations = true;
keep-outputs = true;
experimental-features = [
"nix-command"
"flakes"
"pipe-operators"
];
};
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 14d";
};
extraOptions = ''
# See https://jackson.dev/post/nix-reasonable-defaults/
connect-timeout = 5
download-attempts = 2
log-lines = 25
warn-dirty = false
fallback = true
# Only brings pain
flake-registry = ""
'';
};
imports = [
./users.nix
./hardware-configuration.nix
];
}

48
tos/hashmap/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,48 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [
"xhci_pci"
"ahci"
"nvme"
"usbhid"
"sd_mod"
];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/954fb6f1-a95d-41ef-bca3-991e2716b415";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/EDC0-FC90";
fsType = "vfat";
};
swapDevices = [
{ device = "/dev/disk/by-uuid/062df612-c520-4067-b300-65908ea882bb"; }
];
fileSystems."/data" = {
device = "/dev/vg1/data";
fsType = "ext4";
};
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
}

154
tos/hashmap/users.nix Normal file
View File

@@ -0,0 +1,154 @@
{ pkgs, config, ... }:
{
users.extraGroups = {
admin = {
gid = 10000;
};
bast = {
gid = 1000;
};
stig = {
gid = 1001;
};
};
users.groups = {
"coffee-kai" = {
gid = 1002;
};
};
users.extraUsers.root.openssh.authorizedKeys.keys = config.features.os.adminAuthorizedKeys;
users.extraUsers.admin = {
description = "Administrator";
home = "/home/admin";
group = "admin";
extraGroups = [
"users"
"wheel"
"root"
"adm"
"cdrom"
"docker"
"fuse"
"wireshark"
"libvirtd"
"networkmanager"
"tty"
"keys"
];
uid = 10000;
isNormalUser = true;
createHome = true;
useDefaultShell = false;
# shell = pkgs.fish;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiAS30ZO+wgfAqDE9Y7VhRunn2QszPHA5voUwo+fGOf jonas-3"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDULdlLC8ZLu9qBZUYsjhpr6kv5RH4yPkekXQdD7prkqapyoptUkO1nOTDwy7ZsKDxmp9Zc6OtdhgoJbowhGW3VIZPmooWO8twcaYDpkxEBLUehY/n8SlAwBtiHJ4mTLLcynJMVrjmTQLF3FeWVof0Aqy6UtZceFpLp1eNkiHTCM3anwtb9+gfr91dX1YsAOqxqv7ooRDu5rCRUvOi4OvRowepyuBcCjeWpTkJHkC9WGxuESvDV3CySWkGC2fF2LHkAu6SFsFE39UA5ZHo0b1TK+AFqRFiBAb7ULmtuno1yxhpBxbozf8+Yyc7yLfMNCyBpL1ci7WnjKkghQv7yM1xN2XMJLpF56v0slSKMoAs7ThoIlmkRm/6o3NCChgu0pkpNg/YP6A3HfYiEDgChvA6rAHX6+to50L9xF3ajqk4BUzWd/sCk7Q5Op2lzj31L53Ryg8vMP8hjDjYcgEcCCsGOcjUVgcsmfC9LupwRIEz3aF14AWg66+3zAxVho8ozjes= jonas.juselius@juselius.io"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFbrEhm1acesXmbgfO5lN1gcTFXqusq61QyCZXunYJpl"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIdcJteh9d/N1o8BbdEMRVxeMjm28saon/Oh2tV0+TYj"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKfgY468dPNpdXZCkD9jw1p2qA0+z56Wi/c1VYE+riki"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII77Aa2MFZMTha8PdkNg32UR8y6Hwb4R0aR9Ad9qifNq"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII77Aa2MFZMTha8PdkNg32UR8y6Hwb4R0aR9Ad9qifNq mrtz@wurst"
];
};
# TODO(simkir): Keeping Stig and Radovan until safe to nuke :^)
users.extraUsers.bast = {
description = "Radovan Bast";
home = "/home/bast";
group = "bast";
extraGroups = [
"users"
"wheel"
"root"
"adm"
"cdrom"
"docker"
"fuse"
"wireshark"
"libvirtd"
"networkmanager"
"video"
"render"
"tty"
];
uid = 1000;
isNormalUser = true;
createHome = true;
useDefaultShell = false;
shell = pkgs.fish;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFbrEhm1acesXmbgfO5lN1gcTFXqusq61QyCZXunYJpl"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIdcJteh9d/N1o8BbdEMRVxeMjm28saon/Oh2tV0+TYj"
];
};
users.extraUsers.stig = {
description = "Stig Rune Jensen";
home = "/home/stig";
group = "stig";
extraGroups = [
"users"
"wheel"
"root"
"adm"
"cdrom"
"docker"
"fuse"
"wireshark"
"libvirtd"
"networkmanager"
"video"
"render"
"tty"
"keys"
];
uid = 1001;
isNormalUser = true;
createHome = true;
useDefaultShell = false;
shell = pkgs.fish;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKfgY468dPNpdXZCkD9jw1p2qA0+z56Wi/c1VYE+riki"
];
};
users.users.coffee-kai = {
createHome = true;
isNormalUser = true;
uid = 1002;
description = "Coffee Kai";
hashedPassword = "$y$j9T$9PDWdg.Hrz8pLABo4DngQ.$DSVTPzzTlU5/fHWsjlwsTJfPRErXXtlNllKij6tUWO8";
group = "coffee-kai";
extraGroups = [
"users"
"wheel"
"root"
"adm"
"cdrom"
"docker"
"fuse"
"wireshark"
"libvirtd"
"networkmanager"
"tty"
"keys"
];
shell = pkgs.fish;
useDefaultShell = false;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiAS30ZO+wgfAqDE9Y7VhRunn2QszPHA5voUwo+fGOf jonas-3"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDULdlLC8ZLu9qBZUYsjhpr6kv5RH4yPkekXQdD7prkqapyoptUkO1nOTDwy7ZsKDxmp9Zc6OtdhgoJbowhGW3VIZPmooWO8twcaYDpkxEBLUehY/n8SlAwBtiHJ4mTLLcynJMVrjmTQLF3FeWVof0Aqy6UtZceFpLp1eNkiHTCM3anwtb9+gfr91dX1YsAOqxqv7ooRDu5rCRUvOi4OvRowepyuBcCjeWpTkJHkC9WGxuESvDV3CySWkGC2fF2LHkAu6SFsFE39UA5ZHo0b1TK+AFqRFiBAb7ULmtuno1yxhpBxbozf8+Yyc7yLfMNCyBpL1ci7WnjKkghQv7yM1xN2XMJLpF56v0slSKMoAs7ThoIlmkRm/6o3NCChgu0pkpNg/YP6A3HfYiEDgChvA6rAHX6+to50L9xF3ajqk4BUzWd/sCk7Q5Op2lzj31L53Ryg8vMP8hjDjYcgEcCCsGOcjUVgcsmfC9LupwRIEz3aF14AWg66+3zAxVho8ozjes= jonas.juselius@juselius.io"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC2tox0uyFGfU1zPNU6yAVSoGOUkeU959aiTMrqu1U9MCCOP2o4IhZIlRpZ08XVnUU/AhycCUF4HgGqdcco8oIVX0P0Cn83KJoD/DOqAiz+1VwIUUV1ylrRdNqCgf4wnmLni3sUPHJdQnuq57+pzDDjHMr9CcBL2KzOHD/QanfR+jZmv9K3OS5oDcWquSCziXkpbkWQURPactmtyzGK2FRRxONZgYrB8gRTDstlWQg/t6GHNVelzuJ7SEf+t8pk/S2e/XAvfZyRJhrVJ35iZKpmxkIn5v0g1Z+z0yX/KRSAPRtNg9uM44cmto77MFx7iFs0CuleL3zHvRvZYW1ZnsKAiP07UkEK87luMpkTzFr9CSHJGpgk1RZYA3qidQti44n6NU9YRNhzO4v+KQE6XDqO80gZCJboSXr3fnYn/QHpPXzK5JcZNWmClyMURYj10qv9So3Fh0o3LV5GThA6JgN874vUywUZanPEdn8ePBcAsjLRzA4YBGEuvJCc6FELSuY2s+/pFba8NXQvrOdJKSRC0g5USQFfaWDln4Q4zZ1G5z76p1u6GtRWxvakkUQ0fze9KAW7msxeKaw+B7uMtyvCL8V2zEE8WKFP1sNyYEe7Sgp3RVfym2VPMNTZVhEImfM/3D+WbzfoJztnJvFKXeeMCcne4G8swyef3o1s3b+CvQ== ski027@uit.no"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII77Aa2MFZMTha8PdkNg32UR8y6Hwb4R0aR9Ad9qifNq"
];
packages = with pkgs; [
ghostty
flatpak
openssl
kdePackages.kconfig
];
};
}

94
tos/hive.nix Normal file
View File

@@ -0,0 +1,94 @@
let
sources = import ../nix;
nixpkgs = sources.nixos-2511;
pkgs = import nixpkgs { };
dashboard = "https://grafana.adm.oceanbox.io/d/ba1383fb-b53d-4a90-bd0c-bc76c75450bc/umami?orgId=1&kiosk&refresh=1m&from=now-7d&to=now&timezone=browser&var-groups=$__all";
krdp = pkgs.callPackage ../packages/krdp.nix { };
in
{
meta = {
nixpkgs = nixpkgs;
};
hashmap =
{ ... }:
{
imports = [
(import ./hashmap)
(import ../modules)
(import ../nixos)
(import "${sources.nixos-hardware}/common/cpu/intel/comet-lake")
];
deployment = {
# NOTE: Build on hashmap
buildOnTarget = true;
targetHost = "hashmap.ts.obx";
tags = [
"tos"
"dashboard"
];
};
# Why would you ever use this :(((((
system = {
copySystemConfiguration = true;
autoUpgrade.enable = pkgs.lib.mkForce false;
};
environment.systemPackages = with pkgs; [
htop
btop
intel-gpu-tools
];
features = {
gitlab-runner.enable = true;
};
services = {
displayManager = {
defaultSession = "plasma";
autoLogin = {
enable = true;
user = "coffee-kai";
};
};
};
systemd.user.services.krdp = {
enable = true;
description = "KDE RDP server";
after = [
"plasma-core.target"
"plasma-xdg-desktop-portal-kde.service"
];
wantedBy = [ "default.target" ];
serviceConfig = {
Type = "exec";
ExecStart = "${krdp}/bin/krdpserver -u admin -p 'en to tre fire'";
# Restart when closed/on-failure
Restart = "on-abnormal";
};
unitConfig.ConditionUser = "coffee-kai";
};
systemd.user.services.dashboard = {
enable = true;
description = "Kiosk Dashboard";
after = [
"plasma-core.target"
"plasma-xdg-desktop-portal-kde.service"
];
wantedBy = [ "plasma-workspace.target" ];
serviceConfig = {
Type = "exec";
ExecStart = "${pkgs.chromium}/bin/chromium-browser --kiosk ${dashboard}";
# Restart when closed/on-failure
Restart = "always";
RestartSec = 3;
};
unitConfig.ConditionUser = "coffee-kai";
};
};
}