Compare commits
9 Commits
075e6b35cf
...
51215319d3
| Author | SHA1 | Date |
|---|---|---|
David Crompton
|
51215319d3 | |
|
David Crompton
|
0f1b553c9c | |
|
David Crompton
|
e8f7009c73 | |
|
David Crompton
|
123479797f | |
|
David Crompton
|
85e721a9fd | |
|
David Crompton
|
8f5c8a1a2e | |
|
David Crompton
|
24249296ff | |
|
David Crompton
|
e5a3b79023 | |
|
David Crompton
|
03d7c2d38a |
36
flake.lock
36
flake.lock
|
|
@ -3,11 +3,11 @@
|
|||
"flake-compat": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1673956053,
|
||||
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
|
||||
"lastModified": 1696426674,
|
||||
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
|
||||
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -24,11 +24,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1694098879,
|
||||
"narHash": "sha256-0z/ikbghhbPLU4KcqJBbfNMTCCYnkbZBgKfGCxLJ/Vs=",
|
||||
"lastModified": 1698332476,
|
||||
"narHash": "sha256-hVM6jueBvac6BEkzP2iNH5eweKUDH7fgUV7lluRuSF4=",
|
||||
"owner": "doronbehar",
|
||||
"repo": "nix-matlab",
|
||||
"rev": "edbcbd18f5e27d72bbbc3081171d2c11995a9b77",
|
||||
"rev": "a0d67ef885dc5e8dda36a5ba1f8717711d6221fd",
|
||||
"type": "gitlab"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -39,11 +39,11 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1694048570,
|
||||
"narHash": "sha256-PEQptwFCVaJ+jLFJgrZll2shQ9VI/7xVhrCYkJo8iIw=",
|
||||
"lastModified": 1698288402,
|
||||
"narHash": "sha256-jIIjApPdm+4yt8PglX8pUOexAdEiAax/DXW3S/Mb21E=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "4f77ea639305f1de0a14d9d41eef83313360638c",
|
||||
"rev": "60b9db998f71ea49e1a9c41824d09aa274be1344",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -55,11 +55,11 @@
|
|||
},
|
||||
"nixpkgs-stable": {
|
||||
"locked": {
|
||||
"lastModified": 1693675694,
|
||||
"narHash": "sha256-2pIOyQwGyy2FtFAUIb8YeKVmOCcPOTVphbAvmshudLE=",
|
||||
"lastModified": 1697929210,
|
||||
"narHash": "sha256-RkQZif6QhswEwv7484mrKfIU8XmIWm+ED6llbr4IyxM=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "5601118d39ca9105f8e7b39d4c221d3388c0419d",
|
||||
"rev": "fb000224952bf7749a9e8b3779104ef7ea4465c8",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -71,11 +71,11 @@
|
|||
},
|
||||
"nixpkgs-unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1693985761,
|
||||
"narHash": "sha256-K5b+7j7Tt3+AqbWkcw+wMeqOAWyCD1MH26FPZyWXpdo=",
|
||||
"lastModified": 1698134075,
|
||||
"narHash": "sha256-foCD+nuKzfh49bIoiCBur4+Fx1nozo+4C/6k8BYk4sg=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "0bffda19b8af722f8069d09d8b6a24594c80b352",
|
||||
"rev": "8efd5d1e283604f75a808a20e6cde0ef313d07d4",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -101,11 +101,11 @@
|
|||
"nixpkgs-stable": "nixpkgs-stable"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1693898833,
|
||||
"narHash": "sha256-OIrMAGNYNeLs6IvBynxcXub7aSW3GEUvWNsb7zx6zuU=",
|
||||
"lastModified": 1698273636,
|
||||
"narHash": "sha256-swsqg/ckSVJnravx7ie9NFQSKIH27owtlk0wh4+xStk=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "faf21ac162173c2deb54e5fdeed002a9bd6e8623",
|
||||
"rev": "014e44d334a39481223a5d163530d4c4ca2e75cb",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
|
|||
|
|
@ -20,6 +20,8 @@
|
|||
./nosleep.nix
|
||||
];
|
||||
|
||||
sops.defaultSopsFile = ./secrets/system.yaml;
|
||||
|
||||
# Support NTFS(3g)
|
||||
boot.supportedFilesystems = ["ntfs"];
|
||||
|
||||
|
|
@ -78,12 +80,6 @@
|
|||
|
||||
nix.registry.nixpkgs.flake = nixpkgs;
|
||||
|
||||
# TODO: Make services directory for with a nix for each service that is enabled and what options it has
|
||||
# List services that you want to enable:
|
||||
|
||||
# Enable the OpenSSH daemon.
|
||||
services.openssh.enable = true;
|
||||
|
||||
# Open ports in the firewall.
|
||||
# networking.firewall.allowedTCPPorts = [ ... ];
|
||||
# networking.firewall.allowedUDPPorts = [ ... ];
|
||||
|
|
|
|||
|
|
@ -0,0 +1,22 @@
|
|||
guacamole:
|
||||
properties: ENC[AES256_GCM,data:L+xiZBm1282zV1GUfp9RfV0blpOfotUhIYX4DF48Har3pWur3WcKfWcc67ZzVsfafeQtOLmH1MLq8EL1DX594qnE0mr19/vrdYldeHgK2RgE8DQ9wNOFLZGiK2WjIBcHJdq4mnV+Wb7xNZ8q6XC6sOBcDNqr7ROpGC2E1hBKPlQJn/IlTwf6HNBROoasNFI+2uXdssCbWml3juwSCOSTvXA9m3LZCgUuCKLbuAfTtVh1HQqy,iv:SaY+nIOnw0m6DA2IPJUJKwcVVIn34hmEDIFyNdq/rG4=,tag:T32EiZ5PUZIaI11OJl/wqg==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1cvmffz227lhsvy4ufh0gnkfsvs5f27hv5l90m0lf4558uphteefsj2t74j
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0bTd1bkxQODRaZXZPSDhU
|
||||
N2JhY2JCanR2aXlaaWN1Mi9WT2hjSjVBVnlvCmd5Q0IrZUUraC9ySmZKeDRkcDNq
|
||||
UUlTL3NBQXRlcEx0NnB3WXdHUTRaZmcKLS0tIG9nV0cxeDFBdGU0UGxVb3YyV29Q
|
||||
WlhEWlJXeitFTGRMYlZJV0c1YjFPa28KCvxqVERVc7dAkBZUTq/lN/8KiHT96mXe
|
||||
GB71RxixJyoctcpIuddQX1wBZLtQk4KPxWQYXW7it7YeyfFdGkStpA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-10-31T17:56:39Z"
|
||||
mac: ENC[AES256_GCM,data:aUIudcJ2BgkDIu9XQTIibcr2SghNieR7L445tkTgnf71oecTUp21BuVHzljggllNF9kvucH5jIkjHJmGeF7vP59RT5ERB2ziXZeulB+NBo3Kad8XbeBjdzkQev6rf3XRhlv9XtysAEvrE+KGS0j4e4WFrfqoHZW9BBS/NnTLoJM=,iv:z3A+Ise+POIqaQLU6Q/w1kmjUmaoxjKR+3pDPk+D6u0=,tag:PnjeaDBfq299Jj5F7yxMDQ==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|
||||
|
|
@ -1,7 +1,10 @@
|
|||
{ ... }: {
|
||||
imports = [
|
||||
# Reverse Proxying of Forward Facing Servers
|
||||
./servers/caddy.nix
|
||||
./servers/xpra.nix
|
||||
# Git Instances for WS-KCNHUB Projects
|
||||
./servers/gitea.nix
|
||||
# Online Remote Connectivity
|
||||
./servers/guac.nix
|
||||
];
|
||||
}
|
||||
|
|
|
|||
|
|
@ -49,6 +49,11 @@ in {
|
|||
}];
|
||||
};
|
||||
services.caddy.virtualHosts = {
|
||||
"ws.kcnhub.com" = {
|
||||
extraConfig = ''
|
||||
redir "https://git.ws.kcnhub.com/DavidC/WS-KCNHUB/wiki"
|
||||
'';
|
||||
};
|
||||
"${domain}" = {
|
||||
extraConfig = ''
|
||||
reverse_proxy 127.0.0.1:${toString config.services.gitea.settings.server.HTTP_PORT}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,93 @@
|
|||
{ config, lib, pkgs, nixpkgs-unstable, ... }: {
|
||||
imports = [
|
||||
"${nixpkgs-unstable}/nixos/modules/services/web-apps/guacamole-server.nix"
|
||||
"${nixpkgs-unstable}/nixos/modules/services/web-apps/guacamole-client.nix"
|
||||
];
|
||||
|
||||
services.guacamole-server.enable = true;
|
||||
services.guacamole-server.package = pkgs.unstable.guacamole-server;
|
||||
services.guacamole-server.port = 4822;
|
||||
|
||||
# Configure Database Authentication
|
||||
environment.etc = let
|
||||
dbauth-src = pkgs.fetchurl {
|
||||
url = "https://dlcdn.apache.org/guacamole/1.5.3/binary/guacamole-auth-jdbc-1.5.3.tar.gz";
|
||||
hash = "sha256-7Tuncc5Io4oOVvApkTuAUSSdvr/dMv/tvOLfDbEyJH8=";
|
||||
};
|
||||
dbauth = pkgs.stdenv.mkDerivation {
|
||||
name = "jdbc";
|
||||
version = "1.5.3";
|
||||
src = dbauth-src;
|
||||
installPhase = ''
|
||||
mkdir $out
|
||||
cp -r * $out
|
||||
'';
|
||||
};
|
||||
in {
|
||||
"guacamole/extensions/postgresql.jar" = {
|
||||
source = "${dbauth}/postgresql/guacamole-auth-jdbc-postgresql-1.5.3.jar";
|
||||
};
|
||||
"guacamole/lib/postgresql.jar" = {
|
||||
source = pkgs.fetchurl {
|
||||
url = "https://jdbc.postgresql.org/download/postgresql-42.6.0.jar";
|
||||
hash = "sha256-uBfGekDJQkn9WdTmhuMyftDT0/rkJrINoPHnVlLPxGE=";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# User user perms for psql login
|
||||
users = {
|
||||
users.guacamole = {
|
||||
isSystemUser = true;
|
||||
group = "guacamole";
|
||||
};
|
||||
groups.guacamole = {};
|
||||
};
|
||||
systemd.services.guacamole-server.serviceConfig = {
|
||||
User = "guacamole";
|
||||
Group = "guacamole";
|
||||
DynamicUser = pkgs.lib.mkForce false;
|
||||
};
|
||||
|
||||
# TODO: Write description that autoruns schemas in dbauth/postgresql/schemas
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
port = 5432;
|
||||
ensureDatabases = [
|
||||
"guacamole"
|
||||
];
|
||||
ensureUsers = [{
|
||||
name = "guacamole";
|
||||
ensurePermissions = {
|
||||
"DATABASE \"guacamole\"" = "ALL PRIVILEGES";
|
||||
};
|
||||
ensureClauses = {
|
||||
createdb = true;
|
||||
};
|
||||
}];
|
||||
};
|
||||
|
||||
services.guacamole-client.enable = true;
|
||||
services.guacamole-client.enableWebserver = true;
|
||||
services.guacamole-client.package = pkgs.unstable.guacamole-client;
|
||||
services.guacamole-client.settings = {
|
||||
guacd-hostname = "localhost";
|
||||
guacd-port = 4822;
|
||||
|
||||
# Postgresql Auth Settings:
|
||||
postgresql-hostname = "localhost";
|
||||
postgresql-database = "guacamole";
|
||||
postgresql-username = "guacamole";
|
||||
# Password is superfluous: only can be used through guacamole user.
|
||||
postgresql-password = "";
|
||||
};
|
||||
services.caddy.virtualHosts = {
|
||||
"remote.ws.kcnhub.com" = {
|
||||
# Proxy to default tomcat port ( 8080 )
|
||||
extraConfig = ''
|
||||
rewrite * /guacamole{uri}
|
||||
reverse_proxy 127.0.0.1:8080
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
@ -1,48 +0,0 @@
|
|||
{ config, pkgs, lib, ...}: let
|
||||
xpra-html5 = pkgs.fetchFromGitHub {
|
||||
owner = "Xpra-org";
|
||||
repo = "xpra-html5";
|
||||
rev = "e5fb000a9d4042c54e55c5e30c0936125ec3a045";
|
||||
hash = "sha256-nfPePTvOVBgx/aMx380vu4Kn9sxmo1QNb050N95ENPk=";
|
||||
};
|
||||
xpra-web = pkgs.writeScript "xpra-web" ''
|
||||
#!${pkgs.bash}/bin/bash
|
||||
${pkgs.xpra}/bin/xpra $@ --html=${xpra-html5}/html5
|
||||
'';
|
||||
in {
|
||||
environment.systemPackages = [ pkgs.xpra ];
|
||||
systemd.sockets.xpra-web = {
|
||||
description = "Xpra Web Socket";
|
||||
partOf = [ "xpra-web.service" ];
|
||||
wantedBy = [ "sockets.target" ];
|
||||
socketConfig = {
|
||||
# ListenStream = 14500;
|
||||
ListenStream = "/run/xpra/system";
|
||||
SocketUser = "root";
|
||||
SocketGroup = "users";
|
||||
PassCredentials = "true";
|
||||
};
|
||||
};
|
||||
systemd.services.xpra-web = {
|
||||
description = "xpra-web";
|
||||
after = [ "network.target" "xpra-web.socket" ];
|
||||
requires = [ "xpra-web.socket" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
ExecStart = ''${xpra-web} proxy :14500 --daemon=no \
|
||||
--socket-dirs=/run/xpra --socket-permissions=666 \
|
||||
--log-dir=/var/log --pidfile=/run/xpra/proxy.pid \
|
||||
--auth=pam --bind-tcp=0.0.0.0:10000'';
|
||||
Restart = "always";
|
||||
# Security
|
||||
NoNewPrivileges = true;
|
||||
ReadWritePaths = [ "/run/xpra" "/tmp" ];
|
||||
# Sandboxing
|
||||
ProtectSystem = "strict";
|
||||
ProtectKernelTunables = true;
|
||||
ProtectControlGroups = true;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
@ -1,6 +1,6 @@
|
|||
{ ... }: {
|
||||
imports = [
|
||||
# ./services/remote-desktop-guac.nix
|
||||
./services/rdp.nix
|
||||
./services/ssh.nix
|
||||
./services/xrdp.nix
|
||||
];
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,15 +0,0 @@
|
|||
{ config, lib, pkgs, ... }: {
|
||||
virtualization = {
|
||||
podman = {
|
||||
enable = true;
|
||||
};
|
||||
dockerCompat = true;
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
# Nicely Make and Run Container Sets
|
||||
podman-compose
|
||||
# For Running Simulations Containerized
|
||||
apptainer
|
||||
];
|
||||
}
|
||||
|
|
@ -1,18 +0,0 @@
|
|||
{ config, lib, pkgs, nixpkgs-unstable, ... }: {
|
||||
imports = [
|
||||
"${nixpkgs-unstable}/nixos/modules/services/web-apps/guacamole-server.nix"
|
||||
"${nixpkgs-unstable}/nixos/modules/services/web-apps/guacamole-client.nix"
|
||||
];
|
||||
|
||||
services.guacamole-server.enable = true;
|
||||
services.guacamole-server.package = pkgs.unstable.guacamole-server;
|
||||
services.guacamole-server.port = 4822;
|
||||
|
||||
services.guacamole-client.enable = true;
|
||||
services.guacamole-client.enableWebserver = true;
|
||||
services.guacamole-client.package = pkgs.unstable.guacamole-client;
|
||||
services.guacamole-client.settings = {
|
||||
guacd-hostname = "localhost";
|
||||
guacd-port = 4822;
|
||||
};
|
||||
}
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
{ ... }: {
|
||||
services.openssh.enable = true;
|
||||
}
|
||||
|
|
@ -8,6 +8,8 @@
|
|||
./users/matlab-server.nix
|
||||
./users/frances.nix
|
||||
./users/srikar.nix
|
||||
./users/zhenyangsun.nix
|
||||
./users/ngilab.nix
|
||||
|
||||
# Groups
|
||||
./users/groups/admin.nix
|
||||
|
|
|
|||
|
|
@ -11,6 +11,6 @@
|
|||
};
|
||||
# Github desktop uses this to be deprecated package, do it anyways:
|
||||
nixpkgs.config.permittedInsecurePackages = [
|
||||
"openssl-1.1.1v"
|
||||
"openssl-1.1.1w"
|
||||
];
|
||||
}
|
||||
|
|
|
|||
|
|
@ -11,6 +11,6 @@
|
|||
};
|
||||
# Github desktop uses this to be deprecated package, do it anyways:
|
||||
nixpkgs.config.permittedInsecurePackages = [
|
||||
"openssl-1.1.1v"
|
||||
"openssl-1.1.1w"
|
||||
];
|
||||
}
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@ cat <<EOF > $1.nix
|
|||
{ pkgs, ... }: {
|
||||
users.users.$1 = {
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" ];
|
||||
extraGroups = [ ];
|
||||
homeSize = "50g";
|
||||
homeProjectId = $((projId+1));
|
||||
packages = with pkgs; [
|
||||
|
|
|
|||
|
|
@ -0,0 +1,11 @@
|
|||
{ pkgs, ... }: {
|
||||
users.users.ngilab = {
|
||||
isNormalUser = true;
|
||||
extraGroups = [ ];
|
||||
homeSize = "50g";
|
||||
homeProjectId = 109;
|
||||
packages = with pkgs; [
|
||||
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
@ -1,7 +1,7 @@
|
|||
{ pkgs, ... }: {
|
||||
users.users.srikar = {
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" ];
|
||||
extraGroups = [ ];
|
||||
homeSize = "50g";
|
||||
homeProjectId = 107;
|
||||
packages = with pkgs; [
|
||||
|
|
|
|||
|
|
@ -0,0 +1,11 @@
|
|||
{ pkgs, ... }: {
|
||||
users.users.zhenyangsun = {
|
||||
isNormalUser = true;
|
||||
extraGroups = [ ];
|
||||
homeSize = "50g";
|
||||
homeProjectId = 108;
|
||||
packages = with pkgs; [
|
||||
|
||||
];
|
||||
};
|
||||
}
|
||||
Loading…
Reference in New Issue