
5 Commits

Author SHA1 Message Date
be0a9620a4 niveum-ssh: install 2025-12-29 13:35:17 +01:00
afb621a98e try-connect: check localhost first 2025-12-29 13:32:13 +01:00
6259075f40 try-connect: use for deploy scripts 2025-12-29 13:17:42 +01:00
f70383c732 tor: enable ssh 2025-12-29 12:27:40 +01:00
c3dc7b9e51 unify profiles 2025-12-29 12:22:30 +01:00
15 changed files with 211 additions and 128 deletions


@@ -193,7 +193,6 @@ in
};
}
./android.nix
./admin-essentials.nix
./stylix.nix
./alacritty.nix
./backup.nix
@@ -216,14 +215,12 @@ in
./i3.nix
./i3status-rust.nix
./keyboard
./mycelium.nix
./kdeconnect.nix
{ services.upower.enable = true; }
./lb.nix
./mpv.nix
./mime.nix
./neovim.nix
./nix.nix
./newsboat.nix
./flameshot.nix
./packages.nix
@@ -232,17 +229,13 @@ in
./polkit.nix
./printing.nix
./redshift.nix
./retiolum.nix
./rofi.nix
./spacetime.nix
./ssh.nix
./sshd.nix
./sound.nix
./sudo.nix
./tmux.nix
./unclutter.nix
./vscode.nix
./watson.nix
./wallpaper.nix
./zsh.nix
{
@@ -250,8 +243,6 @@ in
# nothing to see here
'';
}
./tor.nix
./mastodon-bot.nix
{
home-manager.users.me = {
xdg.userDirs =


@@ -1,20 +0,0 @@
{ pkgs, ... }:
{
systemd.services.imaginary-illuminations = {
enable = false;
wants = [ "network-online.target" ];
serviceConfig = {
User = "kfm";
Group = "users";
WorkingDirectory = "/home/kfm/cloud/Seafile/Documents/Media/imaginary-illuminations";
Restart = "on-failure";
RestartSec = "15s";
};
startAt = "7:00";
script = ''
${pkgs.deno}/bin/deno run -A post.ts
'';
};
systemd.timers.imaginary-illuminations.timerConfig.RandomizedDelaySec = "14h";
}


@@ -199,6 +199,8 @@ in
${pkgs.openssh}/bin/ssh -p ${toString pkgs.lib.niveum.machines.makanek.sshPort} ${pkgs.lib.niveum.machines.makanek.externalIp} "cd /var/lib/weechat/logs && grep --ignore-case --color=always --recursive $@" | ${pkgs.less}/bin/less --raw-control-chars
'')
niveum-ssh
spotify
playerctl


@@ -60,6 +60,7 @@
user = "kfm";
port = pkgs.lib.niveum.sshPort;
};
"*.onion".proxyCommand = "nc -xlocalhost:9050 %h %p";
};
};
}
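Review bot: The new `"*.onion".proxyCommand` invokes a bare `nc`, so it depends on whichever netcat is first in PATH when ssh runs, and `-x` is only understood by the OpenBSD netcat, while the other onion paths in this commit (packages/niveum-ssh.nix and the deploy script in flake.nix) pin the store path. Since `pkgs` is already used two lines above, pin it here as well: `"*.onion".proxyCommand = "${pkgs.netcat}/bin/nc -x localhost:9050 %h %p";`. The enclosing matchBlocks set starts above the hunk.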


@@ -1,4 +1,7 @@
{ pkgs, ... }:
{ config, lib, pkgs, ... }:
let
sshPort = pkgs.lib.niveum.machines.${config.networking.hostName}.sshPort;
in
{
services.tor.enable = true;
services.tor.client.enable = true;
@@ -6,4 +9,15 @@
pkgs.tor
pkgs.torsocks
];
services.tor.relay.onionServices = {
"ssh" = {
version = 3;
map = [{
port = sshPort;
target.port = sshPort;
target.addr = "127.0.0.1";
}];
};
};
}
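Review bot: `sshPort` is read unconditionally from `pkgs.lib.niveum.machines.${config.networking.hostName}`, and flake.nix in this same commit moves configs/tor.nix into `profiles.default` for every host, so evaluation now fails for any host that is missing from `machines` or has no `sshPort`; the new try-connect and niveum-ssh packages filter on `? "sshPort"`, which suggests such entries exist. Make the service conditional: `sshPort = pkgs.lib.niveum.machines.${config.networking.hostName}.sshPort or null;` and `services.tor.relay.onionServices = lib.mkIf (sshPort != null) { … };`. This also publishes an SSH onion service on hosts that may not have run Tor before (tahina and tabula receive only `profiles.default`); sshd's authentication settings live in sshd.nix outside this diff, so it is worth confirming they are key-only before the onion names are committed to lib/machines.nix.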


@@ -1,10 +0,0 @@
{
config,
pkgs,
...
}:
{
environment.systemPackages = [ pkgs.watson ];
environment.variables.WATSON_DIR = "${config.users.users.me.home}/cloud/Seafile/Documents/watson";
}

149
flake.nix

@@ -94,7 +94,10 @@
{
${localSystem} =
let
pkgs = nixpkgs.legacyPackages.${localSystem};
pkgs = import nixpkgs {
system = localSystem;
overlays = [ self.overlays.default ];
};
lib = nixpkgs.lib;
in
lib.mergeAttrsList [
@@ -113,45 +116,31 @@
hostname:
let
machines = import lib/machines.nix;
systemAddresses =
system:
lib.optionals (system ? "internalIp") [ system.internalIp ]
++ lib.optionals (system ? "externalIp") [ system.externalIp ]
++ lib.optionals (system ? "retiolum") [
system.retiolum.ipv6
system.retiolum.ipv4
]
++ lib.optionals (system ? "mycelium") [ system.mycelium.ipv6 ];
addresses = lib.listToAttrs (
map (name: {
inherit name;
value = systemAddresses (machines.${hostname});
}) (builtins.attrNames self.nixosConfigurations)
);
deployScript = pkgs.writers.writeBash "deploy-${hostname}" ''
# try to connect to any of the known addresses
targets=(
${lib.concatStringsSep " " (map (addr: "\"root@${addr}\"") addresses.${hostname})}
)
for target in "''${targets[@]}"; do
nc -z -w 2 "$(echo $target | cut -d'@' -f2)" ${
toString machines.${hostname}.sshPort
} && reachable_target=$target && break
done
if [ -z "$reachable_target" ]; then
echo "No reachable target found for ${hostname}" >&2
reachable=$(${pkgs.try-connect.${hostname}}/bin/try-connect)
if [ -z "$reachable" ]; then
exit 1
fi
echo "Deploying to ${hostname} via $reachable_target"
export NIX_SSHOPTS='-p ${toString machines.${hostname}.sshPort}'
target="root@$reachable"
echo "Deploying to ${hostname} via $target"
# Set SSH options based on address type
if [[ "$reachable" == *.onion ]]; then
export NIX_SSHOPTS="-p ${
toString machines.${hostname}.sshPort
} -o ProxyCommand='${pkgs.netcat}/bin/nc -x localhost:9050 %h %p' -o ControlPath=none"
else
export NIX_SSHOPTS="-p ${toString machines.${hostname}.sshPort}"
fi
${pkgs.nixos-rebuild-ng}/bin/nixos-rebuild-ng switch \
--max-jobs 2 \
--log-format internal-json \
--flake .#${hostname} \
--target-host "$reachable_target" \
${
lib.optionalString (localSystem != machines.${hostname}.system) "--build-host $reachable_target"
} \
--target-host "$target" \
${lib.optionalString (localSystem != machines.${hostname}.system) "--build-host $target"} \
|& ${pkgs.nix-output-monitor}/bin/nom --json
'';
in
@@ -320,6 +309,8 @@
swallow = prev.callPackage packages/swallow.nix { };
tocharian-font = prev.callPackage packages/tocharian-font.nix { };
ttspaste = prev.callPackage packages/ttspaste.nix { };
niveum-ssh = prev.callPackage packages/niveum-ssh.nix { };
try-connect = prev.callPackage packages/try-connect.nix {};
unicodmenu = prev.callPackage packages/unicodmenu.nix { };
vg = prev.callPackage packages/vg.nix { };
vim-kmein = prev.callPackage packages/vim-kmein { };
@@ -340,13 +331,20 @@
nixosConfigurations =
let
defaultModules = [
profiles.default = [
{ nix.nixPath = [ "nixpkgs=${nixpkgs}" ]; }
{ nixpkgs.overlays = [ self.overlays.default ]; }
agenix.nixosModules.default
retiolum.nixosModules.retiolum
configs/mycelium.nix
configs/tor.nix
configs/retiolum.nix
configs/spacetime.nix
configs/nix.nix
configs/sshd.nix
configs/admin-essentials.nix
];
desktopModules = [
profiles.desktop = [
home-manager.nixosModules.home-manager
nix-index-database.nixosModules.default
nur.modules.nixos.default
@@ -354,61 +352,84 @@
self.nixosModules.system-dependent
self.nixosModules.power-action
];
profiles.server = [
configs/save-space.nix
configs/monitoring.nix
self.nixosModules.passport
{
system.autoUpgrade = {
enable = true;
flake = self.outPath;
flags = [
"--print-build-logs"
];
dates = "02:00";
randomizedDelaySec = "45min";
};
}
];
in
{
ful = nixpkgs.lib.nixosSystem {
system = "aarch64-linux";
modules = defaultModules ++ [
systems/ful/configuration.nix
self.nixosModules.passport
self.nixosModules.panoptikon
self.nixosModules.go-webring
stockholm.nixosModules.reaktor2
nur.modules.nixos.default
{ nixpkgs.overlays = [ stockholm.overlays.default ]; }
];
modules =
profiles.default
++ profiles.server
++ [
systems/ful/configuration.nix
self.nixosModules.panoptikon
self.nixosModules.go-webring
stockholm.nixosModules.reaktor2
nur.modules.nixos.default
{ nixpkgs.overlays = [ stockholm.overlays.default ]; }
];
};
zaatar = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = defaultModules ++ [
systems/zaatar/configuration.nix
];
modules =
profiles.default
++ profiles.server
++ [
systems/zaatar/configuration.nix
];
};
kibbeh = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules =
defaultModules
++ desktopModules
profiles.default
++ profiles.desktop
++ [
systems/kibbeh/configuration.nix
];
};
makanek = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = defaultModules ++ [
systems/makanek/configuration.nix
self.nixosModules.telegram-bot
self.nixosModules.passport
nur.modules.nixos.default
];
modules =
profiles.default
++ profiles.server
++ [
systems/makanek/configuration.nix
self.nixosModules.telegram-bot
nur.modules.nixos.default
];
};
tahina = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = defaultModules ++ [
modules = profiles.default ++ [
systems/tahina/configuration.nix
];
};
tabula = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = defaultModules ++ [
modules = profiles.default ++ [
systems/tabula/configuration.nix
];
};
manakish = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules =
defaultModules
++ desktopModules
profiles.default
++ profiles.desktop
++ [
systems/manakish/configuration.nix
];
@@ -416,8 +437,8 @@
kabsa = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules =
defaultModules
++ desktopModules
profiles.default
++ profiles.desktop
++ [
systems/kabsa/configuration.nix
];
@@ -425,8 +446,8 @@
fatteh = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules =
defaultModules
++ desktopModules
profiles.default
++ profiles.desktop
++ [
systems/fatteh/configuration.nix
];
@@ -491,6 +512,7 @@
mpv-tuner
mpv-tv
new-mac
niveum-ssh
nix-git
noise-waves
notemenu
@@ -511,6 +533,7 @@
timer
tocharian-font
trans
try-connect
ttspaste
unicodmenu
untilport
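Review bot: The onion branch of the deploy script (the first `export NIX_SSHOPTS=` in the second hunk) embeds a ProxyCommand containing spaces inside single quotes, but as far as I know nix's remote-store code splits NIX_SSHOPTS on whitespace without shell parsing, so the quotes most likely arrive literally and the command is broken into several tokens when closures are copied — verify against a `.onion` target. Since this commit also adds a `*.onion` proxyCommand to the ssh client config, the script could leave proxying to ssh (assuming the deploy runs as the user that config belongs to) and set only `export NIX_SSHOPTS="-p ${toString machines.${hostname}.sshPort} -o HostKeyAlias=${hostname} -o ControlPath=none"` in that branch. `-o HostKeyAlias=${hostname}` is worth adding in both branches, and likewise in packages/niveum-ssh.nix, so the onion name and the IP addresses verify against one known_hosts entry instead of a separate trust-on-first-use per address over Tor. The `let` enclosing deployScript starts before the hunk.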


@@ -81,6 +81,9 @@ in
myceliumAddresses = lib.mapAttrs (_: v: v.mycelium.ipv6) (
lib.filterAttrs (_: v: v ? "mycelium") machines
);
torAddresses = lib.mapAttrs (_: v: v.torAddress) (
lib.filterAttrs (_: v: v ? "torAddress") machines
);
syncthingIds = lib.mapAttrs (_: v: { id = v.syncthingId; }) (
lib.filterAttrs (_: v: v ? "syncthingId") machines
);


@@ -31,6 +31,7 @@ in
ipv6 = "42:0:3c46:aa73:82b0:14d7:7bf8:bf2";
ipv4 = "10.243.2.77";
};
torAddress = "uoe7poyeliuaudf4x5nrwvs3t55ldcdpfqfyeqsadbs77ttjx7upquyd.onion";
mycelium.ipv6 = "463:a0d4:daa3:aa8d:a9b1:744a:46a5:7a80";
inherit sshPort;
system = "x86_64-linux";
@@ -45,6 +46,7 @@ in
ipv6 = "42:0:3c46:2c8b:a564:1213:9fb4:1bc4";
};
mycelium.ipv6 = "5bf:d60e:bebf:5163:f495:8787:880c:6d41";
torAddress = "ll3k2akcpwuo562hlbr452yvzhi6kmpjzcnjgw6z4nege2yftspgjjad.onion";
inherit sshPort;
system = "aarch64-linux";
};
@@ -54,6 +56,7 @@ in
ipv6 = "42:0:3c46:156e:10b6:3bd6:6e82:b2cd";
};
mycelium.ipv6 = "5c5:49e0:7793:f017:59e1:1715:9e0e:3fc8";
torAddress = "hurgxlejplh7lj2hyaj4gk2fuearibst6axdxl2ekfohiivyiab3gkad.onion";
inherit sshPort;
system = "x86_64-linux";
};
@@ -64,6 +67,7 @@ in
ipv6 = "42:0:3c46:f7a9:1f0a:1b2b:822a:6050";
};
mycelium.ipv6 = "43f:ad4f:fa67:d9f7:8a56:713c:7418:164b";
torAddress = "gnaoacvkhovpllpiwi4a4mbnx4awpdcufwtsj365tiweybdeec7thuyd.onion";
inherit sshPort;
system = "x86_64-linux";
};

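--- /dev/null
+++ b/packages/niveum-ssh.nix
+{
+symlinkJoin,
+writers,
+lib,
+netcat,
+openssh,
+try-connect,
+}:
+let
+inherit (lib.niveum) machines;
+sshableMachines = lib.filterAttrs (name: value: value ? "sshPort") machines;
+in
+symlinkJoin {
+name = "niveum-ssh";
+paths = lib.mapAttrsToList (
+hostname: _:
+writers.writeBashBin "niveum-ssh-${hostname}" ''
+reachable=$(${try-connect.${hostname}}/bin/try-connect)
+if [ -z "$reachable" ]; then
+exit 1
+fi
+if [[ "$reachable" == *.onion ]]; then
+exec ${openssh}/bin/ssh -p ${toString machines.${hostname}.sshPort} \
+-o ProxyCommand="${netcat}/bin/nc -x localhost:9050 %h %p" \
+"root@$reachable" "$@"
+else
+exec ${openssh}/bin/ssh -p ${toString machines.${hostname}.sshPort} \
+"root@$reachable" "$@"
+fi
+''
+) sshableMachines;
+}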
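Review bot: Both branches of the final `if` in the generated script run the same `exec ssh` and differ only in whether a ProxyCommand is passed, so the choice can be folded into an options array and the `exec` line written once; that also leaves a single place to add further options later. The `''${opts[@]}` form is Nix's escape for a literal `${` inside an indented string. The try-connect call and the `exit 1` stay as they are.
```nix
writers.writeBashBin "niveum-ssh-${hostname}" ''
  reachable=$(${try-connect.${hostname}}/bin/try-connect)
  # … unchanged: exit 1 when try-connect printed nothing …
  opts=(-p ${toString machines.${hostname}.sshPort})
  if [[ "$reachable" == *.onion ]]; then
    opts+=(-o ProxyCommand="${netcat}/bin/nc -x localhost:9050 %h %p")
  fi
  exec ${openssh}/bin/ssh "''${opts[@]}" "root@$reachable" "$@"
''
```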

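--- /dev/null
+++ b/packages/try-connect.nix
+{
+lib,
+writers,
+netcat,
+}:
+let
+inherit (lib.niveum) machines;
+sshableMachines = lib.filterAttrs (name: value: value ? "sshPort") machines;
+systemAddresses =
+system:
+lib.optionals (system ? "internalIp") [ system.internalIp ]
+++ lib.optionals (system ? "externalIp") [ system.externalIp ]
+++ lib.optionals (system ? "retiolum") [
+system.retiolum.ipv6
+system.retiolum.ipv4
+]
+++ lib.optionals (system ? "mycelium") [ system.mycelium.ipv6 ]
+++ lib.optionals (system ? "torAddress") [ system.torAddress ];
+addresses = lib.listToAttrs (
+map (name: {
+inherit name;
+value = systemAddresses (machines.${name});
+}) (builtins.attrNames sshableMachines)
+);
+in
+lib.mapAttrs (
+name: _:
+writers.writeBashBin "try-connect" ''
+port=${toString machines.${name}.sshPort}
+hostname=$(hostname)
+if [[ "$hostname" == "${name}" ]]; then
+echo "Target is localhost, using ::1 or 127.0.0.1" >&2
+if ${netcat}/bin/nc -z -w 2 ::1 "$port" 2>/dev/null; then
+echo "::1"
+exit 0
+fi
+if ${netcat}/bin/nc -z -w 2 127.0.0.1 "$port" 2>/dev/null; then
+echo "127.0.0.1"
+exit 0
+fi
+fi
+for addr in ${lib.concatStringsSep " " addresses.${name}}; do
+# Check if it's an onion address
+if [[ "$addr" == *.onion ]]; then
+if ${netcat}/bin/nc -z localhost 9050 2>/dev/null; then
+echo "Trying $addr via Tor..." >&2
+if echo | ${netcat}/bin/nc -z -x localhost:9050 -w 5 "$addr" "$port" 2>/dev/null; then
+echo "$addr"
+exit 0
+fi
+fi
+else
+echo "Trying $addr..." >&2
+if ${netcat}/bin/nc -z -w 2 "$addr" "$port" 2>/dev/null; then
+echo "$addr"
+exit 0
+fi
+fi
+done
+echo "No reachable address found for ${name}" >&2
+exit 1
+''
+) sshableMachines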
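Review bot: `hostname=$(hostname)` resolves `hostname` through PATH at run time, which a writeBashBin script does not control, while the netcat calls next to it are pinned; bash already exports the machine name, so `hostname=$HOSTNAME` removes the dependency. The Tor liveness check `nc -z localhost 9050` is also the only probe without a `-w` timeout, so a wedged SOCKS port can stall the whole scan. The four probe sites repeat the same check-print-exit pattern; a small `probe` helper leaves only the address order and per-address timeouts, which is what a reader actually needs to see.
```nix
writers.writeBashBin "try-connect" ''
  port=${toString machines.${name}.sshPort}
  hostname=$HOSTNAME
  # probe ADDR [NC-OPTS…]: print ADDR and exit 0 if the ssh port answers there
  probe() {
    local addr=$1; shift
    if ${netcat}/bin/nc -z "$@" "$addr" "$port" </dev/null 2>/dev/null; then
      echo "$addr"
      exit 0
    fi
  }
  if [[ "$hostname" == "${name}" ]]; then
    echo "Target is localhost, using ::1 or 127.0.0.1" >&2
    probe ::1 -w 2
    probe 127.0.0.1 -w 2
  fi
  for addr in ${lib.concatStringsSep " " addresses.${name}}; do
    if [[ "$addr" == *.onion ]]; then
      if ${netcat}/bin/nc -z -w 2 localhost 9050 2>/dev/null; then
        echo "Trying $addr via Tor..." >&2
        probe "$addr" -x localhost:9050 -w 5
      fi
    else
      echo "Trying $addr..." >&2
      probe "$addr" -w 2
    fi
  done
  # … unchanged: "No reachable address found" message and exit 1 …
''
```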


@@ -16,15 +16,6 @@
./gemini.nix
./wallabag.nix
./nethack.nix
../../configs/monitoring.nix
../../configs/mycelium.nix
../../configs/tor.nix
../../configs/save-space.nix
../../configs/spacetime.nix
../../configs/retiolum.nix
../../configs/sshd.nix
../../configs/nix.nix
../../configs/admin-essentials.nix
];
niveum.passport = {


@@ -19,7 +19,6 @@
../../configs/sshd.nix
../../configs/sudo.nix
../../configs/zsh.nix
../../configs/tor.nix
];
age.secrets = {


@@ -14,7 +14,6 @@
./monitoring
# ./names.nix
./nextcloud.nix
../../configs/mycelium.nix
./radio-news.nix
./scrabble.nix
# ./onlyoffice.nix
@@ -22,15 +21,8 @@
./oracle
./tt-rss.nix
./weechat.nix
../../configs/monitoring.nix
../../configs/nix.nix
../../configs/tor.nix
../../configs/save-space.nix
../../configs/retiolum.nix
../../configs/spacetime.nix
../../configs/sshd.nix
../../configs/bots
../../configs/admin-essentials.nix
];
services.restic.backups.niveum = {
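Review bot: `../../configs/bots` has no counterpart in either `profiles.default` or `profiles.server` in flake.nix, whereas every other `../../configs/*.nix` entry in the second hunk maps onto one of the two profiles; the rendering does not show which entries are removed and which survive, so confirm that `bots` stays imported here or is re-added elsewhere, otherwise this host silently loses those services. The imports list the hunk belongs to starts above it.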


@@ -9,17 +9,10 @@
./backup.nix
./gaslight.nix
./hardware-configuration.nix
../../configs/mycelium.nix
./home-assistant.nix
../../configs/monitoring.nix
../../configs/retiolum.nix
../../configs/printing.nix
../../configs/spacetime.nix
../../configs/sshd.nix
../../configs/tmux.nix
../../configs/wpa_supplicant.nix
../../configs/nix.nix
../../configs/admin-essentials.nix
];
services.pipewire.systemWide = true;
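Review bot: `../../configs/printing.nix`, `../../configs/tmux.nix` and `../../configs/wpa_supplicant.nix` have no counterpart in `profiles.default` or `profiles.server` in flake.nix, while the other `../../configs/*.nix` entries in this hunk do; the rendering does not show which entries are removed and which survive, so confirm those three remain imported. Dropping wpa_supplicant on a host that is only reached remotely would take it off the network after the next switch, and the onion and try-connect paths added in this commit cannot help once the link is gone. The imports list the hunk belongs to starts above it.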