From 50016144458c406f84e540a2d66f86beb3ebe7e9 Mon Sep 17 00:00:00 2001 From: Sky Hearn Date: Sun, 3 Mar 2024 16:17:28 -0800 Subject: [PATCH] basic users and wireguard setup --- canary.txt | 3 + canary.txt.sig | Bin 0 -> 637 bytes configuration.nix | 360 ++++++++-------------------------------------- users.nix | 50 +++++++ 4 files changed, 116 insertions(+), 297 deletions(-) create mode 100644 canary.txt create mode 100644 canary.txt.sig create mode 100644 users.nix diff --git a/canary.txt b/canary.txt new file mode 100644 index 0000000..c68062a --- /dev/null +++ b/canary.txt @@ -0,0 +1,3 @@ +This document exists to inform users that Sky Hearn has not been served with a secret government subpoena in any of their hardware, their software, or their services. + +2024-03-03 diff --git a/canary.txt.sig b/canary.txt.sig new file mode 100644 index 0000000000000000000000000000000000000000..f1eaff3fd1f73c67987b0b16a930f82cef5d35d8 GIT binary patch literal 637 zcmV-@0)qXc0h_?f%)r5TYfEc~)f2ThjB5@jaV00_B^Ficl~k0ZKKbntl95@gkdmKV znwy$eqL5mVSzJ=AP?E2ZnU|Jdl&er$oLU6rXC#&=1ZP(&c%&v4D3oWGWGEy8dC5hoB?{^JWvNAZU?Yo5lM3=v^Adq3DkSDrD&(gDjZ4ie z0-92kQl40pssrU0=ckoG`1wUJA)wir$*IM9TwF#5Mkcxj#z4f?$+($?fsunjR!otl zzx7J__v?EXDd)yG!+gog1o9XI7pDMBqwum4M$6_tN7oO7?LWw^6y*|+_99+iJs>)NBEre2>hp_g^xg3X4m zmb>Fbo+};uZTMW+Pk!h3!XIz`mS1qPeenCm4&#JB#V<6D|Ku-QAbIezcJH*rZ3!=L z7fwmB_9*!)rJmlj@7zwC+a^yHmWVM&PWU*p(NwAE8tldzO2> zW9GdB{Y>klg3`omt#>G2S@+=g#KKISeCs71j9XVNoz?7>B&wLPx7uz3vr{9#vFYEK zm)x_@oH_r<(C3G8Wx~zpbEHcb7CzKzI`_1S`SKbq(Vu?;B&-jG?s5FF=J@+Pc~|wE z@^57w=I0V@-<^~rYQwMh$1P&Pm09zPJVRWqSUOfcJGX25XM^W94EeTRKeLWVzPtWR XZsFsX!UlKV7zp`tEMWGT{&zJ1MVC>R literal 0 HcmV?d00001 diff --git a/configuration.nix b/configuration.nix index 30ce733..e6a5edf 100644 --- a/configuration.nix +++ b/configuration.nix @@ -8,6 +8,7 @@ imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix + ./users.nix ]; 
@@ -15,318 +16,84 @@ boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; - # amdgpu stuffs - boot.initrd.kernelModules = [ "amdgpu" ]; - services.xserver.videoDrivers = [ "amdgpu" ]; - - # opengl support - hardware.opengl.enable = true; - # opengl packages - hardware.opengl.extraPackages = with pkgs; [ - rocm-opencl-icd - rocm-opencl-runtime - vaapiVdpau - libvdpau-va-gl - ]; - hardware.opengl.driSupport = true; + # use network manager and set hostname + networking.networkmanager.enable = true; + networking.hostName = "rackserver"; - networking.hostName = "sky-laptop"; # Define your hostname. - # Pick only one of the below networking options. - # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. - networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. - # Set your time zone. - time.timeZone = "America/Los_Angeles"; + # wireguard server setup - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # Select internationalisation properties. - i18n.defaultLocale = "en_US.UTF-8"; - console = { - font = "Lat2-Terminus16"; - #keyMap = "us"; - useXkbConfig = true; # use xkb.options in tty. + # enable NAT + networking.nat.enable = true; + networking.nat.externalInterface = "eth0"; + networking.nat.internalInterfaces = [ "wg0" ]; + networking.firewall = { + allowedUDPPorts = [ 51820 ]; }; - # Enable the X11 windowing system - services.xserver.enable = true; - services.xserver.displayManager.sessionCommands = '' -slstatus & -nitrogen --restore & -clipcatd & -''; + networking.wireguard.interfaces = { + # "wg0" is the network interface name. You can name the interface arbitrarily. + wg0 = { + # Determines the IP address and subnet of the server's end of the tunnel interface. 
+ ips = [ "10.100.0.1/24" ]; - # Configure keymap in X11 - services.xserver.xkb.layout = "us"; - # services.xserver.xkb.options = "eurosign:e,caps:escape"; + # The port that WireGuard listens to. Must be accessible by the client. + listenPort = 51820; - # Enable CUPS to print documents. - # services.printing.enable = true; + # This allows the wireguard server to route your traffic to the internet and hence be like a VPN + # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients + postSetup = '' + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE + ''; - # Enable sound. - sound.enable = true; - hardware.pulseaudio.enable = true; + # This undoes the above command + postShutdown = '' + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE + ''; - # Enable touchpad support (enabled default in most desktopManager). - services.xserver.libinput.enable = true; - - # Enable dwm - services.xserver.windowManager.dwm.package = pkgs.dwm.overrideAttrs { - src = ./dwm; - }; - services.xserver.windowManager.dwm.enable = true; + # Path to the private key file. + # + # Note: The private key can also be included inline via the privateKey option, + # but this makes the private key world-readable; thus, using privateKeyFile is + # recommended. + privateKeyFile = "path to private key file"; - # Sky User - users.users.sky.isNormalUser = true; - users.users.sky.extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. 
- nixpkgs.config.allowUnfreePredicate = pkg: - builtins.elem (lib.getName pkg) [ - "obsidian" - ]; - - nixpkgs.config.permittedInsecurePackages = - lib.optional (pkgs.obsidian.version == "1.4.16") "electron-25.9.0"; - - home-manager.useGlobalPkgs = true; - # Home Manager for Sky - home-manager.users.sky = {pkgs, ...}: { - home.packages = with pkgs; [ - obsidian - (callPackage (./rolldice/default.nix) {}) - clang-tools - rclone - trash-cli - mumble - nheko - zim - moonlight-embedded - nitrogen - firefox-bin - neofetch - ncpamixer - tree - xclip - grpc - clipcat - keepassxc - jellyfin-media-player - ]; - - services.picom = { - enable = true; - vSync = true; - backend = "glx"; - inactiveOpacity = 0.9; - settings = { - blur = { - method = "dual-kawase"; - }; - }; + peers = [ + # List of allowed peers. + { # Nub + # Public key of the peer (not a file path). + publicKey = "{}"; + # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing. + allowedIPs = [ "10.100.0.2/32" ]; + } + { # Ku + publicKey = "{}"; + allowedIPs = [ "10.100.0.3/32" ]; + } + { # Sky Laptop + publicKey = "{}"; + allowedIPs = [ "10.100.0.4/32" ]; + } + { # Sky Desktop + publicKey = "{}"; + allowedIPs = [ "10.100.0.5/32" ]; + } + ]; }; - - programs.bash = { - enable = true; - shellAliases = { - nv = "nvim"; - ccm = "clipcat-menu"; - }; - }; - - programs.git = { - enable = true; - userName = "Sky Hearn"; - userEmail = "sky.hearn@pm.me"; - signing = { - key = "DAB485883AE426EC"; - signByDefault = false; - }; - }; - - programs.neovim = { - enable = true; - defaultEditor = true; - extraConfig = '' - set shiftwidth=2 smarttab - set expandtab - set tabstop=8 softtabstop=0 - ''; - extraPackages = with pkgs; [ - # Use the project flake's language server to prevent version mismatches - # clang_12 - # rust-analyzer - ]; - plugins = with pkgs.vimPlugins; [ - { - plugin = gruvbox-nvim; - type = "viml"; - # Better performance is off until I can figure out a way to make the cache 
outside the nix store - config = '' - if has('termguicolors') - set termguicolors - endif - colorscheme gruvbox - ''; - } - { - plugin = lualine-nvim; - type = "lua"; - config = '' - require'lualine'.setup { - options = { - theme = 'gruvbox' - }, - sections = { - lualine_c = {'lsp_progress'} - } - } - ''; - } - { - plugin = lsp-status-nvim; - type = "lua"; - config = '' - require'lsp-status'.register_progress() - ''; - } - { - plugin = nvim-lspconfig; - type = "lua"; - config = '' - -- Mappings. - -- See `:help vim.diagnostic.*` for documentation on any of the below functions - local opts = { noremap=true, silent=true } - vim.keymap.set('n', 'e', vim.diagnostic.open_float, opts) - vim.keymap.set('n', '[d', vim.diagnostic.goto_prev, opts) - vim.keymap.set('n', ']d', vim.diagnostic.goto_next, opts) - vim.keymap.set('n', 'q', vim.diagnostic.setloclist, opts) - - -- Use an on_attach function to only map the following keys - -- after the language server attaches to the current buffer - local on_attach = function(client, bufnr) - -- Set up status tracking - require'lsp-status'.on_attach(client) - -- Enable completion triggered by - vim.api.nvim_buf_set_option(bufnr, 'omnifunc', 'v:lua.vim.lsp.omnifunc') - - -- Mappings. 
- -- See `:help vim.lsp.*` for documentation on any of the below functions - local bufopts = { noremap=true, silent=true, buffer=bufnr } - vim.keymap.set('n', 'gD', vim.lsp.buf.declaration, bufopts) - vim.keymap.set('n', 'gd', vim.lsp.buf.definition, bufopts) - vim.keymap.set('n', 'K', vim.lsp.buf.hover, bufopts) - vim.keymap.set('n', 'gi', vim.lsp.buf.implementation, bufopts) - vim.keymap.set('n', '', vim.lsp.buf.signature_help, bufopts) - vim.keymap.set('n', 'wa', vim.lsp.buf.add_workspace_folder, bufopts) - vim.keymap.set('n', 'wr', vim.lsp.buf.remove_workspace_folder, bufopts) - vim.keymap.set('n', 'wl', function() - print(vim.inspect(vim.lsp.buf.list_workspace_folders())) - end, bufopts) - vim.keymap.set('n', 'D', vim.lsp.buf.type_definition, bufopts) - vim.keymap.set('n', 'rn', vim.lsp.buf.rename, bufopts) - vim.keymap.set('n', 'ca', vim.lsp.buf.code_action, bufopts) - vim.keymap.set('n', 'gr', vim.lsp.buf.references, bufopts) - vim.keymap.set('n', 'f', function() vim.lsp.buf.format { async = true } end, bufopts) - end - - local lsp_flags = { - -- This is the default in Nvim 0.7+ - debounce_text_changes = 150, - } - - local servers = { 'clangd', 'rust_analyzer' } - - for _, lsp in ipairs(servers) do - require'lspconfig'[lsp].setup( - vim.tbl_extend('keep', - require('coq').lsp_ensure_capabilities({ - on_attach = on_attach, - flags = lsp_flags - }) or {}, - require'lsp-status'.capabilities - ) - ) - end - ''; - } - { - plugin = coq_nvim; - type = "lua"; - config = '' - vim.g.coq_settings = { auto_start = 'shut-up', xdg = true } - ''; - } - { - plugin = nvim-treesitter.withAllGrammars; - type = "lua"; - config = '' - require'nvim-treesitter.configs'.setup { - -- TODO: Make this use stdpath("data") - -- parser_install_dir = "~/.local/share/nvim/site", - -- ensure_installed = { "nix", "help", "rust", "c", "lua" }, - -- auto_install = true, - highlight = { - enable = true - }, - incremental_selection = { - enable = true, - keymaps = { - init_selection = "gnn", -- 
set to `false` to disable one of the mappings - node_incremental = "grn", - scope_incremental = "grc", - node_decremental = "grm", - } - }, - indent = { - enable = true - }, - } - vim.cmd([[ - set foldmethod=expr - set foldexpr=nvim_treesitter#foldexpr() - set nofoldenable - ]]) - ''; - } - { - plugin = telescope-nvim; - } - ]; }; - home.stateVersion = "23.11"; - }; - # List packages installed in system profile. To search, run: - # $ nix search wget - environment.systemPackages = with pkgs; [ - pulseaudio - bash - vim - wget - acpi - dmenu - dunst - libnotify - (pkgs.st.overrideAttrs (_: { - src = ./st; - }) - ) - (pkgs.slstatus.overrideAttrs (_: { - src = ./slstatus; - }) - ) - libva-utils - ]; - - # Some programs need SUID wrappers, can be configured further or are - # started in user sessions. - programs.mtr.enable = true; - # List services that you want to enable: # Enable the OpenSSH daemon. - services.openssh.enable = true; + services.openssh = { + enable = true; + settings = { + # Forbid root login through SSH. + PermitRootLogin = "no"; + # key authentication + PasswordAuthentication = false; + }; + }; # Open ports in the firewall. # networking.firewall.allowedTCPPorts = [ ... ]; @@ -356,5 +123,4 @@ clipcatd & # # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . system.stateVersion = "23.11"; # Did you read the comment? - } diff --git a/users.nix b/users.nix new file mode 100644 index 0000000..3e8e52f --- /dev/null +++ b/users.nix 
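Review bot: The WireGuard interface in this hunk cannot come up as committed: `privateKeyFile = "path to private key file";` is a placeholder string and every peer entry has `publicKey = "{}"`, which is not a valid key, so the wg0 setup will fail when the configuration is activated. privateKeyFile should point at a root-owned, mode-0600 file outside the Nix store (for example `privateKeyFile = "<path-to-key-outside-store>";`) — the inline privateKey option would land in the world-readable store, as the existing comment already notes — and each peer needs its real base64 public key. Separately, the new sshd settings set `PasswordAuthentication = false` while users.nix (the only user definitions this patch adds) declares no `openssh.authorizedKeys.keys` for sky, ku or nub, so unless keys are provisioned outside this repo remote login is locked out; adding `users.users.sky.openssh.authorizedKeys.keys = [ "<ssh-public-key>" ];` before switching avoids that. The hard-coded `eth0` in nat.externalInterface and in the two iptables commands may not match the host's actual interface name, and the manual MASQUERADE rule looks redundant with networking.nat already masquerading for wg0. The enclosing attribute set starts before the hunk and continues past it.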
@@ -0,0 +1,50 @@
+{ config, lib, pkgs, ...};
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+
+ ];
+
+ users.users.sky.isNormalUser = true;
+ users.users.ku.isNormalUser = true;
+ users.users.nub.isNormalUser = true;
+
+ users.groups.wheel.members=["sky"];
+
+ home-manager.users.sky = { pkgs, ... }: {
+ home.packages = [ ];
+ programs.bash.enable = true;
+
+ # The state version is required and should stay at the version you
+ # originally installed.
+ home.stateVersion = "23.11";
+ };
+
+ home-manager.users.ku = { pkgs, ... }: {
+ home.packages = [ ];
+ programs.bash.enable = true;
+
+ # The state version is required and should stay at the version you
+ # originally installed.
+ home.stateVersion = "23.11";
+ };
+
+ home-manager.users.nub = { pkgs, ... }: {
+ home.packages = [ ]; # TODO: Copy ku's nvconfig
+ programs.bash.enable = true;
+
+ # The state version is required and should stay at the version you
+ # originally installed.
+ home.stateVersion = "23.11";
+ };
+
+ home-manager.users.wg = { pkgs, ... }: {
+ home.packages = [ ];
+ programs.bash.enable = true;
+
+ # The state version is required and should stay at the version you
+ # originally installed.
+ home.stateVersion = "23.11";
+ };
+}
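Review bot: The first line of users.nix, `{ config, lib, pkgs, ...};`, ends the argument pattern with a semicolon instead of a colon, so the file is not a valid Nix function and the `./users.nix` import added to configuration.nix will fail to evaluate; it should read `{ config, lib, pkgs, ... }:`. The `home-manager.users.wg` block configures a user that is never declared with `users.users.wg`, which home-manager's NixOS module appears to require (it reads the home directory from users.users), so either declare the user or drop the block. The empty `imports = [ # Include the results of the hardware scan. ];` is copied boilerplate that can be removed, and `users.groups.wheel.members=["sky"];` should be spaced like the other assignments, `users.groups.wheel.members = [ "sky" ];`.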