fmt + pwnzero config

NixOS/nixpkgs#216886 (comment)
go3ranh · Sep 7, 2023 · 5afb4e0 · 5afb4e0
1 parent 107a391
commit 5afb4e0
Show file tree

Hide file tree

Showing 3 changed files with 282 additions and 35 deletions.
diff --git a/flake.nix b/flake.nix
@@ -40,22 +40,45 @@
           modules = [
             ./host/pitest
             "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
+            #self.nixosModules.goeranh
+            #{
+            #  environment.systemPackages = [
+            #    self.packages.aarch64-linux.proxmark
+            #  ];
+            #  programs.bash.interactiveShellInit = ''
+            #    source ${self.packages.aarch64-linux.settings.bashrc.outPath}
+            #    source ${self.packages.aarch64-linux.settings.goeranh.outPath}
+            #  '';
+            #  programs.neovim.runtime."init.lua".text = lib.readFile "${self.packages.aarch64-linux.settings.nvimconfig.outPath}/nvim-config/init.lua";
+            #    programs.neovim.configure = {
+            #      customRC = ''
+            #        dofile('${self.packages.aarch64-linux.settings.nvimconfig.outPath}/init.lua')
+            #      '';
+            #    };
+            #}
+          ];
+        };
+        pwnzero = lib.nixosSystem {
+          system = "aarch64-linux";
+          modules = [
+            ./host/pwnzero
+            "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
             self.nixosModules.goeranh
             nixos-hardware.nixosModules.raspberry-pi-4
             {
               environment.systemPackages = [
-			    self.packages.aarch64-linux.proxmark
-	          ];
+                self.packages.aarch64-linux.proxmark
+              ];
               programs.bash.interactiveShellInit = ''
                 source ${self.packages.aarch64-linux.settings.bashrc.outPath}
                 source ${self.packages.aarch64-linux.settings.goeranh.outPath}
               '';
               programs.neovim.runtime."init.lua".text = lib.readFile "${self.packages.aarch64-linux.settings.nvimconfig.outPath}/nvim-config/init.lua";
-                programs.neovim.configure = {
-                  customRC = ''
-                    dofile('${self.packages.aarch64-linux.settings.nvimconfig.outPath}/init.lua')
-                  '';
-                };
+              programs.neovim.configure = {
+                customRC = ''
+                  dofile('${self.packages.aarch64-linux.settings.nvimconfig.outPath}/init.lua')
+                '';
+              };
             }
             {
               _module.args.nixinate = {
@@ -173,8 +196,8 @@
             ./host/node5
             {
               environment.systemPackages = [
-			    self.packages.x86_64-linux.proxmark
-	          ];
+                self.packages.x86_64-linux.proxmark
+              ];
               programs = {
                 bash.interactiveShellInit = ''
                   source ${self.packages.x86_64-linux.settings.bashrc.outPath}
@@ -203,8 +226,8 @@
 
       #legacyPackages = nixpkgs.legacyPackages;
       #packages.x86_64-linux = import ./packages.nix { inherit inputs lib self pkgsx86; };
-      packages.x86_64-linux = import ./packages.nix { inputs = inputs; lib = lib; self=self; archpkgs = pkgsx86; };
-      packages.aarch64-linux = import ./packages.nix { inputs = inputs; lib = lib; self=self; archpkgs = pkgsarm64; };
+      packages.x86_64-linux = import ./packages.nix { inputs = inputs; lib = lib; self = self; archpkgs = pkgsx86; };
+      packages.aarch64-linux = import ./packages.nix { inputs = inputs; lib = lib; self = self; archpkgs = pkgsarm64; };
 
       devShells = {
         x86_64-linux = {

diff --git a/host/pwnzero/default.nix b/host/pwnzero/default.nix
@@ -0,0 +1,224 @@
+{ config, pkgs, lib, ... }:
+{
+  hardware.enableRedistributableFirmware = true;
+  powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
+
+  nixpkgs.config.packageOverrides = pkgs: {
+    makeModulesClosure = x:
+      # prevent kernel install fail due to missing modules
+      pkgs.makeModulesClosure (x // { allowMissing = true; });
+  };
+
+  boot = {
+    kernelParams = lib.mkForce [
+      #"snd_bcm2835.enable_headphones=1"
+      # don't let sd-image-aarch64.nix setup serial console as it breaks bluetooth.
+      "console=tty0"
+      # allow GPIO access
+      "iomem=relaxed"
+      "strict-devmem=0"
+      # booting sometimes fails with an oops in the ethernet driver. reboot after 5s
+      "panic=5"
+      "oops=panic"
+      # for the patch below
+      "compat_uts_machine=armv6l"
+    ];
+
+    tmp.useTmpfs = true;
+    tmp.tmpfsSize = "80%";
+  };
+  fileSystems."/" = lib.mkForce {
+    device = "/dev/disk/by-label/NIXOS_SD";
+    fsType = "ext4";
+  };
+
+  goeranh = {
+    server = true;
+  };
+
+  networking = {
+    hostName = "pwnzero"; # Define your hostname.
+    domain = "tailf0ec0.ts.net";
+    nftables.enable = true;
+    useDHCP = false;
+    interfaces.wlan0.useDHCP = true;
+    wireless = {
+      enable = true;
+      interfaces = [ "wlan0" ];
+      networks = {
+        "test" = {
+          psk = "test";
+        };
+      };
+    };
+    defaultGateway = "192.168.178.1";
+    nameservers = [ "1.1.1.1" "8.8.8.8" ];
+
+    firewall.enable = true;
+    firewall.allowedTCPPorts = [ 80 443 2222 ];
+    nat = {
+      enable = true;
+      internalInterfaces = [ "ve-+" ];
+      externalInterface = "eth0";
+    };
+  };
+
+  nix = {
+    daemonCPUSchedPolicy = "idle";
+    daemonIOSchedClass = "idle";
+    settings = {
+      builders-use-substitutes = true;
+      cores = 4;
+      extra-platforms = "armv6l-linux";
+      max-jobs = 1;
+      system-features = [ ];
+      trusted-users = [ "client" ];
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    libraspberrypi
+    raspberrypi-eeprom
+    vim
+    tmux
+    wget
+  ];
+
+  security.sudo = {
+    enable = true;
+    wheelNeedsPassword = false;
+  };
+  sdImage.compressImage = false;
+
+  console.keyMap = "de";
+
+  services = {
+    # Do not log to flash:
+    journald.extraConfig = ''
+      Storage=volatile
+    '';
+    gitea = {
+      enable = true;
+      settings = {
+        service.DISABLE_REGISTRATION = true;
+        server = {
+          ROOT_URL = "https://${config.networking.fqdn}/git/";
+          WORK_PATH = "/var/lib/gitea";
+          DISABLE_SSH = false;
+          DOMAIN = "${config.networking.fqdn}";
+          SSH_DOMAIN = "${config.networking.fqdn}";
+          SSH_PORT = 2222;
+          START_SSH_SERVER = true;
+        };
+        log.LEVEL = "Warn";
+      };
+      package = pkgs.forgejo;
+    };
+    atuin = {
+      enable = true;
+      #openFirewall = true;
+      openRegistration = false;
+      host = "127.0.0.1";
+      maxHistoryLength = 1000000;
+      path = "/atuin/";
+    };
+    nginx = {
+      enable = true;
+      virtualHosts = {
+        "${config.networking.fqdn}" = {
+          sslCertificate = "/var/lib/pitest.tailf0ec0.ts.net.crt";
+          sslCertificateKey = "/var/lib/pitest.tailf0ec0.ts.net.key";
+          forceSSL = true;
+          locations = {
+            "/" = {
+              proxyPass = "http://localhost:8081";
+            };
+            "/git/" = {
+              proxyPass = "http://localhost:3000";
+              extraConfig = ''
+                rewrite ^/git(.*)$ $1 break;
+              '';
+            };
+            "/invoices/" = {
+              proxyPass = "http://10.0.0.2/";
+            };
+            "/atuin/" = {
+              proxyPass = "http://127.0.0.1:8888";
+            };
+          };
+        };
+      };
+    };
+  };
+
+  containers = {
+    invoiceplane = {
+      autoStart = true;
+      privateNetwork = true;
+      hostAddress = "10.0.0.1";
+      localAddress = "10.0.0.2";
+      config = { config, pkgs, ... }: {
+
+        nix.settings.experimental-features = [ "nix-command" "flakes" ];
+        services.invoiceplane = {
+          sites = {
+            "10.0.0.2" = {
+              enable = true;
+              #port = 81;
+              #proxyPathPrefix = "/invoices";
+              database = {
+                createLocally = true;
+              };
+            };
+          };
+        };
+
+        system.stateVersion = "23.05";
+
+        networking.firewall = {
+          enable = true;
+          allowedTCPPorts = [ 80 2222 ];
+        };
+
+        # Manually configure nameserver. Using resolved inside the container seems to fail
+        # currently
+        environment.etc."resolv.conf".text = "nameserver 8.8.8.8";
+
+      };
+    };
+  };
+  virtualisation.libvirtd.enable = true;
+  virtualisation.podman.enable = true;
+
+  systemd = {
+    services.nix-daemon.serviceConfig = {
+      LimitNOFILE = lib.mkForce 8192;
+      CPUWeight = 5;
+      MemoryHigh = "4G";
+      MemoryMax = "6G";
+      MemorySwapMax = "0";
+    };
+    #network = {
+    #  enable = true;
+    #  networks."10-lan" = {
+    #    enable = true;
+    #    matchConfig.Name = "eth0";
+    #    address = [ "192.168.178.2/24" ];
+    #    gateway = [ "192.168.178.1" ];
+    #    dns = [ "1.1.1.1" "9.9.9.9" ];
+    #    routes = [
+    #      { routeConfig.Gateway = "192.168.178.1"; }
+    #      {
+    #        routeConfig = {
+    #          Gateway = "192.168.178.1";
+    #          GatewayOnLink = true;
+    #        };
+    #      }
+    #    ];
+    #  };
+    #};
+  };
+
+  system.stateVersion = "22.11"; # Did you read the comment?
+}
+
diff --git a/packages.nix b/packages.nix
@@ -30,30 +30,30 @@ builtins.foldl'
     name = "settings";
     description = "goeranh settings / dotfiles";
     bashrc = archpkgs.writeText ".bashrc" ''
-      #source "${archpkgs.fzf.outPath}/share/fzf/key-bindings.bash"
-      source "${archpkgs.fzf.outPath}/share/fzf/completion.bash"
-      function pkgsearch (){
-      nix-env -qa | fzf
-      }
-
-      export XDG_CONFIG_HOME="/home/goeranh/.config"
-      export XDG_CONFIG_DIRS="$XDG_CONFIG_DIRS:/home/goeranh/.config"
-      export GOPATH="/home/goeranh/gitprojects"
-
-	  eval "$(atuin init bash)"
-
-	  source ${archpkgs.git.outPath}/share/bash-completion/completions/git
-
-      eval "$(direnv hook bash)"
-	  #bfs 2>/dev/null | fzf +m
-      HISTFILESIZE=100000
-      HISTSIZE=10000
-
-      shopt -s histappend
-      shopt -s checkwinsize
-      shopt -s extglob
-      shopt -s globstar
-      shopt -s checkjobs
+            #source "${archpkgs.fzf.outPath}/share/fzf/key-bindings.bash"
+            source "${archpkgs.fzf.outPath}/share/fzf/completion.bash"
+            function pkgsearch (){
+            nix-env -qa | fzf
+            }
+
+            export XDG_CONFIG_HOME="/home/goeranh/.config"
+            export XDG_CONFIG_DIRS="$XDG_CONFIG_DIRS:/home/goeranh/.config"
+            export GOPATH="/home/goeranh/gitprojects"
+
+      	  eval "$(atuin init bash)"
+
+      	  source ${archpkgs.git.outPath}/share/bash-completion/completions/git
+
+            eval "$(direnv hook bash)"
+      	  #bfs 2>/dev/null | fzf +m
+            HISTFILESIZE=100000
+            HISTSIZE=10000
+
+            shopt -s histappend
+            shopt -s checkwinsize
+            shopt -s extglob
+            shopt -s globstar
+            shopt -s checkjobs
     '';
 
     goeranh = archpkgs.writeText ".goeranh" ''