diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..c4a847d --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +/result diff --git a/README.md b/README.md index a1ab5da..e69de29 100644 --- a/README.md +++ b/README.md @@ -1 +0,0 @@ -fish `scrap-default-tool-paths` to update paths and completions (persists after a restart) diff --git a/default-configurations/.clang-format b/default-configurations/.clang-format new file mode 100644 index 0000000..31bf1f3 --- /dev/null +++ b/default-configurations/.clang-format @@ -0,0 +1,12 @@ +BasedOnStyle: Mozilla + +IndentWidth: 2 +TabWidth: 2 +UseTab: ForContinuationAndIndentation +AllowShortIfStatementsOnASingleLine: false +IndentCaseLabels: false +AlignAfterOpenBracket: BlockIndent +AlignArrayOfStructures: Right +AlignConsecutiveAssignments: Consecutive +AlignConsecutiveMacros: Consecutive +IndentExternBlock: NoIndent diff --git a/.editorconfig b/default-configurations/.editorconfig similarity index 68% rename from .editorconfig rename to default-configurations/.editorconfig index 69f93c9..65b6a99 100644 --- a/.editorconfig +++ b/default-configurations/.editorconfig @@ -4,13 +4,14 @@ root = true end_of_line = lf insert_final_newline = true charset = utf-8 +trim_trailing_whitespace = true indent_style = tab -indent_size = 2 +tab_width = 2 -[*.yaml] +[*.{json,yml}] indent_style = space indent_size = 2 -[*.zig] +[*.{toml,rs,zig}] indent_style = space indent_size = 4 diff --git a/default-configurations/.pre-commit-config.yaml b/default-configurations/.pre-commit-config.yaml new file mode 100644 index 0000000..addd627 --- /dev/null +++ b/default-configurations/.pre-commit-config.yaml 
@@ -0,0 +1,40 @@ +repos: + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.6.0 + hooks: + - id: trailing-whitespace + - id: end-of-file-fixer + - id: check-added-large-files + - id: check-json + - id: check-yaml + - id: check-toml + - id: check-merge-conflict + + - repo: https://github.com/astral-sh/ruff-pre-commit + rev: v0.6.9 + hooks: + - id: ruff-format + + - repo: https://github.com/pryorda/dockerfilelint-precommit-hooks + rev: v0.1.0 + hooks: + - id: dockerfilelint + + - repo: https://github.com/sirosen/check-jsonschema + rev: 0.28.2 + hooks: + - id: check-github-actions + - id: check-github-workflows + + - repo: https://github.com/pre-commit/mirrors-clang-format + rev: v19.1.0 + hooks: + - id: clang-format + types_or: [c++, c] + exclude: ^runners/py-libs + + - repo: https://github.com/editorconfig-checker/editorconfig-checker.python + rev: 3.0.3 + hooks: + - id: editorconfig-checker + # exclude: diff --git a/default-configurations/gitignore b/default-configurations/gitignore new file mode 100644 index 0000000..5afd477 --- /dev/null +++ b/default-configurations/gitignore @@ -0,0 +1,25 @@ +# editors +.vscode/ +.idea/ +.godot/ + +# apple +.DS_Store +.AppleDouble +.LSOverride + +# build related directories +/build +target +zig-out +zig-build + +# secrets +.env + +# py +__pycache__/ +.pytest_cache +.mypy_cache +.ruff_cache +.coverage* diff --git a/default-configurations/ruff.toml b/default-configurations/ruff.toml new file mode 100644 index 0000000..9a6994e --- /dev/null +++ b/default-configurations/ruff.toml @@ -0,0 +1,11 @@ +exclude = [ +] +indent-width = 2 + +[format] +indent-style = "tab" +quote-style = "single" +line-ending = "lf" + +skip-magic-trailing-comma = false +docstring-code-format = true diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..b901269 --- /dev/null +++ b/flake.lock 
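Review bot: No secret-detection hook is configured, although this same repository goes on to generate WireGuard keys (`vps/vpn/make-server.sh`) and to commit a password hash (`nix/personal/user.nix`); the `pre-commit/pre-commit-hooks` repo already pinned here ships one, so adding `- id: detect-private-key` to its `hooks:` list is a one-line safety net. The `rev:` values are git tags, which can be moved after the fact; for a stronger supply-chain pin replace each tag with the commit SHA it currently resolves to (pre-commit accepts either form). The commented-out `# exclude:` under `editorconfig-checker` should either get a pattern or be removed.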
@@ -0,0 +1,88 @@ +{ + "nodes": { + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1733328505, + "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1736373539, + "narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "bd65bc3cde04c16755955630b344bc9e35272c56", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-24.11", + "repo": "home-manager", + "type": "github" + } + }, + "nixos-wsl": { + "inputs": { + "flake-compat": "flake-compat", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1736095716, + "narHash": "sha256-csysw/Szu98QDiA2lhWk9seYOyCebeVEWL89zh1cduM=", + "owner": "nix-community", + "repo": "NixOS-WSL", + "rev": "63c3b4ed1712a3a0621002cd59bfdc80875ecbb0", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "main", + "repo": "NixOS-WSL", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1736344531, + "narHash": "sha256-8YVQ9ZbSfuUk2bUf2KRj60NRraLPKPS0Q4QFTbc+c2c=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "bffc22eb12172e6db3c5dde9e3e5628f8e3e7912", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "home-manager": "home-manager", + "nixos-wsl": "nixos-wsl", + "nixpkgs": "nixpkgs" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..8622bca --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,66 @@ +{ + inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; + nixos-wsl = { + url = "github:nix-community/NixOS-WSL/main"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + home-manager = { + url = "github:nix-community/home-manager/release-24.11"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + }; + + outputs = inputs@{ self, nixpkgs, nixos-wsl, home-manager, ... }: + let + rootPath = self; + additionalArgs = { inherit inputs rootPath; }; + importArg = inputs // { pkgs = nixpkgs; lib = nixpkgs.lib; } // additionalArgs; + hostNameMod = name: { networking.hostName = "kp2pml30-${name}"; }; + makeNamedSys = nameArg: arg: { + "${nameArg}" = + nixpkgs.lib.nixosSystem + ((builtins.removeAttrs arg ["modules"]) // { specialArgs = additionalArgs; modules = arg.modules ++ [(hostNameMod nameArg)]; }); + }; + makeSys = { sys }: [ + (makeNamedSys "server-${sys}" { + system = sys; + modules = [ + ./nix/common.nix + ./nix/server.nix + ]; + }) + + (makeNamedSys "personal-${sys}" { + system = sys; + modules = [ + ./nix/common.nix + ./nix/personal.nix + ]; + }) + + (makeNamedSys "personal-${sys}-wsl" { + system = sys; + modules = [ + ./nix/wsl.nix + ./nix/common.nix + ./nix/personal.nix + ]; + }) + ] ; + in + { + nixosConfigurations = + builtins.foldl' + (x: y: x // y) + {} + (builtins.concatMap makeSys [ { sys = "x86_64-linux"; } ]) + ; + }; +} + +# example +# + nix --extra-experimental-features 'nix-command flakes' build --out-link /tmp/nixos-rebuild.ydOEVb/nixos-rebuild '.#nixosConfigurations."wsl-amd64".config.system.build.nixos-rebuild' --show-trace +# ++ readlink -e /tmp/nixos-rebuild.ydOEVb/nixos-rebuild +# + p=/nix/store/rd18dwsifrcyghim695q18nhvyfykxxg-nixos-rebuild +# exec /nix/store/rd18dwsifrcyghim695q18nhvyfykxxg-nixos-rebuild/bin/nixos-rebuild switch --flake .#wsl-amd64 diff --git a/home-test/.config/fish/functions/fish_prompt.fish b/home-test/.config/fish/functions/fish_prompt.fish deleted file mode 100644 index b4b4cf8..0000000 
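Review bot: The usage example in the trailing comment refers to `.#wsl-amd64`, but `makeSys` only produces `server-x86_64-linux`, `personal-x86_64-linux` and `personal-x86_64-linux-wsl`, so the example cannot work as written; change it to `nixos-rebuild switch --flake .#personal-x86_64-linux-wsl` or drop it. Separately, `nixos-wsl` follows the `main` branch and `nixpkgs` follows `nixos-unstable`; `flake.lock` pins both to a commit and narHash, so builds stay reproducible, but every `nix flake update` pulls whatever is at branch head, and pinning `nixos-wsl` to a release tag would keep those updates reviewable.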
--- a/home-test/.config/fish/functions/fish_prompt.fish +++ /dev/null 
@@ -1,139 +0,0 @@ -# based on https://github.com/oh-my-fish/theme-eden/blob/master/LICENSE - -function _git_branch_name - echo (command git symbolic-ref HEAD 2> /dev/null | sed -e 's|^refs/heads/||') -end - -function _is_git_dirty - set resStr (timeout 0.2s git status -s --ignore-submodules=dirty 2> /dev/null) - set res $status - if [ $res = 0 ] - if [ "$resStr" = "" ] - echo "clean" - else - echo "dirty" - end - else if [ $res = 124 ] - echo "?" - else - echo "dirty" - end -end - -## Function to show a segment -function _prompt_segment -d "Function to show a segment" - # Get colors - set -l bg $argv[1] - set -l fg $argv[2] - - # Set 'em - set_color -b $bg - set_color $fg - - # Print text - if [ -n "$argv[3]" ] - echo -n -s $argv[3] - end - -# Reset - set_color -b normal - set_color normal - - # Print padding - if [ (count $argv) = 4 ] - echo -n -s $argv[4] - end -end - -function show_ssh_status -d "Function to show the ssh tag" - if test "$THEME_EDEN_HIDE_SSH_TAG" != 'yes' - if [ -n "$SSH_CLIENT" ] - if [ (id -u) = "0" ] - _prompt_segment red white "-SSH-" ' ' - else - _prompt_segment blue white "-SSH-" ' ' - end - end - end -end - -function show_host -d "Show host & user name" - if [ (id -u) = "0" ] - echo -n (set_color red) - else - echo -n (set_color blue) - end - echo -n "$USER@"(hostname|cut -d . 
-f 1)' ' (set color normal) -end - -function show_cwd -d "Function to show the current working directory" - if test "$theme_short_path" != 'yes' -a (prompt_pwd) != '~' -a (prompt_pwd) != '/' - set -l cwd (dirname (prompt_pwd)) - test $cwd != '/'; and set cwd $cwd'/' - _prompt_segment normal cyan $cwd - end - set_color -o cyan - echo -n (basename (prompt_pwd))' ' - set_color normal -end - -function show_git_info -d "Show git branch and dirty state" - if [ (_git_branch_name) ] - set -l git_branch '['(_git_branch_name)']' - - set_color -o - echo -ne " " - set dirty (_is_git_dirty) - switch "$dirty" - case "clean" - set_color -o green - echo -ne "$git_branch " - case "dirty" - set_color -o red - echo -ne "$git_branch× " - case '*' - set_color -o yellow - echo -ne "$git_branch? " - end - set_color normal - end -end - -function show_times - if test $CMD_DURATION -ge 500 - if test $CMD_DURATION -ge 60000 - set -l duration_minutes (math "floor($CMD_DURATION / 60000)") - set -l duration_seconds (math "round(($CMD_DURATION % 60000) / 1000)") - printf "%02d:%02d " $duration_minutes $duration_seconds - else if test $CMD_DURATION -ge 1000 - set -l duration_seconds (math "round($CMD_DURATION / 1000)") - echo -ns "$duration_seconds""s " - else - echo -ns "$CMD_DURATION""ms " - end - end - # Output the current time - echo -ne (date "+%H:%M:%S") -end - -function show_prompt_char -d "Terminate with a nice prompt char" - echo "" - echo -n -s $normal '» ' -end - -function fish_prompt - set -l code $status - # use tput to move cursor to line start - echo -ne (tput cr) - - show_ssh_status - show_host - show_cwd - show_git_info - show_times - - if test $code != 0 - echo -ns (set_color red) '[' $code ']' - end - show_prompt_char -end diff --git a/home-test/.config/fish/functions/fish_right_prompt.fish b/home-test/.config/fish/functions/fish_right_prompt.fish deleted file mode 100644 index b9473a4..0000000 --- a/home-test/.config/fish/functions/fish_right_prompt.fish +++ /dev/null 
@@ -1,37 +0,0 @@ -function fish_right_prompt - return - - # Last command status - set -l code $status - - # https://github.com/fish-shell/fish-shell/issues/3476#issuecomment-256058730 - # Save the cursor position, move it up one line, and move it to the right two spaces - tput sc; tput cuf 2 - - #if test $code != 0 - # echo -ns (set_color red) '-' $code '- ' - #end - - set_color $fish_color_autosuggestion 2> /dev/null; or set_color 555 - - # Output the duration of the last command - if test $CMD_DURATION -ge 500 - if test $CMD_DURATION -ge 60000 - set -l duration_minutes (math "floor($CMD_DURATION / 60000)") - set -l duration_seconds (math "round(($CMD_DURATION % 60000) / 1000)") - printf "%02d:%02d " $duration_minutes $duration_seconds - else if test $CMD_DURATION -ge 1000 - set -l duration_seconds (math "round($CMD_DURATION / 1000)") - echo "$duration_seconds""s " - else - echo "$CMD_DURATION""ms " - end - end - - # Output the current time - echo (date "+%H:%M:%S") - - # Restores the cursor position - tput rc - -end diff --git a/home/.config/nvim/base.vim b/home/.config/nvim/base.vim new file mode 100644 index 0000000..9e82f3a --- /dev/null +++ b/home/.config/nvim/base.vim 
@@ -0,0 +1,75 @@ +set termguicolors +set nowrap +set nu rnu +set list +set listchars=tab:┆\ ,space:·,nbsp:␣ +set tabstop=2 +set shiftwidth=2 +set noexpandtab + +nmap :w +imap :w + +noremap (col('.') == matchend(getline('.'), '^\s*')+1 ? '0' : '^') +imap + +vnoremap > >gv +vnoremap < %i %i', s:i, s:i) + let s:i += 1 +endwhile + +set clipboard=unnamedplus + +colorscheme tokyonight-night +if exists(':GuiRenderLigatures') + GuiRenderLigatures 1 +endif + +if exists(':GuiFont') + GuiFont FiraCode\ Nerd\ Font +endif + +if exists(':NERDTreeToggle') + map :NERDTreeToggle + autocmd bufenter * if (winnr("$") == 1 && exists("b:NERDTree") && b:NERDTree.isTabTree()) | q | endif +endif + +if exists(':BufferGoto') + let s:i = 1 + while s:i < 10 + execute printf('nmap %i :BufferGoto %i', s:i, s:i) + let s:i += 1 + endwhile + + nmap :BufferNext + nmap :BufferPrevious + nmap :BufferClose +endif + +if exists(':DetectIndent') + autocmd BufRead * DetectIndent +endif + +if exists(':CocInfo') + inoremap coc#refresh() + inoremap + \ coc#pum#visible() ? coc#pum#confirm() : "\" + nmap ld (coc-definition) + nmap lt (coc-type-definition) + nmap li (coc-implementation) + nmap lr (coc-references) +endif + +if exists(':LeaderGuide') + nnoremap :LeaderGuide '\' + nnoremap :LeaderGuide '' + let g:smap = get(g:, 'smap', {}) + " let g:smap[''] = get(g:smap, '', {}) + " let g:smap[''].l = 'language' + let g:smap.l = {'name' : 'language'} + call leaderGuide#register_prefix_descriptions("", "g:smap") +endif diff --git a/home/.config/nvim/init.vim b/home/.config/nvim/init.vim index 93a1d96..01099b1 100644 --- a/home/.config/nvim/init.vim +++ b/home/.config/nvim/init.vim @@ -3,6 +3,7 @@ call plug#begin() Plug 'kyazdani42/nvim-web-devicons' Plug 'romgrk/barbar.nvim' Plug 'jiangmiao/auto-pairs' + Plug 'RaafatTurki/hex.nvim' if executable('node') Plug 'neoclide/coc.nvim', {'branch': 'release'} endif 
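Review bot: `Plug 'RaafatTurki/hex.nvim'` is added without a `commit` or `tag` pin, so `:PlugInstall`/`:PlugUpdate` fetch whatever the plugin's default branch points at that day, whereas the Nix side (`nix/personal/neovim.nix`) pins its GitHub plugins to a commit. vim-plug accepts `Plug 'RaafatTurki/hex.nvim', { 'commit': '<sha>' }`; pinning keeps the two configurations consistent and turns a plugin update into a deliberate change. The `plug#begin()`/`plug#end()` block this hunk edits continues outside the hunk.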
@@ -73,3 +74,4 @@ let g:smap.l = {'name' : 'language'} call leaderGuide#register_prefix_descriptions("", "g:smap") lua require('feline').setup() +lua require('hex').setup() diff --git a/nix/common.nix b/nix/common.nix new file mode 100644 index 0000000..43b0131 --- /dev/null +++ b/nix/common.nix @@ -0,0 +1,56 @@ +{ pkgs +, ... +}: +{ + system.stateVersion = "24.05"; + + users.mutableUsers = false; + + nix.gc = { + automatic = true; + dates = "weekly"; + }; + + networking = { + firewall = { + enable = true; + allowedTCPPorts = [ 80 443 ]; + }; + }; + + nix.settings.experimental-features = [ "nix-command" "flakes" ]; + environment.systemPackages = with pkgs; [ + curl + neovim + bash + git + + zip unzip + xz + zstd + gnutar + + diffutils + file + tree + gnused + gnugrep + stow + + killall + gnupg + ]; + + programs = { + neovim.enable = true; + neovim.defaultEditor = true; + + git = { + enable = true; + lfs.enable = true; + config = { + init.defaultBranch = "main"; + }; + }; + }; +} diff --git a/nix/personal.nix b/nix/personal.nix new file mode 100644 index 0000000..cf4c048 --- /dev/null +++ b/nix/personal.nix @@ -0,0 +1,29 @@ +{ pkgs +, inputs +, ... +}@args: +{ + imports = [ + inputs.home-manager.nixosModules.home-manager + ]; + + home-manager.useGlobalPkgs = true; + home-manager.useUserPackages = true; + home-manager.users.kp2pml30 = import ./personal/home.nix args; + + users.users.kp2pml30 = import ./personal/user.nix args; + + programs = { + fish.enable = true; + tmux.enable = true; + }; + + environment.systemPackages = with pkgs; [ + fish + fishPlugins.grc + grc + + fira-code + nerd-fonts.fira-code + ]; +} diff --git a/nix/personal/home.nix b/nix/personal/home.nix new file mode 100644 index 0000000..6a932a5 --- /dev/null +++ b/nix/personal/home.nix 
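Review bot: `networking.firewall.allowedTCPPorts = [ 80 443 ]` lives in `common.nix`, which every configuration built in `flake.nix` imports, so the personal and WSL hosts also expose 80/443 although only `server.nix` configures nginx. Move the two ports next to the nginx/ACME config in `server.nix` (`networking.firewall.allowedTCPPorts = [ 80 443 ];`) and leave `common.nix` at `firewall.enable = true` with nothing opened. Port 22 on the server is already handled by `services.openssh.openFirewall = true` there.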
@@ -0,0 +1,50 @@ +{ pkgs +, ... +}@args: +{ + home.stateVersion = "24.05"; + + home = { + username = "kp2pml30"; + homeDirectory = "/home/kp2pml30"; + packages = with pkgs; [ + starship + jq + ]; + }; + + nix.gc = { + automatic = true; + frequency = "weekly"; + }; + + programs = { + git = { + enable = true; + userName = "kp2pml30"; + userEmail = "kp2pml30@gmail.com"; + lfs.enable = true; + extraConfig = { + init.defaultBranch = "main"; + }; + }; + + fish = { + enable = true; + }; + + starship = { + enable = true; + settings = { + add_newline = false; + format = "$cmd_duration$username$hostname$git_branch$git_commit$git_state$git_status$directory$status\n$character"; + hostname.ssh_only = true; + cmd_duration.format = "took [$duration]($style)\n"; + }; + }; + + home-manager.enable = true; + + neovim = import ./neovim.nix args; + }; +} diff --git a/nix/personal/neovim.nix b/nix/personal/neovim.nix new file mode 100644 index 0000000..bacb7d5 --- /dev/null +++ b/nix/personal/neovim.nix @@ -0,0 +1,33 @@ +{ pkgs +, lib +, rootPath +, ... +}: +let + fromGitHub = rev: repo: pkgs.vimUtils.buildVimPlugin { + pname = "${lib.strings.sanitizeDerivationName repo}"; + version = rev; + src = builtins.fetchGit { + url = "https://github.com/${repo}.git"; + rev = rev; + }; + }; + nvimConfig = builtins.readFile (rootPath + "/home/.config/nvim/base.vim"); +in +{ + enable = true; + defaultEditor = true; + + plugins = with pkgs.vimPlugins; [ + nvim-treesitter.withAllGrammars + nvim-autopairs + nerdtree + tokyonight-nvim + barbar-nvim + feline-nvim + (fromGitHub "d63c811337b2f75de52f16efee176695f31e7fbc" "timakro/vim-yadi") + (fromGitHub "aafa5c187a15701a7299a392b907ec15d9a7075f" "nvim-tree/nvim-web-devicons") + ]; + + extraConfig = nvimConfig; +} diff --git a/nix/personal/user.nix b/nix/personal/user.nix new file mode 100644 index 0000000..fa0c0fa --- /dev/null +++ b/nix/personal/user.nix 
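Review bot: `fromGitHub` fetches plugin sources with `builtins.fetchGit` at evaluation time; the `rev` pins an immutable commit, but nothing verifies the content against a hash, and without `ref`/`allRefs = true` fetchGit only finds commits reachable from the default branch. `pkgs.fetchFromGitHub { owner; repo; rev; hash; }` gives a fixed-output derivation that is checked against the hash and fetched inside the build sandbox; the combined `"owner/name"` argument would need splitting, and the hashes have to be obtained once (e.g. with `nix-prefetch-github`). A sketch of the helper and its two call sites follows.

```nix
  fromGitHub = rev: hash: repo:
    let
      parts = lib.splitString "/" repo;
    in
    pkgs.vimUtils.buildVimPlugin {
      pname = "${lib.strings.sanitizeDerivationName repo}";
      version = rev;
      # fixed-output fetch, verified against `hash`
      src = pkgs.fetchFromGitHub {
        owner = builtins.elemAt parts 0;
        repo = builtins.elemAt parts 1;
        inherit rev hash;
      };
    };
  # … unchanged: nvimConfig, enable, defaultEditor …
  plugins = with pkgs.vimPlugins; [
    # … unchanged: nixpkgs plugins …
    (fromGitHub "d63c811337b2f75de52f16efee176695f31e7fbc" "<sha256 from nix-prefetch-github>" "timakro/vim-yadi")
    (fromGitHub "aafa5c187a15701a7299a392b907ec15d9a7075f" "<sha256 from nix-prefetch-github>" "nvim-tree/nvim-web-devicons")
  ];
```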
@@ -0,0 +1,7 @@
+{ pkgs, ... }:
+{
+ isNormalUser = true;
+ extraGroups = [ "wheel" "networkmanager" ];
+ shell = pkgs.fish;
+ hashedPassword = "$6$UK6oHr2gPRYD4Rak$lgF.mYReC0jahNuI4kt0j/CsrajVzMprvp3HgjKwwsjYHU6/Ur9jfROXZbKhhpyCLRmnlCpWeRCbHEYO/jhIv/";
+}
diff --git a/nix/server.nix b/nix/server.nix
new file mode 100644
index 0000000..37d19f8
--- /dev/null
+++ b/nix/server.nix
@@ -0,0 +1,45 @@
+{ config, pkgs, ... }:
+let
+ mhostname = "example.org" ;
+in
+{
+ services.openssh = {
+ enable = true;
+ ports = [ 22 ];
+ openFirewall = true;
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ AllowUsers = [ "kp2pml30-serv" ];
+ };
+ };
+
+ users.users.kp2pml30-serv = import ./user.nix;
+ users.users.nginx.extraGroups = [ "acme" ];
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "kp2pml30@gmail.com";
+ certs."${mhostname}" = {
+ serverAliases = [ "*.${mhostname}" ];
+ webroot = "/var/lib/acme/.challenges";
+ group = "nginx";
+ #extraDomainNames = [ "mail.example.org" ];
+ };
+ };
+ services.nginx = {
+ virtualHosts."${mhostname}" = {
+ enableACME = true;
+ listen = [
+ { port = 80; }
+ ];
+ locations."/.well-known/acme-challenge/" = {
+ root = "/var/lib/acme/.challenges";
+ };
+ locations."/" = {
+ return = 404;
+ };
+ };
+ streamConfig = (builtins.readFile ./stream.nginx);
+ };
+}
diff --git a/nix/server/stream.nginx b/nix/server/stream.nginx
new file mode 100644
index 0000000..49320b4
--- /dev/null
+++ b/nix/server/stream.nginx
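Review bot: `hashedPassword` commits a SHA-512-crypt hash of the personal account's password to the repository; anyone with read access can run an offline dictionary attack against it, and because the user is in `wheel` (with `security.sudo.wheelNeedsPassword` at its default) that same password is also the sudo credential. Keep the hash out of git with `hashedPasswordFile = "/etc/nixos/secrets/kp2pml30.passwd";` (or a sops-nix/agenix-managed path) and rotate the password, since the current hash is already in history. Note that `users.mutableUsers = false` in `common.nix` makes this the only source of the credential, so the file has to exist on the host before the first `nixos-rebuild switch`.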
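Review bot: `users.users.kp2pml30-serv = import ./user.nix;` resolves relative to `nix/server.nix`, i.e. to `nix/user.nix`, which this diff does not add (the file is `nix/server/user.nix`), and even with the right path the imported module is a function of `{ config, pkgs, ... }` that is never applied, so evaluation fails; the fix is the pattern `personal.nix` already uses, `{ config, pkgs, ... }@args:` at the top and `users.users.kp2pml30-serv = import ./server/user.nix args;`. `builtins.readFile ./stream.nginx` has the same path problem (`./server/stream.nginx`), and `services.nginx.enable = true` is never set, so the virtualHost and stream configuration would not start nginx at all. On the certificate side, `serverAliases = [ "*.${mhostname}" ]` requests a wildcard name, which Let's Encrypt only issues through the DNS-01 challenge; with `webroot` (HTTP-01) the order is refused, so either drop the wildcard alias or move this cert to `dnsProvider` with a `credentialsFile`. Since `enableACME = true` on the virtualHost already creates a cert entry for the host, the explicit `certs."${mhostname}"` block exists only to add the alias, which deserves a comment once the challenge type is settled.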
@@ -0,0 +1,86 @@
+map $ssl_preread_server_name $name {
+ chat.signal.org signal-service;
+ ud-chat.signal.org signal-service;
+ storage.signal.org storage-service;
+ cdn.signal.org signal-cdn;
+ cdn2.signal.org signal-cdn2;
+ cdn3.signal.org signal-cdn3;
+ cdsi.signal.org cdsi;
+ contentproxy.signal.org content-proxy;
+ sfu.voip.signal.org sfu;
+ svr2.signal.org svr2;
+ updates.signal.org updates;
+ updates2.signal.org updates2;
+ backend1.svr3.signal.org svr31;
+ backend2.svr3.signal.org svr32;
+ backend3.svr3.signal.org svr33;
+ default deny;
+}
+
+upstream signal-service {
+ server chat.signal.org:443;
+}
+
+upstream storage-service {
+ server storage.signal.org:443;
+}
+
+upstream signal-cdn {
+ server cdn.signal.org:443;
+}
+
+upstream signal-cdn2 {
+ server cdn2.signal.org:443;
+}
+
+upstream signal-cdn3 {
+ server cdn3.signal.org:443;
+}
+
+upstream cdsi {
+ server cdsi.signal.org:443;
+}
+
+upstream content-proxy {
+ server contentproxy.signal.org:443;
+}
+
+upstream sfu {
+ server sfu.voip.signal.org:443;
+}
+
+upstream svr2 {
+ server svr2.signal.org:443;
+}
+
+upstream svr31 {
+ server backend1.svr3.signal.org:443;
+}
+
+upstream svr32 {
+ server backend2.svr3.signal.org:443;
+}
+
+upstream svr33 {
+ server backend3.svr3.signal.org:443;
+}
+
+upstream updates {
+ server updates.signal.org:443;
+}
+
+upstream updates2 {
+ server updates2.signal.org:443;
+}
+
+upstream deny {
+ server 127.0.0.1:9;
+}
+
+server {
+ listen 443;
+ proxy_pass $name;
+ ssl_preread on;
+ error_log /dev/null;
+ access_log off;
+}
diff --git a/nix/server/user.nix b/nix/server/user.nix
new file mode 100644
index 0000000..da6e4c9
--- /dev/null
+++ b/nix/server/user.nix
@@ -0,0 +1,8 @@
+{ config, pkgs, ... }:
+{
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa 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 kp2pml30@r3vdy2b10vv-pc"
+ ];
+ extraGroups = [ "wheel" "networkmanager" ];
+}
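Review bot: `error_log /dev/null;` in the `server` block suppresses every error for the passthrough listener, including connect failures toward the `signal.org` upstreams and hits on the fail-closed `deny` upstream, so an outage of the proxy is invisible to its operator. For a privacy proxy it is the per-connection client data that must not be recorded, and `access_log off;` already takes care of that; `error_log /var/log/nginx/stream.log crit;` (or `error_log stderr crit;` into the journal) keeps the listener quiet but debuggable. Worth a comment at the top of the file as well: the hostnames in the `upstream` blocks are resolved when nginx loads the configuration, so a change of the Signal endpoints' addresses is only picked up on reload.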
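Review bot: The server login user is put in `networkmanager` as well as `wheel`; nothing in `server.nix` enables NetworkManager, so the extra group grants nothing useful on a headless host and the least-privilege form is `extraGroups = [ "wheel" ];`. With `PasswordAuthentication = false` in `server.nix` and no `hashedPassword` here, this user has no password at all, so membership in `wheel` only yields a working `sudo` if `security.sudo.wheelNeedsPassword = false` is set — either make that decision explicit in `server.nix` or document here that sudo is intentionally unavailable. This module takes `{ config, pkgs, ... }`, so the importer has to apply it to the module arguments (`server.nix` currently does not).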
diff --git a/nix/wsl.nix b/nix/wsl.nix new file mode 100644 index 0000000..2cd55cd --- /dev/null +++ b/nix/wsl.nix @@ -0,0 +1,14 @@ +{ pkgs +, inputs +, ... +}: +{ + imports = [ + inputs.nixos-wsl.nixosModules.default + ]; + wsl = { + enable = true; + defaultUser = "kp2pml30"; + wslConf.interop.appendWindowsPath = false; + }; +} diff --git a/scripts/git-config.sh b/scripts/git-config.sh new file mode 100755 index 0000000..df7f2f7 --- /dev/null +++ b/scripts/git-config.sh @@ -0,0 +1,10 @@ +#!/usr/bin/env bash + +set -ex + +git config --global init.defaultBranch main + +git lfs install + +git config --global user.email kp2pml30@gmail.com +git config --global user.name kp2pml30 diff --git a/set-symlinks.sh b/scripts/set-config-symlinks.sh similarity index 89% rename from set-symlinks.sh rename to scripts/set-config-symlinks.sh index d172fa8..f7ce02f 100755 --- a/set-symlinks.sh +++ b/scripts/set-config-symlinks.sh @@ -4,6 +4,6 @@ set -ex SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) -cd "$SCRIPT_DIR" +cd "$SCRIPT_DIR/.." stow --no-folding --target "$HOME" --dir "$SCRIPT_DIR" home diff --git a/vps/iptables.erb b/vps/iptables.erb new file mode 100644 index 0000000..0378b72 --- /dev/null +++ b/vps/iptables.erb 
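Review bot: After the `cd "$SCRIPT_DIR/.."` change, `stow --dir "$SCRIPT_DIR" home` still points at `scripts/`, but the stow package `home` lives at the repository root (`home/.config/...` in this diff), so stow fails with a missing package directory. The `--dir` must move together with the `cd`: `stow --no-folding --target "$HOME" --dir "$SCRIPT_DIR/.." home`, or simply `--dir .` since the script has already changed into that directory.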
@@ -0,0 +1,49 @@
+% # run it like this: `erb ports='[]' iptables.erb | iptables-restore`
+% # NOTE: it discards docker iptable rules
+*filter
+
+-N DOCKER-USER
+-N DOCKER-ISOLATION-STAGE-1
+
+# don't restrict output at all
+-A OUTPUT -j ACCEPT
+
+# allow all loopback
+-A INPUT -i lo -j ACCEPT
+-A FORWARD -i lo -j ACCEPT
+
+# allow all established
+-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+-A DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+# allow wireguard
+-A INPUT -i wg0 -j ACCEPT
+-A FORWARD -i wg0 -j ACCEPT
+-A DOCKER-USER -i wg0 -j ACCEPT
+
+# allow all docker
+-A DOCKER-USER -i docker0 -j DOCKER-ISOLATION-STAGE-1
+
+% require 'json'
+% prts = [22, 80, 443] + JSON.parse(ports)
+# apply it with `iptables-restore < ./iptables`
+
+# allow all loopback
+-A INPUT -i lo -j ACCEPT
+
+# custom ports
+% prts.each { |port|
+% ['tcp', 'udp'].each { |proto|
+-A FORWARD -p <%= proto %> --dport <%= port %> -j ACCEPT
+-A INPUT -p <%= proto %> --dport <%= port %> -j ACCEPT
+-A DOCKER-USER -p <%= proto %> -m conntrack --ctorigdstport <%= port %> --ctdir ORIGINAL -j ACCEPT
+% }
+
+% }
+%
+# disallow all other
+-A INPUT -j DROP
+-A FORWARD -j DROP
+-A DOCKER-USER -j DROP
+
+COMMIT
diff --git a/vps/vpn/make-server.sh b/vps/vpn/make-server.sh
new file mode 100755
index 0000000..ec111c1
--- /dev/null
+++ b/vps/vpn/make-server.sh
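Review bot: This ruleset is IPv4-only: `iptables-restore` leaves `ip6tables` untouched, so if the VPS has a public IPv6 address every port remains reachable over v6 regardless of the `prts` list, and the `DOCKER-USER` filtering is bypassed the same way. Either load an equivalent v6 set with `ip6tables-restore` or disable IPv6 on the public interface, and record the choice next to the `# run it like this` comment so the gap is not rediscovered later. Two smaller points: `JSON.parse(ports)` raises `NameError` when no `ports=` is given on the `erb` command line, which `% ports = '[]' unless defined?(ports)` before the parse avoids; and the `# allow all loopback` / `-A INPUT -i lo -j ACCEPT` pair appears twice.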
@@ -0,0 +1,118 @@
+#!/usr/bin/env bash
+
+set -e
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+HOST=""
+PORT=""
+GENKEY=false
+
+function show_help {
+ echo "wireguard configurator"
+ echo " --host host-name"
+ echo " --port port"
+ echo " [--gen-key]"
+}
+
+while [ $# -ne 0 ]
+do
+ ARG="$1"
+ shift
+ case "$ARG" in
+ --help)
+ show_help
+ exit 0
+ ;;
+ --host)
+ HOST="$1"
+ shift
+ ;;
+ --port)
+ PORT="$1"
+ shift
+ ;;
+ --gen-keys)
+ GENKEY=true
+ ;;
+ *)
+ echo "unknown argument $ARG"
+ show_help
+ exit 1
+ ;;
+ esac
+done
+
+echo "Parsed:"
+echo " --host $HOST"
+echo " --port $PORTI"
+
+if [ "$HOST" == "" ]
+then
+ echo "host not set"
+ show_help
+ exit 1
+fi
+
+if [ "$PORT" == "" ]
+then
+ echo "port not set"
+ show_help
+ exit 1
+fi
+
+if [ ! -f .gitignore ]
+then
+ echo "INFO creating gitignore"
+ touch .gitignore
+fi
+
+if ! grep -Pq '^/key$' .gitignore
+then
+ echo "INFO adding key to .gitignore"
+ echo "/key" >> .gitignore
+fi
+
+if ! grep -Pq '^/wg0\.conf$' .gitignore
+then
+ echo "INFO adding wg0.conf to .gitignore"
+ echo "/wg0.conf" >> .gitignore
+fi
+
+if [ "$GENKEY" == "true" ]
+then
+ touch key
+ chmod 600 key
+ wg genkey > key
+ wg pubkey < key > key.pub
+fi
+
+touch wg0.conf
+chmod 600 wg0.conf
+KEY="$(cat key)"
+erb "private_key=$KEY" port="$PORT" "$SCRIPT_DIR/wg0.conf.erb" > wg0.conf
+KEY=""
+
+PUBKEY="$(cat key.pub)"
+
+echo ""
+echo "Run following to start wireguard:"
+echo " wg-quick up ./wg0.conf"
+echo "You can add peers as follows:"
+echo " wg set wg0 peer allowed-ips IP"
+echo ""
+echo "Client's configuration is"
+echo "=================================="
+cat <<-EOF
+[Interface]
+Address = 10.30.30.@@/32
+PrivateKey =
+DNS = 10.30.30.1
+
+[Peer]
+PublicKey = $PUBKEY
+Endpoint = $HOST:$PORT
+AllowedIPs = 10.30.30.0/24
+PersistentKeepalive = 25
+EOF
+echo "=================================="
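Review bot: `erb "private_key=$KEY" ...` puts the freshly generated WireGuard private key on the `erb` command line, where every local user can read it via `ps` or `/proc/<pid>/cmdline` for as long as the render runs — while `touch key; chmod 600 key` just above goes to some lengths to protect the same value on disk. Pass it through the environment instead, `WG_PRIVATE_KEY="$(cat key)" erb port="$PORT" "$SCRIPT_DIR/wg0.conf.erb" > wg0.conf`, and have `wg0.conf.erb` (not part of this diff) read `ENV['WG_PRIVATE_KEY']`; process environments are only readable by the same user or root, and the `KEY=""` line becomes unnecessary. Two typos in the same file: `show_help` advertises `--gen-key` while the `case` only matches `--gen-keys`, and `echo " --port $PORTI"` always prints an empty port.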