fix things & make some others simpler, also ipv6 🎉

6 files changed, 89 insertions, 68 deletions

diff --git a/abbenay/configuration.nix b/abbenay/configuration.nix
index ec4c08d..62a4a58 100644
--- a/abbenay/configuration.nix
+++ b/abbenay/configuration.nix
@@ -9,9 +9,6 @@
   services.avahi.enable = true;
   services.avahi.nssmdns = true;
 
-    enable = true;
-  };
-
   environment.systemPackages = with pkgs; [
     gnome3.gnome-tweaks
     flatpak
diff --git a/chaski/configuration.nix b/chaski/configuration.nix
index 2ecfe4c..658f55a 100644
--- a/chaski/configuration.nix
+++ b/chaski/configuration.nix
@@ -10,58 +10,39 @@
       ./hardware-configuration.nix
       ./services/uplcg.nix
       ./services/tracktrain.nix
+      ./services/chat.nix
     ];
 
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
-
-
-  users.users.chat = {
-    isNormalUser = true;
-    home = "/home/chat";
-    shell = pkgs.fish;
-    packages = with pkgs; [
-      fish tmux weechat
-    ];
-  };
-  services.openssh = {
-    extraConfig = ''
-      Match user chat
-        ForceCommand tmux attach || tmux
-    '';
-  };
-  programs.mosh.enable = true;
-  users.users.chat.openssh.authorizedKeys.keys = [
-    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCTeuG1alKNNqoT2d5nUAlH0Otsk0NHM7nmkYC5Yfk8qcLsgY4v2dXlyrMzieajYgDjndEApgO3/S/V0EQGhvHc0UugC6LU84jHPwsgYVABRmFS74v/ww8NigaNIAevwWl+DxlnK4nnWdB1lo4xS69ooQdvoAjbubk16dP04LsAbH8Z+3cPB5WKAaayNx62DUwObzDSpztqCagCZzlqpwKG1UGJngrqEhk7B5Q0v9iCk91gqVkLSPllsB00+bqIimgkMVIZnoLLh7pcEgOvbG0yP2EG3ttDNN3jPpqE6mu+znfLq+ua/MwJy5hjmY5R54yPlcvFdsIU34jrdMCDvWqpV49VrLwVvkFN3lRZln/9eifkXXJciP4Ber3xEl8JltysV1PE5iJunWfbcOy0fwsYvBChDeyR5G3CLG2c25jKL9f1Iq95QBBMVYgIxq/dpGy0tjB+24w1JzsorvElsmz5etXLXCydLP07ic9PfSu1Wmwu7F0tweIk52x97sra6ePhtY+TTRffjjDz0DEho1bWDfrPV0xfPPAWXWTKYisVO4VVmMQsJbtXrfxUJbappM5vIXcJ+2JpT2Oh7Kiy3rjm+pd7rukgoCp7yN5z8v+2vuOfHqBuKUwlaRg/XNMyPrbnGGzVR1xzUuhwdOnjAyMmAr95Ne9hRBPwfVo2NR/ZZw=="
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpWMKJrYaI9BRFCeVimQfHkg0THZJwLqh+z2fFxLU7q stuebinm@pixelimn"
-  ];
 
   services.nginx.enable = true;
-  services.nginx.appendHttpConfig = ''
-     access_log off;
-     add_header Permissions-Policy "interest-cohort=()";
-  '';
 
   # Use the GRUB 2 boot loader.
   boot.loader.grub.enable = true;
   boot.loader.grub.version = 2;
+  boot.loader.grub.devices = [ "/dev/sda" ];
 
-  networking.hostName = "chaski"; # Define your hostname.
+  networking = {
+    hostName = "chaski";
 
-  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
-  # Per-interface useDHCP will be mandatory in the future, so this generated config
-  # replicates the default behaviour.
-  networking.useDHCP = false;
-  networking.interfaces.ens10.useDHCP = true;
-  networking.interfaces.ens3.useDHCP = true;
+    enableIPv6 = true;
+    defaultGateway6 = {
+      address = "fe80::1";
+      interface = "ens3";
+    };
 
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "20.09"; # Did you read the comment?
+    interfaces.ens3.ipv6.addresses = [ {
+      address = "2a01:4f9:c010:69ed::1";
+      prefixLength = 64;
+    } ];
+
+    useDHCP = false;
+    interfaces.ens10.useDHCP = true;
+    interfaces.ens3.useDHCP = true;
+
+    firewall.logRefusedConnections = false;
+    firewall.allowedTCPPorts = [ 80 443 ];
+  };
 
-  boot.loader.grub.devices = [ "/dev/sda" ];
 
+  system.stateVersion = "20.09"; # Did you read the comment?
 }
diff --git a/chaski/services/chat.nix b/chaski/services/chat.nix
new file mode 100644
index 0000000..0771e19
--- /dev/null
+++ b/chaski/services/chat.nix
@@ -0,0 +1,43 @@
+{ config, lib, pkgs, inputs, ... }:
+
+# this defines an extra user, so i can run weechat in tmux
+# (and not deal with having an irc relay)
+{
+
+  imports = [ inputs.home-manager.nixosModule ];
+
+  programs.mosh.enable = true;
+  users.users.chat = {
+    isNormalUser = true;
+    home = "/home/chat";
+    shell = pkgs.fish;
+    packages = with pkgs; [
+      fish tmux weechat
+    ];
+  };
+  home-manager.users.chat = _: {
+    programs.tmux = {
+      enable = true;
+      terminal = "screen-256color";
+    };
+    home.stateVersion = "22.11";
+  };
+  services.openssh = {
+    extraConfig = ''
+      Match user chat
+        ForceCommand ${pkgs.writeScript "logon-weechat" ''
+          #!${pkgs.fish}/bin/fish
+          if test -n "$SSH_ORIGINAL_COMMAND"
+            # allow mosh to start its server
+            exec fish -c "$SSH_ORIGINAL_COMMAND"
+          else
+            tmux attach || tmux -c weechat
+          end
+        ''}
+    '';
+  };
+  users.users.chat.openssh.authorizedKeys.keys = [
+    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCTeuG1alKNNqoT2d5nUAlH0Otsk0NHM7nmkYC5Yfk8qcLsgY4v2dXlyrMzieajYgDjndEApgO3/S/V0EQGhvHc0UugC6LU84jHPwsgYVABRmFS74v/ww8NigaNIAevwWl+DxlnK4nnWdB1lo4xS69ooQdvoAjbubk16dP04LsAbH8Z+3cPB5WKAaayNx62DUwObzDSpztqCagCZzlqpwKG1UGJngrqEhk7B5Q0v9iCk91gqVkLSPllsB00+bqIimgkMVIZnoLLh7pcEgOvbG0yP2EG3ttDNN3jPpqE6mu+znfLq+ua/MwJy5hjmY5R54yPlcvFdsIU34jrdMCDvWqpV49VrLwVvkFN3lRZln/9eifkXXJciP4Ber3xEl8JltysV1PE5iJunWfbcOy0fwsYvBChDeyR5G3CLG2c25jKL9f1Iq95QBBMVYgIxq/dpGy0tjB+24w1JzsorvElsmz5etXLXCydLP07ic9PfSu1Wmwu7F0tweIk52x97sra6ePhtY+TTRffjjDz0DEho1bWDfrPV0xfPPAWXWTKYisVO4VVmMQsJbtXrfxUJbappM5vIXcJ+2JpT2Oh7Kiy3rjm+pd7rukgoCp7yN5z8v+2vuOfHqBuKUwlaRg/XNMyPrbnGGzVR1xzUuhwdOnjAyMmAr95Ne9hRBPwfVo2NR/ZZw=="
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpWMKJrYaI9BRFCeVimQfHkg0THZJwLqh+z2fFxLU7q stuebinm@pixelimn"
+  ];
+}
diff --git a/common/headless.nix b/common/headless.nix
index d3a7c22..0689e6a 100644
--- a/common/headless.nix
+++ b/common/headless.nix
@@ -28,4 +28,27 @@
     defaults.email = "stuebinm@disroot.org";
   };
 
+  services.fail2ban = {
+    enable = true;
+    bantime-increment.enable = true;
+    bantime-increment.overalljails = true;
+    bantime-increment.maxtime = "1312m";
+    ignoreIP = [ "185.39.64.13" ];
+  };
+
+  services.logrotate = {
+    enable = true;
+    # the nginx module does stuff here, which apparently no one tells anyone about
+    settings.nginx = {
+      rotate = 2;
+      nocompress = true;
+      compress = false;
+    };
+  };
+
+  services.nginx.appendHttpConfig = ''
+     access_log off;
+     add_header Permissions-Policy "interest-cohort=()";
+  '';
+  programs.mosh.enable = true;
 }
diff --git a/flora/configuration.nix b/flora/configuration.nix
index 750268e..c04f240 100644
--- a/flora/configuration.nix
+++ b/flora/configuration.nix
@@ -35,31 +35,12 @@
     
     useDHCP = false;
     interfaces.ens3.useDHCP = true;
+    interfaces.ens10.useDHCP = true;
 
     firewall.logRefusedConnections = false;
-    
-
   };
 
-  services.fail2ban = {
-    enable = true;
-    bantime-increment.enable = true;
-    bantime-increment.overalljails = true;
-    bantime-increment.maxtime = "1312m";
-    ignoreIP = [ "88.133.194.232" ];
-  };
-  
-  services.logrotate = {
-    enable = true;
-    # the nginx module does stuff here, which apparently no one tells anyone about
-    settings.nginx = {
-      rotate = 2;
-      nocompress = true;
-      compress = false;
-    };
-  };
 
-  
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It‘s perfectly fine and recommended to leave
diff --git a/flora/services/nginx.nix b/flora/services/nginx.nix
index bbcacb7..fbbff73 100644
--- a/flora/services/nginx.nix
+++ b/flora/services/nginx.nix
@@ -9,9 +9,5 @@
     recommendedOptimisation = true;
     recommendedTlsSettings = true;
     recommendedProxySettings = true;
-
-    appendHttpConfig = ''
-      add_header Permissions-Policy "interest-cohort=()";
-    '';
   };
 }