Initial commit

flake.nix

@@ -0,0 +1,48 @@
+{
+  description = "Streams 'R' Us infrastructure";
+  inputs.nixos.url = "nixpkgs/23.11";
+  inputs.irccat = {
+    url = "github:irccloud/irccat";
+    flake = false;
+  };
+
+  outputs = { self, nixos, irccat }: {
+    nixosConfigurations = {
+      macmini = nixos.lib.nixosSystem {
+        system = "x86_64-linux";
+        modules = [
+          # "${nixos}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix"
+          ./hosts/macmini/configuration.nix
+          ./irccat.nix
+          ({ pkgs, ... }: let
+            irccatPort = 6969;
+          in {
+            environment.systemPackages = [ pkgs.vim ];
+            services.sshd.enable = true;
+            services.tailscale = {
+              enable = true;
+              extraUpFlags = [ "--ssh" "--auth-key=tskey-auth-keGMqf2CNTRL-78FqMr8gSfGLNace1ZSvfGMoLzYHKXas" ];
+            };
+            services.irccat = {
+              enable = true;
+              package = pkgs.irccat.overrideAttrs {
+                src = irccat;
+              };
+              config = {
+                irc.server = "irc.libera.chat:6697";
+                irc.nick = "sru-bot";
+                irc.channels = "#emfcamp-video";
+                http = {
+		  listen = "localhost:${toString irccatPort}";
+                  listeners.github = {
+                    default_channel = "#emfcamp-video";
+                  };
+                };
+              };
+            };
+          })
+        ];
+      };
+    };
+  };
+}

hosts/macmini/configuration.nix

@@ -0,0 +1,46 @@
+{config, pkgs, ...}: {
+  imports =
+    [ ./hardware-configuration.nix ];
+
+  boot.loader.systemd-boot.enable = true;
+  nixpkgs.config.allowUnfree = true;
+
+  networking.hostName = "macmini";
+
+  time.timeZone = "Europe/London";
+
+  users.users.samw = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ];
+  };
+
+  environment.systemPackages = with pkgs; [
+    git
+    htop
+    vim
+    wget
+  ];
+
+  services.openssh.enable = true;
+  services.tailscale = {
+    enable = true;
+    extraUpFlags = [ "--ssh" ];
+  };
+
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It's perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
+
+}
+

hosts/macmini/hardware-configuration.nix

@@ -0,0 +1,39 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" "wl" ];
+  boot.extraModulePackages = [ config.boot.kernelPackages.broadcom_sta ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/28b6ff7f-a91d-4d25-a2f5-4726267dc7d1";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/8B90-BC9C";
+      fsType = "vfat";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/5db7cdf3-a2b0-4c29-8261-f12d6c5897e7"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp3s0f0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

irccat.nix

@@ -0,0 +1,81 @@
+# TODO: upstream this
+{ config, lib, pkgs, ... }:
+with lib;
+let
+  cfg = config.services.irccat;
+  format = pkgs.formats.json {};
+  cfgFile = format.generate "config.json" cfg.config;
+in
+{
+  options = {
+    services.irccat = {
+      enable = mkEnableOption (lib.mdDoc "Irccat irc event sender");
+      package = mkPackageOption pkgs "irccat" {};
+      config = mkOption {
+        type = types.submodule {
+          freeformType = format.type;
+          options.irc.server = mkOption {
+            type = types.str;
+            description = lib.mdDoc ''
+              The host:port of the IRC server to connect to
+            '';
+            example = "irc.libera.chat:6697";
+          };
+          options.irc.tls = mkOption {
+            type = types.bool;
+            default = true;
+            description = lib.mdDoc ''
+              Whether to secure the IRC connection with TLS
+            '';
+          };
+          options.irc.nick = mkOption {
+            type = types.str;
+            description = lib.mdDoc ''
+              The nick irccat will use
+            '';
+          };
+          options.http.listen = mkOption {
+            type = types.str;
+            description = mdDoc ''
+              The listen address:port to listen on for HTTP
+            '';
+          };
+        };
+        description = ''
+          irccat configuration. For supported values, see the 
+          [example json](https://github.com/irccloud/irccat/blob/master/examples/irccat.json).
+        '';
+      };
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    systemd.services.irccat = {
+      description = "Irccat IRC event sender";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+
+      serviceConfig = {
+        ExecStart = "${cfg.package}/bin/irccat -config ${cfgFile}";
+        DynamicUser = true;
+
+        # Basic hardening
+        NoNewPrivileges = "yes";
+        PrivateTmp = "yes";
+        PrivateDevices = "yes";
+        DevicePolicy = "closed";
+        ProtectSystem = "strict";
+        ProtectHome = "read-only";
+        ProtectControlGroups = "yes";
+        ProtectKernelModules = "yes";
+        ProtectKernelTunables = "yes";
+        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
+        RestrictNamespaces = "yes";
+        RestrictRealtime = "yes";
+        RestrictSUIDSGID = "yes";
+        MemoryDenyWriteExecute = "yes";
+        LockPersonality = "yes";
+      };
+    };
+  };
+}
+