chore(hosts): restructure

Malte Tammena 2024-01-15 15:59:54 +01:00
parent b289df3d50
commit 9df7c3692b
15 changed files with 64 additions and 92 deletions


@ -83,11 +83,9 @@
];
# The list of all hosts known to me
listOfHosts = let
removeSuffix = builtins.replaceStrings [".nix"] [""];
hostDir = builtins.readDir ./hosts;
hostFileNames = builtins.attrNames hostDir;
in
map removeSuffix hostFileNames;
builtins.attrNames hostDir;
in
flake-parts.lib.mkFlake {inherit inputs;} {
# Flake-parts modules to use
@ -178,7 +176,7 @@
value = inputs.nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {inherit inputs;};
modules = modulesSharedByAllSystems ++ [{nixpkgs.overlays = overlaysSharedByAll;} ./hosts/${name}.nix];
modules = modulesSharedByAllSystems ++ [{nixpkgs.overlays = overlaysSharedByAll;} ./hosts/${name}/default.nix];
};
};
in
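Review bot: `listOfHosts` now treats every entry of `./hosts` as a host name, but `builtins.readDir` also returns regular files and symlinks, so any non-directory left in `hosts/` (a stray `.nix`, a README) becomes a host whose `./hosts/${name}/default.nix` does not exist and breaks evaluation of the whole flake. Keeping only directory entries avoids that: `hostDir = builtins.readDir ./hosts; in builtins.filter (name: hostDir.${name} == "directory") (builtins.attrNames hostDir);`. The outer `let` that this binding belongs to starts before the hunk, and the second hunk in this section only follows the path change to `default.nix`.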


@ -1,13 +1,9 @@
{
config,
pkgs,
...
}: {
{pkgs, ...}: {
imports = [
../hardware/intel-nuc.nix
../../hardware/intel-nuc.nix
];
config = let
hashes = builtins.import ../hashes.nix;
hashes = builtins.import ../../hashes.nix;
in {
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;


@ -14,7 +14,7 @@
networking.firewall.enable = false;
settings.ssh.openOutsideVPN = true;
users.users.nixos.openssh.authorizedKeys.keyFiles = [../users/malte/yubikey.pub];
users.users.nixos.openssh.authorizedKeys.keyFiles = [../../users/malte/yubikey.pub];
environment.noXlibs = false;


@ -9,18 +9,19 @@
in {
imports = [
inputs.nixos-hardware.nixosModules.common-cpu-intel #-cpu-only
../modules/nginx-reverse-proxy.nix
../hardware/asrock-z370-i3-black-box.nix
./faunus-ater/modules/gogs.nix
./faunus-ater/modules/home-assistant.nix
./faunus-ater/modules/hydra.nix
./faunus-ater/modules/komga.nix
./faunus-ater/modules/nix-serve.nix
./faunus-ater/modules/mealie.nix
./faunus-ater/modules/paperless.nix
./faunus-ater/modules/photoprism.nix
./faunus-ater/modules/timetagger.nix
./faunus-ater/modules/trilium.nix
../../modules/nginx-reverse-proxy.nix
../../hardware/asrock-z370-i3-black-box.nix
./modules/gogs.nix
./modules/home-assistant.nix
./modules/hydra.nix
./modules/komga.nix
./modules/nix-serve.nix
./modules/mealie.nix
./modules/paperless.nix
./modules/photoprism.nix
./modules/timetagger.nix
./modules/trilium.nix
./modules/restic.nix
];
config = {
networking.hostName = "faunus-ater";
@ -42,7 +43,6 @@ in {
services.zfs.autoScrub.enable = true;
services.zfs.autoScrub.pools = ["rpool"];
# === Additional services ===
services.fwupd.enable = true;
powerManagement = {
enable = true;
@ -50,6 +50,7 @@ in {
cpuFreqGovernor = "powersave";
};
# === PODMAN ===
virtualisation.oci-containers.backend = "podman";
virtualisation.podman = {
enable = true;
@ -65,13 +66,6 @@ in {
};
};
# === Restic User Backup ===
services.resticConfigured = {
enable = true;
rootDir = "/data/dirty/restic";
openFirewall = true;
};
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# === BACKUPS ===
@ -93,12 +87,13 @@ in {
};
# === RUNTIME SECRETS ===
sops.defaultSopsFile = ../secrets/hosts/faunus-ater/secrets.yaml;
sops.defaultSopsFile = ../../secrets/hosts/faunus-ater/secrets.yaml;
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
sops.secrets = {
"internal-restic-password" = {};
};
# === SERVICE EXPOSURE ===
# All services that run here, that should be exposed need to be exposed on the VPN
networking.firewall.interfaces.${config.services.tailscale.interfaceName}.allowedTCPPorts = let
selectPort = _: config: config.port;


@ -84,6 +84,10 @@
sslCertificateKey = config.sops.secrets."certificate-key-hydra-tammena-me".path;
sslCertificate = pkgs.writeText "hydra-tammena-me.crt" (builtins.readFile ../../../secrets/pub/hydra-tammena-me.crt);
serverAliases = [
"hydra.home"
];
locations."/" = {
proxyPass = "http://localhost:${builtins.toString config.services.hydra.port}";
};
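Review bot: The new `serverAliases = ["hydra.home"]` is served by the same vhost that presents `hydra-tammena-me.crt`, and nothing in the hunk shows that certificate covering `hydra.home`, so clients using the alias presumably get a hostname mismatch unless the certificate lists it as a SAN. A comment on the alias would record the intent, e.g. `# LAN alias; served with hydra-tammena-me.crt, which must include hydra.home for TLS clients to accept it`. The same applies to the `read.home` alias added to the komga vhost in the next section. The enclosing virtualHost attribute set starts before this hunk.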


@ -16,6 +16,10 @@
sslCertificateKey = config.sops.secrets."certificate-key-read-tammena-me".path;
sslCertificate = pkgs.writeText "read-tammena-me.crt" (builtins.readFile ../../../secrets/pub/read-tammena-me.crt);
serverAliases = [
"read.home"
];
locations."/" = {
proxyPass = "http://[::1]:${builtins.toString config.services.komga.port}";
proxyWebsockets = true;


@ -0,0 +1,19 @@
{lib, ...}: let
port = 8000;
in {
services.restic.server = {
enable = true;
dataDir = "/data/dirty/restic";
listenAddress = "0.0.0.0:${builtins.toString port}";
extraFlags = ["--no-auth"];
};
# Open firewall
networking.firewall.allowedTCPPorts = [port];
# TODO: This should be moved
systemd.services.restic-rest-server.unitConfig = {
Requires = lib.mkForce ["network.target"];
After = lib.mkForce ["network.target"];
};
}
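Review bot: `networking.firewall.allowedTCPPorts = [port];` opens the REST server on every firewalled interface while `listenAddress` binds `0.0.0.0` and `extraFlags` passes `--no-auth`, so anyone who can reach port 8000 can, as far as I can tell, read, write and delete repository data; restic's client-side encryption does not protect against deletion. The faunus-ater host that imports this module states in its own section that exposed services belong on the VPN interface, and the module can follow that rule by taking `config` and scoping the opening: `{lib, config, ...}: let` and `networking.firewall.interfaces.${config.services.tailscale.interfaceName}.allowedTCPPorts = [port];`. The `# Open firewall` comment should also say why unauthenticated access is acceptable on that interface, e.g. `# Reachable only over the VPN; --no-auth relies on the VPN for access control`.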


@ -4,15 +4,15 @@
config,
...
}: let
state = builtins.import ../state.nix;
state = builtins.import ../../state.nix;
mkVirtHost = lib.attrsets.recursiveUpdate {
forceSSL = true;
enableACME = true;
};
in {
imports = [
../hardware/netcup-vps-200-g10.nix
../modules/nginx-reverse-proxy.nix
../../hardware/netcup-vps-200-g10.nix
../../modules/nginx-reverse-proxy.nix
];
config = {
boot.loader.grub.enable = true;
@ -30,13 +30,13 @@ in {
};
};
sops.defaultSopsFile = ../secrets/hosts/granodomus-lima/secrets.yaml;
sops.defaultSopsFile = ../../secrets/hosts/granodomus-lima/secrets.yaml;
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
services.fail2ban = {
enable = true;
ignoreIP = let
vpn = (builtins.import ../state.nix).vpn;
vpn = state.vpn;
extractIPs = _: config: [config.v4 config.v6];
in
lib.flatten (lib.attrsets.mapAttrsToList extractIPs vpn);


@ -11,9 +11,9 @@
inputs.nixos-hardware.nixosModules.common-pc-laptop-acpi_call
inputs.self.nixosModules.homeManagerConfig
inputs.custom-udev-rules.nixosModule
../hardware/thinkpad-p1-gen3.nix
../modules/light-actkbd.nix
../modules/nvidia-fixed.nix
../../hardware/thinkpad-p1-gen3.nix
../../modules/light-actkbd.nix
../../modules/nvidia-fixed.nix
];
config = {
@ -167,7 +167,7 @@
services.fwupd.enable = true;
services.devmon.enable = true;
sops.defaultSopsFile = ../secrets/hosts/helix-texta/secrets.yaml;
sops.defaultSopsFile = ../../secrets/hosts/helix-texta/secrets.yaml;
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
# This value determines the NixOS release from which the default


@ -10,7 +10,7 @@
inputs.nixos-hardware.nixosModules.common-gpu-amd
inputs.self.nixosModules.homeManagerConfig
inputs.custom-udev-rules.nixosModule
../hardware/aorus.nix
../../hardware/aorus.nix
];
config = {
@ -157,7 +157,7 @@
vial
];
sops.defaultSopsFile = ../secrets/hosts/murex-pecten/secrets.yaml;
sops.defaultSopsFile = ../../secrets/hosts/murex-pecten/secrets.yaml;
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
environment.systemPackages = with pkgs; [


@ -7,8 +7,8 @@
imports = [
inputs.self.nixosModules.homeManagerConfig
inputs.jovian-nixos.nixosModules.default
../hardware/steam-deck.nix
../modules/steam.nix
../../hardware/steam-deck.nix
../../modules/steam.nix
];
config = {
boot.loader.systemd-boot = {


@ -18,7 +18,7 @@
# TODO: Update and think of some automatic way of keeping this up to date.
boot.kernelPackages = pkgs.linuxPackages_5_15;
users.users.nixos.openssh.authorizedKeys.keyFiles = [../users/malte/yubikey.pub];
users.users.nixos.openssh.authorizedKeys.keyFiles = [../../users/malte/yubikey.pub];
environment.systemPackages = with pkgs; [
# For special computers


@ -8,7 +8,7 @@
inputs.nixos-hardware.nixosModules.common-pc-laptop
inputs.nixos-hardware.nixosModules.common-pc-laptop-ssd
inputs.self.nixosModules.homeManagerConfig
../hardware/latitude-e7440.nix
../../hardware/latitude-e7440.nix
];
config = {
boot.loader.systemd-boot.enable = true;


@ -21,7 +21,6 @@ in {
./marie.nix
./deck.nix
./radicale.nix
./restic.nix
./wakeup.nix
./state.nix
];


@ -1,43 +0,0 @@
{
lib,
config,
...
}: let
cfg = config.services.resticConfigured;
in {
options.services.resticConfigured = with lib; {
enable = mkEnableOption "Configured Restic rest server service";
rootDir = mkOption {
type = types.str;
description = "Path to use for storage";
};
port = mkOption {
type = types.int;
default = 8000;
description = "Port to use for the rest server";
};
openFirewall = mkOption {
type = types.bool;
default = false;
description = "Whether to open the firewall for port ${builtins.toString cfg.port}";
};
};
config = lib.mkIf cfg.enable {
services.restic.server = {
enable = true;
dataDir = cfg.rootDir;
listenAddress = "0.0.0.0:${builtins.toString cfg.port}";
extraFlags = ["--no-auth"];
};
networking.firewall.allowedTCPPorts =
lib.mkIf cfg.openFirewall [cfg.port];
# TODO: This should be moved
systemd.services.restic-rest-server.unitConfig = {
Requires = lib.mkForce ["network.target"];
After = lib.mkForce ["network.target"];
};
};
}