From 9df7c3692bc02c1e7aaa8f81e5805c846f726e28 Mon Sep 17 00:00:00 2001
From: Malte Tammena
Date: Mon, 15 Jan 2024 15:59:54 +0100
Subject: [PATCH] chore(hosts): restructure
---
 flake.nix | 6 +--
 .../default.nix} | 10 ++--
 .../default.nix} | 2 +-
 .../default.nix} | 37 +++++++---------
 hosts/faunus-ater/modules/hydra.nix | 4 ++
 hosts/faunus-ater/modules/komga.nix | 4 ++
 hosts/faunus-ater/modules/restic.nix | 19 ++++++++
 .../default.nix} | 10 ++--
 .../default.nix} | 8 ++--
 .../default.nix} | 4 +-
 .../default.nix} | 4 +-
 .../default.nix} | 2 +-
 .../default.nix} | 2 +-
 modules/base-system.nix | 1 -
 modules/restic.nix | 43 -------------------
 15 files changed, 64 insertions(+), 92 deletions(-)
 rename hosts/{cerithium-telescopium.nix => cerithium-telescopium/default.nix} (96%)
 rename hosts/{chrysomallon-squamiferum.nix => chrysomallon-squamiferum/default.nix} (92%)
 rename hosts/{faunus-ater.nix => faunus-ater/default.nix} (80%)
 create mode 100644 hosts/faunus-ater/modules/restic.nix
 rename hosts/{granodomus-lima.nix => granodomus-lima/default.nix} (94%)
 rename hosts/{helix-texta.nix => helix-texta/default.nix} (96%)
 rename hosts/{murex-pecten.nix => murex-pecten/default.nix} (97%)
 rename hosts/{polymita-picta.nix => polymita-picta/default.nix} (98%)
 rename hosts/{radix-balthica.nix => radix-balthica/default.nix} (88%)
 rename hosts/{trochulus-hispidus.nix => trochulus-hispidus/default.nix} (98%)
 delete mode 100644 modules/restic.nix
diff --git a/flake.nix b/flake.nix
index 1d50955..91bbdf0 100644
--- a/flake.nix
+++ b/flake.nix
@@ -83,11 +83,9 @@
 ];
 # The list of all hosts known to me
 listOfHosts = let
- removeSuffix = builtins.replaceStrings [".nix"] [""];
 hostDir = builtins.readDir ./hosts;
- hostFileNames = builtins.attrNames hostDir;
 in
- map removeSuffix hostFileNames;
+ builtins.attrNames hostDir;
 in
 flake-parts.lib.mkFlake {inherit inputs;} {
 # Flake-parts modules to use
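Review bot: `builtins.attrNames hostDir` in the new `listOfHosts` turns every entry of `hosts/` into a host name, whatever its type, so a stray file or symlink dropped into that directory (a README, an editor backup) becomes a host whose `./hosts/${name}/default.nix` import in the `@@ -178` hunk fails at evaluation time. The removed `.nix`-suffix stripping at least implied a file filter; the directory layout needs the equivalent, e.g. `builtins.attrNames (inputs.nixpkgs.lib.filterAttrs (_: type: type == "directory") hostDir);`. The enclosing `let` of the flake outputs starts outside the hunk.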
@@ -178,7 +176,7 @@
 value = inputs.nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
 specialArgs = {inherit inputs;};
- modules = modulesSharedByAllSystems ++ [{nixpkgs.overlays = overlaysSharedByAll;} ./hosts/${name}.nix];
+ modules = modulesSharedByAllSystems ++ [{nixpkgs.overlays = overlaysSharedByAll;} ./hosts/${name}/default.nix];
 };
 };
 in
diff --git a/hosts/cerithium-telescopium.nix b/hosts/cerithium-telescopium/default.nix
similarity index 96%
rename from hosts/cerithium-telescopium.nix
rename to hosts/cerithium-telescopium/default.nix
index 2246968..971b930 100644
--- a/hosts/cerithium-telescopium.nix
+++ b/hosts/cerithium-telescopium/default.nix
@@ -1,13 +1,9 @@
-{
- config,
- pkgs,
- ...
-}: {
+{pkgs, ...}: {
 imports = [
- ../hardware/intel-nuc.nix
+ ../../hardware/intel-nuc.nix
 ];
 config = let
- hashes = builtins.import ../hashes.nix;
+ hashes = builtins.import ../../hashes.nix;
 in {
 boot.loader.systemd-boot.enable = true;
 boot.loader.efi.canTouchEfiVariables = true;
diff --git a/hosts/chrysomallon-squamiferum.nix b/hosts/chrysomallon-squamiferum/default.nix
similarity index 92%
rename from hosts/chrysomallon-squamiferum.nix
rename to hosts/chrysomallon-squamiferum/default.nix
index 4e43893..d43ce55 100644
--- a/hosts/chrysomallon-squamiferum.nix
+++ b/hosts/chrysomallon-squamiferum/default.nix
@@ -14,7 +14,7 @@
 networking.firewall.enable = false;
 settings.ssh.openOutsideVPN = true;
- users.users.nixos.openssh.authorizedKeys.keyFiles = [../users/malte/yubikey.pub];
+ users.users.nixos.openssh.authorizedKeys.keyFiles = [../../users/malte/yubikey.pub];
 environment.noXlibs = false;
diff --git a/hosts/faunus-ater.nix b/hosts/faunus-ater/default.nix
similarity index 80%
rename from hosts/faunus-ater.nix
rename to hosts/faunus-ater/default.nix
index 5a9b2df..3ecb0e8 100644
--- a/hosts/faunus-ater.nix
+++ b/hosts/faunus-ater/default.nix
@@ -9,18 +9,19 @@
 in {
 imports = [
 inputs.nixos-hardware.nixosModules.common-cpu-intel #-cpu-only
- ../modules/nginx-reverse-proxy.nix
- ../hardware/asrock-z370-i3-black-box.nix
- ./faunus-ater/modules/gogs.nix
- ./faunus-ater/modules/home-assistant.nix
- ./faunus-ater/modules/hydra.nix
- ./faunus-ater/modules/komga.nix
- ./faunus-ater/modules/nix-serve.nix
- ./faunus-ater/modules/mealie.nix
- ./faunus-ater/modules/paperless.nix
- ./faunus-ater/modules/photoprism.nix
- ./faunus-ater/modules/timetagger.nix
- ./faunus-ater/modules/trilium.nix
+ ../../modules/nginx-reverse-proxy.nix
+ ../../hardware/asrock-z370-i3-black-box.nix
+ ./modules/gogs.nix
+ ./modules/home-assistant.nix
+ ./modules/hydra.nix
+ ./modules/komga.nix
+ ./modules/nix-serve.nix
+ ./modules/mealie.nix
+ ./modules/paperless.nix
+ ./modules/photoprism.nix
+ ./modules/timetagger.nix
+ ./modules/trilium.nix
+ ./modules/restic.nix
 ];
 config = {
 networking.hostName = "faunus-ater";
@@ -42,7 +43,6 @@ in {
 services.zfs.autoScrub.enable = true;
 services.zfs.autoScrub.pools = ["rpool"];
- # === Additional services ===
 services.fwupd.enable = true;
 powerManagement = {
 enable = true;
@@ -50,6 +50,7 @@ in {
 cpuFreqGovernor = "powersave";
 };
+ # === PODMAN ===
 virtualisation.oci-containers.backend = "podman";
 virtualisation.podman = {
 enable = true;
@@ -65,13 +66,6 @@ in {
 };
 };
- # === Restic User Backup ===
- services.resticConfigured = {
- enable = true;
- rootDir = "/data/dirty/restic";
- openFirewall = true;
- };
-
 hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 # === BACKUPS ===
@@ -93,12 +87,13 @@
 };
 # === RUNTIME SECRETS ===
- sops.defaultSopsFile = ../secrets/hosts/faunus-ater/secrets.yaml;
+ sops.defaultSopsFile = ../../secrets/hosts/faunus-ater/secrets.yaml;
 sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
 sops.secrets = {
 "internal-restic-password" = {};
 };
+ # === SERVICE EXPOSURE ===
 # All services that run here, that should be exposed need to be exposed on the VPN
 networking.firewall.interfaces.${config.services.tailscale.interfaceName}.allowedTCPPorts = let
 selectPort = _: config: config.port;
diff --git a/hosts/faunus-ater/modules/hydra.nix b/hosts/faunus-ater/modules/hydra.nix
index 5b8851e..1ff1335 100644
--- a/hosts/faunus-ater/modules/hydra.nix
+++ b/hosts/faunus-ater/modules/hydra.nix
@@ -84,6 +84,10 @@
 sslCertificateKey = config.sops.secrets."certificate-key-hydra-tammena-me".path;
 sslCertificate = pkgs.writeText "hydra-tammena-me.crt" (builtins.readFile ../../../secrets/pub/hydra-tammena-me.crt);
+ serverAliases = [
+ "hydra.home"
+ ];
+
 locations."/" = {
 proxyPass = "http://localhost:${builtins.toString config.services.hydra.port}";
 };
diff --git a/hosts/faunus-ater/modules/komga.nix b/hosts/faunus-ater/modules/komga.nix
index 9e900a1..567e671 100644
--- a/hosts/faunus-ater/modules/komga.nix
+++ b/hosts/faunus-ater/modules/komga.nix
@@ -16,6 +16,10 @@
 sslCertificateKey = config.sops.secrets."certificate-key-read-tammena-me".path;
 sslCertificate = pkgs.writeText "read-tammena-me.crt" (builtins.readFile ../../../secrets/pub/read-tammena-me.crt);
+ serverAliases = [
+ "read.home"
+ ];
+
 locations."/" = {
 proxyPass = "http://[::1]:${builtins.toString config.services.komga.port}";
 proxyWebsockets = true;
diff --git a/hosts/faunus-ater/modules/restic.nix b/hosts/faunus-ater/modules/restic.nix
new file mode 100644
index 0000000..06b086a
--- /dev/null
+++ b/hosts/faunus-ater/modules/restic.nix
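Review bot: The new `serverAliases = [ "hydra.home" ]` sits on a virtual host whose certificate is `hydra-tammena-me.crt`, so a TLS client that connects as hydra.home gets a hostname mismatch unless that certificate also lists the alias as a SAN, which is not visible here; the komga.nix hunk adds `read.home` under `read-tammena-me.crt` with the same question. Whichever way it is resolved, a short comment above the alias would save the next reader the check, e.g. `# NOTE: hydra.home is not in hydra-tammena-me.crt — TLS clients see a name mismatch unless the cert is extended`. The enclosing virtualHosts entry starts and ends outside the hunk, so whether plain HTTP is also served cannot be confirmed from this diff.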
@@ -0,0 +1,19 @@
+{lib, ...}: let
+ port = 8000;
+in {
+ services.restic.server = {
+ enable = true;
+ dataDir = "/data/dirty/restic";
+ listenAddress = "0.0.0.0:${builtins.toString port}";
+ extraFlags = ["--no-auth"];
+ };
+
+ # Open firewall
+ networking.firewall.allowedTCPPorts = [port];
+
+ # TODO: This should be moved
+ systemd.services.restic-rest-server.unitConfig = {
+ Requires = lib.mkForce ["network.target"];
+ After = lib.mkForce ["network.target"];
+ };
+}
diff --git a/hosts/granodomus-lima.nix b/hosts/granodomus-lima/default.nix
similarity index 94%
rename from hosts/granodomus-lima.nix
rename to hosts/granodomus-lima/default.nix
index 2677fd4..dca04e8 100644
--- a/hosts/granodomus-lima.nix
+++ b/hosts/granodomus-lima/default.nix
@@ -4,15 +4,15 @@
 config,
 ...
 }: let
- state = builtins.import ../state.nix;
+ state = builtins.import ../../state.nix;
 mkVirtHost = lib.attrsets.recursiveUpdate {
 forceSSL = true;
 enableACME = true;
 };
 in {
 imports = [
- ../hardware/netcup-vps-200-g10.nix
- ../modules/nginx-reverse-proxy.nix
+ ../../hardware/netcup-vps-200-g10.nix
+ ../../modules/nginx-reverse-proxy.nix
 ];
 config = {
 boot.loader.grub.enable = true;
@@ -30,13 +30,13 @@ in {
 };
 };
- sops.defaultSopsFile = ../secrets/hosts/granodomus-lima/secrets.yaml;
+ sops.defaultSopsFile = ../../secrets/hosts/granodomus-lima/secrets.yaml;
 sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
 services.fail2ban = {
 enable = true;
 ignoreIP = let
- vpn = (builtins.import ../state.nix).vpn;
+ vpn = state.vpn;
 extractIPs = _: config: [config.v4 config.v6];
 in
 lib.flatten (lib.attrsets.mapAttrsToList extractIPs vpn);
diff --git a/hosts/helix-texta.nix b/hosts/helix-texta/default.nix
similarity index 96%
rename from hosts/helix-texta.nix
rename to hosts/helix-texta/default.nix
index 7975e57..6042458 100644
--- a/hosts/helix-texta.nix
+++ b/hosts/helix-texta/default.nix
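Review bot: `listenAddress = "0.0.0.0:${builtins.toString port}"` together with `extraFlags = ["--no-auth"]` and the global `networking.firewall.allowedTCPPorts = [port]` leaves the restic REST server reachable without any credentials on every interface of faunus-ater, while the host's own default.nix (hunk with `# === SERVICE EXPOSURE ===`) states that exposed services are opened on the VPN interface only via `networking.firewall.interfaces.${config.services.tailscale.interfaceName}.allowedTCPPorts`. The exposure is the same as the removed `services.resticConfigured` block produced (it set `openFirewall = true`), but this restructure is the point to bring the module in line with that rule: take `config` in the module arguments (`{lib, config, ...}: let`) and open the port as `networking.firewall.interfaces.${config.services.tailscale.interfaceName}.allowedTCPPorts = [port];`, or bind `listenAddress` to the VPN address instead of `0.0.0.0`. Pairing that with `services.restic.server.appendOnly = true;` would also keep a client that reaches the port from deleting existing snapshots. The carried-over `# TODO: This should be moved` would help more if it said where the unitConfig override belongs.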
@@ -11,9 +11,9 @@
 inputs.nixos-hardware.nixosModules.common-pc-laptop-acpi_call
 inputs.self.nixosModules.homeManagerConfig
 inputs.custom-udev-rules.nixosModule
- ../hardware/thinkpad-p1-gen3.nix
- ../modules/light-actkbd.nix
- ../modules/nvidia-fixed.nix
+ ../../hardware/thinkpad-p1-gen3.nix
+ ../../modules/light-actkbd.nix
+ ../../modules/nvidia-fixed.nix
 ];
 config = {
@@ -167,7 +167,7 @@
 services.fwupd.enable = true;
 services.devmon.enable = true;
- sops.defaultSopsFile = ../secrets/hosts/helix-texta/secrets.yaml;
+ sops.defaultSopsFile = ../../secrets/hosts/helix-texta/secrets.yaml;
 sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
 # This value determines the NixOS release from which the default
diff --git a/hosts/murex-pecten.nix b/hosts/murex-pecten/default.nix
similarity index 97%
rename from hosts/murex-pecten.nix
rename to hosts/murex-pecten/default.nix
index 6415300..1b7c60e 100644
--- a/hosts/murex-pecten.nix
+++ b/hosts/murex-pecten/default.nix
@@ -10,7 +10,7 @@
 inputs.nixos-hardware.nixosModules.common-gpu-amd
 inputs.self.nixosModules.homeManagerConfig
 inputs.custom-udev-rules.nixosModule
- ../hardware/aorus.nix
+ ../../hardware/aorus.nix
 ];
 config = {
@@ -157,7 +157,7 @@
 vial
 ];
- sops.defaultSopsFile = ../secrets/hosts/murex-pecten/secrets.yaml;
+ sops.defaultSopsFile = ../../secrets/hosts/murex-pecten/secrets.yaml;
 sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
 environment.systemPackages = with pkgs; [
diff --git a/hosts/polymita-picta.nix b/hosts/polymita-picta/default.nix
similarity index 98%
rename from hosts/polymita-picta.nix
rename to hosts/polymita-picta/default.nix
index 74f707c..6d18687 100644
--- a/hosts/polymita-picta.nix
+++ b/hosts/polymita-picta/default.nix
@@ -7,8 +7,8 @@
 imports = [
 inputs.self.nixosModules.homeManagerConfig
 inputs.jovian-nixos.nixosModules.default
- ../hardware/steam-deck.nix
- ../modules/steam.nix
+ ../../hardware/steam-deck.nix
+ ../../modules/steam.nix
 ];
 config = {
 boot.loader.systemd-boot = {
diff --git a/hosts/radix-balthica.nix b/hosts/radix-balthica/default.nix
similarity index 88%
rename from hosts/radix-balthica.nix
rename to hosts/radix-balthica/default.nix
index f0ba853..5530b21 100644
--- a/hosts/radix-balthica.nix
+++ b/hosts/radix-balthica/default.nix
@@ -18,7 +18,7 @@
 # TODO: Update and think of some automatic way of keeping this up to date.
 boot.kernelPackages = pkgs.linuxPackages_5_15;
- users.users.nixos.openssh.authorizedKeys.keyFiles = [../users/malte/yubikey.pub];
+ users.users.nixos.openssh.authorizedKeys.keyFiles = [../../users/malte/yubikey.pub];
 environment.systemPackages = with pkgs; [
 # For special computers
diff --git a/hosts/trochulus-hispidus.nix b/hosts/trochulus-hispidus/default.nix
similarity index 98%
rename from hosts/trochulus-hispidus.nix
rename to hosts/trochulus-hispidus/default.nix
index 4bcd569..9a7e137 100644
--- a/hosts/trochulus-hispidus.nix
+++ b/hosts/trochulus-hispidus/default.nix
@@ -8,7 +8,7 @@
 inputs.nixos-hardware.nixosModules.common-pc-laptop
 inputs.nixos-hardware.nixosModules.common-pc-laptop-ssd
 inputs.self.nixosModules.homeManagerConfig
- ../hardware/latitude-e7440.nix
+ ../../hardware/latitude-e7440.nix
 ];
 config = {
 boot.loader.systemd-boot.enable = true;
diff --git a/modules/base-system.nix b/modules/base-system.nix
index 7724d79..6506b59 100644
--- a/modules/base-system.nix
+++ b/modules/base-system.nix
@@ -21,7 +21,6 @@ in {
 ./marie.nix
 ./deck.nix
 ./radicale.nix
- ./restic.nix
 ./wakeup.nix
 ./state.nix
 ];
diff --git a/modules/restic.nix b/modules/restic.nix
deleted file mode 100644
index 64dd92f..0000000
--- a/modules/restic.nix
+++ /dev/null
@@ -1,43 +0,0 @@
-{
- lib,
- config,
- ...
-}: let
- cfg = config.services.resticConfigured;
-in {
- options.services.resticConfigured = with lib; {
- enable = mkEnableOption "Configured Restic rest server service";
- rootDir = mkOption {
- type = types.str;
- description = "Path to use for storage";
- };
- port = mkOption {
- type = types.int;
- default = 8000;
- description = "Port to use for the rest server";
- };
- openFirewall = mkOption {
- type = types.bool;
- default = false;
- description = "Whether to open the firewall for port ${builtins.toString cfg.port}";
- };
- };
-
- config = lib.mkIf cfg.enable {
- services.restic.server = {
- enable = true;
- dataDir = cfg.rootDir;
- listenAddress = "0.0.0.0:${builtins.toString cfg.port}";
- extraFlags = ["--no-auth"];
- };
-
- networking.firewall.allowedTCPPorts =
- lib.mkIf cfg.openFirewall [cfg.port];
-
- # TODO: This should be moved
- systemd.services.restic-rest-server.unitConfig = {
- Requires = lib.mkForce ["network.target"];
- After = lib.mkForce ["network.target"];
- };
- };
-}