chore(hosts): restructure

Malte Tammena 2024-01-15 15:59:54 +01:00
parent b289df3d50
commit 9df7c3692b
15 changed files with 64 additions and 92 deletions


@ -83,11 +83,9 @@
]; ];
# The list of all hosts known to me # The list of all hosts known to me
listOfHosts = let listOfHosts = let
removeSuffix = builtins.replaceStrings [".nix"] [""];
hostDir = builtins.readDir ./hosts; hostDir = builtins.readDir ./hosts;
hostFileNames = builtins.attrNames hostDir;
in in
map removeSuffix hostFileNames; builtins.attrNames hostDir;
in in
flake-parts.lib.mkFlake {inherit inputs;} { flake-parts.lib.mkFlake {inherit inputs;} {
# Flake-parts modules to use # Flake-parts modules to use
@ -178,7 +176,7 @@
value = inputs.nixpkgs.lib.nixosSystem { value = inputs.nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
specialArgs = {inherit inputs;}; specialArgs = {inherit inputs;};
modules = modulesSharedByAllSystems ++ [{nixpkgs.overlays = overlaysSharedByAll;} ./hosts/${name}.nix]; modules = modulesSharedByAllSystems ++ [{nixpkgs.overlays = overlaysSharedByAll;} ./hosts/${name}/default.nix];
}; };
}; };
in in
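Review bot: `listOfHosts` now treats every entry of `./hosts` as a host, so a stray file in that directory (an editor backup, a README) becomes a host name whose `./hosts/${name}/default.nix` does not exist and breaks evaluation of the host set built in the second hunk. `builtins.readDir` returns the entry type, so filter on it: `builtins.attrNames (inputs.nixpkgs.lib.filterAttrs (_: type: type == "directory") hostDir);` in place of `builtins.attrNames hostDir;`. The enclosing `let` starts before the hunk, so whether a shorter `lib` binding already exists there is not visible; `inputs.nixpkgs.lib` is what the second hunk uses.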


@ -1,13 +1,9 @@
{ {pkgs, ...}: {
config,
pkgs,
...
}: {
imports = [ imports = [
../hardware/intel-nuc.nix ../../hardware/intel-nuc.nix
]; ];
config = let config = let
hashes = builtins.import ../hashes.nix; hashes = builtins.import ../../hashes.nix;
in { in {
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;


@ -14,7 +14,7 @@
networking.firewall.enable = false; networking.firewall.enable = false;
settings.ssh.openOutsideVPN = true; settings.ssh.openOutsideVPN = true;
users.users.nixos.openssh.authorizedKeys.keyFiles = [../users/malte/yubikey.pub]; users.users.nixos.openssh.authorizedKeys.keyFiles = [../../users/malte/yubikey.pub];
environment.noXlibs = false; environment.noXlibs = false;


@ -9,18 +9,19 @@
in { in {
imports = [ imports = [
inputs.nixos-hardware.nixosModules.common-cpu-intel #-cpu-only inputs.nixos-hardware.nixosModules.common-cpu-intel #-cpu-only
../modules/nginx-reverse-proxy.nix ../../modules/nginx-reverse-proxy.nix
../hardware/asrock-z370-i3-black-box.nix ../../hardware/asrock-z370-i3-black-box.nix
./faunus-ater/modules/gogs.nix ./modules/gogs.nix
./faunus-ater/modules/home-assistant.nix ./modules/home-assistant.nix
./faunus-ater/modules/hydra.nix ./modules/hydra.nix
./faunus-ater/modules/komga.nix ./modules/komga.nix
./faunus-ater/modules/nix-serve.nix ./modules/nix-serve.nix
./faunus-ater/modules/mealie.nix ./modules/mealie.nix
./faunus-ater/modules/paperless.nix ./modules/paperless.nix
./faunus-ater/modules/photoprism.nix ./modules/photoprism.nix
./faunus-ater/modules/timetagger.nix ./modules/timetagger.nix
./faunus-ater/modules/trilium.nix ./modules/trilium.nix
./modules/restic.nix
]; ];
config = { config = {
networking.hostName = "faunus-ater"; networking.hostName = "faunus-ater";
@ -42,7 +43,6 @@ in {
services.zfs.autoScrub.enable = true; services.zfs.autoScrub.enable = true;
services.zfs.autoScrub.pools = ["rpool"]; services.zfs.autoScrub.pools = ["rpool"];
# === Additional services ===
services.fwupd.enable = true; services.fwupd.enable = true;
powerManagement = { powerManagement = {
enable = true; enable = true;
@ -50,6 +50,7 @@ in {
cpuFreqGovernor = "powersave"; cpuFreqGovernor = "powersave";
}; };
# === PODMAN ===
virtualisation.oci-containers.backend = "podman"; virtualisation.oci-containers.backend = "podman";
virtualisation.podman = { virtualisation.podman = {
enable = true; enable = true;
@ -65,13 +66,6 @@ in {
}; };
}; };
# === Restic User Backup ===
services.resticConfigured = {
enable = true;
rootDir = "/data/dirty/restic";
openFirewall = true;
};
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# === BACKUPS === # === BACKUPS ===
@ -93,12 +87,13 @@ in {
}; };
# === RUNTIME SECRETS === # === RUNTIME SECRETS ===
sops.defaultSopsFile = ../secrets/hosts/faunus-ater/secrets.yaml; sops.defaultSopsFile = ../../secrets/hosts/faunus-ater/secrets.yaml;
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
sops.secrets = { sops.secrets = {
"internal-restic-password" = {}; "internal-restic-password" = {};
}; };
# === SERVICE EXPOSURE ===
# All services that run here, that should be exposed need to be exposed on the VPN # All services that run here, that should be exposed need to be exposed on the VPN
networking.firewall.interfaces.${config.services.tailscale.interfaceName}.allowedTCPPorts = let networking.firewall.interfaces.${config.services.tailscale.interfaceName}.allowedTCPPorts = let
selectPort = _: config: config.port; selectPort = _: config: config.port;


@ -84,6 +84,10 @@
sslCertificateKey = config.sops.secrets."certificate-key-hydra-tammena-me".path; sslCertificateKey = config.sops.secrets."certificate-key-hydra-tammena-me".path;
sslCertificate = pkgs.writeText "hydra-tammena-me.crt" (builtins.readFile ../../../secrets/pub/hydra-tammena-me.crt); sslCertificate = pkgs.writeText "hydra-tammena-me.crt" (builtins.readFile ../../../secrets/pub/hydra-tammena-me.crt);
serverAliases = [
"hydra.home"
];
locations."/" = { locations."/" = {
proxyPass = "http://localhost:${builtins.toString config.services.hydra.port}"; proxyPass = "http://localhost:${builtins.toString config.services.hydra.port}";
}; };
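Review bot: The alias `hydra.home` is added to a virtual host whose certificate is `hydra-tammena-me.crt` (the line above the alias), so a client connecting via the alias will get a name mismatch unless that certificate also carries `hydra.home` as a subject alternative name; the same applies to `read.home` in the following section. If the alias is meant for plain-HTTP access on the local network it needs its own virtual host rather than a name on this TLS one. The virtual host definition starts before the hunk, so whether `forceSSL` is set on it is not visible here.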


@ -16,6 +16,10 @@
sslCertificateKey = config.sops.secrets."certificate-key-read-tammena-me".path; sslCertificateKey = config.sops.secrets."certificate-key-read-tammena-me".path;
sslCertificate = pkgs.writeText "read-tammena-me.crt" (builtins.readFile ../../../secrets/pub/read-tammena-me.crt); sslCertificate = pkgs.writeText "read-tammena-me.crt" (builtins.readFile ../../../secrets/pub/read-tammena-me.crt);
serverAliases = [
"read.home"
];
locations."/" = { locations."/" = {
proxyPass = "http://[::1]:${builtins.toString config.services.komga.port}"; proxyPass = "http://[::1]:${builtins.toString config.services.komga.port}";
proxyWebsockets = true; proxyWebsockets = true;


@ -0,0 +1,19 @@
{lib, ...}: let
port = 8000;
in {
services.restic.server = {
enable = true;
dataDir = "/data/dirty/restic";
listenAddress = "0.0.0.0:${builtins.toString port}";
extraFlags = ["--no-auth"];
};
# Open firewall
networking.firewall.allowedTCPPorts = [port];
# TODO: This should be moved
systemd.services.restic-rest-server.unitConfig = {
Requires = lib.mkForce ["network.target"];
After = lib.mkForce ["network.target"];
};
}
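Review bot: The rest server listens on `0.0.0.0:8000` with `--no-auth`, and `networking.firewall.allowedTCPPorts = [port];` opens that port on every interface, so any host that can reach this machine can read, write and delete repository data without credentials. The host's own `default.nix` states that exposed services belong on the VPN interface, so this rule should follow that pattern: take `config` in the module arguments (`{lib, config, ...}: let`) and use `networking.firewall.interfaces.${config.services.tailscale.interfaceName}.allowedTCPPorts = [port];`. The removed `resticConfigured` module at least gated the firewall rule behind `openFirewall`; with that gate gone, adding the rest-server's `--append-only` flag would also bound what an unauthenticated client can destroy. The carried-over `# TODO: This should be moved` says neither where nor why; `# TODO: move this ordering override next to the service; it makes the unit wait for network.target only` would tell the next reader what is being overridden.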


@ -4,15 +4,15 @@
config, config,
... ...
}: let }: let
state = builtins.import ../state.nix; state = builtins.import ../../state.nix;
mkVirtHost = lib.attrsets.recursiveUpdate { mkVirtHost = lib.attrsets.recursiveUpdate {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
}; };
in { in {
imports = [ imports = [
../hardware/netcup-vps-200-g10.nix ../../hardware/netcup-vps-200-g10.nix
../modules/nginx-reverse-proxy.nix ../../modules/nginx-reverse-proxy.nix
]; ];
config = { config = {
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
@ -30,13 +30,13 @@ in {
}; };
}; };
sops.defaultSopsFile = ../secrets/hosts/granodomus-lima/secrets.yaml; sops.defaultSopsFile = ../../secrets/hosts/granodomus-lima/secrets.yaml;
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
services.fail2ban = { services.fail2ban = {
enable = true; enable = true;
ignoreIP = let ignoreIP = let
vpn = (builtins.import ../state.nix).vpn; vpn = state.vpn;
extractIPs = _: config: [config.v4 config.v6]; extractIPs = _: config: [config.v4 config.v6];
in in
lib.flatten (lib.attrsets.mapAttrsToList extractIPs vpn); lib.flatten (lib.attrsets.mapAttrsToList extractIPs vpn);


@ -11,9 +11,9 @@
inputs.nixos-hardware.nixosModules.common-pc-laptop-acpi_call inputs.nixos-hardware.nixosModules.common-pc-laptop-acpi_call
inputs.self.nixosModules.homeManagerConfig inputs.self.nixosModules.homeManagerConfig
inputs.custom-udev-rules.nixosModule inputs.custom-udev-rules.nixosModule
../hardware/thinkpad-p1-gen3.nix ../../hardware/thinkpad-p1-gen3.nix
../modules/light-actkbd.nix ../../modules/light-actkbd.nix
../modules/nvidia-fixed.nix ../../modules/nvidia-fixed.nix
]; ];
config = { config = {
@ -167,7 +167,7 @@
services.fwupd.enable = true; services.fwupd.enable = true;
services.devmon.enable = true; services.devmon.enable = true;
sops.defaultSopsFile = ../secrets/hosts/helix-texta/secrets.yaml; sops.defaultSopsFile = ../../secrets/hosts/helix-texta/secrets.yaml;
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
# This value determines the NixOS release from which the default # This value determines the NixOS release from which the default


@ -10,7 +10,7 @@
inputs.nixos-hardware.nixosModules.common-gpu-amd inputs.nixos-hardware.nixosModules.common-gpu-amd
inputs.self.nixosModules.homeManagerConfig inputs.self.nixosModules.homeManagerConfig
inputs.custom-udev-rules.nixosModule inputs.custom-udev-rules.nixosModule
../hardware/aorus.nix ../../hardware/aorus.nix
]; ];
config = { config = {
@ -157,7 +157,7 @@
vial vial
]; ];
sops.defaultSopsFile = ../secrets/hosts/murex-pecten/secrets.yaml; sops.defaultSopsFile = ../../secrets/hosts/murex-pecten/secrets.yaml;
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [


@ -7,8 +7,8 @@
imports = [ imports = [
inputs.self.nixosModules.homeManagerConfig inputs.self.nixosModules.homeManagerConfig
inputs.jovian-nixos.nixosModules.default inputs.jovian-nixos.nixosModules.default
../hardware/steam-deck.nix ../../hardware/steam-deck.nix
../modules/steam.nix ../../modules/steam.nix
]; ];
config = { config = {
boot.loader.systemd-boot = { boot.loader.systemd-boot = {


@ -18,7 +18,7 @@
# TODO: Update and think of some automatic way of keeping this up to date. # TODO: Update and think of some automatic way of keeping this up to date.
boot.kernelPackages = pkgs.linuxPackages_5_15; boot.kernelPackages = pkgs.linuxPackages_5_15;
users.users.nixos.openssh.authorizedKeys.keyFiles = [../users/malte/yubikey.pub]; users.users.nixos.openssh.authorizedKeys.keyFiles = [../../users/malte/yubikey.pub];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
# For special computers # For special computers


@ -8,7 +8,7 @@
inputs.nixos-hardware.nixosModules.common-pc-laptop inputs.nixos-hardware.nixosModules.common-pc-laptop
inputs.nixos-hardware.nixosModules.common-pc-laptop-ssd inputs.nixos-hardware.nixosModules.common-pc-laptop-ssd
inputs.self.nixosModules.homeManagerConfig inputs.self.nixosModules.homeManagerConfig
../hardware/latitude-e7440.nix ../../hardware/latitude-e7440.nix
]; ];
config = { config = {
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;


@ -21,7 +21,6 @@ in {
./marie.nix ./marie.nix
./deck.nix ./deck.nix
./radicale.nix ./radicale.nix
./restic.nix
./wakeup.nix ./wakeup.nix
./state.nix ./state.nix
]; ];


@ -1,43 +0,0 @@
{
lib,
config,
...
}: let
cfg = config.services.resticConfigured;
in {
options.services.resticConfigured = with lib; {
enable = mkEnableOption "Configured Restic rest server service";
rootDir = mkOption {
type = types.str;
description = "Path to use for storage";
};
port = mkOption {
type = types.int;
default = 8000;
description = "Port to use for the rest server";
};
openFirewall = mkOption {
type = types.bool;
default = false;
description = "Whether to open the firewall for port ${builtins.toString cfg.port}";
};
};
config = lib.mkIf cfg.enable {
services.restic.server = {
enable = true;
dataDir = cfg.rootDir;
listenAddress = "0.0.0.0:${builtins.toString cfg.port}";
extraFlags = ["--no-auth"];
};
networking.firewall.allowedTCPPorts =
lib.mkIf cfg.openFirewall [cfg.port];
# TODO: This should be moved
systemd.services.restic-rest-server.unitConfig = {
Requires = lib.mkForce ["network.target"];
After = lib.mkForce ["network.target"];
};
};
}