Initial commit

This commit is contained in:
Nikodem Rabuliński 2023-08-03 14:54:05 +02:00
commit 9661927410
No known key found for this signature in database
GPG key ID: FF629AA9E08138DB
27 changed files with 1091 additions and 0 deletions

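--- a/.envrc
+++ b/.envrc
@@ -0,0 +1 @@
+use flake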

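--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+.direnv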

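--- a/README.md
+++ b/README.md
@@ -0,0 +1,5 @@
+<h1 align="center">
+<ruby>
+雪定<rp>(</rp><rt>せってい</rt><rp>)</rp>
+</ruby>
+</h1>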

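--- a/assets/default.nix
+++ b/assets/default.nix
@@ -0,0 +1,9 @@
+{lib, ...}: {
+options.assets = lib.mkOption {
+type = lib.types.unspecified;
+};
+config.assets = {
+sshKeys = import ./ssh.nix {};
+};
+}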

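--- a/assets/ssh.nix
+++ b/assets/ssh.nix
@@ -0,0 +1,17 @@
+{...}: {
+other = {
+bootstrap = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEvSD7mNn5x+Ras/shxzyRMEhPqKeide3IH39UG6kLMV nikodem@rabulinski.com";
+};
+user = {
+bootstrap-old = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMWVNUo+LRL86T4pv30/J31orpDVIMWCSgh/xvQHon8X openpgp:0xB6AB96F3";
+mobile = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL+j/gYSgLh7FQpAiUzWVIOCCAzZWRHez60p4n0OrGO0gU6tJoBQ6tD2vq8OTa8aj7j2Y++9CSguCn/3T9E6Qbk=";
+hijiri-vm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP6tfXLB6xhcl3rtI5x9NXSs12U4LVy06RRlyZxiORa0 nikodem@rabulinski.com";
+kazuki = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIImsFb9qRxX0n2Bmy00T8iPam+Fc3mgKkm7dfM7AQRHN nikodem@rabulinski.com";
+};
+system = {
+kazuki = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEyYhYWDNmKSrpcslD3NzWW+lQmDcLJdjLh7CSkL4hW5 root@kazuki";
+};
+}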
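Review bot: `user.bootstrap-old` (the entry commented `openpgp:0xB6AB96F3`) is still a member of the `user` set, and both hosts authorize every key in that set via `lib.attrValues config.assets.sshKeys.user`, so a key whose own name marks it as retired keeps SSH login on every machine. If it is superseded, delete it or move it into a set that nothing authorizes; if it is still in use, rename it so the intent is unambiguous. A one-line comment per key naming the device that holds the private half (`mobile` has no comment at all) makes later revocation decisions much easier. Public keys are fine to keep in the repo; the question is only which ones are live.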

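--- a/deploy.nix
+++ b/deploy.nix
@@ -0,0 +1,18 @@
+{
+self,
+lib,
+inputs,
+...
+}: {
+flake.deploy.nodes =
+lib.mapAttrs (name: value: {
+hostname = name;
+sshUser = "niko";
+profiles.system = {
+user = "root";
+path = inputs.deploy-rs.lib.${value.pkgs.stdenv.system}.activate.nixos value;
+};
+remoteBuild = true;
+})
+self.nixosConfigurations;
+}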
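Review bot: the profile activates as `user = "root"` while the SSH login is `sshUser = "niko"`, so deploy-rs has to escalate on the target, and in this commit that only works because of the passwordless wheel sudo granted elsewhere in the repo; that coupling deserves a comment here, e.g. `# activation escalates niko -> root via sudo; relies on the settei sane-defaults NOPASSWD rule`. `remoteBuild = true` means each target evaluates and builds the whole flake itself, so every host needs network access to all flake inputs and to the substituters listed in `nixConfig`; worth stating next to the option. With `hostname = name` the SSH target is the configuration name, which must be resolvable from the deploying machine (for `hijiri-vm` it is not the host's own `networking.hostName`).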

333
flake.lock generated Normal file

@ -0,0 +1,333 @@
{
"nodes": {
"agenix": {
"inputs": {
"darwin": [
"darwin"
],
"home-manager": [
"home-manager"
],
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1690228878,
"narHash": "sha256-9Xe7JV0krp4RJC9W9W9WutZVlw6BlHTFMiUP/k48LQY=",
"owner": "ryantm",
"repo": "agenix",
"rev": "d8c973fd228949736dedf61b7f8cc1ece3236792",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"blobs": {
"flake": false,
"locked": {
"lastModified": 1604995301,
"narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"type": "gitlab"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1691012184,
"narHash": "sha256-AYxPkarxZPs18qSKPjT4t8flmgeyu3DcoLGMkeiWtvk=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "d3529322dcaaddf0c50cb277c9c2a355f3a36a3b",
"type": "github"
},
"original": {
"owner": "lnl7",
"repo": "nix-darwin",
"type": "github"
}
},
"deploy-rs": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": [
"nixpkgs"
],
"utils": "utils"
},
"locked": {
"lastModified": 1686747123,
"narHash": "sha256-XUQK9kwHpTeilHoad7L4LjMCCyY13Oq383CoFADecRE=",
"owner": "serokell",
"repo": "deploy-rs",
"rev": "724463b5a94daa810abfc64a4f87faef4e00f984",
"type": "github"
},
"original": {
"owner": "serokell",
"repo": "deploy-rs",
"type": "github"
}
},
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1690739034,
"narHash": "sha256-roW02IaiQ3gnEEDMCDWL5YyN+C4nBf/te6vfL7rG0jk=",
"owner": "nix-community",
"repo": "disko",
"rev": "4015740375676402a2ee6adebc3c30ea625b9a94",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1668681692,
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "009399224d5e398d03b22badca40a37ac85412a1",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1668681692,
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "009399224d5e398d03b22badca40a37ac85412a1",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1690933134,
"narHash": "sha256-ab989mN63fQZBFrkk4Q8bYxQCktuHmBIBqUG1jl6/FQ=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "59cf3f1447cfc75087e7273b04b31e689a8599fb",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1690982105,
"narHash": "sha256-32AzoLuwhtxBItcULRiCnxRfJcbVXbPZSH9TDVg21mU=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "b2ac1d2c32ac11b8d231d23622cdc4b2f28d07d2",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"mailserver": {
"inputs": {
"blobs": "blobs",
"flake-compat": "flake-compat_2",
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-22_11": "nixpkgs-22_11",
"nixpkgs-23_05": "nixpkgs-23_05",
"utils": "utils_2"
},
"locked": {
"lastModified": 1689976554,
"narHash": "sha256-uWJq3sIhkqfzPmfB2RWd5XFVooGFfSuJH9ER/r302xQ=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
"rev": "c63f6e7b053c18325194ff0e274dba44e8d2271e",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
"type": "gitlab"
}
},
"niko-nur": {
"inputs": {
"flake-parts": [
"flake-parts"
],
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1690830552,
"narHash": "sha256-8n8PipmWZnnE56QlhcGQCKG5cMU8v+NTaFkJzBM6k4w=",
"owner": "nrabulinski",
"repo": "nur-packages",
"rev": "b19fe09dd3f325ff2731b83f230e2573b67db4aa",
"type": "github"
},
"original": {
"owner": "nrabulinski",
"repo": "nur-packages",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1690753480,
"narHash": "sha256-GQgPs8fCh/LsyQoYMUZgT2p7jFVWyHu9p+1Nl/dp8GY=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "9e06dd56947c1dc3dc837c3149bfe02c71a6edd7",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-22_11": {
"locked": {
"lastModified": 1669558522,
"narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-22.11",
"type": "indirect"
}
},
"nixpkgs-23_05": {
"locked": {
"lastModified": 1684782344,
"narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "8966c43feba2c701ed624302b6a935f97bcbdf88",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-23.05",
"type": "indirect"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1691003216,
"narHash": "sha256-Qq/MPkhS12Bl0X060pPvX3v9ac3f2rRQfHjjozPh/Qs=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "4a56ce9727a0c5478a836a0d8a8f641c5b9a3d5f",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"agenix": "agenix",
"darwin": "darwin",
"deploy-rs": "deploy-rs",
"disko": "disko",
"flake-parts": "flake-parts",
"home-manager": "home-manager",
"mailserver": "mailserver",
"niko-nur": "niko-nur",
"nixpkgs": "nixpkgs_2"
}
},
"utils": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"utils_2": {
"locked": {
"lastModified": 1605370193,
"narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5021eac20303a61fafe17224c087f5519baed54d",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

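--- a/flake.nix
+++ b/flake.nix
@@ -0,0 +1,88 @@
+{
+outputs = inputs @ {flake-parts, ...}:
+flake-parts.lib.mkFlake {inherit inputs;} {
+systems = [
+"x86_64-linux"
+"aarch64-linux"
+"aarch64-darwin"
+];
+imports = [
+./assets
+./hosts
+./modules
+./deploy.nix
+];
+perSystem = {
+pkgs,
+inputs',
+...
+}: {
+devShells.default = pkgs.mkShellNoCC {
+packages = [inputs'.deploy-rs.packages.deploy-rs inputs'.agenix.packages.agenix];
+};
+formatter = pkgs.alejandra;
+};
+};
+inputs = {
+nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable";
+flake-parts = {
+url = "github:hercules-ci/flake-parts";
+inputs.nixpkgs-lib.follows = "nixpkgs";
+};
+disko = {
+url = "github:nix-community/disko";
+inputs.nixpkgs.follows = "nixpkgs";
+};
+home-manager = {
+url = "github:nix-community/home-manager";
+inputs.nixpkgs.follows = "nixpkgs";
+};
+deploy-rs = {
+url = "github:serokell/deploy-rs";
+inputs.nixpkgs.follows = "nixpkgs";
+};
+niko-nur = {
+url = "github:nrabulinski/nur-packages";
+inputs = {
+# Not overriding nixpkgs to get cache hits
+# nixpkgs.follows = "nixpkgs";
+flake-parts.follows = "flake-parts";
+};
+};
+darwin = {
+url = "github:lnl7/nix-darwin";
+inputs.nixpkgs.follows = "nixpkgs";
+};
+agenix = {
+url = "github:ryantm/agenix";
+inputs = {
+nixpkgs.follows = "nixpkgs";
+darwin.follows = "darwin";
+home-manager.follows = "home-manager";
+};
+};
+mailserver = {
+url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
+inputs.nixpkgs.follows = "nixpkgs";
+};
+};
+nixConfig = {
+extra-substituters = [
+"https://hyprland.cachix.org"
+"https://cache.garnix.io"
+"https://nix-community.cachix.org"
+"https://cache.nixos.org/"
+];
+trusted-public-keys = [
+"hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
+"cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
+"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+];
+};
+}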
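Review bot: `trusted-public-keys` in `nixConfig` asks every user of this flake to trust two third-party signing keys, and `hyprland.cachix.org` has no corresponding input anywhere in this commit, so that key extends trust for no benefit; drop it, or leave a comment naming the input that needs it. A key in this list lets any store path signed by it be substituted in place of a local build, so the list should stay minimal and each entry justified. The `niko-nur` input deliberately does not follow `nixpkgs` (per `# Not overriding nixpkgs to get cache hits`), which is why the lock file carries two nixpkgs revisions; a reasonable trade, but it doubles the nixpkgs surface that has to be kept current.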

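--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -0,0 +1,34 @@
+{
+config,
+self,
+inputs,
+lib,
+...
+}: {
+mappers = {
+nixos = module: {
+modules = [
+inputs.agenix.nixosModules.age
+inputs.disko.nixosModules.disko
+inputs.mailserver.nixosModules.default
+self.nixosModules.settei
+{
+settei = {
+username = "niko";
+sane-defaults.enable = true;
+flake-qol = {
+enable = true;
+inherit inputs;
+};
+};
+}
+module
+];
+};
+};
+imports = [
+./kazuki
+./hijiri-vm
+];
+}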


@ -0,0 +1,30 @@
{
self,
inputs,
config,
...
}: {
configurations.nixos.hijiri-vm = {
modulesPath,
lib,
username,
...
}: {
imports = [
"${modulesPath}/profiles/qemu-guest.nix"
(import ./disks.nix {})
];
boot = {
supportedFilesystems = ["btrfs"];
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
};
nixpkgs.system = "aarch64-linux";
users.users.${username}.openssh.authorizedKeys.keys = lib.attrValues config.assets.sshKeys.user;
networking.domain = "hijiri";
networking.hostName = "vm";
};
}
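Review bot: `networking.hostName = "vm"` with `networking.domain = "hijiri"` makes the machine call itself `vm.hijiri`, while the deploy node built from this configuration's name targets `hijiri-vm`; that name has to resolve on the deploying machine (presumably via SSH config), and a comment saying so would save the next person a failed deploy. The authorized-keys line grants login to every key in `assets.sshKeys.user`, including the one named `bootstrap-old`, so pruning that set is what actually controls access here. The file name is inferred from `configurations.nixos.hijiri-vm`, since the section header is missing from this view.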

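--- a/hosts/hijiri-vm/disks.nix
+++ b/hosts/hijiri-vm/disks.nix
@@ -0,0 +1,42 @@
+{bootDevice ? "/dev/vda", ...}: {
+disko.devices.disk.bootDisk = {
+type = "disk";
+device = bootDevice;
+content = {
+type = "table";
+format = "gpt";
+partitions = [
+{
+name = "EFI";
+start = "1MiB";
+end = "128MiB";
+fs-type = "fat32";
+bootable = true;
+content = {
+type = "filesystem";
+format = "vfat";
+mountpoint = "/boot";
+};
+}
+{
+name = "LINUX";
+start = "128MiB";
+end = "100%";
+content = {
+type = "btrfs";
+extraArgs = ["-f"];
+subvolumes = let
+mountOptions = ["compress=zstd" "noatime"];
+in {
+"/root" = {
+inherit mountOptions;
+mountpoint = "/";
+};
+"/nix" = {inherit mountOptions;};
+};
+};
+}
+];
+};
+};
+}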

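--- a/hosts/kazuki/conduit.nix
+++ b/hosts/kazuki/conduit.nix
@@ -0,0 +1,97 @@
+{
+config,
+pkgs,
+inputs',
+...
+}: let
+formatJson = pkgs.formats.json {};
+in {
+services.matrix-conduit = {
+enable = true;
+package = inputs'.niko-nur.packages.conduit-latest;
+settings.global = {
+server_name = "nrab.lol";
+database_backend = "rocksdb";
+allow_registration = false;
+};
+};
+systemd.services.conduit.serviceConfig.LimitNOFILE = 8192;
+security.acme = {
+acceptTerms = true;
+defaults.email = "nikodem@rabulinski.com";
+};
+users.users.nginx.extraGroups = ["acme"];
+networking.firewall.allowedTCPPorts = [80 443 8448 2222];
+services.nginx = {
+enable = true;
+recommendedProxySettings = true;
+virtualHosts = {
+"nrab.lol" = {
+forceSSL = true;
+enableACME = true;
+locations."=/.well-known/matrix/server" = {
+alias = formatJson.generate "well-known-matrix-server" {
+"m.server" = "matrix.nrab.lol";
+};
+extraConfig = ''
+default_type application/json;
+add_header Access-Control-Allow-Origin "*";
+'';
+};
+locations."=/.well-known/matrix/client" = {
+alias = formatJson.generate "well-known-matrix-client" {
+"m.homeserver" = {
+"base_url" = "https://matrix.nrab.lol";
+};
+};
+extraConfig = ''
+default_type application/json;
+add_header Access-Control-Allow-Origin "*";
+'';
+};
+};
+"matrix.nrab.lol" = {
+forceSSL = true;
+enableACME = true;
+listen = [
+{
+addr = "0.0.0.0";
+port = 80;
+}
+{
+addr = "0.0.0.0";
+port = 443;
+ssl = true;
+}
+{
+addr = "0.0.0.0";
+port = 8448;
+ssl = true;
+}
+];
+extraConfig = ''
+merge_slashes off;
+'';
+locations."/_matrix/" = {
+proxyPass = "http://backend_conduit$request_uri";
+proxyWebsockets = true;
+extraConfig = ''
+proxy_set_header Host $host;
+proxy_buffering off;
+'';
+};
+};
+};
+upstreams."backend_conduit".servers = {
+"localhost:${toString config.services.matrix-conduit.settings.global.port}" = {};
+};
+};
+}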
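Review bot: nginx is enabled with `recommendedProxySettings = true` but not `recommendedTlsSettings`, so the `nrab.lol` and `matrix.nrab.lol` vhosts, including the federation listener on 8448, get nginx's stock TLS protocol and cipher configuration rather than the hardened set; add `recommendedTlsSettings = true;` beside it. Uploads larger than nginx's default 1 MiB body limit will be rejected before they reach conduit's media endpoint under `/_matrix/`, so `client_max_body_size` on that location should be set to match conduit's request-size limit. `allowedTCPPorts` here includes 2222, yet nothing in this commit listens on that port (sshd keeps its default and opens it itself); drop it until something uses it. The `*` CORS header on the two well-known responses is what the Matrix spec expects, not a defect.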

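--- a/hosts/kazuki/default.nix
+++ b/hosts/kazuki/default.nix
@@ -0,0 +1,32 @@
+{
+config,
+self,
+...
+}: {
+configurations.nixos.kazuki = {
+modulesPath,
+lib,
+username,
+...
+}: {
+imports = [
+"${modulesPath}/profiles/qemu-guest.nix"
+(import ./disks.nix {})
+./conduit.nix
+./mail.nix
+./vault.nix
+];
+nixpkgs.system = "aarch64-linux";
+users.users.${username}.openssh.authorizedKeys.keys = lib.attrValues config.assets.sshKeys.user;
+boot = {
+supportedFilesystems = ["btrfs"];
+loader.systemd-boot.enable = true;
+loader.systemd-boot.configurationLimit = 1;
+loader.efi.canTouchEfiVariables = true;
+};
+};
+}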
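Review bot: `loader.systemd-boot.configurationLimit = 1` leaves exactly one entry in the boot menu, so a deploy that produces a generation that fails to boot (kernel, initrd or disk-layout change) cannot be undone from the bootloader, and deploy-rs's rollback only helps once the system is already up. Keep a couple of generations, e.g. `loader.systemd-boot.configurationLimit = 3;`, and reclaim space with garbage collection instead. If the 127 MiB `/boot` partition from disks.nix is the motivation, a comment saying so would explain the choice; two or three aarch64 kernel+initrd pairs usually still fit, but that depends on the kernel build and is worth checking.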

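--- a/hosts/kazuki/disks.nix
+++ b/hosts/kazuki/disks.nix
@@ -0,0 +1,51 @@
+{bootDevice ? "/dev/sda", ...}: {
+disko.devices.disk.bootDisk = {
+type = "disk";
+device = bootDevice;
+content = {
+type = "table";
+format = "gpt";
+partitions = [
+{
+name = "EFI";
+start = "1MiB";
+end = "128MiB";
+fs-type = "fat32";
+bootable = true;
+content = {
+type = "filesystem";
+format = "vfat";
+mountpoint = "/boot";
+};
+}
+{
+name = "LINUX";
+start = "128MiB";
+end = "-4G";
+content = {
+type = "btrfs";
+extraArgs = ["-f"];
+subvolumes = let
+mountOptions = ["compress=zstd" "noatime"];
+in {
+"/root" = {
+inherit mountOptions;
+mountpoint = "/";
+};
+"/nix" = {inherit mountOptions;};
+};
+};
+}
+{
+name = "SWAP";
+start = "-4G";
+end = "100%";
+content = {
+type = "swap";
+randomEncryption = true;
+};
+}
+];
+};
+};
+}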
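Review bot: the `LINUX` btrfs partition, which on this host ends up holding the mail store, the vaultwarden database and conduit's RocksDB, is created unencrypted, while only `SWAP` gets `randomEncryption = true`. If at-rest protection is a goal for this machine, wrap the data partition in LUKS via disko's `content.type = "luks"` (which needs a key source reachable at boot on a headless VM); if it is deliberately not a goal, a one-line comment saying so stops the question from coming up on every review. `randomEncryption` also rules out hibernation, which is fine for a server but worth noting next to it.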

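--- a/hosts/kazuki/mail.nix
+++ b/hosts/kazuki/mail.nix
@@ -0,0 +1,28 @@
+{config, ...}: {
+age.secrets = {
+leet-nrab-lol.file = ../../secrets/leet-nrab-lol-pass.age;
+alert-nrab-lol.file = ../../secrets/alert-nrab-lol-pass.age;
+};
+users.users.nginx.extraGroups = ["acme"];
+networking.firewall.allowedTCPPorts = [80 443 8448 2222];
+mailserver = {
+enable = true;
+fqdn = "mail.nrab.lol";
+domains = ["nrab.lol"];
+loginAccounts = {
+"1337@nrab.lol" = {
+hashedPasswordFile = config.age.secrets.leet-nrab-lol.path;
+};
+"alert@nrab.lol" = {
+hashedPasswordFile = config.age.secrets.alert-nrab-lol.path;
+sendOnly = true;
+sendOnlyRejectMessage = "";
+};
+};
+certificateScheme = "acme-nginx";
+};
+}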
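Review bot: `networking.firewall.allowedTCPPorts = [80 443 8448 2222]` is repeated verbatim here, in conduit.nix and in vault.nix, and nothing in this commit configures a listener on 2222 (sshd keeps its default port and opens it through its own module), so 2222 is either a leftover or the `services.openssh.ports` change that needs it is missing. Define the list once where the services that use those ports live (the HTTP and federation ports belong next to nginx) and drop 2222 until something listens there. The mailserver module opens its own SMTP/IMAP ports, so nothing mail-specific is missing from this list. `sendOnlyRejectMessage = ""` is valid, but a short reason helps whoever mails the alert address; not a blocker.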

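--- a/hosts/kazuki/vault.nix
+++ b/hosts/kazuki/vault.nix
@@ -0,0 +1,34 @@
+{config, ...}: {
+age.secrets.vault-cert-env.file = ../../secrets/vault-cert-env.age;
+services.vaultwarden = {
+enable = true;
+config = {
+ROCKET_PORT = 60001;
+};
+};
+users.users.nginx.extraGroups = ["acme"];
+networking.firewall.allowedTCPPorts = [80 443 8448 2222];
+services.nginx = {
+enable = true;
+recommendedProxySettings = true;
+virtualHosts."vault.rabulinski.com" = {
+forceSSL = true;
+enableACME = true;
+locations."/" = {
+proxyPass = "http://vaultwarden";
+};
+};
+upstreams.vaultwarden.servers = {
+"localhost:${toString config.services.vaultwarden.config.ROCKET_PORT}" = {};
+};
+};
+security.acme.certs."valut.rabulinski.com" = {
+dnsProvider = "cloudflare";
+credentialsFile = config.age.secrets.vault-cert-env.path;
+};
+}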
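Review bot: the ACME entry is keyed `"valut.rabulinski.com"` while the vhost is `vault.rabulinski.com`, so the Cloudflare DNS-01 settings and `credentialsFile` apply to a certificate nothing serves and the real vhost falls back to the default HTTP-01 challenge; fix the typo. Vaultwarden is deployed with only `ROCKET_PORT` set, so it keeps its upstream defaults, which as far as I recall means registration is open (`SIGNUPS_ALLOWED` true) on a public hostname and the listener binds all interfaces rather than loopback; set `SIGNUPS_ALLOWED = false`, `ROCKET_ADDRESS = "127.0.0.1"` and `DOMAIN` explicitly, and consider an admin token via an environment file (the commented-out `bitwarden-env-file.age` in secrets.nix suggests that was the plan). The Cloudflare credential should be an API token scoped to DNS edits on that one zone rather than a global key; that cannot be checked from here.

```nix
services.vaultwarden = {
  enable = true;
  config = {
    DOMAIN = "https://vault.rabulinski.com";
    SIGNUPS_ALLOWED = false;
    ROCKET_ADDRESS = "127.0.0.1";
    ROCKET_PORT = 60001;
  };
};
# … unchanged: nginx vhost and upstream …
security.acme.certs."vault.rabulinski.com" = {
  dnsProvider = "cloudflare";
  credentialsFile = config.age.secrets.vault-cert-env.path;
};
```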

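--- a/modules/default.nix
+++ b/modules/default.nix
@@ -0,0 +1,6 @@
+{...}: {
+imports = [
+./nixos
+./flake
+];
+}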


@ -0,0 +1,102 @@
{
nixpkgs,
darwin,
home-manager,
}: {
config,
lib,
flake-parts-lib,
...
}: let
inherit (lib) mkOption mapAttrs;
inherit (flake-parts-lib) mkSubmoduleOptions;
possibleConfigurations = {
nixos = {};
darwin = {};
home = {};
};
in {
_file = ./configurations.nix;
options = {
# Those functions take the final arguments and emit a valid configuration.
# Probably should hardly ever be overriden
builders = {
nixos = mkOption {
type = lib.types.functionTo lib.types.unspecified;
default = nixpkgs.lib.nixosSystem;
};
darwin = mkOption {
type = lib.types.functionTo lib.types.unspecified;
default = darwin.lib.darwinSystem;
};
home = mkOption {
type = lib.types.functionTo lib.types.unspecified;
default = home-manager.lib.homeManagerConfiguration;
};
};
# Those functions map the value of the configuration attribute
# and emit a list of arguments to be passed to respected evalModules
mappers =
mapAttrs
(_: _:
mkOption {
type = lib.types.functionTo lib.types.attrs;
default = lib.id;
})
possibleConfigurations;
configurations = {
nixos = mkOption {
type = lib.types.unspecified;
default = {};
};
darwin = mkOption {
type = lib.types.unspecified;
default = {};
};
home = mkOption {
type = lib.types.unspecified;
default = {};
};
};
# This is exposed so that it's possible to modify the arguments that get passed to a builder
# after they have been mapped. Probably shouldn't do it. Probably should remove it or make it read-only
configurationOptions =
mapAttrs
(_: _:
mkOption {
type = lib.types.attrsOf lib.types.attrs;
})
possibleConfigurations;
};
config = {
configurationOptions =
mapAttrs
(
name: _:
mapAttrs
(configurationName: val: let
mapped = config.mappers.${name} val;
# TODO: specialArgs is actually extraSpecialArgs in home-manager.
# At which level should that be handled?
defaultArgs = {
specialArgs = {inherit configurationName;};
};
in
lib.recursiveUpdate defaultArgs mapped)
config.configurations.${name}
)
possibleConfigurations;
flake = {
nixosConfigurations =
mapAttrs
(_: args: config.builders.nixos args)
config.configurationOptions.nixos;
};
};
}
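Review bot: `builders.darwin`, `builders.home` and the matching `configurations.*` options are declared, but only `nixosConfigurations` is ever emitted under `flake`, so any `configurations.darwin` or `configurations.home` entry is evaluated into `configurationOptions` and then silently dropped; either wire `darwinConfigurations`/`homeConfigurations` the same way or mark the two as not yet exported in a comment. The comment above `configurationOptions` already says it should probably be read-only; `readOnly = true;` on that `mkOption` does exactly that and stops callers from depending on overriding it. None of the `mkOption` calls carry a `description`, which flake-parts can render into option docs; a one-liner each is cheap. File name inferred from `_file = ./configurations.nix`, as the section header is missing from this view.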

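--- a/modules/flake/default.nix
+++ b/modules/flake/default.nix
@@ -0,0 +1,15 @@
+{
+flake-parts-lib,
+lib,
+inputs,
+...
+}: let
+inherit (flake-parts-lib) importApply;
+flakeModules = {
+configurations = importApply ./configurations.nix {inherit (inputs) nixpkgs darwin home-manager;};
+};
+in {
+imports = lib.attrValues flakeModules;
+flake = {inherit flakeModules;};
+}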


@ -0,0 +1,3 @@
{config, ...}: {
flake.nixosModules.settei = import ./settei {inherit (config) perInput;};
}


@ -0,0 +1,16 @@
{perInput}: {
lib,
config,
...
}: {
imports = [
./sane-defaults.nix
(import ./flake-qol.nix {inherit perInput;})
];
options.settei = with lib; {
username = mkOption {
type = types.str;
};
};
}


@ -0,0 +1,45 @@
{perInput}: {
config,
lib,
pkgs,
...
}: let
cfg = config.settei.flake-qol;
in {
_file = ./flake-qol.nix;
options.settei.flake-qol = with lib; {
enable = lib.mkEnableOption "QoL defaults when using flakes";
reexportAsArgs = mkOption {
type = types.bool;
default = true;
};
inputs = mkOption {
type = types.unspecified;
};
inputs-flakes = mkOption {
type = types.attrs;
readOnly = true;
};
inputs' = mkOption {
type = types.attrs;
readOnly = true;
};
};
config = lib.mkIf cfg.enable {
settei.flake-qol = {
inputs-flakes = lib.filterAttrs (_: input: input ? flake -> input.flake) cfg.inputs;
inputs' = lib.mapAttrs (_: perInput pkgs.stdenv.system) cfg.inputs-flakes;
};
_module.args = lib.mkIf cfg.reexportAsArgs {
inherit (cfg) inputs inputs-flakes inputs';
};
nix = {
registry = lib.mapAttrs (_: flake: {inherit flake;}) cfg.inputs-flakes;
nixPath = map (name: "${name}=flake:${name}") (lib.attrNames cfg.inputs-flakes);
};
};
}
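Review bot: none of the options under `options.settei.flake-qol` carry a `description`, and the `nix.registry` / `nix.nixPath` block is the part a reader most needs explained: it registers every flake input of the configuration as a system-wide registry entry and `NIX_PATH` channel, so ad-hoc `nix run nixpkgs#foo` or `<nixpkgs>` lookups on the host resolve to the same locked revision the system closure was built from. A comment such as `# Pin the registry and NIX_PATH to the locked inputs so ad-hoc nix commands on the host use the same revisions as the system closure` above `nix = {` would capture that. `inputs-flakes` keeps only inputs that are flakes (`input ? flake -> input.flake`), which is why non-flake inputs never reach the registry; that also deserves a line. File name inferred from `_file = ./flake-qol.nix`, as the section header is missing from this view.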


@ -0,0 +1,57 @@
{
lib,
config,
...
} @ args: {
_file = ./sane-defaults.nix;
options.settei.sane-defaults = {
enable = lib.mkEnableOption "Personal sane defaults";
};
config = lib.mkIf config.settei.sane-defaults.enable (let
cfg = config.settei;
inherit (cfg) username;
in {
_module.args = {
username = lib.mkDefault username;
};
hardware.enableRedistributableFirmware = true;
services.openssh.enable = true;
services.tailscale.enable = true;
programs.mosh.enable = lib.mkDefault true;
users = {
mutableUsers = false;
users.${username} = {
isNormalUser = true;
home = "/home/${username}";
group = username;
extraGroups = ["wheel"];
};
groups.${username} = {};
};
networking.hostName = lib.mkDefault (
args.configurationName
or (throw "pass configurationName to module arguments or set networking.hostName yourself")
);
time.timeZone = lib.mkDefault "Europe/Warsaw";
nix = {
settings = {
experimental-features = ["nix-command" "flakes" "repl-flake" "auto-allocate-uids"];
trusted-users = [username];
auto-allocate-uids = true;
};
};
# TODO: Actually this should be extraRules which makes wheel users without any password set
# be able to use sudo with no password
security.sudo.wheelNeedsPassword = false;
system.stateVersion = "22.05";
});
}
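Review bot: `services.openssh.enable = true` leaves the NixOS defaults for password and keyboard-interactive authentication in place on a module that is applied to every host; the users it creates have no password (`mutableUsers = false`, no `hashedPassword`), so password login cannot succeed today, but it should be disabled explicitly so that a future account with a password does not quietly become brute-forceable: `services.openssh.settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; };`. `security.sudo.wheelNeedsPassword = false` applies to all of `wheel` rather than to `${username}`; the TODO already names `extraRules` as the intended shape, and since `nix.settings.trusted-users = [username]` makes that account root-equivalent for the Nix daemon anyway, the two decisions belong together in one comment. `system.stateVersion = "22.05"` is set without `mkDefault`, so a host installed later cannot set its own value without `mkForce`. File name inferred from `_file = ./sane-defaults.nix`, as the section header is missing from this view.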


@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 84j9mw jmpsgact3iy0+A1ggWzK98D1e7R/44F9TgzFSg6BIWA
K6S7UNkJNh859EgPdMTpYol4vaSD0nfjsu6SMk9F5Vo
-> ssh-ed25519 GKhvwg YGAiny4ZXIqplrdFqETxB4chp9IqJt5fHb+NK4Bvan0
0rgp0zJiGX5t4x/FKoLDJWMJW1hPsfVNMd4bPmv6Xdo
-> }Z-grease dI \ a^Wyct @c5
H3cGSMZsNUPMewieU4NK6zr4IlLt+hivE3FnRBrNzll7WGBd942TAFQ8YRa9sIbJ
b9mvv1dqYmoS7MBVAGJvLgaX
--- C9QLdKcJPuN/raiGvmopHeYM2tnURzDMzV8DRAmffR0
`0œDå±þ`Voœß/ü§Ä೯‰T~{({Ô:¨××hx­“šj^þBnÆ'TÓ0[€UÐg=_DDÿUþ!¼·-­¶õ5B ZŒÄ:<3A>s³}PF¥æÑfàh

Binary file not shown.

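--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -0,0 +1,8 @@
+let
+keys = import ../assets/ssh.nix {};
+in {
+"leet-nrab-lol-pass.age".publicKeys = [keys.system.kazuki keys.other.bootstrap];
+"alert-nrab-lol-pass.age".publicKeys = [keys.system.kazuki keys.other.bootstrap];
+"vault-cert-env.age".publicKeys = [keys.system.kazuki keys.other.bootstrap];
+# "bitwarden-env-file.age".publicKeys = [keys.system.kazuki keys.other.bootstrap];
+}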
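Review bot: every secret is encrypted to the same two recipients, `keys.system.kazuki` and `keys.other.bootstrap`, so the bootstrap key is the only human-held key that can decrypt them and losing it leaves the host key as the sole route to rekeying; either say so in a comment or add a second recovery recipient. Factor the list once, e.g. `kazukiSecret = [keys.system.kazuki keys.other.bootstrap];` in the `let`, so that adding a recipient cannot miss a secret. Reinstalling kazuki through disko regenerates its host key, after which an `agenix -r` with the new public key is needed before any of these files are readable on the host; worth a line here. The commented-out `bitwarden-env-file.age` entry should be removed or tracked as a TODO.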


@ -0,0 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 84j9mw 13PBQImkhu4ivVTaeHWkpRfidgOFF7FBLD18amn5+Xs
ZeZhuWZqI8Poa1ROlaYAXkr6QBM4355lWpYaHAtaTP8
-> ssh-ed25519 GKhvwg gSXVzlieRXepW8s4onx4SDd75LVTyr1Rbc2/1LUIGTw
AOmJNzvioM7B+114BMBc5xbxfOAbielwizwtNzK2G7k
-> K/_&?-grease 'jg+M|s Cw&g=
yfPl
--- 8idL6hzmOCas0TKD8rvx7qlSGbzLPFxAOdlnSNi5+sY
Æ=»lÞ…XæÊsÄ$xKÑ2F^¢#ø_ìB ßq"½ZÎü*¢ù®Ôó2`0n|#ÉÑz SÅõ;UÀ@:¿âšRGuv>ʺÿ§€Ù÷é Z½\m†¦¼N(