commit 9661927410709d531c10eeef31182bcb26d61183 Author: Nikodem Rabuliński Date: Thu Aug 3 14:54:05 2023 +0200 Initial commit diff --git a/.envrc b/.envrc new file mode 100644 index 0000000..3550a30 --- /dev/null +++ b/.envrc @@ -0,0 +1 @@ +use flake diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..92b2793 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.direnv diff --git a/README.md b/README.md new file mode 100644 index 0000000..d3794b0 --- /dev/null +++ b/README.md @@ -0,0 +1,5 @@ +

+ + 雪定(せってい) + +

diff --git a/assets/default.nix b/assets/default.nix
new file mode 100644
index 0000000..909c9b1
--- /dev/null
+++ b/assets/default.nix
@@ -0,0 +1,9 @@
+{lib, ...}: {
+ options.assets = lib.mkOption {
+ type = lib.types.unspecified;
+ };
+
+ config.assets = {
+ sshKeys = import ./ssh.nix {};
+ };
+}
diff --git a/assets/ssh.nix b/assets/ssh.nix
new file mode 100644
index 0000000..a977c03
--- /dev/null
+++ b/assets/ssh.nix
@@ -0,0 +1,17 @@
+{...}: {
+ other = {
+ bootstrap = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEvSD7mNn5x+Ras/shxzyRMEhPqKeide3IH39UG6kLMV nikodem@rabulinski.com";
+ };
+
+ user = {
+ bootstrap-old = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMWVNUo+LRL86T4pv30/J31orpDVIMWCSgh/xvQHon8X openpgp:0xB6AB96F3";
+ mobile = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL+j/gYSgLh7FQpAiUzWVIOCCAzZWRHez60p4n0OrGO0gU6tJoBQ6tD2vq8OTa8aj7j2Y++9CSguCn/3T9E6Qbk=";
+
+ hijiri-vm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP6tfXLB6xhcl3rtI5x9NXSs12U4LVy06RRlyZxiORa0 nikodem@rabulinski.com";
+ kazuki = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIImsFb9qRxX0n2Bmy00T8iPam+Fc3mgKkm7dfM7AQRHN nikodem@rabulinski.com";
+ };
+
+ system = {
+ kazuki = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEyYhYWDNmKSrpcslD3NzWW+lQmDcLJdjLh7CSkL4hW5 root@kazuki";
+ };
+}
diff --git a/deploy.nix b/deploy.nix
new file mode 100644
index 0000000..dadf7e6
--- /dev/null
+++ b/deploy.nix
@@ -0,0 +1,18 @@
+{
+ self,
+ lib,
+ inputs,
+ ...
+}: {
+ flake.deploy.nodes =
+ lib.mapAttrs (name: value: {
+ hostname = name;
+ sshUser = "niko";
+ profiles.system = {
+ user = "root";
+ path = inputs.deploy-rs.lib.${value.pkgs.stdenv.system}.activate.nixos value;
+ };
+ remoteBuild = true;
+ })
+ self.nixosConfigurations;
+}
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..7705f33
--- /dev/null
+++ b/flake.lock
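Review bot: The `user` set keeps a key labelled `bootstrap-old` alongside the current keys, and both host configs consume the whole set with `lib.attrValues config.assets.sshKeys.user` (hosts/kazuki/default.nix and hosts/hijiri-vm/default.nix), so the old bootstrap key and the mobile ECDSA key are authorized for login on every host. If that key is retired, remove it here rather than leaving it to be picked up implicitly; if it is still needed, a comment such as `# still authorized on every host via attrValues — remove once rotated` records the intent. Selecting keys per host (e.g. `[ user.mobile user.kazuki ]`) would also make the trust set explicit per machine.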
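Review bot: `hostname = name` uses the nixosConfigurations attribute name as the SSH target, but hijiri-vm sets `networking.hostName = "vm"` with `networking.domain = "hijiri"`, so the deploy target `hijiri-vm` only resolves if an SSH config entry or DNS alias maps it; a comment stating that assumption would help. Likewise `sshUser = "niko"` activating a profile as `user = "root"` depends on `security.sudo.wheelNeedsPassword = false` from sane-defaults.nix, which is worth noting here, e.g. `# activation runs via passwordless sudo for wheel (modules/nixos/settei/sane-defaults.nix)`.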
@@ -0,0 +1,333 @@ +{ + "nodes": { + "agenix": { + "inputs": { + "darwin": [ + "darwin" + ], + "home-manager": [ + "home-manager" + ], + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1690228878, + "narHash": "sha256-9Xe7JV0krp4RJC9W9W9WutZVlw6BlHTFMiUP/k48LQY=", + "owner": "ryantm", + "repo": "agenix", + "rev": "d8c973fd228949736dedf61b7f8cc1ece3236792", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "blobs": { + "flake": false, + "locked": { + "lastModified": 1604995301, + "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=", + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "type": "gitlab" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1691012184, + "narHash": "sha256-AYxPkarxZPs18qSKPjT4t8flmgeyu3DcoLGMkeiWtvk=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "d3529322dcaaddf0c50cb277c9c2a355f3a36a3b", + "type": "github" + }, + "original": { + "owner": "lnl7", + "repo": "nix-darwin", + "type": "github" + } + }, + "deploy-rs": { + "inputs": { + "flake-compat": "flake-compat", + "nixpkgs": [ + "nixpkgs" + ], + "utils": "utils" + }, + "locked": { + "lastModified": 1686747123, + "narHash": "sha256-XUQK9kwHpTeilHoad7L4LjMCCyY13Oq383CoFADecRE=", + "owner": "serokell", + "repo": "deploy-rs", + "rev": "724463b5a94daa810abfc64a4f87faef4e00f984", + "type": "github" + }, + "original": { + "owner": "serokell", + "repo": "deploy-rs", + "type": "github" + } + }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1690739034, + "narHash": "sha256-roW02IaiQ3gnEEDMCDWL5YyN+C4nBf/te6vfL7rG0jk=", + "owner": "nix-community", + "repo": "disko", + "rev": "4015740375676402a2ee6adebc3c30ea625b9a94", + "type": "github" + }, + 
"original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1668681692, + "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "009399224d5e398d03b22badca40a37ac85412a1", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1668681692, + "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "009399224d5e398d03b22badca40a37ac85412a1", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1690933134, + "narHash": "sha256-ab989mN63fQZBFrkk4Q8bYxQCktuHmBIBqUG1jl6/FQ=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "59cf3f1447cfc75087e7273b04b31e689a8599fb", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1690982105, + "narHash": "sha256-32AzoLuwhtxBItcULRiCnxRfJcbVXbPZSH9TDVg21mU=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "b2ac1d2c32ac11b8d231d23622cdc4b2f28d07d2", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "mailserver": { + "inputs": { + "blobs": "blobs", + "flake-compat": "flake-compat_2", + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-22_11": "nixpkgs-22_11", + "nixpkgs-23_05": "nixpkgs-23_05", + "utils": "utils_2" + }, + "locked": { + "lastModified": 1689976554, + "narHash": "sha256-uWJq3sIhkqfzPmfB2RWd5XFVooGFfSuJH9ER/r302xQ=", + "owner": 
"simple-nixos-mailserver", + "repo": "nixos-mailserver", + "rev": "c63f6e7b053c18325194ff0e274dba44e8d2271e", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "repo": "nixos-mailserver", + "type": "gitlab" + } + }, + "niko-nur": { + "inputs": { + "flake-parts": [ + "flake-parts" + ], + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1690830552, + "narHash": "sha256-8n8PipmWZnnE56QlhcGQCKG5cMU8v+NTaFkJzBM6k4w=", + "owner": "nrabulinski", + "repo": "nur-packages", + "rev": "b19fe09dd3f325ff2731b83f230e2573b67db4aa", + "type": "github" + }, + "original": { + "owner": "nrabulinski", + "repo": "nur-packages", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1690753480, + "narHash": "sha256-GQgPs8fCh/LsyQoYMUZgT2p7jFVWyHu9p+1Nl/dp8GY=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "9e06dd56947c1dc3dc837c3149bfe02c71a6edd7", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-22_11": { + "locked": { + "lastModified": 1669558522, + "narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-22.11", + "type": "indirect" + } + }, + "nixpkgs-23_05": { + "locked": { + "lastModified": 1684782344, + "narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "8966c43feba2c701ed624302b6a935f97bcbdf88", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-23.05", + "type": "indirect" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1691003216, + "narHash": "sha256-Qq/MPkhS12Bl0X060pPvX3v9ac3f2rRQfHjjozPh/Qs=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "4a56ce9727a0c5478a836a0d8a8f641c5b9a3d5f", + "type": "github" + }, + "original": { + "owner": 
"nixos", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "agenix": "agenix", + "darwin": "darwin", + "deploy-rs": "deploy-rs", + "disko": "disko", + "flake-parts": "flake-parts", + "home-manager": "home-manager", + "mailserver": "mailserver", + "niko-nur": "niko-nur", + "nixpkgs": "nixpkgs_2" + } + }, + "utils": { + "locked": { + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "utils_2": { + "locked": { + "lastModified": 1605370193, + "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5021eac20303a61fafe17224c087f5519baed54d", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..b35d1a4 --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,88 @@
+{
+ outputs = inputs @ {flake-parts, ...}:
+ flake-parts.lib.mkFlake {inherit inputs;} {
+ systems = [
+ "x86_64-linux"
+ "aarch64-linux"
+ "aarch64-darwin"
+ ];
+
+ imports = [
+ ./assets
+ ./hosts
+ ./modules
+ ./deploy.nix
+ ];
+
+ perSystem = {
+ pkgs,
+ inputs',
+ ...
+ }: {
+ devShells.default = pkgs.mkShellNoCC {
+ packages = [inputs'.deploy-rs.packages.deploy-rs inputs'.agenix.packages.agenix];
+ };
+
+ formatter = pkgs.alejandra;
+ };
+ };
+
+ inputs = {
+ nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable";
+ flake-parts = {
+ url = "github:hercules-ci/flake-parts";
+ inputs.nixpkgs-lib.follows = "nixpkgs";
+ };
+ disko = {
+ url = "github:nix-community/disko";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ home-manager = {
+ url = "github:nix-community/home-manager";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ deploy-rs = {
+ url = "github:serokell/deploy-rs";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ niko-nur = {
+ url = "github:nrabulinski/nur-packages";
+ inputs = {
+ # Not overriding nixpkgs to get cache hits
+ # nixpkgs.follows = "nixpkgs";
+ flake-parts.follows = "flake-parts";
+ };
+ };
+ darwin = {
+ url = "github:lnl7/nix-darwin";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ agenix = {
+ url = "github:ryantm/agenix";
+ inputs = {
+ nixpkgs.follows = "nixpkgs";
+ darwin.follows = "darwin";
+ home-manager.follows = "home-manager";
+ };
+ };
+ mailserver = {
+ url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ };
+
+ nixConfig = {
+ extra-substituters = [
+ "https://hyprland.cachix.org"
+ "https://cache.garnix.io"
+ "https://nix-community.cachix.org"
+ "https://cache.nixos.org/"
+ ];
+ trusted-public-keys = [
+ "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
+ "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+ ];
+ };
+}
diff --git a/hosts/default.nix b/hosts/default.nix
new file mode 100644
index 0000000..201a9b2
--- /dev/null
+++ b/hosts/default.nix
@@ -0,0 +1,34 @@
+{
+ config,
+ self,
+ inputs,
+ lib,
+ ...
+}: {
+ mappers = {
+ nixos = module: {
+ modules = [
+ inputs.agenix.nixosModules.age
+ inputs.disko.nixosModules.disko
+ inputs.mailserver.nixosModules.default
+ self.nixosModules.settei
+ {
+ settei = {
+ username = "niko";
+ sane-defaults.enable = true;
+ flake-qol = {
+ enable = true;
+ inherit inputs;
+ };
+ };
+ }
+ module
+ ];
+ };
+ };
+
+ imports = [
+ ./kazuki
+ ./hijiri-vm
+ ];
+}
diff --git a/hosts/hijiri-vm/default.nix b/hosts/hijiri-vm/default.nix
new file mode 100644
index 0000000..2e27806
--- /dev/null
+++ b/hosts/hijiri-vm/default.nix
@@ -0,0 +1,30 @@
+{
+ self,
+ inputs,
+ config,
+ ...
+}: {
+ configurations.nixos.hijiri-vm = {
+ modulesPath,
+ lib,
+ username,
+ ...
+ }: {
+ imports = [
+ "${modulesPath}/profiles/qemu-guest.nix"
+ (import ./disks.nix {})
+ ];
+ boot = {
+ supportedFilesystems = ["btrfs"];
+ loader.systemd-boot.enable = true;
+ loader.efi.canTouchEfiVariables = true;
+ };
+
+ nixpkgs.system = "aarch64-linux";
+
+ users.users.${username}.openssh.authorizedKeys.keys = lib.attrValues config.assets.sshKeys.user;
+
+ networking.domain = "hijiri";
+ networking.hostName = "vm";
+ };
+}
diff --git a/hosts/hijiri-vm/disks.nix b/hosts/hijiri-vm/disks.nix
new file mode 100644
index 0000000..7ee0a17
--- /dev/null
+++ b/hosts/hijiri-vm/disks.nix
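Review bot: `nixConfig.trusted-public-keys` and `extra-substituters` pin `hyprland.cachix.org`, but no input in this flake (nor any node in flake.lock) comes from hyprland, so that key is a binary-cache trust anchor with no consumer. Every entry in this list is accepted as a valid signer of store paths on each machine that honours the flake's nixConfig, so it should be limited to caches the declared inputs actually use; drop the hyprland substituter/key pair, or annotate each remaining entry with the input it serves, e.g. `# garnix: niko-nur packages`. The same review applies to `nix-community.cachix.org`, which is plausibly needed for disko/home-manager but is not stated.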
@@ -0,0 +1,42 @@
+{bootDevice ? "/dev/vda", ...}: {
+ disko.devices.disk.bootDisk = {
+ type = "disk";
+ device = bootDevice;
+ content = {
+ type = "table";
+ format = "gpt";
+ partitions = [
+ {
+ name = "EFI";
+ start = "1MiB";
+ end = "128MiB";
+ fs-type = "fat32";
+ bootable = true;
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ }
+ {
+ name = "LINUX";
+ start = "128MiB";
+ end = "100%";
+ content = {
+ type = "btrfs";
+ extraArgs = ["-f"];
+ subvolumes = let
+ mountOptions = ["compress=zstd" "noatime"];
+ in {
+ "/root" = {
+ inherit mountOptions;
+ mountpoint = "/";
+ };
+ "/nix" = {inherit mountOptions;};
+ };
+ };
+ }
+ ];
+ };
+ };
+}
diff --git a/hosts/kazuki/conduit.nix b/hosts/kazuki/conduit.nix
new file mode 100644
index 0000000..74a577c
--- /dev/null
+++ b/hosts/kazuki/conduit.nix
@@ -0,0 +1,97 @@
+{
+ config,
+ pkgs,
+ inputs',
+ ...
+}: let
+ formatJson = pkgs.formats.json {};
+in {
+ services.matrix-conduit = {
+ enable = true;
+ package = inputs'.niko-nur.packages.conduit-latest;
+ settings.global = {
+ server_name = "nrab.lol";
+ database_backend = "rocksdb";
+ allow_registration = false;
+ };
+ };
+ systemd.services.conduit.serviceConfig.LimitNOFILE = 8192;
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "nikodem@rabulinski.com";
+ };
+
+ users.users.nginx.extraGroups = ["acme"];
+ networking.firewall.allowedTCPPorts = [80 443 8448 2222];
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ virtualHosts = {
+ "nrab.lol" = {
+ forceSSL = true;
+ enableACME = true;
+
+ locations."=/.well-known/matrix/server" = {
+ alias = formatJson.generate "well-known-matrix-server" {
+ "m.server" = "matrix.nrab.lol";
+ };
+ extraConfig = ''
+ default_type application/json;
+ add_header Access-Control-Allow-Origin "*";
+ '';
+ };
+
+ locations."=/.well-known/matrix/client" = {
+ alias = formatJson.generate "well-known-matrix-client" {
+ "m.homeserver" = {
+ "base_url" = "https://matrix.nrab.lol";
+ };
+ };
+ extraConfig = ''
+ default_type application/json;
+ add_header Access-Control-Allow-Origin "*";
+ '';
+ };
+ };
+
+ "matrix.nrab.lol" = {
+ forceSSL = true;
+ enableACME = true;
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 443;
+ ssl = true;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 8448;
+ ssl = true;
+ }
+ ];
+ extraConfig = ''
+ merge_slashes off;
+ '';
+
+ locations."/_matrix/" = {
+ proxyPass = "http://backend_conduit$request_uri";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_buffering off;
+ '';
+ };
+ };
+ };
+
+ upstreams."backend_conduit".servers = {
+ "localhost:${toString config.services.matrix-conduit.settings.global.port}" = {};
+ };
+ };
+}
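Review bot: `networking.firewall.allowedTCPPorts = [80 443 8448 2222]` opens 2222, but nothing in this commit listens there (conduit is only reached through nginx on 80/443/8448 and `services.openssh` is left on its default port), and the identical four-port list is pasted into hosts/kazuki/mail.nix and hosts/kazuki/vault.nix. NixOS merges these lists across modules, so each file can declare only the ports its own service needs — here `networking.firewall.allowedTCPPorts = [80 443 8448];` — which makes an opening with no owner, like 2222, stand out instead of being hidden in three copies. The same duplication applies to `users.users.nginx.extraGroups = ["acme"]`, which belongs once, next to the ACME settings.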
diff --git a/hosts/kazuki/default.nix b/hosts/kazuki/default.nix
new file mode 100644
index 0000000..10b4603
--- /dev/null
+++ b/hosts/kazuki/default.nix
@@ -0,0 +1,32 @@
+{
+ config,
+ self,
+ ...
+}: {
+ configurations.nixos.kazuki = {
+ modulesPath,
+ lib,
+ username,
+ ...
+ }: {
+ imports = [
+ "${modulesPath}/profiles/qemu-guest.nix"
+ (import ./disks.nix {})
+
+ ./conduit.nix
+ ./mail.nix
+ ./vault.nix
+ ];
+
+ nixpkgs.system = "aarch64-linux";
+
+ users.users.${username}.openssh.authorizedKeys.keys = lib.attrValues config.assets.sshKeys.user;
+
+ boot = {
+ supportedFilesystems = ["btrfs"];
+ loader.systemd-boot.enable = true;
+ loader.systemd-boot.configurationLimit = 1;
+ loader.efi.canTouchEfiVariables = true;
+ };
+ };
+}
diff --git a/hosts/kazuki/disks.nix b/hosts/kazuki/disks.nix
new file mode 100644
index 0000000..52c1293
--- /dev/null
+++ b/hosts/kazuki/disks.nix
@@ -0,0 +1,51 @@
+{bootDevice ? "/dev/sda", ...}: {
+ disko.devices.disk.bootDisk = {
+ type = "disk";
+ device = bootDevice;
+ content = {
+ type = "table";
+ format = "gpt";
+ partitions = [
+ {
+ name = "EFI";
+ start = "1MiB";
+ end = "128MiB";
+ fs-type = "fat32";
+ bootable = true;
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ }
+ {
+ name = "LINUX";
+ start = "128MiB";
+ end = "-4G";
+ content = {
+ type = "btrfs";
+ extraArgs = ["-f"];
+ subvolumes = let
+ mountOptions = ["compress=zstd" "noatime"];
+ in {
+ "/root" = {
+ inherit mountOptions;
+ mountpoint = "/";
+ };
+ "/nix" = {inherit mountOptions;};
+ };
+ };
+ }
+ {
+ name = "SWAP";
+ start = "-4G";
+ end = "100%";
+ content = {
+ type = "swap";
+ randomEncryption = true;
+ };
+ }
+ ];
+ };
+ };
+}
diff --git a/hosts/kazuki/mail.nix b/hosts/kazuki/mail.nix
new file mode 100644
index 0000000..808361b
--- /dev/null
+++ b/hosts/kazuki/mail.nix
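Review bot: `loader.systemd-boot.configurationLimit = 1` keeps only the current generation in the boot menu, so a deploy that ships an unbootable kernel or initrd leaves no known-good entry to select; deploy-rs's rollback only helps once the new system has come up and is reachable. The EFI partition in disks.nix is 127 MiB, so a limit of 2 or 3 (`loader.systemd-boot.configurationLimit = 3;`) costs little and preserves a fallback. If 1 is deliberate to save ESP space, a comment saying so would stop the next reader from "fixing" it.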
@@ -0,0 +1,28 @@
+{config, ...}: {
+ age.secrets = {
+ leet-nrab-lol.file = ../../secrets/leet-nrab-lol-pass.age;
+ alert-nrab-lol.file = ../../secrets/alert-nrab-lol-pass.age;
+ };
+
+ users.users.nginx.extraGroups = ["acme"];
+ networking.firewall.allowedTCPPorts = [80 443 8448 2222];
+
+ mailserver = {
+ enable = true;
+ fqdn = "mail.nrab.lol";
+ domains = ["nrab.lol"];
+
+ loginAccounts = {
+ "1337@nrab.lol" = {
+ hashedPasswordFile = config.age.secrets.leet-nrab-lol.path;
+ };
+ "alert@nrab.lol" = {
+ hashedPasswordFile = config.age.secrets.alert-nrab-lol.path;
+ sendOnly = true;
+ sendOnlyRejectMessage = "";
+ };
+ };
+
+ certificateScheme = "acme-nginx";
+ };
+}
diff --git a/hosts/kazuki/vault.nix b/hosts/kazuki/vault.nix
new file mode 100644
index 0000000..c5328c9
--- /dev/null
+++ b/hosts/kazuki/vault.nix
@@ -0,0 +1,34 @@
+{config, ...}: {
+ age.secrets.vault-cert-env.file = ../../secrets/vault-cert-env.age;
+
+ services.vaultwarden = {
+ enable = true;
+ config = {
+ ROCKET_PORT = 60001;
+ };
+ };
+
+ users.users.nginx.extraGroups = ["acme"];
+ networking.firewall.allowedTCPPorts = [80 443 8448 2222];
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ virtualHosts."vault.rabulinski.com" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://vaultwarden";
+ };
+ };
+
+ upstreams.vaultwarden.servers = {
+ "localhost:${toString config.services.vaultwarden.config.ROCKET_PORT}" = {};
+ };
+ };
+
+ security.acme.certs."valut.rabulinski.com" = {
+ dnsProvider = "cloudflare";
+ credentialsFile = config.age.secrets.vault-cert-env.path;
+ };
+}
diff --git a/modules/default.nix b/modules/default.nix
new file mode 100644
index 0000000..4d6ccc8
--- /dev/null
+++ b/modules/default.nix
@@ -0,0 +1,6 @@
+{...}: {
+ imports = [
+ ./nixos
+ ./flake
+ ];
+}
diff --git a/modules/flake/configurations.nix b/modules/flake/configurations.nix
new file mode 100644
index 0000000..0a6e04f
--- /dev/null
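Review bot: `security.acme.certs."valut.rabulinski.com"` misspells the domain, so the DNS-01 certificate that carries `dnsProvider = "cloudflare"` and the agenix `credentialsFile` is requested for a name that does not match the nginx vhost `vault.rabulinski.com`; the vhost's `enableACME = true` then provisions its own HTTP-01 certificate and the Cloudflare-backed one is never used (and cannot issue for a name that does not exist). Change it to `security.acme.certs."vault.rabulinski.com" = {`. Separately, the vaultwarden `config` sets only `ROCKET_PORT`; for an internet-facing instance it is worth stating `DOMAIN = "https://vault.rabulinski.com";` and `SIGNUPS_ALLOWED = false;` explicitly, since upstream vaultwarden permits open registration unless told otherwise (confirm against the defaults of the pinned package).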
+++ b/modules/flake/configurations.nix 
@@ -0,0 +1,102 @@
+{
+ nixpkgs,
+ darwin,
+ home-manager,
+}: {
+ config,
+ lib,
+ flake-parts-lib,
+ ...
+}: let
+ inherit (lib) mkOption mapAttrs;
+ inherit (flake-parts-lib) mkSubmoduleOptions;
+ possibleConfigurations = {
+ nixos = {};
+ darwin = {};
+ home = {};
+ };
+in {
+ _file = ./configurations.nix;
+
+ options = {
+ # Those functions take the final arguments and emit a valid configuration.
+ # Probably should hardly ever be overriden
+ builders = {
+ nixos = mkOption {
+ type = lib.types.functionTo lib.types.unspecified;
+ default = nixpkgs.lib.nixosSystem;
+ };
+ darwin = mkOption {
+ type = lib.types.functionTo lib.types.unspecified;
+ default = darwin.lib.darwinSystem;
+ };
+ home = mkOption {
+ type = lib.types.functionTo lib.types.unspecified;
+ default = home-manager.lib.homeManagerConfiguration;
+ };
+ };
+
+ # Those functions map the value of the configuration attribute
+ # and emit a list of arguments to be passed to respected evalModules
+ mappers =
+ mapAttrs
+ (_: _:
+ mkOption {
+ type = lib.types.functionTo lib.types.attrs;
+ default = lib.id;
+ })
+ possibleConfigurations;
+
+ configurations = {
+ nixos = mkOption {
+ type = lib.types.unspecified;
+ default = {};
+ };
+ darwin = mkOption {
+ type = lib.types.unspecified;
+ default = {};
+ };
+ home = mkOption {
+ type = lib.types.unspecified;
+ default = {};
+ };
+ };
+
+ # This is exposed so that it's possible to modify the arguments that get passed to a builder
+ # after they have been mapped. Probably shouldn't do it. Probably should remove it or make it read-only
+ configurationOptions =
+ mapAttrs
+ (_: _:
+ mkOption {
+ type = lib.types.attrsOf lib.types.attrs;
+ })
+ possibleConfigurations;
+ };
+
+ config = {
+ configurationOptions =
+ mapAttrs
+ (
+ name: _:
+ mapAttrs
+ (configurationName: val: let
+ mapped = config.mappers.${name} val;
+ # TODO: specialArgs is actually extraSpecialArgs in home-manager.
+ # At which level should that be handled?
+ defaultArgs = {
+ specialArgs = {inherit configurationName;};
+ };
+ in
+ lib.recursiveUpdate defaultArgs mapped)
+ config.configurations.${name}
+ )
+ possibleConfigurations;
+
+ flake = {
+ nixosConfigurations =
+ mapAttrs
+ (_: args: config.builders.nixos args)
+ config.configurationOptions.nixos;
+ };
+ };
+}
diff --git a/modules/flake/default.nix b/modules/flake/default.nix
new file mode 100644
index 0000000..7bd6926
--- /dev/null
+++ b/modules/flake/default.nix
@@ -0,0 +1,15 @@
+{
+ flake-parts-lib,
+ lib,
+ inputs,
+ ...
+}: let
+ inherit (flake-parts-lib) importApply;
+ flakeModules = {
+ configurations = importApply ./configurations.nix {inherit (inputs) nixpkgs darwin home-manager;};
+ };
+in {
+ imports = lib.attrValues flakeModules;
+
+ flake = {inherit flakeModules;};
+}
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
new file mode 100644
index 0000000..6629fa4
--- /dev/null
+++ b/modules/nixos/default.nix
@@ -0,0 +1,3 @@
+{config, ...}: {
+ flake.nixosModules.settei = import ./settei {inherit (config) perInput;};
+}
diff --git a/modules/nixos/settei/default.nix b/modules/nixos/settei/default.nix
new file mode 100644
index 0000000..c64aee7
--- /dev/null
+++ b/modules/nixos/settei/default.nix
@@ -0,0 +1,16 @@
+{perInput}: {
+ lib,
+ config,
+ ...
+}: {
+ imports = [
+ ./sane-defaults.nix
+ (import ./flake-qol.nix {inherit perInput;})
+ ];
+
+ options.settei = with lib; {
+ username = mkOption {
+ type = types.str;
+ };
+ };
+}
diff --git a/modules/nixos/settei/flake-qol.nix b/modules/nixos/settei/flake-qol.nix
new file mode 100644
index 0000000..85f60d7
--- /dev/null
+++ b/modules/nixos/settei/flake-qol.nix
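Review bot: The `flake` block at the end only emits `nixosConfigurations`, while `configurationOptions.darwin` and `.home` are computed from the `darwin`/`home` builders and mappers but never exported, so anything set under `configurations.darwin` or `configurations.home` silently produces nothing. Either add `darwinConfigurations` and `homeConfigurations` mappings next to `nixosConfigurations`, or mark the gap with `# TODO: darwin/home configurations are evaluated but not exported yet`. Two smaller points in the same file: `mkSubmoduleOptions` is inherited from `flake-parts-lib` but unused, and the comment on `builders` has a typo, `overriden` → `overridden`.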
@@ -0,0 +1,45 @@
+{perInput}: {
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.settei.flake-qol;
+in {
+ _file = ./flake-qol.nix;
+
+ options.settei.flake-qol = with lib; {
+ enable = lib.mkEnableOption "QoL defaults when using flakes";
+ reexportAsArgs = mkOption {
+ type = types.bool;
+ default = true;
+ };
+ inputs = mkOption {
+ type = types.unspecified;
+ };
+ inputs-flakes = mkOption {
+ type = types.attrs;
+ readOnly = true;
+ };
+ inputs' = mkOption {
+ type = types.attrs;
+ readOnly = true;
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ settei.flake-qol = {
+ inputs-flakes = lib.filterAttrs (_: input: input ? flake -> input.flake) cfg.inputs;
+ inputs' = lib.mapAttrs (_: perInput pkgs.stdenv.system) cfg.inputs-flakes;
+ };
+
+ _module.args = lib.mkIf cfg.reexportAsArgs {
+ inherit (cfg) inputs inputs-flakes inputs';
+ };
+
+ nix = {
+ registry = lib.mapAttrs (_: flake: {inherit flake;}) cfg.inputs-flakes;
+ nixPath = map (name: "${name}=flake:${name}") (lib.attrNames cfg.inputs-flakes);
+ };
+ };
+}
diff --git a/modules/nixos/settei/sane-defaults.nix b/modules/nixos/settei/sane-defaults.nix
new file mode 100644
index 0000000..ecb3f5a
--- /dev/null
+++ b/modules/nixos/settei/sane-defaults.nix
@@ -0,0 +1,57 @@
+{
+ lib,
+ config,
+ ...
+} @ args: {
+ _file = ./sane-defaults.nix;
+
+ options.settei.sane-defaults = {
+ enable = lib.mkEnableOption "Personal sane defaults";
+ };
+
+ config = lib.mkIf config.settei.sane-defaults.enable (let
+ cfg = config.settei;
+ inherit (cfg) username;
+ in {
+ _module.args = {
+ username = lib.mkDefault username;
+ };
+
+ hardware.enableRedistributableFirmware = true;
+
+ services.openssh.enable = true;
+ services.tailscale.enable = true;
+ programs.mosh.enable = lib.mkDefault true;
+
+ users = {
+ mutableUsers = false;
+ users.${username} = {
+ isNormalUser = true;
+ home = "/home/${username}";
+ group = username;
+ extraGroups = ["wheel"];
+ };
+ groups.${username} = {};
+ };
+
+ networking.hostName = lib.mkDefault (
+ args.configurationName
+ or (throw "pass configurationName to module arguments or set networking.hostName yourself")
+ );
+ time.timeZone = lib.mkDefault "Europe/Warsaw";
+
+ nix = {
+ settings = {
+ experimental-features = ["nix-command" "flakes" "repl-flake" "auto-allocate-uids"];
+ trusted-users = [username];
+ auto-allocate-uids = true;
+ };
+ };
+
+ # TODO: Actually this should be extraRules which makes wheel users without any password set
+ # be able to use sudo with no password
+ security.sudo.wheelNeedsPassword = false;
+
+ system.stateVersion = "22.05";
+ });
+}
diff --git a/secrets/alert-nrab-lol-pass.age b/secrets/alert-nrab-lol-pass.age
new file mode 100644
index 0000000..3cd5201
--- /dev/null
+++ b/secrets/alert-nrab-lol-pass.age
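Review bot: `services.openssh.enable = true` is left on the module's defaults even though login on these hosts is key-only in practice (`authorizedKeys.keys` come from assets/ssh.nix, `mutableUsers = false`, and no password is set for `${username}`); adding `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` next to it makes that policy explicit instead of a side effect of the account having no password hash. `trusted-users = [username]` together with `security.sudo.wheelNeedsPassword = false` makes this user root-equivalent by two routes; the TODO already covers sudo, and a one-line comment on `trusted-users` noting that a trusted Nix user can modify the store as root would complete the picture.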
@@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 84j9mw jmpsgact3iy0+A1ggWzK98D1e7R/44F9TgzFSg6BIWA +K6S7UNkJNh859EgPdMTpYol4vaSD0nfjsu6SMk9F5Vo +-> ssh-ed25519 GKhvwg YGAiny4ZXIqplrdFqETxB4chp9IqJt5fHb+NK4Bvan0 +0rgp0zJiGX5t4x/FKoLDJWMJW1hPsfVNMd4bPmv6Xdo +-> }Z-grease dI \ a^Wyct @c5 +H3cGSMZsNUPMewieU4NK6zr4IlLt+hivE3FnRBrNzll7WGBd942TAFQ8YRa9sIbJ +b9mvv1dqYmoS7MBVAGJvLgaX +--- C9QLdKcJPuN/raiGvmopHeYM2tnURzDMzV8DRAmffR0 +`0D`Vo/T~{({:hxj^Bn'T0[Ug=_DDU!-5B Z:s}PFfh \ No newline at end of file diff --git a/secrets/leet-nrab-lol-pass.age b/secrets/leet-nrab-lol-pass.age new file mode 100644 index 0000000..804d4c1 Binary files /dev/null and b/secrets/leet-nrab-lol-pass.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..8bf53e2 --- /dev/null +++ b/secrets/secrets.nix @@ -0,0 +1,8 @@ +let + keys = import ../assets/ssh.nix {}; +in { + "leet-nrab-lol-pass.age".publicKeys = [keys.system.kazuki keys.other.bootstrap]; + "alert-nrab-lol-pass.age".publicKeys = [keys.system.kazuki keys.other.bootstrap]; + "vault-cert-env.age".publicKeys = [keys.system.kazuki keys.other.bootstrap]; + # "bitwarden-env-file.age".publicKeys = [keys.system.kazuki keys.other.bootstrap]; +} diff --git a/secrets/vault-cert-env.age b/secrets/vault-cert-env.age new file mode 100644 index 0000000..7232086 --- /dev/null +++ b/secrets/vault-cert-env.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 84j9mw 13PBQImkhu4ivVTaeHWkpRfidgOFF7FBLD18amn5+Xs +ZeZhuWZqI8Poa1ROlaYAXkr6QBM4355lWpYaHAtaTP8 +-> ssh-ed25519 GKhvwg gSXVzlieRXepW8s4onx4SDd75LVTyr1Rbc2/1LUIGTw +AOmJNzvioM7B+114BMBc5xbxfOAbielwizwtNzK2G7k +-> K/_&?-grease 'jg+M|s Cw&g= +yfPl +--- 8idL6hzmOCas0TKD8rvx7qlSGbzLPFxAOdlnSNi5+sY + =lXs$xK2F^#_B q"Z*2`0n|#z S;U@:RGuv>ʺ Z\mN( \ No newline at end of file