diff --git a/README.md b/README.md index ceff714..cf09670 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,7 @@ Collection of my personal Nix configurations and opinionated NixOS, nix-darwin, ## Project structure - hosts - per-machine configurations - kazuki - my linux arm server - - legion - my linux x86 server[^1] + - legion - my linux x86 server - hijiri - my macbook[^1] - hijiri-vm - linux vm running on my macbook - miyagi - my work machine[^1] diff --git a/assets/ssh.nix b/assets/ssh.nix index 0d6107f..2ccf33f 100644 --- a/assets/ssh.nix +++ b/assets/ssh.nix @@ -13,5 +13,6 @@ system = { kazuki = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEyYhYWDNmKSrpcslD3NzWW+lQmDcLJdjLh7CSkL4hW5 root@kazuki"; + legion = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0Ktyj0FSn8KLRwRGd0Tp/qNUPXV7+XyxAsWGWdMYp8 root@legion"; }; } diff --git a/effects.nix b/effects.nix index 832e826..13bebcc 100644 --- a/effects.nix +++ b/effects.nix @@ -1,4 +1,4 @@ -{self, ...}: { +{ defaultEffectSystem = "aarch64-linux"; hercules-ci = { @@ -7,12 +7,4 @@ when.dayOfWeek = "Mon"; }; }; - - herculesCI = { - onPush = { - default.enable = true; - - wrappers.outputs = self.packages.aarch64-linux; - }; - }; } diff --git a/flake.lock b/flake.lock index 4c075b8..30ec171 100644 --- a/flake.lock +++ b/flake.lock @@ -282,6 +282,30 @@ "type": "gitlab" } }, + "nh": { + "inputs": { + "flake-parts": [ + "flake-parts" + ], + "nix-filter": "nix-filter", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1694971480, + "narHash": "sha256-5UKSMDiboMIs15WN6jbctJgYfnGPfkHhvWWaboB2rGk=", + "owner": "viperML", + "repo": "nh", + "rev": "4b88da6fc89bf06d6598ce9a881590a7cc0dcafd", + "type": "github" + }, + "original": { + "owner": "viperML", + "repo": "nh", + "type": "github" + } + }, "niko-nur": { "inputs": { "flake-parts": [ 
@@ -303,6 +327,21 @@ "type": "github" } }, + "nix-filter": { + "locked": { + "lastModified": 1687178632, + "narHash": "sha256-HS7YR5erss0JCaUijPeyg2XrisEb959FIct3n2TMGbE=", + "owner": "numtide", + "repo": "nix-filter", + "rev": "d90c75e8319d0dd9be67d933d8eb9d0894ec9174", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "nix-filter", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1687274257, @@ -441,6 +480,7 @@ "hercules-ci-effects": "hercules-ci-effects", "home-manager": "home-manager", "mailserver": "mailserver", + "nh": "nh", "niko-nur": "niko-nur", "nixpkgs": "nixpkgs_5", "racket": "racket", diff --git a/flake.nix b/flake.nix index 43c4486..4f0ae2e 100644 --- a/flake.nix +++ b/flake.nix @@ -19,15 +19,19 @@ ]; perSystem = { - pkgs, inputs', + pkgs, + lib, ... }: { devShells.default = pkgs.mkShellNoCC { - packages = [ - inputs'.deploy-rs.packages.deploy-rs - inputs'.agenix.packages.agenix - ]; + packages = + [ + inputs'.deploy-rs.packages.deploy-rs + inputs'.agenix.packages.agenix + ] + # TODO: Contribute darwin support to nh + ++ lib.optionals (!pkgs.stdenv.isDarwin) [inputs'.nh.packages.default]; }; formatter = pkgs.alejandra; @@ -54,11 +58,9 @@ }; niko-nur = { url = "github:nrabulinski/nur-packages"; - inputs = { - # Not overriding nixpkgs to get cache hits - # nixpkgs.follows = "nixpkgs"; - flake-parts.follows = "flake-parts"; - }; + # Not overriding nixpkgs to get cache hits + # inputs.nixpkgs.follows = "nixpkgs"; + inputs.flake-parts.follows = "flake-parts"; }; darwin = { url = "github:lnl7/nix-darwin"; 
@@ -68,11 +70,9 @@ darwin-old-for-agenix.url = "github:lnl7/nix-darwin/22620845fee1cc16f4ea639509c50fd989ccc1ce"; agenix = { url = "github:ryantm/agenix"; - inputs = { - nixpkgs.follows = "nixpkgs"; - darwin.follows = "darwin-old-for-agenix"; - home-manager.follows = "home-manager"; - }; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.darwin.follows = "darwin-old-for-agenix"; + inputs.home-manager.follows = "home-manager"; }; mailserver = { url = "gitlab:simple-nixos-mailserver/nixos-mailserver"; @@ -84,10 +84,8 @@ }; wrapper-manager-hm-compat = { url = "github:nrabulinski/wrapper-manager-hm-compat"; - inputs = { - nixpkgs.follows = "nixpkgs"; - home-manager.follows = "home-manager"; - }; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.home-manager.follows = "home-manager"; }; # stylix = { # url = "github:danth/stylix"; @@ -106,10 +104,13 @@ }; hercules-ci-effects = { url = "github:hercules-ci/hercules-ci-effects"; - inputs = { - flake-parts.follows = "flake-parts"; - hercules-ci-agent.follows = "hercules-ci-agent"; - }; + inputs.flake-parts.follows = "flake-parts"; + inputs.hercules-ci-agent.follows = "hercules-ci-agent"; + }; + nh = { + url = "github:viperML/nh"; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.flake-parts.follows = "flake-parts"; }; }; @@ -120,6 +121,7 @@ "https://nix-community.cachix.org" "https://cache.nixos.org/" "https://hercules-ci.cachix.org" + "https://nrabulinski.cachix.org" ]; trusted-public-keys = [ "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc=" @@ -127,6 +129,7 @@ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" "hercules-ci.cachix.org-1:ZZeDl9Va+xe9j+KqdzoBZMFJHVQ42Uu/c/1/KMC5Lw0=" + "nrabulinski.cachix.org-1:Q5FD7+1c68uH74CQK66UWNzxhanZW8xcg1LFXxGK8ic=" ]; }; } diff --git a/hosts/default.nix b/hosts/default.nix index 3874c61..73c7346 100644 --- a/hosts/default.nix +++ b/hosts/default.nix 
@@ -5,35 +5,54 @@ lib, ... }: { - builders = { - nixos = name: module: let - defaultOptions = { - username, - inputs', - lib, - ... - }: { - _file = ./default.nix; + imports = [ + ./kazuki + ./hijiri-vm + ./hijiri + ./legion + ./installer + ]; - settei = { - username = lib.mkDefault "niko"; - sane-defaults = { - enable = lib.mkDefault true; - allSshKeys = config.assets.sshKeys.user; - }; - flake-qol = { - enable = true; - inputs = inputs // {settei = self;}; - }; - user = { - enable = true; - config = { - home.packages = lib.attrValues inputs'.settei.packages; - }; + builders = let + sharedOptions = { + inputs', + lib, + ... + }: { + _file = ./default.nix; + + settei = { + username = lib.mkDefault "niko"; + sane-defaults = { + enable = lib.mkDefault true; + allSshKeys = config.assets.sshKeys.user; + }; + flake-qol = { + enable = true; + inputs = inputs // {settei = self;}; + }; + user = { + enable = true; + config = { + home.packages = let + wrappers = lib.attrValues inputs'.settei.packages; + extraPkgs = [inputs'.nh.packages.default]; + in + wrappers ++ extraPkgs; + + programs.git.enable = true; + home.sessionVariables.EDITOR = "hx"; }; }; + }; + + time.timeZone = lib.mkDefault "Europe/Warsaw"; + }; + in { + nixos = name: module: let + defaultOptions = { + _file = ./default.nix; - time.timeZone = lib.mkDefault "Europe/Warsaw"; i18n.defaultLocale = lib.mkDefault "en_US.UTF-8"; }; in 
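Review bot: `extraPkgs = [inputs'.nh.packages.default];` sits in `sharedOptions`, which this commit feeds to both the nixos and the new darwin builder, so the darwin configuration will try to build nh for aarch64-darwin even though the flake.nix hunk guards the very same package with `lib.optionals (!pkgs.stdenv.isDarwin)` and leaves a TODO saying nh lacks darwin support. Add `pkgs` to sharedOptions' argument set and gate it the same way: `extraPkgs = lib.optionals (!pkgs.stdenv.isDarwin) [inputs'.nh.packages.default];`. If nh does in fact build on darwin, drop the guard and TODO in flake.nix instead so the two sites agree. The `nixos` builder whose `let` begins at the bottom of this hunk continues outside it.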
@@ -46,17 +65,29 @@ inputs.hercules-ci-agent.nixosModules.agent-service self.nixosModules.settei self.nixosModules.common + sharedOptions + defaultOptions + module + ]; + specialArgs.configurationName = name; + }; + + darwin = name: module: let + defaultOptions = { + _file = ./default.nix; + }; + in + inputs.darwin.lib.darwinSystem { + modules = [ + inputs.agenix.darwinModules.age + inputs.home-manager.darwinModules.home-manager + inputs.hercules-ci-agent.darwinModules.agent-service + self.darwinModules.settei + sharedOptions defaultOptions module ]; specialArgs.configurationName = name; }; }; - - imports = [ - ./kazuki - ./hijiri-vm - # ./legion - ./installer - ]; } diff --git a/hosts/hijiri-vm/default.nix b/hosts/hijiri-vm/default.nix index 7a7681f..55c4cbd 100644 --- a/hosts/hijiri-vm/default.nix +++ b/hosts/hijiri-vm/default.nix @@ -1,9 +1,4 @@ { - self, - inputs, - config, - ... -}: { configurations.nixos.hijiri-vm = { modulesPath, lib, @@ -15,7 +10,7 @@ ./disks.nix ]; - nixpkgs.system = "aarch64-linux"; + nixpkgs.hostPlatform = "aarch64-linux"; boot = { loader.systemd-boot.enable = true; diff --git a/hosts/hijiri/default.nix b/hosts/hijiri/default.nix new file mode 100644 index 0000000..0900b97 --- /dev/null +++ b/hosts/hijiri/default.nix @@ -0,0 +1,5 @@ +{ + configurations.darwin.hijiri = { + nixpkgs.hostPlatform = "aarch64-darwin"; + }; +} diff --git a/hosts/kazuki/default.nix b/hosts/kazuki/default.nix index 9c1d694..0411661 100644 --- a/hosts/kazuki/default.nix +++ b/hosts/kazuki/default.nix @@ -1,9 +1,6 @@ { - config, - self, - ... -}: { configurations.nixos.kazuki = { + config, modulesPath, lib, ... @@ -17,7 +14,7 @@ ./vault.nix ]; - nixpkgs.system = "aarch64-linux"; + nixpkgs.hostPlatform = "aarch64-linux"; boot = { loader.systemd-boot.enable = true; 
@@ -26,10 +23,5 @@ }; common.hercules.enable = true; - age.secrets.kazuki-cachix = { - file = ../../secrets/kazuki-cachix.age; - owner = config.systemd.services.hercules-ci-agent.serviceConfig.User; - }; - services.hercules-ci-agent.settings.binaryCachesPath = config.age.secrets.kazuki-cachix.path; }; } diff --git a/hosts/kazuki/mail.nix b/hosts/kazuki/mail.nix index 808361b..f4b77b8 100644 --- a/hosts/kazuki/mail.nix +++ b/hosts/kazuki/mail.nix @@ -1,4 +1,5 @@ {config, ...}: { + # nix shell nixpkgs#apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2 age.secrets = { leet-nrab-lol.file = ../../secrets/leet-nrab-lol-pass.age; alert-nrab-lol.file = ../../secrets/alert-nrab-lol-pass.age; diff --git a/hosts/legion/default.nix b/hosts/legion/default.nix index 120d8b6..d643316 100644 --- a/hosts/legion/default.nix +++ b/hosts/legion/default.nix @@ -1,18 +1,17 @@ -{config, ...}: let - inherit (config.assets) sshKeys; -in { +{ configurations.nixos.legion = { config, lib, + username, ... }: { imports = [ ./hardware.nix # ./disks.nix - ./initrd.nix + ./msmtp.nix ]; - nixpkgs.system = "x86_64-linux"; + nixpkgs.hostPlatform = "x86_64-linux"; specialisation = { nas.configuration = ./nas; @@ -28,10 +27,15 @@ in { hostName = "legion"; hostId = builtins.substring 0 8 (builtins.readFile ./machine-id); networkmanager.enable = true; - useDHCP = true; firewall.trustedInterfaces = ["tailscale0"]; }; + systemd.services.NetworkManager-wait-online.enable = false; powerManagement.cpuFreqGovernor = "performance"; + + age.secrets.niko-pass.file = ../../secrets/legion-niko-pass.age; + users.users.${username}.hashedPasswordFile = config.age.secrets.niko-pass.path; + + common.hercules.enable = true; }; } diff --git a/hosts/legion/disks.nix b/hosts/legion/disks.nix index 1589606..5b1194d 100644 --- a/hosts/legion/disks.nix +++ b/hosts/legion/disks.nix 
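Review bot: The new comment recommends `htpasswd -nbB "" "super secret password"`, and `-b` takes the password from the command line, where it is written to shell history and is visible to every local user via `ps` for the duration of the run. Recommend the prompting form instead, `nix shell nixpkgs#apacheHttpd -c htpasswd -nB "" | cut -d: -f2`, which asks for the password twice without echo and produces the same bcrypt output.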
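Review bot: `users.users.${username}.hashedPasswordFile = config.age.secrets.niko-pass.path;` gives this account a real login password, and the shared sane-defaults enable `services.openssh` without touching `PasswordAuthentication`, which NixOS leaves at `true` by default, so unless it is overridden elsewhere in the tree sshd on legion will now accept that password on any interface the firewall admits, not just `tailscale0`. Add `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` next to the new line unless password SSH logins are intended; the authorized-keys list from `allSshKeys` already covers key-based access. The `networking` attrset this hunk edits starts above the hunk.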
@@ -1,6 +1,10 @@ -args: let +args: +/* +let bootDevice = args.bootDevice or "/dev/nvme0n1"; -in { +in +*/ +{ assertions = [ { assertion = false; diff --git a/hosts/legion/hardware.nix b/hosts/legion/hardware.nix index 756a876..3b5b717 100644 --- a/hosts/legion/hardware.nix +++ b/hosts/legion/hardware.nix @@ -1,9 +1,11 @@ -{...}: { +{config, ...}: { boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "uas"]; boot.extraModulePackages = with config.boot.kernelPackages; [acpi_call]; boot.kernelModules = ["kvm-intel" "i2c-dev" "acpi_call"]; boot.blacklistedKernelModules = ["nouveau"]; + # Needed for enableAllFirmware + nixpkgs.config.allowUnfree = true; hardware = { enableAllFirmware = true; cpu.intel.updateMicrocode = true; diff --git a/hosts/legion/initrd.nix b/hosts/legion/initrd.nix deleted file mode 100644 index b9d4527..0000000 --- a/hosts/legion/initrd.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ - config, - username, - ... -}: { - boot.initrd = { - availableKernelModules = ["ath10k_pci" "r8169"]; - network.enable = true; - network.ssh = { - enable = true; - authorizedKeys = config.users.users.${username}.openssh.authorizedKeys.keys; - }; - }; -} diff --git a/hosts/legion/machine-id b/hosts/legion/machine-id new file mode 100644 index 0000000..2a76224 --- /dev/null +++ b/hosts/legion/machine-id @@ -0,0 +1 @@ +524209a432724c7abaf04398cdd6eecd diff --git a/hosts/legion/msmtp.nix b/hosts/legion/msmtp.nix new file mode 100644 index 0000000..fea94f5 --- /dev/null +++ b/hosts/legion/msmtp.nix 
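Review bot: `hosts/legion/machine-id` is committed so `networking.hostId` can take its first eight characters, but if this is legion's real `/etc/machine-id` it is now public; systemd documents the machine ID as confidential because it seeds application-specific identifiers that can reach the network (DHCP client identifiers, for example). `hostId` only needs eight hex characters that stay stable for ZFS, so a separately generated value, e.g. from `head -c4 /dev/urandom | od -A n -t x4`, serves the purpose without publishing the host's identity. If the file is already a throwaway value that is never installed as the machine ID, a one-line comment next to `hostId` in hosts/legion/default.nix saying so would settle it.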
@@ -0,0 +1,34 @@ +# TODO: Potentially make this a common module? +{ + pkgs, + config, + username, + ... +}: let + mail = "alert@nrab.lol"; + aliases = pkgs.writeText "mail-aliases" '' + ${username}: nikodem@rabulinski.com + root: ${mail} + ''; +in { + age.secrets.alert-plaintext.file = ../../secrets/alert-plain-pass.age; + + programs.msmtp = { + enable = true; + setSendmail = true; + defaults = { + inherit aliases; + tls = "on"; + auth = "login"; + tls_starttls = "off"; + }; + accounts = { + default = { + host = "mail.nrab.lol"; + passwordeval = "cat ${config.age.secrets.alert-plaintext.path}"; + user = mail; + from = mail; + }; + }; + }; +} diff --git a/hosts/legion/nas/default.nix b/hosts/legion/nas/default.nix index 426b69a..2e715eb 100644 --- a/hosts/legion/nas/default.nix +++ b/hosts/legion/nas/default.nix @@ -1,5 +1,6 @@ { pkgs, + lib, username, ... }: { @@ -7,7 +8,7 @@ ./media.nix ]; - boot.supportedFilesystems = ["zfs"]; + boot.supportedFilesystems = ["ext4" "zfs"]; boot.zfs.extraPools = ["yottapool"]; services.zfs = { @@ -15,7 +16,7 @@ zed.settings = { ZED_DEBUG_LOG = "/tmp/zed.debug.log"; ZED_EMAIL_ADDR = [username]; - ZED_EMAIL_PROG = "${pkgs.msmtp}/bin/msmtp"; + ZED_EMAIL_PROG = lib.getExe pkgs.msmtp; ZED_EMAIL_OPTS = "@ADDRESS@"; ZED_NOTIFY_INTERVAL_SECS = 3600; @@ -26,8 +27,8 @@ }; }; - fileSystems."/nix-cache" = { - device = "/dev/disk/by-label/CACHE"; + fileSystems."/bulk" = { + device = "/dev/disk/by-label/BULK"; fsType = "ext4"; }; } diff --git a/hosts/legion/nas/media.nix b/hosts/legion/nas/media.nix index 65c05ed..84752ca 100644 --- a/hosts/legion/nas/media.nix +++ b/hosts/legion/nas/media.nix @@ -1,4 +1,4 @@ -{ +{username, ...}: { services.jellyfin.enable = true; services.radarr.enable = true; services.sonarr.enable = true; @@ -13,6 +13,6 @@ jellyfin.extraGroups = ["radarr" "sonarr"]; radarr.extraGroups = ["deluge"]; sonarr.extraGroups = ["deluge"]; - niko.extraGroups = ["deluge"]; + ${username}.extraGroups = ["deluge"]; }; } 
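Review bot: `passwordeval = "cat ${config.age.secrets.alert-plaintext.path}"` reads a secret that agenix installs root-owned and mode 0400 by default, so msmtp works only when invoked as root (zed, root's cron); any sendmail call from `${username}` or a service account fails on the password read, and the easy "fix" at that point is to widen the file mode. If unprivileged senders are expected, declare a dedicated group and narrow the grant to it instead, `age.secrets.alert-plaintext = { file = ../../secrets/alert-plain-pass.age; mode = "0440"; group = "msmtp"; };` with `users.groups.msmtp = {}` and the sending accounts added to that group. `tls = "on"` with `tls_starttls = "off"` and no `port` also relies on msmtp's port default for implicit TLS; an explicit `port = 465;` with a one-line comment would make the intent obvious to the next reader.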
diff --git a/modules/darwin/default.nix b/modules/darwin/default.nix new file mode 100644 index 0000000..aab4e64 --- /dev/null +++ b/modules/darwin/default.nix @@ -0,0 +1,5 @@ +{config, ...}: { + flake.darwinModules = { + settei = import ./settei {inherit (config) perInput;}; + }; +} diff --git a/modules/darwin/settei/default.nix b/modules/darwin/settei/default.nix new file mode 100644 index 0000000..3b18865 --- /dev/null +++ b/modules/darwin/settei/default.nix @@ -0,0 +1,6 @@ +{perInput}: { + imports = [ + (import ../../shared/settei {inherit perInput;}) + ./sane-defaults.nix + ]; +} diff --git a/modules/darwin/settei/sane-defaults.nix b/modules/darwin/settei/sane-defaults.nix new file mode 100644 index 0000000..b58d101 --- /dev/null +++ b/modules/darwin/settei/sane-defaults.nix @@ -0,0 +1,17 @@ +# For sane-default options shared between NixOS and darwin, see modules/shared/settei/sane-defaults.nix +{ + config, + lib, + username, + ... +}: { + config = lib.mkIf config.settei.sane-defaults.enable { + services.nix-daemon.enable = true; + + security.pam.enableSudoTouchIdAuth = true; + + users.users.${username}.home = "/Users/${username}"; + + system.stateVersion = 4; + }; +} diff --git a/modules/default.nix b/modules/default.nix index cf105c1..9268452 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -1,6 +1,7 @@ { imports = [ ./nixos + ./darwin ./flake ]; } diff --git a/modules/flake/configurations.nix b/modules/flake/configurations.nix index f1e64c3..79bccba 100644 --- a/modules/flake/configurations.nix +++ b/modules/flake/configurations.nix @@ -7,10 +7,8 @@ lib, flake-parts-lib, ... -}: let - inherit (lib) mkOption mapAttrs; - inherit (flake-parts-lib) mkSubmoduleOptions; -in { +}: +with lib; { _file = ./configurations.nix; options = { 
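Review bot: `with lib;` at module scope replaces the previous explicit `inherit (lib) mkOption mapAttrs;` and `inherit (flake-parts-lib) mkSubmoduleOptions;`, a style regression: nixpkgs discourages module-wide `with lib;` because it makes the origin of every unqualified name ambiguous and defeats static checks for unused or shadowed bindings. Keep the names explicit, `inherit (lib) mkOption mapAttrs types;`, which also documents that `types` is the only new name this commit needs. The `options = {` attrset opened at the end of this hunk continues in the next one.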
@@ -18,37 +16,36 @@ in { # Probably should hardly ever be overriden builders = { nixos = mkOption { - type = lib.types.functionTo lib.types.unspecified; + type = types.functionTo types.unspecified; default = _name: nixpkgs.lib.nixosSystem; }; darwin = mkOption { - type = lib.types.functionTo lib.types.unspecified; + type = types.functionTo types.unspecified; default = _name: darwin.lib.darwinSystem; }; home = mkOption { - type = lib.types.functionTo lib.types.unspecified; + type = types.functionTo types.unspecified; default = _name: home-manager.lib.homeManagerConfiguration; }; }; configurations = { nixos = mkOption { - type = lib.types.unspecified; + type = types.attrsOf types.deferredModule; default = {}; }; darwin = mkOption { - type = lib.types.unspecified; + type = types.attrsOf types.deferredModule; default = {}; }; home = mkOption { - type = lib.types.unspecified; + type = types.attrsOf types.deferredModule; default = {}; }; }; }; - config. - flake = { + config.flake = { nixosConfigurations = mapAttrs config.builders.nixos diff --git a/modules/nixos/common/hercules.nix b/modules/nixos/common/hercules.nix index 2f2dea7..b372e00 100644 --- a/modules/nixos/common/hercules.nix +++ b/modules/nixos/common/hercules.nix @@ -1,6 +1,5 @@ { config, - pkgs, lib, ... }: { 
@@ -8,19 +7,26 @@ options.common.hercules.enable = lib.mkEnableOption "Enables hercules-ci-agent with my configuration"; - config = lib.mkIf config.common.hercules.enable { - age.secrets.hercules-token = { - file = ../../secrets/hercules-token.age; - owner = config.systemd.services.hercules-ci-agent.serviceConfig.User; - }; + config = let + herculesUser = config.systemd.services.hercules-ci-agent.serviceConfig.User; + in + lib.mkIf config.common.hercules.enable { + age.secrets.hercules-token = { + file = ../../../secrets/hercules-token.age; + owner = herculesUser; + }; + age.secrets.hercules-cache = { + file = ../../../secrets/hercules-cache.age; + owner = herculesUser; + }; - services.hercules-ci-agent = { - enable = true; - settings = { - clusterJoinTokenPath = config.age.secrets.hercules-token.path; - concurrentTasks = lib.mkDefault 4; - binaryCachesPath = pkgs.writeText "empty-caches.json" "{}"; + services.hercules-ci-agent = { + enable = true; + settings = { + clusterJoinTokenPath = config.age.secrets.hercules-token.path; + concurrentTasks = lib.mkDefault 4; + binaryCachesPath = config.age.secrets.hercules-cache.path; + }; }; }; - }; } diff --git a/modules/nixos/settei/default.nix b/modules/nixos/settei/default.nix index 7d6ee0f..3b18865 100644 --- a/modules/nixos/settei/default.nix +++ b/modules/nixos/settei/default.nix @@ -1,19 +1,6 @@ {perInput}: { - lib, - config, - ... -}: { - _file = ./default.nix; - imports = [ + (import ../../shared/settei {inherit perInput;}) ./sane-defaults.nix - (import ./flake-qol.nix {inherit perInput;}) - ./user.nix ]; - - options.settei = with lib; { - username = mkOption { - type = types.str; - }; - }; } diff --git a/modules/nixos/settei/sane-defaults.nix b/modules/nixos/settei/sane-defaults.nix index 9dca8f8..58904bc 100644 --- a/modules/nixos/settei/sane-defaults.nix +++ b/modules/nixos/settei/sane-defaults.nix 
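Review bot: `binaryCachesPath = config.age.secrets.hercules-cache.path;` points at a file that secrets/secrets.nix in this same commit encrypts to both kazuki and legion, so if it holds the cachix push token for nrabulinski.cachix.org (the secret name and the agent option suggest so, though the contents are not visible), a compromise of the agent user on either host allows publishing paths that every machine in this flake trusts through `trusted-public-keys`. Consider one cachix auth token per agent host kept as a per-host secret, so a token can be revoked without rotating the cache for the other agent; the same reasoning applies to the shared `hercules-token.age`. A short comment above `age.secrets.hercules-cache` stating what the JSON must contain would also help, since the old `empty-caches.json` placeholder that hinted at the shape is gone.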
@@ -1,39 +1,19 @@ -# This module is supposed to be a reusable set of options you probably would want to set anyway -# -# Other default options which don't necessairly make sense for other people go into hosts/default.nix +# For sane-default options shared between NixOS and darwin, see modules/shared/settei/sane-defaults.nix { - lib, config, + username, + lib, ... -} @ args: { - _file = ./sane-defaults.nix; - - options.settei.sane-defaults = with lib; { - enable = mkEnableOption "Personal sane defaults (but they should make sense for anyone)"; - allSshKeys = mkOption { - type = types.attrsOf types.singleLineStr; - default = {}; - }; - }; - - config = lib.mkIf config.settei.sane-defaults.enable (let - cfg = config.settei; - inherit (cfg) username; - configName = optionName: - args.configurationName - or (throw "pass configurationName to module arguments or set ${optionName} yourself"); - in { - _module.args = { - username = lib.mkDefault username; - }; - +} @ args: let + cfg = config.settei.sane-defaults; +in { + config = lib.mkIf cfg.enable { # https://github.com/NixOS/nixpkgs/issues/254807 boot.swraid.enable = false; hardware.enableRedistributableFirmware = true; services.openssh.enable = true; - services.tailscale.enable = true; programs.mosh.enable = lib.mkDefault true; users = { 
@@ -45,41 +25,21 @@ extraGroups = ["wheel"]; openssh.authorizedKeys.keys = let filteredKeys = let - configName' = configName "users.users.${username}.openssh.authorizedKeys"; + configName' = + args.configurationName + or (throw "pass configurationName to module arguments or set users.users.${username}.openssh.authorizedKeys yourself"); in - lib.filterAttrs (name: _: name != configName') cfg.sane-defaults.allSshKeys; + lib.filterAttrs (name: _: name != configName') cfg.allSshKeys; in lib.mkDefault (lib.attrValues filteredKeys); }; groups.${username} = {}; }; - networking.hostName = lib.mkDefault (configName "networking.hostName"); - - nix = { - settings = { - experimental-features = ["nix-command" "flakes" "repl-flake" "auto-allocate-uids"]; - trusted-users = lib.optionals (!config.security.sudo.wheelNeedsPassword) [username]; - auto-allocate-uids = true; - extra-substituters = [ - "https://hyprland.cachix.org" - "https://cache.garnix.io" - "https://nix-community.cachix.org" - "https://hercules-ci.cachix.org" - ]; - trusted-public-keys = [ - "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc=" - "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" - "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" - "hercules-ci.cachix.org-1:ZZeDl9Va+xe9j+KqdzoBZMFJHVQ42Uu/c/1/KMC5Lw0=" - ]; - }; - }; - # TODO: Actually this should be extraRules which makes wheel users without any password set # be able to use sudo with no password security.sudo.wheelNeedsPassword = false; system.stateVersion = "22.05"; - }); + }; } diff --git a/modules/shared/settei/default.nix b/modules/shared/settei/default.nix new file mode 100644 index 0000000..7d6ee0f --- /dev/null +++ b/modules/shared/settei/default.nix 
@@ -0,0 +1,19 @@ +{perInput}: { + lib, + config, + ... +}: { + _file = ./default.nix; + + imports = [ + ./sane-defaults.nix + (import ./flake-qol.nix {inherit perInput;}) + ./user.nix + ]; + + options.settei = with lib; { + username = mkOption { + type = types.str; + }; + }; +} diff --git a/modules/nixos/settei/flake-qol.nix b/modules/shared/settei/flake-qol.nix similarity index 92% rename from modules/nixos/settei/flake-qol.nix rename to modules/shared/settei/flake-qol.nix index 065dc89..b4b6636 100644 --- a/modules/nixos/settei/flake-qol.nix +++ b/modules/shared/settei/flake-qol.nix @@ -43,7 +43,7 @@ in { nix = { registry = lib.mapAttrs (_: flake: {inherit flake;}) cfg.inputs-flakes; - nixPath = map (name: "${name}=flake:${name}") (lib.attrNames cfg.inputs-flakes); + nixPath = lib.mapAttrsToList (name: _: "${name}=flake:${name}") cfg.inputs-flakes; }; }; } diff --git a/modules/shared/settei/sane-defaults.nix b/modules/shared/settei/sane-defaults.nix new file mode 100644 index 0000000..0140d5b --- /dev/null +++ b/modules/shared/settei/sane-defaults.nix 
@@ -0,0 +1,58 @@ +# This module is supposed to be a reusable set of options you probably would want to set anyway +# +# Other default options which don't necessairly make sense for other people go into hosts/default.nix +{ + config, + pkgs, + lib, + ... +} @ args: { + _file = ./sane-defaults.nix; + + options.settei.sane-defaults = with lib; { + enable = mkEnableOption "Personal sane defaults (but they should make sense for anyone)"; + allSshKeys = mkOption { + type = types.attrsOf types.singleLineStr; + default = {}; + }; + }; + + config = lib.mkIf config.settei.sane-defaults.enable (let + cfg = config.settei; + inherit (cfg) username; + adminNeedsPassword = pkgs.stdenv.isLinux -> config.security.sudo.wheelNeedsPassword; + in { + _module.args = { + username = lib.mkDefault username; + }; + + services.tailscale.enable = true; + + networking.hostName = lib.mkDefault ( + args.configurationName + or (throw "pass configurationName to module arguments or set networking.hostName yourself") + ); + + nix = { + settings = { + experimental-features = ["nix-command" "flakes" "repl-flake" "auto-allocate-uids"]; + trusted-users = lib.optionals (!adminNeedsPassword) [username]; + auto-allocate-uids = true; + extra-substituters = [ + "https://hyprland.cachix.org" + "https://cache.garnix.io" + "https://nix-community.cachix.org" + "https://hercules-ci.cachix.org" + "https://nrabulinski.cachix.org" + ]; + trusted-public-keys = [ + "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc=" + "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + "hercules-ci.cachix.org-1:ZZeDl9Va+xe9j+KqdzoBZMFJHVQ42Uu/c/1/KMC5Lw0=" + "nrabulinski.cachix.org-1:Q5FD7+1c68uH74CQK66UWNzxhanZW8xcg1LFXxGK8ic=" + ]; + }; + }; + }); +} 
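Review bot: `trusted-users = lib.optionals (!adminNeedsPassword) [username];` grants the user root-equivalent control of the Nix daemon (arbitrary substituters, sandbox off, store paths with any content), and the only thing explaining why that is acceptable is the `->` expression a few lines up. Add a comment above `adminNeedsPassword`, e.g. `# trusted-users is root-equivalent: only grant it where passwordless sudo already makes the user root`. Note the darwin consequence as well: `pkgs.stdenv.isLinux -> ...` is always true when `isLinux` is false, so on darwin the user is never added to trusted-users; if that is intended, a second clause in the comment saying so will stop someone "fixing" it.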
diff --git a/modules/nixos/settei/user.nix b/modules/shared/settei/user.nix similarity index 95% rename from modules/nixos/settei/user.nix rename to modules/shared/settei/user.nix index 348c8d6..4ba3c13 100644 --- a/modules/nixos/settei/user.nix +++ b/modules/shared/settei/user.nix @@ -36,7 +36,7 @@ in { home = { inherit username; homeDirectory = config.users.users.${username}.home; - stateVersion = config.system.stateVersion; + stateVersion = "22.05"; }; programs.home-manager.enable = true; diff --git a/secrets/alert-nrab-lol-pass.age b/secrets/alert-nrab-lol-pass.age index 3cd5201..7fa96b1 100644 --- a/secrets/alert-nrab-lol-pass.age +++ b/secrets/alert-nrab-lol-pass.age @@ -1,10 +1,10 @@ age-encryption.org/v1 --> ssh-ed25519 84j9mw jmpsgact3iy0+A1ggWzK98D1e7R/44F9TgzFSg6BIWA -K6S7UNkJNh859EgPdMTpYol4vaSD0nfjsu6SMk9F5Vo --> ssh-ed25519 GKhvwg YGAiny4ZXIqplrdFqETxB4chp9IqJt5fHb+NK4Bvan0 -0rgp0zJiGX5t4x/FKoLDJWMJW1hPsfVNMd4bPmv6Xdo --> }Z-grease dI \ a^Wyct @c5 -H3cGSMZsNUPMewieU4NK6zr4IlLt+hivE3FnRBrNzll7WGBd942TAFQ8YRa9sIbJ -b9mvv1dqYmoS7MBVAGJvLgaX ---- C9QLdKcJPuN/raiGvmopHeYM2tnURzDMzV8DRAmffR0 -`0D`Vo/T~{({:hxj^Bn'T0[Ug=_DDU!-5B Z:s}PFfh \ No newline at end of file +-> ssh-ed25519 84j9mw bG9/dNwxbn7mVFKLraVw594U+CUVNXmDX56xODpn8m8 +wMuzPr8LdQEdeyF4LCKepSgRU1oWl2znplE/8T+AMVw +-> ssh-ed25519 GKhvwg gZ4nVDAdjyhXyoDsIr+LBnLaF94zJLe9hoDN8jRY2Sw +cdz0BUiD1YwnN7FWJcqzYYU83HzDYWlQgc+qPPMUtcE +-> `#k-grease A3Jo +IPGUbK+Mg0+gFt44tyFi +--- 6g1g/jyT0Yg+lgfmdUpZzUN5ryWGWIKYABUVw6crzfA +oeE^=*JnTj՘oq\nT.Te +Y:y,bź]"޾SFЉp)ڵۜJH.JgErOL \ No newline at end of file diff --git a/secrets/alert-plain-pass.age b/secrets/alert-plain-pass.age new file mode 100644 index 0000000..29341a2 --- /dev/null +++ b/secrets/alert-plain-pass.age 
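Review bot: `stateVersion = "22.05";` replaces `config.system.stateVersion` with a literal and nothing says why; the reason appears to be that the darwin sane-defaults added in this commit set `system.stateVersion = 4`, an integer that home-manager's string-typed option cannot accept. Record that so the next reader does not revert it: `stateVersion = "22.05"; # must be a string; darwin's system.stateVersion is an int, so config.system.stateVersion cannot be reused`. The home-manager module this `home = { ... }` belongs to continues outside the hunk.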
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 ioPMHA GErPiwFO6TluW+/QapeT0BhWH2yVd54UfCsi5s8STm8 +/rOO0+oXHGnJ54PdgPSJ/UWeZm1Ibtptnz+tv6zhTLA +-> ssh-ed25519 GKhvwg MtNidti8d7qz3NERKPdoU0UtNj/SZp2htzXYB3NUMXM +WKdKJtjfsWFgoO09wpw87JdOaGNqDpC9MRs7Fumfn/g +-> 'JP4o}-grease Thf +jq5xoH6w3eDeGBGf1jKPCxEl +--- sI/u3P4XIpQOMPXhtCy4XqRo+FSi5IdUDNxw0S88gWc +@;|U:B{x3!9A2ۀSNg#ً͇r68S 2 \ No newline at end of file diff --git a/secrets/hercules-cache.age b/secrets/hercules-cache.age new file mode 100644 index 0000000..e7f01f6 --- /dev/null +++ b/secrets/hercules-cache.age @@ -0,0 +1,14 @@ +age-encryption.org/v1 +-> ssh-ed25519 84j9mw UohYhuFXjwI+Ya6a2nIjFt1FSpp/S1fss8+ZffKf91M +q8q6+vScXETWtB8YDO84X6D5KTptP4JhNtW4yH8D2dw +-> ssh-ed25519 ioPMHA 0NAryvpJ42YzfO4/cNE6UvRzqEk4rjM4PTInqiSj/Qk +/V72hnrePBIiO0U6817ij91W2G3lHS/yZjLXu9ngMyw +-> ssh-ed25519 GKhvwg Lqt8W9uLyyEqtdQMriomn/D/s4yy/F7qID1N6FbbSVw +vSC+r50g8xVE+bKNJ7QMtZD9uacainZ+KK7U8Lb4B/A +-> kW{-]#L<-grease 7>z.Yr}9 YOwZ f"i}Y;^= +l3YcF04OxddtsUHtQLBW9qotCY+Wghl7y2HsRtEXnwBjRiyzvCjc/RMQ70/f4WW7 +xIS9WI00LtKj8rAoNmvOsIDkMzKvuutQmmZYBJEk +--- L1zbOMuts43q3o1ziGlV4VBu3DyKYO6jNVZlJt4CUdg +2͔um\:;b7aH 7ML!{uWXZv݊LHV\?*,$d6S3JҤ"D/eRkmI MMڑrMIpS)xk+luuGӮ3M{NٍB[i`o ɡ[Q1rh-ŕ +?f;5~5T"l,ŋ݋? i ([wX +<nxD_st$3%#g_!{!ߜ~8)̘OXۀg0<)GIdf'daC^=EHapnh~Aɶ/H' \ No newline at end of file diff --git a/secrets/hercules-token.age b/secrets/hercules-token.age index 06175fb..92ded9f 100644 Binary files a/secrets/hercules-token.age and b/secrets/hercules-token.age differ diff --git a/secrets/kazuki-cachix.age b/secrets/kazuki-cachix.age deleted file mode 100644 index c210043..0000000 Binary files a/secrets/kazuki-cachix.age and /dev/null differ diff --git a/secrets/leet-nrab-lol-pass.age b/secrets/leet-nrab-lol-pass.age index 804d4c1..5258560 100644 Binary files a/secrets/leet-nrab-lol-pass.age and b/secrets/leet-nrab-lol-pass.age differ 
diff --git a/secrets/legion-niko-pass.age b/secrets/legion-niko-pass.age new file mode 100644 index 0000000..9b9231d Binary files /dev/null and b/secrets/legion-niko-pass.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 68ddd3d..18f90ca 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -5,6 +5,8 @@ in { "alert-nrab-lol-pass.age".publicKeys = [keys.system.kazuki keys.other.bootstrap]; "vault-cert-env.age".publicKeys = [keys.system.kazuki keys.other.bootstrap]; # "bitwarden-env-file.age".publicKeys = [keys.system.kazuki keys.other.bootstrap]; - "hercules-token.age".publicKeys = [keys.system.kazuki keys.other.bootstrap]; - "kazuki-cachix.age".publicKeys = [keys.system.kazuki keys.other.bootstrap]; + "hercules-token.age".publicKeys = [keys.system.kazuki keys.system.legion keys.other.bootstrap]; + "hercules-cache.age".publicKeys = [keys.system.kazuki keys.system.legion keys.other.bootstrap]; + "alert-plain-pass.age".publicKeys = [keys.system.legion keys.other.bootstrap]; + "legion-niko-pass.age".publicKeys = [keys.system.legion keys.other.bootstrap]; } diff --git a/secrets/vault-cert-env.age b/secrets/vault-cert-env.age index 7232086..3066029 100644 --- a/secrets/vault-cert-env.age +++ b/secrets/vault-cert-env.age @@ -1,9 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 84j9mw 13PBQImkhu4ivVTaeHWkpRfidgOFF7FBLD18amn5+Xs -ZeZhuWZqI8Poa1ROlaYAXkr6QBM4355lWpYaHAtaTP8 --> ssh-ed25519 GKhvwg gSXVzlieRXepW8s4onx4SDd75LVTyr1Rbc2/1LUIGTw -AOmJNzvioM7B+114BMBc5xbxfOAbielwizwtNzK2G7k --> K/_&?-grease 'jg+M|s Cw&g= -yfPl ---- 8idL6hzmOCas0TKD8rvx7qlSGbzLPFxAOdlnSNi5+sY - =lXs$xK2F^#_B q"Z*2`0n|#z S;U@:RGuv>ʺ Z\mN( \ No newline at end of file +-> ssh-ed25519 84j9mw vOJaWCNIGFgf6O0nTt+g1a5y5iKvMlr9nrpF1jTNGmM +MxiliY7O3k0P47mYrmV6ovZu9+03JCCUvOe8Zu7gi34 +-> ssh-ed25519 GKhvwg XSQNhU9xCPQu7iIcshQxncgqp37J8iS1H6FKDaChPTo +uH8yhnQc184zK72pwwNod110/ehMiT/eWbHN894XThU +-> w>U?#&-grease