refactor: change file structure to use modules dir
This commit reorganizes the file structure into the following parts: `/modules` contains reusable logic blocks for hosts. `/hosts` contains host configurations. `/lib` contains nix library functions. `/overlays` contains overlay files. `/public-keys` contains all information regarding public keys. This change reduces the complexity of flake.nix by delegating that logic to the `default.nix` files in the above directories.
This commit is contained in:
parent
65a660117a
commit
e8ad662631
81
flake.nix
81
flake.nix
|
@ -37,6 +37,8 @@
|
||||||
./public-keys
|
./public-keys
|
||||||
./lib
|
./lib
|
||||||
./overlays
|
./overlays
|
||||||
|
./modules
|
||||||
|
./hosts
|
||||||
];
|
];
|
||||||
|
|
||||||
perSystem = { system, pkgs, config, ... }: {
|
perSystem = { system, pkgs, config, ... }: {
|
||||||
|
@ -73,88 +75,11 @@
|
||||||
flake =
|
flake =
|
||||||
let
|
let
|
||||||
username = "barkeeper";
|
username = "barkeeper";
|
||||||
system = "x86_64-linux";
|
|
||||||
in {
|
in {
|
||||||
nixosConfigurations = {
|
inherit username;
|
||||||
nachtigall = self.nixos-flake.lib.mkLinuxSystem {
|
|
||||||
imports = [
|
|
||||||
self.nixosModules.common
|
|
||||||
./hosts/nachtigall
|
|
||||||
self.pub-solar.lib.linux.unlockZFSOnBoot
|
|
||||||
self.nixosModules.home-manager
|
|
||||||
self.nixosModules.linux
|
|
||||||
self.nixosModules.overlays
|
|
||||||
inputs.agenix.nixosModules.default
|
|
||||||
{
|
|
||||||
home-manager.users.${username} = {
|
|
||||||
imports = [
|
|
||||||
self.homeModules.common
|
|
||||||
];
|
|
||||||
home.stateVersion = "23.05";
|
|
||||||
};
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;
|
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;
|
||||||
|
|
||||||
nixosModules = {
|
|
||||||
# Common nixos/nix-darwin configuration shared between Linux and macOS.
|
|
||||||
common = { pkgs, ... }: {
|
|
||||||
virtualisation.docker = {
|
|
||||||
enable = true;
|
|
||||||
extraOptions = ''
|
|
||||||
--data-root /var/lib/docker
|
|
||||||
'';
|
|
||||||
storageDriver = "zfs";
|
|
||||||
};
|
|
||||||
|
|
||||||
services.openssh.enable = true;
|
|
||||||
services.openssh.settings.PermitRootLogin = "prohibit-password";
|
|
||||||
services.openssh.settings.PasswordAuthentication = false;
|
|
||||||
};
|
|
||||||
|
|
||||||
# NixOS specific configuration
|
|
||||||
linux = { pkgs, ... }: {
|
|
||||||
users.users.${username} = {
|
|
||||||
name = username;
|
|
||||||
group = username;
|
|
||||||
extraGroups = ["wheel"];
|
|
||||||
isNormalUser = true;
|
|
||||||
openssh.authorizedKeys.keys = self.publicKeys.allAdmins;
|
|
||||||
};
|
|
||||||
users.groups.${username} = {};
|
|
||||||
|
|
||||||
security.sudo.wheelNeedsPassword = false;
|
|
||||||
nix.settings.trusted-users = [ "root" username ];
|
|
||||||
|
|
||||||
# TODO: Remove when we stop locking ourselves out.
|
|
||||||
users.users.root.openssh.authorizedKeys.keys = self.publicKeys.allAdmins;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
# All home-manager configurations are kept here.
|
|
||||||
homeModules = {
|
|
||||||
# Common home-manager configuration shared between Linux and macOS.
|
|
||||||
common = { pkgs, ... }: {
|
|
||||||
programs.git.enable = true;
|
|
||||||
programs.starship.enable = true;
|
|
||||||
programs.bash.enable = true;
|
|
||||||
programs.neovim = {
|
|
||||||
enable = true;
|
|
||||||
vimAlias = true;
|
|
||||||
viAlias = true;
|
|
||||||
defaultEditor = true;
|
|
||||||
# configure = {
|
|
||||||
# packages.myVimPackages = with pkgs.vimPlugins; {
|
|
||||||
# start = [vim-nix vim-surrund rainbow];
|
|
||||||
# };
|
|
||||||
# };
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
deploy.nodes = self.pub-solar.lib.deploy.mkDeployNodes self.nixosConfigurations {
|
deploy.nodes = self.pub-solar.lib.deploy.mkDeployNodes self.nixosConfigurations {
|
||||||
nachtigall = {
|
nachtigall = {
|
||||||
sshUser = username;
|
sshUser = username;
|
||||||
|
|
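Review bot: `inherit username;` in the second hunk turns `username` into a top-level flake output, which `nix flake check` is likely to report as an unknown output, and every module in modules/ now hard-wires a single admin account name through `self.username` or `flake.self.username`. If that is intended, a comment at the declaration such as `# exported so modules/ can reach the admin account name via flake.self.username` would save the next reader a search through the repository. The `flake =` attribute set continues past the end of the hunk, so any other consumers of `username` there are outside this view.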
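--- /dev/null
+++ b/hosts/default.nix
@@ -0,0 +1,18 @@
+{ self, ... }:
+{
+  flake = {
+    nixosConfigurations = {
+      nachtigall = self.nixos-flake.lib.mkLinuxSystem {
+        imports = [
+          self.inputs.agenix.nixosModules.default
+          self.nixosModules.home-manager
+          ./nachtigall
+          self.nixosModules.overlays
+          self.nixosModules.unlock-zfs-on-boot
+          self.nixosModules.core
+          self.nixosModules.docker
+        ];
+      };
+    };
+  };
+}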
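Review bot: `self.nixosModules.home-manager` is imported here but is not among the modules declared in modules/default.nix on this page, so it presumably comes from the nixos-flake module rather than this repository; a one-line comment above the import such as `# provided by nixos-flake, not by ./modules` would spare a reader the search. The import list also mixes the baseline (`core`) with host-specific choices (`docker`, `unlock-zfs-on-boot`), which is fine for one host but worth a comment once a second host appears.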
@ -1,4 +1,4 @@
|
||||||
{ config, pkgs, ... }:
|
{ config, pkgs, flake, ... }:
|
||||||
{
|
{
|
||||||
# Use GRUB2 as the boot loader.
|
# Use GRUB2 as the boot loader.
|
||||||
# We don't use systemd-boot because Hetzner uses BIOS legacy boot.
|
# We don't use systemd-boot because Hetzner uses BIOS legacy boot.
|
||||||
|
@ -39,32 +39,9 @@
|
||||||
systemPackages = with pkgs; [ vim ];
|
systemPackages = with pkgs; [ vim ];
|
||||||
};
|
};
|
||||||
|
|
||||||
users.users.hakkonaut = {
|
|
||||||
description = "CI and automation user";
|
|
||||||
home = "/home/hakkonaut";
|
|
||||||
createHome = true;
|
|
||||||
useDefaultShell = true;
|
|
||||||
uid = 998;
|
|
||||||
group = "hakkonaut";
|
|
||||||
isSystemUser = true;
|
|
||||||
openssh.authorizedKeys.keys = [
|
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5MvCwNRtCcP1pSDrn0XZTNlpOqYnjHDm9/OI4hECW hakkonaut@flora-6"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
# https://nixos.wiki/wiki/ZFS#declarative_mounting_of_ZFS_datasets
|
# https://nixos.wiki/wiki/ZFS#declarative_mounting_of_ZFS_datasets
|
||||||
systemd.services.zfs-mount.enable = false;
|
systemd.services.zfs-mount.enable = false;
|
||||||
|
|
||||||
users.groups.hakkonaut = {};
|
|
||||||
|
|
||||||
users.users.root.initialHashedPassword = "$y$j9T$bIN6GjQkmPMllOcQsq52K0$q0Z5B5.KW/uxXK9fItB8H6HO79RYAcI/ZZdB0Djke32";
|
|
||||||
age.secrets."nachtigall-root-ssh-key" = {
|
|
||||||
file = "${flake.self}/secrets/nachtigall-root-ssh-key.age";
|
|
||||||
path = "/root/.ssh/id_ed25519";
|
|
||||||
mode = "400";
|
|
||||||
owner = root;
|
|
||||||
};
|
|
||||||
|
|
||||||
# This value determines the NixOS release with which your system is to be
|
# This value determines the NixOS release with which your system is to be
|
||||||
# compatible, in order to avoid breaking some software such as database
|
# compatible, in order to avoid breaking some software such as database
|
||||||
# servers. You should change this only after NixOS release notes say you
|
# servers. You should change this only after NixOS release notes say you
|
||||||
|
|
|
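Review bot: `flake` is added to the argument set `{ config, pkgs, flake, ... }:` in the first hunk, while the only use visible on this page, `file = "${flake.self}/secrets/nachtigall-root-ssh-key.age";`, is removed in the second hunk; if nothing else in the file references it, the new parameter is dead and can be dropped again. The file's body between and after the two hunks is outside this view, so it may be used there.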
@ -7,7 +7,6 @@
|
||||||
./configuration.nix
|
./configuration.nix
|
||||||
|
|
||||||
./networking.nix
|
./networking.nix
|
||||||
./nix.nix
|
|
||||||
./apps/nginx.nix
|
./apps/nginx.nix
|
||||||
|
|
||||||
./apps/collabora.nix
|
./apps/collabora.nix
|
||||||
|
|
|
@ -21,14 +21,4 @@
|
||||||
];
|
];
|
||||||
networking.defaultGateway = "138.201.80.65";
|
networking.defaultGateway = "138.201.80.65";
|
||||||
networking.defaultGateway6 = { address = "fe80::1"; interface = "enp35s0"; };
|
networking.defaultGateway6 = { address = "fe80::1"; interface = "enp35s0"; };
|
||||||
|
|
||||||
services.resolved = {
|
|
||||||
enable = true;
|
|
||||||
extraConfig = ''
|
|
||||||
DNS=193.110.81.0#dns0.eu 185.253.5.0#dns0.eu 2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
|
|
||||||
FallbackDNS=5.1.66.255#dot.ffmuc.net 185.150.99.255#dot.ffmuc.net 2001:678:e68:f000::#dot.ffmuc.net 2001:678:ed0:f000::#dot.ffmuc.net
|
|
||||||
Domains=~.
|
|
||||||
DNSOverTLS=yes
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -11,10 +11,6 @@
|
||||||
## In configs, they can be used under "lib.our"
|
## In configs, they can be used under "lib.our"
|
||||||
|
|
||||||
deploy = import ./deploy.nix { inherit inputs lib; };
|
deploy = import ./deploy.nix { inherit inputs lib; };
|
||||||
|
|
||||||
linux = {
|
|
||||||
unlockZFSOnBoot = import ./unlock-zfs-on-boot.nix {publicKeys = self.publicKeys.allAdmins;};
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
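--- /dev/null
+++ b/modules/default.nix
@@ -0,0 +1,26 @@
+{ self, ... }:
+{
+  flake = {
+    nixosModules = rec {
+      nix = import ./nix.nix;
+      networking = import ./networking.nix;
+      unlock-zfs-on-boot = import ./unlock-zfs-on-boot.nix;
+      docker = import ./docker.nix;
+      terminal-tooling = import ./terminal-tooling.nix;
+      users = import ./users.nix;
+
+      core = {
+        imports = [
+          nix
+          networking
+          terminal-tooling
+          users
+        ];
+
+        home-manager.users.${self.username} = {
+          home.stateVersion = "23.05";
+        };
+      };
+    };
+  };
+}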
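Review bot: `core` imports `users`, and modules/users.nix on this page carries host-specific material — the hakkonaut CI account and the `nachtigall-root-ssh-key` secret deployed to `/root/.ssh/id_ed25519` — so any second host that imports `core` would receive nachtigall's root SSH private key and CI user. Keeping `users` to the admin account and moving the hakkonaut user and the root-key secret back under hosts/nachtigall (or into a module imported only there) would keep `core` genuinely reusable. `core` also sets `home-manager.users.${self.username}` without importing `self.nixosModules.home-manager`, which hosts/default.nix imports separately; a comment such as `# requires nixosModules.home-manager to be imported by the host` would record that dependency.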
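--- /dev/null
+++ b/modules/docker.nix
@@ -0,0 +1,9 @@
+{ pkgs, ... }: {
+  virtualisation.docker = {
+    enable = true;
+    extraOptions = ''
+      --data-root /var/lib/docker
+    '';
+    storageDriver = "zfs";
+  };
+}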
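--- /dev/null
+++ b/modules/networking.nix
@@ -0,0 +1,15 @@
+{ pkgs, ... }: {
+  services.openssh.enable = true;
+  services.openssh.settings.PermitRootLogin = "prohibit-password";
+  services.openssh.settings.PasswordAuthentication = false;
+
+  services.resolved = {
+    enable = true;
+    extraConfig = ''
+      DNS=193.110.81.0#dns0.eu 185.253.5.0#dns0.eu 2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
+      FallbackDNS=5.1.66.255#dot.ffmuc.net 185.150.99.255#dot.ffmuc.net 2001:678:e68:f000::#dot.ffmuc.net 2001:678:ed0:f000::#dot.ffmuc.net
+      Domains=~.
+      DNSOverTLS=yes
+    '';
+  };
+}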
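Review bot: The sshd policy (`services.openssh.settings.PermitRootLogin = "prohibit-password";`, `services.openssh.settings.PasswordAuthentication = false;`) lives in a module named networking next to the resolved DNS-over-TLS configuration, so a reader auditing who may log in as root has to guess where that policy sits; a header comment such as `# Host-wide network policy: key-only sshd (root via key only) and DNS-over-TLS via systemd-resolved` or a dedicated `openssh.nix` would make it discoverable. `pkgs` in `{ pkgs, ... }: {` is unused in this module.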
@ -36,7 +36,7 @@
|
||||||
|
|
||||||
nixPath = [
|
nixPath = [
|
||||||
"nixpkgs=${flake.inputs.nixpkgs}"
|
"nixpkgs=${flake.inputs.nixpkgs}"
|
||||||
"nixos-config=${../../lib/compat/nixos}"
|
"nixos-config=${../lib/compat/nixos}"
|
||||||
"home-manager=${flake.inputs.home-manager}"
|
"home-manager=${flake.inputs.home-manager}"
|
||||||
];
|
];
|
||||||
};
|
};
|
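--- /dev/null
+++ b/modules/terminal-tooling.nix
@@ -0,0 +1,18 @@
+{ flake, ... }: {
+  home-manager.users.${flake.self.username} = {
+    programs.git.enable = true;
+    programs.starship.enable = true;
+    programs.bash.enable = true;
+    programs.neovim = {
+      enable = true;
+      vimAlias = true;
+      viAlias = true;
+      defaultEditor = true;
+      # configure = {
+      #   packages.myVimPackages = with pkgs.vimPlugins; {
+      #     start = [vim-nix vim-surrund rainbow];
+      #   };
+      # };
+    };
+  };
+}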
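Review bot: The commented-out `configure` block (`# packages.myVimPackages = with pkgs.vimPlugins; {`) references `pkgs`, which the new module header `{ flake, ... }: {` no longer receives, so re-enabling it as written would fail with an undefined variable. Either drop the dead block or, if it is meant to be revived, change the header to `{ flake, pkgs, ... }: {` so the comment stays honest about what it needs.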
@ -1,4 +1,4 @@
|
||||||
{publicKeys}: {
|
{ flake, ... }: {
|
||||||
# From https://nixos.wiki/wiki/ZFS#Unlock_encrypted_zfs_via_ssh_on_boot
|
# From https://nixos.wiki/wiki/ZFS#Unlock_encrypted_zfs_via_ssh_on_boot
|
||||||
boot.initrd.network = {
|
boot.initrd.network = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -10,7 +10,7 @@
|
||||||
|
|
||||||
# Please create this manually the first time.
|
# Please create this manually the first time.
|
||||||
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
|
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
|
||||||
authorizedKeys = publicKeys;
|
authorizedKeys = flake.self.publicKeys.admins;
|
||||||
};
|
};
|
||||||
# this will automatically load the zfs password prompt on login
|
# this will automatically load the zfs password prompt on login
|
||||||
# and kill the other prompt so boot can continue
|
# and kill the other prompt so boot can continue
|
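--- /dev/null
+++ b/modules/users.nix
@@ -0,0 +1,36 @@
+{ flake, pkgs, ... }: {
+  users.users.${flake.self.username} = {
+    name = flake.self.username;
+    group = flake.self.username;
+    extraGroups = ["wheel"];
+    isNormalUser = true;
+    openssh.authorizedKeys.keys = flake.self.publicKeys.admins;
+  };
+  users.groups.${flake.self.username} = {};
+
+  # TODO: Remove when we stop locking ourselves out.
+  users.users.root.openssh.authorizedKeys.keys = flake.self.publicKeys.admins;
+
+  users.users.hakkonaut = {
+    description = "CI and automation user";
+    home = "/home/hakkonaut";
+    createHome = true;
+    useDefaultShell = true;
+    uid = 998;
+    group = "hakkonaut";
+    isSystemUser = true;
+    openssh.authorizedKeys.keys = flake.self.publicKeys.robots;
+  };
+
+  users.groups.hakkonaut = {};
+
+  users.users.root.initialHashedPassword = "$y$j9T$bIN6GjQkmPMllOcQsq52K0$q0Z5B5.KW/uxXK9fItB8H6HO79RYAcI/ZZdB0Djke32";
+  age.secrets."nachtigall-root-ssh-key" = {
+    file = "${flake.self}/secrets/nachtigall-root-ssh-key.age";
+    path = "/root/.ssh/id_ed25519";
+    mode = "400";
+    owner = root;
+  };
+
+  security.sudo.wheelNeedsPassword = false;
+}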
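Review bot: `openssh.authorizedKeys.keys = flake.self.publicKeys.robots;` for hakkonaut widens that account from the single hakkonaut@flora-6 key it had in hosts/nachtigall/configuration.nix to every key in public-keys/robots.nix, which on this page also includes the `root@droppie` backup key; if only the flora-6 robot should log in as hakkonaut, select that key, e.g. `openssh.authorizedKeys.keys = [ (import ../public-keys/robots.nix)."hakkonaut@flora-6" ];`. `owner = root;` in the age secret is an unbound identifier rather than the string agenix expects; unless a `with` not visible here brings `root` into scope, it should read `owner = "root";`. `users.users.root.initialHashedPassword` keeps the root password hash in the repository, where it is available for offline guessing; it could be stored as an age secret and referenced via `users.users.root.hashedPasswordFile = config.age.secrets."<secret-name>".path;` (placeholder name; `passwordFile` on older nixpkgs), which would also need `config` in the argument set.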
@ -2,7 +2,8 @@
|
||||||
{
|
{
|
||||||
flake = {
|
flake = {
|
||||||
publicKeys = {
|
publicKeys = {
|
||||||
allAdmins = lib.attrsets.attrValues (import ./admins.nix);
|
admins = lib.attrsets.attrValues (import ./admins.nix);
|
||||||
|
robots = lib.attrsets.attrValues (import ./robots.nix);
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
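Review bot: `robots = lib.attrsets.attrValues (import ./robots.nix);` flattens the named robot keys into one list, so a consumer can only grant all robots or none, and the one consumer on this page (modules/users.nix) assigns the whole list to the hakkonaut account. Exposing the attribute set as well, e.g. `robotsByName = import ./robots.nix;` (name constructed), would let a module grant a single robot key by name. The file's argument header that binds `lib` is outside the hunk.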
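--- /dev/null
+++ b/public-keys/robots.nix
@@ -0,0 +1,7 @@
+{
+  # Used for restic backups to droppie, a server run by @b12f
+  "root@droppie" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQSephFJU0NMbVbhwvVJ2/m6jcPYo1IsWCsoarqKin root@droppie";
+
+  # robot user on flora-6
+  "hakkonaut@flora-6" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5MvCwNRtCcP1pSDrn0XZTNlpOqYnjHDm9/OI4hECW hakkonaut@flora-6";
+}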
29
secrets/restic-password-droppie.age
Normal file
29
secrets/restic-password-droppie.age
Normal file
|
@ -0,0 +1,29 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 iDKjwg tSrbeVPpTxjeuCg6JiOdeIcaGWq/PUOyXrt+ZNIWmzI
|
||||||
|
fz4B2nMu36G1DYPyNiu30Txx4cOLGyUreuBLqktORhY
|
||||||
|
-> ssh-ed25519 uYcDNw zySKp8qUnCKOCbIP17bWYvJ/TsKxLl/v/AEsfVQpHTc
|
||||||
|
SYqaUEXJ7mSA2wY6I3i/hirEiqvXVnWH1NYtXbaMzbw
|
||||||
|
-> ssh-rsa kFDS0A
|
||||||
|
MiyJjq7nn9B+PF9Lf6vD496FZUnUy5zI9H2kunJLhmYnr+7ZJaPGI+MW0cuPjsmM
|
||||||
|
1XhmUC72zA9WTiuReGijl9GhIyU0D6vPx+ezQrx18dUGRJEqnvk5C75SCUuPGtUi
|
||||||
|
DamPxJc781mnDSyW91MgRrqlBVwhfJ9Zmws3+/j8LODWb0T9Jvy0ywmFX4ilapr9
|
||||||
|
6dqbNmwBZkfh2CKB9LtMG/DuSNicgHscpt4Mt7EogJRdgBrGIcA1u8BXUOwf+R8G
|
||||||
|
Ya8VzoQV0iVhGtbff3g/6/0+UX9KEZBQc/aiT2ItrgUmgMyjAZo13Dj3pD2wPdfa
|
||||||
|
t346symp7bcYxRea/U0hfmPdnixIKgBLTUZkzrMFza26QOvnSwiMxWY+//Vmbp3z
|
||||||
|
0YCsyOQTQJVB+Q0pYE0+9EVI9bInP0LxHhM7mIdJroscRtY1YphjZUlFmcUXk0iC
|
||||||
|
5g3/wdLr8KdT4aZ93m4WVgkBUzg8chhfMHb9uFvpHT9xeZHrV3u30TuJpmmuqMXK
|
||||||
|
JD3+9xRzNVHwvfZuhD8B3vkK2tYO7pTxJytkJtdolx/uSju8SCm9F4lwt5y8rQd4
|
||||||
|
7676QS0IWS1WItcpLrsgk9nWZUNzy78gBc39jtJUOsFDqJSdAWACq/jgYpnx6Bja
|
||||||
|
5aZonRAp3fyCEavUpS4AQUJZGVx9EFp9LqXeUiIkCJU
|
||||||
|
-> ssh-ed25519 YFSOsg vJ7xw4zDSKBFuv8FT6ZnB83uGwHDnDsEwsvQ6urZkEk
|
||||||
|
gOkuwjOX8U/qmPuGrPPb+FYy6PuJjrgCNFYrukkaIPA
|
||||||
|
-> ssh-ed25519 iHV63A FzZRHQB39iDTLm4y1QLWtfDi3jZn6i59nuSlf0d5mww
|
||||||
|
5kiyKN7KFTv8pJgRAZTUMgR2+TInByFotDhAw307P6g
|
||||||
|
-> ssh-ed25519 BVsyTA rTjBaEI6AwwmpK9Q8elVJaSN60deXOMEmZPrsH9O1nY
|
||||||
|
HikNbHzx3BEJ3hn4YPFr2p/cnSu3qr9cvgdKCxN6xY8
|
||||||
|
-> h|2u%UF\-grease Gcp2NG
|
||||||
|
y6OjgzrOYEVgrY2+fv8a1xrVuoHQIPncGuGeLI0zHh4xf1qbzD2vKYp+W1fRBE8d
|
||||||
|
/yPEGUe/T/ZjO+F4oF266HUR23wancFeFoGpfJgWQVS2oc0Z4aMuNebf/+Kw087W
|
||||||
|
|
||||||
|
--- GJBLNxBoH7vI1mkcCmfbm9UiG4xuwIOWS7IaJKuO6cc
|
||||||
|
C<EFBFBD>3=¼,¦{-TçÄéȵ ™-ˆ]äÌ·»æq=‡“û
Òú–=~}Î1®˜ lß„¿fúì_[žU_å›A€G.ÒdŽêÖrëa`×åUyÉPt+̽òö‡¯!<
|