swarsel/.dotfiles
1
0
Fork 0
mirror of https://github.com/Swarsel/.dotfiles.git synced 2026-04-14 21:29:12 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

chore: backup work done so far

Browse source
This commit is contained in:
Leon Schwarzäugl 2025-12-02 17:36:59 +01:00
parent 9acfc5f934
commit 5d27d18f85
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
77 changed files with 4005 additions and 2937 deletions
Download patch file Download diff file Expand all files Collapse all files

405
SwarselSystems.org
View file

@ -407,7 +407,7 @@ Nowadays, I use flake-parts to manage my flake. It allows me to conveniently spl
- =imports= are files pulled in to build the flake configuration (similar to the imports in the module system)
- =systems= defines the architectures that the flake should be provided for - I go here for the four "main" architectures, although true support is only provided for linux systems (see [[#h:6ed1a641-dba8-4e85-a62e-be93264df57a][Packages (pkgs)]] for the main reason)
** flake.nix skeleton
** flake.nix skeleton (inputs)
:PROPERTIES:
:CUSTOM_ID: h:aee5ec75-7ca6-40d8-b6ac-a3e7e33a474b
:END:
@ -526,7 +526,7 @@ A short overview over each input and what it does:
nur.url = "github:nix-community/NUR";
nixgl.url = "github:guibou/nixGL";
stylix.url = "github:danth/stylix";
sops-nix.url = "github:Mic92/sops-nix";
sops.url = "github:Mic92/sops-nix";
lanzaboote.url = "github:nix-community/lanzaboote";
nix-on-droid.url = "github:nix-community/nix-on-droid/release-24.05";
nixos-generators.url = "github:nix-community/nixos-generators";
@ -666,7 +666,7 @@ This is the file that manages the actual decryption of the files mentioned in [[
# Decrypt only if necessary
if [[ ! -e $out ]]; then
agekey=$(sudo ssh-to-age -private-key -i /etc/ssh/sops || sudo ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key)
agekey=$(sudo ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key || sudo ssh-to-age -private-key -i ~/.ssh/sops)
SOPS_AGE_KEY="$agekey" sops decrypt --output "$out" "$file"
fi
@ -971,9 +971,10 @@ The rest of the outputs either define or help define the actual configurations:
mkNixosHost = { minimal }: configName: arch:
inputs.nixpkgs.lib.nixosSystem {
specialArgs = {
inherit inputs outputs self minimal configName homeLib;
inherit inputs outputs self minimal homeLib configName arch;
inherit (config.pkgs.${arch}) lib;
inherit (config) globals nodes;
type = "nixos";
};
modules = [
inputs.disko.nixosModules.disko
@ -987,7 +988,7 @@ The rest of the outputs either define or help define the actual configurations:
inputs.nix-topology.nixosModules.default
inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm
inputs.simple-nixos-mailserver.nixosModules.default
inputs.sops-nix.nixosModules.sops
inputs.sops.nixosModules.sops
inputs.stylix.nixosModules.stylix
inputs.swarsel-nix.nixosModules.default
(inputs.nixos-extra-modules + "/modules/guests")
@ -1004,6 +1005,8 @@ The rest of the outputs either define or help define the actual configurations:
node = {
name = lib.mkForce configName;
arch = lib.mkForce arch;
type = lib.mkForce "nixos";
secretsDir = ../hosts/nixos/${arch}/${configName}/secrets;
lockFromBootstrapping = lib.mkIf (!minimal) (lib.swarselsystems.mkStrong true);
};
@ -1031,7 +1034,7 @@ The rest of the outputs either define or help define the actual configurations:
};
modules = [
# inputs.disko.nixosModules.disko
# inputs.sops-nix.nixosModules.sops
# inputs.sops.nixosModules.sops
# inputs.impermanence.nixosModules.impermanence
# inputs.lanzaboote.nixosModules.lanzaboote
# inputs.fw-fanctrl.nixosModules.default
@ -1040,12 +1043,15 @@ The rest of the outputs either define or help define the actual configurations:
"${self}/hosts/darwin/${arch}/${configName}"
"${self}/modules/nixos/darwin"
# needed for infrastructure
"${self}/modules/nixos/common/meta.nix"
"${self}/modules/shared/meta.nix"
"${self}/modules/nixos/common/globals.nix"
{
node.name = lib.mkForce configName;
node.secretsDir = ../hosts/darwin/${arch}/${configName}/secrets;
node = {
name = lib.mkForce configName;
arch = lib.mkForce arch;
type = lib.mkForce "darwin";
secretsDir = ../hosts/darwin/${arch}/${configName}/secrets;
};
}
];
};
@ -1058,18 +1064,27 @@ The rest of the outputs either define or help define the actual configurations:
systemFunc {
inherit pkgs;
extraSpecialArgs = {
inherit inputs lib outputs self configName;
inherit inputs lib outputs self configName arch type;
inherit (config) globals nodes;
minimal = false;
};
modules = [
inputs.stylix.homeModules.stylix
inputs.nix-index-database.homeModules.nix-index
# inputs.sops-nix.homeManagerModules.sops
inputs.sops.homeManagerModules.sops
inputs.spicetify-nix.homeManagerModules.default
inputs.swarsel-nix.homeModules.default
"${self}/hosts/${type}/${arch}/${configName}"
"${self}/profiles/home"
"${self}/modules/nixos/common/pii.nix"
{
node = {
name = lib.mkForce configName;
arch = lib.mkForce arch;
type = lib.mkForce type;
secretsDir = ../hosts/${type}/${arch}/${configName}/secrets;
};
}
];
};
@ -2391,6 +2406,7 @@ My work machine. Built for more security, this is the gold standard of my config
fileSystems = {
"/persist".neededForBoot = true;
"/home".neededForBoot = true;
"/".neededForBoot = true;
"/var/log".neededForBoot = true;
};
}
@ -3399,13 +3415,9 @@ My phone. I use only a minimal config for remote debugging here.
{
imports = [
# inputs.sops-nix.homeManagerModules.sops
"${self}/modules/home"
"${self}/modules/nixos/common/pii.nix"
"${self}/modules/nixos/common/meta.nix"
];
services.xcape = {
enable = true;
mapExpression = {
@ -3628,6 +3640,7 @@ This machine mainly acts as my proxy server to stand before my local machines.
minecraft = true;
restic = true;
diskEncryption = lib.mkForce false;
dns-hostrecord = true;
};
}
@ -3852,6 +3865,7 @@ This machine mainly acts as my proxy server to stand before my local machines.
postgresql = lib.mkDefault true;
attic = lib.mkDefault true;
garage = lib.mkDefault true;
dns-hostrecord = true;
};
}
@ -4050,6 +4064,7 @@ This machine mainly acts as my proxy server to stand before my local machines.
swarselmodules.server = {
nsd = true;
nginx = false;
dns-hostrecord = true;
};
}
@ -4239,6 +4254,7 @@ This machine mainly acts as my proxy server to stand before my local machines.
swarselmodules.server = {
nginx = false;
bastion = true;
dns-hostrecord = true;
# ssh = false;
};
@ -4430,6 +4446,7 @@ This machine mainly acts as my proxy server to stand before my local machines.
swarselmodules.server = {
nginx = false;
dns-hostrecord = true;
};
}
@ -4622,7 +4639,10 @@ This machine mainly acts as my proxy server to stand before my local machines.
};
} // lib.optionalAttrs (!minimal) {
swarselmodules.server.mailserver = true;
swarselmodules.server = {
mailserver = true;
dns-hostrecord = true;
};
swarselprofiles = {
server = true;
@ -4998,7 +5018,7 @@ TODO: cleanup this mess
#+begin_src nix-ts :tangle install/installer-config.nix
{ self, config, pkgs, lib, ... }:
let
pubKeys = lib.filesystem.listFilesRecursive "${self}/secrets/keys/ssh";
pubKeys = lib.filesystem.listFilesRecursive "${self}/secrets/public/ssh";
stateVersion = lib.mkDefault "23.05";
homeFiles = {
".bash_history" = {
@ -5850,35 +5870,6 @@ in
}
#+end_src
**** Meta options (options only)
:PROPERTIES:
:CUSTOM_ID: h:30b81bf9-1e69-4ce8-88af-5592896bcee4
:END:
#+begin_src nix-ts :tangle modules/nixos/common/meta.nix
{ lib, ... }:
{
options = {
node = {
secretsDir = lib.mkOption {
description = "Path to the secrets directory for this node.";
type = lib.types.path;
default = ./.;
};
name = lib.mkOption {
description = "Node Name.";
type = lib.types.str;
};
lockFromBootstrapping = lib.mkOption {
description = "Whether this host should be marked to not be bootstrapped again using swarsel-bootstrap.";
type = lib.types.bool;
};
};
};
}
#+end_src
**** Expose home-manager sops secrets in NixOS (automatically active)
:PROPERTIES:
:CUSTOM_ID: h:a8bbe15f-a7dd-4e6d-ba49-26206c38e9c8
@ -5891,7 +5882,7 @@ in
inherit (config.repo.secrets.common.emacs) radicaleUser;
modules = config.home-manager.users.${mainUser}.swarselmodules;
certsSopsFile = self + /secrets/certs/secrets.yaml;
certsSopsFile = self + /secrets/repo/certs.yaml;
in
{
config = lib.mkIf config.swarselsystems.withHomeManager {
@ -6139,7 +6130,7 @@ A breakdown of the flags being set:
We enable the use of =home-manager= as a NixoS module. A nice trick here is the =extraSpecialArgs = inputs= line, which enables the use of =seflf= in most parts of the configuration. This is useful to refer to the root of the flake (which is otherwise quite hard while maintaining flake purity).
#+begin_src nix-ts :tangle modules/nixos/common/home-manager.nix
{ self, inputs, config, lib, homeLib, outputs, globals, nodes, minimal, configName, ... }:
{ self, inputs, config, lib, homeLib, outputs, globals, nodes, minimal, configName, arch, type, ... }:
{
options.swarselmodules.home-manager = lib.mkEnableOption "home-manager";
config = lib.mkIf config.swarselmodules.home-manager {
@ -6151,7 +6142,7 @@ We enable the use of =home-manager= as a NixoS module. A nice trick here is the
overwriteBackup = true;
users.${config.swarselsystems.mainUser}.imports = [
inputs.nix-index-database.homeModules.nix-index
inputs.sops-nix.homeManagerModules.sops
# inputs.sops.homeManagerModules.sops # this is not needed!! we add these secrets in nixos scope
inputs.spicetify-nix.homeManagerModules.default
inputs.swarsel-nix.homeModules.default
{
@ -6172,7 +6163,7 @@ We enable the use of =home-manager= as a NixoS module. A nice trick here is the
];
extraSpecialArgs = {
inherit (inputs) self nixgl;
inherit inputs outputs globals nodes minimal configName;
inherit inputs outputs globals nodes minimal configName arch type;
lib = homeLib;
};
};
@ -6871,8 +6862,8 @@ Here I only enable =networkmanager= and a few default networks. The rest of the
#+begin_src nix-ts :tangle modules/nixos/client/network.nix
{ self, lib, pkgs, config, globals, ... }:
let
certsSopsFile = self + /secrets/certs/secrets.yaml;
clientSopsFile = self + /secrets/${config.node.name}/secrets.yaml;
certsSopsFile = self + /secrets/repo/certs.yaml;
clientSopsFile = "${config.node.secretsDir}/secrets.yaml";
inherit (config.repo.secrets.common.network) wlan1 mobile1 vpn1-location vpn1-cipher vpn1-address eduroam-anon;
@ -7183,7 +7174,7 @@ I use sops-nix to handle secrets that I want to have available on my machines at
- `ssh-keygen -t ed25519 -C "NAME sops"` in .ssh directory (or wherever) - name e.g. "sops"
- cat ~/.ssh/sops.pub | ssh-to-age | wl-copy
- add the output to .sops.yaml
- cp ~/.ssh/sops.pub ~/.dotfiles/secrets/keys/NAME.pub
- cp ~/.ssh/sops.pub ~/.dotfiles/secrets/public/NAME.pub
- update entry for sops.age.sshKeyPaths
#+begin_src nix-ts :tangle modules/nixos/client/sops.nix
@ -7194,8 +7185,8 @@ I use sops-nix to handle secrets that I want to have available on my machines at
sops = {
# age.sshKeyPaths = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs [ "/persist/.ssh/sops" "/persist/.ssh/ssh_host_ed25519_key" ] [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ];
age.sshKeyPaths = [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "${if config.swarselsystems.isImpermanence then "/persist" else ""}/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.swarselsystems.flakePath}/secrets/general/secrets.yaml";
age.sshKeyPaths = [ "${if config.swarselsystems.isImpermanence then "/persist" else ""}/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.swarselsystems.flakePath}/secrets/repo/common.yaml";
validateSopsFiles = false;
@ -8568,14 +8559,14 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t
];
};
users.users."${config.swarselsystems.mainUser}".openssh.authorizedKeys.keyFiles = [
(self + /secrets/keys/ssh/yubikey.pub)
(self + /secrets/keys/ssh/magicant.pub)
# (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/keys/ssh/jump.pub))
(self + /secrets/public/ssh/yubikey.pub)
(self + /secrets/public/ssh/magicant.pub)
# (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/public/ssh/jump.pub))
];
users.users.root.openssh.authorizedKeys.keyFiles = [
(self + /secrets/keys/ssh/yubikey.pub)
(self + /secrets/keys/ssh/magicant.pub)
# (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/keys/ssh/jump.pub))
(self + /secrets/public/ssh/yubikey.pub)
(self + /secrets/public/ssh/magicant.pub)
# (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/public/ssh/jump.pub))
];
security.sudo.extraConfig = ''
Defaults env_keep+=SSH_AUTH_SOCK
@ -8603,9 +8594,9 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t
group = lib.mkForce "jump";
createHome = lib.mkForce true;
openssh.authorizedKeys.keyFiles = [
(self + /secrets/keys/ssh/yubikey.pub)
(self + /secrets/keys/ssh/magicant.pub)
(self + /secrets/keys/ssh/builder.pub)
(self + /secrets/public/ssh/yubikey.pub)
(self + /secrets/public/ssh/magicant.pub)
(self + /secrets/public/ssh/builder.pub)
];
};
};
@ -8689,7 +8680,7 @@ Restricts access to the system by the nix build user as per https://discourse.ni
isSystemUser = true;
group = "builder";
openssh.authorizedKeys.keys = [
''${ssh-restrict} ${builtins.readFile "${self}/secrets/keys/ssh/builder.pub"}''
''${ssh-restrict} ${builtins.readFile "${self}/secrets/public/ssh/builder.pub"}''
];
};
};
@ -8709,7 +8700,8 @@ Generate hostId using =head -c4 /dev/urandom | od -A none -t x4=
{ lib, config, ... }:
let
netConfig = config.repo.secrets.local.networking;
netName = "${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}";
netPrefix = "${if config.swarselsystems.isCloud then config.node.name else "home"}";
netName = "${netPrefix}-${config.swarselsystems.server.localNetwork}";
in
{
options = {
@ -8724,6 +8716,11 @@ Generate hostId using =head -c4 /dev/urandom | od -A none -t x4=
default = netName;
readOnly = true;
};
netConfigPrefix = lib.mkOption {
type = lib.types.str;
default = netPrefix;
readOnly = true;
};
};
};
config = lib.mkIf config.swarselmodules.server.network {
@ -8836,8 +8833,8 @@ lspci -k -d 14c3:0616
enable = true;
port = 2222; # avoid hostkey changed nag
authorizedKeys = [
''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/keys/ssh/yubikey.pub"}''
''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/keys/ssh/magicant.pub"}''
''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/public/ssh/yubikey.pub"}''
''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/public/ssh/magicant.pub"}''
];
hostKeys = [ hostKeyPathBase ];
};
@ -8875,6 +8872,137 @@ lspci -k -d 14c3:0616
}
#+end_src
**** Wireguard
#+begin_src nix-ts :tangle modules/nixos/server/wireguard.nix
{ self, lib, config, confLib, globals, ... }:
let
wgInterface = "wg0";
inherit (confLib.gen { name = "wireguard"; port = 52829; user = "systemd-network"; group = "systemd-network"; }) servicePort serviceName serviceUser serviceGroup;
inherit (config.swarselsystems) sopsFile;
inherit (config.swarselsystems.server.wireguard) peers isClient isServer;
in
{
options = {
swarselmodules.${serviceName} = lib.mkEnableOption "enable ${serviceName} settings";
swarselsystems.server.wireguard = {
isServer = lib.mkEnableOption "set this as a wireguard server";
peers = lib.mkOption {
type = lib.types.listOf (lib.types.submodule {
freeformType = lib.types.attrs;
options = { };
});
default = [ ];
description = "Wireguard peer submodules as expected by systemd.network.netdevs.<name>.wireguardPeers";
};
};
};
config = lib.mkIf config.swarselmodules.${serviceName} {
sops = {
secrets = {
wireguard-private-key = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0600"; };
wireguard-home-preshared-key = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0600"; };
};
};
networking = {
firewall.allowedUDPPorts = [ servicePort ];
nat = {
enable = true;
enableIPv6 = true;
externalInterface = "ens6";
internalInterfaces = [ wgInterface ];
};
};
systemd.network = {
enable = true;
networks."50-${wgInterface}" = {
matchConfig.Name = wgInterface;
networkConfig = {
IPv4Forwarding = true;
IPv6Forwarding = true;
};
address = [
"${globals.networks."${config.swarselsystems.server.netConfigPrefix}-wg".hosts.${config.node.name}.cidrv4}"
"${globals.networks."${config.swarselsystems.server.netConfigPrefix}-wg".hosts.${config.node.name}.cidrv6}"
];
};
netdevs."50-wg0" = {
netdevConfig = {
Kind = "wireguard";
Name = wgInterface;
};
wireguardConfig = {
ListenPort = lib.mkIf isServer servicePort;
# ensure file is readable by `systemd-network` user
PrivateKeyFile = config.age.secrets.wg-key-vps.path;
# To automatically create routes for everything in AllowedIPs,
# add RouteTable=main
# RouteTable = "main";
# FirewallMark marks all packets send and received by wg0
# with the number 42, which can be used to define policy rules on these packets.
# FirewallMark = 42;
};
wireguardPeers = peers ++ lib.optionals isClient [
{
PublicKey = builtins.readFile "${self}/secrets/public/wg/${config.node.name}.pub";
PresharedKeyFile = config.sops.secrets."${config.node.name}-presharedKey".path;
Endpoint = "${globals.hosts.${config.node.name}.wanAddress4}:${toString servicePort}";
# Access to the whole network is routed through our entry node.
# AllowedIPs =
# (optional (networkCfg.cidrv4 != null) networkCfg.cidrv4)
# ++ (optional (networkCfg.cidrv6 != null) networkCfg.cidrv6);
}
];
};
};
# networking = {
# wireguard = {
# enable = true;
# interfaces = {
# wg1 = {
# privateKeyFile = config.sops.secrets.wireguard-private-key.path;
# ips = [ "192.168.178.201/24" ];
# peers = [
# {
# publicKey = "PmeFInoEJcKx+7Kva4dNnjOEnJ8lbudSf1cbdo/tzgw=";
# presharedKeyFile = config.sops.secrets.wireguard-home-preshared-key.path;
# name = "moonside";
# persistentKeepalive = 25;
# # endpoint = "${config.repo.secrets.common.ipv4}:51820";
# endpoint = "${config.repo.secrets.common.wireguardEndpoint}";
# # allowedIPs = [
# # "192.168.3.0/24"
# # "192.168.1.0/24"
# # ];
# allowedIPs = [
# "192.168.178.0/24"
# ];
# }
# ];
# };
# };
# };
# };
};
}
#+end_src
**** BTRFS
#+begin_src nix-ts :tangle modules/nixos/server/btrfs.nix
@ -10553,7 +10681,7 @@ Note: you still need to run =restic-<name> init= once on the host to get the buc
This section exposes several metrics that I use to check the health of my server. I need to expand on the exporters section at some point, but for now I have everything I need.
#+begin_src nix-ts :tangle modules/nixos/server/monitoring.nix
{ self, lib, config, globals, dns, confLib, ... }:
{ lib, config, globals, dns, confLib, ... }:
let
inherit (confLib.gen { name = "grafana"; port = 3000; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
@ -10566,6 +10694,8 @@ This section exposes several metrics that I use to check the health of my server
kanidmDomain = globals.services.kanidm.domain;
inherit (config.swarselsystems) sopsFile;
sopsFile2 = "${config.node.secretsDir}/secrets2.yaml";
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
@ -10580,7 +10710,7 @@ This section exposes several metrics that I use to check the health of my server
grafana-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
prometheus-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
kanidm-grafana-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
prometheus-admin-hash = { sopsFile = self + /secrets/winters/secrets2.yaml; owner = prometheusUser; group = prometheusGroup; mode = "0440"; };
prometheus-admin-hash = { sopsFile = sopsFile2; owner = prometheusUser; group = prometheusGroup; mode = "0440"; };
};
templates = {
@ -11280,7 +11410,7 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
#+begin_src nix-ts :tangle modules/nixos/server/kanidm.nix
{ self, lib, pkgs, config, globals, dns, confLib, ... }:
let
certsSopsFile = self + /secrets/certs/secrets.yaml;
certsSopsFile = self + /secrets/repo/certs.yaml;
inherit (config.swarselsystems) sopsFile;
inherit (confLib.gen { name = "kanidm"; port = 8300; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
@ -12261,10 +12391,10 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
:END:
#+begin_src nix-ts :tangle modules/nixos/server/radicale.nix
{ self, lib, config, globals, dns, confLib, ... }:
{ lib, config, globals, dns, confLib, ... }:
let
inherit (confLib.gen { name = "radicale"; port = 8000; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
sopsFile = self + /secrets/winters/secrets2.yaml;
sopsFile = "${config.node.secretsDir}/secrets2.yaml";
cfg = config.services.${serviceName};
in
@ -12846,10 +12976,10 @@ Deployment notes:
:END:
#+begin_src nix-ts :tangle modules/nixos/server/snipe-it.nix
{ self, lib, config, globals, dns, confLib, ... }:
{ lib, config, globals, dns, confLib, ... }:
let
inherit (confLib.gen { name = "snipeit"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
sopsFile = self + /secrets/winters/secrets2.yaml;
sopsFile = "${config.node.secretsDir}/secrets2.yaml";
serviceDB = "snipeit";
@ -13423,6 +13553,24 @@ or 2) use classic path addressing =aws s3 cp <local file> s3://<bucket>/<path to
};
}
#+end_src
**** Set host domain for dns
#+begin_src nix-ts :tangle modules/nixos/server/dns-hostrecord.nix
{ lib, config, globals, dns, confLib, ... }:
let
inherit (confLib.gen { name = "dns-hostrecord"; proxy = config.node.name; }) serviceName proxyAddress4 proxyAddress6;
in
{
options. swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
nodes.stoicclub.swarselsystems.server.dns.${globals.domains.main}.subdomainRecords = {
"server.${config.node.name}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
};
}
#+end_src
**** nsd (dns)
:PROPERTIES:
:CUSTOM_ID: h:ef5b7ace-4870-4dfa-9532-9a9d2722dc9a
@ -13531,7 +13679,7 @@ or 2) use classic path addressing =aws s3 cp <local file> s3://<bucket>/<path to
SOA = {
nameServer = "soa";
adminEmail = "admin@${globals.domains.main}"; # this option is not parsed as domain (we cannot just write "admin")
serial = 2025120201; # update this on changes for secondary dns
serial = 2025120203; # update this on changes for secondary dns
};
useOrigin = false;
@ -14842,11 +14990,11 @@ Again, we adapt =nix= to our needs, enable the home-manager command for non-NixO
trusted-users = [
"@wheel"
"${mainUser}"
(lib.mkIf config.swarselmodules.server.ssh-builder "builder")
(lib.mkIf ((config.swarselmodules ? server) ? ssh-builder) "builder")
];
connect-timeout = 5;
bash-prompt-prefix = "$SHLVL:\\w ";
bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ ";
bash-prompt-prefix = lib.mkIf config.swarselsystems.isClient "$SHLVL:\\w ";
bash-prompt = lib.mkIf config.swarselsystems.isClient "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ ";
fallback = true;
min-free = 128000000;
max-free = 1000000000;
@ -15227,22 +15375,24 @@ I use sops-nix to handle secrets that I want to have available on my machines at
- `ssh-keygen -t ed25519 -C "NAME sops"` in .ssh directory (or wherever) - name e.g. "sops"
- cat ~/.ssh/sops.pub | ssh-to-age | wl-copy
- add the output to .sops.yaml
- cp ~/.ssh/sops.pub ~/.dotfiles/secrets/keys/NAME.pub
- cp ~/.ssh/sops.pub ~/.dotfiles/secrets/public/NAME.pub
- update entry for sops.age.sshKeyPaths
Since we are using the home-manager implementation here, we need to specify the runtime path.
At the same time, I want to avoid running the homeManager module of sops on a NixOS machine. Note that we cannot use =lib.mkIf= in the line =config == ...= as this would evaluate the blocks that are within; however, on a NixOS machine, there will be no =sops= module in the homeManager scope. Hence we use =optionalAttrs=. Also, we cannot make use of =config.swarselsystems.isNixos= because that will lead to an infinite recursion. Hence, we take the =type= arg that we passed during host declaration to make sure sops stays disabled. This is used in all places in the home-manager config that make use of sops-secrets.
#+begin_src nix-ts :tangle modules/home/common/sops.nix
{ config, lib, inputs, ... }:
{ config, lib, type, ... }:
let
inherit (config.swarselsystems) homeDir;
in
{
options.swarselmodules.sops = lib.mkEnableOption "sops settings";
config = lib.optionalAttrs (inputs ? sops) {
sops = {
age.sshKeyPaths = [ "${homeDir}/.ssh/sops" "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.ssh/ssh_host_ed25519_key" ];
defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.dotfiles/secrets/general/secrets.yaml";
config = lib.optionalAttrs (type != "nixos") {
sops = lib.mkIf (!config.swarselsystems.isNixos) {
age.sshKeyPaths = [ "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.ssh/sops" ];
defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.dotfiles/secrets/repo/common.yaml";
validateSopsFiles = false;
};
@ -15256,7 +15406,7 @@ I use sops-nix to handle secrets that I want to have available on my machines at
:END:
#+begin_src nix-ts :tangle modules/home/common/yubikey.nix
{ lib, config, inputs, confLib, ... }:
{ lib, config, confLib, type, ... }:
let
inherit (config.swarselsystems) homeDir;
in
@ -15271,7 +15421,7 @@ I use sops-nix to handle secrets that I want to have available on my machines at
confLib.getConfig.secrets.common.yubikeys.dev2
];
};
} // lib.optionalAttrs (inputs ? sops) {
} // lib.optionalAttrs (type != "nixos") {
sops.secrets = lib.mkIf (!config.swarselsystems.isPublic) {
u2f-keys = { path = "${homeDir}/.config/Yubico/u2f_keys"; };
};
@ -15287,7 +15437,7 @@ I use sops-nix to handle secrets that I want to have available on my machines at
It is very convenient to have SSH aliases in place for machines that I use. This is mainly used for some server machines and some university clusters. We also enable agent forwarding to have our Yubikey SSH key accessible on the remote host.
#+begin_src nix-ts :tangle modules/home/common/ssh.nix
{ inputs, lib, config, confLib, ... }:
{ lib, config, confLib, type, ... }:
{
options.swarselmodules.ssh = lib.mkEnableOption "ssh settings";
config = lib.mkIf config.swarselmodules.ssh ({
@ -15313,7 +15463,7 @@ It is very convenient to have SSH aliases in place for machines that I use. This
};
} // confLib.getConfig.repo.secrets.common.ssh.hosts;
};
} // lib.optionalAttrs (inputs ? sops) {
} // lib.optionalAttrs (type != "nixos") {
sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) {
builder-key = { path = "${config.home.homeDirectory}/.ssh/builder"; mode = "0600"; };
};
@ -16117,7 +16267,7 @@ lib.mkMerge [ zshConfigEarlyInit zshConfig ];
Currently I only use it as before with =initExtra= though.
#+begin_src nix-ts :tangle modules/home/common/zsh.nix
{ config, pkgs, lib, minimal, inputs, globals, confLib, ... }:
{ config, pkgs, lib, minimal, globals, confLib, type, ... }:
let
inherit (config.swarselsystems) flakePath isNixos;
crocDomain = globals.services.croc.domain;
@ -16252,9 +16402,9 @@ Currently I only use it as before with =initExtra= though.
# QTWEBENGINE_CHROMIUM_FLAGS = "--no-sandbox";
};
};
} // lib.optionalAttrs (inputs ? sops) {
} // lib.optionalAttrs (type != "nixos") {
sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) {
sops.secrets = lib.mkIf (!config.swarselsystems.isPublic) {
croc-password = { };
github-nixpkgs-review-token = { };
};
@ -17624,7 +17774,7 @@ Currently I only use it as before with =initExtra= though.
Normally I use 4 mail accounts - here I set them all up. Three of them are Google accounts (sadly), which are a chore to setup. The last is just a sender account that I setup SMTP for here.
#+begin_src nix-ts :tangle modules/home/common/mail.nix
{ lib, config, inputs, globals, confLib, ... }:
{ lib, config, globals, confLib, type, ... }:
let
inherit (confLib.getConfig.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4;
inherit (confLib.getConfig.repo.secrets.common) fullName;
@ -17826,7 +17976,7 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl
};
};
};
} // lib.optionalAttrs (inputs ? sops) {
} // lib.optionalAttrs (type != "nixos") {
sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) {
address1-token = { path = "${xdgDir}/secrets/address1-token"; };
address2-token = { path = "${xdgDir}/secrets/address2-token"; };
@ -17847,7 +17997,7 @@ By using the emacs-overlay NixOS module, I can install all Emacs packages that I
Lastly, I am defining some more packages here that the parser has problems finding. Also there are some packages that are not in ELPA or MELPA that I still want to use, like =calfw= and =fast-scroll=, so I build them here.
#+begin_src nix-ts :tangle modules/home/common/emacs.nix
{ self, lib, config, pkgs, globals, inputs, ... }:
{ self, lib, config, pkgs, globals, inputs, type, ... }:
let
inherit (config.swarselsystems) homeDir mainUser isPublic isNixos;
inherit (config.repo.secrets.common.emacs) radicaleUser;
@ -17952,7 +18102,7 @@ Lastly, I am defining some more packages here that the parser has problems findi
startWithUserSession = "graphical";
};
} // lib.optionalAttrs (inputs ? sops) {
} // lib.optionalAttrs (type != "nixos") {
sops = lib.mkIf (!isPublic && !isNixos) {
secrets = {
@ -17991,7 +18141,7 @@ The rest of the related configuration is found here:
- [[#h:f93f66f9-6b8b-478e-b139-b2f382c1f25e][waybarupdate]]
#+begin_src nix-ts :tangle modules/home/common/waybar.nix
{ self, config, lib, inputs, pkgs, ... }:
{ self, config, lib, pkgs, type, ... }:
let
inherit (config.swarselsystems) xdgDir;
generateIcons = n: lib.concatStringsSep " " (builtins.map (x: "{icon" + toString x + "}") (lib.range 0 (n - 1)));
@ -18313,7 +18463,7 @@ The rest of the related configuration is found here:
};
style = builtins.readFile (self + /files/waybar/style.css);
};
} // lib.optionalAttrs (inputs ? sops) {
} // lib.optionalAttrs (type != "nixos") {
sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) {
github-notifications-token = { path = "${xdgDir}/secrets/github-notifications-token"; };
};
@ -19560,7 +19710,7 @@ When setting up a new machine:
enable = true;
publicKeys = [
{
source = "${self}/secrets/keys/gpg/gpg-public-key-0x76FD3810215AE097.asc";
source = "${self}/secrets/public/gpg/gpg-public-key-0x76FD3810215AE097.asc";
trust = 5;
}
];
@ -19805,7 +19955,7 @@ This service changes the screen hue at night. I am not sure if that really does
#+begin_src nix-ts :tangle modules/home/common/anki.nix
{ lib, config, pkgs, globals, inputs, confLib, ... }:
{ lib, config, pkgs, globals, confLib, type, ... }:
let
moduleName = "anki";
inherit (config.swarselsystems) isPublic isNixos;
@ -19861,7 +20011,7 @@ This service changes the screen hue at night. I am not sure if that really does
})
];
};
} // lib.optionalAttrs (inputs ? sops) {
} // lib.optionalAttrs (type != "nixos") {
sops = lib.mkIf (!isPublic && !isNixos) {
secrets = {
anki-user = { };
@ -20634,13 +20784,13 @@ When setting up a new machine:
#+end_src
#+begin_src nix-ts :tangle modules/home/optional/work.nix :noweb yes
{ self, inputs, config, pkgs, lib, vars, confLib, ... }:
{ self, config, pkgs, lib, vars, confLib, type, ... }:
let
inherit (config.swarselsystems) homeDir mainUser;
inherit (confLib.getConfig.repo.secrets.local.mail) allMailAddresses;
inherit (confLib.getConfig.repo.secrets.local.work) mailAddress;
certsSopsFile = self + /secrets/certs/secrets.yaml;
certsSopsFile = self + /secrets/repo/certs.yaml;
in
{
options.swarselmodules.optional-work = lib.swarselsystems.mkTrueOption;
@ -21288,7 +21438,7 @@ When setting up a new machine:
};
};
} // lib.optionalAttrs (inputs ? sops) {
} // lib.optionalAttrs (type != "nixos") {
sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) {
harica-root-ca = {
sopsFile = certsSopsFile;
@ -21429,7 +21579,7 @@ TODO: check which of these can be replaced but builtin functions.
isBtrfs = lib.mkEnableOption "use btrfs filesystem";
sopsFile = lib.mkOption {
type = lib.types.str;
default = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.swarselsystems.flakePath}/secrets/${config.node.name}/secrets.yaml";
default = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.node.secretsDir}/secrets.yaml";
};
homeDir = lib.mkOption {
type = lib.types.str;
@ -21718,6 +21868,40 @@ In short, the options defined here are passed to the modules systems using =_mod
}
#+end_src
*** Meta options (options only)
:PROPERTIES:
:CUSTOM_ID: h:30b81bf9-1e69-4ce8-88af-5592896bcee4
:END:
#+begin_src nix-ts :tangle modules/shared/meta.nix
{ lib, ... }:
{
options = {
node = {
secretsDir = lib.mkOption {
description = "Path to the secrets directory for this node.";
type = lib.types.path;
default = ./.;
};
name = lib.mkOption {
type = lib.types.str;
};
arch = lib.mkOption {
type = lib.types.str;
};
type = lib.mkOption {
type = lib.types.str;
};
lockFromBootstrapping = lib.mkOption {
description = "Whether this host should be marked to not be bootstrapped again using swarsel-bootstrap.";
type = lib.types.bool;
};
};
};
}
#+end_src
*** Config Library (confLib)
:PROPERTIES:
:CUSTOM_ID: h:a33322d5-014a-4072-a4a5-91bc71c343b8
@ -21747,7 +21931,7 @@ In short, the options defined here are passed to the modules systems using =_mod
serviceDir = dir;
serviceAddress = address;
serviceProxy = proxy;
proxyAddress4 = globals.hosts.${proxy}.wanAddress4;
proxyAddress4 = globals.hosts.${proxy}.wanAddress4 or null;
proxyAddress6 = globals.hosts.${proxy}.wanAddress6 or null;
};
};
@ -22762,8 +22946,7 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
vim "${git_root}"/.sops.yaml
fi
green "Updating all secrets files to reflect updates .sops.yaml"
sops updatekeys --yes --enable-local-keyservice "${git_root}"/secrets/*/secrets.yaml
sops updatekeys --yes --enable-local-keyservice "${git_root}"/hosts/nixos/"$target_arch"/"$target_hostname"/secrets/pii.nix.enc
sops updatekeys --yes --enable-local-keyservice "${git_root}"/hosts/nixos/"$target_arch"/"$target_hostname"/secrets/*
# --------------------------
green "Making ssh_host_ed25519_key available to home-manager for user $target_user"
sed -i "/$target_hostname/d; /$target_destination/d" ~/.ssh/known_hosts
@ -22936,7 +23119,7 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
fi
local_keys=$(ssh-add -L || true)
pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/keys/ssh/yubikey.pub)
pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/public/ssh/yubikey.pub)
read -ra pub_arr <<< "$pub_key"
cd .dotfiles
@ -23085,7 +23268,7 @@ Autoformatting always puts the =EOF= with indentation, which makes shfmt check f
git clone https://github.com/Swarsel/.dotfiles.git
local_keys=$(ssh-add -L || true)
pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/keys/ssh/yubikey.pub)
pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/public/ssh/yubikey.pub)
read -ra pub_arr <<< "$pub_key"
cd .dotfiles