chore: backup work done so far

This commit is contained in:
Leon Schwarzäugl 2025-12-02 17:36:59 +01:00
parent 9acfc5f934
commit 5d27d18f85
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
77 changed files with 4005 additions and 2937 deletions


@ -1,7 +1,7 @@
{ self, lib, pkgs, config, globals, ... }:
let
certsSopsFile = self + /secrets/certs/secrets.yaml;
clientSopsFile = self + /secrets/${config.node.name}/secrets.yaml;
certsSopsFile = self + /secrets/repo/certs.yaml;
clientSopsFile = "${config.node.secretsDir}/secrets.yaml";
inherit (config.repo.secrets.common.network) wlan1 mobile1 vpn1-location vpn1-cipher vpn1-address eduroam-anon;
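Review bot: The new `clientSopsFile = "${config.node.secretsDir}/secrets.yaml";` reads `config.node.secretsDir`, but this same commit deletes the module that declared `node.secretsDir`, `node.name` and `node.lockFromBootstrapping` (the `@ -1,20 +0,0 @@` section), and the grafana, radicale and snipeit sections add further `config.node.secretsDir` reads. Unless those options are now declared in a file outside this diff, every one of these modules fails to evaluate with an undefined option; if they were moved, a short comment naming the new module would save the next reader the search. The `certsSopsFile` line is only a path rename and needs nothing. The enclosing `let` block continues outside the hunk.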


@ -5,8 +5,8 @@
sops = {
# age.sshKeyPaths = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs [ "/persist/.ssh/sops" "/persist/.ssh/ssh_host_ed25519_key" ] [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ];
age.sshKeyPaths = [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "${if config.swarselsystems.isImpermanence then "/persist" else ""}/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.swarselsystems.flakePath}/secrets/general/secrets.yaml";
age.sshKeyPaths = [ "${if config.swarselsystems.isImpermanence then "/persist" else ""}/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.swarselsystems.flakePath}/secrets/repo/common.yaml";
validateSopsFiles = false;
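Review bot: The new `age.sshKeyPaths` keeps only the host ed25519 key (under the impermanence prefix when set) and drops `/etc/ssh/sops` and the user's `~/.ssh/sops`, so decryption now depends on every sops file being encrypted to that single host key. With `validateSopsFiles = false;` on the next line, neither the renamed `secrets/repo/common.yaml` path nor a file that is not encrypted to the host key is checked at evaluation; both only surface at activation. If the dropped paths were a fallback for hosts whose host key is not yet among the sops recipients, that fallback is gone and is worth stating, e.g. `# the host key is the only age identity; every sops file must be encrypted to it`.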


@ -4,7 +4,7 @@ let
inherit (config.repo.secrets.common.emacs) radicaleUser;
modules = config.home-manager.users.${mainUser}.swarselmodules;
certsSopsFile = self + /secrets/certs/secrets.yaml;
certsSopsFile = self + /secrets/repo/certs.yaml;
in
{
config = lib.mkIf config.swarselsystems.withHomeManager {


@ -1,4 +1,4 @@
{ self, inputs, config, lib, homeLib, outputs, globals, nodes, minimal, configName, ... }:
{ self, inputs, config, lib, homeLib, outputs, globals, nodes, minimal, configName, arch, type, ... }:
{
options.swarselmodules.home-manager = lib.mkEnableOption "home-manager";
config = lib.mkIf config.swarselmodules.home-manager {
@ -10,7 +10,7 @@
overwriteBackup = true;
users.${config.swarselsystems.mainUser}.imports = [
inputs.nix-index-database.homeModules.nix-index
inputs.sops-nix.homeManagerModules.sops
# inputs.sops.homeManagerModules.sops # this is not needed!! we add these secrets in nixos scope
inputs.spicetify-nix.homeManagerModules.default
inputs.swarsel-nix.homeModules.default
{
@ -31,7 +31,7 @@
];
extraSpecialArgs = {
inherit (inputs) self nixgl;
inherit inputs outputs globals nodes minimal configName;
inherit inputs outputs globals nodes minimal configName arch type;
lib = homeLib;
};
};
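Review bot: The removed `inputs.sops-nix.homeManagerModules.sops` import survives as a commented-out line carrying `# this is not needed!! we add these secrets in nixos scope`, which reads as a scratch note rather than documentation; drop the dead line and keep a single neutral comment such as `# sops secrets are declared at NixOS scope, so the home-manager sops module is intentionally not imported`. Any home-manager module that still sets `sops.secrets` or reads `config.sops.*` in HM scope will now fail with an undefined option, which I cannot verify from this hunk. The new `arch type` args at the module header and in `extraSpecialArgs` are consistent with each other.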


@ -1,20 +0,0 @@
{ lib, ... }:
{
options = {
node = {
secretsDir = lib.mkOption {
description = "Path to the secrets directory for this node.";
type = lib.types.path;
default = ./.;
};
name = lib.mkOption {
description = "Node Name.";
type = lib.types.str;
};
lockFromBootstrapping = lib.mkOption {
description = "Whether this host should be marked to not be bootstrapped again using swarsel-bootstrap.";
type = lib.types.bool;
};
};
};
}


@ -14,9 +14,9 @@
group = lib.mkForce "jump";
createHome = lib.mkForce true;
openssh.authorizedKeys.keyFiles = [
(self + /secrets/keys/ssh/yubikey.pub)
(self + /secrets/keys/ssh/magicant.pub)
(self + /secrets/keys/ssh/builder.pub)
(self + /secrets/public/ssh/yubikey.pub)
(self + /secrets/public/ssh/magicant.pub)
(self + /secrets/public/ssh/builder.pub)
];
};
};


@ -49,8 +49,8 @@ in
enable = true;
port = 2222; # avoid hostkey changed nag
authorizedKeys = [
''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/keys/ssh/yubikey.pub"}''
''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/keys/ssh/magicant.pub"}''
''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/public/ssh/yubikey.pub"}''
''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/public/ssh/magicant.pub"}''
];
hostKeys = [ hostKeyPathBase ];
};


@ -0,0 +1,14 @@
{ lib, config, globals, dns, confLib, ... }:
let
inherit (confLib.gen { name = "dns-hostrecord"; proxy = config.node.name; }) serviceName proxyAddress4 proxyAddress6;
in
{
options. swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
nodes.stoicclub.swarselsystems.server.dns.${globals.domains.main}.subdomainRecords = {
"server.${config.node.name}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
};
}
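Review bot: `options. swarselmodules.server.${serviceName}` has a stray space after the first dot; it parses, but it differs from every other `options.swarselmodules...` attrpath in this commit and would be rewritten by `nixfmt`, so change it to `options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";`. The module writes into `nodes.stoicclub...subdomainRecords` from another node's configuration, which is presumably intentional cross-node wiring; a one-line comment saying that the record is published on the stoicclub DNS host would make that explicit.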


@ -1,6 +1,6 @@
{ self, lib, pkgs, config, globals, dns, confLib, ... }:
let
certsSopsFile = self + /secrets/certs/secrets.yaml;
certsSopsFile = self + /secrets/repo/certs.yaml;
inherit (config.swarselsystems) sopsFile;
inherit (confLib.gen { name = "kanidm"; port = 8300; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;


@ -1,4 +1,4 @@
{ self, lib, config, globals, dns, confLib, ... }:
{ lib, config, globals, dns, confLib, ... }:
let
inherit (confLib.gen { name = "grafana"; port = 3000; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
@ -11,6 +11,8 @@ let
kanidmDomain = globals.services.kanidm.domain;
inherit (config.swarselsystems) sopsFile;
sopsFile2 = "${config.node.secretsDir}/secrets2.yaml";
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
@ -25,7 +27,7 @@ in
grafana-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
prometheus-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
kanidm-grafana-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
prometheus-admin-hash = { sopsFile = self + /secrets/winters/secrets2.yaml; owner = prometheusUser; group = prometheusGroup; mode = "0440"; };
prometheus-admin-hash = { sopsFile = sopsFile2; owner = prometheusUser; group = prometheusGroup; mode = "0440"; };
};
templates = {


@ -1,7 +1,8 @@
{ lib, config, ... }:
let
netConfig = config.repo.secrets.local.networking;
netName = "${if config.swarselsystems.isCloud then config.node.name else "home"}-${config.swarselsystems.server.localNetwork}";
netPrefix = "${if config.swarselsystems.isCloud then config.node.name else "home"}";
netName = "${netPrefix}-${config.swarselsystems.server.localNetwork}";
in
{
options = {
@ -16,6 +17,11 @@ in
default = netName;
readOnly = true;
};
netConfigPrefix = lib.mkOption {
type = lib.types.str;
default = netPrefix;
readOnly = true;
};
};
};
config = lib.mkIf config.swarselmodules.server.network {
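Review bot: The new `netConfigPrefix` option is declared with `type`, `default` and `readOnly` but no `description`, so it shows up undocumented in generated option listings; the visible part of the sibling option above it has none either, though its header is outside the hunk. Add `description = "Network name prefix: the node name on cloud hosts, otherwise \"home\"; used to look up the node's networks in globals.";` so that readers of the wireguard module, which keys `globals.networks` on this value, know where it comes from. Extracting `netPrefix` from the old `netName` interpolation is otherwise behaviour-preserving.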


@ -3,7 +3,7 @@ with dns.lib.combinators; {
SOA = {
nameServer = "soa";
adminEmail = "admin@${globals.domains.main}"; # this option is not parsed as domain (we cannot just write "admin")
serial = 2025120201; # update this on changes for secondary dns
serial = 2025120203; # update this on changes for secondary dns
};
useOrigin = false;


@ -1,7 +1,7 @@
{ self, lib, config, globals, dns, confLib, ... }:
{ lib, config, globals, dns, confLib, ... }:
let
inherit (confLib.gen { name = "radicale"; port = 8000; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
sopsFile = self + /secrets/winters/secrets2.yaml;
sopsFile = "${config.node.secretsDir}/secrets2.yaml";
cfg = config.services.${serviceName};
in


@ -1,7 +1,7 @@
{ self, lib, config, globals, dns, confLib, ... }:
{ lib, config, globals, dns, confLib, ... }:
let
inherit (confLib.gen { name = "snipeit"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress serviceProxy proxyAddress4 proxyAddress6;
sopsFile = self + /secrets/winters/secrets2.yaml;
sopsFile = "${config.node.secretsDir}/secrets2.yaml";
serviceDB = "snipeit";


@ -26,7 +26,7 @@ in
isSystemUser = true;
group = "builder";
openssh.authorizedKeys.keys = [
''${ssh-restrict} ${builtins.readFile "${self}/secrets/keys/ssh/builder.pub"}''
''${ssh-restrict} ${builtins.readFile "${self}/secrets/public/ssh/builder.pub"}''
];
};
};


@ -22,14 +22,14 @@
];
};
users.users."${config.swarselsystems.mainUser}".openssh.authorizedKeys.keyFiles = [
(self + /secrets/keys/ssh/yubikey.pub)
(self + /secrets/keys/ssh/magicant.pub)
# (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/keys/ssh/jump.pub))
(self + /secrets/public/ssh/yubikey.pub)
(self + /secrets/public/ssh/magicant.pub)
# (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/public/ssh/jump.pub))
];
users.users.root.openssh.authorizedKeys.keyFiles = [
(self + /secrets/keys/ssh/yubikey.pub)
(self + /secrets/keys/ssh/magicant.pub)
# (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/keys/ssh/jump.pub))
(self + /secrets/public/ssh/yubikey.pub)
(self + /secrets/public/ssh/magicant.pub)
# (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/public/ssh/jump.pub))
];
security.sudo.extraConfig = ''
Defaults env_keep+=SSH_AUTH_SOCK


@ -0,0 +1,126 @@
{ self, lib, config, confLib, globals, ... }:
let
wgInterface = "wg0";
inherit (confLib.gen { name = "wireguard"; port = 52829; user = "systemd-network"; group = "systemd-network"; }) servicePort serviceName serviceUser serviceGroup;
inherit (config.swarselsystems) sopsFile;
inherit (config.swarselsystems.server.wireguard) peers isClient isServer;
in
{
options = {
swarselmodules.${serviceName} = lib.mkEnableOption "enable ${serviceName} settings";
swarselsystems.server.wireguard = {
isServer = lib.mkEnableOption "set this as a wireguard server";
peers = lib.mkOption {
type = lib.types.listOf (lib.types.submodule {
freeformType = lib.types.attrs;
options = { };
});
default = [ ];
description = "Wireguard peer submodules as expected by systemd.network.netdevs.<name>.wireguardPeers";
};
};
};
config = lib.mkIf config.swarselmodules.${serviceName} {
sops = {
secrets = {
wireguard-private-key = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0600"; };
wireguard-home-preshared-key = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0600"; };
};
};
networking = {
firewall.allowedUDPPorts = [ servicePort ];
nat = {
enable = true;
enableIPv6 = true;
externalInterface = "ens6";
internalInterfaces = [ wgInterface ];
};
};
systemd.network = {
enable = true;
networks."50-${wgInterface}" = {
matchConfig.Name = wgInterface;
networkConfig = {
IPv4Forwarding = true;
IPv6Forwarding = true;
};
address = [
"${globals.networks."${config.swarselsystems.server.netConfigPrefix}-wg".hosts.${config.node.name}.cidrv4}"
"${globals.networks."${config.swarselsystems.server.netConfigPrefix}-wg".hosts.${config.node.name}.cidrv6}"
];
};
netdevs."50-wg0" = {
netdevConfig = {
Kind = "wireguard";
Name = wgInterface;
};
wireguardConfig = {
ListenPort = lib.mkIf isServer servicePort;
# ensure file is readable by `systemd-network` user
PrivateKeyFile = config.age.secrets.wg-key-vps.path;
# To automatically create routes for everything in AllowedIPs,
# add RouteTable=main
# RouteTable = "main";
# FirewallMark marks all packets send and received by wg0
# with the number 42, which can be used to define policy rules on these packets.
# FirewallMark = 42;
};
wireguardPeers = peers ++ lib.optionals isClient [
{
PublicKey = builtins.readFile "${self}/secrets/public/wg/${config.node.name}.pub";
PresharedKeyFile = config.sops.secrets."${config.node.name}-presharedKey".path;
Endpoint = "${globals.hosts.${config.node.name}.wanAddress4}:${toString servicePort}";
# Access to the whole network is routed through our entry node.
# AllowedIPs =
# (optional (networkCfg.cidrv4 != null) networkCfg.cidrv4)
# ++ (optional (networkCfg.cidrv6 != null) networkCfg.cidrv6);
}
];
};
};
# networking = {
# wireguard = {
# enable = true;
# interfaces = {
# wg1 = {
# privateKeyFile = config.sops.secrets.wireguard-private-key.path;
# ips = [ "192.168.178.201/24" ];
# peers = [
# {
# publicKey = "PmeFInoEJcKx+7Kva4dNnjOEnJ8lbudSf1cbdo/tzgw=";
# presharedKeyFile = config.sops.secrets.wireguard-home-preshared-key.path;
# name = "moonside";
# persistentKeepalive = 25;
# # endpoint = "${config.repo.secrets.common.ipv4}:51820";
# endpoint = "${config.repo.secrets.common.wireguardEndpoint}";
# # allowedIPs = [
# # "192.168.3.0/24"
# # "192.168.1.0/24"
# # ];
# allowedIPs = [
# "192.168.178.0/24"
# ];
# }
# ];
# };
# };
# };
# };
};
}
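Review bot: `isClient` is inherited from `config.swarselsystems.server.wireguard` in the `let` block, but the options block only declares `isServer` and `peers`, so the module fails on an undefined attribute as soon as it is imported. The key references also do not match what the module declares: `PrivateKeyFile` reads `config.age.secrets.wg-key-vps.path`, an agenix path this file never defines, while the declared `sops.secrets.wireguard-private-key` is never used, and `PresharedKeyFile` looks up `"${config.node.name}-presharedKey"` although the declared secret is `wireguard-home-preshared-key`. `builtins.readFile` keeps the trailing newline of the `.pub` file, which would end up inside the generated `PublicKey=` line; `lib.fileContents` strips it, though which peer's public key belongs in the client entry I cannot tell from here. The `netdevs."50-wg0"` name and the hard-coded `externalInterface = "ens6"` bypass the `wgInterface` binding and the per-node configuration used everywhere else, and the commented-out `networking.wireguard` block at the end is dead code that the git history already preserves.
```nix
    swarselsystems.server.wireguard = {
      isServer = lib.mkEnableOption "set this as a wireguard server";
      isClient = lib.mkEnableOption "add the entry-node peer so this node joins as a wireguard client";
      # … unchanged: peers option …
    };
    # … unchanged: sops, networking, networks."50-${wgInterface}" …
    netdevs."50-${wgInterface}" = {
      # … unchanged: netdevConfig …
      wireguardConfig = {
        ListenPort = lib.mkIf isServer servicePort;
        # declared above with owner = serviceUser so systemd-network can read it
        PrivateKeyFile = config.sops.secrets.wireguard-private-key.path;
      };
      wireguardPeers = peers ++ lib.optionals isClient [
        {
          # fileContents drops the trailing newline that readFile would keep
          PublicKey = lib.fileContents "${self}/secrets/public/wg/${config.node.name}.pub";
          PresharedKeyFile = config.sops.secrets.wireguard-home-preshared-key.path;
          # … unchanged: Endpoint …
        }
      ];
    };
```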