diff --git a/SwarselSystems.org b/SwarselSystems.org
index 409c370..9fd1cab 100644
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
@@ -1252,69 +1252,33 @@ I have removed most of the machines from this section. What remains are some hos :END: #+begin_src nix :tangle hosts/nixos/sync/default.nix - { self, config, inputs, pkgs, ... }: - + { self, inputs, outputs, lib, ... }: + let + profilesPath = "${self}/profiles"; + in { imports = [ inputs.sops-nix.nixosModules.sops + "${profilesPath}/server/nixos" ./hardware-configuration.nix - ]; - environment.systemPackages = with pkgs; [ - git - gnupg - ssh-to-age - ]; + inputs.home-manager.nixosModules.home-manager + { + home-manager.users.swarsel.imports = [ + "${profilesPath}/server/home" + ] ++ (builtins.attrValues outputs.homeManagerModules); + } - services.xserver.xkb = { - layout = "us"; - variant = "altgr-intl"; - }; - - nix.settings.experimental-features = [ "nix-command" "flakes" ]; + ] ++ (builtins.attrValues outputs.nixosModules); sops = { - age.sshKeyPaths = [ "/etc/ssh/sops" ]; - defaultSopsFile = "/root/.dotfiles/secrets/sync/secrets.yaml"; - validateSopsFiles = false; - secrets.swarsel = { owner = "root"; }; - secrets.dnstokenfull = { owner = "acme"; }; - templates."certs.secret".content = '' - CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull} - ''; + defaultSopsFile = lib.mkForce "/root/.dotfiles/secrets/sync/secrets.yaml"; }; - security.acme = { - acceptTerms = true; - preliminarySelfsigned = false; - defaults.email = "mrswarsel@gmail.com"; - defaults.dnsProvider = "cloudflare"; - defaults.environmentFile = "${config.sops.templates."certs.secret".path}"; - }; services.nginx = { - enable = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - recommendedOptimisation = true; - recommendedGzipSettings = true; virtualHosts = { - - "synki.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "/" = { - proxyPass = "http://localhost:27701"; - extraConfig = '' - client_max_body_size 0; - ''; - }; - }; - }; - "sync.swarsel.win" = { enableACME = true; forceSSL = true; 
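Review bot: The `sync.swarsel.win` virtual host still sets `enableACME = true; forceSSL = true;` while this hunk removes the host's `security.acme` block, the `dnstokenfull` secret and the `certs.secret` template that fed the Cloudflare token into the ACME environment, and nothing in the diff shows `profiles/server/nixos` providing replacements. If the profile does not declare `security.acme` (at least `acceptTerms` plus the DNS provider and environment file) and `sops.secrets.dnstokenfull` with `owner = "acme"`, evaluation fails on the missing `acceptTerms` or the certificate can no longer be renewed; please confirm and, once confirmed, record it with a comment above `sops = {` such as `# security.acme and the dnstokenfull secret are declared in profiles/server/nixos`. `lib.mkForce` on `defaultSopsFile` is stronger than needed, since the profile's sops.nix now sets its value with `lib.mkDefault`; a plain assignment expresses the override without silently winning over any future conflicting definition. The same hunk appears as `hosts/nixos/sync/default.nix` `@@ -1,66 +1,30 @@`.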
@@ -1328,13 +1292,18 @@ I have removed most of the machines from this section. What remains are some hos }; }; }; - }; }; - boot.tmp.cleanOnBoot = true; + boot = { + tmp.cleanOnBoot = true; + loader.grub.device = "nodev"; + }; zramSwap.enable = false; + networking = { + firewall.allowedTCPPorts = [ 8384 22000 ]; + firewall.allowedUDPPorts = [ 21027 22000 ]; hostName = "sync"; enableIPv6 = false; domain = "subnet03112148.vcn03112148.oraclevcn.com";
@@ -1347,37 +1316,14 @@ I have removed most of the machines from this section. What remains are some hos iptables -I INPUT -m state --state NEW -p tcp --dport 22000 -j ACCEPT iptables -I INPUT -m state --state NEW -p udp --dport 22000 -j ACCEPT iptables -I INPUT -m state --state NEW -p udp --dport 21027 -j ACCEPT + iptables -I INPUT -m state --state NEW -p tcp --dport 9812 -j ACCEPT ''; }; - services.openssh = { - enable = true; - # settings.PermitRootLogin = "yes"; - }; - users.users.root.openssh.authorizedKeys.keyFiles = [ - "${self}/secrets/keys/ssh/nbl-imba-2.pub" - ]; - system.stateVersion = "23.11"; # TEMPLATE - but probably no need to change + # system.stateVersion = "23.11"; # TEMPLATE - but probably no need to change - environment.shellAliases = { - nswitch = "cd ~/.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;"; - }; - - boot.loader.grub.device = "nodev"; - - services.anki-sync-server = { - enable = true; - port = 27701; - address = "0.0.0.0"; - openFirewall = true; - users = [ - { - username = "Swarsel"; - passwordFile = config.sops.secrets.swarsel.path; - } - ]; - }; + # do not manage OCI syncthing through nix config services.syncthing = { enable = true; guiAddress = "0.0.0.0:8384";
@@ -1394,6 +1340,8 @@ I have removed most of the machines from this section. What remains are some hos server = { enable = true; forgejo = true; + ankisync = true; + emacs = true; }; };
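Review bot: `firewall.allowedTCPPorts = [ 8384 22000 ]` opens the Syncthing GUI/REST port on every interface, and the context further down binds it with `guiAddress = "0.0.0.0:8384"`, so the admin interface becomes directly reachable rather than only through the TLS-terminating nginx vhost. If remote administration is wanted, serving it through `sync.swarsel.win` and keeping 8384 out of the allowed list limits the exposure; if direct access is intended, a comment next to the port list stating that would make the decision visible. Note also that 22000 and 21027 are now opened both here and by the raw `iptables -I INPUT` rules in the next hunk, while 9812 is only in the iptables rules; keeping a single mechanism avoids the two lists drifting apart. `hosts/nixos/sync/default.nix` `@@ -74,13 +38,18 @@` is the same change.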
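Review bot: In the `@@ -1347,37 +1316,14 @@` hunk the new comment `# do not manage OCI syncthing through nix config` sits directly above `services.syncthing = { enable = true; ...`, which still configures Syncthing declaratively, so the comment contradicts the code beneath it; if the intent is that folders and devices live in Syncthing's own state rather than in Nix, say that, e.g. `# only the service is declared here; folders/devices are configured out of band`, otherwise drop it. The hunk also removes `services.openssh.enable = true` and root's `authorizedKeys.keyFiles` and comments out `system.stateVersion`; on a remote host that is a lockout and state-drift risk unless `profiles/server/nixos` enables sshd, installs an authorized key and sets `stateVersion`, none of which this diff shows, so please confirm before switching. The added `--dport 9812` rule gives no hint of what listens on that port; a short comment naming the service would make the rule reviewable. `hosts/nixos/sync/default.nix` `@@ -93,37 +62,14 @@` has the same changes.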
@@ -3056,7 +3004,7 @@ This section is for setting things that should be used on hosts that are using t #+end_src -**** General NixOS settings (enable home-manager module, stateVersion) +**** General NixOS settings (stateVersion) :PROPERTIES: :CUSTOM_ID: h:24c9146f-2147-4fd5-bafc-d5853e15cf12 :END:
@@ -4703,11 +4651,11 @@ Also, the system state version is set here. No need to touch it. :END: #+begin_src nix :tangle profiles/server/nixos/sops.nix - { config, ... }: + { config, lib, ... }: { sops = { - age.sshKeyPaths = [ "/etc/ssh/sops" ]; - defaultSopsFile = "${config.swarselsystems.flakePath}/secrets/server/winters/secrets.yaml"; + age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/sops" ]; + defaultSopsFile = lib.mkDefault "${config.swarselsystems.flakePath}/secrets/server/winters/secrets.yaml"; validateSopsFiles = false; };
@@ -6161,7 +6109,6 @@ Also, the system state version is set here. No need to touch it. services.emacs = { enable = true; - install = true; startWithGraphical = false; };
diff --git a/hosts/nixos/sync/default.nix b/hosts/nixos/sync/default.nix
index 93468bc..d0739a6 100644
--- a/hosts/nixos/sync/default.nix
+++ b/hosts/nixos/sync/default.nix
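Review bot: In the `@@ -4703,11 +4651,11 @@` hunk, `defaultSopsFile = lib.mkDefault "${config.swarselsystems.flakePath}/secrets/server/winters/secrets.yaml"` makes one host's secrets file the fallback for every host that imports the server profile, so a host that forgets to set `sops.defaultSopsFile` silently evaluates against winters' secrets instead of failing. Since every other host has to override it anyway, leaving `defaultSopsFile` unset in the profile so that a missing override is an evaluation error is the safer shape; if the fallback is intentional, a comment above it such as `# fallback only; each host is expected to override defaultSopsFile` should say so. `validateSopsFiles = false` remains an unconditional assignment, so a host wanting validation has to reach for `lib.mkForce`; `lib.mkDefault` there would be consistent with the two lines above it. The identical hunk is `profiles/server/nixos/sops.nix` `@@ -1,8 +1,8 @@`.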
@@ -1,66 +1,30 @@ -{ self, config, inputs, pkgs, ... }: - +{ self, inputs, outputs, lib, ... }: +let + profilesPath = "${self}/profiles"; +in { imports = [ inputs.sops-nix.nixosModules.sops + "${profilesPath}/server/nixos" ./hardware-configuration.nix - ]; - environment.systemPackages = with pkgs; [ - git - gnupg - ssh-to-age - ]; + inputs.home-manager.nixosModules.home-manager + { + home-manager.users.swarsel.imports = [ + "${profilesPath}/server/home" + ] ++ (builtins.attrValues outputs.homeManagerModules); + } - services.xserver.xkb = { - layout = "us"; - variant = "altgr-intl"; - }; - - nix.settings.experimental-features = [ "nix-command" "flakes" ]; + ] ++ (builtins.attrValues outputs.nixosModules); sops = { - age.sshKeyPaths = [ "/etc/ssh/sops" ]; - defaultSopsFile = "/root/.dotfiles/secrets/sync/secrets.yaml"; - validateSopsFiles = false; - secrets.swarsel = { owner = "root"; }; - secrets.dnstokenfull = { owner = "acme"; }; - templates."certs.secret".content = '' - CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull} - ''; + defaultSopsFile = lib.mkForce "/root/.dotfiles/secrets/sync/secrets.yaml"; }; - security.acme = { - acceptTerms = true; - preliminarySelfsigned = false; - defaults.email = "mrswarsel@gmail.com"; - defaults.dnsProvider = "cloudflare"; - defaults.environmentFile = "${config.sops.templates."certs.secret".path}"; - }; services.nginx = { - enable = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - recommendedOptimisation = true; - recommendedGzipSettings = true; virtualHosts = { - - "synki.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "/" = { - proxyPass = "http://localhost:27701"; - extraConfig = '' - client_max_body_size 0; - ''; - }; - }; - }; - "sync.swarsel.win" = { enableACME = true; forceSSL = true; 
@@ -74,13 +38,18 @@ }; }; }; - }; }; - boot.tmp.cleanOnBoot = true; + boot = { + tmp.cleanOnBoot = true; + loader.grub.device = "nodev"; + }; zramSwap.enable = false; + networking = { + firewall.allowedTCPPorts = [ 8384 22000 ]; + firewall.allowedUDPPorts = [ 21027 22000 ]; hostName = "sync"; enableIPv6 = false; domain = "subnet03112148.vcn03112148.oraclevcn.com";
@@ -93,37 +62,14 @@ iptables -I INPUT -m state --state NEW -p tcp --dport 22000 -j ACCEPT iptables -I INPUT -m state --state NEW -p udp --dport 22000 -j ACCEPT iptables -I INPUT -m state --state NEW -p udp --dport 21027 -j ACCEPT + iptables -I INPUT -m state --state NEW -p tcp --dport 9812 -j ACCEPT ''; }; - services.openssh = { - enable = true; - # settings.PermitRootLogin = "yes"; - }; - users.users.root.openssh.authorizedKeys.keyFiles = [ - "${self}/secrets/keys/ssh/nbl-imba-2.pub" - ]; - system.stateVersion = "23.11"; # TEMPLATE - but probably no need to change + # system.stateVersion = "23.11"; # TEMPLATE - but probably no need to change - environment.shellAliases = { - nswitch = "cd ~/.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;"; - }; - - boot.loader.grub.device = "nodev"; - - services.anki-sync-server = { - enable = true; - port = 27701; - address = "0.0.0.0"; - openFirewall = true; - users = [ - { - username = "Swarsel"; - passwordFile = config.sops.secrets.swarsel.path; - } - ]; - }; + # do not manage OCI syncthing through nix config services.syncthing = { enable = true; guiAddress = "0.0.0.0:8384";
@@ -131,4 +77,18 @@ }; + swarselsystems = { + hasBluetooth = false; + hasFingerprint = false; + impermanence = false; + isBtrfs = false; + flakePath = "/.dotfiles"; + server = { + enable = true; + forgejo = true; + ankisync = true; + emacs = true; + }; + }; + }
diff --git a/profiles/server/nixos/emacs.nix b/profiles/server/nixos/emacs.nix
index 4ad2125..1e12342 100644
--- a/profiles/server/nixos/emacs.nix
+++ b/profiles/server/nixos/emacs.nix
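Review bot: In the `@@ -131,4 +77,18 @@` hunk, `flakePath = "/.dotfiles"` while the first hunk of this file forces `sops.defaultSopsFile` to `/root/.dotfiles/secrets/sync/secrets.yaml`; the server profile's sops.nix derives its secrets path from `config.swarselsystems.flakePath`, so anything else built from that option points at a different tree than the explicit path unless `/.dotfiles` and `/root/.dotfiles` are the same directory. I cannot tell from the diff whether one is a symlink to the other, so please confirm; if they are the same, deriving the host's path from the option, `defaultSopsFile = "${config.swarselsystems.flakePath}/secrets/sync/secrets.yaml";` (which needs `config` back in the module arguments), keeps the two from drifting, and otherwise a comment explaining why the paths differ would help.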
@@ -6,7 +6,6 @@ services.emacs = { enable = true; - install = true; startWithGraphical = false; };
diff --git a/profiles/server/nixos/sops.nix b/profiles/server/nixos/sops.nix
index 3de53ed..226b48e 100644
--- a/profiles/server/nixos/sops.nix
+++ b/profiles/server/nixos/sops.nix
@@ -1,8 +1,8 @@ -{ config, ... }: +{ config, lib, ... }: { sops = { - age.sshKeyPaths = [ "/etc/ssh/sops" ]; - defaultSopsFile = "${config.swarselsystems.flakePath}/secrets/server/winters/secrets.yaml"; + age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/sops" ]; + defaultSopsFile = lib.mkDefault "${config.swarselsystems.flakePath}/secrets/server/winters/secrets.yaml"; validateSopsFiles = false; };
diff --git a/secrets/sync/secrets.yaml b/secrets/sync/secrets.yaml
index 3a9182e..38e0069 100644
--- a/secrets/sync/secrets.yaml
+++ b/secrets/sync/secrets.yaml
@@ -1,5 +1,6 @@ swarsel: ENC[AES256_GCM,data:WzMlNzg5iAu823s=,iv:U8ZutlrzBqq7z445kSnvluejtta4X/0YMIIOdcQuftg=,tag:IE0WMuXlNwnBHzXtrbVHKA==,type:str] dnstokenfull: ENC[AES256_GCM,data:hxgxSm6pcXOEHZHdSwQkfZryFccQXrCu9idULJhWK/tQ44FyRIU4Yg==,iv:ObKf1M1qkgCltkKJX+URaPSiK5Itd3xlfBXPjf1iVak=,tag:PASR0pgBdcDYjdTZ2eEUCg==,type:str] +swarseluser: ENC[AES256_GCM,data:e/p76dBuM7eLIrO0HBeJMs8eMCAGAklGcA==,iv:r+e9GGMDCCjh1eWnB4AJMFdMuXbVXxoLMefooq0SOlE=,tag:auRo+JnwH+EardJQbKek0A==,type:str] sops: kms: [] gcp_kms: []
@@ -15,8 +16,8 @@ sops: ckc3MmZZTVFyRGFaTVlVM29ra3JkbzQKNYhBd9oMS/jn2Oqyx9LpqJjQUx2mEZ/B aUNbenlCRr8KCc+yBXuTyI31LPXJ3YHsI1cfp1K/LGzCY2F0uk4rSw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-02-01T01:06:53Z" - mac: ENC[AES256_GCM,data:pjpS4BX6PJtGl7d5QAR5vRkuzLceGWUEWIzvCG5NTdz6TX5STHZqjX7V+DEKUbNG8HWTMAqUokr+2uHT+hQ5RxCVYMZeEfUgVqcxpxJHoGHcs+iwLDghqlh3jEZInSVXqhD4UP8A0JSGLtAEBc5o3bELp7pTEw8mLq4trEm4RvM=,iv:hYpEG7ws8RKYcrbeOmH7m4pcZ/F4nIQY4wb6RW3BpR0=,tag:tsAIE4Px9ZPIJ2l/KQUmXQ==,type:str] + lastmodified: "2024-12-15T16:12:07Z" + mac: ENC[AES256_GCM,data:hMx5qjmUgTS6cOzO2e0tFB3DwJzbruwPn0J1TIa6XbmgvcDThiOAxsfKRQUrc/uWd/1Ehke+VPdt77d8hgUoe+NuUQY592Lx78DhfdaVQkwR62MfKf1Y3unRjjGjILIK935qcesTPXm10hRUenxf8r0eXGMlYnFn3pLTTVOD7mw=,iv:FGdr2xJCRYGAlNt0r0Zkt/Abre/pCXebM6o+VkTcB7I=,tag:aeRgsVSNH4QE6S69sgUXCQ==,type:str] pgp: - created_at: "2024-02-01T01:06:36Z" enc: |- @@ -50,4 +51,4 @@ sops: -----END PGP MESSAGE----- fp: 4BE7925262289B476DBBC17B76FD3810215AE097 unencrypted_suffix: _unencrypted - version: 3.8.1 + version: 3.9.1