diff --git a/.sops.yaml b/.sops.yaml index 1379cf1..2626089 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -62,7 +62,7 @@ creation_rules: - *swarsel age: - *nbl - - path_regex: hosts/nixos/x86_64-linux/pyramid/secrets/pii.nix.enc + - path_regex: hosts/nixos/pyramid/secrets/pii.nix.enc key_groups: - pgp: - *swarsel @@ -75,7 +75,7 @@ creation_rules: - *swarsel age: - *moonside - - path_regex: hosts/nixos/aarch64-linux/moonside/secrets/pii.nix.enc + - path_regex: hosts/nixos/moonside/secrets/pii.nix.enc key_groups: - pgp: - *swarsel @@ -88,7 +88,7 @@ creation_rules: - *swarsel age: - *bakery - - path_regex: hosts/nixos/x86_64-linux/bakery/secrets/pii.nix.enc + - path_regex: hosts/nixos/bakery/secrets/pii.nix.enc key_groups: - pgp: - *swarsel @@ -101,7 +101,7 @@ creation_rules: - *swarsel age: - *winters - - path_regex: hosts/nixos/x86_64-linux/winters/secrets/pii.nix.enc + - path_regex: hosts/nixos/winters/secrets/pii.nix.enc key_groups: - pgp: - *swarsel @@ -115,19 +115,14 @@ creation_rules: - *swarsel age: - *milkywell - - path_regex: hosts/nixos/aarch64-linux/milkywell/secrets/pii.nix.enc + - path_regex: hosts/nixos/milkywell/secrets/pii.nix.enc key_groups: - pgp: - *swarsel age: - *milkywell - - path_regex: hosts/nixos/x86_64-linux/summers/secrets/ - key_groups: - - pgp: - - *swarsel - - - path_regex: hosts/nixos/x86_64-linux/hintbooth/secrets/ + - path_regex: hosts/nixos/summers/secrets/ key_groups: - pgp: - *swarsel diff --git a/SwarselSystems.org b/SwarselSystems.org index 656b149..dbfb7e7 100644 --- a/SwarselSystems.org +++ b/SwarselSystems.org @@ -689,22 +689,6 @@ Concerning the =flake = _:= part: inherit (inputs.nixpkgs) lib; in rec { - cidrToSubnetMask = cidr: - let - prefixLength = lib.toInt (lib.last (lib.splitString "/" cidr)); - bits = lib.genList (i: if i < prefixLength then 1 else 0) 32; - octets = lib.genList - (i: - let - octetBits = lib.sublist (i * 8) 8 bits; - octetValue = lib.foldl (acc: bit: acc * 2 + bit) 0 octetBits; - in - octetValue - ) 4; - subnetMask = lib.concatStringsSep "." (map toString octets); - in - subnetMask; - mkIfElseList = p: yes: no: lib.mkMerge [ (lib.mkIf p yes) (lib.mkIf (!p) no) @@ -1356,141 +1340,110 @@ Lastly, in the =perSystem= attribute set, we see that it is actually passed some }; }; - devshells = { - deploy = - let - nix-version = "2_28"; - in { - packages = [ - (builtins.trace "alarm: pinned nix_${nix-version}" pkgs.stable25_05.nixVersions."nix_${nix-version}") - pkgs.git - pkgs.just - pkgs.age - pkgs.ssh-to-age - pkgs.sops - ]; + devshells.default = let + nix-version = "2_30"; + in { + packages = [ + (builtins.trace "alarm: pinned nix_${nix-version}" pkgs.nixVersions."nix_${nix-version}") + pkgs.git + pkgs.just + pkgs.age + pkgs.ssh-to-age + pkgs.sops + pkgs.nixpkgs-fmt + self.packages.${system}.swarsel-build + self.packages.${system}.swarsel-deploy + (pkgs.symlinkJoin { + name = "home-manager"; + buildInputs = [ pkgs.makeWrapper ]; + paths = [ pkgs.home-manager ]; + postBuild = '' + wrapProgram $out/bin/home-manager \ + --append-flags '--flake .#$(hostname)' + ''; + }) + ]; - env = - [ - { - name = "NIX_CONFIG"; - value = '' - plugin-files = ${pkgs.stable25_05.nix-plugins.overrideAttrs (o: { - buildInputs = [pkgs.stable25_05.nixVersions."nix_${nix-version}" pkgs.stable25_05.boost]; - patches = (o.patches or []) ++ [./nix-plugins.patch]; - })}/lib/nix/plugins - extra-builtins-file = ${self + /nix/extra-builtins.nix} - ''; - } - ]; - }; - default = - let - nix-version = "2_30"; - in + commands = [ { - packages = [ - (builtins.trace "alarm: pinned nix_${nix-version}" pkgs.nixVersions."nix_${nix-version}") - pkgs.git - pkgs.just - pkgs.age - pkgs.ssh-to-age - pkgs.sops - pkgs.nixpkgs-fmt - self.packages.${system}.swarsel-build - self.packages.${system}.swarsel-deploy - (pkgs.symlinkJoin { - name = "home-manager"; - buildInputs = [ pkgs.makeWrapper ]; - paths = [ pkgs.home-manager ]; - postBuild = '' - wrapProgram $out/bin/home-manager \ - --append-flags '--flake .#$(hostname)' - ''; - }) - ]; + package = pkgs.statix; + help = "Lint flake"; + } + { + package = pkgs.deadnix; + help = "Check flake for dead code"; + } + { + package = pkgs.nix-tree; + help = "Interactively browse dependency graphs of Nix derivations"; + } + { + package = pkgs.nvd; + help = "Diff two nix toplevels and show which packages were upgraded"; + } + { + package = pkgs.nix-diff; + help = "Explain why two Nix derivations differ"; + } + { + package = pkgs.nix-output-monitor; + help = "Nix Output Monitor (a drop-in alternative for `nix` which shows a build graph)"; + name = "nom \"$@\""; + } + { + name = "hm"; + help = "Manage home-manager config"; + command = "home-manager \"$@\""; + } + { + name = "fmt"; + help = "Format flake"; + command = "nixpkgs-fmt --check \"$FLAKE\""; + } + { + name = "sd"; + help = "Build and deploy this nix config to nodes"; + command = "swarsel-deploy \"$@\""; + } + { + name = "sl"; + help = "Build and deploy a config to nodes"; + command = "swarsel-deploy \${1} switch"; + } + { + name = "sw"; + help = "Build and switch to the host's config locally"; + command = "swarsel-deploy $(hostname) switch"; + } + { + name = "bld"; + help = "Build a number of configurations"; + command = "swarsel-build \"$@\""; + } + { + name = "c"; + help = "Work with the flake git repository"; + command = "git --git-dir=$FLAKE/.git --work-tree=$FLAKE/ \"$@\""; + } + ]; - commands = [ - { - package = pkgs.statix; - help = "Lint flake"; - } - { - package = pkgs.deadnix; - help = "Check flake for dead code"; - } - { - package = pkgs.nix-tree; - help = "Interactively browse dependency graphs of Nix derivations"; - } - { - package = pkgs.nvd; - help = "Diff two nix toplevels and show which packages were upgraded"; - } - { - package = pkgs.nix-diff; - help = "Explain why two Nix derivations differ"; - } - { - package = pkgs.nix-output-monitor; - help = "Nix Output Monitor (a drop-in alternative for `nix` which shows a build graph)"; - name = "nom \"$@\""; - } - { - name = "hm"; - help = "Manage home-manager config"; - command = "home-manager \"$@\""; - } - { - name = "fmt"; - help = "Format flake"; - command = "nixpkgs-fmt --check \"$FLAKE\""; - } - { - name = "sd"; - help = "Build and deploy this nix config to nodes"; - command = "swarsel-deploy \"$@\""; - } - { - name = "sl"; - help = "Build and deploy a config to nodes"; - command = "swarsel-deploy \${1} switch"; - } - { - name = "sw"; - help = "Build and switch to the host's config locally"; - command = "swarsel-deploy $(hostname) switch"; - } - { - name = "bld"; - help = "Build a number of configurations"; - command = "swarsel-build \"$@\""; - } - { - name = "c"; - help = "Work with the flake git repository"; - command = "git --git-dir=$FLAKE/.git --work-tree=$FLAKE/ \"$@\""; - } - ]; + devshell.startup.pre-commit-install.text = "pre-commit install"; - devshell.startup.pre-commit-install.text = "pre-commit install"; - - env = - let - nix-plugins = pkgs.nix-plugins.override { - nixComponents = pkgs.nixVersions."nixComponents_${nix-version}"; - }; - in - [ - { - name = "NIX_CONFIG"; - value = '' - plugin-files = ${nix-plugins}/lib/nix/plugins - extra-builtins-file = ${self + /nix/extra-builtins.nix} - ''; - } - ]; + env = let + nix-plugins = pkgs.nix-plugins.override { + nixComponents = pkgs.nixVersions."nixComponents_${nix-version}"; }; + in [ + { + # Additionally configure nix-plugins with our extra builtins file. + # We need this for our repo secrets. + name = "NIX_CONFIG"; + value = '' + plugin-files = ${nix-plugins}/lib/nix/plugins + extra-builtins-file = ${self + /nix/extra-builtins.nix} + ''; + } + ]; }; }; } @@ -2549,11 +2502,7 @@ This is my main server that I run at home. It handles most tasks that require bi loader.efi.canTouchEfiVariables = true; }; - # globals.hosts.${config.node.name}.ipv4 = config.repo.secrets.local.ipv4; - # globals.networks.home.hosts.${config.node.name} = { - # ipv4 = config.repo.secrets.local.home-ipv4; - # mac = config.repo.secrets.local.home-mac; - # }; + globals.hosts.${config.node.name}.ipv4 = config.repo.secrets.local.ipv4; networking = { inherit (config.repo.secrets.local) hostId; @@ -2693,6 +2642,8 @@ This is my main server that I run at home. It handles most tasks that require bi loader.efi.canTouchEfiVariables = true; }; + # globals.hosts.${config.node.name}.ipv4 = config.repo.secrets.local.ipv4; + networking = { inherit (config.repo.secrets.local) hostId; hostName = configName; @@ -2973,191 +2924,6 @@ This is my main server that I run at home. It handles most tasks that require bi #+end_src -**** Hintbooth (Router: HUNSN RM02) - -***** Main Configuration -#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/hintbooth/default.nix - { lib, minimal, ... }: - { - - imports = [ - ./hardware-configuration.nix - ./disk-config.nix - ]; - - swarselsystems = { - info = "HUNSN RM02, 8GB RAM"; - flakePath = "/root/.dotfiles"; - isImpermanence = true; - isSecureBoot = true; - isCrypted = true; - isBtrfs = true; - isLinux = true; - isNixos = true; - rootDisk = "/dev/sda"; - swapSize = "8G"; - }; - - } // lib.optionalAttrs (!minimal) { - - swarselprofiles = { - server = true; - router = false; - }; - - } - -#+end_src - -***** hardware-configuration -#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/hintbooth/hardware-configuration.nix - { config, lib, modulesPath, ... }: - - { - imports = - [ - (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot = { - initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ]; - initrd.kernelModules = [ ]; - extraModulePackages = [ ]; - }; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; - } -#+end_src -***** disko - -#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/hintbooth/disk-config.nix - { lib, config, ... }: - let - type = "btrfs"; - extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite - subvolumes = { - "/root" = { - mountpoint = "/"; - mountOptions = [ - "subvol=root" - "compress=zstd" - "noatime" - ]; - }; - "/home" = lib.mkIf config.swarselsystems.isImpermanence { - mountpoint = "/home"; - mountOptions = [ - "subvol=home" - "compress=zstd" - "noatime" - ]; - }; - "/persist" = lib.mkIf config.swarselsystems.isImpermanence { - mountpoint = "/persist"; - mountOptions = [ - "subvol=persist" - "compress=zstd" - "noatime" - ]; - }; - "/log" = lib.mkIf config.swarselsystems.isImpermanence { - mountpoint = "/var/log"; - mountOptions = [ - "subvol=log" - "compress=zstd" - "noatime" - ]; - }; - "/nix" = { - mountpoint = "/nix"; - mountOptions = [ - "subvol=nix" - "compress=zstd" - "noatime" - ]; - }; - "/swap" = lib.mkIf config.swarselsystems.isSwap { - mountpoint = "/.swapvol"; - swap.swapfile.size = config.swarselsystems.swapSize; - }; - }; - in - { - disko.devices = { - disk = { - disk0 = { - type = "disk"; - device = config.swarselsystems.rootDisk; - content = { - type = "gpt"; - partitions = { - ESP = { - priority = 1; - name = "ESP"; - size = "512M"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - mountOptions = [ "defaults" ]; - }; - }; - root = lib.mkIf (!config.swarselsystems.isCrypted) { - size = "100%"; - content = { - inherit type subvolumes extraArgs; - postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' - MNTPOINT=$(mktemp -d) - mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5 - trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT - btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank - ''; - }; - }; - luks = lib.mkIf config.swarselsystems.isCrypted { - size = "100%"; - content = { - type = "luks"; - name = "cryptroot"; - passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh - settings = { - allowDiscards = true; - # https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36 - crypttabExtraOpts = [ - "fido2-device=auto" - "token-timeout=10" - ]; - }; - content = { - inherit type subvolumes extraArgs; - postCreateHook = lib.mkIf config.swarselsystems.isImpermanence '' - MNTPOINT=$(mktemp -d) - mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5 - trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT - btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank - ''; - }; - }; - }; - }; - }; - }; - }; - }; - - fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; - fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true; - } -#+end_src **** machpizza (MacBook Pro) :PROPERTIES: :CUSTOM_ID: h:28e1a7eb-356b-4015-83f7-9c552c8c0e9d @@ -4040,32 +3806,36 @@ TODO: cleanup this mess { self, config, pkgs, lib, ... }: let pubKeys = lib.filesystem.listFilesRecursive "${self}/secrets/keys/ssh"; - stateVersion = lib.mkDefault "23.05"; - homeFiles = { + in + { + + config = { + home-manager.users.root.home = { + stateVersion = "23.05"; + file = { ".bash_history" = { text = '' swarsel-install -n hotel ''; }; }; - in - { - - config = { - home-manager.users.root.home = { - inherit stateVersion; - file = homeFiles; }; home-manager.users.swarsel = { home = { username = "swarsel"; homeDirectory = lib.mkDefault "/home/swarsel"; - inherit stateVersion; + stateVersion = lib.mkDefault "23.05"; keyboard.layout = "us"; sessionVariables = { FLAKE = "/home/swarsel/.dotfiles"; }; - file = homeFiles; + file = { + ".bash_history" = { + text = '' + swarsel-install -n hotel + ''; + }; + }; }; }; @@ -4083,6 +3853,10 @@ TODO: cleanup this mess nix = { channel.enable = false; package = pkgs.nixVersions.nix_2_28; + # extraOptions = '' + # plugin-files = ${pkgs.dev.nix-plugins}/lib/nix/plugins + # extra-builtins-file = ${../nix/extra-builtins.nix} + # ''; extraOptions = '' plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: { buildInputs = [config.nix.package pkgs.boost]; @@ -4134,7 +3908,6 @@ TODO: cleanup this mess environment.etc."issue".text = '' ~SwarselSystems~ IP of primary interface: \4 - These IPs were also found: \4{eth0} \4{eth1} \4{eth2} \4{eth3} \4{wlan0} The Password for all users & root is 'setup'. Install the system remotely by running 'bootstrap -n -d ' on a machine with deployed secrets. Alternatively, run 'swarsel-install -n ' for a local install. For your convenience, an example call is in the bash history (press up on the keyboard to access). @@ -4145,7 +3918,6 @@ TODO: cleanup this mess wireless.enable = false; # dhcpcd.runHook = "${pkgs.utillinux}/bin/agetty --reload"; networkmanager.enable = true; - usePredictableInterfaceNames = false; }; services.getty.autologinUser = lib.mkForce "root"; @@ -4172,8 +3944,6 @@ TODO: cleanup this mess programs.bash.shellAliases = { "swarsel-install" = "nix run github:Swarsel/.dotfiles#swarsel-install --"; - "swarsel-net-manufacturer" = "lspci -nn | grep -i 'network\|ethernet'"; - "swarsel-kernel-module" = "lspci -k -d"; }; system.activationScripts.cache = { @@ -4562,91 +4332,6 @@ in mkOption types ; - - networkOptions = netSubmod: { - cidrv4 = mkOption { - type = types.nullOr types.net.cidrv4; - description = "The CIDRv4 of this network"; - default = null; - }; - - subnetMask4 = mkOption { - type = types.nullOr types.net.cidrv4; - description = "The dotted decimal form of the subnet mask of this network"; - readOnly = true; - default = lib.swarselsystems.cidrToSubnetMask netSubmod.cidrv4; - }; - - cidrv6 = mkOption { - type = types.nullOr types.net.cidrv6; - description = "The CIDRv6 of this network"; - default = null; - }; - - hosts = mkOption { - default = { }; - type = types.attrsOf ( - types.submodule (hostSubmod: { - options = { - id = mkOption { - type = types.int; - description = "The id of this host in the network"; - }; - - mac = mkOption { - type = types.nullOr types.net.mac; - description = "The MAC of the interface on this host that belongs to this network."; - default = null; - }; - - ipv4 = mkOption { - type = types.nullOr types.net.ipv4; - description = "The IPv4 of this host in this network"; - readOnly = true; - default = - if netSubmod.config.cidrv4 == null then - null - else - lib.net.cidr.host hostSubmod.config.id netSubmod.config.cidrv4; - }; - - ipv6 = mkOption { - type = types.nullOr types.net.ipv6; - description = "The IPv6 of this host in this network"; - readOnly = true; - default = - if netSubmod.config.cidrv6 == null then - null - else - lib.net.cidr.host hostSubmod.config.id netSubmod.config.cidrv6; - }; - - cidrv4 = mkOption { - type = types.nullOr types.str; # FIXME: this is not types.net.cidr because it would zero out the host part - description = "The IPv4 of this host in this network, including CIDR mask"; - readOnly = true; - default = - if netSubmod.config.cidrv4 == null then - null - else - lib.net.cidr.hostCidr hostSubmod.config.id netSubmod.config.cidrv4; - }; - - cidrv6 = mkOption { - type = types.nullOr types.str; # FIXME: this is not types.net.cidr because it would zero out the host part - description = "The IPv6 of this host in this network, including CIDR mask"; - readOnly = true; - default = - if netSubmod.config.cidrv6 == null then - null - else - lib.net.cidr.hostCidr hostSubmod.config.id netSubmod.config.cidrv6; - }; - }; - }) - ); - }; - }; in { options = { @@ -4682,44 +4367,12 @@ in ); }; - networks = mkOption { - default = { }; - type = types.attrsOf ( - types.submodule (netSubmod: { - options = networkOptions netSubmod // { - vlans = mkOption { - default = { }; - type = types.attrsOf ( - types.submodule (vlanNetSubmod: { - options = networkOptions vlanNetSubmod // { - id = mkOption { - type = types.ints.between 1 4094; - description = "The VLAN id"; - }; - - name = mkOption { - description = "The name of this VLAN"; - default = vlanNetSubmod.config._module.args.name; - type = types.str; - }; - }; - }) - ); - }; - }; - }) - ); - }; - hosts = mkOption { type = types.attrsOf ( types.submodule { options = { - defaultGateway4 = mkOption { - type = types.nullOr types.net.ipv4; - }; - defaultGateway6 = mkOption { - type = types.nullOr types.net.ipv6; + ipv4 = mkOption { + type = types.str; }; }; } @@ -5148,7 +4801,7 @@ This is also exposed to home-manager configurations, in case this ever breaks, I #+begin_src nix-ts :tangle modules/nixos/common/pii.nix # largely based on https://github.com/oddlama/nix-config/blob/main/modules/secrets.nix - { config, inputs, lib, ... }: + { config, inputs, lib, minimal, ... }: let # If the given expression is a bare set, it will be wrapped in a function, # so that the imported file can always be applied to the inputs, similar to @@ -5214,7 +4867,7 @@ This is also exposed to home-manager configurations, in case this ever breaks, I let local = config.node.secretsDir + "/pii.nix.enc"; in - (lib.optionalAttrs (lib.pathExists local) { inherit local; }) // lib.optionalAttrs true { + (lib.optionalAttrs (lib.pathExists local && !minimal) { inherit local; }) // lib.optionalAttrs (!minimal) { common = ../../../secrets/repo/pii.nix.enc; }; }; @@ -7257,162 +6910,6 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t } #+end_src -**** Network settings - - -#+begin_src nix-ts :tangle modules/nixos/server/network.nix - { lib, config, ... }: - { - options.swarselmodules.server.network = lib.mkEnableOption "enable server network config"; - config = lib.mkIf config.swarselmodules.server.network { - - globals.networks.home.hosts.${config.node.name} = { - inherit (config.repo.secrets.local.networking.networks.home) id; - mac = config.repo.secrets.local.networking.networks.home.mac or null; - }; - - globals.hosts.${config.node.name} = { - inherit (config.repo.secrets.local.networking) defaultGateway4; - }; - - networking = { - inherit (config.repo.secrets.local.networking) hostId; - hostName = config.node.name; - nftables.enable = lib.mkDefault true; - enableIPv6 = lib.mkDefault true; - firewall = { - enable = lib.mkDefault true; - }; - }; - - }; - } -#+end_src - -**** Disk encryption - -The hostkey can be generated with =ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key=. -Use =lspci -v | grep -iA8 'network\|ethernet'= to supposedly find out which kernel module is needed for networking in initrd. However I prefer a different approach: - -Use =lspci -nn | grep -i network= to find out manufacturer info: - -#+begin_src shell :exports both -lspci -nn | grep -i 'network\|ethernet' -#+end_src - -#+RESULTS: -: 04:00.0 Network controller [0280]: MEDIATEK Corp. MT7922 802.11ax PCI Express Wireless Network Adapter [14c3:0616] - -From the last bracket, then take the first value to find out the correct kernel module: - -#+begin_src shell :exports both -lspci -k -d 14c3: -#+end_src - -#+RESULTS: -| 04:00.0 | Network | controller: | MEDIATEK | Corp. | MT7922 | 802.11ax | PCI | Express | Wireless | Network | Adapter | -| | Subsystem: | MEDIATEK | Corp. | Device | e616 | | | | | | | -| | Kernel | driver | in | use: | mt7921e | | | | | | | -| | Kernel | modules: | mt7921e | | | | | | | | | - -#+begin_src nix-ts :tangle modules/nixos/server/disk-encrypt.nix - { self, lib, config, globals, ... }: - let - localIp = globals.networks.home.hosts.${config.node.name}.ipv4; - subnetMask = globals.networks.home.subnetMask4; - gatewayIp = globals.hosts.${config.node.name}.defaultGateway4; - in - { - options.swarselmodules.server.diskEncryption = lib.mkEnableOption "enable disk encryption config"; - config = lib.mkIf (config.swarselmodules.server.diskEncryption && config.swarselsystems.isCrypted) { - - boot.kernelParams = lib.mkIf (!config.swarselsystems.isLaptop) [ "ip=${localIp}::${gatewayIp}:${subnetMask}:${config.networking.hostName}::none" ]; - boot.initrd = { - availableKernelModules = [ "r8169" ]; - network = { - enable = true; - udhcpc.enable = lib.mkIf config.swarselsystems.isLaptop true; - flushBeforeStage2 = true; - ssh = { - enable = true; - port = 22; - authorizedKeyFiles = [ - (self + /secrets/keys/ssh/yubikey.pub) - (self + /secrets/keys/ssh/magicant.pub) - ]; - hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ]; - }; - postCommands = '' - echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' >> /root/.profile - ''; - }; - }; - - }; - } -#+end_src - -**** Router - -#+begin_src nix-ts :tangle modules/nixos/server/router.nix - { lib, config, ... }: - let - serviceName = "router"; - in - { - options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; - config = lib.mkIf config.swarselmodules.server.${serviceName} { - - systemd.network = { - wait-online.anyInterface = true; - networks = { - "30-lan0" = { - matchConfig.Name = "lan0"; - linkConfig.RequiredForOnline = "enslaved"; - networkConfig = { - ConfigureWithoutCarrier = true; - }; - }; - "30-lan1" = { - matchConfig.Name = "lan1"; - linkConfig.RequiredForOnline = "enslaved"; - networkConfig = { - ConfigureWithoutCarrier = true; - }; - }; - "30-lan2" = { - matchConfig.Name = "lan2"; - linkConfig.RequiredForOnline = "enslaved"; - networkConfig = { - ConfigureWithoutCarrier = true; - }; - }; - "30-lan3" = { - matchConfig.Name = "lan3"; - linkConfig.RequiredForOnline = "enslaved"; - networkConfig = { - ConfigureWithoutCarrier = true; - }; - }; - "10-wan" = { - matchConfig.Name = "wan"; - networkConfig = { - # start a DHCP Client for IPv4 Addressing/Routing - DHCP = "ipv4"; - DNSOverTLS = true; - DNSSEC = true; - IPv6PrivacyExtensions = false; - IPForward = true; - }; - # make routing on this interface a dependency for network-online.target - linkConfig.RequiredForOnline = "routable"; - }; - }; - }; - }; - } -#+end_src - **** kavita :PROPERTIES: :CUSTOM_ID: h:d33f5982-dfe6-42d0-9cf2-2cd8c7b04295 @@ -7427,7 +6924,7 @@ lspci -k -d 14c3: serviceName = "kavita"; serviceUser = "kavita"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + serviceAddress = globals.hosts.winters.ipv4; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; @@ -7499,7 +6996,7 @@ lspci -k -d 14c3: serviceName = "jellyfin"; serviceUser = "jellyfin"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + serviceAddress = globals.hosts.winters.ipv4; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; @@ -7571,7 +7068,7 @@ lspci -k -d 14c3: serviceUser = "navidrome"; serviceGroup = serviceUser; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + serviceAddress = globals.hosts.winters.ipv4; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; @@ -7925,7 +7422,7 @@ lspci -k -d 14c3: serviceName = "matrix"; serviceDomain = config.repo.secrets.common.services.domains.matrix; serviceUser = "matrix-synapse"; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + serviceAddress = globals.hosts.winters.ipv4; federationPort = 8448; whatsappPort = 29318; @@ -8283,7 +7780,7 @@ lspci -k -d 14c3: serviceGroup = serviceUser; serviceName = "nextcloud"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + serviceAddress = globals.hosts.winters.ipv4; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; @@ -8363,7 +7860,7 @@ lspci -k -d 14c3: serviceUser = "immich"; serviceName = "immich"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + serviceAddress = globals.hosts.winters.ipv4; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; @@ -8448,7 +7945,7 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml= serviceGroup = serviceUser; serviceName = "paperless"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + serviceAddress = globals.hosts.winters.ipv4; tikaPort = 9998; gotenbergPort = 3002; @@ -8776,7 +8273,7 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml= serviceUser = "syncthing"; serviceGroup = serviceUser; serviceName = "syncthing"; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + serviceAddress = globals.hosts.winters.ipv4; specificServiceName = "syncthing-${configName}"; cfg = config.services.${serviceName}; @@ -9002,7 +8499,7 @@ This section exposes several metrics that I use to check the health of my server serviceGroup = serviceUser; serviceName = "grafana"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + serviceAddress = globals.hosts.winters.ipv4; prometheusPort = 9090; prometheusUser = "prometheus"; @@ -9256,7 +8753,7 @@ This is a WIP Jenkins instance. It is used to automatically build a new system w servicePort = 8088; serviceName = "jenkins"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + serviceAddress = globals.hosts.winters.ipv4; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; @@ -9351,7 +8848,7 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with serviceUser = "freshrss"; serviceGroup = serviceName; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + serviceAddress = globals.hosts.winters.ipv4; inherit (config.swarselsystems) sopsFile; in @@ -9467,7 +8964,7 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with serviceGroup = serviceUser; serviceName = "forgejo"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + serviceAddress = globals.hosts.winters.ipv4; kanidmDomain = globals.services.kanidm.domain; in @@ -9631,7 +9128,7 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with servicePort = 27701; serviceName = "ankisync"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + serviceAddress = globals.hosts.winters.ipv4; ankiUser = globals.user.name; in @@ -9716,7 +9213,7 @@ To get other URLs (token, etc.), use https:///oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid//oauth2/openid/.useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; -} diff --git a/hosts/nixos/x86_64-linux/hintbooth/secrets/pii.nix.enc b/hosts/nixos/x86_64-linux/hintbooth/secrets/pii.nix.enc deleted file mode 100644 index e9aa129..0000000 --- a/hosts/nixos/x86_64-linux/hintbooth/secrets/pii.nix.enc +++ /dev/null @@ -1,16 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:dXhWlutdXYLxq7pAWK77lK1mz1y/lh0nl4mHa/jf4ABaQxkB9or1/ceEGwzUoFZAP+EmCuz35UpGYuT4jdti/BPDFsg3273NjVxfPBdV3Mr75FpEG56tMZKafUwARtwsBGQcIduPUgymOxKxUzy5YJokbdFThAa9Y25OFKDwOtN33NSG5QT8tEtBOFzeUx5K+9Kt1YDFCgl8dOOFtA==,iv:wZ1VY7IcK2dFjgrGZrUg+Oz3id8DZKzVgPMkjBrp1GE=,tag:F0SH8w32ec09P3NaMLcuTA==,type:str]", - "sops": { - "lastmodified": "2025-11-09T23:30:30Z", - "mac": "ENC[AES256_GCM,data:odBcMskVn/ag12j/sDxqD7/8q3GD+LPfoRQ4UcwiFAdRWIRyLKdG3HUJzt1yEVQnpvaHHOq3QmGC34FPA+GT6zw6TC9EacibmigX5uT+n6hYdVgXy97T/nD9ITtq6gVy8VjWugKpqMwTDta1HV037DKTf7LDmrTUaFhzFmtzNyA=,iv:CjkjUwCzACzuUI/TceDeopRsT9xiIZxciGq7UeBEVTw=,tag:ySF9Dxha7it2F2g81NZ+EQ==,type:str]", - "pgp": [ - { - "created_at": "2025-11-09T11:20:20Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTARAAgiGGUn4Dhw6aB34J+332lw/CMPnZb3apThxgKjAVLKDz\neEeG+iD3iOJ3m+xg0KhgV5m2nykw0LXcXlErNIxnBmPm91DiQuW2Nzgz2J9FYF+J\nMHZ65JG+9nEt6dUplEKTBS492hiKrfD6a3BR/WFy9qrv0uY8DutAeUbkXVXqY+Sn\nxTTu2DK9Yy6lps2gmaZ1nJwLffaILyZuwYqMKtv1d1tEQFsBbkwh1chj0857nldD\n4t+bDYpMa1eFBQ/vi4YfMrw19Qq0xEWo7nKdT/pj8qAW9c4D7pHf7rm4t0T+H3tN\nfk1dJKuZuITXRrIth1zhq5bLepsIWtk/hG9fNKPbYj+xThhbCWEpH18FVVJsPCtv\nksZ3i70uz6FvyMYxyNANTMIxVa+SI+dhx6bCGQ/I9xFxK2Yju/yL6Gt4av3GhyjK\ncd8B5AlIKzxDvhWBMakjf+R/I63a7AlI9QliZhEFrpNOdcBu78ZvtKKplJ6fG8SZ\nExCFFf/qtqHtM0rvl8wyyVntD2r9WLKwDF7+tlygxbexqCaVs8CPtuiswOEGldc3\nZkG+zYsXSvBmyyfwrVYoIKRjJ1QiYys+EE5OdfI9kZ/I+kByiwr6PRHDnIkuc7jj\n8odeSq/KVMwS3d0u3c6qTPWbnSvAa6KM91dnMaXb0ws/B0eNE22USNk//KVfdKKF\nAgwDC9FRLmchgYQBD/99q4jpY7LnuV12/KxqZvbSHkBlO3HlBDYfmAYUn1gYS83T\ni+eGlWqHlXAwaqDnz5hGKe/yHRBVZjUO8Ic61ujHH28dPC++hMDkfq9sBH9mXeXA\nfovVEQJOiF65K40Lel9FAa9E5yjGSvcocqBrsh4usS6jTrFJmnat4poCnJDG+Ova\n7S2kD2FEwQxRRFlWX8I7nsmdxgATIIVhLgvCImJKAb2GEBmXx/Vpj6UTG5H+dvtP\niYtHxq0QOpeR47wNc5nUTaHTP0Lsj9hB4SS7rTdKHptXEtHCEznM7SEarNCt+MQY\nQd5O/x3cItJKADxV2JO2XPL96hqlX/e6+CWcsW89nAbuIID651b7ZWBw19F+62dt\nxlVrehcsYWLz+GuGBYysx+/0EVuZ422AEi/v9ft5YdigXrxq0ddJKRtFvcQFMh0G\n2w12fADrzX2ExzTWWc7FIwBmCr5XcwLVtmwU2bOD8mX36B7UPybBDsZ5J7/fr3TP\nYIz5ApQI5ewNsBhVoyJxSJQ6IoEBC5udrGNBMKOgZEYW+1MTWPojDU9eIg0Mew1D\n7PkXYEDrHBUccbaePLViUPcEeGkE7gB/FAWsIIfjRFzR8GDJpf/RnEK7G4mvPrIw\nlH8ARzgA93gtGOyx0DVOg+zIeplbARgZoIhyX3QCpsOTPz/CmBZIwMikRZfag9Je\nAfBikUXA2MBcIDAocQAKFILnFLyY7qgNKhvqhiCc+j04GmP7mjtAiZXP7lyUauRM\nt2PUcec90jfk0wsT1DXfeJKuWVa1hkv4/2Ejz5/PXa6ZQbrmBtZG9ZIDk2VveQ==\n=k0BA\n-----END PGP MESSAGE-----", - "fp": "4BE7925262289B476DBBC17B76FD3810215AE097" - } - ], - "unencrypted_suffix": "_unencrypted", - "version": "3.11.0" - } -} diff --git a/hosts/nixos/x86_64-linux/summers/default.nix b/hosts/nixos/x86_64-linux/summers/default.nix index 3b6051b..43c4b49 100644 --- a/hosts/nixos/x86_64-linux/summers/default.nix +++ b/hosts/nixos/x86_64-linux/summers/default.nix @@ -11,6 +11,8 @@ loader.efi.canTouchEfiVariables = true; }; + # globals.hosts.${config.node.name}.ipv4 = config.repo.secrets.local.ipv4; + networking = { inherit (config.repo.secrets.local) hostId; hostName = configName; diff --git a/hosts/nixos/x86_64-linux/summers/secrets/pii.nix.enc b/hosts/nixos/x86_64-linux/summers/secrets/pii.nix.enc index 6f72187..dae95ff 100644 --- a/hosts/nixos/x86_64-linux/summers/secrets/pii.nix.enc +++ b/hosts/nixos/x86_64-linux/summers/secrets/pii.nix.enc @@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data:PFtZdHoWzYmrHio52kBZ7LDthUI+qAPBfCqkY/ubTIwVJoaZixXbuzJdJuA84YH5YBZ/umTYG/9Ocs4hNbCYoPcG6VdreIcqwVxD6PgCEtqtTK0qxOfBqdIXQ1Gl2EzyMuxQm3pFFEx1zzueJ3KvdZEZRtzvytLlw/pKkETLECAxqAoZ5fSVApzIczGI053046v7ItdulGLOZGc=,iv:0EhqmcDH8yFC78H2tuhGbu49ZzVaMtdvf/7XuNU9hyo=,tag:/8rHZKR6CLH7HNAaK5EDOg==,type:str]", + "data": "ENC[AES256_GCM,data:XTHUIhn7yVn2/EvZBSg1v+EU154Kj0hgvHbUdpnc2W4U+0UNBlqxRvVxw8XFm8uo1en2hXoS,iv:XeEzWY0UB/QqbxoIQJEOkWlaU5nyETl0Aki7iyRq/Y8=,tag:rcNiCc5a6+wLYAzX1pMxxQ==,type:str]", "sops": { "age": [ { @@ -11,8 +11,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNeGtTZ0ZSV0trWlQrS2dV\nSFo0dytGYXhRTjl6cDZrUU0wZ1IybDVRaFZrCmZmRmxJNmdwS0xodHdEOGU4bldU\nR1JScHAvZHhlVTBJbWExb0VpR0h2MXMKLS0tIDYwQmZpMjdYRmpBeXFNOXArN0h5\nVGN1THljeCtVV0hXenMyRVJkMjlHNEEKm+yZTT48nYr3H0Bd1OKw/CYk1kwnrBzk\nTgSQHsGXhmOyDag9cSZ4wAOmqtqSjA9bouFBuhl2lSbgpjnarvFaXQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-11-09T23:30:06Z", - "mac": "ENC[AES256_GCM,data:/af6vMgOLZ6bqLdwhmCg9lX+S1afi3HoKeVhrEgxtjrob3IIHMoD2YqP+PhXazGTyArBPEHxojZ9ew8SqedosID61nE8H45gMV6jz8g4hF9sm7c5CRavEk7Lgy4kO4Xw6LyUEO379RUa3OOrhKrOI2+zWf+NkCQf8Hy79Cc56Ds=,iv:BDuCygDtMYdYfd8p3xZSNN4ZaFiN9WbNRD+3LSluwlY=,tag:+S01XGwLZcCa9c8IDDjjGg==,type:str]", + "lastmodified": "2025-11-06T11:16:16Z", + "mac": "ENC[AES256_GCM,data:rBE1qTiaLme63i23YL16qmDE6rcKaxwWwzzqgsv4SmKCBJonjiyUc4DyRU8JuCbTx6K9+4VtERJzTLlbXhvjXl27LRQtfbNSBXBIyTgdSz0Fo46lDdVUMFSdPDbU97XAx9P3eu425aspkJYxffOJ2lvqinAVuw9U6oBpot5jVaw=,iv:N3mp0DY80UVGa4Vf4ya+5B/9w8iTihAyg/XgStgtHAo=,tag:tKjnbFm0yFddj759OK5Mdw==,type:str]", "pgp": [ { "created_at": "2025-08-24T23:36:17Z", diff --git a/hosts/nixos/x86_64-linux/winters/default.nix b/hosts/nixos/x86_64-linux/winters/default.nix index c50b4a7..cbe391e 100644 --- a/hosts/nixos/x86_64-linux/winters/default.nix +++ b/hosts/nixos/x86_64-linux/winters/default.nix @@ -10,11 +10,7 @@ loader.efi.canTouchEfiVariables = true; }; - # globals.hosts.${config.node.name}.ipv4 = config.repo.secrets.local.ipv4; - # globals.networks.home.hosts.${config.node.name} = { - # ipv4 = config.repo.secrets.local.home-ipv4; - # mac = config.repo.secrets.local.home-mac; - # }; + globals.hosts.${config.node.name}.ipv4 = config.repo.secrets.local.ipv4; networking = { inherit (config.repo.secrets.local) hostId; diff --git a/hosts/nixos/x86_64-linux/winters/secrets/pii.nix.enc b/hosts/nixos/x86_64-linux/winters/secrets/pii.nix.enc index cdcc63e..053a465 100644 --- a/hosts/nixos/x86_64-linux/winters/secrets/pii.nix.enc +++ b/hosts/nixos/x86_64-linux/winters/secrets/pii.nix.enc @@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data:4SiiMDgtS3KPoG/fuYnfzaxVycaQsSycTODMQQS9a4ICcZFY21LdKCRQs8N908ndBrdjMIHMhG6LDI1RVRs6m5EBZLYho3dzvf3YlpztnypaGrAkXfTnCuvP15vvAOgHnJYF3PQ41XcKoQ9yKRJGv3E/1lt2bkGkZsH43aDizz/BfRXpKKOezLkzumi6IYiwrVrdPHf0yQj7qeMBfPi9WBicf+/daonOOssa1JMqZ8B+Uy8tG0qi6JlL2eQa18njDfV7rcmGyQGUYBkVoc2E+YYrAUbB7KDYSwe3Gqzo75Ls6IjH8O0KemYnqPbOIPrlrAsGPen+ZAT6tdCQ9QCNwXlGLERRidVcSWjjk32VthlLzXGrhXoChidwui7ff8SwUXIf9OyV1E4wREdPJPBkOBVKOhaCEZfEavREHRTlftmE0KHi6k4CXKi2HPvOvOt4HvHALSFJCKkmrn+8THv01niHS0X3iQfIJCzPpXFCkKVYB+2t/NOPeB6qJsI3+eLpd7jhU9p4q6Ny/OmSpYRFgqqF4TXg+npYQm7L1bqSkpRqbzfQmS9MdEl/h79K2x2GYBmTOAR6fs7c7kUFiXoxrP56Sh3sLyTuhzD3VGJ6HxHFlaIXAi3tZ9VObSCa3zpLWv7j6e3vNp01Z0O0UfJ5ZNNHOe+IIyUtEAA9ywLxU+uRuCsBe7PZeT95WpfDkiQVY3LPXxFr92dE4w6Ex6CZyneUF3wOwDqxVi+J2FXAJkYXDi6uE3kyBhn77FsaEVx5H/GxxsT8cFXEa6EjhQ0/eQTw7DYZ11urgN7iNDKrhh4oPnkI9HRrIaqbtaW3H8Rzx01/JkkfOdhiXHxYILm4W6YnLt0kTPI+nNgUEX2/H5h12xXPCF4isK6oHe+DExbP+5Ccz0AOEueNMn0LxH/zhG/f6k7sdOs05PIC0p56v1yRrhYtaVemFdfSWI4dgaXpygR5h2YtrGDHKq8vlsafIa8olrjbgMMpeXjrnpDSC8MgQ55wLHAEIVWPdKmr74704gGKz7PL6L0DAqh8YMTIHaOdf5h520qqiFm0bJWttrPhi0LvHlZUsumgGJ+MqQdRpxbnjo3q8rY0pwyVNxCHieKdchjdCeH9+xhoMpVvjwudrbsycyeF2Bm/TY5emoSTKWq8ucnkpTqXUpuRpi6kaqQRZIMoSR4BjsfGDcNrT+SWqjVnkOOx5EL7B0cJUt9QGaWeSsTj3JK7InnhfyKr44f4e0T2RHjwarZoW9OnPFJnwnsvUarQ5U8LRdRfY0H74XoMdfpZhlTgV1sS37MdKjgakQzVRY5ANA3H4VmaTeJxjPelSnve/Vtkp3SPIuhacfBkMCkoDGPqjR8nmJ1vZdqM9RlLyZcNnZxqsQHT0/wqHSAImfZiLiTHIpkBucYOvt1/OuFrnUTz8XtHFZU6f3tMTM5pCZS5/X2nA+LXiW7+uoIcYpowPb5iVfkFc0T/rSWbqqZoR+kAWFllGK+k9h8brlGyKdwBWF45xWmpl4CSwvngzKKW14f3Ljlf7NyrcUXOxHfrL3wzIoYMFcqNWLh6D4qPt3cqJDihYzF4GYu73VJhUK6sn2GqZ/XCttfBd5MfrvSqLv4iHmrYC3oXl0JS+J7LuZudWIJSEDGhv1ZUdUKahKWsfMvmmVnk28AczdE/rBiAJ+9POeRmGYJ743PSua0k+tBIUbdQ+xkuruenII4pK37yd5H0Ic4ATtcVg0Bg4se5JBXmEoHodO5t2Vg8gUXVI+Xc,iv:C/7cgdkpNmOIeb8cdYI0rbyxebJLgpqIU8ezO+zRqCA=,tag:NywhkBzKpQrJ3H7ZKxvYgQ==,type:str]", + "data": "ENC[AES256_GCM,data:i8kqmycc80NLcOirK7D20hxsWWFGNMx5d1SDueaSTmymvTb0rNMFiRoLf44c9Bc5yBySg9zRNCJ8lyc1SZH5YAqIYGN8y4nzOTxyPxT1R+Igtzm49sBdp1dK6MVCW1/xIsjDE/niV19l9LTptN7neCIEuDjB22bSMRhfVOxOiSwd2FKBeH61XACFLAz3AuVC4a+FhqsBkmLOAg7SIG0xdsyi2tjuTOCiMci9eQk8q9XkmLQC3z6vBaIBxPErkIG/fyhNBYt0Hv+37b/TFVbBL9qnGK369Ln9EUm0IarInaq9haxE18DkI5bzlJH5hw4JNjMGFz8av6rOJT5oW52yPor1RBodwUtP6YDQCQsdINIbjmAM9C0HGBY31nyy07fVT+QDcNydjT1fEXLSJTseO5E/MrRCVBioorBpG+5kBBQhRMihGeT8htVGVQpiJC7peARRfSQTUqjNH/esWTPCk0xPOXgApgPIbXBIJFj4RiH2erzN1PKPpuGZfuqbEr63VXCp6t0jttZKDEEjob1ZJMKfiqRubaz+ycg/sxFb1p+l9O21ihW8jM9huiBpVTc+mHU0ENTSstC4uB5LG6HMqV9vmqrKP4OM13vifggpQ6K9VRXebpI/t4tdRETcwWIMo/LRCmhGO4o0+1tNG+ayVDVmY/ORJu/Nrl61TtmUXxGc74Vd1sea+60LuqDHdIEs06thxFLSCVXaxa70gTlQIlVSEJBz9yaAMm7Iw4CSvLbYTXrRg6P/jIZx7rGSyC7I/kFMAPsa2KYxUUkBNd8zSoHyf8paxbgocb3yNcMtHIyNYiOXaLgr56DasJKsXTdjnuic6PLBCd9+U9o9R4wdBw4CGHZ3+3P+LexImkK9InVTm3QD9gyWtgDe66jrQMJxicixtx6hKvP0P0nmjhE6UjhfMMYV2Qu7vx1APhE62KF9y+axIlKju4kYkRhC9BHi2FuZUCFkPiPd/RRWzBTuChnKud9TWTixBtzpBI39/5e3i8f55hcG0XkUT+rMolq/hCObIczq7M2TVrZK4vUGByHXi1Vljk+K2tUZLVGq+Vpa7JUfmyp/qdUBG5FFXBBLUmAA0yjR+XxTtuZ4+M7JdgoYlzXEN8AbyBTEfVps4HJVPfwWMZaXEWqc7fwSVNlkRpIGSkbF8+tzBd0M66FtjbC9hs1P/SwwUr/ZTwJW0D8EXDUOJo2VCGpGtzHZpg5wd7qPTKL20fLVrpdfKIMeBrPtpCkv2YAzSXClAMQqMJ1DtrFr9WNeTAv0ROwkfnGIYwFpDnK3Xy3Z9V1HlZY3K/UYybzb43Dvtl0qWcSmXxKWLK0rqe3r4sWKA/gpOi8UIyCssAv5At0JO2e0yBJv7tXi+WGNZIBEy559EYdnfHty2KZTR5M/PiP5t1PMbuzUkee3voybnAioCZfGsh5Ln04ZihUHbtbxocM4yieaqBd7nryO81b1ZARoZKbASaGMc7y65pgsA1MiNnbtGIZUwlNyg1q3iZxdtkG6qgG2vCY9Z6JNXXl6RoBmbDbCaIzvid8OXvK8z0z4t0BpYQCFVb3/sEAqweUnQffstEFB,iv:+cS1MmSlZWLdRt5Ey31y6WrDAudgjHxsUbfCBUK0/Sg=,tag:byOqNWWPQmlrDWQO1tRRJQ==,type:str]", "sops": { "age": [ { @@ -11,8 +11,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNeGtTZ0ZSV0trWlQrS2dV\nSFo0dytGYXhRTjl6cDZrUU0wZ1IybDVRaFZrCmZmRmxJNmdwS0xodHdEOGU4bldU\nR1JScHAvZHhlVTBJbWExb0VpR0h2MXMKLS0tIDYwQmZpMjdYRmpBeXFNOXArN0h5\nVGN1THljeCtVV0hXenMyRVJkMjlHNEEKm+yZTT48nYr3H0Bd1OKw/CYk1kwnrBzk\nTgSQHsGXhmOyDag9cSZ4wAOmqtqSjA9bouFBuhl2lSbgpjnarvFaXQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-11-09T23:29:33Z", - "mac": "ENC[AES256_GCM,data:UU9a1Yg8Inmcht6gc2pTi3GpV945YAMdVN08Q2/yjg5850N3VhVcD0dsu/bn+4fOSvOiDtWzkoqq1PquRWJbfDjZJxl0aivU7UHN3st64nxIc/mKKZp7VwavMDTVDQScRlpaPZoC0zZ5CDQtBQisfY2AiDtfUVBKZLfuvI3Kjsc=,iv:RPcSwZHVlTo8laro1bCAaJT8KXXCtLHJk1iH4zaZbgk=,tag:qOhN4DNr+d1/34R6L78PLg==,type:str]", + "lastmodified": "2025-11-04T09:26:35Z", + "mac": "ENC[AES256_GCM,data:T8GqsMxfFB9s1EOeLHNzxoz23FCOnlNsBsbvMxiLq7a78xt5Xw3dVN/IWfkyiCDwfSjo+fVx2yEd5tP/B3fSN7S8WJNSe5ZywLpal/RlsCzv7ARvbVCaBx22S4az97JsR1qQUcGSvoiTH5e/0t2tBtimGJ1witbvbiGkTBp8taw=,iv:Qs26cjeMLtRhTDO91yfBo93wUKJ9zVfUbJ8o6myHGUo=,tag:FbT8emz6q1QnXdxoX6hsYQ==,type:str]", "pgp": [ { "created_at": "2025-08-24T23:36:17Z", diff --git a/install/installer-config.nix b/install/installer-config.nix index 942440e..3ee5c91 100644 --- a/install/installer-config.nix +++ b/install/installer-config.nix @@ -1,32 +1,36 @@ { self, config, pkgs, lib, ... }: let pubKeys = lib.filesystem.listFilesRecursive "${self}/secrets/keys/ssh"; - stateVersion = lib.mkDefault "23.05"; - homeFiles = { - ".bash_history" = { - text = '' - swarsel-install -n hotel - ''; - }; - }; in { config = { home-manager.users.root.home = { - inherit stateVersion; - file = homeFiles; + stateVersion = "23.05"; + file = { + ".bash_history" = { + text = '' + swarsel-install -n hotel + ''; + }; + }; }; home-manager.users.swarsel = { home = { username = "swarsel"; homeDirectory = lib.mkDefault "/home/swarsel"; - inherit stateVersion; + stateVersion = lib.mkDefault "23.05"; keyboard.layout = "us"; sessionVariables = { FLAKE = "/home/swarsel/.dotfiles"; }; - file = homeFiles; + file = { + ".bash_history" = { + text = '' + swarsel-install -n hotel + ''; + }; + }; }; }; @@ -44,6 +48,10 @@ in nix = { channel.enable = false; package = pkgs.nixVersions.nix_2_28; + # extraOptions = '' + # plugin-files = ${pkgs.dev.nix-plugins}/lib/nix/plugins + # extra-builtins-file = ${../nix/extra-builtins.nix} + # ''; extraOptions = '' plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: { buildInputs = [config.nix.package pkgs.boost]; @@ -95,7 +103,6 @@ in environment.etc."issue".text = '' ~SwarselSystems~ IP of primary interface: \4 - These IPs were also found: \4{eth0} \4{eth1} \4{eth2} \4{eth3} \4{wlan0} The Password for all users & root is 'setup'. Install the system remotely by running 'bootstrap -n -d ' on a machine with deployed secrets. Alternatively, run 'swarsel-install -n ' for a local install. For your convenience, an example call is in the bash history (press up on the keyboard to access). @@ -106,7 +113,6 @@ in wireless.enable = false; # dhcpcd.runHook = "${pkgs.utillinux}/bin/agetty --reload"; networkmanager.enable = true; - usePredictableInterfaceNames = false; }; services.getty.autologinUser = lib.mkForce "root"; @@ -133,8 +139,6 @@ in programs.bash.shellAliases = { "swarsel-install" = "nix run github:Swarsel/.dotfiles#swarsel-install --"; - "swarsel-net-manufacturer" = "lspci -nn | grep -i 'network\|ethernet'"; - "swarsel-kernel-module" = "lspci -k -d"; }; system.activationScripts.cache = { diff --git a/justfile b/justfile index b13d397..f2f9f7f 100644 --- a/justfile +++ b/justfile @@ -10,9 +10,12 @@ check-trace: update: nix flake update -iso CONFIG="live-iso": +iso: rm -rf result - nix build --print-out-paths .#live-iso + nix build .#nixosConfigurations.iso.config.system.build.isoImage && ln -sf result/iso/*.iso latest.iso + +iso-flake FLAKE SYSTEM="x86_64" FORMAT="iso": + nixos-generate --flake .#{{FLAKE}} -f {{FORMAT}} --system {{SYSTEM}} iso-install DRIVE: iso sudo dd if=$(eza --sort changed result/iso/*.iso | tail -n1) of={{DRIVE}} bs=4M status=progress oflag=sync @@ -22,6 +25,3 @@ dd DRIVE ISO: sync USER HOST: rsync -rltv --filter=':- .gitignore' -e "ssh -l {{USER}}" . {{USER}}@{{HOST}}:.dotfiles/ - -bootstrap DEST CONFIG ARCH="x86_64-linux": - nix develop .#deploy --command zsh -c "swarsel-bootstrap -n {{CONFIG}} -d {{DEST}} -a {{ARCH}}" diff --git a/modules/nixos/common/globals.nix b/modules/nixos/common/globals.nix index 8d226d4..c42e7ae 100644 --- a/modules/nixos/common/globals.nix +++ b/modules/nixos/common/globals.nix @@ -4,91 +4,6 @@ let mkOption types ; - - networkOptions = netSubmod: { - cidrv4 = mkOption { - type = types.nullOr types.net.cidrv4; - description = "The CIDRv4 of this network"; - default = null; - }; - - subnetMask4 = mkOption { - type = types.nullOr types.net.cidrv4; - description = "The dotted decimal form of the subnet mask of this network"; - readOnly = true; - default = lib.swarselsystems.cidrToSubnetMask netSubmod.cidrv4; - }; - - cidrv6 = mkOption { - type = types.nullOr types.net.cidrv6; - description = "The CIDRv6 of this network"; - default = null; - }; - - hosts = mkOption { - default = { }; - type = types.attrsOf ( - types.submodule (hostSubmod: { - options = { - id = mkOption { - type = types.int; - description = "The id of this host in the network"; - }; - - mac = mkOption { - type = types.nullOr types.net.mac; - description = "The MAC of the interface on this host that belongs to this network."; - default = null; - }; - - ipv4 = mkOption { - type = types.nullOr types.net.ipv4; - description = "The IPv4 of this host in this network"; - readOnly = true; - default = - if netSubmod.config.cidrv4 == null then - null - else - lib.net.cidr.host hostSubmod.config.id netSubmod.config.cidrv4; - }; - - ipv6 = mkOption { - type = types.nullOr types.net.ipv6; - description = "The IPv6 of this host in this network"; - readOnly = true; - default = - if netSubmod.config.cidrv6 == null then - null - else - lib.net.cidr.host hostSubmod.config.id netSubmod.config.cidrv6; - }; - - cidrv4 = mkOption { - type = types.nullOr types.str; # FIXME: this is not types.net.cidr because it would zero out the host part - description = "The IPv4 of this host in this network, including CIDR mask"; - readOnly = true; - default = - if netSubmod.config.cidrv4 == null then - null - else - lib.net.cidr.hostCidr hostSubmod.config.id netSubmod.config.cidrv4; - }; - - cidrv6 = mkOption { - type = types.nullOr types.str; # FIXME: this is not types.net.cidr because it would zero out the host part - description = "The IPv6 of this host in this network, including CIDR mask"; - readOnly = true; - default = - if netSubmod.config.cidrv6 == null then - null - else - lib.net.cidr.hostCidr hostSubmod.config.id netSubmod.config.cidrv6; - }; - }; - }) - ); - }; - }; in { options = { @@ -124,44 +39,12 @@ in ); }; - networks = mkOption { - default = { }; - type = types.attrsOf ( - types.submodule (netSubmod: { - options = networkOptions netSubmod // { - vlans = mkOption { - default = { }; - type = types.attrsOf ( - types.submodule (vlanNetSubmod: { - options = networkOptions vlanNetSubmod // { - id = mkOption { - type = types.ints.between 1 4094; - description = "The VLAN id"; - }; - - name = mkOption { - description = "The name of this VLAN"; - default = vlanNetSubmod.config._module.args.name; - type = types.str; - }; - }; - }) - ); - }; - }; - }) - ); - }; - hosts = mkOption { type = types.attrsOf ( types.submodule { options = { - defaultGateway4 = mkOption { - type = types.nullOr types.net.ipv4; - }; - defaultGateway6 = mkOption { - type = types.nullOr types.net.ipv6; + ipv4 = mkOption { + type = types.str; }; }; } diff --git a/modules/nixos/common/pii.nix b/modules/nixos/common/pii.nix index b39de85..26b31d0 100644 --- a/modules/nixos/common/pii.nix +++ b/modules/nixos/common/pii.nix @@ -1,5 +1,5 @@ # largely based on https://github.com/oddlama/nix-config/blob/main/modules/secrets.nix -{ config, inputs, lib, ... }: +{ config, inputs, lib, minimal, ... }: let # If the given expression is a bare set, it will be wrapped in a function, # so that the imported file can always be applied to the inputs, similar to @@ -65,7 +65,7 @@ in let local = config.node.secretsDir + "/pii.nix.enc"; in - (lib.optionalAttrs (lib.pathExists local) { inherit local; }) // lib.optionalAttrs true { + (lib.optionalAttrs (lib.pathExists local && !minimal) { inherit local; }) // lib.optionalAttrs (!minimal) { common = ../../../secrets/repo/pii.nix.enc; }; }; diff --git a/modules/nixos/server/ankisync.nix b/modules/nixos/server/ankisync.nix index b845ad7..0447dea 100644 --- a/modules/nixos/server/ankisync.nix +++ b/modules/nixos/server/ankisync.nix @@ -5,7 +5,7 @@ let servicePort = 27701; serviceName = "ankisync"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + serviceAddress = globals.hosts.winters.ipv4; ankiUser = globals.user.name; in diff --git a/modules/nixos/server/atuin.nix b/modules/nixos/server/atuin.nix index d355e6f..38fe352 100644 --- a/modules/nixos/server/atuin.nix +++ b/modules/nixos/server/atuin.nix @@ -3,7 +3,7 @@ let servicePort = 8888; serviceName = "atuin"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + serviceAddress = globals.hosts.winters.ipv4; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; diff --git a/modules/nixos/server/disk-encrypt.nix b/modules/nixos/server/disk-encrypt.nix deleted file mode 100644 index dddc1a4..0000000 --- a/modules/nixos/server/disk-encrypt.nix +++ /dev/null @@ -1,34 +0,0 @@ -{ self, lib, config, globals, ... }: -let - localIp = globals.networks.home.hosts.${config.node.name}.ipv4; - subnetMask = globals.networks.home.subnetMask4; - gatewayIp = globals.hosts.${config.node.name}.defaultGateway4; -in -{ - options.swarselmodules.server.diskEncryption = lib.mkEnableOption "enable disk encryption config"; - config = lib.mkIf (config.swarselmodules.server.diskEncryption && config.swarselsystems.isCrypted) { - - boot.kernelParams = lib.mkIf (!config.swarselsystems.isLaptop) [ "ip=${localIp}::${gatewayIp}:${subnetMask}:${config.networking.hostName}::none" ]; - boot.initrd = { - availableKernelModules = [ "r8169" ]; - network = { - enable = true; - udhcpc.enable = lib.mkIf config.swarselsystems.isLaptop true; - flushBeforeStage2 = true; - ssh = { - enable = true; - port = 22; - authorizedKeyFiles = [ - (self + /secrets/keys/ssh/yubikey.pub) - (self + /secrets/keys/ssh/magicant.pub) - ]; - hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ]; - }; - postCommands = '' - echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' >> /root/.profile - ''; - }; - }; - - }; -} diff --git a/modules/nixos/server/firefly-iii.nix b/modules/nixos/server/firefly-iii.nix index c0acad1..37aa48a 100644 --- a/modules/nixos/server/firefly-iii.nix +++ b/modules/nixos/server/firefly-iii.nix @@ -5,7 +5,7 @@ let serviceGroup = serviceUser; serviceName = "firefly-iii"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + serviceAddress = globals.hosts.winters.ipv4; nginxGroup = "nginx"; diff --git a/modules/nixos/server/forgejo.nix b/modules/nixos/server/forgejo.nix index a674078..886c6aa 100644 --- a/modules/nixos/server/forgejo.nix +++ b/modules/nixos/server/forgejo.nix @@ -7,7 +7,7 @@ let serviceGroup = serviceUser; serviceName = "forgejo"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + serviceAddress = globals.hosts.winters.ipv4; kanidmDomain = globals.services.kanidm.domain; in diff --git a/modules/nixos/server/freshrss.nix b/modules/nixos/server/freshrss.nix index 0375e64..8e94add 100644 --- a/modules/nixos/server/freshrss.nix +++ b/modules/nixos/server/freshrss.nix @@ -5,7 +5,7 @@ let serviceUser = "freshrss"; serviceGroup = serviceName; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + serviceAddress = globals.hosts.winters.ipv4; inherit (config.swarselsystems) sopsFile; in diff --git a/modules/nixos/server/garage.nix b/modules/nixos/server/garage.nix index d537552..5ac3673 100644 --- a/modules/nixos/server/garage.nix +++ b/modules/nixos/server/garage.nix @@ -5,7 +5,7 @@ let serviceName = "garage"; servicePort = 3900; serviceDomain = config.repo.secrets.common.services.domains."${serviceName}-${configName}"; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + serviceAddress = globals.hosts.${configName}.ipv4; cfg = config.services.${serviceName}; metadata_dir = "/var/lib/garage/meta"; diff --git a/modules/nixos/server/homebox.nix b/modules/nixos/server/homebox.nix index c1b62ab..56adac9 100644 --- a/modules/nixos/server/homebox.nix +++ b/modules/nixos/server/homebox.nix @@ -3,7 +3,7 @@ let servicePort = 7745; serviceName = "homebox"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + serviceAddress = globals.hosts.winters.ipv4; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; diff --git a/modules/nixos/server/immich.nix b/modules/nixos/server/immich.nix index cefa330..e3bc4a0 100644 --- a/modules/nixos/server/immich.nix +++ b/modules/nixos/server/immich.nix @@ -4,7 +4,7 @@ let serviceUser = "immich"; serviceName = "immich"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + serviceAddress = globals.hosts.winters.ipv4; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; diff --git a/modules/nixos/server/jellyfin.nix b/modules/nixos/server/jellyfin.nix index 552f8bf..420bbb6 100644 --- a/modules/nixos/server/jellyfin.nix +++ b/modules/nixos/server/jellyfin.nix @@ -4,7 +4,7 @@ let serviceName = "jellyfin"; serviceUser = "jellyfin"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + serviceAddress = globals.hosts.winters.ipv4; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; diff --git a/modules/nixos/server/jenkins.nix b/modules/nixos/server/jenkins.nix index 808bcef..91d94f0 100644 --- a/modules/nixos/server/jenkins.nix +++ b/modules/nixos/server/jenkins.nix @@ -3,7 +3,7 @@ let servicePort = 8088; serviceName = "jenkins"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + serviceAddress = globals.hosts.winters.ipv4; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; diff --git a/modules/nixos/server/kanidm.nix b/modules/nixos/server/kanidm.nix index e7ab275..79b1983 100644 --- a/modules/nixos/server/kanidm.nix +++ b/modules/nixos/server/kanidm.nix @@ -8,7 +8,7 @@ let serviceGroup = serviceUser; serviceName = "kanidm"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + serviceAddress = globals.hosts.winters.ipv4; oauth2ProxyDomain = globals.services.oauth2Proxy.domain; immichDomain = globals.services.immich.domain; diff --git a/modules/nixos/server/kavita.nix b/modules/nixos/server/kavita.nix index dfa915e..c93be62 100644 --- a/modules/nixos/server/kavita.nix +++ b/modules/nixos/server/kavita.nix @@ -6,7 +6,7 @@ let serviceName = "kavita"; serviceUser = "kavita"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + serviceAddress = globals.hosts.winters.ipv4; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; diff --git a/modules/nixos/server/koillection.nix b/modules/nixos/server/koillection.nix index eb45709..08da2d1 100644 --- a/modules/nixos/server/koillection.nix +++ b/modules/nixos/server/koillection.nix @@ -6,7 +6,7 @@ let servicePort = 2282; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; serviceDir = "/Vault/data/koillection"; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + serviceAddress = globals.hosts.winters.ipv4; postgresUser = config.systemd.services.postgresql.serviceConfig.User; # postgres postgresPort = config.services.postgresql.settings.port; # 5432 diff --git a/modules/nixos/server/matrix.nix b/modules/nixos/server/matrix.nix index ba18600..24f4530 100644 --- a/modules/nixos/server/matrix.nix +++ b/modules/nixos/server/matrix.nix @@ -6,7 +6,7 @@ let serviceName = "matrix"; serviceDomain = config.repo.secrets.common.services.domains.matrix; serviceUser = "matrix-synapse"; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + serviceAddress = globals.hosts.winters.ipv4; federationPort = 8448; whatsappPort = 29318; diff --git a/modules/nixos/server/monitoring.nix b/modules/nixos/server/monitoring.nix index d1ee714..758e63d 100644 --- a/modules/nixos/server/monitoring.nix +++ b/modules/nixos/server/monitoring.nix @@ -5,7 +5,7 @@ let serviceGroup = serviceUser; serviceName = "grafana"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + serviceAddress = globals.hosts.winters.ipv4; prometheusPort = 9090; prometheusUser = "prometheus"; diff --git a/modules/nixos/server/navidrome.nix b/modules/nixos/server/navidrome.nix index 34b245a..30cb8da 100644 --- a/modules/nixos/server/navidrome.nix +++ b/modules/nixos/server/navidrome.nix @@ -5,7 +5,7 @@ let serviceUser = "navidrome"; serviceGroup = serviceUser; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + serviceAddress = globals.hosts.winters.ipv4; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; diff --git a/modules/nixos/server/network.nix b/modules/nixos/server/network.nix deleted file mode 100644 index 90b8c0e..0000000 --- a/modules/nixos/server/network.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ lib, config, ... }: -{ - options.swarselmodules.server.network = lib.mkEnableOption "enable server network config"; - config = lib.mkIf config.swarselmodules.server.network { - - globals.networks.home.hosts.${config.node.name} = { - inherit (config.repo.secrets.local.networking.networks.home) id; - mac = config.repo.secrets.local.networking.networks.home.mac or null; - }; - - globals.hosts.${config.node.name} = { - inherit (config.repo.secrets.local.networking) defaultGateway4; - }; - - networking = { - inherit (config.repo.secrets.local.networking) hostId; - hostName = config.node.name; - nftables.enable = lib.mkDefault true; - enableIPv6 = lib.mkDefault true; - firewall = { - enable = lib.mkDefault true; - }; - }; - - }; -} diff --git a/modules/nixos/server/nextcloud.nix b/modules/nixos/server/nextcloud.nix index 50e8b9f..36765d2 100644 --- a/modules/nixos/server/nextcloud.nix +++ b/modules/nixos/server/nextcloud.nix @@ -8,7 +8,7 @@ let serviceGroup = serviceUser; serviceName = "nextcloud"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + serviceAddress = globals.hosts.winters.ipv4; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; diff --git a/modules/nixos/server/paperless.nix b/modules/nixos/server/paperless.nix index 005bdab..ca813b1 100644 --- a/modules/nixos/server/paperless.nix +++ b/modules/nixos/server/paperless.nix @@ -7,7 +7,7 @@ let serviceGroup = serviceUser; serviceName = "paperless"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + serviceAddress = globals.hosts.winters.ipv4; tikaPort = 9998; gotenbergPort = 3002; diff --git a/modules/nixos/server/radicale.nix b/modules/nixos/server/radicale.nix index 411a3e6..7ad9fe2 100644 --- a/modules/nixos/server/radicale.nix +++ b/modules/nixos/server/radicale.nix @@ -7,7 +7,7 @@ let serviceUser = "radicale"; serviceGroup = serviceUser; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + serviceAddress = globals.hosts.winters.ipv4; cfg = config.services.${serviceName}; in diff --git a/modules/nixos/server/router.nix b/modules/nixos/server/router.nix deleted file mode 100644 index fb8112a..0000000 --- a/modules/nixos/server/router.nix +++ /dev/null @@ -1,56 +0,0 @@ -{ lib, config, ... }: -let - serviceName = "router"; -in -{ - options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; - config = lib.mkIf config.swarselmodules.server.${serviceName} { - - systemd.network = { - wait-online.anyInterface = true; - networks = { - "30-lan0" = { - matchConfig.Name = "lan0"; - linkConfig.RequiredForOnline = "enslaved"; - networkConfig = { - ConfigureWithoutCarrier = true; - }; - }; - "30-lan1" = { - matchConfig.Name = "lan1"; - linkConfig.RequiredForOnline = "enslaved"; - networkConfig = { - ConfigureWithoutCarrier = true; - }; - }; - "30-lan2" = { - matchConfig.Name = "lan2"; - linkConfig.RequiredForOnline = "enslaved"; - networkConfig = { - ConfigureWithoutCarrier = true; - }; - }; - "30-lan3" = { - matchConfig.Name = "lan3"; - linkConfig.RequiredForOnline = "enslaved"; - networkConfig = { - ConfigureWithoutCarrier = true; - }; - }; - "10-wan" = { - matchConfig.Name = "wan"; - networkConfig = { - # start a DHCP Client for IPv4 Addressing/Routing - DHCP = "ipv4"; - DNSOverTLS = true; - DNSSEC = true; - IPv6PrivacyExtensions = false; - IPForward = true; - }; - # make routing on this interface a dependency for network-online.target - linkConfig.RequiredForOnline = "routable"; - }; - }; - }; - }; -} diff --git a/modules/nixos/server/snipe-it.nix b/modules/nixos/server/snipe-it.nix index 3ae183e..b7a9edd 100644 --- a/modules/nixos/server/snipe-it.nix +++ b/modules/nixos/server/snipe-it.nix @@ -9,7 +9,7 @@ let serviceUser = "snipeit"; serviceGroup = serviceUser; serviceDomain = config.repo.secrets.common.services.domains.${serviceName}; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + serviceAddress = globals.hosts.winters.ipv4; mysqlPort = 3306; in diff --git a/modules/nixos/server/syncthing.nix b/modules/nixos/server/syncthing.nix index 6eb61c6..6d1ac78 100644 --- a/modules/nixos/server/syncthing.nix +++ b/modules/nixos/server/syncthing.nix @@ -7,7 +7,7 @@ let serviceUser = "syncthing"; serviceGroup = serviceUser; serviceName = "syncthing"; - serviceAddress = globals.networks.home.hosts.${config.node.name}.ipv4; + serviceAddress = globals.hosts.winters.ipv4; specificServiceName = "syncthing-${configName}"; cfg = config.services.${serviceName}; diff --git a/nix/devshell.nix b/nix/devshell.nix index a1ce6f6..2969bcf 100644 --- a/nix/devshell.nix +++ b/nix/devshell.nix @@ -46,142 +46,114 @@ }; }; - devshells = { - deploy = - let - nix-version = "2_28"; - in - { - packages = [ - (builtins.trace "alarm: pinned nix_${nix-version}" pkgs.stable25_05.nixVersions."nix_${nix-version}") - pkgs.git - pkgs.just - pkgs.age - pkgs.ssh-to-age - pkgs.sops - ]; + devshells.default = + let + nix-version = "2_30"; + in + { + packages = [ + (builtins.trace "alarm: pinned nix_${nix-version}" pkgs.nixVersions."nix_${nix-version}") + pkgs.git + pkgs.just + pkgs.age + pkgs.ssh-to-age + pkgs.sops + pkgs.nixpkgs-fmt + self.packages.${system}.swarsel-build + self.packages.${system}.swarsel-deploy + (pkgs.symlinkJoin { + name = "home-manager"; + buildInputs = [ pkgs.makeWrapper ]; + paths = [ pkgs.home-manager ]; + postBuild = '' + wrapProgram $out/bin/home-manager \ + --append-flags '--flake .#$(hostname)' + ''; + }) + ]; - env = - [ - { - name = "NIX_CONFIG"; - value = '' - plugin-files = ${pkgs.stable25_05.nix-plugins.overrideAttrs (o: { - buildInputs = [pkgs.stable25_05.nixVersions."nix_${nix-version}" pkgs.stable25_05.boost]; - patches = (o.patches or []) ++ [./nix-plugins.patch]; - })}/lib/nix/plugins - extra-builtins-file = ${self + /nix/extra-builtins.nix} - ''; - } - ]; - }; - default = - let - nix-version = "2_30"; - in - { - packages = [ - (builtins.trace "alarm: pinned nix_${nix-version}" pkgs.nixVersions."nix_${nix-version}") - pkgs.git - pkgs.just - pkgs.age - pkgs.ssh-to-age - pkgs.sops - pkgs.nixpkgs-fmt - self.packages.${system}.swarsel-build - self.packages.${system}.swarsel-deploy - (pkgs.symlinkJoin { - name = "home-manager"; - buildInputs = [ pkgs.makeWrapper ]; - paths = [ pkgs.home-manager ]; - postBuild = '' - wrapProgram $out/bin/home-manager \ - --append-flags '--flake .#$(hostname)' + commands = [ + { + package = pkgs.statix; + help = "Lint flake"; + } + { + package = pkgs.deadnix; + help = "Check flake for dead code"; + } + { + package = pkgs.nix-tree; + help = "Interactively browse dependency graphs of Nix derivations"; + } + { + package = pkgs.nvd; + help = "Diff two nix toplevels and show which packages were upgraded"; + } + { + package = pkgs.nix-diff; + help = "Explain why two Nix derivations differ"; + } + { + package = pkgs.nix-output-monitor; + help = "Nix Output Monitor (a drop-in alternative for `nix` which shows a build graph)"; + name = "nom \"$@\""; + } + { + name = "hm"; + help = "Manage home-manager config"; + command = "home-manager \"$@\""; + } + { + name = "fmt"; + help = "Format flake"; + command = "nixpkgs-fmt --check \"$FLAKE\""; + } + { + name = "sd"; + help = "Build and deploy this nix config to nodes"; + command = "swarsel-deploy \"$@\""; + } + { + name = "sl"; + help = "Build and deploy a config to nodes"; + command = "swarsel-deploy \${1} switch"; + } + { + name = "sw"; + help = "Build and switch to the host's config locally"; + command = "swarsel-deploy $(hostname) switch"; + } + { + name = "bld"; + help = "Build a number of configurations"; + command = "swarsel-build \"$@\""; + } + { + name = "c"; + help = "Work with the flake git repository"; + command = "git --git-dir=$FLAKE/.git --work-tree=$FLAKE/ \"$@\""; + } + ]; + + devshell.startup.pre-commit-install.text = "pre-commit install"; + + env = + let + nix-plugins = pkgs.nix-plugins.override { + nixComponents = pkgs.nixVersions."nixComponents_${nix-version}"; + }; + in + [ + { + # Additionally configure nix-plugins with our extra builtins file. + # We need this for our repo secrets. + name = "NIX_CONFIG"; + value = '' + plugin-files = ${nix-plugins}/lib/nix/plugins + extra-builtins-file = ${self + /nix/extra-builtins.nix} ''; - }) - ]; - - commands = [ - { - package = pkgs.statix; - help = "Lint flake"; - } - { - package = pkgs.deadnix; - help = "Check flake for dead code"; - } - { - package = pkgs.nix-tree; - help = "Interactively browse dependency graphs of Nix derivations"; - } - { - package = pkgs.nvd; - help = "Diff two nix toplevels and show which packages were upgraded"; - } - { - package = pkgs.nix-diff; - help = "Explain why two Nix derivations differ"; - } - { - package = pkgs.nix-output-monitor; - help = "Nix Output Monitor (a drop-in alternative for `nix` which shows a build graph)"; - name = "nom \"$@\""; - } - { - name = "hm"; - help = "Manage home-manager config"; - command = "home-manager \"$@\""; - } - { - name = "fmt"; - help = "Format flake"; - command = "nixpkgs-fmt --check \"$FLAKE\""; - } - { - name = "sd"; - help = "Build and deploy this nix config to nodes"; - command = "swarsel-deploy \"$@\""; - } - { - name = "sl"; - help = "Build and deploy a config to nodes"; - command = "swarsel-deploy \${1} switch"; - } - { - name = "sw"; - help = "Build and switch to the host's config locally"; - command = "swarsel-deploy $(hostname) switch"; - } - { - name = "bld"; - help = "Build a number of configurations"; - command = "swarsel-build \"$@\""; - } - { - name = "c"; - help = "Work with the flake git repository"; - command = "git --git-dir=$FLAKE/.git --work-tree=$FLAKE/ \"$@\""; } ]; - - devshell.startup.pre-commit-install.text = "pre-commit install"; - - env = - let - nix-plugins = pkgs.nix-plugins.override { - nixComponents = pkgs.nixVersions."nixComponents_${nix-version}"; - }; - in - [ - { - name = "NIX_CONFIG"; - value = '' - plugin-files = ${nix-plugins}/lib/nix/plugins - extra-builtins-file = ${self + /nix/extra-builtins.nix} - ''; - } - ]; - }; - }; + }; }; } diff --git a/nix/lib.nix b/nix/lib.nix index c41db61..a7b6194 100644 --- a/nix/lib.nix +++ b/nix/lib.nix @@ -6,22 +6,6 @@ let inherit (inputs.nixpkgs) lib; in rec { - cidrToSubnetMask = cidr: - let - prefixLength = lib.toInt (lib.last (lib.splitString "/" cidr)); - bits = lib.genList (i: if i < prefixLength then 1 else 0) 32; - octets = lib.genList - (i: - let - octetBits = lib.sublist (i * 8) 8 bits; - octetValue = lib.foldl (acc: bit: acc * 2 + bit) 0 octetBits; - in - octetValue - ) 4; - subnetMask = lib.concatStringsSep "." (map toString octets); - in - subnetMask; - mkIfElseList = p: yes: no: lib.mkMerge [ (lib.mkIf p yes) (lib.mkIf (!p) no) diff --git a/profiles/nixos/localserver/default.nix b/profiles/nixos/localserver/default.nix index 928e012..c73b619 100644 --- a/profiles/nixos/localserver/default.nix +++ b/profiles/nixos/localserver/default.nix @@ -15,8 +15,6 @@ boot = lib.mkDefault true; server = { general = lib.mkDefault true; - network = lib.mkDefault true; - diskEncryption = lib.mkDefault true; packages = lib.mkDefault true; ssh = lib.mkDefault true; nginx = lib.mkDefault true; diff --git a/profiles/nixos/minimal/default.nix b/profiles/nixos/minimal/default.nix index c233faa..a224336 100644 --- a/profiles/nixos/minimal/default.nix +++ b/profiles/nixos/minimal/default.nix @@ -21,7 +21,6 @@ server = { ssh = lib.mkDefault true; - diskEncryption = lib.mkDefault true; }; }; diff --git a/profiles/nixos/router/default.nix b/profiles/nixos/router/default.nix deleted file mode 100644 index 256cfa0..0000000 --- a/profiles/nixos/router/default.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ lib, config, ... }: -{ - options.swarselprofiles.router = lib.mkEnableOption "enable the router profile"; - config = lib.mkIf config.swarselprofiles.router { - swarselmodules = { - server = { - router = lib.mkDefault true; - }; - }; - }; - -} diff --git a/secrets/repo/globals.nix.enc b/secrets/repo/globals.nix.enc index d6641b4..64a35db 100644 --- a/secrets/repo/globals.nix.enc +++ b/secrets/repo/globals.nix.enc @@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data:1nK/JO8sa+N6EXpyIHBnRapOXYbtM38jnNCf/j0wIOG+0uJvQEFc1e9gIFvuvmPUpUjh6XMuEKNxvLTjFlaLiypOX3yJVTn2fiyOWSm244wcye0GRPe+RWIi+1kEPrFDBEG2JFB+9iGSx0Vf2NfBPgaVFnr4Z2TTGH/kvxiTV6KYucWQNHh+jvVKZ6vAsCP2pFWp2yhpov9l5Tj6MwyK7E46Gn7DmCAtlZcA64Nht+99Zrrfuq8byan6w8RMFR830GJvdMAAD/Vsz/6aGQfHhpJwl4L8/4WwvhQq/DuU1umI1Q7r7FosXbos6g8wTWuM3ccD7V//tFDeVkaMKJzkLkQt0JbyzansijadTYjo0I1w15iH2nySBSIrsOJauBcw3XaP6NfAC3fN1lh/fDaj5HWud5v2ginWRfJNYalfMvTkXm2E5m8SXjanGJL1bHBle4TwEDNPT8+LFIJm8gf57rQRcRlh,iv:W3xvnTblM4Aa0dzDKiWqHM6B5zmu5ddk3D4tYAVNBiY=,tag:KelbYP9xbTmDaWiPrkS+Mw==,type:str]", + "data": "ENC[AES256_GCM,data:8qexHpKJg6o1Fb9H50I3H25UOpNFs2sQl2hd3B2hdJRTjc96aVgTgI838Fnn7G6mFBpHqP0SFCU0/CP6SKqbhJ6SucrfpQN/RqZlSCxmuZi3sqv3voNd7/5JzY0D/5XUTfzHkeEA34HS0GcNLLY7m+QskfJdqGSMB5P++88xCNETqv+sRPVegm1ZGttj+tttesLkAcIU0556WiQhyIcpR4ZiO75NWRFerOmb4LxADR+bwBfesfGUfjflsqOSJll17N9SECSWE7o75Ojn+yde/EznK+zQlsCYvPp90d2xU6dpdRNtp9jrjvXvEVCmcwjIqIKXqurc2CU=,iv:xBYgbmjHwhbH+7WR5MLVysrChxr6rERo6WZuu07sUS0=,tag:vMoMu9mrrGRTA3oO2wsnWw==,type:str]", "sops": { "age": [ { @@ -27,8 +27,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBibGlMSU4vUEF5UlNVZzlr\nMTMyOFY2Zi8rZFdZT1JrelZEUUZkZHFvOFdzCjVPbVovaU9nZklJQWNZeDJZNm0r\nMXBIK2hsZEY0NElxTVVMWmN6WU1Ld28KLS0tIENaallkK05SMllia3prV25hZDR2\nZDBNU0dYYnJESG1JZGpvSGp1WW9UMVEKJgfdLp7BRXvyAekecNJiaBXmxSj1qNxx\nZeHceqEkfWV/PzX+RP4LHjXTQCLEOJijbKxDmxSsYq49hC9xjZASuw==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-11-09T22:41:57Z", - "mac": "ENC[AES256_GCM,data:iHmgHvT3yn5ayimvO+miRA3dA/0o4juBvBzWIXwtZyt5gSI4oJizMbRaX5coVJgeDdPsYaiQFqSnEPrPmrMIR16jdmscQLvz7X1gtdanMP++5q13jWOkiUHPC2nZy47M+36bzC2P/BHqKE782ERTGnD70VZO4a1lOa7pB32NutY=,iv:oOn9x/xf5g82GXdZ9fDxgEiUScXXfzSdEZccqFQLF4w=,tag:iEhx2Hm0yP6G/1w6cIgHIg==,type:str]", + "lastmodified": "2025-07-22T17:19:04Z", + "mac": "ENC[AES256_GCM,data:r1h9ouXb8o8Vk3/l3SX6hxbPApMn4BcCIs52Jhv9s9RYURMGb9qqPipbX7yFIYDBMka2qJJ0BneJz2EI60nTxx+QqATImR2oot2U6iONrelgs+AL3We//xpHOVHSxQ9XMmeEOcVqXEU3u843jV1RElxarRCwB9yM6IWTPx2qNzA=,iv:bS571Ddgz6Fbhyxy2bL/087ZTD7egcvPoLXD9uF8aN0=,tag:HJBI6G6ivRHhJMXYrNhIKw==,type:str]", "pgp": [ { "created_at": "2025-07-02T12:10:18Z", @@ -37,6 +37,6 @@ } ], "unencrypted_suffix": "_unencrypted", - "version": "3.11.0" + "version": "3.10.2" } }