| -rw-r--r-- | flake.lock | 6 | ||||
| -rw-r--r-- | flake.nix | 109 | ||||
| -rw-r--r-- | lib/default.nix | 4 | ||||
| -rw-r--r-- | lib/ivi.nix | 82 | ||||
| -rw-r--r-- | lib/my.nix | 15 | ||||
| -rw-r--r-- | machines/serber.nix | 31 | ||||
| -rw-r--r-- | overlays/suckless.nix | 2 | ||||
| -rw-r--r-- | profiles/core/configuration.nix | 25 | ||||
| -rw-r--r-- | profiles/core/secrets.nix | 35 | ||||
| -rw-r--r-- | profiles/station/irc.nix | 21 | ||||
| -rw-r--r-- | profiles/station/music.nix | 14 | ||||
| -rw-r--r-- | secrets/hello | 20 | ||||
| -rw-r--r-- | templates/ansible/flake.nix | 9 | ||||
| -rw-r--r-- | templates/flake/.envrc | 4 | ||||
| -rw-r--r-- | templates/flake/flake.nix | 42 | ||||
| -rw-r--r-- | templates/go/flake.nix | 6 |
16 files changed, 248 insertions, 177 deletions
@@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1696940889, - "narHash": "sha256-p2Wic74A1tZpFcld1wSEbFQQbrZ/tPDuLieCnspamQo=", + "lastModified": 1697371398, + "narHash": "sha256-Tn5feZ5SoYHQM9BTjw5e06DuNu8wc21gC9+bq/kXA8Y=", "owner": "nix-community", "repo": "home-manager", - "rev": "6bba64781e4b7c1f91a733583defbd3e46b49408", + "rev": "3b67ae3f665379c06999641f99d94dba75b53876", "type": "github" }, "original": { @@ -1,5 +1,5 @@ { - description = "Home Manager configuration"; + description = "Nixos, home-manager, and deploy-rs configuration"; inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; @@ -8,6 +8,7 @@ url = "github:nix-community/home-manager"; inputs.nixpkgs.follows = "nixpkgs"; }; + deploy-rs.url = "github:serokell/deploy-rs"; }; outputs = inputs@{ 
@@ -15,74 +16,66 @@ nixpkgs, home-manager, sops-nix, + deploy-rs, ... }: let system = "x86_64-linux"; pkgs = import nixpkgs {inherit system;}; - lib = (nixpkgs.lib.extend (_: _: home-manager.lib)).extend (import ./lib); - in with lib; { - inherit lib; + lib = (nixpkgs.lib.extend (_: _: home-manager.lib)).extend (import ./lib self); - nixosConfigurations.lemptop = nixpkgs.lib.nixosSystem { + # Gets module from ./machines/ and uses the lib to define which other modules + # the machine needs. + mkSystem = name: machineModule: with lib; + let + machine = ivi.machines.${name}; + in + lib.nixosSystem { inherit lib system; - specialArgs = {inherit inputs;}; - modules = [ - ({config, ... }: { - nixpkgs.overlays = with lib; [(composeManyExtensions [ - (import ./overlays/vimPlugins.nix {inherit pkgs;}) - (import ./overlays/suckless.nix {inherit pkgs; home = config.users.users.mike.home;}) - ])]; - }) - ./machines/lemptop.nix - ] ++ (attrValues - (attrsets.mergeAttrsList (map modulesIn [ - ./profiles/core - ./profiles/station - ./profiles/email - ]))); + specialArgs = {inherit machine inputs;}; + modules = with lib; + machine.modules + ++ [machineModule] + ++ [({ config, ... }: { + nixpkgs.overlays = with lib; [(composeManyExtensions [ + (import ./overlays/vimPlugins.nix {inherit pkgs;}) + (import ./overlays/suckless.nix {inherit pkgs; home = config.users.users.mike.home;}) + ])];}) + ]; }; + in with lib; { + inherit lib; + nixosConfigurations = with lib; + mapAttrs + (hostname: machineConfig: + mkSystem + hostname + machineConfig) + (modulesIn ./machines); - nixosConfigurations.core = extraModules: nixpkgs.lib.nixosSystem { - inherit lib system; - specialArgs = {inherit inputs;}; - modules = extraModules ++ [ - ({config, ... }: { - nixpkgs.overlays = with lib; [(composeManyExtensions [ - (import ./overlays/vimPlugins.nix {inherit pkgs;}) - ])]; + deploy.nodes = + mapAttrs + (hostname: machine: + { + hostname = hostname + "." 
+ ivi.domain; + sshUser = "root"; + profiles.system.path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.${hostname} }) - ] ++ (attrValues - (attrsets.mergeAttrsList (map modulesIn [ - ./profiles/core - ]))); - }; + (filterAttrs (_: machine: machine.isDeployed) ivi.machines); - nixosModules.core = { ... }: { - imports = [ - ({config, ... }: { - nixpkgs.overlays = with lib; [(composeManyExtensions [ - (import ./overlays/vimPlugins.nix {inherit pkgs;}) - ])]; - }) - ] ++ (attrValues - (attrsets.mergeAttrsList (map modulesIn [ - ./profiles/core - ]))); + devShells."${system}".default = pkgs.mkShell { + name = "deploy"; + buildInputs = [ + pkgs.bashInteractive + deploy-rs.packages."${system}".default + ]; + shellHook = '' + export HCLOUD_TOKEN="$(pass show personal/hetzner-token)" + ''; }; - templates = { - default = { - path = ./templates/flake; - description = "Python and go stuff"; - }; - ansible = { - path = ./templates/ansible; - description = "Ansible and shellhook to login to awx"; - }; - go = { - path = ./templates/go; - description = "Go, gotools, and gofumpt"; - }; - }; + templates = + mapAttrs + (templateName: path: {inherit path;}) + (modulesIn ./templates); }; } diff --git a/lib/default.nix b/lib/default.nix index 6375d5b..7b80611 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -1,4 +1,4 @@ -lib: prev: with lib; { +self: lib: prev: with lib; { modulesIn = dir: pipe dir [ builtins.readDir (mapAttrsToList (name: type: @@ -17,5 +17,5 @@ lib: prev: with lib; { collectFlakeInputs = input: [ input ] ++ concatMap collectFlakeInputs (builtins.attrValues (input.inputs or {})); - my = import ./my.nix lib; + ivi = import ./ivi.nix self lib; } diff --git a/lib/ivi.nix b/lib/ivi.nix new file mode 100644 index 0000000..64d358a --- /dev/null +++ b/lib/ivi.nix 
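Review bot: `deploy.nodes.<host>.sshUser = "root"` depends on root having an authorized key on the target, but the only keys this flake installs go to `users.users.${ivi.username}` in profiles/core, so unless nixos-infect left root's authorized_keys in the imported hardware/networking modules the first deploy will be refused; consider `users.users.root.openssh.authorizedKeys.keys = ivi.sshKeys;` in the core profile, or a non-root `sshUser` together with `user = "root"` so deploy-rs escalates via sudo. The suckless overlay inside `mkSystem` still reads `config.users.users.mike.home`, while profiles/core/configuration.nix in this same commit defines the user as `ivi.username` (`"ivi"`), so any machine that evaluates `st` or `dwm` should fail with a missing `mike` attribute; use `config.users.users.${ivi.username}.home`. deploy-rs also recommends exposing `checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;` so `nix flake check` validates the node set before a deploy. The enclosing `outputs` function begins before this hunk.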
@@ -0,0 +1,82 @@ +self: lib: with lib; let + modules = [ + { + options.machines = mkOption { + description = "Lookup for static info needed to configure machines"; + default = {}; + type = with types; attrsOf (submodule ({ name, config, ... }: { + freeformType = attrs; + options = { + modules = mkOption { + description = "Final list of modules to import"; + type = listOf str; + default = []; + }; + profiles = mkOption { + description = "List of profiles to use"; + type = listOf str; + default = []; + }; + hostname = mkOption { + description = "The machine's hostname"; + type = str; + readOnly = true; + default = name; + }; + ipv4 = mkOption { + description = "The machines public IPv4 addresses"; + type = listOf str; + default = []; + }; + ipv6 = mkOption { + description = "The machines public IPv6 addresses"; + type = listOf str; + default = []; + }; + isDeployed = mkOption { + description = "The machine is deployed with nixos"; + type = boolean; + default = false; + }; + }; + config = { + modules = + (concatMap + (p: (attrValues (modulesIn (self + "/profiles/" + p)))) + ivi.machines.${name}.profiles + ); + }; + })); + }; + config = { + _module.freeformType = with types; attrs; + + username = "ivi"; + githubUsername = "ivi-vink"; + realName = "Mike Vink"; + domain = "vinkland.xyz"; + email = "mike1994vink@gmail.com"; + sshKeys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMT59Kbv+rO0PvB1q5u3l9wdUgsKT0M8vQ7WHnjq+kYN ${ivi.email}" + "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAACAQDqsfYS7sOLfLWvGTmxT2QYGkbXJ5kREFl42n3jtte5sLps76KECgKqEjA4OLhNZ51lKFBDzcn1QOUl3RN4+qHsBtkr+02a7hhf1bBLeb1sx6+FVXdsarln5lUF/NMcpj6stUi8mqY4aQ21jQKxZsGip9fI8fx3HtXYCVhIarRbshQlwDqTplJBLDtrnmWTprxVnz1xSZRr3euXsIh1FFQZI6klPPBa6qFJtWWtGNBCRr8Sruo6I4on7QjNyW/s1OgiNAR0N2IO9wCdjlXrjNnFEAaMrpDpZde7eULbiFP2pHYVVy/InwNhhePYkeBh/4BzlaUZVv6gXsX7wOC5OyWaXbbMzWEopbnqeXXLwNyOZ88YpN/c+kZk2/1CHl+xmlVGAr9TnZ9VST5Y4ZAEqq8OKoP3ZcchAWxWjzTgPogSfiIAP/n5xrgB+8uRZb/gkN+I7RTQKGrS2Ex7gfkj39beDeevQj3XVQ1U2kp3n+jUBHItCCpZyHISgTYW2Ct6lrziJpD0kPlAOrN3BGQtkStHYK+4EE1PrrwWGkG7Ue+tlETe8FTg+AMv1VjLV9b3pHZJCrao5/cY2MxkfGzf4HTfeueqSLSsrYuiogHAPvvzfvOV5un+dWX8HyeBjmKTBwDBFuhdca/wzk0ArHSgEYUmh2NXj/G4gaSF3EX5ZSxmMQ== ${ivi.email}" + ]; + + machines = { + lemptop = { + profiles = [ + "core" + "station" + "email" + ]; + }; + serber = { + isDeployed = true; + profiles = [ + "core" + ]; + }; + }; + }; + } + ]; +in (evalModules { inherit modules; }).config diff --git a/lib/my.nix b/lib/my.nix deleted file mode 100644 index 720fd32..0000000 --- a/lib/my.nix +++ /dev/null @@ -1,15 +0,0 @@ -lib: with lib; let - modules = [ - { - config = { - _module.freeformType = with types; attrs; - - username = "ivi"; - githubUsername = "mvinkio"; - realName = "Mike Vink"; - domain = "vinkland.xyz"; - email = "mike1994vink@gmail.com"; - }; - } - ]; -in (evalModules { inherit modules; }).config diff --git a/machines/serber.nix b/machines/serber.nix new file mode 100644 index 0000000..34789f7 --- /dev/null +++ b/machines/serber.nix 
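Review bot: `isDeployed` is declared with `type = boolean;` under `with types;`, but as far as I can see `lib.types` provides `bool`, not `boolean`, so evaluating the option (which `filterAttrs (_: machine: machine.isDeployed)` in flake.nix does) should fail with an undefined variable; change it to `type = bool;`. The submodule's `config.modules` reaches back out through `ivi.machines.${name}.profiles` to read its own `profiles` option, although `config.profiles` is already bound in the submodule arguments and avoids the self-reference through the extended lib. The `ipv4`/`ipv6` options are plain `listOf str` with no format check and nothing in this diff consumes them yet; a comment such as `# free-form, not validated as addresses` would set expectations for whoever wires them up.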
@@ -0,0 +1,31 @@ +{ config, pkgs, sops, ... }: { + imports = [ + ./hardware-configuration.nix + ./networking.nix # generated at runtime by nixos-infect + ]; + + system.stateVersion = "23.05"; + boot.tmp.cleanOnBoot = true; + zramSwap.enable = true; + networking.hostName = "vinkland"; + networking.domain = "xyz"; + services.openssh.enable = true; + + sops.secrets.porkbunCredentials = { + format = "binary"; + sopsFile = ../../secrets/credentials/porkbun; + }; + + security.acme = { + acceptTerms = true; + defaults = { + extraLegoRunFlags = ["--preferred-chain" "ISRG Root X1"]; + email = ivi.email; + dnsProvider = "porkbun"; + credentialsFile = config.sops.secrets.porkbunCredentials.path; + }; + certs = { + "vinkland.xyz" = { }; + }; + }; +} diff --git a/overlays/suckless.nix b/overlays/suckless.nix index 7ce02b4..959cab6 100644 --- a/overlays/suckless.nix +++ b/overlays/suckless.nix @@ -1,7 +1,7 @@ {pkgs, home, ...}: (final: prev: { st = (prev.st.overrideAttrs (oldAttrs: rec { src = /. + home + "/flake/mut/st"; - version = "0.2.0"; + version = "0.3.0"; buildInputs = oldAttrs.buildInputs ++ [prev.harfbuzz]; })); dwm = (prev.dwm.overrideAttrs (oldAttrs: rec { diff --git a/profiles/core/configuration.nix b/profiles/core/configuration.nix index 5c3c270..e487fae 100644 --- a/profiles/core/configuration.nix +++ b/profiles/core/configuration.nix 
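Review bot: `email = ivi.email;` references `ivi`, but this module only binds `{ config, pkgs, sops, ... }` and `ivi` lives on the extended `lib`, so evaluation should stop with an undefined variable; take `lib` as an argument and write `lib.ivi.email`, and drop `sops` from the argument list since it is neither a standard module argument nor in `specialArgs` (`machine`, `inputs`), which NixOS reports as an undefined `_module.args.sops`. `sopsFile = ../../secrets/credentials/porkbun;` is resolved from machines/ and so points two levels up, outside the flake root; `../secrets/credentials/porkbun` is presumably meant, and no such file is added in this commit. For an internet-facing host whose wheel user has passwordless sudo (profiles/core), `services.openssh.enable = true;` should come with `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` so only the keys installed by the core profile are accepted. `networking.hostName = "vinkland"` also differs from the machine name `serber` that deploy-rs and the sops `key` use; a comment stating which name is canonical would help.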
@@ -3,19 +3,25 @@ pkgs, ... }: { - users.users.mike = { + imports = [ (mkAliasOptionModule [ "ivi" ] [ "users" "users" ivi.username ]) ]; + + time.timeZone = "Europe/Amsterdam"; + users.users.${ivi.username} = { + uid = 1000; isNormalUser = true; + description = ivi.realName; extraGroups = ["wheel" "networkmanager" "docker" "transmission"]; + openssh.authorizedKeys.keys = ivi.sshKeys; }; security = { - sudo = { - wheelNeedsPassword = false; - extraConfig = '' - Defaults env_keep+="EDITOR" - Defaults env_keep+="SSH_CONNECTION SSH_CLIENT SSH_TTY" - Defaults env_keep+="http_proxy https_proxy" - ''; - }; + sudo = { + wheelNeedsPassword = false; + extraConfig = '' + Defaults env_keep+="EDITOR" + Defaults env_keep+="SSH_CONNECTION SSH_CLIENT SSH_TTY" + Defaults env_keep+="http_proxy https_proxy" + ''; + }; }; environment.systemPackages = with pkgs; [ man-pages @@ -35,7 +41,6 @@ usbutils ]; - nix.package = pkgs.nixUnstable; nix.extraOptions = '' experimental-features = nix-command flakes diff --git a/profiles/core/secrets.nix b/profiles/core/secrets.nix index c7a3ba5..15d6ee5 100644 --- a/profiles/core/secrets.nix +++ b/profiles/core/secrets.nix 
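Review bot: `wheelNeedsPassword = false` and membership in `docker` (root-equivalent) now reach the deployed `serber` host, because lib/ivi.nix gives it `profiles = [ "core" ]` and this file lives in that profile; consider moving the sudo relaxation and the `docker`/`transmission` groups into the station profile, or at least add `# NOTE: shared with serber via the core profile` above the sudo block. `ivi.username`, `ivi.realName` and `mkAliasOptionModule` are used unqualified; the module's argument list begins before this hunk, so I cannot see whether `lib` or `with lib;` is in scope — the sibling machines/serber.nix does the same without it. Naming the alias option `ivi` while `lib.ivi` holds the static identity makes `config.ivi` (the user record) and `ivi` (the identity) easy to confuse; a short comment on the import line saying what the alias points at would help.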
@@ -1,28 +1,25 @@ -{inputs,config,lib,pkgs,...}: with lib; { +{machine,inputs,config,lib,pkgs,...}: with lib; { imports = [ inputs.sops-nix.nixosModules.sops - (mkAliasOptionModule [ "secrets" ] [ "home-manager" "users" "mike" ]) # TODO: get username(s) from machine config + (mkAliasOptionModule [ "secrets" ] [ "home-manager" "users" "mike" ]) # TODO: get my username(s) from machine config ]; sops = { - gnupg = { - sshKeyPaths = []; - }; age.sshKeyPaths = []; - age.keyFile = "${config.hm.xdg.configHome}/sops/age/keys.txt"; + age.keyFile = mkIf (machine.hostname == "lemptop") "${config.hm.xdg.configHome}/sops/age/keys.txt"; - # secrets = mapAttrs' (name: _: let - # parts = splitString "." name; - # base = head parts; - # format = if length parts > 1 then elemAt parts 1 else "binary"; - # in - # { - # name = base; - # value = { - # sopsFile = "${inputs.self}/secrets/${name}"; - # inherit format; - # key = "lemptop"; # TODO: get actual hostname from somewhere - # }; - # }) (builtins.readDir "${inputs.self}/secrets"); # keep it out of the store + secrets = mapAttrs' (name: _: let + parts = splitString "." name; + base = head parts; + format = if length parts > 1 then elemAt parts 1 else "binary"; + in + { + name = base; + value = { + sopsFile = "${inputs.self}/secrets/${name}"; + inherit format; + key = machine.hostname; + }; + }) (builtins.readDir "${inputs.self}/secrets"); # keep it out of the store }; environment = { diff --git a/profiles/station/irc.nix b/profiles/station/irc.nix index 8e9cf8a..9feb293 100644 --- a/profiles/station/irc.nix +++ b/profiles/station/irc.nix @@ -1,5 +1,5 @@ {...}: { - programs.tiny = { + hm.programs.tiny = { enable = true; settings = { servers = [ 
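Review bot: `sops.age.sshKeyPaths = []` is kept and `age.keyFile` is now set only when `machine.hostname == "lemptop"`, so on `serber` sops-nix has no decryption identity at all, while the `readDir` loop below still declares a secret for every entry under `secrets/` on every host (including `hello`, whose single age recipient is presumably lemptop's key) — activation on serber would fail before the ACME credentials are even reached. Either drop the empty `sshKeyPaths` override so the host's ed25519 SSH host key is used and re-encrypt the files with serber's age recipient, or restrict the loop to the secrets each machine actually needs. `builtins.readDir` also returns directories (a `credentials/` parent like the one machines/serber.nix points at would become a secret named `credentials`), so filter on `type == "regular"` before mapping. The hard-coded `"mike"` in the `secrets` alias still disagrees with `ivi.username` used elsewhere in this commit, and `ivi.username` is already in scope here via `with lib;`.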
@@ -8,15 +8,20 @@ port = 6697; tls = true; realname = "Mike Vink"; - nicks = [ "ivi" ]; + nicks = [ "ivi-v" ]; + join = ["#nixos"]; + sasl = { + username = "ivi-v"; + password.command = "pass show personal/liberachat"; + }; } ]; - }; - defaults = { - nicks = [ "ivi" ]; - realname = "Mike Vink"; - join = []; - tls = true; + defaults = { + nicks = [ "ivi-v" ]; + realname = "Mike Vink"; + join = []; + tls = true; + }; }; }; } diff --git a/profiles/station/music.nix b/profiles/station/music.nix new file mode 100644 index 0000000..085534e --- /dev/null +++ b/profiles/station/music.nix @@ -0,0 +1,14 @@ +{ pkgs, ... }: { + services.mopidy = { + enable = true; + extensionPackages = with pkgs; [mopidy-spotify]; + extraConfigFiles = [ + ]; + }; + hm.programs.ncmpcpp = { + enable = true; + bindings = [ + { key = "+"; command = "show_clock"; } + ]; + }; +} diff --git a/secrets/hello b/secrets/hello new file mode 100644 index 0000000..27b3a95 --- /dev/null +++ b/secrets/hello 
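Review bot: `extensionPackages = [mopidy-spotify]` with `extraConfigFiles = [ ]` leaves the Spotify credentials unprovided; when they are added, keep them in a file referenced from `extraConfigFiles` (for example a `config.sops.secrets.<name>.path`) rather than in `services.mopidy.configuration`, which is rendered into the world-readable Nix store. A short comment on the empty list, such as `# mopidy-spotify credentials go here, as a file outside the store`, would make that intent explicit for the next edit.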
@@ -0,0 +1,20 @@ +{ + "data": "ENC[AES256_GCM,data:iZxyYQ6u7mUWk/1dr5bK09ko95QAJd3OTyZo/CT4HXSueFyHfo8fL8DDQNUSGMA=,iv:vSwpBRPCedBslzaqdeFun9YP9uHtFqsz44lU2mNd8yU=,tag:EE+4AsotaE2HBKB7ADwzqw==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age10q9wse8dh0749ffj576q775q496pycucxlla9rjdq5rd7f4csyhqqrmkk0", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHbTNCUUI1UXBVRDJKVWRC\ndDgwRys5V1pZYm9IaGNBVUJpdldNK0gyWHo4CmF4VTRLTnRhVGErSGVnZGdNUUl4\nN1pVYWFPaThZdC94Y3ByaytRUnpxdTAKLS0tIGZJbktoMVp4bDBTSFVOWnpOOTlS\nSXJjeUNkZjVuQmdJdmtBa2N6UnMrNVkKpqPVSJud8ccgtYQc5mkhD3x4zMB+Sw8N\nJ6TxxGWt9tmwPb03Hy1BbeasmN93hA60tTF29WiAzcAiMBk+4o4IyQ==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2023-10-16T19:06:39Z", + "mac": "ENC[AES256_GCM,data:OnCstF0Kch19iTjg/mlMR96UEJKkMSW9xL3weNR2P+h8TmaredEzOjxRVtX8yWevQ3NH0+EEnasjhwSQJ85slUMZoCrNK8xG3Z+Is3ey+1rahskJ20e9UJ6AMP3mwjPNfW2nLVjjikbnRirw4cG151vqTCbkC+FLNaSVi3K1H+g=,iv:Pcq6sq9gpTPW1wy6helri73jpmkvhdm/Et/rzLn9vxU=,tag:cabq18p9PHkeRQVdGv8BdQ==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.7.3" + } +}
\ No newline at end of file diff --git a/templates/ansible/flake.nix b/templates/ansible/flake.nix index 98c47ef..df49972 100644 --- a/templates/ansible/flake.nix +++ b/templates/ansible/flake.nix @@ -3,12 +3,6 @@ nixpkgs.url = "nixpkgs"; nix-filter.url = "github:numtide/nix-filter"; flake-utils.url = "github:numtide/flake-utils"; - nixpkgs-terraform-providers-bin.url = "github:nix-community/nixpkgs-terraform-providers-bin"; - nixpkgs-terraform-providers-bin.inputs.nixpkgs.follows = "nixpkgs"; - poetry2nix = { - url = "github:nix-community/poetry2nix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; }; outputs = { self, @@ -21,13 +15,10 @@ { inherit system; }; - poetry = inputs.poetry2nix.packages.${system}.poetry; - inherit (inputs.poetry2nix.legacyPackages.${system}) mkPoetryEnv defaultPoetryOverrides; in { devShells.default = pkgs.mkShell { name = "dev"; buildInputs = [ - poetry pkgs.ansible-language-server pkgs.bashInteractive ]; diff --git a/templates/flake/.envrc b/templates/flake/.envrc deleted file mode 100644 index 1305de8..0000000 --- a/templates/flake/.envrc +++ /dev/null @@ -1,4 +0,0 @@ -if ! has nix_direnv_version || ! nix_direnv_version 2.2.0; then - source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/2.2.0/direnvrc" "sha256-5EwyKnkJNQeXrRkYbwwRBcXbibosCJqyIUuz9Xq+LRc=" -fi -use flake diff --git a/templates/flake/flake.nix b/templates/flake/flake.nix deleted file mode 100644 index 83c2bca..0000000 --- a/templates/flake/flake.nix +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - inputs = { - nixpkgs.url = "nixpkgs"; - nix-filter.url = "github:numtide/nix-filter"; - flake-utils.url = "github:numtide/flake-utils"; - nixpkgs-terraform-providers-bin.url = "github:nix-community/nixpkgs-terraform-providers-bin"; - nixpkgs-terraform-providers-bin.inputs.nixpkgs.follows = "nixpkgs"; - poetry2nix = { - url = "github:nix-community/poetry2nix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - }; - outputs = { - self, - flake-utils, - ... - } @ inputs: - flake-utils.lib.eachDefaultSystem (system: let - pkgs = - import inputs.nixpkgs - { - inherit system; - }; - python = pkgs.python310; - poetry = inputs.poetry2nix.packages.${system}.poetry; - inherit (inputs.poetry2nix.legacyPackages.${system}) mkPoetryEnv defaultPoetryOverrides; - - more-providers = inputs.nixpkgs-terraform-providers-bin.legacyPackages.${system}.providers; - terraform = pkgs.terraform.withPlugins (p: [ - more-providers.microsoft.azuredevops - ]); - in { - devShells.default = pkgs.mkShell { - name = "dev"; - buildInputs = [ - terraform - poetry - pkgs.nodejs - ]; - }; - }); -} diff --git a/templates/go/flake.nix b/templates/go/flake.nix index b41da36..d99ce9a 100644 --- a/templates/go/flake.nix +++ b/templates/go/flake.nix @@ -3,12 +3,6 @@ nixpkgs.url = "nixpkgs"; nix-filter.url = "github:numtide/nix-filter"; flake-utils.url = "github:numtide/flake-utils"; - nixpkgs-terraform-providers-bin.url = "github:nix-community/nixpkgs-terraform-providers-bin"; - nixpkgs-terraform-providers-bin.inputs.nixpkgs.follows = "nixpkgs"; - poetry2nix = { - url = "github:nix-community/poetry2nix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; }; outputs = { self, |
