From 5430e70bd4468474723cc1d8e2edb7a1ee8e9f9d Mon Sep 17 00:00:00 2001 From: Sam Date: Mon, 7 Oct 2024 14:19:27 +0100 Subject: [PATCH] add vars networking.addresses from nix-secrets --- flake.lock | 9 ++- flake.nix | 12 +++- .../optional/desktop/common/default.nix | 2 + .../optional/desktop/common/firefox.nix | 70 +++++++++++-------- home/common/optional/git.nix | 7 +- hosts/citadel/default.nix | 5 +- hosts/common/core/default.nix | 6 ++ hosts/common/core/sops.nix | 16 ++--- .../optional/nixos-containers/jellyfin.nix | 14 ++-- .../optional/nixos-containers/nix-bitcoin.nix | 17 +++-- .../optional/nixos-containers/postgres.nix | 14 ++-- hosts/common/optional/printing.nix | 10 ++- hosts/semita/default.nix | 11 ++- hosts/sparky/default.nix | 70 ++++++++++++------- justfile | 5 ++ vars/default.nix | 8 +++ 16 files changed, 179 insertions(+), 97 deletions(-) create mode 100644 vars/default.nix diff --git a/flake.lock b/flake.lock index 8c0208d..f89b09e 100644 --- a/flake.lock +++ b/flake.lock @@ -426,13 +426,12 @@ } }, "nix-secrets": { - "flake": false, "locked": { - "lastModified": 1728169228, - "narHash": "sha256-WT6kWWqMQE4KBdziZ/uuJ9sPcVg+6QJoOdBPdKAD0gI=", + "lastModified": 1728307023, + "narHash": "sha256-0UW+bb5hXNeLgrBbHuwZLeP/yTSC12wHrArpzNW7/kw=", "ref": "refs/heads/master", - "rev": "e9709bbb9adc91fb6b4dab5b16e15546cc596695", - "revCount": 165, + "rev": "3db4dbfd1032f9fe9f5c898d74ea738a0a70395b", + "revCount": 176, "type": "git", "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git" }, diff --git a/flake.nix b/flake.nix index 631427e..1c38153 100644 --- a/flake.nix +++ b/flake.nix @@ -53,7 +53,7 @@ nix-secrets = { url = "git+ssh://git@git.bitlab21.com/sam/nix-secrets.git"; - flake = false; + inputs = { }; }; }; @@ -69,7 +69,14 @@ "x86_64-linux" ]; forAllSystems = nixpkgs.lib.genAttrs systems; - specialArgs = { inherit inputs outputs; }; + inherit (nixpkgs) lib; + configVars = import ./vars { inherit inputs lib; }; + specialArgs = { + inherit + inputs + outputs + configVars + ; }; in { packages = forAllSystems (system: import ./pkgs nixpkgs.legacyPackages.${system}); @@ -78,6 +85,7 @@ nixosModules = import ./modules/nixos; homeManagerModules = import ./modules/home-manager; + # System level configs nixosConfigurations = { nixdev = nixpkgs.lib.nixosSystem { diff --git a/home/common/optional/desktop/common/default.nix b/home/common/optional/desktop/common/default.nix index 779990c..b45060c 100644 --- a/home/common/optional/desktop/common/default.nix +++ b/home/common/optional/desktop/common/default.nix @@ -18,5 +18,7 @@ pkgs.qgis pkgs.mpv pkgs.gnome.simple-scan + pkgs.pandoc + pkgs.texlive.combined.scheme-small ]; } diff --git a/home/common/optional/desktop/common/firefox.nix b/home/common/optional/desktop/common/firefox.nix index 7de4cc1..d5e2262 100644 --- a/home/common/optional/desktop/common/firefox.nix +++ b/home/common/optional/desktop/common/firefox.nix @@ -1,38 +1,51 @@ -{ pkgs, config, ... }: -let - user = config.home.username; -in { + pkgs, + config, + configVars, + ... +}: let + user = config.home.username; + jellyfinIp = configVars.networking.addresses.jellyfin.ip; + jellyfinPort = configVars.networking.addresses.jellyfin.port; +in { programs.firefox = { enable = true; profiles.${user} = { search = { force = true; default = "Searx"; - order = [ "Searx" "DuckDuckGo" ]; + order = ["Searx" "DuckDuckGo"]; engines = { "Nix Packages" = { - urls = [{ - template = "https://search.nixos.org/packages"; - params = [ - { name = "type"; value = "packages"; } - { name = "query"; value = "{searchTerms}"; } - ]; - }]; + urls = [ + { + template = "https://search.nixos.org/packages"; + params = [ + { + name = "type"; + value = "packages"; + } + { + name = "query"; + value = "{searchTerms}"; + } + ]; + } + ]; icon = "''${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg"; - definedAliases = [ "@np" ]; + definedAliases = ["@np"]; }; "NixOS Wiki" = { - urls = [{ template = "https://nixos.wiki/index.php?search={searchTerms}"; }]; + urls = [{template = "https://nixos.wiki/index.php?search={searchTerms}";}]; iconUpdateURL = "https://nixos.wiki/favicon.png"; updateInterval = 24 * 60 * 60 * 1000; # every day - definedAliases = [ "@nw" ]; + definedAliases = ["@nw"]; }; "Searx" = { - urls = [{ template = "http://10.0.10.35:8855/?q={searchTerms}"; }]; + urls = [{template = "http://10.0.10.35:8855/?q={searchTerms}";}]; iconUpdateURL = "https://docs.searxng.org/_static/searxng-wordmark.svg"; updateInterval = 24 * 60 * 60 * 1000; # every day - definedAliases = [ "@searx" ]; + definedAliases = ["@searx"]; }; "Bing".metaData.hidden = true; "Google".metaData.alias = "@g"; # builtin engines only support specifying one additional alias @@ -41,16 +54,18 @@ in bookmarks = [ { - name = "wikipedia"; - tags = [ "wiki" ]; - keyword = "wiki"; - url = "https://en.wikipedia.org/wiki/Special:Search?search=%s&go=Go"; - } - { - name = "bitlab21"; - tags = [ "bitcoin" ]; - keyword = "bitcoin"; - url = "https://bitlab21.com"; + name = "toolbar"; + toolbar = true; + bookmarks = [ + { + name = "Jellyfin"; + url = "http://${jellyfinIp}:${jellyfinPort}"; + } + { + name = "Nixos Package Search"; + url = "https://search.nixos.org/packages"; + } + ]; } ]; @@ -75,7 +90,6 @@ in privacy-badger zotero-connector ]; - }; }; } diff --git a/home/common/optional/git.nix b/home/common/optional/git.nix index 0f719b2..2638629 100644 --- a/home/common/optional/git.nix +++ b/home/common/optional/git.nix @@ -1,10 +1,13 @@ -{ pkgs, ... }: +{ pkgs, configVars, ... }: +let + email = configVars.email.user; +in { programs.git = { enable = true; package = pkgs.gitAndTools.gitFull; userName = "Sam"; - userEmail = "samual.shop@proton.me"; + userEmail = "${email}"; aliases = { }; extraConfig = { pull.rebase = false; diff --git a/hosts/citadel/default.nix b/hosts/citadel/default.nix index 3ac3329..b119529 100644 --- a/hosts/citadel/default.nix +++ b/hosts/citadel/default.nix @@ -3,6 +3,7 @@ lib, pkgs, config, + configVars, ... }: let # Disko setup @@ -15,6 +16,8 @@ else "/dev/root_vg/root"; user = "sam"; impermanence = true; + pieholeIp = configVars.networking.addresses.piehole.ip; + gatewayIp = configVars.networking.addresses.gateway.ip; in { imports = [ # Create users for this host @@ -110,7 +113,7 @@ in { hostName = "citadel"; networkmanager.enable = true; enableIPv6 = false; - nameservers = ["10.0.10.60" "8.8.8.8"]; + nameservers = ["${pieholeIp}" "${gatewayIp}" "8.8.8.8"]; }; services.libinput.enable = true; diff --git a/hosts/common/core/default.nix b/hosts/common/core/default.nix index 1549749..0074988 100644 --- a/hosts/common/core/default.nix +++ b/hosts/common/core/default.nix @@ -37,6 +37,12 @@ in }; }; + nix.gc = { + automatic = true; + dates = "weekly"; + options = "--delete-older-than 30d"; + }; + environment.systemPackages = [ pkgs.rsync pkgs.curl diff --git a/hosts/common/core/sops.nix b/hosts/common/core/sops.nix index 6cb172f..fcd7601 100644 --- a/hosts/common/core/sops.nix +++ b/hosts/common/core/sops.nix @@ -1,13 +1,13 @@ -{ pkgs, lib, inputs, config, ... }: - -let +{ + lib, + inputs, + config, + ... +}: let secretsDirectory = builtins.toString inputs.nix-secrets; secretsFile = "${secretsDirectory}/secrets.yaml"; hasOptinPersistence = config.environment.persistence ? "/persist"; - hostname = config.networking.hostName; - -in -{ +in { imports = [ inputs.sops-nix.nixosModules.sops ]; @@ -17,7 +17,7 @@ in validateSopsFiles = false; age = { - sshKeyPaths = [ "${lib.optionalString hasOptinPersistence "/persist"}/etc/ssh/ssh_host_ed25519_key" ]; + sshKeyPaths = ["${lib.optionalString hasOptinPersistence "/persist"}/etc/ssh/ssh_host_ed25519_key"]; }; secrets = { "passwords/root".neededForUsers = true; diff --git a/hosts/common/optional/nixos-containers/jellyfin.nix b/hosts/common/optional/nixos-containers/jellyfin.nix index c9c2470..0925a52 100644 --- a/hosts/common/optional/nixos-containers/jellyfin.nix +++ b/hosts/common/optional/nixos-containers/jellyfin.nix @@ -1,16 +1,18 @@ { lib, pkgs, + configVars, ... }: let pubKeys = lib.filesystem.listFilesRecursive ../../users/keys; - container_name = "jellyfin"; - container_ip = "10.0.10.6"; + containerName = "jellyfin"; + containerIp = configVars.networking.addresses.jellyfin.ip; + gatewayIp = configVars.networking.addresses.gateway.ip; in { environment.persistence."/persist" = { hideMounts = true; directories = [ - "/var/lib/nixos-containers/${container_name}" + "/var/lib/nixos-containers/${containerName}" ]; }; @@ -18,7 +20,7 @@ in { networking.nat.internalInterfaces = ["ve-+"]; networking.nat.externalInterface = "br0"; - containers.${container_name} = { + containers.${containerName} = { autoStart = true; privateNetwork = true; hostBridge = "br0"; @@ -40,10 +42,10 @@ in { ... }: { networking = { - defaultGateway = "10.0.10.1"; + defaultGateway = "${gatewayIp}"; interfaces.eth0.ipv4.addresses = [ { - "address" = "${container_ip}"; + "address" = "${containerIp}"; "prefixLength" = 24; } ]; diff --git a/hosts/common/optional/nixos-containers/nix-bitcoin.nix b/hosts/common/optional/nixos-containers/nix-bitcoin.nix index fb1242a..cc296d8 100644 --- a/hosts/common/optional/nixos-containers/nix-bitcoin.nix +++ b/hosts/common/optional/nixos-containers/nix-bitcoin.nix @@ -2,6 +2,7 @@ inputs, lib, config, + configVars, pkgs, ... }: let @@ -9,8 +10,10 @@ bitcoin-rpcpassword-public = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-rpcpassword-public".path; bitcoin-HMAC-privileged = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-HMAC-privileged".path; bitcoin-HMAC-public = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-HMAC-public".path; - container_name = "bitcoin-node"; - container_ip = "10.0.10.4"; + containerName = "bitcoin-node"; + containerIp = configVars.networking.addresses.bitcoin-node.ip; + gatewayIp = configVars.networking.addresses.gateway.ip; + allowip = configVars.networking.addresses.bitcoin-node.services.bitcoind.allowip; pubKeys = lib.filesystem.listFilesRecursive ../../users/keys; in { sops.secrets = { @@ -23,7 +26,7 @@ in { environment.persistence."/persist" = { hideMounts = true; directories = [ - "/var/lib/nixos-containers/${container_name}" + "/var/lib/nixos-containers/${containerName}" ]; }; @@ -31,7 +34,7 @@ in { networking.nat.internalInterfaces = ["ve-+"]; networking.nat.externalInterface = "br0"; - containers.${container_name} = { + containers.${containerName} = { autoStart = true; privateNetwork = true; hostBridge = "br0"; @@ -85,8 +88,8 @@ in { jq ]; networking = { - defaultGateway = "10.0.10.1"; - interfaces.eth0.ipv4.addresses = [ { "address" = "${container_ip}"; "prefixLength" = 24; } ]; + defaultGateway = "${gatewayIp}"; + interfaces.eth0.ipv4.addresses = [ { "address" = "${containerIp}"; "prefixLength" = 24; } ]; firewall = { enable = true; allowedTCPPorts = [ @@ -120,7 +123,7 @@ in { rpc = { address = "0.0.0.0"; threads = 6; - allowip = ["10.0.0.0/8"]; + allowip = allowip; users = let name = "bitcoin"; in { diff --git a/hosts/common/optional/nixos-containers/postgres.nix b/hosts/common/optional/nixos-containers/postgres.nix index d53c182..c63a2f7 100644 --- a/hosts/common/optional/nixos-containers/postgres.nix +++ b/hosts/common/optional/nixos-containers/postgres.nix @@ -2,13 +2,15 @@ inputs, lib, config, + configVars, pkgs, ... }: let postgresPasswordPath = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/postgres/postgres/password".path; pubKeys = lib.filesystem.listFilesRecursive ../../users/keys; - container_name = "postgres"; - container_ip = "10.0.10.5"; + containerName = "postgres"; + containerIp = configVars.networking.addresses.postgres.ip; + gatewayIp = configVars.networking.addresses.gateway.ip; in { sops.secrets = { "software/postgres/postgres/password" = { @@ -18,7 +20,7 @@ in { environment.persistence."/persist" = { hideMounts = true; directories = [ - "/var/lib/nixos-containers/${container_name}" + "/var/lib/nixos-containers/${containerName}" ]; }; @@ -26,7 +28,7 @@ in { networking.nat.internalInterfaces = ["ve-+"]; networking.nat.externalInterface = "br0"; - containers.${container_name} = { + containers.${containerName} = { autoStart = true; privateNetwork = true; hostBridge = "br0"; @@ -44,10 +46,10 @@ in { ... }: { networking = { - defaultGateway = "10.0.10.1"; + defaultGateway = "${gatewayIp}"; interfaces.eth0.ipv4.addresses = [ { - "address" = "${container_ip}"; + "address" = "${containerIp}"; "prefixLength" = 24; } ]; diff --git a/hosts/common/optional/printing.nix b/hosts/common/optional/printing.nix index e80b381..a534adc 100644 --- a/hosts/common/optional/printing.nix +++ b/hosts/common/optional/printing.nix @@ -1,4 +1,10 @@ -{pkgs, ...}: { +{ + pkgs, + configVars, + ... +}: let + serverIp = configVars.networking.addresses.merlin.ip; +in { services = { udev.packages = [pkgs.sane-airscan]; printing = { @@ -16,7 +22,7 @@ sane = { enable = true; extraBackends = [pkgs.sane-airscan]; - netConf = "10.0.10.2"; + netConf = "${serverIp}"; }; printers = { ensurePrinters = [ diff --git a/hosts/semita/default.nix b/hosts/semita/default.nix index aa1da1e..8af8e4b 100644 --- a/hosts/semita/default.nix +++ b/hosts/semita/default.nix @@ -2,6 +2,7 @@ inputs, lib, pkgs, + configVars, ... }: let # Disko setup @@ -14,6 +15,10 @@ else "/dev/root_vg/root"; user = "sam"; impermanence = true; + pieholeIp = configVars.networking.addresses.piehole.ip; + gatewayIp = configVars.networking.addresses.gateway.ip; + semitaIp = configVars.networking.addresses.semita.ip; + in { imports = [ # Create users for this host @@ -107,8 +112,8 @@ in { networking = { hostName = "semita"; - nameservers = ["10.0.10.60" "10.0.10.1" "8.8.8.8"]; - defaultGateway = "10.0.10.1"; + nameservers = ["${pieholeIp}" "${gatewayIp}" "8.8.8.8"]; + defaultGateway = "${gatewayIp}"; useDHCP = false; bridges = { br0 = { @@ -118,7 +123,7 @@ in { interfaces.br0 = { ipv4.addresses = [ { - "address" = "10.0.10.3"; + "address" = "${semitaIp}"; "prefixLength" = 24; } ]; diff --git a/hosts/sparky/default.nix b/hosts/sparky/default.nix index 8e70b37..4564812 100644 --- a/hosts/sparky/default.nix +++ b/hosts/sparky/default.nix @@ -1,37 +1,52 @@ -{ inputs, config, lib, pkgs, outputs, ... }: -let +{ + inputs, + config, + lib, + configVars, + ... +}: let # Disko setup fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence dev = "/dev/sda"; # depends on target hardware encrypted = false; # currrently only applies to btrfs - btrfsMountDevice = if encrypted then "/dev/mapper/crypted" else "/dev/root_vg/root"; + btrfsMountDevice = + if encrypted + then "/dev/mapper/crypted" + else "/dev/root_vg/root"; impermanence = true; -in -{ - imports = - [ - # Create users for this host - ../common/users/media + pieholeIp = configVars.networking.addresses.piehole.ip; + gatewayIp = configVars.networking.addresses.gateway.ip; +in { + imports = [ + # Create users for this host + ../common/users/media - # Disk configuration - inputs.disko.nixosModules.disko - (import ../common/disks { device = dev; impermanence = impermanence; fsType = fsType; encrypted = encrypted; }) + # Disk configuration + inputs.disko.nixosModules.disko + (import ../common/disks { + device = dev; + impermanence = impermanence; + fsType = fsType; + encrypted = encrypted; + }) - # Impermanence - (import ../common/disks/btrfs/impermanence.nix { btrfsMountDevice = btrfsMountDevice; lib = lib; }) + # Impermanence + (import ../common/disks/btrfs/impermanence.nix { + btrfsMountDevice = btrfsMountDevice; + lib = lib; + }) - # Import core options - ./hardware-configuration.nix - ../common/core + # Import core options + ./hardware-configuration.nix + ../common/core - # Import optional options - ../common/optional/openssh.nix - ../common/optional/persistence.nix - ../common/optional/nfs-mounts/media.nix - ../common/optional/gaming.nix - ../common/optional/printing.nix - - ]; + # Import optional options + ../common/optional/openssh.nix + ../common/optional/persistence.nix + ../common/optional/nfs-mounts/media.nix + ../common/optional/gaming.nix + ../common/optional/printing.nix + ]; boot = { loader = { @@ -40,12 +55,13 @@ in timeout = 3; }; }; - boot.kernelParams = [ "i915.enable_psr=0" ]; + boot.kernelParams = ["i915.enable_psr=0"]; networking = { hostName = "sparky"; networkmanager.enable = true; enableIPv6 = false; + nameservers = ["${pieholeIp}" "${gatewayIp}" "8.8.8.8"]; }; nixpkgs.config.allowUnfreePredicate = pkg: @@ -61,7 +77,7 @@ in services.xserver = { enable = true; - videoDrivers = [ "nvidia" ]; + videoDrivers = ["nvidia"]; displayManager.lightdm.enable = true; exportConfiguration = true; deviceSection = '' diff --git a/justfile b/justfile index ee49ac5..151dc88 100644 --- a/justfile +++ b/justfile @@ -14,6 +14,11 @@ rebuild-system: git add *.nix sudo nixos-rebuild switch --option eval-cache false --flake .#$(hostname) +# test full system rebuild from flake (stages changes and automatically detects host) +rebuild-system-test: + git add *.nix + sudo nixos-rebuild test --option eval-cache false --flake .#$(hostname) + # updates all flake inputs for system update-flake: nix flake update diff --git a/vars/default.nix b/vars/default.nix new file mode 100644 index 0000000..3e575d9 --- /dev/null +++ b/vars/default.nix @@ -0,0 +1,8 @@ +{ inputs, ... }: +{ + inherit (inputs.nix-secrets) + networking + email + ; + +}