add vars networking.addresses from nix-secrets

This commit is contained in:
Sam 2024-10-07 14:19:27 +01:00
parent 62a3630a5c
commit 5430e70bd4
16 changed files with 179 additions and 97 deletions


@ -426,13 +426,12 @@
} }
}, },
"nix-secrets": { "nix-secrets": {
"flake": false,
"locked": { "locked": {
"lastModified": 1728169228, "lastModified": 1728307023,
"narHash": "sha256-WT6kWWqMQE4KBdziZ/uuJ9sPcVg+6QJoOdBPdKAD0gI=", "narHash": "sha256-0UW+bb5hXNeLgrBbHuwZLeP/yTSC12wHrArpzNW7/kw=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "e9709bbb9adc91fb6b4dab5b16e15546cc596695", "rev": "3db4dbfd1032f9fe9f5c898d74ea738a0a70395b",
"revCount": 165, "revCount": 176,
"type": "git", "type": "git",
"url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git" "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
}, },


@ -53,7 +53,7 @@
nix-secrets = { nix-secrets = {
url = "git+ssh://git@git.bitlab21.com/sam/nix-secrets.git"; url = "git+ssh://git@git.bitlab21.com/sam/nix-secrets.git";
flake = false; inputs = { };
}; };
}; };
@ -69,7 +69,14 @@
"x86_64-linux" "x86_64-linux"
]; ];
forAllSystems = nixpkgs.lib.genAttrs systems; forAllSystems = nixpkgs.lib.genAttrs systems;
specialArgs = { inherit inputs outputs; }; inherit (nixpkgs) lib;
configVars = import ./vars { inherit inputs lib; };
specialArgs = {
inherit
inputs
outputs
configVars
; };
in in
{ {
packages = forAllSystems (system: import ./pkgs nixpkgs.legacyPackages.${system}); packages = forAllSystems (system: import ./pkgs nixpkgs.legacyPackages.${system});
@ -78,6 +85,7 @@
nixosModules = import ./modules/nixos; nixosModules = import ./modules/nixos;
homeManagerModules = import ./modules/home-manager; homeManagerModules = import ./modules/home-manager;
# System level configs # System level configs
nixosConfigurations = { nixosConfigurations = {
nixdev = nixpkgs.lib.nixosSystem { nixdev = nixpkgs.lib.nixosSystem {
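Review bot: Dropping `flake = false;` from the nix-secrets input in the first hunk silently changes how that repository is consumed — it must now contain a flake.nix whose outputs expose `networking` and `email` at top level, and the replacement `inputs = { };` overrides nothing, so it reads as a leftover rather than a deliberate setting. If the intent is only to consume the repo as a flake, drop the empty `inputs = { };` and record the requirement next to the input, e.g. `# nix-secrets is a flake; ./vars inherits its networking/email outputs`. In the second hunk `configVars = import ./vars { inherit inputs lib; };` passes `lib`, which the vars/default.nix added by this commit does not take; it is harmless because of the `...` pattern but can be trimmed to `import ./vars { inherit inputs; }`.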


@ -18,5 +18,7 @@
pkgs.qgis pkgs.qgis
pkgs.mpv pkgs.mpv
pkgs.gnome.simple-scan pkgs.gnome.simple-scan
pkgs.pandoc
pkgs.texlive.combined.scheme-small
]; ];
} }


@ -1,38 +1,51 @@
{ pkgs, config, ... }:
let
user = config.home.username;
in
{ {
pkgs,
config,
configVars,
...
}: let
user = config.home.username;
jellyfinIp = configVars.networking.addresses.jellyfin.ip;
jellyfinPort = configVars.networking.addresses.jellyfin.port;
in {
programs.firefox = { programs.firefox = {
enable = true; enable = true;
profiles.${user} = { profiles.${user} = {
search = { search = {
force = true; force = true;
default = "Searx"; default = "Searx";
order = [ "Searx" "DuckDuckGo" ]; order = ["Searx" "DuckDuckGo"];
engines = { engines = {
"Nix Packages" = { "Nix Packages" = {
urls = [{ urls = [
template = "https://search.nixos.org/packages"; {
params = [ template = "https://search.nixos.org/packages";
{ name = "type"; value = "packages"; } params = [
{ name = "query"; value = "{searchTerms}"; } {
]; name = "type";
}]; value = "packages";
}
{
name = "query";
value = "{searchTerms}";
}
];
}
];
icon = "''${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg"; icon = "''${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
definedAliases = [ "@np" ]; definedAliases = ["@np"];
}; };
"NixOS Wiki" = { "NixOS Wiki" = {
urls = [{ template = "https://nixos.wiki/index.php?search={searchTerms}"; }]; urls = [{template = "https://nixos.wiki/index.php?search={searchTerms}";}];
iconUpdateURL = "https://nixos.wiki/favicon.png"; iconUpdateURL = "https://nixos.wiki/favicon.png";
updateInterval = 24 * 60 * 60 * 1000; # every day updateInterval = 24 * 60 * 60 * 1000; # every day
definedAliases = [ "@nw" ]; definedAliases = ["@nw"];
}; };
"Searx" = { "Searx" = {
urls = [{ template = "http://10.0.10.35:8855/?q={searchTerms}"; }]; urls = [{template = "http://10.0.10.35:8855/?q={searchTerms}";}];
iconUpdateURL = "https://docs.searxng.org/_static/searxng-wordmark.svg"; iconUpdateURL = "https://docs.searxng.org/_static/searxng-wordmark.svg";
updateInterval = 24 * 60 * 60 * 1000; # every day updateInterval = 24 * 60 * 60 * 1000; # every day
definedAliases = [ "@searx" ]; definedAliases = ["@searx"];
}; };
"Bing".metaData.hidden = true; "Bing".metaData.hidden = true;
"Google".metaData.alias = "@g"; # builtin engines only support specifying one additional alias "Google".metaData.alias = "@g"; # builtin engines only support specifying one additional alias
@ -41,16 +54,18 @@ in
bookmarks = [ bookmarks = [
{ {
name = "wikipedia"; name = "toolbar";
tags = [ "wiki" ]; toolbar = true;
keyword = "wiki"; bookmarks = [
url = "https://en.wikipedia.org/wiki/Special:Search?search=%s&go=Go"; {
} name = "Jellyfin";
{ url = "http://${jellyfinIp}:${jellyfinPort}";
name = "bitlab21"; }
tags = [ "bitcoin" ]; {
keyword = "bitcoin"; name = "Nixos Package Search";
url = "https://bitlab21.com"; url = "https://search.nixos.org/packages";
}
];
} }
]; ];
@ -75,7 +90,6 @@ in
privacy-badger privacy-badger
zotero-connector zotero-connector
]; ];
}; };
}; };
} }
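Review bot: The new Jellyfin bookmark URL `"http://${jellyfinIp}:${jellyfinPort}"` in the bookmarks hunk interpolates `jellyfinPort`, which only evaluates if the vars repo stores the port as a string; an integer there fails with a coercion error at eval time. Make the binding independent of that choice in the let block: `jellyfinPort = toString configVars.networking.addresses.jellyfin.port;`. The Searx engine on the unchanged context line still hard-codes `http://10.0.10.35:8855`, so this file is only half-migrated to configVars; either move that address too or add a comment saying why it stays literal. The same hunk also drops the wikipedia and bitlab21 keyword bookmarks, which the commit message does not mention.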


@ -1,10 +1,13 @@
{ pkgs, ... }: { pkgs, configVars, ... }:
let
email = configVars.email.user;
in
{ {
programs.git = { programs.git = {
enable = true; enable = true;
package = pkgs.gitAndTools.gitFull; package = pkgs.gitAndTools.gitFull;
userName = "Sam"; userName = "Sam";
userEmail = "samual.shop@proton.me"; userEmail = "${email}";
aliases = { }; aliases = { };
extraConfig = { extraConfig = {
pull.rebase = false; pull.rebase = false;
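Review bot: `userEmail = "${email}";` is a redundant interpolation — `email` already comes from configVars as a string, so write `userEmail = email;`, or inline the single-use binding as `userEmail = configVars.email.user;` and drop the let block. The same `"${x}"` wrapping appears on the new side in citadel's and sparky's nameservers, the jellyfin, bitcoin-node and postgres `defaultGateway` and `"address"` lines, printing's `netConf`, and semita's bridge address; plain references read cleaner and fail in the same way if the value is not a string.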


@ -3,6 +3,7 @@
lib, lib,
pkgs, pkgs,
config, config,
configVars,
... ...
}: let }: let
# Disko setup # Disko setup
@ -15,6 +16,8 @@
else "/dev/root_vg/root"; else "/dev/root_vg/root";
user = "sam"; user = "sam";
impermanence = true; impermanence = true;
pieholeIp = configVars.networking.addresses.piehole.ip;
gatewayIp = configVars.networking.addresses.gateway.ip;
in { in {
imports = [ imports = [
# Create users for this host # Create users for this host
@ -110,7 +113,7 @@ in {
hostName = "citadel"; hostName = "citadel";
networkmanager.enable = true; networkmanager.enable = true;
enableIPv6 = false; enableIPv6 = false;
nameservers = ["10.0.10.60" "8.8.8.8"]; nameservers = ["${pieholeIp}" "${gatewayIp}" "8.8.8.8"];
}; };
services.libinput.enable = true; services.libinput.enable = true;
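Review bot: The new nameservers list `["${pieholeIp}" "${gatewayIp}" "8.8.8.8"]` adds the gateway as a second resolver where the old line had only Pi-hole and 8.8.8.8, a behaviour change the commit message does not describe. Any resolver listed after Pi-hole is a filtering bypass: the libc resolver normally walks the list in order and only falls through on timeout or failure, but when it does, queries reach the gateway or Google unfiltered, so keep the fallbacks only if that is intended and say so, e.g. `# fallbacks bypass Pi-hole filtering; kept so DNS survives piehole being down`. Whether the gateway actually serves DNS is not visible here — confirm against the vars repo. Sparky gains the same list in this commit and the same note applies there.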


@ -37,6 +37,12 @@ in
}; };
}; };
nix.gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 30d";
};
environment.systemPackages = [ environment.systemPackages = [
pkgs.rsync pkgs.rsync
pkgs.curl pkgs.curl


@ -1,13 +1,13 @@
{ pkgs, lib, inputs, config, ... }: {
lib,
let inputs,
config,
...
}: let
secretsDirectory = builtins.toString inputs.nix-secrets; secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml"; secretsFile = "${secretsDirectory}/secrets.yaml";
hasOptinPersistence = config.environment.persistence ? "/persist"; hasOptinPersistence = config.environment.persistence ? "/persist";
hostname = config.networking.hostName; in {
in
{
imports = [ imports = [
inputs.sops-nix.nixosModules.sops inputs.sops-nix.nixosModules.sops
]; ];
@ -17,7 +17,7 @@ in
validateSopsFiles = false; validateSopsFiles = false;
age = { age = {
sshKeyPaths = [ "${lib.optionalString hasOptinPersistence "/persist"}/etc/ssh/ssh_host_ed25519_key" ]; sshKeyPaths = ["${lib.optionalString hasOptinPersistence "/persist"}/etc/ssh/ssh_host_ed25519_key"];
}; };
secrets = { secrets = {
"passwords/root".neededForUsers = true; "passwords/root".neededForUsers = true;
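Review bot: `secretsDirectory = builtins.toString inputs.nix-secrets;` is unchanged on the new side, but this commit turns nix-secrets into a flake input (flake.nix drops `flake = false`), so `inputs.nix-secrets` is now the flake's output attribute set rather than a bare source path. Coercion still works through the input's `outPath`, but that is an implicit dependency worth making explicit: `secretsDirectory = inputs.nix-secrets.outPath;` with a comment that `secrets.yaml` is read from the checked-out source tree, not from a flake output. The first hunk also removes `pkgs` and `hostname` from scope; if either is referenced below the hunk the module will fail to evaluate — this cannot be confirmed from the visible lines.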


@ -1,16 +1,18 @@
{ {
lib, lib,
pkgs, pkgs,
configVars,
... ...
}: let }: let
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys; pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
container_name = "jellyfin"; containerName = "jellyfin";
container_ip = "10.0.10.6"; containerIp = configVars.networking.addresses.jellyfin.ip;
gatewayIp = configVars.networking.addresses.gateway.ip;
in { in {
environment.persistence."/persist" = { environment.persistence."/persist" = {
hideMounts = true; hideMounts = true;
directories = [ directories = [
"/var/lib/nixos-containers/${container_name}" "/var/lib/nixos-containers/${containerName}"
]; ];
}; };
@ -18,7 +20,7 @@ in {
networking.nat.internalInterfaces = ["ve-+"]; networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "br0"; networking.nat.externalInterface = "br0";
containers.${container_name} = { containers.${containerName} = {
autoStart = true; autoStart = true;
privateNetwork = true; privateNetwork = true;
hostBridge = "br0"; hostBridge = "br0";
@ -40,10 +42,10 @@ in {
... ...
}: { }: {
networking = { networking = {
defaultGateway = "10.0.10.1"; defaultGateway = "${gatewayIp}";
interfaces.eth0.ipv4.addresses = [ interfaces.eth0.ipv4.addresses = [
{ {
"address" = "${container_ip}"; "address" = "${containerIp}";
"prefixLength" = 24; "prefixLength" = 24;
} }
]; ];
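Review bot: The container address now comes from configVars (`"address" = "${containerIp}";`) while `"prefixLength" = 24;` on the next line and `hostBridge = "br0";` stay literal, so one subnet definition is now split between the vars repo and this file; if the addresses repo ever moves to a different prefix the container keeps a stale mask with no eval-time signal. Consider sourcing the prefix from the same place (a hypothetical per-host attribute next to `ip` in the vars repo), or at least a comment next to `containerIp` stating the assumed /24 so the coupling is visible. The bitcoin-node and postgres hunks, and semita's br0 address, have the identical split.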


@ -2,6 +2,7 @@
inputs, inputs,
lib, lib,
config, config,
configVars,
pkgs, pkgs,
... ...
}: let }: let
@ -9,8 +10,10 @@
bitcoin-rpcpassword-public = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-rpcpassword-public".path; bitcoin-rpcpassword-public = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-rpcpassword-public".path;
bitcoin-HMAC-privileged = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-HMAC-privileged".path; bitcoin-HMAC-privileged = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-HMAC-privileged".path;
bitcoin-HMAC-public = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-HMAC-public".path; bitcoin-HMAC-public = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-HMAC-public".path;
container_name = "bitcoin-node"; containerName = "bitcoin-node";
container_ip = "10.0.10.4"; containerIp = configVars.networking.addresses.bitcoin-node.ip;
gatewayIp = configVars.networking.addresses.gateway.ip;
allowip = configVars.networking.addresses.bitcoin-node.services.bitcoind.allowip;
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys; pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
in { in {
sops.secrets = { sops.secrets = {
@ -23,7 +26,7 @@ in {
environment.persistence."/persist" = { environment.persistence."/persist" = {
hideMounts = true; hideMounts = true;
directories = [ directories = [
"/var/lib/nixos-containers/${container_name}" "/var/lib/nixos-containers/${containerName}"
]; ];
}; };
@ -31,7 +34,7 @@ in {
networking.nat.internalInterfaces = ["ve-+"]; networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "br0"; networking.nat.externalInterface = "br0";
containers.${container_name} = { containers.${containerName} = {
autoStart = true; autoStart = true;
privateNetwork = true; privateNetwork = true;
hostBridge = "br0"; hostBridge = "br0";
@ -85,8 +88,8 @@ in {
jq jq
]; ];
networking = { networking = {
defaultGateway = "10.0.10.1"; defaultGateway = "${gatewayIp}";
interfaces.eth0.ipv4.addresses = [ { "address" = "${container_ip}"; "prefixLength" = 24; } ]; interfaces.eth0.ipv4.addresses = [ { "address" = "${containerIp}"; "prefixLength" = 24; } ];
firewall = { firewall = {
enable = true; enable = true;
allowedTCPPorts = [ allowedTCPPorts = [
@ -120,7 +123,7 @@ in {
rpc = { rpc = {
address = "0.0.0.0"; address = "0.0.0.0";
threads = 6; threads = 6;
allowip = ["10.0.0.0/8"]; allowip = allowip;
users = let users = let
name = "bitcoin"; name = "bitcoin";
in { in {
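Review bot: `allowip = allowip;` in the rpc hunk now takes its value from the out-of-tree vars repo, and with `address = "0.0.0.0";` on the line above that list is the only thing limiting who can reach the RPC port, so the node's exposure is no longer reviewable in this repository. Document the expected shape and constraint where the binding is made, e.g. `# list of CIDR strings; keep to private ranges — rpc binds 0.0.0.0` on the `allowip =` line in the let block, and consider a guard such as `assert lib.isList allowip;` so a mistyped value fails at eval rather than as a bitcoind config error. `allowip = allowip;` itself can be written `inherit allowip;`. The old value was `["10.0.0.0/8"]`; whether the vars value is narrower or wider is not visible here.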


@ -2,13 +2,15 @@
inputs, inputs,
lib, lib,
config, config,
configVars,
pkgs, pkgs,
... ...
}: let }: let
postgresPasswordPath = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/postgres/postgres/password".path; postgresPasswordPath = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/postgres/postgres/password".path;
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys; pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
container_name = "postgres"; containerName = "postgres";
container_ip = "10.0.10.5"; containerIp = configVars.networking.addresses.postgres.ip;
gatewayIp = configVars.networking.addresses.gateway.ip;
in { in {
sops.secrets = { sops.secrets = {
"software/postgres/postgres/password" = { "software/postgres/postgres/password" = {
@ -18,7 +20,7 @@ in {
environment.persistence."/persist" = { environment.persistence."/persist" = {
hideMounts = true; hideMounts = true;
directories = [ directories = [
"/var/lib/nixos-containers/${container_name}" "/var/lib/nixos-containers/${containerName}"
]; ];
}; };
@ -26,7 +28,7 @@ in {
networking.nat.internalInterfaces = ["ve-+"]; networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "br0"; networking.nat.externalInterface = "br0";
containers.${container_name} = { containers.${containerName} = {
autoStart = true; autoStart = true;
privateNetwork = true; privateNetwork = true;
hostBridge = "br0"; hostBridge = "br0";
@ -44,10 +46,10 @@ in {
... ...
}: { }: {
networking = { networking = {
defaultGateway = "10.0.10.1"; defaultGateway = "${gatewayIp}";
interfaces.eth0.ipv4.addresses = [ interfaces.eth0.ipv4.addresses = [
{ {
"address" = "${container_ip}"; "address" = "${containerIp}";
"prefixLength" = 24; "prefixLength" = 24;
} }
]; ];


@ -1,4 +1,10 @@
{pkgs, ...}: { {
pkgs,
configVars,
...
}: let
serverIp = configVars.networking.addresses.merlin.ip;
in {
services = { services = {
udev.packages = [pkgs.sane-airscan]; udev.packages = [pkgs.sane-airscan];
printing = { printing = {
@ -16,7 +22,7 @@
sane = { sane = {
enable = true; enable = true;
extraBackends = [pkgs.sane-airscan]; extraBackends = [pkgs.sane-airscan];
netConf = "10.0.10.2"; netConf = "${serverIp}";
}; };
printers = { printers = {
ensurePrinters = [ ensurePrinters = [


@ -2,6 +2,7 @@
inputs, inputs,
lib, lib,
pkgs, pkgs,
configVars,
... ...
}: let }: let
# Disko setup # Disko setup
@ -14,6 +15,10 @@
else "/dev/root_vg/root"; else "/dev/root_vg/root";
user = "sam"; user = "sam";
impermanence = true; impermanence = true;
pieholeIp = configVars.networking.addresses.piehole.ip;
gatewayIp = configVars.networking.addresses.gateway.ip;
semitaIp = configVars.networking.addresses.semita.ip;
in { in {
imports = [ imports = [
# Create users for this host # Create users for this host
@ -107,8 +112,8 @@ in {
networking = { networking = {
hostName = "semita"; hostName = "semita";
nameservers = ["10.0.10.60" "10.0.10.1" "8.8.8.8"]; nameservers = ["${pieholeIp}" "${gatewayIp}" "8.8.8.8"];
defaultGateway = "10.0.10.1"; defaultGateway = "${gatewayIp}";
useDHCP = false; useDHCP = false;
bridges = { bridges = {
br0 = { br0 = {
@ -118,7 +123,7 @@ in {
interfaces.br0 = { interfaces.br0 = {
ipv4.addresses = [ ipv4.addresses = [
{ {
"address" = "10.0.10.3"; "address" = "${semitaIp}";
"prefixLength" = 24; "prefixLength" = 24;
} }
]; ];


@ -1,37 +1,52 @@
{ inputs, config, lib, pkgs, outputs, ... }: {
let inputs,
config,
lib,
configVars,
...
}: let
# Disko setup # Disko setup
fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence
dev = "/dev/sda"; # depends on target hardware dev = "/dev/sda"; # depends on target hardware
encrypted = false; # currrently only applies to btrfs encrypted = false; # currrently only applies to btrfs
btrfsMountDevice = if encrypted then "/dev/mapper/crypted" else "/dev/root_vg/root"; btrfsMountDevice =
if encrypted
then "/dev/mapper/crypted"
else "/dev/root_vg/root";
impermanence = true; impermanence = true;
in pieholeIp = configVars.networking.addresses.piehole.ip;
{ gatewayIp = configVars.networking.addresses.gateway.ip;
imports = in {
[ imports = [
# Create users for this host # Create users for this host
../common/users/media ../common/users/media
# Disk configuration # Disk configuration
inputs.disko.nixosModules.disko inputs.disko.nixosModules.disko
(import ../common/disks { device = dev; impermanence = impermanence; fsType = fsType; encrypted = encrypted; }) (import ../common/disks {
device = dev;
impermanence = impermanence;
fsType = fsType;
encrypted = encrypted;
})
# Impermanence # Impermanence
(import ../common/disks/btrfs/impermanence.nix { btrfsMountDevice = btrfsMountDevice; lib = lib; }) (import ../common/disks/btrfs/impermanence.nix {
btrfsMountDevice = btrfsMountDevice;
lib = lib;
})
# Import core options # Import core options
./hardware-configuration.nix ./hardware-configuration.nix
../common/core ../common/core
# Import optional options # Import optional options
../common/optional/openssh.nix ../common/optional/openssh.nix
../common/optional/persistence.nix ../common/optional/persistence.nix
../common/optional/nfs-mounts/media.nix ../common/optional/nfs-mounts/media.nix
../common/optional/gaming.nix ../common/optional/gaming.nix
../common/optional/printing.nix ../common/optional/printing.nix
];
];
boot = { boot = {
loader = { loader = {
@ -40,12 +55,13 @@ in
timeout = 3; timeout = 3;
}; };
}; };
boot.kernelParams = [ "i915.enable_psr=0" ]; boot.kernelParams = ["i915.enable_psr=0"];
networking = { networking = {
hostName = "sparky"; hostName = "sparky";
networkmanager.enable = true; networkmanager.enable = true;
enableIPv6 = false; enableIPv6 = false;
nameservers = ["${pieholeIp}" "${gatewayIp}" "8.8.8.8"];
}; };
nixpkgs.config.allowUnfreePredicate = pkg: nixpkgs.config.allowUnfreePredicate = pkg:
@ -61,7 +77,7 @@ in
services.xserver = { services.xserver = {
enable = true; enable = true;
videoDrivers = [ "nvidia" ]; videoDrivers = ["nvidia"];
displayManager.lightdm.enable = true; displayManager.lightdm.enable = true;
exportConfiguration = true; exportConfiguration = true;
deviceSection = '' deviceSection = ''
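Review bot: The added `nameservers = ["${pieholeIp}" "${gatewayIp}" "8.8.8.8"];` gives sparky static resolvers it previously did not set, next to `networkmanager.enable = true;`, which is a DNS behaviour change the commit message does not describe; with NetworkManager managing resolv.conf, how these entries combine with DHCP-supplied ones depends on the NixOS module and deserves a one-line comment stating the intended result. The first hunk also removes `pkgs` and `outputs` from the module arguments; if `pkgs` is used below the visible lines (the allowUnfreePredicate or xserver sections, for instance) evaluation will fail — confirm before merging. The same Pi-hole-then-gateway fallback concern raised on citadel applies here.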


@ -14,6 +14,11 @@ rebuild-system:
git add *.nix git add *.nix
sudo nixos-rebuild switch --option eval-cache false --flake .#$(hostname) sudo nixos-rebuild switch --option eval-cache false --flake .#$(hostname)
# test full system rebuild from flake (stages changes and automatically detects host)
rebuild-system-test:
git add *.nix
sudo nixos-rebuild test --option eval-cache false --flake .#$(hostname)
# updates all flake inputs for system # updates all flake inputs for system
update-flake: update-flake:
nix flake update nix flake update
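Review bot: `git add *.nix` in the new `rebuild-system-test` recipe (and the existing `rebuild-system` recipe above it) lets the shell expand the glob, so only top-level `*.nix` files are staged; the `vars/default.nix` this commit introduces lives in a subdirectory, and a flake evaluation only sees git-tracked files, so a freshly created file like it would be invisible to `nixos-rebuild`. Quote the pattern so git matches it recursively: `git add '*.nix'`.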

8
vars/default.nix Normal file

@ -0,0 +1,8 @@
{ inputs, ... }:
{
inherit (inputs.nix-secrets)
networking
email
;
}
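Review bot: Whatever is inherited from `inputs.nix-secrets` here is evaluated into the system configuration and lands in world-readable Nix store paths (the firefox bookmarks, the git config, resolv.conf), so this file should carry a comment making that contract explicit: `# non-secret deployment vars only (addresses, email); anything sensitive stays in sops, never here`. The file also requires nix-secrets to be a flake exposing `networking` and `email` as top-level outputs, which matches the flake.nix change in this commit but is worth stating in a comment, since a missing attribute only surfaces as an eval error at the first consumer. The `lib` argument passed from flake.nix is unused here and silently absorbed by `...`.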