add vars networking.addresses from nix-secrets

flake.lock

@@ -426,13 +426,12 @@
       }
     },
     "nix-secrets": {
-      "flake": false,
       "locked": {
-        "lastModified": 1728169228,
-        "narHash": "sha256-WT6kWWqMQE4KBdziZ/uuJ9sPcVg+6QJoOdBPdKAD0gI=",
+        "lastModified": 1728307023,
+        "narHash": "sha256-0UW+bb5hXNeLgrBbHuwZLeP/yTSC12wHrArpzNW7/kw=",
         "ref": "refs/heads/master",
-        "rev": "e9709bbb9adc91fb6b4dab5b16e15546cc596695",
-        "revCount": 165,
+        "rev": "3db4dbfd1032f9fe9f5c898d74ea738a0a70395b",
+        "revCount": 176,
         "type": "git",
         "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
       },

flake.nix

@@ -53,7 +53,7 @@
 
     nix-secrets = {
       url = "git+ssh://git@git.bitlab21.com/sam/nix-secrets.git";
-      flake = false;
+      inputs = { };
     };
   };
 
@@ -69,7 +69,14 @@
         "x86_64-linux"
       ];
       forAllSystems = nixpkgs.lib.genAttrs systems;
-      specialArgs = { inherit inputs outputs; };
+      inherit (nixpkgs) lib;
+      configVars = import ./vars { inherit inputs lib; };
+      specialArgs = { 
+        inherit 
+          inputs 
+          outputs
+          configVars
+          ; };
     in
     {
       packages = forAllSystems (system: import ./pkgs nixpkgs.legacyPackages.${system});
@@ -78,6 +85,7 @@
       nixosModules = import ./modules/nixos;
       homeManagerModules = import ./modules/home-manager;
 
+
       # System level configs
       nixosConfigurations = {
         nixdev = nixpkgs.lib.nixosSystem {

home/common/optional/desktop/common/default.nix

@@ -18,5 +18,7 @@
     pkgs.qgis
     pkgs.mpv
     pkgs.gnome.simple-scan
+    pkgs.pandoc
+    pkgs.texlive.combined.scheme-small
   ];
 }

home/common/optional/desktop/common/firefox.nix

@@ -1,38 +1,51 @@
-{ pkgs, config, ... }:
-let
-  user = config.home.username;
-in
 {
+  pkgs,
+  config,
+  configVars,
+  ...
+}: let
+  user = config.home.username;
+  jellyfinIp = configVars.networking.addresses.jellyfin.ip;
+  jellyfinPort = configVars.networking.addresses.jellyfin.port;
+in {
   programs.firefox = {
     enable = true;
     profiles.${user} = {
       search = {
         force = true;
         default = "Searx";
-        order = [ "Searx" "DuckDuckGo" ];
+        order = ["Searx" "DuckDuckGo"];
         engines = {
           "Nix Packages" = {
-            urls = [{
+            urls = [
+              {
                 template = "https://search.nixos.org/packages";
                 params = [
-                { name = "type"; value = "packages"; }
-                { name = "query"; value = "{searchTerms}"; }
+                  {
+                    name = "type";
+                    value = "packages";
+                  }
+                  {
+                    name = "query";
+                    value = "{searchTerms}";
+                  }
+                ];
+              }
             ];
-            }];
             icon = "''${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
-            definedAliases = [ "@np" ];
+            definedAliases = ["@np"];
           };
           "NixOS Wiki" = {
-            urls = [{ template = "https://nixos.wiki/index.php?search={searchTerms}"; }];
+            urls = [{template = "https://nixos.wiki/index.php?search={searchTerms}";}];
             iconUpdateURL = "https://nixos.wiki/favicon.png";
             updateInterval = 24 * 60 * 60 * 1000; # every day
-            definedAliases = [ "@nw" ];
+            definedAliases = ["@nw"];
           };
           "Searx" = {
-            urls = [{ template = "http://10.0.10.35:8855/?q={searchTerms}"; }];
+            urls = [{template = "http://10.0.10.35:8855/?q={searchTerms}";}];
             iconUpdateURL = "https://docs.searxng.org/_static/searxng-wordmark.svg";
             updateInterval = 24 * 60 * 60 * 1000; # every day
-            definedAliases = [ "@searx" ];
+            definedAliases = ["@searx"];
           };
           "Bing".metaData.hidden = true;
           "Google".metaData.alias = "@g"; # builtin engines only support specifying one additional alias
@@ -41,16 +54,18 @@ in
 
       bookmarks = [
         {
-          name = "wikipedia";
-          tags = [ "wiki" ];
-          keyword = "wiki";
-          url = "https://en.wikipedia.org/wiki/Special:Search?search=%s&go=Go";
+          name = "toolbar";
+          toolbar = true;
+          bookmarks = [
+            {
+              name = "Jellyfin";
+              url = "http://${jellyfinIp}:${jellyfinPort}";
             }
             {
-          name = "bitlab21";
-          tags = [ "bitcoin" ];
-          keyword = "bitcoin";
-          url = "https://bitlab21.com";
+              name = "Nixos Package Search";
+              url = "https://search.nixos.org/packages";
+            }
+          ];
         }
       ];
 
@@ -75,7 +90,6 @@ in
         privacy-badger
         zotero-connector
       ];
-
     };
   };
 }

home/common/optional/git.nix

@@ -1,10 +1,13 @@
-{ pkgs, ... }:
+{ pkgs, configVars, ... }:
+let
+  email = configVars.email.user;
+in
 {
   programs.git = {
     enable = true;
     package = pkgs.gitAndTools.gitFull;
     userName = "Sam";
-    userEmail = "samual.shop@proton.me";
+    userEmail = "${email}";
     aliases = { };
     extraConfig = {
       pull.rebase = false;

hosts/citadel/default.nix

@@ -3,6 +3,7 @@
   lib,
   pkgs,
   config,
+  configVars,
   ...
 }: let
   # Disko setup
@@ -15,6 +16,8 @@
     else "/dev/root_vg/root";
   user = "sam";
   impermanence = true;
+  pieholeIp = configVars.networking.addresses.piehole.ip;
+  gatewayIp = configVars.networking.addresses.gateway.ip;
 in {
   imports = [
     # Create users for this host
@@ -110,7 +113,7 @@ in {
     hostName = "citadel";
     networkmanager.enable = true;
     enableIPv6 = false;
-    nameservers = ["10.0.10.60" "8.8.8.8"];
+    nameservers = ["${pieholeIp}" "${gatewayIp}" "8.8.8.8"];
   };
 
   services.libinput.enable = true;

hosts/common/core/default.nix

@@ -37,6 +37,12 @@ in
     };
   };
 
+  nix.gc = {
+    automatic = true;
+    dates = "weekly";
+    options = "--delete-older-than 30d";
+  };
+
   environment.systemPackages = [
     pkgs.rsync
     pkgs.curl

hosts/common/core/sops.nix

@@ -1,13 +1,13 @@
-{ pkgs, lib, inputs, config, ... }:
-
-let
+{
+  lib,
+  inputs,
+  config,
+  ...
+}: let
   secretsDirectory = builtins.toString inputs.nix-secrets;
   secretsFile = "${secretsDirectory}/secrets.yaml";
   hasOptinPersistence = config.environment.persistence ? "/persist";
-  hostname = config.networking.hostName;
-
-in
-{
+in {
   imports = [
     inputs.sops-nix.nixosModules.sops
   ];
@@ -17,7 +17,7 @@ in
     validateSopsFiles = false;
 
     age = {
-      sshKeyPaths = [ "${lib.optionalString hasOptinPersistence "/persist"}/etc/ssh/ssh_host_ed25519_key" ];
+      sshKeyPaths = ["${lib.optionalString hasOptinPersistence "/persist"}/etc/ssh/ssh_host_ed25519_key"];
     };
     secrets = {
       "passwords/root".neededForUsers = true;

hosts/common/optional/nixos-containers/jellyfin.nix

@@ -1,16 +1,18 @@
 {
   lib,
   pkgs,
+  configVars,
   ...
 }: let
   pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
-  container_name = "jellyfin";
-  container_ip = "10.0.10.6";
+  containerName = "jellyfin";
+  containerIp = configVars.networking.addresses.jellyfin.ip;
+  gatewayIp = configVars.networking.addresses.gateway.ip;
 in {
   environment.persistence."/persist" = {
     hideMounts = true;
     directories = [
-      "/var/lib/nixos-containers/${container_name}"
+      "/var/lib/nixos-containers/${containerName}"
     ];
   };
 
@@ -18,7 +20,7 @@ in {
   networking.nat.internalInterfaces = ["ve-+"];
   networking.nat.externalInterface = "br0";
 
-  containers.${container_name} = {
+  containers.${containerName} = {
     autoStart = true;
     privateNetwork = true;
     hostBridge = "br0";
@@ -40,10 +42,10 @@ in {
       ...
     }: {
       networking = {
-        defaultGateway = "10.0.10.1";
+        defaultGateway = "${gatewayIp}";
         interfaces.eth0.ipv4.addresses = [
           {
-            "address" = "${container_ip}";
+            "address" = "${containerIp}";
             "prefixLength" = 24;
           }
         ];

hosts/common/optional/nixos-containers/nix-bitcoin.nix

@@ -2,6 +2,7 @@
   inputs,
   lib,
   config,
+  configVars,
   pkgs,
   ...
 }: let
@@ -9,8 +10,10 @@
   bitcoin-rpcpassword-public = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-rpcpassword-public".path;
   bitcoin-HMAC-privileged = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-HMAC-privileged".path;
   bitcoin-HMAC-public = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-HMAC-public".path;
-  container_name = "bitcoin-node";
-  container_ip = "10.0.10.4";
+  containerName = "bitcoin-node";
+  containerIp = configVars.networking.addresses.bitcoin-node.ip;
+  gatewayIp = configVars.networking.addresses.gateway.ip;
+  allowip = configVars.networking.addresses.bitcoin-node.services.bitcoind.allowip;
   pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
 in {
   sops.secrets = {
@@ -23,7 +26,7 @@ in {
   environment.persistence."/persist" = {
     hideMounts = true;
     directories = [
-      "/var/lib/nixos-containers/${container_name}"
+      "/var/lib/nixos-containers/${containerName}"
     ];
   };
 
@@ -31,7 +34,7 @@ in {
   networking.nat.internalInterfaces = ["ve-+"];
   networking.nat.externalInterface = "br0";
 
-  containers.${container_name} = {
+  containers.${containerName} = {
     autoStart = true;
     privateNetwork = true;
     hostBridge = "br0";
@@ -85,8 +88,8 @@ in {
         jq
       ];
       networking = {
-        defaultGateway = "10.0.10.1";
-        interfaces.eth0.ipv4.addresses = [ { "address" = "${container_ip}"; "prefixLength" = 24; } ];
+        defaultGateway = "${gatewayIp}";
+        interfaces.eth0.ipv4.addresses = [ { "address" = "${containerIp}"; "prefixLength" = 24; } ];
         firewall = {
           enable = true;
           allowedTCPPorts = [
@@ -120,7 +123,7 @@ in {
           rpc = {
             address = "0.0.0.0";
             threads = 6;
-            allowip = ["10.0.0.0/8"];
+            allowip = allowip;
             users = let
               name = "bitcoin";
             in {

hosts/common/optional/nixos-containers/postgres.nix

@@ -2,13 +2,15 @@
   inputs,
   lib,
   config,
+  configVars,
   pkgs,
   ...
 }: let
   postgresPasswordPath = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/postgres/postgres/password".path;
   pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
-  container_name = "postgres";
-  container_ip = "10.0.10.5";
+  containerName = "postgres";
+  containerIp = configVars.networking.addresses.postgres.ip;
+  gatewayIp = configVars.networking.addresses.gateway.ip;
 in {
   sops.secrets = {
     "software/postgres/postgres/password" = {
@@ -18,7 +20,7 @@ in {
   environment.persistence."/persist" = {
     hideMounts = true;
     directories = [
-      "/var/lib/nixos-containers/${container_name}"
+      "/var/lib/nixos-containers/${containerName}"
     ];
   };
 
@@ -26,7 +28,7 @@ in {
   networking.nat.internalInterfaces = ["ve-+"];
   networking.nat.externalInterface = "br0";
 
-  containers.${container_name} = {
+  containers.${containerName} = {
     autoStart = true;
     privateNetwork = true;
     hostBridge = "br0";
@@ -44,10 +46,10 @@ in {
       ...
     }: {
       networking = {
-        defaultGateway = "10.0.10.1";
+        defaultGateway = "${gatewayIp}";
         interfaces.eth0.ipv4.addresses = [
           {
-            "address" = "${container_ip}";
+            "address" = "${containerIp}";
             "prefixLength" = 24;
           }
         ];

hosts/common/optional/printing.nix

@@ -1,4 +1,10 @@
-{pkgs, ...}: {
+{
+  pkgs,
+  configVars,
+  ...
+}: let
+  serverIp = configVars.networking.addresses.merlin.ip;
+in {
   services = {
     udev.packages = [pkgs.sane-airscan];
     printing = {
@@ -16,7 +22,7 @@
     sane = {
       enable = true;
       extraBackends = [pkgs.sane-airscan];
-      netConf = "10.0.10.2";
+      netConf = "${serverIp}";
     };
     printers = {
       ensurePrinters = [

hosts/semita/default.nix

@@ -2,6 +2,7 @@
   inputs,
   lib,
   pkgs,
+  configVars,
   ...
 }: let
   # Disko setup
@@ -14,6 +15,10 @@
     else "/dev/root_vg/root";
   user = "sam";
   impermanence = true;
+  pieholeIp = configVars.networking.addresses.piehole.ip;
+  gatewayIp = configVars.networking.addresses.gateway.ip;
+  semitaIp = configVars.networking.addresses.semita.ip;
+
 in {
   imports = [
     # Create users for this host
@@ -107,8 +112,8 @@ in {
 
   networking = {
     hostName = "semita";
-    nameservers = ["10.0.10.60" "10.0.10.1" "8.8.8.8"];
-    defaultGateway = "10.0.10.1";
+    nameservers = ["${pieholeIp}" "${gatewayIp}" "8.8.8.8"];
+    defaultGateway = "${gatewayIp}";
     useDHCP = false;
     bridges = {
       br0 = {
@@ -118,7 +123,7 @@ in {
     interfaces.br0 = {
       ipv4.addresses = [
         {
-          "address" = "10.0.10.3";
+          "address" = "${semitaIp}";
           "prefixLength" = 24;
         }
       ];

hosts/sparky/default.nix

@@ -1,24 +1,40 @@
-{ inputs, config, lib, pkgs, outputs, ... }:
-let
+{
+  inputs,
+  config,
+  lib,
+  configVars,
+  ...
+}: let
   # Disko setup
   fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence
   dev = "/dev/sda"; # depends on target hardware
   encrypted = false; # currrently only applies to btrfs
-  btrfsMountDevice = if encrypted then "/dev/mapper/crypted" else "/dev/root_vg/root";
+  btrfsMountDevice =
+    if encrypted
+    then "/dev/mapper/crypted"
+    else "/dev/root_vg/root";
   impermanence = true;
-in
-{
-  imports =
-    [
+  pieholeIp = configVars.networking.addresses.piehole.ip;
+  gatewayIp = configVars.networking.addresses.gateway.ip;
+in {
+  imports = [
     # Create users for this host
     ../common/users/media
 
     # Disk configuration
     inputs.disko.nixosModules.disko
-      (import ../common/disks { device = dev; impermanence = impermanence; fsType = fsType; encrypted = encrypted; })
+    (import ../common/disks {
+      device = dev;
+      impermanence = impermanence;
+      fsType = fsType;
+      encrypted = encrypted;
+    })
 
     # Impermanence
-      (import ../common/disks/btrfs/impermanence.nix { btrfsMountDevice = btrfsMountDevice; lib = lib; })
+    (import ../common/disks/btrfs/impermanence.nix {
+      btrfsMountDevice = btrfsMountDevice;
+      lib = lib;
+    })
 
     # Import core options
     ./hardware-configuration.nix
@@ -30,7 +46,6 @@ in
     ../common/optional/nfs-mounts/media.nix
     ../common/optional/gaming.nix
     ../common/optional/printing.nix
-
   ];
 
   boot = {
@@ -40,12 +55,13 @@ in
       timeout = 3;
     };
   };
-  boot.kernelParams = [ "i915.enable_psr=0" ];
+  boot.kernelParams = ["i915.enable_psr=0"];
 
   networking = {
     hostName = "sparky";
     networkmanager.enable = true;
     enableIPv6 = false;
+    nameservers = ["${pieholeIp}" "${gatewayIp}" "8.8.8.8"];
   };
 
   nixpkgs.config.allowUnfreePredicate = pkg:
@@ -61,7 +77,7 @@ in
 
   services.xserver = {
     enable = true;
-    videoDrivers = [ "nvidia" ];
+    videoDrivers = ["nvidia"];
     displayManager.lightdm.enable = true;
     exportConfiguration = true;
     deviceSection = ''

justfile

@@ -14,6 +14,11 @@ rebuild-system:
   git add *.nix
   sudo nixos-rebuild switch --option eval-cache false --flake .#$(hostname)
 
+# test full system rebuild from flake (stages changes and automatically detects host)
+rebuild-system-test:
+  git add *.nix
+  sudo nixos-rebuild test --option eval-cache false --flake .#$(hostname)
+
 # updates all flake inputs for system
 update-flake:
   nix flake update

vars/default.nix

@@ -0,0 +1,8 @@
+{ inputs, ... }:
+{
+  inherit (inputs.nix-secrets)
+    networking
+    email
+    ;
+
+}