diff --git a/lib/default.nix b/lib/default.nix
index c1600b45..8057ad3a 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -41,6 +41,7 @@
 unfree ? false,
 ip ? null,
 ephemeral ? false,
+ deployment_type ? "containers",
 pkgs ? import inputs.${repo} { inherit system; config.allowUnfree = unfree; hostPlatform = system; },
 pkgs-unstable ? import inputs.nixpkgs-unstable
@@ -57,8 +58,8 @@
 localAddress = "192.168.2.${ip}";
 restartIfChanged = true;
 enableTun = true;
- specialArgs = { inherit pkgs-unstable hostname username desktop theme system repo unfree stateVersion ip; };
- config = { lib, config, pkgs-unstable, hostname, username, desktop, theme, system, repo, stateVersion, ip, ... }: {
+ specialArgs = { inherit pkgs-unstable hostname username desktop theme system repo unfree stateVersion ip deployment_type; };
+ config = { lib, config, pkgs-unstable, hostname, username, desktop, theme, system, repo, stateVersion, ip, deployment_type, ... }: {
 nixpkgs.pkgs = import inputs.${repo} {
 inherit system;
 config.allowUnfree = unfree;
@@ -85,10 +86,11 @@
 system ? "x86_64-linux",
 theme ? "default",
 type ? "default",
- repo ? "nixpkgs-unstable"
+ repo ? "nixpkgs-unstable",
+ deployment_type ? "hosts",
 }: inputs.${repo}.lib.nixosSystem {
 specialArgs = {
- inherit inputs outputs desktop hostname username hmStateVersion stateVersion gpu system theme self;
+ inherit inputs outputs desktop hostname username hmStateVersion stateVersion gpu system theme self deployment_type;
 # Some packages (ie, Vintage Story) I want to keep on unstable no matter what default repo I use
 pkgs-unstable = import inputs.nixpkgs-unstable {
 inherit system;
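Review bot: `deployment_type` is a free-form string that the syncthing and tailscale-autoconnect hunks interpolate straight into a sops path (`../../../secrets/${deployment_type}/${hostname}.yaml`), so a misspelled value from a caller only surfaces later as a missing-file error from the sops module rather than at the call site; since the only two directories are `secrets/hosts` and `secrets/containers`, an `assert builtins.elem deployment_type [ "hosts" "containers" ];` placed before `inputs.${repo}.lib.nixosSystem {` would fail fast and name the bad value. The same applies to the `@@ -116` hunk in this file and to the container builder in the first hunk, whose body starts outside the hunk. As a point of style, `deployment_type` is the only snake_case argument beside `hmStateVersion`/`stateVersion`; `deploymentType` would match the rest.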
@@ -116,10 +118,11 @@
 theme ? "default",
 type ? "default",
 repo ? "nixpkgs",
+ deployment_type ? "hosts",
 unfree ? false
 }: inputs.${repo}.lib.nixosSystem {
 specialArgs = {
- inherit inputs outputs desktop hostname username hmStateVersion stateVersion gpu system theme self;
+ inherit inputs outputs desktop hostname username hmStateVersion stateVersion gpu system theme self deployment_type;
 # Choose whether to pull from stable or unstable
 pkgs = import inputs.${repo} {
 inherit system;
diff --git a/nixos/common/services/syncthing.nix b/nixos/common/services/syncthing.nix
index 324e45c8..e213115f 100644
--- a/nixos/common/services/syncthing.nix
+++ b/nixos/common/services/syncthing.nix
@@ -1,16 +1,42 @@
-{pkgs, config, ... }: {
- services.syncthing = {
- settings = {
- devices = {
- "win10-desktop" = {
- name = "win10-desktop";
- id = "VDAEJGQ-RA7GAT5-KLA7SRL-X2CV2EG-RMRMD6Z-TFE36JA-2TBBQG2-ED346AL";
- };
- "framework-server" = { # The docker container, not the host
- name = "framework-server";
- id = "ULRNA7N-Q7WTZR3-PDQW52W-IWT4UOG-ABF5RCT-W6XJXOW-WQTJIWR-GBFUJQR";
- };
- };
+{pkgs, username, hostname, config, deployment_type, ... }: {
+ # Set up the secrets file:
+ sops.secrets."syncthing_cert" = {
+ owner = "root";
+ sopsFile = ../../../secrets/${deployment_type}/${hostname}.yaml;
+ restartUnits = [ "syncthing.service" ];
+ };
+ sops.secrets."syncthing_key" = {
+ owner = "root";
+ sopsFile = ../../../secrets/${deployment_type}/${hostname}.yaml;
+ restartUnits = [ "syncthing.service" ];
+ };
+
+ services.syncthing = {
+ enable = true;
+ cert = "/run/secrets/syncthing_cert";
+ key = "/run/secrets/syncthing_key";
+ user = "${username}";
+ configDir = "/home/${username}/.config/syncthing";
+ overrideDevices = true;
+ overrideFolders = true;
+ settings = {
+ devices = {
+ "win10-desktop" = {
+ id = "VDAEJGQ-RA7GAT5-KLA7SRL-X2CV2EG-RMRMD6Z-TFE36JA-2TBBQG2-ED346AL";
 };
+ "framework-server" = { # The docker container, not the host
+ id = "ULRNA7N-Q7WTZR3-PDQW52W-IWT4UOG-ABF5RCT-W6XJXOW-WQTJIWR-GBFUJQR";
+ };
+ "nixos-framework" = {
+ id = "TT3EHRG-U6MMJUC-S3UPF2F-TRUMBPI-TC37RMI-BQ7TT5W-N7DIIWK-653TFAU";
+ };
+ "nixos-desktop" = {
+ id = "5VWSC5F-UKNQK7L-5XDJORY-SJXJUFC-D5QCNYX-YPQBJ4J-AFSVHWY-CXO3MQT";
+ };
+ "rdesktop" = {
+ id = "VJH2YXUG-Y2QTRZ5-Q2XEKLU-7MVETXQ-WRWDDLD-D4PCJ47-T4KVVNV-XXC6PA";
+ };
+ };
 };
+ };
 }
diff --git a/nixos/common/services/tailscale-autoconnect.nix b/nixos/common/services/tailscale-autoconnect.nix
index b07c638b..56c01a6a 100644
--- a/nixos/common/services/tailscale-autoconnect.nix
+++ b/nixos/common/services/tailscale-autoconnect.nix
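Review bot: The secret names declared here, `sops.secrets."syncthing_cert"` and `sops.secrets."syncthing_key"`, do not match the keys this same commit writes into the sops files, which are `syncthing-cert` and `syncthing-key` (see the rdesktop.yaml and nixos-desktop.yaml hunks), and the block removed from nixos-framework/syncthing.nix also used the hyphenated names; sops-nix looks a secret up by its attribute name unless `key` overrides it, so these two will not resolve. Either rename the two attributes and the two `/run/secrets/...` paths to the hyphenated form, or add `key = "syncthing-cert";` and `key = "syncthing-key";` to the respective blocks. Separately, the `rdesktop` device id is grouped 8-7-7-7-7-7-7-6 instead of eight groups of 7 like the other ids, which looks like a copy slip; syncthing strips separators so it may still parse, but it is worth re-checking against the device. `user = "${username}"` can simply be `user = username;`, as the containers hunk now does for `hostName`.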
@@ -1,9 +1,9 @@
-{ hostname, ... }: {
+{ hostname, deployment_type,... }: {
 # Generic Tailscale configs are in /nixos/common/services/tailscale.nix
 # Set up the secrets file:
 sops.secrets."tailscale_key" = {
 owner = "root";
- sopsFile = ../../../secrets/hosts/${hostname}.yaml;
+ sopsFile = ../../../secrets/${deployment_type}/${hostname}.yaml;
 restartUnits = [
 "tailscaled.service"
 "tailscaled-autoconnect.service"
diff --git a/nixos/containers/default.nix b/nixos/containers/default.nix
index fa0e3ab5..c50c265f 100644
--- a/nixos/containers/default.nix
+++ b/nixos/containers/default.nix
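Review bot: The new argument list `{ hostname, deployment_type,... }: {` drops the space before the ellipsis that every other attrset pattern in this diff has; `{ hostname, deployment_type, ... }: {`. With the sops path now derived from `deployment_type`, a one-line comment next to `sopsFile` saying that the value is expected to be `hosts` or `containers` (matching the directories under `secrets/`) would save the next reader a trip to lib/default.nix; the rest of the module continues outside the hunk.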
@@ -9,53 +9,27 @@
 ../common/services/telegraf.nix
 ../common/services/openssh.nix
 ../common/services/gnupg-agent.nix
+ ../common/services/tailscale.nix
 ];
- networking.interfaces.eth0.ipv4.addresses = [{
- address = "192.168.2.${ip}";
- prefixLength = 24;
- }];
-
- programs.fish.enable = true;
- time.timeZone = "Asia/Tokyo";
-
- # We can access the internet through this interface.
- networking.defaultGateway = {
- address = "192.168.2.1";
- interface = "eth0";
+ networking = {
+ defaultGateway = {
+ address = "192.168.2.1";
+ interface = "eth0";
+ };
+ interfaces = {
+ eth0.ipv4.addresses = [{
+ address = "192.168.2.${ip}";
+ prefixLength = 24;
+ }];
+ };
 };
+ time.timeZone = "Asia/Tokyo";
 boot.isContainer = true;
 system.stateVersion = stateVersion;
- networking.hostName = "${hostname}";
-
- # Set up the secrets file:
- sops.secrets."tailscale_key" = {
- owner = "root";
- sopsFile = ../../secrets/containers/${hostname}.yaml;
- restartUnits = [
- "tailscaled.service"
- "tailscaled-autoconnect.service"
- ];
- };
-
- services.tailscale = {
- enable = true;
- authKeyFile = "/run/secrets/tailscale_key";
- interfaceName = "tailscale0";
- extraUpFlags = [
- "--login-server=https://headscale.sysctl.io"
- "--accept-dns"
- "--accept-routes"
- ];
- };
-
- networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 22 ];
- networking.firewall.checkReversePath = "loose";
- networking.extraHosts = ''
- 100.64.0.14 influx.sysctl.io
- 100.64.0.14 loki.sysctl.io
- '';
+ networking.hostName = hostname;
+ programs.fish.enable = true;
 # Select internationalisation properties.
 i18n.defaultLocale = "en_US.UTF-8";
diff --git a/nixos/containers/rdesktop/default.nix b/nixos/containers/rdesktop/default.nix
index b1180f8f..0b2ccd0e 100644
--- a/nixos/containers/rdesktop/default.nix
+++ b/nixos/containers/rdesktop/default.nix
@@ -1,4 +1,4 @@
-{ desktop, username, lib, ... }: {
+{ pkgs, desktop, username, lib, ... }: {
 imports = [
 ../../users/${username}
 ../../common/desktops/${desktop}
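Review bot: The hunk removes `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 22 ]`, `networking.firewall.checkReversePath = "loose"` and the `networking.extraHosts` entries for influx/loki, and the only replacement on the new side is the import of `../common/services/tailscale.nix`, which is not part of this diff; if that module does not carry the firewall, reverse-path and extraHosts settings, every container built from this file loses SSH reachability over the tailscale interface and name resolution for those two hosts, which is a change in firewall posture rather than a pure refactor. The `sops.secrets."tailscale_key"`/`services.tailscale` auth block is gone as well, and in this commit only the rdesktop container imports `tailscale-autoconnect.nix`, so the other containers presumably end up with the daemon installed but no auth key unless tailscale.nix handles that too. A one-line comment above the new import naming which of the removed settings now live in tailscale.nix, and which moved to tailscale-autoconnect.nix, would make the split auditable from this file.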
@@ -6,6 +6,7 @@
 ../../common/modules/fonts.nix
 ../../common/services/gnupg-agent.nix
 ../../common/software/cli/clean-hm.nix
+ ../../common/services/tailscale-autoconnect.nix
 ];
 hardware.pulseaudio.enable = lib.mkDefault true;
@@ -20,6 +21,10 @@
 services.xrdp = {
 enable = true;
 openFirewall = true;
- audio.enable = true;
+ audio = {
+ enable = true;
+ package = pkgs.pulseaudio-module-xrdp;
+ };
 };
+
 }
diff --git a/nixos/hosts/nixos-desktop/syncthing.nix b/nixos/hosts/nixos-desktop/syncthing.nix
new file mode 100644
index 00000000..5afefc9a
--- /dev/null
+++ b/nixos/hosts/nixos-desktop/syncthing.nix
@@ -0,0 +1,25 @@
+{ pkgs, config, hostname, username, ... }: {
+ imports = [ ../../common/services/syncthing.nix ];
+
+ services.syncthing = {
+ settings = {
+ folders = {
+ "kenshi-saves" = {
+ id = "kenshi";
+ path = "/home/${username}/.steam/steam/steamapps/compatdata/233860/pfx/drive_c/users/steamuser/AppData/Local/kenshi/";
+ devices = [ "framework-server" "win10-desktop" "nixos-desktop" "nixos-framework" ];
+ };
+ "world-of-warcraft" = {
+ id = "ergcw-ay6yg";
+ path = "/home/${username}/Games/battlenet/drive_c/Program Files (x86)/World of Warcraft/";
+ devices = [ "framework-server" "win10-desktop" "nixos-desktop" "nixos-framework" ];
+ };
+ "notes" = {
+ id = "notes";
+ path = "/home/${username}/notes";
+ devices = [ "framework-server" "win10-desktop" "nixos-desktop" "nixos-framework" ];
+ };
+ };
+ };
+ };
+}
diff --git a/nixos/hosts/nixos-framework/syncthing.nix b/nixos/hosts/nixos-framework/syncthing.nix
index 11964d6a..5afefc9a 100644
--- a/nixos/hosts/nixos-framework/syncthing.nix
+++ b/nixos/hosts/nixos-framework/syncthing.nix
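Review bot: The `@@ -20,6 +21,10 @@` hunk adds an empty line between the closing `};` of `services.xrdp` and the file's final `}` with nothing after it; drop the stray blank line. The `audio = { enable = true; package = pkgs.pulseaudio-module-xrdp; };` expansion itself reads fine.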
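Review bot: The new nixos-desktop/syncthing.nix is byte-identical to what the nixos-framework/syncthing.nix hunk produces (both file headers end at blob `5afefc9a`), so the three folder definitions are now maintained twice per host; since the common module already sets `overrideFolders = true`, the folders could live in `../../common/services/syncthing.nix` or a shared file imported by both hosts, leaving each host file as a single import. The `pkgs`, `config` and `hostname` arguments are unused in this file, so `{ username, ... }: {` is sufficient. Listing the host's own name in every folder's `devices` appears redundant, as the local device is always a member of its folders, but confirm against the syncthing module's behaviour before dropping it.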
@@ -1,37 +1,23 @@
 { pkgs, config, hostname, username, ... }: {
 imports = [ ../../common/services/syncthing.nix ];
- # Set up the secrets file:
- sops.secrets."syncthing-cert" = {
- owner = "root";
- sopsFile = ../../../secrets/hosts/nixos-framework.yaml;
- restartUnits = [ "syncthing.service" ];
- };
- sops.secrets."syncthing-key" = {
- owner = "root";
- sopsFile = ../../../secrets/hosts/nixos-framework.yaml;
- restartUnits = [ "syncthing.service" ];
- };
-
 services.syncthing = {
- enable = true;
- cert = "/run/secrets/syncthing-cert";
- key = "/run/secrets/syncthing-key";
- user = "${username}";
- configDir = "/home/${username}/.config/syncthing";
- overrideDevices = true;
- overrideFolders = true;
 settings = {
 folders = {
- "kenshi-saves" = {
- id = "kenshi";
- path = "/home/${username}/.steam/steam/steamapps/compatdata/233860/pfx/drive_c/users/steamuser/AppData/Local/kenshi/";
- devices = [ "framework-server" "win10-desktop" ];
+ "kenshi-saves" = {
+ id = "kenshi";
+ path = "/home/${username}/.steam/steam/steamapps/compatdata/233860/pfx/drive_c/users/steamuser/AppData/Local/kenshi/";
+ devices = [ "framework-server" "win10-desktop" "nixos-desktop" "nixos-framework" ];
 };
 "world-of-warcraft" = {
- id = "ergcw-ay6yg";
- path = "/home/${username}/Games/battlenet/drive_c/Program Files (x86)/World of Warcraft/";
- devices = [ "framework-server" "win10-desktop" ];
+ id = "ergcw-ay6yg";
+ path = "/home/${username}/Games/battlenet/drive_c/Program Files (x86)/World of Warcraft/";
+ devices = [ "framework-server" "win10-desktop" "nixos-desktop" "nixos-framework" ];
+ };
+ "notes" = {
+ id = "notes";
+ path = "/home/${username}/notes";
+ devices = [ "framework-server" "win10-desktop" "nixos-desktop" "nixos-framework" ];
 };
 };
 };
diff --git a/nixos/minimal.nix b/nixos/minimal.nix
index 969d7ea2..8cd6907c 100644
--- a/nixos/minimal.nix
+++ b/nixos/minimal.nix
@@ -12,6 +12,7 @@
 # NixOS Modules
 ./common/modules/networking.nix # Initial Networking configs
+ ./common/services/tailscale.nix # Generlc tailscale installation
 ./common/modules/nixos.nix # Common NixOS Configurations
 ./users/${username}
diff --git a/secrets/containers/rdesktop.yaml b/secrets/containers/rdesktop.yaml
index 150823fc..cf6e0619 100644
--- a/secrets/containers/rdesktop.yaml
+++ b/secrets/containers/rdesktop.yaml
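Review bot: The comment on the new import line has a typo, `Generlc`; `./common/services/tailscale.nix # Generic tailscale installation`. The enclosing `imports` list starts and ends outside the hunk.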
@@ -1,12 +1,14 @@ tailscale_key: ENC[AES256_GCM,data:qeTgvxO7OgzPkxMaoBNOrMWiKLslb2OGnF6MW0+II5TySw/oNuaA3AyhQUR91OIG,iv:T8M4y6xIBqbUn0jLsMwo5IeLYwOVsLmKc2RlEqWfcqo=,tag:1nthjRq8a1HsOW/P1xsVhw==,type:str] +syncthing-cert: ENC[AES256_GCM,data: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,iv:sxgS4uXhrsXihm97VJIykCzWYQl7IQi9LSAb/g5Rtoo=,tag:sKls61CfHuye+M6nPMCJWQ==,type:str] +syncthing-key: ENC[AES256_GCM,data:9DOCfKBs1zRMUq2J5CNmvF3xC50baV/ZzQ/UKDkRBts673ceB4Bnhz/kxv8GAHTiyC8Yvi6lGWnCcUhSFcGgse3A8QcvCAXZohEHgbUGLXtINHfY7OEK0coTlRrbWqFH5SE5fZLvOcilEEiq4AU5WNWjXcFqT/12mUMNtRM6J1ZhT3rJ0zkGDv850fcAtlTL/6v6ozJEpgQ5qn88KPTQRpHGfbw7ECbKVAF1rfEpoidw/+ybMpDU/HZKwW3spSWYeFJiT3RgqRcqiMv2p0Ab7QadBFyF5v5aPSV9kaROWNz1z3/8Z92Tkfb60mtwHVuXTe/8RHtvOL61Np/AKly3zD6z6rZouvB7Fp9mw064MphdNlru56SYQTYXWVgjvxVg,iv:/4q4tO9YZ2jlrxu2t/k+DqQJcB/g4SxdJGbWwZ5e6Ak=,tag:GQ825Br3yQA1D56o6xqoLQ==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: [] - lastmodified: "2024-05-08T09:06:05Z" - mac: ENC[AES256_GCM,data:SJRtqGrr8HWM867QHYkoe4i2/z5/LwrzSuxD0Jp3hJuXJvkngDDsC/2e0bPuzxqTS0M1gJuy43fGiZzfZ1KPqyiDlocuV5hUvvvUIX3DE8TfXO6arcamUo9uz7w/STz68IKw3PJTr4smaIZB+/usmSQpd3QhTe5pdVVAXIXJpCY=,iv:Fpbr3FIu0IxWVdMqWkOc4kBuCvGqT4sEiW6oRu1So3M=,tag:hMP7Ug3jKI4tl2w1LvUcAw==,type:str] + lastmodified: "2024-07-02T02:53:26Z" + mac: ENC[AES256_GCM,data:5kKCjjfmWFgnbiA+2u61AtIWpjlaA1heeb9w7oer3dCWnD8LB8jtx9rxLtwXUd69HiTwQN0Y9pPeZ4SxMdaE30aN0IDK3Q+g8FGfw8Z+Q79wrZz3VW56791UOFE0alkVlLifyGha/nfQQz3l048ZdnndiVfayuyiZW7wJKdPBq8=,iv:BdY0LTY7u2kjfj9pDh1yJKIv0TWRRMT8EkJ/PmP6g20=,tag:Ev/4C9Pw97+iuf8gQJpglA==,type:str] pgp: - created_at: "2024-05-06T12:29:58Z" enc: |- diff --git a/secrets/hosts/nixos-desktop.yaml b/secrets/hosts/nixos-desktop.yaml index a2a63abf..2a79500d 100644 --- a/secrets/hosts/nixos-desktop.yaml +++ b/secrets/hosts/nixos-desktop.yaml 
@@ -1,12 +1,14 @@ -tailscale_key: null +tailscale_key: ENC[AES256_GCM,data:n1fNK0Eklt0hZsgYctGbhbdIw3aSQLTJaO7adjXW8utcAMxIKFqEXb7fjqDhr5w5,iv:ZJaY0mj5DGwpFwM1BVxlDp3eFbGM3K8D5UlEtHiEF74=,tag:kSrnNt9/0m/+DxTN3XYVSA==,type:str] +syncthing-cert: ENC[AES256_GCM,data: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,iv:3eEcW+3UkJNrD4++0KiFsNYwKWTOoRwY21eTejYCVZ8=,tag:aaf571FSOhN+X89CgjByLA==,type:str] +syncthing-key: ENC[AES256_GCM,data:MMkY/CVWjsflB+xWlOeztcwybTOBr/QSDR7LjLiGfmUue7MZ7FPuQtOPqSDZSGpaBxNTcMKEldm64zG1Am6WR8dNxYcr0SMPMX9Igs1PfNvtpWJxGJdnUZ6EfAcbfQp6kv1VNpyMQtRA5O+vaPlH1cwwJI3LxiJs9X7jaSB5QeuELEMW1KlBuqHf0SuQV4KE0abfpaHwrSls9AR98y1q1bQQ490KwrD4Kw0HwKvnLtH56nwc+fG1tgZeM19qr6vfxDrLzyKd7QP3IyAtvIyYk0FB9IEspbmyDACS0bTIB0DrLnOAeCqYZCWtdrR+SEcFnKzz2Msk9FQ1tUcAqxDqPEmo0bq39h/1oW+jTLZgJoqDYFQMfnK5qTDvv7XfdTe0,iv:r19IgMUuuT9vWOtyC9RGfspuMnjR4faFSosPfDDhWMc=,tag:+lCR9xsrCOoH5VxQhgiwGQ==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: [] - lastmodified: "2024-04-25T10:33:03Z" - mac: ENC[AES256_GCM,data:FbWd+kZJ2ZoK1VBE0bRjMQuOnHKQIaD5+QXZCMf4ns6Fb6sgC1JRM6Q7tarfrKIU7fv8V6zmboaLeyvyEb57L701MJNEK9MOLzqxOynpY1hC5sLyfxdCUnlDkSqa5dpbqmm2riZfObUeT5xa1ppIcsAXcNgcbYTT2l/vW/novho=,iv:Pzucs8pFX7iVAt/5GWNVMafT14ErSve9k4C70AVL52c=,tag:3CQAvaC5tiF0ei/NBbPNXw==,type:str] + lastmodified: "2024-07-02T02:52:12Z" + mac: ENC[AES256_GCM,data:UxVNqSeunW0zeXQE2TNhh8pGxioMJJK14+bAffh+n7OpdEmM46Vt5Bldb5WqGYUhTl4211TwovZtSO6iZuwEGWp1vOAowzHaB5Z4MWwS1ujOmw9wC6Fx5TK7L3nEcDDRfrKai2GHJw+aYdcoe7heH88rXXzsd38U2J82kKpRDYw=,iv:F4779t/JC5Id05/CdmSb0Mdu/Al11fhWXe2P0tB0G/k=,tag:RVa/kuHOh2cI1Ai/bvNFcA==,type:str] pgp: - created_at: "2024-05-06T12:29:52Z" enc: |-