Added deployment_type to some configs to facilitate better secret management, updated syncthing, etc

This commit is contained in:
albert 2024-07-02 17:54:14 +09:00
parent 1e868c6ae9
commit d9a41dfee8
Signed by: albert
GPG key ID: 3895DD267CA11BA9
10 changed files with 118 additions and 94 deletions


@ -41,6 +41,7 @@
unfree ? false,
ip ? null,
ephemeral ? false,
deployment_type ? "containers",
pkgs ? import inputs.${repo}
{ inherit system; config.allowUnfree = unfree; hostPlatform = system; },
pkgs-unstable ? import inputs.nixpkgs-unstable
@ -57,8 +58,8 @@
localAddress = "192.168.2.${ip}";
restartIfChanged = true;
enableTun = true;
specialArgs = { inherit pkgs-unstable hostname username desktop theme system repo unfree stateVersion ip; };
config = { lib, config, pkgs-unstable, hostname, username, desktop, theme, system, repo, stateVersion, ip, ... }: {
specialArgs = { inherit pkgs-unstable hostname username desktop theme system repo unfree stateVersion ip deployment_type; };
config = { lib, config, pkgs-unstable, hostname, username, desktop, theme, system, repo, stateVersion, ip, deployment_type, ... }: {
nixpkgs.pkgs = import inputs.${repo} {
inherit system;
config.allowUnfree = unfree;
@ -85,10 +86,11 @@
system ? "x86_64-linux",
theme ? "default",
type ? "default",
repo ? "nixpkgs-unstable"
repo ? "nixpkgs-unstable",
deployment_type ? "hosts",
}: inputs.${repo}.lib.nixosSystem {
specialArgs = {
inherit inputs outputs desktop hostname username hmStateVersion stateVersion gpu system theme self;
inherit inputs outputs desktop hostname username hmStateVersion stateVersion gpu system theme self deployment_type;
# Some packages (ie, Vintage Story) I want to keep on unstable no matter what default repo I use
pkgs-unstable = import inputs.nixpkgs-unstable {
inherit system;
@ -116,10 +118,11 @@
theme ? "default",
type ? "default",
repo ? "nixpkgs",
deployment_type ? "hosts",
unfree ? false
}: inputs.${repo}.lib.nixosSystem {
specialArgs = {
inherit inputs outputs desktop hostname username hmStateVersion stateVersion gpu system theme self;
inherit inputs outputs desktop hostname username hmStateVersion stateVersion gpu system theme self deployment_type;
# Choose whether to pull from stable or unstable
pkgs = import inputs.${repo} {
inherit system;
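Review bot: `deployment_type` is threaded through three function signatures with two different defaults ("containers" for the container builder, "hosts" for the two nixosSystem builders) but carries no comment saying what it means, even though the sops modules in this same commit interpolate it into `secrets/${deployment_type}/${hostname}.yaml`; a misspelled value only surfaces later as a missing-file evaluation error. A one-line comment on each parameter, e.g. `deployment_type ? "hosts", # secrets live in secrets/${deployment_type}/${hostname}.yaml`, would make the contract explicit, and `assert builtins.elem deployment_type [ "hosts" "containers" ];` at the head of each function body would fail fast with a readable message instead. The enclosing functions start and end outside these hunks.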


@ -1,16 +1,42 @@
{pkgs, config, ... }: {
services.syncthing = {
settings = {
devices = {
"win10-desktop" = {
name = "win10-desktop";
id = "VDAEJGQ-RA7GAT5-KLA7SRL-X2CV2EG-RMRMD6Z-TFE36JA-2TBBQG2-ED346AL";
};
"framework-server" = { # The docker container, not the host
name = "framework-server";
id = "ULRNA7N-Q7WTZR3-PDQW52W-IWT4UOG-ABF5RCT-W6XJXOW-WQTJIWR-GBFUJQR";
};
};
{pkgs, username, hostname, config, deployment_type, ... }: {
# Set up the secrets file:
sops.secrets."syncthing_cert" = {
owner = "root";
sopsFile = ../../../secrets/${deployment_type}/${hostname}.yaml;
restartUnits = [ "syncthing.service" ];
};
sops.secrets."syncthing_key" = {
owner = "root";
sopsFile = ../../../secrets/${deployment_type}/${hostname}.yaml;
restartUnits = [ "syncthing.service" ];
};
services.syncthing = {
enable = true;
cert = "/run/secrets/syncthing_cert";
key = "/run/secrets/syncthing_key";
user = "${username}";
configDir = "/home/${username}/.config/syncthing";
overrideDevices = true;
overrideFolders = true;
settings = {
devices = {
"win10-desktop" = {
id = "VDAEJGQ-RA7GAT5-KLA7SRL-X2CV2EG-RMRMD6Z-TFE36JA-2TBBQG2-ED346AL";
};
"framework-server" = { # The docker container, not the host
id = "ULRNA7N-Q7WTZR3-PDQW52W-IWT4UOG-ABF5RCT-W6XJXOW-WQTJIWR-GBFUJQR";
};
"nixos-framework" = {
id = "TT3EHRG-U6MMJUC-S3UPF2F-TRUMBPI-TC37RMI-BQ7TT5W-N7DIIWK-653TFAU";
};
"nixos-desktop" = {
id = "5VWSC5F-UKNQK7L-5XDJORY-SJXJUFC-D5QCNYX-YPQBJ4J-AFSVHWY-CXO3MQT";
};
"rdesktop" = {
id = "VJH2YXUG-Y2QTRZ5-Q2XEKLU-7MVETXQ-WRWDDLD-D4PCJ47-T4KVVNV-XXC6PA";
};
};
};
};
}
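Review bot: The secret names were changed to `syncthing_cert`/`syncthing_key`, but the sops files touched in this same commit still carry the keys `syncthing-cert` and `syncthing-key`; sops-nix looks a secret up by its attribute name unless `key` is set, so unless the YAML keys are renamed this fails at activation with a key-not-found error on the first host that imports this module. Either rename the YAML keys or add `key = "syncthing-cert";` and `key = "syncthing-key";` to the two `sops.secrets` entries. Separately, the `rdesktop` device ID is grouped 8-7-…-6 instead of eight groups of seven; Syncthing strips dashes before validating so it probably still parses, but it is worth re-copying from `syncthing device-id` to rule out a transcription error. `owner = "root"` while the service runs as `${username}` relies on the NixOS module's root-run pre-start step installing the cert/key into `configDir`, which current nixpkgs does, so a short comment to that effect, `# root-owned on purpose: the module copies these into configDir as ${username}`, would stop someone "fixing" the owner later.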


@ -1,9 +1,9 @@
{ hostname, ... }: {
{ hostname, deployment_type,... }: {
# Generic Tailscale configs are in /nixos/common/services/tailscale.nix
# Set up the secrets file:
sops.secrets."tailscale_key" = {
owner = "root";
sopsFile = ../../../secrets/hosts/${hostname}.yaml;
sopsFile = ../../../secrets/${deployment_type}/${hostname}.yaml;
restartUnits = [
"tailscaled.service"
"tailscaled-autoconnect.service"


@ -9,53 +9,27 @@
../common/services/telegraf.nix
../common/services/openssh.nix
../common/services/gnupg-agent.nix
../common/services/tailscale.nix
];
networking.interfaces.eth0.ipv4.addresses = [{
address = "192.168.2.${ip}";
prefixLength = 24;
}];
programs.fish.enable = true;
time.timeZone = "Asia/Tokyo";
# We can access the internet through this interface.
networking.defaultGateway = {
address = "192.168.2.1";
interface = "eth0";
networking = {
defaultGateway = {
address = "192.168.2.1";
interface = "eth0";
};
interfaces = {
eth0.ipv4.addresses = [{
address = "192.168.2.${ip}";
prefixLength = 24;
}];
};
};
time.timeZone = "Asia/Tokyo";
boot.isContainer = true;
system.stateVersion = stateVersion;
networking.hostName = "${hostname}";
# Set up the secrets file:
sops.secrets."tailscale_key" = {
owner = "root";
sopsFile = ../../secrets/containers/${hostname}.yaml;
restartUnits = [
"tailscaled.service"
"tailscaled-autoconnect.service"
];
};
services.tailscale = {
enable = true;
authKeyFile = "/run/secrets/tailscale_key";
interfaceName = "tailscale0";
extraUpFlags = [
"--login-server=https://headscale.sysctl.io"
"--accept-dns"
"--accept-routes"
];
};
networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 22 ];
networking.firewall.checkReversePath = "loose";
networking.extraHosts = ''
100.64.0.14 influx.sysctl.io
100.64.0.14 loki.sysctl.io
'';
networking.hostName = hostname;
programs.fish.enable = true;
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
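Review bot: The removed block carried more than the auth-key wiring — `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 22 ]`, `networking.firewall.checkReversePath = "loose"` and the `extraHosts` entries for influx/loki — but the only thing added in its place is the `../common/services/tailscale.nix` import, and in this commit the `tailscale_key` secret and `authKeyFile` live in `tailscale-autoconnect.nix`, which this container config does not import. Unless `tailscale.nix` reproduces all of that (it is not visible here), the container will come up without an auth key, without SSH reachable over tailscale0, and with the telegraf targets unresolved. Adding `../common/services/tailscale-autoconnect.nix` beside the tailscale import, and keeping the firewall and `extraHosts` lines in this file if they are container-specific, would close that gap. The enclosing attribute set begins before this hunk.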


@ -1,4 +1,4 @@
{ desktop, username, lib, ... }: {
{ pkgs, desktop, username, lib, ... }: {
imports = [
../../users/${username}
../../common/desktops/${desktop}
@ -6,6 +6,7 @@
../../common/modules/fonts.nix
../../common/services/gnupg-agent.nix
../../common/software/cli/clean-hm.nix
../../common/services/tailscale-autoconnect.nix
];
hardware.pulseaudio.enable = lib.mkDefault true;
@ -20,6 +21,10 @@
services.xrdp = {
enable = true;
openFirewall = true;
audio.enable = true;
audio = {
enable = true;
package = pkgs.pulseaudio-module-xrdp;
};
};
}
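Review bot: `services.xrdp.openFirewall = true` survives on the new side and opens 3389 on every interface, while the same hunk adds `tailscale-autoconnect.nix`, which suggests this host is meant to be reached over the tailnet. Consider `openFirewall = false;` together with `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 3389 ];` so RDP is only exposed on tailscale0. This is pre-existing rather than introduced here, but the new tailscale import makes it the natural moment to narrow it, and a comment on the option should record whichever exposure is intended.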


@ -0,0 +1,25 @@
{ pkgs, config, hostname, username, ... }: {
imports = [ ../../common/services/syncthing.nix ];
services.syncthing = {
settings = {
folders = {
"kenshi-saves" = {
id = "kenshi";
path = "/home/${username}/.steam/steam/steamapps/compatdata/233860/pfx/drive_c/users/steamuser/AppData/Local/kenshi/";
devices = [ "framework-server" "win10-desktop" "nixos-desktop" "nixos-framework" ];
};
"world-of-warcraft" = {
id = "ergcw-ay6yg";
path = "/home/${username}/Games/battlenet/drive_c/Program Files (x86)/World of Warcraft/";
devices = [ "framework-server" "win10-desktop" "nixos-desktop" "nixos-framework" ];
};
"notes" = {
id = "notes";
path = "/home/${username}/notes";
devices = [ "framework-server" "win10-desktop" "nixos-desktop" "nixos-framework" ];
};
};
};
};
}
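Review bot: The three `folders` entries in this new file are identical to the ones in `hosts/nixos-framework/syncthing.nix` in this same commit, down to the device lists, so every future folder or device change has to be made twice and the two will drift. Since both files already import `common/services/syncthing.nix`, moving `settings.folders` there (or into a shared `common/services/syncthing-folders.nix`) and leaving only host-specific overrides here would remove the duplication. `pkgs`, `config` and `hostname` are accepted in the argument set but unused in this file and can be dropped.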


@ -1,37 +1,23 @@
{ pkgs, config, hostname, username, ... }: {
imports = [ ../../common/services/syncthing.nix ];
# Set up the secrets file:
sops.secrets."syncthing-cert" = {
owner = "root";
sopsFile = ../../../secrets/hosts/nixos-framework.yaml;
restartUnits = [ "syncthing.service" ];
};
sops.secrets."syncthing-key" = {
owner = "root";
sopsFile = ../../../secrets/hosts/nixos-framework.yaml;
restartUnits = [ "syncthing.service" ];
};
services.syncthing = {
enable = true;
cert = "/run/secrets/syncthing-cert";
key = "/run/secrets/syncthing-key";
user = "${username}";
configDir = "/home/${username}/.config/syncthing";
overrideDevices = true;
overrideFolders = true;
settings = {
folders = {
"kenshi-saves" = {
id = "kenshi";
path = "/home/${username}/.steam/steam/steamapps/compatdata/233860/pfx/drive_c/users/steamuser/AppData/Local/kenshi/";
devices = [ "framework-server" "win10-desktop" ];
"kenshi-saves" = {
id = "kenshi";
path = "/home/${username}/.steam/steam/steamapps/compatdata/233860/pfx/drive_c/users/steamuser/AppData/Local/kenshi/";
devices = [ "framework-server" "win10-desktop" "nixos-desktop" "nixos-framework" ];
};
"world-of-warcraft" = {
id = "ergcw-ay6yg";
path = "/home/${username}/Games/battlenet/drive_c/Program Files (x86)/World of Warcraft/";
devices = [ "framework-server" "win10-desktop" ];
id = "ergcw-ay6yg";
path = "/home/${username}/Games/battlenet/drive_c/Program Files (x86)/World of Warcraft/";
devices = [ "framework-server" "win10-desktop" "nixos-desktop" "nixos-framework" ];
};
"notes" = {
id = "notes";
path = "/home/${username}/notes";
devices = [ "framework-server" "win10-desktop" "nixos-desktop" "nixos-framework" ];
};
};
};


@ -12,6 +12,7 @@
# NixOS Modules
./common/modules/networking.nix # Initial Networking configs
./common/services/tailscale.nix # Generlc tailscale installation
./common/modules/nixos.nix # Common NixOS Configurations
./users/${username}
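Review bot: The comment on the new import line has a typo: `# Generlc tailscale installation` should read `# Generic tailscale installation`. Since the auth-key half is split out into `tailscale-autoconnect.nix` and imported per host elsewhere in this commit, saying so here, e.g. `# Generic tailscale installation (auth key wiring is in common/services/tailscale-autoconnect.nix, imported per host)`, would make that split discoverable from this file.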


@ -1,12 +1,14 @@
tailscale_key: ENC[AES256_GCM,data:qeTgvxO7OgzPkxMaoBNOrMWiKLslb2OGnF6MW0+II5TySw/oNuaA3AyhQUR91OIG,iv:T8M4y6xIBqbUn0jLsMwo5IeLYwOVsLmKc2RlEqWfcqo=,tag:1nthjRq8a1HsOW/P1xsVhw==,type:str]
syncthing-cert: ENC[AES256_GCM,data:vA98rPbw6q3ddMn7lYT0z7Mp4onAxKcl2gQ6Ib+OXiPAZDQXFCNNXulRwqm974J0UlIubrx5/eFLysU7NgwDUzTUDq5s5Lzz+DXTh/nlgYJKCeqh4BtU9PvcbuM7iknirwMctdbZIHQP5nR/JqFmLJ3Qfx7gGtp8cW34Iz64OLD5Vr8SEBgLj99f06eCU1B5Sy92kw4aPIwLr3Mc2d6KsO12dmpzNc6w9763DRdDjpvfZuceE1cfjmRhB1APCBZU/A0jgQnVJYXOp78zcpKWcIQu5owItJIdqNFLmqNltiA1n2bXUqRktbV9yyfJkmT9SK5NmoamvPE293y5yMtVIm+2amoPu73xzWNfMbSwW9ppLeIfKrvVWp3wLvNPbojZvWUiPpyYbUOkiPKY+vA97Ec+M7901bONh9zmCmS3atirZtp0Kn+Q/OTaakIlM+4yjioU81XuK3ZKDLPDV7dZ9piQH6NG3G8BSP6o+55P5Bv+asIlqzT1apk5ketXYztMIVIVp85vmfDqoXQZw7ZMLdEYDjxrzKq2pmlhbVF3J4ifDMaiKIuxODf841EPRsPeLl+qavnutXMCFohd7uzBEmjmNEbu4yJN8JY1jXw2+zQ5wVIKxBLionWxeBciZR5vTBrQ02BchLOHuyB+9LoLfX0xWagJOwPp+FuE+icK/LEATyAiEKHDJ7ArfC/l6MtnCLr+S4yusOcrVvyIqKbWh/Xv6gpyk8XhKdVogAn3xZI5G6JKCghfzgu7gcXIjDHvmer8WayPLm5O5tZ1rTssRMU17fa/2RCamnheOSQyttWmB6nbvhDWzxbeEFU+qktSbZHt053Fu76W0kGskypl8mKQVezjhnnvKZoPRXAjPPOJsOD2RiYz+WZlYFGws65O0VMfFVXjRaQ/MXmI1uA2ajp5yFmnzCZWkxGXEtt3iNSlH2WcMpHZ/AyjCchnhItlviayPDSUAqQRHnaL5QGvJph38mABWAvvdnvRVJwWSUB2kzK/Ln+BfUrpuev3XQsoBV2uB32HZGO+f792rTOxu6CTNW71u2e9r2Q=,iv:sxgS4uXhrsXihm97VJIykCzWYQl7IQi9LSAb/g5Rtoo=,tag:sKls61CfHuye+M6nPMCJWQ==,type:str]
syncthing-key: ENC[AES256_GCM,data:9DOCfKBs1zRMUq2J5CNmvF3xC50baV/ZzQ/UKDkRBts673ceB4Bnhz/kxv8GAHTiyC8Yvi6lGWnCcUhSFcGgse3A8QcvCAXZohEHgbUGLXtINHfY7OEK0coTlRrbWqFH5SE5fZLvOcilEEiq4AU5WNWjXcFqT/12mUMNtRM6J1ZhT3rJ0zkGDv850fcAtlTL/6v6ozJEpgQ5qn88KPTQRpHGfbw7ECbKVAF1rfEpoidw/+ybMpDU/HZKwW3spSWYeFJiT3RgqRcqiMv2p0Ab7QadBFyF5v5aPSV9kaROWNz1z3/8Z92Tkfb60mtwHVuXTe/8RHtvOL61Np/AKly3zD6z6rZouvB7Fp9mw064MphdNlru56SYQTYXWVgjvxVg,iv:/4q4tO9YZ2jlrxu2t/k+DqQJcB/g4SxdJGbWwZ5e6Ak=,tag:GQ825Br3yQA1D56o6xqoLQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2024-05-08T09:06:05Z"
mac: ENC[AES256_GCM,data:SJRtqGrr8HWM867QHYkoe4i2/z5/LwrzSuxD0Jp3hJuXJvkngDDsC/2e0bPuzxqTS0M1gJuy43fGiZzfZ1KPqyiDlocuV5hUvvvUIX3DE8TfXO6arcamUo9uz7w/STz68IKw3PJTr4smaIZB+/usmSQpd3QhTe5pdVVAXIXJpCY=,iv:Fpbr3FIu0IxWVdMqWkOc4kBuCvGqT4sEiW6oRu1So3M=,tag:hMP7Ug3jKI4tl2w1LvUcAw==,type:str]
lastmodified: "2024-07-02T02:53:26Z"
mac: ENC[AES256_GCM,data:5kKCjjfmWFgnbiA+2u61AtIWpjlaA1heeb9w7oer3dCWnD8LB8jtx9rxLtwXUd69HiTwQN0Y9pPeZ4SxMdaE30aN0IDK3Q+g8FGfw8Z+Q79wrZz3VW56791UOFE0alkVlLifyGha/nfQQz3l048ZdnndiVfayuyiZW7wJKdPBq8=,iv:BdY0LTY7u2kjfj9pDh1yJKIv0TWRRMT8EkJ/PmP6g20=,tag:Ev/4C9Pw97+iuf8gQJpglA==,type:str]
pgp:
- created_at: "2024-05-06T12:29:58Z"
enc: |-


@ -1,12 +1,14 @@
tailscale_key: null
tailscale_key: ENC[AES256_GCM,data:n1fNK0Eklt0hZsgYctGbhbdIw3aSQLTJaO7adjXW8utcAMxIKFqEXb7fjqDhr5w5,iv:ZJaY0mj5DGwpFwM1BVxlDp3eFbGM3K8D5UlEtHiEF74=,tag:kSrnNt9/0m/+DxTN3XYVSA==,type:str]
syncthing-cert: ENC[AES256_GCM,data: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,iv:3eEcW+3UkJNrD4++0KiFsNYwKWTOoRwY21eTejYCVZ8=,tag:aaf571FSOhN+X89CgjByLA==,type:str]
syncthing-key: ENC[AES256_GCM,data:MMkY/CVWjsflB+xWlOeztcwybTOBr/QSDR7LjLiGfmUue7MZ7FPuQtOPqSDZSGpaBxNTcMKEldm64zG1Am6WR8dNxYcr0SMPMX9Igs1PfNvtpWJxGJdnUZ6EfAcbfQp6kv1VNpyMQtRA5O+vaPlH1cwwJI3LxiJs9X7jaSB5QeuELEMW1KlBuqHf0SuQV4KE0abfpaHwrSls9AR98y1q1bQQ490KwrD4Kw0HwKvnLtH56nwc+fG1tgZeM19qr6vfxDrLzyKd7QP3IyAtvIyYk0FB9IEspbmyDACS0bTIB0DrLnOAeCqYZCWtdrR+SEcFnKzz2Msk9FQ1tUcAqxDqPEmo0bq39h/1oW+jTLZgJoqDYFQMfnK5qTDvv7XfdTe0,iv:r19IgMUuuT9vWOtyC9RGfspuMnjR4faFSosPfDDhWMc=,tag:+lCR9xsrCOoH5VxQhgiwGQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2024-04-25T10:33:03Z"
mac: ENC[AES256_GCM,data:FbWd+kZJ2ZoK1VBE0bRjMQuOnHKQIaD5+QXZCMf4ns6Fb6sgC1JRM6Q7tarfrKIU7fv8V6zmboaLeyvyEb57L701MJNEK9MOLzqxOynpY1hC5sLyfxdCUnlDkSqa5dpbqmm2riZfObUeT5xa1ppIcsAXcNgcbYTT2l/vW/novho=,iv:Pzucs8pFX7iVAt/5GWNVMafT14ErSve9k4C70AVL52c=,tag:3CQAvaC5tiF0ei/NBbPNXw==,type:str]
lastmodified: "2024-07-02T02:52:12Z"
mac: ENC[AES256_GCM,data:UxVNqSeunW0zeXQE2TNhh8pGxioMJJK14+bAffh+n7OpdEmM46Vt5Bldb5WqGYUhTl4211TwovZtSO6iZuwEGWp1vOAowzHaB5Z4MWwS1ujOmw9wC6Fx5TK7L3nEcDDRfrKai2GHJw+aYdcoe7heH88rXXzsd38U2J82kKpRDYw=,iv:F4779t/JC5Id05/CdmSb0Mdu/Al11fhWXe2P0tB0G/k=,tag:RVa/kuHOh2cI1Ai/bvNFcA==,type:str]
pgp:
- created_at: "2024-05-06T12:29:52Z"
enc: |-