global: rewrite nixus to toplevel and use secrets Tony Olagbaiye 11 months ago
12 changed file(s) with 280 addition(s) and 345 deletion(s). Raw diff Collapse all Expand all
0 { ... }:
0 { system ? builtins.currentSystem, ... }:
11
22 let
33 lock = builtins.fromJSON (builtins.readFile ./flake.lock);
1212 flake = flake-compat { src = ./.; };
1313 hostname = with builtins; head (split "\n" (readFile /etc/hostname));
1414 maybe = c: let result = builtins.tryEval c; in if result.success then result.value else {};
15 in { inherit flake-compat flake; self = flake.defaultNix; }
16 // maybe flake.defaultNix // maybe (flake.defaultNix.passthru or {})
17 // maybe flake.defaultNix.nixosConfigurations
18 // maybe flake.defaultNix.nixosConfigurations.${hostname}
19 // maybe flake.defaultNix.nixosConfigurations.${hostname}.config
20 // maybe { inherit (flake.defaultNix.nixosConfigurations.${hostname}.pkgs) lib; }
15 in rec { inherit flake-compat flake; self = flake.defaultNix; inputs = self.lib.inputs // { inherit self; }; }
16 // maybe flake.defaultNix // maybe (flake.defaultNix.lib or {})
17 // maybe flake.defaultNix.defaultPackage.${system}
18 // maybe flake.defaultNix.defaultPackage.${system}.config.nodes
19 // maybe flake.defaultNix.defaultPackage.${system}.config.nodes.${hostname}.configuration
20 // maybe { inherit (flake.defaultNix.defaultPackage.${system}.config.nodes.${hostname}.configuration._pkgs) pkgs lib; }
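--- a/deploy/example/configuration.nix
+++ b/deploy/example/configuration.nix
@@ -1,34 +0,0 @@
-{ lib, pkgs, config, ... }: {
-
-imports = [ ./hardware-configuration.nix ];
-
-boot.loader.timeout = 10;
-boot.loader.grub.device = "/dev/vda";
-boot.kernelPackages = pkgs.linuxPackages_latest;
-
-networking = {
-useDHCP = false;
-nameservers = [ "1.1.1.1" "1.0.0.1" ];
-defaultGateway = "138.68.80.1";
-usePredictableInterfaceNames = false;
-interfaces.eth0 = {
-ipv4.addresses = [{
-address = "138.68.83.114";
-prefixLength = 20;
-}];
-};
-};
-
-services.openssh.enable = true;
-users.users.root.openssh.authorizedKeys.keys = [
-"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHjY4cuUk4IWgBgnEJSULkIHO+njUmIFP+WSWy7IobBs infinisil@vario"
-];
-
-users.users.bob.group = "users";
-
-secrets.files.foo.file = ./secret;
-secrets.files.foo.user = "bob";
-environment.etc.foo.source = config.secrets.files.foo.file;
-
-system.stateVersion = "19.09";
-}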
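--- a/deploy/example/default.nix
+++ b/deploy/example/default.nix
@@ -1,23 +0,0 @@
-import ../. {} ({ config, ... }: {
-
-defaults = { name, ... }: {
-configuration = { lib, ... }: {
-networking.hostName = lib.mkDefault name;
-};
-
-# Which nixpkgs version we want to use for this node
-nixpkgs = fetchTarball {
-url = "https://github.com/NixOS/nixpkgs/tarball/16fc531784ac226fb268cc59ad573d2746c109c1";
-sha256 = "0qw1jpdfih9y0dycslapzfp8bl4z7vfg9c7qz176wghwybm4sx0a";
-};
-};
-
-nodes.foo = { lib, config, ... }: {
-# How to reach this node
-host = "root@138.68.83.114";
-
-# What configuration it should have
-configuration = ./configuration.nix;
-};
-
-})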
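--- a/deploy/example/hardware-configuration.nix
+++ b/deploy/example/hardware-configuration.nix
@@ -1,29 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ modulesPath, config, lib, pkgs, ... }:
-
-{
-imports =
-[ (modulesPath + "/profiles/qemu-guest.nix")
-];
-
-boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_blk" ];
-boot.initrd.kernelModules = [ ];
-boot.kernelModules = [ "kvm-intel" ];
-boot.extraModulePackages = [ ];
-
-fileSystems."/" =
-{ device = "/dev/disk/by-uuid/48e3b830-ff84-4434-ac74-b57b2ca59842";
-fsType = "ext4";
-};
-
-fileSystems."/boot/efi" =
-{ device = "/dev/disk/by-uuid/3EE0-2273";
-fsType = "vfat";
-};
-
-swapDevices = [ ];
-
-nix.maxJobs = lib.mkDefault 1;
-}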
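--- a/deploy/example/secret
+++ b/deploy/example/secret
@@ -1 +0,0 @@
-SECRET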
4141
4242 # We make this derivation dependent on the secret itself, such that a
4343 # change of it causes a rebuild
44 secretHash = builtins.hashString "sha512" (builtins.readFile file);
45 # TODO: Switch to `builtins.hashFile "sha512" value`
46 # which requires Nix 2.3. The readFile way can cause an error when it
47 # contains null bytes
44 secretHash = builtins.hashFile "sha512" file;
4845 } (
4946 let
5047 validSecret = (config.user == null) || (config.group == null);
5956 '');
6057
6158 # Intersects the closure of a system with a set of secrets
62 requiredSecrets = pkgs: { system, secrets }: pkgs.stdenv.mkDerivation {
63 name = "required-secrets";
59 requiredSecrets = pkgs: { system, secrets, host, name, ... }: pkgs.stdenv.mkDerivation {
60 name = "${name}-required-secrets";
6461
6562 __structuredAttrs = true;
6663 preferLocalBuild = true;
10097 options.secrets = {
10198 baseDirectory = lib.mkOption {
10299 type = types.path;
103 default = "/var/lib/nixus-secrets";
100 default = "/var/lib/nixos/secrets";
104101 description = ''
105102 The persistent directory on the target host to store secrets in.
106103 '';
123120 includedSecrets = requiredSecrets pkgs {
124121 system = config.configuration.system.build.toplevel;
125122 secrets = config.configuration.secrets.files;
123 inherit (config) host;
124 name = config.configuration.networking.hostName;
126125 };
127126
128127 baseDir = config.configuration.secrets.baseDirectory;
132131 /*
133132
134133 Secret structure:
135 /var/lib/nixus-secrets/active root:root 0755 # Directory containing all active persisted secrets and data needed to support it
134 /var/lib/nixos/secrets/active root:root 0755 # Directory containing all active persisted secrets and data needed to support it
136135 |
137136 + included-secrets root:root 0440 # A file containing line-delimited json values describing all present secrets
138137 |
149148 |
150149 + <name> root:<group> 0040 # A file containing the secret <name>
151150
152 /var/lib/nixus-secrets/pending root:root 0755 # The same structure as /active, but this is only used during deployment to make it more atomic and simple to remove unneeded ones later
151 /var/lib/nixos/secrets/pending root:root 0755 # The same structure as /active, but this is only used during deployment to make it more atomic and simple to remove unneeded ones later
153152 # The only difference here is that no owners are set yet, since we can't yet know uid and gid
154153 */
155154
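Review bot: `secretHash = builtins.hashFile "sha512" file;` at 44 puts a plain SHA-512 of the secret's contents into the derivation attributes, and a .drv and its closure are readable by every user of the Nix store, so for a low-entropy secret (a passphrase, a short token) that digest is enough to confirm a guess offline. The surviving comment at 42–43 only says the dependency exists to force a rebuild; I would record the exposure beside it, e.g. `# NOTE: this digest ends up in the world-readable store; do not route guessable values through this module`. The derivation name `"${name}-required-secrets"` at 60 is now built from `config.configuration.networking.hostName` (124), which presumably only ever holds characters valid in a store name — worth confirming, since an empty or unusual hostName would now fail at instantiation rather than at deploy time. The default moved from `/var/lib/nixus-secrets` to `/var/lib/nixos/secrets` at 100; existing targets keep their old directory unless it is moved by hand, which the option description at 101–103 could mention.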
299299 in tryGetValue (builtins.tryEval (lib.concatMap lib.attrValues (lib.attrValues s6))));
300300 };
301301 in {
302 nixosConfigurations = let
302 nixosConfigurations = builtins.mapAttrs (host: node: let
303303 system = "x86_64-linux"; # So far it always is...
304 pkgs = pkgsForSystem system;
305 usr = {
306 utils = import ./lib/utils.nix {
307 inherit lib;
308 };
309 elisp = import ./lib/elisp.nix {
310 inherit lib;
311 pkgs = channels.lib.legacyPackages.${system};
312 };
313 dag = let dagLib = import ./lib/dag.nix lib lib;
314 in dagLib.dag // { inherit (dagLib) types; };
315 units = {
316 kilobytes = b: b * 1024;
317 megabytes = k: k * 1024;
318 gigabytes = m: m * 1024;
319 };
320 };
321
322 modulesFor = hostName: appendModules: let
323 specialArgs = {
324 inherit usr;
325 flake = inputs.self;
326 fetchPullRequest = fetchPullRequestForSystem system;
327
328 domains = import ./secrets/domains.nix;
329 hosts = import ./secrets/hosts.nix;
330
331 modules = systemModules ++ [{
332 _module.args = specialArgs;
333 }];
334 extraModules = [];
335 };
336
337 # External modules
338 inherit (inputs.home.nixosModules) home-manager;
339 inherit (inputs.dwarffs.nixosModules) dwarffs;
340 inherit (inputs.guix.nixosModules) guix;
341 inherit (inputs.construct.nixosModules) matrix-construct;
342 apparmor-nix = inputs.apparmor.nixosModule;
343
344 # Some common basic stuff
345 core = ./profiles/core.nix;
346
347 # The flake-ier common basic stuff
348 global = {
349 environment.etc."machine-id".text = builtins.hashString "md5" hostName;
350 environment.pathsToLink = [ "/share/bios" ];
351 networking = { inherit hostName; };
352
353 nix.package = lib.mkDefault pkgs.nixFlakes;
354 nix.registry = lib.mapAttrs (id: flake: {
355 inherit flake;
356 from = { inherit id; type = "indirect"; };
357 }) (inputs // { nixpkgs = inputs.master; });
358 nix.nixPath = [
359 "nixpkgs=${channels.pkgs}"
360 "nixos=${inputs.self}/configuration.nix"
361 "self=/run/current-system/flake/input/self/configuration.nix"
362 ];
363
364 system.configurationRevision = inputs.self.rev or "dirty";
365 system.nixos.versionSuffix = let inherit (inputs) self;
366 date = lib.substring 0 8 (self.lastModifiedDate or self.lastModified);
367 rev = self.shortRev or "dirty";
368 in lib.mkForce ".${date}.${rev}";
369
370 system.extraSystemBuilderCmds = (''
371
372 mkdir -p $out/flake/input
373
374 # Link first-class inputs
375 ${lib.concatMapStringsSep "\n" ({ name, value }: ''
376 ln -s '${value}' "$out/flake/input/${name}"
377 '') inputMap.n1}
378
379 # Link second-class inputs
380 ${(lib.concatMapStringsSep "\n" ({ name, value }: ''
381 ln -s '${value}' "$out/flake/input/${name}"
382 '') inputMap.n2)}
383
384 # Link third-class inputs (skipped)
385 ${lib.concatMapStringsSep "\n" ({ name, value }: ''
386 ln -s '${value}' "$out/flake/input/${name}"
387 '') inputMap.n3}
388
389 '');
390
391 system.activationScripts.etcnixos = ''
392 rm -f /etc/nixos && \
393 ln -sfn /run/current-system/flake/input/self /etc/nixos || \
394 true
395 '';
396
397 nixpkgs = {
398 pkgs = pkgs // {
399 iptables = pkgs.iptables-nftables-compat;
400 };
401 };
402 };
403
404 # Amend home-manager (inject modules, set common stuff)
405 home = { config, ... }: {
406 options.home-manager.users = lib.mkOption {
407 type = with lib.types; attrsOf (submoduleWith {
408 inherit specialArgs;
409 modules = let
410 flakeModules = import ./modules/home-manager.nix;
411 nixProfile = { lib, ... }: {
412 home.activation.disableNixEnv = lib.hm.dag.entryBefore ["installPackages"] ''
413 alias nix-env=true
414 '';
415 home.activation.installPackages = lib.mapAttrs (k: v: lib.mkForce v) (lib.hm.dag.entryAnywhere "true");
416 };
417 baduk = {
418 imports = [ (import inputs.baduk) ];
419 baduk.sabaki.engines = lib.mkDefault [];
420 };
421 impermanence = import "${inputs.impermanence}/home-manager.nix";
422 in flakeModules ++ [
423 nixProfile
424 baduk
425 ];
426 });
427 };
428
429 config.home-manager = {
430 useUserPackages = true;
431 useGlobalPkgs = true;
432 verbose = true;
433 };
434 };
435
436 # Hack in the gnupg secrets module (fix docbook)
437 gnupg = import "${inputs.pr93659}/nixos/modules/security/gnupg.nix";
438
439 # Plug in the impermanence module (not a flake :<)
440 impermanence = import "${inputs.impermanence}/nixos.nix";
441
442 # Set up any other pull request modules
443 iwd = { config, ... }: let
444 iwdModule = "services/networking/iwd.nix";
445 in {
446 disabledModules = [ iwdModule ];
447 imports = [
448 (import "${inputs.pr75800}/nixos/modules/${iwdModule}" {
449 inherit config pkgs;
450 lib = let
451 iwdLib = import "${inputs.pr75800}/lib/default.nix";
452 in lib // {
453 types = {
454 inherit (iwdLib.types) fixedLengthString lengthCheckedString;
455 } // lib.types;
456 };
457 })
458 ];
459 };
460
461 # Virtual machine builder (don't import otherwise)
462 vm = import "${channels.modules}/nixos/modules/virtualisation/qemu-vm.nix";
463
464 flakeModules = import ./modules/nixos.nix;
465
466 # Actual host config
467 configuration = import "${toString ./hosts}/${hostName}";
468
469 systemModules = flakeModules ++ [
470 core global iwd gnupg
471 dwarffs guix matrix-construct impermanence apparmor-nix
472 ];
473
474 userModules = [
475 home
476 home-manager
477 ];
478 in {
479 inherit system specialArgs;
480 modules = systemModules ++ userModules ++ [
481 configuration
482 ] ++ appendModules;
483 };
484 in usr.utils.recImport {
485 # Build a nixos system for each dir in ./hosts using modulesFor
486 dir = ./hosts;
487 _import = host: let
488 pkgs = channels.modules.legacyPackages.${system};
489 mkSystem = import "${patchNixpkgs pkgs}/nixos/lib/eval-config.nix";
490 vmConfig = (mkSystem (modulesFor host [vm])).config;
491 modules = modulesFor host [{
492 system.build = {
493 inherit (vmConfig.system.build) vm;
494 };
495 }];
496 in mkSystem modules // {
497 nixos = modules; # This is extra spicy, but vaguely needed for nixus?
498 };
499 };
500
501 # convenience...
304 pkgs = channels.modules.legacyPackages.${system};
305 in {
306 config = node.configuration;
307 }) inputs.self.defaultPackage.x86_64-linux.config.nodes;
308
502309 homeConfigurations = lib.genAttrs (builtins.attrNames inputs.self.nixosConfigurations)
503310 (host: inputs.self.nixosConfigurations.${host}.config.home-manager.users) //
504311 {
556363 });
557364
558365 defaultPackage = forAllSystems ({ pkgs, system, ... }:
559 import ./deploy rec {
366 import ./deploy {
560367 nixpkgs = patchNixpkgs (channels.modules.legacyPackages.${system});
561368 deploySystem = system;
562369 } ({ config, lib, ... }: let
563370 inherit (config) nodes;
371 system = {
372 deploy = system;
373 # no current exceptions
374 target = "x86_64-linux";
375 };
564376 in {
565377 defaults = { name, config, ... }: let
566 inherit (inputs.self.nixosConfigurations.${name}) nixos;
567 in {
568 host = "root@${nixos.specialArgs.hosts.wireguard.${name}}";
569
570 configuration = {
571 _module.args = nixos.specialArgs;
572 imports = nixos.modules;
573
574 secrets.baseDirectory = "/var/lib/secrets";
575
378 nixos = inputs.self.nixosModules.hosts.${system.target}.${name};
379
380 vmsystem = { modules, system, specialArgs, ... }: {
381 system.build.vm = (import "${patchNixpkgs pkgs}/nixos/lib/eval-config.nix" {
382 inherit system specialArgs;
383 modules = modules ++ [
384 (import "${channels.modules}/nixos/modules/virtualisation/qemu-vm.nix")
385 ];
386 }).config.system.build.toplevel;
387 };
388
389 linkage = let
390 inherit (inputs.self.defaultPackage.${system.deploy}.config) nodes;
391 in {
576392 # Link raw hosts on each host (non-recursively)
577393 system.extraSystemBuilderCmds = ''
578394 mkdir -p $out/flake/hosts
579395
580396 # Link other hosts (nonrecursively)
581397 ${lib.concatMapStringsSep "\n" ({ name, value }: ''
582 ln -s '${value.config.system.build.toplevel}' "$out/flake/hosts/${name}"
583 '') (lib.mapAttrsToList lib.nameValuePair inputs.self.nixosConfigurations)}
398 ln -s '${value.configuration.system.build.toplevel}' "$out/flake/hosts/${name}"
399 '') (lib.mapAttrsToList lib.nameValuePair nodes)}
584400
585401 # Link host containers
586402 ${lib.concatMapStringsSep "\n" (host@{ name, value }: ''
587403 mkdir -p $out/flake/container/${name}
588404 ${lib.concatMapStringsSep "\n" (container@{ name, value }: ''
589 ln -s '${value.config.system.build.toplevel}' "$out/flake/container/${host.name}/${name}"
590 '') (lib.mapAttrsToList lib.nameValuePair value.config.containers)}
591 '') (lib.mapAttrsToList lib.nameValuePair inputs.self.nixosConfigurations)}
405 ln -s '${value.configuration.system.build.toplevel}' "$out/flake/container/${host.name}/${name}"
406 '') (lib.mapAttrsToList lib.nameValuePair value.configuration.containers)}
407 '') (lib.mapAttrsToList lib.nameValuePair nodes)}
592408 '';
409 };
410 in {
411 host = "root@${nixos.specialArgs.hosts.wireguard.${name}}";
412
413 configuration = rec {
414 _module.args = nixos.specialArgs;
415 imports = nixos.modules ++ [
416 #linkage
417 vmsystem
418 { secrets.baseDirectory = "/var/lib/secrets/"; }
419 ];
593420 };
594421
595422 # Filter out "added to list of known hosts" spam from output
600427 pipeline -w { ${pkgs.gnugrep}/bin/grep --line-buffered -v "list of known hosts" }
601428 fdswap 2 1
602429 '';
603
604 ## Replace all usage of nix-copy-closure with `nix-copy`
605 #deployScriptPhases.nix-copy-alias = lib.dag.entryBefore ["copy-closure"] ''
606 # alias nix-copy-closure="nix copy"
607 #'';
608430
609431 # Git tag all systems and deployments
610432 deployScriptPhases.git-tag = let
625447 }
626448 '';
627449
450 privilegeEscalationCommand = []; # already root
451
628452 successTimeout = lib.mkDefault 120;
629453 switchTimeout = lib.mkDefault 120;
630454
635459 };
636460
637461 nodes = let
638 hosts = builtins.attrNames (builtins.removeAttrs inputs.self.nixosConfigurations [
462 hosts = builtins.attrNames (builtins.removeAttrs inputs.self.nixosModules.hosts.${system.target} [
639463 "image"
640464 ]);
641465 in (lib.genAttrs hosts (_: {})) // {
684508 nixosModules = let
685509 mergeAll = lib.fold lib.recursiveUpdate {};
686510 pathsToAttrs = map (file:
687 let cleanFile = lib.removeSuffix ".nix" (lib.removePrefix "./" (toString file));
511 let cleanFile = lib.removeSuffix ".nix" (lib.removePrefix "${toString ./.}/" (toString file));
688512 in lib.setAttrByPath (lib.splitString "/" cleanFile) (import file)
689513 );
690
691 moduleList = (import ./modules/nixos.nix) ++ (import ./modules/home-manager.nix);
692 profilesList = import ./profiles/list.nix;
693 in mergeAll (pathsToAttrs moduleList) // { profiles = mergeAll (pathsToAttrs profilesList); };
514 nixFilesOf = builtins.filter (lib.hasSuffix ".nix");
515
516 moduleList = (import ./modules/nixos.nix)
517 ++ (import ./modules/home-manager.nix);
518
519 profilesList = (lib.filesystem.listFilesRecursive ./profiles)
520 ++ (builtins.filter (f: ! builtins.hasAttr (builtins.baseNameOf f) (builtins.readDir ./users))
521 (lib.filesystem.listFilesRecursive ./users));
522 in (mergeAll (pathsToAttrs (nixFilesOf moduleList)))
523 // (mergeAll (pathsToAttrs (nixFilesOf profilesList)))
524 // {
525 hosts = forAllSystems ({ pkgs, system, ... }: (let
526 usr = {
527 utils = import ./lib/utils.nix {
528 inherit lib;
529 };
530 elisp = import ./lib/elisp.nix {
531 inherit lib;
532 pkgs = channels.lib.legacyPackages.${system};
533 };
534 dag = let dagLib = import ./lib/dag.nix lib lib;
535 in dagLib.dag // { inherit (dagLib) types; };
536 units = {
537 kilobytes = b: b * 1024;
538 megabytes = k: k * 1024;
539 gigabytes = m: m * 1024;
540 };
541 };
542
543 modulesFor = hostName: appendModules: let
544 specialArgs = {
545 inherit usr;
546 flake = inputs.self;
547 fetchPullRequest = fetchPullRequestForSystem system;
548
549 domains = import ./secrets/domains.nix;
550 hosts = import ./secrets/hosts.nix;
551
552 modules = systemModules ++ [
553 { _module.args = specialArgs; }
554 ];
555 extraModules = [];
556 };
557
558 # External modules
559 inherit (inputs.home.nixosModules) home-manager;
560 inherit (inputs.dwarffs.nixosModules) dwarffs;
561 inherit (inputs.guix.nixosModules) guix;
562 inherit (inputs.construct.nixosModules) matrix-construct;
563 apparmor-nix = inputs.apparmor.nixosModule;
564
565 # Some common basic stuff
566 core = ./profiles/core.nix;
567
568 # The flake-ier common basic stuff
569 global = {
570 environment.etc."machine-id".text = builtins.hashString "md5" hostName;
571 environment.pathsToLink = [ "/share/bios" ];
572 networking = { inherit hostName; };
573
574 nix.package = lib.mkDefault pkgs.nixFlakes;
575 nix.registry = lib.mapAttrs (id: flake: {
576 inherit flake;
577 from = { inherit id; type = "indirect"; };
578 }) (inputs // { nixpkgs = inputs.master; });
579 nix.nixPath = [
580 "nixpkgs=${channels.pkgs}"
581 "nixos=${inputs.self}/configuration.nix"
582 "self=/run/current-system/flake/input/self/configuration.nix"
583 ];
584
585 system.configurationRevision = inputs.self.rev or "dirty";
586 system.nixos.versionSuffix = let inherit (inputs) self;
587 date = lib.substring 0 8 (self.lastModifiedDate or self.lastModified);
588 rev = self.shortRev or "dirty";
589 in lib.mkForce ".${date}.${rev}";
590
591 system.extraSystemBuilderCmds = (''
592
593 mkdir -p $out/flake/input
594
595 # Link first-class inputs
596 ${lib.concatMapStringsSep "\n" ({ name, value }: ''
597 ln -s '${value}' "$out/flake/input/${name}"
598 '') inputMap.n1}
599
600 # Link second-class inputs
601 ${(lib.concatMapStringsSep "\n" ({ name, value }: ''
602 ln -s '${value}' "$out/flake/input/${name}"
603 '') inputMap.n2)}
604
605 # Link third-class inputs (skipped)
606 ${lib.concatMapStringsSep "\n" ({ name, value }: ''
607 ln -s '${value}' "$out/flake/input/${name}"
608 '') inputMap.n3}
609
610 '');
611
612 system.activationScripts.etcnixos = ''
613 rm -f /etc/nixos && \
614 ln -sfn /run/current-system/flake/input/self /etc/nixos || \
615 true
616 '';
617
618 nixpkgs = {
619 pkgs = pkgs // {
620 iptables = pkgs.iptables-nftables-compat;
621 };
622 };
623 };
624
625 # Amend home-manager (inject modules, set common stuff)
626 home = { config, ... }: {
627 options.home-manager.users = lib.mkOption {
628 type = with lib.types; attrsOf (submoduleWith {
629 inherit specialArgs;
630 modules = let
631 flakeModules = import ./modules/home-manager.nix;
632 nixProfile = { lib, ... }: {
633 home.activation.disableNixEnv = lib.hm.dag.entryBefore ["installPackages"] ''
634 alias nix-env=true
635 '';
636 home.activation.installPackages = lib.mapAttrs (k: v: lib.mkForce v) (lib.hm.dag.entryAnywhere "true");
637 };
638 baduk = {
639 imports = [ (import inputs.baduk) ];
640 baduk.sabaki.engines = lib.mkDefault [];
641 };
642 impermanence = import "${inputs.impermanence}/home-manager.nix";
643 in flakeModules ++ [
644 nixProfile
645 baduk
646 ];
647 });
648 };
649
650 config.home-manager = {
651 useUserPackages = true;
652 useGlobalPkgs = true;
653 verbose = true;
654 };
655 };
656
657 # Hack in the gnupg secrets module (fix docbook)
658 gnupg = import "${inputs.pr93659}/nixos/modules/security/gnupg.nix";
659
660 # Plug in the impermanence module (not a flake :<)
661 impermanence = import "${inputs.impermanence}/nixos.nix";
662
663 # Set up any other pull request modules
664 iwd = { config, ... }: let
665 iwdModule = "services/networking/iwd.nix";
666 in {
667 disabledModules = [ iwdModule ];
668 imports = [
669 (import "${inputs.pr75800}/nixos/modules/${iwdModule}" {
670 inherit config pkgs;
671 lib = let
672 iwdLib = import "${inputs.pr75800}/lib/default.nix";
673 in lib // {
674 types = {
675 inherit (iwdLib.types) fixedLengthString lengthCheckedString;
676 } // lib.types;
677 };
678 })
679 ];
680 };
681
682 flakeModules = import ./modules/nixos.nix;
683
684 # Actual host config
685 configuration = import "${toString ./hosts}/${hostName}";
686
687 systemModules = flakeModules ++ [
688 core global iwd gnupg
689 dwarffs guix matrix-construct impermanence apparmor-nix
690 ];
691
692 userModules = [
693 home
694 home-manager
695 ];
696 in {
697 inherit system specialArgs;
698 modules = systemModules ++ userModules ++ [
699 configuration
700 ] ++ appendModules;
701 };
702
703 forEachHost = do: usr.utils.recImport {
704 # Build a nixos system for each dir in ./hosts using modulesFor
705 dir = ./hosts;
706 _import = do;
707 };
708 in forEachHost (host: let
709 pkgs = channels.modules.legacyPackages.${system};
710 in modulesFor host [])));
711 };
694712
695713 devShell = forAllSystems ({ system, ... }:
696714 let
729747 }
730748 );
731749
732 passthru = rec {
750 lib = rec {
733751 inherit inputs channels config allSystems inputMap patchNixpkgs;
734752 patchedPkgs = patchNixpkgs (channels.modules.legacyPackages.x86_64-linux);
735753
736 #$ git config secrets.providers "nix eval --raw .#passthru.secrets"
754 #$ git config secrets.providers "nix eval --raw .#lib.secrets"
737755 secrets = with lib.strings; concatMapStringsSep "\n" (replaceStrings [" "] ["\\s"]) ([
738756 (import ./secrets/git.github.nix).oauth-token
739757 ] ++ (attrNames (import ./secrets/wifi.networks.nix))
749767 ++ (attrValues (import ./secrets/weechat.credentials.nix))
750768 ++ (attrValues (import ./secrets/domains.nix))
751769 ++ (lib.flatten (map attrValues (attrValues (import ./secrets/hosts.nix))))
770 ++ (attrValues (import ./secrets/hass.tuya.nix))
771 ++ (attrValues (import ./secrets/hydroxide.auth.nix))
772 ++ (attrValues (import ./secrets/ipfs.cluster.nix))
773 ++ (attrValues (import ./secrets/ipfs.repo.nix))
774 ++ (attrValues (import ./secrets/mastodon.twitter.nix))
775 ++ (attrValues (import ./secrets/matrix.synapse.nix))
776 ++ (attrValues (import ./secrets/nyxt.autofill.nix))
777 ++ (attrValues (import ./secrets/rescue.nix))
752778 );
753779 };
754780 };
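Review bot: `vmsystem` at 380–387 assigns `system.build.vm` the evaluated VM system's `.config.system.build.toplevel`, whereas the removed `_import` (493) took `vmConfig.system.build.vm`; unless the toplevel is what callers now want, the closing line should read `}).config.system.build.vm;`. The module's argument set `{ modules, system, specialArgs, ... }` also expects `system` and `specialArgs` as module arguments, but the `_module.args = nixos.specialArgs` it is imported under (414) carries only what `specialArgs` at 544–556 defines, which has neither key — confirm they are supplied elsewhere, or the module will fail at evaluation. `secrets.baseDirectory = "/var/lib/secrets/"` at 418 gains a trailing slash the old line 574 did not have; if the secrets module joins it as `${baseDirectory}/active` the doubled slash is harmless on Linux but inconsistent with the layout comment there, so I would drop it. `defaultPackage.x86_64-linux` at 307 hardcodes the system that `system.target` (374) already names; a one-line comment tying the two together would help the next reader.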
284284 environment.etc."ssh/ssh_revoked_keys".text = "";
285285 environment.etc."ssh/ssh_user-ca.pub".source = ../../secrets/keys/deltassh/ssh_user-ca.pub;
286286 environment.etc."ssh/ssh_host-ca.pub".source = ../../secrets/keys/deltassh/ssh_host-ca.pub;
287 environment.etc."wireguard/private.key".source = ../../secrets/keys/wireguard/delta.key;
288287 }
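--- a/profiles/list.nix
+++ b/profiles/list.nix
@@ -1,12 +0,0 @@
-[
-./develop
-./develop/emacs
-./develop/tmux
-./develop/zsh
-./games
-./graphical
-./graphical/qutebrowser
-./graphical/sway
-./misc
-./virt
-]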
3737 (peers.${to} ? publicKey)
3838 ];
3939 in {
40 environment.etc."wireguard/private.key".source = config.secrets.files.wireguard.file;
41
4042 networking.firewall.allowedUDPPorts =
4143 lib.mkIf (currentPeer ? "port") [ currentPeer.port ];
4244
4648 enable = true;
4749 interfaces.wg0 = {
4850 ips = [ "${currentPeer.ip}/${toString network}" ];
49 privateKeyFile = "/etc/wireguard/private.key";
51 privateKeyFile = "${config.secrets.files.wireguard.file}";
5052 generatePrivateKeyFile = false;
5153 listenPort = currentPeer.port or 51820;
5254
6466 };
6567
6668 systemd.services.wireguard-wg0.serviceConfig.Before = [ "sshd.service" ];
69
70 secrets.files = {
71 wireguard = {
72 file = ../../../secrets/keys/wireguard + "/${config.networking.hostName}.key";
73 #user = "root";
74 #group = "root";
75 };
76 };
6777 }
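Review bot: `environment.etc."wireguard/private.key".source` at 40 keeps a second path to the private key even though `privateKeyFile` at 51 now points straight at `config.secrets.files.wireguard.file`; unless something else still reads `/etc/wireguard/private.key`, the etc entry can go so the key is reachable through one path only. The interpolation `"${config.secrets.files.wireguard.file}"` presumably exists so the secret derivation becomes part of the system closure and is picked up by the deploy's required-secrets intersection — a comment such as `# interpolated so the secret derivation lands in the system closure` would save the next reader from reading it as a needless conversion. The commented-out `#user`/`#group` at 73–74 leave ownership to the module defaults; if root:root is the intent, stating that in a comment is clearer than dead settings.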