Compare commits
95 commits
Author | SHA1 | Date | |
---|---|---|---|
|
fb5b940d00 | ||
77880c6ede | |||
e12fc81658 | |||
4853aeec19 | |||
60a62f0288 | |||
5bea98a37f | |||
6fd0215a19 | |||
40e04843ef | |||
7f00516334 | |||
91eda3a0ae | |||
cdfd856296 | |||
8f8adf132c | |||
b3ae9ba314 | |||
1d2cb130cf | |||
cda6fff78b | |||
4a5c9228d1 | |||
8e46d4cde3 | |||
d577008fca | |||
232faef5c0 | |||
ad3d196a1e | |||
0b09d9e0a2 | |||
bbfbb002d5 | |||
aa16354a39 | |||
0743facbde | |||
ef09f73a5e | |||
bd614e1e2a | |||
589841c265 | |||
9080c75f6d | |||
6faa9df23b | |||
c9f1a9a362 | |||
6b1b4a74ad | |||
36ad39d4e5 | |||
f386e19d29 | |||
2ed2a77263 | |||
9347348d39 | |||
90bbd821b0 | |||
65726d62c0 | |||
f29847b7dc | |||
9710ec7174 | |||
9a656a435e | |||
4d73c4c4e3 | |||
95d9945158 | |||
e1ec40eca3 | |||
ea3f1daaf8 | |||
1746258f58 | |||
ff7fbbe7f2 | |||
bac0fd40b6 | |||
a2c3512a38 | |||
73ed8b7f1c | |||
|
b0fde95282 | ||
aac3d39b02 | |||
3f9cb151ee | |||
4e78dd2fae | |||
ab9f9ce991 | |||
9dc962a98c | |||
f7609d5cf2 | |||
|
f716996616 | ||
c3fb861612 | |||
|
75348f7c12 | ||
|
a7e3f533a9 | ||
46a97e6a06 | |||
f967160ad9 | |||
a148384093 | |||
49f86b0c5a | |||
361a93aa95 | |||
aa7c61019b | |||
cfe7efce10 | |||
5962560c87 | |||
21cbd69e02 | |||
7a450258d4 | |||
|
dcbfb0be74 | ||
|
78f156bb38 | ||
|
0b799c87b6 | ||
2bfb4f5c97 | |||
|
752b3d4d4c | ||
|
fdb40b4a4e | ||
|
c08d826457 | ||
|
c06df7e251 | ||
|
7848fa4d96 | ||
c09b1e8e17 | |||
40b9733f57 | |||
8a90755f14 | |||
|
1781bd41a2 | ||
|
63500d8dea | ||
0292da597f | |||
5731882500 | |||
|
6525287824 | ||
|
c173ba1404 | ||
e5980dca43 | |||
694067f075 | |||
5893ada5a2 | |||
f2fbebe6cb | |||
937fd13a51 | |||
a03162b769 | |||
955f7d1131 |
34 changed files with 1529 additions and 221 deletions
|
@ -2,13 +2,16 @@
|
|||
- &Lyn age18c6zws9wk9r7dxjqafwj2l2ex5mn5v8u6yrd2ys9ng8q09rsedpqm38jzv
|
||||
- &forgenite age1u4dtlq4lavqufzsqfqlsnu67u3x2t3d7ffxkqrah2des4dlxns2slegl38
|
||||
- &forgejo-ci age13pau3xqusxuczm9kwpxg4fdze4xhenfwmjw80ed7g336a8x7tqpqdqvjjj
|
||||
|
||||
- &wg-gateway age1xm5ewmhxsdn34c6h9v3hzs0ka0qvmywnkgw94j7r2cxpqh2c8v4q7h6qhd
|
||||
- &supernova age12lfan35k4gtq6mwm9llyea25usw3ap0xuzg90745qk0m0ws3cgespffkv2
|
||||
creation_rules:
|
||||
- path_regex: secrets/all/[^/]+\.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *Lyn
|
||||
- *forgenite
|
||||
- *wg-gateway
|
||||
- *supernova
|
||||
#hosts
|
||||
- path_regex: secrets/hosts/forgenite.yaml
|
||||
key_groups:
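Review bot: `path_regex: secrets/hosts/forgenite.yaml` is an unanchored regex with an unescaped `.`, so it also matches names such as `secrets/hosts/forgenite.yaml.bak` or `secrets/hosts/forgeniteXyaml` under any prefix, whereas `secrets/all/[^/]+\.yaml$` is at least end-anchored; prefer `^secrets/hosts/forgenite\.yaml$` so a misnamed file never silently falls through to another rule (whether this rule line is new or context is not recoverable from the rendered hunk). The `forgejo-ci` recipient declared at the top is not in the `secrets/all` key group while the two new hosts are; if that is intentional, a comment such as `# forgejo-ci deliberately cannot decrypt shared secrets` would help the next reader. Adding recipients only changes the rule, so the existing `secrets/all/*.yaml` files need `sops updatekeys` before `wg-gateway` and `supernova` can decrypt them. The hunk starts mid-file, so earlier rules are not visible.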
|
||||
|
|
360
flake.lock
360
flake.lock
|
@ -1,44 +1,229 @@
|
|||
{
|
||||
"nodes": {
|
||||
"crane": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"lanzaboote",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1717535930,
|
||||
"narHash": "sha256-1hZ/txnbd/RmiBPNUs7i8UQw2N89uAK3UzrGAWdnFfU=",
|
||||
"owner": "ipetkov",
|
||||
"repo": "crane",
|
||||
"rev": "55e7754ec31dac78980c8be45f8a28e80e370946",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "ipetkov",
|
||||
"repo": "crane",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"fenix-monthly": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"rust-analyzer-src": "rust-analyzer-src"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1735713283,
|
||||
"narHash": "sha256-xC6X49L55xo7AV+pAYclOj5UNWtBo/xx5aB5IehJD0M=",
|
||||
"owner": "nix-community",
|
||||
"repo": "fenix",
|
||||
"rev": "bfba822a4220b0e2c4dc7f36a35e4c8450cd9a9c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-community",
|
||||
"ref": "monthly",
|
||||
"repo": "fenix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-compat": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1696426674,
|
||||
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-parts": {
|
||||
"inputs": {
|
||||
"nixpkgs-lib": [
|
||||
"lanzaboote",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1717285511,
|
||||
"narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=",
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-utils": {
|
||||
"inputs": {
|
||||
"systems": "systems"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1710146030,
|
||||
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-utils_2": {
|
||||
"inputs": {
|
||||
"systems": "systems_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1731533236,
|
||||
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"gitignore": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"lanzaboote",
|
||||
"pre-commit-hooks-nix",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1709087332,
|
||||
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
|
||||
"owner": "hercules-ci",
|
||||
"repo": "gitignore.nix",
|
||||
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "hercules-ci",
|
||||
"repo": "gitignore.nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"lanzaboote": {
|
||||
"inputs": {
|
||||
"crane": "crane",
|
||||
"flake-compat": "flake-compat",
|
||||
"flake-parts": "flake-parts",
|
||||
"flake-utils": "flake-utils",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
|
||||
"rust-overlay": "rust-overlay"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1718178907,
|
||||
"narHash": "sha256-eSZyrQ9uoPB9iPQ8Y5H7gAmAgAvCw3InStmU3oEjqsE=",
|
||||
"owner": "nix-community",
|
||||
"repo": "lanzaboote",
|
||||
"rev": "b627ccd97d0159214cee5c7db1412b75e4be6086",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-community",
|
||||
"ref": "v0.4.1",
|
||||
"repo": "lanzaboote",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"microvm": {
|
||||
"inputs": {
|
||||
"flake-utils": "flake-utils_2",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"spectrum": "spectrum"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1736905611,
|
||||
"narHash": "sha256-eW6SfZRaOnOybBzhvEzu3iRL8IhwE0ETxUpnkErlqkE=",
|
||||
"owner": "astro",
|
||||
"repo": "microvm.nix",
|
||||
"rev": "a18d7ba1bb7fd4841191044ca7a7f895ef2adf3b",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "astro",
|
||||
"repo": "microvm.nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1725407940,
|
||||
"narHash": "sha256-tiN5Rlg/jiY0tyky+soJZoRzLKbPyIdlQ77xVgREDNM=",
|
||||
"lastModified": 1717794163,
|
||||
"narHash": "sha256-Ch6ZpFPVvi7Bb6gmmuufpTEFkXqa43pC94XMfU5FEt0=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "6f6c45b5134a8ee2e465164811e451dcb5ad86e3",
|
||||
"rev": "121f68ed7c6c32de5a8ce91a08ef25713d1c4755",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixos-24.05",
|
||||
"ref": "nixos-unstable-small",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-stable": {
|
||||
"locked": {
|
||||
"lastModified": 1721524707,
|
||||
"narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=",
|
||||
"lastModified": 1710695816,
|
||||
"narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "556533a23879fc7e5f98dd2e0b31a6911a213171",
|
||||
"rev": "614b4613980a522ba49f0d194531beddbb7220d3",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "release-24.05",
|
||||
"ref": "nixos-23.11",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1725634671,
|
||||
"narHash": "sha256-v3rIhsJBOMLR8e/RNWxr828tB+WywYIoajrZKFM+0Gg=",
|
||||
"lastModified": 1736798957,
|
||||
"narHash": "sha256-qwpCtZhSsSNQtK4xYGzMiyEDhkNzOCz/Vfu4oL2ETsQ=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "574d1eac1c200690e27b8eb4e24887f8df7ac27c",
|
||||
"rev": "9abb87b552b7f55ac8916b6fc9e5cb486656a2f3",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -50,11 +235,27 @@
|
|||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1725194671,
|
||||
"narHash": "sha256-tLGCFEFTB5TaOKkpfw3iYT9dnk4awTP/q4w+ROpMfuw=",
|
||||
"lastModified": 1736867362,
|
||||
"narHash": "sha256-i/UJ5I7HoqmFMwZEH6vAvBxOrjjOJNU739lnZnhUln8=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "b833ff01a0d694b910daca6e2ff4a3f26dee478c",
|
||||
"rev": "9c6b49aeac36e2ed73a8c472f1546f6d9cf1addc",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixos-24.11",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_3": {
|
||||
"locked": {
|
||||
"lastModified": 1731763621,
|
||||
"narHash": "sha256-ddcX4lQL0X05AYkrkV2LMFgGdRvgap7Ho8kgon3iWZk=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "c69a9bffbecde46b4b939465422ddc59493d3e4d",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -64,24 +265,95 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"pre-commit-hooks-nix": {
|
||||
"inputs": {
|
||||
"flake-compat": [
|
||||
"lanzaboote",
|
||||
"flake-compat"
|
||||
],
|
||||
"gitignore": "gitignore",
|
||||
"nixpkgs": [
|
||||
"lanzaboote",
|
||||
"nixpkgs"
|
||||
],
|
||||
"nixpkgs-stable": "nixpkgs-stable"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1717664902,
|
||||
"narHash": "sha256-7XfBuLULizXjXfBYy/VV+SpYMHreNRHk9nKMsm1bgb4=",
|
||||
"owner": "cachix",
|
||||
"repo": "pre-commit-hooks.nix",
|
||||
"rev": "cc4d466cb1254af050ff7bdf47f6d404a7c646d1",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "cachix",
|
||||
"repo": "pre-commit-hooks.nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"nixpkgs": "nixpkgs",
|
||||
"fenix-monthly": "fenix-monthly",
|
||||
"lanzaboote": "lanzaboote",
|
||||
"microvm": "microvm",
|
||||
"nixpkgs": "nixpkgs_2",
|
||||
"nixpkgs-unstable": "nixpkgs-unstable",
|
||||
"sops-nix": "sops-nix"
|
||||
}
|
||||
},
|
||||
"sops-nix": {
|
||||
"rust-analyzer-src": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1735659655,
|
||||
"narHash": "sha256-DQgwi3pwaasWWDfNtXIX0lW5KvxQ+qVhxO1J7l68Qcc=",
|
||||
"owner": "rust-lang",
|
||||
"repo": "rust-analyzer",
|
||||
"rev": "085ad107943996c344633d58f26467b05f8e2ff0",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "rust-lang",
|
||||
"ref": "nightly",
|
||||
"repo": "rust-analyzer",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"rust-overlay": {
|
||||
"inputs": {
|
||||
"nixpkgs": "nixpkgs_2",
|
||||
"nixpkgs-stable": "nixpkgs-stable"
|
||||
"flake-utils": [
|
||||
"lanzaboote",
|
||||
"flake-utils"
|
||||
],
|
||||
"nixpkgs": [
|
||||
"lanzaboote",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1725540166,
|
||||
"narHash": "sha256-htc9rsTMSAY5ek+DB3tpntdD/es0eam2hJgO92bWSys=",
|
||||
"lastModified": 1717813066,
|
||||
"narHash": "sha256-wqbRwq3i7g5EHIui0bIi84mdqZ/It1AXBSLJ5tafD28=",
|
||||
"owner": "oxalica",
|
||||
"repo": "rust-overlay",
|
||||
"rev": "6dc3e45fe4aee36efeed24d64fc68b1f989d5465",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "oxalica",
|
||||
"repo": "rust-overlay",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"sops-nix": {
|
||||
"inputs": {
|
||||
"nixpkgs": "nixpkgs_3"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1736808430,
|
||||
"narHash": "sha256-wlgdf/n7bJMLBheqt1jmPoxJFrUP6FByKQFXuM9YvIk=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "d9d781523a1463965cd1e1333a306e70d9feff07",
|
||||
"rev": "553c7cb22fed19fd60eb310423fdc93045c51ba8",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -89,6 +361,52 @@
|
|||
"repo": "sops-nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"spectrum": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1733308308,
|
||||
"narHash": "sha256-+RcbMAjSxV1wW5UpS9abIG1lFZC8bITPiFIKNnE7RLs=",
|
||||
"ref": "refs/heads/main",
|
||||
"rev": "80c9e9830d460c944c8f730065f18bb733bc7ee2",
|
||||
"revCount": 792,
|
||||
"type": "git",
|
||||
"url": "https://spectrum-os.org/git/spectrum"
|
||||
},
|
||||
"original": {
|
||||
"type": "git",
|
||||
"url": "https://spectrum-os.org/git/spectrum"
|
||||
}
|
||||
},
|
||||
"systems": {
|
||||
"locked": {
|
||||
"lastModified": 1681028828,
|
||||
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"systems_2": {
|
||||
"locked": {
|
||||
"lastModified": 1681028828,
|
||||
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"type": "github"
|
||||
}
|
||||
}
|
||||
},
|
||||
"root": "root",
|
||||
|
|
67
flake.nix
67
flake.nix
|
@ -1,14 +1,45 @@
|
|||
{
|
||||
description = "Lyns flake";
|
||||
inputs = {
|
||||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
|
||||
microvm.url = "github:astro/microvm.nix";
|
||||
microvm.inputs.nixpkgs.follows = "nixpkgs";
|
||||
lanzaboote.url = "github:nix-community/lanzaboote/v0.4.1";
|
||||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
|
||||
sops-nix.url = "github:Mic92/sops-nix";
|
||||
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
|
||||
fenix-monthly = {
|
||||
url = "github:nix-community/fenix/monthly";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
outputs = {self, nixpkgs, nixpkgs-unstable, sops-nix }@inputs: let
|
||||
};
|
||||
outputs = {
|
||||
self,
|
||||
nixpkgs,
|
||||
nixpkgs-unstable,
|
||||
sops-nix,
|
||||
lanzaboote,
|
||||
microvm,
|
||||
fenix-monthly,
|
||||
} @ inputs: let
|
||||
imports = {
|
||||
imports = [
|
||||
sops-nix.nixosModules.sops
|
||||
passInputs
|
||||
mkLocalModsInput
|
||||
lanzaboote.nixosModules.lanzaboote
|
||||
inputs.microvm.nixosModules.host
|
||||
./hosts/network.nix
|
||||
./meta/wgautomesh
|
||||
];
|
||||
passInputs = ({lib,config,...}:{
|
||||
};
|
||||
overlays = {
|
||||
default = import ./pkgs/overlay.nix inputs;
|
||||
};
|
||||
passInputs = {
|
||||
lib,
|
||||
config,
|
||||
...
|
||||
}: {
|
||||
options.flakePath = lib.mkOption {type = lib.types.path;};
|
||||
config.flakePath = ./.;
|
||||
options.inputs = lib.mkOption {type = lib.types.attrs;};
|
||||
|
@ -17,27 +48,43 @@
|
|||
config.pkgsInstances = {
|
||||
unstable = import inputs.nixpkgs-unstable {system = config.nixpkgs.system;};
|
||||
};
|
||||
});
|
||||
config.nixpkgs.overlays = lib.attrValues overlays;
|
||||
};
|
||||
inherit (nixpkgs) lib;
|
||||
|
||||
mkLocalMods = import ./meta/mkLocalMods.nix {inherit lib;};
|
||||
mkLocalModsInput = mkLocalMods {
|
||||
prefix = ["lyn"];
|
||||
dir = ./modules;
|
||||
};
|
||||
in {
|
||||
nixosConfigurations = {
|
||||
"forgenite" = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
modules = [
|
||||
./hosts/forgenite
|
||||
sops-nix.nixosModules.sops
|
||||
passInputs
|
||||
(mkLocalMods {prefix = ["lyn"]; dir = ./modules;})
|
||||
imports
|
||||
];
|
||||
};
|
||||
"forgejo-ci" = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
modules = [
|
||||
./hosts/forgejo-ci
|
||||
sops-nix.nixosModules.sops
|
||||
passInputs
|
||||
(mkLocalMods {prefix = ["lyn"]; dir = ./modules;})
|
||||
imports
|
||||
];
|
||||
};
|
||||
"supernova" = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
modules = [
|
||||
./hosts/supernova
|
||||
imports
|
||||
];
|
||||
};
|
||||
"wg-gateway" = nixpkgs.lib.nixosSystem {
|
||||
system = "aarch64-linux";
|
||||
modules = [
|
||||
./hosts/wg-gateway
|
||||
imports
|
||||
];
|
||||
};
|
||||
};
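Review bot: The shared `imports` list puts `inputs.microvm.nixosModules.host` (and `lanzaboote.nixosModules.lanzaboote`) into every `nixosConfigurations` entry, including `forgejo-ci` and the aarch64 `wg-gateway`, so each of them now carries whatever the microvm host module configures even though only `supernova` enables the hypervisor profile; if that is not intended, move the line into `hosts/supernova/virtualization.nix`. Independently, `microvm` is already destructured from the arguments at `microvm,`, so `microvm.nixosModules.host` would be consistent with the neighbouring `sops-nix.nixosModules.sops` and `lanzaboote.nixosModules.lanzaboote`. The `outputs` function continues past the end of the hunk.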
|
||||
|
|
|
@ -1,10 +1,16 @@
|
|||
{ config, pkgs, lib, inputs, ... }: with config.lyn.lib; {
|
||||
imports =
|
||||
[
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
inputs,
|
||||
...
|
||||
}:
|
||||
with config.lyn.lib; {
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
./../../users/lyn
|
||||
];
|
||||
lyn.sops.secrets."hosts/forgejo-ci/forgejo_ci_token" = {};
|
||||
lyn.users.lyn.enable = true;
|
||||
lyn.kernel.latest.enable = true;
|
||||
lyn.kernel.hardened.enable = true;
|
||||
lyn.profiles.base.enable = true;
|
||||
|
@ -12,13 +18,9 @@
|
|||
lyn.services.forgejo-ci.enable = true;
|
||||
lyn.services.forgejo-ci.domain = "git.shibe.pro";
|
||||
lyn.services.forgejo-ci.instancename = "shibepro-ci";
|
||||
# Use UEFI
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
|
||||
networking.hostName = "forgejo-ci"; # Define your hostname.
|
||||
|
||||
# Firewall stuff:
|
||||
networking.firewall.enable = true;
|
||||
networking.firewall.allowPing = true;
|
||||
system.stateVersion = "23.05";
|
||||
}
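Review bot: `lyn.sops.secrets."hosts/forgejo-ci/forgejo_ci_token" = {};` declares the secret with the wrapper's defaults (for sops-nix that is root-owned, mode 0400), while the sibling host writes `lyn.sops.secrets."hosts/forgenite/forgejo_db_password".owner = "forgejo";`; if `lyn.services.forgejo-ci` reads the token as a service user, this declaration needs an `owner` (or `mode`) too, or the unit may fail to read it. Either way a one-line comment naming the consumer would settle it, e.g. `# read by lyn.services.forgejo-ci; owner must match its service user`. If the second hunk is what drops the explicit `networking.firewall` lines, note that NixOS keeps the firewall enabled by default but `allowPing` is then whatever the base profile sets. The enclosing module spans both hunks.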
|
||||
|
|
|
@ -1,13 +1,17 @@
|
|||
{ config, pkgs, lib, inputs, ... }: {
|
||||
imports =
|
||||
[
|
||||
./../../users/lyn
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
inputs,
|
||||
...
|
||||
}: {
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
lyn.sops.secrets."hosts/forgenite/forgejo_db_password".owner = "forgejo";
|
||||
|
||||
lyn.users.lyn.enable = true;
|
||||
lyn.kernel.latest.enable = true;
|
||||
lyn.kernel.hardened.enable =true;
|
||||
lyn.kernel.hardened.enable = true;
|
||||
lyn.profiles.base.enable = true;
|
||||
lyn.profiles.vm.enable = true;
|
||||
|
||||
|
@ -18,10 +22,6 @@
|
|||
lyn.services.forgejo.domain = "git.shibe.pro";
|
||||
networking.hostName = "forgenite"; # Define your hostname.
|
||||
|
||||
# Firewall stuff:
|
||||
networking.firewall.enable = true;
|
||||
networking.firewall.allowPing = true;
|
||||
|
||||
# This value determines the NixOS release from which the default
|
||||
# settings for stateful data, like file locations and database versions
|
||||
# on your system were taken. It's perfectly fine and recommended to leave
|
||||
|
@ -29,11 +29,4 @@
|
|||
# Before changing this value read the documentation for this option
|
||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||||
system.stateVersion = "24.05"; # Did you read the comment?
|
||||
|
||||
nix.gc = {
|
||||
automatic = true;
|
||||
persistent = true;
|
||||
options = "--delete-older-than 8d";
|
||||
};
|
||||
}
|
||||
|
||||
|
|
129
hosts/network.nix
Normal file
129
hosts/network.nix
Normal file
|
@ -0,0 +1,129 @@
|
|||
{
|
||||
lib,
|
||||
config,
|
||||
...
|
||||
}: let
|
||||
prefix = "lyn";
|
||||
|
||||
#hosts are defined here
|
||||
hosts = {
|
||||
wg-gateway = {
|
||||
wg = {
|
||||
enabled = true;
|
||||
pubkey = "Fknzk7lltkPKJZlF3KXWKGQXXSj7CUD9ev0ZEZtpbjY=";
|
||||
};
|
||||
IPv4 = {
|
||||
public = "78.47.226.47";
|
||||
# we use 10.35.0.0/16 as a range for private subnets, specifically 10.35.0.0/24 for wireguard peers
|
||||
internal = "10.35.0.3";
|
||||
};
|
||||
IPv6 = {
|
||||
public = "2a01:4f8:1c1b:d2db::";
|
||||
# 1aacabcafe is the global ID and 1337 is the wireguard peer subnet ID, resulting in the ULA fd1a:acab:cafe:1337::/64
|
||||
internal = "fd1a:acab:cafe:1337:8f4c:68cd::";
|
||||
};
|
||||
};
|
||||
supernova = {
|
||||
wg = {
|
||||
enabled = true;
|
||||
pubkey = "jdfbOnP0mFWFobtQunm0h6EtqOZiar9G9jngMU7b+Co=";
|
||||
port_v4 = 56052;
|
||||
};
|
||||
IPv4 = {
|
||||
# we use 10.35.0.0/16 as a range for private subnets, specifically 10.35.0.0/24 for wireguard peers
|
||||
internal = "10.35.0.2";
|
||||
};
|
||||
IPv6 = {
|
||||
# 1aacabcafe is the global ID and 1337 is the wireguard peer subnet ID, resulting in the ULA fd1a:acab:cafe:1337::/64
|
||||
internal = "fd1a:acab:cafe:1337:6722:3657::";
|
||||
};
|
||||
};
|
||||
};
|
||||
in {
|
||||
options = {
|
||||
${prefix} = {
|
||||
# defining the entire hosts part as a module
|
||||
network.hosts = lib.mkOption {
|
||||
type = lib.types.attrsOf (lib.types.submodule {
|
||||
options = {
|
||||
wg = lib.mkOption {
|
||||
type = lib.types.submodule {
|
||||
options = {
|
||||
enabled = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = false;
|
||||
description = "Enable WireGuard";
|
||||
};
|
||||
pubkey = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.str;
|
||||
default = null;
|
||||
description = "Public key for WireGuard";
|
||||
};
|
||||
port_v4 = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
default = 51820;
|
||||
description = "Port for WireGuard";
|
||||
};
|
||||
port_v6 = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
default = 51821;
|
||||
description = "Port for WireGuard";
|
||||
};
|
||||
};
|
||||
};
|
||||
description = "WireGuard configuration";
|
||||
};
|
||||
IPv4 = lib.mkOption {
|
||||
type = lib.types.submodule {
|
||||
options = {
|
||||
public = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.str;
|
||||
default = null;
|
||||
description = "Public IPv4 address";
|
||||
};
|
||||
internal = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = "Wireguard-internal IPv4 address";
|
||||
};
|
||||
};
|
||||
};
|
||||
description = "IPv4 configuration";
|
||||
default = {};
|
||||
};
|
||||
IPv6 = lib.mkOption {
|
||||
type = lib.types.submodule {
|
||||
options = {
|
||||
public = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.str;
|
||||
default = null;
|
||||
description = "Public IPv6 address";
|
||||
};
|
||||
internal = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = "Wireguard-internal IPv6 address";
|
||||
};
|
||||
};
|
||||
};
|
||||
description = "IPv6 configuration";
|
||||
default = {};
|
||||
};
|
||||
};
|
||||
});
|
||||
default = {};
|
||||
description = "All hosts in this network that this config should be aware of";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = {
|
||||
${prefix}.network = {
|
||||
inherit hosts;
|
||||
};
|
||||
assertions = [
|
||||
{
|
||||
assertion = lib.any (host: host.IPv4 != null || host.IPv6 != null) (lib.attrValues hosts);
|
||||
message = "Either an IPv4 or IPv6 must be defined for each host";
|
||||
}
|
||||
];
|
||||
};
|
||||
}
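Review bot: The assertion `assertion = lib.any (host: host.IPv4 != null || host.IPv6 != null) (lib.attrValues hosts);` cannot fail: `IPv4` and `IPv6` are submodule options with `default = {}`, so they are never `null`, and `lib.any` only requires one host to pass while the message promises a check for each host; it also inspects the literal `hosts` instead of `config.${prefix}.network.hosts`, so hosts merged in by other modules are never checked. Give `internal` the type `lib.types.nullOr lib.types.str` with `default = null;` in both submodules and write `assertion = lib.all (host: host.IPv4.internal != null || host.IPv6.internal != null) (lib.attrValues config.${prefix}.network.hosts);`. `port_v4` and `port_v6` could use `lib.types.port` rather than `lib.types.int` to reject out-of-range values, and their two identical descriptions `"Port for WireGuard"` should say which address family each applies to.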
|
71
hosts/supernova/default.nix
Normal file
71
hosts/supernova/default.nix
Normal file
|
@ -0,0 +1,71 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
inputs,
|
||||
...
|
||||
}:
|
||||
with config.lyn.lib; {
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
./virtualization.nix
|
||||
];
|
||||
lyn.kernel.latest.enable = true;
|
||||
lyn.profiles.base.enable = true;
|
||||
lyn.profiles.headless.enable = true;
|
||||
lyn.users.lyn.enable = true;
|
||||
lyn.users.ellie.enable = true;
|
||||
networking.hostName = "supernova";
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
||||
# this is overridden by the secureboot profile, still here so the system retains a bootloader in case secure boot profile is disabled:
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
|
||||
# Firmware updates:
|
||||
services.fwupd.enable = true;
|
||||
|
||||
lyn.services.mkMesh = {
|
||||
enable = true;
|
||||
enable_upnp_portforward = true;
|
||||
};
|
||||
|
||||
##1##3##3##7##
|
||||
## Security ##
|
||||
##1##3##3##7##
|
||||
|
||||
# Kernel hardening
|
||||
lyn.kernel.hardened.enable = true;
|
||||
## Don't print any errors/logs to the console
|
||||
boot.consoleLogLevel = 0;
|
||||
|
||||
# Secure boot
|
||||
lyn.profiles.secureboot.enable = true;
|
||||
|
||||
# FDE + initrd stuff
|
||||
boot.kernelParams = ["ip=dhcp"];
|
||||
boot.loader.timeout = 2;
|
||||
boot.initrd = {
|
||||
availableKernelModules = ["r8169"];
|
||||
systemd.users.root.shell = "/bin/systemd-tty-ask-password-agent";
|
||||
secrets = {"/root/initrd-ssh-key" = "/root/initrd-ssh-key";};
|
||||
network = {
|
||||
enable = true;
|
||||
ssh = {
|
||||
enable = true;
|
||||
port = 2222;
|
||||
# WARNING: this key will be globally accessible through Nix store. Don't use the booted/decrypted systems host key here.
|
||||
hostKeys = [/root/initrd-ssh-key];
|
||||
# this includes the ssh keys of all users in the wheel group, but you can just specify some keys manually
|
||||
# authorizedKeys = [ "ssh-rsa ..." ];
|
||||
authorizedKeys = with lib;
|
||||
concatLists (mapAttrsToList (name: user:
|
||||
if elem "wheel" user.extraGroups
|
||||
then user.openssh.authorizedKeys.keys
|
||||
else [])
|
||||
config.users.users);
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
system.stateVersion = "24.05";
|
||||
}
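Review bot: The comment `# WARNING: this key will be globally accessible through Nix store.` above `hostKeys = [/root/initrd-ssh-key];` no longer describes this configuration: the same path is registered in `boot.initrd.secrets`, so (assuming that mechanism is honoured by the bootloader in use) the key is appended to the initrd at install time rather than copied into the store, and the real exposure is that anyone able to read the unencrypted `/boot` partition can read it. Reword it to say that, e.g. `# Dedicated initrd-only key shipped via boot.initrd.secrets; it sits unencrypted on the ESP, so never reuse the booted system's host key here.` Whether the unquoted path literal is handled differently from the quoted string form by the initrd ssh module is worth confirming; the quoted form `hostKeys = ["/root/initrd-ssh-key"];` matches the option's documented examples. The derived `authorizedKeys` grants pre-boot unlock to every key of every wheel user, which is broader than the commented `# authorizedKeys = [ "ssh-rsa ..." ];` alternative, so a one-line comment stating that this breadth is intended would keep the next reader from narrowing it by accident.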
|
71
hosts/supernova/hardware-configuration.nix
Normal file
71
hosts/supernova/hardware-configuration.nix
Normal file
|
@ -0,0 +1,71 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
modulesPath,
|
||||
...
|
||||
}: {
|
||||
imports = [
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod"];
|
||||
boot.initrd.kernelModules = ["dm-snapshot"];
|
||||
boot.kernelModules = ["kvm-amd"];
|
||||
boot.extraModulePackages = [];
|
||||
|
||||
boot.initrd.systemd.enable = true;
|
||||
boot.initrd.luks.devices = {
|
||||
"root" = {
|
||||
device = "/dev/disk/by-uuid/db8a5cf9-c54b-4e6a-b3f9-e6323eb962a6";
|
||||
# doubles SSD performance because r/w queue is unnecessary on SSDs
|
||||
bypassWorkqueues = true;
|
||||
};
|
||||
"chungus_1" = {
|
||||
device = "/dev/disk/by-uuid/2c02d324-df81-4c63-b1f8-16c411d1b34a";
|
||||
keyFile = "/sysroot/root/raid_keyfile";
|
||||
};
|
||||
"chungus_2" = {
|
||||
device = "/dev/disk/by-uuid/b642a13f-ddb8-4e25-b885-3eea3744a208";
|
||||
keyFile = "/sysroot/root/raid_keyfile";
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
fileSystems."/" = {
|
||||
device = "/dev/mapper/vg-root";
|
||||
fsType = "btrfs";
|
||||
options = ["x-systemd.device-timeout=0"];
|
||||
};
|
||||
|
||||
fileSystems."/boot" = {
|
||||
device = "/dev/disk/by-uuid/0374-0967";
|
||||
fsType = "vfat";
|
||||
options = ["fmask=0022" "dmask=0022" "umask=0077" "x-systemd.device-timeout=0"];
|
||||
};
|
||||
fileSystems."/mnt/chungus" = {
|
||||
device = "/dev/mapper/chungus_1";
|
||||
fsType = "btrfs";
|
||||
options = [ "defaults" "noatime" "compress=zstd" "space_cache=v2" "autodefrag" "subvol=main"];
|
||||
};
|
||||
swapDevices = [
|
||||
{
|
||||
device = "/dev/mapper/vg-swap";
|
||||
options = ["x-systemd.device-timeout=0"];
|
||||
}
|
||||
];
|
||||
|
||||
|
||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||
# still possible to use this option, but it's recommended to use it in conjunction
|
||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.enp6s0.useDHCP = lib.mkDefault true;
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||
}
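Review bot: `options = ["fmask=0022" "dmask=0022" "umask=0077" "x-systemd.device-timeout=0"];` on `fileSystems."/boot"` hands vfat two contradictory permission settings; the options are applied in order so the later `umask=0077` should win, but a reader cannot tell which was meant. Since this partition carries the initrd with the `boot.initrd.secrets` material, the restrictive result is the one you want — drop the `0022` entries and use `["fmask=0077" "dmask=0077" "x-systemd.device-timeout=0"]`, which also matches `hosts/wg-gateway/hardware-configuration.nix`. The `# Do not modify this file!` header is no longer true here (LUKS key files, a btrfs mount and tuning comments were added by hand) and should be removed so nobody assumes a fresh `nixos-generate-config` run is safe to paste over it.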
|
3
hosts/supernova/virtualization.nix
Normal file
3
hosts/supernova/virtualization.nix
Normal file
|
@ -0,0 +1,3 @@
|
|||
{...}: {
|
||||
lyn.profiles.hypervisor.enable = true;
|
||||
}
|
41
hosts/wg-gateway/default.nix
Normal file
41
hosts/wg-gateway/default.nix
Normal file
|
@ -0,0 +1,41 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}: {
|
||||
imports = [
|
||||
# Include the results of the hardware scan.
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
||||
lyn.kernel.latest.enable = true;
|
||||
lyn.profiles.base.enable = true;
|
||||
lyn.profiles.secureboot.enable = true;
|
||||
lyn.users.lyn.enable = true;
|
||||
|
||||
# network
|
||||
|
||||
lyn.services.mkMesh = {
|
||||
enable = true;
|
||||
enable_lan_discovery = false;
|
||||
};
|
||||
|
||||
networking.useDHCP = false;
|
||||
networking.hostName = "wg-gateway"; # Define your hostname.
|
||||
systemd.network.enable = true;
|
||||
systemd.network.networks."10-wan" = {
|
||||
matchConfig.Name = "enp1s0";
|
||||
networkConfig.DHCP = "ipv4";
|
||||
address = [
|
||||
"2a01:4f8:1c1b:d2db::/64"
|
||||
];
|
||||
routes = [
|
||||
{routeConfig.Gateway = "fe80::1";}
|
||||
];
|
||||
};
|
||||
|
||||
system.stateVersion = "24.05";
|
||||
}
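Review bot: `{routeConfig.Gateway = "fe80::1";}` uses the `routeConfig` wrapper, which NixOS 24.11 (the release this flake now pins) deprecates in favour of the flat form `{Gateway = "fe80::1";}`; the old spelling still evaluates but warns on every build — confirm against the pinned nixpkgs. This host is the internet-facing gateway, yet unlike `supernova`, `forgenite` and `forgejo-ci` it does not set `lyn.kernel.hardened.enable = true;`; if that is deliberate (for example because of the aarch64 guest), a one-line comment next to the kernel lines saying so stops it being read as an omission. The bare `# network` comment says nothing; replace it with what the block does, e.g. `# WAN: DHCPv4 plus the static IPv6 /64 routed via the link-local gateway`.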
|
38
hosts/wg-gateway/hardware-configuration.nix
Normal file
38
hosts/wg-gateway/hardware-configuration.nix
Normal file
|
@ -0,0 +1,38 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
modulesPath,
|
||||
...
|
||||
}: {
|
||||
imports = [
|
||||
(modulesPath + "/profiles/qemu-guest.nix")
|
||||
];
|
||||
boot.initrd.kernelModules = ["virtio_gpu"];
|
||||
boot.kernelParams = ["console=tty"];
|
||||
boot.initrd.availableKernelModules = ["xhci_pci" "virtio_scsi" "sr_mod"];
|
||||
boot.kernelModules = [];
|
||||
boot.extraModulePackages = [];
|
||||
|
||||
fileSystems."/" = {
|
||||
device = "/dev/disk/by-uuid/7cb49846-af34-40ec-b144-decc9c284e94";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
fileSystems."/boot" = {
|
||||
device = "/dev/disk/by-uuid/BEFA-C7BC";
|
||||
fsType = "vfat";
|
||||
options = ["fmask=0077" "dmask=0077"];
|
||||
};
|
||||
|
||||
swapDevices = [
|
||||
{device = "/dev/disk/by-uuid/63e6e56c-9fbd-4bc2-a0e7-8be171565710";}
|
||||
];
|
||||
|
||||
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
|
||||
}
|
|
@ -1,7 +1,5 @@
|
|||
{
|
||||
imports = [
|
||||
./mkLocalMods.nix
|
||||
# ./enable.nix
|
||||
];
|
||||
}
|
||||
|
||||
|
|
|
@ -1,7 +0,0 @@
|
|||
{lib, config, ...}: {
|
||||
config.lyn.lib.enable = list: lib.genAttrs
|
||||
list
|
||||
(
|
||||
name: {enable = true;}
|
||||
);
|
||||
}
|
|
@ -1,26 +1,61 @@
|
|||
{lib, ...}:
|
||||
let
|
||||
{lib, ...}: let
|
||||
inherit (import ./packagesFromDirectoryRecursive.nix {inherit lib;}) packagesFromDirectoryRecursive;
|
||||
mapAttrKVs = mapFn: attrs: builtins.foldl' (acc: cur: acc // {${cur.key} = cur.value;}) {} (builtins.attrValues (builtins.mapAttrs mapFn attrs));
|
||||
#kv = key: value: {inherit key value;};
|
||||
recurseNaive = curPath: fn: mapAttrKVs (k: v: let
|
||||
recurseNaive = curPath: fn:
|
||||
mapAttrKVs (
|
||||
k: v: let
|
||||
match = builtins.match "(.*)[.]nix" k;
|
||||
in if v == "regular" && match != null then {key = builtins.elemAt match 0; value = fn (curPath + ("/" + k));}
|
||||
else if v == "directory" then {key = k; value = recurseNaive (curPath + ("/" + k)) fn;}
|
||||
else {key = null; value = null;}
|
||||
in
|
||||
if v == "regular" && match != null
|
||||
then {
|
||||
key = builtins.elemAt match 0;
|
||||
value = fn (curPath + ("/" + k));
|
||||
}
|
||||
else if v == "directory"
|
||||
then {
|
||||
key = k;
|
||||
value = recurseNaive (curPath + ("/" + k)) fn;
|
||||
}
|
||||
else {
|
||||
key = null;
|
||||
value = null;
|
||||
}
|
||||
) (builtins.readDir curPath);
|
||||
|
||||
getAttrKVsRec = prefix: as: lib.flatten (lib.mapAttrsToList (k: v:
|
||||
if lib.isAttrs v then getAttrKVsRec (prefix ++ [k]) v
|
||||
else [{path = prefix ++ [k]; value = v;}]
|
||||
) as);
|
||||
getAttrKVsRec = prefix: as:
|
||||
lib.flatten (lib.mapAttrsToList (
|
||||
k: v:
|
||||
if lib.isAttrs v
|
||||
then getAttrKVsRec (prefix ++ [k]) v
|
||||
else [
|
||||
{
|
||||
path = prefix ++ [k];
|
||||
value = v;
|
||||
}
|
||||
]
|
||||
)
|
||||
as);
|
||||
|
||||
getPathKVsRec = prefix: dir: getAttrKVsRec prefix (lib.packagesFromDirectoryRecursive { callPackage = path: x: path; directory = dir; });
|
||||
getPathKVsRec = prefix: dir:
|
||||
getAttrKVsRec prefix (packagesFromDirectoryRecursive {
|
||||
callPackage = path: x: path;
|
||||
directory = dir;
|
||||
});
|
||||
|
||||
unifyMod = (import ./modules-extracted.nix {lib = lib;}).unifyModuleSyntax;
|
||||
transformLocalMod = {path, value}: let
|
||||
modFn = if lib.isFunction (import value) then import value else (p: import value);
|
||||
transformLocalMod = {
|
||||
path,
|
||||
value,
|
||||
}: let
|
||||
modFn =
|
||||
if lib.isFunction (import value)
|
||||
then import value
|
||||
else (p: import value);
|
||||
newMod = p: let
|
||||
paramNew = p // {
|
||||
paramNew =
|
||||
p
|
||||
// {
|
||||
cfg = lib.getAttrFromPath path p.config;
|
||||
};
|
||||
|
||||
|
@ -32,22 +67,41 @@ let
|
|||
fileCtx = str: "${modUni._file} (mkLocalMods ${str})";
|
||||
enablePath = path ++ ["enable"];
|
||||
|
||||
imports = [ {
|
||||
imports = [
|
||||
{
|
||||
_file = fileCtx "`opt` processor";
|
||||
key = fileCtx "`opt` processor";
|
||||
options = lib.setAttrByPath path (modRaw.opt or {});
|
||||
} {
|
||||
}
|
||||
{
|
||||
_file = fileCtx "`enable` definition";
|
||||
key = fileCtx "`enable` definition";
|
||||
options = lib.setAttrByPath enablePath (lib.mkEnableOption (mod.desc or mod.description or mod.name or pathStr));
|
||||
} ({config, ...}: {
|
||||
}
|
||||
({config, ...}: {
|
||||
_file = fileCtx "config wrapper";
|
||||
key = fileCtx "config wrapper";
|
||||
config = lib.mkIf (lib.getAttrFromPath enablePath config) modUni.config;
|
||||
})];
|
||||
})
|
||||
];
|
||||
|
||||
newMod = modUni // { imports = modUni.imports ++ imports; config = {}; };
|
||||
in newMod; in lib.mirrorFunctionArgs modFn newMod;
|
||||
newMod =
|
||||
modUni
|
||||
// {
|
||||
imports = modUni.imports ++ imports;
|
||||
config = {};
|
||||
};
|
||||
in
|
||||
newMod;
|
||||
in
|
||||
lib.mirrorFunctionArgs modFn newMod;
|
||||
|
||||
mkLocalMods = {prefix ? [], dir}: { _file = "mkLocalMods collector"; imports = builtins.map transformLocalMod (getPathKVsRec prefix dir); };
|
||||
in mkLocalMods
|
||||
mkLocalMods = {
|
||||
prefix ? [],
|
||||
dir,
|
||||
}: {
|
||||
_file = "mkLocalMods collector";
|
||||
imports = builtins.map transformLocalMod (getPathKVsRec prefix dir);
|
||||
};
|
||||
in
|
||||
mkLocalMods
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
# https://github.com/NixOS/nixpkgs/blob/a5cfe012401cfebb4b2c28e74857b8ffe1402b4b/lib/modules.nix
|
||||
{ lib }:
|
||||
with lib.modules;
|
||||
let
|
||||
inherit (lib)
|
||||
{lib}:
|
||||
with lib.modules; let
|
||||
inherit
|
||||
(lib)
|
||||
addErrorContext
|
||||
all
|
||||
any
|
||||
|
@ -36,7 +36,8 @@ let
|
|||
optionalAttrs
|
||||
optionalString
|
||||
recursiveUpdate
|
||||
reverseList sort
|
||||
reverseList
|
||||
sort
|
||||
seq
|
||||
setAttrByPath
|
||||
substring
|
||||
|
@ -50,7 +51,8 @@ let
|
|||
zipAttrs
|
||||
zipAttrsWith
|
||||
;
|
||||
inherit (lib.options)
|
||||
inherit
|
||||
(lib.options)
|
||||
isOption
|
||||
mkOption
|
||||
showDefs
|
||||
|
@ -58,25 +60,29 @@ let
|
|||
showOption
|
||||
unknownModule
|
||||
;
|
||||
inherit (lib.strings)
|
||||
inherit
|
||||
(lib.strings)
|
||||
isConvertibleWithToString
|
||||
;
|
||||
|
||||
unifyModuleSyntax = file: key: m:
|
||||
let
|
||||
addMeta = config: if m ? meta
|
||||
then mkMerge [ config { meta = m.meta; } ]
|
||||
unifyModuleSyntax = file: key: m: let
|
||||
addMeta = config:
|
||||
if m ? meta
|
||||
then mkMerge [config {meta = m.meta;}]
|
||||
else config;
|
||||
addFreeformType = config: if m ? freeformType
|
||||
then mkMerge [ config { _module.freeformType = m.freeformType; } ]
|
||||
addFreeformType = config:
|
||||
if m ? freeformType
|
||||
then mkMerge [config {_module.freeformType = m.freeformType;}]
|
||||
else config;
|
||||
in
|
||||
if m ? config || m ? options then
|
||||
let badAttrs = removeAttrs m ["_class" "_file" "key" "disabledModules" "imports" "options" "config" "meta" "freeformType"]; in
|
||||
if badAttrs != {} then
|
||||
throw "Module `${key}' has an unsupported attribute `${head (attrNames badAttrs)}'. This is caused by introducing a top-level `config' or `options' attribute. Add configuration attributes immediately on the top level instead, or move all of them (namely: ${toString (attrNames badAttrs)}) into the explicit `config' attribute."
|
||||
else
|
||||
{ _file = toString m._file or file;
|
||||
if m ? config || m ? options
|
||||
then let
|
||||
badAttrs = removeAttrs m ["_class" "_file" "key" "disabledModules" "imports" "options" "config" "meta" "freeformType"];
|
||||
in
|
||||
if badAttrs != {}
|
||||
then throw "Module `${key}' has an unsupported attribute `${head (attrNames badAttrs)}'. This is caused by introducing a top-level `config' or `options' attribute. Add configuration attributes immediately on the top level instead, or move all of them (namely: ${toString (attrNames badAttrs)}) into the explicit `config' attribute."
|
||||
else {
|
||||
_file = toString m._file or file;
|
||||
_class = m._class or null;
|
||||
key = toString m.key or key;
|
||||
disabledModules = m.disabledModules or [];
|
||||
|
@ -87,7 +93,8 @@ let
|
|||
else
|
||||
# shorthand syntax
|
||||
throwIfNot (isAttrs m) "module ${file} (${key}) does not look like a module."
|
||||
{ _file = toString m._file or file;
|
||||
{
|
||||
_file = toString m._file or file;
|
||||
_class = m._class or null;
|
||||
key = toString m.key or key;
|
||||
disabledModules = m.disabledModules or [];
|
||||
|
@ -95,6 +102,4 @@ let
|
|||
options = {};
|
||||
config = addFreeformType (removeAttrs m ["_class" "_file" "key" "disabledModules" "require" "imports" "freeformType"]);
|
||||
};
|
||||
|
||||
|
||||
in {inherit unifyModuleSyntax;}
|
||||
|
|
55
meta/packagesFromDirectoryRecursive.nix
Normal file
55
meta/packagesFromDirectoryRecursive.nix
Normal file
|
@ -0,0 +1,55 @@
|
|||
{lib, ...}: with lib;{packagesFromDirectoryRecursive =
|
||||
{
|
||||
callPackage,
|
||||
directory,
|
||||
...
|
||||
} :
|
||||
let
|
||||
# Determine if a directory entry from `readDir` indicates a package or
|
||||
# directory of packages.
|
||||
directoryEntryIsPackage = basename: type:
|
||||
type == "directory" || hasSuffix ".nix" basename;
|
||||
|
||||
# List directory entries that indicate packages in the given `path`.
|
||||
packageDirectoryEntries = path:
|
||||
filterAttrs directoryEntryIsPackage (builtins.readDir path);
|
||||
|
||||
# Transform a directory entry (a `basename` and `type` pair) into a
|
||||
# package.
|
||||
directoryEntryToAttrPair = subdirectory: basename: type:
|
||||
let
|
||||
path = subdirectory + "/${basename}";
|
||||
in
|
||||
if type == "regular"
|
||||
then
|
||||
{
|
||||
name = removeSuffix ".nix" basename;
|
||||
value = callPackage path { };
|
||||
}
|
||||
else
|
||||
if type == "directory"
|
||||
then
|
||||
{
|
||||
name = basename;
|
||||
value = packagesFromDirectory path;
|
||||
}
|
||||
else
|
||||
throw
|
||||
''
|
||||
lib.filesystem.packagesFromDirectoryRecursive: Unsupported file type ${type} at path ${toString subdirectory}
|
||||
'';
|
||||
|
||||
# Transform a directory into a package but its edited to use default.nix because package.nix is nonstandard or
|
||||
# set of packages (otherwise).
|
||||
packagesFromDirectory = path:
|
||||
let
|
||||
defaultPackagePath = path + "/default.nix";
|
||||
in
|
||||
if pathExists defaultPackagePath
|
||||
then callPackage defaultPackagePath { }
|
||||
else mapAttrs'
|
||||
(directoryEntryToAttrPair path)
|
||||
(packageDirectoryEntries path);
|
||||
in
|
||||
packagesFromDirectory directory;
|
||||
}
|
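Review bot: This file appears to be a vendored copy of nixpkgs' `lib.filesystem.packagesFromDirectoryRecursive` with one behavioural change, but the comment `# Transform a directory into a package but its edited to use default.nix because package.nix is nonstandard or set of packages (otherwise).` is hard to parse and the `throw` message still names `lib.filesystem.packagesFromDirectoryRecursive`, which will mislead anyone reading the error. A clearer comment such as `# Local copy of nixpkgs' packagesFromDirectoryRecursive; the only intended change is that a directory holding default.nix (instead of package.nix) is treated as a single package.` plus an error prefix naming this file would make the divergence obvious when resyncing with upstream. The header `{lib, ...}: with lib;{packagesFromDirectoryRecursive =` is also the one file in this commit that the formatter was not run on.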
180
meta/wgautomesh/default.nix
Normal file
180
meta/wgautomesh/default.nix
Normal file
|
@ -0,0 +1,180 @@
|
|||
{
|
||||
lib,
|
||||
config,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
with lib; let
|
||||
cfg = config.services.wgautomesh;
|
||||
settingsFormat = pkgs.formats.toml {};
|
||||
configFile =
|
||||
# Have to remove nulls manually as TOML generator will not just skip key
|
||||
# if value is null
|
||||
settingsFormat.generate "wgautomesh-config.toml"
|
||||
(filterAttrs (k: v: v != null)
|
||||
(mapAttrs
|
||||
(
|
||||
k: v:
|
||||
if k == "peers" || k == "interfaces"
|
||||
then map (e: filterAttrs (k: v: v != null) e) v
|
||||
else v
|
||||
)
|
||||
cfg.settings));
|
||||
runtimeConfigFile =
|
||||
if cfg.enableGossipEncryption
|
||||
then "/run/wgautomesh/wgautomesh.toml"
|
||||
else configFile;
|
||||
in {
|
||||
disabledModules = ["services/networking/wgautomesh.nix"];
|
||||
options.services.wgautomesh = {
|
||||
enable = mkEnableOption "the wgautomesh daemon";
|
||||
logLevel = mkOption {
|
||||
type = types.enum ["trace" "debug" "info" "warn" "error"];
|
||||
default = "info";
|
||||
description = "wgautomesh log level.";
|
||||
};
|
||||
enableGossipEncryption = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = "Enable encryption of gossip traffic.";
|
||||
};
|
||||
gossipSecretFile = mkOption {
|
||||
type = types.path;
|
||||
description = ''
|
||||
File containing the gossip secret, a shared secret key to use for gossip
|
||||
encryption. Required if `enableGossipEncryption` is set. This file
|
||||
may contain any arbitrary-length utf8 string. To generate a new gossip
|
||||
secret, use a command such as `openssl rand -base64 32`.
|
||||
'';
|
||||
};
|
||||
enablePersistence = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = "Enable persistence of Wireguard peer info between restarts.";
|
||||
};
|
||||
openFirewall = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = "Automatically open gossip port in firewall (recommended).";
|
||||
};
|
||||
settings = mkOption {
|
||||
type = types.submodule {
|
||||
freeformType = settingsFormat.type;
|
||||
options = {
|
||||
gossip_port = mkOption {
|
||||
type = types.port;
|
||||
description = ''
|
||||
wgautomesh gossip port, this MUST be the same number on all nodes in
|
||||
the wgautomesh network.
|
||||
'';
|
||||
default = 1666;
|
||||
};
|
||||
lan_discovery = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = "Enable discovery of peers on the same LAN using UDP broadcast.";
|
||||
};
|
||||
upnp_open_ports = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Enable UPnP IGD port forwarding to interfaces of this wgautomesh instance.";
|
||||
};
|
||||
interfaces = mkOption {
|
||||
type = types.listOf (types.submodule {
|
||||
options = {
|
||||
name = mkOption {
|
||||
type = types.str;
|
||||
};
|
||||
upnp_forward_ext_port_v4 = mkOption {
|
||||
type = types.nullOr types.port;
|
||||
default = null;
|
||||
description = ''
|
||||
Public port number to try to redirect to this machine's Wireguard
|
||||
daemon using UPnP IGD. Only used if the interface has IPv4 peers.
|
||||
'';
|
||||
};
|
||||
};
|
||||
});
|
||||
default = [];
|
||||
description = "wgautomesh interface settings.";
|
||||
};
|
||||
peers = mkOption {
|
||||
type = types.listOf (types.submodule {
|
||||
options = {
|
||||
pubkey = mkOption {
|
||||
type = types.str;
|
||||
description = "Wireguard public key of this peer.";
|
||||
};
|
||||
interface = mkOption {
|
||||
type = types.str;
|
||||
};
|
||||
port = mkOption {
|
||||
type = types.nullOr types.port;
|
||||
example = 51820;
|
||||
};
|
||||
address = mkOption {
|
||||
type = types.str;
|
||||
description = ''
|
||||
Wireguard address of this peer (a single IP address, multiple
|
||||
addresses or address ranges are not supported).
|
||||
'';
|
||||
example = "10.0.0.42";
|
||||
};
|
||||
endpoint = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
description = ''
|
||||
Bootstrap endpoint for connecting to this Wireguard peer if no
|
||||
other address is known or none are working.
|
||||
'';
|
||||
default = null;
|
||||
example = "wgnode.mydomain.example";
|
||||
};
|
||||
};
|
||||
});
|
||||
default = [];
|
||||
description = "wgautomesh peer list.";
|
||||
};
|
||||
};
|
||||
};
|
||||
default = {};
|
||||
description = "Configuration for wgautomesh.";
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
services.wgautomesh.settings = {
|
||||
gossip_secret_file = mkIf cfg.enableGossipEncryption "$CREDENTIALS_DIRECTORY/gossip_secret";
|
||||
persist_file = mkIf cfg.enablePersistence "/var/lib/wgautomesh/state";
|
||||
};
|
||||
|
||||
systemd.services.wgautomesh = {
|
||||
path = [pkgs.wireguard-tools];
|
||||
environment = {RUST_LOG = "wgautomesh=${cfg.logLevel}";};
|
||||
description = "wgautomesh";
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
|
||||
ExecStart = "${getExe pkgs.wgautomesh} ${runtimeConfigFile}";
|
||||
Restart = "always";
|
||||
RestartSec = "30";
|
||||
LoadCredential = mkIf cfg.enableGossipEncryption ["gossip_secret:${cfg.gossipSecretFile}"];
|
||||
|
||||
ExecStartPre = mkIf cfg.enableGossipEncryption [
|
||||
'' ${pkgs.envsubst}/bin/envsubst \
|
||||
-i ${configFile} \
|
||||
-o ${runtimeConfigFile}''
|
||||
];
|
||||
|
||||
DynamicUser = true;
|
||||
StateDirectory = "wgautomesh";
|
||||
StateDirectoryMode = "0700";
|
||||
RuntimeDirectory = "wgautomesh";
|
||||
AmbientCapabilities = "CAP_NET_ADMIN";
|
||||
CapabilityBoundingSet = "CAP_NET_ADMIN";
|
||||
};
|
||||
wantedBy = ["multi-user.target"];
|
||||
};
|
||||
networking.firewall.allowedUDPPorts =
|
||||
mkIf cfg.openFirewall [cfg.settings.gossip_port];
|
||||
};
|
||||
}
|
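Review bot: `disabledModules = ["services/networking/wgautomesh.nix"]` replaces the upstream module with this copy, but nothing in the file says why or which options differ, so a later nixpkgs bump can silently diverge from it; a header along the lines of `# Local fork of nixpkgs' wgautomesh module; differences from upstream: <list>. Resync when bumping nixpkgs.` would help. `gossipSecretFile` is declared as `types.path`, which accepts a Nix path literal and would then copy the secret into the world-readable Nix store; the option description should say to pass a runtime path string (as the sops path in mkMesh.nix is), or the type should be `types.str`. The `ExecStartPre` envsubst step rewrites every `$NAME` occurrence in the generated TOML, not only `$CREDENTIALS_DIRECTORY`, so a setting value that contains a literal `$` would be mangled — worth a one-line comment next to that command.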
|
@ -1,6 +1,7 @@
|
|||
{lib, pkgs, config, cfg, ...}: let
|
||||
ifApparmor = cfg.apparmor.enable;
|
||||
in {
|
||||
# TODO: Update this
|
||||
opt.apparmor.enable = lib.mkEnableOption "apparmor";
|
||||
boot.kernelPackages = let
|
||||
kernel = pkgs.linux-libre;
|
||||
|
|
|
@ -1,22 +1,38 @@
|
|||
{lib, config, pkgs, ...}: {
|
||||
lyn.sops.default.enable = true;
|
||||
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
||||
{
|
||||
lib,
|
||||
config,
|
||||
pkgs,
|
||||
...
|
||||
}: {
|
||||
lyn.sops.enable = true;
|
||||
nix.settings.experimental-features = ["nix-command" "flakes"];
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
nix.package = config.pkgsInstances.unstable.lix;
|
||||
environment.variables.EDITOR = "nvim";
|
||||
|
||||
#initialize mesh vpn secret
|
||||
lyn.sops.secrets."all/meshnetwork/gossip_secret" = {};
|
||||
|
||||
# TODO
|
||||
time.timeZone = "Europe/Berlin";
|
||||
|
||||
# Firewall base config:
|
||||
networking.firewall.enable = lib.mkDefault true;
|
||||
networking.firewall.allowPing = true;
|
||||
# SSH:
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
settings = {
|
||||
X11Forwarding = true;
|
||||
PermitRootLogin = "no";
|
||||
PermitRootLogin = "yes";
|
||||
PasswordAuthentication = false;
|
||||
KbdInteractiveAuthentication = false;
|
||||
};
|
||||
openFirewall = true;
|
||||
};
|
||||
# Disable password checking for wheel group users so we can solely rely on ssh keys
|
||||
|
||||
# Disable password checking for wheel group users so we can rely on ssh keys.
|
||||
# WARNING: This has an security impact!
|
||||
security.sudo.wheelNeedsPassword = false;
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
|
@ -27,4 +43,35 @@
|
|||
curl
|
||||
htop
|
||||
];
|
||||
# Use encrypted Quad9 DNS
|
||||
networking.nameservers = ["127.0.0.1" "::1"];
|
||||
services.dnscrypt-proxy2 = {
|
||||
enable = true;
|
||||
settings = {
|
||||
ipv6_servers = true;
|
||||
require_dnssec = true;
|
||||
|
||||
sources.public-resolvers = {
|
||||
urls = [
|
||||
"https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
|
||||
"https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
|
||||
];
|
||||
cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
|
||||
minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
|
||||
};
|
||||
|
||||
# You can choose a specific set of servers from https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
|
||||
server_names = ["quad9-dnscrypt-ip4-nofilter-pri" "quad9-dnscrypt-ip6-nofilter-pri"];
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.dnscrypt-proxy2.serviceConfig = {
|
||||
StateDirectory = "dnscrypt-proxy";
|
||||
};
|
||||
|
||||
nix.gc = {
|
||||
automatic = true;
|
||||
persistent = true;
|
||||
options = "--delete-older-than 8d";
|
||||
};
|
||||
}
|
||||
|
|
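Review bot: `PermitRootLogin = "yes"` replaces the previous `"no"`; with `PasswordAuthentication = false` this is still key-only, but `PermitRootLogin = "prohibit-password"` states that intent explicitly and keeps root key-only even if password authentication is later re-enabled for some other reason. `X11Forwarding = true` is enabled fleet-wide in the same block; on hosts that import the new headless profile it only widens the sshd attack surface and should be opt-in per host. Separately, `cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md"` does not match `StateDirectory = "dnscrypt-proxy"`, which provisions `/var/lib/dnscrypt-proxy`; if the unit runs under a read-only filesystem sandbox the resolver-list cache write may fail, so align the two, e.g. `cache_file = "/var/lib/dnscrypt-proxy/public-resolvers.md";`.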
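--- a/modules/profiles/headless.nix
+++ b/modules/profiles/headless.nix
@@ -0,0 +1,5 @@
+{modulesPath, ...}: {
+imports = [
+(modulesPath + "/profiles/headless.nix")
+];
+}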
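--- a/modules/profiles/hypervisor.nix
+++ b/modules/profiles/hypervisor.nix
@@ -0,0 +1,8 @@
+{
+inputs,
+lib,
+...
+}: {
+microvm.host.enable = true;
+networking.useNetworkd = true;
+}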
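--- a/modules/profiles/secureboot.nix
+++ b/modules/profiles/secureboot.nix
@@ -0,0 +1,16 @@
+{
+config,
+pkgs,
+lib,
+...
+}: {
+environment.systemPackages = [
+# For debugging and troubleshooting Secure Boot.
+pkgs.sbctl
+];
+boot.loader.systemd-boot.enable = lib.mkForce false;
+boot.lanzaboote = {
+enable = true;
+pkiBundle = "/etc/secureboot";
+};
+}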
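Review bot: The profile depends on `pkiBundle = "/etc/secureboot"` already holding signing keys on every host that imports it, but nothing here says how those keys are provisioned or that the directory must stay root-only; a comment such as `# Keys are created out of band (sbctl create-keys) and enrolled with sbctl enroll-keys before this profile is enabled; /etc/secureboot must not be world-readable.` would stop a host from being deployed with an unsigned or unbootable generation. `boot.lanzaboote` presumably comes from the lanzaboote flake module, which this file does not import — confirm it is imported wherever this profile is used.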
|
@ -1,5 +1,13 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
modulesPath,
|
||||
...
|
||||
}: {
|
||||
imports = [
|
||||
(modulesPath + "/profiles/qemu-guest.nix")
|
||||
];
|
||||
#enable qemu-guestagent
|
||||
services.qemuGuest.enable = true;
|
||||
}
|
|
@ -1,8 +1,14 @@
|
|||
{ config, pkgs, lib, inputs, cfg, ... }:
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
inputs,
|
||||
cfg,
|
||||
...
|
||||
}: {
|
||||
environment.systemPackages = with pkgs; [
|
||||
docker
|
||||
];
|
||||
];
|
||||
|
||||
# Enable docker
|
||||
virtualisation.docker = {
|
||||
|
|
|
@ -1,5 +1,12 @@
|
|||
{pkgs, lib, config, cfg, ...}:
|
||||
with lib; with builtins; {
|
||||
{
|
||||
pkgs,
|
||||
lib,
|
||||
config,
|
||||
cfg,
|
||||
...
|
||||
}:
|
||||
with lib;
|
||||
with builtins; {
|
||||
opt.domain = lib.mkOption {type = lib.types.str;};
|
||||
services.forgejo = {
|
||||
enable = true;
|
||||
|
|
109
modules/services/mkMesh.nix
Normal file
109
modules/services/mkMesh.nix
Normal file
|
@ -0,0 +1,109 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
cfg,
|
||||
...
|
||||
}: let
|
||||
buildInputs = [pkgs.wgautomesh];
|
||||
|
||||
prefix = "lyn";
|
||||
|
||||
# decrypt gossip secret
|
||||
# change this to comply with you secret management
|
||||
gossip_secret_path = config.sops.secrets."all/meshnetwork/gossip_secret".path;
|
||||
|
||||
# function to make a peerlist suitable for wgautomesh
|
||||
buildPeerlist = version: hosts: let
|
||||
#filter out hosts that have wg.enabled set to false
|
||||
wgEnabledHosts = lib.filterAttrs (_: host: host.wg.enabled or false) hosts;
|
||||
in
|
||||
lib.mapAttrsToList (name: host: {
|
||||
interface =
|
||||
if version == "IPv6"
|
||||
then "wg1"
|
||||
else "wg0";
|
||||
pubkey = host.wg.pubkey;
|
||||
#if there is no public IP, make endpoint null so wgautomesh knows it unknown. Else format it to a SocketAddr
|
||||
endpoint = host.${version}.public;
|
||||
port =
|
||||
if version == "IPv6"
|
||||
then host.wg.port_v6
|
||||
else host.wg.port_v4;
|
||||
address = host.${version}.internal;
|
||||
})
|
||||
wgEnabledHosts;
|
||||
|
||||
# helper vars to prettify
|
||||
meshnetwork = config.${prefix}.network;
|
||||
currentHost = meshnetwork.hosts.${config.networking.hostName};
|
||||
in {
|
||||
opt = {
|
||||
enable_upnp_portforward = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
description = "Whether to allow the wireguard port in the gateway using UPnP IGD. Necessary on some firewalls, might spam unnecessary debug messages on environments without IGD gateways.";
|
||||
default = false;
|
||||
};
|
||||
enable_lan_discovery = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
description = "Try to discover mesh devices on the same local network.";
|
||||
default = true;
|
||||
};
|
||||
};
|
||||
config = rec {
|
||||
networking.firewall = {
|
||||
allowedUDPPorts = [
|
||||
currentHost.wg.port_v4
|
||||
currentHost.wg.port_v6
|
||||
];
|
||||
# UPnP broadcast responses
|
||||
# credits: https://github.com/NixOS/nixpkgs/issues/161328
|
||||
extraPackages =
|
||||
if cfg.enable_upnp_portforward
|
||||
then [pkgs.ipset]
|
||||
else [];
|
||||
extraCommands =
|
||||
if cfg.enable_upnp_portforward
|
||||
then ''
|
||||
if ! ipset --quiet list upnp; then
|
||||
ipset create upnp hash:ip,port timeout 3
|
||||
fi
|
||||
iptables -A OUTPUT -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j SET --add-set upnp src,src --exist
|
||||
iptables -A nixos-fw -p udp -m set --match-set upnp dst,dst -j nixos-fw-accept
|
||||
''
|
||||
else "";
|
||||
};
|
||||
|
||||
networking.wireguard.interfaces.wg0 = {
|
||||
ips = ["${currentHost.IPv4.internal}/24"];
|
||||
listenPort = currentHost.wg.port_v4;
|
||||
privateKeyFile = "/var/lib/wireguard-keys/private";
|
||||
mtu = 1280;
|
||||
};
|
||||
networking.wireguard.interfaces.wg1 = {
|
||||
ips = ["${currentHost.IPv6.internal}/64"];
|
||||
listenPort = currentHost.wg.port_v6;
|
||||
privateKeyFile = "/var/lib/wireguard-keys/private";
|
||||
mtu = 1280;
|
||||
};
|
||||
|
||||
services.wgautomesh = {
|
||||
enable = true;
|
||||
settings = {
|
||||
interfaces =
|
||||
if cfg.enable_upnp_portforward
|
||||
then [
|
||||
{
|
||||
name = "wg0";
|
||||
upnp_forward_ext_port_v4 = config.networking.wireguard.interfaces.wg0.listenPort;
|
||||
}
|
||||
]
|
||||
else [];
|
||||
peers = buildPeerlist "IPv6" meshnetwork.hosts ++ buildPeerlist "IPv4" meshnetwork.hosts;
|
||||
lan_discovery = cfg.enable_lan_discovery;
|
||||
upnp_open_ports = cfg.enable_upnp_portforward;
|
||||
};
|
||||
gossipSecretFile = gossip_secret_path;
|
||||
};
|
||||
};
|
||||
}
|
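Review bot: Both WireGuard interfaces read `privateKeyFile = "/var/lib/wireguard-keys/private"`, a path this module neither provisions nor documents, while the gossip secret goes through sops; a comment stating who creates that file and that it must be root-owned with mode 0400 (or moving the key into sops like the gossip secret) would close that gap. The comment `#if there is no public IP, make endpoint null so wgautomesh knows it unknown. Else format it to a SocketAddr` no longer matches the line below it, which assigns `host.${version}.public` unchanged, so it should be reworded to describe what that attribute is expected to hold. `buildPeerlist` filters on `wg.enabled` but does not exclude `config.networking.hostName`, so each node lists itself as a peer; if wgautomesh does not ignore its own pubkey, filter the current host out in the same `filterAttrs`. The ipset/iptables rules in `extraCommands` are iptables-only and would be skipped on a host that switches the firewall to nftables.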
|
@ -1,23 +1,27 @@
|
|||
{ pkgs, lib, config, ... }:
|
||||
let
|
||||
cfg = config.lyn.sops;
|
||||
in
|
||||
{
|
||||
pkgs,
|
||||
lib,
|
||||
config,
|
||||
...
|
||||
}: let
|
||||
cfg = config.lyn.sops;
|
||||
in {
|
||||
options.lyn.sops = with lib; {
|
||||
secrets = mkOption {
|
||||
type = types.attrs;
|
||||
default = { };
|
||||
default = {};
|
||||
};
|
||||
};
|
||||
config = {
|
||||
sops.secrets = lib.mapAttrs
|
||||
(name: value:
|
||||
let
|
||||
sops.secrets =
|
||||
lib.mapAttrs
|
||||
(name: value: let
|
||||
name_split = lib.splitString "/" name;
|
||||
in
|
||||
{
|
||||
sopsFile = config.flakePath + /secrets/${builtins.elemAt name_split 0}/${builtins.elemAt name_split 1}.yaml;
|
||||
} // value)
|
||||
}
|
||||
// value)
|
||||
cfg.secrets;
|
||||
};
|
||||
}
|
||||
|
|
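--- a/modules/users/ellie/default.nix
+++ b/modules/users/ellie/default.nix
@@ -0,0 +1,15 @@
+{
+lib,
+pkgs,
+config,
+cfg,
+...
+}: {
+users.users.ellie = {
+isNormalUser = true;
+extraGroups = ["wheel"];
+packages = with pkgs; [
+];
+};
+users.users.ellie.openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKA4+3PkFptATzrWncxdj63SqZ747cDb8TqmdQFugvW7 ellie@card"];
+}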
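Review bot: The new `ellie` account is in `wheel` with an SSH key as its only credential; because `security.sudo.wheelNeedsPassword = false` is set in the shared base config of this same commit, that key is effectively root on every host that imports the module. A one-line comment above `extraGroups = ["wheel"];` saying so would keep the implication visible when keys are rotated or the user is added to more hosts. The empty `packages = with pkgs; [ ];` can be dropped.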
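--- a/modules/users/lyn/default.nix
+++ b/modules/users/lyn/default.nix
@@ -0,0 +1,17 @@
+{
+lib,
+pkgs,
+config,
+cfg,
+...
+}: {
+imports = [
+./ssh.nix
+];
+users.users.lyn = {
+isNormalUser = true;
+extraGroups = ["wheel"];
+packages = with pkgs; [
+];
+};
+}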
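--- a/modules/users/lyn/ssh.nix
+++ b/modules/users/lyn/ssh.nix
@@ -0,0 +1,7 @@
+{
+lib,
+config,
+...
+}: {
+users.users.lyn.openssh.authorizedKeys.keys = ["ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC7NUaBJOYgMnT2uUUUSB7gKaqqbgxXDghBkRqSGuZrAZzZYHlHH7nM6Re7+yOYMSoJGLaB4iaUDLSBBnyA6pLI= nixos_gitea@secretive.MacBook-Pro-(2).local"];
+}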
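--- a/pkgs/overlay.nix
+++ b/pkgs/overlay.nix
@@ -0,0 +1,21 @@
+inputs: final: prev: {
+wgautomesh = let
+toolchain = inputs.fenix-monthly.packages.${final.stdenv.hostPlatform.system}.latest.toolchain;
+cargo = toolchain;
+platform = final.makeRustPlatform {
+rustc = toolchain;
+cargo = toolchain;
+};
+wgam-nightly = prev.wgautomesh.override {rustPlatform = platform;};
+wgam-lyn = wgam-nightly.overrideAttrs (old: rec {
+src = builtins.fetchGit {
+url = "https://git.deuxfleurs.fr/lynatic/wgautomesh.git";
+rev = "7f844a2f5d67f788c3b2084fb3ab0c25b10928cc";
+};
+cargoDeps = platform.importCargoLock {
+lockFile = src + "/Cargo.lock";
+};
+});
+in
+wgam-lyn;
+}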
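Review bot: `builtins.fetchGit` pins `src` by `rev` only; without `ref` (or `allRefs = true`) evaluation fails when that commit is not reachable from the remote's default branch, and without a `narHash` the only integrity check on this third-party fork is git's SHA-1 commit id. Declaring the fork as a flake input, or adding `narHash = "sha256-…";` to the `fetchGit` call, would make the supply-chain pin visible in `flake.lock` instead of buried in the overlay. The outer `cargo = toolchain;` binding in the `let` is unused (the `makeRustPlatform` call sets its own) and can be dropped.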
50
secrets/all/meshnetwork.yaml
Normal file
50
secrets/all/meshnetwork.yaml
Normal file
|
@ -0,0 +1,50 @@
|
|||
all:
|
||||
meshnetwork:
|
||||
gossip_secret: ENC[AES256_GCM,data:tOaCG5NKxT3rRFORofRp/mGGufWWCnbkDJWwiqnTE0o8+MQ2sHn4+KMYLeM=,iv:GrBUnN58eoEE9ZwZLjKD7DNoVO9DMTqqbuyudqVPp+k=,tag:phqc6m+KqplbG49pqLfFkQ==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age18c6zws9wk9r7dxjqafwj2l2ex5mn5v8u6yrd2ys9ng8q09rsedpqm38jzv
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3SFJLSzBlQjdIVDdiaDVh
|
||||
NmZiVmRSUkJhd0dTNEtnVzdnQWp4Q1BQMWhzCm0yZFpZZ0tiS1UwMzFTdENubVps
|
||||
VENMVXhSNVFuK0dCekZSbTlFNkNFQ0UKLS0tIFh6bkcrcjBZN0hQM2dvZmFuNG41
|
||||
WHpFbUN5K2R4eGhnUlpNdEluS2pFZWMKeuR99KVd5bDwFvUz+NkcYBZ6nHFfEBBk
|
||||
k2sa4x6dlNnV/uPEeKbtmlbAjCwH3YaNFEodAnOoWE9Mh+UggWJ8DA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1u4dtlq4lavqufzsqfqlsnu67u3x2t3d7ffxkqrah2des4dlxns2slegl38
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1WHpwTVVzN3dBK2VSUE8w
|
||||
S3Z6VVpFaGk4M3I2SnArTXo4WHFWVlNRYVU4CkVDc2p5Z25OZDBOSFM3bXZIZ09R
|
||||
UlY0dWhOZTVndHlBZks2QmFwZ3lDV0EKLS0tIDhaak8wUW5mOWh2SXBqR3NubytO
|
||||
TXpUdnZkT0xCOEZmV2t3bkN3UC92cHcKdyr2W3KQoMV50HIyKfGFK8kjvUQC8E0p
|
||||
oC3Im2YPWOI2xcEMh15a/gN4xhQlBH5zvQjum9O4f6pdyNdVeZyHEg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1xm5ewmhxsdn34c6h9v3hzs0ka0qvmywnkgw94j7r2cxpqh2c8v4q7h6qhd
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQclM0WGdqTDVyRUxZZ3BX
|
||||
WXdJcDlHOHJMakpMd2JlQjBBbmI0dG9JSWdJCnNTSzV1U3FBK1I5dHU2L0RhSyty
|
||||
anFCRzR0NGhyeEx4QlZxY3RDYnRQUGMKLS0tIEw2UFdaNW5HeElBa1RQNFZCL2tC
|
||||
QnR2VVNmbEZIVWtOalpxYzlJVnlxajAKOSJY9r1BGcYt8VyAPWlrx/wRY7sKPF+n
|
||||
bII9Z3W9s0FzTbTdd2iHYqYnzXzdX33GZJactm/VrUCeqWIWOdgaGw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age12lfan35k4gtq6mwm9llyea25usw3ap0xuzg90745qk0m0ws3cgespffkv2
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMaUEyQ2FlZWdMRGpleEtS
|
||||
Qk4vNGc4WTVqeCtyYnJRTU92eC84bHFZc3h3CkgvWE0wOG1nbEZBRGpHeWZmTW5Q
|
||||
dCtFekhlRW9YVWNSWW1tWDVzR2cvLzAKLS0tIG5IWFBDazNyNTdNOXpIZk0xZENG
|
||||
eGY3b1VoMTFBTm9ZejFhdTUvb2ZtMU0KW1cO1em0Vwfg0RTYOTjc5RXgeDdd95KU
|
||||
JYZ+ZWhJZn9+BeJMPm/s3/+OnvCjnOM63sQ0Z3lrhoW0PtAyjz+9eQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-11-13T22:33:39Z"
|
||||
mac: ENC[AES256_GCM,data:z/YZszHebHnDiDfvSuyX1IrTcIPZK+YyH2qxg8UZ8ycSFx3XEk34ufx4rBXt8qRG2FIWuXW45GwTf+5PZZA9ov0ejVlVvbZOcR6VztIpt8i4gWUve4fkEC7cWN3SH1SCsJ2edY6KuQIEZAm6bfBWwAJS5ho40aKox5zBj1PU+FM=,iv:C7u6QRZcPDUcH9fbdSvhyY+cJD9wdlpoA1YcWaY9llY=,tag:L6RPamgmsfc3KJgWeQ3Abw==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.1
|
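Review bot: The gossip secret here is encrypted to four age recipients, and since it is a single symmetric key shared by every mesh node, each recipient is effectively a full mesh member; the list should be checked against the named anchors in `.sops.yaml` and kept in sync with `sops updatekeys` after that file changes. Recording which host or person each bare age key belongs to (a comment in `.sops.yaml` or the commit message) would make this auditable later, which raw recipient strings are not.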
|
@ -1,11 +0,0 @@
|
|||
{lib,pkgs, config, ...}:{
|
||||
imports = [
|
||||
./ssh.nix
|
||||
];
|
||||
users.users.lyn = {
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "wheel"];
|
||||
packages = with pkgs; [
|
||||
];
|
||||
};
|
||||
}
|
|
@ -1,3 +0,0 @@
|
|||
{lib, config, ...}: {
|
||||
users.users.lyn.openssh.authorizedKeys.keys = ["ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC7NUaBJOYgMnT2uUUUSB7gKaqqbgxXDghBkRqSGuZrAZzZYHlHH7nM6Re7+yOYMSoJGLaB4iaUDLSBBnyA6pLI= nixos_gitea@secretive.MacBook-Pro-(2).local"];
|
||||
}
|