treewide: lay base for shared configuration with darwin machines

flake.nix

@@ -128,14 +128,22 @@
         www-chvp-be.overlays.default
       ];
       commonModules = [
+        ./modules/shared
+      ];
+      nixosModules = [
         accentor.nixosModules.default
-        agenix.nixosModules.age
-        home-manager.nixosModule
+        agenix.nixosModules.default
+        home-manager.nixosModule.default
         lanzaboote.nixosModules.lanzaboote
         nixos-mailserver.nixosModule
         nix-index-database.nixosModules.nix-index
         ./modules
       ];
+      darwinModules = [
+        agenix.darwinModules.default
+        home-manager.darwinModules.default
+        ./modules/darwin
+      ];
       nixosSystem = system: name:
         let
           nixpkgs = nixpkgsForSystem system;
@@ -145,7 +153,7 @@
           inherit lib system;
           specialArgs = { modulesPath = toString (nixpkgs + "/nixos/modules"); };
           baseModules = import (nixpkgs + "/nixos/modules/module-list.nix");
-          modules = commonModules ++ [
+          modules = commonModules ++ nixosModules ++ [
             ({ config, ... }:
               {
                 nixpkgs = {
@@ -164,18 +172,36 @@
             ./machines/${name}
           ];
         };
+      darwinSystem = system: name:
+        let
+          nixpkgs = nixpkgsForSystem system;
+          lib = (import nixpkgs { inherit overlays system; }).lib;
+        in
+        darwin.lib.darwinSystem {
+          inherit lib system;
+          modules = commonModules ++ darwinModules ++ [
+            ({ config, ... }:
+              {
+                nixpkgs.pkgs = import nixpkgs {
+                  inherit overlays system;
+                  config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) config.chvp.base.nix.unfreePackages;
+                };
+                networking.hostName = name;
+                nix = {
+                  extraOptions = "extra-experimental-features = nix-command flakes";
+                  registry = (builtins.mapAttrs (name: v: { flake = v; }) inputs) // { nixpkgs = { flake = nixpkgs; }; };
+                };
+              })
+            ./machines/${name}
+            home-manager.darwinModules.home-manager
+          ];
+        };
       nixosConfigurations = {
         kholinar = nixosSystem "x86_64-linux" "kholinar";
         lasting-integrity = nixosSystem "x86_64-linux" "lasting-integrity";
         urithiru = nixosSystem "x86_64-linux" "urithiru";
       };
-      darwinConfigurations.thaylen-city = darwin.lib.darwinSystem {
-        system = "aarch64-darwin";
-        modules = [
-          ./machines/thaylen-city
-          home-manager.darwinModules.home-manager
-        ];
-      };
+      darwinConfigurations.thaylen-city = darwinSystem "aarch64-darwin" "thaylen-city";
       lsShells = builtins.readDir ./shells;
       shellFiles = builtins.filter (name: lsShells.${name} == "regular") (builtins.attrNames lsShells);
       shellNames = builtins.map (filename: builtins.head (builtins.split "\\." filename)) shellFiles;

machines/thaylen-city/default.nix

@@ -18,13 +18,9 @@
       upgrade = true;
     };
   };
-  networking = {
-    computerName = "Thaylen City";
-    hostName = "thaylen-city";
-  };
+  networking.computerName = "Thaylen City";
   nix = {
     extraOptions = ''
-      experimental-features = nix-command flakes
       keep-outputs = true
       keep-derivations = true
     '';

modules/base/network/wireguard.nix

@@ -128,26 +128,6 @@ in
           ];
         };
       };
-      services = {
-        udp2raw-server = lib.mkIf config.chvp.base.network.wireguard.server {
-          description = "UDP tunnel over TCP for wireguard";
-          wantedBy = [ "multi-user.target" ];
-          after = [ "network.target" ];
-          script = ''
-            ${pkgs.udp2raw}/bin/udp2raw -s -l 0.0.0.0:8080 -r 127.0.0.1:51820 \
-              -k "$(cat ${config.age.secrets."files/wireguard/udp2raw".path})"
-          '';
-        };
-        udp2raw-client = lib.mkIf config.chvp.base.network.wireguard.onCorporate {
-          description = "UDP tunnel over TCP for wireguard";
-          wantedBy = [ "multi-user.target" ];
-          after = [ "network.target" ];
-          script = ''
-            ${pkgs.udp2raw}/bin/udp2raw -c -l 127.0.0.1:51820 -r 54.38.222.69:8080 \
-              -k "$(cat ${config.age.secrets."files/wireguard/udp2raw".path})"
-          '';
-        };
-      };
     };
     age.secrets."files/wireguard/psk" = {
       file = ../../../secrets/files/wireguard/psk.age;
@@ -157,6 +137,5 @@ in
       file = ../../../secrets/files/wireguard + "/${config.networking.hostName}.privkey.age";
       owner = "systemd-network";
     };
-    age.secrets."files/wireguard/udp2raw".file = ../../../secrets/files/wireguard/udp2raw.age;
   };
 }

modules/darwin/default.nix

@@ -0,0 +1 @@
+{ ... }: { }

modules/shared/default.nix

@@ -0,0 +1 @@
+{ ... }: { }

secrets.nix

@@ -1,37 +1,45 @@
 let
   kholinar = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOL8MzChayhcVTfZvE3/ExwXpq2+LbihjzUVlKeIGoOL";
   lasting-integrity = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKJmeY7j5LxWVv3fKzqG4Bvg/ZhOp8iwk0utpyMWMSk";
+  thaylen-city = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK/6GDhlqX3/al9jx48DXS/uCwfwrdZty1rl6N8X8TZ8";
   urithiru = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOrzOpyzDc5BVtAeb5//PnMRcp+9B+DjfU7p2YpaH6a2";
-  hosts = [
+  nixosHosts = [
     kholinar
     lasting-integrity
     urithiru
   ];
+  hosts = [
+    kholinar
+    lasting-integrity
+    thaylen-city
+    urithiru
+  ];
+  nixosLaptops = [
+    kholinar
+  ];
   laptops = [
     kholinar
+    thaylen-city
   ];
   servers = [
     lasting-integrity
     urithiru
   ];
-
   charlotte = [
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDb17zAg3zwvdYHNZqXSGYKseCz5281Ha6oOYPbwFYD"
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJY5nXR/V6wcMRxugD7GTOF8kwfGnAT2CRuJ2Qi60vsm"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJLsSFEi4CGpkWIJxXJC78bhibrBRxClBbpS9n7PQGYL"
   ];
   users = charlotte;
 in
 {
-  "secrets/passwords/users/charlotte.age".publicKeys = hosts ++ users;
-  "secrets/passwords/users/root.age".publicKeys = hosts ++ users;
+  "secrets/passwords/users/charlotte.age".publicKeys = nixosHosts ++ users;
+  "secrets/passwords/users/root.age".publicKeys = nixosHosts ++ users;
 
   "secrets/authorized_keys/charlotte.age".publicKeys = hosts ++ users;
   "secrets/authorized_keys/root.age".publicKeys = hosts ++ users;
 
-  "secrets/passwords/networks.age".publicKeys = laptops ++ users;
+  "secrets/passwords/networks.age".publicKeys = nixosLaptops ++ users;
 
-  "secrets/passwords/ugent-mount-credentials.age".publicKeys = laptops ++ users;
-  "secrets/passwords/ugent-vpn.age".publicKeys = laptops ++ users;
   "secrets/files/programs/vpn/local.age".publicKeys = laptops ++ users;
   "secrets/files/programs/vpn/global.age".publicKeys = laptops ++ users;
 
@@ -48,7 +56,7 @@ in
   "secrets/passwords/services/mail/robbe_at_robbevanpetegem.be.age".publicKeys = [ lasting-integrity ] ++ users;
   "secrets/passwords/services/mail/robbe_at_vanpetegem.me.age".publicKeys = [ lasting-integrity ] ++ users;
   "secrets/passwords/services/mail/webmaster_at_vanpetegem.be.age".publicKeys = [ lasting-integrity ] ++ users;
-  "secrets/passwords/services/ssmtp-pass.age".publicKeys = hosts ++ users;
+  "secrets/passwords/services/ssmtp-pass.age".publicKeys = nixosHosts ++ users;
 
   "secrets/passwords/services/acme.age".publicKeys = servers ++ users;
 
@@ -72,12 +80,9 @@ in
 
   "secrets/passwords/services/nextcloud-admin.age".publicKeys = [ lasting-integrity ] ++ users;
 
-  "secrets/files/services/tunnel/key.age".publicKeys = [ lasting-integrity ] ++ users;
-  "secrets/files/services/tunnel/env.age".publicKeys = [ lasting-integrity ] ++ users;
-
   "secrets/passwords/services/data-basic-auth.age".publicKeys = [ urithiru ] ++ users;
 
-  "secrets/files/programs/ssh/host_configuration.age".publicKeys = hosts ++ users;
+  "secrets/files/programs/ssh/host_configuration.age".publicKeys = nixosHosts ++ users;
 
   "secrets/files/programs/transmission/config.json.age".publicKeys = [ urithiru ] ++ users;
 
@@ -95,7 +100,6 @@ in
   "secrets/files/wireguard/lasting-integrity.privkey.age".publicKeys = [ lasting-integrity ] ++ users;
   "secrets/files/wireguard/urithiru.privkey.age".publicKeys = [ urithiru ] ++ users;
   "secrets/files/wireguard/psk.age".publicKeys = hosts ++ users;
-  "secrets/files/wireguard/udp2raw.age".publicKeys = hosts ++ users;
 
   "secrets/data-access/ssh_host_rsa_key.age".publicKeys = [ urithiru ] ++ users;
   "secrets/data-access/ssh_host_rsa_key.pub.age".publicKeys = [ urithiru ] ++ users;

secrets/files/wireguard/kharbranth.privkey.age

@@ -1,11 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 umFZoA JYm4N9NduNbFMi0ohZsPpkVwo0pIBG2UP51vnhHVG00
-u4rMc/uBK7u5hyIMSMKPQ3ff/wHc8igjc/qQms/BJuU
--> ssh-ed25519 s9rb8g yHgBR6PDyvEoEqZK7SdUN7KnOiZkzHcg6HGIErNA/io
-AXFcDDCaDBRFqCUvx6XNpcJgxd082/auFKDKSBVr12Y
--> ssh-ed25519 yad4VQ eyXNg3ooMWudaxCaNhePhMi8gOzti3JN2ynf0gshcTw
-O1vNfqYE+HHAOEi0ud5EuOOkruQLcHbnUYxCySvoebM
--> 1|+Pa+x-grease lq
-OI+L
---- mg/v3GAOMz38E6uR1wRYHiz+yHO/wHyzEh5GQAXiFs8
-Ô`ÿXe«q~oÍw»ŠŒ’hò¡_e
¹"KÏÐDï
¶m,<2C>o
¯<>`FôàIØrîi®#‘"¶Ü@¶Ê¿=¦<2s1Øt)‚èAdxªæ

secrets/passwords/ugent-mount-credentials.age

@@ -1,13 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 umFZoA qG7k8V75DUqFmtjpSkCxig2RYWz21L6i3SuqP1QHNAE
-O0BbxXcFzuY0GjsYuyQw97/B5e0tGgllsr32tObdizQ
--> ssh-ed25519 aUd9Ng ZoRF2WBSIjF/IYb975m8PfHfNLJIeVj6BLHVpLiUCzU
-I5vM8xc2UgATwIbgmg2Y4RAUaRuqokvzEAud2xTOU/4
--> ssh-ed25519 s9rb8g vymfJnszAEn4W3fx/vaZ6Fd6uCr7Jt7Fm02UUXV0KQE
-rji5f+Q94cnUDXpvynWbWWCeXa2/9SJA53VBong69Ig
--> ssh-ed25519 yad4VQ mQ753Zazue/EIrIQglGdovSZHwiYqTQFTKwm9azOGU4
-IHarxvrAdaFCEkN14AaP72BkPsiWb7S8CeTTAUuy+e4
--> ;\k--grease }P6 l70)SFt
-iJMjf2O2jArRvJUTnW0
---- acjP6TMMvAH8AGbpNeaBou7I55nBYMTlsGI1NeZItYM
-ûf„RúÙ?t‘2¹ÛNN
™ô¢¾>”çC+sÌu ¤¦Uzb´	T«Ys¬Ú/«œm±|3@ŽP—H9†òì$…VÈöævTkBšRiñó2ºˆ|%