diff --git a/flake.nix b/flake.nix
index ec08ca5c..b9602b68 100644
--- a/flake.nix
+++ b/flake.nix
@@ -128,14 +128,22 @@
 www-chvp-be.overlays.default
 ];
 commonModules = [
+ ./modules/shared
+ ];
+ nixosModules = [
 accentor.nixosModules.default
- agenix.nixosModules.age
- home-manager.nixosModule
+ agenix.nixosModules.default
+ home-manager.nixosModule.default
 lanzaboote.nixosModules.lanzaboote
 nixos-mailserver.nixosModule
 nix-index-database.nixosModules.nix-index
 ./modules
 ];
+ darwinModules = [
+ agenix.darwinModules.default
+ home-manager.darwinModules.default
+ ./modules/darwin
+ ];
 nixosSystem = system: name:
 let
 nixpkgs = nixpkgsForSystem system;
@@ -145,7 +153,7 @@
 inherit lib system;
 specialArgs = { modulesPath = toString (nixpkgs + "/nixos/modules"); };
 baseModules = import (nixpkgs + "/nixos/modules/module-list.nix");
- modules = commonModules ++ [
+ modules = commonModules ++ nixosModules ++ [
 ({ config, ... }:
 {
 nixpkgs = {
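Review bot: `home-manager.nixosModule.default` in the new `nixosModules` list looks like a typo for `home-manager.nixosModules.default`: every other entry rewritten in this hunk uses the plural `*Modules.default` form (`agenix.nixosModules.default`, `agenix.darwinModules.default`, `home-manager.darwinModules.default`), and as far as I recall home-manager's singular `nixosModule` output is the module itself (a deprecated alias), so selecting `.default` on it would fail at evaluation time rather than import anything. I cannot see the pinned input's outputs from here, so confirm against that revision before changing it. If the previous `home-manager.nixosModule` line evaluated correctly, the intended replacement is `home-manager.nixosModules.default`.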
@@ -164,18 +172,36 @@
 ./machines/${name}
 ];
 };
+ darwinSystem = system: name:
+ let
+ nixpkgs = nixpkgsForSystem system;
+ lib = (import nixpkgs { inherit overlays system; }).lib;
+ in
+ darwin.lib.darwinSystem {
+ inherit lib system;
+ modules = commonModules ++ darwinModules ++ [
+ ({ config, ... }:
+ {
+ nixpkgs.pkgs = import nixpkgs {
+ inherit overlays system;
+ config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) config.chvp.base.nix.unfreePackages;
+ };
+ networking.hostName = name;
+ nix = {
+ extraOptions = "extra-experimental-features = nix-command flakes";
+ registry = (builtins.mapAttrs (name: v: { flake = v; }) inputs) // { nixpkgs = { flake = nixpkgs; }; };
+ };
+ })
+ ./machines/${name}
+ home-manager.darwinModules.home-manager
+ ];
+ };
 nixosConfigurations = {
 kholinar = nixosSystem "x86_64-linux" "kholinar";
 lasting-integrity = nixosSystem "x86_64-linux" "lasting-integrity";
 urithiru = nixosSystem "x86_64-linux" "urithiru";
 };
- darwinConfigurations.thaylen-city = darwin.lib.darwinSystem {
- system = "aarch64-darwin";
- modules = [
- ./machines/thaylen-city
- home-manager.darwinModules.home-manager
- ];
- };
+ darwinConfigurations.thaylen-city = darwinSystem "aarch64-darwin" "thaylen-city";
 lsShells = builtins.readDir ./shells;
 shellFiles = builtins.filter (name: lsShells.${name} == "regular") (builtins.attrNames lsShells);
 shellNames = builtins.map (filename: builtins.head (builtins.split "\\." filename)) shellFiles;
diff --git a/machines/thaylen-city/default.nix b/machines/thaylen-city/default.nix
index 4bf430e5..222365e3 100644
--- a/machines/thaylen-city/default.nix
+++ b/machines/thaylen-city/default.nix
@@ -18,13 +18,9 @@
 upgrade = true;
 };
 };
- networking = {
- computerName = "Thaylen City";
- hostName = "thaylen-city";
- };
+ networking.computerName = "Thaylen City";
 nix = {
 extraOptions = ''
- experimental-features = nix-command flakes
 keep-outputs = true
 keep-derivations = true
 '';
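Review bot: The new `allowUnfreePredicate` in `darwinSystem` reads `config.chvp.base.nix.unfreePackages`, but the darwin module set is `commonModules ++ darwinModules ++ [ … ]` and both `./modules/shared` and `./modules/darwin` are introduced in this change as empty stubs (`{ ... }: { }`), so unless that option is declared in some module reachable from this list, `thaylen-city` will fail with an undeclared-option error the first time an unfree package is evaluated — and only then, since pkgs forces the predicate lazily, so `nix flake check` may not catch it. If `chvp.base.nix.unfreePackages` lives only under `./modules` (the NixOS tree), the fix is to move its declaration into `./modules/shared` so both builders share it. Separately, `home-manager.darwinModules.default` is already in `darwinModules`, and the per-system list adds `home-manager.darwinModules.home-manager` again; if those are the same module one of the two entries is redundant.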
diff --git a/modules/base/network/wireguard.nix b/modules/base/network/wireguard.nix
index 704166f5..374d54a6 100644
--- a/modules/base/network/wireguard.nix
+++ b/modules/base/network/wireguard.nix
@@ -128,26 +128,6 @@ in
 ];
 };
 };
- services = {
- udp2raw-server = lib.mkIf config.chvp.base.network.wireguard.server {
- description = "UDP tunnel over TCP for wireguard";
- wantedBy = [ "multi-user.target" ];
- after = [ "network.target" ];
- script = ''
- ${pkgs.udp2raw}/bin/udp2raw -s -l 0.0.0.0:8080 -r 127.0.0.1:51820 \
- -k "$(cat ${config.age.secrets."files/wireguard/udp2raw".path})"
- '';
- };
- udp2raw-client = lib.mkIf config.chvp.base.network.wireguard.onCorporate {
- description = "UDP tunnel over TCP for wireguard";
- wantedBy = [ "multi-user.target" ];
- after = [ "network.target" ];
- script = ''
- ${pkgs.udp2raw}/bin/udp2raw -c -l 127.0.0.1:51820 -r 54.38.222.69:8080 \
- -k "$(cat ${config.age.secrets."files/wireguard/udp2raw".path})"
- '';
- };
- };
 };
 age.secrets."files/wireguard/psk" = {
 file = ../../../secrets/files/wireguard/psk.age;
@@ -157,6 +137,5 @@ in
 file = ../../../secrets/files/wireguard + "/${config.networking.hostName}.privkey.age";
 owner = "systemd-network";
 };
- age.secrets."files/wireguard/udp2raw".file = ../../../secrets/files/wireguard/udp2raw.age;
 };
 }
diff --git a/modules/darwin/default.nix b/modules/darwin/default.nix
new file mode 100644
index 00000000..c915eb0a
--- /dev/null
+++ b/modules/darwin/default.nix
@@ -0,0 +1 @@
+{ ... }: { }
diff --git a/modules/shared/default.nix b/modules/shared/default.nix
new file mode 100644
index 00000000..c915eb0a
--- /dev/null
+++ b/modules/shared/default.nix
@@ -0,0 +1 @@
+{ ... }: { }
diff --git a/secrets.nix b/secrets.nix
index 8a3e4015..4c802381 100644
--- a/secrets.nix
+++ b/secrets.nix
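Review bot: Removing the `udp2raw-server` unit takes away the listener on `0.0.0.0:8080`, but this hunk does not show whether a matching firewall opening for TCP 8080 (an `allowedTCPPorts` entry gated on the same `server` option, say) exists elsewhere in this module; if one does, it should be dropped in the same change so the port is not left open with nothing behind it. Likewise `config.chvp.base.network.wireguard.onCorporate` was, as far as this hunk shows, consumed only by `udp2raw-client`, so its option declaration (outside this hunk) is now dead unless something else reads it. The `age.secrets."files/wireguard/udp2raw"` removal in the `-157` hunk and the deletion of the `.age` file itself are consistent with dropping the tunnel.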
@@ -1,37 +1,45 @@ let kholinar = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOL8MzChayhcVTfZvE3/ExwXpq2+LbihjzUVlKeIGoOL"; lasting-integrity = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKJmeY7j5LxWVv3fKzqG4Bvg/ZhOp8iwk0utpyMWMSk"; + thaylen-city = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK/6GDhlqX3/al9jx48DXS/uCwfwrdZty1rl6N8X8TZ8"; urithiru = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOrzOpyzDc5BVtAeb5//PnMRcp+9B+DjfU7p2YpaH6a2"; - hosts = [ + nixosHosts = [ kholinar lasting-integrity urithiru ]; + hosts = [ + kholinar + lasting-integrity + thaylen-city + urithiru + ]; + nixosLaptops = [ + kholinar + ]; laptops = [ kholinar + thaylen-city ]; servers = [ lasting-integrity urithiru ]; - charlotte = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDb17zAg3zwvdYHNZqXSGYKseCz5281Ha6oOYPbwFYD" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJY5nXR/V6wcMRxugD7GTOF8kwfGnAT2CRuJ2Qi60vsm" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJLsSFEi4CGpkWIJxXJC78bhibrBRxClBbpS9n7PQGYL" ]; users = charlotte; in { - "secrets/passwords/users/charlotte.age".publicKeys = hosts ++ users; - "secrets/passwords/users/root.age".publicKeys = hosts ++ users; + "secrets/passwords/users/charlotte.age".publicKeys = nixosHosts ++ users; + "secrets/passwords/users/root.age".publicKeys = nixosHosts ++ users; "secrets/authorized_keys/charlotte.age".publicKeys = hosts ++ users; "secrets/authorized_keys/root.age".publicKeys = hosts ++ users; - "secrets/passwords/networks.age".publicKeys = laptops ++ users; + "secrets/passwords/networks.age".publicKeys = nixosLaptops ++ users; - "secrets/passwords/ugent-mount-credentials.age".publicKeys = laptops ++ users; - "secrets/passwords/ugent-vpn.age".publicKeys = laptops ++ users; "secrets/files/programs/vpn/local.age".publicKeys = laptops ++ users; "secrets/files/programs/vpn/global.age".publicKeys = laptops ++ users; 
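Review bot: The recipient changes in this hunk (adding `thaylen-city` to `hosts` and `laptops`, replacing the second `charlotte` key, and narrowing several entries to `nixosHosts`/`nixosLaptops`) only take effect once every `.age` file whose `publicKeys` set changed is re-encrypted (`agenix -r`), and the part of the diff visible here contains only deletions under `secrets/`, no rekeyed ciphertexts — if the rekey is in a part of the commit not shown, disregard this. Note also that dropping the `…IJY5nXR…` key from `charlotte` does not revoke anything: every ciphertext already in history stays decryptable by that key, so if it was retired because it may have been exposed, the underlying secrets (passwords, VPN and wireguard material) should be rotated rather than merely rekeyed. The same rekey requirement applies to the `-48` and `-72` hunks of this file, which move `ssmtp-pass` and `ssh/host_configuration` to `nixosHosts`.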
@@ -48,7 +56,7 @@ in "secrets/passwords/services/mail/robbe_at_robbevanpetegem.be.age".publicKeys = [ lasting-integrity ] ++ users; "secrets/passwords/services/mail/robbe_at_vanpetegem.me.age".publicKeys = [ lasting-integrity ] ++ users; "secrets/passwords/services/mail/webmaster_at_vanpetegem.be.age".publicKeys = [ lasting-integrity ] ++ users; - "secrets/passwords/services/ssmtp-pass.age".publicKeys = hosts ++ users; + "secrets/passwords/services/ssmtp-pass.age".publicKeys = nixosHosts ++ users; "secrets/passwords/services/acme.age".publicKeys = servers ++ users; @@ -72,12 +80,9 @@ in "secrets/passwords/services/nextcloud-admin.age".publicKeys = [ lasting-integrity ] ++ users; - "secrets/files/services/tunnel/key.age".publicKeys = [ lasting-integrity ] ++ users; - "secrets/files/services/tunnel/env.age".publicKeys = [ lasting-integrity ] ++ users; - "secrets/passwords/services/data-basic-auth.age".publicKeys = [ urithiru ] ++ users; - "secrets/files/programs/ssh/host_configuration.age".publicKeys = hosts ++ users; + "secrets/files/programs/ssh/host_configuration.age".publicKeys = nixosHosts ++ users; "secrets/files/programs/transmission/config.json.age".publicKeys = [ urithiru ] ++ users; @@ -95,7 +100,6 @@ in "secrets/files/wireguard/lasting-integrity.privkey.age".publicKeys = [ lasting-integrity ] ++ users; "secrets/files/wireguard/urithiru.privkey.age".publicKeys = [ urithiru ] ++ users; "secrets/files/wireguard/psk.age".publicKeys = hosts ++ users; - "secrets/files/wireguard/udp2raw.age".publicKeys = hosts ++ users; "secrets/data-access/ssh_host_rsa_key.age".publicKeys = [ urithiru ] ++ users; "secrets/data-access/ssh_host_rsa_key.pub.age".publicKeys = [ urithiru ] ++ users; diff --git a/secrets/files/wireguard/kharbranth.privkey.age b/secrets/files/wireguard/kharbranth.privkey.age deleted file mode 100644 index 73f8aa0d..00000000 --- a/secrets/files/wireguard/kharbranth.privkey.age +++ /dev/null 
@@ -1,11 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 umFZoA JYm4N9NduNbFMi0ohZsPpkVwo0pIBG2UP51vnhHVG00 -u4rMc/uBK7u5hyIMSMKPQ3ff/wHc8igjc/qQms/BJuU --> ssh-ed25519 s9rb8g yHgBR6PDyvEoEqZK7SdUN7KnOiZkzHcg6HGIErNA/io -AXFcDDCaDBRFqCUvx6XNpcJgxd082/auFKDKSBVr12Y --> ssh-ed25519 yad4VQ eyXNg3ooMWudaxCaNhePhMi8gOzti3JN2ynf0gshcTw -O1vNfqYE+HHAOEi0ud5EuOOkruQLcHbnUYxCySvoebM --> 1|+Pa+x-grease lq -OI+L ---- mg/v3GAOMz38E6uR1wRYHiz+yHO/wHyzEh5GQAXiFs8 -`Xeq~owh_e "KD m,o`FIri#"@ʿ=<2s1t)Adx \ No newline at end of file diff --git a/secrets/files/wireguard/udp2raw.age b/secrets/files/wireguard/udp2raw.age deleted file mode 100644 index c5dba8bf..00000000 Binary files a/secrets/files/wireguard/udp2raw.age and /dev/null differ diff --git a/secrets/passwords/ugent-mount-credentials.age b/secrets/passwords/ugent-mount-credentials.age deleted file mode 100644 index 9b836fd2..00000000 --- a/secrets/passwords/ugent-mount-credentials.age +++ /dev/null @@ -1,13 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 umFZoA qG7k8V75DUqFmtjpSkCxig2RYWz21L6i3SuqP1QHNAE -O0BbxXcFzuY0GjsYuyQw97/B5e0tGgllsr32tObdizQ --> ssh-ed25519 aUd9Ng ZoRF2WBSIjF/IYb975m8PfHfNLJIeVj6BLHVpLiUCzU -I5vM8xc2UgATwIbgmg2Y4RAUaRuqokvzEAud2xTOU/4 --> ssh-ed25519 s9rb8g vymfJnszAEn4W3fx/vaZ6Fd6uCr7Jt7Fm02UUXV0KQE -rji5f+Q94cnUDXpvynWbWWCeXa2/9SJA53VBong69Ig --> ssh-ed25519 yad4VQ mQ753Zazue/EIrIQglGdovSZHwiYqTQFTKwm9azOGU4 -IHarxvrAdaFCEkN14AaP72BkPsiWb7S8CeTTAUuy+e4 --> ;\k--grease }P6 l70)SFt -iJMjf2O2jArRvJUTnW0 ---- acjP6TMMvAH8AGbpNeaBou7I55nBYMTlsGI1NeZItYM -fR?t2NN >C+suUzb TYs/m|3@PH9$VvTkBRi2|% \ No newline at end of file diff --git a/secrets/passwords/ugent-vpn.age b/secrets/passwords/ugent-vpn.age deleted file mode 100644 index 4b513283..00000000 Binary files a/secrets/passwords/ugent-vpn.age and /dev/null differ