From 3f958ff6d683c7c364f1965f78f177d1f9996539 Mon Sep 17 00:00:00 2001 From: Charlotte Van Petegem Date: Thu, 18 Jul 2024 11:01:12 +0200 Subject: [PATCH] treewide: lay base for shared configuration with darwin machines --- flake.nix | 46 ++++++++++++++---- machines/thaylen-city/default.nix | 6 +-- modules/base/network/wireguard.nix | 21 -------- modules/darwin/default.nix | 1 + modules/shared/default.nix | 1 + secrets.nix | 32 ++++++------ .../files/wireguard/kharbranth.privkey.age | 11 ----- secrets/files/wireguard/udp2raw.age | Bin 840 -> 0 bytes secrets/passwords/ugent-mount-credentials.age | 13 ----- secrets/passwords/ugent-vpn.age | Bin 1020 -> 0 bytes 10 files changed, 57 insertions(+), 74 deletions(-) create mode 100644 modules/darwin/default.nix create mode 100644 modules/shared/default.nix delete mode 100644 secrets/files/wireguard/kharbranth.privkey.age delete mode 100644 secrets/files/wireguard/udp2raw.age delete mode 100644 secrets/passwords/ugent-mount-credentials.age delete mode 100644 secrets/passwords/ugent-vpn.age diff --git a/flake.nix b/flake.nix index ec08ca5c..b9602b68 100644 --- a/flake.nix +++ b/flake.nix @@ -128,14 +128,22 @@ www-chvp-be.overlays.default ]; commonModules = [ + ./modules/shared + ]; + nixosModules = [ accentor.nixosModules.default - agenix.nixosModules.age - home-manager.nixosModule + agenix.nixosModules.default + home-manager.nixosModule.default lanzaboote.nixosModules.lanzaboote nixos-mailserver.nixosModule nix-index-database.nixosModules.nix-index ./modules ]; + darwinModules = [ + agenix.darwinModules.default + home-manager.darwinModules.default + ./modules/darwin + ]; nixosSystem = system: name: let nixpkgs = nixpkgsForSystem system; @@ -145,7 +153,7 @@ inherit lib system; specialArgs = { modulesPath = toString (nixpkgs + "/nixos/modules"); }; baseModules = import (nixpkgs + "/nixos/modules/module-list.nix"); - modules = commonModules ++ [ + modules = commonModules ++ nixosModules ++ [ ({ config, ... }: { nixpkgs = { 
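Review bot: `home-manager.nixosModule.default` in the new `nixosModules` list looks like a typo for `home-manager.nixosModules.default`: home-manager's singular `nixosModule` output is the module itself, so taking `.default` on it should fail at evaluation, and the plural form is what the parallel `agenix.nixosModules.default` and `home-manager.darwinModules.default` entries use. Suggested line: `home-manager.nixosModules.default`. The `commonModules`/`nixosModules` split is otherwise consistent with the second hunk's `modules = commonModules ++ nixosModules ++ [`. The enclosing let-block starts before the hunk.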
@@ -164,18 +172,36 @@ ./machines/${name} ]; }; + darwinSystem = system: name: + let + nixpkgs = nixpkgsForSystem system; + lib = (import nixpkgs { inherit overlays system; }).lib; + in + darwin.lib.darwinSystem { + inherit lib system; + modules = commonModules ++ darwinModules ++ [ + ({ config, ... }: + { + nixpkgs.pkgs = import nixpkgs { + inherit overlays system; + config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) config.chvp.base.nix.unfreePackages; + }; + networking.hostName = name; + nix = { + extraOptions = "extra-experimental-features = nix-command flakes"; + registry = (builtins.mapAttrs (name: v: { flake = v; }) inputs) // { nixpkgs = { flake = nixpkgs; }; }; + }; + }) + ./machines/${name} + home-manager.darwinModules.home-manager + ]; + }; nixosConfigurations = { kholinar = nixosSystem "x86_64-linux" "kholinar"; lasting-integrity = nixosSystem "x86_64-linux" "lasting-integrity"; urithiru = nixosSystem "x86_64-linux" "urithiru"; }; - darwinConfigurations.thaylen-city = darwin.lib.darwinSystem { - system = "aarch64-darwin"; - modules = [ - ./machines/thaylen-city - home-manager.darwinModules.home-manager - ]; - }; + darwinConfigurations.thaylen-city = darwinSystem "aarch64-darwin" "thaylen-city"; lsShells = builtins.readDir ./shells; shellFiles = builtins.filter (name: lsShells.${name} == "regular") (builtins.attrNames lsShells); shellNames = builtins.map (filename: builtins.head (builtins.split "\\." filename)) shellFiles; diff --git a/machines/thaylen-city/default.nix b/machines/thaylen-city/default.nix index 4bf430e5..222365e3 100644 --- a/machines/thaylen-city/default.nix +++ b/machines/thaylen-city/default.nix @@ -18,13 +18,9 @@ upgrade = true; }; }; - networking = { - computerName = "Thaylen City"; - hostName = "thaylen-city"; - }; + networking.computerName = "Thaylen City"; nix = { extraOptions = '' - experimental-features = nix-command flakes keep-outputs = true keep-derivations = true ''; 
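Review bot: The new `darwinSystem` reads `config.chvp.base.nix.unfreePackages` inside the module it adds, but the only darwin-side modules this commit wires in are the two empty stubs `modules/shared/default.nix` and `modules/darwin/default.nix`, so unless `machines/thaylen-city` declares that option, evaluating `darwinConfigurations.thaylen-city` should fail on an undefined option. Either declare `chvp.base.nix.unfreePackages` in `modules/shared` or drop the predicate on darwin until the shared option exists. Separately, home-manager's darwin module appears twice in the list, once via `darwinModules` as `home-manager.darwinModules.default` and again explicitly as `home-manager.darwinModules.home-manager` after `./machines/${name}`; if both resolve to the same module the explicit entry is redundant and can be dropped. The inner `name` in `builtins.mapAttrs (name: v: ...)` also shadows the `name` parameter of `darwinSystem`; renaming it (e.g. `(n: v: { flake = v; })`) keeps `networking.hostName = name` unambiguous to the reader.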
diff --git a/modules/base/network/wireguard.nix b/modules/base/network/wireguard.nix index 704166f5..374d54a6 100644 --- a/modules/base/network/wireguard.nix +++ b/modules/base/network/wireguard.nix @@ -128,26 +128,6 @@ in ]; }; }; - services = { - udp2raw-server = lib.mkIf config.chvp.base.network.wireguard.server { - description = "UDP tunnel over TCP for wireguard"; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - script = '' - ${pkgs.udp2raw}/bin/udp2raw -s -l 0.0.0.0:8080 -r 127.0.0.1:51820 \ - -k "$(cat ${config.age.secrets."files/wireguard/udp2raw".path})" - ''; - }; - udp2raw-client = lib.mkIf config.chvp.base.network.wireguard.onCorporate { - description = "UDP tunnel over TCP for wireguard"; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - script = '' - ${pkgs.udp2raw}/bin/udp2raw -c -l 127.0.0.1:51820 -r 54.38.222.69:8080 \ - -k "$(cat ${config.age.secrets."files/wireguard/udp2raw".path})" - ''; - }; - }; }; age.secrets."files/wireguard/psk" = { file = ../../../secrets/files/wireguard/psk.age; @@ -157,6 +137,5 @@ in file = ../../../secrets/files/wireguard + "/${config.networking.hostName}.privkey.age"; owner = "systemd-network"; }; - age.secrets."files/wireguard/udp2raw".file = ../../../secrets/files/wireguard/udp2raw.age; }; } diff --git a/modules/darwin/default.nix b/modules/darwin/default.nix new file mode 100644 index 00000000..c915eb0a --- /dev/null +++ b/modules/darwin/default.nix @@ -0,0 +1 @@ +{ ... }: { } diff --git a/modules/shared/default.nix b/modules/shared/default.nix new file mode 100644 index 00000000..c915eb0a --- /dev/null +++ b/modules/shared/default.nix @@ -0,0 +1 @@ +{ ... }: { } diff --git a/secrets.nix b/secrets.nix index 8a3e4015..4c802381 100644 --- a/secrets.nix +++ b/secrets.nix 
@@ -1,37 +1,45 @@ let kholinar = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOL8MzChayhcVTfZvE3/ExwXpq2+LbihjzUVlKeIGoOL"; lasting-integrity = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKJmeY7j5LxWVv3fKzqG4Bvg/ZhOp8iwk0utpyMWMSk"; + thaylen-city = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK/6GDhlqX3/al9jx48DXS/uCwfwrdZty1rl6N8X8TZ8"; urithiru = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOrzOpyzDc5BVtAeb5//PnMRcp+9B+DjfU7p2YpaH6a2"; - hosts = [ + nixosHosts = [ kholinar lasting-integrity urithiru ]; + hosts = [ + kholinar + lasting-integrity + thaylen-city + urithiru + ]; + nixosLaptops = [ + kholinar + ]; laptops = [ kholinar + thaylen-city ]; servers = [ lasting-integrity urithiru ]; - charlotte = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDb17zAg3zwvdYHNZqXSGYKseCz5281Ha6oOYPbwFYD" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJY5nXR/V6wcMRxugD7GTOF8kwfGnAT2CRuJ2Qi60vsm" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJLsSFEi4CGpkWIJxXJC78bhibrBRxClBbpS9n7PQGYL" ]; users = charlotte; in { - "secrets/passwords/users/charlotte.age".publicKeys = hosts ++ users; - "secrets/passwords/users/root.age".publicKeys = hosts ++ users; + "secrets/passwords/users/charlotte.age".publicKeys = nixosHosts ++ users; + "secrets/passwords/users/root.age".publicKeys = nixosHosts ++ users; "secrets/authorized_keys/charlotte.age".publicKeys = hosts ++ users; "secrets/authorized_keys/root.age".publicKeys = hosts ++ users; - "secrets/passwords/networks.age".publicKeys = laptops ++ users; + "secrets/passwords/networks.age".publicKeys = nixosLaptops ++ users; - "secrets/passwords/ugent-mount-credentials.age".publicKeys = laptops ++ users; - "secrets/passwords/ugent-vpn.age".publicKeys = laptops ++ users; "secrets/files/programs/vpn/local.age".publicKeys = laptops ++ users; "secrets/files/programs/vpn/global.age".publicKeys = laptops ++ users; 
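Review bot: Editing recipient lists in `secrets.nix` does not re-encrypt anything by itself, and this commit's diffstat contains no modified `.age` files, so `thaylen-city` cannot yet decrypt the secrets it is newly added to (for example `secrets/authorized_keys/*.age` and `secrets/files/wireguard/psk.age` via `hosts`, and `secrets/files/programs/vpn/*.age` via `laptops`), and the new `charlotte` key ending in `GYL` cannot decrypt any existing ciphertext, until the files are rekeyed with agenix (`-r`) and the results committed. Conversely, removing the old key ending in `vsm` from `charlotte` does not revoke its access: every ciphertext already in git history stays decryptable with it, so if that key is being retired because it may have been exposed, the affected secrets need rotating rather than only rekeying. A short comment above the two host lists stating the split, e.g. `# hosts: every machine (NixOS and darwin); nixosHosts: only machines that consume the secret through a NixOS module`, would make it clear which list a future secret belongs in.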
@@ -48,7 +56,7 @@ in "secrets/passwords/services/mail/robbe_at_robbevanpetegem.be.age".publicKeys = [ lasting-integrity ] ++ users; "secrets/passwords/services/mail/robbe_at_vanpetegem.me.age".publicKeys = [ lasting-integrity ] ++ users; "secrets/passwords/services/mail/webmaster_at_vanpetegem.be.age".publicKeys = [ lasting-integrity ] ++ users; - "secrets/passwords/services/ssmtp-pass.age".publicKeys = hosts ++ users; + "secrets/passwords/services/ssmtp-pass.age".publicKeys = nixosHosts ++ users; "secrets/passwords/services/acme.age".publicKeys = servers ++ users; @@ -72,12 +80,9 @@ in "secrets/passwords/services/nextcloud-admin.age".publicKeys = [ lasting-integrity ] ++ users; - "secrets/files/services/tunnel/key.age".publicKeys = [ lasting-integrity ] ++ users; - "secrets/files/services/tunnel/env.age".publicKeys = [ lasting-integrity ] ++ users; - "secrets/passwords/services/data-basic-auth.age".publicKeys = [ urithiru ] ++ users; - "secrets/files/programs/ssh/host_configuration.age".publicKeys = hosts ++ users; + "secrets/files/programs/ssh/host_configuration.age".publicKeys = nixosHosts ++ users; "secrets/files/programs/transmission/config.json.age".publicKeys = [ urithiru ] ++ users; @@ -95,7 +100,6 @@ in "secrets/files/wireguard/lasting-integrity.privkey.age".publicKeys = [ lasting-integrity ] ++ users; "secrets/files/wireguard/urithiru.privkey.age".publicKeys = [ urithiru ] ++ users; "secrets/files/wireguard/psk.age".publicKeys = hosts ++ users; - "secrets/files/wireguard/udp2raw.age".publicKeys = hosts ++ users; "secrets/data-access/ssh_host_rsa_key.age".publicKeys = [ urithiru ] ++ users; "secrets/data-access/ssh_host_rsa_key.pub.age".publicKeys = [ urithiru ] ++ users; diff --git a/secrets/files/wireguard/kharbranth.privkey.age b/secrets/files/wireguard/kharbranth.privkey.age deleted file mode 100644 index 73f8aa0d..00000000 --- a/secrets/files/wireguard/kharbranth.privkey.age +++ /dev/null 
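Review bot: The third hunk drops the recipient entries for `secrets/files/services/tunnel/key.age` and `secrets/files/services/tunnel/env.age`, but the commit's diffstat deletes no files under `secrets/files/services/tunnel/`; if those ciphertexts are still in the tree they become orphaned (no recipient list, so agenix can no longer rekey them), and if a module still references them, evaluation of `lasting-integrity` fails. Either delete the files in the same commit, as the fourth hunk does for `secrets/files/wireguard/udp2raw.age`, or keep the entries. The same check applies to `secrets/passwords/services/data-basic-auth.age` if it is really being removed rather than kept as context; the collapsed hunk makes that ambiguous.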
@@ -1,11 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 umFZoA JYm4N9NduNbFMi0ohZsPpkVwo0pIBG2UP51vnhHVG00 -u4rMc/uBK7u5hyIMSMKPQ3ff/wHc8igjc/qQms/BJuU --> ssh-ed25519 s9rb8g yHgBR6PDyvEoEqZK7SdUN7KnOiZkzHcg6HGIErNA/io -AXFcDDCaDBRFqCUvx6XNpcJgxd082/auFKDKSBVr12Y --> ssh-ed25519 yad4VQ eyXNg3ooMWudaxCaNhePhMi8gOzti3JN2ynf0gshcTw -O1vNfqYE+HHAOEi0ud5EuOOkruQLcHbnUYxCySvoebM --> 1|+Pa+x-grease lq -OI+L ---- mg/v3GAOMz38E6uR1wRYHiz+yHO/wHyzEh5GQAXiFs8 -`Xeq~owh_e "KD m,o`FIri#"@ʿ=<2s1t)Adx \ No newline at end of file diff --git a/secrets/files/wireguard/udp2raw.age b/secrets/files/wireguard/udp2raw.age deleted file mode 100644 index c5dba8bfa2d7b43c49f0741dba826ece80aba745..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 840 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSH&2@{)cU15!OEmH@ z_9#iINHGsA2~G6%4>Yex@`*?()-N&7%1$jvHx2Lzk1(zz{E_P4TE)I=!3^BAw@ZGubaE)gas{ zKgGl&J0Qz7FVZk6-^blKv#=sGCAZSqvC7vyBAv^%(x4)|#L2?Ez&xWO*v}(3Cn>@` zH`3IvAS9$BwaPRx#nC*%&DAf<-vr&Z3~xubvOtAAH{(nXuf%YD?er+`;=G6ygA$M2 z!V=#~&%B&K=TM`xa>LNXs*sWhmtroLd|&6HLdWbfi@fkmQ*WP8Z$odd+!P-_7jFaq z!s5!}j2!b^BVQkbL`QVnECbS9odOk%Ekm7+{HqMYOCn26(zGL;{4$K3%8XpfyeqZK zvx~i*+{}#fqVkQ?-Lkp7++7p3Lp{r*^8CFGyfb_QvMSumb3%0 z_9!!Vtjgv}F3rdba5BoR(DyA*^Nz~%i}cRT%(5(r%qb2sjI1iQ2r+Rs^GLNY&cN_n zWnzj+SfD~=M!G>jK!J&oVXm2*r$J??yH}c7xq)e-iKThAxw*HQdqAmoak+PKRU}t_ zgmH03n!C2AZ?;QOl$Tphs$oTlVOC*wX}ErIu)9xbRiTrgXF)`eGdSLqe00-`QWJ|) z73?!TofV8@9MUy4Jrtq}Y6FZE!cCL8xO8=O70h!&4c!ckvO>b$UHr8p+(O;b9V;sW z@{4^#gDf12wY76oO#BVX3rZ_pxtd-{GknUKmn}KTI)BAW6%Q%iuXDG`<^1X8I`#k1 y9@ZGP?J@VRde?kf@+e!j-cc^2XlL8O|LO_{E$ybn8q7PFl=Sf9qrBqZEN%e#uof8r diff --git a/secrets/passwords/ugent-mount-credentials.age b/secrets/passwords/ugent-mount-credentials.age deleted file mode 100644 index 9b836fd2..00000000 --- a/secrets/passwords/ugent-mount-credentials.age +++ /dev/null 
@@ -1,13 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 umFZoA qG7k8V75DUqFmtjpSkCxig2RYWz21L6i3SuqP1QHNAE -O0BbxXcFzuY0GjsYuyQw97/B5e0tGgllsr32tObdizQ --> ssh-ed25519 aUd9Ng ZoRF2WBSIjF/IYb975m8PfHfNLJIeVj6BLHVpLiUCzU -I5vM8xc2UgATwIbgmg2Y4RAUaRuqokvzEAud2xTOU/4 --> ssh-ed25519 s9rb8g vymfJnszAEn4W3fx/vaZ6Fd6uCr7Jt7Fm02UUXV0KQE -rji5f+Q94cnUDXpvynWbWWCeXa2/9SJA53VBong69Ig --> ssh-ed25519 yad4VQ mQ753Zazue/EIrIQglGdovSZHwiYqTQFTKwm9azOGU4 -IHarxvrAdaFCEkN14AaP72BkPsiWb7S8CeTTAUuy+e4 --> ;\k--grease }P6 l70)SFt -iJMjf2O2jArRvJUTnW0 ---- acjP6TMMvAH8AGbpNeaBou7I55nBYMTlsGI1NeZItYM -fR?t2NN >C+suUzb TYs/m|3@PH9$VvTkBRi2|% \ No newline at end of file diff --git a/secrets/passwords/ugent-vpn.age b/secrets/passwords/ugent-vpn.age deleted file mode 100644 index 4b5132838bd19592946fd7266a5dbcbefab6c742..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1020 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSH&2@{)cT`C6Daubw zOY-vdH*ySdtuidkFv`j>aw>>4Ez&Mccg;7~56Cjg3eYc0FXnPCNH2>t&@K!xE66A* z$@MiVh=|AvDEAKXO-u~dFElI6HZTatH}m((w?MZoF*L=}FI^$hJ;c+|%cmqMOxrNO zD#OgPqAJoqC(St2EU7ZtvNX@rwK&YV(kRd~FP$qX%O@=(z%wMmz%0e7FgxEPDAUI% zKR3WHv&bc=&@9!((77-oz%#ofH6Pu!V#}f=i*$wb(2&Yv?Z7k-Z|$V~oIvx`u(XWg zFhe&VztW)Wd_PzB$^wG`r~J&k%up^<|M>%L0Q4^KkEUqoNdl zZOihCT+6Z?e=jFv{c?2MDic#o!U7c{0y6W>a?8@wjgtc-lfw)`jYDz_lZ(SEd>mcM zOiWS(L(24XoQsMqLM*rnTzo^#19L3=l1d}A4Jt}4ol=WTeF8%R&5{c|QX*U|BSRBC z12c_64bnljW$HOqW$LCEr6v}qDkNv88^@HCmnhi!lzRtqS>~m<8mC$sIA-K&rw961 zgt_~qg_Q@So0j=y`1uwD6nVRH>FVk#l$$0;<{PF|8JJl3RRt#o<%XM@hZ(0P{Uj2pV zb)Ra37Bd#__Ov;>mItmC;GAI8&*%KDc7x{n`uveuk|&TW$-=m!E2mvmx<@K| z(}|=Uo@sr&{&gEezVBvJx@TzJ=D^w`x@^V9Sq8uL9xVO)Ol1`p=Z~d(w>e%mdde@{ zr)ce~smH44vKL~uG@Vrz Te(lqGRiJ%+CIkEPLowL^Lk*57