diff --git a/config/host-config/lambda.nix b/config/host-config/lambda.nix index 578e2d5..beec181 100644 --- a/config/host-config/lambda.nix +++ b/config/host-config/lambda.nix @@ -22,19 +22,19 @@ in { }; }; - fudo.secrets = { - host-secrets.lambda = { - host-keytab = { - source-file = /state/secrets/kerberos/lambda.keytab; - target-file = "/etc/krb5.keytab"; - user = "root"; - }; - }; + # fudo.secrets = { + # host-secrets.lambda = { + # host-keytab = { + # source-file = /state/secrets/kerberos/lambda.keytab; + # target-file = "/etc/krb5.keytab"; + # user = "root"; + # }; + # }; - secret-group = "fudo-secrets"; - secret-users = [ "niten" ]; - secret-paths = [ "/state/secrets" ]; - }; + # secret-group = "fudo-secrets"; + # secret-users = [ "niten" ]; + # secret-paths = [ "/state/secrets" ]; + # }; fudo.games.valheim = { enable = true; diff --git a/config/host-config/limina.nix b/config/host-config/limina.nix index d25b30d..b18b204 100644 --- a/config/host-config/limina.nix +++ b/config/host-config/limina.nix @@ -63,20 +63,6 @@ in { network-definition = config.fudo.networks.${domain-name}; }; - secrets.host-secrets.limina = { - backplane-client-passwd = { - source-file = /state/secrets/backplane-client/limina.passwd; - target-file = "/srv/backplane/dns/client.passwd"; - user = config.fudo.client.dns.user; - }; - - host-keytab = { - source-file = /state/secrets/kerberos/limina.keytab; - target-file = "/etc/krb5.keytab"; - user = "root"; - }; - }; - client.dns = { enable = true; ipv4 = true; diff --git a/config/networks.nix b/config/networks.nix index 20ccb44..cfc4912 100644 --- a/config/networks.nix +++ b/config/networks.nix 
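Review bot: The per-host secrets block in lambda.nix is commented out rather than deleted, leaving `# fudo.secrets = {` … `# };` as dead text that a reader must reconcile with whatever now deploys the keytab; delete the block and let version control keep the history. Note that `secret-group`, `secret-users` and `secret-paths` are disabled along with it, and this diff does not show anything else setting them for this host — confirm the shared hosts module (or another file) still supplies those three values, otherwise the centralized `host-secrets` entries have no declared source path or reader group. The enclosing `in { … }` attribute set starts and ends outside the hunk.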
@@ -2,8 +2,8 @@ { config.fudo.networks = { - "rus.selby.ca" = import ./networks/rus.selby.ca.nix { inherit config lib; }; - "sea.fudo.org" = import ./networks/sea.fudo.org.nix { inherit config lib; }; - "informis.land" = import ./networks/informis.land.nix { inherit config lib; }; + "rus.selby.ca" = import ./networks/rus.selby.ca.nix; + "sea.fudo.org" = import ./networks/sea.fudo.org.nix; + "informis.land" = import ./networks/informis.land.nix; }; } diff --git a/initialize.nix b/initialize.nix index 27b703d..91c6a39 100644 --- a/initialize.nix +++ b/initialize.nix @@ -1,5 +1,4 @@ -{ hostname, site, domain, profile, build-timestamp, ... }: -{ config, lib, pkgs, ... }: +{ hostname, site, domain, profile, build-timestamp, config, lib, pkgs, ... }: let # Get info on this host so we know what to load @@ -9,8 +8,6 @@ in { imports = [ ./lib ./config - - #home-manager-module (config-dir + /hardware/${hostname}.nix) (config-dir + /host-config/${hostname}.nix) @@ -21,9 +18,10 @@ in { config = { instance = { - inherit hostname site domain profile build-timestamp; + inherit hostname build-timestamp; + local-site = site; + local-domain = domain; + local-profile = profile; }; - - nixpkgs.pkgs = pkgs; }; } diff --git a/lib/fudo/client/dns.nix b/lib/fudo/client/dns.nix index ff62fc1..97082a2 100644 --- a/lib/fudo/client/dns.nix +++ b/lib/fudo/client/dns.nix @@ -72,6 +72,7 @@ in { }; config = mkIf cfg.enable { + users.users = { "${cfg.user}" = { isSystemUser = true; diff --git a/lib/fudo/hosts.nix b/lib/fudo/hosts.nix index c9cc321..9a732d3 100644 --- a/lib/fudo/hosts.nix +++ b/lib/fudo/hosts.nix 
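Review bot: The three network definitions are now imported as plain values (`"rus.selby.ca" = import ./networks/rus.selby.ca.nix;`) instead of being called with `{ inherit config lib; }`, but the network files themselves are not part of this diff; if any of them still begins with `{ config, lib, ... }:`, the corresponding `config.fudo.networks.<name>` becomes a function rather than an attribute set, and the `config.fudo.networks.${domain-name}` lookup in limina.nix will fail at evaluation time. Either include the matching change to the three files in this commit, or keep passing an explicit argument set on these lines. The enclosing attribute set is fully inside the hunk.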
@@ -102,28 +102,44 @@ in { boot.tmpOnTmpfs = host-cfg.tmp-on-tmpfs; - fudo.secrets.host-secrets.${hostname} = let - keytab-file = - if (hasAttr hostname config.fudo.secrets.files.host-keytabs) then - config.fudo.secrets.files.host-keytabs.${hostname} - else null; + fudo = let + try-attr = attr: set: if (hasAttr attr set) then set.${attr} else null; + + files = config.fudo.secrets.files; + + keytab-file = try-attr hostname files.host-keytabs; build-private-key-file = - if (hasAttr hostname config.fudo.secrets.files.build-keypairs) then - config.fudo.secrets.files.build-keypairs.${hostname}.private-key - else null; + mapOptional + (keypair: keypair.private-key) + (try-attr hostname files.build-keypairs); + + backplane-passwd-source = try-attr hostname files.backplane-passwords; + + backplane-passwd-target = "/var/run/backplane/passwd"; in { - host-keytab = mkIf (keytab-file != null) { - source-file = keytab-file; - target-file = "/etc/krb5.keytab"; - user = "root"; + secrets.host-secrets.${hostname} = { + host-keytab = mkIf (keytab-file != null) { + source-file = keytab-file; + target-file = "/etc/krb5.keytab"; + user = "root"; + }; + + build-private-key = mkIf (build-private-key-file != null) { + source-file = build-private-key-file; + target-file = "/var/run/nix-build/host.key"; + user = "root"; + }; + + backplane-passwd = mkIf (backplane-passwd-source != null) { + source-file = backplane-passwd-source; + target-file = backplane-passwd-target; + user = config.fudo.client.dns.user; + }; }; - build-private-key = mkIf (build-private-key-file != null) { - source-file = build-private-key-file; - target-file = "/var/run/nix-build/host.key"; - user = "root"; - }; + client.dns.password-file = mkIf (backplane-passwd != null) + backplane-password-target; }; programs.adb.enable = host-cfg.android-dev; diff --git a/lib/instance.nix b/lib/instance.nix index 951cfb7..1ef9048 100644 --- a/lib/instance.nix +++ b/lib/instance.nix 
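Review bot: `client.dns.password-file = mkIf (backplane-passwd != null) backplane-password-target;` references two names the `let` above never binds — the bindings are `backplane-passwd-source` and `backplane-passwd-target` — so this module fails with an undefined-variable error for every host; the line should read `client.dns.password-file = mkIf (backplane-passwd-source != null) backplane-passwd-target;`. As far as I can tell `mapOptional` is not a function nixpkgs `lib` exports (the equivalent is `lib.mapNullable`), so unless the file's own `let` defines it, `build-private-key-file` is a third unbound name. Separately, the backplane password now lands at `/var/run/backplane/passwd`, owned by `config.fudo.client.dns.user`, under a directory that is normally world-listable; the hunk does not show what mode or parent-directory ownership the `fudo.secrets` module applies to `target-file`, so confirm the file is created 0400 and the directory is not readable by other users. The enclosing `config = { … }` block starts and ends outside the hunk.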
@@ -27,6 +27,11 @@ in { description = "Site name of the current local host."; }; + local-profile = mkOption { + type = str; + description = "Profile name of the current local host."; + }; + local-admins = mkOption { type = listOf str; description = "List of users who should have admin access to the local host.";
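Review bot: This hunk declares `instance.local-profile`, but initialize.nix in the same commit also assigns `instance.local-domain = domain;`, and no `local-domain` option is visible in the surrounding context (only `local-site` and the new `local-profile`); unless it is declared elsewhere in this file, module evaluation will reject `local-domain` as an undefined option. Add the matching declaration next to this one, e.g. `local-domain = mkOption { type = str; description = "Domain name of the current local host."; };`. The enclosing attribute set starts and ends outside the hunk.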