nix
/
nixos-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Working flake-based nixops config

This commit is contained in:
niten 2021-10-08 15:26:19 -07:00
parent 5a48c78b48
commit a323dbdd9c
7 changed files with 59 additions and 53 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
config/host-config/lambda.nix
View File

@ -22,19 +22,19 @@ in {
}; };
}; };
fudo.secrets = { # fudo.secrets = {
host-secrets.lambda = { # host-secrets.lambda = {
host-keytab = { # host-keytab = {
source-file = /state/secrets/kerberos/lambda.keytab; # source-file = /state/secrets/kerberos/lambda.keytab;
target-file = "/etc/krb5.keytab"; # target-file = "/etc/krb5.keytab";
user = "root"; # user = "root";
}; # };
}; # };
secret-group = "fudo-secrets"; # secret-group = "fudo-secrets";
secret-users = [ "niten" ]; # secret-users = [ "niten" ];
secret-paths = [ "/state/secrets" ]; # secret-paths = [ "/state/secrets" ];
}; # };
fudo.games.valheim = { fudo.games.valheim = {
enable = true; enable = true;

14
config/host-config/limina.nix
View File

@ -63,20 +63,6 @@ in {
network-definition = config.fudo.networks.${domain-name}; network-definition = config.fudo.networks.${domain-name};
}; };
secrets.host-secrets.limina = {
backplane-client-passwd = {
source-file = /state/secrets/backplane-client/limina.passwd;
target-file = "/srv/backplane/dns/client.passwd";
user = config.fudo.client.dns.user;
};
host-keytab = {
source-file = /state/secrets/kerberos/limina.keytab;
target-file = "/etc/krb5.keytab";
user = "root";
};
};
client.dns = { client.dns = {
enable = true; enable = true;
ipv4 = true; ipv4 = true;

6
config/networks.nix
View File

@ -2,8 +2,8 @@
{ {
config.fudo.networks = { config.fudo.networks = {
"rus.selby.ca" = import ./networks/rus.selby.ca.nix { inherit config lib; }; "rus.selby.ca" = import ./networks/rus.selby.ca.nix;
"sea.fudo.org" = import ./networks/sea.fudo.org.nix { inherit config lib; }; "sea.fudo.org" = import ./networks/sea.fudo.org.nix;
"informis.land" = import ./networks/informis.land.nix { inherit config lib; }; "informis.land" = import ./networks/informis.land.nix;
}; };
} }

12
initialize.nix
View File

@ -1,5 +1,4 @@
{ hostname, site, domain, profile, build-timestamp, ... }: { hostname, site, domain, profile, build-timestamp, config, lib, pkgs, ... }:
{ config, lib, pkgs, ... }:
let let
# Get info on this host so we know what to load # Get info on this host so we know what to load
@ -9,8 +8,6 @@ in {
imports = [ imports = [
./lib ./lib
./config ./config
#home-manager-module
(config-dir + /hardware/${hostname}.nix) (config-dir + /hardware/${hostname}.nix)
(config-dir + /host-config/${hostname}.nix) (config-dir + /host-config/${hostname}.nix)
@ -21,9 +18,10 @@ in {
config = { config = {
instance = { instance = {
inherit hostname site domain profile build-timestamp; inherit hostname build-timestamp;
local-site = site;
local-domain = domain;
local-profile = profile;
}; };
nixpkgs.pkgs = pkgs;
}; };
} }

1
lib/fudo/client/dns.nix
View File

@ -72,6 +72,7 @@ in {
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
users.users = { users.users = {
"${cfg.user}" = { "${cfg.user}" = {
isSystemUser = true; isSystemUser = true;

50
lib/fudo/hosts.nix
View File

@ -102,28 +102,44 @@ in {
boot.tmpOnTmpfs = host-cfg.tmp-on-tmpfs; boot.tmpOnTmpfs = host-cfg.tmp-on-tmpfs;
fudo.secrets.host-secrets.${hostname} = let fudo = let
keytab-file = try-attr = attr: set: if (hasAttr attr set) then set.${attr} else null;
if (hasAttr hostname config.fudo.secrets.files.host-keytabs) then
config.fudo.secrets.files.host-keytabs.${hostname} files = config.fudo.secrets.files;
else null;
keytab-file = try-attr hostname files.host-keytabs;
build-private-key-file = build-private-key-file =
if (hasAttr hostname config.fudo.secrets.files.build-keypairs) then mapOptional
config.fudo.secrets.files.build-keypairs.${hostname}.private-key (keypair: keypair.private-key)
else null; (try-attr hostname files.build-keypairs);
backplane-passwd-source = try-attr hostname files.backplane-passwords;
backplane-passwd-target = "/var/run/backplane/passwd";
in { in {
host-keytab = mkIf (keytab-file != null) { secrets.host-secrets.${hostname} = {
source-file = keytab-file; host-keytab = mkIf (keytab-file != null) {
target-file = "/etc/krb5.keytab"; source-file = keytab-file;
user = "root"; target-file = "/etc/krb5.keytab";
user = "root";
};
build-private-key = mkIf (build-private-key-file != null) {
source-file = build-private-key-file;
target-file = "/var/run/nix-build/host.key";
user = "root";
};
backplane-passwd = mkIf (backplane-passwd-source != null) {
source-file = backplane-passwd-source;
target-file = backplane-passwd-target;
user = config.fudo.client.dns.user;
};
}; };
build-private-key = mkIf (build-private-key-file != null) { client.dns.password-file = mkIf (backplane-passwd != null)
source-file = build-private-key-file; backplane-password-target;
target-file = "/var/run/nix-build/host.key";
user = "root";
};
}; };
programs.adb.enable = host-cfg.android-dev; programs.adb.enable = host-cfg.android-dev;

5
lib/instance.nix
View File

@ -27,6 +27,11 @@ in {
description = "Site name of the current local host."; description = "Site name of the current local host.";
}; };
local-profile = mkOption {
type = str;
description = "Profile name of the current local host.";
};
local-admins = mkOption { local-admins = mkOption {
type = listOf str; type = listOf str;
description = "List of users who should have admin access to the local host."; description = "List of users who should have admin access to the local host.";