Upgrade to 22.05 (and much else)

This commit is contained in:
niten 2022-06-01 13:57:58 -07:00
parent e9e61e24d4
commit a4ba216d71
16 changed files with 548 additions and 368 deletions


@ -84,65 +84,65 @@ in {
Defaults lecture = never
'';
services.nginx = {
enable = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedGzipSettings = true;
# services.nginx = {
# enable = true;
# recommendedOptimisation = true;
# recommendedProxySettings = true;
# recommendedGzipSettings = true;
virtualHosts."home.sea.fudo.org" = {
locations."/" = {
proxyPass = "http://localhost:${toString home-assistant-port}";
proxyWebsockets = true;
};
};
};
virtualisation = {
docker = {
enable = true;
enableOnBoot = true;
autoPrune = { enable = true; };
};
oci-containers = {
backend = "docker";
containers = {
home-assistant = {
image = "homeassistant/home-assistant:stable";
autoStart = true;
environment.TZ = config.time.timeZone;
# ports = [ "${toString home-assistant-port}:8123" ];
volumes = [ "/state/services/home-assistant:/config" ];
extraOptions = [ "--network=host" "--device=/dev/ttyACM0" ];
};
# shinobi = {
# image = "shinobisystems/shinobi:latest";
# ports = [ "${shinobi-port}:8080" ];
# volumes = [
# "/state/shinobi/plugins:/home/Shinobi/plugins"
# "/state/shinobi/config:/home/Shinobi/config"
# "/state/shinobi/videos:/home/Shinobi/videos"
# "/state/shinobi/db-data:/var/lib/mysql"
# "/etc/localtime:/etc/localtime:ro"
# ];
# virtualHosts."home.sea.fudo.org" = {
# locations."/" = {
# proxyPass = "http://localhost:${toString home-assistant-port}";
# proxyWebsockets = true;
# };
# shinobi-od = {
# image = "shinobisystems/shinobi-tensorflow:latest";
# volumes =
# [ "/srv/shinobi/od-config:/home/Shinobi/docker-plugins/tensorflow" ];
# ports = [ "${shinobi-od-port}:8082" ];
# environment = {
# PLUGIN_HOST = "panopticon.sea.fudo.org";
# PLUGIN_PORT = shinobi-port;
# PLUGIN_KEY = "30sWllylOxsDcE4vQXEPaXNfe5DiB3";
# };
# };
# photoprism = { image = "photoprism/photoprism"; };
};
};
};
# virtualisation = {
# docker = {
# enable = true;
# enableOnBoot = true;
# autoPrune = { enable = true; };
# };
# oci-containers = {
# backend = "docker";
# containers = {
# home-assistant = {
# image = "homeassistant/home-assistant:stable";
# autoStart = true;
# environment.TZ = config.time.timeZone;
# # ports = [ "${toString home-assistant-port}:8123" ];
# volumes = [ "/state/services/home-assistant:/config" ];
# extraOptions = [ "--network=host" "--device=/dev/ttyACM0" ];
# };
# # shinobi = {
# # image = "shinobisystems/shinobi:latest";
# # ports = [ "${shinobi-port}:8080" ];
# # volumes = [
# # "/state/shinobi/plugins:/home/Shinobi/plugins"
# # "/state/shinobi/config:/home/Shinobi/config"
# # "/state/shinobi/videos:/home/Shinobi/videos"
# # "/state/shinobi/db-data:/var/lib/mysql"
# # "/etc/localtime:/etc/localtime:ro"
# # ];
# # };
# # shinobi-od = {
# # image = "shinobisystems/shinobi-tensorflow:latest";
# # volumes =
# # [ "/srv/shinobi/od-config:/home/Shinobi/docker-plugins/tensorflow" ];
# # ports = [ "${shinobi-od-port}:8082" ];
# # environment = {
# # PLUGIN_HOST = "panopticon.sea.fudo.org";
# # PLUGIN_PORT = shinobi-port;
# # PLUGIN_KEY = "30sWllylOxsDcE4vQXEPaXNfe5DiB3";
# # };
# # };
# # photoprism = { image = "photoprism/photoprism"; };
# };
# };
# };
}
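Review bot: The value `PLUGIN_KEY = "30sWllylOxsDcE4vQXEPaXNfe5DiB3"` in the commented-out `shinobi-od` block looks like a live Shinobi plugin credential, and it is still committed on the new side; commenting the surrounding block out removes nothing from the repository or its history. It should be rotated on the Shinobi side and, if the block is ever revived, taken from the secrets mechanism the rest of this commit already uses (`config.fudo.secrets.files.service-passwords.${hostname}`, as the wormhole0 mosquitto users do) instead of a literal. Since the entire `services.nginx` and `virtualisation` configuration is now dead text, deleting it rather than keeping forty commented lines would also make it harder for the `--network=host` container definition to be re-enabled by accident.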


@ -31,9 +31,7 @@ in {
security.acme.email = "admin@legatus.fudo.org";
systemd.tmpfiles.rules = [
"L /etc/adjtime - - - - /state/etc/adjtime"
];
systemd.tmpfiles.rules = [ "L /etc/adjtime - - - - /state/etc/adjtime" ];
environment.systemPackages = local-packages;
@ -69,10 +67,14 @@ in {
ipropd-keytab = host-secrets.heimdal-ipropd-keytab.target-file;
};
};
chat = {
state-directory = "/state/services/chat";
external-interface = "extif0";
};
};
secrets.host-secrets.legatus = let
files = config.fudo.secrets.files;
secrets.host-secrets.legatus = let files = config.fudo.secrets.files;
in {
# postgres-keytab = {
# source-file = files.service-keytabs.procul.postgres;


@ -24,7 +24,10 @@ in {
# Hopefully this'll help with NFS...
boot.kernelModules = [ "rpcsec_gss_krb5" ];
services.nfs = {
services = {
murmur.enable = true;
nfs = {
# See ../user-config.nix for the user@REALM -> user mapping
server = {
enable = true;
@ -40,6 +43,7 @@ in {
'';
};
};
};
systemd = {
tmpfiles.rules = [ "d /state/services 0755 root root - -" ];
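Review bot: `murmur.enable = true;` brings up the Mumble server with module defaults, and nothing in this hunk sets a join password, a bind address or `openFirewall`, so who can reach it depends entirely on firewall state defined outside this file. If it is meant for the local site only, say so explicitly, e.g. `murmur = { enable = true; bindAddress = <site address>; password = <from host-secrets, not a literal>; };`, and confirm whether the host firewall already exposes the Mumble port. The `services` set this line is added to continues past the end of the hunk.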


@ -12,8 +12,7 @@ let
site = config.fudo.sites.${site-name};
host-fqdn = "${hostname}.${domain-name}";
local-networks =
domain.local-networks ++ site.local-networks;
local-networks = domain.local-networks ++ site.local-networks;
local-packages = with pkgs; [ ldns.examples ];
@ -23,8 +22,7 @@ let
host-certs = config.fudo.acme.host-domains.${hostname};
grafana-database-password =
pkgs.lib.passwd.stablerandom-passwd-file
grafana-database-password = pkgs.lib.passwd.stablerandom-passwd-file
"grafana-database-password-${hostname}"
"grafana-database-password-${hostname}-${config.instance.build-seed}";
@ -136,8 +134,7 @@ in {
# };
};
secrets.host-secrets.procul = let
files = config.fudo.secrets.files;
secrets.host-secrets.procul = let files = config.fudo.secrets.files;
in {
# postgres-keytab = {
# source-file = files.service-keytabs.procul.postgres;
@ -199,9 +196,7 @@ in {
allowed-networks = [ "1.1.1.1/32" "1.0.0.1/32" "localhost" "link-local" ];
};
services.mail-server = {
state-directory = "/srv/mailserver";
};
services.mail-server = { state-directory = "/srv/mailserver"; };
# mail-server = {
# enable = true;
@ -257,6 +252,7 @@ in {
state-directory = "/var/lib/kerberos";
master-key-file = host-secrets.heimdal-master-key.target-file;
};
ldap.state-directory = "/state/services/ldap";
};
dns.zones."informis.land" = {
enable = true;
@ -303,8 +299,7 @@ in {
};
gituser = {
password-file =
host-secrets.postgres-gitea-password.target-file;
password-file = host-secrets.postgres-gitea-password.target-file;
databases = {
git = {
access = "CONNECT";
@ -332,8 +327,7 @@ in {
state-dir = "/srv/git/state";
database = {
user = "gituser";
password-file =
host-secrets.gitea-database-password.target-file;
password-file = host-secrets.gitea-database-password.target-file;
hostname = "127.0.0.1";
name = "git";
};
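Review bot: `grafana-database-password` (only reflowed here) is produced by `stablerandom-passwd-file` from nothing but the hostname and `config.instance.build-seed`, so the Grafana database password is exactly as secret as the build seed and is reproducible by anyone who can evaluate this flake with it. That is acceptable only if the seed file read in flake.nix (`config.fudo.secrets.files.build-seed`) is treated as a secret and the helper's output never lands in a world-readable store path, which I cannot confirm from this page; a one-line comment at the binding, `# Deterministic from build-seed: this password is only as secret as the seed file.`, would make the dependency explicit. The gitea and postgres entries further down take `password-file` paths from `host-secrets` instead, which is the pattern to prefer here too.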


@ -2,6 +2,7 @@
with lib;
let
hostname = "wormhole0";
primary-ip = "10.0.0.3";
state-dir = "/state";
zigbee2mqtt-statedir = "${state-dir}/services/zigbee2mqtt";
@ -13,19 +14,17 @@ let
mosquitto-user = config.systemd.services.mosquitto.serviceConfig.User;
zigbee2mqtt-passwd-file =
pkgs.lib.passwd.random-passwd-file "zigbee2mqtt-passwd" 20;
home-assistant-passwd-file =
pkgs.lib.passwd.stablerandom-passwd-file "home-assistant-passwd"
pkgs.lib.passwd.stablerandom-passwd-file "zigbee2mqtt-passwd"
config.instance.build-seed;
host-secrets = config.fudo.secrets.host-secrets.wormhole0;
host-secrets = config.fudo.secrets.host-secrets.${hostname};
host-passwds = config.fudo.secrets.files.service-passwords.${hostname};
in {
boot.kernel.sysctl = { "net.ipv4.ip_forward" = true; };
networking = {
hostName = "wormhole0";
hostName = hostname;
firewall.enable = false;
@ -55,17 +54,27 @@ in {
dhcpcd.extraConfig = concatStringsSep "\n" [ "nogateway" ];
};
fudo.secrets.host-secrets.wormhole0 = {
fudo.secrets.host-secrets.${hostname} = {
mosquitto-zigbee2mqtt-passwd = {
source-file = zigbee2mqtt-passwd-file;
target-file = "/run/mosquitto-secrets/zigbee2mqtt.passwd";
user = mosquitto-user;
};
mosquitto-home-assistant-passwd = {
source-file = home-assistant-passwd-file;
source-file = host-passwds.mosquitto-home-assistant;
target-file = "/run/mosquitto-secrets/home-assistant.passwd";
user = mosquitto-user;
};
mosquitto-niten-passwd = {
source-file = host-passwds.mosquitto-niten;
target-file = "/run/mosquitto-secrets/niten.passwd";
user = mosquitto-user;
};
mosquitto-xiaoxuan-passwd = {
source-file = host-passwds.mosquitto-xiaoxuan;
target-file = "/run/mosquitto-secrets/xiaoxuan.passwd";
user = mosquitto-user;
};
};
systemd = {
@ -82,9 +91,14 @@ in {
};
};
zigbee2mqtt.after =
[ config.fudo.secrets.secret-target "mosquitto.service" ];
mosquitto.after = [ config.fudo.secrets.secret-target ];
zigbee2mqtt = {
after = [ config.fudo.secrets.secret-target "mosquitto.service" ];
restartIfChanged = true;
};
mosquitto = {
after = [ config.fudo.secrets.secret-target ];
restartIfChanged = true;
};
};
tmpfiles.rules = [
@ -104,7 +118,6 @@ in {
in { dialout.members = [ zigbee2mqtt-user ]; };
services = {
blueman.enable = true;
openssh.hostKeys = [
{
path = "${state-dir}/ssh/ssh_host_rsa_key";
@ -148,6 +161,14 @@ in {
host-secrets.mosquitto-home-assistant-passwd.target-file;
acl = [ "readwrite #" ];
};
niten = {
passwordFile = host-secrets.mosquitto-niten-passwd.target-file;
acl = [ "readwrite #" ];
};
xiaoxuan = {
passwordFile = host-secrets.mosquitto-xiaoxuan-passwd.target-file;
acl = [ "readwrite #" ];
};
};
}];
};
@ -155,6 +176,7 @@ in {
zigbee2mqtt = {
enable = true;
dataDir = zigbee2mqtt-statedir;
package = pkgs.pkgsUnstable.zigbee2mqtt;
settings = {
homeassistant = true;
permit_join = true;
@ -167,8 +189,15 @@ in {
# described https://www.zigbee2mqtt.io/guide/configuration/mqtt.html#server-connection
# Weird, though.
};
advanced.log_level = "debug";
};
};
avahi = {
enable = true;
reflector = true;
interfaces = [ "intif0" "worm0" ];
};
};
virtualisation = {
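Review bot: The two new mosquitto users `niten` and `xiaoxuan` get `acl = [ "readwrite #" ]`, the same all-topics grant as the home-assistant and zigbee2mqtt service accounts, so a leaked personal password can command or spoof every device on the bus. Personal accounts should be limited to the topics they actually use, e.g. `acl = [ "read homeassistant/#" "readwrite zigbee2mqtt/+/set" ];`, with `#` reserved for the two bridge accounts. The newly added `advanced.log_level = "debug";` is also worth a second look, since zigbee2mqtt's debug output is verbose and can include message payloads in the journal, and `permit_join = true` (context, not changed here) keeps the Zigbee network permanently open to new devices; both suit a pairing session rather than steady state.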


@ -0,0 +1,11 @@
const definition = {
zigbeeModel: ['AQSZB-110'],
model: 'AQSZB-110',
vendor: 'Frient',
description: 'Frient Air Quarity Sensor',
fromZigbee: [fz.temperature],
toZigbee: [],
exposes: [e.battery(), e.temperature(), e.humidity()],
};
module.exports = definition;
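Review bot: `exposes` advertises battery and humidity, but `fromZigbee: [fz.temperature]` only converts temperature reports, so Home Assistant will create humidity and battery entities that never receive a value; the list should be `fromZigbee: [fz.temperature, fz.humidity, fz.battery],` (all three converters exist in zigbee-herdsman-converters). The file also uses `fz` and `e` without binding them; external converters normally begin with `const fz = require('zigbee-herdsman-converters/converters/fromZigbee');` and `const e = require('zigbee-herdsman-converters/lib/exposes').presets;`, unless the loader this is dropped into injects those names. Minor: the user-visible `description` string reads 'Quarity' rather than 'Quality'.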


@ -51,9 +51,15 @@ in {
};
pulse.enable = true;
jack.enable = true;
media-session = {
enable = true;
config.alsa-monitor = { api.alsa.headroom = 1024; };
};
};
udev.packages = with pkgs; [ via ];
};
security = {
rtkit.enable = true;
sudo.extraConfig = "Defaults lecture = never";


@ -1,7 +1,6 @@
{ config, lib, pkgs, ... }:
with lib;
{
with lib; {
imports = [ ./common-ui.nix ];
networking.networkmanager.enable = mkForce false;


@ -47,13 +47,20 @@ in {
config = {
environment = {
systemPackages = with pkgs;
[ emacs-nox reboot-if-necessary test-config ];
systemPackages = with pkgs; [ emacs-nox reboot-if-necessary test-config ];
};
networking.networkmanager.enable = mkForce false;
services.xserver.enable = false;
services = {
nginx = {
recommendedProxySettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedTlsSettings = true;
};
xserver.enable = false;
};
sound.enable = false;
hardware.pulseaudio.enable = false;

config/service/chat.nix Normal file

@ -0,0 +1,149 @@
{ config, lib, pkgs, ... }@toplevel:
with lib;
let
cfg = config.fudo.services.chat;
hostname = config.instance.hostname;
domain-name = config.instance.local-domain;
domain = config.fudo.domains.${domain-name};
chat-server = domain.chat-server;
isChatServer = hostname == chat-server;
chat-fqdn = "${cfg.host-alias}.${domain-name}";
mail-server = "mail.${domain-name}";
host-ip = "192.168.19.1";
container-ip = "192.168.19.2";
host-secrets = config.fudo.secrets.host-secrets.${hostname};
seed = config.instance.build-seed;
mattermost-mail-passwd-file =
pkgs.lib.passwd.stablerandom-passwd-file "mattermost-email" seed;
in {
options.fudo.services.chat = with types; {
host-alias = mkOption {
type = str;
description = "CNAME to use for the chat server.";
default = "chat";
};
site-name = mkOption {
type = str;
description = "Name of the chat site.";
default = "Fudo Chat";
};
state-directory = mkOption {
type = str;
description =
"Path at which to store chat server state. Must be persistent.";
};
external-interface = mkOption {
type = str;
description = "Public-facing external interface, for outgoing traffic.";
};
};
config = mkIf (chat-server != null) {
networking.nat = mkIf isChatServer {
enable = true;
internalInterfaces = [ "ve-fudo-chat" ];
externalInterface = cfg.external-interface;
};
fudo = {
users.chat = {
uid = 20001;
primary-group = "fudo";
common-name = cfg.site-name;
ldap-hashed-passwd = pkgs.lib.passwd.hash-ldap-passwd "mattermost-chat"
mattermost-mail-passwd-file;
};
zones.${domain.zone}.aliases.chat =
pkgs.lib.network.host-fqdn config chat-server;
};
systemd.tmpfiles.rules = mkIf isChatServer [
"d ${cfg.state-directory}/mattermost 0700 - - - -"
"d ${cfg.state-directory}/postgresql 0700 - - - -"
];
services.nginx = mkIf isChatServer {
enable = true;
recommendedProxySettings = true;
virtualHosts."${chat-fqdn}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://${container-ip}:1234";
proxyWebsockets = true;
};
};
};
containers.fudo-chat = mkIf isChatServer {
ephemeral = true;
privateNetwork = true;
hostAddress = host-ip;
localAddress = container-ip;
autoStart = true;
bindMounts = {
"/var/lib/mattermost" = {
hostPath = "${cfg.state-directory}/mattermost";
isReadOnly = false;
};
"/var/lib/postgresql" = {
hostPath = "${cfg.state-directory}/postgresql";
isReadOnly = false;
};
};
config = { config, lib, ... }: {
networking = {
defaultGateway = host-ip;
firewall.enable = false;
};
systemd.tmpfiles.rules = [
"d /var/lib/mattermost 700 ${config.services.mattermost.user} - - -"
"d /var/lib/postgresql 700 ${config.systemd.services.postgresql.serviceConfig.User} - - -"
];
services = {
postgresql.dataDir = "/var/lib/postgresql";
mattermost = {
enable = true;
siteUrl = "https://${chat-fqdn}";
siteName = cfg.site-name;
statePath = "/var/lib/mattermost";
listenAddress = "${container-ip}:1234";
localDatabaseCreate = true;
extraConfig = {
EmailSettings = {
RequireEmailVerification = true;
SMTPServer = mail-server;
SMTPPort = "587";
ConnectionSecurity = "STARTTLS";
EnableSMTPAuth = true;
SMTPUsername = "chat";
# TODO: Ugh
SMTPPassword = readFile mattermost-mail-passwd-file;
SendEmailNotifications = true;
FeedbackEmail = "chat@${domain-name}";
FeedbackName = cfg.site-name;
};
EnableEmailNotifications = true;
};
};
};
};
};
};
}
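Review bot: `SMTPPassword = readFile mattermost-mail-passwd-file;` (the `TODO: Ugh` line) inlines the SMTP password into the evaluated `extraConfig`, and as far as I recall the 22.05 mattermost module renders that into a config file in the Nix store, which is world-readable on the host and inside the container; the same file also seeds the LDAP password of the `chat` user via `hash-ldap-passwd`, so one leak gives both mail and directory access. Keep the secret as a file instead: register it under `fudo.secrets.host-secrets.${hostname}` with a `/run/...` target the way wormhole0 does for mosquitto, bind-mount that directory read-only into the container, drop the `SMTPPassword` key, and set `systemd.services.mattermost.serviceConfig.EnvironmentFile = "/run/mattermost-secrets/smtp.env";` where the file holds `MM_EMAILSETTINGS_SMTPPASSWORD=…` (Mattermost honours `MM_*` environment overrides of config.json keys). Two smaller points: `networking.firewall.enable = false;` inside the container is broader than needed, since only `${container-ip}:1234` has to be reachable from `host-ip`, and the hard-coded `192.168.19.1`/`192.168.19.2` pair deserves a comment stating that it must not collide with any site network.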


@ -3,6 +3,7 @@
{
imports = [
./service/backplane.nix
./service/chat.nix
./service/chute.nix
./service/dns.nix
./service/fudo-auth.nix


@ -77,110 +77,97 @@ in {
};
};
systemd = {
# paths.host-keytab-modified = {
# wantedBy = [ "multi-user.target" ];
# pathConfig = {
# PathChanged = "/etc/krb5.keytab";
# Unit = "host-keytab-modified.service";
# };
# };
# services.host-keytab-modified = {
# description = "Operations to execute when keytab is changed.";
# script = "${pkgs.systemd}/bin/systemctl restart rpc-gssd.service";
# };
services = {
# host-keytab-watcher = {
# wantedBy = [ "rpc-gssd.service" "rpc-svcgssd.service" ];
# before = [ "rpc-gssd.service" "rpc-svcgssd.service" ];
# serviceConfig = {
# ExecStart = "${pkgs.coreutils}/bin/sleep 500";
# TimeoutStartSec = "3600";
# RemainAfterExit = true;
# };
# };
rpc-gssd = {
systemd.services = {
host-keytab-watcher = {
wantedBy = [
"rpc-gssd-override.service"
"rpc-svcgssd-override.service"
"auth-rpcgss-module.service"
];
before = [
"rpc-gssd-override.service"
"rpc-svcgssd-override.service"
"auth-rpcgss-module.service"
];
after = [ config.fudo.secrets.secret-target ];
unitConfig = { ConditionPathExists = mkForce [ ]; };
};
rpc-svcgssd = {
after = [ config.fudo.secrets.secret-target ];
unitConfig = { ConditionPathExists = mkForce [ ]; };
};
serviceConfig = {
ExecStartPre = "${pkgs.coreutils}/bin/test -f /etc/krb5.keytab";
ExecStart = "${pkgs.coreutils}/bin/true";
TimeoutStartSec = "360";
RemainAfterExit = true;
Restart = "on-failure";
RestartSec = "2";
};
};
# systemd = {
# ## This fails if the filesystems already exist
# # tmpfiles.rules = [
# # "d /net/documents - root sea-documents - -"
# # "d /net/downloads - root sea-downloads - -"
# # "d /net/projects - root sea-projects - -"
# # ];
auth-rpcgss-module.enable = false;
rpc-gssd.enable = false;
rpc-svcgssd.enable = false;
# mounts = let
# mkOpts =
# concatStringsSep ",";
# in [
# {
# enable = true;
# what = "nostromo.${local-domain}:/export/documents";
# where = "/net/documents";
# type = "nfs";
# options = mkOpts [
# "vers=4"
# "minorversion=2"
# "sec=krb5p"
# "x-systemd.automount"
# "proto=tcp"
# ];
# description = "sea-store documents on encrypted filesysem.";
# }
# {
# enable = true;
# what = "nostromo.${local-domain}:/export/downloads";
# where = "/net/downloads";
# type = "nfs";
# options = mkOpts [
# "vers=4"
# "minorversion=2"
# "sec=krb5i"
# "x-systemd.automount"
# "proto=tcp"
# ];
# description = "sea-store downloads on encrypted filesysem.";
# }
# {
# enable = true;
# what = "nostromo.${local-domain}:/export/projects";
# where = "/net/projects";
# type = "nfs";
# options = mkOpts [
# "vers=4"
# "minorversion=2"
# "sec=krb5p"
# "x-systemd.automount"
# "proto=tcp"
# ];
# description = "sea-store projects on encrypted filesysem.";
# }
# ];
# };
auth-rpcgss-module-override = {
description = "Kernel Module supporting RPCSEC_GSS";
before = [
"gssproxy.service"
"rpc-svcgssd-override.service"
"rpc-gssd-override.service"
];
wantedBy = [ "nfs-client.target" "nfs-server.target" ];
wants = [
"gssproxy.service"
"rpc-svcgssd-override.service"
"rpc-gssd-override.service"
"host-keytab-watcher.service"
];
after = [ "host-keytab-watcher.service" ];
partOf = [ "nfs-utils.service" "nfs-server.service" ];
unitConfig = {
DefaultDependencies = false;
ConditionPathExists =
[ "|!/run/gssproxy.pid" "|!/proc/net/rpc/use-gss-proxy" ];
};
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.kmod}/bin/modprobe -q auth_rpcgss";
RemainAfterExit = true;
};
};
rpc-gssd-override = {
description = "RPC security service for NFS client and server";
wantedBy = [ "auth-rpcgss-module.service" ];
conflicts = [ "umount.target" ];
after = [ "host-keytab-watcher.service" "rpc_pipefs.target" ];
wants = [ "host-keytab-watcher.service" ];
requires = [ "rpc_pipefs.target" ];
partOf = [ "nfs-utils.service" ];
unitConfig.DefaultDependencies = false;
serviceConfig = {
Type = "forking";
ExecStart = "${pkgs.nfs-utils}/bin/rpc.gssd";
};
};
rpc-svcgssd-override = {
description = "RPC security service for NFS server";
wantedBy = [ "auth-rpcgss-module.service" ];
after =
[ "host-keytab-watcher.service" "local-fs.target" "gssproxy.service" ];
wants = [ "host-keytab-watcher.service" ];
partOf = [ "nfs-utils.service" "nfs-server.service" ];
unitConfig = {
DefaultDependencies = false;
ConditionPathExists =
[ "|!/run/gssproxy.pid" "|!/proc/net/rpc/use-gss-proxy" ];
};
serviceConfig = {
Type = "forking";
ExecStart = "${pkgs.nfs-utils}/bin/rpc.svcgssd";
};
};
};
services.printing = {
enable = true;
drivers = [
# pkgs.brlaser
# pkgs.brgenml1lpr
pkgs.brgenml1cupswrapper
# pkgs.hll2380dw-cups
# pkgs.hll2380dw-lpr
];
drivers = [ pkgs.brgenml1cupswrapper ];
};
# environment.systemPackages = with pkgs; [ hll2380dw-cups ];
}
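Review bot: `rpc-gssd-override` and `rpc-svcgssd-override` both declare `wantedBy = [ "auth-rpcgss-module.service" ];`, and `host-keytab-watcher` lists the same unit in its `wantedBy`, but that unit is switched off in this hunk with `auth-rpcgss-module.enable = false;`, so as far as I can tell those WantedBy edges point at a unit that is never generated and the daemons only start because `auth-rpcgss-module-override` happens to `wants` them. Those references should read `"auth-rpcgss-module-override.service"` (the `before` lists already use the `-override` names, so this looks like a copy slip). Separately, `host-keytab-watcher` appears to be a poll loop rather than a watcher — `ExecStartPre = test -f /etc/krb5.keytab` with `Restart = "on-failure"` and `RestartSec = "2"` — and a one-line comment such as `# Blocks gssd until the secrets target has delivered /etc/krb5.keytab; retried every 2s.` would spare the next reader from looking for an inotify that is not there.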


@ -470,12 +470,12 @@
};
# Used to send messages from the chat server
chat = {
uid = 10111;
primary-group = "fudo";
common-name = "Fudo Chat";
ldap-hashed-passwd = "{SSHA}XDYAM2JE4PXssywRzO4tVSbn5lUZOgg7";
};
# chat = {
# uid = 10111;
# primary-group = "fudo";
# common-name = "Fudo Chat";
# ldap-hashed-passwd = "{SSHA}XDYAM2JE4PXssywRzO4tVSbn5lUZOgg7";
# };
kevinyinjunjie = {
uid = 10112;
@ -507,5 +507,15 @@
"$6$a1q2Duoe35hd5$IaZGXPfqyGv9uq5DQm7DZq0vIHsUs39sLktBiBBqMiwl/f/Z4jSvNZLJp9DZJYe5u2qGBYh1ca.jsXvQA8FPZ/";
email = "viator@informis.land";
};
jasper = {
uid = 10116;
primary-group = "selby";
common-name = "Jasper";
login-hashed-passwd =
"$6$ggREeoA2HUmXDDbh$zPEyroAAiSPKseTb.qt4ByLaYBhV08x0hqOz4dnt4wEqcaWtOpBt3UoTpHxyDc2/inMzkRggBwfr.Zm0vI7mp1";
ldap-hashed-passwd = "{SSHA}5OCmPaKrkEG3Q4DOWibsPweuBShsMAz2";
email = "jasper@selby.ca";
};
};
}
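Review bot: The new `jasper` entry commits two password hashes to the repository, and the `{SSHA}` LDAP hash is single-round salted SHA-1, which an offline attacker holding this file can brute-force at GPU speed; the `$6$` crypt hash is stronger but carries no `rounds=` parameter, so it uses the 5000-round default. Because flake.nix copies this tree into `/etc/nixos-live` on every host (`environment.etc.nixos-live.source = ./.`), every host ends up holding every user's hashes; prefer keeping them in the `fudo-secrets` input like the other credentials in this commit, and for LDAP use a stronger scheme if the directory supports it (e.g. `{ARGON2}`, or `{CRYPT}` with sha512crypt and explicit rounds). Also, the superseded `chat` block is commented out rather than deleted, leaving its old `{SSHA}` hash in the tree; remove it, since that account is now defined in `config/service/chat.nix`.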


@ -7,9 +7,8 @@ let
in {
imports = [
(initialize {
hostname = local.hostname;
inherit (local) pkgs hostname;
home-manager-package = <home-manager>;
pkgs = pkgs;
include-secrets = false;
})
];


@ -162,11 +162,11 @@
"rotate-text": "rotate-text"
},
"locked": {
"lastModified": 1645751511,
"narHash": "sha256-i3cMaHdaxwfeJEKVgk3Sxx/IRfjwNcThaCMcq4uv9jg=",
"lastModified": 1649509049,
"narHash": "sha256-gLmRO2gPqjLPmFBhgFkl1nbBzJlNV0lmXMzapbw9qac=",
"owner": "nix-community",
"repo": "nix-doom-emacs",
"rev": "ef434602f6f2a8b469d1b01f9edff4f5b6d7f555",
"rev": "f3f40f333c3214c9614c23b6abd1ae498af3e5b5",
"type": "github"
},
"original": {
@ -195,11 +195,11 @@
"doom-snippets": {
"flake": false,
"locked": {
"lastModified": 1645652740,
"narHash": "sha256-ci5QsTkzmfSd7Pfoe+RActuSOmMY2TvJL7f2giCwNEI=",
"lastModified": 1646222996,
"narHash": "sha256-YhOnoNSpmcKNJg+aS/829zqXStMkKWXWf1pulHEBcpQ=",
"owner": "hlissner",
"repo": "doom-snippets",
"rev": "02aca23fef94fc7a58836fd1812d62e731249fa3",
"rev": "f61c23ece1ad47c0522059ac45085fd283ce4452",
"type": "github"
},
"original": {
@ -211,11 +211,11 @@
"emacs-overlay": {
"flake": false,
"locked": {
"lastModified": 1645953123,
"narHash": "sha256-Be06ikbfQTuRwsU6nxNbMSvSUOzmGzDOLBKXFMekrcA=",
"lastModified": 1649586061,
"narHash": "sha256-gFAHrrY0i71WIP16FGo3pgNKTZ5m5L6FtQsOYpne9gk=",
"owner": "nix-community",
"repo": "emacs-overlay",
"rev": "058e38892484c1ab517c890b0aaee5d53565a494",
"rev": "16262a84ef07fb0e8cfc592b65d786b086840065",
"type": "github"
},
"original": {
@ -388,11 +388,11 @@
]
},
"locked": {
"lastModified": 1649111994,
"narHash": "sha256-KVRN3pahTca8gCcppDgr+hY+6xeCL0nQUpLT/l2uGS8=",
"lastModified": 1653253887,
"narHash": "sha256-Z88Ck6nCW+zOfsxtHa+7hB2uPPuHotAkpRZqE2KoyF8=",
"ref": "master",
"rev": "1e478f59eaadd1b3e857045ad812b45c9bad238f",
"revCount": 89,
"rev": "52b7da1ceccb919787685875a21a1d2356c6cc1f",
"revCount": 93,
"type": "git",
"url": "https://git.fudo.org/fudo-nix/entities.git"
},
@ -413,11 +413,11 @@
]
},
"locked": {
"lastModified": 1649445221,
"narHash": "sha256-g2QZSTNDv42oxFI1+zt/rGIvPHM52RZ8olPFru/7Mnc=",
"lastModified": 1654020774,
"narHash": "sha256-iOdg/2Jl3Mh1UiJF8vLvW5KnJ5osGJIukmL/7F6RQ3k=",
"ref": "master",
"rev": "8d94134bff85ed39d371b7dd895a9265c5b161b2",
"revCount": 138,
"rev": "b9db0696c37275021c3fcbf810cd42522ebc405b",
"revCount": 160,
"type": "git",
"url": "https://git.fudo.org/fudo-nix/home.git"
},
@ -443,7 +443,7 @@
},
"fudo-lib_2": {
"locked": {
"narHash": "sha256-fBiGlPgqsl5t08IlV1sehtAaOAI2eJqCXKQgdnwMzy0=",
"narHash": "sha256-IZsP2NrqUbz0p3KeTnT7U8RjvSkHODmJTePBSGNmlxw=",
"path": "/state/fudo-lib",
"type": "path"
},
@ -454,11 +454,11 @@
},
"fudo-pkgs": {
"locked": {
"lastModified": 1643841844,
"narHash": "sha256-rmTIL94RQQaFhMHCopmeFUVAoP71nSA6sB46riDq2Ik=",
"lastModified": 1648662131,
"narHash": "sha256-wOJyR8xFQQhZ7gjK+sj3rJND8ORIHPuINNfQsdjM0BE=",
"ref": "master",
"rev": "7e02ad0e7d9ac42605ed318e9d76364ec1d339ec",
"revCount": 41,
"rev": "c5180cbacd66673a3e8fcd0ce2c4abff119bbe93",
"revCount": 54,
"type": "git",
"url": "https://git.fudo.org/fudo-nix/pkgs.git"
},
@ -497,7 +497,7 @@
"ssh-keypairs": "ssh-keypairs"
},
"locked": {
"narHash": "sha256-sDzbS0AnaNCrdiYR3oEsFljzxw128JsVx4exBNAjZo0=",
"narHash": "sha256-N3N5RSPFSF/+tA3uqnBkhiiSNzBqsWsUBLXAqG1YS7c=",
"path": "/state/secrets",
"type": "path"
},
@ -556,11 +556,11 @@
]
},
"locked": {
"lastModified": 1643933536,
"narHash": "sha256-yRmsWAG4DnLxLIUtlaZsl0kH7rN5xSoyNRlf0YZrcH4=",
"lastModified": 1648834319,
"narHash": "sha256-i5Aj4Aw64D/A0X6XW5LxSS4XBnYj7gMz+kN4dpsbdk8=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "2860d7e3bb350f18f7477858f3513f9798896831",
"rev": "0bdbdea2e26c984b096f4f7d10e3c88536a980b0",
"type": "github"
},
"original": {
@ -585,11 +585,11 @@
"niten-doom-config": {
"flake": false,
"locked": {
"lastModified": 1640017877,
"narHash": "sha256-9twZfDxSjX87NHzuEQXkm1Q037YS98jPQv3Hw4Uktiw=",
"lastModified": 1649611838,
"narHash": "sha256-O8+LwXi52WZHQrZRfjW+QwI99ppBiBpYQcWYNgqY+iU=",
"ref": "master",
"rev": "3d990cdf82fc7d5a6c8fd033e8bcf460fb27df1b",
"revCount": 37,
"rev": "c45feb7fd8acb0730dfc76ddd993773da5411b82",
"revCount": 38,
"type": "git",
"url": "https://git.fudo.org/niten/doom-emacs.git"
},
@ -631,11 +631,11 @@
},
"nixpkgsUnstable": {
"locked": {
"lastModified": 1649225869,
"narHash": "sha256-u1zLtPmQzhT9mNXyM8Ey9pk7orDrIKdwooeGDEXm5xM=",
"lastModified": 1653931853,
"narHash": "sha256-O3wncIouj9x7gBPntzHeK/Hkmm9M1SGlYq7JI7saTAE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "b6966d911da89e5a7301aaef8b4f0a44c77e103c",
"rev": "f1c167688a6f81f4a51ab542e5f476c8c595e457",
"type": "github"
},
"original": {
@ -739,11 +739,11 @@
"org": {
"flake": false,
"locked": {
"lastModified": 1645557265,
"narHash": "sha256-vBOWOOfdUbvpTkqs2Lx+OCPfUdZdzAOdGxzHBSAslmo=",
"lastModified": 1646280299,
"narHash": "sha256-ZNkOfB8o2OHTh2t/ci8uv8aoV3I5IfAgIIOP3azD6eU=",
"owner": "emacs-straight",
"repo": "org-mode",
"rev": "282a01f22159b4855071ffd54a9ae6ce681c3690",
"rev": "91681fc03334285dc0879fcb9a27583bd7ab9782",
"type": "github"
},
"original": {
@ -815,11 +815,11 @@
"revealjs": {
"flake": false,
"locked": {
"lastModified": 1645450091,
"narHash": "sha256-3fM1hKCbuIy8HzBv9JjjZW/RwE1CKeq++delBhbSvys=",
"lastModified": 1646820626,
"narHash": "sha256-J3bcoO/42FcPIqCU7ORiV7dcvJDKtEHG8N7/stEQqDg=",
"owner": "hakimel",
"repo": "reveal.js",
"rev": "5e12c6aeb7a37acca7ca22c0bd29548f9ff282ea",
"rev": "37861335a225a3cc9f67e98977aceda3c2a9eca9",
"type": "github"
},
"original": {
@ -872,7 +872,7 @@
"service-passwords": {
"flake": false,
"locked": {
"narHash": "sha256-4xEJlPU+KeBtQuFqRlB1bzJMXUQ6a+DT2v3OptaHyTg=",
"narHash": "sha256-vnxG3as7SVq0yIXKsf3qHM58Sv6Dcm7NPg+kLg4QtNs=",
"path": "/state/secrets/service-passwords",
"type": "path"
},
@ -896,7 +896,7 @@
"ssh-keypairs": {
"flake": false,
"locked": {
"narHash": "sha256-TlRfaYFuJxLUCarxZ1XYnW8PruKyYO5RErVGo5hTgo4=",
"narHash": "sha256-pla2J8HmPHBVDp/2m/22lctwd6VvmJ2cik5n68jf3VY=",
"path": "/state/secrets/ssh-keypairs",
"type": "path"
},

flake.nix

@ -2,7 +2,7 @@
description = "Fudo Host Configuration";
inputs = {
nixpkgs.url = "nixpkgs/nixos-21.05";
nixpkgs.url = "nixpkgs/nixos-22.05";
fudo-home = {
url = "git+https://git.fudo.org/fudo-nix/home.git";
@ -30,46 +30,37 @@
chuteUnstable.url = "git+https://git.fudo.org/chute/chute.git?ref=master";
nixpkgsUnstable.url = "nixpkgs/nixos-unstable";
# zigbee2mqtt-converters.url = "path:/net/projects/niten/zigbee2mqtt-converters";
};
outputs = { self,
nixpkgs,
fudo-home,
fudo-lib,
fudo-entities,
fudo-pkgs,
fudo-secrets,
chute,
chuteUnstable,
nixpkgsUnstable,
... } @ inputs:
outputs = { self, nixpkgs, fudo-home, fudo-lib, fudo-entities, fudo-pkgs
, fudo-secrets, chute, chuteUnstable, nixpkgsUnstable,
# zigbee2mqtt-converters,
... }@inputs:
with nixpkgs.lib;
let
fudo-nixos-hosts = filterAttrs
(hostname: hostOpts: hostOpts.nixos-system)
(fudo-entities.entities.hosts);
fudo-nixos-hosts = filterAttrs (hostname: hostOpts: hostOpts.nixos-system)
fudo-entities.entities.hosts;
fudo-networks = fudo-entities.entities.networks;
unstable-for = arch: import nixpkgsUnstable {
unstable-for = arch:
import nixpkgsUnstable {
system = arch;
config = {
allowUnfree = true;
permittedInsecurePackages = [
"openssh-with-gssapi-8.4p1"
];
permittedInsecurePackages = [ "openssh-with-gssapi-8.4p1" ];
};
};
pkgs-for = arch: let
unstable = unstable-for arch;
pkgs-for = arch:
let unstable = unstable-for arch;
in import nixpkgs {
system = arch;
config = {
allowUnfree = true;
permittedInsecurePackages = [
"openssh-with-gssapi-8.4p1"
];
permittedInsecurePackages = [ "openssh-with-gssapi-8.4p1" ];
};
overlays = [
fudo-lib.overlay
@ -78,25 +69,22 @@
chute = chute.packages.${arch}.chute;
chuteUnstable = chuteUnstable.packages.${arch}.chute;
})
(final: prev: {
nyxt = unstable.nyxt;
})
(final: prev: { pkgsUnstable = unstable; })
(final: prev: { nyxt = unstable.nyxt; })
];
};
latest-modified-timestamp = head
(sort (a: b: a > b)
latest-modified-timestamp = head (sort (a: b: a > b)
(map (input: toInt input.lastModifiedDate)
(filter (input: hasAttr "lastModifiedDate" input)
(attrValues inputs))));
concat-timestamp = timestamp:
toInt (substring 0 10 (toString timestamp));
concat-timestamp = timestamp: toInt (substring 0 10 (toString timestamp));
common-host-config = hostname: hostOpts: let
common-host-config = hostname: hostOpts:
let
config-dir = ./config;
build-timestamp =
concat-timestamp latest-modified-timestamp;
build-timestamp = concat-timestamp latest-modified-timestamp;
in { config, ... }: {
imports = [
fudo-home.nixosModule
@ -104,23 +92,22 @@
fudo-lib.nixosModule
fudo-entities.nixosModule
# zigbee2mqtt-converters.nixosModule
./config
(config-dir + /hardware/${hostname}.nix)
(config-dir + /host-config/${hostname}.nix)
(config-dir + /profile-config/${hostOpts.profile}.nix)
(config-dir + /domain-config/${hostOpts.domain}.nix)
(config-dir + /site-config/${hostOpts.site}.nix)
(config-dir + "/hardware/${hostname}.nix")
(config-dir + "/host-config/${hostname}.nix")
(config-dir + "/profile-config/${hostOpts.profile}.nix")
(config-dir + "/domain-config/${hostOpts.domain}.nix")
(config-dir + "/site-config/${hostOpts.site}.nix")
];
config = let
pkgs = pkgs-for hostOpts.arch;
config = let pkgs = pkgs-for hostOpts.arch;
in {
instance = let
build-seed = builtins.readFile
config.fudo.secrets.files.build-seed;
in {
inherit hostname build-timestamp build-seed;
};
build-seed =
builtins.readFile config.fudo.secrets.files.build-seed;
in { inherit hostname build-timestamp build-seed; };
environment.etc.nixos-live.source = ./.;
@ -132,33 +119,28 @@
fudo-lib.flake = fudo-lib;
fudo-pkgs.flake = fudo-pkgs;
};
nixPath = let
lib = nixpkgs.lib;
in lib.mkDefault (lib.mkBefore [
"nixpkgs=${nixpkgs}"
]);
nixPath = let lib = nixpkgs.lib;
in lib.mkDefault (lib.mkBefore [ "nixpkgs=${nixpkgs}" ]);
};
nixpkgs.pkgs = pkgs;
};
};
nixos-host-config = hostname: hostOpts: let
system = hostOpts.arch;
nixos-host-config = hostname: hostOpts:
let system = hostOpts.arch;
in nixosSystem {
inherit system;
modules = [
(common-host-config hostname hostOpts)
];
modules = [ (common-host-config hostname hostOpts) ];
};
nixops-host-config = hostname: hostOpts: let
zone-hosts = fudo-entities.entities.zones.${hostOpts.domain}.hosts;
nixops-host-config = hostname: hostOpts:
let zone-hosts = fudo-entities.entities.zones.${hostOpts.domain}.hosts;
in {
imports = [
(common-host-config hostname hostOpts)
({ ... }: {
(_: {
config.deployment.targetHost =
zone-hosts.${hostname}.ipv4-address;
})