
agenix support

This commit is contained in:
Malte 2023-01-31 22:37:18 +01:00
parent 106f2a204d
commit 55a541d555
11 changed files with 91 additions and 45 deletions


@ -1,5 +1,48 @@
{ {
"nodes": { "nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1675176355,
"narHash": "sha256-Qjxh5cmN56siY97mzmBLI1+cdjXSPqmfPVsKxBvHmwI=",
"owner": "ryantm",
"repo": "agenix",
"rev": "b7ffcfe77f817d9ee992640ba1f270718d197f28",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1673295039,
"narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -129,6 +172,7 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix",
"flake-parts": "flake-parts", "flake-parts": "flake-parts",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"pre-commit-hooks-nix": "pre-commit-hooks-nix" "pre-commit-hooks-nix": "pre-commit-hooks-nix"


@ -5,13 +5,15 @@
}; };
inputs = { inputs = {
agenix = {
url = "github:ryantm/agenix";
inputs.nixpkgs.follows = "nixpkgs";
};
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs"; flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
pre-commit-hooks-nix = { pre-commit-hooks-nix = {
url = "github:cachix/pre-commit-hooks.nix"; url = "github:cachix/pre-commit-hooks.nix";
inputs = { inputs.nixpkgs.follows = "nixpkgs";
nixpkgs.follows = "nixpkgs";
};
}; };
}; };
@ -27,18 +29,28 @@
systems = ["x86_64-linux"]; systems = ["x86_64-linux"];
perSystem = { perSystem = {
self', self',
inputs',
pkgs, pkgs,
config, config,
lib, lib,
... ...
}: let }: let
packages = import ./packages {inherit pkgs;}; inherit (import ./packages {inherit pkgs;}) haskellPackagesOverlay selectHaskellPackages;
in { hpkgs = pkgs.haskellPackages.override {
devShells.default = packages.shell { overrides = haskellPackagesOverlay;
shellHook = config.pre-commit.installationScript;
}; };
inherit (packages) packages; in {
legacyPackages = {inherit (packages) haskellPackagesOverlay;}; devShells.default = hpkgs.shellFor {
packages = hpkgs: (builtins.attrValues (selectHaskellPackages hpkgs));
shellHook = config.pre-commit.installationScript;
buildInputs = [
hpkgs.haskell-language-server
pkgs.cabal-install
inputs'.agenix.packages.default
];
};
packages = selectHaskellPackages hpkgs;
legacyPackages = {inherit haskellPackagesOverlay;};
pre-commit = { pre-commit = {
check.enable = true; check.enable = true;
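Review bot: The `packages = hpkgs: …` lambda inside the new `hpkgs.shellFor` call reuses the name `hpkgs` for its parameter, shadowing the `hpkgs` bound in the enclosing `let` a few lines above, so a reader cannot tell at a glance which package set `selectHaskellPackages` is being applied to; `packages = ps: builtins.attrValues (selectHaskellPackages ps);` makes the distinction explicit. The same collision existed in the removed `shell` helper of the packages module, so this is a carried-over style point rather than a regression. The `perSystem` attribute set continues past the end of the hunk.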


@ -41,19 +41,11 @@ in {
hostName = "apollo"; hostName = "apollo";
domain = "m-0.eu"; domain = "m-0.eu";
networkmanager.enable = true; networkmanager.enable = true;
firewall = {
allowedTCPPorts = [
4713 # pulseaudio
];
allowedUDPPorts = [
4713 # pulseaudio
];
};
wireguard.interfaces = { wireguard.interfaces = {
m0wire = { m0wire = {
allowedIPsAsRoutes = false; allowedIPsAsRoutes = false;
ips = ["${hosts.apollo-wg}/112" "${hosts.vpn.apollo}/64"]; ips = ["${hosts.apollo-wg}/112" "${hosts.vpn.apollo}/64"];
privateKeyFile = pkgs.privatePath "wireguard/apollo-private"; privateKeyFile = config.age.secrets."wireguard/apollo-private".path;
peers = [ peers = [
{ {
publicKey = wireguard.pub.hera; publicKey = wireguard.pub.hera;
@ -61,7 +53,7 @@ in {
# endpoint = # endpoint =
# "[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}"; # "[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}";
endpoint = "[${hosts.hera-v4}]:${builtins.toString wireguard.port}"; endpoint = "[${hosts.hera-v4}]:${builtins.toString wireguard.port}";
presharedKeyFile = pkgs.privatePath "wireguard/psk"; presharedKeyFile = config.age.secrets."wireguard/psk".path;
persistentKeepalive = 25; persistentKeepalive = 25;
} }
]; ];
@ -96,8 +88,8 @@ in {
group = "users"; group = "users";
user = "maralorn"; user = "maralorn";
openDefaultPorts = true; openDefaultPorts = true;
cert = pkgs.privatePath "syncthing/apollo/cert.pem"; cert = config.age.secrets."syncthing/apollo/cert.pem".path;
key = pkgs.privatePath "syncthing/apollo/key.pem"; key = config.age.secrets."syncthing/apollo/key.pem".path;
} }
// syncthing.declarativeWith ["hera" "zeus" "pegasus"] "/home/maralorn/media"; // syncthing.declarativeWith ["hera" "zeus" "pegasus"] "/home/maralorn/media";
}; };
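Review bot: The syncthing `cert` and `key` now point at `config.age.secrets."syncthing/apollo/cert.pem".path` and `…/key.pem".path`, but the service is configured with `user = "maralorn"` two lines above, and agenix places decrypted secrets as root-owned, mode 0400, unless the secret declaration sets `owner`/`mode`. Those declarations come from `../../private/secret-config.nix` (imported in a later section of this commit), which is not on this page, so confirm they set `owner = "maralorn"` (the syncthing user) with a non-world-readable mode rather than relaxing to 0444 — otherwise syncthing cannot read its TLS key or, worse, every local user can. The WireGuard `privateKeyFile`/`presharedKeyFile` changes in this hunk and in the later host sections should be fine with the root-only default, assuming the interface is brought up as root. The enclosing `networking` set starts before and ends after this hunk.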


@ -121,7 +121,7 @@ in {
publicKey = wireguard.pub.hera; publicKey = wireguard.pub.hera;
allowedIPs = ["${hosts.vpn.prefix}::/64"]; allowedIPs = ["${hosts.vpn.prefix}::/64"];
endpoint = "[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}"; endpoint = "[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}";
presharedKeyFile = pkgs.privatePath "wireguard/psk"; presharedKeyFile = config.age.secrets."wireguard/psk".path;
persistentKeepalive = 25; persistentKeepalive = 25;
} }
]; ];


@ -62,28 +62,28 @@ in {
wireguard.interfaces = { wireguard.interfaces = {
m0wire = { m0wire = {
ips = ["${hosts.hera-wg}/112" "${hosts.vpn.hera}/64"]; ips = ["${hosts.hera-wg}/112" "${hosts.vpn.hera}/64"];
privateKeyFile = pkgs.privatePath "wireguard/hera-private"; privateKeyFile = config.age.secrets."wireguard/hera-private".path;
listenPort = wireguard.port; listenPort = wireguard.port;
peers = [ peers = [
{ {
publicKey = wireguard.pub.zeus; publicKey = wireguard.pub.zeus;
allowedIPs = ["${hosts.zeus-wg}/128" "${hosts.vpn.zeus}/128"]; allowedIPs = ["${hosts.zeus-wg}/128" "${hosts.vpn.zeus}/128"];
presharedKeyFile = pkgs.privatePath "wireguard/psk"; presharedKeyFile = config.age.secrets."wireguard/psk".path;
} }
{ {
publicKey = wireguard.pub.apollo; publicKey = wireguard.pub.apollo;
allowedIPs = ["${hosts.apollo-wg}/128" "${hosts.vpn.apollo}/128"]; allowedIPs = ["${hosts.apollo-wg}/128" "${hosts.vpn.apollo}/128"];
presharedKeyFile = pkgs.privatePath "wireguard/psk"; presharedKeyFile = config.age.secrets."wireguard/psk".path;
} }
{ {
publicKey = wireguard.pub.fluffy; publicKey = wireguard.pub.fluffy;
allowedIPs = ["${hosts.vpn.fluffy}/128"]; allowedIPs = ["${hosts.vpn.fluffy}/128"];
presharedKeyFile = pkgs.privatePath "wireguard/psk"; presharedKeyFile = config.age.secrets."wireguard/psk".path;
} }
{ {
publicKey = wireguard.pub.pegasus; publicKey = wireguard.pub.pegasus;
allowedIPs = ["${hosts.vpn.pegasus}/128"]; allowedIPs = ["${hosts.vpn.pegasus}/128"];
presharedKeyFile = pkgs.privatePath "wireguard/psk"; presharedKeyFile = config.age.secrets."wireguard/psk".path;
} }
]; ];
}; };


@ -137,7 +137,7 @@ in {
publicKey = wireguard.pub.hera; publicKey = wireguard.pub.hera;
allowedIPs = ["::/0"]; allowedIPs = ["::/0"];
endpoint = "[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}"; endpoint = "[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}";
presharedKeyFile = pkgs.privatePath "wireguard/psk"; presharedKeyFile = config.age.secrets."wireguard/psk".path;
persistentKeepalive = 25; persistentKeepalive = 25;
} }
]; ];


@ -4,8 +4,8 @@
lib, lib,
... ...
}: let }: let
passwordFile = pkgs.privatePath "pam-login-password";
openssh.authorizedKeys.keys = pkgs.privateValue [] "ssh-keys"; openssh.authorizedKeys.keys = pkgs.privateValue [] "ssh-keys";
passwordFile = config.age.secrets.pam-login-password.path;
in { in {
users.users = { users.users = {
maralorn = { maralorn = {
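Review bot: `passwordFile` now comes from agenix while `openssh.authorizedKeys.keys` on the line above still reads `pkgs.privateValue [] "ssh-keys"`, leaving two secret-delivery mechanisms side by side in one `let`; since public keys are not confidential the split is defensible, but a comment stating that, e.g. `# authorized keys are public, so they stay in the private value tree; only the password hash is an agenix secret`, would keep a later migration from moving them by mistake. It is also worth confirming that the agenix secret is decrypted before the `users` activation step reads `passwordFile` — the agenix NixOS module is supposed to order itself before user creation, but that cannot be verified from this page. The `users.users` attribute set continues past the hunk.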


@ -19,6 +19,7 @@ in {
]; ];
imports = [ imports = [
(builtins.getFlake "github:ryantm/agenix").nixosModules.default
(networkingModule "firewall-iptables") (networkingModule "firewall-iptables")
(networkingModule "firewall-nftables") (networkingModule "firewall-nftables")
(networkingModule "firewall") (networkingModule "firewall")
@ -30,6 +31,11 @@ in {
./admin.nix ./admin.nix
]; ];
age.secrets = (import ../../private/secret-config.nix).module-config {
inherit (config.networking) hostName;
inherit lib;
};
i18n = { i18n = {
defaultLocale = "en_DK.UTF-8"; defaultLocale = "en_DK.UTF-8";
supportedLocales = ["en_DK.UTF-8/UTF-8" "de_DE.UTF-8/UTF-8" "en_US.UTF-8/UTF-8"]; supportedLocales = ["en_DK.UTF-8/UTF-8" "de_DE.UTF-8/UTF-8" "en_US.UTF-8/UTF-8"];
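Review bot: `(builtins.getFlake "github:ryantm/agenix").nixosModules.default` in the first hunk fetches the agenix module from GitHub at evaluation time with no revision, so the module code is whatever the default branch holds when the host is rebuilt, while the flake.lock section of this same commit pins agenix to rev `b7ffcfe77f817d9ee992640ba1f270718d197f28`; the two can silently diverge, the lock gives no protection to this import, and evaluation becomes impure and network-dependent. Prefer handing the locked input into the module set, e.g. `inputs.agenix.nixosModules.default` passed through `specialArgs`, or at minimum pin the reference to the locked revision, `(builtins.getFlake "github:ryantm/agenix/b7ffcfe77f817d9ee992640ba1f270718d197f28").nixosModules.default`. In the second hunk, `age.secrets = (import ../../private/secret-config.nix).module-config { … }` depends on the private submodule bumped in the last section; a one-line comment saying what `module-config` is expected to return (an `age.secrets` attribute set, with `owner`/`mode` set per secret where a non-root service reads it) would document the contract between the two repositories. The `imports` list begins before the first hunk.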


@ -1 +1,6 @@
_: prev: (import ../packages {pkgs = prev.unstable;}).packages _: prev: let
inherit (import ../packages {pkgs = prev;}) haskellPackagesOverlay selectHaskellPackages;
in
selectHaskellPackages (prev.unstable.haskellPackages.override {
overrides = haskellPackagesOverlay;
})
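Review bot: The overlay now imports `../packages` with `pkgs = prev;` but applies `haskellPackagesOverlay` to `prev.unstable.haskellPackages`, whereas the removed line evaluated everything against `prev.unstable`; if the packages module derives any helper from `pkgs` (the `lib.mapAttrs` in `selectHaskellPackages`, or `cleanCabalPackage`, whose definition is outside the visible hunks), those helpers now come from the stable set while the package set being overridden is the unstable one. That is probably harmless for `lib` but may not be for Haskell-specific helpers; either restore the previous pairing with `inherit (import ../packages {pkgs = prev.unstable;}) haskellPackagesOverlay selectHaskellPackages;` or add a comment stating why the split is intentional.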


@ -35,9 +35,6 @@
prev.matrix-client; prev.matrix-client;
aeson-schemas = unmarkBroken (dontCheck prev.aeson-schemas); aeson-schemas = unmarkBroken (dontCheck prev.aeson-schemas);
}; };
hpkgs = pkgs.haskellPackages.override {
overrides = haskellPackagesOverlay;
};
selectHaskellPackages = attrs: lib.mapAttrs (name: _: attrs.${name}) myHaskellPackages; selectHaskellPackages = attrs: lib.mapAttrs (name: _: attrs.${name}) myHaskellPackages;
myHaskellPackages = { myHaskellPackages = {
wizards-dialog = cleanCabalPackage { wizards-dialog = cleanCabalPackage {
@ -62,15 +59,5 @@
}; };
}; };
in { in {
packages = selectHaskellPackages hpkgs; inherit selectHaskellPackages haskellPackagesOverlay;
inherit haskellPackagesOverlay;
shell = args:
hpkgs.shellFor ({
packages = hpkgs: (builtins.attrValues (selectHaskellPackages hpkgs));
buildInputs = [
hpkgs.haskell-language-server
pkgs.cabal-install
];
}
// args);
} }
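Review bot: The module's result set shrinks to `inherit selectHaskellPackages haskellPackagesOverlay;`, dropping the `packages` and `shell` attributes that the flake and the overlay previously consumed; both callers are updated in this commit, but nothing in the file states the new contract. A header comment such as `# Exports: haskellPackagesOverlay (apply to a haskellPackages set) and selectHaskellPackages (picks the packages listed in myHaskellPackages out of such a set); callers build hpkgs themselves` would keep the two consumers in sync the next time this set changes. The function header and the `let` block start before the first hunk.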

@ -1 +1 @@
Subproject commit ea5c59c88c6a963fed4a31b6a3c31b424c4ae091 Subproject commit 4970e368d9b554df2881b16cdb5d1712fcfbf575