From 3b37b97c76a4310c014bff9f47fb10fade365191 Mon Sep 17 00:00:00 2001 From: Victor Mignot Date: Tue, 30 Jul 2024 20:42:59 +0200 Subject: [PATCH] Switch to colmena + drop some options + introduce okeanos + reworks --- .sops.yaml | 9 +++ configurations/camelot/default.nix | 39 +-------- configurations/camelot/hardware.nix | 38 +++++++++ configurations/fuyuki/default.nix | 76 ++---------------- configurations/fuyuki/hardware.nix | 52 ++++++++++++ configurations/fuyuki/wireguard.nix | 20 +++++ configurations/london/default.nix | 48 +---------- configurations/london/hardware.nix | 45 +++++++++++ configurations/okeanos/default.nix | 38 +++++++++ configurations/okeanos/hardware.nix | 15 ++++ configurations/okeanos/secrets/secrets.yaml | 33 ++++++++ configurations/okeanos/unbound.nix | 71 +++++++++++++++++ configurations/okeanos/wireguard.nix | 37 +++++++++ flake.lock | 26 +++--- flake.nix | 88 +++++++++++++-------- machines.nix | 24 ++++-- modules/common/boot.nix | 68 ++++------------ modules/common/default.nix | 24 ------ modules/common/filesystem.nix | 66 ---------------- modules/common/hardware.nix | 9 ++- modules/common/network.nix | 29 ------- modules/server/default.nix | 1 + modules/server/network.nix | 10 +-- modules/workstation/default.nix | 7 +- 24 files changed, 484 insertions(+), 389 deletions(-) create mode 100644 configurations/camelot/hardware.nix create mode 100644 configurations/fuyuki/hardware.nix create mode 100644 configurations/fuyuki/wireguard.nix create mode 100644 configurations/london/hardware.nix create mode 100644 configurations/okeanos/default.nix create mode 100644 configurations/okeanos/hardware.nix create mode 100644 configurations/okeanos/secrets/secrets.yaml create mode 100644 configurations/okeanos/unbound.nix create mode 100644 configurations/okeanos/wireguard.nix delete mode 100644 modules/common/filesystem.nix diff --git a/.sops.yaml b/.sops.yaml index 1c0b37e..f2a6579 100644 --- a/.sops.yaml +++ b/.sops.yaml 
@@ -3,6 +3,7 @@ keys: - &london_dala age19m7s6rl4l88nv0f7el70k9u9mv6fd0nq5nw5a3f6p3ffzch274lsksu3y7 - &camelot_system age1qp54d5gzvpyedcv26uckz7lmy2a48m27astawa62hkey59qgmg8setufp5 - &fuyuki_system age1lpk05l443jd7ra27hssvkc9xctpl990dy78tghmr4e8x7lfndy3qwhakwm + - &okeanos_system age1mj6xs9qpl9xn5kwk82matuyyus75j2dysdmpvtqer5jvk8uknp8s2ttp32 - &pgp_dala 2763F2B50E63CE401A3EB9C040DE2FEE4D3C5E2C creation_rules: @@ -36,3 +37,11 @@ creation_rules: - *fuyuki_system pgp: - *pgp_dala + + # Okenaos + - path_regex: configurations/okeanos/secrets/secrets.yaml$ + key_groups: + - age: + - *okeanos_system + pgp: + - *pgp_dala diff --git a/configurations/camelot/default.nix b/configurations/camelot/default.nix index b59ca0f..d9df8a1 100644 --- a/configurations/camelot/default.nix +++ b/configurations/camelot/default.nix @@ -5,40 +5,9 @@ ... }: { - boot.initrd.availableKernelModules = [ - "xhci_pci" - "ahci" - "nvme" - "usbhid" - "usb_storage" - "sd_mod" - ]; - boot.initrd.kernelModules = [ "dm-snapshot" ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - boot.swraid.enable = true; - powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; - hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; - - filesystems = [ - { - mountpoint = "/"; - deviceUUID = "966d0ec0-7a7b-4987-91cf-6493e9f5126c"; - fsType = "ext4"; - } - { - mountpoint = "/srv"; - deviceUUID = "329fe696-ad2f-4a86-b45f-8b143daf02d2"; - fsType = "ext4"; - } - { - mountpoint = "/boot"; - deviceUUID = "901B-0D68"; - fsType = "vfat"; - } - ]; imports = [ + ./hardware.nix ./jellyfin.nix ./wireguard.nix ./nextcloud.nix @@ -47,10 +16,6 @@ ./forgejo.nix ]; - swapDeviceUUID = "a7c628ab-c5cb-4094-89d0-19b153fbead4"; - - server.networking.enableSSH = true; - services.nginx = { enable = true; clientMaxBodySize = "40m"; @@ -67,8 +32,6 @@ git ]; - hwAccelerationGPU = "intel"; - # System secrets sops = { gnupg.sshKeyPaths = [ ]; 
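Review bot: The comment heading the new creation rule misspells the host name: `# Okenaos` should read `# Okeanos`, matching the `configurations/okeanos/secrets/secrets.yaml$` path_regex directly below it. The rule itself is consistent with the key list — the `okeanos_system` age recipient added in the first hunk is the same recipient recorded in the new `configurations/okeanos/secrets/secrets.yaml`, so the host key should be able to decrypt the file.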
diff --git a/configurations/camelot/hardware.nix b/configurations/camelot/hardware.nix new file mode 100644 index 0000000..5c66776 --- /dev/null +++ b/configurations/camelot/hardware.nix @@ -0,0 +1,38 @@ +{ lib, config, ... }: +{ + boot.initrd.availableKernelModules = [ + "xhci_pci" + "ahci" + "nvme" + "usbhid" + "usb_storage" + "sd_mod" + ]; + boot.initrd.kernelModules = [ "dm-snapshot" ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + boot.swraid.enable = true; + + fileSystems = { + "/" = { + device = "/dev/disk/by-uuid/966d0ec0-7a7b-4987-91cf-6493e9f5126c"; + fsType = "ext4"; + }; + + "/srv" = { + device = "/dev/disk/by-uuid/329fe696-ad2f-4a86-b45f-8b143daf02d2"; + fsType = "ext4"; + }; + + "/boot" = { + device = "/dev/disk/by-uuid/901B-0D68"; + fsType = "vfat"; + }; + }; + + swapDevices = [ { device = "/dev/disk/by-uuid/a7c628ab-c5cb-4094-89d0-19b153fbead4"; } ]; + + hwAccelerationGPU = "intel"; + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/configurations/fuyuki/default.nix b/configurations/fuyuki/default.nix index dde385e..c550a08 100644 --- a/configurations/fuyuki/default.nix +++ b/configurations/fuyuki/default.nix 
@@ -6,65 +6,21 @@ ... }: { - boot.initrd.availableKernelModules = [ - "xhci_pci" - "nvme" - "usb_storage" - "sd_mod" + + imports = [ + ./hardware.nix + ./wireguard.nix ]; - boot.initrd.kernelModules = [ - "dm-snapshot" - "i915" - ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; - hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; - services.tlp.enable = true; + + deployment.targetHost = null; + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; useLatestKernel = true; - hwAccelerationGPU = "intel"; isProfessional = false; allowUnfreePackages = true; keymap = "us"; - luksDevices = [ - { - name = "crypted-nixos"; - deviceUUID = "401036ff-8ad8-4738-a249-85391dac0430"; - isPreLVM = true; - } - ]; - - filesystems = [ - { - mountpoint = "/"; - deviceUUID = "663f1c4a-dce6-48b2-b8e2-a602e812c49b"; - fsType = "ext4"; - } - - { - mountpoint = "/boot"; - deviceUUID = "3F42-7C9B"; - fsType = "vfat"; - } - - { - mountpoint = "/nix"; - deviceUUID = "148a5295-396b-495b-b46e-1fa4e99cf9d0"; - fsType = "ext4"; - } - - { - mountpoint = "/home"; - deviceUUID = "16b6bd32-465c-4a42-a082-df42d912e5e5"; - fsType = "ext4"; - } - ]; - - swapDeviceUUID = "0bc27219-00dd-4ae9-b946-ab65a68cbdf1"; - sops = { gnupg.sshKeyPaths = [ ]; age = { @@ -75,24 +31,6 @@ secrets.wg0_private = { }; }; - networking.wg-quick.interfaces.wg0 = { - address = [ "10.100.0.3/24" ]; - listenPort = 51820; - privateKeyFile = config.sops.secrets.wg0_private.path; - - dns = [ "10.100.0.1" ]; - - peers = [ - # RockPro 64 - { - publicKey = "XVmG3/rNsCqc8KCmOx3+UUn9DJOnJ40Uxid5JGdChR4="; - endpoint = "${extraInfo.wireguard.rockProEndpoint}:51820"; - allowedIPs = [ "10.100.0.1/32" ]; - persistentKeepalive = 25; - } - ]; - }; - machineUsers = { dala = { description = "Dala"; 
diff --git a/configurations/fuyuki/hardware.nix b/configurations/fuyuki/hardware.nix new file mode 100644 index 0000000..d018fbc --- /dev/null +++ b/configurations/fuyuki/hardware.nix @@ -0,0 +1,52 @@ +{ lib, config, ... }: +{ + boot.initrd.availableKernelModules = [ + "xhci_pci" + "nvme" + "usb_storage" + "sd_mod" + ]; + boot.initrd.kernelModules = [ + "dm-snapshot" + "i915" + ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + hwAccelerationGPU = "intel"; + + boot.initrd.luks.devices = { + crypted-nixos = { + device = "401036ff-8ad8-4738-a249-85391dac0430"; + preLVM = true; + }; + }; + + fileSystems = { + "/" = { + device = "/dev/disk/by-uuid/663f1c4a-dce6-48b2-b8e2-a602e812c49b"; + fsType = "ext4"; + }; + + "/boot" = { + device = "/dev/disk/by-uuid/3F42-7C9B"; + fsType = "vfat"; + }; + + "/nix" = { + device = "/dev/disk/by-uuid/148a5295-396b-495b-b46e-1fa4e99cf9d0"; + fsType = "ext4"; + }; + + "/home" = { + device = "/dev/disk/by-uuid/16b6bd32-465c-4a42-a082-df42d912e5e5"; + fsType = "ext4"; + }; + }; + + swapDevices = [ { device = "/dev/disk/by-uuid/0bc27219-00dd-4ae9-b946-ab65a68cbdf1"; } ]; + + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + services.tlp.enable = true; +} diff --git a/configurations/fuyuki/wireguard.nix b/configurations/fuyuki/wireguard.nix new file mode 100644 index 0000000..0e29425 --- /dev/null +++ b/configurations/fuyuki/wireguard.nix @@ -0,0 +1,20 @@ +{ config, extraInfo, ... }: +{ + networking.wg-quick.interfaces.wg0 = { + address = [ "10.100.0.3/24" ]; + listenPort = 51820; + privateKeyFile = config.sops.secrets.wg0_private.path; + + dns = [ "10.100.0.1" ]; + + peers = [ + # RockPro 64 + { + publicKey = "XVmG3/rNsCqc8KCmOx3+UUn9DJOnJ40Uxid5JGdChR4="; + endpoint = "${extraInfo.wireguard.rockProEndpoint}:51820"; + allowedIPs = [ "10.100.0.1/32" ]; + persistentKeepalive = 25; + } + ]; + }; +} 
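Review bot: In `boot.initrd.luks.devices.crypted-nixos`, `device = "401036ff-8ad8-4738-a249-85391dac0430";` is a bare UUID rather than a device path; the removed `luksDevices` option used to prepend `/dev/disk/by-uuid/` to `deviceUUID`, and the sibling `configurations/london/hardware.nix` added in this commit does write the full path. As written the initrd is unlikely to locate the LUKS container and fuyuki may fail to boot after the next switch. Change it to `device = "/dev/disk/by-uuid/401036ff-8ad8-4738-a249-85391dac0430";`, consistent with the `fileSystems` and `swapDevices` entries below it.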
diff --git a/configurations/london/default.nix b/configurations/london/default.nix index 8885be9..0d26ac6 100644 --- a/configurations/london/default.nix +++ b/configurations/london/default.nix @@ -6,56 +6,14 @@ ... }: { - boot.initrd.availableKernelModules = [ - "nvme" - "xhci_pci" - "ahci" - "usbhid" - ]; - boot.initrd.kernelModules = [ "dm-snapshot" ]; - boot.extraModulePackages = [ ]; - hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + imports = [ ./hardware.nix ]; # Meta isProfessional = false; - # Volumes - luksDevices = [ - { - name = "crypted-nixos"; - deviceUUID = "5a1ac4ae-d74f-4599-bc5a-fc0a3501a196"; - isPreLVM = true; - } - ]; - - filesystems = [ - { - mountpoint = "/"; - deviceUUID = "8dd700f8-7bf7-426c-8869-d31687e343df"; - fsType = "ext4"; - } - - { - mountpoint = "/boot"; - deviceUUID = "F2B6-C8CA"; - fsType = "vfat"; - } - - { - mountpoint = "/nix"; - deviceUUID = "b7a643f6-a78e-4e32-a1a3-22b321465bf6"; - fsType = "ext4"; - } - - { - mountpoint = "/home"; - deviceUUID = "e26f6727-3712-4830-b8e8-fdbce5e3584b"; - fsType = "ext4"; - } - ]; - - swapDeviceUUID = "5fe5e76b-df3d-43ce-abf9-d2b63078df09"; + deployment.targetHost = null; + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; # Linux kernel useLatestKernel = true; diff --git a/configurations/london/hardware.nix b/configurations/london/hardware.nix new file mode 100644 index 0000000..8881232 --- /dev/null +++ b/configurations/london/hardware.nix 
@@ -0,0 +1,45 @@ +{ lib, config, ... }: +{ + boot.initrd.availableKernelModules = [ + "nvme" + "xhci_pci" + "ahci" + "usbhid" + ]; + boot.initrd.kernelModules = [ "dm-snapshot" ]; + boot.extraModulePackages = [ ]; + + # Volumes + boot.initrd.luks.devices = { + crypted-nixos = { + device = "/dev/disk/by-uuid/5a1ac4ae-d74f-4599-bc5a-fc0a3501a196"; + preLVM = true; + }; + }; + + fileSystems = { + "/" = { + device = "/dev/disk/by-uuid/8dd700f8-7bf7-426c-8869-d31687e343df"; + fsType = "ext4"; + }; + + "/boot" = { + device = "/dev/disk/by-uuid/F2B6-C8CA"; + fsType = "vfat"; + }; + + "/nix" = { + device = "/dev/disk/by-uuid/b7a643f6-a78e-4e32-a1a3-22b321465bf6"; + fsType = "ext4"; + }; + + "/home" = { + device = "/dev/disk/by-uuid/e26f6727-3712-4830-b8e8-fdbce5e3584b"; + fsType = "ext4"; + }; + }; + + swapDevices = [ { device = "/dev/disk/by-uuid/5fe5e76b-df3d-43ce-abf9-d2b63078df09"; } ]; + + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/configurations/okeanos/default.nix b/configurations/okeanos/default.nix new file mode 100644 index 0000000..f907f23 --- /dev/null +++ b/configurations/okeanos/default.nix @@ -0,0 +1,38 @@ +{ pkgs, lib, ... }: + +{ + + imports = [ + ./hardware.nix + ./unbound.nix + ./wireguard.nix + ]; + + # Use the extlinux boot loader. (NixOS wants to enable GRUB by default) + boot.loader.grub.enable = false; + enableSystemdBoot = false; + # Enables the generation of /boot/extlinux/extlinux.conf + boot.loader.generic-extlinux-compatible.enable = true; + + machineUsers = { + dala = { + description = "Dala"; + groups = [ "wheel" ]; + uid = 1000; + shell = pkgs.bash; + }; + }; + + sops = { + gnupg.sshKeyPaths = [ ]; + age = { + sshKeyPaths = [ ]; + keyFile = "/var/lib/sops-nix/key.txt"; + }; + defaultSopsFile = ./secrets/secrets.yaml; + secrets = { + wg0_private = { }; + }; + }; + +} 
diff --git a/configurations/okeanos/hardware.nix b/configurations/okeanos/hardware.nix new file mode 100644 index 0000000..8e89e45 --- /dev/null +++ b/configurations/okeanos/hardware.nix @@ -0,0 +1,15 @@ +{ lib, ... }: +{ + boot.initrd.availableKernelModules = [ ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/1544d801-dbc4-492b-ae30-892f4d4cc349"; + fsType = "ext4"; + }; + + swapDevices = [ ]; + powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; +} diff --git a/configurations/okeanos/secrets/secrets.yaml b/configurations/okeanos/secrets/secrets.yaml new file mode 100644 index 0000000..c3f02fc --- /dev/null +++ b/configurations/okeanos/secrets/secrets.yaml 
@@ -0,0 +1,33 @@ +wg0_private: ENC[AES256_GCM,data:f+W43KoNREeBSTbmVK1Z+G5KAGhsKFQZYXR7/rAViNgEjobAUbaq03RYfZE=,iv:FjuEkb4xhXq1UqG+8USKpG59DbbPbfbzfyu02mvFR9g=,tag:izOWkkeyhE7FizxVOEvabQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1mj6xs9qpl9xn5kwk82matuyyus75j2dysdmpvtqer5jvk8uknp8s2ttp32 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLUjRrVkZpTjJLa2JCbnJy + MEpBaFRFRzdIWENEMmZDbWNIbWxZRHk2NmgwCnZtVFpLejYvaUhjcFJGU0tHUnhu + ZEo1UDZ0VythdDZkYVpMMUlyL2dINkkKLS0tIHFUMUpWUlBqUjltdVg2bFo1N2FS + VWN1UnlDajAxbE1ySStHQmhDajVReGcKr9nNx6jVFjU1xEC8dw2yZlx3xHusSzPY + 5dOglp4QVfFm3WjLXrfiIa09dPnKCiRswy33tshfWCObwEvvuOFoTQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-07-30T11:25:30Z" + mac: ENC[AES256_GCM,data:aC/QmbhvtNepBYp2pstcxh1a458caCVBEV5dw04aZzqqflLOT4zzoyrDPBGd8PV2sqzoC0K23bpxz5LcvzwHmHAiLaewOfT++/+VZ7d+4G3oAkZsDW4S4Zat4IJDQE6Rf2SjbltMGMxALvKj4qZNzeFYZRMLd2vj7FsnXGSEhG0=,iv:DtyXx+bSzXMvXc/ucTn1VK/YBkXerj+s0RPimJPjMPs=,tag:Vu4mrMt3N1xMPDaBR1Lg4g==,type:str] + pgp: + - created_at: "2024-07-30T11:24:39Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4D0ZiEKlLM+TsSAQdAGrKWvgORZik4MmMVAlf4LVC7RuWCoJpwZJsXgCLDkQEw + vq1SJTftj2mSLPgJh1b1UkWIoScJIxh3Dw87XYe2sFQ5AvwoNI9932KfbETt3MB3 + 1GgBCQIQbrhFZNgQQoTpzLilPprVqpBEIiz2mfQiTUyCvmKhHVkKIykaxTtwH8dt + mwG0/dRryUyHLUtoQ1P/9danDRZfllHGXwEqo7BetVGuItLtaUoc59C8dRYB+zDv + gyG5IlOUShUhNg== + =fM1u + -----END PGP MESSAGE----- + fp: 2763F2B50E63CE401A3EB9C040DE2FEE4D3C5E2C + unencrypted_suffix: _unencrypted + version: 3.9.0 diff --git a/configurations/okeanos/unbound.nix b/configurations/okeanos/unbound.nix new file mode 100644 index 0000000..af02958 --- /dev/null +++ b/configurations/okeanos/unbound.nix 
@@ -0,0 +1,71 @@ +{ extraInfo, ... }: +let + localIps = extraInfo.hostsLocalIps; +in +{ + # Resolvconf + networking.nameservers = [ + "127.0.0.1" + "::1" + ]; + + # DNS resolver configuration + services.adguardhome.enable = true; + + networking.firewall = { + allowedUDPPorts = [ 53 ]; + allowedTCPPorts = [ + 80 + 443 + ]; + }; + + services.unbound = { + enable = true; + settings = { + server = { + interface = [ "127.0.0.1" ]; + port = "5354"; + access-control = [ "127.0.0.0/8 allow" ]; + + root-hints = "/var/lib/unbound/root.hints"; + + do-ip4 = true; + do-tcp = true; + do-udp = true; + + do-ip6 = false; + prefer-ip6 = false; + + harden-glue = true; + harden-dnssec-stripped = true; + use-caps-for-id = false; + + edns-buffer-size = 1232; + prefetch = true; + + so-rcvbuf = "1m"; + private-address = [ + "192.168.0.0/16" + "10.0.0.0/24" + ]; + + # Do not check DNSSEC for ntp.org, as RockPro64 has no BIOS battery + domain-insecure = [ "ntp.org" ]; + + }; + + remote-control = { + control-enable = true; + }; + + local-data = [ + "\"london A ${localIps.london}\"" + "\"camelot A ${localIps.camelot}\"" + "\"okeanos A ${localIps.okeanos}\"" + "\"fuyuki A ${localIps.fuyuki}\"" + ]; + + }; + }; +} diff --git a/configurations/okeanos/wireguard.nix b/configurations/okeanos/wireguard.nix new file mode 100644 index 0000000..66475f7 --- /dev/null +++ b/configurations/okeanos/wireguard.nix 
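Review bot: `networking.firewall` opens UDP 53 but not TCP 53, so LAN clients that retry over TCP after a truncated answer (large DNSSEC responses in particular) will be refused; `allowedTCPPorts = [ 53 80 443 ];` would match the UDP rule. Presumably AdGuard Home is the listener on 53 that forwards to unbound on 127.0.0.1:5354, but nothing in this file declares that forwarding or the admin listener, so it lives in mutable state on the host — a comment stating that would help the next reader. `private-address` lists `10.0.0.0/24` while the WireGuard network in `configurations/okeanos/wireguard.nix` is 10.100.0.x; if the intent is RFC 1918 rebind protection it should probably be `10.0.0.0/8`, otherwise upstream answers pointing at 10.100.x.x addresses are not filtered.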
@@ -0,0 +1,37 @@ +{ config, pkgs, ... }: +{ + environment.systemPackages = with pkgs; [ wireguard-tools ]; + + networking.firewall.allowedUDPPorts = [ 51820 ]; + networking.wg-quick.interfaces.wg0 = { + address = [ "10.100.0.1/8" ]; + + listenPort = 51820; + privateKeyFile = config.sops.secrets.wg0_private.path; + + peers = [ + { + # PC Portable + publicKey = "maCF41/gOh5p0BBgOh0x9S/ourGSM7qrFfEgmB+XGHY="; + allowedIPs = [ "10.100.0.3" ]; + } + + { + # PC Fixe + publicKey = "AvW61c9iSO0NiMrXpPsdeWigTO3JTCadqY5Wq5xLPH8="; + allowedIPs = [ "10.100.0.4" ]; + } + + { + # Mate 20 Pro + publicKey = "JoW+Iwysip46WWKJINneXWWG2YszzKEKlI3dW4SIjg0="; + allowedIPs = [ "10.100.0.5" ]; + } + # Camelot + { + publicKey = "lDGxdsruARpkOlZHCkdkNg4v+eEU9m+jt0VO0v747gk="; + allowedIPs = [ "10.100.0.6" ]; + } + ]; + }; +} diff --git a/flake.lock b/flake.lock index 2dd290e..9cf0d18 100644 --- a/flake.lock +++ b/flake.lock @@ -23,11 +23,11 @@ }, "extra-config": { "locked": { - "lastModified": 1712861099, - "narHash": "sha256-IRN1siAfi/JY5mVRrEepdNIA6Q6K/LSR4ifX34pRe04=", + "lastModified": 1722362784, + "narHash": "sha256-BREwW6SlaX5kshXXRCkDgJUVvgf+Wd1/icSx6jALPR0=", "ref": "refs/heads/main", - "rev": "98fe4b816f2b3d9f2cdb0765c08156bea9ab72de", - "revCount": 4, + "rev": "14fdbdd08db2759d733a6f349e1920c0c636c6d1", + "revCount": 5, "type": "git", "url": "ssh://forgejo@git.dalaran.fr/dala/nixos-config-extra.git" }, @@ -204,11 +204,11 @@ ] }, "locked": { - "lastModified": 1722119539, - "narHash": "sha256-2kU90liMle0vKR8exJx1XM4hZh9CdNgZGHCTbeA9yzY=", + "lastModified": 1722321190, + "narHash": "sha256-WeVWVRqkgrbLzmk6FfJoloJ7Xe7HWD27Pv950IUG2kI=", "owner": "nix-community", "repo": "home-manager", - "rev": "d0240a064db3987eb4d5204cf2400bc4452d9922", + "rev": "4fcd54df7cbb1d79cbe81209909ee8514d6b17a4", "type": "github" }, "original": { 
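Review bot: `address = [ "10.100.0.1/8" ];` gives wg0 a /8, so wg-quick will route all of 10.0.0.0/8 through the tunnel on okeanos, whereas the peer side in `configurations/fuyuki/wireguard.nix` uses `10.100.0.3/24` and every `allowedIPs` entry here is a 10.100.0.x host. Unless the /8 is deliberate, `address = [ "10.100.0.1/24" ];` keeps both ends consistent and stops other 10.x traffic (including the `10.0.0.0/24` range unbound.nix treats as private) from being captured by the interface route. Writing the peer `allowedIPs` with an explicit `/32` would also make the host-route intent visible, although wg accepts the bare addresses.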
@@ -346,11 +346,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1722087241, - "narHash": "sha256-2ShmEaFi0kJVOEEu5gmlykN5dwjWYWYUJmlRTvZQRpU=", + "lastModified": 1722221733, + "narHash": "sha256-sga9SrrPb+pQJxG1ttJfMPheZvDOxApFfwXCFO0H9xw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8c50662509100d53229d4be607f1a3a31157fa12", + "rev": "12bf09802d77264e441f48e25459c10c93eada2e", "type": "github" }, "original": { @@ -378,11 +378,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1722062969, - "narHash": "sha256-QOS0ykELUmPbrrUGmegAUlpmUFznDQeR4q7rFhl8eQg=", + "lastModified": 1722185531, + "narHash": "sha256-veKR07psFoJjINLC8RK4DiLniGGMgF3QMlS4tb74S6k=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b73c2221a46c13557b1b3be9c2070cc42cf01eb3", + "rev": "52ec9ac3b12395ad677e8b62106f0b98c1f8569d", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index af1ab17..e23293f 100644 --- a/flake.nix +++ b/flake.nix 
@@ -51,53 +51,75 @@ }: let machines = import ./machines.nix; - in - { - nixosConfigurations = builtins.mapAttrs ( - name: value: - let - nixpkgs = if value.nixpkgsUnstable then nixpkgs-unstable else nixpkgs-stable; - lix-module = if value.nixpkgsUnstable then lix-module-unstable else lix-module-stable; - in - nixpkgs.lib.nixosSystem { - system = value.system; - - specialArgs = { - machineInfos = { - hostname = name; - } // value; - - sopsHmModule = sops-nix.homeManagerModules.sops; - - extraInfo = extra-config.extraSecrets; - }; - - modules = [ + lixModules = { + stable = lix-module-stable; + unstable = lix-module-unstable; + }; + nixpkgsVersions = { + stable = nixpkgs-stable; + unstable = nixpkgs-unstable; + }; + machinesNodes = builtins.mapAttrs ( + name: config: + { ... }: + { + imports = [ + lixModules.${config.nixpkgs}.nixosModules.default ./configurations/${name} - ./modules/common - (if (value.machineType == "workstation") then ./modules/workstation else ./modules/server) + (if (config.type == "workstation") then ./modules/workstation else ./modules/server) ( - if (value.machineType == "workstation" && value.enableHomeManager) then + if (config.type == "workstation" && config.enableHomeManager) then home-manager.nixosModules.home-manager else { } ) - sops-nix.nixosModules.sops - lix-module.nixosModules.default - lanzaboote.nixosModules.lanzaboote + (if (config.system == "x86_64-linux") then lanzaboote.nixosModules.lanzaboote else { }) ]; + + deployment.allowLocalDeployment = config.localDeployment; + + networking.hostName = name; + system.stateVersion = config.stateVersion; } ) machines; + buildOptionnalSpecialArgsForMachine = + config: + { + machineProps = config; + } + // (if config.enableHomeManager then { sopsHmModule = sops-nix.homeManagerModules.sops; } else { }); + in + { + colmena = { + meta = { + name = "dala's infrastructure"; + + # Here we have to set this value because colmena needs it, but it will be overriden on all hosts + # by the nodeNixpkgs 
attribute + nixpkgs = import nixpkgsVersions.stable { system = "x86_64-linux"; }; + + nodeNixpkgs = builtins.mapAttrs ( + name: config: import nixpkgsVersions.${config.nixpkgs} { system = config.system; } + ) machines; + + nodeSpecialArgs = builtins.mapAttrs ( + name: config: + { extraInfo = extra-config.extraSecrets; } // (buildOptionnalSpecialArgsForMachine config) + ) machines; + }; + + defaults = + { ... }: + { + imports = [ sops-nix.nixosModules.sops ]; + }; + } // machinesNodes; formatter = builtins.listToAttrs ( map (system: { name = system; - value = nixpkgs-unstable.legacyPackages.${system}.nixfmt-rfc-style; + value = nixpkgsVersions.unstable.legacyPackages.${system}.nixfmt-rfc-style; }) flake-utils.lib.defaultSystems ); - - hydraJobs = { - nixos = builtins.mapAttrs (_: cfg: cfg.config.system.build.toplevel) self.nixosConfigurations; - }; }; } diff --git a/machines.nix b/machines.nix index a6d424d..6ff609b 100644 --- a/machines.nix +++ b/machines.nix @@ -1,25 +1,37 @@ { london = { - machineType = "workstation"; - nixpkgsUnstable = true; + type = "workstation"; + nixpkgs = "unstable"; system = "x86_64-linux"; enableHomeManager = true; stateVersion = "23.11"; + localDeployment = true; }; camelot = { - machineType = "server"; - nixpkgsUnstable = false; + type = "server"; + nixpkgs = "stable"; system = "x86_64-linux"; enableHomeManager = false; stateVersion = "23.11"; + localDeployment = false; }; fuyuki = { - machineType = "workstation"; - nixpkgsUnstable = true; + type = "workstation"; + nixpkgs = "unstable"; system = "x86_64-linux"; enableHomeManager = true; stateVersion = "22.05"; + localDeployment = true; + }; + + okeanos = { + type = "server"; + nixpkgs = "stable"; + system = "aarch64-linux"; + enableHomeManager = false; + stateVersion = "23.05"; + localDeployment = false; }; } diff --git a/modules/common/boot.nix b/modules/common/boot.nix index ebdc71d..623e7e4 100644 --- a/modules/common/boot.nix +++ b/modules/common/boot.nix 
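Review bot: `buildOptionnalSpecialArgsForMachine` passes `sopsHmModule` only when `enableHomeManager` is true, but `modules/workstation/default.nix` (changed later in this commit) still destructures `sopsHmModule` unconditionally in its argument set, so a workstation entry with `enableHomeManager = false` would most likely fail evaluation with a missing-argument error instead of simply skipping home-manager. Either always pass the attribute (it is only a module reference) or let the workstation module accept it through `...`. The helper name also misspells optional (`buildOptionalSpecialArgsForMachine`), and the `meta.nixpkgs` comment has `overriden` for `overridden`. Inside `machinesNodes` the lambda parameter named `config` is the machines.nix entry rather than the NixOS `config`; renaming it to `props` would avoid that confusion once the module body grows.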
@@ -2,35 +2,10 @@ lib, config, pkgs, + machineProps, ... }: with lib; -let - luksDevicesModule = types.submodule { - options.name = mkOption { - type = types.str; - description = '' - The partition name. - ''; - }; - - options.deviceUUID = mkOption { - type = types.str; - description = '' - The partition device UUID. - ''; - }; - - options.isPreLVM = mkOption { - type = types.bool; - default = false; - example = true; - description = '' - Whether the decrypted partition will be a LVM device. - ''; - }; - }; -in { options.enableSystemdBoot = mkOption { type = types.bool; @@ -42,31 +17,20 @@ in ''; }; - options.luksDevices = mkOption { - type = types.listOf luksDevicesModule; - default = [ ]; - description = '' - List of LUKS devices. - ''; - }; - - config = { - boot.initrd.luks.devices = builtins.listToAttrs ( - map (fs: { - name = fs.name; - value = { - device = "/dev/disk/by-uuid/${fs.deviceUUID}"; - preLVM = fs.isPreLVM; - }; - }) config.luksDevices + config.environment.systemPackages = lib.mkIf config.enableSystemdBoot [ pkgs.sbctl ]; + config.boot = + { + loader.systemd-boot.enable = false; + } + // ( + if config.enableSystemdBoot then + { + lanzaboote = { + enable = true; + pkiBundle = "/etc/secureboot"; + }; + } + else + { } ); - - boot.loader.systemd-boot.enable = false; - boot.lanzaboote = lib.mkIf config.enableSystemdBoot { - enable = true; - pkiBundle = "/etc/secureboot"; - }; - - environment.systemPackages = lib.mkIf config.enableSystemdBoot [ pkgs.sbctl ]; - }; } diff --git a/modules/common/default.nix b/modules/common/default.nix index 93b2217..23bc08e 100644 --- a/modules/common/default.nix +++ b/modules/common/default.nix @@ -2,14 +2,12 @@ lib, config, pkgs, - machineInfos, modulesPath, ... }: with lib; { imports = [ - ./filesystem.nix ./boot.nix ./linux.nix ./nix.nix 
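Review bot: `machineProps` is added to the argument set of `modules/common/boot.nix` but neither hunk uses it; unless the few lines between the two hunks do, the new argument is dead and should be dropped so the module's dependencies stay honest. The `config.boot = { loader.systemd-boot.enable = false; } // (if config.enableSystemdBoot then { lanzaboote = …; } else { })` form works, but the previous `boot.lanzaboote = lib.mkIf config.enableSystemdBoot { … }` expressed the same conditional without an attrset merge and matched the `mkIf` still used on the `environment.systemPackages` line just above it; one style within the module would read better.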
@@ -19,18 +17,6 @@ with lib; (modulesPath + "/installer/scan/not-detected.nix") ]; - options.machineType = mkOption { - type = types.enum [ - "workstation" - "server" - ]; - default = "workstation"; - example = "server"; - description = '' - What is the type of this machine. - ''; - }; - options.isProfessional = mkOption { type = types.bool; default = false; @@ -50,9 +36,6 @@ with lib; }; config = { - machineType = machineInfos.machineType; - system.stateVersion = machineInfos.stateVersion; - networking.hostName = machineInfos.hostname; virtualisation.docker.enable = config.enableDocker; # Only enable fish shell if there is at least one user using it. @@ -63,12 +46,5 @@ with lib; # We always want to disable the X server as only workstation use windows manager # and they always use wayland. services.xserver.enable = false; - - assertions = [ - { - assertion = !(config.machineType == "server" && config.isProfessional); - message = "Only workstations can be professionnal hardware"; - } - ]; }; } diff --git a/modules/common/filesystem.nix b/modules/common/filesystem.nix deleted file mode 100644 index 8ef42c0..0000000 --- a/modules/common/filesystem.nix +++ /dev/null 
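Review bot: The last hunk drops the `assertions` entry that rejected `isProfessional` on a server without replacing it, so the invariant now goes unchecked even though `isProfessional` (kept in this file) and the machine type (now `type` in machines.nix, reachable as `machineProps.type`) are both still available. Since the `machineType` option is gone, the check has to read the type from `machineProps`, which also means adding `machineProps,` to the argument set in the first hunk of this file. A minimal restoration inside `config`:
```nix
  config = {
    # … unchanged: docker, fish shell and xserver settings …

    assertions = [
      {
        assertion = !(machineProps.type == "server" && config.isProfessional);
        message = "Only workstations can be professional hardware";
      }
    ];
  };
```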
@@ -1,66 +0,0 @@ -{ lib, config, ... }: -with lib; -let - fsModule = types.submodule { - options = { - - mountpoint = mkOption { - type = types.str; - description = '' - The filesystem mountpoint. - ''; - }; - - deviceUUID = mkOption { - type = types.str; - description = '' - The volume UUID. - ''; - }; - - fsType = mkOption { - type = types.str; - description = '' - The volume filesystem. - ''; - }; - }; - }; -in -{ - options.filesystems = mkOption { - type = types.listOf fsModule; - default = [ ]; - example = [ - { - mountpoint = "/"; - deviceUUID = "XXXXX-YYYYYY-AJDKKSKSJ"; - fsType = "ext4"; - } - ]; - description = '' - The machine filesystem tree description. - ''; - }; - - options.swapDeviceUUID = mkOption { - type = types.nullOr types.str; - default = null; - }; - - config = { - fileSystems = builtins.listToAttrs ( - map (fs: { - name = fs.mountpoint; - value = { - device = "/dev/disk/by-uuid/${fs.deviceUUID}"; - fsType = fs.fsType; - }; - }) config.filesystems - ); - - swapDevices = mkIf (config.swapDeviceUUID != null) [ - { device = "/dev/disk/by-uuid/${config.swapDeviceUUID}"; } - ]; - }; -} diff --git a/modules/common/hardware.nix b/modules/common/hardware.nix index 4245a92..4263d44 100644 --- a/modules/common/hardware.nix +++ b/modules/common/hardware.nix @@ -2,8 +2,12 @@ lib, config, pkgs, + machineProps, ... }: +let + hwAccelerationOptionPath = if (machineProps == "unstable") then "graphics" else "opengl"; +in with lib; { options.hwAccelerationGPU = mkOption { 
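Review bot: `hwAccelerationOptionPath = if (machineProps == "unstable") then "graphics" else "opengl";` compares the whole `machineProps` attribute set with a string, which is never true, so every host — including the unstable ones this conditional exists for — is configured through `hardware.opengl`, and the second `modules/common/hardware.nix` hunk then writes `hardware.${hwAccelerationOptionPath}` under the old name. Going by machines.nix, the intended test is the `nixpkgs` field: `hwAccelerationOptionPath = if (machineProps.nixpkgs == "unstable") then "graphics" else "opengl";`.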
@@ -24,10 +28,9 @@ with lib; config = { boot.kernelParams = mkIf (config.hwAccelerationGPU == "intel") [ "i915.enable_guc=2" ]; - hardware.opengl = { + # Small hack as this option path changes between 24.05 and unstable + hardware.${hwAccelerationOptionPath} = { enable = config.hwAccelerationGPU != null; - driSupport = true; - driSupport32Bit = true; extraPackages = with pkgs; [ (mkIf (config.hwAccelerationGPU == "intel") intel-media-driver) (mkIf (config.hwAccelerationGPU == "intel") intel-compute-runtime) diff --git a/modules/common/network.nix b/modules/common/network.nix index 093a339..93a3fb3 100644 --- a/modules/common/network.nix +++ b/modules/common/network.nix @@ -1,38 +1,9 @@ { lib, config, ... }: with lib; { - options.enableFirewall = mkOption { - type = types.bool; - default = true; - example = false; - description = '' - Whether or not to enable firewall. - ''; - }; - - options.extraAllowedTCPPorts = mkOption { - type = types.listOf types.port; - default = [ ]; - example = [ 53 ]; - description = '' - List of custom TCP ports to open in the firewall. - ''; - }; - - options.extraAllowedUDPPorts = mkOption { - type = types.listOf types.port; - default = [ ]; - example = [ 53 ]; - description = '' - List of custom UDP ports to open in the firewall. - ''; - }; - config = { networking.networkmanager.enable = true; networking.useDHCP = mkDefault true; networking.firewall.enable = true; - networking.firewall.allowedTCPPorts = config.extraAllowedTCPPorts; - networking.firewall.allowedUDPPorts = config.extraAllowedUDPPorts; }; } diff --git a/modules/server/default.nix b/modules/server/default.nix index fd360ce..14d81f4 100644 --- a/modules/server/default.nix +++ b/modules/server/default.nix @@ -1,5 +1,6 @@ { imports = [ + ../common ./network.nix ./nginx.nix ]; diff --git a/modules/server/network.nix b/modules/server/network.nix index 7bb13a6..ae06ce3 100644 --- a/modules/server/network.nix +++ b/modules/server/network.nix 
@@ -1,14 +1,8 @@ { lib, config, ... }: with lib; { - options.server.networking.enableSSH = mkOption { - type = types.bool; - default = true; - example = false; - }; - config = { - services.openssh = mkIf config.server.networking.enableSSH { + services.openssh = { enable = true; settings = { StrictModes = true; @@ -21,7 +15,7 @@ with lib; networking.firewall.allowedTCPPorts = [ (mkIf config.services.nginx.enable 80) (mkIf config.services.nginx.enable 443) - (mkIf config.server.networking.enableSSH 22) + (mkIf config.services.openssh.enable 22) ]; }; } diff --git a/modules/workstation/default.nix b/modules/workstation/default.nix index ef5f110..53e0d81 100644 --- a/modules/workstation/default.nix +++ b/modules/workstation/default.nix @@ -2,7 +2,7 @@ lib, config, pkgs, - machineInfos, + machineProps, sopsHmModule, ... }: @@ -10,6 +10,7 @@ with lib; { imports = [ + ../common ./sound.nix ./desktop.nix ./bluetooth.nix @@ -25,7 +26,7 @@ with lib; }; config = { - enableHomeManager = machineInfos.enableHomeManager; + enableHomeManager = machineProps.enableHomeManager; home-manager.useGlobalPkgs = mkIf config.enableHomeManager true; home-manager.useUserPackages = mkIf config.enableHomeManager true; @@ -43,7 +44,7 @@ with lib; { home.username = name; home.homeDirectory = "/home/${name}"; - home.stateVersion = machineInfos.stateVersion; + home.stateVersion = machineProps.stateVersion; programs.home-manager.enable = true; enableFishShell = value.shell == pkgs.fish; isProfessional = config.isProfessional;