diff --git a/common/default.nix b/common/default.nix
index 2bad15e..9df144c 100644
--- a/common/default.nix
+++ b/common/default.nix
@@ -11,6 +11,8 @@ ./pc ]; + nix.flakes.enable = true; + system.stateVersion = "21.11"; networking.useDHCP = false;
diff --git a/common/pia.nix b/common/pia.nix
index a127c18..c13ad51 100644
--- a/common/pia.nix
+++ b/common/pia.nix
@@ -85,7 +85,7 @@ YDQ8z9v+DMO6iwyIDRiU disable-occ -auth-user-pass /run/secrets/pia-login.conf +auth-user-pass /run/agenix/pia-login.conf ''; autoStart = true; # up = "echo nameserver $nameserver | ${pkgs.openresolv}/sbin/resolvconf -m 0 -a $dev";
diff --git a/flake.nix b/flake.nix
index 5471b87..138e367 100644
--- a/flake.nix
+++ b/flake.nix
@@ -36,25 +36,64 @@ nixosConfigurations = let nixpkgs = inputs.nixpkgs; + + modules = [ + ./common + inputs.simple-nixos-mailserver.nixosModule + inputs.agenix.nixosModule + inputs.dailybuild_modules.nixosModule + inputs.archivebox.nixosModule + ({ lib, ... }: { + config.environment.systemPackages = [ inputs.agenix.defaultPackage.${system} ]; + + # because nixos specialArgs doesn't work for containers... need to pass in inputs a different way + options.inputs = lib.mkOption { default = inputs; }; + options.currentSystem = lib.mkOption { default = system; }; + }) + ]; + + mkVpnContainer = container_config: { + ephemeral = true; + autoStart = true; + bindMounts = { + "/var/lib" = { + hostPath = "/var/lib/"; + isReadOnly = false; + }; + "/run/agenix" = { + hostPath = "/run/agenix"; + isReadOnly = true; + }; + "/dev/fuse" = { + hostPath = "/dev/fuse"; + isReadOnly = false; + }; + }; + enableTun = true; + privateNetwork = true; + hostAddress = "172.16.100.1"; + localAddress = "172.16.100.2"; + + config = { config, pkgs, lib, ... }: { + imports = modules ++ [container_config]; + + networking.firewall.enable = lib.mkForce false; + pia.enable = true; + + # run it's own DNS resolver + networking.useHostResolvConf = false; + services.resolved.enable = true; + }; + }; + mkSystem = system: nixpkgs: path: nixpkgs.lib.nixosSystem { inherit system; - modules = [ - path - ./common - inputs.simple-nixos-mailserver.nixosModule - inputs.agenix.nixosModule - inputs.dailybuild_modules.nixosModule - inputs.archivebox.nixosModule - ({ lib, ... }: { - config.environment.systemPackages = [ inputs.agenix.defaultPackage.${system} ]; - - # because nixos specialArgs doesn't work for containers... need to pass in inputs a different way - options.inputs = lib.mkOption { default = inputs; }; - options.currentSystem = lib.mkOption { default = system; }; - }) - ]; - # specialArgs = {}; + modules = [path] ++ modules; + + specialArgs = { + inherit mkVpnContainer; + }; }; in { 
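Review bot: `modules` now references `system` (in `inputs.agenix.defaultPackage.${system}` and `options.currentSystem`) from the `let` that precedes `mkSystem`, but in the removed code `system` was `mkSystem`'s own parameter; unless an outer `system` binding exists above this hunk, evaluation fails on an undefined variable, and if one does exist, the `system` passed to `mkSystem` is silently ignored by these modules and by every container built with `mkVpnContainer`. Making it explicit avoids both cases, e.g. `mkModules = system: [ ... ];` and, inside `mkSystem`, `modules = [path] ++ mkModules system;`. On least privilege, the read-only `/run/agenix` bind mount hands the container every secret the host decrypts — the peertube, searx, email, nextcloud and iodine files renamed elsewhere in this diff — although the container only needs `pia-login.conf`; a single-file mount `"/run/agenix/pia-login.conf" = { hostPath = "/run/agenix/pia-login.conf"; isReadOnly = true; };` would limit that, assuming nspawn resolves the host path the same way it does for the directory (worth a test). `networking.firewall.enable = lib.mkForce false` together with `enableTun` means whatever `container_config` listens on is reachable from the VPN side as well as from the host veth, so either a comment stating that this is intended or keeping the firewall on with just the service ports opened would be clearer; `mkVpnContainer` would also benefit from a header comment stating that its argument is a NixOS module merged after `modules`, and "run it's own" should read "runs its own". The `nixosConfigurations = let ... in { ... }` expression this hunk edits starts and ends outside it.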
diff --git a/machines/compute/common.nix b/machines/compute/common.nix
index 6edb628..cd51b68 100644
--- a/machines/compute/common.nix
+++ b/machines/compute/common.nix
@@ -13,8 +13,6 @@ }; }; - nix.flakes.enable = true; - system.autoUpgrade.enable = true; networking.interfaces.eth0.useDHCP = true;
diff --git a/machines/liza/configuration.nix b/machines/liza/configuration.nix
index 8824ed7..b5be44c 100644
--- a/machines/liza/configuration.nix
+++ b/machines/liza/configuration.nix
@@ -1,4 +1,4 @@ -{ config, pkgs, lib, ... }: +{ config, pkgs, lib, mkVpnContainer, ... }: let mta-sts-web = {
@@ -18,8 +18,6 @@ in { # 5synsrjgvfzywruomjsfvfwhhlgxqhyofkzeqt2eisyijvjvebnu2xyd.onion - nix.flakes.enable = true; - firmware.x86_64.enable = true; bios = { enable = true;
@@ -50,19 +48,19 @@ in { listenWeb = 443; enableWebHttps = true; # dataDirs - serviceEnvironmentFile = "/run/secrets/peertube-init"; + serviceEnvironmentFile = "/run/agenix/peertube-init"; # settings database = { createLocally = true; - passwordFile = "/run/secrets/peertube-db-pw"; + passwordFile = "/run/agenix/peertube-db-pw"; }; redis = { createLocally = true; - passwordFile = "/run/secrets/peertube-redis-pw"; + passwordFile = "/run/agenix/peertube-redis-pw"; }; smtp = { createLocally = false; - passwordFile = "/run/secrets/peertube-smtp"; + passwordFile = "/run/agenix/peertube-smtp"; }; }; services.nginx.virtualHosts."tube.neet.space" = {
@@ -81,7 +79,7 @@ in { services.searx = { enable = true; - environmentFile = "/run/secrets/searx"; + environmentFile = "/run/agenix/searx"; settings = { server.port = 43254; server.secret_key = "@SEARX_SECRET_KEY@";
@@ -123,57 +121,12 @@ in { }; # wrap radio in a VPN - containers.vpn-continer = { - ephemeral = true; - autoStart = true; - bindMounts = { - "/var/lib" = { - hostPath = "/var/lib/"; - isReadOnly = false; - }; - "/run/secrets" = { - hostPath = "/run/secrets"; - isReadOnly = true; - }; - "/dev/fuse" = { - hostPath = "/dev/fuse"; - isReadOnly = false; - }; - }; - enableTun = true; - privateNetwork = true; - hostAddress = "172.16.100.1"; - localAddress = "172.16.100.2"; - - config = { - imports = [ - ../../common - config.inputs.agenix.nixosModules.age - ]; - - # because nixos specialArgs doesn't work for containers... need to pass in inputs a different way - options.inputs = lib.mkOption { default = config.inputs; }; - options.currentSystem = lib.mkOption { default = config.currentSystem; }; - - config = { - pia.enable = true; - nixpkgs.pkgs = pkgs; - - networking.firewall.enable = false; - - # run it's own DNS resolver - networking.useHostResolvConf = false; - services.resolved.enable = true; - - services.radio = { - enable = true; - host = "radio.neet.space"; - }; - }; + containers.vpn-container = mkVpnContainer { + services.radio = { + enable = true; + host = "radio.neet.space"; }; }; - # load the secret on behalf of the container - age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf; services.drastikbot = { enable = true;
@@ -250,7 +203,7 @@ in { ]; loginAccounts = { "jeremy@runyan.org" = { - hashedPasswordFile = "/run/secrets/email-pw"; + hashedPasswordFile = "/run/agenix/email-pw"; aliases = [ "@neet.space" "@neet.cloud" "@neet.dev" "@runyan.org" "@runyan.rocks"
@@ -283,7 +236,7 @@ in { hostName = "neet.cloud"; config.dbtype = "sqlite"; config.adminuser = "jeremy"; - config.adminpassFile = "/run/secrets/nextcloud-pw"; + config.adminpassFile = "/run/agenix/nextcloud-pw"; autoUpdateApps.enable = true; }; age.secrets.nextcloud-pw = {
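Review bot: The host-side `age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;` line is removed from liza without a visible replacement, yet the container still consumes that secret: the `common/pia.nix` hunk points OpenVPN at `/run/agenix/pia-login.conf`, which only exists inside the container through the read-only `/run/agenix` bind mount of the host's decrypted secrets. Unless `common/pia.nix` (only partly shown) declares the `age.secrets` entry itself on the host, nothing decrypts the file any more and the VPN container will fail at start; if it is declared there, a one-line comment such as `# pia-login.conf is declared by common/pia.nix and reaches the container via the /run/agenix bind mount` would save the next reader the same search. The removed block also set `nixpkgs.pkgs = pkgs;` so the container reused the host's package set, while `mkVpnContainer` does not; if `./common` does not pin `nixpkgs.config` and overlays, the container now evaluates a second nixpkgs with default settings, which is worth confirming. The enclosing `in { ... }` attribute set starts and ends outside this hunk.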
@@ -300,7 +253,7 @@ in { enable = true; ip = "192.168.99.1"; domain = "tun.neet.dev"; - passwordFile = "/run/secrets/iodine"; + passwordFile = "/run/agenix/iodine"; }; age.secrets.iodine.file = ../../secrets/iodine.age; networking.firewall.allowedUDPPorts = [ 53 ];
diff --git a/machines/nat/configuration.nix b/machines/nat/configuration.nix
index 5ef6006..5a9a832 100644
--- a/machines/nat/configuration.nix
+++ b/machines/nat/configuration.nix
@@ -5,8 +5,6 @@ ./hardware-configuration.nix ]; - nix.flakes.enable = true; - efi.enable = true; networking.hostName = "nat";
diff --git a/machines/neet.dev/configuration.nix b/machines/neet.dev/configuration.nix
index a6deb27..609e4b9 100644
--- a/machines/neet.dev/configuration.nix
+++ b/machines/neet.dev/configuration.nix
@@ -7,8 +7,6 @@ # wt6nczjfvtba6pvjt2qtevwjpq4gcbz46bwjz4hboehgecyqmzqgwnqd.onion - nix.flakes.enable = true; - firmware.x86_64.enable = true; bios = { enable = true;
diff --git a/machines/ray/configuration.nix b/machines/ray/configuration.nix
index 726b372..fbd523c 100644
--- a/machines/ray/configuration.nix
+++ b/machines/ray/configuration.nix
@@ -9,8 +9,6 @@ ./nvidia.nix ]; - nix.flakes.enable = true; - firmware.x86_64.enable = true; efi.enable = true;
diff --git a/machines/reg/configuration.nix b/machines/reg/configuration.nix
index d8a4700..10e8127 100644
--- a/machines/reg/configuration.nix
+++ b/machines/reg/configuration.nix
@@ -9,8 +9,6 @@ boot.kernelPackages = pkgs.linuxPackages_5_12; - nix.flakes.enable = true; - firmware.x86_64.enable = true; efi.enable = true;
diff --git a/machines/storage/s0/configuration.nix b/machines/storage/s0/configuration.nix
index d73db84..5d811ad 100644
--- a/machines/storage/s0/configuration.nix
+++ b/machines/storage/s0/configuration.nix
@@ -8,8 +8,6 @@ # nsw2zwifzyl42mbhabayjo42b2kkq3wd3dqyl6efxsz6pvmgm5cup5ad.onion - nix.flakes.enable = true; - networking.hostName = "s0"; boot.loader.grub.enable = false;