13 changed files with 90 additions and 175 deletions
--- a/common/default.nix
+++ b/common/default.nix
@ -11,8 +11,6 @@
    ./pc
  ];
  nix.flakes.enable = true;
  system.stateVersion = "21.11";
  networking.useDHCP = false;
--- a/common/pia.nix
+++ b/common/pia.nix
@ -85,7 +85,7 @@ YDQ8z9v+DMO6iwyIDRiU
 </ca>
 disable-occ
-auth-user-pass /run/agenix/pia-login.conf
+auth-user-pass /run/secrets/pia-login.conf
          '';
          autoStart = true;
 #          up = "echo nameserver $nameserver | ${pkgs.openresolv}/sbin/resolvconf -m 0 -a $dev";
--- a/common/server/default.nix
+++ b/common/server/default.nix
@ -12,6 +12,5 @@
    ./gitea.nix
    ./privatebin/privatebin.nix
    ./radio.nix
    ./samba.nix
  ];
 }
--- a/common/server/samba.nix
+++ b/common/server/samba.nix
@ -1,88 +0,0 @@
 { config, lib, pkgs, ... }:
 {
  config = lib.mkIf config.services.samba.enable {
    services.samba = {
      openFirewall = true;
      package = pkgs.sambaFull; # printer sharing
      securityType = "user";
      # should this be on?
      nsswins = true;
      extraConfig = ''
        workgroup = HOME
        server string = smbnix
        netbios name = smbnix
        security = user 
        use sendfile = yes
        min protocol = smb2
        guest account = nobody
        map to guest = bad user
        # printing
        load printers = yes
        printing = cups
        printcap name = cups
      '';
      shares = {
        public = {
          path = "/data/samba/Public";
          browseable = "yes";
          "read only" = "no";
          "guest ok" = "yes";
          "create mask" = "0644";
          "directory mask" = "0755";
          "force user" = "googlebot";
          "force group" = "public_data";
        };
        private = {
          path = "/data/samba/Private";
          browseable = "yes";
          "read only" = "no";
          "guest ok" = "no";
          "create mask" = "0644";
          "directory mask" = "0755";
          "force user" = "googlebot";
          "force group" = "users";
        };
        printers = {
          comment = "All Printers";
          path = "/var/spool/samba";
          public = "yes";
          browseable = "yes";
          # to allow user 'guest account' to print.
          "guest ok" = "yes";
          writable = "no";
          printable = "yes";
          "create mode" = 0700;
        };
      };
    };
    # Windows discovery of samba server
    services.samba-wsdd = {
      enable = true;
      # are these needed?
      workgroup = "HOME";
      hoplimit = 3;
      discovery = true;
    };
    networking.firewall.allowedTCPPorts = [ 5357 ];
    networking.firewall.allowedUDPPorts = [ 3702 ];
    # Printer discovery
    # (is this needed?)
    services.avahi.enable = true;
    services.avahi.nssmdns = true;
    # printer sharing
    systemd.tmpfiles.rules = [
      "d /var/spool/samba 1777 root root -"
    ];
    users.groups.public_data = {};
  };
 }
--- a/flake.nix
+++ b/flake.nix
@ -36,64 +36,25 @@
    nixosConfigurations =
    let
      nixpkgs = inputs.nixpkgs;
      modules = [
        ./common
        inputs.simple-nixos-mailserver.nixosModule
        inputs.agenix.nixosModule
        inputs.dailybuild_modules.nixosModule
        inputs.archivebox.nixosModule
        ({ lib, ... }: {
          config.environment.systemPackages = [ inputs.agenix.defaultPackage.${system} ];
          # because nixos specialArgs doesn't work for containers... need to pass in inputs a different way
          options.inputs = lib.mkOption { default = inputs; };
          options.currentSystem = lib.mkOption { default = system; };
        })
      ];
      mkVpnContainer = container_config: {
        ephemeral = true;
        autoStart = true;
        bindMounts = {
          "/var/lib" = {
            hostPath = "/var/lib/";
            isReadOnly = false;
          };
          "/run/agenix" = {
            hostPath = "/run/agenix";
            isReadOnly = true;
          };
          "/dev/fuse" = {
            hostPath = "/dev/fuse";
            isReadOnly = false;
          };
        };
        enableTun = true;
        privateNetwork = true;
        hostAddress = "172.16.100.1";
        localAddress = "172.16.100.2";
        config = { config, pkgs, lib, ... }: {
          imports = modules ++ [container_config];
          networking.firewall.enable = lib.mkForce false;
          pia.enable = true;
          # run it's own DNS resolver
          networking.useHostResolvConf = false;
          services.resolved.enable = true;
        };
      };
      mkSystem = system: nixpkgs: path:
        nixpkgs.lib.nixosSystem {
          inherit system;
-          modules = [path] ++ modules;
+          modules = [
-
+            path
-          specialArgs = {
+            ./common
-            inherit mkVpnContainer;
+            inputs.simple-nixos-mailserver.nixosModule
-          };
+            inputs.agenix.nixosModule
            inputs.dailybuild_modules.nixosModule
            inputs.archivebox.nixosModule
            ({ lib, ... }: {
              config.environment.systemPackages = [ inputs.agenix.defaultPackage.${system} ];
              # because nixos specialArgs doesn't work for containers... need to pass in inputs a different way
              options.inputs = lib.mkOption { default = inputs; };
              options.currentSystem = lib.mkOption { default = system; };
            })
          ];
          # specialArgs = {};
        };
    in
    {
--- a/machines/compute/common.nix
+++ b/machines/compute/common.nix
@ -13,6 +13,8 @@
    };
  };
  nix.flakes.enable = true;
  system.autoUpgrade.enable = true;
  networking.interfaces.eth0.useDHCP = true;
--- a/machines/liza/configuration.nix
+++ b/machines/liza/configuration.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, mkVpnContainer, ... }:
+{ config, pkgs, lib, ... }:
 let
  mta-sts-web = {
@ -18,6 +18,8 @@ in {
  # 5synsrjgvfzywruomjsfvfwhhlgxqhyofkzeqt2eisyijvjvebnu2xyd.onion
  nix.flakes.enable = true;
  firmware.x86_64.enable = true;
  bios = {
    enable = true;
@ -48,19 +50,19 @@ in {
    listenWeb = 443;
    enableWebHttps = true;
    # dataDirs
-    serviceEnvironmentFile = "/run/agenix/peertube-init";
+    serviceEnvironmentFile = "/run/secrets/peertube-init";
    # settings
    database = {
      createLocally = true;
-      passwordFile = "/run/agenix/peertube-db-pw";
+      passwordFile = "/run/secrets/peertube-db-pw";
    };
    redis = {
      createLocally = true;
-      passwordFile = "/run/agenix/peertube-redis-pw";
+      passwordFile = "/run/secrets/peertube-redis-pw";
    };
    smtp = {
      createLocally = false;
-      passwordFile = "/run/agenix/peertube-smtp";
+      passwordFile = "/run/secrets/peertube-smtp";
    };
  };
  services.nginx.virtualHosts."tube.neet.space" = {
@ -79,7 +81,7 @@ in {
  services.searx = {
    enable = true;
-    environmentFile = "/run/agenix/searx";
+    environmentFile = "/run/secrets/searx";
    settings = {
      server.port = 43254;
      server.secret_key = "@SEARX_SECRET_KEY@";
@ -121,12 +123,57 @@ in {
  };
  # wrap radio in a VPN
-  containers.vpn-container = mkVpnContainer {
+  containers.vpn-continer = {
-    services.radio = {
+    ephemeral = true;
-      enable = true;
+    autoStart = true;
-      host = "radio.neet.space";
+    bindMounts = {
      "/var/lib" = {
        hostPath = "/var/lib/";
        isReadOnly = false;
      };
      "/run/secrets" = {
        hostPath = "/run/secrets";
        isReadOnly = true;
      };
      "/dev/fuse" = {
        hostPath = "/dev/fuse";
        isReadOnly = false;
      };
    };
    enableTun = true;
    privateNetwork = true;
    hostAddress = "172.16.100.1";
    localAddress = "172.16.100.2";
    config = {
      imports = [
        ../../common
        config.inputs.agenix.nixosModules.age
      ];
      # because nixos specialArgs doesn't work for containers... need to pass in inputs a different way
      options.inputs = lib.mkOption { default = config.inputs; };
      options.currentSystem = lib.mkOption { default = config.currentSystem; };
      config = {
        pia.enable = true;
        nixpkgs.pkgs = pkgs;
        networking.firewall.enable = false;
        # run it's own DNS resolver
        networking.useHostResolvConf = false;
        services.resolved.enable = true;
        services.radio = {
          enable = true;
          host = "radio.neet.space";
        };
      };
    };
  };
  # load the secret on behalf of the container
  age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
  services.drastikbot = {
    enable = true;
@ -203,7 +250,7 @@ in {
    ];
    loginAccounts = {
      "jeremy@runyan.org" = {
-        hashedPasswordFile = "/run/agenix/email-pw";
+        hashedPasswordFile = "/run/secrets/email-pw";
        aliases = [
          "@neet.space" "@neet.cloud" "@neet.dev"
          "@runyan.org" "@runyan.rocks"
@ -236,7 +283,7 @@ in {
    hostName = "neet.cloud";
    config.dbtype = "sqlite";
    config.adminuser = "jeremy";
-    config.adminpassFile = "/run/agenix/nextcloud-pw";
+    config.adminpassFile = "/run/secrets/nextcloud-pw";
    autoUpdateApps.enable = true;
  };
  age.secrets.nextcloud-pw = {
@ -253,7 +300,7 @@ in {
    enable = true;
    ip = "192.168.99.1";
    domain = "tun.neet.dev";
-    passwordFile = "/run/agenix/iodine";
+    passwordFile = "/run/secrets/iodine";
  };
  age.secrets.iodine.file = ../../secrets/iodine.age;
  networking.firewall.allowedUDPPorts = [ 53 ];
--- a/machines/nat/configuration.nix
+++ b/machines/nat/configuration.nix
@ -5,6 +5,8 @@
    ./hardware-configuration.nix
  ];
  nix.flakes.enable = true;
  efi.enable = true;
  networking.hostName = "nat";
--- a/machines/neet.dev/configuration.nix
+++ b/machines/neet.dev/configuration.nix
@ -7,6 +7,8 @@
  # wt6nczjfvtba6pvjt2qtevwjpq4gcbz46bwjz4hboehgecyqmzqgwnqd.onion
  nix.flakes.enable = true;
  firmware.x86_64.enable = true;
  bios = {
    enable = true;
--- a/machines/ray/configuration.nix
+++ b/machines/ray/configuration.nix
@ -9,6 +9,8 @@
    ./nvidia.nix
  ];
  nix.flakes.enable = true;
  firmware.x86_64.enable = true;
  efi.enable = true;
--- a/machines/reg/configuration.nix
+++ b/machines/reg/configuration.nix
@ -9,6 +9,8 @@
  boot.kernelPackages = pkgs.linuxPackages_5_12;
  nix.flakes.enable = true;
  firmware.x86_64.enable = true;
  efi.enable = true;
--- a/machines/storage/s0/configuration.nix
+++ b/machines/storage/s0/configuration.nix
@ -8,6 +8,8 @@
  # nsw2zwifzyl42mbhabayjo42b2kkq3wd3dqyl6efxsz6pvmgm5cup5ad.onion
  nix.flakes.enable = true;
  networking.hostName = "s0";
  boot.loader.grub.enable = false;
@ -24,13 +26,4 @@
  users.users.googlebot.packages = with pkgs; [
    bcachefs-tools
  ];
  services.samba.enable = true;
  services.plex = {
    enable = true;
    openFirewall = true;
    dataDir = "/data/plex";
  };
  users.users.${config.services.plex.user}.extraGroups = [ "public_data" ];
 }
--- a/machines/storage/s0/hardware-configuration.nix
+++ b/machines/storage/s0/hardware-configuration.nix
@ -33,12 +33,7 @@
      fsType = "vfat";
    };
-  swapDevices = [
+  swapDevices = [ ];
    {
      device = "/dev/mmcblk1p2";
      randomEncryption.enable = true;
    }
  ];
  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
  # Per-interface useDHCP will be mandatory in the future, so this generated config