
2 Commits

e72e19b7e8 Fix auto upgrade 2023-04-21 18:58:54 -06:00
03603119e5 Fix invalid import issue. 2023-04-21 18:57:06 -06:00
4 changed files with 104 additions and 86 deletions


@ -9,7 +9,7 @@ in
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
system.autoUpgrade = { system.autoUpgrade = {
flake = "git+https://git.neet.dev/zuckerberg/nix-config.git"; flake = "git+https://git.neet.dev/zuckerberg/nix-config.git";
flags = [ "--recreate-lock-file" ]; # ignore lock file, just pull the latest flags = [ "--recreate-lock-file" "--no-write-lock-file" ]; # ignore lock file, just pull the latest
}; };
}; };
} }
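Review bot: With `--recreate-lock-file` and the newly added `--no-write-lock-file` together, every automatic upgrade resolves all flake inputs to their current upstream tips and then discards the resolved lock, so nothing on the host records which nixpkgs or other input revisions were actually deployed. The comment on the flags line says only `# ignore lock file, just pull the latest`; it should also state the consequence, e.g. `# inputs float to upstream HEAD on every run and the resolved lock is discarded; keep the nix flake metadata output if you need to know what was deployed`. If reproducibility or rollback auditing of upgrades matters, committing a lock file to the remote flake and dropping `--recreate-lock-file` is the alternative worth weighing.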


@ -12,100 +12,110 @@ in
./roles.nix ./roles.nix
]; ];
options.machines.hosts = lib.mkOption { options.machines = {
type = lib.types.attrsOf # For some reason (presumably a bug), using the best value of "../../machines"
(lib.types.submodule { # as the path causes nix to search for invalid paths for flake imports but *not*
options = { # secrets.nix for agenix.
machinesPath = lib.mkOption {
type = lib.types.path;
default = ../..;
};
hostNames = lib.mkOption { hosts = lib.mkOption {
type = lib.types.listOf lib.types.str; type = lib.types.attrsOf
description = '' (lib.types.submodule {
List of hostnames for this machine. The first one is the default so it is the target of deployments. options = {
Used for automatically trusting hosts for ssh connections.
'';
};
arch = lib.mkOption { hostNames = lib.mkOption {
type = lib.types.enum [ "x86_64-linux" "aarch64-linux" ]; type = lib.types.listOf lib.types.str;
description = '' description = ''
The architecture of this machine. List of hostnames for this machine. The first one is the default so it is the target of deployments.
''; Used for automatically trusting hosts for ssh connections.
}; '';
};
systemRoles = lib.mkOption { arch = lib.mkOption {
type = lib.types.listOf lib.types.str; # TODO: maybe use an enum? type = lib.types.enum [ "x86_64-linux" "aarch64-linux" ];
description = '' description = ''
The set of roles this machine holds. Affects secrets available. (TODO add service config as well using this info) The architecture of this machine.
''; '';
}; };
hostKey = lib.mkOption { systemRoles = lib.mkOption {
type = lib.types.str; type = lib.types.listOf lib.types.str; # TODO: maybe use an enum?
description = '' description = ''
The system ssh host key of this machine. Used for automatically trusting hosts for ssh connections The set of roles this machine holds. Affects secrets available. (TODO add service config as well using this info)
and for decrypting secrets with agenix. '';
''; };
};
remoteUnlock = lib.mkOption { hostKey = lib.mkOption {
default = null; type = lib.types.str;
type = lib.types.nullOr (lib.types.submodule { description = ''
options = { The system ssh host key of this machine. Used for automatically trusting hosts for ssh connections
and for decrypting secrets with agenix.
'';
};
remoteUnlock = lib.mkOption {
default = null;
type = lib.types.nullOr (lib.types.submodule {
options = {
hostKey = lib.mkOption {
type = lib.types.str;
description = ''
The system ssh host key of this machine used for luks boot unlocking only.
'';
};
clearnetHost = lib.mkOption {
default = null;
type = lib.types.nullOr lib.types.str;
description = ''
The hostname resolvable over clearnet used to luks boot unlock this machine
'';
};
onionHost = lib.mkOption {
default = null;
type = lib.types.nullOr lib.types.str;
description = ''
The hostname resolvable over tor used to luks boot unlock this machine
'';
};
hostKey = lib.mkOption {
type = lib.types.str;
description = ''
The system ssh host key of this machine used for luks boot unlocking only.
'';
}; };
});
};
clearnetHost = lib.mkOption { userKeys = lib.mkOption {
default = null; default = [ ];
type = lib.types.nullOr lib.types.str; type = lib.types.listOf lib.types.str;
description = '' description = ''
The hostname resolvable over clearnet used to luks boot unlock this machine The list of user keys. Each key here can be used to log into all other systems as `googlebot`.
'';
};
onionHost = lib.mkOption { TODO: consider auto populating other programs that use ssh keys such as gitea
default = null; '';
type = lib.types.nullOr lib.types.str; };
description = ''
The hostname resolvable over tor used to luks boot unlock this machine deployKeys = lib.mkOption {
''; default = [ ];
}; type = lib.types.listOf lib.types.str;
description = ''
The list of deployment keys. Each key here can be used to log into all other systems as `root`.
'';
};
configurationPath = lib.mkOption {
type = lib.types.path;
description = ''
The path to this machine's configuration directory.
'';
};
};
});
}; };
});
userKeys = lib.mkOption { };
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
The list of user keys. Each key here can be used to log into all other systems as `googlebot`.
TODO: consider auto populating other programs that use ssh keys such as gitea
'';
};
deployKeys = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
The list of deployment keys. Each key here can be used to log into all other systems as `root`.
'';
};
configurationPath = lib.mkOption {
type = lib.types.path;
description = ''
The path to this machine's configuration directory.
'';
};
};
});
}; };
config = { config = {
@ -193,6 +203,6 @@ in
in in
lib.concatMap (d: propertiesFiles' "${dir}/${d}" d) dirPaths ++ builtins.map (p: { "${dirName}" = p; }) propFiles; lib.concatMap (d: propertiesFiles' "${dir}/${d}" d) dirPaths ++ builtins.map (p: { "${dirName}" = p; }) propFiles;
in in
properties ../../machines; properties config.machines.machinesPath;
}; };
} }
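Review bot: The new `machinesPath` option (`machinesPath = lib.mkOption { type = lib.types.path; default = ../..; };`) is the only option in this module without a `description`, even though it now decides where `properties` reads machine definitions from (`properties config.machines.machinesPath;` in the second hunk). Suggest `description = ''Directory that machine definitions are read from. The default ../.. is relative to this module file; callers importing through a flake should pass the path explicitly.'';` — the second sentence follows from the comment above the option about flake imports and should be confirmed against the failing case. That comment's phrase about "using the best value of ../../machines" does not say what expression actually failed; naming it would save the next reader from rediscovering the bug. The `properties` helper that consumes the option is defined outside the hunk.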


@ -2,6 +2,7 @@
{ nixpkgs ? import <nixpkgs> { } { nixpkgs ? import <nixpkgs> { }
, assertionsModule ? <nixpkgs/nixos/modules/misc/assertions.nix> , assertionsModule ? <nixpkgs/nixos/modules/misc/assertions.nix>
, machinesPath ? null
}: }:
{ {
@ -10,6 +11,11 @@
modules = [ modules = [
./default.nix ./default.nix
assertionsModule assertionsModule
{
config = nixpkgs.lib.mkIf (machinesPath != null) {
machines.machinesPath = machinesPath;
};
}
]; ];
}).config.machines; }).config.machines;
} }
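Review bot: The new `machinesPath ? null` argument has no comment explaining why a caller would pass it, which matters because a missing or wrong value falls back silently to the module default through `nixpkgs.lib.mkIf (machinesPath != null)`. Suggest `# Directory holding the per-machine definitions; null leaves the module default in place.` beside the argument. The five-line inline module could also be a single attribute, `{ machines.machinesPath = nixpkgs.lib.mkIf (machinesPath != null) machinesPath; }`, which behaves the same and keeps the modules list flat.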


@ -1,6 +1,8 @@
let let
lib = (import <nixpkgs> { }).lib; lib = (import <nixpkgs> { }).lib;
sshKeys = (import ../common/machine-info/moduleless.nix { }).machines.ssh; sshKeys = (import ../common/machine-info/moduleless.nix {
machinesPath = ../machines;
}).machines.ssh;
# add userkeys to all roles so that I can r/w the secrets from my personal computers # add userkeys to all roles so that I can r/w the secrets from my personal computers
roles = lib.mapAttrs (role: hosts: hosts ++ sshKeys.userKeys) sshKeys.hostKeysByRole; roles = lib.mapAttrs (role: hosts: hosts ++ sshKeys.userKeys) sshKeys.hostKeysByRole;