zuckerberg/nix-config
zuckerberg/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Activity

Compare commits

base: zuckerberg:e72e19b7e82e79aa0b7a10894906c82bced33fb8
Branches Tags
zuckerberg:master
zuckerberg:stage
zuckerberg:rpi-hotspot
zuckerberg:attic
zuckerberg:kexec_luks2
zuckerberg:pia-client
..
compare: zuckerberg:71baa09bd2a17919aa62c4678187ebba28b925a4
Branches Tags
zuckerberg:stage
zuckerberg:master
zuckerberg:rpi-hotspot
zuckerberg:attic
zuckerberg:kexec_luks2
zuckerberg:pia-client

No commits in common. "e72e19b7e82e79aa0b7a10894906c82bced33fb8" and "71baa09bd2a17919aa62c4678187ebba28b925a4" have entirely different histories.
e72e19b7e8 ... 71baa09bd2

4 changed files with 95 additions and 113 deletions
Show Stats Expand all files Collapse all files

2
common/auto-update.nix
View File

@ -9,7 +9,7 @@ in
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
system.autoUpgrade = { system.autoUpgrade = {
flake = "git+https://git.neet.dev/zuckerberg/nix-config.git"; flake = "git+https://git.neet.dev/zuckerberg/nix-config.git";
flags = [ "--recreate-lock-file" "--no-write-lock-file" ]; # ignore lock file, just pull the latest flags = [ "--recreate-lock-file" ]; # ignore lock file, just pull the latest
}; };
}; };
} }

196
common/machine-info/default.nix
View File

@ -12,110 +12,100 @@ in
./roles.nix ./roles.nix
]; ];
options.machines = { options.machines.hosts = lib.mkOption {
# For some reason (presumably a bug), using the best value of "../../machines" type = lib.types.attrsOf
# as the path causes nix to search for invalid paths for flake imports but *not* (lib.types.submodule {
# secrets.nix for agenix. options = {
machinesPath = lib.mkOption {
type = lib.types.path;
default = ../..;
};
hosts = lib.mkOption {
type = lib.types.attrsOf
(lib.types.submodule {
options = {
hostNames = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = ''
List of hostnames for this machine. The first one is the default so it is the target of deployments.
Used for automatically trusting hosts for ssh connections.
'';
};
arch = lib.mkOption {
type = lib.types.enum [ "x86_64-linux" "aarch64-linux" ];
description = ''
The architecture of this machine.
'';
};
systemRoles = lib.mkOption {
type = lib.types.listOf lib.types.str; # TODO: maybe use an enum?
description = ''
The set of roles this machine holds. Affects secrets available. (TODO add service config as well using this info)
'';
};
hostKey = lib.mkOption {
type = lib.types.str;
description = ''
The system ssh host key of this machine. Used for automatically trusting hosts for ssh connections
and for decrypting secrets with agenix.
'';
};
remoteUnlock = lib.mkOption {
default = null;
type = lib.types.nullOr (lib.types.submodule {
options = {
hostKey = lib.mkOption {
type = lib.types.str;
description = ''
The system ssh host key of this machine used for luks boot unlocking only.
'';
};
clearnetHost = lib.mkOption {
default = null;
type = lib.types.nullOr lib.types.str;
description = ''
The hostname resolvable over clearnet used to luks boot unlock this machine
'';
};
onionHost = lib.mkOption {
default = null;
type = lib.types.nullOr lib.types.str;
description = ''
The hostname resolvable over tor used to luks boot unlock this machine
'';
};
};
});
};
userKeys = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
The list of user keys. Each key here can be used to log into all other systems as `googlebot`.
TODO: consider auto populating other programs that use ssh keys such as gitea
'';
};
deployKeys = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
The list of deployment keys. Each key here can be used to log into all other systems as `root`.
'';
};
configurationPath = lib.mkOption {
type = lib.types.path;
description = ''
The path to this machine's configuration directory.
'';
};
hostNames = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = ''
List of hostnames for this machine. The first one is the default so it is the target of deployments.
Used for automatically trusting hosts for ssh connections.
'';
}; };
});
}; arch = lib.mkOption {
type = lib.types.enum [ "x86_64-linux" "aarch64-linux" ];
description = ''
The architecture of this machine.
'';
};
systemRoles = lib.mkOption {
type = lib.types.listOf lib.types.str; # TODO: maybe use an enum?
description = ''
The set of roles this machine holds. Affects secrets available. (TODO add service config as well using this info)
'';
};
hostKey = lib.mkOption {
type = lib.types.str;
description = ''
The system ssh host key of this machine. Used for automatically trusting hosts for ssh connections
and for decrypting secrets with agenix.
'';
};
remoteUnlock = lib.mkOption {
default = null;
type = lib.types.nullOr (lib.types.submodule {
options = {
hostKey = lib.mkOption {
type = lib.types.str;
description = ''
The system ssh host key of this machine used for luks boot unlocking only.
'';
};
clearnetHost = lib.mkOption {
default = null;
type = lib.types.nullOr lib.types.str;
description = ''
The hostname resolvable over clearnet used to luks boot unlock this machine
'';
};
onionHost = lib.mkOption {
default = null;
type = lib.types.nullOr lib.types.str;
description = ''
The hostname resolvable over tor used to luks boot unlock this machine
'';
};
};
});
};
userKeys = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
The list of user keys. Each key here can be used to log into all other systems as `googlebot`.
TODO: consider auto populating other programs that use ssh keys such as gitea
'';
};
deployKeys = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
The list of deployment keys. Each key here can be used to log into all other systems as `root`.
'';
};
configurationPath = lib.mkOption {
type = lib.types.path;
description = ''
The path to this machine's configuration directory.
'';
};
};
});
}; };
config = { config = {
@ -203,6 +193,6 @@ in
in in
lib.concatMap (d: propertiesFiles' "${dir}/${d}" d) dirPaths ++ builtins.map (p: { "${dirName}" = p; }) propFiles; lib.concatMap (d: propertiesFiles' "${dir}/${d}" d) dirPaths ++ builtins.map (p: { "${dirName}" = p; }) propFiles;
in in
properties config.machines.machinesPath; properties ../../machines;
}; };
} }

6
common/machine-info/moduleless.nix
View File

@ -2,7 +2,6 @@
{ nixpkgs ? import <nixpkgs> { } { nixpkgs ? import <nixpkgs> { }
, assertionsModule ? <nixpkgs/nixos/modules/misc/assertions.nix> , assertionsModule ? <nixpkgs/nixos/modules/misc/assertions.nix>
, machinesPath ? null
}: }:
{ {
@ -11,11 +10,6 @@
modules = [ modules = [
./default.nix ./default.nix
assertionsModule assertionsModule
{
config = nixpkgs.lib.mkIf (machinesPath != null) {
machines.machinesPath = machinesPath;
};
}
]; ];
}).config.machines; }).config.machines;
} }

4
secrets/secrets.nix
View File

@ -1,8 +1,6 @@
let let
lib = (import <nixpkgs> { }).lib; lib = (import <nixpkgs> { }).lib;
sshKeys = (import ../common/machine-info/moduleless.nix { sshKeys = (import ../common/machine-info/moduleless.nix { }).machines.ssh;
machinesPath = ../machines;
}).machines.ssh;
# add userkeys to all roles so that I can r/w the secrets from my personal computers # add userkeys to all roles so that I can r/w the secrets from my personal computers
roles = lib.mapAttrs (role: hosts: hosts ++ sshKeys.userKeys) sshKeys.hostKeysByRole; roles = lib.mapAttrs (role: hosts: hosts ++ sshKeys.userKeys) sshKeys.hostKeysByRole;