From 89505a91cdb1df0383c1952fb59243291b834b74 Mon Sep 17 00:00:00 2001 From: Kat Inskip Date: Sat, 27 Jan 2024 20:07:28 -0800 Subject: [PATCH] feat: replaced deploy system, migrated to infrastructure's methodologies --- default.nix | 12 ++- devShell.nix | 5 +- flake.lock | 28 ++++++ flake.nix | 13 ++- meta.nix | 95 -------------------- nixos/base/nixpkgs.nix | 5 ++ outputs.nix | 33 +++++++ overlays/default.nix | 11 +-- patchedInputs.nix | 33 +++---- std.nix | 84 +++++++++++++++++ systems/ct/config.nix | 17 ++++ systems/ct/nixos.nix | 12 --- systems/default.nix | 151 +++++++++++++++++++++++++++++++ systems/hakurei/config.nix | 132 +++++++++++++++++++++++++++ systems/hakurei/nixos.nix | 126 -------------------------- systems/kuwubernetes/config.nix | 98 ++++++++++++++++++++ systems/kuwubernetes/nixos.nix | 92 ------------------- systems/mediabox/config.nix | 155 ++++++++++++++++++++++++++++++++ systems/mediabox/nixos.nix | 148 ------------------------------ systems/tei/config.nix | 76 ++++++++++++++++ systems/tei/nixos.nix | 67 -------------- systems/tewi/config.nix | 86 ++++++++++++++++++ systems/tewi/nixos.nix | 81 ----------------- tree.nix | 13 ++- 24 files changed, 919 insertions(+), 654 deletions(-) delete mode 100644 meta.nix create mode 100644 nixos/base/nixpkgs.nix create mode 100644 outputs.nix create mode 100644 std.nix create mode 100644 systems/ct/config.nix delete mode 100644 systems/ct/nixos.nix create mode 100644 systems/default.nix create mode 100644 systems/hakurei/config.nix delete mode 100644 systems/hakurei/nixos.nix create mode 100644 systems/kuwubernetes/config.nix delete mode 100644 systems/kuwubernetes/nixos.nix create mode 100644 systems/mediabox/config.nix delete mode 100644 systems/mediabox/nixos.nix create mode 100644 systems/tei/config.nix delete mode 100644 systems/tei/nixos.nix create mode 100644 systems/tewi/config.nix delete mode 100644 systems/tewi/nixos.nix diff --git a/default.nix b/default.nix index 96737074..c5eb5a4b 100644 
--- a/default.nix +++ b/default.nix @@ -1 +1,11 @@ -import ./meta.nix { inputs = import ./inputs.nix; system = builtins.currentSystem; } +let + lock = builtins.fromJSON (builtins.readFile ./flake.lock); + flakeCompat = fetchTarball { + url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz"; + sha256 = lock.nodes.flake-compat.locked.narHash; + }; + kittywitch = import flakeCompat { + src = ./.; + }; +in + kittywitch.defaultNix diff --git a/devShell.nix b/devShell.nix index c4c832f3..21fcd6fd 100644 --- a/devShell.nix +++ b/devShell.nix @@ -2,8 +2,8 @@ inputs, system, }: let - meta = import ./meta.nix {inherit inputs system;}; - inherit (meta) pkgs; + meta = import ./outputs.nix {inherit inputs;}; + pkgs = meta.legacyPackages.${system}; nf-actions = pkgs.writeShellScriptBin "nf-actions" '' NF_CONFIG_FILES=($NF_CONFIG_ROOT/ci/{nodes,flake-cron}.nix) for f in "''${NF_CONFIG_FILES[@]}"; do @@ -79,6 +79,7 @@ in nf-deadnix nf-kustomize nf-argocd + deploy-rs ]; shellHook = '' export NIX_BIN_DIR=$(dirname $(readlink -f $(type -P nix))) diff --git a/flake.lock b/flake.lock index c814bec2..b7321291 100644 --- a/flake.lock +++ b/flake.lock @@ -34,6 +34,33 @@ "type": "github" } }, + "deploy-rs": { + "inputs": { + "flake-compat": [ + "flake-compat" + ], + "nixpkgs": [ + "nixpkgs" + ], + "utils": [ + "flake-utils" + ] + }, + "locked": { + "lastModified": 1704875591, + "narHash": "sha256-eWRLbqRcrILgztU/m/k7CYLzETKNbv0OsT2GjkaNm8A=", + "owner": "serokell", + "repo": "deploy-rs", + "rev": "1776009f1f3fb2b5d236b84d9815f2edee463a9b", + "type": "github" + }, + "original": { + "owner": "serokell", + "ref": "master", + "repo": "deploy-rs", + "type": "github" + } + }, "fl-config": { "locked": { "lastModified": 1653159448, @@ -170,6 +197,7 @@ "inputs": { "arcexprs": "arcexprs", "ci": "ci", + "deploy-rs": "deploy-rs", "flake-compat": "flake-compat", "flake-utils": "flake-utils", "nixpkgs": "nixpkgs", 
diff --git a/flake.nix b/flake.nix index 4b7c7306..9ef3df92 100644 --- a/flake.nix +++ b/flake.nix @@ -28,6 +28,14 @@ inputs.std.follows = "std"; inputs.nixpkgs.follows = "nixpkgs"; }; + deploy-rs = { + url = "github:serokell/deploy-rs/master"; + inputs = { + flake-compat.follows = "flake-compat"; + nixpkgs.follows = "nixpkgs"; + utils.follows = "flake-utils"; + }; + }; systemd2mqtt = { url = "github:arcnmx/systemd2mqtt"; inputs = { @@ -46,7 +54,9 @@ ]; }; - outputs = { + outputs = inputs: import ./outputs.nix {inherit inputs;}; + /* + outputs = { self, nixpkgs, flake-utils, @@ -69,4 +79,5 @@ }) self.legacyPackages.x86_64-linux.network.nodes; }; + */ } diff --git a/meta.nix b/meta.nix deleted file mode 100644 index fa21b7c4..00000000 --- a/meta.nix +++ /dev/null 
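Review bot: The new `deploy-rs` input tracks the floating `master` branch (`url = "github:serokell/deploy-rs/master"`), so any future `nix flake update` pulls whatever head that branch has into a tool that, per the defaults in `systems/default.nix` elsewhere in this patch, is run as root against every host over SSH. `flake.lock` fixes a rev today, but the input itself should name a tag or an explicit commit so that bumps are deliberate, e.g. `url = "github:serokell/deploy-rs?rev=1776009f1f3fb2b5d236b84d9815f2edee463a9b";` (the rev the lock already records). The previous `outputs` attribute is left behind as a commented-out block; git history already keeps it, and dead code in `flake.nix` tends to drift from the real entry point in `outputs.nix`.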
@@ -1,95 +0,0 @@ -{ - inputs, - system ? builtins.currentSystem or "x86_64-linux", - ... -}: let - patchedInputs = import ./patchedInputs.nix {inherit inputs system;}; - pkgs = import ./overlays { - inherit system; - inputs = patchedInputs; - }; - inherit (pkgs) lib; - tree = import ./tree.nix { - inherit lib; - inputs = patchedInputs; - }; - root = ./.; # Required for modules/meta/imports.nix to find hosts - nixfiles = tree.impure; - - eval = let - inherit (config.network.nixos) builder; - mapNixosNodes = lib.mapAttrs (name: args: builder ({ - inherit name; - } // args)); - nixosNodes = [ - { - network.nodes = mapNixosNodes { - tewi = { - imports = [ - ./systems/tewi/nixos.nix - nixfiles.nixos.base - ]; - }; - tei = { - imports = [ - ./systems/tei/nixos.nix - nixfiles.nixos.base - ]; - }; - mediabox = { - imports = [ - ./systems/mediabox/nixos.nix - nixfiles.nixos.base - ]; - }; - reisen-ct = { - imports = [ - ./systems/ct/nixos.nix - nixfiles.nixos.base - ]; - }; - kuwubernetes = { - imports = [ - ./systems/kuwubernetes/nixos.nix - nixfiles.nixos.base - ]; - }; - hakurei = { - imports = [ - ./systems/hakurei/nixos.nix - nixfiles.nixos.base - ]; - }; - }; - } - ]; - in - lib.evalModules { - modules = - [ - nixfiles.modules.meta - { - _module.args.pkgs = lib.mkDefault pkgs; - } - ] - ++ nixosNodes; - - specialArgs = - { - inherit root tree; - inputs = patchedInputs; - meta = self; - } - // nixfiles; - }; - - inherit (eval) config; - self = - config - // { - inherit pkgs lib tree; - inputs = patchedInputs; - } - // nixfiles; -in - self diff --git a/nixos/base/nixpkgs.nix b/nixos/base/nixpkgs.nix new file mode 100644 index 00000000..880105c5 --- /dev/null +++ b/nixos/base/nixpkgs.nix @@ -0,0 +1,5 @@ +_: { + nixpkgs = { + config.allowUnfree = true; + }; +} diff --git a/outputs.nix b/outputs.nix new file mode 100644 index 00000000..5340a259 --- /dev/null +++ b/outputs.nix 
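Review bot: `nixpkgs.config.allowUnfree = true` in the shared `nixos/base/nixpkgs.nix` blanket-approves every unfree package any host pulls in transitively, with nothing recording which packages actually need it (presumably a few on mediabox). An allowlist keeps the decision visible and reviewable: `config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ /* names */ ];`. Failing that, a one-line comment above the setting naming the packages that require the exception would let the next reader know when it can be narrowed.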
@@ -0,0 +1,33 @@ +{inputs}: let + patchedInputs = import ./patchedInputs.nix {inherit inputs;}; + inherit + (import ./overlays { + inputs = patchedInputs; + }) + pkgs + ; + inherit (inputs.nixpkgs) lib; + tree = import ./tree.nix { + inherit pkgs; + inputs = patchedInputs; + }; + systems = import ./systems { + inherit inputs lib std pkgs; + tree = tree.impure; + }; + shells = + inputs.flake-utils.lib.eachDefaultSystem + (system: rec { + devShells.default = import ./devShell.nix {inherit system inputs;}; + }); + std = import ./std.nix {inherit inputs;}; + inherit (std) set; + checks = set.map (_: deployLib: deployLib.deployChecks inputs.self.deploy) inputs.deploy-rs.lib; +in + { + inherit tree std lib checks; + inputs = patchedInputs; + legacyPackages = pkgs; + } + // systems + // shells diff --git a/overlays/default.nix b/overlays/default.nix index ac7b5359..06238e3a 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -1,8 +1,5 @@ -{ - inputs, - system ? builtins.currentSystem, - ... -} @ args: let +{inputs, ...} @ args: +inputs.flake-utils.lib.eachDefaultSystem (system: { pkgs = import inputs.nixpkgs { inherit system; overlays = @@ -10,6 +7,7 @@ (import ./nur {inherit inputs;}) (import ./local) (import ./lib) + inputs.deploy-rs.overlay (final: prev: { jemalloc = if final.hostPlatform != "aarch64-darwin" @@ -31,5 +29,4 @@ ]; }; }; -in - pkgs +}) diff --git a/patchedInputs.nix b/patchedInputs.nix index 54ba2f31..ae6c82b7 100644 --- a/patchedInputs.nix +++ b/patchedInputs.nix 
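Review bot: In `outputs.nix`, `lib` is taken from the unpatched input (`inherit (inputs.nixpkgs) lib;`) while `pkgs` is built from the patched tree returned by `patchedInputs.nix`; if PR 275896 touches anything under `lib/`, host evaluation and the `systems` builder would see two different libs. Taking both from the same source, `inherit (patchedInputs.nixpkgs) lib;`, removes the ambiguity, though the NixOS builder in `systems/default.nix` extends `inputs.nixpkgs.lib` separately and would need the same change to be consistent. The `checks` wiring to `deployChecks` is a good addition; a short comment saying that `nix flake check` now validates every deploy node would help someone reading the outputs for the first time.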
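Review bot: Adding `inputs.deploy-rs.overlay` to the overlay list replaces `pkgs.deploy-rs` with a from-source build of the `master` checkout against this flake's nixpkgs, so the `deploy-rs` binary added to the devShell is compiled locally instead of coming from the nixpkgs binary cache, and its provenance is the floating input rather than a reviewed nixpkgs revision. The deploy-rs README (not visible here) recommends keeping only `lib` from the overlay and taking the package from nixpkgs: add a second overlay after it that sets `deploy-rs = { deploy-rs = <unoverlaid nixpkgs>.deploy-rs; lib = prev.deploy-rs.lib; };`. A comment on the overlay line explaining which of the two is intended would make the choice explicit either way.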
@@ -1,21 +1,24 @@ { inputs, - system, + system ? builtins.currentSystem or "x86_64-linux", ... }: let - pkgs = import ./overlays {inherit inputs system;}; # A local import of nixpkgs without patching. + pkgs = import inputs.nixpkgs { + inherit system; + config.allowUnfree = true; + }; in inputs - // { - nixpkgs = pkgs.applyPatches { - name = "nixpkgs"; - src = inputs.nixpkgs; - patches = [ - # https://github.com/NixOS/nixpkgs/pull/275896 - (pkgs.fetchpatch { - url = "https://github.com/NixOS/nixpkgs/pull/275896.patch"; - sha256 = "sha256-boJLCdgamzX0fhLifdsxsFF/f7oXZwWJ7+WAkcA2GBg="; - }) - ]; - }; -} + // { + nixpkgs = pkgs.applyPatches { + name = "nixpkgs"; + src = inputs.nixpkgs; + patches = [ + # https://github.com/NixOS/nixpkgs/pull/275896 + (pkgs.fetchpatch { + url = "https://github.com/NixOS/nixpkgs/pull/275896.patch"; + sha256 = "sha256-boJLCdgamzX0fhLifdsxsFF/f7oXZwWJ7+WAkcA2GBg="; + }) + ]; + }; + } diff --git a/std.nix b/std.nix new file mode 100644 index 00000000..74357ddb --- /dev/null +++ b/std.nix 
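Review bot: The patch is fetched from `https://github.com/NixOS/nixpkgs/pull/275896.patch`, a URL whose contents change whenever the PR branch is pushed or rebased; the pinned `sha256` means this fails closed instead of silently picking up new content, but the build will break at an arbitrary later time. The nixpkgs convention is the immutable commit patch, `url = "https://github.com/NixOS/nixpkgs/commit/<sha>.patch";`, with the PR link kept in the comment. The bootstrap `pkgs` import also gains `config.allowUnfree = true`, which `applyPatches`/`fetchpatch` seemingly do not need; dropping it keeps the unfree decision in one place (`nixos/base/nixpkgs.nix`).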
@@ -0,0 +1,84 @@ +{inputs, ...}: let + std = let + baseStd = inputs.std.lib; + inherit (baseStd) set function list bool types optional tuple; + mergeWith = let + append = { + path, + values, + canMerge, + mapToSet, + }: let + mergeWith' = values: + mergeWith { + inherit canMerge mapToSet path; + sets = list.map (v: (mapToSet path v).value) values; + }; + mergeUntil = list.findIndex (function.not (canMerge path)) values; + len = list.length values; + in + if len == 0 + then {} + else if len == 1 + then list.unsafeHead values + else if list.all (canMerge path) values + then mergeWith' values + else + optional.match mergeUntil { + just = i: let + split = list.splitAt i values; + in + if i > 0 + then mergeWith' split._0 + else list.unsafeHead values; + nothing = list.unsafeHead values; + }; + in + { + canMerge ? path: v: optional.isJust (mapToSet path v), + mapToSet ? _: v: bool.toOptional (types.attrs.check v) v, + path ? [], + sets, + }: + set.mapZip (name: values: + append { + path = path ++ list.One name; + inherit canMerge mapToSet values; + }) + sets; + merge = sets: + mergeWith { + inherit sets; + }; + remap = f: s: set.fromList (list.map f (set.toList s)); + renames = names: + remap ({ + _0, + _1, + }: + tuple.tuple2 (names.${_0} or _0) _1); + rename = oldName: newName: renames {${oldName} = newName;}; + in + merge [ + baseStd + { + function = { + pipe = list.foldl' (function.flip function.compose) function.id; + }; + set = { + inherit merge mergeWith remap renames rename; + recursiveMap = f: s: let + recurse = str: s: let + g = str1: str2: + if types.attrs.check str2 + then f (str ++ [str1]) (recurse (str ++ [str1]) str2) + else f (str ++ [str1]) str2; + in + set.map g s; + in + f [] (recurse [] s); + }; + } + ]; +in + std diff --git a/systems/ct/config.nix b/systems/ct/config.nix new file mode 100644 index 00000000..b7ab88fd --- /dev/null +++ b/systems/ct/config.nix 
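Review bot: `mergeWith`'s precedence rule when a key holds a mix of attrsets and non-attrset values is undocumented and easy to misread: `mergeUntil` locates the first value that cannot be merged, the values before it are merged, and everything from that index on is silently dropped (when it is the first value, that single value wins and all later attrsets are ignored). A comment above `append` stating this — values merge left to right up to the first non-attrset, later values are discarded — would stop callers from assuming module-system "last definition wins" semantics. The `list.unsafeHead` on the `just` branch is only safe because that branch is reached with `len >= 2`; naming that invariant in the same comment would help.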
@@ -0,0 +1,17 @@
+_: {
+ arch = "x86_64";
+ type = "NixOS";
+ modules = [
+ ({
+ meta,
+ lib,
+ ...
+ }: {
+ imports = with meta; [
+ nixos.reisen-ct
+ ];
+
+ system.stateVersion = "23.11";
+ })
+ ];
+}
diff --git a/systems/ct/nixos.nix b/systems/ct/nixos.nix
deleted file mode 100644
index c84c0e2e..00000000
--- a/systems/ct/nixos.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- meta,
- lib,
- ...
-}: {
- imports = with meta;
- [
- nixos.reisen-ct
- ];
-
- system.stateVersion = "23.11";
-}
diff --git a/systems/default.nix b/systems/default.nix
new file mode 100644
index 00000000..af1de589
--- /dev/null
+++ b/systems/default.nix
@@ -0,0 +1,151 @@ +{ + inputs, + tree, + pkgs, + lib, + std, + system ? builtins.currentSystem or "x86_64-linux", + ... +}: let + # The purpose of this file is to set up the host module which allows assigning of the system, e.g. aarch64-linux and the builder used with less pain. + inherit (lib.modules) evalModules mkOptionDefault; + inherit (std) string types optional set list; + defaultSpecialArgs = { + inherit inputs std; + meta = tree; + }; + hostModule = { + config, + machine, + ... + }: { + options = let + inherit (lib.types) str listOf attrs unspecified attrsOf nullOr; + jsonType = (pkgs.${system}.formats.json {}).type; + inherit (lib.options) mkOption; + in { + arch = mkOption { + description = "Processor architecture of the host"; + type = str; + default = "x86_64"; + }; + type = mkOption { + description = "Operating system type of the host"; + type = str; + default = "NixOS"; + }; + folder = mkOption { + type = str; + internal = true; + }; + system = mkOption { + type = str; + internal = true; + }; + modules = mkOption { + type = listOf unspecified; + }; + specialArgs = mkOption { + type = attrs; + internal = true; + }; + builder = mkOption { + type = unspecified; + internal = true; + }; + deploy = mkOption { + type = nullOr jsonType; + }; + }; + config = { + deploy = { + sshUser = mkOptionDefault "root"; + user = mkOptionDefault "root"; + sshOpts = mkOptionDefault ["-p" "${builtins.toString (builtins.head inputs.self.nixosConfigurations.${machine}.config.services.openssh.ports)}"]; + autoRollback = mkOptionDefault true; + magicRollback = mkOptionDefault true; + fastConnection = mkOptionDefault false; + profiles.system = { + user = "root"; + path = inputs.deploy-rs.lib.${system}.activate.nixos inputs.self.nixosConfigurations.${machine}; + }; + }; + system = let + kernel = + { + nixos = "linux"; + macos = "darwin"; + darwin = "darwin"; + linux = "linux"; + } + .${string.toLower config.type}; + in "${config.arch}-${kernel}"; + folder = + { + nixos = "nixos"; 
+ macos = "darwin"; + darwin = "darwin"; + linux = "linux"; + } + .${string.toLower config.type}; + modules = with tree; [ + # per-OS modules + tree.modules.${config.folder} + # per-OS configuration + tree.${config.folder}.base + ]; + builder = + { + nixos = let + lib = inputs.nixpkgs.lib.extend (self: super: + import (inputs.arcexprs + "/lib") { + inherit super; + lib = self; + isOverlayLib = true; + }); + sys = args: + lib.nixosSystem ({ + inherit lib; + } + // args); + in + sys; + darwin = inputs.darwin.lib.darwinSystem; + macos = inputs.darwin.lib.darwinSystem; + } + .${string.toLower config.type}; + specialArgs = + { + name = machine; + inherit machine; + systemType = config.folder; + inherit (config) system; + } + // defaultSpecialArgs; + }; + }; + hostConfigs = set.map (name: path: + evalModules { + modules = [ + hostModule + path + ]; + specialArgs = + defaultSpecialArgs + // { + inherit name; + machine = name; + }; + }) + (set.map (_: c: c.config) tree.systems); + processHost = name: cfg: let + host = cfg.config; + in { + deploy.nodes.${name} = host.deploy; + + "${host.folder}Configurations".${name} = host.builder { + inherit (host) system modules specialArgs; + }; + }; +in + set.merge (set.mapToValues processHost hostConfigs) diff --git a/systems/hakurei/config.nix b/systems/hakurei/config.nix new file mode 100644 index 00000000..a6b1ea9b --- /dev/null +++ b/systems/hakurei/config.nix 
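Review bot: `profiles.system.user` is hard-coded to `"root"` while `deploy.user` is declared with `mkOptionDefault "root"`, so a per-host override of `deploy.user` is silently ignored for the system profile; `user = config.deploy.user;` (or dropping the node-level default) keeps the two in step. Every node also defaults to `sshUser = "root"` with the port taken from `builtins.head` of `services.openssh.ports`, which means deployment requires root SSH login on each host and silently picks the first port when several are configured — both assumptions deserve a comment on the `deploy` block, and any host that disables root login needs an explicit override. Note too that `deploy` reads `inputs.self.nixosConfigurations.${machine}`, which this same file produces in `processHost`; this only works because the attribute is evaluated lazily, and a one-line comment saying so would save the next reader from chasing an apparent cycle.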
@@ -0,0 +1,132 @@ +_: { + arch = "x86_64"; + type = "NixOS"; + modules = [ + ({ + config, + meta, + lib, + access, + ... + }: let + inherit (lib.modules) mkIf mkMerge; + mediabox = access.systemFor "mediabox"; + tei = access.systemFor "tei"; + inherit (mediabox.services) plex; + inherit (tei.services) kanidm; + in { + imports = let + inherit (meta) nixos; + in [ + nixos.sops + nixos.base + nixos.reisen-ct + nixos.tailscale + nixos.cloudflared + nixos.ddclient + nixos.acme + nixos.nginx + nixos.access.nginx + nixos.access.global + nixos.access.gensokyo + nixos.access.kanidm + nixos.access.proxmox + nixos.access.plex + ./reisen-ssh.nix + ]; + + sops.secrets.cloudflared-tunnel-hakurei = { + owner = config.services.cloudflared.user; + }; + + services.cloudflared = let + tunnelId = "964121e3-b3a9-4cc1-8480-954c4728b604"; + in { + tunnels.${tunnelId} = { + default = "http_status:404"; + credentialsFile = config.sops.secrets.cloudflared-tunnel-hakurei.path; + ingress = { + "prox.${config.networking.domain}".service = "http://localhost"; + ${config.networking.domain}.service = "http://localhost"; + }; + }; + }; + + security.acme.certs = let + inherit (config.services) nginx tailscale; + inherit (nginx) access; + in { + ${access.kanidm.domain} = { + inherit (nginx) group; + extraDomainNames = mkMerge [ + [access.kanidm.localDomain] + (mkIf kanidm.server.ldap.enable [ + access.kanidm.ldapDomain + access.kanidm.ldapLocalDomain + ]) + (mkIf tailscale.enable [ + access.kanidm.tailDomain + ]) + (mkIf (kanidm.server.ldap.enable && tailscale.enable) [ + access.kanidm.ldapTailDomain + ]) + ]; + }; + ${access.proxmox.domain} = { + inherit (nginx) group; + extraDomainNames = mkMerge [ + [access.proxmox.localDomain] + (mkIf config.services.tailscale.enable [ + access.proxmox.tailDomain + ]) + ]; + }; + ${access.plex.domain} = { + inherit (nginx) group; + extraDomainNames = [access.plex.localDomain]; + }; + }; + + services.nginx = let + inherit (config.services.nginx) access; + in { + 
access.plex = assert plex.enable; { + url = "http://${mediabox.networking.access.hostnameForNetwork.local}:32400"; + }; + access.kanidm = assert kanidm.enableServer; { + inherit (kanidm.server.frontend) domain port; + host = tei.networking.access.hostnameForNetwork.local; + ldapPort = kanidm.server.ldap.port; + ldapEnable = kanidm.server.ldap.enable; + }; + virtualHosts = { + ${access.kanidm.domain} = { + useACMEHost = access.kanidm.domain; + }; + ${access.proxmox.domain} = { + useACMEHost = access.proxmox.domain; + }; + ${access.plex.domain} = { + addSSL = true; + useACMEHost = access.plex.domain; + }; + }; + }; + + systemd.network.networks.eth0 = { + name = "eth0"; + matchConfig = { + MACAddress = "BC:24:11:C4:66:A7"; + Type = "ether"; + }; + address = ["10.1.1.41/24"]; + gateway = ["10.1.1.1"]; + DHCP = "no"; + }; + + sops.defaultSopsFile = ./secrets.yaml; + + system.stateVersion = "23.11"; + }) + ]; +} diff --git a/systems/hakurei/nixos.nix b/systems/hakurei/nixos.nix deleted file mode 100644 index 54fed05d..00000000 --- a/systems/hakurei/nixos.nix +++ /dev/null 
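Review bot: The `kanidm` and `proxmox` virtualHosts set only `useACMEHost`, which in the NixOS nginx module supplies certificates but does not by itself enable an HTTPS listener or redirect; unless the imported `nixos.access.kanidm`/`nixos.access.proxmox` modules (outside this patch) set it, the identity provider and the hypervisor UI are served over plain HTTP on those names. Adding `forceSSL = true;` next to `useACMEHost` for both mirrors what `addSSL = true` does for plex and is the safer default for endpoints that carry credentials. Separately, the cloudflared `ingress` publishes `prox.${config.networking.domain}` — the Proxmox UI — on a public tunnel hostname; if no Cloudflare Access policy fronts it (not visible here), that is a management interface reachable from the internet and a comment recording the protection in place would be worth adding.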
@@ -1,126 +0,0 @@ -{ - config, - meta, - lib, - access, - ... -}: let - inherit (lib.modules) mkIf mkMerge; - mediabox = access.systemFor "mediabox"; - tei = access.systemFor "tei"; - inherit (mediabox.services) plex; - inherit (tei.services) kanidm; -in { - imports = let - inherit (meta) nixos; - in [ - nixos.sops - nixos.base - nixos.reisen-ct - nixos.tailscale - nixos.cloudflared - nixos.ddclient - nixos.acme - nixos.nginx - nixos.access.nginx - nixos.access.global - nixos.access.gensokyo - nixos.access.kanidm - nixos.access.proxmox - nixos.access.plex - ./reisen-ssh.nix - ]; - - sops.secrets.cloudflared-tunnel-hakurei = { - owner = config.services.cloudflared.user; - }; - - services.cloudflared = let - tunnelId = "964121e3-b3a9-4cc1-8480-954c4728b604"; - in { - tunnels.${tunnelId} = { - default = "http_status:404"; - credentialsFile = config.sops.secrets.cloudflared-tunnel-hakurei.path; - ingress = { - "prox.${config.networking.domain}".service = "http://localhost"; - ${config.networking.domain}.service = "http://localhost"; - }; - }; - }; - - security.acme.certs = let - inherit (config.services) nginx tailscale; - inherit (nginx) access; - in { - ${access.kanidm.domain} = { - inherit (nginx) group; - extraDomainNames = mkMerge [ - [ access.kanidm.localDomain ] - (mkIf kanidm.server.ldap.enable [ - access.kanidm.ldapDomain - access.kanidm.ldapLocalDomain - ]) - (mkIf tailscale.enable [ - access.kanidm.tailDomain - ]) - (mkIf (kanidm.server.ldap.enable && tailscale.enable) [ - access.kanidm.ldapTailDomain - ]) - ]; - }; - ${access.proxmox.domain} = { - inherit (nginx) group; - extraDomainNames = mkMerge [ - [ access.proxmox.localDomain ] - (mkIf config.services.tailscale.enable [ - access.proxmox.tailDomain - ]) - ]; - }; - ${access.plex.domain} = { - inherit (nginx) group; - extraDomainNames = [ access.plex.localDomain ]; - }; - }; - - services.nginx = let - inherit (config.services.nginx) access; - in { - access.plex = assert plex.enable; { - url = 
"http://${mediabox.networking.access.hostnameForNetwork.local}:32400"; - }; - access.kanidm = assert kanidm.enableServer; { - inherit (kanidm.server.frontend) domain port; - host = tei.networking.access.hostnameForNetwork.local; - ldapPort = kanidm.server.ldap.port; - ldapEnable = kanidm.server.ldap.enable; - }; - virtualHosts = { - ${access.kanidm.domain} = { - useACMEHost = access.kanidm.domain; - }; - ${access.proxmox.domain} = { - useACMEHost = access.proxmox.domain; - }; - ${access.plex.domain} = { - addSSL = true; - useACMEHost = access.plex.domain; - }; - }; - }; - - systemd.network.networks.eth0 = { - name = "eth0"; - matchConfig = { - MACAddress = "BC:24:11:C4:66:A7"; - Type = "ether"; - }; - address = [ "10.1.1.41/24" ]; - gateway = [ "10.1.1.1" ]; - DHCP = "no"; - }; - - sops.defaultSopsFile = ./secrets.yaml; - - system.stateVersion = "23.11"; -} diff --git a/systems/kuwubernetes/config.nix b/systems/kuwubernetes/config.nix new file mode 100644 index 00000000..fe1460a4 --- /dev/null +++ b/systems/kuwubernetes/config.nix 
@@ -0,0 +1,98 @@ +_: { + arch = "x86_64"; + type = "NixOS"; + modules = [ + ({ + config, + meta, + lib, + modulesPath, + ... + }: let + inherit (lib.attrsets) genAttrs nameValuePair; + inherit (builtins) listToAttrs; + dexFiles = [ + "ca-key.pem" + "ca.pem" + "ca.srl" + "csr.pem" + "key.pem" + "req.cnf" + ]; + in { + imports = with meta; [ + (modulesPath + "/profiles/qemu-guest.nix") + nixos.sops + nixos.cloudflared + nixos.k8s + ]; + + boot = { + initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "virtio_pci" + "virtio_scsi" + "sd_mod" + "sr_mod" + ]; + loader.grub.device = "/dev/sda"; + }; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/5ab5efe2-0250-4bf1-8fd6-3725cdd15031"; + fsType = "ext4"; + }; + + swapDevices = [ + {device = "/dev/disk/by-uuid/b374e454-7af5-46fc-b949-24e38a2216d5";} + ]; + + networking.interfaces.ens18.useDHCP = true; + + sops.secrets = let + dexCommon = { + owner = "kubernetes"; + }; + in + { + cloudflare_kubernetes_tunnel = { + owner = config.services.cloudflared.user; + }; + } + // (genAttrs (map (name: "dex-${name}") dexFiles) (_: dexCommon)); + + environment.etc = listToAttrs (map (name: nameValuePair "dex-ssl/${name}" {source = config.sops.secrets."dex-${name}".path;}) dexFiles); + + services.cloudflared = let + tunnelId = "3dde2376-1dd1-4282-b5a4-aba272594976"; + in { + tunnels.${tunnelId} = { + default = "http_status:404"; + credentialsFile = config.sops.secrets.cloudflare_kubernetes_tunnel.path; + ingress = { + "k8s.gensokyo.zone" = { + service = "https://localhost:6443"; + originRequest.noTLSVerify = true; + }; + }; + }; + }; + + systemd.network.networks.ens18 = { + name = "ens18"; + matchConfig = { + MACAddress = "BC:24:11:49:FE:DC"; + Type = "ether"; + }; + address = ["10.1.1.42/24"]; + gateway = ["10.1.1.1"]; + DHCP = "no"; + }; + + sops.defaultSopsFile = ./secrets.yaml; + + system.stateVersion = "23.11"; + }) + ]; +} 
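Review bot: `originRequest.noTLSVerify = true` disables certificate verification between cloudflared and the Kubernetes API server at `https://localhost:6443`; with a loopback origin the exposure is limited to something else bound on that host, but the fix is cheap: `originRequest.caPool = "<path to the apiserver CA>";` and drop `noTLSVerify`. Installing `dex-ca-key.pem` together with the signing artefacts (`csr.pem`, `req.cnf`, `ca.srl`) into `/etc/dex-ssl/` owned by `kubernetes` also places the CA private key on the node at runtime; if the service only needs the leaf key and the CA certificate, the signing material should stay off the host. Finally, `networking.interfaces.ens18.useDHCP = true` coexists with a static `systemd.network.networks.ens18` that sets `DHCP = "no"`; which one wins depends on the networking backend configured elsewhere, so one of the two should be removed.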
diff --git a/systems/kuwubernetes/nixos.nix b/systems/kuwubernetes/nixos.nix
deleted file mode 100644
index c2c0f581..00000000
--- a/systems/kuwubernetes/nixos.nix
+++ /dev/null
@@ -1,92 +0,0 @@ -{ - config, - meta, - lib, - modulesPath, - ... -}: let - inherit (lib.attrsets) genAttrs nameValuePair; - inherit (builtins) listToAttrs; - dexFiles = [ - "ca-key.pem" - "ca.pem" - "ca.srl" - "csr.pem" - "key.pem" - "req.cnf" - ]; -in { - imports = with meta; [ - (modulesPath + "/profiles/qemu-guest.nix") - nixos.sops - nixos.cloudflared - nixos.k8s - ]; - - boot = { - initrd.availableKernelModules = [ - "ata_piix" - "uhci_hcd" - "virtio_pci" - "virtio_scsi" - "sd_mod" - "sr_mod" - ]; - loader.grub.device = "/dev/sda"; - }; - - fileSystems."/" = { - device = "/dev/disk/by-uuid/5ab5efe2-0250-4bf1-8fd6-3725cdd15031"; - fsType = "ext4"; - }; - - swapDevices = [ - {device = "/dev/disk/by-uuid/b374e454-7af5-46fc-b949-24e38a2216d5";} - ]; - - networking.interfaces.ens18.useDHCP = true; - - sops.secrets = let - dexCommon = { - owner = "kubernetes"; - }; - in - { - cloudflare_kubernetes_tunnel = { - owner = config.services.cloudflared.user; - }; - } - // (genAttrs (map (name: "dex-${name}") dexFiles) (_: dexCommon)); - - environment.etc = listToAttrs (map (name: nameValuePair "dex-ssl/${name}" {source = config.sops.secrets."dex-${name}".path;}) dexFiles); - - services.cloudflared = let - tunnelId = "3dde2376-1dd1-4282-b5a4-aba272594976"; - in { - tunnels.${tunnelId} = { - default = "http_status:404"; - credentialsFile = config.sops.secrets.cloudflare_kubernetes_tunnel.path; - ingress = { - "k8s.gensokyo.zone" = { - service = "https://localhost:6443"; - originRequest.noTLSVerify = true; - }; - }; - }; - }; - - systemd.network.networks.ens18 = { - name = "ens18"; - matchConfig = { - MACAddress = "BC:24:11:49:FE:DC"; - Type = "ether"; - }; - address = [ "10.1.1.42/24" ]; - gateway = [ "10.1.1.1" ]; - DHCP = "no"; - }; - - sops.defaultSopsFile = ./secrets.yaml; - - system.stateVersion = "23.11"; -} diff --git a/systems/mediabox/config.nix b/systems/mediabox/config.nix new file mode 100644 index 00000000..1e8bdd34 --- /dev/null 
+++ b/systems/mediabox/config.nix 
@@ -0,0 +1,155 @@ +_: { + deploy.hostname = "mediabox.local.gensokyo.zone"; + arch = "x86_64"; + type = "NixOS"; + modules = [ + ({ + config, + meta, + lib, + pkgs, + ... + }: let + inherit (lib.modules) mkIf mkMerge; + inherit (lib.attrsets) mapAttrs mapAttrsToList; + inherit (lib.strings) removePrefix; + inherit (config.services) deluge plex tautulli ombi sonarr radarr bazarr lidarr readarr prowlarr cloudflared; + kyuuto = "/mnt/kyuuto-media"; + kyuuto-library = kyuuto + "/library"; + plexLibrary = { + "/mnt/Anime".hostPath = kyuuto-library + "/anime"; + "/mnt/Shows".hostPath = kyuuto-library + "/tv"; + "/mnt/Movies".hostPath = kyuuto-library + "/movies"; + "/mnt/Music".hostPath = kyuuto-library + "/music"; + }; + in { + imports = let + inherit (meta) nixos; + in [ + nixos.reisen-ct + nixos.sops + nixos.nginx + nixos.access.plex + nixos.cloudflared + + # media + nixos.plex + nixos.tautulli + nixos.ombi + nixos.deluge + nixos.mediatomb + + # yarr harr fiddle dee dee >w< + nixos.radarr + nixos.sonarr + nixos.bazarr + nixos.lidarr + nixos.readarr + nixos.prowlarr + ]; + + sops.secrets.cloudflare_mediabox_tunnel = { + owner = cloudflared.user; + }; + + services.cloudflared = let + tunnelId = "6a3c1863-d879-462f-b5d5-7c6ddf476d0e"; + inherit (config.networking) domain; + in { + tunnels.${tunnelId} = { + default = "http_status:404"; + credentialsFile = config.sops.secrets.cloudflare_mediabox_tunnel.path; + ingress = { + "tautulli.${domain}".service = "http://localhost:${toString tautulli.port}"; + "ombi.${domain}".service = "http://localhost:${toString ombi.port}"; + "sonarr.${domain}".service = "http://localhost:${toString sonarr.port}"; + "radarr.${domain}".service = "http://localhost:${toString radarr.port}"; + "bazarr.${domain}".service = "http://localhost:${toString bazarr.listenPort}"; + "lidarr.${domain}".service = "http://localhost:${toString lidarr.port}"; + "readarr.${domain}".service = "http://localhost:${toString readarr.port}"; + 
"prowlarr.${domain}".service = "http://localhost:${toString prowlarr.port}"; + "deluge.${domain}".service = "http://localhost:${toString deluge.web.port}"; + }; + }; + }; + + services.mediatomb = { + serverName = "tewi"; + mediaDirectories = let + mkLibraryDir = dir: { + path = kyuuto-library + "/${dir}"; + mountPoint = kyuuto-library; + }; + libraryDir = { + path = kyuuto-library; + mountPoint = kyuuto-library; + subdirectories = + mapAttrsToList ( + _: {hostPath, ...}: + removePrefix "${kyuuto-library}/" hostPath + ) + plexLibrary + ++ ["tlmc" "music-raw"]; + }; + in + [libraryDir] ++ map mkLibraryDir ["tlmc" "music-raw" "lewd"]; + }; + + hardware.opengl = { + enable = true; + extraPackages = with pkgs; [mesa.drivers vaapiVdpau libvdpau-va-gl]; + }; + + fileSystems = let + bind = { + fsType = "none"; + options = ["bind" "nofail"]; + }; + fsPlex = mapAttrs (_: {hostPath, ...}: + mkMerge [ + bind + { + device = hostPath; + } + ]) + plexLibrary; + fsDeluge = { + "${deluge.downloadDir}" = mkIf deluge.enable (mkMerge [ + bind + { + device = kyuuto + "/downloads/deluge/download"; + } + ]); + }; + in + mkMerge [ + fsPlex + (mkIf deluge.enable fsDeluge) + ]; + + systemd.services.deluged = mkIf deluge.enable { + unitConfig.RequiresMountsFor = [ + "${deluge.downloadDir}" + ]; + }; + systemd.services.plex = mkIf plex.enable { + unitConfig.RequiresMountsFor = mapAttrsToList (path: _: path) plexLibrary; + }; + + systemd.network.networks.eth0 = { + name = "eth0"; + matchConfig = { + MACAddress = "BC:24:11:34:F4:A8"; + Type = "ether"; + }; + address = ["10.1.1.44/24"]; + gateway = ["10.1.1.1"]; + DHCP = "no"; + }; + + sops.defaultSopsFile = ./secrets.yaml; + + system.stateVersion = "21.05"; + }) + ]; +} diff --git a/systems/mediabox/nixos.nix b/systems/mediabox/nixos.nix deleted file mode 100644 index 9bd48577..00000000 --- a/systems/mediabox/nixos.nix +++ /dev/null 
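Review bot: The tunnel `ingress` publishes the Sonarr, Radarr, Lidarr, Readarr, Prowlarr, Bazarr, Ombi, Tautulli and Deluge web UIs on public hostnames straight to `http://localhost:<port>`, so each application's own login is the only barrier (Deluge's web UI, for example, has a well-known default password unless it has been changed). Unless a Cloudflare Access policy guards these hostnames on the Cloudflare side — not visible in this config — an SSO gate such as the `nixos.vouch` module that tei imports, or at least a comment on the `ingress` block recording that Access is configured, would make the exposure deliberate rather than implicit.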
@@ -1,148 +0,0 @@ -{ - config, - meta, - lib, - pkgs, - ... -}: let - inherit (lib.modules) mkIf mkMerge; - inherit (lib.attrsets) mapAttrs mapAttrsToList; - inherit (lib.strings) removePrefix; - inherit (config.services) deluge plex tautulli ombi sonarr radarr bazarr lidarr readarr prowlarr cloudflared; - kyuuto = "/mnt/kyuuto-media"; - kyuuto-library = kyuuto + "/library"; - plexLibrary = { - "/mnt/Anime".hostPath = kyuuto-library + "/anime"; - "/mnt/Shows".hostPath = kyuuto-library + "/tv"; - "/mnt/Movies".hostPath = kyuuto-library + "/movies"; - "/mnt/Music".hostPath = kyuuto-library + "/music"; - }; -in { - imports = let - inherit (meta) nixos; - in [ - nixos.reisen-ct - nixos.sops - nixos.nginx - nixos.access.plex - nixos.cloudflared - - # media - nixos.plex - nixos.tautulli - nixos.ombi - nixos.deluge - nixos.mediatomb - - # yarr harr fiddle dee dee >w< - nixos.radarr - nixos.sonarr - nixos.bazarr - nixos.lidarr - nixos.readarr - nixos.prowlarr - ]; - - sops.secrets.cloudflare_mediabox_tunnel = { - owner = cloudflared.user; - }; - - services.cloudflared = let - tunnelId = "6a3c1863-d879-462f-b5d5-7c6ddf476d0e"; - inherit (config.networking) domain; - in { - tunnels.${tunnelId} = { - default = "http_status:404"; - credentialsFile = config.sops.secrets.cloudflare_mediabox_tunnel.path; - ingress = { - "tautulli.${domain}".service = "http://localhost:${toString tautulli.port}"; - "ombi.${domain}".service = "http://localhost:${toString ombi.port}"; - "sonarr.${domain}".service = "http://localhost:${toString sonarr.port}"; - "radarr.${domain}".service = "http://localhost:${toString radarr.port}"; - "bazarr.${domain}".service = "http://localhost:${toString bazarr.listenPort}"; - "lidarr.${domain}".service = "http://localhost:${toString lidarr.port}"; - "readarr.${domain}".service = "http://localhost:${toString readarr.port}"; - "prowlarr.${domain}".service = "http://localhost:${toString prowlarr.port}"; - "deluge.${domain}".service = "http://localhost:${toString 
deluge.web.port}"; - }; - }; - }; - - services.mediatomb = { - serverName = "tewi"; - mediaDirectories = let - mkLibraryDir = dir: { - path = kyuuto-library + "/${dir}"; - mountPoint = kyuuto-library; - }; - libraryDir = { - path = kyuuto-library; - mountPoint = kyuuto-library; - subdirectories = - mapAttrsToList ( - _: {hostPath, ...}: - removePrefix "${kyuuto-library}/" hostPath - ) - plexLibrary - ++ ["tlmc" "music-raw"]; - }; - in - [libraryDir] ++ map mkLibraryDir ["tlmc" "music-raw" "lewd"]; - }; - - hardware.opengl = { - enable = true; - extraPackages = with pkgs; [mesa.drivers vaapiVdpau libvdpau-va-gl]; - }; - - fileSystems = let - bind = { - fsType = "none"; - options = ["bind" "nofail"]; - }; - fsPlex = mapAttrs (_: {hostPath, ...}: - mkMerge [ - bind - { - device = hostPath; - } - ]) - plexLibrary; - fsDeluge = { - "${deluge.downloadDir}" = mkIf deluge.enable (mkMerge [ - bind - { - device = kyuuto + "/downloads/deluge/download"; - } - ]); - }; - in - mkMerge [ - fsPlex - (mkIf deluge.enable fsDeluge) - ]; - - systemd.services.deluged = mkIf deluge.enable { - unitConfig.RequiresMountsFor = [ - "${deluge.downloadDir}" - ]; - }; - systemd.services.plex = mkIf plex.enable { - unitConfig.RequiresMountsFor = mapAttrsToList (path: _: path) plexLibrary; - }; - - systemd.network.networks.eth0 = { - name = "eth0"; - matchConfig = { - MACAddress = "BC:24:11:34:F4:A8"; - Type = "ether"; - }; - address = ["10.1.1.44/24"]; - gateway = ["10.1.1.1"]; - DHCP = "no"; - }; - - sops.defaultSopsFile = ./secrets.yaml; - - system.stateVersion = "21.05"; -} diff --git a/systems/tei/config.nix b/systems/tei/config.nix new file mode 100644 index 00000000..c2829b0d --- /dev/null +++ b/systems/tei/config.nix 
@@ -0,0 +1,76 @@ +_: { + arch = "x86_64"; + type = "NixOS"; + modules = [ + ({ + config, + lib, + meta, + pkgs, + ... + }: let + inherit (lib.modules) mkIf mkMerge; + inherit (config.services) kanidm mosquitto home-assistant; + in { + imports = let + inherit (meta) nixos; + in [ + nixos.reisen-ct + nixos.sops + nixos.tailscale + nixos.cloudflared + nixos.postgres + nixos.nginx + nixos.access.zigbee2mqtt + nixos.access.home-assistant + nixos.vouch + nixos.kanidm + nixos.mosquitto + nixos.home-assistant + nixos.zigbee2mqtt + nixos.syncplay + ./cloudflared.nix + ]; + + sops.defaultSopsFile = ./secrets.yaml; + + services.kanidm = { + package = + lib.warnIf + (pkgs.kanidm.version != "1.1.0-rc.15") + "upstream kanidm may have localhost oauth2 support now!" + pkgs.kanidm-develop; + }; + + networking.firewall = { + interfaces.local.allowedTCPPorts = mkMerge [ + (mkIf kanidm.enableServer [ + kanidm.server.frontend.port + (mkIf kanidm.server.ldap.enable kanidm.server.ldap.port) + ]) + (mkIf home-assistant.enable [ + home-assistant.config.http.server_port + ]) + (mkIf mosquitto.enable (map ( + listener: + listener.port + ) + mosquitto.listeners)) + ]; + }; + + systemd.network.networks.eth0 = { + name = "eth0"; + matchConfig = { + MACAddress = "BC:24:11:CC:66:57"; + Type = "ether"; + }; + address = ["10.1.1.39/24"]; + gateway = ["10.1.1.1"]; + DHCP = "no"; + }; + + system.stateVersion = "23.11"; + }) + ]; +} diff --git a/systems/tei/nixos.nix b/systems/tei/nixos.nix deleted file mode 100644 index e101d78a..00000000 --- a/systems/tei/nixos.nix +++ /dev/null 
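Review bot: The identity provider on this host is built from `pkgs.kanidm-develop` rather than a released package, and the `lib.warnIf` wrapped around it only prints an evaluation-time warning once nixpkgs' kanidm is no longer exactly `1.1.0-rc.15`, so the develop build keeps being deployed silently after every nixpkgs bump. Since this is the host's IdP (kanidm together with vouch, with `kanidm.server.frontend.port` and, when enabled, the LDAP port opened on the `local` interface), a warning scrolling past during a deploy is easy to miss; consider `lib.throwIf` so the next bump forces a deliberate decision, or at least a comment naming what is being waited on, e.g. `# kanidm-develop is used for localhost OAuth2 origins; drop once this lands in the nixpkgs release`. The `mkIf kanidm.server.ldap.enable` guard on the LDAP port is fine, but a short comment stating which clients actually need LDAP would keep that listener from being left open out of habit.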
@@ -1,67 +0,0 @@ -{ - config, - lib, - meta, - pkgs, - ... -}: let - inherit (lib.modules) mkIf mkMerge; - inherit (config.services) kanidm mosquitto home-assistant; -in { - imports = let - inherit (meta) nixos; - in [ - nixos.reisen-ct - nixos.sops - nixos.tailscale - nixos.cloudflared - nixos.postgres - nixos.nginx - nixos.access.zigbee2mqtt - nixos.access.home-assistant - nixos.vouch - nixos.kanidm - nixos.mosquitto - nixos.home-assistant - nixos.zigbee2mqtt - nixos.syncplay - ./cloudflared.nix - ]; - - sops.defaultSopsFile = ./secrets.yaml; - - services.kanidm = { - package = lib.warnIf - (pkgs.kanidm.version != "1.1.0-rc.15") - "upstream kanidm may have localhost oauth2 support now!" - pkgs.kanidm-develop; - }; - - networking.firewall = { - interfaces.local.allowedTCPPorts = mkMerge [ - (mkIf kanidm.enableServer [ - kanidm.server.frontend.port - (mkIf kanidm.server.ldap.enable kanidm.server.ldap.port) - ]) - (mkIf home-assistant.enable [ - home-assistant.config.http.server_port - ]) - (mkIf mosquitto.enable (map (listener: - listener.port - ) mosquitto.listeners)) - ]; - }; - - systemd.network.networks.eth0 = { - name = "eth0"; - matchConfig = { - MACAddress = "BC:24:11:CC:66:57"; - Type = "ether"; - }; - address = [ "10.1.1.39/24" ]; - gateway = [ "10.1.1.1" ]; - DHCP = "no"; - }; - - system.stateVersion = "23.11"; -} diff --git a/systems/tewi/config.nix b/systems/tewi/config.nix new file mode 100644 index 00000000..7d9b1497 --- /dev/null +++ b/systems/tewi/config.nix 
@@ -0,0 +1,86 @@ +_: { + arch = "x86_64"; + type = "NixOS"; + modules = [ + ({ + meta, + config, + lib, + pkgs, + modulesPath, + ... + }: { + imports = with meta; [ + (modulesPath + "/installer/scan/not-detected.nix") + nixos.sops + nixos.tailscale + ]; + + services.kanidm.serverSettings.db_fs_type = "zfs"; + services.tailscale.advertiseExitNode = true; + services.postgresql.package = pkgs.postgresql_14; + + sops.defaultSopsFile = ./secrets.yaml; + + networking = { + useNetworkd = true; + useDHCP = false; + }; + services.resolved.enable = true; + + boot = { + loader = { + systemd-boot = { + enable = true; + }; + efi = { + canTouchEfiVariables = true; + }; + }; + initrd = { + availableKernelModules = ["xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"]; + }; + kernelModules = ["kvm-intel"]; + }; + + fileSystems = { + "/" = { + device = "/dev/disk/by-uuid/6c5d82b1-5d11-4c72-96c6-5f90e6ce57f5"; + fsType = "ext4"; + }; + "/boot" = { + device = "/dev/disk/by-uuid/85DC-72FA"; + fsType = "vfat"; + }; + }; + systemd = { + network = { + networks.eno1 = { + inherit (config.systemd.network.links.eno1) matchConfig; + networkConfig = { + DHCP = "yes"; + DNSDefaultRoute = true; + MulticastDNS = true; + }; + linkConfig.Multicast = true; + }; + links.eno1 = { + matchConfig = { + Type = "ether"; + Driver = "e1000e"; + }; + linkConfig = { + WakeOnLan = "magic"; + }; + }; + }; + }; + + swapDevices = lib.singleton { + device = "/dev/disk/by-uuid/137605d3-5e3f-47c8-8070-6783ce651932"; + }; + + system.stateVersion = "21.05"; + }) + ]; +} diff --git a/systems/tewi/nixos.nix b/systems/tewi/nixos.nix deleted file mode 100644 index f785b568..00000000 --- a/systems/tewi/nixos.nix +++ /dev/null 
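Review bot: `services.kanidm.serverSettings.db_fs_type = "zfs"` disagrees with the filesystems declared a few lines below, where `/` is ext4 and `/boot` is vfat and no zfs dataset appears; if the kanidm database lives on a zfs mount declared elsewhere (a hardware module, presumably) a comment should say so, otherwise the setting is misleading or wrong for this host. `nixos.kanidm` is also not in this module's imports, so it is not clear from this file whether the option takes effect at all. Separately, `services.tailscale.advertiseExitNode = true` offers this LAN host as an exit node for the whole tailnet and `linkConfig.WakeOnLan = "magic"` accepts wake packets on `eno1`; both are plausible choices but deserve a one-line why-comment, e.g. `# advertised as a tailnet exit node (presumably still gated by approval in the admin console)`.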
@@ -1,81 +0,0 @@ -{ - meta, - config, - lib, - pkgs, - modulesPath, - ... -}: { - imports = with meta; - [ - (modulesPath + "/installer/scan/not-detected.nix") - nixos.sops - nixos.tailscale - ]; - - services.kanidm.serverSettings.db_fs_type = "zfs"; - services.tailscale.advertiseExitNode = true; - services.postgresql.package = pkgs.postgresql_14; - - sops.defaultSopsFile = ./secrets.yaml; - - networking = { - useNetworkd = true; - useDHCP = false; - }; - services.resolved.enable = true; - - boot = { - loader = { - systemd-boot = { - enable = true; - }; - efi = { - canTouchEfiVariables = true; - }; - }; - initrd = { - availableKernelModules = ["xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"]; - }; - kernelModules = ["kvm-intel"]; - }; - - fileSystems = { - "/" = { - device = "/dev/disk/by-uuid/6c5d82b1-5d11-4c72-96c6-5f90e6ce57f5"; - fsType = "ext4"; - }; - "/boot" = { - device = "/dev/disk/by-uuid/85DC-72FA"; - fsType = "vfat"; - }; - }; - systemd = { - network = { - networks.eno1 = { - inherit (config.systemd.network.links.eno1) matchConfig; - networkConfig = { - DHCP = "yes"; - DNSDefaultRoute = true; - MulticastDNS = true; - }; - linkConfig.Multicast = true; - }; - links.eno1 = { - matchConfig = { - Type = "ether"; - Driver = "e1000e"; - }; - linkConfig = { - WakeOnLan = "magic"; - }; - }; - }; - }; - - swapDevices = lib.singleton { - device = "/dev/disk/by-uuid/137605d3-5e3f-47c8-8070-6783ce651932"; - }; - - system.stateVersion = "21.05"; -} diff --git a/tree.nix b/tree.nix index ea1fa489..c2a20fc7 100644 --- a/tree.nix +++ b/tree.nix @@ -1,8 +1,4 @@ -{ - inputs, - lib, - ... -}: (inputs.tree.tree { +{inputs, ...}: (inputs.tree.tree { inherit inputs; folder = ./.; config = { @@ -12,7 +8,6 @@ "inputs" "default" "patchedInputs" - "mkTree" "outputs" "tree" "flake" @@ -20,6 +15,11 @@ "inputs" ]; }; + systems = { + excludes = [ + "default" + ]; + }; "modules/nixos" = { functor = { external = with (import (inputs.arcexprs + "/modules")).nixos; [ 
@@ -54,7 +54,6 @@
 "nixos/*".functor = {
 enable = true;
 };
- "system".functor.enable = true;
 "hardware".evaluateDefault = true;
 "nixos/cross".evaluateDefault = true;
 "hardware/*".evaluateDefault = true;