diff --git a/systems/ct/config.nix b/systems/ct/config.nix
deleted file mode 100644
index b7ab88fd..00000000
--- a/systems/ct/config.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-_: {
- arch = "x86_64";
- type = "NixOS";
- modules = [
- ({
- meta,
- lib,
- ...
- }: {
- imports = with meta; [
- nixos.reisen-ct
- ];
-
- system.stateVersion = "23.11";
- })
- ];
-}
diff --git a/systems/ct/default.nix b/systems/ct/default.nix
new file mode 100644
index 00000000..ea396fa3
--- /dev/null
+++ b/systems/ct/default.nix
@@ -0,0 +1,7 @@
+_: {
+ arch = "x86_64";
+ type = "NixOS";
+ modules = [
+ ./nixos.nix
+ ];
+}
diff --git a/systems/ct/nixos.nix b/systems/ct/nixos.nix
new file mode 100644
index 00000000..7b2790e2
--- /dev/null
+++ b/systems/ct/nixos.nix
@@ -0,0 +1,11 @@
+{
+ meta,
+ lib,
+ ...
+}: {
+ imports = with meta; [
+ nixos.reisen-ct
+ ];
+
+ system.stateVersion = "23.11";
+}
diff --git a/systems/default.nix b/systems/default.nix
index af1de589..fc31babc 100644
--- a/systems/default.nix
+++ b/systems/default.nix
@@ -137,7 +137,7 @@
machine = name;
};
})
- (set.map (_: c: c.config) tree.systems);
+ (set.map (_: c: c) tree.systems);
processHost = name: cfg: let
host = cfg.config;
in {
diff --git a/systems/hakurei/config.nix b/systems/hakurei/config.nix
deleted file mode 100644
index 19e2cca3..00000000
--- a/systems/hakurei/config.nix
+++ /dev/null
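Review bot: `(set.map (_: c: c) tree.systems)` in the systems/default.nix hunk is now an identity map, so the wrapper presumably can be replaced by `tree.systems` itself — unless `set.map` also normalizes its result in a way that is not visible here, in which case a short comment on the line should say so. Before the change the map extracted `.config` from each system; with the extraction gone the call no longer earns its place. The enclosing expression starts and ends outside the hunk.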
@@ -1,133 +0,0 @@
-_: {
- deploy.hostname = "hakurei.local.gensokyo.zone";
- arch = "x86_64";
- type = "NixOS";
- modules = [
- ({
- config,
- meta,
- lib,
- access,
- ...
- }: let
- inherit (lib.modules) mkIf mkMerge;
- mediabox = access.systemFor "mediabox";
- tei = access.systemFor "tei";
- inherit (mediabox.services) plex;
- inherit (tei.services) kanidm;
- in {
- imports = let
- inherit (meta) nixos;
- in [
- nixos.sops
- nixos.base
- nixos.reisen-ct
- nixos.tailscale
- nixos.cloudflared
- nixos.ddclient
- nixos.acme
- nixos.nginx
- nixos.access.nginx
- nixos.access.global
- nixos.access.gensokyo
- nixos.access.kanidm
- nixos.access.proxmox
- nixos.access.plex
- ./reisen-ssh.nix
- ];
-
- sops.secrets.cloudflared-tunnel-hakurei = {
- owner = config.services.cloudflared.user;
- };
-
- services.cloudflared = let
- tunnelId = "964121e3-b3a9-4cc1-8480-954c4728b604";
- in {
- tunnels.${tunnelId} = {
- default = "http_status:404";
- credentialsFile = config.sops.secrets.cloudflared-tunnel-hakurei.path;
- ingress = {
- "prox.${config.networking.domain}".service = "http://localhost";
- ${config.networking.domain}.service = "http://localhost";
- };
- };
- };
-
- security.acme.certs = let
- inherit (config.services) nginx tailscale;
- inherit (nginx) access;
- in {
- ${access.kanidm.domain} = {
- inherit (nginx) group;
- extraDomainNames = mkMerge [
- [access.kanidm.localDomain]
- (mkIf kanidm.server.ldap.enable [
- access.kanidm.ldapDomain
- access.kanidm.ldapLocalDomain
- ])
- (mkIf tailscale.enable [
- access.kanidm.tailDomain
- ])
- (mkIf (kanidm.server.ldap.enable && tailscale.enable) [
- access.kanidm.ldapTailDomain
- ])
- ];
- };
- ${access.proxmox.domain} = {
- inherit (nginx) group;
- extraDomainNames = mkMerge [
- [access.proxmox.localDomain]
- (mkIf config.services.tailscale.enable [
- access.proxmox.tailDomain
- ])
- ];
- };
- ${access.plex.domain} = {
- inherit (nginx) group;
- extraDomainNames = [access.plex.localDomain];
- };
- };
-
- services.nginx = let
- inherit (config.services.nginx) access;
- in {
- access.plex = assert plex.enable; {
- url = "http://${mediabox.networking.access.hostnameForNetwork.local}:32400";
- };
- access.kanidm = assert kanidm.enableServer; {
- inherit (kanidm.server.frontend) domain port;
- host = tei.networking.access.hostnameForNetwork.local;
- ldapPort = kanidm.server.ldap.port;
- ldapEnable = kanidm.server.ldap.enable;
- };
- virtualHosts = {
- ${access.kanidm.domain} = {
- useACMEHost = access.kanidm.domain;
- };
- ${access.proxmox.domain} = {
- useACMEHost = access.proxmox.domain;
- };
- ${access.plex.domain} = {
- addSSL = true;
- useACMEHost = access.plex.domain;
- };
- };
- };
-
- systemd.network.networks.eth0 = {
- name = "eth0";
- matchConfig = {
- MACAddress = "BC:24:11:C4:66:A7";
- Type = "ether";
- };
- address = ["10.1.1.41/24"];
- gateway = ["10.1.1.1"];
- DHCP = "no";
- };
-
- sops.defaultSopsFile = ./secrets.yaml;
-
- system.stateVersion = "23.11";
- })
- ];
-}
diff --git a/systems/hakurei/default.nix b/systems/hakurei/default.nix
new file mode 100644
index 00000000..1bdc4637
--- /dev/null
+++ b/systems/hakurei/default.nix
@@ -0,0 +1,8 @@
+_: {
+ deploy.hostname = "hakurei.local.gensokyo.zone";
+ arch = "x86_64";
+ type = "NixOS";
+ modules = [
+ ./nixos.nix
+ ];
+}
diff --git a/systems/hakurei/nixos.nix b/systems/hakurei/nixos.nix
new file mode 100644
index 00000000..119c6a51
--- /dev/null
+++ b/systems/hakurei/nixos.nix
@@ -0,0 +1,126 @@
+{
+ config,
+ meta,
+ lib,
+ access,
+ ...
+}: let
+ inherit (lib.modules) mkIf mkMerge;
+ mediabox = access.systemFor "mediabox";
+ tei = access.systemFor "tei";
+ inherit (mediabox.services) plex;
+ inherit (tei.services) kanidm;
+in {
+ imports = let
+ inherit (meta) nixos;
+ in [
+ nixos.sops
+ nixos.base
+ nixos.reisen-ct
+ nixos.tailscale
+ nixos.cloudflared
+ nixos.ddclient
+ nixos.acme
+ nixos.nginx
+ nixos.access.nginx
+ nixos.access.global
+ nixos.access.gensokyo
+ nixos.access.kanidm
+ nixos.access.proxmox
+ nixos.access.plex
+ ./reisen-ssh.nix
+ ];
+
+ sops.secrets.cloudflared-tunnel-hakurei = {
+ owner = config.services.cloudflared.user;
+ };
+
+ services.cloudflared = let
+ tunnelId = "964121e3-b3a9-4cc1-8480-954c4728b604";
+ in {
+ tunnels.${tunnelId} = {
+ default = "http_status:404";
+ credentialsFile = config.sops.secrets.cloudflared-tunnel-hakurei.path;
+ ingress = {
+ "prox.${config.networking.domain}".service = "http://localhost";
+ ${config.networking.domain}.service = "http://localhost";
+ };
+ };
+ };
+
+ security.acme.certs = let
+ inherit (config.services) nginx tailscale;
+ inherit (nginx) access;
+ in {
+ ${access.kanidm.domain} = {
+ inherit (nginx) group;
+ extraDomainNames = mkMerge [
+ [access.kanidm.localDomain]
+ (mkIf kanidm.server.ldap.enable [
+ access.kanidm.ldapDomain
+ access.kanidm.ldapLocalDomain
+ ])
+ (mkIf tailscale.enable [
+ access.kanidm.tailDomain
+ ])
+ (mkIf (kanidm.server.ldap.enable && tailscale.enable) [
+ access.kanidm.ldapTailDomain
+ ])
+ ];
+ };
+ ${access.proxmox.domain} = {
+ inherit (nginx) group;
+ extraDomainNames = mkMerge [
+ [access.proxmox.localDomain]
+ (mkIf config.services.tailscale.enable [
+ access.proxmox.tailDomain
+ ])
+ ];
+ };
+ ${access.plex.domain} = {
+ inherit (nginx) group;
+ extraDomainNames = [access.plex.localDomain];
+ };
+ };
+
+ services.nginx = let
+ inherit (config.services.nginx) access;
+ in {
+ access.plex = assert plex.enable; {
+ url =
"http://${mediabox.networking.access.hostnameForNetwork.local}:32400";
+ };
+ access.kanidm = assert kanidm.enableServer; {
+ inherit (kanidm.server.frontend) domain port;
+ host = tei.networking.access.hostnameForNetwork.local;
+ ldapPort = kanidm.server.ldap.port;
+ ldapEnable = kanidm.server.ldap.enable;
+ };
+ virtualHosts = {
+ ${access.kanidm.domain} = {
+ useACMEHost = access.kanidm.domain;
+ };
+ ${access.proxmox.domain} = {
+ useACMEHost = access.proxmox.domain;
+ };
+ ${access.plex.domain} = {
+ addSSL = true;
+ useACMEHost = access.plex.domain;
+ };
+ };
+ };
+
+ systemd.network.networks.eth0 = {
+ name = "eth0";
+ matchConfig = {
+ MACAddress = "BC:24:11:C4:66:A7";
+ Type = "ether";
+ };
+ address = ["10.1.1.41/24"];
+ gateway = ["10.1.1.1"];
+ DHCP = "no";
+ };
+
+ sops.defaultSopsFile = ./secrets.yaml;
+
+ system.stateVersion = "23.11";
+}
diff --git a/systems/kuwubernetes/config.nix b/systems/kuwubernetes/config.nix
deleted file mode 100644
index fe1460a4..00000000
--- a/systems/kuwubernetes/config.nix
+++ /dev/null
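Review bot: In `security.acme.certs` the proxmox block tests `config.services.tailscale.enable` while `tailscale` is already bound by `inherit (config.services) nginx tailscale;` in the same `let` and the kanidm block right above uses `tailscale.enable`; both should read `(mkIf tailscale.enable [` so the two certs are guarded the same way. Separately, the cloudflared ingress routes `"prox.${config.networking.domain}"` to `http://localhost` — judging by the `nixos.access.proxmox` import and the proxmox ACME cert that is the Proxmox management UI, and nothing in this file shows what gates that hostname; a comment next to the ingress naming where the access policy lives (presumably `nixos.access.proxmox` or a Cloudflare-side policy, to be confirmed) would save the next reader from checking whether the UI is reachable through the tunnel unauthenticated. The file body is carried over from the deleted `config.nix`, so neither point is new to this commit.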
@@ -1,98 +0,0 @@
-_: {
- arch = "x86_64";
- type = "NixOS";
- modules = [
- ({
- config,
- meta,
- lib,
- modulesPath,
- ...
- }: let
- inherit (lib.attrsets) genAttrs nameValuePair;
- inherit (builtins) listToAttrs;
- dexFiles = [
- "ca-key.pem"
- "ca.pem"
- "ca.srl"
- "csr.pem"
- "key.pem"
- "req.cnf"
- ];
- in {
- imports = with meta; [
- (modulesPath + "/profiles/qemu-guest.nix")
- nixos.sops
- nixos.cloudflared
- nixos.k8s
- ];
-
- boot = {
- initrd.availableKernelModules = [
- "ata_piix"
- "uhci_hcd"
- "virtio_pci"
- "virtio_scsi"
- "sd_mod"
- "sr_mod"
- ];
- loader.grub.device = "/dev/sda";
- };
-
- fileSystems."/" = {
- device = "/dev/disk/by-uuid/5ab5efe2-0250-4bf1-8fd6-3725cdd15031";
- fsType = "ext4";
- };
-
- swapDevices = [
- {device = "/dev/disk/by-uuid/b374e454-7af5-46fc-b949-24e38a2216d5";}
- ];
-
- networking.interfaces.ens18.useDHCP = true;
-
- sops.secrets = let
- dexCommon = {
- owner = "kubernetes";
- };
- in
- {
- cloudflare_kubernetes_tunnel = {
- owner = config.services.cloudflared.user;
- };
- }
- // (genAttrs (map (name: "dex-${name}") dexFiles) (_: dexCommon));
-
- environment.etc = listToAttrs (map (name: nameValuePair "dex-ssl/${name}" {source = config.sops.secrets."dex-${name}".path;}) dexFiles);
-
- services.cloudflared = let
- tunnelId = "3dde2376-1dd1-4282-b5a4-aba272594976";
- in {
- tunnels.${tunnelId} = {
- default = "http_status:404";
- credentialsFile = config.sops.secrets.cloudflare_kubernetes_tunnel.path;
- ingress = {
- "k8s.gensokyo.zone" = {
- service = "https://localhost:6443";
- originRequest.noTLSVerify = true;
- };
- };
- };
- };
-
- systemd.network.networks.ens18 = {
- name = "ens18";
- matchConfig = {
- MACAddress = "BC:24:11:49:FE:DC";
- Type = "ether";
- };
- address = ["10.1.1.42/24"];
- gateway = ["10.1.1.1"];
- DHCP = "no";
- };
-
- sops.defaultSopsFile = ./secrets.yaml;
-
- system.stateVersion = "23.11";
- })
- ];
-}
diff --git a/systems/kuwubernetes/default.nix b/systems/kuwubernetes/default.nix
new file mode 100644
index 00000000..ea396fa3
--- /dev/null
+++ b/systems/kuwubernetes/default.nix
@@ -0,0 +1,7 @@
+_: {
+ arch = "x86_64";
+ type = "NixOS";
+ modules = [
+ ./nixos.nix
+ ];
+}
diff --git a/systems/kuwubernetes/nixos.nix b/systems/kuwubernetes/nixos.nix
new file mode 100644
index 00000000..0f0e8e87
--- /dev/null
+++ b/systems/kuwubernetes/nixos.nix
@@ -0,0 +1,92 @@
+{
+ config,
+ meta,
+ lib,
+ modulesPath,
+ ...
+}: let
+ inherit (lib.attrsets) genAttrs nameValuePair;
+ inherit (builtins) listToAttrs;
+ dexFiles = [
+ "ca-key.pem"
+ "ca.pem"
+ "ca.srl"
+ "csr.pem"
+ "key.pem"
+ "req.cnf"
+ ];
+in {
+ imports = with meta; [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ nixos.sops
+ nixos.cloudflared
+ nixos.k8s
+ ];
+
+ boot = {
+ initrd.availableKernelModules = [
+ "ata_piix"
+ "uhci_hcd"
+ "virtio_pci"
+ "virtio_scsi"
+ "sd_mod"
+ "sr_mod"
+ ];
+ loader.grub.device = "/dev/sda";
+ };
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/5ab5efe2-0250-4bf1-8fd6-3725cdd15031";
+ fsType = "ext4";
+ };
+
+ swapDevices = [
+ {device = "/dev/disk/by-uuid/b374e454-7af5-46fc-b949-24e38a2216d5";}
+ ];
+
+ networking.interfaces.ens18.useDHCP = true;
+
+ sops.secrets = let
+ dexCommon = {
+ owner = "kubernetes";
+ };
+ in
+ {
+ cloudflare_kubernetes_tunnel = {
+ owner = config.services.cloudflared.user;
+ };
+ }
+ // (genAttrs (map (name: "dex-${name}") dexFiles) (_: dexCommon));
+
+ environment.etc = listToAttrs (map (name: nameValuePair "dex-ssl/${name}" {source = config.sops.secrets."dex-${name}".path;}) dexFiles);
+
+ services.cloudflared = let
+ tunnelId = "3dde2376-1dd1-4282-b5a4-aba272594976";
+ in {
+ tunnels.${tunnelId} = {
+ default = "http_status:404";
+ credentialsFile = config.sops.secrets.cloudflare_kubernetes_tunnel.path;
+ ingress = {
+ "k8s.gensokyo.zone" = {
+ service = "https://localhost:6443";
+ originRequest.noTLSVerify = true;
+ };
+ };
+ };
+ };
+
+ systemd.network.networks.ens18 = {
+ name = "ens18";
+ matchConfig = {
+ MACAddress = "BC:24:11:49:FE:DC";
+ Type = "ether";
+ };
+ address = ["10.1.1.42/24"];
+ gateway = ["10.1.1.1"];
+ DHCP = "no";
+ };
+
+ sops.defaultSopsFile = ./secrets.yaml;
+
+ system.stateVersion = "23.11";
+}
diff --git a/systems/mediabox/config.nix b/systems/mediabox/config.nix
deleted file mode 100644
index aef1945a..00000000
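Review bot: `originRequest.noTLSVerify = true;` on the `"k8s.gensokyo.zone"` ingress turns off certificate verification between cloudflared and the API server at `https://localhost:6443`; the origin is loopback so the exposure is limited, but the cluster's serving CA is known and can be trusted explicitly with `originRequest.caPool = "<path to the API server CA>";` (plus `originServerName` if the certificate's SAN does not cover localhost) instead of disabling verification. Separately, `networking.interfaces.ens18.useDHCP = true;` and the `systemd.network.networks.ens18` block with `DHCP = "no";` and a static `10.1.1.42/24` contradict each other; which one takes effect depends on whether networkd is enabled by a module not shown here, so one of the two should be removed. `dexFiles` also deploys `"ca-key.pem"` to `/etc/dex-ssl/`; if dex only presents a certificate, the CA private key need not be on this node, and a comment stating why it is required would help. The file body is carried over from the deleted `config.nix`, so none of this is new to the commit.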
--- a/systems/mediabox/config.nix
+++ /dev/null
@@ -1,130 +0,0 @@
-_: {
- deploy.hostname = "mediabox.local.gensokyo.zone";
- arch = "x86_64";
- type = "NixOS";
- modules = [
- ({
- config,
- meta,
- lib,
- pkgs,
- ...
- }: let
- inherit (lib.modules) mkIf mkMerge;
- inherit (lib.attrsets) mapAttrs mapAttrsToList;
- inherit (lib.strings) removePrefix;
- inherit (config.services) deluge plex tautulli ombi sonarr radarr bazarr lidarr readarr prowlarr cloudflared;
- kyuuto = "/mnt/kyuuto-media";
- kyuuto-library = kyuuto + "/library";
- plexLibrary = {
- "/mnt/Anime".hostPath = kyuuto-library + "/anime";
- "/mnt/Shows".hostPath = kyuuto-library + "/tv";
- "/mnt/Movies".hostPath = kyuuto-library + "/movies";
- "/mnt/Music".hostPath = kyuuto-library + "/music";
- };
- in {
- imports = let
- inherit (meta) nixos;
- in [
- nixos.reisen-ct
- nixos.sops
- nixos.nginx
- nixos.access.plex
- nixos.cloudflared
-
- # media
- nixos.plex
- nixos.tautulli
- nixos.ombi
- nixos.deluge
- nixos.mediatomb
-
- # yarr harr fiddle dee dee >w<
- nixos.radarr
- nixos.sonarr
- nixos.bazarr
- nixos.lidarr
- nixos.readarr
- nixos.prowlarr
- ];
-
- services.mediatomb = {
- serverName = "tewi";
- mediaDirectories = let
- mkLibraryDir = dir: {
- path = kyuuto-library + "/${dir}";
- mountPoint = kyuuto-library;
- };
- libraryDir = {
- path = kyuuto-library;
- mountPoint = kyuuto-library;
- subdirectories =
- mapAttrsToList (
- _: {hostPath, ...}:
- removePrefix "${kyuuto-library}/" hostPath
- )
- plexLibrary
- ++ ["tlmc" "music-raw"];
- };
- in
- [libraryDir] ++ map mkLibraryDir ["tlmc" "music-raw" "lewd"];
- };
-
- hardware.opengl = {
- enable = true;
- extraPackages = with pkgs; [mesa.drivers vaapiVdpau libvdpau-va-gl];
- };
-
- fileSystems = let
- bind = {
- fsType = "none";
- options = ["bind" "nofail"];
- };
- fsPlex = mapAttrs (_: {hostPath, ...}:
- mkMerge [
- bind
- {
- device = hostPath;
- }
- ])
- plexLibrary;
- fsDeluge = {
- "${deluge.downloadDir}" = mkIf deluge.enable (mkMerge [
- bind
- {
- device = kyuuto +
"/downloads/deluge/download"; + }- ]);
- };
- in
- mkMerge [
- fsPlex
- (mkIf deluge.enable fsDeluge)
- ];
-
- systemd.services.deluged = mkIf deluge.enable {
- unitConfig.RequiresMountsFor = [
- "${deluge.downloadDir}"
- ];
- };
- systemd.services.plex = mkIf plex.enable {
- unitConfig.RequiresMountsFor = mapAttrsToList (path: _: path) plexLibrary;
- };
-
- systemd.network.networks.eth0 = {
- name = "eth0";
- matchConfig = {
- MACAddress = "BC:24:11:34:F4:A8";
- Type = "ether";
- };
- address = ["10.1.1.44/24"];
- gateway = ["10.1.1.1"];
- DHCP = "no";
- };
-
- sops.defaultSopsFile = ./secrets.yaml;
-
- system.stateVersion = "21.05";
- })
- ];
-}
diff --git a/systems/mediabox/default.nix b/systems/mediabox/default.nix
new file mode 100644
index 00000000..dbafc582
--- /dev/null
+++ b/systems/mediabox/default.nix
@@ -0,0 +1,8 @@
+_: {
+ deploy.hostname = "mediabox.local.gensokyo.zone";
+ arch = "x86_64";
+ type = "NixOS";
+ modules = [
+ ./nixos.nix
+ ];
+}
diff --git a/systems/mediabox/nixos.nix b/systems/mediabox/nixos.nix
new file mode 100644
index 00000000..169da2a0
--- /dev/null
+++ b/systems/mediabox/nixos.nix
@@ -0,0 +1,123 @@
+{
+ config,
+ meta,
+ lib,
+ pkgs,
+ ...
+}: let
+ inherit (lib.modules) mkIf mkMerge;
+ inherit (lib.attrsets) mapAttrs mapAttrsToList;
+ inherit (lib.strings) removePrefix;
+ inherit (config.services) deluge plex tautulli ombi sonarr radarr bazarr lidarr readarr prowlarr cloudflared;
+ kyuuto = "/mnt/kyuuto-media";
+ kyuuto-library = kyuuto + "/library";
+ plexLibrary = {
+ "/mnt/Anime".hostPath = kyuuto-library + "/anime";
+ "/mnt/Shows".hostPath = kyuuto-library + "/tv";
+ "/mnt/Movies".hostPath = kyuuto-library + "/movies";
+ "/mnt/Music".hostPath = kyuuto-library + "/music";
+ };
+in {
+ imports = let
+ inherit (meta) nixos;
+ in [
+ nixos.reisen-ct
+ nixos.sops
+ nixos.nginx
+ nixos.access.plex
+ nixos.cloudflared
+
+ # media
+ nixos.plex
+ nixos.tautulli
+ nixos.ombi
+ nixos.deluge
+ nixos.mediatomb
+
+ # yarr harr fiddle dee dee >w<
+ nixos.radarr
+ nixos.sonarr
+ nixos.bazarr
+ nixos.lidarr
+ nixos.readarr
+ nixos.prowlarr
+ ];
+
+ services.mediatomb = {
+ serverName = "tewi";
+ mediaDirectories = let
+ mkLibraryDir = dir: {
+ path = kyuuto-library + "/${dir}";
+ mountPoint = kyuuto-library;
+ };
+ libraryDir = {
+ path = kyuuto-library;
+ mountPoint = kyuuto-library;
+ subdirectories =
+ mapAttrsToList (
+ _: {hostPath, ...}:
+ removePrefix "${kyuuto-library}/" hostPath
+ )
+ plexLibrary
+ ++ ["tlmc" "music-raw"];
+ };
+ in
+ [libraryDir] ++ map mkLibraryDir ["tlmc" "music-raw" "lewd"];
+ };
+
+ hardware.opengl = {
+ enable = true;
+ extraPackages = with pkgs; [mesa.drivers vaapiVdpau libvdpau-va-gl];
+ };
+
+ fileSystems = let
+ bind = {
+ fsType = "none";
+ options = ["bind" "nofail"];
+ };
+ fsPlex = mapAttrs (_: {hostPath, ...}:
+ mkMerge [
+ bind
+ {
+ device = hostPath;
+ }
+ ])
+ plexLibrary;
+ fsDeluge = {
+ "${deluge.downloadDir}" = mkIf deluge.enable (mkMerge [
+ bind
+ {
+ device = kyuuto + "/downloads/deluge/download";
+ }
+ ]);
+ };
+ in
+ mkMerge [
+ fsPlex
+ (mkIf deluge.enable fsDeluge)
+ ];
+
+ systemd.services.deluged
= mkIf deluge.enable {
+ unitConfig.RequiresMountsFor = [
+ "${deluge.downloadDir}"
+ ];
+ };
+ systemd.services.plex = mkIf plex.enable {
+ unitConfig.RequiresMountsFor = mapAttrsToList (path: _: path) plexLibrary;
+ };
+
+ systemd.network.networks.eth0 = {
+ name = "eth0";
+ matchConfig = {
+ MACAddress = "BC:24:11:34:F4:A8";
+ Type = "ether";
+ };
+ address = ["10.1.1.44/24"];
+ gateway = ["10.1.1.1"];
+ DHCP = "no";
+ };
+
+ sops.defaultSopsFile = ./secrets.yaml;
+
+ system.stateVersion = "21.05";
+}
diff --git a/systems/tei/config.nix b/systems/tei/config.nix
deleted file mode 100644
index c2829b0d..00000000
--- a/systems/tei/config.nix
+++ /dev/null
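Review bot: The `inherit (config.services) deluge plex tautulli ombi sonarr radarr bazarr lidarr readarr prowlarr cloudflared;` binding in the `let` brings in eleven names of which only `deluge` and `plex` are used in this file (in `fileSystems`, `systemd.services.deluged` and `systemd.services.plex`); trimming it to `inherit (config.services) deluge plex;` stops a reader from hunting for uses that do not exist. A one-line comment on `bind` would also help: `options = ["bind" "nofail"]` together with the `RequiresMountsFor` entries presumably exists so that plex and deluged never start against an empty mount point when the kyuuto share is absent, but that intent is not stated anywhere. The file body is carried over from the deleted `config.nix`, so neither point is new to this commit.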
@@ -1,76 +0,0 @@
-_: {
- arch = "x86_64";
- type = "NixOS";
- modules = [
- ({
- config,
- lib,
- meta,
- pkgs,
- ...
- }: let
- inherit (lib.modules) mkIf mkMerge;
- inherit (config.services) kanidm mosquitto home-assistant;
- in {
- imports = let
- inherit (meta) nixos;
- in [
- nixos.reisen-ct
- nixos.sops
- nixos.tailscale
- nixos.cloudflared
- nixos.postgres
- nixos.nginx
- nixos.access.zigbee2mqtt
- nixos.access.home-assistant
- nixos.vouch
- nixos.kanidm
- nixos.mosquitto
- nixos.home-assistant
- nixos.zigbee2mqtt
- nixos.syncplay
- ./cloudflared.nix
- ];
-
- sops.defaultSopsFile = ./secrets.yaml;
-
- services.kanidm = {
- package =
- lib.warnIf
- (pkgs.kanidm.version != "1.1.0-rc.15")
- "upstream kanidm may have localhost oauth2 support now!"
- pkgs.kanidm-develop;
- };
-
- networking.firewall = {
- interfaces.local.allowedTCPPorts = mkMerge [
- (mkIf kanidm.enableServer [
- kanidm.server.frontend.port
- (mkIf kanidm.server.ldap.enable kanidm.server.ldap.port)
- ])
- (mkIf home-assistant.enable [
- home-assistant.config.http.server_port
- ])
- (mkIf mosquitto.enable (map (
- listener:
- listener.port
- )
- mosquitto.listeners))
- ];
- };
-
- systemd.network.networks.eth0 = {
- name = "eth0";
- matchConfig = {
- MACAddress = "BC:24:11:CC:66:57";
- Type = "ether";
- };
- address = ["10.1.1.39/24"];
- gateway = ["10.1.1.1"];
- DHCP = "no";
- };
-
- system.stateVersion = "23.11";
- })
- ];
-}
diff --git a/systems/tei/default.nix b/systems/tei/default.nix
new file mode 100644
index 00000000..ea396fa3
--- /dev/null
+++ b/systems/tei/default.nix
@@ -0,0 +1,7 @@
+_: {
+ arch = "x86_64";
+ type = "NixOS";
+ modules = [
+ ./nixos.nix
+ ];
+}
diff --git a/systems/tei/nixos.nix b/systems/tei/nixos.nix
new file mode 100644
index 00000000..314ae710
--- /dev/null
+++ b/systems/tei/nixos.nix
@@ -0,0 +1,70 @@
+{
+ config,
+ lib,
+ meta,
+ pkgs,
+ ...
+}: let
+ inherit (lib.modules) mkIf mkMerge;
+ inherit (config.services) kanidm mosquitto home-assistant;
+in {
+ imports = let
+ inherit (meta) nixos;
+ in [
+ nixos.reisen-ct
+ nixos.sops
+ nixos.tailscale
+ nixos.cloudflared
+ nixos.postgres
+ nixos.nginx
+ nixos.access.zigbee2mqtt
+ nixos.access.home-assistant
+ nixos.vouch
+ nixos.kanidm
+ nixos.mosquitto
+ nixos.home-assistant
+ nixos.zigbee2mqtt
+ nixos.syncplay
+ ./cloudflared.nix
+ ];
+
+ sops.defaultSopsFile = ./secrets.yaml;
+
+ services.kanidm = {
+ package =
+ lib.warnIf
+ (pkgs.kanidm.version != "1.1.0-rc.15")
+ "upstream kanidm may have localhost oauth2 support now!"
+ pkgs.kanidm-develop;
+ };
+
+ networking.firewall = {
+ interfaces.local.allowedTCPPorts = mkMerge [
+ (mkIf kanidm.enableServer [
+ kanidm.server.frontend.port
+ (mkIf kanidm.server.ldap.enable kanidm.server.ldap.port)
+ ])
+ (mkIf home-assistant.enable [
+ home-assistant.config.http.server_port
+ ])
+ (mkIf mosquitto.enable (map (
+ listener:
+ listener.port
+ )
+ mosquitto.listeners))
+ ];
+ };
+
+ systemd.network.networks.eth0 = {
+ name = "eth0";
+ matchConfig = {
+ MACAddress = "BC:24:11:CC:66:57";
+ Type = "ether";
+ };
+ address = ["10.1.1.39/24"];
+ gateway = ["10.1.1.1"];
+ DHCP = "no";
+ };
+
+ system.stateVersion = "23.11";
+}
diff --git a/systems/tewi/config.nix b/systems/tewi/config.nix
deleted file mode 100644
index 7d9b1497..00000000
--- a/systems/tewi/config.nix
+++ /dev/null
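Review bot: `services.kanidm.package` is unconditionally `pkgs.kanidm-develop`; the `lib.warnIf (pkgs.kanidm.version != "1.1.0-rc.15") …` wrapper only decides whether a warning is printed, so once nixpkgs moves past that version the identity provider keeps running the develop build with a warning nobody is forced to act on. A comment stating what the develop build provides (the warning text suggests localhost OAuth2 support) and where `kanidm-develop` comes from (presumably an overlay in this repo — it is not something I can see defined here) would make the pin reviewable, e.g. `# kanidm-develop: needed for localhost oauth2 support; revisit once upstream kanidm moves past 1.1.0-rc.15`. This host is the kanidm server that other systems rely on (hakurei's `tei = access.systemFor "tei"` reads `tei.services.kanidm`), so a deliberate, documented pin matters more here than elsewhere. The file body is carried over from the deleted `config.nix`, so this predates the commit.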
@@ -1,86 +0,0 @@
-_: {
- arch = "x86_64";
- type = "NixOS";
- modules = [
- ({
- meta,
- config,
- lib,
- pkgs,
- modulesPath,
- ...
- }: {
- imports = with meta; [
- (modulesPath + "/installer/scan/not-detected.nix")
- nixos.sops
- nixos.tailscale
- ];
-
- services.kanidm.serverSettings.db_fs_type = "zfs";
- services.tailscale.advertiseExitNode = true;
- services.postgresql.package = pkgs.postgresql_14;
-
- sops.defaultSopsFile = ./secrets.yaml;
-
- networking = {
- useNetworkd = true;
- useDHCP = false;
- };
- services.resolved.enable = true;
-
- boot = {
- loader = {
- systemd-boot = {
- enable = true;
- };
- efi = {
- canTouchEfiVariables = true;
- };
- };
- initrd = {
- availableKernelModules = ["xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"];
- };
- kernelModules = ["kvm-intel"];
- };
-
- fileSystems = {
- "/" = {
- device = "/dev/disk/by-uuid/6c5d82b1-5d11-4c72-96c6-5f90e6ce57f5";
- fsType = "ext4";
- };
- "/boot" = {
- device = "/dev/disk/by-uuid/85DC-72FA";
- fsType = "vfat";
- };
- };
- systemd = {
- network = {
- networks.eno1 = {
- inherit (config.systemd.network.links.eno1) matchConfig;
- networkConfig = {
- DHCP = "yes";
- DNSDefaultRoute = true;
- MulticastDNS = true;
- };
- linkConfig.Multicast = true;
- };
- links.eno1 = {
- matchConfig = {
- Type = "ether";
- Driver = "e1000e";
- };
- linkConfig = {
- WakeOnLan = "magic";
- };
- };
- };
- };
-
- swapDevices = lib.singleton {
- device = "/dev/disk/by-uuid/137605d3-5e3f-47c8-8070-6783ce651932";
- };
-
- system.stateVersion = "21.05";
- })
- ];
-}
diff --git a/systems/tewi/default.nix b/systems/tewi/default.nix
new file mode 100644
index 00000000..ea396fa3
--- /dev/null
+++ b/systems/tewi/default.nix
@@ -0,0 +1,7 @@
+_: {
+ arch = "x86_64";
+ type = "NixOS";
+ modules = [
+ ./nixos.nix
+ ];
+}
diff --git a/systems/tewi/nixos.nix b/systems/tewi/nixos.nix
new file mode 100644
index 00000000..36953ea4
--- /dev/null
+++ b/systems/tewi/nixos.nix
@@ -0,0 +1,80 @@
+{
+ meta,
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}: {
+ imports = with meta; [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ nixos.sops
+ nixos.tailscale
+ ];
+
+ services.kanidm.serverSettings.db_fs_type = "zfs";
+ services.tailscale.advertiseExitNode = true;
+ services.postgresql.package = pkgs.postgresql_14;
+
+ sops.defaultSopsFile = ./secrets.yaml;
+
+ networking = {
+ useNetworkd = true;
+ useDHCP = false;
+ };
+ services.resolved.enable = true;
+
+ boot = {
+ loader = {
+ systemd-boot = {
+ enable = true;
+ };
+ efi = {
+ canTouchEfiVariables = true;
+ };
+ };
+ initrd = {
+ availableKernelModules = ["xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"];
+ };
+ kernelModules = ["kvm-intel"];
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-uuid/6c5d82b1-5d11-4c72-96c6-5f90e6ce57f5";
+ fsType = "ext4";
+ };
+ "/boot" = {
+ device = "/dev/disk/by-uuid/85DC-72FA";
+ fsType = "vfat";
+ };
+ };
+ systemd = {
+ network = {
+ networks.eno1 = {
+ inherit (config.systemd.network.links.eno1) matchConfig;
+ networkConfig = {
+ DHCP = "yes";
+ DNSDefaultRoute = true;
+ MulticastDNS = true;
+ };
+ linkConfig.Multicast = true;
+ };
+ links.eno1 = {
+ matchConfig = {
+ Type = "ether";
+ Driver = "e1000e";
+ };
+ linkConfig = {
+ WakeOnLan = "magic";
+ };
+ };
+ };
+ };
+
+ swapDevices = lib.singleton {
+ device = "/dev/disk/by-uuid/137605d3-5e3f-47c8-8070-6783ce651932";
+ };
+
+ system.stateVersion = "21.05";
+}
diff --git a/tree.nix b/tree.nix
index c2a20fc7..ba61eb56 100644
--- a/tree.nix
+++ b/tree.nix
@@ -20,6 +20,9 @@
"default"
];
};
+ "systems/*" = {
+ aliasDefault = true;
+ };
"modules/nixos" = {
functor = {
external = with (import (inputs.arcexprs + "/modules")).nixos; [
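Review bot: `services.tailscale.advertiseExitNode = true;` makes tewi an exit node for the tailnet — any peer can route its internet traffic through this host — and nothing in the file says why; a comment such as `# tewi is the tailnet exit node: peers may route all internet traffic through it` next to the line would document the exposure for whoever audits the tailnet later. `advertiseExitNode` is not an upstream NixOS option, so it is presumably defined by the imported `nixos.tailscale` module; the wording should be checked against that module. Also, `services.kanidm.serverSettings.db_fs_type = "zfs";` and `services.postgresql.package = pkgs.postgresql_14;` are set here although neither a kanidm nor a postgres module is imported on this host; if those services are enabled by something not shown, a comment pointing there would help, otherwise they look like leftovers. The file body is carried over from the deleted `config.nix`, so these predate the commit.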
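Review bot: `"systems/*" = { aliasDefault = true; };` is presumably the setting that makes each `systems/<name>` directory resolve to its `default.nix`, which is why `config.nix` becomes `default.nix` across this commit and `systems/default.nix` now maps `c: c` instead of `c: c.config`, but the entry carries no explanation of that link; a comment such as `# systems/<name> resolves to its default.nix; see systems/default.nix` would tie the three changes together. I cannot see the tree module that interprets `aliasDefault`, so the exact wording should be confirmed against it. The enclosing attribute set starts before and ends after the hunk.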