diff --git a/.github/workflows/niv-update.yml b/.github/workflows/niv-update.yml index 067bef60..74f08621 100644 --- a/.github/workflows/niv-update.yml +++ b/.github/workflows/niv-update.yml @@ -5,6 +5,15 @@ env: CI_PLATFORM: gh-actions OPENSSH_PRIVATE_KEY: ${{ secrets.OPENSSH_PRIVATE_KEY }} jobs: + ci: + name: ci + runs-on: ubuntu-latest + steps: + - id: aarch64 + name: prepare for aarch64 builds + run: 'sudo aarch64binfmt + + ' ci-check: name: niv-update check runs-on: ubuntu-latest diff --git a/.github/workflows/nodes.yml b/.github/workflows/nodes.yml index 47936349..01d59bff 100644 --- a/.github/workflows/nodes.yml +++ b/.github/workflows/nodes.yml @@ -117,6 +117,15 @@ jobs: command: ci-build-cache quiet: false stdin: ${{ runner.temp }}/ci.build.cache + ci: + name: ci + runs-on: ubuntu-latest + steps: + - id: aarch64 + name: prepare for aarch64 builds + run: 'sudo aarch64binfmt + + ' ci-check: name: nodes check runs-on: ubuntu-latest 
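Review bot: The new `ci` job consists of a single `sudo aarch64binfmt` step with no checkout, nix-install or setup step ahead of it, so `aarch64binfmt` (a package produced by the `environment.bootstrap` derivation added in this same commit) is unlikely to be on the runner's PATH and the job will presumably fail with command-not-found; the `ci` job added to `.github/workflows/nodes.yml` in the next hunk has the same shape. Both files are exported from the Nix CI config, so the fix belongs there: attach the step to the jobs that actually build (`jobs.<job>.step.aarch64` for each host job, in particular `nodes-daiyousei`, whose host is aarch64-linux) instead of creating a stand-alone `ci` job, or give the new job the usual bootstrap steps. If the CI framework normally populates `jobs.ci` with standard steps and this export is simply stale, regenerate the workflows before merging so the checked-in yaml matches what runs.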
@@ -142,6 +151,63 @@ jobs: args: -u .github/workflows/nodes.yml .ci/workflow.yml attrs: nixpkgs.diffutils command: diff + daiyousei: + name: nodes-daiyousei + runs-on: ubuntu-latest + steps: + - id: checkout + name: git clone + uses: actions/checkout@v1 + with: + submodules: false + - id: nix-install + name: nix install + uses: arcnmx/ci/actions/nix/install@master + - id: ci-setup + name: nix setup + uses: arcnmx/ci/actions/nix/run@master + with: + attrs: ci.job.daiyousei.run.bootstrap + quiet: false + - id: ci-dirty + name: nix test dirty + uses: arcnmx/ci/actions/nix/run@master + with: + attrs: ci.job.daiyousei.run.test + command: ci-build-dirty + quiet: false + stdout: ${{ runner.temp }}/ci.build.dirty + - id: ci-test + name: nix test build + uses: arcnmx/ci/actions/nix/run@master + with: + attrs: ci.job.daiyousei.run.test + command: ci-build-realise + ignore-exit-code: true + quiet: false + stdin: ${{ runner.temp }}/ci.build.dirty + - env: + CI_EXIT_CODE: ${{ steps.ci-test.outputs.exit-code }} + id: ci-summary + name: nix test results + uses: arcnmx/ci/actions/nix/run@master + with: + attrs: ci.job.daiyousei.run.test + command: ci-build-summarise + quiet: false + stdin: ${{ runner.temp }}/ci.build.dirty + stdout: ${{ runner.temp }}/ci.build.cache + - env: + CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }} + id: ci-cache + if: always() + name: nix test cache + uses: arcnmx/ci/actions/nix/run@master + with: + attrs: ci.job.daiyousei.run.test + command: ci-build-cache + quiet: false + stdin: ${{ runner.temp }}/ci.build.cache ostara: name: nodes-ostara runs-on: ubuntu-latest diff --git a/ci/niv-cron.nix b/ci/niv-cron.nix index 07be6a4c..8f8a4bb4 100644 --- a/ci/niv-cron.nix +++ b/ci/niv-cron.nix 
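Review bot: The new `nodes-daiyousei` job has no binfmt preparation step, yet `config/hosts/daiyousei/nixos.nix` in this same commit sets `nixpkgs.localSystem` to aarch64-linux, so any native build performed by `ci-build-realise` would need the `aarch64binfmt` registration that this commit only attaches to the separate `ci` job. Unless the `ci` job is a declared dependency of this one (nothing visible in this hunk says so), move or duplicate the `prepare for aarch64 builds` step into this job ahead of `ci-setup`. Secondarily, every `uses:` here references `arcnmx/ci/actions/nix/run@master` — a mutable ref executed with `CACHIX_SIGNING_KEY` in scope — and `actions/checkout@v1`; this matches the existing jobs in the file, but pinning to a tag or commit SHA in the generator would close that supply-chain gap the next time it is touched.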
@@ -4,9 +4,31 @@ with lib; { ci.gh-actions.enable = true; ci.gh-actions.export = true; + nix.config.extraPlatforms = "aarch64-linux"; + gh-actions.env.OPENSSH_PRIVATE_KEY = "\${{ secrets.OPENSSH_PRIVATE_KEY }}"; gh-actions.env.CACHIX_SIGNING_KEY = "\${{ secrets.CACHIX_SIGNING_KEY }}"; + # ensure sources are fetched and available in the local store before evaluating host configs + environment.bootstrap = { + aarch64binfmt = + let + makeQemuWrapper = name: '' + mkdir -f /run/binfmt + rm -f /run/binfmt/${name} + cat > /run/binfmt/${name} << 'EOF' + #!${channels.cipkgs.bash}/bin/sh + exec -- ${channels.cipkgs.qemu}/bin/qemu-${name} "$@" + EOF + chmod +x /run/binfmt/${name} + ''; in + channels.cipkgs.writeShellScriptBin "aarch64binfmt" '' + ${makeQemuWrapper "aarch64"} + mount binfmt_misc -t binfmt_misc /proc/sys/fs/binfmt_misc + echo ':aarch64-linux:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xb7\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\x00\xff\xfe\xff\xff\xff:/run/binfmt/aarch64:' > /proc/sys/fs/binfmt_misc/register + ''; + }; + gh-actions = { on = let @@ -27,6 +49,13 @@ with lib; { cron = "0 0 * * *"; }]; }; + jobs.ci.step.aarch64 = { + order = 201; + name = "prepare for aarch64 builds"; + run = '' + sudo aarch64binfmt + ''; + }; }; channels = { diff --git a/ci/nodes.nix b/ci/nodes.nix index 97c60656..d2e49ed7 100644 --- a/ci/nodes.nix +++ b/ci/nodes.nix 
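Review bot: `mkdir -f /run/binfmt` in `makeQemuWrapper` is not a valid GNU mkdir invocation (there is no `-f`; `-p` is the idempotent form), so on a runner where `/run/binfmt` does not already exist the qemu wrapper is never written, and because `writeShellScriptBin` does not enable `set -e` the failure is masked and the `binfmt_misc` registration is left pointing at a missing interpreter. Change it to `mkdir -p /run/binfmt` and consider `set -eu` at the top of the `aarch64binfmt` script so a failed mkdir, mount or registration fails the CI step instead of surfacing later as an exec error. The same block is duplicated verbatim in `ci/nodes.nix` (hunk `@@ -1,11 +1,39`) and needs the same fix. Note also that `mount binfmt_misc -t binfmt_misc /proc/sys/fs/binfmt_misc` will likely return non-zero on a runner that already has it mounted — harmless today only because errors are ignored.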
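Review bot: `run = "sudo aarch64binfmt"` in `jobs.ci.step.aarch64` relies on `aarch64binfmt` being resolvable under sudo; on stock Ubuntu runners sudoers applies `secure_path`, so a command that lives only on the invoking user's Nix-provided PATH is not found unless the bootstrap installs it somewhere on that path. Resolving it before escalating — `sudo "$(command -v aarch64binfmt)"` — makes the step independent of sudo's PATH policy. The same `run` text is repeated in `ci/nodes.nix`. Whether `order = 201` places this after the nix setup steps cannot be confirmed from this hunk.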
@@ -1,11 +1,39 @@ -{ lib, channels, env, ... }: with lib; { +{ lib, config, channels, env, ... }: with lib; { name = "nodes"; ci.gh-actions.enable = true; ci.gh-actions.export = true; channels.nixfiles.path = ../.; + nix.config.extraPlatforms = "aarch64-linux"; + + gh-actions = { + jobs.ci.step.aarch64 = { + order = 201; + name = "prepare for aarch64 builds"; + run = '' + sudo aarch64binfmt + ''; + }; + }; + # ensure sources are fetched and available in the local store before evaluating host configs environment.bootstrap = { + aarch64binfmt = + let + makeQemuWrapper = name: '' + mkdir -f /run/binfmt + rm -f /run/binfmt/${name} + cat > /run/binfmt/${name} << 'EOF' + #!${channels.cipkgs.bash}/bin/sh + exec -- ${channels.cipkgs.qemu}/bin/qemu-${name} "$@" + EOF + chmod +x /run/binfmt/${name} + ''; in + channels.cipkgs.writeShellScriptBin "aarch64binfmt" '' + ${makeQemuWrapper "aarch64"} + mount binfmt_misc -t binfmt_misc /proc/sys/fs/binfmt_misc + echo ':aarch64-linux:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xb7\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\x00\xff\xfe\xff\xff\xff:/run/binfmt/aarch64:' > /proc/sys/fs/binfmt_misc/register + ''; sourceCache = channels.cipkgs.runCommand "sources" { srcs = attrNames channels.nixfiles.sourceCache.local; diff --git a/config/hosts/daiyousei/nixos.nix b/config/hosts/daiyousei/nixos.nix index b2d85965..f41b7b0e 100644 --- a/config/hosts/daiyousei/nixos.nix +++ b/config/hosts/daiyousei/nixos.nix @@ -12,7 +12,7 @@ in services.nginx ]; - deploy.tf.providers.local = {}; + deploy.tf.providers.local = { }; nixpkgs.localSystem = systems.examples.aarch64-multiplatform // { system = "aarch64-linux"; diff --git a/config/modules/home/secrets.nix b/config/modules/home/secrets.nix index 767023bb..f31d2255 100644 --- a/config/modules/home/secrets.nix +++ b/config/modules/home/secrets.nix 
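Review bot: The whole `aarch64binfmt` bootstrap derivation and the `jobs.ci.step.aarch64` stanza are copied verbatim from `ci/niv-cron.nix` into `ci/nodes.nix`, so the binfmt registration string, the qemu wrapper and the sudo step now have to be kept in sync by hand in two files; factoring them into one shared module (for example a new `ci/` file imported by both) keeps a single source of truth. The `config` argument added to the module signature is not used by anything visible in this hunk, so either drop it or leave a comment saying why it is needed. The `echo '...' > /proc/sys/fs/binfmt_misc/register` line deserves a comment naming the format, since the hex string is opaque to the next reader — e.g. `# binfmt_misc entry: ELF, e_type EXEC, e_machine 0xb7 (AArch64); see Documentation/admin-guide/binfmt-misc.rst`.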
@@ -29,11 +29,11 @@ in secrets = { variables = mkOption { type = types.attrsOf secretType; - default = {}; + default = { }; }; repo = mkOption { type = types.attrsOf repoSecretType; - default = {}; + default = { }; }; }; }; diff --git a/config/modules/meta/network.nix b/config/modules/meta/network.nix index bbbaeb42..5ec092e2 100644 --- a/config/modules/meta/network.nix +++ b/config/modules/meta/network.nix @@ -31,12 +31,14 @@ with lib; config = { nixpkgs = { system = mkDefault pkgs.system; - pkgs = let - pkgsReval = import pkgs.path { - inherit (config.nixpkgs) localSystem crossSystem; - inherit (pkgs) overlays config; - }; - in mkDefault (if config.nixpkgs.config == pkgs.config && config.nixpkgs.localSystem.system == pkgs.targetPlatform.system then pkgs else pkgsReval); + pkgs = + let + pkgsReval = import pkgs.path { + inherit (config.nixpkgs) localSystem crossSystem; + inherit (pkgs) overlays config; + }; + in + mkDefault (if config.nixpkgs.config == pkgs.config && config.nixpkgs.localSystem.system == pkgs.targetPlatform.system then pkgs else pkgsReval); }; }; }; diff --git a/config/modules/nixos/secrets.nix b/config/modules/nixos/secrets.nix index fafb1e48..6b92ace6 100644 --- a/config/modules/nixos/secrets.nix +++ b/config/modules/nixos/secrets.nix @@ -32,11 +32,11 @@ in }; variables = mkOption { type = types.attrsOf secretType; - default = {}; + default = { }; }; repo = mkOption { type = types.attrsOf repoSecretType; - default = {}; + default = { }; }; }; }; 
@@ -44,14 +44,16 @@ in { kw.secrets.variables = lib.mkMerge (mapAttrsToList (username: user: user.kw.secrets.variables) config.home-manager.users); } - (mkIf (cfg.variables != {}) { - deploy.tf.variables = mapAttrs' (name: content: - nameValuePair name ({ - value.shellCommand = "${cfg.command} ${content.path}" + optionalString (content.field != "") " -f ${content.field}"; - type = "string"; - sensitive = true; - }) - ) cfg.variables; + (mkIf (cfg.variables != { }) { + deploy.tf.variables = mapAttrs' + (name: content: + nameValuePair name ({ + value.shellCommand = "${cfg.command} ${content.path}" + optionalString (content.field != "") " -f ${content.field}"; + type = "string"; + sensitive = true; + }) + ) + cfg.variables; }) ]; } diff --git a/config/modules/nixos/yggdrasil.nix b/config/modules/nixos/yggdrasil.nix index 20402003..5ea6d6f3 100644 --- a/config/modules/nixos/yggdrasil.nix +++ b/config/modules/nixos/yggdrasil.nix @@ -4,10 +4,11 @@ with lib; let cfg = config.network.yggdrasil; - calcAddr = pubkey: lib.readFile (pkgs.runCommandNoCC "calcaddr-${pubkey}" {} '' + calcAddr = pubkey: lib.readFile (pkgs.runCommandNoCC "calcaddr-${pubkey}" { } '' echo '{ EncryptionPublicKey: "${pubkey}" }' | ${config.services.yggdrasil.package}/bin/yggdrasil -useconf -address | tr -d '\n' > $out '').outPath; -in { +in +{ options.network.yggdrasil = { enable = mkEnableOption "Enable the yggdrasil-based private hexnet"; pubkey = mkOption { @@ -32,7 +33,7 @@ in { listen.endpoints = mkOption { type = types.listOf types.str; description = "Endpoints to listen on"; - default = []; + default = [ ]; }; dns.enable = mkOption { type = types.bool; 
@@ -52,27 +53,27 @@ in { tunnel.localV6 = mkOption { type = types.listOf types.str; description = "v6 subnets to expose"; - default = []; + default = [ ]; }; tunnel.localV4 = mkOption { type = types.listOf types.str; description = "v4 subnets to expose"; - default = []; + default = [ ]; }; tunnel.remoteV6 = mkOption { type = types.attrsOf types.str; description = "Extra v6 subnets to route"; - default = {}; + default = { }; }; tunnel.remoteV4 = mkOption { type = types.attrsOf types.str; description = "Extra v4 subnets to route"; - default = {}; + default = { }; }; extra.pubkeys = mkOption { type = types.attrsOf types.str; description = "Additional hosts to allow into the network. Keys won't be added to definition host."; - default = {}; + default = { }; example = { host = "0000000000000000000000000000000000000000000000000000000000000000"; }; }; extra.addresses = mkOption { 
@@ -83,73 +84,84 @@ in { extra.localV6 = mkOption { type = types.listOf types.str; description = "v6 subnets to expose, but not route"; - default = []; + default = [ ]; }; extra.localV4 = mkOption { type = types.listOf types.str; description = "v4 subnets to expose, but not route"; - default = []; + default = [ ]; }; }; - config = mkIf cfg.enable (let - yggConfigs = filter ( - c: c.enable && (cfg.pubkey != c.pubkey) - ) ( - mapAttrsToList (_: node: node.network.yggdrasil or { enable = false; pubkey = null; }) meta.network.nodes - ); - pubkeys = flatten (map (c: [ c.pubkey ] ++ (attrValues c.extra.pubkeys)) yggConfigs); - in { - assertions = [ - { - assertion = !(cfg.listen.enable && (cfg.listen.endpoints == [])); - message = "Specify network.yggdrasil.listen.endpoints"; - } - ]; + config = mkIf cfg.enable ( + let + yggConfigs = filter + ( + c: c.enable && (cfg.pubkey != c.pubkey) + ) + ( + mapAttrsToList (_: node: node.network.yggdrasil or { enable = false; pubkey = null; }) meta.network.nodes + ); + pubkeys = flatten (map (c: [ c.pubkey ] ++ (attrValues c.extra.pubkeys)) yggConfigs); + in + { + assertions = [ + { + assertion = !(cfg.listen.enable && (cfg.listen.endpoints == [ ])); + message = "Specify network.yggdrasil.listen.endpoints"; + } + ]; - networking.firewall.trustedInterfaces = mkIf cfg.trust [ "yggdrasil" ]; + networking.firewall.trustedInterfaces = mkIf cfg.trust [ "yggdrasil" ]; - services.yggdrasil = { - enable = true; - persistentKeys = true; - config = { - AllowedEncryptionPublicKeys = pubkeys; - IfName = "yggdrasil"; - Listen = cfg.listen.endpoints; - Peers = lib.flatten (map (c: c.listen.endpoints) (filter (c: c.listen.enable) yggConfigs)); - SessionFirewall = { - Enable = true; - AllowFromRemote = false; - WhitelistEncryptionPublicKeys = pubkeys; - }; - TunnelRouting = let - subnets = v: ( - listToAttrs (flatten (map (c: map (net: nameValuePair net c.pubkey) c.tunnel."localV${toString v}") yggConfigs)) - ) // cfg.tunnel."remoteV${toString v}"; - 
in { - Enable = true; - IPv4LocalSubnets = cfg.tunnel.localV4 ++ cfg.extra.localV4; - IPv6LocalSubnets = cfg.tunnel.localV6 ++ cfg.extra.localV6; - IPv4RemoteSubnets = subnets 4; - IPv6RemoteSubnets = subnets 6; + services.yggdrasil = { + enable = true; + persistentKeys = true; + config = { + AllowedEncryptionPublicKeys = pubkeys; + IfName = "yggdrasil"; + Listen = cfg.listen.endpoints; + Peers = lib.flatten (map (c: c.listen.endpoints) (filter (c: c.listen.enable) yggConfigs)); + SessionFirewall = { + Enable = true; + AllowFromRemote = false; + WhitelistEncryptionPublicKeys = pubkeys; + }; + TunnelRouting = + let + subnets = v: ( + listToAttrs (flatten (map (c: map (net: nameValuePair net c.pubkey) c.tunnel."localV${toString v}") yggConfigs)) + ) // cfg.tunnel."remoteV${toString v}"; + in + { + Enable = true; + IPv4LocalSubnets = cfg.tunnel.localV4 ++ cfg.extra.localV4; + IPv6LocalSubnets = cfg.tunnel.localV6 ++ cfg.extra.localV6; + IPv4RemoteSubnets = subnets 4; + IPv6RemoteSubnets = subnets 6; + }; }; }; - }; - systemd.services.yggdrasil.postStart = let - yggTun = config.services.yggdrasil.config.TunnelRouting; - addNets = v: nets: concatMapStringsSep "\n" (net: "${pkgs.iproute}/bin/ip -${toString v} route add ${net} dev yggdrasil") (attrNames nets); - in "sleep 1\n" + (concatMapStringsSep "\n" (v: addNets v yggTun."IPv${toString v}RemoteSubnets") [ 4 6 ]); + systemd.services.yggdrasil.postStart = + let + yggTun = config.services.yggdrasil.config.TunnelRouting; + addNets = v: nets: concatMapStringsSep "\n" (net: "${pkgs.iproute}/bin/ip -${toString v} route add ${net} dev yggdrasil") (attrNames nets); + in + "sleep 1\n" + (concatMapStringsSep "\n" (v: addNets v yggTun."IPv${toString v}RemoteSubnets") [ 4 6 ]); - system.build.yggdrasilTemplate = let - json = builtins.toJSON { - inherit (config.services.yggdrasil.config) Peers SessionFirewall TunnelRouting; - EncryptionPublicKey = ""; - EncryptionPrivateKey = ""; - SigningPublicKey = ""; - SigningPrivateKey = ""; - 
}; - in pkgs.runCommandNoCC "yggdrasil-template.json" {} - "echo '${json}' | ${config.services.yggdrasil.package}/bin/yggdrasil -useconf -normaliseconf > $out"; - }); + system.build.yggdrasilTemplate = + let + json = builtins.toJSON { + inherit (config.services.yggdrasil.config) Peers SessionFirewall TunnelRouting; + EncryptionPublicKey = ""; + EncryptionPrivateKey = ""; + SigningPublicKey = ""; + SigningPrivateKey = ""; + }; + in + pkgs.runCommandNoCC "yggdrasil-template.json" { } + "echo '${json}' | ${config.services.yggdrasil.package}/bin/yggdrasil -useconf -normaliseconf > $out"; + } + ); } diff --git a/config/profiles/base/secrets.nix b/config/profiles/base/secrets.nix index 6118be0f..3e395ae8 100644 --- a/config/profiles/base/secrets.nix +++ b/config/profiles/base/secrets.nix @@ -7,7 +7,9 @@ external = true; }; - kw.secrets.command = let - bitw = pkgs.writeShellScriptBin "bitw" ''${pkgs.rbw-bitw}/bin/bitw -p gpg://${config.kw.secrets.repo.bitw.source} "$@"''; - in "${bitw}/bin/bitw get"; + kw.secrets.command = + let + bitw = pkgs.writeShellScriptBin "bitw" ''${pkgs.rbw-bitw}/bin/bitw -p gpg://${config.kw.secrets.repo.bitw.source} "$@"''; + in + "${bitw}/bin/bitw get"; } diff --git a/config/profiles/cross/aarch64.nix b/config/profiles/cross/aarch64.nix index b9b9c0c0..ccca0a3a 100644 --- a/config/profiles/cross/aarch64.nix +++ b/config/profiles/cross/aarch64.nix @@ -1,11 +1,10 @@ - { pkgs, config, lib, ... }: with lib; { boot.binfmt = { emulatedSystems = [ "aarch64-linux" ]; /* - registrations.aarch64-linux = { + registrations.aarch64-linux = { interpreter = mkForce "${pkgs.qemu-vfio or pkgs.qemu}/bin/qemu-aarch64"; - }; + }; */ }; } diff --git a/config/profiles/cross/armv7.nix b/config/profiles/cross/armv7.nix index 0cd9653c..f633f99c 100644 --- a/config/profiles/cross/armv7.nix +++ b/config/profiles/cross/armv7.nix 
@@ -1,6 +1,6 @@ { config, ... }: { nix = { - binaryCaches = [ "https://arm.cachix.org/" ]; - binaryCachePublicKeys = [ "arm.cachix.org-1:5BZ2kjoL1q6nWhlnrbAl+G7ThY7+HaBRD9PZzqZkbnM=" ]; + binaryCaches = [ "https://arm.cachix.org/" ]; + binaryCachePublicKeys = [ "arm.cachix.org-1:5BZ2kjoL1q6nWhlnrbAl+G7ThY7+HaBRD9PZzqZkbnM=" ]; }; } diff --git a/config/profiles/hardware/oracle/common.nix b/config/profiles/hardware/oracle/common.nix index e6703f59..a84ea76d 100644 --- a/config/profiles/hardware/oracle/common.nix +++ b/config/profiles/hardware/oracle/common.nix @@ -39,7 +39,7 @@ in type = with types; nullOr int; default = null; }; - publicV6 = mkOption { + publicV6 = mkOption { type = with types; nullOr int; default = null; }; @@ -168,8 +168,8 @@ in }; lifecycle.ignoreChanges = [ "source_details[0].source_id" - ]; - connection = { + ]; + connection = { type = "ssh"; user = "root"; host = tf.lib.tf.terraformSelf "public_ip"; 
@@ -186,31 +186,31 @@ in }; }; } - ( - let - protoValues = { - TCP = 6; - UDP = 17; - }; - inherit (config.networking) firewall; - ipv4 = "0.0.0.0/0"; - ipv6 = "::/0"; - mapPort = source: protocol: port: { - provider = "oci"; - type = "core_network_security_group_security_rule"; - inputs = { - network_security_group_id = tf.resources.firewall_group.refAttr "id"; - inherit protocol source; - direction = "INGRESS"; - ${if protocol == protoValues.TCP then "tcp_options" else "udp_options"} = { - destination_port_range = - if isAttrs port then { - min = port.from; - max = port.to; - } else { - min = port; - max = port; - }; + ( + let + protoValues = { + TCP = 6; + UDP = 17; + }; + inherit (config.networking) firewall; + ipv4 = "0.0.0.0/0"; + ipv6 = "::/0"; + mapPort = source: protocol: port: { + provider = "oci"; + type = "core_network_security_group_security_rule"; + inputs = { + network_security_group_id = tf.resources.firewall_group.refAttr "id"; + inherit protocol source; + direction = "INGRESS"; + ${if protocol == protoValues.TCP then "tcp_options" else "udp_options"} = { + destination_port_range = + if isAttrs port then { + min = port.from; + max = port.to; + } else { + min = port; + max = port; + }; }; }; }; 
@@ -221,11 +221,11 @@ in types = [ "Ports" "PortRanges" ]; in interface: concatMap (type: concatMap (proto: (concatMap (port: (mapAll protoValues.${proto}) port) interface."allowed${proto}${type}")) protos) types; - rules = concatMap mapAllForInterface ([ firewall ] ++ map (interface: firewall.interfaces.${interface}) config.network.firewall.public.interfaces); - # TODO: use `count` and index into a fancy json or something? - in - listToAttrs (imap0 (i: rule: nameValuePair "firewall${toString i}" rule) rules) + rules = concatMap mapAllForInterface ([ firewall ] ++ map (interface: firewall.interfaces.${interface}) config.network.firewall.public.interfaces); + # TODO: use `count` and index into a fancy json or something? + in + listToAttrs (imap0 (i: rule: nameValuePair "firewall${toString i}" rule) rules) )]; - }; }; - } + }; +} diff --git a/config/services/fusionpbx/default.nix b/config/services/fusionpbx/default.nix index bd751d16..a0ace593 100644 --- a/config/services/fusionpbx/default.nix +++ b/config/services/fusionpbx/default.nix @@ -7,11 +7,12 @@ cname = { inherit (config.network.addresses.private) target; }; }; - kw.secrets.variables = mapListToAttrs (field: - nameValuePair "fusionpbx-${field}" { - path = "services/fusionpbx"; - inherit field; - }) ["username" "password"]; + kw.secrets.variables = mapListToAttrs + (field: + nameValuePair "fusionpbx-${field}" { + path = "services/fusionpbx"; + inherit field; + }) [ "username" "password" ]; secrets.files.fusionpbx_env = { text = '' diff --git a/config/services/knot/default.nix b/config/services/knot/default.nix index 694b821c..6b3562f1 100644 --- a/config/services/knot/default.nix +++ b/config/services/knot/default.nix @@ -13,7 +13,7 @@ udp.ports = [ 53 ]; }; -/* environment.etc."katdns/zones/dork.dev.zone".text = let + /* environment.etc."katdns/zones/dork.dev.zone".text = let dns = pkgs.dns; in dns.lib.toString "dork.dev" (import ./dork.dev.nix { inherit dns lib; }); */ 
diff --git a/config/services/mail/default.nix b/config/services/mail/default.nix index f2e0fbf2..c9db6192 100644 --- a/config/services/mail/default.nix +++ b/config/services/mail/default.nix 
@@ -4,48 +4,56 @@ with lib; let domains = [ "kittywitch" "dork" ]; -in { +in +{ imports = [ sources.nixos-mailserver.outPath ]; - kw.secrets.variables = listToAttrs (map (field: - nameValuePair "mail-${field}-hash" { - path = "secrets/mail-kittywitch"; - field = "${field}-hash"; - }) ["gitea" "kat"] - ++ map (domain: + kw.secrets.variables = listToAttrs (map + (field: + nameValuePair "mail-${field}-hash" { + path = "secrets/mail-kittywitch"; + field = "${field}-hash"; + }) [ "gitea" "kat" ] + ++ map + (domain: nameValuePair "mail-domainkey-${domain}" { path = "secrets/mail-${domain}"; field = "notes"; - }) domains); + }) + domains); - deploy.tf.dns.records = lib.mkMerge (map (domain: let - zoneGet = domain: if domain == "dork" then "dork.dev." else config.network.dns.zone; - in { - "services_mail_${domain}_mx" = { - zone = zoneGet domain; - mx = { - priority = 10; - target = "${config.network.addresses.public.domain}."; + deploy.tf.dns.records = lib.mkMerge (map + (domain: + let + zoneGet = domain: if domain == "dork" then "dork.dev." 
else config.network.dns.zone; + in + { + "services_mail_${domain}_mx" = { + zone = zoneGet domain; + mx = { + priority = 10; + target = "${config.network.addresses.public.domain}."; + }; }; - }; - "services_mail_${domain}_spf" = { - zone = zoneGet domain; - txt.value = "v=spf1 ip4:${config.network.addresses.public.nixos.ipv4.address} ip6:${config.network.addresses.public.nixos.ipv6.address} -all"; - }; + "services_mail_${domain}_spf" = { + zone = zoneGet domain; + txt.value = "v=spf1 ip4:${config.network.addresses.public.nixos.ipv4.address} ip6:${config.network.addresses.public.nixos.ipv6.address} -all"; + }; - "services_mail_${domain}_dmarc" = { - zone = zoneGet domain; - domain = "_dmarc"; - txt.value = "v=DMARC1; p=none"; - }; + "services_mail_${domain}_dmarc" = { + zone = zoneGet domain; + domain = "_dmarc"; + txt.value = "v=DMARC1; p=none"; + }; - "services_mail_${domain}_domainkey" = { - zone = zoneGet domain; - domain = "mail._domainkey"; - txt.value = tf.variables."mail-domainkey-${domain}".ref; - }; - }) domains); + "services_mail_${domain}_domainkey" = { + zone = zoneGet domain; + domain = "mail._domainkey"; + txt.value = tf.variables."mail-domainkey-${domain}".ref; + }; + }) + domains); secrets.files = { mail-kat-hash = { diff --git a/config/services/matrix/default.nix b/config/services/matrix/default.nix index 3ffe806f..2377fbf4 100644 --- a/config/services/matrix/default.nix +++ b/config/services/matrix/default.nix 
@@ -13,14 +13,17 @@ with lib; LC_CTYPE = "C"; ''; - kw.secrets.variables = (mapListToAttrs (field: - nameValuePair "mautrix-telegram-${field}" { - path = "secrets/mautrix-telegram"; - inherit field; - }) ["api-hash" "api-id" "as-token" "hs-token"] - // { matrix-registration = { + kw.secrets.variables = (mapListToAttrs + (field: + nameValuePair "mautrix-telegram-${field}" { + path = "secrets/mautrix-telegram"; + inherit field; + }) [ "api-hash" "api-id" "as-token" "hs-token" ] + // { + matrix-registration = { path = "secrets/matrix-registration"; - }; }); + }; + }); secrets.files.mautrix-telegram-env = { text = '' diff --git a/config/services/syncplay/default.nix b/config/services/syncplay/default.nix index f89e0e46..13e7c4f4 100644 --- a/config/services/syncplay/default.nix +++ b/config/services/syncplay/default.nix @@ -4,13 +4,16 @@ with lib; { - kw.secrets.variables = let - fieldAdapt = field: if field == "pass" then "password" else field; - in mapListToAttrs (field: - nameValuePair "syncplay-${field}" { - path = "services/media/syncplay"; - field = fieldAdapt field; - }) ["pass" "salt"]; + kw.secrets.variables = + let + fieldAdapt = field: if field == "pass" then "password" else field; + in + mapListToAttrs + (field: + nameValuePair "syncplay-${field}" { + path = "services/media/syncplay"; + field = fieldAdapt field; + }) [ "pass" "salt" ]; users.users.syncplay = { isSystemUser = true; }; diff --git a/config/services/znc/default.nix b/config/services/znc/default.nix index 60b91826..20f86a37 100644 --- a/config/services/znc/default.nix +++ b/config/services/znc/default.nix 
@@ -50,25 +50,30 @@ in { network.firewall.public.tcp.ports = singleton 5001; - kw.secrets.variables = let - fieldAdapt = field: if field == "cert" then "notes" else if field == "pass" then "password" else field; - in listToAttrs (concatMap (network: - map (field: - nameValuePair "znc-${network}-${field}" { - path = "social/irc/${network}"; - field = fieldAdapt field; - }) ["cert" "pass"] - ) ["liberachat" "espernet"] - ++ map (field: - nameValuePair "znc-softnet-${field}" { - path = "social/irc/softnet"; - field = fieldAdapt field; - }) ["cert" "address"] - ++ singleton (nameValuePair "znc-savebuff-pass" { + kw.secrets.variables = + let + fieldAdapt = field: if field == "cert" then "notes" else if field == "pass" then "password" else field; + in + listToAttrs (concatMap + (network: + map + (field: + nameValuePair "znc-${network}-${field}" { + path = "social/irc/${network}"; + field = fieldAdapt field; + }) [ "cert" "pass" ] + ) [ "liberachat" "espernet" ] + ++ map + (field: + nameValuePair "znc-softnet-${field}" { + path = "social/irc/softnet"; + field = fieldAdapt field; + }) [ "cert" "address" ] + ++ singleton (nameValuePair "znc-savebuff-pass" { path = "social/irc/znc"; field = "savebuff"; }) - ); + ); secrets.files.softnet-cert = { text = tf.variables.znc-softnet-cert.ref; diff --git a/config/targets/common/default.nix b/config/targets/common/default.nix index e5441801..8e3bb284 100644 --- a/config/targets/common/default.nix +++ b/config/targets/common/default.nix @@ -27,7 +27,7 @@ }; }; - dns.zones = genAttrs ["kittywit.ch." "dork.dev."] (_: { + dns.zones = genAttrs [ "kittywit.ch." "dork.dev." ] (_: { provider = "dns.katdns"; }); } diff --git a/config/targets/rinnosuke-domains/default.nix b/config/targets/rinnosuke-domains/default.nix index 76b24c3c..a28533b9 100644 --- a/config/targets/rinnosuke-domains/default.nix +++ b/config/targets/rinnosuke-domains/default.nix 
@@ -1,6 +1,7 @@ { config, ... }: -let rinnosuke = config.network.nodes.rinnosuke; in { +let rinnosuke = config.network.nodes.rinnosuke; in +{ deploy.targets.rinnosuke-domains.tf = { dns.records = { node_public_rinnosuke_v4 = { diff --git a/config/users/kat/personal/taskwarrior.nix b/config/users/kat/personal/taskwarrior.nix index f5471be4..bb369a96 100644 --- a/config/users/kat/personal/taskwarrior.nix +++ b/config/users/kat/personal/taskwarrior.nix @@ -3,13 +3,16 @@ with lib; { - kw.secrets.variables = let - fieldAdapt = field: if field == "key" then "notes" else field; - in mapListToAttrs (field: - nameValuePair "taskwarrior-${field}" { - path = "services/taskwarrior"; - field = fieldAdapt field; - }) ["key" "credentials"]; + kw.secrets.variables = + let + fieldAdapt = field: if field == "key" then "notes" else field; + in + mapListToAttrs + (field: + nameValuePair "taskwarrior-${field}" { + path = "services/taskwarrior"; + field = fieldAdapt field; + }) [ "key" "credentials" ]; secrets.files = { taskw_key = { diff --git a/nix/sources.json b/nix/sources.json index b75275ed..e7f5a526 100644 --- a/nix/sources.json +++ b/nix/sources.json @@ -17,10 +17,10 @@ "homepage": null, "owner": "arcnmx", "repo": "nixexprs", - "rev": "c294222dc0cfeb77fc1ee281e21121581b831e08", - "sha256": "06z5ql2sfwh4526pgwnx93firyaaa4l2xsqxivkm2diyhmr1jm65", + "rev": "5bf9fb9e07b6dfefd0134c57db667c7c75ed0119", + "sha256": "0pvz1swflmyyyzx5yzfflr1llsfw38pax03vac83pc8y0r78f84h", "type": "tarball", - "url": "https://github.com/arcnmx/nixexprs/archive/c294222dc0cfeb77fc1ee281e21121581b831e08.tar.gz", + "url": "https://github.com/arcnmx/nixexprs/archive/5bf9fb9e07b6dfefd0134c57db667c7c75ed0119.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "ci": { 
@@ -41,10 +41,10 @@ "homepage": "", "owner": "nix-community", "repo": "emacs-overlay", - "rev": "9f17ba1ed9c8b2012c0a1a41edf3d02936aa4def", - "sha256": "1qsgzswm04c7wnkk7d0ik7dahgxyxm1c0kpv8yhjk9g1gikwnxbz", + "rev": "3475b81d1c14509c9ebfae1e53366b28acaa2b6b", + "sha256": "0amksnxwk86pbb8w2zab7sycijyn0d3636877dfhdbdqkzck233g", "type": "tarball", - "url": "https://github.com/nix-community/emacs-overlay/archive/9f17ba1ed9c8b2012c0a1a41edf3d02936aa4def.tar.gz", + "url": "https://github.com/nix-community/emacs-overlay/archive/3475b81d1c14509c9ebfae1e53366b28acaa2b6b.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "hexchen": { @@ -159,10 +159,10 @@ "homepage": "https://nur.nix-community.org/", "owner": "nix-community", "repo": "NUR", - "rev": "45f8470f72f1c8989ae5fe23c6cc343ae3463a97", - "sha256": "0py76bjfiqncvxvald35gjgvhlg304d1yhmk0qvc22ar8k3dqckm", + "rev": "d2cdb44f12b82d9d207b6e6596cc9d2a2e1361eb", + "sha256": "01gs4vvhq4i71l9q7xlb3py4kadq2s7acdndkvdk2lk3l8d13qm1", "type": "tarball", - "url": "https://github.com/nix-community/NUR/archive/45f8470f72f1c8989ae5fe23c6cc343ae3463a97.tar.gz", + "url": "https://github.com/nix-community/NUR/archive/d2cdb44f12b82d9d207b6e6596cc9d2a2e1361eb.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "tf-nix": { @@ -171,10 +171,10 @@ "homepage": null, "owner": "arcnmx", "repo": "tf-nix", - "rev": "509bdbb0768e033fc1d8b7a4bc7b2ec8e141806a", - "sha256": "1h48lh55j8jpknl4zica6b6q402r5nj816sz1k7dqy607y0pfcrb", + "rev": "d57b4335aa35781420b7d064d3d77141004c44e9", + "sha256": "0xfl305yaz6xlgaz2jxp4qpibqsyh2hjgibvyxbqqcx0frs9bvya", "type": "tarball", - "url": "https://github.com/arcnmx/tf-nix/archive/509bdbb0768e033fc1d8b7a4bc7b2ec8e141806a.tar.gz", + "url": "https://github.com/arcnmx/tf-nix/archive/d57b4335aa35781420b7d064d3d77141004c44e9.tar.gz", "url_template": "https://github.com///archive/.tar.gz" } } diff --git a/overlays/exprs b/overlays/exprs index 68a371ce..a7802617 160000 --- a/overlays/exprs 
+++ b/overlays/exprs @@ -1 +1 @@ -Subproject commit 68a371ce344cd66e646d58dd3658fc7c0615f768 +Subproject commit a78026175487423769ac2667e618a896af63c5b0 diff --git a/shell.nix b/shell.nix index a4c845bc..b147a7e7 100644 --- a/shell.nix +++ b/shell.nix @@ -70,6 +70,7 @@ pkgs.mkShell { shellHook = '' export HOME_HOSTNAME=$(hostname -s) export HOME_UID=$(id -u) + export CI_PLATFORM="impure" export NIX_PATH="$NIX_PATH:home=${toString ./.}" ''; }
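Review bot: `export CI_PLATFORM="impure"` in `shellHook` unconditionally overwrites any `CI_PLATFORM` already in the environment, which matters because the workflow files in this same commit set `CI_PLATFORM: gh-actions` for that variable; entering this shell on a runner would silently flip it. If the intent is a default for interactive use, `export CI_PLATFORM="''${CI_PLATFORM:-impure}"` (the `''${` escape is required inside the Nix indented string) keeps an explicit value intact. The enclosing `pkgs.mkShell { … }` attribute set starts outside the hunk.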