From 6335f5bb3a94cccb79440c57bb2f5f86d89ef183 Mon Sep 17 00:00:00 2001
From: Andre
Date: Thu, 16 May 2024 20:08:57 -0400
Subject: [PATCH] Move config stuff out of secrets
---
 flake.lock | 25 ++++++++++--
 flake.nix | 68 +++++++++++++++++--------------
 hosts/Haven/start-haven.sh | 54 +++++++++---------------
 modules/autoimport.nix | 10 +----
 modules/base/nix.nix | 2 +-
 modules/users/aires/default.nix | 8 +++-
 modules/users/gremlin/default.nix | 8 +++-
 modules/users/root/default.nix | 16 ++++++++
 nix-secrets | 2 +-
 9 files changed, 108 insertions(+), 85 deletions(-)
 create mode 100644 modules/users/root/default.nix
diff --git a/flake.lock b/flake.lock
index 3851494..b91bab9 100644
--- a/flake.lock
+++ b/flake.lock
@@ -218,11 +218,11 @@ ] }, "locked": { - "lastModified": 1715863402, - "narHash": "sha256-WbNIHMe+NPRtn7AwFhIDYwMWwgTNJ5pVUXfcdhxv8ek=", + "lastModified": 1715885250, + "narHash": "sha256-IUFYAl3158Ig5vySnRBHoPReb2/S97bjodCo6FhzJv4=", "ref": "refs/heads/main", - "rev": "36dbb9dbfbac2b72c431a3a934258079931d0065", - "revCount": 80, + "rev": "53d713eb486f21d653af3ef3528e9a19ecfc45e5", + "revCount": 81, "type": "git", "url": "https://git.lix.systems/lix-project/nixos-module" },
@@ -247,6 +247,22 @@ "type": "github" } }, + "nix-secrets": { + "flake": false, + "locked": { + "lastModified": 1715904475, + "narHash": "sha256-5PyOjPdOhzX5qHq3ywwSsYCQT5OmWv870DlSYyuJBh4=", + "ref": "refs/heads/main", + "rev": "0bc545bf36759ca1ab67e2718bc5771eca72d02f", + "revCount": 23, + "type": "git", + "url": "file:///home/aires/Development/nix-configuration/nix-secrets" + }, + "original": { + "type": "git", + "url": "file:///home/aires/Development/nix-configuration/nix-secrets" + } + }, "nixos-hardware": { "locked": { "lastModified": 1715529644,
@@ -349,6 +365,7 @@ "lix": "lix", "lix-module": "lix-module", "nix-flatpak": "nix-flatpak", + "nix-secrets": "nix-secrets", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs_2" }
diff --git a/flake.nix b/flake.nix
index 7108ff2..1330880 100644
--- a/flake.nix
+++ b/flake.nix
@@ -33,6 +33,12 @@
 inputs.nixpkgs.follows = "nixpkgs"; # Use system packages list where available
 };
+ # "Secrets management"
+ nix-secrets = {
+ url = "git+file:///home/aires/Development/nix-configuration/nix-secrets";
+ flake = false;
+ };
+
 # TODO: Add Disko - https://github.com/nix-community/disko
 };
@@ -45,6 +51,7 @@
 home-manager,
 nixos-hardware,
 lix-module,
+ nix-secrets,
 ...
 }:
 let
@@ -57,32 +64,31 @@
 config.allowUnfree = true;
 # Define shared modules and imports
- defaultModules = {
- base = [
- {
- _module.args = {
- inherit inputs;
- };
- }
- ./modules/autoimport.nix
- lix-module.nixosModules.default
- lanzaboote.nixosModules.lanzaboote
- nix-flatpak.nixosModules.nix-flatpak
- home-manager.nixosModules.home-manager
- {
- home-manager = {
- /*
- When running, Home Manager will use the global package cache.
- It will also back up any files that it would otherwise overwrite.
- The originals will have the extension shown below.
- */
- useGlobalPkgs = true;
- useUserPackages = true;
- backupFileExtension = "home-manager-backup";
- };
- }
- ];
- };
+ defaultModules = [
+ {
+ _module.args = {
+ inherit inputs;
+ };
+ }
+ ./modules/autoimport.nix
+ (import nix-secrets)
+ lix-module.nixosModules.default
+ lanzaboote.nixosModules.lanzaboote
+ nix-flatpak.nixosModules.nix-flatpak
+ home-manager.nixosModules.home-manager
+ {
+ home-manager = {
+ /*
+ When running, Home Manager will use the global package cache.
+ It will also back up any files that it would otherwise overwrite.
+ The originals will have the extension shown below.
+ */
+ useGlobalPkgs = true;
+ useUserPackages = true;
+ backupFileExtension = "home-manager-backup";
+ };
+ }
+ ];
 in
 {
 formatter = forAllSystems (pkgs: pkgs.nixfmt-rfc-style);
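Review bot: The new `nix-secrets` input is pinned to an absolute path under one user's home (`git+file:///home/aires/...`, recorded the same way in the flake.lock hunk), so evaluating this flake from any other checkout, user or remote builder fails at input-fetch time; the `# IMPORTANT: Make sure this repo exists on the filesystem first!` note that this commit deletes from autoimport.nix is the caveat that now belongs on this input, and a repo-relative input would remove the dependency on that path (the repo already carries `nix-secrets` as a submodule — worth verifying how that interacts with the parent flake's own fetch before switching). The comment `# "Secrets management"` also says nothing about how the input is consumed; the consumer is the `(import nix-secrets)` entry in the `defaultModules` hunk further down. A non-flake input is copied into the Nix store like any other source and is therefore world-readable on every host that evaluates it, which is fine for the private configuration this commit reads (`config.secrets.users.*.sshConfig`) but not for material that must stay confidential. Suggested replacement comment: `# Private configuration (not a flake); imported as a NixOS module in defaultModules below. Contents end up in /nix/store, so nothing confidential belongs here. The path must exist on the evaluating machine.`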
@@ -90,7 +96,7 @@
 Dimaga = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
- modules = defaultModules.base ++ [
+ modules = defaultModules ++ [
 nixos-hardware.nixosModules.common-cpu-intel
 ./hosts/Dimaga
 ];
@@ -98,7 +104,7 @@
 Haven = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
- modules = defaultModules.base ++ [
+ modules = defaultModules ++ [
 nixos-hardware.nixosModules.common-cpu-amd-pstate
 ./hosts/Haven
 ];
@@ -106,7 +112,7 @@
 Khanda = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
- modules = defaultModules.base ++ [
+ modules = defaultModules ++ [
 nixos-hardware.nixosModules.microsoft-surface-pro-9
 ./hosts/Khanda
 ];
@@ -114,7 +120,7 @@
 Pihole = nixpkgs.lib.nixosSystem {
 system = "aarch64-linux";
- modules = defaultModules.base ++ [
+ modules = defaultModules ++ [
 nixos-hardware.nixosModules.raspberry-pi-4
 ./hosts/Pihole
 ];
@@ -122,7 +128,7 @@
 Shura = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
- modules = defaultModules.base ++ [
+ modules = defaultModules ++ [
 nixos-hardware.nixosModules.lenovo-legion-16arha7
 ./hosts/Shura
 ];
diff --git a/hosts/Haven/start-haven.sh b/hosts/Haven/start-haven.sh
index c66dbae..5b87350 100644
--- a/hosts/Haven/start-haven.sh
+++ b/hosts/Haven/start-haven.sh
@@ -10,42 +10,26 @@ fi
 # Immediately exit on any errors
 set -e
-echo "Unlocking storage partition:"
-# RAID 5
-cryptsetup luksOpen /dev/md/Sapana storage
-
-# mount local storage
+# Unlock and mount storage directory if we haven't already
 if [ ! -f /dev/mapper/storage ]; then
- mount /dev/mapper/storage /storage
-
- if [ $? -eq "0" ]; then
- echo "Unlocking backup partition:"
- # 4 TB HDD, partition #2
- cryptsetup luksOpen /dev/disk/by-uuid/8dc60329-d27c-4a4a-b76a-861b1e28400e backups --key-file /storage/backups_partition.key
- mount /dev/mapper/backups /backups
-
- echo "Storage and backup partitions mounted."
-
- echo "Starting Duplicacy:"
- systemctl start duplicacy-web.service
- if [ $? -eq "0" ]; then
- echo "Duplicacy started."
- else
- echo "Failed to start Duplicacy."
- fi
-
- echo "Starting SyncThing:"
- systemctl --machine aires@.host --user start syncthing.service
- if [ $? -eq "0" ]; then
- echo "SyncThing started."
- else
- echo "Failed to start SyncThing."
- fi
- else
- echo "Failed to mount storage partition."
- fi
-else
- echo "Failed to unlock storage and/or backup partition(s)."
+ echo "Unlocking storage partition:"
+ cryptsetup luksOpen /dev/md/Sapana storage
+ mount /dev/mapper/storage /storage
+ echo "Storage partition mounted."
 fi
+#echo "Unlocking backup partition:" # 4 TB HDD, partition #2
+#cryptsetup luksOpen /dev/disk/by-uuid/8dc60329-d27c-4a4a-b76a-861b1e28400e backups --key-file /storage/backups_partition.key
+#mount /dev/mapper/backups /backups
+#echo "Storage and backup partitions mounted."
+
+echo "Starting Duplicacy:"
+systemctl start duplicacy-web.service
+echo "Duplicacy started."
+
+echo "Starting SyncThing:"
+systemctl --machine aires@.host --user start syncthing.service
+echo "SyncThing started."
+
 exit 0
diff --git a/modules/autoimport.nix b/modules/autoimport.nix
index 5df9245..d6955fd 100644
--- a/modules/autoimport.nix
+++ b/modules/autoimport.nix
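Review bot: The guard `if [ ! -f /dev/mapper/storage ]; then` cannot do what the new comment above it promises: `/dev/mapper/storage` is a device node (a symlink to a block device), so `test -f` is false whether or not the volume is open, the branch always runs, and under `set -e` a second invocation aborts on `cryptsetup luksOpen` before Duplicacy and SyncThing are ever started. Use a block-device test, `if [ ! -b /dev/mapper/storage ]; then`, and since `mount` now lives inside the same branch, an unlocked-but-unmounted volume still needs its own `mountpoint -q /storage || mount /dev/mapper/storage /storage` outside the guard. The commented-out backup block (`#cryptsetup luksOpen ... --key-file ...` through `#echo "Storage and backup partitions mounted."`) is dead code that still documents where the backup key file lives; either delete it or put it behind an explicit flag rather than carrying it as comments. The `fi` at the top of the hunk closes a conditional whose head is outside it.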
@@ -3,14 +3,6 @@
 { lib, ... }:
 with lib;
 let
- # Fetch secrets
- # IMPORTANT: Make sure this repo exists on the filesystem first!
- nix-secrets = builtins.fetchGit {
- url = "/home/aires/Development/nix-configuration/nix-secrets";
- ref = "main";
- rev = "aed06e8c1f0d018fde197ae4e096012ed80cd08b";
- };
-
 # Recursively constructs an attrset of a given folder, recursing on directories, value of attrs is the filetype
 getDir = dir:
@@ -33,5 +25,5 @@ let
 );
 in
 {
- imports = [ "${nix-secrets}" ] ++ validFiles ./.;
+ imports = validFiles ./.;
 }
diff --git a/modules/base/nix.nix b/modules/base/nix.nix
index 1056b13..19d9dd6 100644
--- a/modules/base/nix.nix
+++ b/modules/base/nix.nix
@@ -50,7 +50,7 @@
 "nixos-test"
 "kvm"
 "benchmark"
- "big-parllel"
+ "big-parallel"
 ];
 }
 ];
diff --git a/modules/users/aires/default.nix b/modules/users/aires/default.nix
index bb0fb26..d3680fe 100644
--- a/modules/users/aires/default.nix
+++ b/modules/users/aires/default.nix
@@ -85,6 +85,12 @@ with lib;
 };
 };
+ # Set up SSH
+ ssh = {
+ enable = true;
+ matchBlocks = config.secrets.users.aires.sshConfig;
+ };
+
 # Set up Zsh
 zsh = {
 oh-my-zsh = {
@@ -100,8 +106,6 @@ with lib;
 };
 };
- # SSH set up in nix-secrets
-
 # Gnome settings specific to aires on Shura
 dconf.settings = lib.mkIf (config.networking.hostName == "Shura") {
 "org/gnome/desktop/interface" = {
diff --git a/modules/users/gremlin/default.nix b/modules/users/gremlin/default.nix
index 1b12f30..2004f7c 100644
--- a/modules/users/gremlin/default.nix
+++ b/modules/users/gremlin/default.nix
@@ -87,6 +87,12 @@ with lib;
 };
 };
+ # Set up SSH
+ ssh = {
+ enable = true;
+ matchBlocks = config.secrets.users.gremlin.sshConfig;
+ };
+
 # Set up Zsh
 zsh = {
 # Install and source the p10k theme
@@ -107,8 +113,6 @@ with lib;
 };
 };
 };
-
- # SSH entries set in nix-secrets
 };
 })
diff --git a/modules/users/root/default.nix b/modules/users/root/default.nix
new file mode 100644
index 0000000..94fbd77
--- /dev/null
+++ b/modules/users/root/default.nix
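Review bot: `matchBlocks = config.secrets.users.aires.sshConfig;` reads an option that nothing in this file points to any more — the next hunk removes the `# SSH set up in nix-secrets` comment, so a reader has no hint where `config.secrets` is declared; suggest `# Set up SSH; match blocks are declared by the nix-secrets input imported in flake.nix` in place of `# Set up SSH`. The same applies to the gremlin hunk (`config.secrets.users.gremlin.sshConfig`). Whether `config` here is the NixOS configuration or a home-manager module's own config depends on how this `programs` block is wrapped above the hunk, which is outside it; the root module added in this commit reads `config.secrets` from the NixOS side, so it is worth confirming that both resolve to the same option set.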
@@ -0,0 +1,16 @@
+{
+ config,
+ home-manager,
+ lib,
+ ...
+}:
+{
+ # Give root user access to run remote builds
+ home-manager.users.root = {
+ home.stateVersion = "24.05";
+ programs.ssh = lib.mkIf config.nix.distributedBuilds {
+ enable = true;
+ matchBlocks = config.secrets.users.root.sshConfig;
+ };
+ };
+}
diff --git a/nix-secrets b/nix-secrets
index aed06e8..0bc545b 160000
--- a/nix-secrets
+++ b/nix-secrets
@@ -1 +1 @@
-Subproject commit aed06e8c1f0d018fde197ae4e096012ed80cd08b
+Subproject commit 0bc545bf36759ca1ab67e2718bc5771eca72d02f
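Review bot: `home-manager,` in the module's argument set is never used — `home-manager.users.root = { ... }` in the body is an attribute path, not a reference to that argument — and because it is declared as a required argument the module system has to find it among the module args; the flake hunk only sets `_module.args = { inherit inputs; }`, so unless something outside this diff supplies `home-manager` via `_module.args` or `specialArgs`, evaluating this module fails with a missing-argument error. Drop it: `{ config, lib, ... }:`. The comment `# Give root user access to run remote builds` would also be more useful if it said what is gated, e.g. `# SSH match blocks for the remote builders; only enabled when nix.distributedBuilds is set`.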