From f7afa33a13d66aa1d9dec2c139d1551fbbd55167 Mon Sep 17 00:00:00 2001 From: Lucy Hochkamp Date: Thu, 23 Oct 2025 16:20:45 +0200 Subject: [PATCH] update --- flake.lock | 136 +++++++++++++++++++------ flake.nix | 170 ++++++++++++++++++++------------ hm-modules/firefox.nix | 10 +- instances/ds9/default.nix | 17 ++-- instances/picard/default.nix | 10 +- instances/theseus/default.nix | 13 ++- modules/desktop/niri.nix | 8 +- modules/desktop/waybar/cal.nix | 28 +++--- modules/module-list.nix | 1 + modules/presets/server.nix | 1 - modules/services/monitoring.nix | 16 +-- modules/services/wireguard.nix | 78 +++++++++------ modules/system/meta.nix | 8 ++ modules/system/user.nix | 1 + 14 files changed, 319 insertions(+), 178 deletions(-) create mode 100644 modules/system/meta.nix diff --git a/flake.lock b/flake.lock index 744dbfc0..7a14a408 100644 --- a/flake.lock +++ b/flake.lock @@ -46,6 +46,30 @@ "type": "github" } }, + "colmena": { + "inputs": { + "flake-compat": "flake-compat_2", + "flake-utils": "flake-utils_2", + "nixpkgs": [ + "nixpkgs" + ], + "stable": "stable" + }, + "locked": { + "lastModified": 1684127108, + "narHash": "sha256-01bfuSY4gnshhtqA1EJCw2CMsKkAx+dHS+sEpQ2+EAQ=", + "owner": "zhaofengli", + "repo": "colmena", + "rev": "5fdd743a11e7291bd8ac1e169d62ba6156c99be4", + "type": "github" + }, + "original": { + "owner": "zhaofengli", + "ref": "release-0.4.x", + "repo": "colmena", + "type": "github" + } + }, "crane": { "locked": { "lastModified": 1731098351, @@ -78,6 +102,22 @@ } }, "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1650374568, + "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "b4a34015c698c7793d592d66adbab377907a2be8", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_3": { "flake": false, "locked": { "lastModified": 1696426674, @@ -175,6 +215,21 @@ } }, "flake-utils_2": { + "locked": { + "lastModified": 1659877975, + "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_3": { "inputs": { "systems": "systems_3" }, @@ -222,11 +277,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1760323106, - "narHash": "sha256-HqVZwIwpDviDB1daJY/pPzkMKAC+dj5y0rDWEJbuKsE=", + "lastModified": 1761141169, + "narHash": "sha256-5IZjbTvP5dNTD8CbEYlNbicdGcbCN9SC9ksMm2ZEXH0=", "owner": "helix-editor", "repo": "helix", - "rev": "10c6a100c6e93b0dc175bf2f8b5a1afd66aebe2a", + "rev": "d79cce4e4bfc24dd204f1b294c899ed73f7e9453", "type": "github" }, "original": { @@ -242,11 +297,11 @@ ] }, "locked": { - "lastModified": 1760312644, - "narHash": "sha256-U9SkK45314urw9P7MmjhEgiQwwD/BTj+T3HTuz1JU1Q=", + "lastModified": 1761191301, + "narHash": "sha256-xsRL2Oyb4YRZZ1Tu4WzR2uFg1n931bH+PfLdFcqtLg8=", "owner": "nix-community", "repo": "home-manager", - "rev": "e121f3773fa596ecaba5b22e518936a632d72a90", + "rev": "4958aafe7b237dc1e857fb0c916efff72075048f", "type": "github" }, "original": { @@ -317,7 +372,7 @@ "lanzaboote": { "inputs": { "crane": "crane", - "flake-compat": "flake-compat_2", + "flake-compat": "flake-compat_3", "flake-parts": "flake-parts_2", "nixpkgs": [ "nixpkgs" @@ -422,11 +477,11 @@ "rust-overlay": "rust-overlay_3" }, "locked": { - "lastModified": 1759395653, - "narHash": "sha256-sv9J1z6CrTPf9lRJLyCN90fZVdQz7LFeX7pIlInH8BQ=", + "lastModified": 1760940149, + "narHash": "sha256-KbM47vD6E0cx+v4jYQZ8mD5N186AKm2CQlyh34TW58U=", "owner": "YaLTeR", "repo": "niri", - "rev": "ba6e5e082a79901dc89b0d49c5da1b769d652aec", + "rev": "b3245b81a6ed8edfaf5388a74d2e0a23c24941e5", "type": "github" }, "original": { @@ -463,11 +518,11 @@ ] }, "locked": { - "lastModified": 1760241904, - "narHash": "sha256-OD7QnaGEVNdukYEbJbUNWPsvnDrpbZOZxVIk6Pt9Jhw=", + "lastModified": 1760846226, + "narHash": "sha256-xmU8kAsRprJiTGBTaGrwmjBP3AMA9ltlrxHKFuy5JWc=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "c9f5ea45f25652ec2f771f9426ccacb21cbbaeaa", + "rev": "5024e1901239a76b7bf94a4cd27f3507e639d49e", "type": "github" }, "original": { @@ -478,11 +533,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1760106635, - "narHash": "sha256-2GoxVaKWTHBxRoeUYSjv0AfSOx4qw5CWSFz2b+VolKU=", + "lastModified": 1760958188, + "narHash": "sha256-2m1S4jl+GEDtlt2QqeHil8Ny456dcGSKJAM7q3j/BFU=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "9ed85f8afebf2b7478f25db0a98d0e782c0ed903", + "rev": "d6645c340ef7d821602fd2cd199e8d1eed10afbc", "type": "github" }, "original": { @@ -494,11 +549,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1760038930, - "narHash": "sha256-Oncbh0UmHjSlxO7ErQDM3KM0A5/Znfofj2BSzlHLeVw=", + "lastModified": 1761114652, + "narHash": "sha256-f/QCJM/YhrV/lavyCVz8iU3rlZun6d+dAiC3H+CDle4=", "owner": "nixos", "repo": "nixpkgs", - "rev": "0b4defa2584313f3b781240b29d61f6f9f7e0df3", + "rev": "01f116e4df6a15f4ccdffb1bcd41096869fb385c", "type": "github" }, "original": { @@ -525,11 +580,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1760353201, - "narHash": "sha256-lApR6u9s3ymKIAXofVPS+eo/y6HO8OrUp8Hl0S30tOE=", + "lastModified": 1761228883, + "narHash": "sha256-8jKkT4Yc8I/PnDczaD9diDcJkckwP7WAstQcYbMSo4s=", "owner": "nixos", "repo": "nixpkgs", - "rev": "d559772cb55d806536aef3cf4ba3f7ce25fe4be9", + "rev": "0cfbb4d10f6e813e6e9750fbf5396747cf3b6212", "type": "github" }, "original": { @@ -635,6 +690,7 @@ "root": { "inputs": { "authentik": "authentik", + "colmena": "colmena", "helix": "helix", "home-manager": "home-manager", "impermanence": "impermanence", @@ -767,11 +823,11 @@ ] }, "locked": { - "lastModified": 1760240450, - "narHash": "sha256-sa9bS9jSyc4vH0jSWrUsPGdqtMvDwmkLg971ntWOo2U=", + "lastModified": 1760998189, + "narHash": "sha256-ee2e1/AeGL5X8oy/HXsZQvZnae6XfEVdstGopKucYLY=", "owner": "Mic92", "repo": "sops-nix", - "rev": "41fd1f7570c89f645ee0ada0be4e2d3c4b169549", + "rev": "5a7d18b5c55642df5c432aadb757140edfeb70b3", "type": "github" }, "original": { @@ -780,6 +836,22 @@ "type": "github" } }, + "stable": { + "locked": { + "lastModified": 1669735802, + "narHash": "sha256-qtG/o/i5ZWZLmXw108N2aPiVsxOcidpHJYNkT45ry9Q=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "731cc710aeebecbf45a258e977e8b68350549522", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, "systems": { "locked": { "lastModified": 1689347949, @@ -874,18 +946,18 @@ }, "xwayland-satellite": { "inputs": { - "flake-utils": "flake-utils_2", + "flake-utils": "flake-utils_3", "nixpkgs": [ "nixpkgs-master" ], "rust-overlay": "rust-overlay_5" }, "locked": { - "lastModified": 1759707084, - "narHash": "sha256-0pkftKs6/LReNvxw7DVTN2AJEheZVgyeK0Aarbagi70=", + "lastModified": 1761173223, + "narHash": "sha256-FumZh+fPRaKXkl9Y1uTh5KV7Io/AyOZso+UkqLhLArs=", "owner": "Supreeeme", "repo": "xwayland-satellite", - "rev": "a9188e70bd748118b4d56a529871b9de5adb9988", + "rev": "bf745144acda1343934e9a094cf9458a54d57889", "type": "github" }, "original": { @@ -902,11 +974,11 @@ ] }, "locked": { - "lastModified": 1760329437, - "narHash": "sha256-TbTTbn2pr0urylodXUi0r9sUB/AjvaZuLclG4b0wLp8=", + "lastModified": 1761180075, + "narHash": "sha256-V4WLeUQ4gCGZiVihlXWBOZ/1FNcL0jM4zgTY1haJLvY=", "owner": "0xc000022070", "repo": "zen-browser-flake", - "rev": "df8f0729adfcb72b1e6bb2751f92dec0f54283c3", + "rev": "771a2604606905d8c0ffe3b818dc2cc5bd1405d8", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 2c6a78b7..3f8f6c0a 100644 --- a/flake.nix +++ b/flake.nix @@ -12,6 +12,8 @@ sops-nix.url = "github:Mic92/sops-nix"; sops-nix.inputs.nixpkgs.follows = "nixpkgs"; impermanence.url = "github:nix-community/impermanence"; + colmena.url = "github:zhaofengli/colmena/release-0.4.x"; + colmena.inputs.nixpkgs.follows = "nixpkgs"; # software lanzaboote = { @@ -37,7 +39,7 @@ mtxclient.flake = false; nix-ci.url = "git+https://git.xyno.systems/xyno/nix-ci"; nix-ci.inputs.nixpkgs.follows = "nixpkgs"; - + nix-index-database.url = "github:nix-community/nix-index-database"; nix-index-database.inputs.nixpkgs.follows = "nixpkgs"; @@ -62,6 +64,7 @@ self, nixpkgs, nixpkgs-master, + colmena, ... }: let @@ -102,71 +105,110 @@ inputs.nix-index-database.nixosModules.nix-index ] ++ (import ./modules/module-list.nix); - in - { - overlays.default = - final: prev: - ( - { - unstable = import nixpkgs-master { - system = prev.system; - config.allowUnfree = true; - }; - } - // (import ./overlays inputs final prev) - ); - - nixosConfigurations = lib.xyno.loadInstances ./instances (modules); - devShells."x86_64-linux".default = - let - pkgs = genPkgs "x86_64-linux"; - in - pkgs.mkShell { - packages = [ - pkgs.nixfmt-rfc-style - pkgs.nil - pkgs.sops - (pkgs.runCommand "nix-config-bin" { } '' - mkdir -p $out/bin - cp ${./bin}/* $out/bin - '') - ]; - SOPS_CONFIG = (pkgs.callPackage ./sops.nix { instanceConfigs = lib.xyno.getDirs ./instances; }); - - }; - hydraJobs.systems = lib.foldl' lib.recursiveUpdate { } [ - (builtins.mapAttrs ( - host: config: - lib.foldl' lib.recursiveUpdate { } ([ - { - inherit (config.config.system.build) toplevel; - kernel = config.config.boot.kernelPackages.kernel; - } - ]) - ) self.nixosConfigurations) + systems = [ + "x86_64-linux" + "aarch64-linux" ]; - hydraJobs.fods = { - caddy = self.nixosConfigurations.ds9.config.services.caddy.package; - }; - - packages."x86_64-linux" = + forEachSystem = f: (map (x: f x) systems); + importConfigs = + n: + map (x: { + ${x} = {nodes, ...}: { + networking.hostName = x; + imports = modules ++ [ (./instances/${x}) ]; + _module.args.otherNodes = lib.filterAttrs (n: v: n != x) nodes; + }; + }) n; + in + lib.foldl' lib.recursiveUpdate { } ( + [ + { + colmenaHive = colmena.lib.makeHive ( + lib.foldl' lib.recursiveUpdate + { + meta = { + specialArgs = { inherit inputs; }; + nixpkgs = genPkgs "x86_64-linux"; + }; + deployment.privilegeEscalationCommand = [ + "run0" + "--unit=colmena-apply" + ]; + } + (importConfigs [ + "ds9" + "picard" + "theseus" + ]) + ); + overlays.default = + final: prev: + ( + { + unstable = import nixpkgs-master { + system = prev.system; + config.allowUnfree = true; + }; + } + // (import ./overlays inputs final prev) + ); + hydraJobs.systems = lib.foldl' lib.recursiveUpdate { } [ + (builtins.mapAttrs ( + host: config: + lib.foldl' lib.recursiveUpdate { } ([ + { + inherit (config.config.system.build) toplevel; + kernel = config.config.boot.kernelPackages.kernel; + } + ]) + ) self.colmenaHive.nodes) + ]; + hydraJobs.fods = { + caddy = self.nixosConfigurations.ds9.config.services.caddy.package; + }; + } + ] + ++ (forEachSystem ( + system: let - pkgs = genPkgs "x86_64-linux"; + pkgs = genPkgs system; in { - nix = pkgs.unstable.lixPackageSets.latest.lix; - inherit (pkgs) nix-fast-build attic-client jq nix-ci; - }; - checks."x86_64-linux"."nixos" = - let - pkgs = genPkgs "x86_64-linux"; - in - pkgs.testers.runNixOSTest { - imports = (import ./modules/test-list.nix); - node.specialArgs = { inherit inputs; }; - extraBaseModules.imports = modules; - extraBaseModules.services.openssh.enable = true; - node.pkgsReadOnly = false; - }; - }; + + devShells.${system}.default = pkgs.mkShell { + packages = [ + pkgs.nixfmt-rfc-style + pkgs.nil + pkgs.sops + (pkgs.runCommand "nix-config-bin" { } '' + mkdir -p $out/bin + cp ${./bin}/* $out/bin + '') + pkgs.colmena + ] + ++ (lib.attrValues self.packages.${system}); + SOPS_CONFIG = (pkgs.callPackage ./sops.nix { instanceConfigs = lib.xyno.getDirs ./instances; }); + + }; + + packages.${system} = { + nix = pkgs.unstable.lixPackageSets.latest.lix; + inherit (pkgs) + nix-fast-build + attic-client + jq + nix-ci + ; + }; + checks.${system}."nixos" = pkgs.testers.runNixOSTest { + imports = (import ./modules/test-list.nix); + node.specialArgs = { inherit inputs; }; + extraBaseModules.imports = modules; + extraBaseModules.services.openssh.enable = true; + node.pkgsReadOnly = false; + }; + } + )) + ); + } diff --git a/hm-modules/firefox.nix b/hm-modules/firefox.nix index b88ec901..a930af34 100644 --- a/hm-modules/firefox.nix +++ b/hm-modules/firefox.nix @@ -53,17 +53,11 @@ in install_url = moz "german_dictionary_de_de_for_sp"; }; "uBlock0@raymondhill.net" = { - default_area = "menupanel"; + default_area = "navbar"; install_url = moz "ublock-origin"; installation_mode = "force_installed"; private_browsing = true; }; - "uMatrix@raymondhill.net" = { - default_area = "menupanel"; - install_url = moz "umatrix"; - installation_mode = "force_installed"; - private_browsing = true; - }; "vimium-c@gdh1995.cn" = { default_area = "navbar"; install_url = moz "vimium-c"; @@ -367,6 +361,8 @@ in ]; "user-filters" = ''marketplace.visualstudio.com##+js(rpnt, script, /"(DisableVSCodeDownloadButtonEnabled|Microsoft\\.VisualStudio\\.Services\\.Gallery\\.DisableVSCodeDownloadButton)":true/, "$1":false)''; + "hostnameSwitchesString" = + "no-large-media: behind-the-scene false\nno-remote-fonts: * true\nno-csp-reports: * true"; }; }; diff --git a/instances/ds9/default.nix b/instances/ds9/default.nix index fa78af95..a324215e 100644 --- a/instances/ds9/default.nix +++ b/instances/ds9/default.nix @@ -1,12 +1,11 @@ { - sopsKey = "fada7e7be28e186e463ad745a38d17f36849d8a7"; - modules = [ ./configuration.nix ]; - hostName = "ds9"; - publicHostname = "ds9.hailsatan.eu"; - prometheusServer = true; - wg = { - pubKey = "aZvSeAhKG3B5I2My5IqQoSlntMzbCHM6OU92WEScohc="; - # server = true; - # v4 = "10.13.12.1"; + imports = [ ./configuration.nix ]; + xyno.services.monitoring.prometheusServer = true; + xyno.meta = { + sopsKey = "fada7e7be28e186e463ad745a38d17f36849d8a7"; + }; + xyno.services.wireguard.pubKey = "aZvSeAhKG3B5I2My5IqQoSlntMzbCHM6OU92WEScohc="; + deployment = { + targetHost = "ds9.hailsatan.eu"; }; } diff --git a/instances/picard/default.nix b/instances/picard/default.nix index e0e71eac..0ec4bcd9 100644 --- a/instances/picard/default.nix +++ b/instances/picard/default.nix @@ -1,10 +1,8 @@ { - modules = [ ./configuration.nix ]; - sopsKey = "b730b2bf54eb792a14bfd3e68c14c08894376c5f"; - hostName = "picard"; - publicHostname = "xyno.space"; - # prometheusServer = true; - wg = { + imports = [ ./configuration.nix ]; + xyno.meta.sopsKey = "b730b2bf54eb792a14bfd3e68c14c08894376c5f"; + deployment.targetHost = "xyno.space"; + xyno.services.wireguard = { pubKey = "7JcdTbWfsyGWhJM1Rk9Y4xZVLPHcTmoG/Ne/AFCYKFs="; server = true; v4 = "10.13.12.1"; diff --git a/instances/theseus/default.nix b/instances/theseus/default.nix index 9a769c61..543cca7d 100644 --- a/instances/theseus/default.nix +++ b/instances/theseus/default.nix @@ -1,8 +1,11 @@ { - modules = [ ./configuration.nix ]; - hostName = "theseus"; - sopsKey = "4019fd893bba15618c2f93a38ef418ce360bc418"; - wg = { - pubKey = ""; + imports = [ ./configuration.nix ]; + deployment = { + targetHost = null; + allowLocalDeployment = true; + }; + xyno.meta.sopsKey = "4019fd893bba15618c2f93a38ef418ce360bc418"; + xyno.services.wireguard = { + # pubKey = ""; }; } diff --git a/modules/desktop/niri.nix b/modules/desktop/niri.nix index fd4115fd..f93e1d31 100644 --- a/modules/desktop/niri.nix +++ b/modules/desktop/niri.nix @@ -333,6 +333,9 @@ in Mod+Shift+P { power-off-monitors; } Super+Backslash { focus-workspace "scratchpad"; } } + hotkey-overlay { + skip-at-startup + } layout { // center-focused-column "always" gaps 8 @@ -349,9 +352,10 @@ in tab-indicator { hide-when-single-tab - position "top" + position "bottom" place-within-column - width 8 + width 12 + length total-proportion=0.8 gap 8 } } diff --git a/modules/desktop/waybar/cal.nix b/modules/desktop/waybar/cal.nix index 552d1ff6..0cc35d99 100644 --- a/modules/desktop/waybar/cal.nix +++ b/modules/desktop/waybar/cal.nix @@ -58,21 +58,23 @@ let # It would be ideal to determine _when_ the current event ends, and set the # timeout accordinly. That would require parsing khal's output a bit more. while true; do - (inotifywait \ - --event modify \ - --event create \ - --event delete \ - --event close_write \ - --event moved_to \ - --event move \ - --monitor \ - --timeout 120 \ - --recursive \ - "$HOME/.calendars" 2> /dev/null) || true | \ - while read -r _; do + # (inotifywait \ + # --event modify \ + # --event create \ + # --event delete \ + # --event close_write \ + # --event moved_to \ + # --event move \ + # --monitor \ + # --timeout 120 \ + # --recursive \ + # "$HOME/.calendars" 2> /dev/null) || true | \ + # while read -r _; do + # TODO: fix inotify stuff render + sleep 30 # timeout 3 cat || true # debounce for 3s, https://stackoverflow.com/a/69945839 - done + # done done ''; diff --git a/modules/module-list.nix b/modules/module-list.nix index ba53f42e..65fff1c0 100644 --- a/modules/module-list.nix +++ b/modules/module-list.nix @@ -28,6 +28,7 @@ ./services/monitoring.nix ./services/wireguard.nix ./system/impermanence.nix + ./system/meta.nix ./system/user.nix ./user-services/khal.nix ./user-services/syncthing.nix diff --git a/modules/presets/server.nix b/modules/presets/server.nix index f34cc249..fd7e100d 100644 --- a/modules/presets/server.nix +++ b/modules/presets/server.nix @@ -25,7 +25,6 @@ in ]; # theseus environment.etc."msmtprc".enable = false; - sops.defaultSopsFile = ../../secrets/common.yaml; sops.secrets = lib.mkMerge ( [ { diff --git a/modules/services/monitoring.nix b/modules/services/monitoring.nix index b104987f..e8726b1d 100644 --- a/modules/services/monitoring.nix +++ b/modules/services/monitoring.nix @@ -2,18 +2,16 @@ pkgs, lib, config, - instanceConfig, - instanceConfigs, - # inputs, + otherNodes, ... }: with lib; let cfg = config.xyno.services.monitoring; - firstInstanceWithPromServer = (builtins.head ( - builtins.filter (x: x ? prometheusServer && x.prometheusServer) (attrValues instanceConfigs) - )).hostName; + firstInstanceWithPromServer = if cfg.prometheusServer then config.networking.hostName else (builtins.head ( + attrValues (filterAttrs (n: v: v.config.xyno.services.monitoring.prometheusServer) (otherNodes)) + )).config.networking.hostName; vmBasicAuthUsername = "xyno-monitoring"; in { @@ -24,6 +22,10 @@ in default = "http://${firstInstanceWithPromServer}.${config.xyno.services.wireguard.monHostsDomain}:8428/api/v1/write"; description = "where prometheus metrics should be pushed to"; }; + options.xyno.services.monitoring.prometheusServer = mkOption { + type = types.bool; + default = false; + }; options.xyno.services.monitoring.exporters = mkOption { type = types.attrsOf (types.either types.int types.str); description = "names of exporters and their ports (to open fw and generate prometheus config)"; @@ -64,7 +66,7 @@ in }; }) - (mkIf (cfg.enable && instanceConfig ? prometheusServer && instanceConfig.prometheusServer) { + (mkIf (cfg.enable && cfg.prometheusServer) { xyno.impermanence.directories = [ "/var/lib/${config.services.victoriametrics.stateDir}" ]; sops.secrets."victoriametrics/basicAuthPassword" = { reloadUnits = [ "victoriametrics.service" ]; diff --git a/modules/services/wireguard.nix b/modules/services/wireguard.nix index 90323987..d9dc22ba 100644 --- a/modules/services/wireguard.nix +++ b/modules/services/wireguard.nix @@ -2,14 +2,13 @@ pkgs, lib, config, - instanceConfigs, - instanceConfig, + otherNodes, ... }: with lib; let - wgServer = instanceConfig ? wg.server && instanceConfig.wg.server; cfg = config.xyno.services.wireguard; + wgServer = cfg.server; ula = cfg.ula; ulaPrefix = "${ula}:1337"; # /64 for normal vpn monitoringUlaPrefix = "${ula}:2337"; # /64 for monitoring @@ -25,51 +24,50 @@ let in "${prefix}:${localPart}"; # peers list for networkd - filteredConfigs = builtins.filter (x: x.hostName != config.networking.hostName) ( - attrValues instanceConfigs - ); - wgPeersLists = map ( + wgPeersLists = attrValues (mapAttrs ( c: + let + hasV4 = c.xyno.services.wireguard.v4 && cfg.v4; + isServer = c.xyno.services.wireguard.server; + publicHostname = c.deployment.targetHost; + pubKey = c.xyno.services.wireguard.pubKey; + in ( - (optional (c ? publicHostname) { + (optional (publicHostname != null) { # if peer is publicly on the internet AllowedIPs = - (optionals (c ? wg.server && c.wg.server) [ - # is server + (optionals (isServer) [ "::/0" ]) - ++ (optionals (c ? wg.server && c.wg.server && c ? wg.v4 && instanceConfig ? wg.v4) [ - # both client and server have a v4 + ++ (optionals (isServer && hasV4) [ "0.0.0.0/0" ]) - ++ (optionals (!c ? wg.server || !c.wg.server) [ - # is not server - "${genUlaForHost ulaPrefix c.hostName}/128" # if a host is reachable but shouldn't play server, send only to the hosts ip + ++ (optionals (!isServer) [ + "${genUlaForHost ulaPrefix c.networking.hostName}/128" # if a host is reachable but shouldn't play server, send only to the hosts ip ]) - ++ (optionals ((!c ? wg.server || !c.wg.server) && c ? wg.v4 && instanceConfig ? wg.v4) [ - # no server, no ipv4 yay + ++ (optionals ((!isServer) && hasV4) [ "${c.wg.v4}/32" ]); RouteTable = 1000; - Endpoint = "${c.publicHostname}:51820"; + Endpoint = "${publicHostname}:51820"; PersistentKeepalive = 25; - PublicKey = c.wg.pubKey; + PublicKey = pubKey; PresharedKeyFile = config.sops.secrets."wg/psk".path; }) - ++ (optional ((!c ? publicHostname) && wgServer && (c ? wg.pubKey)) { + ++ (optional ((publicHostname == null) && wgServer && (pubKey != null)) { # if this is the server and the peer isn't reachable on the internet AllowedIPs = [ "${genUlaForHost ulaPrefix c.hostName}/128" "${genUlaForHost monitoringUlaPrefix c.hostName}/128" ] - ++ (optionals (c ? wg.v4 && instanceConfig ? wg.v4) [ + ++ (optionals (hasV4) [ "${c.wg.v4}/32" ]); - PublicKey = c.wg.pubKey; + PublicKey = pubKey; PresharedKeyFile = config.sops.secrets."wg/psk".path; }) ) - ) filteredConfigs; + ) otherNodes); wgPeers = flatten wgPeersLists; in { @@ -94,18 +92,34 @@ in type = types.str; default = genUlaForHost monitoringUlaPrefix config.networking.hostName; }; + options.xyno.services.wireguard.pubKey = mkOption { + type = types.nullOr types.str; + default = null; + }; + options.xyno.services.wireguard.server = mkOption { + type = types.bool; + default = false; + }; + options.xyno.services.wireguard.v4 = mkOption { + type = types.nullOr types.str; + default = null; + + }; config = mkIf cfg.enable { # TODO: add a all traffic through this network networking.hosts = (mapAttrs' ( - n: v: nameValuePair (genUlaForHost ulaPrefix v.hostName) [ "${v.hostName}.${cfg.hostsDomain}" ] - ) instanceConfigs) + n: v: + nameValuePair (genUlaForHost ulaPrefix v.networking.hostName) [ + "${v.networking.hostName}.${cfg.hostsDomain}" + ] + ) otherNodes) // (mapAttrs' ( n: v: - nameValuePair (genUlaForHost monitoringUlaPrefix v.hostName) [ - "${v.hostName}.${cfg.monHostsDomain}" + nameValuePair (genUlaForHost monitoringUlaPrefix v.networking.hostName) [ + "${v.networking.hostName}.${cfg.monHostsDomain}" ] - ) instanceConfigs); + ) otherNodes); networking.firewall.allowedUDPPorts = optional wgServer 51820; networking.firewall.interfaces."wg0".allowedUDPPorts = optional wgServer 53; systemd.network.netdevs."99-wg0" = { @@ -126,15 +140,15 @@ in matchConfig.Name = "wg0"; networkConfig = { Description = "xyno wireguard"; - IPMasquerade = mkIf (instanceConfig ? wg.server && instanceConfig.wg.server) "both"; - IPv4Forwarding = (instanceConfig ? wg.server && instanceConfig.wg.server); - IPv6Forwarding = (instanceConfig ? wg.server && instanceConfig.wg.server); + IPMasquerade = mkIf wgServer "both"; + IPv4Forwarding = wgServer; + IPv6Forwarding = wgServer; }; address = [ "${(genUlaForHost ulaPrefix config.networking.hostName)}/64" "${(genUlaForHost monitoringUlaPrefix config.networking.hostName)}/64" ] - ++ (optionals (instanceConfig ? wg.v4) [ "${instanceConfig.wg.v4}/24" ]); + ++ (optionals (cfg.v4) [ "${cfg.v4}/24" ]); }; systemd.network.networks."51-wg0-all-traffic" = { matchConfig.Name = "wg0"; diff --git a/modules/system/meta.nix b/modules/system/meta.nix new file mode 100644 index 00000000..76eabcdb --- /dev/null +++ b/modules/system/meta.nix @@ -0,0 +1,8 @@ +{lib,...}: with lib;{ + options.xyno.meta = { + sopsKey = mkOption { type = types.text; }; + }; + config = { + sops.defaultSopsFile = ../../secrets/common.yaml; + }; +} diff --git a/modules/system/user.nix b/modules/system/user.nix index cbeeb6ff..c5f940b4 100644 --- a/modules/system/user.nix +++ b/modules/system/user.nix @@ -17,6 +17,7 @@ in config = lib.mkIf cfg.enable { environment.homeBinInPath = true; nix.settings.trusted-users = [cfg.name]; + users.groups.plugdev = {}; users.users.${cfg.name} = { openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/oMAi5jyQsNohfhcSH2ItisTpBGB0WtYTVxJYKKqhj"]; # theseus isNormalUser = true;