refactor(nix): cleanup toplevel flake

2024-08-25 00:28:11 -05:00 · 2024-08-25 00:28:11 -05:00 · c27bdf76cd
commit c27bdf76cd
parent d9db6e1938
12 changed files with 60 additions and 81 deletions
--- a/flake.nix
+++ b/flake.nix
@ -188,25 +188,7 @@
      });
      nixosConfigurations =
        let
-          lib = (import ./lib { lib = nixpkgs.lib; }) // nixpkgs.lib;
-          persist-dir = "/persist";
-          defaults = {
-            config = {
-              environment.etc.machine-id.source = "${persist-dir}/ephemeral/etc/machine-id";
-              environment.persistence.save = {
-                hideMounts = true;
-                persistentStoragePath = "${persist-dir}/save";
-              };
-              environment.persistence.ephemeral = {
-                persistentStoragePath = "${persist-dir}/ephemeral";
-                hideMounts = true;
-                directories = [
-                  "/var/lib"
-                  "/etc/nixos"
-                ];
-              };
-            };
-          };
+          clib = (import ./lib { lib = nixpkgs.lib; });
        in
        {
          orion =
@ -220,12 +202,9 @@
                inherit inputs;
                inherit outputs;
                inherit hostname;
-                inherit lib;
-                inherit persist-dir;
-                root-disk = "/dev/nvme0n1";
+                inherit clib;
              };
              modules = [
-                defaults
                ./modules/btrfs-rollback.nix
                inputs.impermanence.nixosModules.impermanence
                inputs.agenix.nixosModules.default
@ -234,7 +213,7 @@
                  config =
                    (import "${self}/secrets" {
                      agenix = false;
-                      inherit lib;
+                      inherit clib;
                    }).${hostname};
                }
                ./hosts/${hostname}
@ -251,13 +230,9 @@
                inherit inputs;
                inherit hostname;
                inherit nixpkgs;
-                inherit lib;
-                inherit persist-dir;
-                root-disk = "/dev/nvme0n1";
-                fqdn = "orion-technologies.io";
+                inherit clib;
              };
              modules = [
-                defaults
                ./modules/btrfs-rollback.nix
                inputs.impermanence.nixosModules.impermanence
                inputs.agenix.nixosModules.default
@ -268,7 +243,7 @@
                  config =
                    (import "${self}/secrets" {
                      agenix = false;
-                      inherit lib;
+                      inherit clib;
                    }).${hostname};
                }
                ./hosts/${hostname}
--- a/hosts/luna/default.nix
+++ b/hosts/luna/default.nix
@ -1,7 +1,7 @@
-{ lib, ... }:
+{ clib, ... }:
 {
  imports = (
-    lib.recurseFilesInDirs [
+    clib.recurseFilesInDirs [
      ./os
      ./modules
    ] ".nix"
--- a/hosts/luna/modules/monitoring/auditd.nix
+++ b/hosts/luna/modules/monitoring/auditd.nix
@ -1,9 +1,4 @@
-{
-  persist-dir,
-  pkgs,
-  config,
-  ...
-}:
+{ pkgs, config, ... }:
 let
  laurel-user = "_laurel";
 in
@ -145,7 +140,7 @@ in
    "-a always,exit -F arch=b64 -S open -F dir=/opt -F success=0 -F key=unauthedfileaccess"
    "-a always,exit -F arch=b64 -S open -F dir=/boot -F success=0 -F key=unauthedfileaccess"
    "-a always,exit -F arch=b64 -S open -F dir=/nix -F success=0 -F key=unauthedfileaccess"
-    "-a always,exit -F arch=b64 -S open -F dir=${persist-dir} -F success=0 -F key=unauthedfileaccess"
+    "-a always,exit -F arch=b64 -S open -F dir=/persist -F success=0 -F key=unauthedfileaccess"

    # File deletion events by users
    "-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=-1 -F key=delete"
--- a/hosts/luna/modules/monitoring/grafana.nix
+++ b/hosts/luna/modules/monitoring/grafana.nix
@ -1,11 +1,6 @@
-{
-  config,
-  pkgs,
-  fqdn,
-  ...
-}:
+{ config, ... }:
 let
-  grafana_host = "grafana.${fqdn}";
+  grafana_host = "grafana.orion-technologies.io";
 in
 {
  services = {
--- a/hosts/luna/modules/monitoring/prometheus.nix
+++ b/hosts/luna/modules/monitoring/prometheus.nix
@ -1,11 +1,6 @@
-{
-  config,
-  fqdn,
-  pkgs,
-  ...
-}:
+{ config, pkgs, ... }:
 let
-  prometheus_host = "prometheus.${fqdn}";
+  prometheus_host = "prometheus.orion-technologies.io";
 in
 {
  services = {
--- a/hosts/luna/modules/services/gitea.nix
+++ b/hosts/luna/modules/services/gitea.nix
@ -1,13 +1,12 @@
 {
  config,
-  fqdn,
  inputs,
  pkgs,
  lib,
  ...
 }:
 let
-  gitea_host = "git.${fqdn}";
+  gitea_host = "git.orion-technologies.io";
  # TODO: Move this docker image out to a separate package and NixOS Module
  # Huge thank you to https://icewind.nl/entry/gitea-actions-nix/ -- wouldn't have figured this out
  # without that post 🙂
--- a/hosts/luna/modules/services/lakewatch.nix
+++ b/hosts/luna/modules/services/lakewatch.nix
@ -1,4 +1,4 @@
-{ config, fqdn, ... }:
+{ config, ... }:
 {
  services.lakewatch-api = {
    enable = true;
@ -14,7 +14,7 @@
      passwordFile = config.age.secrets.lakewatch-db-pass.path;
    };
  };
-  services.nginx.virtualHosts."lakewatch.${fqdn}" = {
+  services.nginx.virtualHosts."lakewatch.orion-technologies.io" = {
    forceSSL = true;
    enableACME = true;
    locations."/".proxyPass = "http://${config.services.lakewatch-api.host}:${builtins.toString config.services.lakewatch-api.port}";
--- a/hosts/luna/modules/services/nginx.nix
+++ b/hosts/luna/modules/services/nginx.nix
@ -1,9 +1,4 @@
-{
-  inputs,
-  pkgs,
-  fqdn,
-  ...
-}:
+{ inputs, pkgs, ... }:
 {
  services.nginx = {
    enable = true;
@ -19,7 +14,7 @@
  };

  services.nginx.virtualHosts = {
-    "blog.${fqdn}" = {
+    "blog.orion-technologies.io" = {
      forceSSL = true;
      enableACME = true;
      globalRedirect = "price-hiller.com";
--- a/hosts/luna/os/fs.nix
+++ b/hosts/luna/os/fs.nix
@ -1,10 +1,22 @@
+{ lib, ... }:
+let
+  root-disk = "/dev/nvme0n1";
+  persist-dir = "/persist";
+in
 {
-  lib,
-  root-disk,
-  persist-dir,
-  ...
-}:
-{
+  environment.etc.machine-id.source = "${persist-dir}/ephemeral/etc/machine-id";
+  environment.persistence.save = {
+    hideMounts = true;
+    persistentStoragePath = "${persist-dir}/save";
+  };
+  environment.persistence.ephemeral = {
+    persistentStoragePath = "${persist-dir}/ephemeral";
+    hideMounts = true;
+    directories = [
+      "/var/lib"
+      "/etc/nixos"
+    ];
+  };
  services = {
    fstrim.enable = true;
    btrfs.autoScrub = {
@ -12,7 +24,7 @@
      fileSystems = [
        "/"
        "/nix"
-        "/persist"
+        "${persist-dir}"
      ];
    };
    snapper = {
--- a/hosts/orion/default.nix
+++ b/hosts/orion/default.nix
@ -1,7 +1,7 @@
-{ pkgs, lib, ... }:
+{ pkgs, clib, ... }:
 {
  imports = (
-    lib.recurseFilesInDirs [
+    clib.recurseFilesInDirs [
      ./os
      ./modules
    ] ".nix"
--- a/hosts/orion/os/fs.nix
+++ b/hosts/orion/os/fs.nix
@ -1,9 +1,8 @@
-{
-  lib,
-  root-disk,
-  persist-dir,
-  ...
-}:
+{ lib, ... }:
+let
+  root-disk = "/dev/nvme0n1";
+  persist-dir = "/persist";
+in
 {
  services = {
    fstrim.enable = true;
@ -17,6 +16,20 @@
    };
  };

+  environment.etc.machine-id.source = "${persist-dir}/ephemeral/etc/machine-id";
+  environment.persistence.save = {
+    hideMounts = true;
+    persistentStoragePath = "${persist-dir}/save";
+  };
+  environment.persistence.ephemeral = {
+    persistentStoragePath = "${persist-dir}/ephemeral";
+    hideMounts = true;
+    directories = [
+      "/var/lib"
+      "/etc/nixos"
+    ];
+  };
+
  fileSystems."${persist-dir}".neededForBoot = true;

  disko.devices = {
--- a/secrets/default.nix
+++ b/secrets/default.nix
@ -1,6 +1,6 @@
 {
  agenix ? false,
-  lib ? import ../lib { },
+  clib ? import ../clib { },
 }:
 let
  masterKeys = [
@ -54,7 +54,7 @@ if agenix then
 else
  (builtins.mapAttrs (
    host: secrets:
-    (lib.recursiveMerge (
+    (clib.recursiveMerge (
      builtins.map (secretName: { age.secrets.${secretName}.file = ./${secrets.${secretName}}; }) (
        builtins.attrNames hosts.${host}
      )