From e44ec3cba7356080c8fefb9cc78cb82b847cfda2 Mon Sep 17 00:00:00 2001
From: Price Hiller
Date: Sun, 25 Aug 2024 00:28:11 -0500
Subject: [PATCH] refactor(nix): overhaul nixos configurations
---
 flake.nix | 35 +++-----------------
 hosts/luna/default.nix | 4 +-
 hosts/luna/modules/monitoring/auditd.nix | 9 ++---
 hosts/luna/modules/monitoring/grafana.nix | 9 ++---
 hosts/luna/modules/monitoring/prometheus.nix | 9 ++---
 hosts/luna/modules/services/gitea.nix | 3 +-
 hosts/luna/modules/services/lakewatch.nix | 4 +-
 hosts/luna/modules/services/nginx.nix | 9 ++---
 hosts/luna/os/fs.nix | 26 +++++++++++----
 hosts/orion/default.nix | 4 +-
 hosts/orion/os/fs.nix | 25 ++++++++++----
 secrets/default.nix | 4 +-
 12 files changed, 60 insertions(+), 81 deletions(-)
diff --git a/flake.nix b/flake.nix
index 3e719efc..93badd77 100644
--- a/flake.nix
+++ b/flake.nix
@@ -188,25 +188,7 @@
 });
 nixosConfigurations =
 let
- lib = (import ./lib { lib = nixpkgs.lib; }) // nixpkgs.lib;
- persist-dir = "/persist";
- defaults = {
- config = {
- environment.etc.machine-id.source = "${persist-dir}/ephemeral/etc/machine-id";
- environment.persistence.save = {
- hideMounts = true;
- persistentStoragePath = "${persist-dir}/save";
- };
- environment.persistence.ephemeral = {
- persistentStoragePath = "${persist-dir}/ephemeral";
- hideMounts = true;
- directories = [
- "/var/lib"
- "/etc/nixos"
- ];
- };
- };
- };
+ clib = (import ./lib { lib = nixpkgs.lib; });
 in
 {
 orion =
@@ -220,12 +202,9 @@
 inherit inputs;
 inherit outputs;
 inherit hostname;
- inherit lib;
- inherit persist-dir;
- root-disk = "/dev/nvme0n1";
+ inherit clib;
 };
 modules = [
- defaults
 ./modules/btrfs-rollback.nix
 inputs.impermanence.nixosModules.impermanence
 inputs.agenix.nixosModules.default
@@ -234,7 +213,7 @@
 config = (import "${self}/secrets" {
 agenix = false;
- inherit lib;
+ inherit clib;
 }).${hostname};
 }
 ./hosts/${hostname}
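Review bot: The parentheses in `clib = (import ./lib { lib = nixpkgs.lib; });` are redundant in Nix and read as a leftover of the removed `// nixpkgs.lib` merge; the conventional form is `clib = import ./lib { lib = nixpkgs.lib; };`. Because `clib` no longer carries `nixpkgs.lib`, any module that previously reached nixpkgs helpers through the special arg must now take `lib` from its module arguments; the hunks in this patch do so, but modules outside it cannot be checked from here.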
@@ -251,13 +230,9 @@
 inherit inputs;
 inherit hostname;
 inherit nixpkgs;
- inherit lib;
- inherit persist-dir;
- root-disk = "/dev/nvme0n1";
- fqdn = "orion-technologies.io";
+ inherit clib;
 };
 modules = [
- defaults
 ./modules/btrfs-rollback.nix
 inputs.impermanence.nixosModules.impermanence
 inputs.agenix.nixosModules.default
@@ -268,7 +243,7 @@
 config = (import "${self}/secrets" {
 agenix = false;
- inherit lib;
+ inherit clib;
 }).${hostname};
 }
 ./hosts/${hostname}
diff --git a/hosts/luna/default.nix b/hosts/luna/default.nix
index 6d24c80a..7315d0c7 100644
--- a/hosts/luna/default.nix
+++ b/hosts/luna/default.nix
@@ -1,7 +1,7 @@
-{ lib, ... }:
+{ clib, ... }:
 {
 imports = (
- lib.recurseFilesInDirs [
+ clib.recurseFilesInDirs [
 ./os
 ./modules
 ] ".nix"
diff --git a/hosts/luna/modules/monitoring/auditd.nix b/hosts/luna/modules/monitoring/auditd.nix
index bcf65abe..1c26f76f 100644
--- a/hosts/luna/modules/monitoring/auditd.nix
+++ b/hosts/luna/modules/monitoring/auditd.nix
@@ -1,9 +1,4 @@
-{
- persist-dir,
- pkgs,
- config,
- ...
-}:
+{ pkgs, config, ... }:
 let
 laurel-user = "_laurel";
 in
@@ -145,7 +140,7 @@ in
 "-a always,exit -F arch=b64 -S open -F dir=/opt -F success=0 -F key=unauthedfileaccess"
 "-a always,exit -F arch=b64 -S open -F dir=/boot -F success=0 -F key=unauthedfileaccess"
 "-a always,exit -F arch=b64 -S open -F dir=/nix -F success=0 -F key=unauthedfileaccess"
- "-a always,exit -F arch=b64 -S open -F dir=${persist-dir} -F success=0 -F key=unauthedfileaccess"
+ "-a always,exit -F arch=b64 -S open -F dir=/persist -F success=0 -F key=unauthedfileaccess"
 # File deletion events by users
 "-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=-1 -F key=delete"
diff --git a/hosts/luna/modules/monitoring/grafana.nix b/hosts/luna/modules/monitoring/grafana.nix
index d9dc5137..8462a0a6 100644
--- a/hosts/luna/modules/monitoring/grafana.nix
+++ b/hosts/luna/modules/monitoring/grafana.nix
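Review bot: The audit watch on the persistent store is now a literal `-F dir=/persist` while the path it is meant to cover is defined separately as `persist-dir = "/persist"` in `hosts/luna/os/fs.nix`; the two can drift silently, and a mismatch would leave failed opens under the real persistence root without the `unauthedfileaccess` key. Add a comment beside the rule, `# Must match persist-dir in hosts/luna/os/fs.nix`, or expose the path as a module option both files read so the rule follows the mount. The rule list this line belongs to starts outside the hunk.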
@@ -1,11 +1,6 @@
-{
- config,
- pkgs,
- fqdn,
- ...
-}:
+{ config, ... }:
 let
- grafana_host = "grafana.${fqdn}";
+ grafana_host = "grafana.orion-technologies.io";
 in
 {
 services = {
diff --git a/hosts/luna/modules/monitoring/prometheus.nix b/hosts/luna/modules/monitoring/prometheus.nix
index 555dad7c..8db01250 100644
--- a/hosts/luna/modules/monitoring/prometheus.nix
+++ b/hosts/luna/modules/monitoring/prometheus.nix
@@ -1,11 +1,6 @@
-{
- config,
- fqdn,
- pkgs,
- ...
-}:
+{ config, pkgs, ... }:
 let
- prometheus_host = "prometheus.${fqdn}";
+ prometheus_host = "prometheus.orion-technologies.io";
 in
 {
 services = {
diff --git a/hosts/luna/modules/services/gitea.nix b/hosts/luna/modules/services/gitea.nix
index 8ed6f9af..7be50356 100644
--- a/hosts/luna/modules/services/gitea.nix
+++ b/hosts/luna/modules/services/gitea.nix
@@ -1,13 +1,12 @@
 {
 config,
- fqdn,
 inputs,
 pkgs,
 lib,
 ...
 }:
 let
- gitea_host = "git.${fqdn}";
+ gitea_host = "git.orion-technologies.io";
 # TODO: Move this docker image out to a separate package and NixOS Module
 # Huge thank you to https://icewind.nl/entry/gitea-actions-nix/ -- wouldn't have figured this out
 # without that post 🙂
diff --git a/hosts/luna/modules/services/lakewatch.nix b/hosts/luna/modules/services/lakewatch.nix
index 83f11840..831f0db3 100644
--- a/hosts/luna/modules/services/lakewatch.nix
+++ b/hosts/luna/modules/services/lakewatch.nix
@@ -1,4 +1,4 @@
-{ config, fqdn, ... }:
+{ config, ... }:
 {
 services.lakewatch-api = {
 enable = true;
@@ -14,7 +14,7 @@
 passwordFile = config.age.secrets.lakewatch-db-pass.path;
 };
 };
- services.nginx.virtualHosts."lakewatch.${fqdn}" = {
+ services.nginx.virtualHosts."lakewatch.orion-technologies.io" = {
 forceSSL = true;
 enableACME = true;
 locations."/".proxyPass = "http://${config.services.lakewatch-api.host}:${builtins.toString config.services.lakewatch-api.port}";
diff --git a/hosts/luna/modules/services/nginx.nix b/hosts/luna/modules/services/nginx.nix
index 48cb295a..a33d719c 100644
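Review bot: The domain `orion-technologies.io` is now a literal in five files — here in `grafana_host`, and likewise in prometheus.nix, gitea.nix, lakewatch.nix and nginx.nix — where the removed `fqdn` argument gave it a single definition. Where these names feed `enableACME` virtual hosts (visible in the lakewatch.nix and nginx.nix hunks), a typo in any one copy produces a virtual host and a certificate request for an unintended name that the other files cannot catch. If the special arg is not wanted back, a host-level `let` binding or a small shared module exporting the domain keeps one source of truth for all five.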
--- a/hosts/luna/modules/services/nginx.nix
+++ b/hosts/luna/modules/services/nginx.nix
@@ -1,9 +1,4 @@
-{
- inputs,
- pkgs,
- fqdn,
- ...
-}:
+{ inputs, pkgs, ... }:
 {
 services.nginx = {
 enable = true;
@@ -19,7 +14,7 @@
 };
 services.nginx.virtualHosts = {
- "blog.${fqdn}" = {
+ "blog.orion-technologies.io" = {
 forceSSL = true;
 enableACME = true;
 globalRedirect = "price-hiller.com";
diff --git a/hosts/luna/os/fs.nix b/hosts/luna/os/fs.nix
index 887782ee..e7cfdc00 100644
--- a/hosts/luna/os/fs.nix
+++ b/hosts/luna/os/fs.nix
@@ -1,10 +1,22 @@
+{ lib, ... }:
+let
+ root-disk = "/dev/nvme0n1";
+ persist-dir = "/persist";
+in
 {
- lib,
- root-disk,
- persist-dir,
- ...
-}:
-{
+ environment.etc.machine-id.source = "${persist-dir}/ephemeral/etc/machine-id";
+ environment.persistence.save = {
+ hideMounts = true;
+ persistentStoragePath = "${persist-dir}/save";
+ };
+ environment.persistence.ephemeral = {
+ persistentStoragePath = "${persist-dir}/ephemeral";
+ hideMounts = true;
+ directories = [
+ "/var/lib"
+ "/etc/nixos"
+ ];
+ };
 services = {
 fstrim.enable = true;
 btrfs.autoScrub = {
@@ -12,7 +24,7 @@
 fileSystems = [
 "/"
 "/nix"
- "/persist"
+ "${persist-dir}"
 ];
 };
 snapper = {
diff --git a/hosts/orion/default.nix b/hosts/orion/default.nix
index f39732d5..b6c9c21e 100644
--- a/hosts/orion/default.nix
+++ b/hosts/orion/default.nix
@@ -1,7 +1,7 @@
-{ pkgs, lib, ... }:
+{ pkgs, clib, ... }:
 {
 imports = (
- lib.recurseFilesInDirs [
+ clib.recurseFilesInDirs [
 ./os
 ./modules
 ] ".nix"
diff --git a/hosts/orion/os/fs.nix b/hosts/orion/os/fs.nix
index 7c054c13..25b80bb7 100644
--- a/hosts/orion/os/fs.nix
+++ b/hosts/orion/os/fs.nix
@@ -1,9 +1,8 @@
-{
- lib,
- root-disk,
- persist-dir,
- ...
-}:
+{ lib, ... }:
+let
+ root-disk = "/dev/nvme0n1";
+ persist-dir = "/persist";
+in
 {
 services = {
 fstrim.enable = true;
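Review bot: `root-disk = "/dev/nvme0n1";` in the luna fs.nix hunk pins the disk by kernel enumeration name, which is not stable when devices are added or probe order changes; the same literal is introduced in the orion fs.nix hunk of this patch. If this binding feeds `disko.devices` (its opening appears in orion's second hunk, but the device definition itself is outside these hunks), a renumbered disk would point declarative partitioning at the wrong device, so a `/dev/disk/by-id/...` path is the safer choice. The `lib` argument in the new `{ lib, ... }:` header is not used anywhere within the visible hunk; the rest of the file is outside the patch.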
@@ -17,6 +16,20 @@
 };
 };
+ environment.etc.machine-id.source = "${persist-dir}/ephemeral/etc/machine-id";
+ environment.persistence.save = {
+ hideMounts = true;
+ persistentStoragePath = "${persist-dir}/save";
+ };
+ environment.persistence.ephemeral = {
+ persistentStoragePath = "${persist-dir}/ephemeral";
+ hideMounts = true;
+ directories = [
+ "/var/lib"
+ "/etc/nixos"
+ ];
+ };
+ fileSystems."${persist-dir}".neededForBoot = true;
 disko.devices = {
diff --git a/secrets/default.nix b/secrets/default.nix
index a038940e..3e840044 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -1,6 +1,6 @@
 {
 agenix ? false,
- lib ? import ../lib { },
+ clib ? import ../clib { },
 }:
 let
 masterKeys = [
@@ -54,7 +54,7 @@ if agenix then
 else
 (builtins.mapAttrs (
 host: secrets:
- (lib.recursiveMerge (
+ (clib.recursiveMerge (
 builtins.map (secretName: { age.secrets.${secretName}.file = ./${secrets.${secretName}}; }) (
 builtins.attrNames hosts.${host}
 )
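Review bot: The default `clib ? import ../clib { }` points at a directory this patch never creates; flake.nix imports the library from `./lib`, so the rename appears to have rewritten the path along with the identifier. Any evaluation that does not pass `clib` explicitly falls into this default and fails with a missing-path error rather than the previous behaviour. Change it to `clib ? import ../lib { },` — and note that flake.nix calls the same directory with `{ lib = nixpkgs.lib; }`, so the empty argument set may also need a `lib` argument, which cannot be verified from this hunk.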