refactor(nix): overhaul nixos configurations
Some checks failed
Check Formatting of Files / Check-Formatting (push) Has been cancelled
Some checks failed
Check Formatting of Files / Check-Formatting (push) Has been cancelled
This commit is contained in:
parent
d9db6e1938
commit
e44ec3cba7
35
flake.nix
35
flake.nix
@ -188,25 +188,7 @@
|
|||||||
});
|
});
|
||||||
nixosConfigurations =
|
nixosConfigurations =
|
||||||
let
|
let
|
||||||
lib = (import ./lib { lib = nixpkgs.lib; }) // nixpkgs.lib;
|
clib = (import ./lib { lib = nixpkgs.lib; });
|
||||||
persist-dir = "/persist";
|
|
||||||
defaults = {
|
|
||||||
config = {
|
|
||||||
environment.etc.machine-id.source = "${persist-dir}/ephemeral/etc/machine-id";
|
|
||||||
environment.persistence.save = {
|
|
||||||
hideMounts = true;
|
|
||||||
persistentStoragePath = "${persist-dir}/save";
|
|
||||||
};
|
|
||||||
environment.persistence.ephemeral = {
|
|
||||||
persistentStoragePath = "${persist-dir}/ephemeral";
|
|
||||||
hideMounts = true;
|
|
||||||
directories = [
|
|
||||||
"/var/lib"
|
|
||||||
"/etc/nixos"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
orion =
|
orion =
|
||||||
@ -220,12 +202,9 @@
|
|||||||
inherit inputs;
|
inherit inputs;
|
||||||
inherit outputs;
|
inherit outputs;
|
||||||
inherit hostname;
|
inherit hostname;
|
||||||
inherit lib;
|
inherit clib;
|
||||||
inherit persist-dir;
|
|
||||||
root-disk = "/dev/nvme0n1";
|
|
||||||
};
|
};
|
||||||
modules = [
|
modules = [
|
||||||
defaults
|
|
||||||
./modules/btrfs-rollback.nix
|
./modules/btrfs-rollback.nix
|
||||||
inputs.impermanence.nixosModules.impermanence
|
inputs.impermanence.nixosModules.impermanence
|
||||||
inputs.agenix.nixosModules.default
|
inputs.agenix.nixosModules.default
|
||||||
@ -234,7 +213,7 @@
|
|||||||
config =
|
config =
|
||||||
(import "${self}/secrets" {
|
(import "${self}/secrets" {
|
||||||
agenix = false;
|
agenix = false;
|
||||||
inherit lib;
|
inherit clib;
|
||||||
}).${hostname};
|
}).${hostname};
|
||||||
}
|
}
|
||||||
./hosts/${hostname}
|
./hosts/${hostname}
|
||||||
@ -251,13 +230,9 @@
|
|||||||
inherit inputs;
|
inherit inputs;
|
||||||
inherit hostname;
|
inherit hostname;
|
||||||
inherit nixpkgs;
|
inherit nixpkgs;
|
||||||
inherit lib;
|
inherit clib;
|
||||||
inherit persist-dir;
|
|
||||||
root-disk = "/dev/nvme0n1";
|
|
||||||
fqdn = "orion-technologies.io";
|
|
||||||
};
|
};
|
||||||
modules = [
|
modules = [
|
||||||
defaults
|
|
||||||
./modules/btrfs-rollback.nix
|
./modules/btrfs-rollback.nix
|
||||||
inputs.impermanence.nixosModules.impermanence
|
inputs.impermanence.nixosModules.impermanence
|
||||||
inputs.agenix.nixosModules.default
|
inputs.agenix.nixosModules.default
|
||||||
@ -268,7 +243,7 @@
|
|||||||
config =
|
config =
|
||||||
(import "${self}/secrets" {
|
(import "${self}/secrets" {
|
||||||
agenix = false;
|
agenix = false;
|
||||||
inherit lib;
|
inherit clib;
|
||||||
}).${hostname};
|
}).${hostname};
|
||||||
}
|
}
|
||||||
./hosts/${hostname}
|
./hosts/${hostname}
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
{ lib, ... }:
|
{ clib, ... }:
|
||||||
{
|
{
|
||||||
imports = (
|
imports = (
|
||||||
lib.recurseFilesInDirs [
|
clib.recurseFilesInDirs [
|
||||||
./os
|
./os
|
||||||
./modules
|
./modules
|
||||||
] ".nix"
|
] ".nix"
|
||||||
|
@ -1,9 +1,4 @@
|
|||||||
{
|
{ pkgs, config, ... }:
|
||||||
persist-dir,
|
|
||||||
pkgs,
|
|
||||||
config,
|
|
||||||
...
|
|
||||||
}:
|
|
||||||
let
|
let
|
||||||
laurel-user = "_laurel";
|
laurel-user = "_laurel";
|
||||||
in
|
in
|
||||||
@ -145,7 +140,7 @@ in
|
|||||||
"-a always,exit -F arch=b64 -S open -F dir=/opt -F success=0 -F key=unauthedfileaccess"
|
"-a always,exit -F arch=b64 -S open -F dir=/opt -F success=0 -F key=unauthedfileaccess"
|
||||||
"-a always,exit -F arch=b64 -S open -F dir=/boot -F success=0 -F key=unauthedfileaccess"
|
"-a always,exit -F arch=b64 -S open -F dir=/boot -F success=0 -F key=unauthedfileaccess"
|
||||||
"-a always,exit -F arch=b64 -S open -F dir=/nix -F success=0 -F key=unauthedfileaccess"
|
"-a always,exit -F arch=b64 -S open -F dir=/nix -F success=0 -F key=unauthedfileaccess"
|
||||||
"-a always,exit -F arch=b64 -S open -F dir=${persist-dir} -F success=0 -F key=unauthedfileaccess"
|
"-a always,exit -F arch=b64 -S open -F dir=/persist -F success=0 -F key=unauthedfileaccess"
|
||||||
|
|
||||||
# File deletion events by users
|
# File deletion events by users
|
||||||
"-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=-1 -F key=delete"
|
"-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=-1 -F key=delete"
|
||||||
|
@ -1,11 +1,6 @@
|
|||||||
{
|
{ config, ... }:
|
||||||
config,
|
|
||||||
pkgs,
|
|
||||||
fqdn,
|
|
||||||
...
|
|
||||||
}:
|
|
||||||
let
|
let
|
||||||
grafana_host = "grafana.${fqdn}";
|
grafana_host = "grafana.orion-technologies.io";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services = {
|
services = {
|
||||||
|
@ -1,11 +1,6 @@
|
|||||||
{
|
{ config, pkgs, ... }:
|
||||||
config,
|
|
||||||
fqdn,
|
|
||||||
pkgs,
|
|
||||||
...
|
|
||||||
}:
|
|
||||||
let
|
let
|
||||||
prometheus_host = "prometheus.${fqdn}";
|
prometheus_host = "prometheus.orion-technologies.io";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services = {
|
services = {
|
||||||
|
@ -1,13 +1,12 @@
|
|||||||
{
|
{
|
||||||
config,
|
config,
|
||||||
fqdn,
|
|
||||||
inputs,
|
inputs,
|
||||||
pkgs,
|
pkgs,
|
||||||
lib,
|
lib,
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
let
|
let
|
||||||
gitea_host = "git.${fqdn}";
|
gitea_host = "git.orion-technologies.io";
|
||||||
# TODO: Move this docker image out to a separate package and NixOS Module
|
# TODO: Move this docker image out to a separate package and NixOS Module
|
||||||
# Huge thank you to https://icewind.nl/entry/gitea-actions-nix/ -- wouldn't have figured this out
|
# Huge thank you to https://icewind.nl/entry/gitea-actions-nix/ -- wouldn't have figured this out
|
||||||
# without that post 🙂
|
# without that post 🙂
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
{ config, fqdn, ... }:
|
{ config, ... }:
|
||||||
{
|
{
|
||||||
services.lakewatch-api = {
|
services.lakewatch-api = {
|
||||||
enable = true;
|
enable = true;
|
||||||
@ -14,7 +14,7 @@
|
|||||||
passwordFile = config.age.secrets.lakewatch-db-pass.path;
|
passwordFile = config.age.secrets.lakewatch-db-pass.path;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
services.nginx.virtualHosts."lakewatch.${fqdn}" = {
|
services.nginx.virtualHosts."lakewatch.orion-technologies.io" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
locations."/".proxyPass = "http://${config.services.lakewatch-api.host}:${builtins.toString config.services.lakewatch-api.port}";
|
locations."/".proxyPass = "http://${config.services.lakewatch-api.host}:${builtins.toString config.services.lakewatch-api.port}";
|
||||||
|
@ -1,9 +1,4 @@
|
|||||||
{
|
{ inputs, pkgs, ... }:
|
||||||
inputs,
|
|
||||||
pkgs,
|
|
||||||
fqdn,
|
|
||||||
...
|
|
||||||
}:
|
|
||||||
{
|
{
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
@ -19,7 +14,7 @@
|
|||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts = {
|
services.nginx.virtualHosts = {
|
||||||
"blog.${fqdn}" = {
|
"blog.orion-technologies.io" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
globalRedirect = "price-hiller.com";
|
globalRedirect = "price-hiller.com";
|
||||||
|
@ -1,10 +1,22 @@
|
|||||||
|
{ lib, ... }:
|
||||||
|
let
|
||||||
|
root-disk = "/dev/nvme0n1";
|
||||||
|
persist-dir = "/persist";
|
||||||
|
in
|
||||||
{
|
{
|
||||||
lib,
|
environment.etc.machine-id.source = "${persist-dir}/ephemeral/etc/machine-id";
|
||||||
root-disk,
|
environment.persistence.save = {
|
||||||
persist-dir,
|
hideMounts = true;
|
||||||
...
|
persistentStoragePath = "${persist-dir}/save";
|
||||||
}:
|
};
|
||||||
{
|
environment.persistence.ephemeral = {
|
||||||
|
persistentStoragePath = "${persist-dir}/ephemeral";
|
||||||
|
hideMounts = true;
|
||||||
|
directories = [
|
||||||
|
"/var/lib"
|
||||||
|
"/etc/nixos"
|
||||||
|
];
|
||||||
|
};
|
||||||
services = {
|
services = {
|
||||||
fstrim.enable = true;
|
fstrim.enable = true;
|
||||||
btrfs.autoScrub = {
|
btrfs.autoScrub = {
|
||||||
@ -12,7 +24,7 @@
|
|||||||
fileSystems = [
|
fileSystems = [
|
||||||
"/"
|
"/"
|
||||||
"/nix"
|
"/nix"
|
||||||
"/persist"
|
"${persist-dir}"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
snapper = {
|
snapper = {
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
{ pkgs, lib, ... }:
|
{ pkgs, clib, ... }:
|
||||||
{
|
{
|
||||||
imports = (
|
imports = (
|
||||||
lib.recurseFilesInDirs [
|
clib.recurseFilesInDirs [
|
||||||
./os
|
./os
|
||||||
./modules
|
./modules
|
||||||
] ".nix"
|
] ".nix"
|
||||||
|
@ -1,9 +1,8 @@
|
|||||||
{
|
{ lib, ... }:
|
||||||
lib,
|
let
|
||||||
root-disk,
|
root-disk = "/dev/nvme0n1";
|
||||||
persist-dir,
|
persist-dir = "/persist";
|
||||||
...
|
in
|
||||||
}:
|
|
||||||
{
|
{
|
||||||
services = {
|
services = {
|
||||||
fstrim.enable = true;
|
fstrim.enable = true;
|
||||||
@ -17,6 +16,20 @@
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
environment.etc.machine-id.source = "${persist-dir}/ephemeral/etc/machine-id";
|
||||||
|
environment.persistence.save = {
|
||||||
|
hideMounts = true;
|
||||||
|
persistentStoragePath = "${persist-dir}/save";
|
||||||
|
};
|
||||||
|
environment.persistence.ephemeral = {
|
||||||
|
persistentStoragePath = "${persist-dir}/ephemeral";
|
||||||
|
hideMounts = true;
|
||||||
|
directories = [
|
||||||
|
"/var/lib"
|
||||||
|
"/etc/nixos"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
fileSystems."${persist-dir}".neededForBoot = true;
|
fileSystems."${persist-dir}".neededForBoot = true;
|
||||||
|
|
||||||
disko.devices = {
|
disko.devices = {
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
{
|
{
|
||||||
agenix ? false,
|
agenix ? false,
|
||||||
lib ? import ../lib { },
|
clib ? import ../clib { },
|
||||||
}:
|
}:
|
||||||
let
|
let
|
||||||
masterKeys = [
|
masterKeys = [
|
||||||
@ -54,7 +54,7 @@ if agenix then
|
|||||||
else
|
else
|
||||||
(builtins.mapAttrs (
|
(builtins.mapAttrs (
|
||||||
host: secrets:
|
host: secrets:
|
||||||
(lib.recursiveMerge (
|
(clib.recursiveMerge (
|
||||||
builtins.map (secretName: { age.secrets.${secretName}.file = ./${secrets.${secretName}}; }) (
|
builtins.map (secretName: { age.secrets.${secretName}.file = ./${secrets.${secretName}}; }) (
|
||||||
builtins.attrNames hosts.${host}
|
builtins.attrNames hosts.${host}
|
||||||
)
|
)
|
||||||
|
Loading…
Reference in New Issue
Block a user