refactor(nix): overhaul nixos configurations

This commit is contained in:
Price Hiller 2024-08-25 00:28:11 -05:00
parent d9db6e1938
commit e44ec3cba7
Signed by: Price
GPG Key ID: C3FADDE7A8534BEB
12 changed files with 60 additions and 81 deletions


@ -188,25 +188,7 @@
}); });
nixosConfigurations = nixosConfigurations =
let let
lib = (import ./lib { lib = nixpkgs.lib; }) // nixpkgs.lib; clib = (import ./lib { lib = nixpkgs.lib; });
persist-dir = "/persist";
defaults = {
config = {
environment.etc.machine-id.source = "${persist-dir}/ephemeral/etc/machine-id";
environment.persistence.save = {
hideMounts = true;
persistentStoragePath = "${persist-dir}/save";
};
environment.persistence.ephemeral = {
persistentStoragePath = "${persist-dir}/ephemeral";
hideMounts = true;
directories = [
"/var/lib"
"/etc/nixos"
];
};
};
};
in in
{ {
orion = orion =
@ -220,12 +202,9 @@
inherit inputs; inherit inputs;
inherit outputs; inherit outputs;
inherit hostname; inherit hostname;
inherit lib; inherit clib;
inherit persist-dir;
root-disk = "/dev/nvme0n1";
}; };
modules = [ modules = [
defaults
./modules/btrfs-rollback.nix ./modules/btrfs-rollback.nix
inputs.impermanence.nixosModules.impermanence inputs.impermanence.nixosModules.impermanence
inputs.agenix.nixosModules.default inputs.agenix.nixosModules.default
@ -234,7 +213,7 @@
config = config =
(import "${self}/secrets" { (import "${self}/secrets" {
agenix = false; agenix = false;
inherit lib; inherit clib;
}).${hostname}; }).${hostname};
} }
./hosts/${hostname} ./hosts/${hostname}
@ -251,13 +230,9 @@
inherit inputs; inherit inputs;
inherit hostname; inherit hostname;
inherit nixpkgs; inherit nixpkgs;
inherit lib; inherit clib;
inherit persist-dir;
root-disk = "/dev/nvme0n1";
fqdn = "orion-technologies.io";
}; };
modules = [ modules = [
defaults
./modules/btrfs-rollback.nix ./modules/btrfs-rollback.nix
inputs.impermanence.nixosModules.impermanence inputs.impermanence.nixosModules.impermanence
inputs.agenix.nixosModules.default inputs.agenix.nixosModules.default
@ -268,7 +243,7 @@
config = config =
(import "${self}/secrets" { (import "${self}/secrets" {
agenix = false; agenix = false;
inherit lib; inherit clib;
}).${hostname}; }).${hostname};
} }
./hosts/${hostname} ./hosts/${hostname}
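Review bot: Dropping the shared `defaults` module and the `persist-dir`/`root-disk`/`fqdn` specialArgs leaves both host files later in this commit re-declaring the same impermanence block and the same `"/dev/nvme0n1"` and `"/persist"` literals in their own `let`, so the two copies can now drift without any evaluation error. A module under ./modules that both hosts import, or a small NixOS option holding the persistence root, would keep the single source of truth this hunk removes. The rename to `clib` at the first hunk also deserves a one-line comment since the merge with `nixpkgs.lib` is gone, e.g. `# project helpers only; modules still receive the stock nixpkgs lib unshadowed` (the motivation is inferred, adjust to the real one). The `nixosConfigurations` attribute set continues outside these hunks.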


@ -1,7 +1,7 @@
{ lib, ... }: { clib, ... }:
{ {
imports = ( imports = (
lib.recurseFilesInDirs [ clib.recurseFilesInDirs [
./os ./os
./modules ./modules
] ".nix" ] ".nix"


@ -1,9 +1,4 @@
{ { pkgs, config, ... }:
persist-dir,
pkgs,
config,
...
}:
let let
laurel-user = "_laurel"; laurel-user = "_laurel";
in in
@ -145,7 +140,7 @@ in
"-a always,exit -F arch=b64 -S open -F dir=/opt -F success=0 -F key=unauthedfileaccess" "-a always,exit -F arch=b64 -S open -F dir=/opt -F success=0 -F key=unauthedfileaccess"
"-a always,exit -F arch=b64 -S open -F dir=/boot -F success=0 -F key=unauthedfileaccess" "-a always,exit -F arch=b64 -S open -F dir=/boot -F success=0 -F key=unauthedfileaccess"
"-a always,exit -F arch=b64 -S open -F dir=/nix -F success=0 -F key=unauthedfileaccess" "-a always,exit -F arch=b64 -S open -F dir=/nix -F success=0 -F key=unauthedfileaccess"
"-a always,exit -F arch=b64 -S open -F dir=${persist-dir} -F success=0 -F key=unauthedfileaccess" "-a always,exit -F arch=b64 -S open -F dir=/persist -F success=0 -F key=unauthedfileaccess"
# File deletion events by users # File deletion events by users
"-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=-1 -F key=delete" "-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=-1 -F key=delete"
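Review bot: The `unauthedfileaccess` rule now hardcodes `-F dir=/persist` while the host files in this commit define `persist-dir = "/persist"` in a private `let`, so if a host ever moves its persistence root the audit watch keeps pointing at the old path and simply stops matching, with no evaluation error to flag the lost coverage. Deriving the path from configuration this module can see keeps the rule tied to the real mount, e.g. `"-a always,exit -F arch=b64 -S open -F dir=${builtins.dirOf config.environment.persistence.ephemeral.persistentStoragePath} -F success=0 -F key=unauthedfileaccess"`; this assumes every host importing this module defines `environment.persistence.ephemeral` as both hosts here do. If that coupling is unwanted, at least a comment `# must match persist-dir in the host config` on this line makes the duplication visible. The enclosing rules list starts outside the hunk.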


@ -1,11 +1,6 @@
{ { config, ... }:
config,
pkgs,
fqdn,
...
}:
let let
grafana_host = "grafana.${fqdn}"; grafana_host = "grafana.orion-technologies.io";
in in
{ {
services = { services = {
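Review bot: `grafana_host` now embeds the domain as a literal, and the same literal is repeated in the prometheus, gitea, lakewatch and nginx sections of this commit; these values name the nginx virtualHosts and therefore the ACME certificates, so a typo in one copy surfaces only as a failed certificate issuance or an unreachable vhost rather than at evaluation time. Keeping one definition, for example `"grafana.${config.networking.domain}"` with `networking.domain` set once on the host, preserves what the removed `fqdn` argument provided. The `services` attribute set continues outside the hunk.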


@ -1,11 +1,6 @@
{ { config, pkgs, ... }:
config,
fqdn,
pkgs,
...
}:
let let
prometheus_host = "prometheus.${fqdn}"; prometheus_host = "prometheus.orion-technologies.io";
in in
{ {
services = { services = {


@ -1,13 +1,12 @@
{ {
config, config,
fqdn,
inputs, inputs,
pkgs, pkgs,
lib, lib,
... ...
}: }:
let let
gitea_host = "git.${fqdn}"; gitea_host = "git.orion-technologies.io";
# TODO: Move this docker image out to a separate package and NixOS Module # TODO: Move this docker image out to a separate package and NixOS Module
# Huge thank you to https://icewind.nl/entry/gitea-actions-nix/ -- wouldn't have figured this out # Huge thank you to https://icewind.nl/entry/gitea-actions-nix/ -- wouldn't have figured this out
# without that post 🙂 # without that post 🙂


@ -1,4 +1,4 @@
{ config, fqdn, ... }: { config, ... }:
{ {
services.lakewatch-api = { services.lakewatch-api = {
enable = true; enable = true;
@ -14,7 +14,7 @@
passwordFile = config.age.secrets.lakewatch-db-pass.path; passwordFile = config.age.secrets.lakewatch-db-pass.path;
}; };
}; };
services.nginx.virtualHosts."lakewatch.${fqdn}" = { services.nginx.virtualHosts."lakewatch.orion-technologies.io" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/".proxyPass = "http://${config.services.lakewatch-api.host}:${builtins.toString config.services.lakewatch-api.port}"; locations."/".proxyPass = "http://${config.services.lakewatch-api.host}:${builtins.toString config.services.lakewatch-api.port}";


@ -1,9 +1,4 @@
{ { inputs, pkgs, ... }:
inputs,
pkgs,
fqdn,
...
}:
{ {
services.nginx = { services.nginx = {
enable = true; enable = true;
@ -19,7 +14,7 @@
}; };
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"blog.${fqdn}" = { "blog.orion-technologies.io" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
globalRedirect = "price-hiller.com"; globalRedirect = "price-hiller.com";


@ -1,10 +1,22 @@
{ lib, ... }:
let
root-disk = "/dev/nvme0n1";
persist-dir = "/persist";
in
{ {
lib, environment.etc.machine-id.source = "${persist-dir}/ephemeral/etc/machine-id";
root-disk, environment.persistence.save = {
persist-dir, hideMounts = true;
... persistentStoragePath = "${persist-dir}/save";
}: };
{ environment.persistence.ephemeral = {
persistentStoragePath = "${persist-dir}/ephemeral";
hideMounts = true;
directories = [
"/var/lib"
"/etc/nixos"
];
};
services = { services = {
fstrim.enable = true; fstrim.enable = true;
btrfs.autoScrub = { btrfs.autoScrub = {
@ -12,7 +24,7 @@
fileSystems = [ fileSystems = [
"/" "/"
"/nix" "/nix"
"/persist" "${persist-dir}"
]; ];
}; };
snapper = { snapper = {


@ -1,7 +1,7 @@
{ pkgs, lib, ... }: { pkgs, clib, ... }:
{ {
imports = ( imports = (
lib.recurseFilesInDirs [ clib.recurseFilesInDirs [
./os ./os
./modules ./modules
] ".nix" ] ".nix"


@ -1,9 +1,8 @@
{ { lib, ... }:
lib, let
root-disk, root-disk = "/dev/nvme0n1";
persist-dir, persist-dir = "/persist";
... in
}:
{ {
services = { services = {
fstrim.enable = true; fstrim.enable = true;
@ -17,6 +16,20 @@
}; };
}; };
environment.etc.machine-id.source = "${persist-dir}/ephemeral/etc/machine-id";
environment.persistence.save = {
hideMounts = true;
persistentStoragePath = "${persist-dir}/save";
};
environment.persistence.ephemeral = {
persistentStoragePath = "${persist-dir}/ephemeral";
hideMounts = true;
directories = [
"/var/lib"
"/etc/nixos"
];
};
fileSystems."${persist-dir}".neededForBoot = true; fileSystems."${persist-dir}".neededForBoot = true;
disko.devices = { disko.devices = {


@ -1,6 +1,6 @@
{ {
agenix ? false, agenix ? false,
lib ? import ../lib { }, clib ? import ../clib { },
}: }:
let let
masterKeys = [ masterKeys = [
@ -54,7 +54,7 @@ if agenix then
else else
(builtins.mapAttrs ( (builtins.mapAttrs (
host: secrets: host: secrets:
(lib.recursiveMerge ( (clib.recursiveMerge (
builtins.map (secretName: { age.secrets.${secretName}.file = ./${secrets.${secretName}}; }) ( builtins.map (secretName: { age.secrets.${secretName}.file = ./${secrets.${secretName}}; }) (
builtins.attrNames hosts.${host} builtins.attrNames hosts.${host}
) )
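Review bot: The default argument `clib ? import ../clib { }` in the first hunk points at a `../clib` directory that nothing in this commit creates; the flake's new side still imports `./lib`, so the rename appears to have been applied to the path as well as the binding. The flake passes `inherit clib` explicitly and so never hits the default, but any caller that relies on it (the `agenix = true` branch visible in the second hunk is the likely one) will fail on a missing path. The fix is `clib ? import ../lib { },` unless ./lib was renamed somewhere not shown here. The `else` expression continues outside the hunk.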