clanCore -> clan.core

This commit is contained in:
Ingolf Wagner 2024-06-19 13:19:55 +02:00
parent 5d9d4cfd23
commit 441b7e062f
No known key found for this signature in database
GPG key ID: 76BF5F1928B9618B
22 changed files with 62 additions and 61 deletions


@ -13,13 +13,13 @@ with lib; {
# networking.firewall.interfaces."gummybears".allowedTCPPorts = [ 8384 ];
clanCore.facts.services.syncthing = factsGenerator.syncthing { };
clan.core.facts.services.syncthing = factsGenerator.syncthing { };
services.syncthing = {
guiAddress = lib.mkDefault "${config.networking.hostName}.private:8384";
overrideDevices = lib.mkDefault true;
key = config.clanCore.facts.services.syncthing.secret."syncthing.key".path;
cert = config.clanCore.facts.services.syncthing.secret."syncthing.cert".path;
key = config.clan.core.facts.services.syncthing.secret."syncthing.key".path;
cert = config.clan.core.facts.services.syncthing.secret."syncthing.cert".path;
settings.devices =
let
device = machine: id: {


@ -61,11 +61,11 @@ in
{
networking.firewall.trustedInterfaces = [ "tinc.${network}" ];
clanCore.facts.services.tinc_private = factsGenerator.tinc { name = "private"; };
clan.core.facts.services.tinc_private = factsGenerator.tinc { name = "private"; };
services.tinc.networks = {
${network} = {
ed25519PrivateKeyFile = config.clanCore.facts.services.tinc_private.secret."tinc.private.ed25519_key.priv".path;
ed25519PrivateKeyFile = config.clan.core.facts.services.tinc_private.secret."tinc.private.ed25519_key.priv".path;
interfaceType = "tap";
extraConfig = ''
LocalDiscovery = yes


@ -19,11 +19,11 @@ let
network = "secret";
in
{
clanCore.facts.services.tinc_secret = factsGenerator.tinc { name = "secret"; };
clan.core.facts.services.tinc_secret = factsGenerator.tinc { name = "secret"; };
services.tinc.networks = {
${network} = {
ed25519PrivateKeyFile = config.clanCore.facts.services.tinc_secret.secret."tinc.secret.ed25519_key.priv".path;
ed25519PrivateKeyFile = config.clan.core.facts.services.tinc_secret.secret."tinc.secret.ed25519_key.priv".path;
extraConfig = ''
LocalDiscovery = yes
Port = ${toString port}


@ -64,11 +64,11 @@ with types;
#};
# tor setup
clanCore.facts.services.initrd_tor = factsGenerator.tor { name = "initrd"; };
clan.core.facts.services.initrd_tor = factsGenerator.tor { name = "initrd"; };
boot.initrd.secrets = {
"/etc/tor/onion/bootup/tor.priv" = config.clanCore.facts.services.initrd_tor.secret."tor.initrd.priv".path;
"/etc/tor/onion/bootup/hostname" = config.clanCore.facts.services.initrd_tor.secret."tor.initrd.hostname".path;
"/etc/tor/onion/bootup/tor.priv" = config.clan.core.facts.services.initrd_tor.secret."tor.initrd.priv".path;
"/etc/tor/onion/bootup/hostname" = config.clan.core.facts.services.initrd_tor.secret."tor.initrd.hostname".path;
};
#boot.initrd.extraUtilsCommands = ''


@ -20,7 +20,7 @@
];
#clanCore.facts.services =
#clan.core.facts.services =
# let
# promptKey = key:
# {


@ -12,8 +12,8 @@
# ZFS stuff
# ---------
boot.supportedFilesystems = [ "zfs" ];
clanCore.facts.services.zfs = factsGenerator.zfs { };
networking.hostId = config.clanCore.facts.services.zfs.public."zfs.hostId".value;
clan.core.facts.services.zfs = factsGenerator.zfs { };
networking.hostId = config.clan.core.facts.services.zfs.public."zfs.hostId".value;
services.zfs.autoSnapshot.enable = true;
# todo not needed anymore if srvos is used


@ -1,14 +1,14 @@
{ config, factsGenerator, ... }:
{
clanCore.facts.services.tinc_retiolum = factsGenerator.tinc { name = "retiolum"; };
clan.core.facts.services.tinc_retiolum = factsGenerator.tinc { name = "retiolum"; };
networking.retiolum.port = 720;
networking.retiolum.nodename = "cherry";
services.tinc.networks.retiolum = {
ed25519PrivateKeyFile = config.clanCore.facts.services.tinc_retiolum.secret."tinc.retiolum.ed25519_key.priv".path;
rsaPrivateKeyFile = config.clanCore.facts.services.tinc_retiolum.secret."tinc.retiolum.rsa_key.priv".path;
ed25519PrivateKeyFile = config.clan.core.facts.services.tinc_retiolum.secret."tinc.retiolum.ed25519_key.priv".path;
rsaPrivateKeyFile = config.clan.core.facts.services.tinc_retiolum.secret."tinc.retiolum.rsa_key.priv".path;
};
#fileSystems."/retiolum/sicily" = {


@ -1,8 +1,8 @@
{ config, factsGenerator, clanLib, ... }:
{
networking.firewall.allowedUDPPorts = [ 51820 ];
clanCore.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
clanCore.facts.services.wireguard_ip = factsGenerator.public {
clan.core.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
clan.core.facts.services.wireguard_ip = factsGenerator.public {
"wireguard.wg0.cidr" = "10.100.0.7/32";
"wireguard.wg0.ip" = "10.100.0.7";
};
@ -13,10 +13,10 @@
# https://www.procustodibus.com/blog/2020/11/wireguard-hub-and-spoke-config/
wg0 = {
address = [
config.clanCore.facts.services.wireguard_ip.public."wireguard.wg0.cidr".value
config.clan.core.facts.services.wireguard_ip.public."wireguard.wg0.cidr".value
];
listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
privateKeyFile = config.clanCore.facts.services.wireguard.secret."wireguard.wg0.key".path;
privateKeyFile = config.clan.core.facts.services.wireguard.secret."wireguard.wg0.key".path;
mtu = 1280;
peers = [


@ -10,8 +10,8 @@
boot.tmp.useTmpfs = true; # make /tmp a tmpfs (performance!)
boot.supportedFilesystems = [ "zfs" ];
clanCore.facts.services.zfs = factsGenerator.zfs { };
networking.hostId = toString config.clanCore.facts.services.zfs.public."zfs.hostId".value;
clan.core.facts.services.zfs = factsGenerator.zfs { };
networking.hostId = toString config.clan.core.facts.services.zfs.public."zfs.hostId".value;
services.zfs = {
autoSnapshot.enable = true;
autoScrub.enable = true;


@ -1,12 +1,12 @@
{ config, factsGenerator, ... }:
{
clanCore.facts.services.tinc_retiolum = factsGenerator.tinc { name = "retiolum"; };
clan.core.facts.services.tinc_retiolum = factsGenerator.tinc { name = "retiolum"; };
networking.retiolum.port = 720;
networking.retiolum.nodename = "centauri";
services.tinc.networks.retiolum = {
ed25519PrivateKeyFile = config.clanCore.facts.services.tinc_retiolum.secret."tinc.retiolum.ed25519_key.priv".path;
rsaPrivateKeyFile = config.clanCore.facts.services.tinc_retiolum.secret."tinc.retiolum.rsa_key.priv".path;
ed25519PrivateKeyFile = config.clan.core.facts.services.tinc_retiolum.secret."tinc.retiolum.ed25519_key.priv".path;
rsaPrivateKeyFile = config.clan.core.facts.services.tinc_retiolum.secret."tinc.retiolum.rsa_key.priv".path;
};
}


@ -1,8 +1,8 @@
{ config, factsGenerator, clanLib, ... }:
{
networking.firewall.allowedUDPPorts = [ 51820 ];
clanCore.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
clanCore.facts.services.wireguard_ip = factsGenerator.public {
clan.core.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
clan.core.facts.services.wireguard_ip = factsGenerator.public {
"wireguard.wg0.cidr" = "10.100.0.2/32";
"wireguard.wg0.ip" = "10.100.0.2";
};
@ -13,10 +13,10 @@
# https://www.procustodibus.com/blog/2020/11/wireguard-hub-and-spoke-config/
wg0 = {
address = [
config.clanCore.facts.services.wireguard_ip.public."wireguard.wg0.cidr".value
config.clan.core.facts.services.wireguard_ip.public."wireguard.wg0.cidr".value
];
listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
privateKeyFile = config.clanCore.facts.services.wireguard.secret."wireguard.wg0.key".path;
privateKeyFile = config.clan.core.facts.services.wireguard.secret."wireguard.wg0.key".path;
mtu = 1280;
peers = [


@ -1,12 +1,12 @@
{ config, factsGenerator, ... }:
{
clanCore.facts.services.s3 = factsGenerator.password { name = "root"; service = "s3"; };
clan.core.facts.services.s3 = factsGenerator.password { name = "root"; service = "s3"; };
services.minio = {
enable = true;
region = "home";
rootCredentialsFile = config.clanCore.facts.services.s3.secret."s3.root".path;
rootCredentialsFile = config.clan.core.facts.services.s3.secret."s3.root".path;
};
services.nginx = {


@ -3,33 +3,33 @@ let
tld = config.clan.static-hosts.topLevelDomain;
in
{
clanCore.facts.services.rbackup = factsGenerator.ssh { name = "rbackup"; };
clan.core.facts.services.rbackup = factsGenerator.ssh { name = "rbackup"; };
# todo : replace all of them with syncoid
rbackup.plans = {
git = {
sshKeyPath = config.clanCore.facts.services.rbackup.secret."ssh.rbackup.id_ed25519".path;
sshKeyPath = config.clan.core.facts.services.rbackup.secret."ssh.rbackup.id_ed25519".path;
src = "root@orbi.${tld}:/var/lib/forgejo/";
dst = "/mirror/git";
};
taskwarrior = {
sshKeyPath = config.clanCore.facts.services.rbackup.secret."ssh.rbackup.id_ed25519".path;
sshKeyPath = config.clan.core.facts.services.rbackup.secret."ssh.rbackup.id_ed25519".path;
src = "root@orbi.${tld}:/var/lib/taskserver/";
dst = "/mirror/taskwarrior";
};
vaultwarden = {
sshKeyPath = config.clanCore.facts.services.rbackup.secret."ssh.rbackup.id_ed25519".path;
sshKeyPath = config.clan.core.facts.services.rbackup.secret."ssh.rbackup.id_ed25519".path;
src = "root@orbi.${tld}:/var/lib/bitwarden_rs/";
dst = "/mirror/vaultwarden";
};
radarr = {
sshKeyPath = config.clanCore.facts.services.rbackup.secret."ssh.rbackup.id_ed25519".path;
sshKeyPath = config.clan.core.facts.services.rbackup.secret."ssh.rbackup.id_ed25519".path;
src = "root@orbi.${tld}:/media/arr/radarr";
dst = "/media/arr/radarr";
delete = false;
};
sonarr = {
sshKeyPath = config.clanCore.facts.services.rbackup.secret."ssh.rbackup.id_ed25519".path;
sshKeyPath = config.clan.core.facts.services.rbackup.secret."ssh.rbackup.id_ed25519".path;
src = "root@orbi.${tld}:/media/arr/sonarr";
dst = "/media/arr/sonarr";
delete = false;


@ -4,13 +4,13 @@ let
in
{
clanCore.facts.services.syncoid = factsGenerator.ssh { name = "syncoid"; };
clan.core.facts.services.syncoid = factsGenerator.ssh { name = "syncoid"; };
systemd.tmpfiles.settings.syncoid = {
"/run/facts/ssh.syncoid.id_ed25519"."C+" = {
user = config.services.syncoid.user;
group = config.services.syncoid.group;
mode = "400";
argument = config.clanCore.facts.services.syncoid.secret."ssh.syncoid.id_ed25519".path;
argument = config.clan.core.facts.services.syncoid.secret."ssh.syncoid.id_ed25519".path;
};
};


@ -2,7 +2,7 @@
{
clanCore.facts.services.taskserver = {
clan.core.facts.services.taskserver = {
secret."taskserver.ca" = { };
secret."taskserver.cert" = { };
secret."taskserver.key" = { };
@ -34,9 +34,9 @@
credentials = "1337/palo/ad40dce8-4b38-4011-b032-60a91b6f22cd";
caFile = config.clanCore.facts.services.taskserver.secret."taskserver.ca".path;
certificateFile = config.clanCore.facts.services.taskserver.secret."taskserver.cert".path;
keyFile = config.clanCore.facts.services.taskserver.secret."taskserver.key".path;
caFile = config.clan.core.facts.services.taskserver.secret."taskserver.ca".path;
certificateFile = config.clan.core.facts.services.taskserver.secret."taskserver.cert".path;
keyFile = config.clan.core.facts.services.taskserver.secret."taskserver.key".path;
};
}


@ -1,14 +1,14 @@
{ config, factsGenerator, ... }:
{
clanCore.facts.services.tinc_retiolum = factsGenerator.tinc { name = "retiolum"; };
clan.core.facts.services.tinc_retiolum = factsGenerator.tinc { name = "retiolum"; };
networking.retiolum.port = 720;
networking.retiolum.nodename = "sol";
services.tinc.networks.retiolum = {
ed25519PrivateKeyFile = config.clanCore.facts.services.tinc_retiolum.secret."tinc.retiolum.ed25519_key.priv".path;
rsaPrivateKeyFile = config.clanCore.facts.services.tinc_retiolum.secret."tinc.retiolum.rsa_key.priv".path;
ed25519PrivateKeyFile = config.clan.core.facts.services.tinc_retiolum.secret."tinc.retiolum.ed25519_key.priv".path;
rsaPrivateKeyFile = config.clan.core.facts.services.tinc_retiolum.secret."tinc.retiolum.rsa_key.priv".path;
};
#fileSystems."/retiolum/sicily" = {


@ -1,8 +1,8 @@
{ config, factsGenerator, clanLib, ... }:
{
networking.firewall.allowedUDPPorts = [ 51820 ];
clanCore.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
clanCore.facts.services.wireguard_ip = factsGenerator.public {
clan.core.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
clan.core.facts.services.wireguard_ip = factsGenerator.public {
"wireguard.wg0.cidr" = "10.100.0.6/32";
"wireguard.wg0.ip" = "10.100.0.6";
};
@ -13,10 +13,10 @@
# https://www.procustodibus.com/blog/2020/11/wireguard-hub-and-spoke-config/
wg0 = {
address = [
config.clanCore.facts.services.wireguard_ip.public."wireguard.wg0.cidr".value
config.clan.core.facts.services.wireguard_ip.public."wireguard.wg0.cidr".value
];
listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
privateKeyFile = config.clanCore.facts.services.wireguard.secret."wireguard.wg0.key".path;
privateKeyFile = config.clan.core.facts.services.wireguard.secret."wireguard.wg0.key".path;
mtu = 1280;
peers = [


@ -51,8 +51,8 @@ in
boot.tmp.useTmpfs = true; # make /tmp a tmpfs (performance!)
boot.supportedFilesystems = [ "zfs" ];
clanCore.facts.services.zfs = factsGenerator.zfs { };
networking.hostId = config.clanCore.facts.services.zfs.public."zfs.hostId".value;
clan.core.facts.services.zfs = factsGenerator.zfs { };
networking.hostId = config.clan.core.facts.services.zfs.public."zfs.hostId".value;
systemd.network.networks."10-uplink".networkConfig.Address = ipv6.address;
boot.initrd.systemd.network.networks."10-uplink" = config.systemd.network.networks."10-uplink";


@ -51,8 +51,8 @@ in
};
};
clanCore.facts.services.nextcloud_root = factsGenerator.password { service = "nextcloud"; name = "root"; };
clanCore.facts.services.nextcloud_database = factsGenerator.password { service = "nextcloud"; name = "database"; };
clan.core.facts.services.nextcloud_root = factsGenerator.password { service = "nextcloud"; name = "root"; };
clan.core.facts.services.nextcloud_database = factsGenerator.password { service = "nextcloud"; name = "database"; };
# Container Setup
# ===============
@ -64,12 +64,12 @@ in
bindMounts = {
rootpassword = {
hostPath = config.clanCore.facts.services.nextcloud_root.secret."nextcloud.root".path;
hostPath = config.clan.core.facts.services.nextcloud_root.secret."nextcloud.root".path;
mountPoint = "/run/secrets/nextcloud.root.intput";
isReadOnly = true;
};
databasepassword = {
hostPath = config.clanCore.facts.services.nextcloud_database.secret."nextcloud.database".path;
hostPath = config.clan.core.facts.services.nextcloud_database.secret."nextcloud.database".path;
mountPoint = "/run/secrets/nextcloud.database.input";
isReadOnly = true;
};


@ -13,8 +13,8 @@ let
in
{
networking.firewall.allowedUDPPorts = [ 51820 ];
clanCore.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
clanCore.facts.services.wireguard_ip = factsGenerator.public {
clan.core.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
clan.core.facts.services.wireguard_ip = factsGenerator.public {
"wireguard.wg0.endpoint" = "95.216.66.212:51820";
"wireguard.wg0.cidr" = "10.100.0.1/24";
"wireguard.wg0.ip" = "10.100.0.1";
@ -29,7 +29,7 @@ in
wg0 = {
address = [ "10.100.0.1/32" ];
listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
privateKeyFile = config.clanCore.facts.services.wireguard.secret."wireguard.wg0.key".path;
privateKeyFile = config.clan.core.facts.services.wireguard.secret."wireguard.wg0.key".path;
mtu = 1280;
postUp = ''


@ -23,6 +23,7 @@ in
services.photoprism = {
enable = true;
port = photoprismPort;
package = pkgs.unstable-small.photoprism;
originalsPath = "/var/lib/private/photoprism/originals";
address = "0.0.0.0";
settings = {
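Review bot: The added `package = pkgs.unstable-small.photoprism;` is a functional change to the photoprism service that has nothing to do with the clanCore -> clan.core rename in the commit title, and it carries no explanation of why the stable package is being replaced. A one-line why-comment would stop the next reader from reverting it as noise during a future cleanup, e.g. `package = pkgs.unstable-small.photoprism; # stable photoprism is too old for this setup — see <reason/issue placeholder>`. Moving it to its own commit would also keep the rename reviewable as a purely mechanical change. The `services.photoprism = {` attribute set continues past the end of the hunk.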


@ -11,7 +11,7 @@ let
synapse_port = 8008;
federation_port = 8448;
shared_secret = config.clanCore.facts.services.matrix_terranix.secret."matrix-synapse.terranix.registration_shared_secret.yml";
shared_secret = config.clan.core.facts.services.matrix_terranix.secret."matrix-synapse.terranix.registration_shared_secret.yml";
matrix_create_user = pkgs.writers.writeBashBin "matrix-create-user-${name}" ''
${pkgs.matrix-synapse}/bin/register_new_matrix_user \
@ -48,7 +48,7 @@ in
networking.firewall.allowedTCPPorts = [ 80 443 federation_port ];
networking.firewall.allowedUDPPorts = [ 80 443 federation_port ];
clanCore.facts.services.matrix_terranix = factsGenerator.matrix-synapse { name = "terranix"; };
clan.core.facts.services.matrix_terranix = factsGenerator.matrix-synapse { name = "terranix"; };
environment.systemPackages = [ matrix_create_user ];
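Review bot: The renamed `shared_secret = config.clan.core.facts.services.matrix_terranix.secret."matrix-synapse.terranix.registration_shared_secret.yml";` line is the only secret reference in this commit that does not end in `.path`; every other renamed line (tinc, wireguard, syncoid, taskserver, nextcloud) takes the `.path` of the secret. If `shared_secret` is later passed where a file path is expected, this binding yields the whole secret attribute set instead of the path, and the fix is to append `.path` here; if the attribute set is intended and `.path` is applied at the use site, a short comment saying so on this line would prevent the next reader from "fixing" it. The use of `shared_secret` (in the `matrix_create_user` script and beyond) lies outside the hunk, so I cannot confirm which is meant from this view.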