refactor: split apps into own files
parent
9c3142aa71
commit
83a543b266
14 changed files with 193 additions and 81 deletions
13
README.md
13
README.md
|
@ -26,7 +26,12 @@ This is my personal nix config.
|
|||
- not yet ready for publicized: my main development machine, powerful home server, some services ... (still in transition from gentoo :/)
|
||||
- `modules/` additional NixOS modules that are not yet upstreamed.
|
||||
- `nix/` library functions and plumbing
|
||||
- `apps.nix` Additional runnable actions for this flake (**WIP:** infrastructure graph renderer)
|
||||
- `apps/` Additional runnable actions for this flake
|
||||
- `default.nix` Collects all apps and generates a definition for a specified system
|
||||
- `draw-graph.nix` (**WIP:** infrastructure graph renderer)
|
||||
- `format-secrets.nix` Runs the code formatter on the secret .nix files
|
||||
- `generate-initrd-keys.nix` Generates initrd hostkeys for each host if they don't exist yet (for setup)
|
||||
- `generate-wireguard-keys.nix` Generates wireguard keys for each server-and-peer pair
|
||||
- `checks.nix` pre-commit-hooks for this repository
|
||||
- `colmena.nix` Setup for distributed deployment using colmena (actually defines all NixOS hosts)
|
||||
- `dev-shell.nix` Environment setup for `nix develop` for using this flake
|
||||
|
@ -48,6 +53,12 @@ This is my personal nix config.
|
|||
|
||||
...
|
||||
|
||||
- add hosts/<name>
|
||||
- fill meta.nix
|
||||
- fill net.nix
|
||||
- todo: hostid (move to nodeSecrets)
|
||||
- generate-initrd-keys
|
||||
|
||||
#### New secret
|
||||
|
||||
...
|
||||
|
|
|
@ -75,7 +75,7 @@
|
|||
|
||||
apps =
|
||||
agenix-rekey.defineApps self pkgs self.nodes
|
||||
// import ./nix/apps.nix inputs system;
|
||||
// import ./nix/apps inputs system;
|
||||
checks = import ./nix/checks.nix inputs system;
|
||||
devShells.default = import ./nix/dev-shell.nix inputs system;
|
||||
formatter = pkgs.alejandra;
|
||||
|
|
|
@ -87,9 +87,10 @@ in {
|
|||
stateVersion = "23.05";
|
||||
};
|
||||
|
||||
systemd = {
|
||||
enableUnifiedCgroupHierarchy = true;
|
||||
network.wait-online.anyInterface = true;
|
||||
systemd.enableUnifiedCgroupHierarchy = true;
|
||||
systemd.network = {
|
||||
enable = true;
|
||||
wait-online.anyInterface = true;
|
||||
};
|
||||
|
||||
users.mutableUsers = false;
|
||||
|
|
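--- a/hosts/ward/grafana.nix
+++ b/hosts/ward/grafana.nix
@@ -0,0 +1 @@
+{}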
|
@ -1,4 +1,7 @@
|
|||
{nodeSecrets, ...}: {
|
||||
{nodeSecrets, ...}: let
|
||||
wgName = "wg-vms";
|
||||
wgPort = 51820;
|
||||
in {
|
||||
networking.hostId = "49ce3b71";
|
||||
|
||||
systemd.network.networks = {
|
||||
|
@ -17,4 +20,42 @@
|
|||
dhcpV6Config.RouteMetric = 20;
|
||||
};
|
||||
};
|
||||
|
||||
#systemd.network.netdevs."20-${wgName}" = {
|
||||
# netdevConfig = {
|
||||
# Kind = "wireguard";
|
||||
# Name = "${wgName}";
|
||||
# Description = "Wireguard network ${wgName}";
|
||||
# };
|
||||
# wireguardConfig = {
|
||||
# PrivateKeyFile = wireguardPrivateKey wgName nodeMeta.name;
|
||||
# ListenPort = wgPort;
|
||||
# };
|
||||
# wireguardPeers = [
|
||||
# {
|
||||
# wireguardPeerConfig = {
|
||||
# PublicKey = wireguardPublicKey wgName nodeMeta.name;;
|
||||
# PresharedKey = wireguardPresharedKey wgName nodeMeta.name;;
|
||||
# AllowedIPs = [ "10.66.66.10/32" ];
|
||||
# PersistentKeepalive = 25;
|
||||
# };
|
||||
# }
|
||||
# {
|
||||
# wireguardPeerConfig = {
|
||||
# AllowedIPs = [ "10.66.66.100/32" ];
|
||||
# PersistentKeepalive = 25;
|
||||
# };
|
||||
# }
|
||||
# ];
|
||||
#};
|
||||
#networks."20-${wgName}" = {
|
||||
# matchConfig.Name = wgName;
|
||||
# networkConfig = {
|
||||
# Address = "10.66.66.1/24";
|
||||
# IPForward = "ipv4";
|
||||
# };
|
||||
#};
|
||||
|
||||
#extra.wireguard.servers.home = {
|
||||
#};
|
||||
}
|
||||
|
|
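Review bot: `wgName` and `wgPort`, introduced by the new `let` at the top of the first hunk, are referenced only from the commented-out block in the second hunk, so the new side adds two unused bindings while the parked config would not evaluate if uncommented: the `PublicKey` and `PresharedKey` lines end in a doubled `;;`, and `nodeMeta`, `wireguardPrivateKey`, `wireguardPublicKey` and `wireguardPresharedKey` are not bound anywhere in this file. If this is a draft, consider dropping the two bindings until the block is enabled and marking it with `# TODO(wireguard): draft of the wg-vms netdev/network; needs the key helpers and nodeMeta in scope before it can be enabled`. Also worth confirming when it is revived: the first peer's `PublicKey` is derived from this node's own name, which looks like it should be the remote peer's key. The file header for this section is not part of this view.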
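--- a/hosts/ward/node_exporter.nix
+++ b/hosts/ward/node_exporter.nix
@@ -0,0 +1 @@
+{}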
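--- a/hosts/ward/prometheus.nix
+++ b/hosts/ward/prometheus.nix
@@ -0,0 +1 @@
+{}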
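--- a/hosts/ward/samba.nix
+++ b/hosts/ward/samba.nix
@@ -0,0 +1 @@
+{}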
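--- a/nix/apps.nix
+++ b/nix/apps.nix
@@ -1,75 +0,0 @@
-{self, ...}: system: let
-mkApp = drv: {
-type = "app";
-program = "${drv}";
-};
-pkgs = self.pkgs.${system};
-mapAttrsToLines = f: attrs: pkgs.lib.concatStringsSep "\n" (pkgs.lib.mapAttrsToList f attrs);
-filterMapAttrsToLines = filter: f: attrs: pkgs.lib.concatStringsSep "\n" (pkgs.lib.mapAttrsToList f (pkgs.lib.filterAttrs filter attrs));
-in
-with pkgs.lib; {
-draw-graph = let
-renderNode = nodeName: node: let
-renderNic = nicName: nic: ''
-nic_${nicName}: ${
-if hasInfix "wlan" nicName
-then "📶"
-else "🖧"
-} ${self.hosts.${nodeName}.physical_connections.${nicName}} {
-shape: sql_table
-MAC: ${nic.matchConfig.MACAddress}
-}
-'';
-in ''
-${nodeName}: {
-${filterMapAttrsToLines (_: v: v.matchConfig ? MACAddress) renderNic node.config.systemd.network.networks}
-}
-'';
-graph = ''
-${mapAttrsToLines renderNode self.nodes}
-'';
-in
-mkApp (pkgs.writeShellScript "draw-graph" ''
-set -euo pipefail
-echo "${graph}"
-'');
-generate-initrd-keys = let
-generateHostKey = node: ''
-if [[ ! -f ${escapeShellArg node.config.rekey.secrets.initrd_host_ed25519_key.file} ]]; then
-ssh-keygen -t ed25519 -N "" -f /tmp/1
-TODO
-fi
-'';
-in
-mkApp (pkgs.writeShellScript "generate-initrd-keys" ''
-set -euo pipefail
-${mapAttrsToLines generateHostKey self.nodes}
-'');
-format-secrets = let
-isAbsolutePath = x: substring 0 1 x == "/";
-masterIdentityArgs = concatMapStrings (x: ''-i ${escapeShellArg x} '') self.secrets.masterIdentities;
-extraEncryptionPubkeys =
-concatMapStrings (
-x:
-if isAbsolutePath x
-then ''-R ${escapeShellArg x} ''
-else ''-r ${escapeShellArg x} ''
-)
-self.secrets.extraEncryptionPubkeys;
-formatSecret = path: ''
-'';
-in
-mkApp (pkgs.writeShellScript "format-secrets" ''
-set -euo pipefail
-[[ -d .git ]] && [[ -f flake.nix ]] || { echo "[1;31merror:[m Please execute this from the project's root folder (the folder with flake.nix)" >&2; exit 1; }
-for f in $(find . -type f -name '*.nix.age'); do
-echo "Formatting $f ..."
-decrypted=$(${./rage-decrypt.sh} --print-out-path "$f" ${concatStringsSep " " self.secrets.masterIdentities}) \
-|| { echo "[1;31merror:[m Failed to decrypt!" >&2; exit 1; }
-formatted=$(${pkgs.alejandra}/bin/alejandra --quiet < "$decrypted") \
-|| { echo "[1;31merror:[m Failed to format $decrypted!" >&2; exit 1; }
-${pkgs.rage}/bin/rage -e ${masterIdentityArgs} ${extraEncryptionPubkeys} <<< "$formatted" > "$f" \
-|| { echo "[1;31merror:[m Failed to re-encrypt!" >&2; exit 1; }
-done
-'');
-}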
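--- a/nix/apps/default.nix
+++ b/nix/apps/default.nix
@@ -0,0 +1,20 @@
+{self, ...} @ inputs: system: let
+pkgs = self.pkgs.${system};
+inherit
+(pkgs.lib)
+nameValuePair
+removeSuffix
+;
+mkApp = drv: {
+type = "app";
+program = "${drv}";
+};
+args = inputs // {inherit pkgs;};
+apps = [
+./draw-graph.nix
+./format-secrets.nix
+./generate-initrd-keys.nix
+./generate-wireguard-keys.nix
+];
+in
+builtins.listToAttrs (map (appPath: nameValuePair (removeSuffix ".nix" (builtins.baseNameOf appPath)) (mkApp (import appPath args))) apps)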
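Review bot: The contract every entry in `apps` has to satisfy is only implicit in the last line of the hunk: `import appPath args` must yield a value whose string form (`program = "${drv}"`) is an executable path, and the registered app name is the file's basename without `.nix`. A header comment would spare the next contributor from reverse-engineering that, e.g. `# Each app file is a function {self, pkgs, ...}: drv where drv's out path is directly executable (e.g. writeShellScript); it is registered under the file's basename without .nix.`. Since `args = inputs // {inherit pkgs;}` lets `pkgs` win over a flake input of the same name, a one-line comment stating that precedence next to it would also help.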
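--- a/nix/apps/draw-graph.nix
+++ b/nix/apps/draw-graph.nix
@@ -0,0 +1,38 @@
+{
+self,
+pkgs,
+...
+}: let
+inherit
+(pkgs.lib)
+concatStringsSep
+filterAttrs
+hasInfix
+mapAttrsToList
+;
+mapAttrsToLines = f: attrs: concatStringsSep "\n" (mapAttrsToList f attrs);
+filterMapAttrsToLines = filter: f: attrs: concatStringsSep "\n" (mapAttrsToList f (filterAttrs filter attrs));
+renderNode = nodeName: node: let
+renderNic = nicName: nic: ''
+nic_${nicName}: ${
+if hasInfix "wlan" nicName
+then "📶"
+else "🖧"
+} ${self.hosts.${nodeName}.physicalConnections.${nicName}} {
+shape: sql_table
+MAC: ${nic.matchConfig.MACAddress}
+}
+'';
+in ''
+${nodeName}: {
+${filterMapAttrsToLines (_: v: v.matchConfig ? MACAddress) renderNic node.config.systemd.network.networks}
+}
+'';
+graph = ''
+${mapAttrsToLines renderNode self.nodes}
+'';
+in
+pkgs.writeShellScript "draw-graph" ''
+set -euo pipefail
+echo "${graph}"
+''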
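Review bot: `echo "${graph}"` on the last lines of the hunk splices the rendered graph into a double-quoted bash string, so a `$`, backtick, `"` or `\` in a node name, NIC name or the `physicalConnections` label is interpreted by the shell instead of printed; MAC addresses are harmless, but the other values come from host configs and are not constrained here. Escaping once at build time avoids that: add `escapeShellArg` to the `inherit (pkgs.lib)` list and write `echo ${escapeShellArg graph}`. Note also that this file renames the lookup from `physical_connections` (in the deleted nix/apps.nix) to `physicalConnections`, a behavioural change hosts must follow that the commit title does not mention.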
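--- a/nix/apps/format-secrets.nix
+++ b/nix/apps/format-secrets.nix
@@ -0,0 +1,36 @@
+{
+self,
+pkgs,
+...
+}: let
+inherit
+(pkgs.lib)
+concatMapStrings
+concatStringsSep
+escapeShellArg
+substring
+;
+isAbsolutePath = x: substring 0 1 x == "/";
+masterIdentityArgs = concatMapStrings (x: ''-i ${escapeShellArg x} '') self.secrets.masterIdentities;
+extraEncryptionPubkeys =
+concatMapStrings (
+x:
+if isAbsolutePath x
+then ''-R ${escapeShellArg x} ''
+else ''-r ${escapeShellArg x} ''
+)
+self.secrets.extraEncryptionPubkeys;
+in
+pkgs.writeShellScript "format-secrets" ''
+set -euo pipefail
+[[ -d .git ]] && [[ -f flake.nix ]] || { echo "[1;31merror:[m Please execute this from the project's root folder (the folder with flake.nix)" >&2; exit 1; }
+for f in $(find . -type f -name '*.nix.age'); do
+echo "Formatting $f ..."
+decrypted=$(${../rage-decrypt.sh} --print-out-path "$f" ${concatStringsSep " " self.secrets.masterIdentities}) \
+|| { echo "[1;31merror:[m Failed to decrypt!" >&2; exit 1; }
+formatted=$(${pkgs.alejandra}/bin/alejandra --quiet < "$decrypted") \
+|| { echo "[1;31merror:[m Failed to format $decrypted!" >&2; exit 1; }
+${pkgs.rage}/bin/rage -e ${masterIdentityArgs} ${extraEncryptionPubkeys} <<< "$formatted" > "$f" \
+|| { echo "[1;31merror:[m Failed to re-encrypt!" >&2; exit 1; }
+done
+''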
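Review bot: The re-encryption line `rage -e ... <<< "$formatted" > "$f"` truncates `$f` before rage runs, so when rage fails (unreadable identity, bad recipient file) the `|| { ...; exit 1; }` branch fires with the encrypted secret already emptied on disk; writing to a temporary file and renaming over `$f` only after success keeps the original intact. Two smaller points in the same loop: `${concatStringsSep " " self.secrets.masterIdentities}` hands the identity paths to rage-decrypt.sh unescaped while `masterIdentityArgs` a few lines above escapes the very same values, so `escapeShellArgs` (added to the inherit list) belongs there too, and `for f in $(find ...)` word-splits paths containing whitespace. Whether `--print-out-path` leaves the decrypted plaintext at a persistent location cannot be told from this file (rage-decrypt.sh is not in the hunk); if it does, the script should remove it once formatting is done.
```nix
  pkgs.writeShellScript "format-secrets" ''
    set -euo pipefail
    # … unchanged: root-folder check …
    while IFS= read -r -d "" f; do
      echo "Formatting $f ..."
      decrypted=$(${../rage-decrypt.sh} --print-out-path "$f" ${escapeShellArgs self.secrets.masterIdentities}) \
        || { echo "[1;31merror:[m Failed to decrypt!" >&2; exit 1; }
      # … unchanged: alejandra formatting step …
      ${pkgs.rage}/bin/rage -e ${masterIdentityArgs} ${extraEncryptionPubkeys} <<< "$formatted" > "$f.tmp" \
        || { rm -f "$f.tmp"; echo "[1;31merror:[m Failed to re-encrypt!" >&2; exit 1; }
      mv "$f.tmp" "$f"
    done < <(find . -type f -name '*.nix.age' -print0)
```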
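--- a/nix/apps/generate-initrd-keys.nix
+++ b/nix/apps/generate-initrd-keys.nix
@@ -0,0 +1,25 @@
+{
+self,
+pkgs,
+...
+}: let
+inherit
+(pkgs.lib)
+escapeShellArg
+concatStringsSep
+mapAttrsToList
+;
+mapAttrsToLines = f: attrs: concatStringsSep "\n" (mapAttrsToList f attrs);
+generateHostKey = node: ''
+if [[ ! -f ${escapeShellArg node.config.rekey.secrets.initrd_host_ed25519_key.file} ]]; then
+echo TODOOOOO
+exit 1
+ssh-keygen -t ed25519 -N "" -f /tmp/1
+TODO
+fi
+'';
+in
+pkgs.writeShellScript "generate-initrd-keys" ''
+set -euo pipefail
+${mapAttrsToLines generateHostKey self.nodes}
+''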
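Review bot: `ssh-keygen -t ed25519 -N "" -f /tmp/1` inside `generateHostKey` writes a host private key to a fixed, predictable path in the shared `/tmp`, and the bare `TODO` word after it would abort under `set -e`; both are unreachable today because of the `exit 1` two lines earlier, but they were carried over from nix/apps.nix unchanged and will be the first thing someone un-stubs. When this is finished, generate straight into the target `node.config.rekey.secrets.initrd_host_ed25519_key.file` path or a `mktemp -d` directory with a restrictive umask, and note that `exit 1` sits inside the per-node snippet, so the first missing key aborts the whole loop instead of reporting every host that needs one. A header comment such as `# Stub: meant to create an initrd ssh host key for every node in self.nodes that lacks one; not functional until the TODO below is implemented` would make the WIP state explicit in the file itself, matching the README's description of this app.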
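--- a/nix/apps/generate-wireguard-keys.nix
+++ b/nix/apps/generate-wireguard-keys.nix
@@ -0,0 +1,11 @@
+{
+self,
+pkgs,
+...
+}: let
+inherit (pkgs.lib) escapeShellArg;
+in
+pkgs.writeShellScript "generate-wireguard-keys" ''
+set -euo pipefail
+echo TODO
+''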