chore: use agenix, enable initrd networking
parent
855bff0a6f
commit
b68021b3a4
8 changed files with 79 additions and 83 deletions
88
flake.lock
generated
88
flake.lock
generated
|
@ -2,17 +2,17 @@
|
||||||
"nodes": {
|
"nodes": {
|
||||||
"agenix": {
|
"agenix": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
|
"darwin": "darwin",
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
"ragenix",
|
|
||||||
"nixpkgs"
|
"nixpkgs"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1673301561,
|
"lastModified": 1676134447,
|
||||||
"narHash": "sha256-gRUWHbBAtMuPDJQXotoI8u6+3DGBIUZHkyQWpIv7WpM=",
|
"narHash": "sha256-PU+6hKp7wbxCCRF5RO5g//Q0G+Rhbj92VrprvXtTOlc=",
|
||||||
"owner": "ryantm",
|
"owner": "ryantm",
|
||||||
"repo": "agenix",
|
"repo": "agenix",
|
||||||
"rev": "42d371d861a227149dc9a7e03350c9ab8b8ddd68",
|
"rev": "6053c559c59ca0ebd57330cd356964f85befaff8",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -26,11 +26,11 @@
|
||||||
"flake-utils": "flake-utils"
|
"flake-utils": "flake-utils"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1675778630,
|
"lastModified": 1676148182,
|
||||||
"narHash": "sha256-RS69eIBvUrH8wUYYQiwcc8TMOQH52xd6e5NaoDEr4zw=",
|
"narHash": "sha256-oyZpFRBMluuD0TFPGE3FredFdXvbgvyUiX6nziPjX0k=",
|
||||||
"owner": "oddlama",
|
"owner": "oddlama",
|
||||||
"repo": "agenix-rekey",
|
"repo": "agenix-rekey",
|
||||||
"rev": "8602e836b406af6e06ef2b3b78ff8eb7569e2e4d",
|
"rev": "100a27170a2943288ede749efde41e22d524370e",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -64,6 +64,28 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"darwin": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"agenix",
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1673295039,
|
||||||
|
"narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
|
||||||
|
"owner": "lnl7",
|
||||||
|
"repo": "nix-darwin",
|
||||||
|
"rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "lnl7",
|
||||||
|
"ref": "master",
|
||||||
|
"repo": "nix-darwin",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"flake-compat": {
|
"flake-compat": {
|
||||||
"flake": false,
|
"flake": false,
|
||||||
"locked": {
|
"locked": {
|
||||||
|
@ -257,33 +279,9 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"ragenix": {
|
|
||||||
"inputs": {
|
|
||||||
"agenix": "agenix",
|
|
||||||
"flake-utils": [
|
|
||||||
"flake-utils"
|
|
||||||
],
|
|
||||||
"nixpkgs": [
|
|
||||||
"nixpkgs"
|
|
||||||
],
|
|
||||||
"rust-overlay": "rust-overlay"
|
|
||||||
},
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1675293936,
|
|
||||||
"narHash": "sha256-xaObOxlMiZ8noXbXWfoUJrCjVZ8oc9HBblc/MeCq7fc=",
|
|
||||||
"owner": "yaxitech",
|
|
||||||
"repo": "ragenix",
|
|
||||||
"rev": "325733b734aa4cc4d6b19f1169e6672cad4128ca",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "yaxitech",
|
|
||||||
"repo": "ragenix",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"root": {
|
"root": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
|
"agenix": "agenix",
|
||||||
"agenix-rekey": "agenix-rekey",
|
"agenix-rekey": "agenix-rekey",
|
||||||
"colmena": "colmena",
|
"colmena": "colmena",
|
||||||
"flake-utils": "flake-utils_2",
|
"flake-utils": "flake-utils_2",
|
||||||
|
@ -292,35 +290,9 @@
|
||||||
"nixos-hardware": "nixos-hardware",
|
"nixos-hardware": "nixos-hardware",
|
||||||
"nixpkgs": "nixpkgs",
|
"nixpkgs": "nixpkgs",
|
||||||
"pre-commit-hooks": "pre-commit-hooks",
|
"pre-commit-hooks": "pre-commit-hooks",
|
||||||
"ragenix": "ragenix",
|
|
||||||
"templates": "templates"
|
"templates": "templates"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"rust-overlay": {
|
|
||||||
"inputs": {
|
|
||||||
"flake-utils": [
|
|
||||||
"ragenix",
|
|
||||||
"flake-utils"
|
|
||||||
],
|
|
||||||
"nixpkgs": [
|
|
||||||
"ragenix",
|
|
||||||
"nixpkgs"
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1673662873,
|
|
||||||
"narHash": "sha256-/YOtiDKPUXKKpIhsAds11llfC42ScGW27bbHnNZebco=",
|
|
||||||
"owner": "oxalica",
|
|
||||||
"repo": "rust-overlay",
|
|
||||||
"rev": "90163bbbadce526f8b248a5fe545b06c59597108",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "oxalica",
|
|
||||||
"repo": "rust-overlay",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"stable": {
|
"stable": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1669735802,
|
"lastModified": 1669735802,
|
||||||
|
|
24
flake.nix
24
flake.nix
|
@ -25,9 +25,8 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
agenix-rekey.url = "github:oddlama/agenix-rekey";
|
agenix-rekey.url = "github:oddlama/agenix-rekey";
|
||||||
ragenix = {
|
agenix = {
|
||||||
url = "github:yaxitech/ragenix";
|
url = "github:ryantm/agenix";
|
||||||
inputs.flake-utils.follows = "flake-utils";
|
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -60,7 +59,24 @@
|
||||||
config.allowUnfree = true;
|
config.allowUnfree = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
apps = agenix-rekey.defineApps self pkgs self.nodes;
|
apps =
|
||||||
|
agenix-rekey.defineApps self pkgs self.nodes
|
||||||
|
// {
|
||||||
|
generate-initrd-keys = flake-utils.mkApp {
|
||||||
|
drv = let
|
||||||
|
generateHostKey = node: ''
|
||||||
|
if [[ ! -f ${node.config.rekey.secrets.initrd_host_ed25519_key.file} ]]; then
|
||||||
|
ssh-keygen -t ed25519 -N "" -f /tmp/1
|
||||||
|
TODO
|
||||||
|
fi
|
||||||
|
'';
|
||||||
|
in
|
||||||
|
pkgs.writeShellScript "generate-initrd-keys" ''
|
||||||
|
set -euo pipefail
|
||||||
|
${pkgs.lib.concatStringsSep "\n" (pkgs.lib.mapAttrsToList generateHostKey self.nodes)}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
checks = import ./nix/checks.nix inputs system;
|
checks = import ./nix/checks.nix inputs system;
|
||||||
devShells.default = import ./nix/dev-shell.nix inputs system;
|
devShells.default = import ./nix/dev-shell.nix inputs system;
|
||||||
formatter = pkgs.alejandra;
|
formatter = pkgs.alejandra;
|
||||||
|
|
|
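Review bot: `generateHostKey = node: ''…''` is passed to `pkgs.lib.mapAttrsToList`, which calls it with two arguments (attribute name, then value), so `node` is bound to the host *name* string and `${node.config.rekey.secrets.initrd_host_ed25519_key.file}` cannot evaluate — the app fails before any shell runs; the function needs the `name: node:` shape. Beyond that, the key is written to the fixed, predictable path `/tmp/1` in the shared temp directory (ssh-keygen also prompts to overwrite if it already exists), and the bare word `TODO` on the next line aborts the `set -euo pipefail` script with "command not found" on the first host lacking a key, leaving a freshly minted private key in /tmp and no `.age` file behind. Generating into a `mktemp -d` directory removed by an EXIT trap keeps the unencrypted key private and short-lived; the actual encryption step that `TODO` stands for is not on this page and still has to be filled in before the app is usable.

```nix
drv = let
  # mapAttrsToList passes (name, node); the name doubles as the temp file name
  generateHostKey = name: node: ''
    if [[ ! -f ${node.config.rekey.secrets.initrd_host_ed25519_key.file} ]]; then
      ssh-keygen -t ed25519 -N "" -f "$tmp/${name}"
      TODO
    fi
  '';
in
  pkgs.writeShellScript "generate-initrd-keys" ''
    set -euo pipefail
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    # … unchanged: concatenated per-host blocks …
  '';
```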
@ -5,15 +5,17 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.network.networks = {
|
systemd.network.networks = {
|
||||||
wired = {
|
"10-lan0" = {
|
||||||
DHCP = "yes";
|
DHCP = "yes";
|
||||||
matchConfig.MACAddress = "00:00:00:00:00:00";
|
matchConfig.MACAddress = "00:00:00:00:00:00";
|
||||||
|
networkConfig.IPv6PrivacyExtensions = "kernel";
|
||||||
dhcpV4Config.RouteMetric = 10;
|
dhcpV4Config.RouteMetric = 10;
|
||||||
dhcpV6Config.RouteMetric = 10;
|
dhcpV6Config.RouteMetric = 10;
|
||||||
};
|
};
|
||||||
wireless = {
|
"10-wlan0" = {
|
||||||
DHCP = "yes";
|
DHCP = "yes";
|
||||||
matchConfig.MACAddress = "00:00:00:00:00:00";
|
matchConfig.MACAddress = "00:00:00:00:00:00";
|
||||||
|
networkConfig.IPv6PrivacyExtensions = "kernel";
|
||||||
dhcpV4Config.RouteMetric = 40;
|
dhcpV4Config.RouteMetric = 40;
|
||||||
dhcpV6Config.RouteMetric = 40;
|
dhcpV6Config.RouteMetric = 40;
|
||||||
};
|
};
|
||||||
|
|
|
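Review bot: `networkConfig.IPv6PrivacyExtensions = "kernel"` on the new `10-lan0` and `10-wlan0` units (and on `10-lan0`/`10-lan1` in the next host section) does not by itself request temporary addresses; `kernel` tells networkd to leave the per-interface `use_tempaddr` sysctl alone, so the outcome is whatever default the rest of the system sets. If the intent is address privacy for these hosts, state it explicitly with `networkConfig.IPv6PrivacyExtensions = "prefer-public";` (or `"yes"`); if the intent really is "do not touch", a one-line comment saying so would stop the next reader from assuming privacy extensions are on.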
@ -1,21 +1,22 @@
|
||||||
{
|
{
|
||||||
networking = {
|
networking = {
|
||||||
hostId = "49ce3b71";
|
hostId = "49ce3b71";
|
||||||
wireless.iwd.enable = true;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.network.networks = {
|
systemd.network.networks = {
|
||||||
enp1s0 = {
|
"10-lan0" = {
|
||||||
DHCP = "yes";
|
DHCP = "yes";
|
||||||
matchConfig.MACAddress = "00:00:00:00:00:00";
|
matchConfig.MACAddress = "00:00:00:00:00:00";
|
||||||
|
networkConfig.IPv6PrivacyExtensions = "kernel";
|
||||||
dhcpV4Config.RouteMetric = 10;
|
dhcpV4Config.RouteMetric = 10;
|
||||||
dhcpV6Config.RouteMetric = 10;
|
dhcpV6Config.RouteMetric = 10;
|
||||||
};
|
};
|
||||||
enp2s0 = {
|
"10-lan1" = {
|
||||||
DHCP = "yes";
|
DHCP = "yes";
|
||||||
matchConfig.MACAddress = "00:00:00:00:00:00";
|
matchConfig.MACAddress = "00:00:00:00:00:00";
|
||||||
dhcpV4Config.RouteMetric = 10;
|
networkConfig.IPv6PrivacyExtensions = "kernel";
|
||||||
dhcpV6Config.RouteMetric = 10;
|
dhcpV4Config.RouteMetric = 20;
|
||||||
|
dhcpV6Config.RouteMetric = 20;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -46,7 +46,8 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
useDHCP = lib.mkForce false;
|
# FIXME: would like to use mkForce false for useDHCP, but nixpkgs#215908 blocks that.
|
||||||
|
useDHCP = true;
|
||||||
useNetworkd = true;
|
useNetworkd = true;
|
||||||
wireguard.enable = true;
|
wireguard.enable = true;
|
||||||
dhcpcd.enable = false;
|
dhcpcd.enable = false;
|
||||||
|
|
|
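Review bot: Replacing `useDHCP = lib.mkForce false` with `useDHCP = true` while `useNetworkd = true` remains makes NixOS emit its catch-all `99-ethernet-default-dhcp` network unit, so any Ethernet interface that none of the per-host MAC-matched units claims now also gets DHCP — the explicit units stop being the only way an interface comes up. That is a wider exposure than before (a hot-plugged or renamed NIC joins whatever segment it is cabled to), and the FIXME only explains why `mkForce false` was dropped, not that this fallback is accepted in the meantime. I would extend it: `# FIXME: would like to use mkForce false for useDHCP, but nixpkgs#215908 blocks that. Until then networkd's 99-ethernet-default-dhcp fallback applies to unmatched interfaces.` The enclosing `networking` attrset continues outside the hunk.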
@ -1,4 +1,17 @@
|
||||||
{
|
{
|
||||||
|
config,
|
||||||
|
name,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
|
rekey.secrets.initrd_host_ed25519_key.file = ../../hosts/${name}/initrd_host_ed25519_key.age;
|
||||||
|
|
||||||
|
boot.initrd.network.enable = true;
|
||||||
|
boot.initrd.network.ssh = {
|
||||||
|
enable = true;
|
||||||
|
port = 4;
|
||||||
|
hostKeys = [config.rekey.secrets.initrd_host_ed25519_key.path];
|
||||||
|
};
|
||||||
|
|
||||||
services.sshd.enable = true;
|
services.sshd.enable = true;
|
||||||
services.openssh = {
|
services.openssh = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
|
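Review bot: `hostKeys = [config.rekey.secrets.initrd_host_ed25519_key.path]` lists a file that NixOS copies into the initrd as an initrd secret, and on the usual bootloaders that copy sits unencrypted next to the initrd on /boot; using a dedicated key rather than the system host key is the right call, but nothing in the module says why, so a later edit could substitute the regular key. I would add above the attrset: `# Dedicated key on purpose: initrd secrets end up unencrypted alongside the initrd on /boot, so never list the system host key here.` Presumably agenix-rekey materialises `.path` on the host before the initrd secrets are appended at switch time; if it does not, the key is absent when the initrd is assembled — confirm the ordering. `port = 4;` also deserves a one-line comment on why a non-default port was chosen, since this sshd answers before the root filesystem is unlocked.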
@ -5,7 +5,7 @@
|
||||||
#impermanence,
|
#impermanence,
|
||||||
nixos-hardware,
|
nixos-hardware,
|
||||||
nixpkgs,
|
nixpkgs,
|
||||||
ragenix,
|
agenix,
|
||||||
agenix-rekey,
|
agenix-rekey,
|
||||||
templates,
|
templates,
|
||||||
...
|
...
|
||||||
|
@ -28,7 +28,7 @@ with nixpkgs.lib; let
|
||||||
(../hosts + "/${hostName}")
|
(../hosts + "/${hostName}")
|
||||||
home-manager.nixosModules.default
|
home-manager.nixosModules.default
|
||||||
#impermanence.nixosModules.default
|
#impermanence.nixosModules.default
|
||||||
ragenix.nixosModules.age
|
agenix.nixosModules.default
|
||||||
agenix-rekey.nixosModules.default
|
agenix-rekey.nixosModules.default
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
|
@ -1,17 +1,8 @@
|
||||||
{
|
{nixpkgs, ...}:
|
||||||
nixpkgs,
|
|
||||||
ragenix,
|
|
||||||
...
|
|
||||||
}:
|
|
||||||
with nixpkgs.lib; let
|
with nixpkgs.lib; let
|
||||||
localOverlays =
|
localOverlays =
|
||||||
mapAttrs'
|
mapAttrs'
|
||||||
(f: _: nameValuePair (removeSuffix ".nix" f) (import (./overlays + "/${f}")))
|
(f: _: nameValuePair (removeSuffix ".nix" f) (import (./overlays + "/${f}")))
|
||||||
(builtins.readDir ./overlays);
|
(builtins.readDir ./overlays);
|
||||||
in
|
in
|
||||||
localOverlays
|
localOverlays // {default = composeManyExtensions (attrValues localOverlays);}
|
||||||
// {
|
|
||||||
default =
|
|
||||||
composeManyExtensions ((attrValues localOverlays)
|
|
||||||
++ [ragenix.overlays.default]);
|
|
||||||
}
|
|
||||||
|
|