Diffstat (limited to 'nix')
| -rw-r--r-- | nix/flake/apps.nix | 16 | ||||
| -rw-r--r-- | nix/flake/checks.nix | 42 | ||||
| -rw-r--r-- | nix/flake/devshells.nix | 57 | ||||
| -rw-r--r-- | nix/flake/formatter.nix | 17 | ||||
| -rw-r--r-- | nix/flake/hosts.nix | 184 | ||||
| -rw-r--r-- | nix/flake/overlays.nix | 21 | ||||
| -rw-r--r-- | nix/flake/packages.nix | 13 | ||||
| -rw-r--r-- | nix/modules/default-darwin.nix | 7 | ||||
| -rw-r--r-- | nix/modules/default.nix | 7 | ||||
| -rw-r--r-- | nix/modules/fcuny-net.nix | 70 | ||||
| -rw-r--r-- | nix/modules/home.nix | 38 | ||||
| -rw-r--r-- | nix/modules/host-config.nix | 15 | ||||
| -rw-r--r-- | nix/profiles/darwin.nix | 46 | ||||
| -rw-r--r-- | nix/profiles/disk/vm.nix | 55 | ||||
| -rw-r--r-- | nix/profiles/git-server.nix | 25 | ||||
| -rw-r--r-- | nix/profiles/hardware/synology.nix | 23 | ||||
| -rw-r--r-- | nix/profiles/home-manager.nix | 36 | ||||
| -rw-r--r-- | nix/profiles/nix.nix | 47 | ||||
| -rw-r--r-- | nix/profiles/server.nix | 85 | ||||
| -rw-r--r-- | nix/scripts/common.nix | 81 | ||||
| -rw-r--r-- | nix/scripts/darwin.nix | 38 | ||||
| -rw-r--r-- | nix/scripts/default.nix | 20 | ||||
| -rw-r--r-- | nix/scripts/linux.nix | 19 | ||||
| -rw-r--r-- | nix/tofu/backups.nix | 42 | ||||
| -rw-r--r-- | nix/tofu/dns.nix | 138 |
25 files changed, 0 insertions, 1142 deletions
diff --git a/nix/flake/apps.nix b/nix/flake/apps.nix
deleted file mode 100644
index ef764eb..0000000
--- a/nix/flake/apps.nix
+++ /dev/null
@@ -1,16 +0,0 @@
-{ ... }:
-{
- perSystem =
- { pkgs, ... }:
- let
- mkFcunyNet = import ../../src/fcuny.net { inherit pkgs; };
- in
- {
- apps = {
- "fcuny_net-serve" = {
- type = "app";
- program = "${mkFcunyNet.serve}/bin/serve-fcuny-net";
- };
- };
- };
-}
diff --git a/nix/flake/checks.nix b/nix/flake/checks.nix
deleted file mode 100644
index 87d4a7f..0000000
--- a/nix/flake/checks.nix
+++ /dev/null
@@ -1,42 +0,0 @@
-{ inputs, ... }:
-{
- perSystem =
- { system, pkgs, ... }:
- let
- treefmtEval = inputs.treefmt-nix.lib.evalModule pkgs {
- projectRootFile = "flake.nix";
- programs = {
- nixfmt.enable = true;
- deadnix.enable = true;
- };
- };
-
- mkPreCommitHooks =
- src:
- inputs.pre-commit-hooks.lib.${system}.run {
- inherit src;
- hooks = {
- check-merge-conflicts.enable = true;
- deadnix.enable = true;
- detect-private-keys.enable = true;
- end-of-file-fixer.enable = true;
- mixed-line-endings.enable = true;
- shellcheck = {
- enable = true;
- excludes = [ "\\.envrc$" ];
- };
- flake-checker.enable = true;
- treefmt = {
- enable = true;
- entry = "${treefmtEval.config.build.wrapper}/bin/treefmt --ci";
- };
- trim-trailing-whitespace.enable = true;
- };
- };
- in
- {
- checks = {
- pre-commit-check = mkPreCommitHooks ./.;
- };
- };
-}
diff --git a/nix/flake/devshells.nix b/nix/flake/devshells.nix
deleted file mode 100644
index 339a8f4..0000000
--- a/nix/flake/devshells.nix
+++ /dev/null
@@ -1,57 +0,0 @@
-{ inputs, ... }:
-{
- perSystem =
- { system, pkgs, ... }:
- let
- treefmtEval = inputs.treefmt-nix.lib.evalModule pkgs {
- projectRootFile = "flake.nix";
- programs = {
- nixfmt.enable = true;
- deadnix.enable = true;
- };
- };
-
- mkPreCommitHooks =
- src:
- inputs.pre-commit-hooks.lib.${system}.run {
- inherit src;
- hooks = {
- check-merge-conflicts.enable = true;
- deadnix.enable = true;
- detect-private-keys.enable = true;
- end-of-file-fixer.enable = true;
- mixed-line-endings.enable = true;
- shellcheck = {
- enable = true;
- excludes = [ "\\.envrc$" ];
- };
- flake-checker.enable = true;
- treefmt = {
- enable = true;
- entry = "${treefmtEval.config.build.wrapper}/bin/treefmt --ci";
- };
- trim-trailing-whitespace.enable = true;
- };
- };
-
- pre-commit-check = mkPreCommitHooks ./.;
- scripts = import ../../nix/scripts {
- inherit pkgs system inputs;
- };
- in
- {
- devShells = {
- default = pkgs.mkShellNoCC {
- inherit (pre-commit-check) shellHook;
- packages =
- with pkgs;
- [
- nixos-rebuild
- git
- inputs.agenix.packages."${system}".default
- ]
- ++ scripts.all;
- };
- };
- };
-}
diff --git a/nix/flake/formatter.nix b/nix/flake/formatter.nix
deleted file mode 100644
index 44c0190..0000000
--- a/nix/flake/formatter.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{ inputs, ... }:
-{
- perSystem =
- { pkgs, ... }:
- let
- treefmtEval = inputs.treefmt-nix.lib.evalModule pkgs {
- projectRootFile = "flake.nix";
- programs = {
- nixfmt.enable = true;
- deadnix.enable = true;
- };
- };
- in
- {
- formatter = treefmtEval.config.build.wrapper;
- };
-}
diff --git a/nix/flake/hosts.nix b/nix/flake/hosts.nix
deleted file mode 100644
index d3454bf..0000000
--- a/nix/flake/hosts.nix
+++ /dev/null
@@ -1,184 +0,0 @@ -{ - inputs, - self, - withSystem, - ... -}: -let - inherit (inputs.nixpkgs.lib // builtins) - filterAttrs - foldl' - makeOverridable - mapAttrs' - mapAttrsToList - mkForce - mkIf - nixosSystem - readDir - replaceStrings - substring - ; - - inherit (inputs.darwin.lib) darwinSystem; - - nixSettings = { - nix.registry.nixpkgs = { - flake = inputs.nixpkgs; - }; - }; - - mapSystems = - dir: mapAttrsToList (name: _: name) (filterAttrs (_: type: type == "directory") (readDir dir)); - - mapHosts = foldl' ( - hosts: system: - hosts - // (mapAttrs' ( - filename: _: - let - name = replaceStrings [ ".nix" ] [ "" ] filename; - in - { - inherit name; - value = { - inherit system; - hostconf = "${self}/machines/nixos/${system}/$(unknown)"; - }; - } - ) (builtins.readDir "${self}/machines/nixos/${system}")) - ) { }; - - mapMacs = foldl' ( - hosts: system: - hosts - // (mapAttrs' ( - filename: _: - let - name = replaceStrings [ ".nix" ] [ "" ] filename; - in - { - inherit name; - value = { - inherit system; - hostconf = "${self}/machines/darwin/${system}/$(unknown)"; - }; - } - ) (builtins.readDir "${self}/machines/darwin/${system}")) - ) { }; - - defaultModules = [ - nixSettings - inputs.agenix.nixosModules.age - inputs.disko.nixosModules.disko - inputs.home-manager.nixosModules.home-manager - "${self}/nix/modules/default.nix" - ]; - - darwinDefaultModules = [ - nixSettings - inputs.agenix.darwinModules.age - inputs.home-manager.darwinModules.home-manager - "${self}/nix/modules/default-darwin.nix" - ]; - - darwinConfigurations = mapAttrs' ( - name: conf: - let - inherit (conf) system hostconf; - adminUser = { - name = "fcuny"; - userinfo = { - email = "franck@fcuny.net"; - fullName = "Franck Cuny"; - }; - }; - in - { - inherit name; - value = withSystem system ( - { pkgs, ... 
}: - makeOverridable darwinSystem { - inherit system; - specialArgs = { - hostName = name; - inherit adminUser; - inherit self; - inherit inputs; - }; - modules = - [ - { inherit adminUser; } - { - nixpkgs.pkgs = pkgs; - nixpkgs.hostPlatform = system; - system.stateVersion = 5; - environment.systemPackages = [ - pkgs.git - ]; - } - ] - ++ darwinDefaultModules - ++ [ - hostconf - ]; - } - ); - } - ) (mapMacs (mapSystems "${self}/machines/darwin")); - - nixosConfigurations = mapAttrs' ( - name: conf: - let - inherit (conf) system hostconf; - adminUser = { - name = "fcuny"; - userinfo = { - email = "franck@fcuny.net"; - fullName = "Franck Cuny"; - }; - }; - in - { - inherit name; - value = withSystem system ( - { pkgs, ... }: - makeOverridable nixosSystem { - inherit system; - specialArgs = { - hostName = name; - inherit adminUser; - inherit self; - hostConfigurations = mapAttrs' (name: conf: { - inherit name; - value = conf.config; - }) nixosConfigurations; - inherit inputs; - }; - modules = - [ - { - inherit adminUser; - } - { - system.configurationRevision = mkIf (self ? rev) self.rev; - system.nixos.versionSuffix = mkForce "git.${substring 0 11 inputs.nixpkgs.rev}"; - nixpkgs.pkgs = pkgs; - environment.systemPackages = [ - pkgs.git - ]; - } - ] - ++ defaultModules - ++ [ - hostconf - ]; - } - ); - } - ) (mapHosts (mapSystems "${self}/machines/nixos")); -in -{ - flake = { - inherit nixosConfigurations darwinConfigurations; - }; -} diff --git a/nix/flake/overlays.nix b/nix/flake/overlays.nix deleted file mode 100644 index 83eadd0..0000000 --- a/nix/flake/overlays.nix +++ /dev/null 
@@ -1,21 +0,0 @@
-{ inputs, self, ... }:
-{
-
- flake.overlays.default = _final: prev: {
- llmPython = prev.callPackage "${self}/pkgs/llmPython/" { };
- };
-
- perSystem =
- { system, ... }:
- {
- _module.args.pkgs = import inputs.nixpkgs {
- inherit system;
- config.allowUnfree = true;
- overlays = [
- inputs.agenix.overlays.default
- inputs.emacs-overlay.overlay
- self.overlays.default
- ];
- };
- };
-}
diff --git a/nix/flake/packages.nix b/nix/flake/packages.nix
deleted file mode 100644
index a166803..0000000
--- a/nix/flake/packages.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ ... }:
-{
- perSystem =
- { pkgs, ... }:
- let
- mkFcunyNet = import ../../src/fcuny.net { inherit pkgs; };
- in
- {
- packages = {
- "fcuny_net" = mkFcunyNet.site;
- };
- };
-}
diff --git a/nix/modules/default-darwin.nix b/nix/modules/default-darwin.nix
deleted file mode 100644
index b42a079..0000000
--- a/nix/modules/default-darwin.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ ... }:
-{
- imports = [
- ./home.nix
- ./host-config.nix
- ];
-}
diff --git a/nix/modules/default.nix b/nix/modules/default.nix
deleted file mode 100644
index b42a079..0000000
--- a/nix/modules/default.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ ... }:
-{
- imports = [
- ./home.nix
- ./host-config.nix
- ];
-}
diff --git a/nix/modules/fcuny-net.nix b/nix/modules/fcuny-net.nix
deleted file mode 100644
index eb5bf95..0000000
--- a/nix/modules/fcuny-net.nix
+++ /dev/null
@@ -1,70 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}:
-
-let
- cfg = config.services.fcuny-net;
-
- # Import your site - you'll need to adjust the path relative to this module
- fcunyNet = import ../../src/fcuny.net { inherit pkgs; };
-in
-{
- options.services.fcuny-net = {
- enable = lib.mkEnableOption "fcuny.net static site";
-
- domain = lib.mkOption {
- type = lib.types.str;
- default = "fcuny.net";
- description = "Domain name for the site";
- };
-
- port = lib.mkOption {
- type = lib.types.port;
- default = 80;
- description = "Port to serve the site on";
- };
-
- enableSSL = lib.mkOption {
- type = lib.types.bool;
- default = false;
- description = "Enable SSL/TLS with Let's Encrypt";
- };
- };
-
- config = lib.mkIf cfg.enable {
- services.nginx = {
- enable = true;
- virtualHosts.${cfg.domain} = {
- root = fcunyNet.site;
-
- # SSL configuration
- enableACME = cfg.enableSSL;
- forceSSL = cfg.enableSSL;
-
- locations."/" = {
- tryFiles = "$uri $uri/ =404";
- };
-
- extraConfig = ''
- # Cache static assets
- location ~* \.(css|js|png|jpg|jpeg|gif|ico|svg)$ {
- expires 1y;
- add_header Cache-Control "public, immutable";
- }
- '';
- };
- };
-
- # Open firewall
- networking.firewall.allowedTCPPorts = [ cfg.port ] ++ lib.optional cfg.enableSSL 443;
-
- # ACME/Let's Encrypt setup if SSL is enabled
- security.acme = lib.mkIf cfg.enableSSL {
- acceptTerms = true;
- defaults.email = "franck@fcuny.net";
- };
- };
-}
diff --git a/nix/modules/home.nix b/nix/modules/home.nix
deleted file mode 100644
index 6b6b518..0000000
--- a/nix/modules/home.nix
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- userProfiles,
- lib,
- ...
-}:
-let
- inherit (lib) mkOption;
- inherit (lib.types)
- submodule
- listOf
- attrsOf
- str
- ;
-in
-{
- options = {
- home = mkOption {
- type = attrsOf (
- submodule (
- { name, ... }:
- {
- options = {
- name = mkOption {
- type = str;
- default = name;
- };
- profiles = mkOption {
- type = listOf str;
- apply = map (v: userProfiles.${v});
- };
- };
- }
- )
- );
- default = { };
- };
- };
-}
diff --git a/nix/modules/host-config.nix b/nix/modules/host-config.nix
deleted file mode 100644
index b10d85f..0000000
--- a/nix/modules/host-config.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{ lib, ... }:
-let
- inherit (lib) mkOption;
- inherit (lib.types)
- attrs
- ;
-in
-{
- options = {
- adminUser = mkOption {
- type = attrs;
- default = { };
- };
- };
-}
diff --git a/nix/profiles/darwin.nix b/nix/profiles/darwin.nix
deleted file mode 100644
index e355b72..0000000
--- a/nix/profiles/darwin.nix
+++ /dev/null
@@ -1,46 +0,0 @@
-{ ... }:
-{
- system.defaults = {
- dock = {
- autohide = true;
- dashboard-in-overlay = false;
- launchanim = false; # Don't animate opening applications.
- mru-spaces = false; # donβt rearrange spaces based on the most recent use
- orientation = "left";
- show-recents = false;
- showhidden = false;
- tilesize = 60; # Default is 64.
- wvous-br-corner = 1; # Disable Notes hot corner.
- };
- finder.AppleShowAllExtensions = true;
-
- CustomUserPreferences = {
- "com.apple.desktopservices" = {
- # Avoid creating .DS_Store files on network or USB volumes
- DSDontWriteNetworkStores = true;
- DSDontWriteUSBStores = true;
- };
- };
-
- # Requires the directory to already exist.
- # See system.activationScripts.postUserActivation
- screencapture.location = "~/Documents/screenshots";
- SoftwareUpdate.AutomaticallyInstallMacOSUpdates = true;
- };
-
- system.keyboard = {
- enableKeyMapping = true;
- remapCapsLockToControl = true;
- };
-
- # TODO: - The `system.activationScripts.postUserActivation` option has
- # been removed, as all activation now takes place as `root`. Please
- # restructure your custom activation scripts appropriately,
- # potentially using `sudo` if you need to run commands as a user.
- # system.activationScripts.postUserActivation.text = ''
- # mkdir -p ~/Documents/screenshots
- # '';
-
- # Touch ID for sudo auth
- security.pam.services.sudo_local.touchIdAuth = true;
-}
diff --git a/nix/profiles/disk/vm.nix b/nix/profiles/disk/vm.nix
deleted file mode 100644
index 1641339..0000000
--- a/nix/profiles/disk/vm.nix
+++ /dev/null
@@ -1,55 +0,0 @@
-{ lib, ... }:
-{
- disko.devices = {
- disk.disk1 = {
- device = lib.mkDefault "/dev/sda";
- type = "disk";
- content = {
- type = "gpt";
- partitions = {
- boot = {
- name = "boot";
- size = "1M";
- type = "EF02";
- };
- esp = {
- name = "ESP";
- size = "500M";
- type = "EF00";
- content = {
- type = "filesystem";
- format = "vfat";
- mountpoint = "/boot";
- };
- };
- root = {
- name = "root";
- size = "100%";
- content = {
- type = "lvm_pv";
- vg = "pool";
- };
- };
- };
- };
- };
- lvm_vg = {
- pool = {
- type = "lvm_vg";
- lvs = {
- root = {
- size = "100%FREE";
- content = {
- type = "filesystem";
- format = "ext4";
- mountpoint = "/";
- mountOptions = [
- "defaults"
- ];
- };
- };
- };
- };
- };
- };
-}
diff --git a/nix/profiles/git-server.nix b/nix/profiles/git-server.nix
deleted file mode 100644
index 27eebc7..0000000
--- a/nix/profiles/git-server.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-{ pkgs, ... }:
-{
- services.gitolite = {
- enable = true;
- adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi";
- user = "git";
- group = "git";
- extraGitoliteRc = ''
- # Make dirs/files group readable, needed for webserver/cgit. (Default
- # setting is 0077.)
- $RC{UMASK} = 0027;
- $RC{GIT_CONFIG_KEYS} = 'cgit.desc cgit.hide cgit.ignore cgit.owner';
- $RC{LOCAL_CODE} = "$rc{GL_ADMIN_BASE}/local";
- push( @{$RC{ENABLE}}, 'symbolic-ref' );
- '';
- };
-
- # let's make sure the default branch is `main'.
- systemd.tmpfiles.rules = [
- "C /var/lib/gitolite/.gitconfig - git git 0644 ${pkgs.writeText "gitolite-gitconfig" ''
- [init]
- defaultBranch = main
- ''}"
- ];
-}
diff --git a/nix/profiles/hardware/synology.nix b/nix/profiles/hardware/synology.nix
deleted file mode 100644
index ad1fd3f..0000000
--- a/nix/profiles/hardware/synology.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{ lib, modulesPath, ... }:
-{
- imports = [
- (modulesPath + "/profiles/qemu-guest.nix")
- (modulesPath + "/installer/scan/not-detected.nix")
- ];
-
- boot.initrd.availableKernelModules = [
- "ata_piix"
- "uhci_hcd"
- "virtio_pci"
- "virtio_scsi"
- "sd_mod"
- "sr_mod"
- ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ "kvm-amd" ];
- boot.extraModulePackages = [ ];
-
- swapDevices = [ ];
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}
diff --git a/nix/profiles/home-manager.nix b/nix/profiles/home-manager.nix
deleted file mode 100644
index 3a81cce..0000000
--- a/nix/profiles/home-manager.nix
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- self,
- hostName,
- inputs,
- config,
- adminUser,
- ...
-}:
-{
- home-manager.extraSpecialArgs =
- {
- inherit
- self
- hostName
- inputs
- adminUser
- ;
- }
- // {
- mainConfig = config;
- configPath = "${self}/configs/users/fcuny";
- };
-
- home-manager.sharedModules = [
- inputs.agenix.homeManagerModules.default
- "${self}/users/modules/userinfo.nix"
- {
- nixpkgs.overlays = [
- inputs.agenix.overlays.default
- inputs.emacs-overlay.overlay
- self.overlays.default
- ];
- nixpkgs.config.allowUnfree = true;
- }
- ];
-}
diff --git a/nix/profiles/nix.nix b/nix/profiles/nix.nix
deleted file mode 100644
index acfe151..0000000
--- a/nix/profiles/nix.nix
+++ /dev/null
@@ -1,47 +0,0 @@
-{ lib, pkgs, ... }:
-{
- nix = {
- extraOptions = ''
- tarball-ttl = 900
- '';
- gc = {
- automatic = true;
- options = "--delete-older-than 7d";
- interval = {
- Weekday = 0;
- Hour = 0;
- Minute = 0;
- };
- };
- optimise = {
- automatic = true;
- interval = {
- Weekday = 0;
- Hour = 0;
- Minute = 0;
- };
- };
- package = pkgs.nixVersions.stable;
- settings = {
- trusted-substituters = [
- "https://cachix.cachix.org"
- "https://nixpkgs.cachix.org"
- "https://nix-community.cachix.org"
- ];
- trusted-public-keys = [
- "cachix.cachix.org-1:eWNHQldwUO7G2VkjpnjDbWwy4KQ/HNxht7H4SSoMckM="
- "nixpkgs.cachix.org-1:q91R6hxbwFvDqTSDKwDAV4T5PxqXGxswD8vhONFMeOE="
- "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
- "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
- ];
- trusted-users = [
- "@admin"
- "fcuny"
- ];
- experimental-features = lib.mkDefault [
- "nix-command"
- "flakes"
- ];
- };
- };
-}
diff --git a/nix/profiles/server.nix b/nix/profiles/server.nix
deleted file mode 100644
index 1588314..0000000
--- a/nix/profiles/server.nix
+++ /dev/null
@@ -1,85 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: -{ - - imports = [ - ./nix.nix - ]; - - time.timeZone = "America/Los_Angeles"; - - # Don't require password for sudo - security.sudo.wheelNeedsPassword = false; - - # Virtualization settings - virtualisation.docker.enable = true; - - # Select internationalisation properties. - i18n = { - defaultLocale = "en_US.UTF-8"; - }; - - boot.loader.systemd-boot.enable = true; - boot.kernelPackages = pkgs.linuxPackages_latest; - - environment.systemPackages = with pkgs; [ - curl - fd - fish - git - htop - jq - mtr - pciutils - powertop - ripgrep - tcpdump - traceroute - vim - ]; - - boot.kernel.sysctl = { - "net.ipv4.tcp_fastopen" = 3; - "net.ipv4.tcp_tw_reuse" = 1; - }; - - networking = { - firewall = { - enable = false; - allowPing = true; - logRefusedConnections = false; - }; - useNetworkd = lib.mkDefault true; - }; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. - networking.useDHCP = lib.mkDefault true; - - # Default to systemd-networkd usage. - systemd.network.wait-online.anyInterface = lib.mkDefault config.networking.useDHCP; - - # Use systemd-resolved for DoT support. - services.resolved = { - enable = true; - dnssec = "false"; - extraConfig = '' - DNSOverTLS=yes - ''; - }; - - # Used by systemd-resolved, not directly by resolv.conf. - networking.nameservers = [ - "8.8.8.8#dns.google" - "1.0.0.1#cloudflare-dns.com" - ]; - - ## disable that slow "building man-cache" step - documentation.man.generateCaches = lib.mkForce false; -} diff --git a/nix/scripts/common.nix b/nix/scripts/common.nix deleted file mode 100644 index b457ea2..0000000 --- a/nix/scripts/common.nix +++ /dev/null 
@@ -1,81 +0,0 @@ -{ pkgs }: -let - tofuSetup = '' - tofu_setup() { - # Ensure bucket exists - ${pkgs.google-cloud-sdk}/bin/gcloud storage buckets describe \ - gs://fcuny-infra-tofu-state \ - --project=fcuny-infra \ - --quiet || \ - ${pkgs.google-cloud-sdk}/bin/gcloud storage buckets create \ - gs://fcuny-infra-tofu-state \ - --project=fcuny-infra \ - --uniform-bucket-level-access \ - --public-access-prevention \ - --location=us-west1 \ - --default-storage-class=STANDARD \ - --quiet - - # Setup temp directory - TMPDIR=$(mktemp -d) - trap 'rm -rf "$TMPDIR"' EXIT - - # Install terraform configs - ${pkgs.coreutils}/bin/install -Dm 0644 ${ - import ../tofu/backups.nix { - inherit pkgs; - } - } "$TMPDIR/backups/backups.tf.json" - - ${pkgs.coreutils}/bin/install -Dm 0644 ${ - import ../tofu/dns.nix { - inherit pkgs; - } - } "$TMPDIR/cloudflare/cloudflare-dns.tf.json" - - # Initialize both workspaces - ${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/backups" init - ${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/cloudflare" init - - # Fetch Cloudflare API token - CLOUDFLARE_API_TOKEN=$(${pkgs._1password-cli}/bin/op --account my.1password.com read "op://Private/mcwt3evuidhalk3dfz4tqpzdpa/credential") - } - ''; -in -[ - (pkgs.writeScriptBin "update-deps" "nix flake update --commit-lock-file") - - (pkgs.writeShellScriptBin "gcloud-auth" '' - set -xeuo pipefail - ${pkgs.google-cloud-sdk}/bin/gcloud auth print-identity-token > /dev/null 2>&1 || \ - ${pkgs.google-cloud-sdk}/bin/gcloud auth login --quiet - ${pkgs.google-cloud-sdk}/bin/gcloud auth application-default print-access-token > /dev/null 2>&1 || \ - ${pkgs.google-cloud-sdk}/bin/gcloud auth application-default login --quiet - '') - - (pkgs.writeShellScriptBin "tofu-plan" '' - set -xeuo pipefail - - ${tofuSetup} - tofu_setup - - echo "=== Planning backups ===" - ${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/backups" plan - - echo "=== Planning cloudflare ===" - CLOUDFLARE_API_TOKEN="$CLOUDFLARE_API_TOKEN" ${pkgs.opentofu}/bin/tofu 
-chdir="$TMPDIR/cloudflare" plan - '') - - (pkgs.writeShellScriptBin "tofu-apply" '' - set -xeuo pipefail - - ${tofuSetup} - tofu_setup - - echo "=== Applying backups ===" - ${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/backups" apply -auto-approve - - echo "=== Applying cloudflare ===" - CLOUDFLARE_API_TOKEN="$CLOUDFLARE_API_TOKEN" ${pkgs.opentofu}/bin/tofu -chdir="$TMPDIR/cloudflare" apply -auto-approve - '') -] diff --git a/nix/scripts/darwin.nix b/nix/scripts/darwin.nix deleted file mode 100644 index c1bbbde..0000000 --- a/nix/scripts/darwin.nix +++ /dev/null @@ -1,38 +0,0 @@ -{ - pkgs, - system, - inputs, -}: -[ - (pkgs.writeScriptBin "nbuild" '' - set -e - echo "> Running darwin-rebuild build..." - ${inputs.darwin.packages.${system}.darwin-rebuild}/bin/darwin-rebuild build --flake . - echo "> darwin-rebuild build was successful β
" - echo "> macOS config was successfully applied π" - '') - - (pkgs.writeScriptBin "nswitch" '' - set -e - echo "> Running darwin-rebuild switch..." - ${inputs.darwin.packages.${system}.darwin-rebuild}/bin/darwin-rebuild switch --flake . - echo "> darwin-rebuild build was successful β
" - echo "> macOS config was successfully applied π" - '') - - (pkgs.writeScriptBin "switch-vm-synology" '' - set -e - echo "> Running nixos-rebuild switch ..." - ${pkgs.nixos-rebuild}/bin/nixos-rebuild switch --keep-going --flake .#vm-synology --target-host vm-synology --build-host vm-synology --fast --use-remote-sudo --use-substitutes - echo "> nixos-rebuild switch was successful β
" - '') - - (pkgs.writeScriptBin "sync-agenix-key" '' - set -e - echo "> Copying agenix SSH key from 1password ..." - mkdir -p ~/.ssh - ${pkgs._1password-cli}/bin/op --account my.1password.com read "op://Private/agenix/private key?ssh-format=openssh" > ~/.ssh/agenix - ${pkgs._1password-cli}/bin/op --account my.1password.com read "op://Private/agenix/public key" > ~/.ssh/agenix.pub - echo "> agenix SSH key copied successfully π" - '') -] diff --git a/nix/scripts/default.nix b/nix/scripts/default.nix deleted file mode 100644 index 90851df..0000000 --- a/nix/scripts/default.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ - pkgs, - system, - inputs, -}: -let - common = import ./common.nix { inherit pkgs; }; - darwin = import ./darwin.nix { inherit pkgs system inputs; }; - linux = import ./linux.nix { inherit pkgs system inputs; }; -in -{ - common = common; - darwin = if pkgs.lib.hasSuffix "darwin" system then darwin else [ ]; - linux = if pkgs.lib.hasSuffix "linux" system then linux else [ ]; - - all = - common - ++ (if pkgs.lib.hasSuffix "darwin" system then darwin else [ ]) - ++ (if pkgs.lib.hasSuffix "linux" system then linux else [ ]); -} diff --git a/nix/scripts/linux.nix b/nix/scripts/linux.nix deleted file mode 100644 index b44c86f..0000000 --- a/nix/scripts/linux.nix +++ /dev/null @@ -1,19 +0,0 @@ -{ - pkgs, -}: -[ - (pkgs.writeScriptBin "nbuild" '' - set -e - echo "> Running nixos-rebuild build..." - sudo nixos-rebuild build --flake . - echo "> nixos-rebuild build was successful β
" - '') - - (pkgs.writeScriptBin "nswitch" '' - set -e - echo "> Running nixos-rebuild switch..." - sudo nixos-rebuild switch --flake . - echo "> nixos-rebuild switch was successful β
" - echo "> NixOS config was successfully applied π" - '') -] diff --git a/nix/tofu/backups.nix b/nix/tofu/backups.nix deleted file mode 100644 index e76ed2e..0000000 --- a/nix/tofu/backups.nix +++ /dev/null @@ -1,42 +0,0 @@ -{ - pkgs, -}: -pkgs.writeTextFile { - name = "backups.tf.json"; - text = builtins.toJSON ([ - { - terraform = { - backend = { - gcs = { - bucket = "fcuny-infra-tofu-state"; - prefix = "backups"; - }; - }; - }; - } - { - provider = { - google = [ - { - project = "fcuny-infra"; - region = "us-west1"; - } - ]; - }; - } - { - resource = { - google_storage_bucket = { - "backups" = { - name = "fcuny-infra-backups"; - location = "us-west1"; - uniform_bucket_level_access = true; - force_destroy = true; - public_access_prevention = "enforced"; - storage_class = "NEARLINE"; - }; - }; - }; - } - ]); -} diff --git a/nix/tofu/dns.nix b/nix/tofu/dns.nix deleted file mode 100644 index df0ed65..0000000 --- a/nix/tofu/dns.nix +++ /dev/null 
@@ -1,138 +0,0 @@ -{ - pkgs, -}: -let - zoneId = "6878e48b5cb81c7d789040632153719d"; - zoneName = "fcuny.net"; - - # Helper function to create DNS records with common fields - mkRecord = - type: name: content: extra: - { - inherit name type; - zone_id = zoneId; - ttl = 1; - proxied = false; - content = content; - } - // extra; - - # Helper for A records (typically proxied) - mkARecord = name: ip: mkRecord "A" name ip { proxied = true; }; - - # Helper for CNAME records - mkCNAME = name: target: mkRecord "CNAME" name target { }; - - # Helper for MX records - mkMXRecord = - priority: target: - mkRecord "MX" zoneName target { - inherit priority; - }; - - # Helper for SRV records with data block - mkSRVRecord = name: port: target: weight: priority: { - inherit name; - type = "SRV"; - zone_id = zoneId; - ttl = 1; - proxied = false; - priority = priority; - data = { - inherit - port - target - weight - priority - ; - }; - }; - - # Helper for TXT records - mkTXTRecord = name: content: mkRecord "TXT" name content { }; - -in -pkgs.writeTextFile { - name = "cloudflare-dns.tf.json"; - text = builtins.toJSON ([ - { - terraform = { - required_providers = { - cloudflare = { - source = "cloudflare/cloudflare"; - version = "~> 4.0"; - }; - }; - backend = { - gcs = { - bucket = "fcuny-infra-tofu-state"; - prefix = "cloudflare-dns"; - }; - }; - }; - } - { - provider = { - cloudflare = [ { } ]; - }; - } - { - # Use data source for existing zone instead of managing it - data = { - cloudflare_zone = { - "main" = { - name = zoneName; - }; - }; - }; - } - { - resource = { - cloudflare_record = { - # A records for root domain - "cname_root_0" = mkARecord zoneName "185.199.108.153"; - "cname_root_1" = mkARecord zoneName "185.199.110.153"; - "cname_root_2" = mkARecord zoneName "185.199.109.153"; - "cname_root_3" = mkARecord zoneName "185.199.111.153"; - - # DKIM CNAME records - "cname_dkim_0" = mkCNAME "fm1._domainkey" "fm1.fcuny.net.dkim.fmhosted.com" // { - ttl = 60; - }; - "cname_dkim_1" 
= mkCNAME "fm2._domainkey" "fm2.fcuny.net.dkim.fmhosted.com" // { - ttl = 60; - }; - "cname_dkim_2" = mkCNAME "fm3._domainkey" "fm3.fcuny.net.dkim.fmhosted.com" // { - ttl = 60; - }; - - # Git subdomain via Cloudflare tunnel - "cname_git" = mkCNAME "git" "b5d5071d-3c09-4379-9d6c-0684c478f151.cfargotunnel.com" // { - proxied = true; - }; - - # MX records - "mx_0" = mkMXRecord 10 "in1-smtp.messagingengine.com"; - "mx_1" = mkMXRecord 20 "in2-smtp.messagingengine.com"; - - # SPF TXT record - "txt_spf" = mkTXTRecord zoneName "v=spf1 include:spf.messagingengine.com ?all"; - }; - }; - } - { - resource = { - cloudflare_record = { - # SRV records for email services - "srv_caldavs" = mkSRVRecord "_caldavs._tcp" 443 "caldav.fastmail.com" 1 0; - "srv_caldav" = mkSRVRecord "_caldav._tcp" 0 "." 0 0; - "srv_carddavs" = mkSRVRecord "_carddavs._tcp" 443 "carddav.fastmail.com" 1 0; - "srv_carddav" = mkSRVRecord "_carddav._tcp" 0 "." 0 0; - "srv_imaps" = mkSRVRecord "_imaps._tcp" 993 "imap.fastmail.com" 1 0; - "srv_imap" = mkSRVRecord "_imap._tcp" 0 "." 0 0; - "srv_smtp" = mkSRVRecord "_submission._tcp" 587 "smtp.fastmail.com" 1 0; - }; - }; - } - ]); -} |
