From 574137b8aeb0de239a083a61c285dfc0345e05b3 Mon Sep 17 00:00:00 2001 From: Franck Cuny Date: Tue, 12 Aug 2025 09:35:09 -0700 Subject: move each machine configuration to a folder This will give me a bit more flexibility to configure things per machine in the future. --- flake/hosts.nix | 103 ++++++++---------- machines/darwin/aarch64-darwin/HQ-KWNY2VH41P.nix | 57 ---------- .../aarch64-darwin/HQ-KWNY2VH41P/default.nix | 57 ++++++++++ machines/darwin/aarch64-darwin/mba-m2.nix | 73 ------------- machines/darwin/aarch64-darwin/mba-m2/default.nix | 73 +++++++++++++ machines/nixos/x86_64-linux/digitalocean.nix | 119 --------------------- machines/nixos/x86_64-linux/do-rproxy/default.nix | 119 +++++++++++++++++++++ .../nixos/x86_64-linux/synology-vm/default.nix | 110 +++++++++++++++++++ machines/nixos/x86_64-linux/vm-synology.nix | 110 ------------------- scripts/darwin.nix | 14 +-- 10 files changed, 410 insertions(+), 425 deletions(-) delete mode 100644 machines/darwin/aarch64-darwin/HQ-KWNY2VH41P.nix create mode 100644 machines/darwin/aarch64-darwin/HQ-KWNY2VH41P/default.nix delete mode 100644 machines/darwin/aarch64-darwin/mba-m2.nix create mode 100644 machines/darwin/aarch64-darwin/mba-m2/default.nix delete mode 100644 machines/nixos/x86_64-linux/digitalocean.nix create mode 100644 machines/nixos/x86_64-linux/do-rproxy/default.nix create mode 100644 machines/nixos/x86_64-linux/synology-vm/default.nix delete mode 100644 machines/nixos/x86_64-linux/vm-synology.nix diff --git a/flake/hosts.nix b/flake/hosts.nix index d855a4a..41e983d 100644 --- a/flake/hosts.nix +++ b/flake/hosts.nix @@ -15,7 +15,6 @@ let mkIf nixosSystem readDir - replaceStrings substring ; 
@@ -33,37 +32,25 @@ let mapHosts = foldl' ( hosts: system: hosts - // (mapAttrs' ( - filename: _: - let - name = replaceStrings [ ".nix" ] [ "" ] filename; - in - { - inherit name; - value = { - inherit system; - hostconf = "${self}/machines/nixos/${system}/$(unknown)"; - }; - } - ) (builtins.readDir "${self}/machines/nixos/${system}")) + // (mapAttrs' (name: _: { + inherit name; + value = { + inherit system; + hostconf = "${self}/machines/nixos/${system}/${name}"; + }; + }) (builtins.readDir "${self}/machines/nixos/${system}")) ) { }; mapMacs = foldl' ( hosts: system: hosts - // (mapAttrs' ( - filename: _: - let - name = replaceStrings [ ".nix" ] [ "" ] filename; - in - { - inherit name; - value = { - inherit system; - hostconf = "${self}/machines/darwin/${system}/$(unknown)"; - }; - } - ) (builtins.readDir "${self}/machines/darwin/${system}")) + // (mapAttrs' (name: _: { + inherit name; + value = { + inherit system; + hostconf = "${self}/machines/darwin/${system}/${name}"; + }; + }) (builtins.readDir "${self}/machines/darwin/${system}")) ) { }; defaultModules = [ @@ -105,22 +92,21 @@ let inherit self; inherit inputs; }; - modules = - [ - { inherit adminUser; } - { - nixpkgs.pkgs = pkgs; - nixpkgs.hostPlatform = system; - system.stateVersion = 5; - environment.systemPackages = [ - pkgs.git - ]; - } - ] - ++ darwinDefaultModules - ++ [ - hostconf - ]; + modules = [ + { inherit adminUser; } + { + nixpkgs.pkgs = pkgs; + nixpkgs.hostPlatform = system; + system.stateVersion = 5; + environment.systemPackages = [ + pkgs.git + ]; + } + ] + ++ darwinDefaultModules + ++ [ + hostconf + ]; } ); } 
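Review bot: The rewritten `mapAttrs'` in `mapHosts` (and the identical one in `mapMacs` right below it) discards the entry type that `builtins.readDir` passes as the lambda's second argument, so any non-directory left in `machines/nixos/<system>/` — a stray `.nix` file, an editor backup, `.DS_Store` — is exposed as a host whose `hostconf` is not a module directory, and evaluating that output (for example under `nix flake check`) fails with an import error rather than a clear message. Filter on the type before mapping: `(filterAttrs (_: type: type == "directory") (builtins.readDir "${self}/machines/nixos/${system}"))` in place of the bare `readDir` call, with `filterAttrs` added to the `inherit` list that presumably already supplies `mapAttrs'` (that list is outside this hunk, so I cannot confirm where it comes from). Since the two mappers now differ only in the `nixos`/`darwin` path segment, one helper such as `mkHostMap = kind: foldl' (…) { }` would keep them from drifting apart again. The enclosing `let` that holds these bindings starts before the hunk.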
@@ -155,22 +141,21 @@ let }) nixosConfigurations; inherit inputs; }; - modules = - [ - { inherit adminUser; } - { - system.configurationRevision = mkIf (self ? rev) self.rev; - system.nixos.versionSuffix = mkForce "git.${substring 0 11 inputs.nixpkgs.rev}"; - nixpkgs.pkgs = pkgs; - environment.systemPackages = [ - pkgs.git - ]; - } - ] - ++ defaultModules - ++ [ - hostconf - ]; + modules = [ + { inherit adminUser; } + { + system.configurationRevision = mkIf (self ? rev) self.rev; + system.nixos.versionSuffix = mkForce "git.${substring 0 11 inputs.nixpkgs.rev}"; + nixpkgs.pkgs = pkgs; + environment.systemPackages = [ + pkgs.git + ]; + } + ] + ++ defaultModules + ++ [ + hostconf + ]; } ); } diff --git a/machines/darwin/aarch64-darwin/HQ-KWNY2VH41P.nix b/machines/darwin/aarch64-darwin/HQ-KWNY2VH41P.nix deleted file mode 100644 index 3b8cab7..0000000 --- a/machines/darwin/aarch64-darwin/HQ-KWNY2VH41P.nix +++ /dev/null 
@@ -1,57 +0,0 @@
-{
- adminUser,
- pkgs,
- self,
- ...
-}:
-{
-
- imports = [
- "${self}/profiles/home-manager.nix"
- "${self}/profiles/darwin.nix"
- ];
-
- system.primaryUser = adminUser.name;
-
- fonts.packages = with pkgs; [
- source-code-pro
- ];
-
- # The user should already exist, but we need to set this up so Nix knows
- # what our home directory is (https://github.com/LnL7/nix-darwin/issues/423).
- users = {
- users.${adminUser.name} = {
- home = "/Users/${adminUser.name}";
- shell = pkgs.fish;
- };
- };
-
- environment.shells = [ pkgs.fish ];
-
- programs.fish.enable = true;
- programs.fish.shellInit = ''
- # Nix
- if test -e '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.fish'
- source '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.fish'
- end
- # End Nix
- '';
-
- programs.ssh.knownHosts = {
- "github.com".publicKey =
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
- };
-
- home-manager.users.${adminUser.name} = {
- home.stateVersion = "23.05";
- home.username = "${adminUser.name}";
- home.homeDirectory = "/Users/${adminUser.name}";
- home.packages = with pkgs; [ grpcurl ];
- imports = [
- "${self}/home/profiles/mac.nix"
- "${self}/home/profiles/work.nix"
- ];
- inherit (adminUser) userinfo;
- programs.git.userEmail = "fcuny@roblox.com";
- };
-}
diff --git a/machines/darwin/aarch64-darwin/HQ-KWNY2VH41P/default.nix b/machines/darwin/aarch64-darwin/HQ-KWNY2VH41P/default.nix
new file mode 100644
index 0000000..3b8cab7
--- /dev/null
+++ b/machines/darwin/aarch64-darwin/HQ-KWNY2VH41P/default.nix
@@ -0,0 +1,57 @@
+{
+ adminUser,
+ pkgs,
+ self,
+ ...
+}:
+{
+
+ imports = [
+ "${self}/profiles/home-manager.nix"
+ "${self}/profiles/darwin.nix"
+ ];
+
+ system.primaryUser = adminUser.name;
+
+ fonts.packages = with pkgs; [
+ source-code-pro
+ ];
+
+ # The user should already exist, but we need to set this up so Nix knows
+ # what our home directory is (https://github.com/LnL7/nix-darwin/issues/423).
+ users = {
+ users.${adminUser.name} = {
+ home = "/Users/${adminUser.name}";
+ shell = pkgs.fish;
+ };
+ };
+
+ environment.shells = [ pkgs.fish ];
+
+ programs.fish.enable = true;
+ programs.fish.shellInit = ''
+ # Nix
+ if test -e '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.fish'
+ source '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.fish'
+ end
+ # End Nix
+ '';
+
+ programs.ssh.knownHosts = {
+ "github.com".publicKey =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
+ };
+
+ home-manager.users.${adminUser.name} = {
+ home.stateVersion = "23.05";
+ home.username = "${adminUser.name}";
+ home.homeDirectory = "/Users/${adminUser.name}";
+ home.packages = with pkgs; [ grpcurl ];
+ imports = [
+ "${self}/home/profiles/mac.nix"
+ "${self}/home/profiles/work.nix"
+ ];
+ inherit (adminUser) userinfo;
+ programs.git.userEmail = "fcuny@roblox.com";
+ };
+}
diff --git a/machines/darwin/aarch64-darwin/mba-m2.nix b/machines/darwin/aarch64-darwin/mba-m2.nix
deleted file mode 100644
index 737c4a4..0000000
--- a/machines/darwin/aarch64-darwin/mba-m2.nix
+++ /dev/null
@@ -1,73 +0,0 @@
-{
- adminUser,
- pkgs,
- self,
- ...
-}:
-{
-
- age = {
- secrets = {
- ssh-remote-builder = {
- file = "${self}/secrets/ssh-remote-builder.age";
- };
- };
- };
-
- imports = [
- "${self}/profiles/home-manager.nix"
- "${self}/profiles/darwin.nix"
- "${self}/profiles/remote-builder.nix"
- ];
-
- system.primaryUser = adminUser.name;
-
- # https://github.com/nix-darwin/nix-darwin/issues/1339
- ids.gids.nixbld = 30000;
-
- networking.hostName = "mba-m2";
-
- fonts.packages = with pkgs; [
- source-code-pro
- ];
-
- # The user should already exist, but we need to set this up so Nix knows
- # what our home directory is (https://github.com/LnL7/nix-darwin/issues/423).
- users = {
- users.${adminUser.name} = {
- home = "/Users/${adminUser.name}";
- shell = pkgs.fish;
- };
- };
-
- environment.shells = [ pkgs.fish ];
-
- programs.fish.enable = true;
- programs.fish.shellInit = ''
- # Nix
- if test -e '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.fish'
- source '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.fish'
- end
- # End Nix
- '';
-
- programs.ssh.knownHosts = {
- "github.com".publicKey =
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
- };
-
- home-manager.users.${adminUser.name} = {
- home.stateVersion = "23.05";
- home.username = "${adminUser.name}";
- home.homeDirectory = "/Users/${adminUser.name}";
- home.packages = with pkgs; [
- element-desktop
- zoom-us
- ];
- imports = [
- "${self}/home/profiles/mac.nix"
- "${self}/home/profiles/media.nix"
- ];
- inherit (adminUser) userinfo;
- };
-}
diff --git a/machines/darwin/aarch64-darwin/mba-m2/default.nix b/machines/darwin/aarch64-darwin/mba-m2/default.nix
new file mode 100644
index 0000000..737c4a4
--- /dev/null
+++ b/machines/darwin/aarch64-darwin/mba-m2/default.nix
@@ -0,0 +1,73 @@
+{
+ adminUser,
+ pkgs,
+ self,
+ ...
+}:
+{
+
+ age = {
+ secrets = {
+ ssh-remote-builder = {
+ file = "${self}/secrets/ssh-remote-builder.age";
+ };
+ };
+ };
+
+ imports = [
+ "${self}/profiles/home-manager.nix"
+ "${self}/profiles/darwin.nix"
+ "${self}/profiles/remote-builder.nix"
+ ];
+
+ system.primaryUser = adminUser.name;
+
+ # https://github.com/nix-darwin/nix-darwin/issues/1339
+ ids.gids.nixbld = 30000;
+
+ networking.hostName = "mba-m2";
+
+ fonts.packages = with pkgs; [
+ source-code-pro
+ ];
+
+ # The user should already exist, but we need to set this up so Nix knows
+ # what our home directory is (https://github.com/LnL7/nix-darwin/issues/423).
+ users = {
+ users.${adminUser.name} = {
+ home = "/Users/${adminUser.name}";
+ shell = pkgs.fish;
+ };
+ };
+
+ environment.shells = [ pkgs.fish ];
+
+ programs.fish.enable = true;
+ programs.fish.shellInit = ''
+ # Nix
+ if test -e '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.fish'
+ source '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.fish'
+ end
+ # End Nix
+ '';
+
+ programs.ssh.knownHosts = {
+ "github.com".publicKey =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
+ };
+
+ home-manager.users.${adminUser.name} = {
+ home.stateVersion = "23.05";
+ home.username = "${adminUser.name}";
+ home.homeDirectory = "/Users/${adminUser.name}";
+ home.packages = with pkgs; [
+ element-desktop
+ zoom-us
+ ];
+ imports = [
+ "${self}/home/profiles/mac.nix"
+ "${self}/home/profiles/media.nix"
+ ];
+ inherit (adminUser) userinfo;
+ };
+}
diff --git a/machines/nixos/x86_64-linux/digitalocean.nix b/machines/nixos/x86_64-linux/digitalocean.nix
deleted file mode 100644
index 1a011e1..0000000
--- a/machines/nixos/x86_64-linux/digitalocean.nix
+++ /dev/null
@@ -1,119 +0,0 @@
-{
- adminUser,
- config,
- lib,
- modulesPath,
- self,
- ...
-}:
-{
- age = {
- secrets = {
- wireguard = {
- file = "${self}/secrets/do/wireguard.age";
- };
- };
- };
-
- imports = [
- (modulesPath + "/profiles/qemu-guest.nix")
- (modulesPath + "/virtualisation/digital-ocean-config.nix")
- "${self}/profiles/home-manager.nix"
- "${self}/profiles/admin-user/user.nix"
- "${self}/profiles/admin-user/home-manager.nix"
- "${self}/profiles/disk/vm.nix"
- "${self}/profiles/server.nix"
- ];
-
- disko.devices.disk.disk1.device = "/dev/vda";
-
- # do not use DHCP, as DigitalOcean provisions IPs using cloud-init
- networking.useDHCP = lib.mkForce false;
-
- networking.hostName = "do-jump";
-
- boot.loader.grub = {
- efiSupport = true;
- efiInstallAsRemovable = true;
- };
-
- home-manager.users.${adminUser.name} = {
- imports = [
- "${self}/home/profiles/minimal.nix"
- ];
- };
-
- # this one seems to always be broken
- systemd.services.growpart.enable = false;
-
- # in order to get networking setup we need to enable it in cloud-init
- # Disables all modules that do not work with NixOS
- # Based on https://github.com/nix-community/nixos-anywhere-examples/blob/7f945ff0ae676c0eb77360b892add91328dd1f17/digitalocean.nix
- services.cloud-init = {
- enable = true;
- network.enable = true;
- settings = {
- datasource_list = [
- "ConfigDrive"
- "Digitalocean"
- ];
- datasource.ConfigDrive = { };
- datasource.Digitalocean = { };
- # Based on https://github.com/canonical/cloud-init/blob/main/config/cloud.cfg.tmpl
- cloud_init_modules = [
- "seed_random"
- "bootcmd"
- "write_files"
- "growpart"
- "resizefs"
- "set_hostname"
- "update_hostname"
- "set_password"
- ];
- cloud_config_modules = [
- "ssh-import-id"
- "keyboard"
- "runcmd"
- "disable_ec2_metadata"
- ];
- cloud_final_modules = [
- "write_files_deferred"
- "puppet"
- "chef"
- "ansible"
- "mcollective"
- "salt_minion"
- "reset_rmc"
- "scripts_per_once"
- "scripts_per_boot"
- "scripts_user"
- "ssh_authkey_fingerprints"
- "keys_to_console"
- "install_hotplug"
- "phone_home"
- "final_message"
- ];
- };
- };
-
- networking.wireguard = {
- enable = true;
- interfaces.wg0 = {
- ips = [ "10.100.0.50/32" ];
- listenPort = 51871;
- privateKeyFile = config.age.secrets.wireguard.path;
- peers = [
- {
- publicKey = "bJZyQoemudGJQox8Iegebm23c4BNVIxRPy1kmI2l904=";
- allowedIPs = [ "10.100.0.0/24" ];
- persistentKeepalive = 25;
- }
- ];
- };
- };
-
- networking.firewall.trustedInterfaces = [ "wg0" ];
- networking.firewall.allowedUDPPorts = [ 51871 ];
-
- system.stateVersion = "25.05"; # Did you read the comment?
-}
diff --git a/machines/nixos/x86_64-linux/do-rproxy/default.nix b/machines/nixos/x86_64-linux/do-rproxy/default.nix
new file mode 100644
index 0000000..1a011e1
--- /dev/null
+++ b/machines/nixos/x86_64-linux/do-rproxy/default.nix
@@ -0,0 +1,119 @@
+{
+ adminUser,
+ config,
+ lib,
+ modulesPath,
+ self,
+ ...
+}:
+{
+ age = {
+ secrets = {
+ wireguard = {
+ file = "${self}/secrets/do/wireguard.age";
+ };
+ };
+ };
+
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ (modulesPath + "/virtualisation/digital-ocean-config.nix")
+ "${self}/profiles/home-manager.nix"
+ "${self}/profiles/admin-user/user.nix"
+ "${self}/profiles/admin-user/home-manager.nix"
+ "${self}/profiles/disk/vm.nix"
+ "${self}/profiles/server.nix"
+ ];
+
+ disko.devices.disk.disk1.device = "/dev/vda";
+
+ # do not use DHCP, as DigitalOcean provisions IPs using cloud-init
+ networking.useDHCP = lib.mkForce false;
+
+ networking.hostName = "do-jump";
+
+ boot.loader.grub = {
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ };
+
+ home-manager.users.${adminUser.name} = {
+ imports = [
+ "${self}/home/profiles/minimal.nix"
+ ];
+ };
+
+ # this one seems to always be broken
+ systemd.services.growpart.enable = false;
+
+ # in order to get networking setup we need to enable it in cloud-init
+ # Disables all modules that do not work with NixOS
+ # Based on https://github.com/nix-community/nixos-anywhere-examples/blob/7f945ff0ae676c0eb77360b892add91328dd1f17/digitalocean.nix
+ services.cloud-init = {
+ enable = true;
+ network.enable = true;
+ settings = {
+ datasource_list = [
+ "ConfigDrive"
+ "Digitalocean"
+ ];
+ datasource.ConfigDrive = { };
+ datasource.Digitalocean = { };
+ # Based on https://github.com/canonical/cloud-init/blob/main/config/cloud.cfg.tmpl
+ cloud_init_modules = [
+ "seed_random"
+ "bootcmd"
+ "write_files"
+ "growpart"
+ "resizefs"
+ "set_hostname"
+ "update_hostname"
+ "set_password"
+ ];
+ cloud_config_modules = [
+ "ssh-import-id"
+ "keyboard"
+ "runcmd"
+ "disable_ec2_metadata"
+ ];
+ cloud_final_modules = [
+ "write_files_deferred"
+ "puppet"
+ "chef"
+ "ansible"
+ "mcollective"
+ "salt_minion"
+ "reset_rmc"
+ "scripts_per_once"
+ "scripts_per_boot"
+ "scripts_user"
+ "ssh_authkey_fingerprints"
+ "keys_to_console"
+ "install_hotplug"
+ "phone_home"
+ "final_message"
+ ];
+ };
+ };
+
+ networking.wireguard = {
+ enable = true;
+ interfaces.wg0 = {
+ ips = [ "10.100.0.50/32" ];
+ listenPort = 51871;
+ privateKeyFile = config.age.secrets.wireguard.path;
+ peers = [
+ {
+ publicKey = "bJZyQoemudGJQox8Iegebm23c4BNVIxRPy1kmI2l904=";
+ allowedIPs = [ "10.100.0.0/24" ];
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+
+ networking.firewall.trustedInterfaces = [ "wg0" ];
+ networking.firewall.allowedUDPPorts = [ 51871 ];
+
+ system.stateVersion = "25.05"; # Did you read the comment?
+}
diff --git a/machines/nixos/x86_64-linux/synology-vm/default.nix b/machines/nixos/x86_64-linux/synology-vm/default.nix
new file mode 100644
index 0000000..05d4d8c
--- /dev/null
+++ b/machines/nixos/x86_64-linux/synology-vm/default.nix
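Review bot: The flake output for this machine is now `do-rproxy`, but the module still sets `networking.hostName = "do-jump"` and the attribute it replaced was `digitalocean`, so the same box is known by three names across the repo; a `nixos-rebuild switch --flake .` run on the host itself would look for `nixosConfigurations.do-jump` and find nothing, and the helper scripts only work because they pass `.#do-rproxy` explicitly. Pick one name and set `networking.hostName = "do-rproxy";`, or rename the directory to match the host. Nothing else in the module changes in this move.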
@@ -0,0 +1,110 @@
+{
+ lib,
+ adminUser,
+ config,
+ self,
+ ...
+}:
+{
+ age = {
+ secrets = {
+ restic_gcs_credentials = {
+ file = "${self}/secrets/restic_gcs_credentials.age";
+ };
+ restic_password = {
+ file = "${self}/secrets/restic_password.age";
+ };
+ cloudflared-tunnel = {
+ file = "${self}/secrets/cloudflared_cragmont.age";
+ };
+ cloudflared-cert = {
+ file = "${self}/secrets/cloudflared_cert.age";
+ };
+ nas_client_credentials = {
+ file = "${self}/secrets/nas_client.age";
+ };
+ wireguard = {
+ file = "${self}/secrets/vm-synology/wireguard.age";
+ };
+ };
+ };
+
+ imports = [
+ "${self}/profiles/home-manager.nix"
+ "${self}/profiles/admin-user/user.nix"
+ "${self}/profiles/admin-user/home-manager.nix"
+ "${self}/profiles/hardware/synology.nix"
+ "${self}/profiles/disk/vm.nix"
+ "${self}/profiles/server.nix"
+ "${self}/profiles/git-server.nix"
+ ];
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.loader.systemd-boot.enable = true;
+
+ networking.hostName = "vm-synology";
+ networking.useDHCP = lib.mkDefault true;
+ systemd.network.wait-online.anyInterface = lib.mkDefault config.networking.useDHCP;
+
+ home-manager.users.${adminUser.name} = {
+ imports = [
+ "${self}/home/profiles/minimal.nix"
+ ];
+ };
+
+ my.modules.nas-client = {
+ enable = true;
+ volumes = {
+ data = {
+ server = "192.168.1.68";
+ remotePath = "backups";
+ mountPoint = "/data/backups";
+ uid = adminUser.uid;
+ };
+ };
+ };
+
+ my.modules.backups = {
+ enable = true;
+ passwordFile = config.age.secrets.restic_password.path;
+ remote = {
+ googleProjectId = "fcuny-infra";
+ googleCredentialsFile = config.age.secrets.restic_gcs_credentials.path;
+ };
+ };
+
+ users.users.builder = {
+ openssh.authorizedKeys.keys = [
+ # my personal key
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
+ # remote builder ssh key
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFGxdplt9WwGjdhoYkmPe2opZMJShtpqnGCI+swrgvw"
+ ];
+ isNormalUser = true;
+ group = "nogroup";
+ };
+
+ nix.settings.trusted-users = [ "builder" ];
+
+ networking.wireguard = {
+ enable = true;
+ interfaces.wg0 = {
+ ips = [ "10.100.0.40/32" ];
+ listenPort = 51871;
+ privateKeyFile = config.age.secrets.wireguard.path;
+ peers = [
+ {
+ publicKey = "I+l/sWtfXcdunz2nZ05rlDexGew30ZuDxL0DVTTK318=";
+ allowedIPs = [ "10.100.0.0/24" ];
+ endpoint = "165.232.158.110:51871";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+
+ networking.firewall.allowedUDPPorts = [ 51871 ];
+
+ system.stateVersion = "23.11"; # Did you read the comment?
+}
diff --git a/machines/nixos/x86_64-linux/vm-synology.nix b/machines/nixos/x86_64-linux/vm-synology.nix
deleted file mode 100644
index 05d4d8c..0000000
--- a/machines/nixos/x86_64-linux/vm-synology.nix
+++ /dev/null
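Review bot: `networking.hostName = "vm-synology"` no longer matches the flake output this directory now produces (`synology-vm`, via the `readDir`-driven mapping in flake/hosts.nix), so a bare `nixos-rebuild switch --flake .` run on the machine, which picks the attribute by hostname, will stop finding its configuration; the helper scripts still work only because they pass `.#synology-vm` explicitly. Either set `networking.hostName = "synology-vm";` or keep the directory name in step with the host. Separately, `nix.settings.trusted-users = [ "builder" ]` extends daemon-level trust to both keys listed under `users.users.builder`, including the one commented as a personal key; if that key is only meant to drive remote builds, a `command=`/`restrict` option on its `authorized_keys` entry would narrow what it can do. The rest of the module is unchanged by this move.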
@@ -1,110 +0,0 @@
-{
- lib,
- adminUser,
- config,
- self,
- ...
-}:
-{
- age = {
- secrets = {
- restic_gcs_credentials = {
- file = "${self}/secrets/restic_gcs_credentials.age";
- };
- restic_password = {
- file = "${self}/secrets/restic_password.age";
- };
- cloudflared-tunnel = {
- file = "${self}/secrets/cloudflared_cragmont.age";
- };
- cloudflared-cert = {
- file = "${self}/secrets/cloudflared_cert.age";
- };
- nas_client_credentials = {
- file = "${self}/secrets/nas_client.age";
- };
- wireguard = {
- file = "${self}/secrets/vm-synology/wireguard.age";
- };
- };
- };
-
- imports = [
- "${self}/profiles/home-manager.nix"
- "${self}/profiles/admin-user/user.nix"
- "${self}/profiles/admin-user/home-manager.nix"
- "${self}/profiles/hardware/synology.nix"
- "${self}/profiles/disk/vm.nix"
- "${self}/profiles/server.nix"
- "${self}/profiles/git-server.nix"
- ];
-
- # Use the systemd-boot EFI boot loader.
- boot.loader.efi.canTouchEfiVariables = true;
- boot.loader.systemd-boot.enable = true;
-
- networking.hostName = "vm-synology";
- networking.useDHCP = lib.mkDefault true;
- systemd.network.wait-online.anyInterface = lib.mkDefault config.networking.useDHCP;
-
- home-manager.users.${adminUser.name} = {
- imports = [
- "${self}/home/profiles/minimal.nix"
- ];
- };
-
- my.modules.nas-client = {
- enable = true;
- volumes = {
- data = {
- server = "192.168.1.68";
- remotePath = "backups";
- mountPoint = "/data/backups";
- uid = adminUser.uid;
- };
- };
- };
-
- my.modules.backups = {
- enable = true;
- passwordFile = config.age.secrets.restic_password.path;
- remote = {
- googleProjectId = "fcuny-infra";
- googleCredentialsFile = config.age.secrets.restic_gcs_credentials.path;
- };
- };
-
- users.users.builder = {
- openssh.authorizedKeys.keys = [
- # my personal key
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
- # remote builder ssh key
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFGxdplt9WwGjdhoYkmPe2opZMJShtpqnGCI+swrgvw"
- ];
- isNormalUser = true;
- group = "nogroup";
- };
-
- nix.settings.trusted-users = [ "builder" ];
-
- networking.wireguard = {
- enable = true;
- interfaces.wg0 = {
- ips = [ "10.100.0.40/32" ];
- listenPort = 51871;
- privateKeyFile = config.age.secrets.wireguard.path;
- peers = [
- {
- publicKey = "I+l/sWtfXcdunz2nZ05rlDexGew30ZuDxL0DVTTK318=";
- allowedIPs = [ "10.100.0.0/24" ];
- endpoint = "165.232.158.110:51871";
- persistentKeepalive = 25;
- }
- ];
- };
- };
-
- networking.firewall.allowedUDPPorts = [ 51871 ];
-
- system.stateVersion = "23.11"; # Did you read the comment?
-}
diff --git a/scripts/darwin.nix b/scripts/darwin.nix
index ec97d20..44a0fcd 100644
--- a/scripts/darwin.nix
+++ b/scripts/darwin.nix
@@ -18,28 +18,28 @@ echo "> macOS config was successfully applied 🚀" '') - (pkgs.writeScriptBin "build-vm-synology" '' + (pkgs.writeScriptBin "build-synology-vm" '' set -e echo "> Running nixos-rebuild build ..." - ${pkgs.nixos-rebuild}/bin/nixos-rebuild build --keep-going --flake .#vm-synology --target-host vm-synology --build-host vm-synology --fast --use-remote-sudo --use-substitutes + ${pkgs.nixos-rebuild}/bin/nixos-rebuild build --keep-going --flake .#synology-vm --target-host 192.168.1.151 --build-host 192.168.1.151 --fast --use-remote-sudo --use-substitutes echo "> nixos-rebuild build was successful ✅" '') - (pkgs.writeScriptBin "switch-vm-synology" '' + (pkgs.writeScriptBin "switch-synology-vm" '' set -e echo "> Running nixos-rebuild switch ..." - ${pkgs.nixos-rebuild}/bin/nixos-rebuild switch --keep-going --flake .#vm-synology --target-host vm-synology --build-host vm-synology --fast --use-remote-sudo --use-substitutes + ${pkgs.nixos-rebuild}/bin/nixos-rebuild switch --keep-going --flake .#synology-vm --target-host 192.168.1.151 --build-host 192.168.1.151 --fast --use-remote-sudo --use-substitutes echo "> nixos config successfully applied 🚀" '') - (pkgs.writeScriptBin "build-do" '' + (pkgs.writeScriptBin "build-do-rproxy" '' set -e echo "> Running nixos-rebuild build ..." - ${pkgs.nixos-rebuild}/bin/nixos-rebuild build --keep-going --flake .#digitalocean --target-host 165.232.158.110 --build-host 165.232.158.110 --fast --use-remote-sudo --use-substitutes + ${pkgs.nixos-rebuild}/bin/nixos-rebuild build --keep-going --flake .#do-rproxy --target-host 165.232.158.110 --build-host 165.232.158.110 --fast --use-remote-sudo --use-substitutes echo "> nixos-rebuild build was successful ✅" '') - (pkgs.writeScriptBin "switch-do" '' + (pkgs.writeScriptBin "switch-do-rproxy" '' set -e echo "> Running nixos-rebuild switch ..." 
${pkgs.nixos-rebuild}/bin/nixos-rebuild switch --keep-going --flake .#digitalocean --target-host 165.232.158.110 --build-host 165.232.158.110 --fast --use-remote-sudo --use-substitutes -- cgit v1.2.3