Split organ config into modules

KubqoA · Sep 16, 2024 · a0dc61a · a0dc61a
1 parent a6c38b1
commit a0dc61a
Show file tree

Hide file tree

Showing 10 changed files with 260 additions and 235 deletions.
diff --git a/hosts/harmonium/default.nix b/hosts/harmonium/default.nix
@@ -4,11 +4,15 @@
   inputs,
   ...
 }: {
-  imports = [
-    inputs.lanzaboote.nixosModules.lanzaboote
-    inputs.nixos-hardware.nixosModules.lenovo-thinkpad-p14s-amd-gen2
-    ./hardware-configuration.nix
-  ];
+  imports =
+    [
+      inputs.lanzaboote.nixosModules.lanzaboote
+      inputs.nixos-hardware.nixosModules.lenovo-thinkpad-p14s-amd-gen2
+      ./hardware-configuration.nix
+    ]
+    ++ lib._.moduleImports [
+      "common/nix"
+    ];
 
   hardware.enableAllFirmware = true;
   nixpkgs.config.allowUnfree = true;
@@ -63,26 +67,6 @@
     shell = pkgs.zsh;
   };
 
-  # Enable support for nix commands and flakes
-  nix.settings.experimental-features = ["nix-command" "flakes"];
-
-  # Pinning the registry to the system pkgs on NixOS
-  nix.registry.nixpkgs.flake = inputs.nixpkgs;
-
-  # Perform garbage collection weekly to maintain low disk usage
-  nix.gc = {
-    automatic = true;
-    dates = "weekly";
-    options = "--delete-older-than 1w";
-  };
-
-  # Optimize storage
-  # You can also manually optimize the store via:
-  #    nix-store --optimise
-  # Refer to the following link for more details:
-  # https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-auto-optimise-store
-  nix.settings.auto-optimise-store = true;
-
   # Lanzaboote currently replaces the systemd-boot module.
   # This setting is usually set to true in configuration.nix
   # generated at installation time. So we force it to false

diff --git a/hosts/nyckelharpa/default.nix b/hosts/nyckelharpa/default.nix
@@ -1,21 +1,11 @@
 {
+  lib,
   pkgs,
   self,
   system,
   ...
 }: {
-  imports = [./homebrew.nix];
-
-  # Necessary for using flakes on this system.
-  nix = {
-    package = pkgs.nix;
-    settings.experimental-features = "nix-command flakes";
-    extraOptions = ''
-      auto-optimise-store = true
-      experimental-features = nix-command flakes
-      extra-platforms = aarch64-darwin
-    '';
-  };
+  imports = [./homebrew.nix] ++ lib._.moduleImports ["common/nix"];
 
   # Auto upgrade nix package and the daemon service.
   services.nix-daemon.enable = true;

diff --git a/hosts/organ/default.nix b/hosts/organ/default.nix
@@ -1,24 +1,23 @@
 {
   config,
-  inputs,
   lib,
   pkgs,
   ...
-}: let
-  ipv4 = "116.203.250.61";
-  ipv6 = "2a01:4f8:c012:58f4::";
-  tailnet = "ide-vega.ts.net";
-  tailscaleIpv4 = "100.67.2.27";
-  tailscaleIpv6 = "fd7a:115c:a1e0::f101:21b";
-in {
-  imports = [
-    ./hardware-configuration.nix
-  ];
-
-  age.secrets = lib._.defineSecrets ["organ-jakub-password-hash" "organ-tailscale-auth-key"] {
-    "organ-jakubarbetme-tsig" = {owner = "named";};
-    "organ-git-ssh-key" = {owner = "git"; mode="0600";};
-  };
+}: {
+  imports =
+    [
+      ./dns.nix
+      ./git.nix
+      ./hardware-configuration.nix
+      ./networking.nix
+      ./nginx.nix
+      ./tailscale.nix
+    ]
+    ++ lib._.moduleImports [
+      "common/nix"
+    ];
+
+  age.secrets = lib._.defineSecrets ["organ-jakub-password-hash"] {};
 
   users.users = {
     jakub = {
@@ -28,32 +27,8 @@ in {
       extraGroups = ["wheel"];
       shell = pkgs.zsh;
     };
-    git = {
-      isNormalUser = true;
-      description = "soft-serve proxy user";
-      shell = let
-        soft-serve-proxy = pkgs.writeShellScriptBin "soft-serve-proxy" ''
-          #!/bin/bash
-          if [ "$1" = "-c" ]; then
-            shift
-            exec ${pkgs.openssh}/bin/ssh -p 23231 localhost "$@"
-          else
-            exec ${pkgs.openssh}/bin/ssh -p 23231 localhost "$@"
-          fi
-        '';
-      in "${soft-serve-proxy}/bin/soft-serve-proxy";
-    };
   };
 
-  system.activationScripts.git-ssh-key = let
-    sshDir = "${config.users.users.git.home}/.ssh";
-  in ''
-    mkdir -p ${sshDir}
-    chown -R git:users ${sshDir}
-    chmod 700 ${sshDir}
-    ln -sf ${config.age.secrets.organ-git-ssh-key.path} ${sshDir}/id_ed25519;
-  '';
-
   environment.systemPackages = with pkgs; [
     git
     curl
@@ -63,93 +38,10 @@ in {
 
   programs.zsh.enable = true;
 
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "[email protected]";
-  };
-
   services = {
-    # Used to define DNS records for jakubarbet.me domain and
-    # replicate them to dns.he.net servers
-    bind = {
-      enable = true;
-      listenOn = ["127.0.0.1" "0.0.0.0"];
-      listenOnIpv6 = ["::1" "::"];
-      forwarders = config.networking.nameservers;
-      extraConfig = ''
-        include "${config.age.secrets.organ-jakubarbetme-tsig.path}";
-      '';
-      zones."jakubarbet.me" = {
-        master = true;
-        file = ./jakubarbet.me.conf;
-        slaves = ["key jakubarbet.me"];
-        extraConfig = ''
-          also-notify {
-            216.218.130.2 key jakubarbet.me;
-            2001:470:100::2 key jakubarbet.me;
-          };
-        '';
-      };
-    };
-    # Used to define DNS override for organ.jakubarbet.me to tailscale IPs
-    # so devices connected to the tailnet can access the site which is behind
-    # an tailscale-auth protection
-    dnsmasq = {
-      enable = true;
-      settings = {
-        bind-interfaces = true;
-        listen-address = "${tailscaleIpv4},${tailscaleIpv6}";
-        address = ["/organ.jakubarbet.me/${tailscaleIpv4}" "/organ.jakubarbet.me/${tailscaleIpv6}"];
-      };
-    };
-    nginx = {
-      enable = true;
-      recommendedProxySettings = true;
-      recommendedTlsSettings = true;
-      virtualHosts."git.jakubarbet.me" = {
-        enableACME = true;
-	forceSSL = true;
-	locations."/" = {
-	  proxyPass = "http://localhost:23232";
-	};
-      };
-      virtualHosts."organ.jakubarbet.me" = {
-        enableACME = true;
-        forceSSL = true;
-        extraConfig = ''
-          proxy_intercept_errors on;
-          error_page 401 /unauthorized.html;
-        '';
-        locations."/unauthorized.html" = {
-          root = "/srv/www/organ.jakubarbet.me";
-          extraConfig = "internal;";
-        };
-        locations."/syncthing/" = {
-          extraConfig = "auth_request /auth;";
-          proxyPass = "http://localhost:8384/";
-        };
-      };
-      tailscaleAuth = {
-        enable = true;
-        expectedTailnet = tailnet;
-        virtualHosts = ["organ.jakubarbet.me"];
-      };
-    };
     openssh = {
       enable = true;
-      settings = {
-        PermitRootLogin = "prohibit-password";
-        PasswordAuthentication = false;
-      };
-    };
-    soft-serve = {
-      enable = true;
-      settings = {
-        name = "Jakub's repos";
-	ssh.public_url = "ssh://[email protected]";
-	http.public_url = "https://git.jakubarbet.me";
-	initial_admin_keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICccFGBTx80CNOVaPBGxO9HzuAZ8rKTy7Ua6ZKJBLXev"];
-      };
+      settings.PasswordAuthentication = false;
     };
     syncthing = {
       enable = true;
@@ -159,95 +51,24 @@ in {
       # https://docs.syncthing.net/users/config.html#config-option-gui.insecureskiphostcheck
       settings.gui.insecureSkipHostcheck = true;
     };
-    tailscale = {
-      enable = true;
-      authKeyFile = config.age.secrets.organ-tailscale-auth-key.path;
-      useRoutingFeatures = "server";
-      openFirewall = true;
-      extraUpFlags = ["--advertiseTags tag:ssh"];
-      extraSetFlags = [
-        "--ssh"
-        "--advertise-exit-node" # offer to be exit node internet traffic for tailnet
-        "--advertise-connector" # offer to be app connector for domain specific internet traffic for tailnet
-      ];
-    };
   };
 
-  # Bind ports:
-  # - 53 TCP/UDP for zone transfers
-  # Nginx ports
-  # - 80 and 443 TCP
   # Syncthing ports:
   # - 22000 TCP and/or UDP for sync traffic
   # - 21027/UDP for discovery
   # source: https://docs.syncthing.net/users/firewall.html
   networking.firewall = {
-    enable = true;
-    trustedInterfaces = lib.optionals config.services.tailscale.enable [config.services.tailscale.interfaceName];
     allowedTCPPorts =
-      []
-      ++ lib.optionals config.services.bind.enable [53]
-      ++ lib.optionals config.services.nginx.enable [80 443]
-      ++ lib.optionals config.services.syncthing.enable [22000]
+      lib.optionals config.services.syncthing.enable [22000]
       ++ lib.optionals config.services.syncthing.relay.enable [
         config.services.syncthing.relay.port
         config.services.syncthing.relay.statusPort
       ];
-    allowedUDPPorts =
-      []
-      ++ lib.optionals config.services.bind.enable [53]
-      ++ lib.optionals config.services.syncthing.enable [22000 21027];
-  };
-
-  nix = {
-    # Enable support for nix commands and flakes
-    settings.experimental-features = ["nix-command" "flakes"];
-
-    # Pinning the registry to the system pkgs on NixOS
-    registry.nixpkgs.flake = inputs.nixpkgs;
-
-    # Perform garbage collection weekly to maintain low disk usage
-    gc = {
-      automatic = true;
-      dates = "weekly";
-      options = "--delete-older-than 1w";
-    };
-
-    # Optimize storage
-    # You can also manually optimize the store via:
-    #    nix-store --optimise
-    # Refer to the following link for more details:
-    # https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-auto-optimise-store
-    settings.auto-optimise-store = true;
+    allowedUDPPorts = lib.optionals config.services.syncthing.enable [22000 21027];
   };
 
   time.timeZone = "Europe/Prague";
 
-  networking = {
-    hostName = "organ";
-    useDHCP = false;
-    nameservers = ["1.1.1.1" "1.0.0.1" "2606:4700:4700::1111" "2606:4700:4700::1001"];
-  };
-
-  systemd.network = {
-    enable = true;
-    networks."10-wan" = {
-      matchConfig.Name = "enp1s0";
-      networkConfig.DHCP = "no";
-      address = [
-        "${ipv4}/32"
-        "${ipv6}/64"
-      ];
-      routes = [
-        {
-          Gateway = "172.31.1.1";
-          GatewayOnLink = true;
-        }
-        {Gateway = "fe80::1";}
-      ];
-    };
-  };
-
   boot.loader = {
     systemd-boot.enable = true;
     systemd-boot.configurationLimit = 5;

diff --git a/hosts/organ/dns.nix b/hosts/organ/dns.nix
@@ -0,0 +1,39 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  ipv4 = "116.203.250.61";
+  ipv6 = "2a01:4f8:c012:58f4::";
+in {
+  age.secrets = lib._.defineSecrets [] {
+    "organ-jakubarbetme-tsig" = {owner = "named";};
+  };
+
+  # Used to define DNS records for jakubarbet.me domain and
+  # replicate them to dns.he.net servers
+  services.bind = {
+    enable = true;
+    listenOn = [ipv4 "127.0.0.1"];
+    listenOnIpv6 = [ipv6 "::1"];
+    extraConfig = ''
+      include "${config.age.secrets.organ-jakubarbetme-tsig.path}";
+    '';
+    zones."jakubarbet.me" = {
+      master = true;
+      file = ./jakubarbet.me.conf;
+      slaves = ["key jakubarbet.me"];
+      extraConfig = ''
+        also-notify {
+          216.218.130.2 key jakubarbet.me;
+          2001:470:100::2 key jakubarbet.me;
+        };
+      '';
+    };
+  };
+
+  # Bind ports:
+  # - 53 TCP/UDP for zone transfers
+  networking.firewall.allowedTCPPorts = [53];
+  networking.firewall.allowedUDPPorts = [53];
+}