diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..d35108f
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,9 @@
+keys:
+ - &admin_fern age1n9q3cspp4a6qvjv9xaf00e5d5za3d8upz4akj2fh6zt5ly3ahans3vpx5x
+ - &server_firefox-syncserver age1hrvts2jkdclk3f9atjry7chuakt5n9qmlwfwsdlcnmc88ld3ysuqz6ejge
+creation_rules:
+ - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+ key_groups:
+ - age:
+ - *admin_fern
+ - *server_firefox-syncserver
\ No newline at end of file
diff --git a/configuration/containers/firefox-syncserver.nix b/configuration/containers/firefox-syncserver.nix
deleted file mode 100644
index 3bf62a1..0000000
--- a/configuration/containers/firefox-syncserver.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{ pkgs, ... }:
-{
- services.mysql.package = pkgs.mariadb;
-
- services.firefox-syncserver = {
- enable = true;
- secrets = ./firefox-syncserver.env;
- settings.host = "0.0.0.0";
- singleNode = {
- enable = true;
- hostname = "0.0.0.0";
- url = "https://fxsync.fern.garden";
- capacity = 1;
- };
- };
-
- networking.firewall.allowedTCPPorts = [ 5000 ];
-
- system.stateVersion = "25.05";
-}
diff --git a/configuration/server/common.nix b/configuration/server/common.nix
new file mode 100644
index 0000000..c204671
--- /dev/null
+++ b/configuration/server/common.nix
@@ -0,0 +1,10 @@
+{
+ # Passwordless sudo
+ security.sudo.wheelNeedsPassword = false;
+
+ # Enable all terminfo (for ghostty)
+ environment.enableAllTerminfo = true;
+
+ # Enable SSH server
+ services.openssh.enable = true;
+}
diff --git a/configuration/server/containers/common.nix b/configuration/server/containers/common.nix
new file mode 100644
index 0000000..e84039f
--- /dev/null
+++ b/configuration/server/containers/common.nix
@@ -0,0 +1,8 @@
+{ modulesPath, ... }:
+{
+ # Import Proxmox LXC configuration.
+ imports = [
+ (modulesPath + "/virtualisation/proxmox-lxc.nix")
+ ];
+}
+
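Review bot: The `server_firefox-syncserver` recipient in the new .sops.yaml is the age form of the container's SSH host key (firefox-syncserver.nix later in this diff sets `age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]`), so recreating the LXC or regenerating its host keys silently breaks decryption on that host, and nothing in the file records where the key came from. Suggest a comment above that key: `# age recipient derived from /etc/ssh/ssh_host_ed25519_key.pub on lxc-firefox-syncserver; re-derive it and run sops updatekeys whenever the host keys change.` The single key group also means either recipient alone can decrypt, which matches an admin-plus-host model but is worth stating on the `key_groups` line.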
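Review bot: `security.sudo.wheelNeedsPassword = false;` and `services.openssh.enable = true;` now sit in a profile that flake.nix (later in this diff) applies to both VMs and both LXCs, so any wheel member reachable over SSH gets passwordless root on every server while sshd keeps its defaults for password authentication and root login; restricting SSH to keys is cheap here: `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.PermitRootLogin = "no";`. Whether the `docker` user defined in docker.nix is in wheel is not visible in this diff, but that file also keeps console autologin for it, so if it is, anyone with Proxmox console access lands in a passwordless-sudo shell.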
diff --git a/configuration/server/containers/firefox-syncserver.nix b/configuration/server/containers/firefox-syncserver.nix
new file mode 100644
index 0000000..e4b4836
--- /dev/null
+++ b/configuration/server/containers/firefox-syncserver.nix
@@ -0,0 +1,26 @@
+{ config, pkgs, secrets, ... }:
+{
+ # Secrets.
+ sops = {
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ defaultSopsFile = "${secrets}/sops.yaml";
+ secrets."firefox_syncserver/sync_master_secret" = {};
+ };
+
+ # syncserver-rs service.
+ services.mysql.package = pkgs.mariadb;
+
+ services.firefox-syncserver = {
+ enable = true;
+ secrets = config.sops.secrets."firefox_syncserver/sync_master_secret".path;
+ settings.host = "0.0.0.0";
+ singleNode = {
+ enable = true;
+ hostname = "0.0.0.0";
+ url = "https://fxsync.fern.garden";
+ capacity = 1;
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 5000 ];
+}
diff --git a/configuration/containers/technitium.nix b/configuration/server/containers/technitium.nix
similarity index 72%
rename from configuration/containers/technitium.nix
rename to configuration/server/containers/technitium.nix
index 9ed062f..e75ca4d 100644
--- a/configuration/containers/technitium.nix
+++ b/configuration/server/containers/technitium.nix
@@ -3,6 +3,4 @@
 enable = true;
 openFirewall = true;
 };
-
- system.stateVersion = "25.05";
 }
diff --git a/configuration/vm.nix b/configuration/server/docker.nix
similarity index 63%
rename from configuration/vm.nix
rename to configuration/server/docker.nix
index c1b47d6..78f4321 100755
--- a/configuration/vm.nix
+++ b/configuration/server/docker.nix
@@ -1,13 +1,4 @@
 {
- # Configure the bootloader.
- boot.loader.grub = {
- enable = true;
- device = "/dev/sda";
- };
-
- # Enable QEMU guest agent
- services.qemuGuest.enable = true;
-
 # Define a user account.
 users.users.docker = {
 isNormalUser = true;
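Review bot: The `sops.secrets."firefox_syncserver/sync_master_secret" = {};` declaration says nothing about the shape the decrypted file must have, yet its `.path` is handed straight to `services.firefox-syncserver.secrets`; as far as I recall that NixOS option expects an environment-style file (`SYNC_MASTER_SECRET=...`) rather than a bare secret value, so the value stored under that key in sops.yaml has to be in that form — confirm against the module. sops-nix also writes the file root-owned with mode 0400 by default, which only works if systemd rather than the service's own user reads it (fine for an EnvironmentFile, not for a file the daemon opens itself), so set `owner`/`mode` on the declaration if the latter applies. A comment recording both constraints would help: `# Env-style file (SYNC_MASTER_SECRET=...) consumed by services.firefox-syncserver.secrets; root:0400 default assumes systemd reads it.` Since the removed configuration pointed `secrets` at a repo-relative `./firefox-syncserver.env`, if that file was ever committed the master secret is in git history and should be rotated rather than re-encrypted as-is.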
@@ -27,17 +18,6 @@ # Auto login services.getty.autologinUser = "docker"; - # Passwordless sudo - security.sudo.wheelNeedsPassword = false; - - # Enable all terminfo (for ghostty) - environment.enableAllTerminfo = true; - - # Enable SSH server - services.openssh.enable = true; - # Enable docker - virtualisation.docker = { - enable = true; - }; + virtualisation.docker.enable = true; } diff --git a/configuration/server/vm.nix b/configuration/server/vm.nix new file mode 100644 index 0000000..9761851 --- /dev/null +++ b/configuration/server/vm.nix @@ -0,0 +1,30 @@ +{ lib, modulesPath, ... }: +{ + # Import qemu guest configuration. + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + # Load kernel modules. + boot.initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "virtio_pci" + "virtio_scsi" + "sd_mod" + ]; + + boot.kernelModules = [ "kvm-intel" ]; + + # Enable DHCP. + networking.useDHCP = lib.mkDefault true; + + # Configure the bootloader. + boot.loader.grub = { + enable = true; + device = "/dev/sda"; + }; + + # Enable QEMU guest agent + services.qemuGuest.enable = true; +} diff --git a/flake.lock b/flake.lock index ce4c560..4cea764 100755 --- a/flake.lock +++ b/flake.lock @@ -176,6 +176,22 @@ "type": "github" } }, + "nixpkgs_3": { + "locked": { + "lastModified": 1744868846, + "narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ebe4301cbd8f81c4f8d3244b3632338bbeb6d49c", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "pre-commit-hooks-nix": { "inputs": { "flake-compat": [ @@ -208,7 +224,9 @@ "fluffychat2": "fluffychat2", "lanzaboote": "lanzaboote", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_2", + "secrets": "secrets", + "sops-nix": "sops-nix" } }, "rust-overlay": { 
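Review bot: `boot.initrd.availableKernelModules` in the new shared configuration/server/vm.nix omits `"sr_mod"`, which the deleted hardware-configuration/vm-docker.nix later in this diff listed, so the docker VM's initrd silently loses the SCSI CD-ROM driver; that is probably harmless for a virtio-scsi root disk, but it is an unannounced departure from a generated hardware scan. If intentional, record it: `# "sr_mod" (CD-ROM) from the old vm-docker scan is dropped; not needed to boot from virtio-scsi.`; otherwise add it back to the list. The old vm-minecraft scan did not list it, so the two VMs previously differed here.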
@@ -231,6 +249,41 @@ "repo": "rust-overlay", "type": "github" } + }, + "secrets": { + "flake": false, + "locked": { + "lastModified": 1751952212, + "narHash": "sha256-2W/h9pas2gJrRtrZYzBxXUZ99i6W3xXtfiIxOI19rhs=", + "ref": "main", + "rev": "11bb31b71e2ef6795c9b0184f9e10e2946071ed8", + "revCount": 1, + "type": "git", + "url": "ssh://git@docker.local:222/fern/secrets" + }, + "original": { + "ref": "main", + "type": "git", + "url": "ssh://git@docker.local:222/fern/secrets" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": "nixpkgs_3" + }, + "locked": { + "lastModified": 1751606940, + "narHash": "sha256-KrDPXobG7DFKTOteqdSVeL1bMVitDcy7otpVZWDE6MA=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "3633fc4acf03f43b260244d94c71e9e14a2f6e0d", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index b859fcc..a73feb3 100755 --- a/flake.nix +++ b/flake.nix @@ -5,6 +5,11 @@ nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05"; # Stable nixpkgs. lanzaboote.url = "github:nix-community/lanzaboote"; # Secure boot. nixos-hardware.url = "github:NixOS/nixos-hardware"; # Hardware specific config. + sops-nix.url = "github:Mic92/sops-nix"; # Secrets management. + secrets = { + url = "git+ssh://git@docker.local:222/fern/secrets?ref=main"; + flake = false; + }; # Secrets repo. # Updated packages. fluffychat2.url = "github:NixOS/nixpkgs?ref=pull/419632/head"; # FluffyChat 2.0.0 @@ -17,11 +22,13 @@ nixpkgs, lanzaboote, nixos-hardware, + sops-nix, fluffychat2, feishin0_17, ... }: { + # ThinkPad T480 nixosConfigurations.muskduck = nixpkgs.lib.nixosSystem rec { system = "x86_64-linux"; 
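Review bot: The new `secrets` input is a non-flake git input, so the whole repository is fetched into /nix/store on every machine that evaluates this flake (lxc-firefox-syncserver later reads `${secrets}/sops.yaml` out of it), and the store is world-readable; that is safe only while every file in that repo is sops-encrypted, which the inline `# Secrets repo.` comment does not say. Suggest `# Secrets repo (non-flake input): copied whole into the world-readable /nix/store, so it must hold only sops-encrypted files.` in its place. Fetching via `git+ssh://git@docker.local:222` also means evaluation needs an SSH identity with read access to that host and mDNS resolution of docker.local, which is worth recording next to the URL since the lock pins only the rev.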
@@ -38,10 +45,13 @@
 ./configuration/common.nix
 ./configuration/desktop.nix
- ./hardware-configuration/muskduck.nix # Include the results of the hardware scan.
+
+ ./hosts/muskduck.nix # Include the results of the hardware scan.
 ];
 };
+ ### Proxmox Guests ###
+
 nixosConfigurations.vm-minecraft = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
@@ -49,8 +59,12 @@
 { networking.hostName = "minecraft"; }
 ./configuration/common.nix
- ./configuration/vm.nix
- ./hardware-configuration/vm-minecraft.nix # Include the results of the hardware scan.
+
+ ./configuration/server/common.nix
+ ./configuration/server/vm.nix
+ ./configuration/server/docker.nix
+
+ ./hosts/vm-minecraft.nix # Include the results of the hardware scan.
 ];
 };
@@ -61,8 +75,12 @@
 { networking.hostName = "docker"; }
 ./configuration/common.nix
- ./configuration/vm.nix
- ./hardware-configuration/vm-docker.nix # Include the results of the hardware scan.
+
+ ./configuration/server/common.nix
+ ./configuration/server/vm.nix
+ ./configuration/server/docker.nix
+
+ ./hosts/vm-docker.nix # Include the results of the hardware scan.
 ];
 };
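Review bot: The retained comment `# Include the results of the hardware scan.` on the new `./hosts/vm-minecraft.nix` and `./hosts/vm-docker.nix` lines now overstates what those files hold: the kernel-module, qemu-guest and DHCP parts of the old scans moved into `./configuration/server/vm.nix` in this commit, and the hosts files (later in this diff) keep only fileSystems and swapDevices. Suggest `# Host-specific filesystems and swap; the rest of the hardware scan lives in configuration/server/vm.nix.` on both lines. The `./hosts/muskduck.nix` line in the first hunk is a pure rename, so its comment still fits.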
@@ -70,19 +88,35 @@
 system = "x86_64-linux";
 modules = [
- (nixpkgs + "/nixos/modules/virtualisation/proxmox-lxc.nix")
 { networking.hostName = "technitium"; }
- ./configuration/containers/technitium.nix
+
+ ./configuration/common.nix
+
+ ./configuration/server/common.nix
+ ./configuration/server/containers/common.nix
+
+ ./configuration/server/containers/technitium.nix
 ];
 };
 nixosConfigurations.lxc-firefox-syncserver = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
+
+ specialArgs = {
+ secrets = builtins.toString inputs.secrets;
+ };
 modules = [
- (nixpkgs + "/nixos/modules/virtualisation/proxmox-lxc.nix")
+ sops-nix.nixosModules.sops
+
 { networking.hostName = "firefox-syncserver"; }
- ./configuration/containers/firefox-syncserver.nix
+
+ ./configuration/common.nix
+
+ ./configuration/server/common.nix
+ ./configuration/server/containers/common.nix
+
+ ./configuration/server/containers/firefox-syncserver.nix
 ];
 };
 };
diff --git a/hardware-configuration/vm-docker.nix b/hardware-configuration/vm-docker.nix
deleted file mode 100644
index bf8baa4..0000000
--- a/hardware-configuration/vm-docker.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{ lib, modulesPath, ... }:
-
-{
- imports =
- [ (modulesPath + "/profiles/qemu-guest.nix")
- ];
-
- boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ "kvm-intel" ];
- boot.extraModulePackages = [ ];
-
- fileSystems."/" =
- { device = "/dev/disk/by-uuid/cac60222-9b38-4938-8b17-5fddd67e8e26";
- fsType = "ext4";
- };
-
- fileSystems."/home/docker/volumes" =
- { device = "/dev/disk/by-uuid/95461a94-ad91-43b9-b502-2b5d4496b84e";
- fsType = "ext4";
- };
-
- swapDevices =
- [ { device = "/dev/disk/by-uuid/025beadb-a89b-4abe-8d0c-b55401316319"; }
- ];
-
- networking.useDHCP = lib.mkDefault true;
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}
\ No newline at end of file
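Review bot: `secrets = builtins.toString inputs.secrets;` in the new specialArgs relies on the outputs function having bound its whole argument set as `inputs` (an `@inputs` pattern), and that binding is outside this hunk — the earlier flake.nix hunk only adds `sops-nix` to the destructured names — so confirm it exists, since an unbound `inputs` fails evaluation of only this host. The value reaches modules as a bare string, which firefox-syncserver.nix then interpolates, so a comment on the `specialArgs` line would save the next reader a lookup: `# Store path of the non-flake secrets input; firefox-syncserver.nix reads sops.yaml from it.` The sops-nix module and this argument are wired only into lxc-firefox-syncserver, which matches the one consumer in this diff.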
diff --git a/hardware-configuration/vm-minecraft.nix b/hardware-configuration/vm-minecraft.nix
deleted file mode 100644
index 94342a3..0000000
--- a/hardware-configuration/vm-minecraft.nix
+++ /dev/null
@@ -1,36 +0,0 @@
-{ lib, modulesPath, ... }:
-
-{
- imports = [
- (modulesPath + "/profiles/qemu-guest.nix")
- ];
-
- boot.initrd.availableKernelModules = [
- "ata_piix"
- "uhci_hcd"
- "virtio_pci"
- "virtio_scsi"
- "sd_mod"
- ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ "kvm-intel" ];
- boot.extraModulePackages = [ ];
-
- fileSystems."/" = {
- device = "/dev/disk/by-uuid/cbd70e61-fcdc-4b1f-af03-d3da8a2866ea";
- fsType = "ext4";
- };
-
- fileSystems."/home/docker/volumes" = {
- device = "/dev/disk/by-uuid/3730e48a-8784-4c49-8692-473c9b4bc8c3";
- fsType = "ext4";
- };
-
- swapDevices = [
- { device = "/dev/disk/by-uuid/3123f58e-63a9-44fa-ac29-3e79dc520b8f"; }
- ];
-
- networking.useDHCP = lib.mkDefault true;
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}
diff --git a/hardware-configuration/muskduck.nix b/hosts/muskduck.nix
similarity index 100%
rename from hardware-configuration/muskduck.nix
rename to hosts/muskduck.nix
diff --git a/hosts/vm-docker.nix b/hosts/vm-docker.nix
new file mode 100644
index 0000000..63a62ea
--- /dev/null
+++ b/hosts/vm-docker.nix
@@ -0,0 +1,15 @@
+{
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/cac60222-9b38-4938-8b17-5fddd67e8e26";
+ fsType = "ext4";
+ };
+
+ fileSystems."/home/docker/volumes" = {
+ device = "/dev/disk/by-uuid/95461a94-ad91-43b9-b502-2b5d4496b84e";
+ fsType = "ext4";
+ };
+
+ swapDevices = [
+ { device = "/dev/disk/by-uuid/025beadb-a89b-4abe-8d0c-b55401316319"; }
+ ];
+}
diff --git a/hosts/vm-minecraft.nix b/hosts/vm-minecraft.nix
new file mode 100644
index 0000000..8ebb758
--- /dev/null
+++ b/hosts/vm-minecraft.nix
@@ -0,0 +1,15 @@
+{
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/cbd70e61-fcdc-4b1f-af03-d3da8a2866ea";
+ fsType = "ext4";
+ };
+
+ fileSystems."/home/docker/volumes" = {
+ device = "/dev/disk/by-uuid/3730e48a-8784-4c49-8692-473c9b4bc8c3";
+ fsType = "ext4";
+ };
+
+ swapDevices = [
+ { device = "/dev/disk/by-uuid/3123f58e-63a9-44fa-ac29-3e79dc520b8f"; }
+ ];
+}