Modularise config. Add sops-nix for secrets management.

2025-07-08 14:09:35 +08:00 · 2025-07-08 14:09:35 +08:00 · a348413d83
commit a348413d83
parent 02fdb4707d
15 changed files with 211 additions and 119 deletions
--- a/configuration/containers/firefox-syncserver.nix
+++ b/configuration/containers/firefox-syncserver.nix
@ -1,20 +0,0 @@
-{ pkgs, ... }:
-{
-  services.mysql.package = pkgs.mariadb;
-
-  services.firefox-syncserver = {
-    enable = true;
-    secrets = ./firefox-syncserver.env;
-    settings.host = "0.0.0.0";
-    singleNode = {
-      enable = true;
-      hostname = "0.0.0.0";
-      url = "https://fxsync.fern.garden";
-      capacity = 1;
-    };
-  };
-
-  networking.firewall.allowedTCPPorts = [ 5000 ];
-
-  system.stateVersion = "25.05";
-}
--- a/configuration/server/common.nix
+++ b/configuration/server/common.nix
@ -0,0 +1,10 @@
+{
+  # Passwordless sudo
+  security.sudo.wheelNeedsPassword = false;
+
+  # Enable all terminfo (for ghostty)
+  environment.enableAllTerminfo = true;
+
+  # Enable SSH server
+  services.openssh.enable = true;
+}
--- a/configuration/server/containers/common.nix
+++ b/configuration/server/containers/common.nix
@ -0,0 +1,8 @@
+{ modulesPath, ... }:
+{
+  # Import Proxmox LXC configuration.
+  imports = [
+    (modulesPath + "/virtualisation/proxmox-lxc.nix")
+  ];
+}
+
--- a/configuration/server/containers/firefox-syncserver.nix
+++ b/configuration/server/containers/firefox-syncserver.nix
@ -0,0 +1,26 @@
+{ config, pkgs, secrets, ... }:
+{
+  # Secrets.
+  sops = {
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    defaultSopsFile = "${secrets}/sops.yaml";
+    secrets."firefox_syncserver/sync_master_secret" = {};
+  };
+
+  # syncserver-rs service.
+  services.mysql.package = pkgs.mariadb;
+
+  services.firefox-syncserver = {
+    enable = true;
+    secrets = config.sops.secrets."firefox_syncserver/sync_master_secret".path;
+    settings.host = "0.0.0.0";
+    singleNode = {
+      enable = true;
+      hostname = "0.0.0.0";
+      url = "https://fxsync.fern.garden";
+      capacity = 1;
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 5000 ];
+}
--- a/configuration/server/containers/technitium.nix
+++ b/configuration/server/containers/technitium.nix
@ -3,6 +3,4 @@
    enable = true;
    openFirewall = true;
  };
-
-  system.stateVersion = "25.05";
 }
--- a/configuration/server/docker.nix
+++ b/configuration/server/docker.nix
@ -1,13 +1,4 @@
 {
-  # Configure the bootloader.
-  boot.loader.grub = {
-    enable = true;
-    device = "/dev/sda";
-  };
-  
-  # Enable QEMU guest agent
-  services.qemuGuest.enable = true;
-
  # Define a user account.
  users.users.docker = {
    isNormalUser = true;
@ -27,17 +18,6 @@
  # Auto login
  services.getty.autologinUser = "docker";

-  # Passwordless sudo
-  security.sudo.wheelNeedsPassword = false;
-
-  # Enable all terminfo (for ghostty)
-  environment.enableAllTerminfo = true;
-
-  # Enable SSH server
-  services.openssh.enable = true;
-
  # Enable docker
-  virtualisation.docker = {
-    enable = true;
-  };
+  virtualisation.docker.enable = true;
 }
--- a/configuration/server/vm.nix
+++ b/configuration/server/vm.nix
@ -0,0 +1,30 @@
+{ lib, modulesPath, ... }:
+{
+  # Import qemu guest configuration.
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  # Load kernel modules.
+  boot.initrd.availableKernelModules = [
+    "ata_piix"
+    "uhci_hcd"
+    "virtio_pci"
+    "virtio_scsi"
+    "sd_mod"
+  ];
+
+  boot.kernelModules = [ "kvm-intel" ];
+
+  # Enable DHCP.
+  networking.useDHCP = lib.mkDefault true;
+
+  # Configure the bootloader.
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/sda";
+  };
+
+  # Enable QEMU guest agent
+  services.qemuGuest.enable = true;
+}