Modularise config. Add sops-nix for secrets management.

2025-07-08 14:09:35 +08:00 · 2025-07-08 14:09:35 +08:00 · a348413d83
commit a348413d83
parent 02fdb4707d
15 changed files with 211 additions and 119 deletions
--- a/configuration/server/common.nix
+++ b/configuration/server/common.nix
@ -0,0 +1,10 @@
+{
+  # Passwordless sudo
+  security.sudo.wheelNeedsPassword = false;
+
+  # Enable all terminfo (for ghostty)
+  environment.enableAllTerminfo = true;
+
+  # Enable SSH server
+  services.openssh.enable = true;
+}
--- a/configuration/server/containers/common.nix
+++ b/configuration/server/containers/common.nix
@ -0,0 +1,8 @@
+{ modulesPath, ... }:
+{
+  # Import Proxmox LXC configuration.
+  imports = [
+    (modulesPath + "/virtualisation/proxmox-lxc.nix")
+  ];
+}
+
--- a/configuration/server/containers/firefox-syncserver.nix
+++ b/configuration/server/containers/firefox-syncserver.nix
@ -0,0 +1,26 @@
+{ config, pkgs, secrets, ... }:
+{
+  # Secrets.
+  sops = {
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    defaultSopsFile = "${secrets}/sops.yaml";
+    secrets."firefox_syncserver/sync_master_secret" = {};
+  };
+
+  # syncserver-rs service.
+  services.mysql.package = pkgs.mariadb;
+
+  services.firefox-syncserver = {
+    enable = true;
+    secrets = config.sops.secrets."firefox_syncserver/sync_master_secret".path;
+    settings.host = "0.0.0.0";
+    singleNode = {
+      enable = true;
+      hostname = "0.0.0.0";
+      url = "https://fxsync.fern.garden";
+      capacity = 1;
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 5000 ];
+}
--- a/configuration/server/containers/technitium.nix
+++ b/configuration/server/containers/technitium.nix
@ -0,0 +1,6 @@
+{
+  services.technitium-dns-server = {
+    enable = true;
+    openFirewall = true;
+  };
+}
--- a/configuration/server/docker.nix
+++ b/configuration/server/docker.nix
@ -0,0 +1,23 @@
+{
+  # Define a user account.
+  users.users.docker = {
+    isNormalUser = true;
+    linger = true;
+    extraGroups = [
+      "wheel"
+      "docker"
+    ];
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETPyuxUVEmYyEW6PVC6BXqkhULHd/RvMm8fMbYhjTMV fern@muskduck"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzW4epTmK01kGVXcuAXUNJQPltnogf4uab9FA5m8S3n fern@pardalote"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBEJYq1fMxVOzCMfE/td6DtWS8nUk76U9seYD3Z9RYAz u0_a399@fairywren"
+      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIMoJvPcUJDVVzO4dHROCFNlgJdDZSP5xyPx2s40zcx5QAAAABHNzaDo= YubiKey5NFC"
+    ];
+  };
+
+  # Auto login
+  services.getty.autologinUser = "docker";
+
+  # Enable docker
+  virtualisation.docker.enable = true;
+}
--- a/configuration/server/vm.nix
+++ b/configuration/server/vm.nix
@ -0,0 +1,30 @@
+{ lib, modulesPath, ... }:
+{
+  # Import qemu guest configuration.
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  # Load kernel modules.
+  boot.initrd.availableKernelModules = [
+    "ata_piix"
+    "uhci_hcd"
+    "virtio_pci"
+    "virtio_scsi"
+    "sd_mod"
+  ];
+
+  boot.kernelModules = [ "kvm-intel" ];
+
+  # Enable DHCP.
+  networking.useDHCP = lib.mkDefault true;
+
+  # Configure the bootloader.
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/sda";
+  };
+
+  # Enable QEMU guest agent
+  services.qemuGuest.enable = true;
+}