fern/flock
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Modularise config. Add sops-nix for secrets management.

Browse source
This commit is contained in:
Fern Garden 2025-07-08 14:09:35 +08:00
parent 02fdb4707d
commit a348413d83
15 changed files with 211 additions and 119 deletions
Download patch file Download diff file Expand all files Collapse all files

9
.sops.yaml Normal file
View file

@ -0,0 +1,9 @@
keys:
- &admin_fern age1n9q3cspp4a6qvjv9xaf00e5d5za3d8upz4akj2fh6zt5ly3ahans3vpx5x
- &server_firefox-syncserver age1hrvts2jkdclk3f9atjry7chuakt5n9qmlwfwsdlcnmc88ld3ysuqz6ejge
creation_rules:
- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
key_groups:
- age:
- *admin_fern
- *server_firefox-syncserver

20
configuration/containers/firefox-syncserver.nix
View file

@ -1,20 +0,0 @@
{ pkgs, ... }:
{
services.mysql.package = pkgs.mariadb;
services.firefox-syncserver = {
enable = true;
secrets = ./firefox-syncserver.env;
settings.host = "0.0.0.0";
singleNode = {
enable = true;
hostname = "0.0.0.0";
url = "https://fxsync.fern.garden";
capacity = 1;
};
};
networking.firewall.allowedTCPPorts = [ 5000 ];
system.stateVersion = "25.05";
}

10
configuration/server/common.nix Normal file
View file

@ -0,0 +1,10 @@
{
# Passwordless sudo
security.sudo.wheelNeedsPassword = false;
# Enable all terminfo (for ghostty)
environment.enableAllTerminfo = true;
# Enable SSH server
services.openssh.enable = true;
}

8
configuration/server/containers/common.nix Normal file
View file

@ -0,0 +1,8 @@
{ modulesPath, ... }:
{
# Import Proxmox LXC configuration.
imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix")
];
}

26
configuration/server/containers/firefox-syncserver.nix Normal file
View file

@ -0,0 +1,26 @@
{ config, pkgs, secrets, ... }:
{
# Secrets.
sops = {
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = "${secrets}/sops.yaml";
secrets."firefox_syncserver/sync_master_secret" = {};
};
# syncserver-rs service.
services.mysql.package = pkgs.mariadb;
services.firefox-syncserver = {
enable = true;
secrets = config.sops.secrets."firefox_syncserver/sync_master_secret".path;
settings.host = "0.0.0.0";
singleNode = {
enable = true;
hostname = "0.0.0.0";
url = "https://fxsync.fern.garden";
capacity = 1;
};
};
networking.firewall.allowedTCPPorts = [ 5000 ];
}

2
configuration/containers/technitium.nix → configuration/server/containers/technitium.nix
View file

@ -3,6 +3,4 @@
enable = true; enable = true;
openFirewall = true; openFirewall = true;
}; };
system.stateVersion = "25.05";
} }

22
configuration/vm.nix → configuration/server/docker.nix
View file

@ -1,13 +1,4 @@
{ {
# Configure the bootloader.
boot.loader.grub = {
enable = true;
device = "/dev/sda";
};
# Enable QEMU guest agent
services.qemuGuest.enable = true;
# Define a user account. # Define a user account.
users.users.docker = { users.users.docker = {
isNormalUser = true; isNormalUser = true;
@ -27,17 +18,6 @@
# Auto login # Auto login
services.getty.autologinUser = "docker"; services.getty.autologinUser = "docker";
# Passwordless sudo
security.sudo.wheelNeedsPassword = false;
# Enable all terminfo (for ghostty)
environment.enableAllTerminfo = true;
# Enable SSH server
services.openssh.enable = true;
# Enable docker # Enable docker
virtualisation.docker = { virtualisation.docker.enable = true;
enable = true;
};
} }

30
configuration/server/vm.nix Normal file
View file

@ -0,0 +1,30 @@
{ lib, modulesPath, ... }:
{
# Import qemu guest configuration.
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
# Load kernel modules.
boot.initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"virtio_pci"
"virtio_scsi"
"sd_mod"
];
boot.kernelModules = [ "kvm-intel" ];
# Enable DHCP.
networking.useDHCP = lib.mkDefault true;
# Configure the bootloader.
boot.loader.grub = {
enable = true;
device = "/dev/sda";
};
# Enable QEMU guest agent
services.qemuGuest.enable = true;
}

55
flake.lock generated
View file

@ -176,6 +176,22 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_3": {
"locked": {
"lastModified": 1744868846,
"narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ebe4301cbd8f81c4f8d3244b3632338bbeb6d49c",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"pre-commit-hooks-nix": { "pre-commit-hooks-nix": {
"inputs": { "inputs": {
"flake-compat": [ "flake-compat": [
@ -208,7 +224,9 @@
"fluffychat2": "fluffychat2", "fluffychat2": "fluffychat2",
"lanzaboote": "lanzaboote", "lanzaboote": "lanzaboote",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_2" "nixpkgs": "nixpkgs_2",
"secrets": "secrets",
"sops-nix": "sops-nix"
} }
}, },
"rust-overlay": { "rust-overlay": {
@ -231,6 +249,41 @@
"repo": "rust-overlay", "repo": "rust-overlay",
"type": "github" "type": "github"
} }
},
"secrets": {
"flake": false,
"locked": {
"lastModified": 1751952212,
"narHash": "sha256-2W/h9pas2gJrRtrZYzBxXUZ99i6W3xXtfiIxOI19rhs=",
"ref": "main",
"rev": "11bb31b71e2ef6795c9b0184f9e10e2946071ed8",
"revCount": 1,
"type": "git",
"url": "ssh://git@docker.local:222/fern/secrets"
},
"original": {
"ref": "main",
"type": "git",
"url": "ssh://git@docker.local:222/fern/secrets"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": "nixpkgs_3"
},
"locked": {
"lastModified": 1751606940,
"narHash": "sha256-KrDPXobG7DFKTOteqdSVeL1bMVitDcy7otpVZWDE6MA=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "3633fc4acf03f43b260244d94c71e9e14a2f6e0d",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",

52
flake.nix
View file

@ -5,6 +5,11 @@
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05"; # Stable nixpkgs. nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05"; # Stable nixpkgs.
lanzaboote.url = "github:nix-community/lanzaboote"; # Secure boot. lanzaboote.url = "github:nix-community/lanzaboote"; # Secure boot.
nixos-hardware.url = "github:NixOS/nixos-hardware"; # Hardware specific config. nixos-hardware.url = "github:NixOS/nixos-hardware"; # Hardware specific config.
sops-nix.url = "github:Mic92/sops-nix"; # Secrets management.
secrets = {
url = "git+ssh://git@docker.local:222/fern/secrets?ref=main";
flake = false;
}; # Secrets repo.
# Updated packages. # Updated packages.
fluffychat2.url = "github:NixOS/nixpkgs?ref=pull/419632/head"; # FluffyChat 2.0.0 fluffychat2.url = "github:NixOS/nixpkgs?ref=pull/419632/head"; # FluffyChat 2.0.0
@ -17,11 +22,13 @@
nixpkgs, nixpkgs,
lanzaboote, lanzaboote,
nixos-hardware, nixos-hardware,
sops-nix,
fluffychat2, fluffychat2,
feishin0_17, feishin0_17,
... ...
}: }:
{ {
# ThinkPad T480
nixosConfigurations.muskduck = nixpkgs.lib.nixosSystem rec { nixosConfigurations.muskduck = nixpkgs.lib.nixosSystem rec {
system = "x86_64-linux"; system = "x86_64-linux";
@ -38,10 +45,13 @@
./configuration/common.nix ./configuration/common.nix
./configuration/desktop.nix ./configuration/desktop.nix
./hardware-configuration/muskduck.nix # Include the results of the hardware scan.
./hosts/muskduck.nix # Include the results of the hardware scan.
]; ];
}; };
### Proxmox Guests ###
nixosConfigurations.vm-minecraft = nixpkgs.lib.nixosSystem { nixosConfigurations.vm-minecraft = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
@ -49,8 +59,12 @@
{ networking.hostName = "minecraft"; } { networking.hostName = "minecraft"; }
./configuration/common.nix ./configuration/common.nix
./configuration/vm.nix
./hardware-configuration/vm-minecraft.nix # Include the results of the hardware scan. ./configuration/server/common.nix
./configuration/server/vm.nix
./configuration/server/docker.nix
./hosts/vm-minecraft.nix # Include the results of the hardware scan.
]; ];
}; };
@ -61,8 +75,12 @@
{ networking.hostName = "docker"; } { networking.hostName = "docker"; }
./configuration/common.nix ./configuration/common.nix
./configuration/vm.nix
./hardware-configuration/vm-docker.nix # Include the results of the hardware scan. ./configuration/server/common.nix
./configuration/server/vm.nix
./configuration/server/docker.nix
./hosts/vm-docker.nix # Include the results of the hardware scan.
]; ];
}; };
@ -70,19 +88,35 @@
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
(nixpkgs + "/nixos/modules/virtualisation/proxmox-lxc.nix")
{ networking.hostName = "technitium"; } { networking.hostName = "technitium"; }
./configuration/containers/technitium.nix
./configuration/common.nix
./configuration/server/common.nix
./configuration/server/containers/common.nix
./configuration/server/containers/technitium.nix
]; ];
}; };
nixosConfigurations.lxc-firefox-syncserver = nixpkgs.lib.nixosSystem { nixosConfigurations.lxc-firefox-syncserver = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
specialArgs = {
secrets = builtins.toString inputs.secrets;
};
modules = [ modules = [
(nixpkgs + "/nixos/modules/virtualisation/proxmox-lxc.nix") sops-nix.nixosModules.sops
{ networking.hostName = "firefox-syncserver"; } { networking.hostName = "firefox-syncserver"; }
./configuration/containers/firefox-syncserver.nix
./configuration/common.nix
./configuration/server/common.nix
./configuration/server/containers/common.nix
./configuration/server/containers/firefox-syncserver.nix
]; ];
}; };
}; };

30
hardware-configuration/vm-docker.nix
View file

@ -1,30 +0,0 @@
{ lib, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/cac60222-9b38-4938-8b17-5fddd67e8e26";
fsType = "ext4";
};
fileSystems."/home/docker/volumes" =
{ device = "/dev/disk/by-uuid/95461a94-ad91-43b9-b502-2b5d4496b84e";
fsType = "ext4";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/025beadb-a89b-4abe-8d0c-b55401316319"; }
];
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

36
hardware-configuration/vm-minecraft.nix
View file

@ -1,36 +0,0 @@
{ lib, modulesPath, ... }:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"virtio_pci"
"virtio_scsi"
"sd_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/cbd70e61-fcdc-4b1f-af03-d3da8a2866ea";
fsType = "ext4";
};
fileSystems."/home/docker/volumes" = {
device = "/dev/disk/by-uuid/3730e48a-8784-4c49-8692-473c9b4bc8c3";
fsType = "ext4";
};
swapDevices = [
{ device = "/dev/disk/by-uuid/3123f58e-63a9-44fa-ac29-3e79dc520b8f"; }
];
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

0
hardware-configuration/muskduck.nix → hosts/muskduck.nix
View file

15
hosts/vm-docker.nix Normal file
View file

@ -0,0 +1,15 @@
{
fileSystems."/" = {
device = "/dev/disk/by-uuid/cac60222-9b38-4938-8b17-5fddd67e8e26";
fsType = "ext4";
};
fileSystems."/home/docker/volumes" = {
device = "/dev/disk/by-uuid/95461a94-ad91-43b9-b502-2b5d4496b84e";
fsType = "ext4";
};
swapDevices = [
{ device = "/dev/disk/by-uuid/025beadb-a89b-4abe-8d0c-b55401316319"; }
];
}

15
hosts/vm-minecraft.nix Normal file
View file

@ -0,0 +1,15 @@
{
fileSystems."/" = {
device = "/dev/disk/by-uuid/cbd70e61-fcdc-4b1f-af03-d3da8a2866ea";
fsType = "ext4";
};
fileSystems."/home/docker/volumes" = {
device = "/dev/disk/by-uuid/3730e48a-8784-4c49-8692-473c9b4bc8c3";
fsType = "ext4";
};
swapDevices = [
{ device = "/dev/disk/by-uuid/3123f58e-63a9-44fa-ac29-3e79dc520b8f"; }
];
}