diff --git a/hosts/chidi/default.nix b/hosts/chidi/default.nix index b3ecfcd..838728b 100644 --- a/hosts/chidi/default.nix +++ b/hosts/chidi/default.nix @@ -6,6 +6,8 @@ ... }: { imports = [ + ./secrets.nix + ./syncthing.nix ../../modules/syncthing.nix ../../profiles/core.nix ../../profiles/darwin.nix @@ -19,30 +21,6 @@ networking.hostName = "chidi"; networking.computerName = "Chidi"; - sops.age.keyFile = "/Users/${user}/.config/sops/age/keys.txt"; - - sops.secrets = { - chidi-syncthing-cert = { - sopsFile = ../../secrets/chidi-syncthing-cert; - format = "binary"; - owner = user; - path = "/Users/${user}/.config/syncthing/cert.pem"; - }; - chidi-syncthing-key = { - sopsFile = ../../secrets/chidi-syncthing-key; - format = "binary"; - owner = user; - path = "/Users/${user}/.config/syncthing/key.pem"; - }; - }; - - services.syncthing.settings.folders = { - "Projects/Work" = { - path = "/Users/${user}/Projects/Work"; - devices = ["tahani" "chidi"]; - }; - }; - home-manager.users.${user} = { imports = [ inputs.nixvim.homeModules.nixvim diff --git a/hosts/chidi/secrets.nix b/hosts/chidi/secrets.nix new file mode 100644 index 0000000..c660d41 --- /dev/null +++ b/hosts/chidi/secrets.nix @@ -0,0 +1,18 @@ +{user, ...}: { + sops.age.keyFile = "/Users/${user}/.config/sops/age/keys.txt"; + + sops.secrets = { + chidi-syncthing-cert = { + sopsFile = ../../secrets/chidi-syncthing-cert; + format = "binary"; + owner = user; + path = "/Users/${user}/.config/syncthing/cert.pem"; + }; + chidi-syncthing-key = { + sopsFile = ../../secrets/chidi-syncthing-key; + format = "binary"; + owner = user; + path = "/Users/${user}/.config/syncthing/key.pem"; + }; + }; +} diff --git a/hosts/chidi/syncthing.nix b/hosts/chidi/syncthing.nix new file mode 100644 index 0000000..7db603a --- /dev/null +++ b/hosts/chidi/syncthing.nix 
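Review bot: The new `hosts/chidi/secrets.nix` does not set `sops.age.sshKeyPaths = []` and `sops.gnupg.sshKeyPaths = []`, while the otherwise parallel `hosts/jason/secrets.nix` (next hunk) does, and the move keeps that asymmetry rather than resolving it. If the empty lists on jason exist to stop sops-nix from additionally deriving a key from SSH host keys, chidi presumably needs the same two lines; if they are a leftover, they should go from jason instead. A one-line comment above `sops.age.keyFile`, e.g. `# age key only; SSH-derived keys disabled on purpose`, would keep the two darwin hosts from drifting again.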
@@ -0,0 +1,8 @@ +{user, ...}: { + services.syncthing.settings.folders = { + "Projects/Work" = { + path = "/Users/${user}/Projects/Work"; + devices = ["tahani" "chidi"]; + }; + }; +} diff --git a/hosts/jason/default.nix b/hosts/jason/default.nix index f97cc62..1fe2f6d 100644 --- a/hosts/jason/default.nix +++ b/hosts/jason/default.nix @@ -4,6 +4,8 @@ ... }: { imports = [ + ./secrets.nix + ./syncthing.nix ../../modules/syncthing.nix ../../profiles/core.nix ../../profiles/darwin.nix @@ -17,32 +19,6 @@ networking.hostName = "jason"; networking.computerName = "Jason"; - services.syncthing.settings.folders = { - "Projects/Personal" = { - path = "/Users/${user}/Projects/Personal"; - devices = ["tahani" "jason"]; - }; - }; - - sops.age.keyFile = "/Users/${user}/.config/sops/age/keys.txt"; - sops.age.sshKeyPaths = []; - sops.gnupg.sshKeyPaths = []; - - sops.secrets = { - jason-syncthing-cert = { - sopsFile = ../../secrets/jason-syncthing-cert; - format = "binary"; - owner = user; - path = "/Users/${user}/.config/syncthing/cert.pem"; - }; - jason-syncthing-key = { - sopsFile = ../../secrets/jason-syncthing-key; - format = "binary"; - owner = user; - path = "/Users/${user}/.config/syncthing/key.pem"; - }; - }; - home-manager.users.${user} = { imports = [ inputs.nixvim.homeModules.nixvim diff --git a/hosts/jason/secrets.nix b/hosts/jason/secrets.nix new file mode 100644 index 0000000..4225bd3 --- /dev/null +++ b/hosts/jason/secrets.nix @@ -0,0 +1,20 @@ +{user, ...}: { + sops.age.keyFile = "/Users/${user}/.config/sops/age/keys.txt"; + sops.age.sshKeyPaths = []; + sops.gnupg.sshKeyPaths = []; + + sops.secrets = { + jason-syncthing-cert = { + sopsFile = ../../secrets/jason-syncthing-cert; + format = "binary"; + owner = user; + path = "/Users/${user}/.config/syncthing/cert.pem"; + }; + jason-syncthing-key = { + sopsFile = ../../secrets/jason-syncthing-key; + format = "binary"; + owner = user; + path = "/Users/${user}/.config/syncthing/key.pem"; + }; + }; +} 
diff --git a/hosts/jason/syncthing.nix b/hosts/jason/syncthing.nix new file mode 100644 index 0000000..12c2a78 --- /dev/null +++ b/hosts/jason/syncthing.nix @@ -0,0 +1,8 @@ +{user, ...}: { + services.syncthing.settings.folders = { + "Projects/Personal" = { + path = "/Users/${user}/Projects/Personal"; + devices = ["tahani" "jason"]; + }; + }; +} diff --git a/hosts/michael/default.nix b/hosts/michael/default.nix index 056272f..0fa55e2 100644 --- a/hosts/michael/default.nix +++ b/hosts/michael/default.nix @@ -11,6 +11,8 @@ (modulesPath + "/profiles/qemu-guest.nix") ./disk-config.nix ./hardware-configuration.nix + ./openssh.nix + ./secrets.nix ../../profiles/core.nix ../../profiles/fail2ban.nix ../../profiles/gitea.nix @@ -20,11 +22,6 @@ inputs.sops-nix.nixosModules.sops ]; - sops.secrets.litestream = { - sopsFile = ../../secrets/michael-litestream; - format = "binary"; - }; - home-manager.users.${user} = { pkgs, lib, @@ -52,13 +49,5 @@ ]; }; - services.openssh = { - enable = true; - settings = { - PermitRootLogin = "yes"; - PasswordAuthentication = false; - }; - }; - networking.hostName = hostname; } diff --git a/hosts/michael/openssh.nix b/hosts/michael/openssh.nix new file mode 100644 index 0000000..7b61c7e --- /dev/null +++ b/hosts/michael/openssh.nix @@ -0,0 +1,9 @@ +{...}: { + services.openssh = { + enable = true; + settings = { + PermitRootLogin = "yes"; + PasswordAuthentication = false; + }; + }; +} diff --git a/hosts/michael/secrets.nix b/hosts/michael/secrets.nix new file mode 100644 index 0000000..96effd0 --- /dev/null +++ b/hosts/michael/secrets.nix @@ -0,0 +1,6 @@ +{...}: { + sops.secrets.litestream = { + sopsFile = ../../secrets/michael-litestream; + format = "binary"; + }; +} diff --git a/hosts/mindy/default.nix b/hosts/mindy/default.nix index 9eb2d8e..5276c45 100644 --- a/hosts/mindy/default.nix +++ b/hosts/mindy/default.nix 
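Review bot: `PermitRootLogin = "yes"` in the new `hosts/michael/openssh.nix` (and in `hosts/mindy/openssh.nix` in the next hunk, which the identical blob id `7b61c7e` shows is a byte-for-byte copy) allows root to log in with any enabled authentication method; `PasswordAuthentication = false` does not cover keyboard-interactive (PAM) authentication, which the NixOS module leaves enabled unless `KbdInteractiveAuthentication = false;` is set as well. `hosts/tahani/openssh.nix` in this same commit uses `PermitRootLogin = "prohibit-password"`, which restricts root to public-key authentication regardless of the other settings, and the same value would make all three hosts consistent. Since the michael and mindy files are identical, a single shared profile next to the existing `../../profiles/fail2ban.nix` would avoid maintaining two copies.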
@@ -11,6 +11,9 @@ (modulesPath + "/profiles/qemu-guest.nix") ./disk-config.nix ./hardware-configuration.nix + ./openssh.nix + ./pgbackrest.nix + ./secrets.nix ../../modules/pgbackrest.nix ../../profiles/core.nix ../../profiles/fail2ban.nix @@ -21,19 +24,6 @@ inputs.sops-nix.nixosModules.sops ]; - sops.secrets.mindy-pgbackrest = { - sopsFile = ../../secrets/mindy-pgbackrest; - format = "binary"; - owner = "postgres"; - group = "postgres"; - }; - - my.pgbackrest = { - enable = true; - secretFile = "/run/secrets/mindy-pgbackrest"; - s3.bucket = "mindy-pgbackrest"; - }; - home-manager.users.${user} = { pkgs, lib, @@ -61,14 +51,6 @@ ]; }; - services.openssh = { - enable = true; - settings = { - PermitRootLogin = "yes"; - PasswordAuthentication = false; - }; - }; - virtualisation.docker.enable = true; networking.hostName = hostname; diff --git a/hosts/mindy/openssh.nix b/hosts/mindy/openssh.nix new file mode 100644 index 0000000..7b61c7e --- /dev/null +++ b/hosts/mindy/openssh.nix @@ -0,0 +1,9 @@ +{...}: { + services.openssh = { + enable = true; + settings = { + PermitRootLogin = "yes"; + PasswordAuthentication = false; + }; + }; +} diff --git a/hosts/mindy/pgbackrest.nix b/hosts/mindy/pgbackrest.nix new file mode 100644 index 0000000..d1f219b --- /dev/null +++ b/hosts/mindy/pgbackrest.nix @@ -0,0 +1,7 @@ +{...}: { + my.pgbackrest = { + enable = true; + secretFile = "/run/secrets/mindy-pgbackrest"; + s3.bucket = "mindy-pgbackrest"; + }; +} diff --git a/hosts/mindy/secrets.nix b/hosts/mindy/secrets.nix new file mode 100644 index 0000000..c61eda9 --- /dev/null +++ b/hosts/mindy/secrets.nix @@ -0,0 +1,8 @@ +{...}: { + sops.secrets.mindy-pgbackrest = { + sopsFile = ../../secrets/mindy-pgbackrest; + format = "binary"; + owner = "postgres"; + group = "postgres"; + }; +} diff --git a/hosts/tahani/adguardhome.nix b/hosts/tahani/adguardhome.nix new file mode 100644 index 0000000..979f783 --- /dev/null +++ b/hosts/tahani/adguardhome.nix 
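Review bot: `secretFile = "/run/secrets/mindy-pgbackrest"` in the new `hosts/mindy/pgbackrest.nix` hard-codes the path sops-nix picks for the secret declared in `hosts/mindy/secrets.nix`, so the two files only agree by convention and a rename of the secret would not be caught at evaluation time. Taking the value from the option ties them together: change the header to `{config, ...}: {` and the line to `secretFile = config.sops.secrets.mindy-pgbackrest.path;`. `hosts/tahani/paperless.nix` in this commit already follows that pattern for `passwordFile`.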
@@ -0,0 +1,21 @@
+{...}: {
+ services.adguardhome = {
+ enable = true;
+ port = 10000;
+ settings = {
+ dns = {
+ upstream_dns = [
+ "1.1.1.1"
+ "1.0.0.1"
+ ];
+ };
+ filtering = {
+ protection_enabled = true;
+ filtering_enabled = true;
+ safe_search = {
+ enabled = false;
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/tahani/default.nix b/hosts/tahani/default.nix
index d2b0d61..96b3a5f 100644
--- a/hosts/tahani/default.nix
+++ b/hosts/tahani/default.nix
@@ -1,12 +1,17 @@
 {
- config,
- hostname,
- user,
 inputs,
+ pkgs,
+ user,
 constants,
 ...
 }: {
 imports = [
+ ./adguardhome.nix
+ ./networking.nix
+ ./openssh.nix
+ ./paperless.nix
+ ./secrets.nix
+ ./syncthing.nix
 ../../profiles/core.nix
 ../../profiles/nixos.nix
 ../../profiles/syncthing.nix
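Review bot: The `settings` block in the new `hosts/tahani/adguardhome.nix` is, as far as I recall the NixOS module, only applied when no `AdGuardHome.yaml` exists in the state directory unless `services.adguardhome.mutableSettings = false;` is also set, so later edits to `upstream_dns` or `filtering` here would silently not reach a host that has already been deployed — worth confirming against the module version in use. Separately, `1.1.1.1` and `1.0.0.1` are plain-text DNS upstreams; AdGuard Home accepts encrypted upstream URLs such as `tls://1.1.1.1` in the same list if that is wanted. A short comment on `port = 10000;` stating what listens there (the admin web interface rather than the DNS listener, if I read the module's option correctly) would also help, since the number is otherwise unexplained.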
@@ -54,120 +59,5 @@ programs.git.settings.user.email = "christoph@schmatzler.com"; }; - services.adguardhome = { - enable = true; - port = 10000; - settings = { - dns = { - upstream_dns = [ - "1.1.1.1" - "1.0.0.1" - ]; - }; - filtering = { - protection_enabled = true; - filtering_enabled = true; - safe_search = { - enabled = false; - }; - }; - }; - }; - - virtualisation.docker = { - enable = true; - }; - - services.openssh = { - enable = true; - settings = { - PermitRootLogin = "prohibit-password"; - PasswordAuthentication = false; - }; - }; - - fileSystems."/" = { - device = "/dev/disk/by-label/NIXROOT"; - fsType = "ext4"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-label/NIXBOOT"; - fsType = "vfat"; - }; - - networking = { - hostName = hostname; - useDHCP = false; - interfaces.eno1.ipv4.addresses = [ - { - address = "192.168.1.10"; - prefixLength = 24; - } - ]; - defaultGateway = "192.168.1.1"; - nameservers = ["1.1.1.1"]; - firewall = { - enable = true; - trustedInterfaces = ["eno1" "tailscale0"]; - allowedUDPPorts = [config.services.tailscale.port]; - allowedTCPPorts = [22 5555]; - checkReversePath = "loose"; - }; - }; - - sops.secrets = { - tahani-syncthing-cert = { - sopsFile = ../../secrets/tahani-syncthing-cert; - format = "binary"; - owner = user; - path = "/home/${user}/.config/syncthing/cert.pem"; - }; - tahani-syncthing-key = { - sopsFile = ../../secrets/tahani-syncthing-key; - format = "binary"; - owner = user; - path = "/home/${user}/.config/syncthing/key.pem"; - }; - tahani-paperless-password = { - sopsFile = ../../secrets/tahani-paperless-password; - format = "binary"; - }; - }; - - services.syncthing.settings.folders = { - "Projects/Personal" = { - path = "/home/${user}/Projects/Personal"; - devices = ["tahani" "jason"]; - }; - "Projects/Work" = { - path = "/home/${user}/Projects/Work"; - devices = ["tahani" "chidi"]; - }; - }; - - services.redis.servers.paperless = { - enable = true; - port = 6379; - bind = "127.0.0.1"; - settings = 
{ - maxmemory = "256mb"; - maxmemory-policy = "allkeys-lru"; - }; - }; - - services.paperless = { - enable = true; - address = "0.0.0.0"; - passwordFile = config.sops.secrets.tahani-paperless-password.path; - settings = { - PAPERLESS_DBENGINE = "sqlite"; - PAPERLESS_REDIS = "redis://127.0.0.1:6379"; - PAPERLESS_CONSUMER_IGNORE_PATTERN = [ - ".DS_STORE/*" - "desktop.ini" - ]; - PAPERLESS_OCR_LANGUAGE = "deu+eng"; - }; - }; + virtualisation.docker.enable = true; } diff --git a/hosts/tahani/networking.nix b/hosts/tahani/networking.nix new file mode 100644 index 0000000..a519902 --- /dev/null +++ b/hosts/tahani/networking.nix @@ -0,0 +1,31 @@ +{config, hostname, ...}: { + networking = { + hostName = hostname; + useDHCP = false; + interfaces.eno1.ipv4.addresses = [ + { + address = "192.168.1.10"; + prefixLength = 24; + } + ]; + defaultGateway = "192.168.1.1"; + nameservers = ["1.1.1.1"]; + firewall = { + enable = true; + trustedInterfaces = ["eno1" "tailscale0"]; + allowedUDPPorts = [config.services.tailscale.port]; + allowedTCPPorts = [22 5555]; + checkReversePath = "loose"; + }; + }; + + fileSystems."/" = { + device = "/dev/disk/by-label/NIXROOT"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-label/NIXBOOT"; + fsType = "vfat"; + }; +} diff --git a/hosts/tahani/openssh.nix b/hosts/tahani/openssh.nix new file mode 100644 index 0000000..7295e35 --- /dev/null +++ b/hosts/tahani/openssh.nix @@ -0,0 +1,9 @@ +{...}: { + services.openssh = { + enable = true; + settings = { + PermitRootLogin = "prohibit-password"; + PasswordAuthentication = false; + }; + }; +} diff --git a/hosts/tahani/paperless.nix b/hosts/tahani/paperless.nix new file mode 100644 index 0000000..0ca3a5f --- /dev/null +++ b/hosts/tahani/paperless.nix 
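Review bot: In the new `hosts/tahani/networking.nix`, `trustedInterfaces = ["eno1" "tailscale0"]` exempts all traffic arriving on the LAN interface from filtering, so `allowedTCPPorts = [22 5555]` and `allowedUDPPorts = [config.services.tailscale.port]` never apply to `eno1`; on this host they would only matter for a non-trusted interface such as the bridge Docker creates. If exposing every service to the LAN is intended, a comment such as `# eno1 is trusted: the allowed*Ports lists below do not apply to LAN traffic` keeps the lists from being mistaken for the effective policy; if not, drop `eno1` from `trustedInterfaces` and enumerate the LAN-facing ports instead. `nameservers = ["1.1.1.1"]` also means this host bypasses the AdGuard Home resolver it runs, which may be intended but deserves a comment.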
@@ -0,0 +1,26 @@
+{config, ...}: {
+ services.redis.servers.paperless = {
+ enable = true;
+ port = 6379;
+ bind = "127.0.0.1";
+ settings = {
+ maxmemory = "256mb";
+ maxmemory-policy = "allkeys-lru";
+ };
+ };
+
+ services.paperless = {
+ enable = true;
+ address = "0.0.0.0";
+ passwordFile = config.sops.secrets.tahani-paperless-password.path;
+ settings = {
+ PAPERLESS_DBENGINE = "sqlite";
+ PAPERLESS_REDIS = "redis://127.0.0.1:6379";
+ PAPERLESS_CONSUMER_IGNORE_PATTERN = [
+ ".DS_STORE/*"
+ "desktop.ini"
+ ];
+ PAPERLESS_OCR_LANGUAGE = "deu+eng";
+ };
+ };
+}
diff --git a/hosts/tahani/secrets.nix b/hosts/tahani/secrets.nix
new file mode 100644
index 0000000..fc28381
--- /dev/null
+++ b/hosts/tahani/secrets.nix
@@ -0,0 +1,20 @@
+{user, ...}: {
+ sops.secrets = {
+ tahani-syncthing-cert = {
+ sopsFile = ../../secrets/tahani-syncthing-cert;
+ format = "binary";
+ owner = user;
+ path = "/home/${user}/.config/syncthing/cert.pem";
+ };
+ tahani-syncthing-key = {
+ sopsFile = ../../secrets/tahani-syncthing-key;
+ format = "binary";
+ owner = user;
+ path = "/home/${user}/.config/syncthing/key.pem";
+ };
+ tahani-paperless-password = {
+ sopsFile = ../../secrets/tahani-paperless-password;
+ format = "binary";
+ };
+ };
+}
diff --git a/hosts/tahani/syncthing.nix b/hosts/tahani/syncthing.nix
new file mode 100644
index 0000000..dab632d
--- /dev/null
+++ b/hosts/tahani/syncthing.nix
@@ -0,0 +1,12 @@
+{user, ...}: {
+ services.syncthing.settings.folders = {
+ "Projects/Personal" = {
+ path = "/home/${user}/Projects/Personal";
+ devices = ["tahani" "jason"];
+ };
+ "Projects/Work" = {
+ path = "/home/${user}/Projects/Work";
+ devices = ["tahani" "chidi"];
+ };
+ };
+}
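Review bot: `PAPERLESS_REDIS = "redis://127.0.0.1:6379"` in the new `hosts/tahani/paperless.nix` restates the `bind` and `port` configured on the Redis server a few lines above, so changing either would not be reflected; `PAPERLESS_REDIS = "redis://127.0.0.1:${toString config.services.redis.servers.paperless.port}";` derives it from the option instead. `address = "0.0.0.0"` makes the Paperless web interface listen on every interface, and because `hosts/tahani/networking.nix` trusts `eno1` it is reachable from the whole LAN with only the sops-provided admin password in front of it; if that is intended, a one-line comment on the `address` line recording the decision would help. `passwordFile` also relies on `./secrets.nix` being imported alongside this file, which a comment on that line could state.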