refactor

hosts/chidi/default.nix

@@ -6,6 +6,8 @@
 	...
 }: {
 	imports = [
+		./secrets.nix
+		./syncthing.nix
 		../../modules/syncthing.nix
 		../../profiles/core.nix
 		../../profiles/darwin.nix
@@ -19,30 +21,6 @@
 	networking.hostName = "chidi";
 	networking.computerName = "Chidi";
 
-	sops.age.keyFile = "/Users/${user}/.config/sops/age/keys.txt";
-
-	sops.secrets = {
-		chidi-syncthing-cert = {
-			sopsFile = ../../secrets/chidi-syncthing-cert;
-			format = "binary";
-			owner = user;
-			path = "/Users/${user}/.config/syncthing/cert.pem";
-		};
-		chidi-syncthing-key = {
-			sopsFile = ../../secrets/chidi-syncthing-key;
-			format = "binary";
-			owner = user;
-			path = "/Users/${user}/.config/syncthing/key.pem";
-		};
-	};
-
-	services.syncthing.settings.folders = {
-		"Projects/Work" = {
-			path = "/Users/${user}/Projects/Work";
-			devices = ["tahani" "chidi"];
-		};
-	};
-
 	home-manager.users.${user} = {
 		imports = [
 			inputs.nixvim.homeModules.nixvim

hosts/chidi/secrets.nix

@@ -0,0 +1,18 @@
+{user, ...}: {
+	sops.age.keyFile = "/Users/${user}/.config/sops/age/keys.txt";
+
+	sops.secrets = {
+		chidi-syncthing-cert = {
+			sopsFile = ../../secrets/chidi-syncthing-cert;
+			format = "binary";
+			owner = user;
+			path = "/Users/${user}/.config/syncthing/cert.pem";
+		};
+		chidi-syncthing-key = {
+			sopsFile = ../../secrets/chidi-syncthing-key;
+			format = "binary";
+			owner = user;
+			path = "/Users/${user}/.config/syncthing/key.pem";
+		};
+	};
+}

hosts/chidi/syncthing.nix

@@ -0,0 +1,8 @@
+{user, ...}: {
+	services.syncthing.settings.folders = {
+		"Projects/Work" = {
+			path = "/Users/${user}/Projects/Work";
+			devices = ["tahani" "chidi"];
+		};
+	};
+}

hosts/jason/default.nix

@@ -4,6 +4,8 @@
 	...
 }: {
 	imports = [
+		./secrets.nix
+		./syncthing.nix
 		../../modules/syncthing.nix
 		../../profiles/core.nix
 		../../profiles/darwin.nix
@@ -17,32 +19,6 @@
 	networking.hostName = "jason";
 	networking.computerName = "Jason";
 
-	services.syncthing.settings.folders = {
-		"Projects/Personal" = {
-			path = "/Users/${user}/Projects/Personal";
-			devices = ["tahani" "jason"];
-		};
-	};
-
-	sops.age.keyFile = "/Users/${user}/.config/sops/age/keys.txt";
-	sops.age.sshKeyPaths = [];
-	sops.gnupg.sshKeyPaths = [];
-
-	sops.secrets = {
-		jason-syncthing-cert = {
-			sopsFile = ../../secrets/jason-syncthing-cert;
-			format = "binary";
-			owner = user;
-			path = "/Users/${user}/.config/syncthing/cert.pem";
-		};
-		jason-syncthing-key = {
-			sopsFile = ../../secrets/jason-syncthing-key;
-			format = "binary";
-			owner = user;
-			path = "/Users/${user}/.config/syncthing/key.pem";
-		};
-	};
-
 	home-manager.users.${user} = {
 		imports = [
 			inputs.nixvim.homeModules.nixvim

hosts/jason/secrets.nix

@@ -0,0 +1,20 @@
+{user, ...}: {
+	sops.age.keyFile = "/Users/${user}/.config/sops/age/keys.txt";
+	sops.age.sshKeyPaths = [];
+	sops.gnupg.sshKeyPaths = [];
+
+	sops.secrets = {
+		jason-syncthing-cert = {
+			sopsFile = ../../secrets/jason-syncthing-cert;
+			format = "binary";
+			owner = user;
+			path = "/Users/${user}/.config/syncthing/cert.pem";
+		};
+		jason-syncthing-key = {
+			sopsFile = ../../secrets/jason-syncthing-key;
+			format = "binary";
+			owner = user;
+			path = "/Users/${user}/.config/syncthing/key.pem";
+		};
+	};
+}

hosts/jason/syncthing.nix

@@ -0,0 +1,8 @@
+{user, ...}: {
+	services.syncthing.settings.folders = {
+		"Projects/Personal" = {
+			path = "/Users/${user}/Projects/Personal";
+			devices = ["tahani" "jason"];
+		};
+	};
+}

hosts/michael/default.nix

@@ -11,6 +11,8 @@
 		(modulesPath + "/profiles/qemu-guest.nix")
 		./disk-config.nix
 		./hardware-configuration.nix
+		./openssh.nix
+		./secrets.nix
 		../../profiles/core.nix
 		../../profiles/fail2ban.nix
 		../../profiles/gitea.nix
@@ -20,11 +22,6 @@
 		inputs.sops-nix.nixosModules.sops
 	];
 
-	sops.secrets.litestream = {
-		sopsFile = ../../secrets/michael-litestream;
-		format = "binary";
-	};
-
 	home-manager.users.${user} = {
 		pkgs,
 		lib,
@@ -52,13 +49,5 @@
 		];
 	};
 
-	services.openssh = {
-		enable = true;
-		settings = {
-			PermitRootLogin = "yes";
-			PasswordAuthentication = false;
-		};
-	};
-
 	networking.hostName = hostname;
 }

hosts/michael/openssh.nix

@@ -0,0 +1,9 @@
+{...}: {
+	services.openssh = {
+		enable = true;
+		settings = {
+			PermitRootLogin = "yes";
+			PasswordAuthentication = false;
+		};
+	};
+}

hosts/michael/secrets.nix

@@ -0,0 +1,6 @@
+{...}: {
+	sops.secrets.litestream = {
+		sopsFile = ../../secrets/michael-litestream;
+		format = "binary";
+	};
+}

hosts/mindy/default.nix

@@ -11,6 +11,9 @@
 		(modulesPath + "/profiles/qemu-guest.nix")
 		./disk-config.nix
 		./hardware-configuration.nix
+		./openssh.nix
+		./pgbackrest.nix
+		./secrets.nix
 		../../modules/pgbackrest.nix
 		../../profiles/core.nix
 		../../profiles/fail2ban.nix
@@ -21,19 +24,6 @@
 		inputs.sops-nix.nixosModules.sops
 	];
 
-	sops.secrets.mindy-pgbackrest = {
-		sopsFile = ../../secrets/mindy-pgbackrest;
-		format = "binary";
-		owner = "postgres";
-		group = "postgres";
-	};
-
-	my.pgbackrest = {
-		enable = true;
-		secretFile = "/run/secrets/mindy-pgbackrest";
-		s3.bucket = "mindy-pgbackrest";
-	};
-
 	home-manager.users.${user} = {
 		pkgs,
 		lib,
@@ -61,14 +51,6 @@
 		];
 	};
 
-	services.openssh = {
-		enable = true;
-		settings = {
-			PermitRootLogin = "yes";
-			PasswordAuthentication = false;
-		};
-	};
-
 	virtualisation.docker.enable = true;
 
 	networking.hostName = hostname;

hosts/mindy/openssh.nix

@@ -0,0 +1,9 @@
+{...}: {
+	services.openssh = {
+		enable = true;
+		settings = {
+			PermitRootLogin = "yes";
+			PasswordAuthentication = false;
+		};
+	};
+}

hosts/mindy/pgbackrest.nix

@@ -0,0 +1,7 @@
+{...}: {
+	my.pgbackrest = {
+		enable = true;
+		secretFile = "/run/secrets/mindy-pgbackrest";
+		s3.bucket = "mindy-pgbackrest";
+	};
+}

hosts/mindy/secrets.nix

@@ -0,0 +1,8 @@
+{...}: {
+	sops.secrets.mindy-pgbackrest = {
+		sopsFile = ../../secrets/mindy-pgbackrest;
+		format = "binary";
+		owner = "postgres";
+		group = "postgres";
+	};
+}

hosts/tahani/adguardhome.nix

@@ -0,0 +1,21 @@
+{...}: {
+	services.adguardhome = {
+		enable = true;
+		port = 10000;
+		settings = {
+			dns = {
+				upstream_dns = [
+					"1.1.1.1"
+					"1.0.0.1"
+				];
+			};
+			filtering = {
+				protection_enabled = true;
+				filtering_enabled = true;
+				safe_search = {
+					enabled = false;
+				};
+			};
+		};
+	};
+}

hosts/tahani/default.nix

@@ -1,12 +1,17 @@
 {
-	config,
-	hostname,
-	user,
 	inputs,
+	pkgs,
+	user,
 	constants,
 	...
 }: {
 	imports = [
+		./adguardhome.nix
+		./networking.nix
+		./openssh.nix
+		./paperless.nix
+		./secrets.nix
+		./syncthing.nix
 		../../profiles/core.nix
 		../../profiles/nixos.nix
 		../../profiles/syncthing.nix
@@ -54,120 +59,5 @@
 		programs.git.settings.user.email = "christoph@schmatzler.com";
 	};
 
-	services.adguardhome = {
-		enable = true;
-		port = 10000;
-		settings = {
-			dns = {
-				upstream_dns = [
-					"1.1.1.1"
-					"1.0.0.1"
-				];
-			};
-			filtering = {
-				protection_enabled = true;
-				filtering_enabled = true;
-				safe_search = {
-					enabled = false;
-				};
-			};
-		};
-	};
-
-	virtualisation.docker = {
-		enable = true;
-	};
-
-	services.openssh = {
-		enable = true;
-		settings = {
-			PermitRootLogin = "prohibit-password";
-			PasswordAuthentication = false;
-		};
-	};
-
-	fileSystems."/" = {
-		device = "/dev/disk/by-label/NIXROOT";
-		fsType = "ext4";
-	};
-
-	fileSystems."/boot" = {
-		device = "/dev/disk/by-label/NIXBOOT";
-		fsType = "vfat";
-	};
-
-	networking = {
-		hostName = hostname;
-		useDHCP = false;
-		interfaces.eno1.ipv4.addresses = [
-			{
-				address = "192.168.1.10";
-				prefixLength = 24;
-			}
-		];
-		defaultGateway = "192.168.1.1";
-		nameservers = ["1.1.1.1"];
-		firewall = {
-			enable = true;
-			trustedInterfaces = ["eno1" "tailscale0"];
-			allowedUDPPorts = [config.services.tailscale.port];
-			allowedTCPPorts = [22 5555];
-			checkReversePath = "loose";
-		};
-	};
-
-	sops.secrets = {
-		tahani-syncthing-cert = {
-			sopsFile = ../../secrets/tahani-syncthing-cert;
-			format = "binary";
-			owner = user;
-			path = "/home/${user}/.config/syncthing/cert.pem";
-		};
-		tahani-syncthing-key = {
-			sopsFile = ../../secrets/tahani-syncthing-key;
-			format = "binary";
-			owner = user;
-			path = "/home/${user}/.config/syncthing/key.pem";
-		};
-		tahani-paperless-password = {
-			sopsFile = ../../secrets/tahani-paperless-password;
-			format = "binary";
-		};
-	};
-
-	services.syncthing.settings.folders = {
-		"Projects/Personal" = {
-			path = "/home/${user}/Projects/Personal";
-			devices = ["tahani" "jason"];
-		};
-		"Projects/Work" = {
-			path = "/home/${user}/Projects/Work";
-			devices = ["tahani" "chidi"];
-		};
-	};
-
-	services.redis.servers.paperless = {
-		enable = true;
-		port = 6379;
-		bind = "127.0.0.1";
-		settings = {
-			maxmemory = "256mb";
-			maxmemory-policy = "allkeys-lru";
-		};
-	};
-
-	services.paperless = {
-		enable = true;
-		address = "0.0.0.0";
-		passwordFile = config.sops.secrets.tahani-paperless-password.path;
-		settings = {
-			PAPERLESS_DBENGINE = "sqlite";
-			PAPERLESS_REDIS = "redis://127.0.0.1:6379";
-			PAPERLESS_CONSUMER_IGNORE_PATTERN = [
-				".DS_STORE/*"
-				"desktop.ini"
-			];
-			PAPERLESS_OCR_LANGUAGE = "deu+eng";
-		};
-	};
+	virtualisation.docker.enable = true;
 }

hosts/tahani/networking.nix

@@ -0,0 +1,31 @@
+{config, hostname, ...}: {
+	networking = {
+		hostName = hostname;
+		useDHCP = false;
+		interfaces.eno1.ipv4.addresses = [
+			{
+				address = "192.168.1.10";
+				prefixLength = 24;
+			}
+		];
+		defaultGateway = "192.168.1.1";
+		nameservers = ["1.1.1.1"];
+		firewall = {
+			enable = true;
+			trustedInterfaces = ["eno1" "tailscale0"];
+			allowedUDPPorts = [config.services.tailscale.port];
+			allowedTCPPorts = [22 5555];
+			checkReversePath = "loose";
+		};
+	};
+
+	fileSystems."/" = {
+		device = "/dev/disk/by-label/NIXROOT";
+		fsType = "ext4";
+	};
+
+	fileSystems."/boot" = {
+		device = "/dev/disk/by-label/NIXBOOT";
+		fsType = "vfat";
+	};
+}

hosts/tahani/openssh.nix

@@ -0,0 +1,9 @@
+{...}: {
+	services.openssh = {
+		enable = true;
+		settings = {
+			PermitRootLogin = "prohibit-password";
+			PasswordAuthentication = false;
+		};
+	};
+}

hosts/tahani/paperless.nix

@@ -0,0 +1,26 @@
+{config, ...}: {
+	services.redis.servers.paperless = {
+		enable = true;
+		port = 6379;
+		bind = "127.0.0.1";
+		settings = {
+			maxmemory = "256mb";
+			maxmemory-policy = "allkeys-lru";
+		};
+	};
+
+	services.paperless = {
+		enable = true;
+		address = "0.0.0.0";
+		passwordFile = config.sops.secrets.tahani-paperless-password.path;
+		settings = {
+			PAPERLESS_DBENGINE = "sqlite";
+			PAPERLESS_REDIS = "redis://127.0.0.1:6379";
+			PAPERLESS_CONSUMER_IGNORE_PATTERN = [
+				".DS_STORE/*"
+				"desktop.ini"
+			];
+			PAPERLESS_OCR_LANGUAGE = "deu+eng";
+		};
+	};
+}

hosts/tahani/secrets.nix

@@ -0,0 +1,20 @@
+{user, ...}: {
+	sops.secrets = {
+		tahani-syncthing-cert = {
+			sopsFile = ../../secrets/tahani-syncthing-cert;
+			format = "binary";
+			owner = user;
+			path = "/home/${user}/.config/syncthing/cert.pem";
+		};
+		tahani-syncthing-key = {
+			sopsFile = ../../secrets/tahani-syncthing-key;
+			format = "binary";
+			owner = user;
+			path = "/home/${user}/.config/syncthing/key.pem";
+		};
+		tahani-paperless-password = {
+			sopsFile = ../../secrets/tahani-paperless-password;
+			format = "binary";
+		};
+	};
+}

hosts/tahani/syncthing.nix

@@ -0,0 +1,12 @@
+{user, ...}: {
+	services.syncthing.settings.folders = {
+		"Projects/Personal" = {
+			path = "/home/${user}/Projects/Personal";
+			devices = ["tahani" "jason"];
+		};
+		"Projects/Work" = {
+			path = "/home/${user}/Projects/Work";
+			devices = ["tahani" "chidi"];
+		};
+	};
+}