diff --git a/flake.nix b/flake.nix
index 9a17351..d0ae4f4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -9,12 +9,10 @@
 extra-substituters = [
 "https://cache.nixos.org"
 "https://nix-community.cachix.org"
- "https://catppuccin.cachix.org"
 ];
 extra-trusted-public-keys = [
 "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
 "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
- "catppuccin.cachix.org-1:noG/4HkbhJb+lUAdKrph6LaozJvAeEEZj4N732IysmU="
 ];
 };

@@ -46,10 +44,17 @@
 url = "github:h-banii/youtube-music-nix";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+
+ attic = {
+ url = "github:zhaofengli/attic";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };

 outputs = {flake-parts, ...} @ inputs:
 flake-parts.lib.mkFlake {inherit inputs;} {
+ debug = true;
+
 imports = [
 ./modules/flake
 ];
diff --git a/homes/x86_64-linux/jo/default.nix b/homes/x86_64-linux/jo/default.nix
index 6fee357..a8ba242 100644
--- a/homes/x86_64-linux/jo/default.nix
+++ b/homes/x86_64-linux/jo/default.nix
@@ -38,7 +38,6 @@
 ## RUNTIMES and CLIs for development
 bun
 git
- attic-client
 ];

 home.stateVersion = "25.05";
diff --git a/modules/flake/systems.nix b/modules/flake/systems.nix
index 97be68f..2538911 100644
--- a/modules/flake/systems.nix
+++ b/modules/flake/systems.nix
@@ -17,6 +17,7 @@
 (lib.optionals (class == "nixos") [
 inputs.home-manager.nixosModules.default
 inputs.sops-nix.nixosModules.sops
+ inputs.attic.nixosModules.atticd
 ])
 ++ (self.lib.dirToModuleList ../${class}); # Import modules based on current classname.
 };
diff --git a/modules/nixos/archetypes/server/default.nix b/modules/nixos/archetypes/server/default.nix
index 4ee1041..222e633 100644
--- a/modules/nixos/archetypes/server/default.nix
+++ b/modules/nixos/archetypes/server/default.nix
@@ -34,8 +34,5 @@ in {

 # Enable SSH for remote login
 services.openssh.enable = true;
-
- # SSH rate-limiting and bans
- services.fail2ban.enable = true;
 };
 }
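Review bot: `debug = true;` added under `mkFlake` reads like a local troubleshooting switch left in the commit; if I recall the flake-parts option correctly it adds a `debug` output that exposes the evaluated module configuration to anyone who can evaluate the flake, and nothing in the hunk says it is meant to stay. Drop the line, or keep it with a reason attached, e.g. `debug = true; # keep: exposes the flake-parts debug output for inspecting module options`. The new `attic` input follows `nixpkgs` like the neighbouring `youtube-music-nix` input, which is consistent.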
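Review bot: Removing `services.fail2ban.enable = true;` leaves `services.openssh.enable = true;` two lines up with no brute-force mitigation in the server archetype, and the hunk provides no replacement or comment. If the removal is intentional, at least turn off password logins on the exposed port, `services.openssh.settings.PasswordAuthentication = false;` next to the enable line, with a comment noting why fail2ban went away. The enclosing `config` block begins outside the hunk, so a compensating setting may exist elsewhere in the file, but nothing in the diff shows one.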
diff --git a/modules/nixos/archetypes/workstation/default.nix b/modules/nixos/archetypes/workstation/default.nix
index c8985ed..5f5b07d 100644
--- a/modules/nixos/archetypes/workstation/default.nix
+++ b/modules/nixos/archetypes/workstation/default.nix
@@ -34,7 +34,7 @@ in {
 nix = {
 enable = true;
 use-lix = true;
- use-nixld = true;
+ use-nixld = true;
 };
 };

diff --git a/modules/nixos/services/atticd/default.nix b/modules/nixos/services/atticd/default.nix
index f4acb99..1f60aa8 100644
--- a/modules/nixos/services/atticd/default.nix
+++ b/modules/nixos/services/atticd/default.nix
@@ -4,7 +4,7 @@
 config,
 ...
 }: let
- inherit (lib) mkEnableOption mkIf types;
+ inherit (lib) mkEnableOption mkIf;
 inherit (self) namespace;
 inherit (self.lib) mkOpt;

@@ -12,13 +12,13 @@
 in {
 options.${namespace}.services.atticd = {
 enable = mkEnableOption "the attic service, a multi-tenant nix binary cache.";
- sopsFile = mkOpt types.path null "The location of the sops secret file for the Atticd service.";
+ sopsFile = mkOpt types.str null "The location of the sops secret file for the Atticd service.";
 sopsFormat = mkOpt types.str null "The format of the sops secret file for the Atticd service.";
 subdomain = mkOpt types.str "cache" "The subdomain, of the system domain, the service should be exposed on.";
 };

 config = mkIf cfg.enable {
- sops.secrets."services/atticd" = {
+ config.sops.secrets."services/atticd" = {
 sopsFile = cfg.sopsFile;
 format = cfg.sopsFormat;
 };
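Review bot: The new `inherit (lib) mkEnableOption mkIf;` drops `types`, but the options block in the next hunk still evaluates `mkOpt types.str null ...` three times, so the module fails with an undefined-variable error for `types` on first evaluation. Either keep it in scope, `inherit (lib) mkEnableOption mkIf types;`, or write `lib.types.str` at the use sites. The traefik module makes the same removal (and additionally drops `inherit (self.lib) mkOpt;`) while its options block still uses both names.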
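Review bot: `config.sops.secrets."services/atticd" = {` sits inside `config = mkIf cfg.enable { ... }`, so it defines an attribute named `config` within the module's config set, which the module system rejects as an undeclared option instead of declaring the sops secret; the line should stay `sops.secrets."services/atticd" = {`. The `sopsFile` option is also narrowed from `types.path` to `types.str`, which rejects the path literal the only visible caller passed (`./secrets/atticd.env` in the absolutesolver hunk, itself removed by this diff) and means the secret location is no longer a checked path copied into the store but whatever absolute string the host is given. The same `types.path` → `types.str` change is made to `sopsFile` in the duckdns, traefik and vaultwarden modules and to `configDir` in homepage; if string values are really wanted, the option descriptions (still "The location of the sops secret file ...") should say an absolute path string is expected.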
@@ -38,23 +38,15 @@ in {
 avg-size = 64 * 1024; # 64 KiB
 max-size = 256 * 1024; # 256 KiB
 };
-
- compression = {
- type = "zstd";
- level = 12;
- };
-
- garbage-collection.interval = "8 hours";
 };
 };

 services.traefik.dynamicConfigOptions = {
 http = {
- services.atticd.loadBalancer.servers = [{url = "http://localhost:3900";}];
+ services.atticd.loadBalancer.server.url = "http://localhost:3900";
 routers.atticd = {
- entryPoints = ["websecure"];
- service = "atticd";
- rule = "Host(`${cfg.subdomain}.${config.${namespace}.services.domain}`)";
+ entrypoints = ["websecure"];
+ rule = "Host(`${cfg.subdomain}.${config.services.domain}`)";
 };
 };
 };
diff --git a/modules/nixos/services/default.nix b/modules/nixos/services/default.nix
index 9aa339a..6c1ec3c 100644
--- a/modules/nixos/services/default.nix
+++ b/modules/nixos/services/default.nix
@@ -9,6 +9,5 @@
 in {
 options.${namespace}.services = {
 domain = mkOpt types.str "thevoid.cafe" "The main system domain, used for exposing services.";
- mail = mkOpt types.str "system@thevoid.cafe" "The main system administration E-Mail, used for logs and services.";
 };
 }
diff --git a/modules/nixos/services/duckdns/default.nix b/modules/nixos/services/duckdns/default.nix
index c419804..f40fca5 100644
--- a/modules/nixos/services/duckdns/default.nix
+++ b/modules/nixos/services/duckdns/default.nix
@@ -12,7 +12,7 @@
 in {
 options.${namespace}.services.duckdns = {
 enable = mkEnableOption "DuckDNS, the dynamic dns service. Will periodically refresh your IP.";
- sopsFile = mkOpt types.path null "The location of the sops secret file for the DuckDNS service.";
+ sopsFile = mkOpt types.str null "The location of the sops secret file for the DuckDNS service.";
 sopsFormat = mkOpt types.str null "The format of the sops secret file for the DuckDNS service.";
 };

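Review bot: `services.atticd.loadBalancer.server.url = ...` replaces Traefik's `servers` list with a `server.url` key that, as far as I know, the file provider does not accept for an HTTP service (`servers = [{url = ...;}]` is the documented shape), and the router below loses its `service = "atticd";` line, leaving `routers.atticd` with no backend to send requests to. The rule now reads `config.services.domain`, but the option is declared as `options.${namespace}.services.domain` in the services/default.nix hunk of this same diff, so that attribute will not resolve; the homepage and vaultwarden hunks make the same `config.${namespace}.services.domain` → `config.services.domain` substitution in their router rules and in `HOMEPAGE_ALLOWED_HOSTS`. Keep `servers = [{url = "http://localhost:3900";}];`, restore `service = "atticd";`, and keep the namespaced `domain` reference. The `entryPoints` → `entrypoints` rename is probably harmless because Traefik matches configuration keys case-insensitively, I believe, but it diverges from the spelling Traefik documents. The enclosing `config = mkIf cfg.enable { ... }` block starts outside the hunk.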
@@ -25,7 +25,7 @@ in {
 virtualisation.oci-containers.containers.duckdns = {
 image = "lscr.io/linuxserver/duckdns:latest";
 autoStart = true;
- hostname = config.networking.hostName;
+ hostname = config.networking.hostname;
 environmentFiles = [
 config.sops.secrets.duckdns.path
 ];
diff --git a/modules/nixos/services/homepage/default.nix b/modules/nixos/services/homepage/default.nix
index b51a220..1ce24dc 100644
--- a/modules/nixos/services/homepage/default.nix
+++ b/modules/nixos/services/homepage/default.nix
@@ -13,7 +13,7 @@ in {
 options.${namespace}.services.homepage = {
 enable = mkEnableOption "Homepage, an intuitive dashboard for your services.";
 subdomain = mkOpt types.str "home" "The subdomain, of the system domain, the service should be exposed on.";
- configDir = mkOpt types.path null "The config directory, which will be copied to the Homepage directory during compilation.";
+ configDir = mkOpt types.str null "The config directory, which will be copied to the Homepage directory during compilation.";
 };

 config = mkIf cfg.enable {
@@ -31,11 +31,11 @@ in {
 virtualisation.oci-containers.containers.homepage = {
 image = "ghcr.io/gethomepage/homepage:latest";
 autoStart = true;
- hostname = config.networking.hostName;
+ hostname = config.networking.hostname;
 labels = {
 "traefik.enable" = "true";
 "traefik.http.routers.homepage.entrypoints" = "websecure";
- "traefik.http.routers.homepage.rule" = "Host(`${cfg.subdomain}.${config.${namespace}.services.domain}`)";
+ "traefik.http.routers.homepage.rule" = "Host(`${cfg.subdomain}.${config.services.domain}`)";
 "traefik.http.services.homepage.loadbalancer.server.port" = "3000";
 };
 volumes = [
@@ -46,7 +46,7 @@ in {
 "/var/run/docker.sock:/var/run/docker.sock:ro"
 ];
 environment = {
- "HOMEPAGE_ALLOWED_HOSTS" = "${cfg.subdomain}.${config.${namespace}.services.domain}";
+ "HOMEPAGE_ALLOWED_HOSTS" = "${cfg.subdomain}.${config.services.domain}";
 };
 extraOptions = ["--network=proxy"];
 };
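Review bot: `hostname = config.networking.hostname;` reads an option that does not exist; the NixOS option is `networking.hostName` (camel-cased), which is exactly what the replaced line used, so evaluation of the duckdns container stops with a missing-attribute error. The homepage and vaultwarden container hunks apply the same rename and need the same revert, `hostname = config.networking.hostName;`. The enclosing `config = mkIf cfg.enable { ... }` block begins outside the hunk.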
diff --git a/modules/nixos/services/traefik/default.nix b/modules/nixos/services/traefik/default.nix
index 454751e..7d00513 100644
--- a/modules/nixos/services/traefik/default.nix
+++ b/modules/nixos/services/traefik/default.nix
@@ -4,15 +4,14 @@
 config,
 ...
 }: let
- inherit (lib) mkEnableOption mkIf types;
+ inherit (lib) mkEnableOption mkIf;
 inherit (self) namespace;
- inherit (self.lib) mkOpt;

 cfg = config.${namespace}.services.traefik;
 in {
 options.${namespace}.services.traefik = {
 enable = mkEnableOption "the Traefik service.";
- sopsFile = mkOpt types.path null "The location of the sops secret file for the Traefik service.";
+ sopsFile = mkOpt types.str null "The location of the sops secret file for the Traefik service.";
 sopsFormat = mkOpt types.str null "The format of the sops secret file for the Traefik service.";
 };

@@ -58,7 +57,7 @@ in {
 certificatesResolvers = {
 letsencrypt = {
 acme = {
- email = config.${namespace}.services.mail;
+ email = cfg.cloudflareEmail;
 storage = "/var/lib/traefik/acme.json";
 #caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"; # Uncomment this when testing stuff!
 dnsChallenge = {
diff --git a/modules/nixos/services/vaultwarden/default.nix b/modules/nixos/services/vaultwarden/default.nix
index 1725ade..be7e0b1 100644
--- a/modules/nixos/services/vaultwarden/default.nix
+++ b/modules/nixos/services/vaultwarden/default.nix
@@ -12,7 +12,7 @@
 in {
 options.${namespace}.services.vaultwarden = {
 enable = mkEnableOption "Vaultwarden, a self-hostable password manager.";
- sopsFile = mkOpt types.path null "The location of the sops secret file for the Vaultwarden service.";
+ sopsFile = mkOpt types.str null "The location of the sops secret file for the Vaultwarden service.";
 sopsFormat = mkOpt types.str null "The format of the sops secret file for the Vaultwarden service.";
 subdomain = mkOpt types.str "vault" "The subdomain, of the system domain, the service should be exposed on.";
 };
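Review bot: `email = cfg.cloudflareEmail;` references an option that is never declared: the traefik options block in the first hunk of this file declares only `enable`, `sopsFile` and `sopsFormat`, and the value being replaced (`config.${namespace}.services.mail`) is deleted from services/default.nix in this same diff, so evaluation fails with a missing attribute and the ACME resolver is left without a contact address. Declare it next to the other options, for example `cloudflareEmail = mkOpt types.str null "The E-Mail address registered with the ACME account.";` (a constructed description; this also needs `mkOpt` and `types` back in scope after the first hunk removed them), or keep the shared `mail` option. The enclosing attribute set for `certificatesResolvers` begins and ends outside the hunk.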
@@ -31,11 +31,11 @@ in {
 virtualisation.oci-containers.containers.vaultwarden = {
 image = "vaultwarden/server";
 autoStart = true;
- hostname = config.networking.hostName;
+ hostname = config.networking.hostname;
 labels = {
 "traefik.enable" = "true";
 "traefik.http.routers.vaultwarden.entrypoints" = "websecure";
- "traefik.http.routers.vaultwarden.rule" = "Host(`${cfg.subdomain}.${config.${namespace}.services.domain}`)";
+ "traefik.http.routers.vaultwarden.rule" = "Host(`${cfg.subdomain}.${config.services.domain}`)";
 };
 volumes = [
 "/var/lib/containers/vaultwarden/data:/data:rw"
diff --git a/modules/nixos/system/nix/default.nix b/modules/nixos/system/nix/default.nix
index d1205b5..f11ff4b 100644
--- a/modules/nixos/system/nix/default.nix
+++ b/modules/nixos/system/nix/default.nix
@@ -5,9 +5,8 @@
 config,
 ...
 }: let
- inherit (lib) mkEnableOption mkIf types;
+ inherit (lib) mkEnableOption mkIf;
 inherit (self) namespace;
- inherit (self.lib) mkOpt;

 cfg = config.${namespace}.system.nix;
 in {
@@ -15,7 +14,6 @@ in {
 enable = mkEnableOption "Nix configuration overrides.";
 use-lix = mkEnableOption "Lix as an alternative to CppNix.";
 use-nixld = mkEnableOption "the use of dynamically linked executables on nix based systems.";
- trusted-users = mkOpt (types.listOf types.str) ["@wheel"] "List of trusted users for this NixOS system.";
 };

 config = mkIf cfg.enable {
@@ -28,7 +26,6 @@ in {
 keep-outputs = true;
 max-jobs = "auto";
 warn-dirty = false;
- trusted-users = cfg.trusted-users;
 };

 # Garbage collection configuration.
diff --git a/systems/x86_64-nixos/absolutesolver/default.nix b/systems/x86_64-nixos/absolutesolver/default.nix
index 77dcc0d..26c5186 100644
--- a/systems/x86_64-nixos/absolutesolver/default.nix
+++ b/systems/x86_64-nixos/absolutesolver/default.nix
@@ -1,8 +1,4 @@
 {pkgs, ...}: {
- imports = [
- ./hardware.nix
- ];
-
 # Setup Sops
 sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
 sops.age.keyFile = "/var/lib/sops-nix/key.txt";
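Review bot: Dropping the `trusted-users` option together with its `trusted-users = cfg.trusted-users;` assignment in the `nix.settings` hunk means the daemon falls back to the NixOS default, which as far as I recall is root only, so `@wheel` members stop being trusted users. That is a defensible hardening (trusted users can push arbitrary store paths and override daemon settings), but it interacts with `nixConfig.extra-substituters` in flake.nix, which Nix only honours for trusted users or for caches listed in `trusted-substituters`, so wheel users would silently build locally instead of pulling from the cachix caches. A comment at the `nix.settings` block, or a line in the commit message, saying the change is deliberate would save the next reader from re-adding `"@wheel"`.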
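Review bot: Removing `imports = [ ./hardware.nix ];` (and deleting the file further down in this diff) takes `fileSystems."/"`, `fileSystems."/boot"`, `boot.initrd.availableKernelModules` and `nixpkgs.hostPlatform` out of the absolutesolver configuration; unless another module now supplies them, NixOS evaluation stops at the assertion that a root file system must be declared, and the initrd would be built without the storage modules the generated file listed. If the hardware configuration is moving elsewhere, its new location should appear in this diff or be named in the commit message.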
@@ -40,12 +36,6 @@
 enable = true;
 configDir = ./resources/homepage-config;
 };
-
- atticd = {
- enable = true;
- sopsFile = ./secrets/atticd.env;
- sopsFormat = "dotenv";
- };
 };
 };

diff --git a/systems/x86_64-nixos/absolutesolver/hardware.nix b/systems/x86_64-nixos/absolutesolver/hardware.nix
deleted file mode 100644
index 82651b8..0000000
--- a/systems/x86_64-nixos/absolutesolver/hardware.nix
+++ /dev/null
@@ -1,55 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{
- config,
- lib,
- modulesPath,
- ...
-}: {
- imports = [
- (modulesPath + "/installer/scan/not-detected.nix")
- ];
-
- boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usbhid" "uas" "sd_mod"];
- boot.initrd.kernelModules = [];
- boot.kernelModules = ["kvm-intel"];
- boot.extraModulePackages = [];
-
- fileSystems."/" = {
- device = "/dev/disk/by-uuid/5d4f9f57-085f-44a0-b987-bad24ff58769";
- fsType = "btrfs";
- options = ["subvol=@"];
- };
-
- fileSystems."/boot" = {
- device = "/dev/disk/by-uuid/8D0F-2821";
- fsType = "vfat";
- options = ["fmask=0077" "dmask=0077"];
- };
-
- fileSystems."/mnt/storage" = {
- device = "/dev/disk/by-uuid/237eb43e-1e4e-4cb1-873e-6b07f1368f4f";
- fsType = "ext4";
- };
-
- swapDevices = [
- {device = "/dev/disk/by-uuid/42fc926f-f066-48e8-8c07-3627b2ba3cd4";}
- ];
-
- # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
- # (the default) this is the recommended approach. When using systemd-networkd it's
- # still possible to use this option, but it's recommended to use it in conjunction
- # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
- networking.useDHCP = lib.mkDefault true;
- # networking.interfaces.br-32acd0b5b342.useDHCP = lib.mkDefault true;
- # networking.interfaces.docker0.useDHCP = lib.mkDefault true;
- # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
- # networking.interfaces.veth0b3552e.useDHCP = lib.mkDefault true;
- # networking.interfaces.veth3873910.useDHCP = lib.mkDefault true;
- # networking.interfaces.veth9323c9b.useDHCP = lib.mkDefault true;
- # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
- hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}