resilio: modularise properly

This commit is contained in:
Jake Hillion 2023-04-08 15:29:11 +01:00
parent 7a6a0dceed
commit 25ae59d96d
6 changed files with 191 additions and 169 deletions


@ -1,11 +1,6 @@
{ config, pkgs, lib, ... }:
{
config.system.stateVersion = "22.05";
config.networking.hostName = "gendry";
config.networking.domain = "jakehillion-terminals.ts.hillion.co.uk";
imports = [
../../modules/common/default.nix
../../modules/desktop/awesome/default.nix
@ -13,36 +8,68 @@
./bluetooth.nix
./hardware-configuration.nix
./persist.nix
./resilio.nix
];
config.boot.loader.systemd-boot.enable = true;
config.boot.loader.efi.canTouchEfiVariables = true;
config = {
system.stateVersion = "22.05";
## Tailscale
config.age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".file = ../../secrets/tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk.age;
config.tailscalePreAuth = config.age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".path;
networking.hostName = "gendry";
networking.domain = "jakehillion-terminals.ts.hillion.co.uk";
## Password (for interactive logins)
config.age.secrets."passwords/gendry.jakehillion-terminals.ts.hillion.co.uk/jake".file = ../../secrets/passwords/gendry.jakehillion-terminals.ts.hillion.co.uk/jake.age;
config.users.users."jake".passwordFile = config.age.secrets."passwords/gendry.jakehillion-terminals.ts.hillion.co.uk/jake".path;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
config.security.sudo.wheelNeedsPassword = lib.mkForce true;
## Resilio
custom.resilio.enable = true;
## Enable btrfs compression
config.fileSystems."/data".options = [ "compress=zstd" ];
config.fileSystems."/nix".options = [ "compress=zstd" ];
services.resilio.deviceName = "gendry.jakehillion-terminals";
services.resilio.directoryRoot = "/data/sync";
services.resilio.storagePath = "/data/sync/.sync";
## Graphics
config.boot.initrd.kernelModules = [ "amdgpu" ];
config.services.xserver.videoDrivers = [ "amdgpu" ];
custom.resilio.folders =
let
folderNames = [
"dad"
"joseph"
"projects"
"resources"
"sync"
];
mkFolder = name: {
name = name;
secret = {
name = "resilio/plain/${name}";
file = ../../secrets/resilio/plain/${name}.age;
};
};
in
builtins.map (mkFolder) folderNames;
## Spotify
config.home-manager.users.jake.services.spotifyd.settings = {
global = {
device_name = "Gendry";
device_type = "computer";
bitrate = 320;
## Tailscale
age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".file = ../../secrets/tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk.age;
tailscalePreAuth = config.age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".path;
## Password (for interactive logins)
age.secrets."passwords/gendry.jakehillion-terminals.ts.hillion.co.uk/jake".file = ../../secrets/passwords/gendry.jakehillion-terminals.ts.hillion.co.uk/jake.age;
users.users."jake".passwordFile = config.age.secrets."passwords/gendry.jakehillion-terminals.ts.hillion.co.uk/jake".path;
security.sudo.wheelNeedsPassword = lib.mkForce true;
## Enable btrfs compression
fileSystems."/data".options = [ "compress=zstd" ];
fileSystems."/nix".options = [ "compress=zstd" ];
## Graphics
boot.initrd.kernelModules = [ "amdgpu" ];
services.xserver.videoDrivers = [ "amdgpu" ];
## Spotify
home-manager.users.jake.services.spotifyd.settings = {
global = {
device_name = "Gendry";
device_type = "computer";
bitrate = 320;
};
};
};
}
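Review bot: The `## Resilio` header above `custom.resilio.enable = true;` drops the `(Unencrypted)` qualifier that the deleted per-host resilio.nix carried, while the vm host keeps `## Resilio Sync (Encrypted)`, so a reader of this file can no longer tell that the `resilio/plain/*` secrets wired up here are the full keys rather than encrypted-peer keys. Suggest restoring `## Resilio Sync (Unencrypted)` or adding `# plain keys: this host holds a decrypted copy of every folder` next to the `mkFolder` definition. The distinction is otherwise only visible in the secret path segment.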


@ -1,44 +0,0 @@
{ config, pkgs, lib, ... }:
let
folderNames = [
"dad"
"joseph"
"projects"
"resources"
"sync"
];
in
{
imports = [
../../modules/resilio/default.nix
];
## Resilio Sync (Unencrypted)
config.services.resilio.enable = true;
config.services.resilio.deviceName = "gendry.jakehillion-terminals";
config.services.resilio.directoryRoot = "/data/sync";
config.services.resilio.storagePath = "/data/sync/.sync";
config.age.secrets =
let
mkSecret = name: {
name = "resilio/plain/${name}";
value = {
file = ../../secrets/resilio/plain/${name}.age;
owner = "rslsync";
group = "rslsync";
};
};
in
builtins.listToAttrs (builtins.map (mkSecret) folderNames);
config.resilioFolders =
let
mkFolder = name: {
name = name;
secretFile = config.age.secrets."resilio/plain/${name}".path;
};
in
builtins.map (mkFolder) folderNames;
}


@ -1,90 +1,81 @@
{ config, pkgs, lib, ... }:
{
config.system.stateVersion = "22.05";
config.networking.hostName = "vm";
config.networking.domain = "strangervm.ts.hillion.co.uk";
imports = [
../../modules/common/default.nix
../../modules/drone/server.nix
../../modules/matrix/default.nix
../../modules/resilio/default.nix
./hardware-configuration.nix
];
config.boot.loader.grub = {
enable = true;
device = "/dev/sda";
};
config = {
system.stateVersion = "22.05";
## Custom Services
config.custom.www.global.enable = true;
networking.hostName = "vm";
networking.domain = "strangervm.ts.hillion.co.uk";
## Networking
config.networking.interfaces.ens18.ipv4.addresses = [{
address = "10.72.164.3";
prefixLength = 24;
}];
config.networking.defaultGateway = "10.72.164.1";
boot.loader.grub = {
enable = true;
device = "/dev/sda";
};
config.networking.firewall = {
allowedTCPPorts = lib.mkForce [
22 # SSH
];
allowedUDPPorts = lib.mkForce [ ];
interfaces = {
ens18 = {
allowedTCPPorts = lib.mkForce [
80 # HTTP 1-2
443 # HTTPS 1-2
];
allowedUDPPorts = lib.mkForce [
443 # HTTP 3
];
## Custom Services
custom.www.global.enable = true;
## Networking
networking.interfaces.ens18.ipv4.addresses = [{
address = "10.72.164.3";
prefixLength = 24;
}];
networking.defaultGateway = "10.72.164.1";
networking.firewall = {
allowedTCPPorts = lib.mkForce [
22 # SSH
];
allowedUDPPorts = lib.mkForce [ ];
interfaces = {
ens18 = {
allowedTCPPorts = lib.mkForce [
80 # HTTP 1-2
443 # HTTPS 1-2
];
allowedUDPPorts = lib.mkForce [
443 # HTTP 3
];
};
};
};
};
## Tailscale
config.age.secrets."tailscale/vm.strangervm.ts.hillion.co.uk".file = ../../secrets/tailscale/vm.strangervm.ts.hillion.co.uk.age;
config.tailscalePreAuth = config.age.secrets."tailscale/vm.strangervm.ts.hillion.co.uk".path;
## Tailscale
age.secrets."tailscale/vm.strangervm.ts.hillion.co.uk".file = ../../secrets/tailscale/vm.strangervm.ts.hillion.co.uk.age;
tailscalePreAuth = config.age.secrets."tailscale/vm.strangervm.ts.hillion.co.uk".path;
## Resilio Sync (Encrypted)
config.services.resilio.enable = true;
config.services.resilio.deviceName = "vm.strangervm";
config.services.resilio.directoryRoot = "/data/sync";
config.services.resilio.storagePath = "/data/sync/.sync";
## Resilio Sync (Encrypted)
custom.resilio.enable = true;
services.resilio.deviceName = "vm.strangervm";
services.resilio.directoryRoot = "/data/sync";
services.resilio.storagePath = "/data/sync/.sync";
config.age.secrets."resilio/encrypted/dad" = {
file = ../../secrets/resilio/encrypted/dad.age;
owner = "rslsync";
group = "rslsync";
};
config.age.secrets."resilio/encrypted/projects" = {
file = ../../secrets/resilio/encrypted/projects.age;
owner = "rslsync";
group = "rslsync";
};
config.age.secrets."resilio/encrypted/resources" = {
file = ../../secrets/resilio/encrypted/resources.age;
owner = "rslsync";
group = "rslsync";
};
config.age.secrets."resilio/encrypted/sync" = {
file = ../../secrets/resilio/encrypted/sync.age;
owner = "rslsync";
group = "rslsync";
};
custom.resilio.folders =
let
folderNames = [
"dad"
"projects"
"resources"
"sync"
];
mkFolder = name: {
name = name;
secret = {
name = "resilio/encrypted/${name}";
file = ../../secrets/resilio/encrypted/${name}.age;
};
};
in
builtins.map (mkFolder) folderNames;
config.resilioFolders = [
{ name = "dad"; secretFile = config.age.secrets."resilio/encrypted/dad".path; }
{ name = "projects"; secretFile = config.age.secrets."resilio/encrypted/projects".path; }
{ name = "resources"; secretFile = config.age.secrets."resilio/encrypted/resources".path; }
{ name = "sync"; secretFile = config.age.secrets."resilio/encrypted/sync".path; }
];
## Backups
config.services.postgresqlBackup.location = "/data/backup/postgres";
## Backups
services.postgresqlBackup.location = "/data/backup/postgres";
};
}
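Review bot: The `custom.resilio.folders` block under `## Resilio Sync (Encrypted)` is the same `let folderNames … mkFolder … in builtins.map` lambda the gendry host defines, differing only in the `encrypted` path segment and the folder list, so the `resilio/<kind>/<name>` secret-naming convention now lives in every host file rather than in the module the commit introduces. If the module took a per-host key kind, e.g. `custom.resilio.keyType = "encrypted";` and built `secret.name`/`secret.file` itself, hosts would only list `custom.resilio.folderNames = [ "dad" "projects" "resources" "sync" ];` and the convention would be checked once. Whether the two hosts are meant to diverge beyond that segment is not visible here.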


@ -2,7 +2,15 @@
{
imports = [
./resilio.nix
./www/global.nix
./www/www-repo.nix
];
options.custom = {
user = lib.mkOption {
type = lib.types.str;
default = "jake";
};
};
}
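Review bot: The new `custom.user` option has no `description`, and its default `"jake"` is what `custom.resilio.extraUsers` falls back to for membership of the `rslsync` group, so a reader of this file cannot tell what the option affects. Suggest `description = "Primary interactive user on this host; used as the default for per-user service access such as custom.resilio.extraUsers.";`. The module's argument line is outside the hunk.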

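--- /dev/null
+++ b/modules/resilio.nix
@@ -0,0 +1,68 @@
+{ pkgs, lib, config, nixpkgs-unstable, ... }:
+let
+cfg = config.custom.resilio;
+in
+{
+imports = [ "${nixpkgs-unstable}/nixos/modules/services/networking/resilio.nix" ];
+disabledModules = [ "services/networking/resilio.nix" ];
+options.custom.resilio = {
+enable = lib.mkEnableOption "resilio";
+extraUsers = lib.mkOption {
+type = with lib.types; listOf str;
+default = [ config.custom.user ];
+};
+folders = lib.mkOption {
+type = with lib.types; uniq (listOf attrs);
+default = [ ];
+};
+};
+config = lib.mkIf cfg.enable {
+users.users =
+let
+mkUser =
+(user: {
+name = user;
+value = {
+extraGroups = [ "rslsync" ];
+};
+});
+in
+builtins.listToAttrs (builtins.map mkUser cfg.extraUsers);
+age.secrets =
+let
+mkSecret = (secret: {
+name = secret.name;
+value = {
+file = secret.file;
+owner = "rslsync";
+group = "rslsync";
+};
+});
+in
+builtins.listToAttrs (builtins.map (folder: mkSecret folder.secret) cfg.folders);
+services.resilio = {
+enable = true;
+sharedFolders =
+let
+mkFolder = name: secret: {
+directory = "${config.services.resilio.directoryRoot}/${name}";
+secretFile = "${config.age.secrets."${secret.name}".path}";
+knownHosts = [ ];
+searchLAN = true;
+useDHT = true;
+useRelayServer = true;
+useSyncTrash = false;
+useTracker = true;
+};
+in
+builtins.map (folder: mkFolder folder.name folder.secret) cfg.folders;
+};
+};
+}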
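Review bot: `folders` is typed `uniq (listOf attrs)`, so nothing checks the shape of an entry until `mkSecret` reads `secret.file` and `mkFolder` interpolates `secret.name`, and a missing or misspelled key surfaces as an evaluation error inside the module rather than at the option; none of the three `custom.resilio` options carries a `description`. A `submodule` with typed `name` and `secret.{name,file}` fields reports the error at the option boundary and documents the contract, and `uniq` can stay if a single definition per host is intended. `name` is spliced into `${config.services.resilio.directoryRoot}/${name}`, so a value containing `/` or `..` would place the share outside directoryRoot; these names are operator-supplied, but `strMatching "[A-Za-z0-9_-]+"` makes that intent explicit. `secretFile = "${config.age.secrets."${secret.name}".path}"` can also simply be `config.age.secrets.${secret.name}.path`.
```nix
options.custom.resilio = {
  enable = lib.mkEnableOption "resilio";
  extraUsers = lib.mkOption {
    type = with lib.types; listOf str;
    default = [ config.custom.user ];
    description = "Users to add to the rslsync group.";
  };
  folders = lib.mkOption {
    type = with lib.types; uniq (listOf (submodule {
      options = {
        name = lib.mkOption {
          type = lib.types.strMatching "[A-Za-z0-9_-]+";
          description = "Folder name, created directly below services.resilio.directoryRoot.";
        };
        secret.name = lib.mkOption {
          type = lib.types.str;
          description = "age.secrets attribute under which the folder key is exposed.";
        };
        secret.file = lib.mkOption {
          type = lib.types.path;
          description = "Encrypted .age file holding the Resilio folder key.";
        };
      };
    }));
    default = [ ];
    description = "Resilio shared folders; each one gets an age secret owned by rslsync.";
  };
};
# … unchanged: config = lib.mkIf cfg.enable { users.users …; age.secrets …; services.resilio … } …
```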


@ -1,28 +0,0 @@
{ pkgs, lib, config, nixpkgs-unstable, ... }:
{
imports = [ "${nixpkgs-unstable}/nixos/modules/services/networking/resilio.nix" ];
disabledModules = [ "services/networking/resilio.nix" ];
options.resilioFolders = lib.mkOption {
type = with lib.types; uniq (listOf attrs);
default = [ ];
};
config.users.users.jake.extraGroups = [ "rslsync" ];
config.services.resilio.sharedFolders =
let
mkFolder = name: secretFile: {
directory = "${config.services.resilio.directoryRoot}/${name}";
secretFile = "${secretFile}";
knownHosts = [ ];
searchLAN = true;
useDHT = true;
useRelayServer = true;
useSyncTrash = false;
useTracker = true;
};
in
builtins.map (folder: mkFolder folder.name folder.secretFile) config.resilioFolders;
}