resilio: modularise properly
This commit is contained in:
parent
7a6a0dceed
commit
25ae59d96d
@ -1,11 +1,6 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
config.system.stateVersion = "22.05";
|
||||
|
||||
config.networking.hostName = "gendry";
|
||||
config.networking.domain = "jakehillion-terminals.ts.hillion.co.uk";
|
||||
|
||||
imports = [
|
||||
../../modules/common/default.nix
|
||||
../../modules/desktop/awesome/default.nix
|
||||
@ -13,36 +8,68 @@
|
||||
./bluetooth.nix
|
||||
./hardware-configuration.nix
|
||||
./persist.nix
|
||||
./resilio.nix
|
||||
];
|
||||
|
||||
config.boot.loader.systemd-boot.enable = true;
|
||||
config.boot.loader.efi.canTouchEfiVariables = true;
|
||||
config = {
|
||||
system.stateVersion = "22.05";
|
||||
|
||||
## Tailscale
|
||||
config.age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".file = ../../secrets/tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk.age;
|
||||
config.tailscalePreAuth = config.age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".path;
|
||||
networking.hostName = "gendry";
|
||||
networking.domain = "jakehillion-terminals.ts.hillion.co.uk";
|
||||
|
||||
## Password (for interactive logins)
|
||||
config.age.secrets."passwords/gendry.jakehillion-terminals.ts.hillion.co.uk/jake".file = ../../secrets/passwords/gendry.jakehillion-terminals.ts.hillion.co.uk/jake.age;
|
||||
config.users.users."jake".passwordFile = config.age.secrets."passwords/gendry.jakehillion-terminals.ts.hillion.co.uk/jake".path;
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
||||
config.security.sudo.wheelNeedsPassword = lib.mkForce true;
|
||||
## Resilio
|
||||
custom.resilio.enable = true;
|
||||
|
||||
## Enable btrfs compression
|
||||
config.fileSystems."/data".options = [ "compress=zstd" ];
|
||||
config.fileSystems."/nix".options = [ "compress=zstd" ];
|
||||
services.resilio.deviceName = "gendry.jakehillion-terminals";
|
||||
services.resilio.directoryRoot = "/data/sync";
|
||||
services.resilio.storagePath = "/data/sync/.sync";
|
||||
|
||||
## Graphics
|
||||
config.boot.initrd.kernelModules = [ "amdgpu" ];
|
||||
config.services.xserver.videoDrivers = [ "amdgpu" ];
|
||||
custom.resilio.folders =
|
||||
let
|
||||
folderNames = [
|
||||
"dad"
|
||||
"joseph"
|
||||
"projects"
|
||||
"resources"
|
||||
"sync"
|
||||
];
|
||||
mkFolder = name: {
|
||||
name = name;
|
||||
secret = {
|
||||
name = "resilio/plain/${name}";
|
||||
file = ../../secrets/resilio/plain/${name}.age;
|
||||
};
|
||||
};
|
||||
in
|
||||
builtins.map (mkFolder) folderNames;
|
||||
|
||||
## Spotify
|
||||
config.home-manager.users.jake.services.spotifyd.settings = {
|
||||
global = {
|
||||
device_name = "Gendry";
|
||||
device_type = "computer";
|
||||
bitrate = 320;
|
||||
## Tailscale
|
||||
age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".file = ../../secrets/tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk.age;
|
||||
tailscalePreAuth = config.age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".path;
|
||||
|
||||
## Password (for interactive logins)
|
||||
age.secrets."passwords/gendry.jakehillion-terminals.ts.hillion.co.uk/jake".file = ../../secrets/passwords/gendry.jakehillion-terminals.ts.hillion.co.uk/jake.age;
|
||||
users.users."jake".passwordFile = config.age.secrets."passwords/gendry.jakehillion-terminals.ts.hillion.co.uk/jake".path;
|
||||
|
||||
security.sudo.wheelNeedsPassword = lib.mkForce true;
|
||||
|
||||
## Enable btrfs compression
|
||||
fileSystems."/data".options = [ "compress=zstd" ];
|
||||
fileSystems."/nix".options = [ "compress=zstd" ];
|
||||
|
||||
## Graphics
|
||||
boot.initrd.kernelModules = [ "amdgpu" ];
|
||||
services.xserver.videoDrivers = [ "amdgpu" ];
|
||||
|
||||
## Spotify
|
||||
home-manager.users.jake.services.spotifyd.settings = {
|
||||
global = {
|
||||
device_name = "Gendry";
|
||||
device_type = "computer";
|
||||
bitrate = 320;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
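Review bot: The gendry config now enables Resilio through `custom.resilio.enable` but keeps `services.resilio.deviceName`, `directoryRoot` and `storagePath` on the underlying service, and nothing in this file says that the wrapper in modules/resilio.nix reads `config.services.resilio.directoryRoot` to place every shared folder under it. A one-line comment above the `services.resilio.*` lines would make that dependency explicit, e.g. `# directoryRoot is read by custom.resilio to place each shared folder below it`. The same split between `custom.resilio.*` and `services.resilio.*` appears in the vm section below. This page does not mark which side each printed line belongs to, so the `custom.resilio.*` lines are taken as the new side.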
@ -1,44 +0,0 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
let
|
||||
folderNames = [
|
||||
"dad"
|
||||
"joseph"
|
||||
"projects"
|
||||
"resources"
|
||||
"sync"
|
||||
];
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
../../modules/resilio/default.nix
|
||||
];
|
||||
|
||||
## Resilio Sync (Unencrypted)
|
||||
config.services.resilio.enable = true;
|
||||
config.services.resilio.deviceName = "gendry.jakehillion-terminals";
|
||||
config.services.resilio.directoryRoot = "/data/sync";
|
||||
config.services.resilio.storagePath = "/data/sync/.sync";
|
||||
|
||||
config.age.secrets =
|
||||
let
|
||||
mkSecret = name: {
|
||||
name = "resilio/plain/${name}";
|
||||
value = {
|
||||
file = ../../secrets/resilio/plain/${name}.age;
|
||||
owner = "rslsync";
|
||||
group = "rslsync";
|
||||
};
|
||||
};
|
||||
in
|
||||
builtins.listToAttrs (builtins.map (mkSecret) folderNames);
|
||||
|
||||
config.resilioFolders =
|
||||
let
|
||||
mkFolder = name: {
|
||||
name = name;
|
||||
secretFile = config.age.secrets."resilio/plain/${name}".path;
|
||||
};
|
||||
in
|
||||
builtins.map (mkFolder) folderNames;
|
||||
}
|
@ -1,90 +1,81 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
config.system.stateVersion = "22.05";
|
||||
|
||||
config.networking.hostName = "vm";
|
||||
config.networking.domain = "strangervm.ts.hillion.co.uk";
|
||||
|
||||
imports = [
|
||||
../../modules/common/default.nix
|
||||
../../modules/drone/server.nix
|
||||
../../modules/matrix/default.nix
|
||||
../../modules/resilio/default.nix
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
|
||||
config.boot.loader.grub = {
|
||||
enable = true;
|
||||
device = "/dev/sda";
|
||||
};
|
||||
config = {
|
||||
system.stateVersion = "22.05";
|
||||
|
||||
## Custom Services
|
||||
config.custom.www.global.enable = true;
|
||||
networking.hostName = "vm";
|
||||
networking.domain = "strangervm.ts.hillion.co.uk";
|
||||
|
||||
## Networking
|
||||
config.networking.interfaces.ens18.ipv4.addresses = [{
|
||||
address = "10.72.164.3";
|
||||
prefixLength = 24;
|
||||
}];
|
||||
config.networking.defaultGateway = "10.72.164.1";
|
||||
boot.loader.grub = {
|
||||
enable = true;
|
||||
device = "/dev/sda";
|
||||
};
|
||||
|
||||
config.networking.firewall = {
|
||||
allowedTCPPorts = lib.mkForce [
|
||||
22 # SSH
|
||||
];
|
||||
allowedUDPPorts = lib.mkForce [ ];
|
||||
interfaces = {
|
||||
ens18 = {
|
||||
allowedTCPPorts = lib.mkForce [
|
||||
80 # HTTP 1-2
|
||||
443 # HTTPS 1-2
|
||||
];
|
||||
allowedUDPPorts = lib.mkForce [
|
||||
443 # HTTP 3
|
||||
];
|
||||
## Custom Services
|
||||
custom.www.global.enable = true;
|
||||
|
||||
## Networking
|
||||
networking.interfaces.ens18.ipv4.addresses = [{
|
||||
address = "10.72.164.3";
|
||||
prefixLength = 24;
|
||||
}];
|
||||
networking.defaultGateway = "10.72.164.1";
|
||||
|
||||
networking.firewall = {
|
||||
allowedTCPPorts = lib.mkForce [
|
||||
22 # SSH
|
||||
];
|
||||
allowedUDPPorts = lib.mkForce [ ];
|
||||
interfaces = {
|
||||
ens18 = {
|
||||
allowedTCPPorts = lib.mkForce [
|
||||
80 # HTTP 1-2
|
||||
443 # HTTPS 1-2
|
||||
];
|
||||
allowedUDPPorts = lib.mkForce [
|
||||
443 # HTTP 3
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
## Tailscale
|
||||
config.age.secrets."tailscale/vm.strangervm.ts.hillion.co.uk".file = ../../secrets/tailscale/vm.strangervm.ts.hillion.co.uk.age;
|
||||
config.tailscalePreAuth = config.age.secrets."tailscale/vm.strangervm.ts.hillion.co.uk".path;
|
||||
## Tailscale
|
||||
age.secrets."tailscale/vm.strangervm.ts.hillion.co.uk".file = ../../secrets/tailscale/vm.strangervm.ts.hillion.co.uk.age;
|
||||
tailscalePreAuth = config.age.secrets."tailscale/vm.strangervm.ts.hillion.co.uk".path;
|
||||
|
||||
## Resilio Sync (Encrypted)
|
||||
config.services.resilio.enable = true;
|
||||
config.services.resilio.deviceName = "vm.strangervm";
|
||||
config.services.resilio.directoryRoot = "/data/sync";
|
||||
config.services.resilio.storagePath = "/data/sync/.sync";
|
||||
## Resilio Sync (Encrypted)
|
||||
custom.resilio.enable = true;
|
||||
services.resilio.deviceName = "vm.strangervm";
|
||||
services.resilio.directoryRoot = "/data/sync";
|
||||
services.resilio.storagePath = "/data/sync/.sync";
|
||||
|
||||
config.age.secrets."resilio/encrypted/dad" = {
|
||||
file = ../../secrets/resilio/encrypted/dad.age;
|
||||
owner = "rslsync";
|
||||
group = "rslsync";
|
||||
};
|
||||
config.age.secrets."resilio/encrypted/projects" = {
|
||||
file = ../../secrets/resilio/encrypted/projects.age;
|
||||
owner = "rslsync";
|
||||
group = "rslsync";
|
||||
};
|
||||
config.age.secrets."resilio/encrypted/resources" = {
|
||||
file = ../../secrets/resilio/encrypted/resources.age;
|
||||
owner = "rslsync";
|
||||
group = "rslsync";
|
||||
};
|
||||
config.age.secrets."resilio/encrypted/sync" = {
|
||||
file = ../../secrets/resilio/encrypted/sync.age;
|
||||
owner = "rslsync";
|
||||
group = "rslsync";
|
||||
};
|
||||
custom.resilio.folders =
|
||||
let
|
||||
folderNames = [
|
||||
"dad"
|
||||
"projects"
|
||||
"resources"
|
||||
"sync"
|
||||
];
|
||||
mkFolder = name: {
|
||||
name = name;
|
||||
secret = {
|
||||
name = "resilio/encrypted/${name}";
|
||||
file = ../../secrets/resilio/encrypted/${name}.age;
|
||||
};
|
||||
};
|
||||
in
|
||||
builtins.map (mkFolder) folderNames;
|
||||
|
||||
config.resilioFolders = [
|
||||
{ name = "dad"; secretFile = config.age.secrets."resilio/encrypted/dad".path; }
|
||||
{ name = "projects"; secretFile = config.age.secrets."resilio/encrypted/projects".path; }
|
||||
{ name = "resources"; secretFile = config.age.secrets."resilio/encrypted/resources".path; }
|
||||
{ name = "sync"; secretFile = config.age.secrets."resilio/encrypted/sync".path; }
|
||||
];
|
||||
|
||||
## Backups
|
||||
config.services.postgresqlBackup.location = "/data/backup/postgres";
|
||||
## Backups
|
||||
services.postgresqlBackup.location = "/data/backup/postgres";
|
||||
};
|
||||
}
|
||||
|
@ -2,7 +2,15 @@
|
||||
|
||||
{
|
||||
imports = [
|
||||
./resilio.nix
|
||||
./www/global.nix
|
||||
./www/www-repo.nix
|
||||
];
|
||||
|
||||
options.custom = {
|
||||
user = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "jake";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
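Review bot: `options.custom.user` is declared without a `description`, and its role is not visible from this file alone: modules/resilio.nix uses it as the default for `custom.resilio.extraUsers`, whose members get `extraGroups = [ "rslsync" ]`. Add `description = "Primary interactive user; default member of the rslsync group when custom.resilio is enabled.";` inside the `mkOption` so the option is documented where it is declared. The module's function header on line 1 lies outside this hunk.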
68
modules/resilio.nix
@ -0,0 +1,68 @@
|
||||
{ pkgs, lib, config, nixpkgs-unstable, ... }:
|
||||
|
||||
let
|
||||
cfg = config.custom.resilio;
|
||||
in
|
||||
{
|
||||
imports = [ "${nixpkgs-unstable}/nixos/modules/services/networking/resilio.nix" ];
|
||||
disabledModules = [ "services/networking/resilio.nix" ];
|
||||
|
||||
options.custom.resilio = {
|
||||
enable = lib.mkEnableOption "resilio";
|
||||
|
||||
extraUsers = lib.mkOption {
|
||||
type = with lib.types; listOf str;
|
||||
default = [ config.custom.user ];
|
||||
};
|
||||
|
||||
folders = lib.mkOption {
|
||||
type = with lib.types; uniq (listOf attrs);
|
||||
default = [ ];
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
users.users =
|
||||
let
|
||||
mkUser =
|
||||
(user: {
|
||||
name = user;
|
||||
value = {
|
||||
extraGroups = [ "rslsync" ];
|
||||
};
|
||||
});
|
||||
in
|
||||
builtins.listToAttrs (builtins.map mkUser cfg.extraUsers);
|
||||
|
||||
age.secrets =
|
||||
let
|
||||
mkSecret = (secret: {
|
||||
name = secret.name;
|
||||
value = {
|
||||
file = secret.file;
|
||||
owner = "rslsync";
|
||||
group = "rslsync";
|
||||
};
|
||||
});
|
||||
in
|
||||
builtins.listToAttrs (builtins.map (folder: mkSecret folder.secret) cfg.folders);
|
||||
|
||||
services.resilio = {
|
||||
enable = true;
|
||||
sharedFolders =
|
||||
let
|
||||
mkFolder = name: secret: {
|
||||
directory = "${config.services.resilio.directoryRoot}/${name}";
|
||||
secretFile = "${config.age.secrets."${secret.name}".path}";
|
||||
knownHosts = [ ];
|
||||
searchLAN = true;
|
||||
useDHT = true;
|
||||
useRelayServer = true;
|
||||
useSyncTrash = false;
|
||||
useTracker = true;
|
||||
};
|
||||
in
|
||||
builtins.map (folder: mkFolder folder.name folder.secret) cfg.folders;
|
||||
};
|
||||
};
|
||||
}
|
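Review bot: `folders` is typed `uniq (listOf attrs)`, so a host entry that misspells `secret.name` or omits `secret.file` is not rejected at option checking; it only surfaces when `age.secrets` or the `sharedFolders` lookup `config.age.secrets."${secret.name}".path` fails during evaluation, and an extra or misnamed key is never reported. Declaring the list element as a submodule pins the exact shape this module reads (`name`, `secret.name`, `secret.file`) and is the natural place for the `description` strings that `enable`, `extraUsers` and `folders` currently lack. Separately, `secretFile = "${config.age.secrets."${secret.name}".path}"` wraps a value that is presumably already a string; `secretFile = config.age.secrets.${secret.name}.path;` is equivalent and easier to read. The rewritten option declaration is below; the rest of the module is unchanged.
```nix
    folders = lib.mkOption {
      type = with lib.types; uniq (listOf (submodule {
        options = {
          name = lib.mkOption { type = str; description = "Folder name, placed under services.resilio.directoryRoot."; };
          secret.name = lib.mkOption { type = str; description = "Key under age.secrets that holds this folder's Resilio secret."; };
          secret.file = lib.mkOption { type = path; description = "Encrypted .age file for that secret; decrypted for the rslsync user."; };
        };
      }));
      default = [ ];
      description = "Shared folders, each paired with the agenix secret holding its Resilio key.";
    };
    # … unchanged: enable, extraUsers, config = lib.mkIf cfg.enable { … } …
```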
@ -1,28 +0,0 @@
|
||||
{ pkgs, lib, config, nixpkgs-unstable, ... }:
|
||||
|
||||
{
|
||||
imports = [ "${nixpkgs-unstable}/nixos/modules/services/networking/resilio.nix" ];
|
||||
disabledModules = [ "services/networking/resilio.nix" ];
|
||||
|
||||
options.resilioFolders = lib.mkOption {
|
||||
type = with lib.types; uniq (listOf attrs);
|
||||
default = [ ];
|
||||
};
|
||||
|
||||
config.users.users.jake.extraGroups = [ "rslsync" ];
|
||||
|
||||
config.services.resilio.sharedFolders =
|
||||
let
|
||||
mkFolder = name: secretFile: {
|
||||
directory = "${config.services.resilio.directoryRoot}/${name}";
|
||||
secretFile = "${secretFile}";
|
||||
knownHosts = [ ];
|
||||
searchLAN = true;
|
||||
useDHT = true;
|
||||
useRelayServer = true;
|
||||
useSyncTrash = false;
|
||||
useTracker = true;
|
||||
};
|
||||
in
|
||||
builtins.map (folder: mkFolder folder.name folder.secretFile) config.resilioFolders;
|
||||
}
|