From 25ae59d96d5a8b6d9bc32945a4b7026a48c63e45 Mon Sep 17 00:00:00 2001
From: Jake Hillion
Date: Sat, 8 Apr 2023 15:29:11 +0100
Subject: [PATCH] resilio: modularise properly
---
.../default.nix | 81 +++++++----
.../resilio.nix | 44 ------
.../default.nix | 131 ++++++++----------
modules/default.nix | 8 ++
modules/resilio.nix | 68 +++++++++
modules/resilio/default.nix | 28 ----
6 files changed, 191 insertions(+), 169 deletions(-)
delete mode 100644 hosts/gendry.jakehillion-terminals.ts.hillion.co.uk/resilio.nix
create mode 100644 modules/resilio.nix
delete mode 100644 modules/resilio/default.nix
diff --git a/hosts/gendry.jakehillion-terminals.ts.hillion.co.uk/default.nix b/hosts/gendry.jakehillion-terminals.ts.hillion.co.uk/default.nix
index 1b7960b..59195f1 100644
--- a/hosts/gendry.jakehillion-terminals.ts.hillion.co.uk/default.nix
+++ b/hosts/gendry.jakehillion-terminals.ts.hillion.co.uk/default.nix
@@ -1,11 +1,6 @@
 { config, pkgs, lib, ... }:
 {
- config.system.stateVersion = "22.05";
-
- config.networking.hostName = "gendry";
- config.networking.domain = "jakehillion-terminals.ts.hillion.co.uk";
-
 imports = [
 ../../modules/common/default.nix
 ../../modules/desktop/awesome/default.nix
@@ -13,36 +8,68 @@
 ./bluetooth.nix
 ./hardware-configuration.nix
 ./persist.nix
- ./resilio.nix
 ];
- config.boot.loader.systemd-boot.enable = true;
- config.boot.loader.efi.canTouchEfiVariables = true;
+ config = {
+ system.stateVersion = "22.05";
- ## Tailscale
- config.age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".file = ../../secrets/tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk.age;
- config.tailscalePreAuth = config.age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".path;
+ networking.hostName = "gendry";
+ networking.domain = "jakehillion-terminals.ts.hillion.co.uk";
- ## Password (for interactive logins)
- config.age.secrets."passwords/gendry.jakehillion-terminals.ts.hillion.co.uk/jake".file = ../../secrets/passwords/gendry.jakehillion-terminals.ts.hillion.co.uk/jake.age;
- config.users.users."jake".passwordFile = config.age.secrets."passwords/gendry.jakehillion-terminals.ts.hillion.co.uk/jake".path;
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
- config.security.sudo.wheelNeedsPassword = lib.mkForce true;
+ ## Resilio
+ custom.resilio.enable = true;
- ## Enable btrfs compression
- config.fileSystems."/data".options = [ "compress=zstd" ];
- config.fileSystems."/nix".options = [ "compress=zstd" ];
+ services.resilio.deviceName = "gendry.jakehillion-terminals";
+ services.resilio.directoryRoot = "/data/sync";
+ services.resilio.storagePath = "/data/sync/.sync";
- ## Graphics
- config.boot.initrd.kernelModules = [ "amdgpu" ];
- config.services.xserver.videoDrivers = [ "amdgpu" ];
+ custom.resilio.folders =
+ let
+ folderNames = [
+ "dad"
+ "joseph"
+ "projects"
+ "resources"
+ "sync"
+ ];
+ mkFolder = name: {
+ name = name;
+ secret = {
+ name = "resilio/plain/${name}";
+ file = ../../secrets/resilio/plain/${name}.age;
+ };
+ };
+ in
+ builtins.map (mkFolder) folderNames;
- ## Spotify
- config.home-manager.users.jake.services.spotifyd.settings = {
- global = {
- device_name = "Gendry";
- device_type = "computer";
- bitrate = 320;
+ ## Tailscale
+ age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".file = ../../secrets/tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk.age;
+ tailscalePreAuth = config.age.secrets."tailscale/gendry.jakehillion-terminals.ts.hillion.co.uk".path;
+
+ ## Password (for interactive logins)
+ age.secrets."passwords/gendry.jakehillion-terminals.ts.hillion.co.uk/jake".file = ../../secrets/passwords/gendry.jakehillion-terminals.ts.hillion.co.uk/jake.age;
+ users.users."jake".passwordFile = config.age.secrets."passwords/gendry.jakehillion-terminals.ts.hillion.co.uk/jake".path;
+
+ security.sudo.wheelNeedsPassword = lib.mkForce true;
+
+ ## Enable btrfs compression
+ fileSystems."/data".options = [ "compress=zstd" ];
+ fileSystems."/nix".options = [ "compress=zstd" ];
+
+ ## Graphics
+ boot.initrd.kernelModules = [ "amdgpu" ];
+ services.xserver.videoDrivers = [ "amdgpu" ];
+
+ ## Spotify
+ home-manager.users.jake.services.spotifyd.settings = {
+ global = {
+ device_name = "Gendry";
+ device_type = "computer";
+ bitrate = 320;
+ };
 };
 };
 }
diff --git a/hosts/gendry.jakehillion-terminals.ts.hillion.co.uk/resilio.nix b/hosts/gendry.jakehillion-terminals.ts.hillion.co.uk/resilio.nix
deleted file mode 100644
index 913b1ec..0000000
--- a/hosts/gendry.jakehillion-terminals.ts.hillion.co.uk/resilio.nix
+++ /dev/null
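Review bot: The `## Resilio` heading that replaces the deleted resilio.nix drops its `(Unencrypted)` qualifier, while the vm host keeps `## Resilio Sync (Encrypted)`; that one word is the only signal in this host file that gendry holds the plaintext side of the shares and, presumably, the full-access keys under `secrets/resilio/plain/`, so I would keep it as `## Resilio Sync (Unencrypted)`. The `mkFolder` helper is also repeated almost verbatim in the vm host, differing only in the `plain`/`encrypted` path segment, which the new module could own instead of each host re-deriving `secret.name` and `secret.file`.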
@@ -1,44 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-let
- folderNames = [
- "dad"
- "joseph"
- "projects"
- "resources"
- "sync"
- ];
-in
-{
- imports = [
- ../../modules/resilio/default.nix
- ];
-
- ## Resilio Sync (Unencrypted)
- config.services.resilio.enable = true;
- config.services.resilio.deviceName = "gendry.jakehillion-terminals";
- config.services.resilio.directoryRoot = "/data/sync";
- config.services.resilio.storagePath = "/data/sync/.sync";
-
- config.age.secrets =
- let
- mkSecret = name: {
- name = "resilio/plain/${name}";
- value = {
- file = ../../secrets/resilio/plain/${name}.age;
- owner = "rslsync";
- group = "rslsync";
- };
- };
- in
- builtins.listToAttrs (builtins.map (mkSecret) folderNames);
-
- config.resilioFolders =
- let
- mkFolder = name: {
- name = name;
- secretFile = config.age.secrets."resilio/plain/${name}".path;
- };
- in
- builtins.map (mkFolder) folderNames;
-}
diff --git a/hosts/vm.strangervm.ts.hillion.co.uk/default.nix b/hosts/vm.strangervm.ts.hillion.co.uk/default.nix
index e0bbc64..1131421 100644
--- a/hosts/vm.strangervm.ts.hillion.co.uk/default.nix
+++ b/hosts/vm.strangervm.ts.hillion.co.uk/default.nix
@@ -1,90 +1,81 @@
 { config, pkgs, lib, ... }:
 {
- config.system.stateVersion = "22.05";
-
- config.networking.hostName = "vm";
- config.networking.domain = "strangervm.ts.hillion.co.uk";
-
 imports = [
 ../../modules/common/default.nix
 ../../modules/drone/server.nix
 ../../modules/matrix/default.nix
- ../../modules/resilio/default.nix
 ./hardware-configuration.nix
 ];
- config.boot.loader.grub = {
- enable = true;
- device = "/dev/sda";
- };
+ config = {
+ system.stateVersion = "22.05";
- ## Custom Services
- config.custom.www.global.enable = true;
+ networking.hostName = "vm";
+ networking.domain = "strangervm.ts.hillion.co.uk";
- ## Networking
- config.networking.interfaces.ens18.ipv4.addresses = [{
- address = "10.72.164.3";
- prefixLength = 24;
- }];
- config.networking.defaultGateway = "10.72.164.1";
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/sda";
+ };
- config.networking.firewall = {
- allowedTCPPorts = lib.mkForce [
- 22 # SSH
- ];
- allowedUDPPorts = lib.mkForce [ ];
- interfaces = {
- ens18 = {
- allowedTCPPorts = lib.mkForce [
- 80 # HTTP 1-2
- 443 # HTTPS 1-2
- ];
- allowedUDPPorts = lib.mkForce [
- 443 # HTTP 3
- ];
+ ## Custom Services
+ custom.www.global.enable = true;
+
+ ## Networking
+ networking.interfaces.ens18.ipv4.addresses = [{
+ address = "10.72.164.3";
+ prefixLength = 24;
+ }];
+ networking.defaultGateway = "10.72.164.1";
+
+ networking.firewall = {
+ allowedTCPPorts = lib.mkForce [
+ 22 # SSH
+ ];
+ allowedUDPPorts = lib.mkForce [ ];
+ interfaces = {
+ ens18 = {
+ allowedTCPPorts = lib.mkForce [
+ 80 # HTTP 1-2
+ 443 # HTTPS 1-2
+ ];
+ allowedUDPPorts = lib.mkForce [
+ 443 # HTTP 3
+ ];
+ };
 };
 };
- };
- ## Tailscale
- config.age.secrets."tailscale/vm.strangervm.ts.hillion.co.uk".file = ../../secrets/tailscale/vm.strangervm.ts.hillion.co.uk.age;
- config.tailscalePreAuth = config.age.secrets."tailscale/vm.strangervm.ts.hillion.co.uk".path;
+ ## Tailscale
+ age.secrets."tailscale/vm.strangervm.ts.hillion.co.uk".file = ../../secrets/tailscale/vm.strangervm.ts.hillion.co.uk.age;
+ tailscalePreAuth = config.age.secrets."tailscale/vm.strangervm.ts.hillion.co.uk".path;
- ## Resilio Sync (Encrypted)
- config.services.resilio.enable = true;
- config.services.resilio.deviceName = "vm.strangervm";
- config.services.resilio.directoryRoot = "/data/sync";
- config.services.resilio.storagePath = "/data/sync/.sync";
+ ## Resilio Sync (Encrypted)
+ custom.resilio.enable = true;
+ services.resilio.deviceName = "vm.strangervm";
+ services.resilio.directoryRoot = "/data/sync";
+ services.resilio.storagePath = "/data/sync/.sync";
- config.age.secrets."resilio/encrypted/dad" = {
- file = ../../secrets/resilio/encrypted/dad.age;
- owner = "rslsync";
- group = "rslsync";
- };
- config.age.secrets."resilio/encrypted/projects" = {
- file = ../../secrets/resilio/encrypted/projects.age;
- owner = "rslsync";
- group = "rslsync";
- };
- config.age.secrets."resilio/encrypted/resources" = {
- file = ../../secrets/resilio/encrypted/resources.age;
- owner = "rslsync";
- group = "rslsync";
- };
- config.age.secrets."resilio/encrypted/sync" = {
- file = ../../secrets/resilio/encrypted/sync.age;
- owner = "rslsync";
- group = "rslsync";
- };
+ custom.resilio.folders =
+ let
+ folderNames = [
+ "dad"
+ "projects"
+ "resources"
+ "sync"
+ ];
+ mkFolder = name: {
+ name = name;
+ secret = {
+ name = "resilio/encrypted/${name}";
+ file = ../../secrets/resilio/encrypted/${name}.age;
+ };
+ };
+ in
+ builtins.map (mkFolder) folderNames;
- config.resilioFolders = [
- { name = "dad"; secretFile = config.age.secrets."resilio/encrypted/dad".path; }
- { name = "projects"; secretFile = config.age.secrets."resilio/encrypted/projects".path; }
- { name = "resources"; secretFile = config.age.secrets."resilio/encrypted/resources".path; }
- { name = "sync"; secretFile = config.age.secrets."resilio/encrypted/sync".path; }
- ];
-
- ## Backups
- config.services.postgresqlBackup.location = "/data/backup/postgres";
+ ## Backups
+ services.postgresqlBackup.location = "/data/backup/postgres";
+ };
 }
diff --git a/modules/default.nix b/modules/default.nix
index c993513..799894e 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -2,7 +2,15 @@
 {
 imports = [
+ ./resilio.nix
 ./www/global.nix
 ./www/www-repo.nix
 ];
+
+ options.custom = {
+ user = lib.mkOption {
+ type = lib.types.str;
+ default = "jake";
+ };
+ };
 }
diff --git a/modules/resilio.nix b/modules/resilio.nix
new file mode 100644
index 0000000..d1dbaa2
--- /dev/null
+++ b/modules/resilio.nix
@@ -0,0 +1,68 @@
+{ pkgs, lib, config, nixpkgs-unstable, ... }:
+
+let
+ cfg = config.custom.resilio;
+in
+{
+ imports = [ "${nixpkgs-unstable}/nixos/modules/services/networking/resilio.nix" ];
+ disabledModules = [ "services/networking/resilio.nix" ];
+
+ options.custom.resilio = {
+ enable = lib.mkEnableOption "resilio";
+
+ extraUsers = lib.mkOption {
+ type = with lib.types; listOf str;
+ default = [ config.custom.user ];
+ };
+
+ folders = lib.mkOption {
+ type = with lib.types; uniq (listOf attrs);
+ default = [ ];
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ users.users =
+ let
+ mkUser =
+ (user: {
+ name = user;
+ value = {
+ extraGroups = [ "rslsync" ];
+ };
+ });
+ in
+ builtins.listToAttrs (builtins.map mkUser cfg.extraUsers);
+
+ age.secrets =
+ let
+ mkSecret = (secret: {
+ name = secret.name;
+ value = {
+ file = secret.file;
+ owner = "rslsync";
+ group = "rslsync";
+ };
+ });
+ in
+ builtins.listToAttrs (builtins.map (folder: mkSecret folder.secret) cfg.folders);
+
+ services.resilio = {
+ enable = true;
+ sharedFolders =
+ let
+ mkFolder = name: secret: {
+ directory = "${config.services.resilio.directoryRoot}/${name}";
+ secretFile = "${config.age.secrets."${secret.name}".path}";
+ knownHosts = [ ];
+ searchLAN = true;
+ useDHT = true;
+ useRelayServer = true;
+ useSyncTrash = false;
+ useTracker = true;
+ };
+ in
+ builtins.map (folder: mkFolder folder.name folder.secret) cfg.folders;
+ };
+ };
+}
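Review bot: `custom.resilio.folders` here is a near-copy of the gendry host's helper, differing only in the `encrypted` path segment; since the module now owns the age secret wiring, an option such as `custom.resilio.secretPrefix = "resilio/encrypted";` letting the module derive `secret.name` and `secret.file` from the folder name would leave hosts with just `[ "dad" "projects" "resources" "sync" ]`. Separately, the `lib.mkForce` firewall lists keep only 22, 80 and 443, so no Resilio listening port is reachable on ens18; if the imported resilio module does not open one itself (not visible here), peers reach this host only via the relay, tracker, DHT or Tailscale, which is fine but worth a one-line comment beside `## Resilio Sync (Encrypted)` so the omission reads as intended.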
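Review bot: The new `custom.user` option carries no `description`, yet its default `"jake"` decides which account `custom.resilio.extraUsers` adds to the `rslsync` group on every host that enables that module; I would add `description = "Primary interactive user; modules use it as the default account granted service group membership.";` after `default = "jake";`. The module's argument set on line 1 lies outside the hunk, so I cannot confirm `lib` is bound there — the old file only had `imports` and may well have been written as `{ ... }:`.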
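Review bot: `folders` is typed `uniq (listOf attrs)`, so the `name`/`secret.name`/`secret.file` contract that `mkSecret` and `mkFolder` rely on is unchecked and a typo in a host's `secret` only surfaces as an attribute-missing error at `config.age.secrets."${secret.name}".path`; a folder `name` containing `/` or `..` is likewise interpolated straight into `directory = "${…directoryRoot}/${name}"` and would place the rslsync-owned share outside `directoryRoot`. I would declare the list element as a submodule with descriptions and add an assertion restricting `name` to a single path component, as below. Note also that every `extraUsers` entry (default `config.custom.user`) gains `rslsync` membership while the folder secrets are created with owner/group `rslsync` and no explicit `mode`; whether group members can read those keys depends on agenix's default mode, which is not visible here, so pinning `mode = "0400";` in `mkSecret` would make the intent explicit.
```nix
    folders = lib.mkOption {
      # One entry per share; the module creates the age secret and the
      # services.resilio.sharedFolders entry for each.
      type = with lib.types; uniq (listOf (submodule {
        options = {
          name = lib.mkOption {
            type = str;
            description = "Share name; becomes <directoryRoot>/<name>, so it must be a single path component.";
          };
          secret.name = lib.mkOption {
            type = str;
            description = "Key under age.secrets that will hold the decrypted folder secret.";
          };
          secret.file = lib.mkOption {
            type = path;
            description = "Encrypted .age file containing the Resilio folder secret.";
          };
        };
      }));
      default = [ ];
    };
    # … unchanged: enable, extraUsers …

  config = lib.mkIf cfg.enable {
    # Refuse names that would escape directoryRoot once interpolated into `directory`.
    assertions = builtins.map (folder: {
      assertion = builtins.match "[A-Za-z0-9._-]+" folder.name != null && folder.name != "." && folder.name != "..";
      message = "custom.resilio.folders: name \"${folder.name}\" must be a single path component";
    }) cfg.folders;
    # … unchanged: users.users, age.secrets, services.resilio …
```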
diff --git a/modules/resilio/default.nix b/modules/resilio/default.nix
deleted file mode 100644
index f8d5705..0000000
--- a/modules/resilio/default.nix
+++ /dev/null
@@ -1,28 +0,0 @@
-{ pkgs, lib, config, nixpkgs-unstable, ... }:
-
-{
- imports = [ "${nixpkgs-unstable}/nixos/modules/services/networking/resilio.nix" ];
- disabledModules = [ "services/networking/resilio.nix" ];
-
- options.resilioFolders = lib.mkOption {
- type = with lib.types; uniq (listOf attrs);
- default = [ ];
- };
-
- config.users.users.jake.extraGroups = [ "rslsync" ];
-
- config.services.resilio.sharedFolders =
- let
- mkFolder = name: secretFile: {
- directory = "${config.services.resilio.directoryRoot}/${name}";
- secretFile = "${secretFile}";
- knownHosts = [ ];
- searchLAN = true;
- useDHT = true;
- useRelayServer = true;
- useSyncTrash = false;
- useTracker = true;
- };
- in
- builtins.map (folder: mkFolder folder.name folder.secretFile) config.resilioFolders;
-}