From 626a10a91ccd209364c27fa90bf9235caf307edf Mon Sep 17 00:00:00 2001
From: Jonni Liljamo
Date: Wed, 13 Nov 2024 18:10:36 +0200
Subject: [PATCH] feat: move cloud
---
 hosts/cloud/default.nix | 20 --------------------
 {systems => lxc}/hosts/cloud/default.nix | 6 ++++++
 {systems => lxc}/hosts/cloud/miniflux.nix | 0
 {systems => lxc}/hosts/cloud/vikunja.nix | 0
 lxc/hosts/default.nix | 5 +++++
 lxc/roles/default.nix | 1 +
 lxc/roles/unfree.nix | 19 +++++++++++++++++++
 secrets/cloud/secrets.yaml | 7 +++----
 systems/hosts/default.nix | 5 -----
 9 files changed, 34 insertions(+), 29 deletions(-)
 delete mode 100644 hosts/cloud/default.nix
 rename {systems => lxc}/hosts/cloud/default.nix (96%)
 rename {systems => lxc}/hosts/cloud/miniflux.nix (100%)
 rename {systems => lxc}/hosts/cloud/vikunja.nix (100%)
 create mode 100644 lxc/roles/unfree.nix
diff --git a/hosts/cloud/default.nix b/hosts/cloud/default.nix
deleted file mode 100644
index ea5a202..0000000
--- a/hosts/cloud/default.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{config, ...}: {
- sops.secrets.rootPwd.neededForUsers = true;
- sops.secrets.liljamoPwd.neededForUsers = true;
-
- # Outline is under BSL1.1.
- arta.unfree.allow = ["outline"];
-
- roles.base = {
- root.hashedPasswordFile = config.sops.secrets.rootPwd.path;
- primaryUser = {
- username = "liljamo";
- hashedPasswordFile = config.sops.secrets.liljamoPwd.path;
- };
- };
-
- roles.tailscale = {
- enable = true;
- enableSSH = true;
- };
-}
diff --git a/systems/hosts/cloud/default.nix b/lxc/hosts/cloud/default.nix
similarity index 96%
rename from systems/hosts/cloud/default.nix
rename to lxc/hosts/cloud/default.nix
index 29a85dc..09149ed 100644
--- a/systems/hosts/cloud/default.nix
+++ b/lxc/hosts/cloud/default.nix
@@ -10,6 +10,12 @@ in { ./miniflux.nix ./vikunja.nix ]; + sops.secrets.rootPwd.neededForUsers = true; + + roles.base.root.hashedPasswordFile = config.sops.secrets.rootPwd.path; + + # Outline is under BSL1.1. + roles.unfree.allow = ["outline"]; networking.firewall.allowedTCPPorts = [80 config.services.outline.port];
diff --git a/systems/hosts/cloud/miniflux.nix b/lxc/hosts/cloud/miniflux.nix
similarity index 100%
rename from systems/hosts/cloud/miniflux.nix
rename to lxc/hosts/cloud/miniflux.nix
diff --git a/systems/hosts/cloud/vikunja.nix b/lxc/hosts/cloud/vikunja.nix
similarity index 100%
rename from systems/hosts/cloud/vikunja.nix
rename to lxc/hosts/cloud/vikunja.nix
diff --git a/lxc/hosts/default.nix b/lxc/hosts/default.nix
index 39d3747..1973da7 100644
--- a/lxc/hosts/default.nix
+++ b/lxc/hosts/default.nix
@@ -4,6 +4,11 @@ profiles: {
 profile = profiles.generic;
 modules = [];
 };
+ cloud = {
+ system = "x86_64-linux";
+ profile = profiles.generic;
+ modules = [];
+ };
 dns = {
 system = "x86_64-linux";
 profile = profiles.generic;
diff --git a/lxc/roles/default.nix b/lxc/roles/default.nix
index a45e34c..a1588e0 100644
--- a/lxc/roles/default.nix
+++ b/lxc/roles/default.nix
@@ -5,5 +5,6 @@
 ./cadvisor.nix
 ./prometheus.nix
 ./tailscale.nix
+ ./unfree.nix
 ];
 }
diff --git a/lxc/roles/unfree.nix b/lxc/roles/unfree.nix
new file mode 100644
index 0000000..f5112a3
--- /dev/null
+++ b/lxc/roles/unfree.nix
@@ -0,0 +1,19 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.roles.unfree;
+in {
+ options.roles.unfree = {
+ allow = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ default = [];
+ };
+ };
+
+ config = {
+ nixpkgs.config.allowUnfreePredicate = pkg:
+ builtins.elem (lib.getName pkg) cfg.allow;
+ };
+}
diff --git a/secrets/cloud/secrets.yaml b/secrets/cloud/secrets.yaml
index 247ea77..d445efa 100644
--- a/secrets/cloud/secrets.yaml
+++ b/secrets/cloud/secrets.yaml
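Review bot: The added lines carry over only the root credential from the deleted `hosts/cloud/default.nix`; its `sops.secrets.liljamoPwd`, the `roles.base.primaryUser` block and `roles.tailscale = { enable = true; enableSSH = true; }` have no counterpart here, so unless the LXC profile sets them the moved host has no unprivileged user and no Tailscale SSH access (the `tailscale.nix` role is still imported in `lxc/roles/default.nix`, just not enabled for this host). If that is the intent, one comment above `roles.base.root.hashedPasswordFile`, `# root-only LXC: primaryUser and roles.tailscale from the old systems/ host deliberately dropped`, would keep a later reader from restoring them by mistake. The enclosing attribute set starts before this hunk, so the `imports` list and any settings above line 10 are not visible here.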
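Review bot: The `allow` option in `options.roles.unfree` carries no `description`, so the only way to learn that entries are matched against `lib.getName pkg` (the pname without its version) is to read the predicate below it. I'd add `description = "Package names, as returned by lib.getName (no version suffix), that may be built despite an unfree license.";` next to `default = [];`. If the LXC profile supplies `nixpkgs.pkgs` directly rather than letting NixOS instantiate nixpkgs, confirm that the `nixpkgs.config.allowUnfreePredicate` set here is still honoured; that cannot be seen from this hunk.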
@@ -1,5 +1,4 @@
-rootPwd: ENC[AES256_GCM,data:XwfHY6qCxwYOtoKxYp+3gbx2JQpVDrq/KpFdLuSy0Mb026+ixrncicEw4E3R9iq9MnRZJpoauGxw1XQlBcvF2kx2sXZAnQxpHWGPZTunntTiDij/n6ahKbIuGqQHDAzc8KKlnRdCIebgEw==,iv:oAicqT0VJqjWI/Al/aLRDF0rEqCANmUuaml9aR1vKko=,tag:DDzOKvnsKSxZqosJM/gYnw==,type:str]
-liljamoPwd: ENC[AES256_GCM,data:kp7QlA523jH3b5QyDqYAehd4vc01HqIqbbZwdVKY0mA6uiqFeUk7PMDwuH7NRnCGD8msaC3gyUUglBtWs3XGWukDA8H+lw5ZqCDaRD+KESURc3/s+LABiUf8Zwm6Dj5zWRmLctot85BWsA==,iv:VevfwnY1YpIRsSFd39cfuioPkGC3PSLlDbCXNmOuwXI=,tag:/e5L2CRWRHeppbyjAmf6gw==,type:str]
+rootPwd: ENC[AES256_GCM,data:rwoj/TaJw8vtYw6/B4fS27jye7cD6ExKcyAzVcHTsmcsM13T8DbQvzfJUo3t4LE+NyJZQOVl8RiKcRbqBGQDCzm4Q6zP9PODs04PrT3eXCvKAdCkngx7PDH3qBWopPd1F/VuXw4TGaBRtg==,iv:Xx9CN8kSCq7UKtN24zFmibpvaeYjCU45OdSmXb4i/tU=,tag:vSBfyD/9OxhOW31afqYNyA==,type:str]
 outline:
 secretKey: ENC[AES256_GCM,data:POFzIrLEWmOAu2+53nD8KIJQ0q6oeDKdzpikfuNwxvjXfORwcG7QXjSU8wWfCXORbrT5knh7rcU9yvvBZXVObQ==,iv:f8dULXac9C6vnXZRvKhIc6WyVYl5eF/nrUs7ZCNdPYQ=,tag:boO+R3ny01WZfHT4WyEJ6A==,type:str]
 utilsSecret: ENC[AES256_GCM,data:MUluti1wd8x0z5eIVcPi4n5cmOLBBanM9pRQYPonxbJVAGuPrrfDLGJ8OrqNJGzrN4LmdW57Mhn0kAYf6Jl4Gw==,iv:pM6QdHK1xnYdu+zIoYlBirdhWaZbgud/2IqRO22jHbM=,tag:XOfeAO8DS60Ei8Rq2VofaA==,type:str]
@@ -28,8 +27,8 @@ sops:
 TjduMkxMazUveTlUdStwRGJaRDlpaTAKW7P6B3W1tih2S81TRY7m/Me9Gr6CwZLi
 Wymq21dT+Or2FR8F2LZDHG8WiUOu/8bvSZ0ZYZpfs5mCvufdRhPFaA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-09-28T15:18:05Z"
- mac: ENC[AES256_GCM,data:KXEj88VPXYLbM0v4bTkAFaIuEMI9/FPu/yS0QRoORq2c71Sm3uSsfZLRRYzfxQm1Q+6hjnyYiqRbpxjYDGDmUn7Oyfo3hESpAJguhUPi4Xbw60rB2ZryKhc/+DmGu4uR391grovlbgYXorfjlo0n0QpVlCyO0OlAiM1qqNhGPl0=,iv:/HuVsqL8J1WOFv22tQb+0NSp2VdmPkgFs4GFfF8DaVU=,tag:lzgxj4IPhTtOSWviefI81A==,type:str]
+ lastmodified: "2024-11-13T16:09:35Z"
+ mac: ENC[AES256_GCM,data:XisL3vvjuWNuaLSwJJZFn1r46iPON8KVv9HcLV7ax5C9BFywKWPFw4pN1J72pWisJLQ2WNCFZ21M4vjtN42TKs4HkTjPDRn6Gevi+zpLI4ghyw8EGiaQg1Hr8756vhFgQ7jzgxIiWzMy+YorcmFgJdKe0VG1iFD5FgwQz+b5JfY=,iv:RGj+SVTIxZ2aia7n6a5S6XGPfGDsXdPxmi8kpclvAG8=,tag:NwDPtJTnY6ARfX3udvE5oA==,type:str]
 pgp:
 - created_at: "2024-09-09T17:25:01Z"
 enc: |-
diff --git a/systems/hosts/default.nix b/systems/hosts/default.nix
index b0af418..8dfc736 100644
--- a/systems/hosts/default.nix
+++ b/systems/hosts/default.nix
@@ -17,11 +17,6 @@ }; # LXCs - cloud = { - system = "x86_64-linux"; - profile = lxc; - modules = []; - }; oci = { system = "x86_64-linux"; profile = lxc;
-- 2.44.1