diff --git a/.sops.yaml b/.sops.yaml index 7a03b5f..9ad1fd3 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -9,10 +9,9 @@ keys: - &users: - &dev age14d55nfxlzm8t2yzplxpprygxmt99javafz9a8dh5llu87aww4qlswf6g0c - &hosts: - - &dev-vm age1rjtqzmywfr3zuzz0cn8eqnwp3x8ypzya9gcv6kvtplhudar5eayqq83ey4 - - &crayon age1pnu4tkdxfcnefntdw262k4m8wuv3qe2894s4e6w5j8yshg8vlu6q9uq5tv - - &blob age1kardawqarv498rwayadsmnlx62kvjgduvhhg3drx39xacn9u3ajq5d0qra - # new-host marker + - &dev-vm age1rjtqzmywfr3zuzz0cn8eqnwp3x8ypzya9gcv6kvtplhudar5eayqq83ey4 + - &crayon age1pnu4tkdxfcnefntdw262k4m8wuv3qe2894s4e6w5j8yshg8vlu6q9uq5tv + - &blobercraft age167gn88rldpmqmjhm9nl0gv05ms4tn37jx2nxwklfvs3xymfp9y7sa8vurh creation_rules: - path_regex: secrets.yaml$ key_groups: @@ -20,5 +19,4 @@ creation_rules: - *dev - *dev-vm - *crayon - - *blob - # new-host ptr marker + - *blobercraft diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..45bd70b --- /dev/null +++ b/Makefile @@ -0,0 +1,25 @@ +IP ?= +HOST ?= +deploy: + # push flake config to a remote server +ifeq ($(IP),) + $(error IP not set) +endif +ifeq ($(HOST),) + $(error HOST not set) +endif +ifneq ($(shell git diff),) + git add . + git commit -m "auto commit on build" -m "`PAGER=cat git diff --name-only --cached`" +endif + rsync -azr ./ crown@$(IP):~/flake-config + ssh crown@$(IP) "sudo NIX_CONFIG='experimental-features = flakes pipe-operators' nixos-rebuild switch --flake ~/flake-config#$(HOST)" + +sops: + # update sops keys + sops updatekeys secrets.yaml + +.DEFAULT_GOAL := default +.PHONY: default deploy sops +default: + # noop diff --git a/README.md b/README.md index b94efc8..39094d6 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ That's it, have fun poking around. ## Systems I suppose if you're trying to understand my config you'd need to know where this stuff is deployed and what for. -- blob +- blobercraft - This is my main homelab server. It's used for my media (jellyfin) along with some other stuff that you can find by looking at my config. - crayon @@ -21,14 +21,19 @@ that I thought a new user might want to understand as nix is rather poorly documented. ## Maintaining -I've included a dev shell to keep the system up to date. To enter the shell run: +I've included a make file to keep remote systems up to date, here's an example +of what I use to deploy to crayon: ```sh -nix develop +make deploy IP=squi.bid HOST=crayon ``` -Once you've entered the shell will give you a rundown on what you can do. +This step requires the remote system to have a crown user who can execute sudo +commands without an interactive prompt. + +I'll probably end up switching to something more standard once I've got the +time. ## TODO: -- [ ] blob +- [ ] blobercraft - [ ] add a git backup for everything on crayon (if possible) - [ ] ff sync server - [ ] crayon diff --git a/flake.lock b/flake.lock index a1a98cd..16d09e0 100644 --- a/flake.lock +++ b/flake.lock @@ -22,64 +22,6 @@ "type": "github" } }, - "deploy-rs": { - "inputs": { - "flake-compat": "flake-compat", - "nixpkgs": [ - "nixpkgs" - ], - "utils": "utils" - }, - "locked": { - "lastModified": 1762286984, - "narHash": "sha256-9I2H9x5We6Pl+DBYHjR1s3UT8wgwcpAH03kn9CqtdQc=", - "owner": "serokell", - "repo": "deploy-rs", - "rev": "9c870f63e28ec1e83305f7f6cb73c941e699f74f", - "type": "github" - }, - "original": { - "owner": "serokell", - "repo": "deploy-rs", - "type": "github" - } - }, - "disko": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1764017209, - "narHash": "sha256-RoJGCtKExXXkNCZUmmxezG3eOczEOTBw38DaZGSYJC0=", - "owner": "nix-community", - "repo": "disko", - "rev": "ec8eabe00c4ee9a2ddc50162c125f0ec2a7099e1", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "disko", - "type": "github" - } - }, - "flake-compat": { - "flake": false, - "locked": { - "lastModified": 1733328505, - "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, "nid": { "inputs": { "nixpkgs": [ @@ -102,24 +44,22 @@ }, "nixpkgs": { "locked": { - "lastModified": 1764522689, - "narHash": "sha256-SqUuBFjhl/kpDiVaKLQBoD8TLD+/cTUzzgVFoaHrkqY=", + "lastModified": 1762498405, + "narHash": "sha256-Zg/SCgCaAioc0/SVZQJxuECGPJy+OAeBcGeA5okdYDc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8bb5646e0bed5dbd3ab08c7a7cc15b75ab4e1d0f", + "rev": "6faeb062ee4cf4f105989d490831713cc5a43ee1", "type": "github" }, "original": { "id": "nixpkgs", - "ref": "nixos-25.11", + "ref": "nixos-25.05", "type": "indirect" } }, "root": { "inputs": { "declarative-jellyfin": "declarative-jellyfin", - "deploy-rs": "deploy-rs", - "disko": "disko", "nid": "nid", "nixpkgs": "nixpkgs", "sops-nix": "sops-nix", @@ -160,21 +100,6 @@ "type": "indirect" } }, - "systems_2": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "treefmt-nix": { "inputs": { "nixpkgs": [ @@ -210,24 +135,6 @@ "ref": "nixos-unstable", "type": "indirect" } - }, - "utils": { - "inputs": { - "systems": "systems_2" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } } }, "root": "root", diff --git a/flake.nix b/flake.nix index e6906a9..c26540a 100644 --- a/flake.nix +++ b/flake.nix @@ -1,7 +1,7 @@ { description = "Nixos config flake"; inputs = { - nixpkgs.url = "nixpkgs/nixos-25.11"; + nixpkgs.url = "nixpkgs/nixos-25.05"; unstable.url = "nixpkgs/nixos-unstable"; nid.url = "github:nix-community/nix-index-database"; @@ -12,26 +12,18 @@ declarative-jellyfin.url = "github:Sveske-Juice/declarative-jellyfin"; declarative-jellyfin.inputs.nixpkgs.follows = "nixpkgs"; - - deploy-rs.url = "github:serokell/deploy-rs"; - deploy-rs.inputs.nixpkgs.follows = "nixpkgs"; - - disko.url = "github:nix-community/disko"; - disko.inputs.nixpkgs.follows = "nixpkgs"; }; outputs = { self, nixpkgs, unstable, ... }@inputs: let base = [ # I've put these all here so that it's easier to see what's being # imported by default ./modules/os.nix - ./modules/server.nix ./modules/ssh.nix ./modules/time.nix ./modules/pkgs.nix ./modules/unstable.nix ./modules/zmotd.nix ./modules/sops.nix - ./modules/wireguard.nix ./modules/users/admin.nix ./overlays @@ -41,8 +33,6 @@ # use comma just in case I need to do some sysadmin stuff inputs.nid.nixosModules.nix-index { programs.nix-index-database.comma.enable = true; } - # disko for completly declarative machines - inputs.disko.nixosModules.disko ]; # ts so DRY it makes me wanna cry @@ -56,35 +46,11 @@ ] ++ modules; } )) <| hosts; - - mkNodes = nodes: - (builtins.mapAttrs (name: options: - nixpkgs.lib.attrsets.recursiveUpdate { - hostname = name; - profiles.system = { - user = "root"; - sshUser = "crown"; - path = inputs.deploy-rs.lib."x86_64-linux".activate.nixos self.nixosConfigurations.${name}; - }; - } options - )) <| nodes; in { # define all of my machines nixosConfigurations = mkHosts { - blob = []; + blobercraft = []; crayon = []; }; - - # and where they get deployed to - deploy.nodes = mkNodes { - crayon = { hostname = "squi.bid"; }; - }; - - # dev shell to deploy this flake - devShells."x86_64-linux".default = builtins.import ./shell.nix { - pkgs = nixpkgs.legacyPackages."x86_64-linux"; - }; - - checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib; }; } diff --git a/hosts/blob/default.nix b/hosts/blob/default.nix deleted file mode 100644 index 9a9cd87..0000000 --- a/hosts/blob/default.nix +++ /dev/null @@ -1,27 +0,0 @@ -{ modulesPath, ... }: -{ - imports = [ - (modulesPath + "/installer/scan/not-detected.nix") - (modulesPath + "/profiles/qemu-guest.nix") - ./disko.nix - - ./hardware-configuration.nix # Include the results of the hardware scan. - ./jellyfin.nix - ./minecraft.nix - ./gatus.nix - ./ai.nix - ]; - - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - - # ai.enable = true; - jellyfin.enable = true; - minecraft.enable = true; - - # This value determines the NixOS release with which your system is to be - # compatible, in order to avoid breaking some software such as database - # servers. You should change this only after NixOS release notes say you - # should. - system.stateVersion = "25.05"; # Did you read the comment? -} diff --git a/hosts/blob/disko.nix b/hosts/blob/disko.nix deleted file mode 100644 index b6dd767..0000000 --- a/hosts/blob/disko.nix +++ /dev/null @@ -1,36 +0,0 @@ -{ lib, ... }: -{ - disko.devices = { - disk.main = { - device = lib.mkDefault "/dev/sda"; - type = "disk"; - content = { - type = "gpt"; - partitions = { - boot = { - size = "1M"; - type = "EF02"; # for grub MBR - }; - ESP = { - size = "1G"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - mountOptions = [ "umask=0077" ]; - }; - }; - root = { - size = "100%"; - content = { - type = "filesystem"; - format = "ext4"; - mountpoint = "/"; - }; - }; - }; - }; - }; - }; -} diff --git a/hosts/blob/ai.nix b/hosts/blobercraft/ai.nix similarity index 100% rename from hosts/blob/ai.nix rename to hosts/blobercraft/ai.nix diff --git a/hosts/blobercraft/default.nix b/hosts/blobercraft/default.nix new file mode 100644 index 0000000..07474e3 --- /dev/null +++ b/hosts/blobercraft/default.nix @@ -0,0 +1,17 @@ +{ ... }: +{ + imports = [ + ./hardware-configuration.nix # Include the results of the hardware scan. + ./jellyfin.nix + ./minecraft.nix + ./gatus.nix + ./ai.nix + ]; + + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + # ai.enable = true; + jellyfin.enable = true; + minecraft.enable = true; +} diff --git a/hosts/blob/gatus.nix b/hosts/blobercraft/gatus.nix similarity index 100% rename from hosts/blob/gatus.nix rename to hosts/blobercraft/gatus.nix diff --git a/hosts/blob/hardware-configuration.nix b/hosts/blobercraft/hardware-configuration.nix similarity index 72% rename from hosts/blob/hardware-configuration.nix rename to hosts/blobercraft/hardware-configuration.nix index 3431b41..1e3ab01 100644 --- a/hosts/blob/hardware-configuration.nix +++ b/hosts/blobercraft/hardware-configuration.nix @@ -8,11 +8,24 @@ [ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; + fileSystems."/" = + { device = "/dev/disk/by-uuid/59b4c37b-b8c6-4b95-96af-e343161381bb"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/E8A3-780D"; + fsType = "vfat"; + options = [ "fmask=0077" "dmask=0077" ]; + }; + + swapDevices = [ ]; + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's # still possible to use this option, but it's recommended to use it in conjunction diff --git a/hosts/blob/jellyfin.nix b/hosts/blobercraft/jellyfin.nix similarity index 100% rename from hosts/blob/jellyfin.nix rename to hosts/blobercraft/jellyfin.nix diff --git a/hosts/blob/minecraft.nix b/hosts/blobercraft/minecraft.nix similarity index 100% rename from hosts/blob/minecraft.nix rename to hosts/blobercraft/minecraft.nix diff --git a/hosts/crayon/default.nix b/hosts/crayon/default.nix index 50373bc..c16c088 100644 --- a/hosts/crayon/default.nix +++ b/hosts/crayon/default.nix @@ -1,4 +1,4 @@ -{ config, ... }: +{ ... }: { imports = [ ./hardware-configuration.nix # Include the results of the hardware scan. @@ -9,17 +9,4 @@ boot.loader.grub.enable = true; boot.loader.grub.device = "/dev/vda"; - - wireguard = { - enable = true; - # pub: gq0/fX4EF/3jUNJSW5C3ythZjMVAWYqQdAVRw1eUC1Y= - privateKeyFile = config.sops.secrets."wireguard/crayon".path; - externalInterface = "enp1s0"; - }; - - # This value determines the NixOS release with which your system is to be - # compatible, in order to avoid breaking some software such as database - # servers. You should change this only after NixOS release notes say you - # should. - system.stateVersion = "25.05"; # Did you read the comment? } diff --git a/hosts/crayon/mailserver.nix b/hosts/crayon/mailserver.nix index 1a30bda..301781a 100644 --- a/hosts/crayon/mailserver.nix +++ b/hosts/crayon/mailserver.nix @@ -4,14 +4,13 @@ # working :( imports = [ (builtins.fetchTarball { - url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-25.11/nixos-mailserver-nixos-25.11.tar.gz"; - sha256 = "16kanlk74xnj7xgmjsj7pahy31hlxqcbv76xnsg8qbh54b0hwxgq"; + url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-25.05/nixos-mailserver-nixos-25.05.tar.gz"; + sha256 = "0la8v8d9vzhwrnxmmyz3xnb6vm76kihccjyidhfg6qfi3143fiwq"; }) ]; mailserver = { enable = true; - stateVersion = 3; fqdn = "mail.zacharyscheiman.com"; domains = [ "zacharyscheiman.com" "squi.bid" ]; messageSizeLimit = 2500000000; # 2.5GB diff --git a/modules/os.nix b/modules/os.nix index dae64ba..5b49310 100644 --- a/modules/os.nix +++ b/modules/os.nix @@ -4,7 +4,6 @@ settings = { experimental-features = [ "nix-command" "flakes" "pipe-operators" ]; auto-optimise-store = true; - trusted-users = [ "@wheel" ]; }; gc = { dates = "weekly"; @@ -19,4 +18,10 @@ enable = true; dates = "weekly"; }; + + # This value determines the NixOS release with which your system is to be + # compatible, in order to avoid breaking some software such as database + # servers. You should change this only after NixOS release notes say you + # should. + system.stateVersion = "25.05"; # Did you read the comment? } diff --git a/modules/pkgs.nix b/modules/pkgs.nix index 25f7b12..59d3a48 100644 --- a/modules/pkgs.nix +++ b/modules/pkgs.nix @@ -11,12 +11,6 @@ tree unzip zmotd - - # mmmm terminfo - foot.terminfo - ghostty.terminfo - kitty.terminfo - termite.terminfo ]; security.sudo.execWheelOnly = true; diff --git a/modules/server.nix b/modules/server.nix deleted file mode 100644 index 09ad9ab..0000000 --- a/modules/server.nix +++ /dev/null @@ -1,20 +0,0 @@ -# Most of this has been yoinked from nix-community/srvos, the only reason I'm -# not using it is because I want absolute control over my nix settings and using -# it would mean I would have to disable options that they enabled -{ - # Given that our systems are headless, emergency mode is useless. - # We prefer the system to attempt to continue booting so - # that we can hopefully still access it remotely. - systemd.enableEmergencyMode = false; - - # No need for fonts on a server - fonts.fontconfig.enable = false; - - # Ensure that basic bugs in systemd services are caught. - systemd.enableStrictShellChecks = true; - - # Make builds to be more likely killed than important services. - # 100 is the default for user slices and 500 is systemd-coredumpd@ - # We rather want a build to be killed than our precious user sessions as builds can be easily restarted. - systemd.services.nix-daemon.serviceConfig.OOMScoreAdjust = 250; -} diff --git a/modules/sops.nix b/modules/sops.nix index 8bb471d..f769a40 100644 --- a/modules/sops.nix +++ b/modules/sops.nix @@ -16,7 +16,6 @@ secrets = { "mail/me" = {}; "jellyfin/zachary" = {}; - "wireguard/crayon" = {}; }; }; } diff --git a/modules/ssh.nix b/modules/ssh.nix index bd618bf..a04ab33 100644 --- a/modules/ssh.nix +++ b/modules/ssh.nix @@ -20,12 +20,7 @@ services.sshguard.enable = true; services.openssh = { enable = true; - settings = { - KbdInteractiveAuthentication = false; - PasswordAuthentication = false; - UseDns = false; - X11Forwarding = false; - }; + settings.PasswordAuthentication = false; }; users.users.root.openssh.authorizedKeys.keys = config.ssh.keys; diff --git a/modules/wireguard.nix b/modules/wireguard.nix deleted file mode 100644 index f6b7f41..0000000 --- a/modules/wireguard.nix +++ /dev/null @@ -1,60 +0,0 @@ -{ pkgs, lib, config, ... }: -{ - options.wireguard = { - enable = lib.mkEnableOption "wireguard"; - port = lib.mkOption { - default = 51820; - description = "The port for wireguard to use."; - type = lib.types.int; - }; - externalInterface = lib.mkOption { - description = "The external networking interface for wireguard to use."; - type = lib.types.str; - }; - internalInterface = lib.mkOption { - default = "wg0"; - description = "The networking interface for wireguard to use."; - type = lib.types.str; - }; - privateKeyFile = lib.mkOption { - description = "The path to the private key of the wireguard server."; - type = lib.types.path; - }; - }; - - config = lib.mkIf config.wireguard.enable { - networking.nat.enable = true; - networking.nat.externalInterface = config.wireguard.externalInterface; - networking.nat.internalInterfaces = [ config.wireguard.internalInterface ]; - networking.firewall.allowedUDPPorts = [ config.wireguard.port ]; - networking.wireguard.interfaces = { - ${config.wireguard.internalInterface} = { - # Determines the IP address and subnet of the server's end of the tunnel interface. - ips = [ "10.100.0.1/24" ]; - listenPort = config.wireguard.port; - - # This allows the wireguard server to route your traffic to the internet and hence be like a VPN - # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients - postSetup = '' - ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE - ''; - - # This undoes the above command - postShutdown = '' - ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE - ''; - - # Path to the servers private key file. - privateKeyFile = config.wireguard.privateKeyFile; - - # TODO: add config option? - peers = [ - { - publicKey = "L+NlTn0E9pgCoEoTYs4aDewZSMmyeyC1Os9DCdwYTjY="; - allowedIPs = [ "10.100.0.2/32" ]; - } - ]; - }; - }; - }; -} diff --git a/secrets.yaml b/secrets.yaml index 4832b5f..fe10e0e 100644 --- a/secrets.yaml +++ b/secrets.yaml @@ -4,8 +4,6 @@ jellyfin: zachary: ENC[AES256_GCM,data:GIDgfsxhU4fZVjP/cTmTvIA1aeP4lbd3Fz6tbPLdyL37KD+IKERgkxJmGwtt9GNwnJBsHE/xpH8ZAvloS1DykZZtEaqB0H6wuA==,iv:FM0d4tiQPzyoEiqEQF5YvNeClHXOhP+q+TaKGeyg/TE=,tag:v+sYDwQiCX7o+g7plcnQFg==,type:str] users: crown: ENC[AES256_GCM,data:6UAYcafxflvbsTXC1N3Ff0hAlWGjveYDUzbcXPSGfPX0uXg++bfjRwYo3JFgfJpJ/KN4MODPSxgjFAFnoZOnkyxk0UDSppDagQ==,iv:PWmxuj2caqRLASjftbl0tovNq2t1WoDoviJXs/OO8yI=,tag:EwJhROsHfj5cPkpxUCy+uw==,type:str] -wireguard: - crayon: ENC[AES256_GCM,data:pQ4nOzcON+yCqgisBQO8LIdfi9GmXE9YcPzBRgu9Fdzx0R6p4dEK+DVBuDg=,iv:vq0uDgZlLwXVZMwE3xTWZDP20uaAcT4I0D7qLS61ApI=,tag:btVyZREPAgfcC694/Wusmg==,type:str] sops: kms: [] gcp_kms: [] @@ -15,41 +13,41 @@ sops: - recipient: age14d55nfxlzm8t2yzplxpprygxmt99javafz9a8dh5llu87aww4qlswf6g0c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaZVRGTEpIWW1qRWhPOTR5 - STdwVzZzeU1QS2l0TlN2NFNLY1VNZjVCdEhFCmxhejBDSjF5Vk1UQjdEYmpRRFRw - allpajVzcUFpc1h0TVBlUFdaUERPZ3cKLS0tIHc3S0FRbkgwc3BwYUYrWGUrUjZX - QjBLcFY5NnFBZXBJenFYUS8yMXBML0EKkuoDfnc0MnZ0bRQ4Op8GnxC0Mpld9nRE - 5tn6why12mT65jDHuaU3+bX2Rg5+NU90KpdA3S88M4tiCD3WSo70eg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNT0IxYjhWWkZadnVmcGpz + VXB5U2VvTFllYWhJTkNwQmxsWkxEL2drRHcwCksrMGs4SVZoL1pJNU00TUZBeU5V + UFBRcnRFdTlxUjgvcVpSelZIU0NyVWsKLS0tICtnZm8rYnB5cWhIUVBmQzQxSWIr + M29ZRHIwNGZSdi9LYmp5d2xyTWdmRDgKhs6COQa3Vmosiwv7I/IjvYr10Mx83V6z + W2d8PPTHBlRMqPcghpG2UOFsygzP8Y6UlMpCgt25vnFLUwCPlo7ERA== -----END AGE ENCRYPTED FILE----- - recipient: age1rjtqzmywfr3zuzz0cn8eqnwp3x8ypzya9gcv6kvtplhudar5eayqq83ey4 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyVEx6VzRNOFBickVjcGFj - UkpGNUpTeTVVUVRGRHJrRTI3UzhrRjIvcXdrCkFSWGE4YS91dEpJbFZEcFNGUmdP - UFJDc0hpTEVvaHZjY2k3Vk5jdTk4NjgKLS0tIDFpU0srRzBMTDFPVGVVblpEMTZk - SEtxQnN6T2lNbkRGWmUwSFdMVUw0dlEKKYe2xCYLQ8Q21p6f3NIIwRMrQHTicSp3 - BSIG0SmRGcSrzPlg8agUi4aWQ7du9EECXanQSu98sGhCWkIc/QHWnQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXMUFJY2RjSHcrS2Foa2Fo + dUJMSmpEL0NEN1BLYlZDNlA3aUQyQUNkYWxnCnNmV0ZpWTA0ZHUrUEtBV3MyZ3U1 + SitYaVFBZklaZ282K2plYUhlVjRVWGMKLS0tIGlOZENMbURDMWR5VEFIVEdyV3k5 + S3hQemRLNFd6eDlQY3pvUlkzUVhRUlUKHvdPyCCb0I825u9Hx+Fz+W9ESM2Gxy+N + lUsxP/ngAnG52MSrxxU33PG4TXSvaaYzuGP7gOQF6hB9U79inWzFzg== -----END AGE ENCRYPTED FILE----- - recipient: age1pnu4tkdxfcnefntdw262k4m8wuv3qe2894s4e6w5j8yshg8vlu6q9uq5tv enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvaVZxYTFMZDFCYnVTYWM4 - QS9Oa1dLa3dVNzArZ0hkKy8yR1Z3UVpRQzJVClo5dzU3dythWGU0NkoySUpYRUQv - MTlQYmJSVG5RNWkzWnlEaDh0YjFxL3MKLS0tIDdySlB3cGxoM09BZWdhN3RwNGtZ - Y1ZUb1Y3ais0dlZrclQyUUZxWkNSVHcKv1Q0VBHE9Y9bU6XyQ84WNf+JTIQq/mPI - tOD6uiS46KgnO5p8oM9rqvBmOPJKoS6bgSLUuEnqjLTtZE3QO0eKzA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtYTkvaldVWUk1TC94REEr + OHNiUHlqN0l3QWFJbjZ6anZpVTN5OGtibGtNCm9DcVJ6SktQeEFWU2REU0dpRjZu + WnBBaDMrbnRNaVhtR3BqdjVkc2tpZEEKLS0tIHRVdW8yL1JmcDVrVkNaa2lNN2h5 + Y0gxSjYrY3gydnBseEVlQTBSSEtJSVEKH4v1Q9kKQaj5vdV9mW2Rsl/GUbq1h/m9 + iy6BPmjC9GNtTBJ8VuvkQSvPLD+dsMwYqhmSbTQgDpRP3sQ4a6rWkA== -----END AGE ENCRYPTED FILE----- - - recipient: age1kardawqarv498rwayadsmnlx62kvjgduvhhg3drx39xacn9u3ajq5d0qra + - recipient: age167gn88rldpmqmjhm9nl0gv05ms4tn37jx2nxwklfvs3xymfp9y7sa8vurh enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwTFR1UU1PaTl0NWZ1dEVk - WTZMUEtGWFFyNm9aTzNmZHh3RkZHOGsvRWowCnYzZ3JlRGlqN2tHbmtIMFFHUVBD - dWNNc2ZqL1UwdlBmMERlNVZGK1ZhdVkKLS0tIGV1RHh5Z0Z3MlNMZHB0K1liTFdr - NTUrY2pDQXJuTnREakRWQkFqckN2M2MKSonhOJsqcY/HDY+d25rEPwKSl3FSOpkW - EJFXcKKTiJB96Ms5yDGRAtUvbqw/oSBbdGTqe7bE7pQhfj3Y8ECz4w== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYcWVDbmhhc1FHRG5WOTEz + emp4Rm9YMlA3aXUvMnpDWElqRElzQjdlMzNRCjducWdqQzliZjkzaWtGdEdUbk9u + MlBCL0lqdWs4TVo0RW9ham5mTExTSzQKLS0tICtJWk15NG9yMWwyVjF6SE1weWFF + NmlybmxKYlJESGxJbFdCazZUKzVjYmMK56j3+CuRfZsbVeYfmESlD2z6GYzIFQYz + f/jpI+8CteDlxbGuUvW10hD7lB8az2+Z+MQX2+koy3PZBkGChPh/Yg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-26T18:38:21Z" - mac: ENC[AES256_GCM,data:V3lKQj0ZWIPl2RPpnv7tRBG8sH6W9+rfnPy0z6g+3SZGmKtwhcgqVBG/VPMKhuyseNZ4vxE23lD7Ol44PchMgd/OCJqJF6TUl3A4LIqkK8Ji0m0cPcC3hsFaI8rChkWcLse30qcoQov4NbP7yElpf76Bh/NqBFgOqCjDD0Pp/NU=,iv:897reifxaub96UDCKCsWNxabVCSzYLmsIrrkXCxBgoM=,tag:0d4iQhLA/YxR7wrtUVxXqA==,type:str] + lastmodified: "2025-11-09T02:00:10Z" + mac: ENC[AES256_GCM,data:9Jg3aXMMe8Yhf3CycD+UPqlTg0E619dmOJENRe2sfwROdKxOXhiFqnuI4t262XW3IMpJdCbv3RIblklF6vPaqqJWkPqj4Jt2niF4Bq0oR+cRM+rAElYAZ6vviCWnjTjOhTD/UB2RYPFH77Ce7RQmR4c5H4D6uLaw1g3+9TLJPTE=,iv:p4mF2S1n+mTV+ny3hKbQ+tYqh+4HGURyUP9hiSdMZjs=,tag:dWCa87XTwH3mBHshUMxjiQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.1 diff --git a/shell.nix b/shell.nix deleted file mode 100644 index 33db7da..0000000 --- a/shell.nix +++ /dev/null @@ -1,92 +0,0 @@ -{ - pkgs ? - # If pkgs is not defined, instantiate nixpkgs from locked commit - # yoinked from (github.com/EmergentMind/nix-config) - let - lock = (builtins.fromJSON (builtins.readFile ./flake.lock)).nodes.nixpkgs.locked; - nixpkgs = builtins.fetchTarball { - url = "https://github.com/${lock.owner}/${lock.repo}/archive/${lock.rev}.tar.gz"; - sha256 = lock.narHash; - }; - in - builtins.import nixpkgs { overlays = [ ]; }, - ... -}: -pkgs.mkShell { - nativeBuildInputs = with pkgs.buildPackages; [ - git - openssh - ssh-to-age - nixos-anywhere - - (pkgs.writeShellScriptBin "-commit" '' - # there shall be no impurity - if [ -n "$(git diff)" ]; then - git add . - git commit -m "auto commit on build" -m "`PAGER=cat git diff --name-only --cached`" - fi - '') - - (pkgs.writeShellScriptBin "-sops" "sops updatekeys secrets.yaml") - - (pkgs.writeShellScriptBin "-init" '' - USER="root" - if [ -z "$1" ] || [ -z "$2" ]; then - echo "the 1st argument must be the ip address" - echo "the 2nd argument must be the new hostname (the nix flake host)" - echo "the 3rd argument may be the user to ssh with if unset the default is root" - exit 0 - fi - - IP=$1 - HOST=$2 - if [ -n "$3" ]; then - USER=$3 - fi - - # get the remote systems ssh key - key=$(ssh $(USER)@$(IP) 'cat /etc/ssh/ssh_host_ed25519_key.pub' | ssh-to-age) - if [ -z "$key" ]; then - echo "failed to get the remote systems ssh pubkey" - exit 1 - fi - - # add the new sops key to the .sops.yaml - sed -i '/# new-host marker/i\ - &$(HOST) $(key)' .sops.yaml - sed -i '/# new-host ptr marker/i\ - *$(HOST)' .sops.yaml - - # update the keys - sops updatekeys secrets.yaml - - -commit - - # push the flake to the remote system - nixos-anywhere\ - --flake .#$HOST\ - --build-on remote\ - --copy-host-keys\ - --generate-hardware-config nixos-generate-config ./hosts/$HOST/hardware-configuration.nix\ - --target-host $USER@$IP - '') - - (pkgs.writeShellScriptBin "-deploy" '' - -commit - - # push flake config to a remote server(s) - nix run github:serokell/deploy-rs . # this needs to be the same version that the flake is using - '') - ]; - - shellHook = '' - cat << EOF - # This is my tiny nix shell to create new machines and update existing ones - # it requires you to have nix and sops installed to correctly setup a new - # system and nix to deploy to an existing one. - # - # Available commands: - # '-sops' -> updates your sops secret file - # '-init' -> initializes a new system with nix-anywhere - # '-deploy' -> deploys the existing flake to all nodes using deploy-rs - EOF - ''; -}