Add nix-serve, https serve, agenix (#29)

Sridhar Ratnakumar 2022-12-23 15:07:38 -05:00 committed by GitHub
parent cb121622df
commit 6326d27460
6 changed files with 176 additions and 20 deletions

131
flake.lock generated

@ -1,5 +1,23 @@
{
"nodes": {
"agenix": {
"inputs": {
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1665870395,
"narHash": "sha256-Tsbqb27LDNxOoPLh0gw2hIb6L/6Ow/6lIBvqcHzEKBI=",
"owner": "ryantm",
"repo": "agenix",
"rev": "a630400067c6d03c9b3e0455347dc8559db14288",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"coc-rust-analyzer": {
"flake": false,
"locked": {
@ -95,7 +113,7 @@
"emacs-overlay": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs"
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1671358416,
@ -119,7 +137,7 @@
"haskell-flake": "haskell-flake",
"heist": "heist",
"heist-extra": "heist-extra",
"nixpkgs": "nixpkgs_2"
"nixpkgs": "nixpkgs_3"
},
"locked": {
"lastModified": 1669586795,
@ -151,6 +169,22 @@
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1668681692,
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "009399224d5e398d03b22badca40a37ac85412a1",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
@ -254,7 +288,7 @@
"inputs": {
"flake-parts": "flake-parts_3",
"nix-darwin": "nix-darwin",
"nixpkgs": "nixpkgs_3",
"nixpkgs": "nixpkgs_4",
"pre-commit-hooks-nix": "pre-commit-hooks-nix"
},
"locked": {
@ -367,6 +401,26 @@
"type": "github"
}
},
"nix-serve-ng": {
"inputs": {
"flake-compat": "flake-compat_2",
"nixpkgs": "nixpkgs_5",
"utils": "utils_3"
},
"locked": {
"lastModified": 1669427214,
"narHash": "sha256-ELsHgI5OJEHDA2FWJdsxe5O7KGvt4znSH3yFVxOKHOA=",
"owner": "aristanetworks",
"repo": "nix-serve-ng",
"rev": "e36a1a93aacf2257c3eca8791b505a61b1e1ca95",
"type": "github"
},
"original": {
"owner": "aristanetworks",
"repo": "nix-serve-ng",
"type": "github"
}
},
"nixos-hardware": {
"locked": {
"lastModified": 1669146234,
@ -384,7 +438,7 @@
},
"nixos-shell": {
"inputs": {
"nixpkgs": "nixpkgs_4"
"nixpkgs": "nixpkgs_6"
},
"locked": {
"lastModified": 1646257415,
@ -418,14 +472,18 @@
},
"nixpkgs": {
"locked": {
"lastModified": 0,
"narHash": "sha256-mZfzDyzojwj6I0wyooIjGIn81WtGVnx6+avU5Wv+VKU=",
"path": "/nix/store/2n3ykdi3lamr8gn2if8wkf0px0kg1bnp-source",
"type": "path"
"lastModified": 1665732960,
"narHash": "sha256-WBZ+uSHKFyjvd0w4inbm0cNExYTn8lpYFcHEes8tmec=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "4428e23312933a196724da2df7ab78eb5e67a88e",
"type": "github"
},
"original": {
"id": "nixpkgs",
"type": "indirect"
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-lib": {
@ -483,6 +541,18 @@
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 0,
"narHash": "sha256-mZfzDyzojwj6I0wyooIjGIn81WtGVnx6+avU5Wv+VKU=",
"path": "/nix/store/2n3ykdi3lamr8gn2if8wkf0px0kg1bnp-source",
"type": "path"
},
"original": {
"id": "nixpkgs",
"type": "indirect"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1668443372,
"narHash": "sha256-lXNlVyNWwO22/JUdBtUWz68jZB3DM+Jq/irlsbwncI0=",
@ -498,7 +568,7 @@
"type": "github"
}
},
"nixpkgs_3": {
"nixpkgs_4": {
"locked": {
"lastModified": 1670495322,
"narHash": "sha256-PYwHXymeQZBrTylwDd4LgozTAgrJmp3UGf3mgnKPRr0=",
@ -514,7 +584,23 @@
"type": "github"
}
},
"nixpkgs_4": {
"nixpkgs_5": {
"locked": {
"lastModified": 1669391192,
"narHash": "sha256-f/2TqduZWcdq/pPddu1E7plNmcOuzt1IN4Fh3LSUKmM=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ce1f9354959ae1493916f2e551ecc32e79b4a473",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "master",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_6": {
"locked": {
"lastModified": 1628465643,
"narHash": "sha256-QSNw9bDq9uGUniQQtakRuw4m21Jxugm23SXLVgEV4DM=",
@ -529,7 +615,7 @@
"type": "indirect"
}
},
"nixpkgs_5": {
"nixpkgs_7": {
"locked": {
"lastModified": 1671200928,
"narHash": "sha256-mZfzDyzojwj6I0wyooIjGIn81WtGVnx6+avU5Wv+VKU=",
@ -569,6 +655,7 @@
},
"root": {
"inputs": {
"agenix": "agenix",
"coc-rust-analyzer": "coc-rust-analyzer",
"comma": "comma",
"darwin": "darwin",
@ -577,10 +664,11 @@
"flake-parts": "flake-parts_2",
"hci": "hci",
"home-manager": "home-manager",
"nix-serve-ng": "nix-serve-ng",
"nixos-hardware": "nixos-hardware",
"nixos-shell": "nixos-shell",
"nixos-vscode-server": "nixos-vscode-server",
"nixpkgs": "nixpkgs_5",
"nixpkgs": "nixpkgs_7",
"zk-nvim": "zk-nvim"
}
},
@ -614,6 +702,21 @@
"type": "github"
}
},
"utils_3": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"zk-nvim": {
"flake": false,
"locked": {


@ -11,6 +11,8 @@
darwin.inputs.nixpkgs.follows = "nixpkgs";
home-manager.url = "github:nix-community/home-manager";
home-manager.inputs.nixpkgs.follows = "nixpkgs";
agenix.url = "github:ryantm/agenix";
nix-serve-ng.url = "github:aristanetworks/nix-serve-ng";
hci.url = "github:hercules-ci/hercules-ci-agent";
@ -69,6 +71,7 @@
self.nixosModules.default # Defined in nixos/default.nix
./systems/hetzner/ax41.nix
./nixos/server/harden.nix
./nixos/hercules.nix
# I share my Hetzner server with other people who need it.
self.nixosModules.guests
];
@ -85,9 +88,12 @@
};
};
perSystem = { pkgs, config, ... }: {
perSystem = { pkgs, config, inputs', ... }: {
devShells.default = pkgs.mkShell {
buildInputs = [ pkgs.nixpkgs-fmt ];
buildInputs = [
pkgs.nixpkgs-fmt
inputs'.agenix.packages.agenix
];
};
formatter = pkgs.nixpkgs-fmt;
apps.default = config.apps.activate;
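Review bot: The `agenix` and `nix-serve-ng` inputs added in the first hunk are declared without a `.inputs.nixpkgs.follows = "nixpkgs"` line, unlike `darwin` and `home-manager` directly above them, so each pulls its own nixpkgs into the lock (the flake.lock section shows nix-serve-ng's copy, `nixpkgs_5`, tracking `master`). That widens the set of pinned revisions that has to be reviewed and bumped, and the cache server's nix-serve build can drift from the nixpkgs the rest of the system uses. Adding `agenix.inputs.nixpkgs.follows = "nixpkgs";` and `nix-serve-ng.inputs.nixpkgs.follows = "nixpkgs";` under the two new url lines keeps a single audited nixpkgs revision, assuming both inputs build against it. The `inputs` attribute set these lines belong to starts outside the hunk.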


@ -0,0 +1,16 @@
age-encryption.org/v1
-> ssh-rsa sNTFlg
Ys3fyTk1zXIPfYvN1cx+fK+DgackWPAb/KrY1VRS5xYIB8ODs/VrvuV09apkfhyd
4hrWgTrTz5mgjanMdX1PhvEqrv79dRJgIqnt801brFhVEwTQKr1XWfWq5+iWtwJG
5i0TeAfKoEUNXs9A900GhmQWS7MC7oLyqhVlpAVJ1jAM3HyK/y+LyIi/My/tpc0Q
sa00r36F7dt/dr3xUxKv9oqmDkZeklMEMMPVfLokt5C8msPhFkm6cvNQ4xh9fgS2
z14WbC4YNCmTxuFPPSoUX0QwK5shwA+qvENZ1jkP3F6bNfjcwDAg0dIzDXLcPFIH
oMElQQ1P/ZLxTAECigfl3w
-> ssh-ed25519 Ch6j2A thjC7f9Oz9WN7M5L0BHDzBvkz18KSTaF6OpiS1I09Ho
jbds6Wf0gKKdtv/l5ovnPbg1kY8Cyp3DZ8tjeuu27hw
-> 4l:[-grease ]V 3NBU )ut \;
KDb3aFVU6f7rhekxgSg+
--- XDufzpsUOyYSM9SQ8+j45Bp4OSqbpFZ8lI+2dN3uYSY
ZŒ$â@§§È2øê<C3B8>¤þ&£i²„kº$-œì<08>\ƒ$˜nVR4¹]fpܸ“¸(EÔ_²^ØÔ^!× LÒ°¤°8FÂ÷
¼(¥}Æ´@ϧùÄ·FëQ§å„Où
xzr¥?,lv:„3¦¦gAðŽ5Ñ·H˜ÖË2Û…«Ð{°"8ùM°

9
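--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,9 @@
+let
+keys = [
+(builtins.readFile ../nixos/takemessh/id_rsa.pub)
+(builtins.readFile ../systems/hetzner/ax41.pub)
+];
+in
+{
+"cache-priv-key.age".publicKeys = keys;
+}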
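Review bot: The two recipients in `keys` are not identified, so a reader cannot tell which entry is the server that decrypts the secret and which is the key used to edit it; a comment per entry would help, e.g. `# ax41 host key (root@pinch) — the server decrypts this at activation` above the `ax41.pub` line and a matching one for `id_rsa.pub`, marked as an assumption if its role is not known for certain. It is also worth recording next to the `"cache-priv-key.age"` entry that the file must be rekeyed (`agenix -r`) whenever either public key is replaced, since otherwise the host loses access to the cache signing key at its next activation. The role of `id_rsa.pub` is inferred from its path and is not shown on this page.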


@ -4,6 +4,8 @@
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
inputs.agenix.nixosModule
inputs.nix-serve-ng.nixosModules.default
];
boot.initrd.availableKernelModules = [ "nvme" "ahci" "usbhid" ];
@ -54,7 +56,7 @@
# Network (Hetzner uses static IP assignments, and we don't use DHCP here)
networking.useDHCP = false;
networking.firewall.checkReversePath = "loose"; # Tailscale recommends this
networking.interfaces."enp41s0" = {
ipv4 = {
addresses = [{
@ -109,9 +111,29 @@
services.openssh.permitRootLogin = "prohibit-password";
services.openssh.enable = true;
services.tailscale.enable = true;
networking.firewall.checkReversePath = "loose"; # Tailscale recommends this
age.secrets.cache-priv-key.file = ../../secrets/cache-priv-key.age;
services.nix-serve = {
enable = true;
secretKeyFile = config.age.secrets.cache-priv-key.path;
};
services.nginx = {
enable = true;
virtualHosts."cache.srid.ca" = {
forceSSL = true;
enableACME = true;
locations."/".extraConfig = ''
proxy_pass http://localhost:${toString config.services.nix-serve.port};
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
'';
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
security.acme.acceptTerms = true;
security.acme.defaults.email = "srid@srid.ca";
# Define a user account. Don't forget to set a password with passwd.
users.users.${flake.config.people.myself} = {
@ -121,5 +143,4 @@
security.sudo.wheelNeedsPassword = false;
system.stateVersion = "20.03";
}
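Review bot: The nix-serve listener proxied by `proxy_pass http://localhost:${toString config.services.nix-serve.port};` in the third hunk is only confined to the TLS vhost if it binds to loopback; the hunk sets `enable` and `secretKeyFile` but no bind address, so whether the plain-HTTP port is also reachable on the public interface depends on the module's default, and today only the `[ 80 443 ]` entry in `networking.firewall.allowedTCPPorts` keeps it off the network. If the nix-serve-ng module exposes `bindAddress` as the nixpkgs nix-serve module does, `bindAddress = "127.0.0.1";` next to `secretKeyFile` makes that explicit rather than firewall-dependent. A comment above `age.secrets.cache-priv-key.file` noting that the key pair was produced with `nix-store --generate-binary-cache-key` and that the matching public key is what clients must trust would help the next maintainer. The enclosing module attribute set starts and ends outside the hunk.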

1
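--- /dev/null
+++ b/systems/hetzner/ax41.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMI2BuoFaJD7dfOuJUP0yGWsQ4+tnKojUZiAQgIb44uj root@pinch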