refactor: avoid importing libs

alina 🌸 2024-11-23 16:37:34 +03:00
parent 5f83ddd6df
commit 5fe8c75a26
Signed by: teidesu
SSH key fingerprint: SHA256:uNeCpw6aTSU4aIObXLvHfLkDa82HWH9EiOj9AXOIRpI
30 changed files with 200 additions and 336 deletions


@ -4,6 +4,7 @@
imports = [ imports = [
(modulesPath + "/profiles/minimal.nix") (modulesPath + "/profiles/minimal.nix")
(modulesPath + "/profiles/qemu-guest.nix") (modulesPath + "/profiles/qemu-guest.nix")
(abs "lib/desu")
./disk-config.nix ./disk-config.nix
./services/sing-box.nix ./services/sing-box.nix


@ -1,16 +1,9 @@
{ abs, config, ... }: { config, ... }:
let let
secrets = import (abs "lib/secrets.nix");
UID = 1101; UID = 1101;
in { in {
imports = [ desu.secrets.arumi-mumble-env.owner = "mumble";
(secrets.declare [{
name = "arumi-mumble-env";
owner = "mumble";
}])
];
users.users.mumble = { users.users.mumble = {
isNormalUser = true; isNormalUser = true;
@ -33,7 +26,7 @@ in {
"64738:64738/udp" "64738:64738/udp"
]; ];
environmentFiles = [ environmentFiles = [
(secrets.file config "arumi-mumble-env") config.desu.secrets.arumi-mumble-env.path
]; ];
user = builtins.toString UID; user = builtins.toString UID;
}; };


@ -1,15 +1,9 @@
{ config, abs, pkgs, ... }: { config, pkgs, ... }:
let {
secrets = import (abs "lib/secrets.nix"); desu.secrets.arumi-singbox-pk = {};
in { desu.secrets.arumi-singbox-sid = {};
imports = [ desu.secrets.arumi-singbox-users = {};
(secrets.declare [
"arumi-singbox-pk"
"arumi-singbox-sid"
"arumi-singbox-users"
])
];
services.sing-box = { services.sing-box = {
enable = true; enable = true;
@ -31,9 +25,9 @@ in {
reality = { reality = {
enabled = true; enabled = true;
handshake = { inherit server; server_port = 443; }; handshake = { inherit server; server_port = 443; };
private_key._secret = secrets.file config "arumi-singbox-pk"; private_key._secret = config.desu.secrets.arumi-singbox-pk.path;
short_id = [ short_id = [
{ _secret = secrets.file config "arumi-singbox-sid"; } { _secret = config.desu.secrets.arumi-singbox-sid.path; }
]; ];
}; };
}; };
@ -49,7 +43,7 @@ in {
systemd.services.sing-box.preStart = let systemd.services.sing-box.preStart = let
file = "/etc/sing-box/config.json"; file = "/etc/sing-box/config.json";
in '' in ''
users=$(${pkgs.yaml2json}/bin/yaml2json < ${secrets.file config "arumi-singbox-users"}) users=$(${pkgs.yaml2json}/bin/yaml2json < ${config.desu.secrets.arumi-singbox-users.path})
${pkgs.jq}/bin/jq --arg users "$users" \ ${pkgs.jq}/bin/jq --arg users "$users" \
'.inbounds[0].users = ($users | fromjson | map({ "uuid": ., "flow": "xtls-rprx-vision" }))' \ '.inbounds[0].users = ($users | fromjson | map({ "uuid": ., "flow": "xtls-rprx-vision" }))' \
${file} > ${file}.tmp ${file} > ${file}.tmp


@ -1,19 +1,12 @@
{ abs, config, ... }: { config, ... }:
let let
secrets = import (abs "lib/secrets.nix");
UID = 1100; UID = 1100;
in { in {
# we use cf tunnels because 443 port is used by the proxy, # we use cf tunnels because 443 port is used by the proxy,
# and it's also generally easierbrew install cloudflared && # and it's also generally easier
imports = [ desu.secrets.arumi-cf-token.owner = "uptime-kuma";
(secrets.declare [{
name = "arumi-cf-token";
owner = "uptime-kuma";
}])
];
users.users.uptime-kuma = { users.users.uptime-kuma = {
isNormalUser = true; isNormalUser = true;
@ -31,7 +24,7 @@ in {
PGID = builtins.toString UID; PGID = builtins.toString UID;
}; };
environmentFiles = [ environmentFiles = [
(secrets.file config "arumi-cf-token") config.desu.secrets.arumi-cf-token.path
]; ];
}; };


@ -8,6 +8,7 @@
imports = [ imports = [
(abs "hosts/nixos-common.nix") (abs "hosts/nixos-common.nix")
(abs "users/teidesu/server.nix") (abs "users/teidesu/server.nix")
(abs "lib/desu")
./hardware-configuration.nix ./hardware-configuration.nix
./partials/fde.nix ./partials/fde.nix


@ -1,16 +1,9 @@
{ abs, config, ... }: { config, ... }:
let let
secrets = import (abs "lib/secrets.nix");
UID = 1105; UID = 1105;
in { in {
imports = [ desu.secrets.channel-logger-bot-env.owner = "channel-logger-bot";
(secrets.declare [{
name = "channel-logger-bot-env";
owner = "channel-logger-bot";
}])
];
users.groups.channel-logger-bot = {}; users.groups.channel-logger-bot = {};
users.users.channel-logger-bot = { users.users.channel-logger-bot = {
@ -25,7 +18,7 @@ in {
"/srv/channel-logger-bot:/app/bot-data" "/srv/channel-logger-bot:/app/bot-data"
]; ];
environmentFiles = [ environmentFiles = [
(secrets.file config "channel-logger-bot-env") config.desu.secrets.channel-logger-bot-env.path
]; ];
environment.MTCUTE_LOG_LEVEL = "5"; environment.MTCUTE_LOG_LEVEL = "5";
user = builtins.toString UID; user = builtins.toString UID;


@ -1,16 +1,9 @@
{ abs, config, ... }: { config, ... }:
let let
secrets = import (abs "lib/secrets.nix");
UID = 1101; UID = 1101;
in { in {
imports = [ desu.secrets.pcresub-bot-env.owner = "pcre-sub-bot";
(secrets.declare [{
name = "pcresub-bot-env";
owner = "pcre-sub-bot";
}])
];
users.groups.pcre-sub-bot = {}; users.groups.pcre-sub-bot = {};
users.users.pcre-sub-bot = { users.users.pcre-sub-bot = {
@ -25,7 +18,7 @@ in {
"/srv/pcre-sub-bot:/app/bot-data" "/srv/pcre-sub-bot:/app/bot-data"
]; ];
environmentFiles = [ environmentFiles = [
(secrets.file config "pcresub-bot-env") config.desu.secrets.pcresub-bot-env.path
]; ];
user = builtins.toString UID; user = builtins.toString UID;
}; };


@ -1,20 +1,13 @@
{ pkgs, abs, config, ... } @ inputs: { pkgs, abs, config, ... } @ inputs:
let let
secrets = import (abs "lib/secrets.nix");
trivial = import (abs "lib/trivial.nix") inputs;
env = import (abs "lib/env.nix") inputs; env = import (abs "lib/env.nix") inputs;
UID = 1108; UID = 1108;
bridgeConfig = pkgs.writeText "config.yaml" (builtins.toJSON (import ./config.nix)); bridgeConfig = pkgs.writeText "config.yaml" (builtins.toJSON (import ./config.nix));
in { in {
imports = [ desu.secrets.mautrix-tg-env.owner = "mautrix";
(secrets.declare [{
name = "mautrix-tg-env";
owner = "mautrix";
}])
];
users.groups.mautrix = {}; users.groups.mautrix = {};
users.users.mautrix = { users.users.mautrix = {
@ -41,7 +34,7 @@ in {
}; };
entrypoint = "/entrypoint.sh"; entrypoint = "/entrypoint.sh";
environmentFiles = [ environmentFiles = [
(secrets.file config "mautrix-tg-env") config.desu.secrets.mautrix-tg-env.path
]; ];
user = builtins.toString UID; user = builtins.toString UID;
}; };


@ -1,18 +1,14 @@
{ abs, config, ... } @ inputs: { config, ... }:
let let
secrets = import (abs "lib/secrets.nix");
UID = 1107; UID = 1107;
in { in {
imports = [ imports = [
(secrets.declare [{
name = "conduwuit-env";
owner = "conduwuit";
}])
./bridges/telegram ./bridges/telegram
]; ];
desu.secrets.conduwuit-env.owner = "conduwuit";
users.groups.conduwuit = {}; users.groups.conduwuit = {};
users.users.conduwuit = { users.users.conduwuit = {
isNormalUser = true; isNormalUser = true;
@ -29,7 +25,7 @@ in {
CONDUWUIT_CONFIG = "/conduwuit.toml"; CONDUWUIT_CONFIG = "/conduwuit.toml";
}; };
environmentFiles = [ environmentFiles = [
(secrets.file config "conduwuit-env") config.desu.secrets.conduwuit-env.path
]; ];
user = builtins.toString UID; user = builtins.toString UID;
}; };


@ -1,23 +1,15 @@
{ abs, pkgs, config, ... }@inputs: { config, ... }:
let let
secrets = import (abs "lib/secrets.nix");
UID = 1111; UID = 1111;
in { in {
imports = [ imports = [
(secrets.declare [
{
name = "kanidm-tls-key";
owner = "kanidm";
}
{
name = "kanidm-tls-cert";
owner = "kanidm";
}
])
./proxy.nix ./proxy.nix
]; ];
desu.secrets.kanidm-tls-key.owner = "kanidm";
desu.secrets.kanidm-tls-cert.owner = "kanidm";
users.users.kanidm = { users.users.kanidm = {
isNormalUser = true; isNormalUser = true;
uid = UID; uid = UID;
@ -30,8 +22,8 @@ in {
"${./server.toml}:/data/server.toml" "${./server.toml}:/data/server.toml"
"${./style.css}:/hpkg/style.css" "${./style.css}:/hpkg/style.css"
"${./fish.png}:/hpkg/img/fish.png" "${./fish.png}:/hpkg/img/fish.png"
"${(secrets.file config "kanidm-tls-key")}:/data/key.pem" "${config.desu.secrets.kanidm-tls-key.path}:/data/key.pem"
"${(secrets.file config "kanidm-tls-cert")}:/data/chain.pem" "${config.desu.secrets.kanidm-tls-cert.path}:/data/chain.pem"
]; ];
user = "${builtins.toString UID}"; user = "${builtins.toString UID}";
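Review bot: The TLS private key and chain are bind-mounted read-write into the container on the two `/data/*.pem` volume lines; nothing in this hunk needs the container to write them, so a read-only bind keeps the key from being altered from inside the container: `"${config.desu.secrets.kanidm-tls-key.path}:/data/key.pem:ro"` and likewise `:ro` on the chain.pem line. The secret itself stays at the module's default mode 0400 owned by `kanidm`, which matches the container uid on the `user` line, so the mount should still be readable. The container definition starts before the hunk and continues after it.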


@ -1,16 +1,9 @@
{ abs, config, ... } @ inputs: { config, ... }:
let let
secrets = import (abs "lib/secrets.nix");
UID = 1102; UID = 1102;
in { in {
imports = [ desu.secrets.navidrome-env.owner = "navidrome";
(secrets.declare [{
name = "navidrome-env";
owner = "navidrome";
}])
];
users.groups.navidrome = {}; users.groups.navidrome = {};
users.users.navidrome = { users.users.navidrome = {
@ -29,7 +22,7 @@ in {
ND_CONFIGFILE = "/navidrome.toml"; ND_CONFIGFILE = "/navidrome.toml";
}; };
environmentFiles = [ environmentFiles = [
(secrets.file config "navidrome-env") config.desu.secrets.navidrome-env.path
]; ];
user = builtins.toString UID; user = builtins.toString UID;
}; };


@ -1,17 +1,10 @@
{ abs, config, pkgs, ... }@inputs: { config, ... }:
let let
secrets = import (abs "lib/secrets.nix");
UID = 1106; UID = 1106;
in { in {
imports = [ desu.secrets.bluesky-pds-secrets.owner = "bluesky-pds";
(secrets.declare [{
name = "bluesky-pds-secrets";
owner = "bluesky-pds";
}])
];
users.groups.bluesky-pds = {}; users.groups.bluesky-pds = {};
users.users.bluesky-pds = { users.users.bluesky-pds = {
@ -40,7 +33,7 @@ in {
}; };
environmentFiles = [ environmentFiles = [
# PDS_JWT_SECRET, PDS_ADMIN_PASSWORD, PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX # PDS_JWT_SECRET, PDS_ADMIN_PASSWORD, PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX
(secrets.file config "bluesky-pds-secrets") config.desu.secrets.bluesky-pds-secrets.path
]; ];
user = builtins.toString UID; user = builtins.toString UID;
}; };


@ -1,19 +1,15 @@
{ pkgs, abs, config, ... }@inputs: { config, ... }:
let let
secrets = import (abs "lib/secrets.nix");
UID = 1112; UID = 1112;
WEBDAV_PORT = 16821; WEBDAV_PORT = 16821;
in { in {
imports = [ imports = [
(secrets.declare [{
name = "sftpgo-env";
owner = "sftpgo";
}])
./samba.nix ./samba.nix
]; ];
desu.secrets.sftpgo-env.owner = "sftpgo";
users.users.sftpgo = { users.users.sftpgo = {
isNormalUser = true; isNormalUser = true;
uid = UID; uid = UID;
@ -44,7 +40,7 @@ in {
SFTPGO_HTTPD__BINDINGS__0__OIDC__IMPLICIT_ROLES = "true"; SFTPGO_HTTPD__BINDINGS__0__OIDC__IMPLICIT_ROLES = "true";
}; };
environmentFiles = [ environmentFiles = [
(secrets.file config "sftpgo-env") config.desu.secrets.sftpgo-env.path
]; ];
ports = [ ports = [
"${builtins.toString WEBDAV_PORT}:80" "${builtins.toString WEBDAV_PORT}:80"


@ -1,10 +1,8 @@
{ abs, pkgs, ... }@inputs: { pkgs, ... }:
let let
UID = 1104; UID = 1104;
trivial = import (abs "lib/trivial.nix") inputs; context = pkgs.copyPathToStore ./.;
context = trivial.storeDirectory ./.;
in { in {
users.users.misskey = { users.users.misskey = {
isNormalUser = true; isNormalUser = true;


@ -1,18 +1,9 @@
{ abs, pkgs, config, ... }@inputs: { pkgs, ... }:
let let
secrets = import (abs "lib/secrets.nix");
trivial = import (abs "lib/trivial.nix") inputs;
UID = 1113; UID = 1113;
context = trivial.storeDirectory ./image; context = pkgs.copyPathToStore ./image;
in { in {
imports = [
(secrets.declare [{
name = "siyuan-teidesu-proxy-env";
owner = "siyuan-teidesu";
}])
];
users.users.siyuan-teidesu = { users.users.siyuan-teidesu = {
isNormalUser = true; isNormalUser = true;
uid = UID; uid = UID;
@ -40,6 +31,7 @@ in {
"d /srv/siyuan-teidesu 0700 ${builtins.toString UID} ${builtins.toString UID} -" "d /srv/siyuan-teidesu 0700 ${builtins.toString UID} ${builtins.toString UID} -"
]; ];
desu.secrets.siyuan-teidesu-proxy-env.owner = "siyuan-teidesu";
desu.openid-proxy.services.siyuan-teidesu = { desu.openid-proxy.services.siyuan-teidesu = {
clientId = "teidesu-siyuan"; clientId = "teidesu-siyuan";
domain = "siyuan.tei.su"; domain = "siyuan.tei.su";


@ -1,16 +1,9 @@
{ abs, config, ... } @ inputs: { config, ... } @ inputs:
let let
secrets = import (abs "lib/secrets.nix");
UID = 1103; UID = 1103;
in { in {
imports = [ desu.secrets.teisu-env.owner = "teisu";
(secrets.declare [{
name = "teisu-env";
owner = "teisu";
}])
];
users.users.teisu = { users.users.teisu = {
isNormalUser = true; isNormalUser = true;
@ -23,7 +16,7 @@ in {
"/srv/teisu:/app/.runtime" "/srv/teisu:/app/.runtime"
]; ];
environmentFiles = [ environmentFiles = [
(secrets.file config "teisu-env") config.desu.secrets.teisu-env.path
]; ];
user = builtins.toString UID; user = builtins.toString UID;
}; };


@ -1,16 +1,12 @@
{ abs, lib, pkgs, config, ... }@inputs: { abs, pkgs, config, ... }@inputs:
let let
containers = (import (abs "lib/containers.nix") inputs); containers = (import (abs "lib/containers.nix") inputs);
secrets = import (abs "lib/secrets.nix");
dlWebhook = secrets.mount config "qbt-dl-webhook";
in in
{ {
desu.secrets.qbt-dl-webhook.mode = "777";
desu.secrets.torrent-proxy-env.mode = "777";
imports = [ imports = [
(secrets.declare [
{ name = "qbt-dl-webhook"; mode = "777"; }
{ name = "torrent-proxy-env"; mode = "777"; }
])
(containers.mkNixosContainer { (containers.mkNixosContainer {
name = "torrent"; name = "torrent";
ephemeral = false; ephemeral = false;
@ -26,7 +22,7 @@ in
}; };
setup = { config, ... }: '' setup = { config, ... }: ''
mkdir -p /var/lib/qbittorrent/temp mkdir -p /var/lib/qbittorrent/temp
dl_webhook=`cat ${dlWebhook.path}` dl_webhook=`cat /mnt/secrets/qbt-dl-webhook`
sed -i "s|%DL_WEBHOOK%|$dl_webhook|g" ${config} sed -i "s|%DL_WEBHOOK%|$dl_webhook|g" ${config}
''; '';
config = { config = {
@ -71,7 +67,11 @@ in
hostPath = "/mnt/puffer/Downloads"; hostPath = "/mnt/puffer/Downloads";
isReadOnly = false; isReadOnly = false;
}; };
} // (dlWebhook.mounts); "/mnt/secrets/qbt-dl-webhook" = {
hostPath = config.desu.secrets.qbt-dl-webhook.path;
isReadOnly = true;
};
};
}) })
]; ];
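Review bot: `desu.secrets.qbt-dl-webhook.mode = "777"` and the `torrent-proxy-env` line below it leave both secrets world-readable and world-writable on the host, so any local user or process can read or replace the webhook; the new bind mount is `isReadOnly = true`, so write permission buys the container nothing. Presumably the wide mode exists because the container's service uid is not a host user; `mode = "0444"` is the narrowest setting that keeps the current behaviour, and an `owner`/`group` matching the container's uid would be better still if the container maps ids 1:1 (not visible here). The path `/mnt/secrets/qbt-dl-webhook` is now spelled twice, in the `cat` inside `setup` and as the bind-mount key, where the removed `dlWebhook` binding kept them in one place; a small `let` value for the in-container path would restore that. The `mkNixosContainer` call continues in context outside these hunks.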


@ -1,16 +1,9 @@
{ abs, pkgs, config, ... }@inputs: { config, ... }:
let let
secrets = import (abs "lib/secrets.nix");
UID = 1109; UID = 1109;
in { in {
imports = [ desu.secrets.vaultwarden-env.owner = "vaultwarden";
(secrets.declare [{
name = "vaultwarden-env";
owner = "vaultwarden";
}])
];
virtualisation.oci-containers.containers.vaultwarden = { virtualisation.oci-containers.containers.vaultwarden = {
image = "vaultwarden/server:1.32.5-alpine"; image = "vaultwarden/server:1.32.5-alpine";
@ -26,7 +19,7 @@ in {
EXPERIMENTAL_CLIENT_FEATURE_FLAGS = "ssh-key-vault-item,ssh-agent,extension-refresh"; EXPERIMENTAL_CLIENT_FEATURE_FLAGS = "ssh-key-vault-item,ssh-agent,extension-refresh";
}; };
environmentFiles = [ environmentFiles = [
(secrets.file config "vaultwarden-env") config.desu.secrets.vaultwarden-env.path
]; ];
user = builtins.toString UID; user = builtins.toString UID;
}; };


@ -3,7 +3,7 @@ storage: /verdaccio/storage
web: web:
enable: true enable: true
title: alina's personal registry title: alina's personal registry meow
primary_color: "#be15dc" primary_color: "#be15dc"
uplinks: uplinks:


@ -1,19 +1,9 @@
{ abs, pkgs, config, ... } @ inputs: { config, ... }:
let let
secrets = import (abs "lib/secrets.nix");
trivial = import (abs "lib/trivial.nix") inputs;
configDrv = trivial.storeDirectory ./config;
UID = 1100; UID = 1100;
in { in {
imports = [ desu.secrets.verdaccio-htpasswd.owner = "verdaccio";
(secrets.declare [{
name = "verdaccio-htpasswd";
owner = "verdaccio";
}])
];
users.users.verdaccio = { users.users.verdaccio = {
isNormalUser = true; isNormalUser = true;
@ -23,8 +13,8 @@ in {
virtualisation.oci-containers.containers.verdaccio = { virtualisation.oci-containers.containers.verdaccio = {
image = "verdaccio/verdaccio:5.31@sha256:c77fec2127a1c3d17fc0795786f1e1bd88258e6d7af1835786ced4f7c7287da8"; image = "verdaccio/verdaccio:5.31@sha256:c77fec2127a1c3d17fc0795786f1e1bd88258e6d7af1835786ced4f7c7287da8";
volumes = [ volumes = [
"${configDrv}:/verdaccio/conf" "${./config.yaml}:/verdaccio/conf/config.yaml"
"${secrets.file config "verdaccio-htpasswd"}:/verdaccio/htpasswd" "${config.desu.secrets.verdaccio-htpasswd.path}:/verdaccio/htpasswd"
"/srv/verdaccio/storage:/verdaccio/storage" "/srv/verdaccio/storage:/verdaccio/storage"
"/srv/verdaccio/plugins:/verdaccio/plugins" "/srv/verdaccio/plugins:/verdaccio/plugins"
]; ];


@ -1,18 +1,9 @@
{ abs, pkgs, config, ... }@inputs: { config, ... }:
let let
secrets = import (abs "lib/secrets.nix");
UID = 1115; UID = 1115;
in { in {
imports = [ desu.secrets.wakapi-env.owner = "wakapi";
(secrets.declare [
{
name = "wakapi-env";
owner = "wakapi";
}
])
];
users.users.wakapi = { users.users.wakapi = {
isNormalUser = true; isNormalUser = true;
@ -55,7 +46,7 @@ in {
}; };
environmentFiles = [ environmentFiles = [
(secrets.file config "wakapi-env") config.desu.secrets.wakapi-env.path
]; ];
user = "${builtins.toString UID}"; user = "${builtins.toString UID}";


@ -1,20 +1,9 @@
{ abs, config, ... }: { config, ... }:
let let
secrets = import (abs "lib/secrets.nix");
UID = 1116; UID = 1116;
in { in {
# todo 2: update UMAMI_HOST in teisu-env desu.secrets.umami-env.owner = "umami";
imports = [
(secrets.declare [
{
name = "umami-env";
owner = "umami";
}
])
];
users.users.umami = { users.users.umami = {
isNormalUser = true; isNormalUser = true;
@ -39,7 +28,7 @@ in {
}; };
environmentFiles = [ environmentFiles = [
(secrets.file config "umami-env") config.desu.secrets.umami-env.path
]; ];
user = "${builtins.toString UID}"; user = "${builtins.toString UID}";


@ -1,11 +1,9 @@
{ abs, pkgs, ... } @ inputs: { pkgs, ... }:
let {
trivial = import (abs "lib/trivial.nix") inputs;
in {
services.nginx.virtualHosts."stupid.fish" = { services.nginx.virtualHosts."stupid.fish" = {
forceSSL = true; forceSSL = true;
useACMEHost = "stupid.fish"; useACMEHost = "stupid.fish";
root = trivial.storeDirectory ./assets; root = pkgs.copyPathToStore ./assets;
}; };
} }


@ -1,13 +1,8 @@
{ pkgs, abs, config, ... }@inputs: { config, ... }:
let {
secrets = import (abs "lib/secrets.nix"); desu.secrets.cloudflare-email.owner = "nginx";
in { desu.secrets.cloudflare-token.owner = "nginx";
# sadly due to our network setup we cant properly extract this to a container
# not a big deal though, since we only need to run it once
imports = [
(secrets.declare ["cloudflare-email" "cloudflare-token"])
];
services.nginx = { services.nginx = {
enable = true; enable = true;
@ -78,8 +73,8 @@ in {
group = "nginx"; group = "nginx";
dnsProvider = "cloudflare"; dnsProvider = "cloudflare";
credentialFiles = { credentialFiles = {
"CLOUDFLARE_EMAIL_FILE" = config.age.secrets.cloudflare-email.path; "CLOUDFLARE_EMAIL_FILE" = config.desu.secrets.cloudflare-email.path;
"CLOUDFLARE_API_KEY_FILE" = config.age.secrets.cloudflare-token.path; "CLOUDFLARE_API_KEY_FILE" = config.desu.secrets.cloudflare-token.path;
}; };
}; };
in { in {
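Review bot: `CLOUDFLARE_EMAIL_FILE` plus `CLOUDFLARE_API_KEY_FILE` is lego's legacy Global API Key pair, which grants full account access to whoever can read the secret — here the `nginx` user, per the two `owner = "nginx"` lines at the top of the file; if `cloudflare-token` is in fact a scoped API token (as its name suggests), lego expects it as `"CLOUDFLARE_DNS_API_TOKEN_FILE" = config.desu.secrets.cloudflare-token.path;` and the email file is not needed. I can't tell from the hunk which kind of credential the file holds, so treat this as something to confirm rather than a definite defect; either way a one-line comment naming the credential type next to `credentialFiles` would save the next reader the same question. The `credentialFiles` attrset sits inside a `let` whose beginning and end are outside the hunk.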


@ -1,20 +1,14 @@
{ pkgs, abs, config, ... }: { config, ... }:
let {
secrets = import (abs "lib/secrets.nix");
secretsUnsafe = pkgs.callPackage (abs "lib/secrets-unsafe.nix") {}; desu.secrets.arumi-singbox-pub = {};
in { desu.secrets.arumi-singbox-sid = {};
imports = [ desu.secrets.arumi-singbox-koi-uuid = {};
(secrets.declare [ desu.secrets.vless-sakura-ip = {};
"arumi-singbox-pub" desu.secrets.vless-sakura-pk = {};
"arumi-singbox-sid" desu.secrets.vless-sakura-sid = {};
"arumi-singbox-koi-uuid" desu.secrets.vless-sakura-uuid = {};
"vless-sakura-ip"
"vless-sakura-pk"
"vless-sakura-sid"
"vless-sakura-uuid"
])
];
services.sing-box = { services.sing-box = {
enable = true; enable = true;
@ -36,7 +30,7 @@ in {
tag = "xtls-arumi"; tag = "xtls-arumi";
type = "vless"; type = "vless";
flow = "xtls-rprx-vision"; flow = "xtls-rprx-vision";
server = secretsUnsafe.readUnsafe "arumi-ip"; server = config.desu.readUnsafeSecret "arumi-ip";
server_port = 443; server_port = 443;
domain_strategy = ""; domain_strategy = "";
packet_encoding = ""; packet_encoding = "";
@ -46,32 +40,32 @@ in {
server_name = "updates.cdn-apple.com"; server_name = "updates.cdn-apple.com";
reality = { reality = {
enabled = true; enabled = true;
public_key._secret = secrets.file config "arumi-singbox-pub"; public_key._secret = config.desu.secrets.arumi-singbox-pub.path;
short_id._secret = secrets.file config "arumi-singbox-sid"; short_id._secret = config.desu.secrets.arumi-singbox-sid.path;
}; };
utls = { enabled = true; fingerprint = "edge"; }; utls = { enabled = true; fingerprint = "edge"; };
}; };
uuid._secret = secrets.file config "arumi-singbox-koi-uuid"; uuid._secret = config.desu.secrets.arumi-singbox-koi-uuid.path;
} }
{ {
# thanks kamillaova # thanks kamillaova
tag = "xtls-sakura"; tag = "xtls-sakura";
flow = "xtls-rprx-vision"; flow = "xtls-rprx-vision";
server._secret = secrets.file config "vless-sakura-ip"; server._secret = config.desu.secrets.vless-sakura-ip.path;
server_port = 443; server_port = 443;
tls = { tls = {
alpn = [ "h2" ]; alpn = [ "h2" ];
enabled = true; enabled = true;
reality = { reality = {
enabled = true; enabled = true;
public_key._secret = secrets.file config "vless-sakura-pk"; public_key._secret = config.desu.secrets.vless-sakura-pk.path;
short_id._secret = secrets.file config "vless-sakura-sid"; short_id._secret = config.desu.secrets.vless-sakura-sid.path;
}; };
server_name = "telegram.org"; server_name = "telegram.org";
utls = { enabled = true; fingerprint = "edge"; }; utls = { enabled = true; fingerprint = "edge"; };
}; };
type = "vless"; type = "vless";
uuid._secret = secrets.file config "vless-sakura-uuid"; uuid._secret = config.desu.secrets.vless-sakura-uuid.path;
} }
{ {
tag = "final"; tag = "final";


@ -1,7 +1,5 @@
{ pkgs, lib, ... }@inputs: { ... }:
let
trivial = import ./trivial.nix inputs;
in
{ {
# this function is quite deeply tied to my home network setup # this function is quite deeply tied to my home network setup
# i should make it more generic one day # i should make it more generic one day
@ -48,71 +46,4 @@ in
localAddress = "${ip}/16"; localAddress = "${ip}/16";
}) // containerConfig; }) // containerConfig;
}; };
# nixos oci-containers fucking suck, so we just do a one-shot
# systemd service that invokes docker-compose
#
# not very reproducible nor declarative, but compatible with pretty much
# anything, which is (imo) more important for a home server
mkDockerComposeContainer =
{ directory
, name ? builtins.baseNameOf directory
, autoStart ? true
, extraConfig ? { }
, env ? { }
, envFiles ? [ ]
, extraFlags ? [ ]
, after ? [ ]
}:
let
# referencing the file directly would make the service dependant
# on the entire flake, resulting in the container being restarted
# every time we change anything at all
storeDir = trivial.storeDirectory directory;
inlineEnvNames = builtins.attrNames env;
inlineEnvDrv = lib.optionals (builtins.length inlineEnvNames != 0) [
(pkgs.writeText "${name}.env" (
builtins.concatStringsSep "\n" (
map (name: "${name}=${builtins.toJSON env.${name}}") inlineEnvNames
)
))
];
allEnvFiles = envFiles ++ inlineEnvDrv;
cmdline = builtins.concatStringsSep " " (
[
"--build"
"--remove-orphans"
] ++ extraFlags
);
cmdlineBeforeUp = builtins.concatStringsSep " " (
map (env: "--env-file ${lib.escapeShellArg env}") allEnvFiles
);
in
{
systemd.services."docker-compose-${name}" = {
wantedBy = if autoStart then [ "multi-user.target" ] else [ ];
after = [ "docker.service" "docker.socket" ] ++ after;
serviceConfig = {
WorkingDirectory = storeDir;
ExecStart = "${pkgs.docker}/bin/docker compose ${cmdlineBeforeUp} up ${cmdline}";
ExecStopPost = "${pkgs.docker}/bin/docker compose down";
} // (extraConfig.serviceConfig or { });
} // (builtins.removeAttrs extraConfig [ "serviceConfig" ]);
};
# buildDockerfile = { name, context }: builtins.derivation {
# name = "${name}-image";
# # __noChroot = true;
# src = context;
# builder = pkgs.writeShellScript "builder.sh" (let
# docker = "${pkgs.docker}/bin/docker";
# in ''
# ${docker} build -t ${name} $src
# ${docker} save -o $out ${name}
# ${docker} image rm ${name}
# '');
# system = pkgs.system;
# };
} }

lib/desu/default.nix Normal file

@ -0,0 +1,5 @@
{
imports = [
./secrets.nix
];
}


@ -0,0 +1,22 @@
{
age,
writeShellScript,
system,
...
}:
{
readUnsafe = name: let
identityPath = ../secrets/unsafe.key;
path = ../secrets + "/UNSAFE.${name}.age";
drv = builtins.derivation {
system = system;
name = name;
src = path;
builder = writeShellScript "read-${name}.sh" ''
${age}/bin/age --decrypt --identity ${identityPath} $src > $out
'';
};
in builtins.readFile drv;
}
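Review bot: Interpolating the Nix path `${identityPath}` into the builder script copies `secrets/unsafe.key` — the private age identity — into `/nix/store`, which is world-readable on the host and on every machine the closure is pushed to, and the decrypted `$out` lands in the store too before `builtins.readFile` splices it into the evaluated config. The file name signals this, but a header comment would stop a reader from reusing the helper for a secret that matters: `# Build-time decryption: unsafe.key AND the plaintext end up in the world-readable Nix store. Only for values that are merely obfuscated, never for real secrets.` This function also duplicates `config.desu.readUnsafeSecret` in lib/desu/secrets.nix (same logic, different relative path to `secrets/`), which the sing-box config in this commit now calls instead; if nothing else still imports this file, dropping it avoids two copies of the same key path drifting apart.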

lib/desu/secrets.nix Normal file

@ -0,0 +1,66 @@
{ config, pkgs, lib, ... }:
{
options = with lib; {
desu.readUnsafeSecret = mkOption { type = types.anything; };
desu.secrets = mkOption {
type = types.attrsOf (types.submodule ({ name, ... }: {
options = {
path = mkOption {
type = types.str;
default = config.age.secrets.${name}.path;
};
unsafe = mkOption {
type = types.bool;
default = false;
};
mode = mkOption {
type = types.str;
default = "0400";
};
owner = mkOption {
type = types.str;
default = "0";
};
group = mkOption {
type = types.str;
default = "0";
};
};
}));
};
};
config = {
desu.readUnsafeSecret = name: let
identityPath = ../../secrets/unsafe.key;
path = ../../secrets + "/UNSAFE.${name}.age";
drv = builtins.derivation {
system = pkgs.system;
name = name;
src = path;
builder = pkgs.writeShellScript "read-${name}.sh" ''
${pkgs.age}/bin/age --decrypt --identity ${identityPath} $src > $out
'';
};
in builtins.readFile drv;
age.secrets = builtins.listToAttrs (
map (name: let
cfg = config.desu.secrets.${name};
in {
# unsafe secrets are handled at build-time
name = if cfg.unsafe then null else name;
value = {
file = ../../secrets + "/${name}.age";
owner = cfg.owner;
group = cfg.group;
mode = cfg.mode;
};
}) (builtins.attrNames config.desu.secrets)
);
};
}
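Review bot: `name = if cfg.unsafe then null else name;` hands `builtins.listToAttrs` a `null` name, which as far as I can tell aborts evaluation ("value is null while a string was expected") instead of skipping the entry, so the `unsafe = true` path cannot actually be used; the `path` option's default also still reads `config.age.secrets.${name}.path`, which would not exist for an unsafe secret. Nothing in this commit sets `unsafe = true`, so the breakage is latent, but filtering before building the attrset fixes the first problem and costs nothing now. Separately, `readUnsafeSecret` copies `../../secrets/unsafe.key` into the world-readable Nix store via the `${identityPath}` interpolation, and the plaintext `$out` ends up there as well; a `description` on the `desu.readUnsafeSecret` option saying exactly that would keep callers from reaching for it with a real secret.
```nix
    age.secrets = lib.mapAttrs (name: cfg: {
      file = ../../secrets + "/${name}.age";
      inherit (cfg) owner group mode;
    }) (lib.filterAttrs (_: cfg: !cfg.unsafe) config.desu.secrets);
```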


@ -1,24 +0,0 @@
{ pkgs, ... }@inputs:
{
storeDirectory = dir:
let
dirName = builtins.baseNameOf dir;
drv = derivation {
name = dirName;
src = dir;
builder = pkgs.writeShellScript "builder.sh" ''
${pkgs.coreutils}/bin/mkdir -p $out/${dirName}
for i in $(${pkgs.coreutils}/bin/ls -A $src); do
${pkgs.coreutils}/bin/cp -rf $src/$i $out/${dirName}
done
'';
system = pkgs.system;
};
in
"${drv}/${dirName}";
yaml2json = file: pkgs.runCommand "yaml2json" { buildInputs = [ pkgs.yq ]; } ''
yq -j < ${file} > $out
'';
}