Commit 11e2fec
hosts/chaser-kevin/default.nix
@@ -23,11 +23,12 @@ in {
./boot.nix
];
- networking =
- {
- inherit hostName;
- }
- // myvars.networking.generateHostNetworking hostName;
+ modules.my-hosts.${hostName}.network = {
+ enable = "networkmanager";
+ iface = "wlp0s20f3";
+ useDHCP = true;
+ nameservers = myvars.defaultNameservers;
+ };
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
hosts/chaser-kevin/miscs.nix
@@ -29,9 +29,10 @@
# Touchpad
services.libinput.enable = true;
- # Network Manager
- environment.systemPackages = with pkgs; [networkmanagerapplet];
-
# √(3200² + 2000²) px / 16 in ≃ 235 dpi
services.xserver.dpi = 235;
+
+ # Mihomo
+ services.mihomo.enable = true;
+ modules.secrets.mihomo.enable = true;
}
modules/base/hosts.nix
@@ -0,0 +1,75 @@
+{lib, ...}:
+with lib; let
+ hostModule = types.submodule {
+ options = {
+ network = mkOption {
+ type = networkModule;
+ default = {};
+ description = "Network configurations of the host.";
+ };
+ hostPublicKey = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ };
+ sshPorts = mkOption {
+ type = types.listOf types.port;
+ default = [22];
+ };
+ };
+ };
+
+ networkModule = types.submodule {
+ options = {
+ enable = mkOption {
+ type = types.nullOr (types.enum ["networkmanager" "networkd"]);
+ default = null;
+ description = "Which network manager to use.";
+ };
+ iface = mkOption {
+ type = types.str;
+ };
+ useDHCP = mkOption {
+ type = types.bool;
+ default = false;
+ };
+ nameservers = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ };
+ search = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ };
+ ipv4 = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ };
+ ipv6 = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ };
+ prefixLength4 = mkOption {
+ type = types.int;
+ default = 24;
+ };
+ prefixLength6 = mkOption {
+ type = types.int;
+ default = 64;
+ };
+ defaultGateway = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ };
+ defaultGateway6 = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ };
+ };
+ };
+in {
+ options.modules.my-hosts = mkOption {
+ type = types.attrsOf hostModule;
+ description = "My nix hosts general configuration";
+ default = {};
+ };
+}
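Review bot: `hostPublicKey` and `sshPorts` carry no description, and `iface` has neither a default nor a description, even though both consumers in this commit (modules/nixos/base/networking.nix and ssh.nix) index `modules.my-hosts.${hostName}` unconditionally, so every host must declare an entry. State that in the `modules.my-hosts` description, e.g. `description = "Per-host settings; every NixOS host must have an entry keyed by its hostName (read by networking.nix, ssh.nix and users.nix).";`, and give hostPublicKey one such as `"SSH host public key, pinned in programs.ssh.knownHosts on the other hosts."`, which is how modules/base/users.nix consumes it. The prefix lengths could also be bounded, `type = types.ints.between 0 32;` for prefixLength4 and `type = types.ints.between 0 128;` for prefixLength6, so a mistyped mask is rejected at evaluation time rather than at boot.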
modules/base/users.nix
@@ -1,5 +1,37 @@
-{myvars, ...}: {
- programs.ssh = myvars.networking.ssh;
+{
+ lib,
+ myvars,
+ config,
+ ...
+}: let
+ hosts = config.modules.my-hosts;
+ sshTargetHosts = lib.filterAttrs (n: v: !builtins.isNull v.hostPublicKey) hosts;
+in {
+ programs.ssh = {
+ extraConfig =
+ lib.attrsets.foldlAttrs
+ (acc: host: val:
+ acc
+ + ''
+ Host ${host}
+ HostName ${val.network.ipv4}
+ Port ${val.sshPort}
+ '')
+ ""
+ sshTargetHosts;
+ knownHosts =
+ lib.mapAttrs'
+ (
+ host: value:
+ lib.attrsets.nameValuePair
+ (value.network.ipv4)
+ {
+ inherit (value) hostPublicKey;
+ hostNames = [host];
+ }
+ )
+ sshTargetHosts;
+ };
users.users.${myvars.username} = {
description = myvars.userfullname;
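Review bot: `Port ${val.sshPort}` in the extraConfig fold reads an attribute the host submodule never declares — modules/base/hosts.nix defines `sshPorts`, a list of ports — so evaluation fails as soon as any host sets hostPublicKey. Use the first listed port, `Port ${toString (builtins.head val.sshPorts)}`, or emit one `Port` line per entry. The `sshTargetHosts` filter keys only on hostPublicKey, so a host with a key but no network.ipv4 also fails, since both `HostName ${val.network.ipv4}` and the knownHosts attribute name coerce null; widen it to `lib.filterAttrs (n: v: v.hostPublicKey != null && v.network.ipv4 != null) hosts`. The users.users definition continues past the hunk.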
modules/nixos/base/mihomo/default.nix
@@ -5,7 +5,7 @@
...
}: {
services.mihomo = {
- enable = lib.mkDefault true;
+ enable = lib.mkDefault false;
tunMode = true;
webui = pkgs.metacubexd;
configFile = config.sops.templates."mihomo-config.yaml".path;
modules/nixos/base/networking.nix
@@ -1,21 +1,77 @@
{
- # Network discovery, mDNS
- # With this enabled, you can access your machine at <hostname>.local
- # it's more convenient than using the IP address.
- # https://avahi.org/
- services.avahi = {
- enable = true;
- nssmdns4 = true;
- publish = {
- enable = true;
- domain = true;
- userServices = true;
- };
- };
+ config,
+ lib,
+ hostName,
+ ...
+}:
+lib.mkMerge [
+ {
+ # Use an NTP server located in the mainland of China to synchronize the system time
+ networking.timeServers = [
+ "ntp.aliyun.com" # Aliyun NTP Server
+ "ntp.tencent.com" # Tencent NTP Server
+ ];
+ }
- # Use an NTP server located in the mainland of China to synchronize the system time
- networking.timeServers = [
- "ntp.aliyun.com" # Aliyun NTP Server
- "ntp.tencent.com" # Tencent NTP Server
- ];
-}
+ (let
+ cfg = config.modules.my-hosts.${hostName}.network;
+ in
+ lib.mkIf cfg.useDHCP {
+ assertions = map (x: {
+ assertion = cfg.${x} == null;
+ message = "my-host.network.useDHCP is confilt with my-host.network.${x}";
+ }) ["ipv4" "ipv6"];
+ })
+
+ (let
+ cfg = config.modules.my-hosts.${hostName}.network;
+ in
+ lib.mkIf
+ (cfg.enable == "networkmanager")
+ {
+ networking = with cfg; {
+ networkmanager.enable = true;
+ useDHCP = lib.mkDefault useDHCP;
+ inherit hostName search defaultGateway defaultGateway6 nameservers;
+ interfaces.${cfg.iface} = lib.mkIf (!builtins.isNull cfg.ipv4 && !builtins.isNull cfg.ipv6) {
+ ipv4.addresses = lib.optional (!builtins.isNull cfg.ipv4) {
+ address = cfg.ipv4;
+ prefixLength = cfg.prefixLength4;
+ };
+ ipv6.addresses = lib.optional (!builtins.isNull cfg.ipv6) {
+ address = cfg.ipv6;
+ prefixLength = cfg.prefixLength6;
+ };
+ };
+ };
+ })
+ (let
+ cfg = config.modules.my-hosts.${hostName}.network;
+ in
+ lib.mkIf
+ (cfg.enable == "networkd")
+ {
+ networking.useNetworkd = true;
+ networking.hostName = hostName;
+ systemd.network.networks."10-${cfg.iface}" = {
+ matchConfig.Name = [cfg.iface];
+ networkConfig = {
+ Address =
+ (lib.optionals (!builtins.isNull cfg.ipv4) ["${cfg.ipv4}/${toString cfg.prefixLength4}"])
+ ++ (lib.optionals (!builtins.isNull cfg.ipv6) ["${cfg.ipv6}/${toString cfg.prefixLength6}"]);
+ DNS = cfg.nameservers;
+ };
+ routes =
+ (lib.optional (!builtins.isNull cfg.defaultGateway)
+ {
+ Destination = "0.0.0.0/0";
+ Gateway = cfg.defaultGateway;
+ })
+ ++ (lib.optional (!builtins.isNull cfg.defaultGateway6) {
+ Destination = "::/0";
+ Gateway = cfg.defaultGateway6;
+ });
+ linkConfig.RequiredForOnline = "routable";
+ };
+ })
+]
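Review bot: The guard on `interfaces.${cfg.iface}` in the networkmanager branch requires both `cfg.ipv4` and `cfg.ipv6` to be non-null before any static address is applied, while the two `lib.optional` calls inside it already handle each address independently, so a host with only an IPv4 address gets no static configuration at all. The condition should be `lib.mkIf (cfg.ipv4 != null || cfg.ipv6 != null)`, or be dropped, since empty address lists are harmless. The assertion message in the useDHCP block misspells "conflict" and names `my-host.network` rather than the real option path `modules.my-hosts.<name>.network`. The three identical `let cfg = …` bindings could be hoisted into one binding above `lib.mkMerge`. In the networkd branch the assertion accepts useDHCP but nothing writes `DHCP=` into the network unit, so I would expect a DHCP host on networkd to come up without addresses — worth confirming.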
modules/nixos/base/ssh.nix
@@ -1,9 +1,15 @@
-{lib, ...}: {
+{
+ lib,
+ config,
+ hostName,
+ ...
+}: {
# Or disable the firewall altogether.
networking.firewall.enable = lib.mkDefault false;
# Enable the OpenSSH daemon.
services.openssh = {
enable = true;
+ ports = config.modules.my-hosts.${hostName}.sshPorts;
settings = {
# root user is used for remote deployment.
PermitRootLogin = "prohibit-password";
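Review bot: `ports = config.modules.my-hosts.${hostName}.sshPorts;` fails evaluation with a bare missing-attribute error for any host that has no `modules.my-hosts.<hostName>` entry, because attrsOf has no per-key default. If every host is expected to declare itself, an assertion with a clear message is friendlier than the attribute error; otherwise `config.modules.my-hosts.${hostName}.sshPorts or [22]` keeps the previous behaviour. The context still disables the firewall by default (`networking.firewall.enable = lib.mkDefault false`), so every port listed in sshPorts is reachable without any firewall rule; now that the listening ports are data-driven, a comment on the `ports` line saying so would help the next reader. The services.openssh set continues past the hunk.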
outputs/x86_64-linux/src/kevin.nix
@@ -29,6 +29,10 @@
};
in {
nixosConfigurations = {
- "${name}" = mylib.nixosSystem (base-modules // args);
+ "${name}" = mylib.nixosSystem (base-modules
+ // args
+ // {
+ genSpecialArgs = system: (genSpecialArgs system) // {hostName = name;};
+ });
};
}
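Review bot: The `genSpecialArgs = system: (genSpecialArgs system) // {hostName = name;};` override is duplicated verbatim in outputs/x86_64-linux/src/pardofelis.nix, and every future host file will need the same line. A small helper in mylib (constructed example: `mylib.withHostName name args`, performing the same merge) would keep the host files in step as the special args grow. The `in { … }` body of kevin.nix continues past the hunk, so I cannot tell whether the colmena output there gets the same override.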
outputs/x86_64-linux/src/pardofelis.nix
@@ -0,0 +1,42 @@
+{
+ # NOTE: the args not used in this file CAN NOT be removed!
+ # because haumea pass argument lazily,
+ # and these arguments are used in the functions like `mylib.nixosSystem`, `mylib.colmenaSystem`, etc.
+ inputs,
+ lib,
+ myvars,
+ mylib,
+ system,
+ genSpecialArgs,
+ ...
+} @ args: let
+ # Pardofelis - Codename "Reverie", 13th of Flame-Chasers
+ name = "pardofelis";
+ tags = ["pardo" "vps"];
+ ssh-user = "root";
+
+ modules = {
+ nixos-modules = map mylib.relativeToRoot [
+ # common
+ "secrets/nixos.nix"
+ "modules/nixos/server/x86_64.nix"
+ # host specific
+ "hosts/chaser-${name}"
+ ];
+ home-modules = map mylib.relativeToRoot [
+ "home/linux/core.nix"
+ ];
+ };
+
+ systemArgs =
+ modules
+ // args
+ // {
+ genSpecialArgs = system: (genSpecialArgs system) // {hostName = name;};
+ };
+in {
+ nixosConfigurations.${name} = mylib.nixosSystem systemArgs;
+
+ colmena.${name} =
+ mylib.colmenaSystem (systemArgs // {inherit tags ssh-user;});
+}
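Review bot: The host directory this file imports, `hosts/chaser-${name}` (hosts/chaser-pardofelis), is not among the 22 changed files, nor is `modules/nixos/server/x86_64.nix`; unless both already exist, the flake fails to evaluate this output. `ssh-user = "root"` relies on the key-only root login that modules/nixos/base/ssh.nix configures with `PermitRootLogin = "prohibit-password"`; a one-line comment on the `ssh-user` line, `# colmena deploys as root; ssh.nix only permits key-based root login`, records that dependency. The override `genSpecialArgs = system: (genSpecialArgs system) // {hostName = name;};` repeats kevin.nix line for line and is a candidate for a shared helper.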
secrets/base/default.nix
@@ -1,15 +0,0 @@
-let
- mapSecrets = keys:
- builtins.listToAttrs (builtins.map (k: {
- name = k;
- value = {
- format = "yaml";
- sopsFile = ./secrets.yaml;
- };
- })
- keys);
-in {
- sops.secrets = mapSecrets [
- "github-access-token"
- ];
-}
secrets/base/secrets.yaml
@@ -1,28 +0,0 @@
-github-access-token: ENC[AES256_GCM,data:Ca/NER89MA1sF+bGc6Tcz/OVr7vlu7fh6p0eZWEONQ9HvkNeXN1aB3duWLTCWUTv+qvTYXrNicOTVFpLdlpaq3oJhZno+l6jbDu00DIOFUFyg8VfOXXZYPxlCx/K,iv:e+nTOBn4GAARFDXdWOEGZYMvzgjFUwxfk2BmY/Xm/A4=,tag:UuvOUtZ5LbFyy3JAEux40Q==,type:str]
-sops:
- age:
- - recipient: age1sur93fevme8az4v6txee9uw7gk8xcpz2u0mfzvayavrcx9zkefxsmcpnln
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4MUJodUUvWkxNeDQyemR0
- NmhWV20vNFRkK0JUN3JFZUpyZHl1WVdBaFFnCjJ3Zmdra2RlODkrZkc3Kzk5Q2Zy
- N2plT2dRQkUzOG53RDUrZHY1ZjFsS1EKLS0tIGdRREVxaGc5S1ZTV1R0NmNvenpJ
- Yi9ZV013dWo1NjlEbkREMlYxL3FZS0EKMStYByW8u5mTQ+ZthgWqTTOsjatJVuFo
- 5bOZw/lgD5L6XcSb+xWbM21dlV/Vn7ulMsTHM7FE2Z36OGQc0cwQUA==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-07-13T16:55:44Z"
- mac: ENC[AES256_GCM,data:avJXHLxu1WPUILzgUpDVobGbhABJq/yKJExBVZx56KN0gMM/Q7GzSoK4GAglw6nrJSLbYwHN/IzH3X/rR5Z1YYD/imHJO/rO5YCMYlnZvXXk/9Hif4bi5e8NdyuWrNGXrSYfUU68x9VVEGF0UWTFu+TAQihXvrx4LLA9J6dmetw=,iv:KgD3mAtonjL6l2WNkcfAyw7NxSxRUezEwNlImQ+9fLY=,tag:tsJaOH2TJFVqdcjLQ4xVTQ==,type:str]
- pgp:
- - created_at: "2025-06-03T17:06:45Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
-
- hF4Dh4vQ8CmRuq4SAQdAMt829MplCrLDjQjnpmQfj1f1l98VHir3KmuwyHHqYUgw
- F+I8O8PReUS+LKLFy+H1HbrsAuBUfnC8y8q9a6eX092cjX3hcNRAlPMUa89yG1Ud
- 0l4B43c42oJb/mxgorqnjMieIAE3pzXd2vX/qFZzKMZHFT30rpwWGXQibW4nRG2Q
- fmboUVQPEcwx/9FdO9kQP8lldCQA5ny6HalKL0e3LWTXSi39XpTtb8ZMO6G3xvG/
- =kTIM
- -----END PGP MESSAGE-----
- fp: 56AC2ED35E51AFE66EAAA569878BD0F02991BAAE
- unencrypted_suffix: _unencrypted
- version: 3.10.2
secrets/hosts/default.nix
@@ -0,0 +1,3 @@
+{mylib, ...}: {
+ imports = mylib.scanModules ./.;
+}
secrets/nixos/default.nix
@@ -1,17 +0,0 @@
-let
- mapSecrets = keys:
- builtins.listToAttrs (builtins.map (k: {
- name = k;
- value = {
- format = "yaml";
- sopsFile = ./secrets.yaml;
- };
- })
- keys);
-in {
- sops.secrets = mapSecrets [
- "mihomo/providers/yi_yuan"
- "mihomo/providers/mo_jie"
- "aria2-rpc-secret"
- ];
-}
secrets/nixos/secrets.yaml
@@ -1,32 +0,0 @@
-mihomo:
- providers:
- yi_yuan: ENC[AES256_GCM,data:s+aeWYDpUzCJikFdwLaa5bbATg6VFz+dsqbuVJfHd+xnOxQm32lFCpTM3nM22Cw5Fy2KhVupwFKRhGzhwfGZXowf0QDc4fFpQH/nveb8/C82C0mJPGg5w3/r6G2PAsU=,iv:cikjeLhXqfoDDeJGOobRVqejmic8IINOa7Bh7rLDY6k=,tag:ExJCLLrf0Is2SsWZaAwBdg==,type:str]
- mo_jie: ENC[AES256_GCM,data:cCwgl6ZBXSyv0v9DYFHBk4sS29bQ4yt6SiVTIOMr6F/aBV0hzPavErpO7A6CYCfs6e03ZZCyvQVGjbA+c4TEH8+K/OPPKjUzpE3k3FwfJQ==,iv:tN2Kyo6X2eAAqx+/OOOtAW4YSIYaR2TuoPmUuLQuzCw=,tag:LbxetW8P44/TPV4uk6d63g==,type:str]
-aria2-rpc-secret: ENC[AES256_GCM,data:5q0HzOd4XjDbRA==,iv:54Fwf7RgpOPulHN9ZLglgWpB16EsqpPEiBAcgb2H/Ys=,tag:IKqsUXd4VH/ebaK+X+QiLw==,type:str]
-sops:
- age:
- - recipient: age1sur93fevme8az4v6txee9uw7gk8xcpz2u0mfzvayavrcx9zkefxsmcpnln
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3blBzNTR1eGhuUEJpUWor
- d1FqcGlSNnhPNVpJa1I3TlI0TDFHYS9PUTJjClpwREFVTTc0aTJBRW13Y3RWY0x4
- OWlVa3FNRUZYaWt6YXVJQnFWbVllcVUKLS0tICtKb05DdzlJYldDQndJaWdoclY4
- V0lEaEYxVVozUHpRRDcwOEFuc002WGMKH6ewbfK1BuUguYbHxEKbzTTC+QbSYHMB
- WIKu1bHYVaOu8grQq5A4RDDP8pgxFlLrKPDw841Oy5/jHFE4DYiQrw==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-07-13T16:58:03Z"
- mac: ENC[AES256_GCM,data:CurUQKMEi896f/wVzeZSKhHHFQmxi+D1bAHSYqYQMG7IgWL6h8MVhzx3AVHjIlgOU7ikf2HrBs/E9/oOMk5L68t89FLeCeiYWp9XFRU+lNzS/jhqmw/MCEIBDfJFvDhzO4HHZFHKd5yreSm1mTVgH5beTIq3VmeXTm8MtNgoNOQ=,iv:EsbIGcBhyNAOGLoCKzgT7IsDo5RBlvx8EfpHY0gpuUs=,tag:TcEHWrVZNa/VrkaqQC4Djg==,type:str]
- pgp:
- - created_at: "2025-07-13T16:57:48Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
-
- hF4Dh4vQ8CmRuq4SAQdA+tSoSJdi8OD88jazXVsI1LnPUe7kF1aVpZfzC3Vsq00w
- kXkPlD64pBLoRjwZ8ZHHR3EUD1+BoA2PfKeHWB8jF169d6K3wW4nFMAtCWvuBXEe
- 0lEBDCgTipKF03XhGPr59dUnMdpWtyA3R4IgowCEcmCq/HHY6F3PxUUmJ59jgGB2
- 0co9dGWZ7oGzLR8CLKKwWjJylOfiS08PIMrHVOo7Yi+pLPY=
- =rnOM
- -----END PGP MESSAGE-----
- fp: 56AC2ED35E51AFE66EAAA569878BD0F02991BAAE
- unencrypted_suffix: _unencrypted
- version: 3.10.2
secrets/base.nix
@@ -0,0 +1,15 @@
+{sops-nix, ...}: {
+ imports = [
+ sops-nix.nixosModules.sops
+ ./hosts
+ ];
+
+ sops.defaultSopsFile = ./secrets.yaml;
+
+ sops.secrets."github-access-token" = {};
+
+ sops.age = {
+ sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+ generateKey = true;
+ };
+}
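Review bot: `sops.secrets."github-access-token" = {};` is declared for every host importing this file, including the new VPS host from pardofelis.nix, and since the single secrets/secrets.yaml is now encrypted to every host's age key, each host can decrypt every secret whether or not it consumes it. Nothing in the hunk shows which unit or user reads the token; if only the workstation needs it, gating the declaration on that host, or keeping a per-host file under the newly added secrets/hosts directory, limits what a compromised server host key can decrypt.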
secrets/nixos.nix
@@ -1,12 +1,31 @@
-{sops-nix, ...}: {
- imports = [
- sops-nix.nixosModules.sops
- ./base
- ./nixos
- ];
+{
+ lib,
+ config,
+ ...
+}:
+with lib; let
+ cfg = config.modules.secrets;
+in {
+ imports = [./base.nix];
- sops.age = {
- sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
- generateKey = true;
+ options.modules.secrets = {
+ mihomo.enable = mkEnableOption "NixOS Secrets for Mihomo";
};
+
+ config = mkMerge [
+ {
+ sops.secrets = {
+ "aria2-rpc-secret" = {
+ restartUnits = ["aria2.service"];
+ };
+ };
+ }
+
+ (mkIf cfg.mihomo.enable {
+ sops.secrets = genAttrs [
+ "mihomo/providers/yi_yuan"
+ "mihomo/providers/mo_jie"
+ ] (name: {restartUnits = ["mihomo.service"];});
+ })
+ ];
}
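Review bot: `sops.secrets."aria2-rpc-secret"` is declared unconditionally for every host, while the mihomo secrets are gated on an enable option; gating it on `config.services.aria2.enable` in the same shape as the mihomo block would stop hosts that do not run aria2 from materializing the secret. `modules.secrets.mihomo.enable` and `services.mihomo.enable` are independent toggles that hosts/chaser-kevin/miscs.nix now has to flip together; defaulting the first to the second, `mihomo.enable = mkOption { type = types.bool; default = config.services.mihomo.enable; description = "..."; };`, would remove that coupling, assuming no evaluation cycle through the sops templates the mihomo module reads, which I cannot see here. The `(name: {restartUnits = …;})` lambda ignores its argument; `(_: {…})` makes that explicit.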
secrets/README.md
@@ -18,7 +18,7 @@ nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-ag
Open the secret file in the terminal using sops:
```sh
-sops secrets/base/secrets.yaml
+sops secrets/secrets.yaml
```
Then edit and add new secret fields:
@@ -28,7 +28,7 @@ this: "is a secret"
and: { a: { nest: secret } }
```
-Next, edit and add the field in `/secrets/base/default.nix`:
+Next, edit and add the field in `/secrets/base.nix`:
```nix
let
secrets/README.zh-CN.md
@@ -18,7 +18,7 @@ nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-ag
在终端中使用 sops 打开机密所在的文件:
```sh
-sops secrets/base/secrets.yaml
+sops secrets/secrets.yaml
```
并编辑添加新的机密字段:
@@ -28,7 +28,7 @@ this: "is a secret"
and: { a: { nest: secret } }
```
-随后在 `/secrets/base/default.nix` 中编辑添加该字段
+随后在 `/secrets/base.nix` 中编辑添加该字段
```nix
let
secrets/secrets.yaml
@@ -0,0 +1,42 @@
+github-access-token: ENC[AES256_GCM,data:Ca/NER89MA1sF+bGc6Tcz/OVr7vlu7fh6p0eZWEONQ9HvkNeXN1aB3duWLTCWUTv+qvTYXrNicOTVFpLdlpaq3oJhZno+l6jbDu00DIOFUFyg8VfOXXZYPxlCx/K,iv:e+nTOBn4GAARFDXdWOEGZYMvzgjFUwxfk2BmY/Xm/A4=,tag:UuvOUtZ5LbFyy3JAEux40Q==,type:str]
+mihomo:
+ providers:
+ yi_yuan: ENC[AES256_GCM,data:Lpgq1RVV35OT+oJC7280nJzN7lW77OYdEcVxBHRd0FzIu9D0hEC4VE8Gf0nw4LsL6BNQbZQtULmrSR1gi8DNGcjQJUGedA/LaOM7stL/g62FdYzNVVoDTyhRwOdxj8A=,iv:lwaEEDQkyCQDNML6Iv6jhZmz0zUU1SDhN363datm4Fs=,tag:J4vAVMXplSd9qz1eq2gFZA==,type:str]
+ mo_jie: ENC[AES256_GCM,data:QT+UjsZhrF3mBui6rxn9q7QkYTM69l2ZCi8ecIFOkMzwLNcsCrG5ir0v9t1SocDDnNXNxOC4lH+kot4MHXjjYE3VXXp2AGuYP66OB85Zsg==,iv:ZZ7l9CDc3Lleh/51URWX0x/b/+t1nQH+eijJ7AOj7z4=,tag:S9pA0nZUHkjwbza1kzCTwg==,type:str]
+aria2-rpc-secret: ENC[AES256_GCM,data:I6FYN/TRRP2ceQ==,iv:18dOBc/3WTden6Za2IaSoUOX5aY6M0jAwt94il0f5OI=,tag:WZf3xu7EC7cVlZU5urNWzQ==,type:str]
+sops:
+ age:
+ - recipient: age1sur93fevme8az4v6txee9uw7gk8xcpz2u0mfzvayavrcx9zkefxsmcpnln
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFNmtzTE1hNnhiZDVpMDd1
+ bHl4VnRmQjBhQnFjbE5wWHVkeFo1bWlMc1h3CmZPNVcxMGpFRENTeUJBMko2UlAw
+ QWFFN1gxU2NmWXRsU1d2Q1hPS2pCdUUKLS0tIElYOW4vOCt5bkFhVng1R0JPZGs5
+ VDZnMGVvYjVxYUFPMHZNU3UwbFpXNncKUiVCNLyEkSpXhke79nqn96FzuJiLII41
+ bYR/L23fhZ9FPCWed8iPGJQgDuWsCWwde7K1j+50g0L1RcNkONP0Wg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1paj3ugpwg9l282ae7rm9t9kre5f4glljx5gj7ncthnzxfdxlcqas0jw6zx
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFQ2NqRVhTSE5oOXlTdEhk
+ ZG0rUCt4akdIc25LY0x0T0hlL2tjM1k2M0FBCkJPQWFBNHAxUDhySHFPL0xxRVY3
+ ajRuVGJSUEJMejcxWUxkQWFNS0FrUUUKLS0tIFd6ck80UjRXYzBzODFLQXlNV2tI
+ VlhsclVpbUtQMk45YUx0OXJocHpycUkKQl63KY0SqgDHaG+VlfsnczVZ7PH520EE
+ vUrAq1GKMbouZmIv3Yn952jIzgUudvZXcTP7NAFehE96LQxig9S+Zw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-07-14T08:59:30Z"
+ mac: ENC[AES256_GCM,data:9r7iPa/5jOobUGHnLZvBPp1nbUBl+Buc84B+2au/GS37xKnfR0gLas1cKb9P6F1NLmQ+wqZMqp1J4HgkYZOJsPGr9Nq8Xw/7dW8rOdr0LIFzARug4XDml7shYd4xu5+jHoS4pC5Wl0Wpj76c0a11chTFsllUXVjnajoFWCBGGYM=,iv:dh+C4uOHe59WAfJuFv7GCaTeBGhWIad1xv3W5Eq611s=,tag:2r3CZZAEr1gXQ4oTazi7+A==,type:str]
+ pgp:
+ - created_at: "2025-07-14T09:17:48Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4Dh4vQ8CmRuq4SAQdAvuP3lTA11ezSlVRzvARkjKWEyXq55memX6VcnF1GaBow
+ YgRdrJxH7FZh1qUbGQ9+T6e3NUMhOHVHunmuZ5U5fohqmyrprZts1cY/qfl8/9zb
+ 0l4BPmwpi8sHg+YVEuyXHrTRLMcFABLcD2d5AQiae1LDTxZWzaWJt3VVyNpyCFcG
+ 3uVYvhFpeQhDCNPh1l6MtaTnCIYeXaUr7JPn/vFk5yg38HQmbE+lwlvxxF87vgPn
+ =0q2P
+ -----END PGP MESSAGE-----
+ fp: 56AC2ED35E51AFE66EAAA569878BD0F02991BAAE
+ unencrypted_suffix: _unencrypted
+ version: 3.10.2
vars/default.nix
@@ -2,7 +2,14 @@
username = "hpcesia";
userfullname = "HPCesia";
useremail = "me@hpcesia.com";
- networking = import ./networking.nix {inherit lib;};
+ defaultNameservers = [
+ # IPv4
+ "119.29.29.29" # DNSPod
+ "223.5.5.5" # AliDNS
+ # IPv6
+ "2400:3200::1" # Alidns
+ "2606:4700:4700::1111" # Cloudflare
+ ];
# generated by `mkpasswd -m scrypt`
initialHashedPassword = "$7$CU..../....xQnray7Ah6GYybfmtsxmF.$k0F/eaOC2.9gXwXp0jgMrFM.fnMtFqYi3GZFaaJGsl3";
# Public Keys that can be used to login to all my PC and servers.
vars/networking.nix
@@ -1,79 +0,0 @@
-{lib}: let
- defaultNameservers = [
- # IPv4
- "119.29.29.29" # DNSPod
- "223.5.5.5" # AliDNS
- # IPv6
- "2400:3200::1" # Alidns
- "2606:4700:4700::1111" # Cloudflare
- ];
-in rec {
- hosts = {
- kevin = {
- environment = {
- nameservers = defaultNameservers;
- };
- useNetworkManager = true;
- iface = "wlp0s20f3";
- };
- };
-
- generateHostNetworking = hostName: let
- hostData = hosts.${hostName};
- env = hostData.environment;
- in {
- inherit (env) nameservers;
- defaultGateway = lib.mkIf (env ? "defaultGateway6") env.defaultGateway;
- defaultGateway6 = lib.mkIf (env ? "defaultGateway6") env.defaultGateway6;
- search = lib.mkIf (env ? "search") env.search;
-
- useNetworkd = lib.mkDefault (hostData.useNetworkd or false);
- networkmanager.enable = lib.mkDefault (hostData.useNetworkManager or false);
- useDHCP = lib.mkDefault (hostData.useNetworkManager or false);
-
- interfaces."${hostData.iface}" = {
- ipv4.addresses = lib.mkIf (hostData ? "ipv4" && hostData.useNetworkd or false) [
- {
- address = hostData.ipv4;
- prefixLength = env.prefixLength or env.prefixLength4;
- }
- ];
- ipv6.addresses = lib.mkIf (hostData ? "ipv6" && hostData.useNetworkd or false) [
- {
- address = hostData.ipv6;
- prefixLength = env.prefixLength6;
- }
- ];
- };
- };
-
- ssh = {
- extraConfig = let
- sshTargetHosts = lib.attrsets.filterAttrs (name: value: value ? "ipv4") hosts;
- in
- lib.attrsets.foldlAttrs
- (acc: host: val:
- acc
- + ''
- Host ${host}
- HostName ${val.ipv4}
- Port ${val.port or "22"}
- '')
- ""
- sshTargetHosts;
- knownHosts =
- lib.attrsets.mapAttrs'
- (
- host: value:
- lib.attrsets.nameValuePair
- (value.ipv4)
- {
- inherit (value) publicKey;
- hostNames = [host];
- }
- )
- (
- lib.attrsets.filterAttrs (n: v: v ? "publicKey") hosts
- );
- };
-}
.sops.yaml
@@ -2,13 +2,7 @@ keys:
- &admin_hpcesia 56AC2ED35E51AFE66EAAA569878BD0F02991BAAE
- &chaser_kevin age1sur93fevme8az4v6txee9uw7gk8xcpz2u0mfzvayavrcx9zkefxsmcpnln
creation_rules:
- - path_regex: ^secrets/base/secrets\.yaml$
- key_groups:
- - pgp:
- - *admin_hpcesia
- age:
- - *chaser_kevin
- - path_regex: ^secrets/nixos/secrets\.yaml$
+ - path_regex: ^secrets/secrets\.yaml$
key_groups:
- pgp:
- *admin_hpcesia
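Review bot: The consolidated secrets/secrets.yaml is encrypted to two age recipients, chaser_kevin and `age1paj3ugpwg9l282ae7rm9t9kre5f4glljx5gj7ncthnzxfdxlcqas0jw6zx`, but the only age key anchored in the visible `keys:` block is `&chaser_kevin`; the new rule's age group runs past the hunk, so I cannot confirm the second recipient is declared there, and if it is not, the next `sops updatekeys` silently drops it. Anchoring it with a name, e.g. `- &chaser_pardofelis age1paj3…` (assuming it is the VPS host key), documents whose key it is. Merging the two old rules into one file also means every host key can decrypt every secret; if that is not intended, one creation rule per host under secrets/hosts/ keeps the blast radius of a leaked host key small.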