diff --git a/configurations/nixos/tofu/configuration.nix b/configurations/nixos/tofu/configuration.nix
index c07da7e..c8dcd00 100644
--- a/configurations/nixos/tofu/configuration.nix
+++ b/configurations/nixos/tofu/configuration.nix
@@ -2,35 +2,17 @@
 {
 disko.devices.disk.main.device = "/dev/vda";
- users.users.admin = {
- isNormalUser = true;
-
- name = "sky";
- extraGroups = [
- "wheel"
- "networkmanager"
- "video"
- "input"
- ];
- uid = 1000;
- openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
- };
- users.users.root.openssh.authorizedKeys.keys = [
- "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBA9i9HoP7X8Ufzz8rAaP7Nl3UOMZxQHMrsnA5aEQfpTyIQ1qW68jJ4jGK5V6Wv27MMc3czDU1qfFWIbGEWurUHQ="
- ];
- services.tailscale = {
- enable = true;
- };
 services.tty-ips.enable = true;
- networking.yggdrasil.enable = true;
- networking.yggdrasil.AllowedPublicKeys = [
- "d0e265fcf663451ae9bc048dc1297749819ce9d48042a986f2866c15a779a074"
- ];
- virtualisation.incus.agent.enable = true;
+ networking.yggdrasil = {
+ enable = true;
+ AllowedPublicKeys = [
+ "d0e265fcf663451ae9bc048dc1297749819ce9d48042a986f2866c15a779a074"
+ ];
+ };
 nixpkgs.hostPlatform = "x86_64-linux";
 networking.hostName = "smultiboi";
 environment.systemPackages = [
- pkgs.otf
+ # pkgs.otf
 ];
 # Used for backwards compatibility, please read the changelog before changing.
 # $ darwin-rebuild changelog
diff --git a/configurations/nixos/tofu/default.nix b/configurations/nixos/tofu/default.nix
index f9289d7..ea4b9c9 100644
--- a/configurations/nixos/tofu/default.nix
+++ b/configurations/nixos/tofu/default.nix
@@ -1,6 +1,6 @@
 # See /modules/nixos/* for actual settings
 # This file is just *top-level* configuration.
-{ flake, ... }:
+{ flake, modulesPath, ... }:
 let
 inherit (flake) inputs;
@@ -9,6 +9,7 @@ in
 {
 imports = [
 self.nixosModules.default
+ "${modulesPath}/virtualisation/lxc-container.nix"
 ./configuration.nix
 ./hardware-configuration.nix
 ./disko.nix
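Review bot: `+ # pkgs.otf` removes the otf binary from this host but nothing in the commit sets `services.otf.enable = true;` for it, and the new module's `enable` is a plain `mkEnableOption` (default off), so unless it is enabled somewhere outside this diff the host ends up with neither the package nor the service. If the service is meant to replace the package, set `services.otf.enable = true;` here and drop the commented-out entry instead of leaving an empty `environment.systemPackages = [ ];` that holds only a comment. If the package was removed on purpose for now, a one-line comment such as `# otf moved to services.otf (modules/nixos/common/otf.nix); not enabled on this host yet` would record that.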
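Review bot: Importing `"${modulesPath}/virtualisation/lxc-container.nix"` sits in the same `imports` list as `./disko.nix` and `./hardware-configuration.nix`, and configuration.nix still sets `disko.devices.disk.main.device = "/dev/vda"`; a container image has no block device to partition, so these appear to pull in opposite directions (the removal of `virtualisation.incus.agent.enable` in the other hunk suggests the host is becoming a container). It would be worth either dropping the disko/hardware imports or stating in a comment above the container import which deployment target this host now has. The `imports` list continues past the end of the hunk, so there may be more entries affected.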
diff --git a/modules/nixos/common/default.nix b/modules/nixos/common/default.nix
index af6e953..5f2a314 100644
--- a/modules/nixos/common/default.nix
+++ b/modules/nixos/common/default.nix
@@ -6,4 +6,9 @@
 ++ [
 flake.inputs.disko.nixosModules.default
 ];
+
+ nixpkgs.overlays = [ flake.inputs.self.overlays.default ];
+ services.tailscale = {
+ enable = true;
+ };
 }
diff --git a/modules/nixos/common/otf.nix b/modules/nixos/common/otf.nix
new file mode 100644
index 0000000..69d6618
--- /dev/null
+++ b/modules/nixos/common/otf.nix
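Review bot: `services.tailscale = { enable = true; };` spends three lines on a single attribute; the rest of this commit writes such settings in dotted form (`services.openssh.enable = true;` in ssh.nix), so `services.tailscale.enable = true;` would keep the common module consistent. Since this module is imported by every NixOS host, a short comment above the two new lines saying that the overlay and tailscale are now fleet-wide defaults would help the next reader see why they left the per-host configuration.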
@@ -0,0 +1,91 @@
+{
+ lib,
+ config,
+ pkgs,
+ ...
+}:
+
+let
+ cfg = config.services.otf;
+in
+{
+ options.services.otf = {
+ enable = lib.mkEnableOption "Open Terraform Framework";
+ # It is important to expose the datadirectory to the user so we make it a reusable option
+ dataDir = lib.mkOption {
+ type = lib.types.str;
+ default = "/var/lib/otf";
+ description = "Directory to store OTF data.";
+ };
+ package = lib.mkPackageOption pkgs "otf" { };
+ pgPackage = lib.mkPackageOption pkgs "postgresql_16" { };
+ # this application is configured entirely by environment variables and needs to be exposed
+ environment = lib.mkOption {
+ type =
+ with lib.types;
+ attrsOf (
+ nullOr (oneOf [
+ str
+ path
+ package
+ ])
+ );
+ default = {
+ OTF_ADDRESS = "localhost:9000";
+ OTF_SITE_TOKEN = "my-token";
+ OTF_SSL = "false";
+ # the application needs a secret for encryption and other things
+ # TODO: make mechanism to load via file
+ OTF_SECRET = "f73e55eada59bd1c37d69ae3bbacd982";
+ # more options can be set but these are a reminder for myself
+ OTF_CERT_FILE = "";
+ OTF_KEY_FILE = "";
+ };
+ description = "Environment variables for the OTF service.";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ # it is best for this project to have a dedicated user for database access
+ users.groups.otf = { };
+ users.users.otf = {
+ isSystemUser = true;
+ home = cfg.dataDir;
+ createHome = true;
+ group = "otf";
+ };
+
+ services.postgresql = {
+ enable = true;
+ # this lets us set the package
+ # TODO: expose to end user
+ package = cfg.pgPackage;
+ # This enabled autoconfig of both a database and a user of the same name
+ ensureDatabases = [ "otf" ];
+ ensureUsers = [
+ {
+ name = "otf";
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+
+ systemd.services.otf = {
+ description = "Open Terraform Framework";
+ after = [
+ "network.target"
+ "postgresql.service"
+ ];
+ requires = [ "postgresql.service" ];
+ wantedBy = [ "multi-user.target" ];
+ inherit (cfg) environment;
+ serviceConfig = {
+ User = "otf";
+ Group = "otf";
+ WorkingDirectory = cfg.dataDir;
+ ExecStart = "${cfg.package}/bin/otfd";
+ Restart = "on-failure";
+ };
+ };
+ };
+}
diff --git a/modules/nixos/common/ssh.nix b/modules/nixos/common/ssh.nix
index fadae72..28b196f 100644
--- a/modules/nixos/common/ssh.nix
+++ b/modules/nixos/common/ssh.nix
@@ -1,4 +1,5 @@
 _: {
+ services.openssh.enable = true;
 security = {
 sudo.execWheelOnly = true;
 pam = {
diff --git a/modules/nixos/common/users.nix b/modules/nixos/common/users.nix
new file mode 100644
index 0000000..9a6d43c
--- /dev/null
+++ b/modules/nixos/common/users.nix
@@ -0,0 +1,22 @@
+{
+ lib,
+ config,
+ pkgs,
+ ...
+}:
+{
+ users.users.root.openssh.authorizedKeys.keys =
+ with config.users.users;
+ sky.openssh.authorizedKeys.keys;
+ users.users.sky = {
+ isNormalUser = true;
+ name = "sky";
+ extraGroups = [
+ "wheel"
+ ];
+ uid = 1000;
+ openssh.authorizedKeys.keys = [
+ "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBA9i9HoP7X8Ufzz8rAaP7Nl3UOMZxQHMrsnA5aEQfpTyIQ1qW68jJ4jGK5V6Wv27MMc3czDU1qfFWIbGEWurUHQ="
+ ];
+ };
+}
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 9886cbd..f612cb8 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -5,6 +5,5 @@
 imports = [
 flake.inputs.self.nixosModules.common
 ];
- services.openssh.enable = true;
- nixpkgs.overlays = [ flake.inputs.self.overlays.default ];
+
 }
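Review bot: `OTF_SECRET = "f73e55eada59bd1c37d69ae3bbacd982"` and `OTF_SITE_TOKEN = "my-token"` are option defaults, so any host that sets `services.otf.enable = true` without overriding `environment` runs with a secret that is now in this repository's history and, because `inherit (cfg) environment;` feeds it into the unit file, also in the world-readable Nix store. The committed value should be treated as disclosed and replaced, and the module should carry no default for those two keys (keep `OTF_ADDRESS`/`OTF_SSL`) but instead offer an `environmentFile` option wired to systemd's `EnvironmentFile=`, which keeps the secret in a root-only file outside the store and resolves the `# TODO: make mechanism to load via file` comment. Minor: `dataDir` is typed `lib.types.str` while it is used as `home` and `WorkingDirectory`; `lib.types.path` documents that better.
```nix
    # new option, next to `environment`
    environmentFile = lib.mkOption {
      type = lib.types.nullOr lib.types.path;
      default = null;
      description = "File of KEY=value lines (OTF_SECRET, OTF_SITE_TOKEN, ...) kept outside the Nix store.";
    };
    # … unchanged: environment option, minus the OTF_SECRET / OTF_SITE_TOKEN defaults …
    # … unchanged: users, services.postgresql, systemd.services.otf header …
    serviceConfig = {
      # … unchanged: User, Group, WorkingDirectory …
      EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile;
      # … unchanged: ExecStart, Restart …
    };
```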
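Review bot: `users.users.root.openssh.authorizedKeys.keys = with config.users.users; sky.openssh.authorizedKeys.keys;` gives the key of the wheel user direct root login over SSH as well, since NixOS's `PermitRootLogin` default of prohibit-password allows key logins and the ssh.nix hunk in this commit does not set it (that file is cut by its hunk, so it may be set further down). With `sudo.execWheelOnly` already in place, root key login is a second privileged path that a compromised key gets for free; if it exists for remote deploys, a comment above the assignment saying so would make that deliberate, otherwise drop the root keys and add `services.openssh.settings.PermitRootLogin = "no";` to ssh.nix. The `lib` and `pkgs` arguments of this module are unused and can be removed from the argument set.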