From 6becf62164a504a5cccc64cbaadc06a729c0077f Mon Sep 17 00:00:00 2001 From: Jermeiah S Date: Thu, 19 Jun 2025 16:07:55 -0400 Subject: [PATCH 1/4] feat: isolate deploy module --- modules/flake/deploy.nix | 33 +++++++++++++++++-------------- modules/nixos/common/deployrs.nix | 10 ++++++++++ modules/nixos/common/ssh.nix | 5 +---- 3 files changed, 29 insertions(+), 19 deletions(-) create mode 100644 modules/nixos/common/deployrs.nix diff --git a/modules/flake/deploy.nix b/modules/flake/deploy.nix index 0af10de..d5f1f3e 100644 --- a/modules/flake/deploy.nix +++ b/modules/flake/deploy.nix @@ -6,21 +6,25 @@ let nixpkgs nixos-anywhere ; + inherit (nixpkgs) lib; genNode = hostName: nixosCfg: let - # inherit (self.hosts.${hostName}) address hostPlatform remoteBuild; - # inherit (deploy-rs.lib.${hostPlatform}) activate; - system = self.nixosConfigurations."${hostName}".pkgs.system; - address = self.nixosConfigurations."${hostName}".config.deploy.address; + deploy = nixosCfg.config.deploy; + system = nixosCfg.pkgs.system; in { - # inherit address; - hostname = address; - profiles.system.path = deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.${hostName}; + hostname = deploy.address; + profiles.system.path = deploy-rs.lib.${system}.activate.nixos nixosCfg; }; + + # Filter out nodes where deploy.enable != true + deployableNodes = lib.filterAttrs (hostName: nixosCfg: nixosCfg.config.deploy.enable or false) ( + self.nixosConfigurations or { } + ); + in { perSystem = @@ -44,13 +48,12 @@ in deploy = deploy-rs.apps.${system}.deploy-rs; }; }; - flake = { - deploy = { - autoRollback = false; - magicRollback = true; - user = "root"; - remoteBuild = true; - nodes = lib.mapAttrs genNode (self.nixosConfigurations or { }); - }; + + flake.deploy = { + autoRollback = false; + magicRollback = true; + user = "root"; + remoteBuild = true; + nodes = lib.mapAttrs genNode deployableNodes; }; } 
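Review bot: In the first deploy.nix hunk the `hostName` binder of the new `deployableNodes` filter is never used, and the `hostName` parameter of `genNode` is now unused as well since everything is read from `nixosCfg`; `lib.filterAttrs (_: nixosCfg: nixosCfg.config.deploy.enable or false)` and `genNode = _: nixosCfg:` would say so explicitly. The comment above the filter could also state what the `or false` is for, e.g. `# Only hosts that declare deploy.enable = true are deploy-rs nodes; configurations that do not import the deploy module (no deploy attribute) are skipped.` Note that `or` only covers a missing `deploy` attribute path, not an evaluation error inside a host's config, so one broken configuration still fails node evaluation for all hosts; that is presumably acceptable here.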
diff --git a/modules/nixos/common/deployrs.nix b/modules/nixos/common/deployrs.nix
new file mode 100644
index 0000000..40fbb0e
--- /dev/null
+++ b/modules/nixos/common/deployrs.nix
@@ -0,0 +1,10 @@
+{ lib, config, ... }:
+{
+ options.deploy = {
+ enable = lib.mkEnableOption "enable deployrs module";
+ address = lib.mkOption {
+ type = lib.types.str;
+ default = config.networking.hostName;
+ };
+ };
+}
diff --git a/modules/nixos/common/ssh.nix b/modules/nixos/common/ssh.nix
index 8d7f703..d2de754 100644
--- a/modules/nixos/common/ssh.nix
+++ b/modules/nixos/common/ssh.nix
@@ -1,9 +1,6 @@
 { lib, config, ... }:
 {
- options.deploy.address = lib.mkOption {
- type = lib.types.str;
- default = config.networking.hostName;
- };
+
 config = {
 services.openssh.enable = true;
 security = {

From 1cf7f2c0546165f5ca9e6accd5c81e91146e9423 Mon Sep 17 00:00:00 2001
From: Jermeiah S
Date: Thu, 19 Jun 2025 16:08:04 -0400
Subject: [PATCH 2/4] remove useless comments

---
 configurations/nixos/tofu/default.nix | 2 --
 1 file changed, 2 deletions(-)

diff --git a/configurations/nixos/tofu/default.nix b/configurations/nixos/tofu/default.nix
index 18efd18..582f803 100644
--- a/configurations/nixos/tofu/default.nix
+++ b/configurations/nixos/tofu/default.nix
@@ -1,5 +1,3 @@
-# See /modules/nixos/* for actual settings
-# This file is just *top-level* configuration.
 {
 flake,
 modulesPath,

From 4ecc6a4ae60b4898c2bcba78ba86ec55103fc131 Mon Sep 17 00:00:00 2001
From: Jermeiah S
Date: Thu, 19 Jun 2025 16:21:37 -0400
Subject: [PATCH 3/4] migrate firewall config increase security

---
 configurations/nixos/base-image/default.nix | 36 +++++++++++++++++++
 .../nixos/observer-tofu/default.nix | 6 ++--
 configurations/nixos/tofu/default.nix | 2 +-
 modules/nixos/common/incus.nix | 14 ++++++++
 4 files changed, 55 insertions(+), 3 deletions(-)
 create mode 100644 configurations/nixos/base-image/default.nix
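Review bot: In the new deployrs.nix, `lib.mkEnableOption "enable deployrs module"` produces the description "Whether to enable enable deployrs module." because mkEnableOption prepends "Whether to enable"; a noun phrase reads correctly, e.g. `enable = lib.mkEnableOption "deploy-rs deployment of this host";`. The `address` option has no `description`, yet it is the value `genNode` in deploy.nix hands to deploy-rs as the SSH target, so document it, e.g. `description = "Host name or address deploy-rs connects to for this configuration; defaults to networking.hostName.";`. Since `types.str` accepts any string, the description is also the place to say that the hosts in this series are expected to set their Yggdrasil address here.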
diff --git a/configurations/nixos/base-image/default.nix b/configurations/nixos/base-image/default.nix
new file mode 100644
index 0000000..fb80fbe
--- /dev/null
+++ b/configurations/nixos/base-image/default.nix
@@ -0,0 +1,36 @@
+{
+ flake,
+ modulesPath,
+ config,
+ ...
+}:
+
+let
+ inherit (flake) inputs;
+ inherit (inputs) self;
+in
+{
+ imports = [
+ self.nixosModules.default
+ "${modulesPath}/virtualisation/lxc-container.nix"
+ ];
+ deploy = {
+ enable = false;
+ };
+
+ services = {
+ tty-ips.enable = true;
+ };
+ networking = {
+ yggdrasil = {
+ enable = true;
+ AllowedPublicKeys = [
+ "d0e265fcf663451ae9bc048dc1297749819ce9d48042a986f2866c15a779a074"
+ ];
+ };
+ hostName = "tofu";
+ };
+ environment.systemPackages = [
+ ];
+ system.stateVersion = "25.05";
+}
diff --git a/configurations/nixos/observer-tofu/default.nix b/configurations/nixos/observer-tofu/default.nix
index 76c6201..1419e1c 100644
--- a/configurations/nixos/observer-tofu/default.nix
+++ b/configurations/nixos/observer-tofu/default.nix
@@ -14,7 +14,10 @@ in
 self.nixosModules.default
 "${modulesPath}/virtualisation/lxc-container.nix"
 ];
- deploy.address = "200:b938:d405:92df:a6e:1ffd:5213:26b";
+ deploy = {
+ enable = true;
+ address = "200:b938:d405:92df:a6e:1ffd:5213:26b";
+ };
 services = {
 tty-ips.enable = true;
 uptime-kuma = {
@@ -27,7 +30,6 @@ in
 };
 };
 networking = {
- firewall.enable = false;
 yggdrasil = {
 enable = true;
 AllowedPublicKeys = [
diff --git a/configurations/nixos/tofu/default.nix b/configurations/nixos/tofu/default.nix
index 582f803..3f0c038 100644
--- a/configurations/nixos/tofu/default.nix
+++ b/configurations/nixos/tofu/default.nix
@@ -15,6 +15,7 @@ in
 "${modulesPath}/virtualisation/lxc-container.nix"
 ];
 deploy = {
+ enable = true;
 address = "200:1978:6503:e6f0:2dbe:11fd:74b:ff64";
 };
 sops.secrets = {
@@ -39,7 +40,6 @@ in
 };
 };
 networking = {
- firewall.enable = false;
 yggdrasil = {
 enable = true;
 AllowedPublicKeys = [
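Review bot: `hostName = "tofu";` in a configuration called base-image looks like a leftover from the tofu host: if both configurations are built, the base image carries another host's identity, and because the new `deploy.address` option defaults to `networking.hostName` it would also resolve to `tofu`. That is presumably only harmless because `deploy = { enable = false; };` is set a few lines above; a one-line comment there, `# not a deploy-rs target: this image is a template, not a live host`, would make the intent survive the next edit. `environment.systemPackages = [ ];` is the NixOS default and can be dropped, or given a comment if it is meant as a placeholder.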
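Review bot: Removing `firewall.enable = false;` from observer-tofu puts the host under the incus.nix policy added in this same series, which opens only TCP 22 on ygg0; the uptime-kuma service visible in the context of the first observer-tofu hunk then needs its listening port opened explicitly (for example under `networking.firewall.interfaces.ygg0.allowedTCPPorts`) or its web interface becomes unreachable. The rest of the file is outside the hunk, so this may already be handled there; if it is not, the removal changes more than the commit message suggests. The same consideration applies to the identical removal in the tofu hunk of this patch, where the services block is also outside the hunk.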
diff --git a/modules/nixos/common/incus.nix b/modules/nixos/common/incus.nix index 00d4741..3e2963f 100644 --- a/modules/nixos/common/incus.nix +++ b/modules/nixos/common/incus.nix @@ -14,6 +14,20 @@ }; networking = { + firewall = { + enable = true; + interfaces = { + ygg0 = { + allowedTCPPorts = [ 22 ]; + allowedUDPPorts = [ ]; + }; + }; + + # Default deny policy for all interfaces (including ygg0) + allowPing = false; + allowedTCPPorts = [ ]; + allowedUDPPorts = [ ]; + }; dhcpcd.enable = false; useDHCP = false; useHostResolvConf = false; From b9f35afd8bd6ca7792cd7c705ee2982d7599eecb Mon Sep 17 00:00:00 2001 From: Jermeiah S Date: Thu, 19 Jun 2025 16:24:33 -0400 Subject: [PATCH 4/4] deploy-rs upgrade sane defaults --- configurations/nixos/observer-tofu/default.nix | 1 - configurations/nixos/tofu/default.nix | 1 - modules/nixos/common/deployrs.nix | 2 +- 3 files changed, 1 insertion(+), 3 deletions(-) diff --git a/configurations/nixos/observer-tofu/default.nix b/configurations/nixos/observer-tofu/default.nix index 1419e1c..312a252 100644 --- a/configurations/nixos/observer-tofu/default.nix +++ b/configurations/nixos/observer-tofu/default.nix @@ -15,7 +15,6 @@ in "${modulesPath}/virtualisation/lxc-container.nix" ]; deploy = { - enable = true; address = "200:b938:d405:92df:a6e:1ffd:5213:26b"; }; services = { diff --git a/configurations/nixos/tofu/default.nix b/configurations/nixos/tofu/default.nix index 3f0c038..35de13c 100644 --- a/configurations/nixos/tofu/default.nix +++ b/configurations/nixos/tofu/default.nix @@ -15,7 +15,6 @@ in "${modulesPath}/virtualisation/lxc-container.nix" ]; deploy = { - enable = true; address = "200:1978:6503:e6f0:2dbe:11fd:74b:ff64"; }; sops.secrets = { diff --git a/modules/nixos/common/deployrs.nix b/modules/nixos/common/deployrs.nix index 40fbb0e..b179f7e 100644 --- a/modules/nixos/common/deployrs.nix +++ b/modules/nixos/common/deployrs.nix 
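Review bot: The comment `# Default deny policy for all interfaces (including ygg0)` in the incus.nix hunk is misleading, because the `interfaces.ygg0` block just above explicitly allows TCP 22, so ygg0 is closed only for everything else; something like `# No global openings; the per-interface entries above (SSH on ygg0) are the only allowed inbound ports.` describes what the code does. `allowedTCPPorts = [ ];`, `allowedUDPPorts = [ ];` and the ygg0 `allowedUDPPorts = [ ];` are the NixOS defaults and can be dropped without changing the policy. Because SSH is now reachable only through ygg0, every deploy-rs node must set `deploy.address` to its Yggdrasil address; the `config.networking.hostName` default of that option would hit a blocked port if the name resolves to any other interface, and a comment here noting that dependency would help. The enclosing `networking` attribute set continues past the hunk.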
@@ -1,7 +1,7 @@
 { lib, config, ... }:
 {
 options.deploy = {
- enable = lib.mkEnableOption "enable deployrs module";
+ enable = (lib.mkEnableOption // { default = true; }) "enable deployrs module";
 address = lib.mkOption {
 type = lib.types.str;
 default = config.networking.hostName;
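Review bot: `(lib.mkEnableOption // { default = true; })` does not evaluate: `lib.mkEnableOption` is a function and `//` needs an attribute set on its left, so every configuration importing this module fails with "value is a function while a set was expected". The override has to apply to the option set mkEnableOption returns: `enable = lib.mkEnableOption "deploy-rs deployment of this host" // { default = true; };`. Separately, defaulting to true makes deployment opt-out; with `user = "root"` in the flake's deploy settings, any configuration added later without an explicit `deploy.enable = false` becomes a root SSH target of deploy-rs, so the original opt-in default is the safer choice and the change deserves at least a comment stating that every host is deployed unless it opts out. The module's closing lines are outside the hunk.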