SK-Development-Studios/Nixos-Configuration
2
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: SK-Development-Studios:bb141b7a715e94d263a5da719c7bd8f4b1ce2917
Branches Tags
SK-Development-Studios:main
...
compare: SK-Development-Studios:b9f35afd8bd6ca7792cd7c705ee2982d7599eecb
Branches Tags
SK-Development-Studios:main

4 commits
bb141b7a71 ... b9f35afd8b

Author SHA1 Message Date
Jermeiah S
b9f35afd8b
deploy-rs upgrade sane defaults 2025-06-19 16:24:33 -04:00
Jermeiah S
4ecc6a4ae6
migrate firewall config increase security 2025-06-19 16:21:37 -04:00
Jermeiah S
1cf7f2c054
remove useless comments 2025-06-19 16:08:04 -04:00
Jermeiah S
6becf62164
feat: isolate deploy module 2025-06-19 16:07:55 -04:00
7 changed files with 82 additions and 24 deletions
Download patch file Download diff file Expand all files Collapse all files

36
configurations/nixos/base-image/default.nix Normal file
View file

@ -0,0 +1,36 @@
{
flake,
modulesPath,
config,
...
}:
let
inherit (flake) inputs;
inherit (inputs) self;
in
{
imports = [
self.nixosModules.default
"${modulesPath}/virtualisation/lxc-container.nix"
];
deploy = {
enable = false;
};
services = {
tty-ips.enable = true;
};
networking = {
yggdrasil = {
enable = true;
AllowedPublicKeys = [
"d0e265fcf663451ae9bc048dc1297749819ce9d48042a986f2866c15a779a074"
];
};
hostName = "tofu";
};
environment.systemPackages = [
];
system.stateVersion = "25.05";
}

5
configurations/nixos/observer-tofu/default.nix
View file

@ -14,7 +14,9 @@ in
self.nixosModules.default self.nixosModules.default
"${modulesPath}/virtualisation/lxc-container.nix" "${modulesPath}/virtualisation/lxc-container.nix"
]; ];
deploy.address = "200:b938:d405:92df:a6e:1ffd:5213:26b"; deploy = {
address = "200:b938:d405:92df:a6e:1ffd:5213:26b";
};
services = { services = {
tty-ips.enable = true; tty-ips.enable = true;
uptime-kuma = { uptime-kuma = {
@ -27,7 +29,6 @@ in
}; };
}; };
networking = { networking = {
firewall.enable = false;
yggdrasil = { yggdrasil = {
enable = true; enable = true;
AllowedPublicKeys = [ AllowedPublicKeys = [

3
configurations/nixos/tofu/default.nix
View file

@ -1,5 +1,3 @@
# See /modules/nixos/* for actual settings
# This file is just *top-level* configuration.
{ {
flake, flake,
modulesPath, modulesPath,
@ -41,7 +39,6 @@ in
}; };
}; };
networking = { networking = {
firewall.enable = false;
yggdrasil = { yggdrasil = {
enable = true; enable = true;
AllowedPublicKeys = [ AllowedPublicKeys = [

33
modules/flake/deploy.nix
View file

@ -6,21 +6,25 @@ let
nixpkgs nixpkgs
nixos-anywhere nixos-anywhere
; ;
inherit (nixpkgs) lib; inherit (nixpkgs) lib;
genNode = genNode =
hostName: nixosCfg: hostName: nixosCfg:
let let
# inherit (self.hosts.${hostName}) address hostPlatform remoteBuild; deploy = nixosCfg.config.deploy;
# inherit (deploy-rs.lib.${hostPlatform}) activate; system = nixosCfg.pkgs.system;
system = self.nixosConfigurations."${hostName}".pkgs.system;
address = self.nixosConfigurations."${hostName}".config.deploy.address;
in in
{ {
# inherit address; hostname = deploy.address;
hostname = address; profiles.system.path = deploy-rs.lib.${system}.activate.nixos nixosCfg;
profiles.system.path = deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.${hostName};
}; };
# Filter out nodes where deploy.enable != true
deployableNodes = lib.filterAttrs (hostName: nixosCfg: nixosCfg.config.deploy.enable or false) (
self.nixosConfigurations or { }
);
in in
{ {
perSystem = perSystem =
@ -44,13 +48,12 @@ in
deploy = deploy-rs.apps.${system}.deploy-rs; deploy = deploy-rs.apps.${system}.deploy-rs;
}; };
}; };
flake = {
deploy = { flake.deploy = {
autoRollback = false; autoRollback = false;
magicRollback = true; magicRollback = true;
user = "root"; user = "root";
remoteBuild = true; remoteBuild = true;
nodes = lib.mapAttrs genNode (self.nixosConfigurations or { }); nodes = lib.mapAttrs genNode deployableNodes;
};
}; };
} }

10
modules/nixos/common/deployrs.nix Normal file
View file

@ -0,0 +1,10 @@
{ lib, config, ... }:
{
options.deploy = {
enable = (lib.mkEnableOption // { default = true; }) "enable deployrs module";
address = lib.mkOption {
type = lib.types.str;
default = config.networking.hostName;
};
};
}

14
modules/nixos/common/incus.nix
View file

@ -14,6 +14,20 @@
}; };
networking = { networking = {
firewall = {
enable = true;
interfaces = {
ygg0 = {
allowedTCPPorts = [ 22 ];
allowedUDPPorts = [ ];
};
};
# Default deny policy for all interfaces (including ygg0)
allowPing = false;
allowedTCPPorts = [ ];
allowedUDPPorts = [ ];
};
dhcpcd.enable = false; dhcpcd.enable = false;
useDHCP = false; useDHCP = false;
useHostResolvConf = false; useHostResolvConf = false;

5
modules/nixos/common/ssh.nix
View file

@ -1,9 +1,6 @@
{ lib, config, ... }: { lib, config, ... }:
{ {
options.deploy.address = lib.mkOption {
type = lib.types.str;
default = config.networking.hostName;
};
config = { config = {
services.openssh.enable = true; services.openssh.enable = true;
security = { security = {