deploy-rs upgrade sane defaults

migrate firewall config increase security
remove useless comments
2025-06-19 16:24:33 -04:00 · 2025-06-19 16:21:37 -04:00 · 2025-06-19 16:08:04 -04:00 · 2025-06-19 16:07:55 -04:00
7 changed files with 82 additions and 24 deletions
--- a/configurations/nixos/base-image/default.nix
+++ b/configurations/nixos/base-image/default.nix
@ -0,0 +1,36 @@
+{
+  flake,
+  modulesPath,
+  config,
+  ...
+}:
+
+let
+  inherit (flake) inputs;
+  inherit (inputs) self;
+in
+{
+  imports = [
+    self.nixosModules.default
+    "${modulesPath}/virtualisation/lxc-container.nix"
+  ];
+  deploy = {
+    enable = false;
+  };
+
+  services = {
+    tty-ips.enable = true;
+  };
+  networking = {
+    yggdrasil = {
+      enable = true;
+      AllowedPublicKeys = [
+        "d0e265fcf663451ae9bc048dc1297749819ce9d48042a986f2866c15a779a074"
+      ];
+    };
+    hostName = "tofu";
+  };
+  environment.systemPackages = [
+  ];
+  system.stateVersion = "25.05";
+}
--- a/configurations/nixos/observer-tofu/default.nix
+++ b/configurations/nixos/observer-tofu/default.nix
@ -14,7 +14,9 @@ in
    self.nixosModules.default
    "${modulesPath}/virtualisation/lxc-container.nix"
  ];
-  deploy.address = "200:b938:d405:92df:a6e:1ffd:5213:26b";
+  deploy = {
+    address = "200:b938:d405:92df:a6e:1ffd:5213:26b";
+  };
  services = {
    tty-ips.enable = true;
    uptime-kuma = {
@ -27,7 +29,6 @@ in
    };
  };
  networking = {
-    firewall.enable = false;
    yggdrasil = {
      enable = true;
      AllowedPublicKeys = [
--- a/configurations/nixos/tofu/default.nix
+++ b/configurations/nixos/tofu/default.nix
@ -1,5 +1,3 @@
-# See /modules/nixos/* for actual settings
-# This file is just *top-level* configuration.
 {
  flake,
  modulesPath,
@ -41,7 +39,6 @@ in
    };
  };
  networking = {
-    firewall.enable = false;
    yggdrasil = {
      enable = true;
      AllowedPublicKeys = [
--- a/modules/flake/deploy.nix
+++ b/modules/flake/deploy.nix
@ -6,21 +6,25 @@ let
    nixpkgs
    nixos-anywhere
    ;
+
  inherit (nixpkgs) lib;

  genNode =
    hostName: nixosCfg:
    let
-      # inherit (self.hosts.${hostName}) address hostPlatform remoteBuild;
-      # inherit (deploy-rs.lib.${hostPlatform}) activate;
-      system = self.nixosConfigurations."${hostName}".pkgs.system;
-      address = self.nixosConfigurations."${hostName}".config.deploy.address;
+      deploy = nixosCfg.config.deploy;
+      system = nixosCfg.pkgs.system;
    in
    {
-      # inherit address;
-      hostname = address;
-      profiles.system.path = deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.${hostName};
+      hostname = deploy.address;
+      profiles.system.path = deploy-rs.lib.${system}.activate.nixos nixosCfg;
    };
+
+  # Filter out nodes where deploy.enable != true
+  deployableNodes = lib.filterAttrs (hostName: nixosCfg: nixosCfg.config.deploy.enable or false) (
+    self.nixosConfigurations or { }
+  );
+
 in
 {
  perSystem =
@ -44,13 +48,12 @@ in
        deploy = deploy-rs.apps.${system}.deploy-rs;
      };
    };
-  flake = {
-    deploy = {
-      autoRollback = false;
-      magicRollback = true;
-      user = "root";
-      remoteBuild = true;
-      nodes = lib.mapAttrs genNode (self.nixosConfigurations or { });
-    };
+
+  flake.deploy = {
+    autoRollback = false;
+    magicRollback = true;
+    user = "root";
+    remoteBuild = true;
+    nodes = lib.mapAttrs genNode deployableNodes;
  };
 }
--- a/modules/nixos/common/deployrs.nix
+++ b/modules/nixos/common/deployrs.nix
@ -0,0 +1,10 @@
+{ lib, config, ... }:
+{
+  options.deploy = {
+    enable = (lib.mkEnableOption // { default = true; }) "enable deployrs module";
+    address = lib.mkOption {
+      type = lib.types.str;
+      default = config.networking.hostName;
+    };
+  };
+}
--- a/modules/nixos/common/incus.nix
+++ b/modules/nixos/common/incus.nix
@ -14,6 +14,20 @@
  };

  networking = {
+    firewall = {
+      enable = true;
+      interfaces = {
+        ygg0 = {
+          allowedTCPPorts = [ 22 ];
+          allowedUDPPorts = [ ];
+        };
+      };
+
+      # Default deny policy for all interfaces (including ygg0)
+      allowPing = false;
+      allowedTCPPorts = [ ];
+      allowedUDPPorts = [ ];
+    };
    dhcpcd.enable = false;
    useDHCP = false;
    useHostResolvConf = false;
--- a/modules/nixos/common/ssh.nix
+++ b/modules/nixos/common/ssh.nix
@ -1,9 +1,6 @@
 { lib, config, ... }:
 {
-  options.deploy.address = lib.mkOption {
-    type = lib.types.str;
-    default = config.networking.hostName;
-  };
+
  config = {
    services.openssh.enable = true;
    security = {
Author	SHA1	Message	Date
Jermeiah S	b9f35afd8b	deploy-rs upgrade sane defaults	2025-06-19 16:24:33 -04:00
Jermeiah S	4ecc6a4ae6	migrate firewall config increase security	2025-06-19 16:21:37 -04:00
Jermeiah S	1cf7f2c054	remove useless comments	2025-06-19 16:08:04 -04:00
Jermeiah S	6becf62164	feat: isolate deploy module	2025-06-19 16:07:55 -04:00