diff --git a/base.nix b/base.nix
index 3e38d40..4dd8df1 100644
--- a/base.nix
+++ b/base.nix
@@ -1,21 +1,14 @@
 { config, pkgs, lib, inputs, ... }:
 {
- imports = [
+ imports = let ifExists = p: if builtins.pathExists p then p else {}; in [
 ./cachix.nix # update with `cachix use --mode nixos -d . FOOBAR`
 ./profiles/locale-no.nix
 # results of 'nixos-generate-config'
 # nice to have if i just dump this flake into /etc/nixos on a clean install
- (if builtins.pathExists ./configuration.nix
- then ./configuration.nix
- else {}
- )
- (if builtins.pathExists ./hardware-configuration.nix
- then ./hardware-configuration.nix
- else {}
- )
+ (ifExists ./configuration.nix )
+ (ifExists ./hardware-configuration.nix )
 ];
- # TODO: how can i do this in home-manager?
 nixpkgs.config.permittedInsecurePackages = [
 "pulsar-1.106.0"
 "pulsar-1.109.0"
diff --git a/flake.lock b/flake.lock
index b88dffe..8431858 100644
--- a/flake.lock
+++ b/flake.lock
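Review bot: `ifExists` is defined inline here and a second, identical copy is defined inline in flake.nix's mkModule (hunk `@@ -124,9 +132,9 @@`); a helper that decides whether a module is silently dropped deserves one definition both places import, so the two copies cannot drift. As before, the `{}` fallback is an empty module, so nothing reports that configuration.nix or hardware-configuration.nix was not picked up, and since a flake only sees git-tracked files, a file that is present on disk but not yet added is also replaced by `{}`; I would say so above the two calls: `# untracked files are invisible to the flake and silently fall back to {} here`. The trailing space in `(ifExists ./configuration.nix )` and its sibling looks accidental.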
@@ -135,6 +135,119 @@ "type": "github" } }, + "nixpkgs-1909": { + "flake": false, + "locked": { + "lastModified": 1600952148, + "narHash": "sha256-GUKHrnng33luc6mUT3rDnZ3Hm+4MMEJpEchRIAQx7JQ=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "75f4ba05c63be3f147bcc2f7bd4ba1f029cedcb1", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-19.09", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-2003": { + "locked": { + "lastModified": 1620055814, + "narHash": "sha256-8LEHoYSJiL901bTMVatq+rf8y7QtWuZhwwpKE2fyaRY=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "1db42b7fe3878f3f5f7a4f2dc210772fd080e205", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-20.03", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-2009": { + "locked": { + "lastModified": 1635350005, + "narHash": "sha256-tAMJnUwfaDEB2aa31jGcu7R7bzGELM9noc91L2PbVjg=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "1c1f5649bb9c1b0d98637c8c365228f57126f361", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-20.09", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-2105": { + "locked": { + "lastModified": 1659914493, + "narHash": "sha256-lkA5X3VNMKirvA+SUzvEhfA7XquWLci+CGi505YFAIs=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "022caabb5f2265ad4006c1fa5b1ebe69fb0c3faf", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-21.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-2111": { + "locked": { + "lastModified": 1659446231, + "narHash": "sha256-hekabNdTdgR/iLsgce5TGWmfIDZ86qjPhxDg/8TlzhE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "eabc38219184cc3e04a974fe31857d8e0eac098d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-21.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-2205": { + "locked": { + "lastModified": 1685573264, + "narHash": "sha256-Zffu01pONhs/pqH07cjlF10NnMDLok8ix5Uk4rhOnZQ=", + "owner": 
"NixOS", + "repo": "nixpkgs", + "rev": "380be19fbd2d9079f677978361792cb25e8a3635", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-22.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-2211": { + "locked": { + "lastModified": 1688392541, + "narHash": "sha256-lHrKvEkCPTUO+7tPfjIcb7Trk6k31rz18vkyqmkeJfY=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ea4c80b39be4c09702b0cb3b42eab59e2ba4f24b", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-2305": { "locked": { "lastModified": 1704290814, @@ -239,6 +352,13 @@ "home-manager-edge": "home-manager-edge", "nixos-generators-2311": "nixos-generators-2311", "nixos-hardware": "nixos-hardware", + "nixpkgs-1909": "nixpkgs-1909", + "nixpkgs-2003": "nixpkgs-2003", + "nixpkgs-2009": "nixpkgs-2009", + "nixpkgs-2105": "nixpkgs-2105", + "nixpkgs-2111": "nixpkgs-2111", + "nixpkgs-2205": "nixpkgs-2205", + "nixpkgs-2211": "nixpkgs-2211", "nixpkgs-2305": "nixpkgs-2305", "nixpkgs-2311": "nixpkgs-2311", "nixpkgs-edge": "nixpkgs-edge", diff --git a/flake.nix b/flake.nix index 2d1ed24..f5cf5d3 100644 --- a/flake.nix +++ b/flake.nix 
@@ -6,6 +6,14 @@
 nixpkgs-edge.url = "github:NixOS/nixpkgs/nixos-unstable";
 nixpkgs-2311.url = "github:NixOS/nixpkgs/nixos-23.11";
 nixpkgs-2305.url = "github:NixOS/nixpkgs/nixos-23.05";
+ nixpkgs-2211.url = "github:NixOS/nixpkgs/nixos-22.11"; # for old docs
+ nixpkgs-2205.url = "github:NixOS/nixpkgs/nixos-22.05"; # for old docs
+ nixpkgs-2111.url = "github:NixOS/nixpkgs/nixos-21.11"; # for old docs
+ nixpkgs-2105.url = "github:NixOS/nixpkgs/nixos-21.05"; # for old docs
+ nixpkgs-2009.url = "github:NixOS/nixpkgs/nixos-20.09"; # for old docs
+ nixpkgs-2003.url = "github:NixOS/nixpkgs/nixos-20.03"; # for old docs
+ nixpkgs-1909.url = "github:NixOS/nixpkgs/nixos-19.09"; # for old docs
+ nixpkgs-1909.flake = false; # Earlier versions are not flake-pure
 # https://github.com/nix-community/home-manager
 home-manager-edge.url = "github:nix-community/home-manager/master";
@@ -43,13 +51,6 @@
 #https://github.com/numtide/nixpkgs-unfree # has a cache
 #https://github.com/matthewbauer/nixiosk
 inputs.pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix";
-
- # used to host old docs
- nixpkgs-22.url = "github:NixOS/nixpkgs/nixos-22.11";
- nixpkgs-21.url = "github:NixOS/nixpkgs/nixos-21.11";
- nixpkgs-20.url = "github:NixOS/nixpkgs/nixos-20.09";
- nixpkgs-19.url = "github:NixOS/nixpkgs/nixos-19.09";
- nixpkgs-19.flake = false; # Earlier versions are not flake-pure
 /**/
 #pbsds-papers.url = "git+ssh://git@github.com/pbsds/papers.git";
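Review bot: The seven `# for old docs` inputs pin nixpkgs branches from nixos-19.09 to nixos-22.11 that are end-of-life and receive no security fixes, and the flake.lock hunk shows how stale they are (the nixpkgs-1909 entry was last modified in 2020), so the comment should state the boundary rather than just the purpose: `# EOL channels, used only to build the manuals under profiles/http/docs; never feed these to mkModule`. That matters because the `@@ -95,6 +96,13 @@` hunk turns each of them into a full `inputs-XXXX` set, which makes accidental use for a host a one-line mistake. The removed `nixpkgs-22`…`nixpkgs-19` inputs in the next hunk also lose the `# used to host old docs` heading that said this before.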
@@ -95,6 +96,13 @@
 home-manager = inputs'.home-manager-2305;
 sops-nix = inputs'.sops-nix-2305;
 };
+ inputs-2211 = inputs-2305 // { nixpkgs = inputs'.nixpkgs-2211; };
+ inputs-2205 = inputs-2305 // { nixpkgs = inputs'.nixpkgs-2205; };
+ inputs-2111 = inputs-2305 // { nixpkgs = inputs'.nixpkgs-2111; };
+ inputs-2105 = inputs-2305 // { nixpkgs = inputs'.nixpkgs-2105; };
+ inputs-2009 = inputs-2305 // { nixpkgs = inputs'.nixpkgs-2009; };
+ inputs-2003 = inputs-2305 // { nixpkgs = inputs'.nixpkgs-2003; };
+ inputs-1909 = inputs-2305 // { nixpkgs = inputs'.nixpkgs-1909; };
 mkFlakeView = inputs: system: inputs.nixpkgs.lib.mapAttrs (name: flake: {
 # TODO filter non-flake inputs
@@ -124,9 +132,9 @@
 mkModule = domain: system: inputs: stateVersion: modules: hostname: ({ lib, ... }: {
 system.stateVersion = lib.mkDefault stateVersion;
 # TODO: home-manager
- imports = [
+ imports = let ifExists = p: if builtins.pathExists p then p else {}; in [
 ./base.nix
- "${self}/hosts/${hostname}"
+ (ifExists "${self}/hosts/${hostname}")
 inputs.sops-nix.nixosModules.sops
 inputs.home-manager.nixosModule
 ] ++ modules;
@@ -273,7 +281,7 @@ in {
 envrc-local = mkShell envrc-pkgs;
 envrc-remote = mkShell (envrc-pkgs ++ [
- flakes.unstable.pkgs.remote-exec # TODO: stable
+ (pkgs.remote-exec or flakes.unstable.pkgs.remote-exec)
 pkgs.yq
 pkgs.rsync
 ]);
diff --git a/hosts/noximilien/default.nix b/hosts/noximilien/default.nix
index f9a5483..6c5d22b 100644
--- a/hosts/noximilien/default.nix
+++ b/hosts/noximilien/default.nix
@@ -11,6 +11,8 @@
 ../../profiles/sshd.nix
 ../../profiles/podman.nix
+ ../../profiles/vpn-pbsds/headscale.nix # opens port 3478
+
 ../../users/pbsds
 ../../users/jornane
@@ -25,8 +27,6 @@
 ../../profiles/services/tmate-server.nix # opens port 42244
- ../../profiles/vpn-pbsds/headscale.nix
-
 ../../profiles/http # enables nginx+acme, defines mkDomain
 ../../profiles/http/index
 ../../profiles/http/services/cinny.nix
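Review bot: `inputs-2211` through `inputs-1909` override only `nixpkgs` on top of `inputs-2305`, so each set pairs an old nixpkgs with home-manager-2305 and sops-nix-2305, and anything that consumes one of them as a complete input set (mkModule, for example) gets a version mismatch that surfaces only at evaluation or switch time. `inputs-1909` is worse: this commit declares `nixpkgs-1909.flake = false`, so `inputs'.nixpkgs-1909` is a bare source tree without `.lib`, and `mkFlakeView`'s `inputs.nixpkgs.lib.mapAttrs` on the next line would fail on it — the `# TODO filter non-flake inputs` comment already points at this. A comment above the group, `# docs-only input sets: only nixpkgs differs, home-manager/sops-nix stay 23.05`, would keep the next reader from using them for a host. The binding group these sit in begins before the hunk.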
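Review bot: Wrapping `"${self}/hosts/${hostname}"` in `ifExists` means a misspelled `hostname` no longer fails evaluation: the host-specific module quietly becomes `{}` and the system is built from base.nix plus the passed `modules` alone, without whatever the host directory contributes (the noximilien hunk shows it is the place that opens ports and pulls in sshd, http and vpn profiles), and nothing says so until after the switch. A missing host directory should at least warn, and `lib` is already bound by this module function: `ifExists = p: if builtins.pathExists p then p else lib.warn "mkModule: no module found at ${toString p}" {};`. If the duplicate helper in base.nix is kept, it should behave the same way. mkModule's body continues past the end of the hunk.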
diff --git a/profiles/http/docs/nixpkgs.nix b/profiles/http/docs/nixpkgs.nix
index 8bfd82d..1596c7e 100644
--- a/profiles/http/docs/nixpkgs.nix
+++ b/profiles/http/docs/nixpkgs.nix
@@ -28,28 +28,52 @@ in
 }
 # == Old Nixpkgs manuals ==
 /** /
+ {
+ dirname = "nixpkgs-manual-23.05";
+ basename= "manual.html";
+ path = "${mk-nixpkgs-manual inputs.nixpkgs-2213}05share/doc/nixpkgs";
+ desc = "Official Nixpkgs 23.05 manual";
+ }
 {
 dirname = "nixpkgs-manual-22.11";
 basename= "manual.html";
- path = "${mk-nixpkgs-manual inputs.nixpkgs-22}/share/doc/nixpkgs";
+ path = "${mk-nixpkgs-manual inputs.nixpkgs-2211}/share/doc/nixpkgs";
 desc = "Official Nixpkgs 22.11 manual";
 }
+ {
+ dirname = "nixpkgs-manual-22.05";
+ basename= "manual.html";
+ path = "${mk-nixpkgs-manual inputs.nixpkgs-2205}/share/doc/nixpkgs";
+ desc = "Official Nixpkgs 22.05 manual";
+ }
 {
 dirname = "nixpkgs-manual-21.11";
 basename= "manual.html";
- path = "${mk-nixpkgs-manual inputs.nixpkgs-21}/share/doc/nixpkgs";
+ path = "${mk-nixpkgs-manual inputs.nixpkgs-2111}/share/doc/nixpkgs";
 desc = "Official Nixpkgs 21.11 manual";
 }
+ {
+ dirname = "nixpkgs-manual-21.05";
+ basename= "manual.html";
+ path = "${mk-nixpkgs-manual inputs.nixpkgs-2105}/share/doc/nixpkgs";
+ desc = "Official Nixpkgs 21.05 manual";
+ }
 {
 dirname = "nixpkgs-manual-20.09";
 basename= "manual.html";
- path = "${mk-nixpkgs-manual inputs.nixpkgs-20}/share/doc/nixpkgs";
+ path = "${mk-nixpkgs-manual inputs.nixpkgs-2009}/share/doc/nixpkgs";
 desc = "Official Nixpkgs 20.09 manual";
 }
+ {
+ dirname = "nixpkgs-manual-20.03";
+ basename= "manual.html";
+ path = "${mk-nixpkgs-manual inputs.nixpkgs-2003}/share/doc/nixpkgs";
+ desc = "Official Nixpkgs 20.03 manual";
+ }
 {
 dirname = "nixpkgs-manual-19.09";
 basename= "manual.html";
- path = "${mk-nixpkgs-manual inputs.nixpkgs-19}/share/doc/nixpkgs";
+ path = "${mk-nixpkgs-manual inputs.nixpkgs-1909}/share/doc/nixpkgs";
 desc = "Official Nixpkgs 19.09 manual";
 }
 /**/
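Review bot: The new `nixpkgs-manual-23.05` entry is broken in two places on its `path` line: `inputs.nixpkgs-2213` does not exist (this commit defines `nixpkgs-2211`, `nixpkgs-2205`, … and the 23.05 input is `nixpkgs-2305`), and `}05share/doc/nixpkgs` has lost the slash every sibling entry has. It should read `path = "${mk-nixpkgs-manual inputs.nixpkgs-2305}/share/doc/nixpkgs";`. If the surrounding `/** /` … `/**/` pair is the disabled state of the comment-toggle idiom this repo uses (the tailscale.nix hunk adds the same pair around an inactive service), the error will stay hidden until the block is re-enabled, which is the worst moment to discover it. The list these entries belong to begins before the hunk.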
@@ -57,19 +81,34 @@ in
 /** /
 {
 dirname = "nixos-manual-22.11";
- path = "${mk-nixos-manual inputs.nixpkgs-22}/share/doc/nixos";
+ path = "${mk-nixos-manual inputs.nixpkgs-2211}/share/doc/nixos";
 desc = "Official Nixos 22.11 manual";
 }
+ {
+ dirname = "nixos-manual-22.05";
+ path = "${mk-nixos-manual inputs.nixpkgs-2205}/share/doc/nixos";
+ desc = "Official Nixos 22.05 manual";
+ }
 {
 dirname = "nixos-manual-21.11";
- path = "${mk-nixos-manual inputs.nixpkgs-21}/share/doc/nixos";
+ path = "${mk-nixos-manual inputs.nixpkgs-2111}/share/doc/nixos";
 desc = "Official Nixos 21.11 manual";
 }
+ {
+ dirname = "nixos-manual-21.05";
+ path = "${mk-nixos-manual inputs.nixpkgs-2105}/share/doc/nixos";
+ desc = "Official Nixos 21.05 manual";
+ }
 {
 dirname = "nixos-manual-20.09";
- path = "${mk-nixos-manual inputs.nixpkgs-20}/share/doc/nixos";
+ path = "${mk-nixos-manual inputs.nixpkgs-2009}/share/doc/nixos";
 desc = "Official Nixos 20.09 manual";
 }
+ {
+ dirname = "nixos-manual-20.03";
+ path = "${mk-nixos-manual inputs.nixpkgs-2003}/share/doc/nixos";
+ desc = "Official Nixos 20.03 manual";
+ }
 {
 dirname = "nixos-manual-19.09";
 path = "${mk-nixos-manual inputs.nixpkgs-19}/share/doc/nixos";
diff --git a/profiles/vpn-pbsds/headscale.nix b/profiles/vpn-pbsds/headscale.nix
index c25d0b4..7b29a20 100644
--- a/profiles/vpn-pbsds/headscale.nix
+++ b/profiles/vpn-pbsds/headscale.nix
@@ -3,7 +3,7 @@ let
 cfg = config.services.headscale;
 server-url = "head.pbsds.net";
 derpPort = 3478;
- inherit (lib) mkIf;
+ inherit (lib) mkIf getExe;
 in
 {
 environment.systemPackages = mkIf cfg.enable [ cfg.package ];
@@ -50,7 +50,7 @@ in
 wantedBy = [ "headscale.service" ];
 script = ''
 sleep 60 # Wait for headscale to be ready
- "${lib.getExe cfg.package}/bin/headscale namespaces create ts || true
+ ${getExe cfg.package} namespaces create ts || true
 '';
 };
diff --git a/profiles/vpn-pbsds/tailscale.nix b/profiles/vpn-pbsds/tailscale.nix
index 6bd7e3c..7da620f 100644
--- a/profiles/vpn-pbsds/tailscale.nix
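Review bot: The last line of the hunk, the `nixos-manual-19.09` path, still reads `inputs.nixpkgs-19`, but this commit removes the `nixpkgs-19` input from flake.nix and replaces it with `nixpkgs-1909`, so that entry now refers to an attribute that no longer exists; it should become `path = "${mk-nixos-manual inputs.nixpkgs-1909}/share/doc/nixos";`, matching the four renames above it. As with the nixpkgs manuals, the `/** /` at the top of the hunk suggests the block is currently disabled, which is why evaluation does not catch it. The 19.09 entry continues past the end of the hunk.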
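Review bot: The corrected script line `${getExe cfg.package} namespaces create ts || true` now invokes the right binary, but `|| true` still hides every failure, not only the "already exists" case it is there for: headscale not listening yet despite the `sleep 60`, a socket permission error, or the subcommand having been renamed (newer headscale releases call namespaces "users", so this may stop working silently on a package bump) all leave the unit reporting success with no namespace created. I would test for the namespace and let a genuine error fail the unit, e.g. `${getExe cfg.package} namespaces list | grep -qw ts || ${getExe cfg.package} namespaces create ts`, and drop the `|| true`. The other hunk in this file, `@@ -3,7 +3,7 @@`, is only the matching `inherit` of `getExe`. The systemd unit this script belongs to begins before the hunk.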
+++ b/profiles/vpn-pbsds/tailscale.nix
@@ -1,12 +1,35 @@
-{ config, ...}:
+{ config, pkgs, lib, ...}:
+let
+ cfg = config.services.tailscale;
+ inherit (lib) mkIf getExe;
+in
 {
 services.tailscale.enable = true;
 networking.firewall.checkReversePath = "loose";
- networking.firewall.trustedInterfaces = [ "tailscale0" ];
- networking.firewall.allowedUDPPorts = [ config.services.tailscale.port ];
+ networking.firewall.trustedInterfaces = [ cfg.interfaceName ];
+ networking.firewall.allowedUDPPorts = [ cfg.port ];
- # remote-set X
- # tailscale up --login-server 'https://head.pbsds.net'
- # ssh noximilien.pbsds.net headscale --namespace nodes register --key
+ /** /
+ systemd.services."tailscale-autoconnect" = mkIf cfg.enable {
+ serviceConfig.Type = "oneshot";
+ after = [ "network-pre.target" "tailscale.service" ];
+ wants = [ "network-pre.target" "tailscale.service" ];
+ wantedBy = [ "tailscale.service" ];
+ script = ''
+ sleep 60 # Wait for tailscaled to settle
+ status="$(${getExe cfg.package} status -json | ${getExe pkgs.jq} -r .BackendState)"
+ if [ $status = "Running" ]; then
+ exit 0 # already authenticated
+ fi
+
+ #${getExe cfg.package} up -authkey tskey-examplekeyhere
+ '';
+ };
+ /**/
+
+
+ # remote sudo nixos-rebuild switch --flake . -L
+ # remote-quick sudo tailscale up --login-server 'https://head.pbsds.net'
+ # ssh noximilien.pbsds.net sudo headscale --namespace 'ts' nodes register --key
 }
diff --git a/users/pbsds/default.nix b/users/pbsds/default.nix
index 8f9a38e..a345a6f 100644
--- a/users/pbsds/default.nix
+++ b/users/pbsds/default.nix
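Review bot: The commented-out template `#${getExe cfg.package} up -authkey tskey-examplekeyhere` invites pasting a real pre-auth key into this file, where it would end up in git history and, once the unit is enabled, in the world-readable Nix store as part of the generated script. The key belongs in a sops-nix secret read at runtime — every host already imports `inputs.sops-nix.nixosModules.sops` via mkModule — for instance by pointing NixOS's `services.tailscale.authKeyFile` at the decrypted secret path, which I believe is available on 23.05 and later but is worth confirming against the module before relying on it. Separately, `if [ $status = "Running" ]; then` leaves `$status` unquoted, so an empty or multi-word value from `jq` (tailscaled not answering yet, `null`) makes `[` fail with a syntax error instead of falling through to the login step; write `if [ "$status" = "Running" ]; then`. Both lines sit inside the `/** /` … `/**/` toggle and are inactive as committed, but a single check after a fixed `sleep 60` will be fragile once it is switched on.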
@@ -48,8 +48,9 @@
 # TODO: NAS stuff
 ] ++ lib.optionals config.virtualisation.docker.enable [
 "docker"
- ] ++ lib.optionals config.services.headscale.enable [
- config.services.headscale.group
+ # doesn't work...
+ #] ++ lib.optionals config.services.headscale.enable [
+ # config.services.headscale.group
 ];
 initialHashedPassword = "$6$yNgxTHcP1UYkNwuZ$1sBehnKgPjVnDe0tSV8kyfynWpfjDzuohZX6SoTrMnYFa3/aiMOtI6JppYevl.M6qYhBIT0XBvL6TqSSFWn8B/";
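Review bot: The headscale group membership is commented out with `# doesn't work...` rather than removed, and the comment does not say what failed, so the next reader cannot tell whether it was an evaluation problem (for example `config.services.headscale.group` being unavailable when the service is disabled, which the guarding `lib.optionals` ought to cover) or a runtime one, nor whether the user now lacks access the headscale profile expects. Either delete the three lines or replace the comment with the actual symptom, e.g. `# disabled: <error observed when evaluating config.services.headscale.group — fill in>`, so the dead code can be revisited with context. The user definition these lines belong to begins before the hunk.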