stuff

2024-01-27 03:47:28 +01:00 · 2024-01-27 03:47:28 +01:00 · 9704c36cb3
parent 791758b499
commit 9704c36cb3
8 changed files with 223 additions and 39 deletions
--- a/base.nix
+++ b/base.nix
@ -1,21 +1,14 @@
 { config, pkgs, lib, inputs, ... }:
 {
-  imports = [
+  imports = let ifExists = p: if builtins.pathExists p then p else {}; in [
    ./cachix.nix # update with `cachix use --mode nixos -d . FOOBAR`
    ./profiles/locale-no.nix
    # results of 'nixos-generate-config'
    # nice to have if i just dump this flake into /etc/nixos on a clean install
-    (if builtins.pathExists ./configuration.nix
-      then ./configuration.nix
-      else {}
-    )
-    (if builtins.pathExists ./hardware-configuration.nix
-      then ./hardware-configuration.nix
-      else {}
-    )
+    (ifExists ./configuration.nix )
+    (ifExists ./hardware-configuration.nix )
  ];

-  # TODO: how can i do this in home-manager?
  nixpkgs.config.permittedInsecurePackages = [
    "pulsar-1.106.0"
    "pulsar-1.109.0"
--- a/flake.lock
+++ b/flake.lock
@ -135,6 +135,119 @@
        "type": "github"
      }
    },
+    "nixpkgs-1909": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1600952148,
+        "narHash": "sha256-GUKHrnng33luc6mUT3rDnZ3Hm+4MMEJpEchRIAQx7JQ=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "75f4ba05c63be3f147bcc2f7bd4ba1f029cedcb1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-19.09",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-2003": {
+      "locked": {
+        "lastModified": 1620055814,
+        "narHash": "sha256-8LEHoYSJiL901bTMVatq+rf8y7QtWuZhwwpKE2fyaRY=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "1db42b7fe3878f3f5f7a4f2dc210772fd080e205",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-20.03",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-2009": {
+      "locked": {
+        "lastModified": 1635350005,
+        "narHash": "sha256-tAMJnUwfaDEB2aa31jGcu7R7bzGELM9noc91L2PbVjg=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "1c1f5649bb9c1b0d98637c8c365228f57126f361",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-20.09",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-2105": {
+      "locked": {
+        "lastModified": 1659914493,
+        "narHash": "sha256-lkA5X3VNMKirvA+SUzvEhfA7XquWLci+CGi505YFAIs=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "022caabb5f2265ad4006c1fa5b1ebe69fb0c3faf",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-21.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-2111": {
+      "locked": {
+        "lastModified": 1659446231,
+        "narHash": "sha256-hekabNdTdgR/iLsgce5TGWmfIDZ86qjPhxDg/8TlzhE=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "eabc38219184cc3e04a974fe31857d8e0eac098d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-21.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-2205": {
+      "locked": {
+        "lastModified": 1685573264,
+        "narHash": "sha256-Zffu01pONhs/pqH07cjlF10NnMDLok8ix5Uk4rhOnZQ=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "380be19fbd2d9079f677978361792cb25e8a3635",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-22.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-2211": {
+      "locked": {
+        "lastModified": 1688392541,
+        "narHash": "sha256-lHrKvEkCPTUO+7tPfjIcb7Trk6k31rz18vkyqmkeJfY=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "ea4c80b39be4c09702b0cb3b42eab59e2ba4f24b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-22.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "nixpkgs-2305": {
      "locked": {
        "lastModified": 1704290814,
@ -239,6 +352,13 @@
        "home-manager-edge": "home-manager-edge",
        "nixos-generators-2311": "nixos-generators-2311",
        "nixos-hardware": "nixos-hardware",
+        "nixpkgs-1909": "nixpkgs-1909",
+        "nixpkgs-2003": "nixpkgs-2003",
+        "nixpkgs-2009": "nixpkgs-2009",
+        "nixpkgs-2105": "nixpkgs-2105",
+        "nixpkgs-2111": "nixpkgs-2111",
+        "nixpkgs-2205": "nixpkgs-2205",
+        "nixpkgs-2211": "nixpkgs-2211",
        "nixpkgs-2305": "nixpkgs-2305",
        "nixpkgs-2311": "nixpkgs-2311",
        "nixpkgs-edge": "nixpkgs-edge",
--- a/flake.nix
+++ b/flake.nix
@ -6,6 +6,14 @@
    nixpkgs-edge.url = "github:NixOS/nixpkgs/nixos-unstable";
    nixpkgs-2311.url = "github:NixOS/nixpkgs/nixos-23.11";
    nixpkgs-2305.url = "github:NixOS/nixpkgs/nixos-23.05";
+    nixpkgs-2211.url = "github:NixOS/nixpkgs/nixos-22.11"; # for old docs
+    nixpkgs-2205.url = "github:NixOS/nixpkgs/nixos-22.05"; # for old docs
+    nixpkgs-2111.url = "github:NixOS/nixpkgs/nixos-21.11"; # for old docs
+    nixpkgs-2105.url = "github:NixOS/nixpkgs/nixos-21.05"; # for old docs
+    nixpkgs-2009.url = "github:NixOS/nixpkgs/nixos-20.09"; # for old docs
+    nixpkgs-2003.url = "github:NixOS/nixpkgs/nixos-20.03"; # for old docs
+    nixpkgs-1909.url = "github:NixOS/nixpkgs/nixos-19.09"; # for old docs
+    nixpkgs-1909.flake = false; # Earlier versions are not flake-pure

    # https://github.com/nix-community/home-manager
    home-manager-edge.url = "github:nix-community/home-manager/master";
@ -43,13 +51,6 @@
    #https://github.com/numtide/nixpkgs-unfree # has a cache
    #https://github.com/matthewbauer/nixiosk
    inputs.pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix";
-
-    # used to host old docs
-    nixpkgs-22.url = "github:NixOS/nixpkgs/nixos-22.11";
-    nixpkgs-21.url = "github:NixOS/nixpkgs/nixos-21.11";
-    nixpkgs-20.url = "github:NixOS/nixpkgs/nixos-20.09";
-    nixpkgs-19.url = "github:NixOS/nixpkgs/nixos-19.09";
-    nixpkgs-19.flake = false; # Earlier versions are not flake-pure
    /**/

    #pbsds-papers.url = "git+ssh://git@github.com/pbsds/papers.git";
@ -95,6 +96,13 @@
      home-manager = inputs'.home-manager-2305;
      sops-nix = inputs'.sops-nix-2305;
    };
+    inputs-2211 = inputs-2305 // { nixpkgs = inputs'.nixpkgs-2211; };
+    inputs-2205 = inputs-2305 // { nixpkgs = inputs'.nixpkgs-2205; };
+    inputs-2111 = inputs-2305 // { nixpkgs = inputs'.nixpkgs-2111; };
+    inputs-2105 = inputs-2305 // { nixpkgs = inputs'.nixpkgs-2105; };
+    inputs-2009 = inputs-2305 // { nixpkgs = inputs'.nixpkgs-2009; };
+    inputs-2003 = inputs-2305 // { nixpkgs = inputs'.nixpkgs-2003; };
+    inputs-1909 = inputs-2305 // { nixpkgs = inputs'.nixpkgs-1909; };

    mkFlakeView = inputs: system: inputs.nixpkgs.lib.mapAttrs (name: flake: {
      # TODO filter non-flake inputs
@ -124,9 +132,9 @@
    mkModule = domain: system: inputs: stateVersion: modules: hostname: ({ lib, ... }: {
      system.stateVersion = lib.mkDefault stateVersion; # TODO: home-manager

-      imports = [
+      imports = let ifExists = p: if builtins.pathExists p then p else {}; in [
        ./base.nix
-        "${self}/hosts/${hostname}"
+        (ifExists "${self}/hosts/${hostname}")
        inputs.sops-nix.nixosModules.sops
        inputs.home-manager.nixosModule
      ] ++ modules;
@ -273,7 +281,7 @@
    in {
      envrc-local  = mkShell envrc-pkgs;
      envrc-remote = mkShell (envrc-pkgs ++ [
-        flakes.unstable.pkgs.remote-exec # TODO: stable
+        (pkgs.remote-exec or flakes.unstable.pkgs.remote-exec)
        pkgs.yq
        pkgs.rsync
      ]);
--- a/hosts/noximilien/default.nix
+++ b/hosts/noximilien/default.nix
@ -11,6 +11,8 @@
    ../../profiles/sshd.nix
    ../../profiles/podman.nix

+    ../../profiles/vpn-pbsds/headscale.nix # opens port 3478
+
    ../../users/pbsds
    ../../users/jornane

@ -25,8 +27,6 @@

    ../../profiles/services/tmate-server.nix # opens port 42244

-    ../../profiles/vpn-pbsds/headscale.nix
-
    ../../profiles/http # enables nginx+acme, defines mkDomain
    ../../profiles/http/index
    ../../profiles/http/services/cinny.nix
--- a/profiles/http/docs/nixpkgs.nix
+++ b/profiles/http/docs/nixpkgs.nix
@ -28,28 +28,52 @@ in
    }
    # == Old Nixpkgs manuals ==
    /** /
+    {
+      dirname = "nixpkgs-manual-23.05";
+      basename= "manual.html";
+      path    = "${mk-nixpkgs-manual inputs.nixpkgs-2213}05share/doc/nixpkgs";
+      desc    = "Official Nixpkgs 23.05 manual";
+    }
    {
      dirname = "nixpkgs-manual-22.11";
      basename= "manual.html";
-      path    = "${mk-nixpkgs-manual inputs.nixpkgs-22}/share/doc/nixpkgs";
+      path    = "${mk-nixpkgs-manual inputs.nixpkgs-2211}/share/doc/nixpkgs";
      desc    = "Official Nixpkgs 22.11 manual";
    }
+    {
+      dirname = "nixpkgs-manual-22.05";
+      basename= "manual.html";
+      path    = "${mk-nixpkgs-manual inputs.nixpkgs-2205}/share/doc/nixpkgs";
+      desc    = "Official Nixpkgs 22.05 manual";
+    }
    {
      dirname = "nixpkgs-manual-21.11";
      basename= "manual.html";
-      path    = "${mk-nixpkgs-manual inputs.nixpkgs-21}/share/doc/nixpkgs";
+      path    = "${mk-nixpkgs-manual inputs.nixpkgs-2111}/share/doc/nixpkgs";
      desc    = "Official Nixpkgs 21.11 manual";
    }
+    {
+      dirname = "nixpkgs-manual-21.05";
+      basename= "manual.html";
+      path    = "${mk-nixpkgs-manual inputs.nixpkgs-2105}/share/doc/nixpkgs";
+      desc    = "Official Nixpkgs 21.05 manual";
+    }
    {
      dirname = "nixpkgs-manual-20.09";
      basename= "manual.html";
-      path    = "${mk-nixpkgs-manual inputs.nixpkgs-20}/share/doc/nixpkgs";
+      path    = "${mk-nixpkgs-manual inputs.nixpkgs-2009}/share/doc/nixpkgs";
      desc    = "Official Nixpkgs 20.09 manual";
    }
+    {
+      dirname = "nixpkgs-manual-20.03";
+      basename= "manual.html";
+      path    = "${mk-nixpkgs-manual inputs.nixpkgs-2003}/share/doc/nixpkgs";
+      desc    = "Official Nixpkgs 20.03 manual";
+    }
    {
      dirname = "nixpkgs-manual-19.09";
      basename= "manual.html";
-      path    = "${mk-nixpkgs-manual inputs.nixpkgs-19}/share/doc/nixpkgs";
+      path    = "${mk-nixpkgs-manual inputs.nixpkgs-1909}/share/doc/nixpkgs";
      desc    = "Official Nixpkgs 19.09 manual";
    }
    /**/
@ -57,19 +81,34 @@ in
    /** /
    {
      dirname = "nixos-manual-22.11";
-      path    = "${mk-nixos-manual inputs.nixpkgs-22}/share/doc/nixos";
+      path    = "${mk-nixos-manual inputs.nixpkgs-2211}/share/doc/nixos";
      desc    = "Official Nixos 22.11 manual";
    }
+    {
+      dirname = "nixos-manual-22.05";
+      path    = "${mk-nixos-manual inputs.nixpkgs-2205}/share/doc/nixos";
+      desc    = "Official Nixos 22.05 manual";
+    }
    {
      dirname = "nixos-manual-21.11";
-      path    = "${mk-nixos-manual inputs.nixpkgs-21}/share/doc/nixos";
+      path    = "${mk-nixos-manual inputs.nixpkgs-2111}/share/doc/nixos";
      desc    = "Official Nixos 21.11 manual";
    }
+    {
+      dirname = "nixos-manual-21.05";
+      path    = "${mk-nixos-manual inputs.nixpkgs-2105}/share/doc/nixos";
+      desc    = "Official Nixos 21.05 manual";
+    }
    {
      dirname = "nixos-manual-20.09";
-      path    = "${mk-nixos-manual inputs.nixpkgs-20}/share/doc/nixos";
+      path    = "${mk-nixos-manual inputs.nixpkgs-2009}/share/doc/nixos";
      desc    = "Official Nixos 20.09 manual";
    }
+    {
+      dirname = "nixos-manual-20.03";
+      path    = "${mk-nixos-manual inputs.nixpkgs-2003}/share/doc/nixos";
+      desc    = "Official Nixos 20.03 manual";
+    }
    {
      dirname = "nixos-manual-19.09";
      path    = "${mk-nixos-manual inputs.nixpkgs-19}/share/doc/nixos";
--- a/profiles/vpn-pbsds/headscale.nix
+++ b/profiles/vpn-pbsds/headscale.nix
@ -3,7 +3,7 @@ let
  cfg = config.services.headscale;
  server-url = "head.pbsds.net";
  derpPort = 3478;
-  inherit (lib) mkIf;
+  inherit (lib) mkIf getExe;
 in
 {
  environment.systemPackages = mkIf cfg.enable [ cfg.package ];
@ -50,7 +50,7 @@ in
    wantedBy = [ "headscale.service" ];
    script = ''
      sleep 60 # Wait for headscale to be ready
-      "${lib.getExe cfg.package}/bin/headscale namespaces create ts || true
+      ${getExe cfg.package} namespaces create ts || true
    '';
  };

--- a/profiles/vpn-pbsds/tailscale.nix
+++ b/profiles/vpn-pbsds/tailscale.nix
@ -1,12 +1,35 @@
-{ config, ...}:
+{ config, pkgs, lib, ...}:
+let
+  cfg = config.services.tailscale;
+  inherit (lib) mkIf getExe;
+in
 {
  services.tailscale.enable = true;
  networking.firewall.checkReversePath = "loose";
-  networking.firewall.trustedInterfaces = [ "tailscale0" ];
-  networking.firewall.allowedUDPPorts = [ config.services.tailscale.port ];
+  networking.firewall.trustedInterfaces = [ cfg.interfaceName ];
+  networking.firewall.allowedUDPPorts = [ cfg.port ];

-  # remote-set X
-  # tailscale up --login-server 'https://head.pbsds.net'
-  # ssh noximilien.pbsds.net headscale --namespace <namespace_name> nodes register --key <machine_key>
+  /** /
+  systemd.services."tailscale-autoconnect" = mkIf cfg.enable {
+    serviceConfig.Type = "oneshot";
+    after = [ "network-pre.target" "tailscale.service" ];
+    wants = [ "network-pre.target" "tailscale.service" ];
+    wantedBy = [ "tailscale.service" ];
+    script = ''
+      sleep 60 # Wait for tailscaled to settle

+      status="$(${getExe cfg.package} status -json | ${getExe pkgs.jq} -r .BackendState)"
+      if [ $status = "Running" ]; then
+        exit 0 # already authenticated
+      fi
+
+      #${getExe cfg.package} up -authkey tskey-examplekeyhere
+    '';
+  };
+  /**/
+
+
+  # remote sudo nixos-rebuild switch --flake . -L
+  # remote-quick sudo tailscale up --login-server 'https://head.pbsds.net'
+  # ssh noximilien.pbsds.net sudo headscale --namespace 'ts' nodes register --key <machine_key>
 }
--- a/users/pbsds/default.nix
+++ b/users/pbsds/default.nix
@ -48,8 +48,9 @@
      # TODO: NAS stuff
    ] ++ lib.optionals config.virtualisation.docker.enable [
      "docker"
-    ] ++ lib.optionals config.services.headscale.enable [
-      config.services.headscale.group
+    # doesn't work...
+    #] ++ lib.optionals config.services.headscale.enable [
+    #  config.services.headscale.group
    ];

    initialHashedPassword = "$6$yNgxTHcP1UYkNwuZ$1sBehnKgPjVnDe0tSV8kyfynWpfjDzuohZX6SoTrMnYFa3/aiMOtI6JppYevl.M6qYhBIT0XBvL6TqSSFWn8B/";