diff --git a/flake.nix b/flake.nix
index 85ae672..703560f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -53,7 +53,7 @@
 } @ inputs: let
 inherit (nixpkgs) lib;
- inherit (builtins) filter mapAttrs attrValues concatLists;
+ inherit (builtins) mapAttrs;
 util = import ./util.nix inputs;
diff --git a/nixos/common/modules/default.nix b/nixos/common/modules/default.nix
index 386191b..9b31e01 100644
--- a/nixos/common/modules/default.nix
+++ b/nixos/common/modules/default.nix
@@ -4,5 +4,6 @@
 ./flood.nix
 ./unpackerr.nix
 ./vmagent.nix
+ ./vault.nix
 ];
 }
diff --git a/nixos/common/modules/vault.nix b/nixos/common/modules/vault.nix
new file mode 100644
index 0000000..65a87e6
--- /dev/null
+++ b/nixos/common/modules/vault.nix
@@ -0,0 +1,75 @@
+{ config, pkgs, lib, flat_hosts, ... }:
+with lib;
+let
+ cfg = config.services.v.vault;
+ hostIP = config.deployment.targetHost;
+
+ vault_hosts =
+ filter ({ tags ? [ ], ip ? "", ... }: (elem "vault" tags) && (ip != hostIP))
+ flat_hosts;
+ cluster_config = concatStrings (map ({ ip, ... }: ''
+ retry_join {
+ leader_api_addr = "http://${ip}:${toString cfg.port}"
+ }
+ '') vault_hosts);
+in {
+ options.services.v.vault = {
+ enable = mkEnableOption "v.vault";
+
+ node_id = mkOption {
+ type = types.str;
+ description = ''
+ The cluster node id of this node
+ '';
+ };
+
+ openFirewall = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to open port port and clusterPort in the firewall for vault
+ '';
+ };
+
+ port = mkOption {
+ type = types.int;
+ default = 8200;
+ description = ''
+ The port vault listens on
+ **note:** this has to be the same for all nodes in a cluster
+ '';
+ };
+
+ clusterPort = mkOption {
+ type = types.int;
+ default = 8201;
+ description = ''
+ The cluster port vault listens on
+ **note:** this has to be the same for all nodes in a cluster
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ networking.firewall.allowedTCPPorts =
+ mkIf cfg.openFirewall [ cfg.port cfg.clusterPort ];
+
+ services.vault = {
+ enable = true;
+ # bin version includes the UI
+ package = pkgs.vault-bin;
+ address = "0.0.0.0:${toString cfg.port}";
+ storageBackend = "raft";
+ storagePath = "/var/lib/vault-raft";
+ storageConfig = ''
+ node_id = "${cfg.node_id}"
+ '' + cluster_config;
+ extraConfig = ''
+ ui = true
+ disable_mlock = true
+ api_addr = "http://${hostIP}:${toString cfg.port}"
+ cluster_addr = "http://${hostIP}:${toString cfg.clusterPort}"
+ '';
+ };
+ };
+}
diff --git a/nixos/hosts/hades/default.nix b/nixos/hosts/hades/default.nix
index a750235..73dd9ae 100644
--- a/nixos/hosts/hades/default.nix
+++ b/nixos/hosts/hades/default.nix
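Review bot: Every address the module writes is hard-coded to plain HTTP — `api_addr`, `cluster_addr` and each generated `retry_join { leader_api_addr = "http://…" }` — while the listener binds `0.0.0.0` and every host config in this commit sets `openFirewall = true`, so Vault API traffic (tokens included) crosses the 192.168.0.x/10.42.42.x links in cleartext and no host can opt into TLS without bypassing the module. The per-host configs it replaces used the same scheme, but a shared module is the place to fix it: expose `tlsCertFile`/`tlsKeyFile`, pass them through to `services.vault`, and derive the URL scheme from whether a certificate is set, as sketched below. Separately, `vault_hosts` excludes the local node only when `config.deployment.targetHost` is byte-equal to the `ip` entry in `flat_hosts`; if `targetHost` is ever a hostname rather than the address, the node presumably ends up with a `retry_join` pointing at itself, so that assumption deserves a comment or an assertion. The `openFirewall` description also reads "open port port and clusterPort".
```nix
  # every URL must agree with the listener's scheme, which the NixOS
  # services.vault module selects from tlsCertFile
  scheme = if cfg.tlsCertFile != null then "https" else "http";
  cluster_config = concatStrings (map ({ ip, ... }: ''
    retry_join {
      leader_api_addr = "${scheme}://${ip}:${toString cfg.port}"
    }
  '') vault_hosts);
in {
  options.services.v.vault = {
    # … unchanged: enable, node_id, openFirewall, port, clusterPort …

    tlsCertFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = ''
        PEM certificate for the API listener; null leaves it on plain HTTP
        **note:** this has to be the same choice for all nodes in a cluster
      '';
    };

    tlsKeyFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = "Private key matching tlsCertFile";
    };
  };

  config = mkIf cfg.enable {
    # … unchanged: firewall …

    services.vault = {
      # … unchanged: enable, package, address, storageBackend, storagePath, storageConfig …
      tlsCertFile = cfg.tlsCertFile;
      tlsKeyFile = cfg.tlsKeyFile;
      extraConfig = ''
        ui = true
        disable_mlock = true
        api_addr = "${scheme}://${hostIP}:${toString cfg.port}"
        cluster_addr = "http://${hostIP}:${toString cfg.clusterPort}"
      '';
    };
  };
}
```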
@@ -33,6 +33,7 @@
 hostname = "vault-0";
 ip = "192.168.0.103";
 mac = "7A:14:15:ED:D1:E6";
+ tags = [ "vault" ];
 }
 {
 hostname = "MariaDB";
diff --git a/nixos/hosts/hades/vault-0/configuration.nix b/nixos/hosts/hades/vault-0/configuration.nix
index e197981..58bdcc9 100644
--- a/nixos/hosts/hades/vault-0/configuration.nix
+++ b/nixos/hosts/hades/vault-0/configuration.nix
@@ -2,11 +2,7 @@
 # your system. Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 
-{ config, pkgs, hosts, ... }:
-let
- port = 8200;
- clusterPort = 8201;
-in {
+{ config, pkgs, hosts, ... }: {
 # This value determines the NixOS release from which the default
 # settings for stateful data, like file locations and database versions
 # on your system were taken. It‘s perfectly fine and recommended to leave
@@ -16,31 +12,9 @@ in {
 system.stateVersion = "21.05"; # Did you read the comment?
 
 # Vault
- networking.firewall.allowedTCPPorts = [ port clusterPort ];
-
- services.vault = {
+ services.v.vault = {
 enable = true;
- # bin version includes the UI
- package = pkgs.vault-bin;
- address = "0.0.0.0:${toString port}";
- storageBackend = "raft";
- storagePath = "/var/lib/vault-raft";
- storageConfig = ''
- node_id = "hades-1"
-
- retry_join {
- leader_api_addr = "http://10.42.42.30:${toString port}"
- }
-
- retry_join {
- leader_api_addr = "http://10.42.42.6:${toString port}"
- }
- '';
- extraConfig = ''
- ui = true
- disable_mlock = true
- api_addr = "http://192.168.0.103:${toString port}"
- cluster_addr = "http://192.168.0.103:${toString clusterPort}"
- '';
+ openFirewall = true;
+ node_id = "hades-1";
 };
 }
diff --git a/nixos/hosts/olympus/default.nix b/nixos/hosts/olympus/default.nix
index a2d0f55..a40399a 100644
--- a/nixos/hosts/olympus/default.nix
+++ b/nixos/hosts/olympus/default.nix
@@ -30,6 +30,7 @@
 ip = "10.42.42.6";
 mac = "16:2B:87:55:0C:0C";
 profile = "vault-0";
+ tags = [ "vault" ];
 }
 {
 hostname = "mosquitto";
@@ -155,6 +156,7 @@
 ip = "10.42.42.30";
 mac = "26:69:0E:7C:B3:79";
 profile = "vault-1";
+ tags = [ "vault" ];
 }
 {
 hostname = "nuc";
diff --git a/nixos/hosts/olympus/vault-0/configuration.nix b/nixos/hosts/olympus/vault-0/configuration.nix
index 612f519..0e508de 100644
--- a/nixos/hosts/olympus/vault-0/configuration.nix
+++ b/nixos/hosts/olympus/vault-0/configuration.nix
@@ -3,9 +3,10 @@
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 
 { config, pkgs, hosts, ... }:
-let
+let 
 port = 8200;
 clusterPort = 8201;
+ ip = config.deployment.targetHost;
 in {
 # This value determines the NixOS release from which the default
 # settings for stateful data, like file locations and database versions
@@ -15,31 +16,10 @@ in {
 # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
 system.stateVersion = "21.05"; # Did you read the comment?
 
- # Additional packages
- environment.systemPackages = with pkgs; [ ];
-
 # Vault
- networking.firewall.allowedTCPPorts = [ port clusterPort ];
-
- services.vault = {
+ services.v.vault = {
 enable = true;
- # bin version includes the UI
- package = pkgs.vault-bin;
- address = "0.0.0.0:${toString port}";
- storageBackend = "raft";
- storagePath = "/var/lib/vault-raft";
- storageConfig = ''
- node_id = "olympus-1"
-
- retry_join {
- leader_api_addr = "http://10.42.42.30:${toString port}"
- }
- '';
- extraConfig = ''
- ui = true
- disable_mlock = true
- api_addr = "http://10.42.42.6:${toString port}"
- cluster_addr = "http://10.42.42.6:${toString clusterPort}"
- '';
+ openFirewall = true;
+ node_id = "olympus-1";
 };
 }
diff --git a/nixos/hosts/olympus/vault-1/configuration.nix b/nixos/hosts/olympus/vault-1/configuration.nix
index 5bcf47f..ed2ce83 100644
--- a/nixos/hosts/olympus/vault-1/configuration.nix
+++ b/nixos/hosts/olympus/vault-1/configuration.nix
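Review bot: The `let` block in the olympus/vault-0 hunk `@@ -3,9 +3,10 @@` now binds only dead names: `port` and `clusterPort` lose their last uses in the second hunk of that file (the firewall line and the vault config strings are removed), and the newly added `ip = config.deployment.targetHost;` is never read anywhere on the new side. The hades host in this same commit already collapsed its header to `{ config, pkgs, hosts, ... }: {`; do the same here and the `-let`/`+let ` trailing-whitespace churn disappears with it. If `ip` was meant to feed `node_id` or the advertised addresses later, that belongs in the shared module, which already reads `deployment.targetHost`, rather than as an unused binding here.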
@@ -15,31 +15,13 @@ in {
 # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
 system.stateVersion = "21.05"; # Did you read the comment?
 
- # Additional packages
- environment.systemPackages = with pkgs; [ ];
-
 # Vault
 networking.firewall.allowedTCPPorts = [ port clusterPort ];
 
- services.vault = {
+ # Vault
+ services.v.vault = {
 enable = true;
- # bin version includes the UI
- package = pkgs.vault-bin;
- address = "0.0.0.0:${toString port}";
- storageBackend = "raft";
- storagePath = "/var/lib/vault-raft";
- storageConfig = ''
- node_id = "olympus-2"
-
- retry_join {
- leader_api_addr = "http://10.42.42.6:${toString port}"
- }
- '';
- extraConfig = ''
- ui = true
- disable_mlock = true
- api_addr = "http://10.42.42.30:${toString port}"
- cluster_addr = "http://10.42.42.30:${toString clusterPort}"
- '';
+ openFirewall = true;
+ node_id = "olympus-2";
 };
 }
diff --git a/nixos/hosts/thalassa/null/configuration.nix b/nixos/hosts/thalassa/null/configuration.nix
index 9faf63f..3426b44 100644
--- a/nixos/hosts/thalassa/null/configuration.nix
+++ b/nixos/hosts/thalassa/null/configuration.nix
@@ -30,22 +30,18 @@ let
 exec Hyprland
 '';
 
-in
-{
- imports =
- [
- # Include the results of the hardware scan.
- ./hardware-configuration.nix
- ./networking.nix
- ];
+in {
+ imports = [
+ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ./networking.nix
+ ];
 
 # home-manager
 home-manager.useGlobalPkgs = true;
 home-manager.useUserPackages = true;
 home-manager.users.victor = import ./home;
- home-manager.extraSpecialArgs = {
- inherit inputs;
- };
+ home-manager.extraSpecialArgs = { inherit inputs; };
 
 security.pam.services.swaylock = { };
 
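Review bot: In the olympus/vault-1 hunk the context line `networking.firewall.allowedTCPPorts = [ port clusterPort ];` survives while the new block also sets `openFirewall = true;`, so the same two ports are now opened from two sources — the module's `cfg.port`/`cfg.clusterPort` and this file's local `port`/`clusterPort` (presumably bound in the `let` above the hunk), which will silently diverge if either default changes. Remove the firewall line and the local bindings, as the vault-0 configuration in this commit does, and keep a single `# Vault` header; the new side currently carries one above the firewall line and a second one above `services.v.vault`.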
@@ -58,7 +54,10 @@ in
 noto-fonts-cjk
 noto-fonts-emoji
 dejavu_fonts
- (nerdfonts.override { fonts = [ "DejaVuSansMono" "Ubuntu" "DroidSansMono" "NerdFontsSymbolsOnly" ]; })
+ (nerdfonts.override {
+ fonts =
+ [ "DejaVuSansMono" "Ubuntu" "DroidSansMono" "NerdFontsSymbolsOnly" ];
+ })
 ];
 enableDefaultFonts = false;
 
@@ -66,8 +65,10 @@ in
 fontconfig = {
 defaultFonts = {
 monospace = [ "DejaVuSansMono Nerd Font" "Noto Color Emoji" ];
- sansSerif = [ "DejaVu Sans" "DejaVuSansMono Nerd Font" "Noto Color Emoji" ];
- serif = [ "DejaVu Serif" "DejaVuSansMono Nerd Font" "Noto Color Emoji" ];
+ sansSerif =
+ [ "DejaVu Sans" "DejaVuSansMono Nerd Font" "Noto Color Emoji" ];
+ serif =
+ [ "DejaVu Serif" "DejaVuSansMono Nerd Font" "Noto Color Emoji" ];
 emoji = [ "Noto Color Emoji" ];
 };
 };
@@ -76,7 +77,7 @@ in
 # Bootloader.
 # boot.initrd.systemd.enable = true; # Experimental
 boot = {
- kernelPackages = pkgs.linuxPackages_latest;
+ kernelPackages = pkgs.linuxPackages_latest;
 loader.systemd-boot.editor = false;
 loader.systemd-boot.enable = true;
 loader.systemd-boot.configurationLimit = 6;
@@ -85,7 +86,7 @@ in
 };
 
 services.gnome.gnome-keyring.enable = true;
-
+
 fileSystems."/".options = [ "compress=zstd" ];
 # Filesystem dedup
 services.beesd.filesystems = {
@@ -112,16 +113,15 @@ in
 LC_TIME = "en_DK.UTF-8";
 };
 
- i18n.supportedLocales = [
- "en_GB.UTF-8/UTF-8"
- "nl_NL.UTF-8/UTF-8"
- "en_DK.UTF-8/UTF-8"
- ];
+ i18n.supportedLocales =
+ [ "en_GB.UTF-8/UTF-8" "nl_NL.UTF-8/UTF-8" "en_DK.UTF-8/UTF-8" ];
 
 xdg.portal = {
- enable = true;
- wlr.enable = true;
+ enable = true;
+ wlr.enable = true;
 };
+
+ services.udisks2.enable = true;
 services.dbus.enable = true;
 
 # Hyprland
@@ -218,7 +218,8 @@ in
 debug = false;
 cue = true;
 control = "sufficient";
- authFile = "/etc/u2f-mappings"; # use `pamu2fcfg` from `pkgs.pam_u2f` to generate this config
+ authFile =
+ "/etc/u2f-mappings"; # use `pamu2fcfg` from `pkgs.pam_u2f` to generate this config
 };
 
 programs.ssh.startAgent = true;
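Review bot: `services.udisks2.enable = true;` in the `@@ -112,16 +113,15 @@` hunk is the only functional change in a file whose other hunks are pure formatter reflow, and it lands between the portal and dbus settings without a word of explanation. It enables a system D-Bus service that lets the desktop session mount removable media, which changes what an unprivileged local user can do on this machine, so it deserves a one-line comment such as `# udisks2: removable-media mounting for the desktop session (authorised via polkit)` and ideally its own commit so the formatting noise does not hide it.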
@@ -228,10 +229,10 @@ in
 HandlePowerKey=suspend
 '';
 
- services.udev.packages = with pkgs; [
+ services.udev.packages = with pkgs; [
 android-udev-rules
 logitech-udev-rules
- qmk-udev-rules
+ qmk-udev-rules
 wooting-udev-rules
 ];