diff --git a/flake.lock b/flake.lock
index 9a46a8b..97db651 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,28 +1,5 @@
 {
 "nodes": {
- "agenix": {
- "inputs": {
- "darwin": [],
- "home-manager": "home-manager",
- "nixpkgs": [
- "nixpkgs"
- ],
- "systems": "systems"
- },
- "locked": {
- "lastModified": 1754433428,
- "narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=",
- "owner": "ryantm",
- "repo": "agenix",
- "rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d",
- "type": "github"
- },
- "original": {
- "owner": "ryantm",
- "repo": "agenix",
- "type": "github"
- }
- },
 "auto-cpufreq": {
 "inputs": {
 "nixpkgs": [
@@ -30,11 +7,11 @@
 ]
 },
 "locked": {
- "lastModified": 1758056808,
- "narHash": "sha256-7I4duKo9OdQ7sldgjoYBlpZ+xykszDj/IVz5hlJOaeg=",
+ "lastModified": 1752998173,
+ "narHash": "sha256-ZlYpBp2WOe03UrpjJGz5KTOL/pp7A452hJO/Vc8C4/0=",
 "owner": "AdnanHodzic",
 "repo": "auto-cpufreq",
- "rev": "9f86acc38dca4299b70ea55ae6c52902da5c903c",
+ "rev": "562278377ffa96f3c1af49c7b499df028ce8d8bd",
 "type": "github"
 },
 "original": {
@@ -50,11 +27,11 @@
 ]
 },
 "locked": {
- "lastModified": 1757508292,
- "narHash": "sha256-7lVWL5bC6xBIMWWDal41LlGAG+9u2zUorqo3QCUL4p4=",
+ "lastModified": 1753140376,
+ "narHash": "sha256-7lrVrE0jSvZHrxEzvnfHFE/Wkk9DDqb+mYCodI5uuB8=",
 "owner": "nix-community",
 "repo": "disko",
- "rev": "146f45bee02b8bd88812cfce6ffc0f933788875a",
+ "rev": "545aba02960caa78a31bd9a8709a0ad4b6320a5c",
 "type": "github"
 },
 "original": {
@@ -119,36 +96,15 @@
 "home-manager": {
 "inputs": {
 "nixpkgs": [
- "agenix",
 "nixpkgs"
 ]
 },
 "locked": {
- "lastModified": 1745494811,
- "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
+ "lastModified": 1753592768,
+ "narHash": "sha256-oV695RvbAE4+R9pcsT9shmp6zE/+IZe6evHWX63f2Qg=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
- "type": "github"
- },
- "original": {
- "owner": "nix-community",
- "repo": "home-manager",
- "type": "github"
- }
- },
- "home-manager_2": {
- "inputs": {
- "nixpkgs": [
- "nixpkgs"
- ]
- },
- "locked": {
- "lastModified": 1757808926,
- "narHash": "sha256-K6PEI5PYY94TVMH0mX3MbZNYFme7oNRKml/85BpRRAo=",
- "owner": "nix-community",
- "repo": "home-manager",
- "rev": "f21d9167782c086a33ad53e2311854a8f13c281e",
+ "rev": "fc3add429f21450359369af74c2375cb34a2d204",
 "type": "github"
 },
 "original": {
@@ -181,11 +137,11 @@
 },
 "nixos-hardware": {
 "locked": {
- "lastModified": 1757943327,
- "narHash": "sha256-w6cDExPBqbq7fTLo4dZ1ozDGeq3yV6dSN4n/sAaS6OM=",
+ "lastModified": 1754564048,
+ "narHash": "sha256-dz303vGuzWjzOPOaYkS9xSW+B93PSAJxvBd6CambXVA=",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "67a709cfe5d0643dafd798b0b613ed579de8be05",
+ "rev": "26ed7a0d4b8741fe1ef1ee6fa64453ca056ce113",
 "type": "github"
 },
 "original": {
@@ -197,11 +153,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1758070117,
- "narHash": "sha256-uLwwHFCZnT1c3N3biVe/0hCkag2GSrf9+M56+Okf+WY=",
+ "lastModified": 1754767907,
+ "narHash": "sha256-8OnUzRQZkqtUol9vuUuQC30hzpMreKptNyET2T9lB6g=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "e9b7f2ff62b35f711568b1f0866243c7c302028d",
+ "rev": "c5f08b62ed75415439d48152c2a784e36909b1bc",
 "type": "github"
 },
 "original": {
@@ -304,32 +260,14 @@
 },
 "root": {
 "inputs": {
- "agenix": "agenix",
 "auto-cpufreq": "auto-cpufreq",
 "disko": "disko",
- "home-manager": "home-manager_2",
+ "home-manager": "home-manager",
 "lazy-apps": "lazy-apps",
 "nixos-hardware": "nixos-hardware",
 "nixpkgs": "nixpkgs",
 "proxmox-nixos": "proxmox-nixos",
- "secrets": "secrets",
- "systems": "systems_3"
- }
- },
- "secrets": {
- "flake": false,
- "locked": {
- "lastModified": 1758149260,
- "narHash": "sha256-Pgw5Krmc27t+7On6fwHJWx0nuoLRu0XqwN5MHaZ5kys=",
- "ref": "refs/heads/main",
- "rev": "50fd7d5277505cbb3235aae9719d3b8b0c7fe692",
- "revCount": 5,
- "type": "git",
- "url": "ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git"
- },
- "original": {
- "type": "git",
- "url": "ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git"
+ "systems": "systems_2"
 }
 },
 "systems": {
@@ -348,21 +286,6 @@
 }
 },
 "systems_2": {
- "locked": {
- "lastModified": 1681028828,
- "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
- "owner": "nix-systems",
- "repo": "default",
- "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
- "type": "github"
- },
- "original": {
- "owner": "nix-systems",
- "repo": "default",
- "type": "github"
- }
- },
- "systems_3": {
 "locked": {
 "lastModified": 1689347949,
 "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
@@ -379,7 +302,7 @@
 },
 "utils": {
 "inputs": {
- "systems": "systems_2"
+ "systems": "systems"
 },
 "locked": {
 "lastModified": 1710146030,
diff --git a/flake.nix b/flake.nix
index fab5bf0..a4ec7a2 100644
--- a/flake.nix
+++ b/flake.nix
@@ -22,17 +22,7 @@
 url = "github:nix-community/disko";
 inputs.nixpkgs.follows = "nixpkgs";
 };
- agenix = {
- url = "github:ryantm/agenix";
- inputs = {
- nixpkgs.follows = "nixpkgs";
- darwin.follows = "";
- };
- };
- secrets = {
- url = "git+ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git";
- flake = false;
- };
+ systems.url = "github:nix-systems/default-linux";
 };
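Review bot: The flake.lock hunks that accompany this input removal move every remaining input backwards rather than forwards — nixpkgs goes from lastModified 1758070117 to 1754767907, and home-manager, disko, auto-cpufreq and nixos-hardware regress the same way — which looks like a lock regenerated from an older checkout rather than from dropping `agenix` and `secrets` alone. Because nixpkgs is what `modules/auto-upgrade.nix` deploys nightly, this silently rolls back over a month of package and kernel updates on every host following this flake; regenerate the lock from the current checkout so that only the `agenix`, `secrets` and `systems` nodes change. Separately, the old lock already listed `systems` under root, so a `systems` declaration presumably existed somewhere in flake.nix before this change; if it is still present outside this hunk, the added `systems.url = "github:nix-systems/default-linux";` defines the attribute twice and the flake will not evaluate.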
@@ -44,7 +34,6 @@
 home-manager,
 auto-cpufreq,
 proxmox-nixos,
- agenix,
 disko,
 systems,
 ...
@@ -137,7 +126,6 @@
 modules = [
 disko.nixosModules.disko
- agenix.nixosModules.default
 ./hosts/srv01.hf
 ];
 };
diff --git a/hosts/srv01.hf/default.nix b/hosts/srv01.hf/default.nix
index feb2183..193fe35 100644
--- a/hosts/srv01.hf/default.nix
+++ b/hosts/srv01.hf/default.nix
@@ -4,10 +4,8 @@
 imports = [
 ../../modules/disko/efi-full-btrfs.nix
- ./secrets.nix
 ../../users/julius/nixos-server.nix
- ../../users/nixremote.nix
 ../../modules/nix.nix
 ../../modules/network-server.nix
 ../../modules/locale.nix
@@ -15,24 +13,11 @@
 ../../modules/sshd.nix
 ../../modules/qemu-guest.nix
 ../../modules/docker.nix
- ../../modules/teleport.nix
- ../../modules/portainer_agent.nix
 ../../modules/auto-upgrade.nix
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
 ];
- services.openssh.openFirewall = false;
- services.teleport = {
- enable = true;
- settings.teleport = {
- ca_pin = config.age.secrets."teleport-ca_pin".path;
- auth_token = config.age.secrets."teleport-join_token".path;
- };
- };
-
- virtualisation.oci-containers.containers.portainer_agent.environmentFiles = [ config.age.secrets."portainer-join_token".path ];
-
 systemd.network = {
 enable = true;
 networks."10-wan" = {
diff --git a/hosts/srv01.hf/secrets.nix b/hosts/srv01.hf/secrets.nix
deleted file mode 100644
index 8697e77..0000000
--- a/hosts/srv01.hf/secrets.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-{ inputs, ... }:
-{
- age.secrets = {
- teleport-ca_pin.file = "${inputs.secrets}/secrets/teleport/ca_pin";
- teleport-join_token.file = "${inputs.secrets}/secrets/srv01-hf/teleport_auth_token";
- portainer-join_token.file = "${inputs.secrets}/secrets/srv01-hf/portainer_join_token";
- };
-}
diff --git a/modules/auto-upgrade.nix b/modules/auto-upgrade.nix
index 3dc9849..5ed134e 100644
--- a/modules/auto-upgrade.nix
+++ b/modules/auto-upgrade.nix
@@ -1,6 +1,5 @@
 {
 inputs,
- pkgs,
 ...
 }: {
 system.autoUpgrade = {
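Review bot: Dropping `services.openssh.openFirewall = false;` in the second hosts/srv01.hf/default.nix hunk changes the host's exposure, not just its secrets handling: that option defaults to `true` and `../../modules/sshd.nix` stays in the imports, so sshd's port is now opened in the firewall of a host that configures a `10-wan` network, and with `teleport.nix` removed access presumably moves from Teleport-brokered to directly reachable SSH. If that is the intent, state it rather than relying on the default, `services.openssh.openFirewall = true; # Teleport removed; SSH is reached directly`, and confirm that sshd.nix (outside this diff) disables password authentication. With the Teleport and Portainer settings gone, `config` may no longer be referenced in this file; the module's argument list is above the hunk, so check it for a now-unused binding.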
@@ -12,26 +11,5 @@
 flake = inputs.self.outPath;
 dates = "02:00";
 randomizedDelaySec = "45min";
- allowReboot = true;
- rebootWindow = {
- lower = "01:00";
- upper = "05:00";
- };
- };
-
- # Also needs access to the nix-private repo which contains the encrypted secrets
- programs.ssh = {
- extraConfig = "
- Host git.jfreudenberger.de
- Port 222
- User git
- IdentityFile /etc/ssh/ssh_host_ed25519_key
- ";
- knownHostsFiles = [
- (pkgs.writeText "forgejo.keys" ''[git.jfreudenberger.de]:222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK+uqIeb9+AoqwD0Z6xLKI2dsRoS9Qh/VwboYfGpBJd+
-[git.jfreudenberger.de]:222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8GDSt4LsCzOoIZkqZRLgXyTLyHoJu62cFFP88i8GpSadyV6mJPkK5p2mgBzN/BM9I/G2VWfvqdM8Fy/7p3S8kDhmmkOk1AK7C/+qaQKsKcQauJuzNXlwMHG1Ivath80TO9PIQc9jYakP9xl8SACd5bwkvfEm3rS5awZ8T2hWgnsgO8pFHFOFmFnVbujXZk58FVTCxpgyPqjFv76JSYxpHk1VtiQ52jScsreOImEOWWg88f9IM9etWcshuxte4zudaqc2KjjAB6pYMuVj7O6cwMXKjCUxTzyomWjr2JoEruIslifbZ6bJGgswg5ENJSKURuMPgTuGM6Nrjp75V/yFD
-[git.jfreudenberger.de]:222 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOS447cAWRZgHPs6MOoRS6/J66oY753QPiM7BI63/qNDd5qrCan153dJd5lBGwDR0vMWiV/0cmzuACfP5QS1Lv8=
- '')
- ];
 };
 }
diff --git a/modules/docker.nix b/modules/docker.nix
index d216ec2..b9f7aa1 100644
--- a/modules/docker.nix
+++ b/modules/docker.nix
@@ -4,11 +4,8 @@
 ...
 }: {
- virtualisation = {
- docker = {
- enable = true;
- };
- oci-containers.backend = "docker";
+ virtualisation.docker = {
+ enable = true;
 };
 }
diff --git a/modules/portainer_agent.nix b/modules/portainer_agent.nix
deleted file mode 100644
index 8bebd6c..0000000
--- a/modules/portainer_agent.nix
+++ /dev/null
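Review bot: Removing `allowReboot = true;` and the `rebootWindow` block at the top of this hunk is unrelated to dropping the private-repo SSH access and changes patching behaviour: with `system.autoUpgrade.allowReboot` back at its default of `false`, an upgrade that brings a new kernel or systemd is installed but the running system keeps the old one until someone reboots by hand, so kernel security fixes stop taking effect on their own. If the nightly reboot is still wanted, keep `allowReboot = true; rebootWindow = { lower = "01:00"; upper = "05:00"; };`; if it is now handled elsewhere, a one-line comment saying so would stop the next reader restoring it. Separately, the removed `IdentityFile /etc/ssh/ssh_host_ed25519_key` entry implies this host's SSH host key was authorised on git.jfreudenberger.de for the nix-private repository; deleting the client config does not revoke that authorisation, so the key should also be removed on the Forgejo side now that the host no longer needs it.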
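Review bot: Dropping `oci-containers.backend = "docker";` in the modules/docker.nix hunk is a behaviour change beyond the Portainer cleanup: `virtualisation.oci-containers.backend` defaults to `"podman"`, so any other host or module that imports docker.nix and still declares `virtualisation.oci-containers.containers` would now have those containers started by podman against a configuration written for Docker. If no such users remain this is fine, but it is worth checking the rest of the tree before merging; otherwise keep the line. The remaining two-line attribute set could also collapse to `virtualisation.docker.enable = true;`.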
@@ -1,21 +0,0 @@
-{
- ...
-}: {
- virtualisation.oci-containers.containers = {
- portainer_agent = {
- image = "portainer/agent:2.33.1";
- volumes = [
- "/var/run/docker.sock:/var/run/docker.sock"
- "/var/lib/docker/volumes:/var/lib/docker/volumes"
- "/:/host"
- ];
- environment = {
- EDGE = "1";
- CAP_HOST_MANAGEMENT = "1";
- };
- extraOptions = [
- ''--mount=type=volume,source=portainer_agent,target=/data,volume-driver=local''
- ];
- };
- };
-}
diff --git a/users/nixremote.nix b/users/nixremote.nix
deleted file mode 100644
index b0075cb..0000000
--- a/users/nixremote.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- ...
-}: {
- users.users = {
- nixremote = {
- isNormalUser = true;
- uid = 1100;
- group = "users";
- };
- };
-
- nix.settings.trusted-users = [ "nixremote" ];
-}