chore: migrate nine host

2025-07-30 19:47:47 +00:00 · 2025-02-22 17:38:46 +03:00 · 2025-02-22 17:38:46 +03:00 · bf396257de
commit bf396257de
parent f67d2760f7
34 changed files with 400 additions and 177 deletions
--- a/modules/acme/default.nix
+++ b/modules/acme/default.nix
@ -0,0 +1,21 @@
+{ config, ... }: let
+  inherit (config.networking) domain;
+in {
+  secrets.acmeEnvironment.file = ./environment.age;
+
+  security.acme = {
+    acceptTerms = true;
+
+    defaults = {
+      environmentFile = config.secrets.acmeEnvironment.path;
+      dnsProvider     = "cloudflare";
+      dnsResolver     = "1.1.1.1";
+      email           = "security@${domain}";
+    };
+
+    certs.${domain} = {
+      extraDomainNames = [ "*.${domain}" ];
+      group            = "nginx";
+    };
+  };
+}
--- a/modules/acme/environment.age
+++ b/modules/acme/environment.age
@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 +rZ0Tw /sYx2CZG4l/oWbh9aKT4lFOcSiwY6A9SxwgX32mXqBs
+iK6qzFpI4xGh5m4oqmW18eM2v6OVj/z3t1aRslnhH50
+-> ssh-ed25519 spFFQA S3tkGQbTGQgWcp8Uh625eMCnE/h4nFVeb/z1AVemBkw
+9RiAPo2w7PC+2abVofU1Aficcn0eOfvvOMgxGXRIL+0
+-> ssh-ed25519 dASlBQ zuVu1QbtutWUG93M+i/UlVlkrmUdz71SrW8jhV4Pxg4
+OMEdnXV0Ix11FRX58Q3zH7nRG2tSkBl1wDmGY7J4JLM
+-> ssh-ed25519 CzqbPQ XLqIYDBAQXyL4/khZ71XP6uajnkX2HhzA2Ksx1UTGiU
+MWrt9f1XjxECD4TRKbME2bN4XU1ns9VQ7btuqijXJYU
+--- rpTCT+04nE+Jl+2qDHbocBGeYQYBtW/EcRiYHWTqcvw
+ñP3ÐÔ¢p¸ŸQ¬^“¬ ³š8lA<6C>¶Å»‰ÌhYQê±	Gü×ÿ‘¢ðWÐüÊ'ï&ã×ªHÐÉ;Ü<>ï ¼	á*3™û Ð÷
+t€AõàOXkˆ>M¸††öiœ:!äo¸Ì›s9å!:£$£rŽ»ÿaŽ4"HUD
+Œ¾ËbHºôH£–w'Å Ì<C2A0>Ù±x·³ÌJ¨<>àXœYy«+å–ú¡P»(‹eG&&ŽTGÐ'ÔÍ8à:!)Ôª<Â´
--- a/modules/common/git.nix
+++ b/modules/common/git.nix
@ -95,8 +95,6 @@ in {
      '';

      programs.git = enabled {
-        package = pkgs.gitFull;
-
        userName  = homeConfig.programs.jujutsu.settings.user.name;
        userEmail = homeConfig.programs.jujutsu.settings.user.email;

--- a/modules/common/helix.nix
+++ b/modules/common/helix.nix
@ -240,7 +240,7 @@ in {

    # RUST
    pkgs.rust-analyzer-nightly
-    pkgs.lldb_20
+    pkgs.lldb

    # TYPESCRIPT & OTHERS
    pkgs.deno
--- a/modules/common/ip.nix
+++ b/modules/common/ip.nix
@ -0,0 +1,8 @@
+{ lib, ... }: let
+  inherit (lib) mkValue;
+in {
+  options.networking = {
+    ipv4 = mkValue null;
+    ipv6 = mkValue null;
+  };
+}
--- a/modules/common/nix.nix
+++ b/modules/common/nix.nix
@ -1,5 +1,5 @@
 { self, config, inputs, lib, pkgs, ... }: let
-  inherit (lib) concatStringsSep const disabled filterAttrs flip isType mapAttrs mapAttrsToList merge mkAfter optionalAttrs;
+  inherit (lib) concatStringsSep const disabled filterAttrs flip id isType mapAttrs mapAttrsToList merge mkAfter optionalAttrs;
  inherit (lib.strings) toJSON;

  registryMap = inputs
@ -11,7 +11,7 @@ in {

  nix.nixPath = registryMap
      |> mapAttrsToList (name: value: "${name}=${value}")
-      |> concatStringsSep ":";
+      |> (if config.isDarwin then concatStringsSep ":" else id);

  nix.registry = registryMap // { default = inputs.nixpkgs; }
    |> mapAttrs (_: flake: { inherit flake; });
--- a/modules/common/nushell/default.nix
+++ b/modules/common/nushell/default.nix
@ -1,31 +1,33 @@
 { config, lib, pkgs, ... }: let
  inherit (lib) enabled filter first foldl' getExe last match mkIf nameValuePair optionalAttrs readFile removeAttrs splitString;
 in {
-  users = optionalAttrs config.isLinux { defaultUserShell = pkgs.nushell; };
+  environment = optionalAttrs config.isLinux {
+    sessionVariables.SHELLS = getExe pkgs.nushell;
+  } // {
+    shells = mkIf config.isDarwin [ pkgs.nushell ];

-  environment.shells = mkIf config.isDarwin [ pkgs.nushell ];
+    shellAliases = {
+      la  = "ls --all";
+      lla = "ls --long --all";
+      sl  = "ls";

-  environment.shellAliases = {
-    la  = "ls --all";
-    lla = "ls --long --all";
-    sl  = "ls";
+      cp = "cp --recursive --verbose --progress";
+      mk = "mkdir";
+      mv = "mv --verbose";
+      rm = "rm --recursive --verbose";

-    cp = "cp --recursive --verbose --progress";
-    mk = "mkdir";
-    mv = "mv --verbose";
-    rm = "rm --recursive --verbose";
+      pstree = "pstree -g 2";
+      tree   = "tree -CF --dirsfirst";
+    };

-    pstree = "pstree -g 2";
-    tree   = "tree -CF --dirsfirst";
+    systemPackages = [
+      pkgs.fish   # For completions.
+      pkgs.zoxide # For completions and better cd.
+    ];
+
+    variables.STARSHIP_LOG = "error";
  };

-  environment.systemPackages = [
-    pkgs.fish   # For completions.
-    pkgs.zoxide # For completions and better cd.
-  ];
-
-  environment.variables.STARSHIP_LOG = "error";
-
  nixpkgs.overlays = [(self: super: {
    zoxide = super.zoxide.overrideAttrs (old: {
      src = self.fetchFromGitHub {
--- a/modules/common/python.nix
+++ b/modules/common/python.nix
@ -1,10 +1,6 @@
 { pkgs, ... }: {
  environment.systemPackages = [
-    (pkgs.python311.withPackages (pkgs: [
-      pkgs.pip
-      pkgs.requests
-    ]))
-
+    pkgs.python314
    pkgs.uv
  ];
 }
--- a/modules/common/ssh/config.age
+++ b/modules/common/ssh/config.age
--- a/modules/common/ssh/default.nix
+++ b/modules/common/ssh/default.nix
@ -46,11 +46,11 @@ in {
        #   port     = 2222;
        # };

-        # nine = {
-        #   hostname = self.nine.networking.ipv4;
-        #   user     = "seven";
-        #   port     = 2222;
-        # };
+        nine = {
+          hostname = self.nine.networking.ipv4;
+          user     = "seven";
+          port     = 2222;
+        };
      };
    };
  }];
--- a/modules/common/system.nix
+++ b/modules/common/system.nix
@ -1,5 +1,5 @@
 { config, lib, ... }: let
-  inherit (lib) any elem getAttr last mapAttrsToList mkConst splitString;
+  inherit (lib) last mkConst mkValue splitString;
 in {
  options = {
    os = mkConst <| last <| splitString "-" config.nixpkgs.hostPlatform.system;
@ -7,7 +7,9 @@ in {
    isLinux  = mkConst <| config.os == "linux";
    isDarwin = mkConst <| config.os == "darwin";

-    isDesktop = mkConst <| config.isDarwin || false; # (any (elem "graphical") <| mapAttrsToList (_: getAttr "extraGroups") config.users.users);
-    isServer  = mkConst <| !config.isDesktop;
+    type = mkValue "server";
+
+    isDesktop = mkConst <| config.type == "desktop";
+    isServer  = mkConst <| config.type == "server";
  };
 }
--- a/modules/linux/crash.nix
+++ b/modules/linux/crash.nix
@ -1,7 +1,3 @@
-{ config, lib, pkgs, ... }: let
-  inherit (lib) getExe;
-in {
-  environment.sessionVariables.SHELLS = getExe config.environment.sessionVariables.SHELL;
-
+{ pkgs, ... }: {
  users.defaultUserShell = pkgs.crash;
 }
--- a/modules/linux/endlessh-go.nix
+++ b/modules/linux/endlessh-go.nix
@ -1,5 +1,5 @@
 { config, lib, pkgs, ... }: let
-  inherit (lib) enabled merge mkEnableOption mkIf mkOption types;
+  inherit (lib) enabled mkEnableOption mkIf mkOption types;

  fakeSSHPort    = 22;
 in {
@ -19,7 +19,7 @@ in {
    extraOptions = [
      "-alsologtostderr"
      "-geoip_supplier max-mind-db"
-      "-max_mind_db ${pkgs.clash-geoip}/etc/clash/Country.mmdb"
+      "-max_mind_db ${pkgs.dbip-country-lite}/share/dbip/dbip-country-lite.mmdb"
    ];

    prometheus = config.services.prometheus.exporters.endlessh-go;
--- a/modules/linux/restic/default.nix
+++ b/modules/linux/restic/default.nix
@ -1,5 +1,5 @@
 { config, lib, ... }: let
-  inherit (lib) genAttrs merge mkConst mkIf remove;
+  inherit (lib) genAttrs mkConst mkIf remove;
 in{
  options.resticHosts = mkConst <| remove config.networking.hostName [ "cube" "disk" "nine" ];

--- a/modules/linux/restic/password.age
+++ b/modules/linux/restic/password.age
@ -1,11 +1,11 @@
 age-encryption.org/v1
-> ssh-ed25519 +rZ0Tw xhx8zm8GiLF+Y+2w9jxYr0k5EV09CwlYxaXlH9ZvRF8
-m6WXa1m9kRJxXHDamHhTuXbWkBqPmvzei6ZU/CgTTgE
-> ssh-ed25519 spFFQA jzcaT4YrjACZ8UdNBHCPr6oHTRtdGXBj8dR2TGEo9A0
-Q9t68ssLWmfSINP2l5ifRQ4q9ITpT6fx9lKnB1sdl2g
-> ssh-ed25519 dASlBQ FVfNa8ql4GBQc8lFGyLZ76yq3hY0/XJPT5IenlxuIRg
-4SmF95S6VDt43LuLZLPpUSB+4HHYl5LRVWV6MkW0q5M
-> ssh-ed25519 CzqbPQ 3BBzb1KkXAIzBsdQpHVQ53LjueHhJ8bcfZbH1ZV1D0I
-OoHk1f28Qr5HHaOVuVm/Pr8MqEuGtuHev2pzlYmc93c
--- TcuCWM/kQHR+DtXdZlZCXHDoDxsFkzQbfM/Ebbcb5BI
-<EFBFBD>|ìç38|H„%ËtˆÈ<CB86>38ÎŠrŠz¶‰ð?4ÜH¤“ÕŽ²ª’×ø<C397>Có+„Ò
+-> ssh-ed25519 +rZ0Tw CtS/6eNaVgR5InQp3n06/zY/rp6UOYEhe092pCHIKHM
+/GHgCc3HFQx079StHxc+bwy8UBn39xKLa0yC7TisI28
+-> ssh-ed25519 spFFQA /Pi6oNwnVhPbxqHqIdTTuyMKgYlrGZP54OsXPZPlkQE
+pWxgQH3AcKOO6k3XqfE7vqMh3KQvmMMobPzb7jFFV7w
+-> ssh-ed25519 dASlBQ kP3MP43ihgSVjFjW25E1sDIOZL9jBrZ8yv+ca8TjFn8
+cdKgnRSTykGS2C3m4IyYlBtSyTmS1SPSbesdR6egzHs
+-> ssh-ed25519 CzqbPQ 5AUMLp2mUwdNZpenEbI6Czw1yU9CxkCeratgkXjezWo
+dmAHKomz8ifPuLdmXgBVI8dAhlHfkTZ0/chhdCdTHhk
+--- wrGrDfB+rsqf65ALfKuDMhFD6cLMheAH9JXQXcvPhHc
+„b²¼–aFaÈ—v<E28094>¹¹½åd´<á3…s\<5C>þA¬±…ìÐÑê˜â¬ý<C2AC>#;ãn
--- a/modules/linux/steam.nix
+++ b/modules/linux/steam.nix
@ -1,4 +1,6 @@
-{ pkgs, ... }: {
+{ config, pkgs, lib, ... }: let
+  inherit (lib) merge mkIf;
+in merge <| mkIf config.isDesktop {
  # Steam uses 32-bit drivers for some unholy fucking reason.
  hardware.graphics.enable32Bit = true;

--- a/modules/mail/default.nix
+++ b/modules/mail/default.nix
@ -0,0 +1,53 @@
+{ self, config, lib, ... }: let
+  inherit (lib) const enabled genAttrs head mkDefault;
+  inherit (config.networking) domain;
+
+  fqdn = "mail1.${domain}";
+in {
+  imports = [(self + /modules/acme)];
+
+  secrets.mailPassword.file = ./password.hash.age;
+
+  services.prometheus.exporters.postfix = enabled {
+    listenAddress = "[::]";
+  };
+
+  services.restic.backups = genAttrs config.resticHosts <| const {
+    paths = [ config.mailserver.dkimKeyDirectory config.mailserver.mailDirectory ];
+  };
+
+  mailserver = enabled {
+    fqdn = mkDefault fqdn;
+
+    domains           = mkDefault [ domain ];
+    certificateScheme = "acme";
+
+    # We use systemd-resolved instead of Knot Resolver.
+    localDnsResolver = false;
+
+    hierarchySeparator = "/";
+    useFsLayout        = true;
+
+    dkimKeyDirectory = "/var/lib/dkim";
+    mailDirectory    = "/var/lib/mail";
+    sieveDirectory   = "/var/lib/sieve";
+
+    vmailUserName  = "mail";
+    vmailGroupName = "mail";
+
+    # The mailserver at <turkiye.gov> malfunctions.
+    # dmarcReporting = enabled {
+    #   domain = head config.mailserver.domains;
+
+    #   organizationName = "Doofemshmirtz Evil Inc.";
+    # };
+
+    fullTextSearch = enabled;
+
+    loginAccounts."contact@${head config.mailserver.domains}" = {
+      aliases = [ "@${head config.mailserver.domains}" ];
+
+      hashedPasswordFile = config.secrets.mailPassword.path;
+    };
+  };
+}
--- a/modules/mail/password.hash.age
+++ b/modules/mail/password.hash.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 +rZ0Tw 3FKgAlI2mIHkl623ktW4WVByhP3yZr0SGnUlMegyHHc
+gbSjIj69rEKgieBaCt7AbmVKM4SzKHpeFh6VidOuJ1M
+-> ssh-ed25519 spFFQA OxjlQ9UqV/ff49cTNl2y/RrQyhRHw/bZ6A4tssSRHGw
+S2vXscTOiuIj8K0jSxactZlfC1xNeOLK1pNiOsSzcu0
+-> ssh-ed25519 dASlBQ 37/rUlIczHaI5Kd8UY5nGjh4Zainn6aRoXJf2wCIMnQ
+RQnektskdprpUMzPqBqRk3jsOokDev3COMFILjgEKV4
+-> ssh-ed25519 CzqbPQ T77BWh2cC1MtJFbBdl3MFXuQ1Htlc/kWcCtHhWV+9l8
+A+3zHRx14GklmeHzbtGGVgzLQLNGz5Z39Fx5Oc08sDo
+--- ojzWUX7nzpF8qmd7JqY3utHTTYlboKQu6+jRec61sRE
+â°ÞSôKkrÁê™&bH“5wÖµ0€Ãe;U×jmUÅ9•¤hRØ¾%16Ò|]£*Æs´þÌëwW§yœT_þ[Öug8€Q]nDØà¨vá<76> „°ˆÎ	øCÑ
--- a/modules/mail/password.plain.age
+++ b/modules/mail/password.plain.age
@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 +rZ0Tw yK5fuqcnE1yO5tTAudZ/TXDvBf0sn4eCr39j/jZgil0
+hTr80COfDui7lhRnaDjNB2c2gtNOKQaiW4Yiz0am/A
+-> ssh-ed25519 spFFQA kDMyjjSxHOaLZ6ocr/q7MmRoqrXHdzHFzbZslaA0hlE
+jurwi1z6m+weYx5Wr3+E8+2fbYgwPFTKOPOuAYjt8wI
+-> ssh-ed25519 dASlBQ 5CYRg+Sw+jDk+S1EtLEG+PXf6EKJwx/Re9e/txOrs2A
+vUaTfOS9Fuce2x/qL5Pg3L0ZHZPBrhr63W4UT0n28uI
+-> ssh-ed25519 CzqbPQ 1uz6duuPfhpAjWjGdjwUGr7UHyqxG/zKn6rCVPgxSF8
+y5t/i2p08GqDOeaC27CJE528br/qU4i+iUEvMXDdX4w
+--- mGUus7T7rcsjt8LRCBc0vr5f3KFLSZweFYvaaNen+zg
+iOÐ2Ñ»GQ(o
ÿX3=>®:¨²É)mç½
+ÀÁ<EFBFBD>í"[ûQ»Q