chore: migrate cube host

2025-07-30 03:27:45 +00:00 · 2025-02-23 14:26:08 +03:00 · 2025-02-23 14:26:08 +03:00 · f2ab446c48
commit f2ab446c48
parent dad68acf68
45 changed files with 904 additions and 88 deletions
--- a/modules/acme/default.nix
+++ b/modules/acme/default.nix
@ -2,11 +2,11 @@
  inherit (config.networking) domain;
  inherit (lib) mkValue;
 in {
-  options.acmeUsers = mkValue [];
+  options.security.acme.users = mkValue [];

  config.secrets.acmeEnvironment.file = ./environment.age;

-  config.users.groups.acme.members = config.acmeUsers;
+  config.users.groups.acme.members = config.security.acme.users;

  config.security.acme = {
    acceptTerms = true;
--- a/modules/acme/environment.age
+++ b/modules/acme/environment.age
@ -1,11 +1,12 @@
 age-encryption.org/v1
-> ssh-ed25519 +rZ0Tw DMMzxXSIPSsRLkIvKJAiE6OzV1z3EZ0T+od2iIxMiA0
-OHVLHmVzeiWlsVI+DQ5M+iNik+nsdiQBz4zcquygC0A
-> ssh-ed25519 spFFQA TVqArtAoudQlrgAqshCP8ZU0YlVZoKwkvUVh968NqC8
-Cy7+Y1rTFiAoWp6Gw8a1cljCjWPHtNwXjlXWQyu8A8U
-> ssh-ed25519 dASlBQ ui5a61Tg1JoJvR8okc8qKkDhrSE9dH84XZQWhLn7cCo
-5ehK2bvVgLZSYr5AstV1dwW7/qaVGRxs8PdzAg7sk4w
-> ssh-ed25519 CzqbPQ wgktFhPRIAwX8BNJu8svEHDrpz0ZCOw94nR+M3FJCTY
-RAErTHg/g/voC7yPf2lB+ELmysNwQXre9jucw2y+ZVc
--- AB7oiyhts6riNlp5xuWsFTzIx2y7Axn0CU4uCXHfVLo
-ê`8³ô¡eß§J°SçT'ûBÄ›ýz÷gÖK‹‰Ÿ®üªÕ
¡zêš‰Wc¡FÝ¸3á‡´GRÁ}’²¼R×™qü6Ä]¢òn€0bÖ<+ãÉdàÔ´ø\EƒC”•MìUÍ±ÀØ¿3ü X{qé¶ö<C2B6>jÊ<6A>ŠEŠ0&MìÙë8x¸t‰öÊˆ¢°F	Ç}/Oáqž_<C5BE>:ýªÝï¹ÒŸ0£ö±ßá(•I/hôËKH„Ÿ„K\ÊÏX\'(ÒgÀŠ†b±A¶ßÜ<>
+-> ssh-ed25519 +rZ0Tw 9CETPqa+HdfpR1kRho1QnotNGFsLCVh64oRzP6DoF3Q
+nZ6qcscZQ3Auct11BaM0jsYLyGnseDQ7OwQgSvLqGDw
+-> ssh-ed25519 spFFQA 3oJSVeOECqU6ZkxLWErgrfn/3pLEEaJGy64OiGLvsXM
+dt7obdmMHz4rGJxqQuZm9ptbCbJmxk80s3ME0FNQWuI
+-> ssh-ed25519 dASlBQ A0OQkTL89cmKOhFlHerq98XxdEqn/EaXB+DlTbaGG2c
+X8sG3M7BEPrey204Bs2kLuiPI+r4LKvIVD+Xdz/Vfxk
+-> ssh-ed25519 CzqbPQ ZU/Fb5/XYBD9RQjMC4IQwQPSouotxFNWVpKdCsetNQk
+o97rTb0aofBUmjPyrY11NwE33az7+HxbYUlw6cjE9GU
+--- 8wtobvBFTd1V1idugrE6xnI1/QW/StCrcO6IjrRl/cQ
+}¡KœzLþD(ÙÁÓøÑŸ¨€Â_Ì²ÇtV¾~NÖ¥^¥'5ˆ\ø†ŒH.7ŸŽÔ¹h<Uè‹cœA§qŒA¬`&j±{â<>‹àÆsž[Ä"êpÈ©KG³WaKôìÁ/ñM@èê^VUýØtAß"&ãU½ŸPœö¶°›`¿p€,ÿ~XØ<58>Ë·8s(æV¦ã`¡åþw.l»^…<>ýòu _IA¥öx€SÚ¾Ã©
+_øÃ!NThŸÂZ¸%ˆi`ŒŸÎÝ
--- a/modules/common/dns.nix
+++ b/modules/common/dns.nix
@ -1,14 +1,14 @@
 { lib, ... }: let
  inherit (lib) mkConst;
 in {
-  options.dnsServers = mkConst [
+  options.networking.dns.servers = mkConst [
    "45.90.28.0#7f2bf8.dns.nextdns.io"
    "2a07:a8c0::#7f2bf8.dns.nextdns.io"
    "45.90.30.0#7f2bf8.dns.nextdns.io"
    "2a07:a8c1::#7f2bf8.dns.nextdns.io"
  ];

-  options.fallbackDnsServers = mkConst [
+  options.networking.dns.serversFallback = mkConst [
    "1.1.1.1#one.one.one.one"
    "2606:4700:4700::1111#one.one.one.one"

--- a/modules/common/ip.nix
+++ b/modules/common/ip.nix
@ -2,7 +2,10 @@
  inherit (lib) mkValue;
 in {
  options.networking = {
-    ipv4 = mkValue null;
-    ipv6 = mkValue null;
+    ipv4.address      = mkValue null;
+    ipv4.prefixLength = mkValue 22;
+
+    ipv6.address      = mkValue null;
+    ipv6.prefixLength = mkValue 64;
  };
 }
--- a/modules/common/ssh/config.age
+++ b/modules/common/ssh/config.age
--- a/modules/common/ssh/default.nix
+++ b/modules/common/ssh/default.nix
@ -34,20 +34,20 @@ in {

        # TODO: Maybe autogenerate these?

-        # cube = {
-        #   hostname = self.cube.networking.ipv4;
-        #   user     = "rgb";
-        #   port     = 2222;
-        # };
+        cube = {
+          hostname = self.cube.networking.ipv4.address;
+          user     = "rgb";
+          port     = 2222;
+        };

        disk = {
-          hostname = self.disk.networking.ipv4;
+          hostname = self.disk.networking.ipv4.address;
          user     = "floppy";
          port     = 2222;
        };

        nine = {
-          hostname = self.nine.networking.ipv4;
+          hostname = self.nine.networking.ipv4.address;
          user     = "seven";
          port     = 2222;
        };
--- a/modules/darwin/dns.nix
+++ b/modules/darwin/dns.nix
@ -1,9 +1,9 @@
 { config, lib, ... }: let
-  inherit (lib) head map splitString;
+  inherit (lib) head splitString;
 in {
  # Yeah, no DNSSEC or DoT or anything.
  # That's what you get for using Darwin I guess.
-  networking.dns = config.dnsServers
+  networking.dns = config.networking.dns.servers
    |> map (splitString "#")
    |> map head;

--- a/modules/linux/endlessh-go.nix
+++ b/modules/linux/endlessh-go.nix
@ -1,7 +1,7 @@
 { config, lib, pkgs, ... }: let
  inherit (lib) enabled mkEnableOption mkIf mkOption types;

-  fakeSSHPort    = 22;
+  portFakeSSH = 22;
 in {
  config.services.prometheus.exporters.endlessh-go = mkIf config.isServer <| enabled {
    listenAddress = "[::]";
@ -10,11 +10,11 @@ in {
  # `services.endlessh-go.openFirewall` exposes both the Prometheus
  # exporters port and the SSH port, and we don't want the metrics
  # to leak, so we manually expose this like so.
-  config.networking.firewall.allowedTCPPorts = mkIf config.isServer <| [ fakeSSHPort ];
+  config.networking.firewall.allowedTCPPorts = mkIf config.isServer <| [ portFakeSSH ];

  config.services.endlessh-go = mkIf config.isServer <| enabled {
    listenAddress = "[::]";
-    port          = fakeSSHPort;
+    port          = portFakeSSH;

    extraOptions = [
      "-alsologtostderr"
--- a/modules/linux/hyprland/hyprland.nix
+++ b/modules/linux/hyprland/hyprland.nix
@ -8,12 +8,12 @@ in merge <| mkIf config.isDesktop {
  xdg.portal = enabled {
    config.common.default = "*";

-    extraPortals = with pkgs; [
-      xdg-desktop-portal-hyprland
+    extraPortals = [
+      pkgs.xdg-desktop-portal-hyprland
    ];

-    configPackages = with pkgs; [
-      hyprland
+    configPackages = [
+      pkgs.hyprland
    ];
  };

@ -50,7 +50,7 @@ in merge <| mkIf config.isDesktop {
        enableXdgAutostart = true;
      };

-      # plugins = with pkgs; [ hyprcursors ];
+      # plugins = [ pkgs.hyprcursors ];

      # settings.plugin.dynamic-cursors = {
      #   mode  = "rotate";
--- a/modules/linux/ip.nix
+++ b/modules/linux/ip.nix
@ -3,14 +3,12 @@
  inherit (lib) optionals;
 in {
  networking.interfaces.${interface} = {
-    ipv4.addresses = optionals (config.networking.ipv4 != null) [{
-      address      = config.networking.ipv4;
-      prefixLength = 22;
+    ipv4.addresses = optionals (config.networking.ipv4.address != null) [{
+      inherit (config.networking.ipv4) address prefixLength;
    }];

-    ipv6.addresses = optionals (config.networking.ipv4 != null)  [{
-      address      = config.networking.ipv6;
-      prefixLength = 64;
+    ipv6.addresses = optionals (config.networking.ipv4.address != null)  [{
+      inherit (config.networking.ipv6) address prefixLength;
    }];
  };
 }
--- a/modules/linux/resolved.nix
+++ b/modules/linux/resolved.nix
@ -1,14 +1,14 @@
 { config, lib, ... }: let
-  inherit (lib) enabled concatStringsSep map;
+  inherit (lib) enabled concatStringsSep;
 in {
  services.resolved = enabled {
    dnssec     = "true";
    dnsovertls = "true";

-    extraConfig = config.dnsServers
+    extraConfig = config.networking.dns.servers
      |> map (server: "DNS=${server}")
      |> concatStringsSep "\n";

-    fallbackDns = config.fallbackDnsServers;
+    fallbackDns = config.networking.dns.serversFallback;
  };
 }
--- a/modules/linux/restic/default.nix
+++ b/modules/linux/restic/default.nix
@ -1,11 +1,11 @@
 { config, lib, ... }: let
  inherit (lib) genAttrs mkConst mkIf remove;
 in{
-  options.resticHosts = mkConst <| remove config.networking.hostName [ "cube" "disk" "nine" ];
+  options.services.restic.hosts = mkConst <| remove config.networking.hostName [ "cube" "disk" "nine" ];

  config.secrets.resticPassword.file = mkIf config.isServer ./password.age;

-  config.services.restic.backups =  mkIf config.isServer <| genAttrs config.resticHosts (host: {
+  config.services.restic.backups =  mkIf config.isServer <| genAttrs config.services.restic.hosts (host: {
    repository   = "sftp:backup@${host}:${config.networking.hostName}-backup";
    passwordFile = config.secrets.resticPassword.path;
    initialize   = true;
--- a/modules/linux/restic/password.age
+++ b/modules/linux/restic/password.age
--- a/modules/mail/default.nix
+++ b/modules/mail/default.nix
@ -10,11 +10,11 @@ in {
    listenAddress = "[::]";
  };

-  services.restic.backups = genAttrs config.resticHosts <| const {
+  services.restic.backups = genAttrs config.services.restic.hosts <| const {
    paths = [ config.mailserver.dkimKeyDirectory config.mailserver.mailDirectory ];
  };

-  acmeUsers = [ "mail" ];
+  security.acme.users = [ "mail" ];

  mailserver = enabled {
    domains           = mkDefault [ domain ];
--- a/modules/mail/password.hash.age
+++ b/modules/mail/password.hash.age
--- a/modules/mail/password.plain.age
+++ b/modules/mail/password.plain.age
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@ -2,13 +2,13 @@
  inherit (config.networking) domain;
  inherit (lib) enabled mkConst;
 in {
-  options.nginxSslTemplate = mkConst {
+  options.nginx.sslTemplate = mkConst {
    forceSSL    = true;
    quic        = true;
    useACMEHost = config.networking.domain;
  };

-  options.nginxHeaders = mkConst ''
+  options.nginx.headers = mkConst ''
    # TODO: Not working for some reason.
    add_header Access-Control-Allow-Origin $allow_origin;
    add_header Access-Control-Allow-Methods $allow_methods;
@ -33,7 +33,7 @@ in {
    listenAddress = "[::]";
  };

-  config.acmeUsers = [ "nginx" ];
+  config.security.acme.users = [ "nginx" ];

  config.services.nginx = enabled {
    package = pkgs.nginxQuic;
@ -61,7 +61,7 @@ in {
        ~^https://.+\.${domain}$ "GET, HEAD, OPTIONS";
      }

-      ${config.nginxHeaders}
+      ${config.nginx.headers}

      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
    '';
--- a/modules/site.nix
+++ b/modules/site.nix
@ -2,22 +2,22 @@
  inherit (config.networking) domain;
  inherit (lib) enabled merge;

-  sitePath = "/var/www/site";
+  pathSite = "/var/www/site";

-  notFoundLocationConfig = {
+  configNotFoundLocation = {
    extraConfig                  = "error_page 404 /404.html;";
    locations."/404".extraConfig = "internal;";
  };
 in {
  services.nginx = enabled {
-    virtualHosts.${domain} = merge config.nginxSslTemplate notFoundLocationConfig {
-      root = sitePath;
+    virtualHosts.${domain} = merge config.nginx.sslTemplate configNotFoundLocation {
+      root = pathSite;

      locations."/".tryFiles = "$uri $uri.html $uri/index.html =404";

      locations."/assets/".extraConfig = ''
        if ($request_method = OPTIONS) {
-          ${config.nginxHeaders}
+          ${config.nginx.headers}
          add_header Content-Type text/plain;
          add_header Content-Length 0;
          return 204;
@ -27,12 +27,12 @@ in {
      '';
    };

-    virtualHosts."www.${domain}" = merge config.nginxSslTemplate {
+    virtualHosts."www.${domain}" = merge config.nginx.sslTemplate {
      locations."/".extraConfig = "return 301 https://${domain}$request_uri;";
    };

-    virtualHosts._ = merge config.nginxSslTemplate notFoundLocationConfig {
-      root = sitePath;
+    virtualHosts._ = merge config.nginx.sslTemplate configNotFoundLocation {
+      root = pathSite;

      locations."/".extraConfig        = "return 404;";
      locations."/assets/".extraConfig = "return 301 https://${domain}$request_uri;";