From 6a5e8a2dc5d8d04b5bb056c987879d2c2351740c Mon Sep 17 00:00:00 2001
From: Christine Elisabeth Koppel
Date: Thu, 12 Feb 2026 15:00:54 +0100
Subject: [PATCH] Created preliminary foundation of testing the nix systems by Flakes.
---
 copy_pasta.zsh | 17 ++++++
 flake.lock | 27 ++++++++++
 flake.nix | 50 +++++++++++++++++
 .../sway_greetd_homemanager.nix | 5 +-
 .../modules/secrets-config/sops-wireguard.nix | 54 +++++++++++++++++++
 .../system/blank_system_USE_THIS_AS_COPY.nix | 10 ++--
 .../modules/system/compose-songsheet.nix | 19 ++++---
 .../modules/system/database.nix | 13 ++---
 nix-system-configs/modules/system/forgejo.nix | 12 ++---
 .../modules/system/teamspeak.nix | 16 +++---
 nix-system-configs/modules/system/traefik.nix | 10 ++--
 .../modules/system/wireguard_server.nix | 16 +++---
 12 files changed, 200 insertions(+), 49 deletions(-)
 create mode 100644 copy_pasta.zsh
 create mode 100644 flake.lock
 create mode 100644 flake.nix
 create mode 100644 nix-system-configs/modules/secrets-config/sops-wireguard.nix
diff --git a/copy_pasta.zsh b/copy_pasta.zsh
new file mode 100644
index 0000000..0f2792e
--- /dev/null
+++ b/copy_pasta.zsh
@@ -0,0 +1,17 @@
+
+export NIX_CONFIG="experimental-features = nix-command flakes"
+
+echo "=== nix --version ==="
+nix --version
+echo
+
+echo "=== nix flake show ==="
+nix flake show .
+echo
+
+echo "=== nix eval (raw toplevel) ==="
+nix eval --raw .#nixosConfigurations.nixos-local-wireguard-server.config.system.build.toplevel || true
+echo
+
+echo "=== nix build --dry-run ==="
+nix build --dry-run .#nixosConfigurations.nixos-local-wireguard-server.config.system.build.toplevel || true
\ No newline at end of file
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..f732214
--- /dev/null
+++ b/flake.lock
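Review bot: Both the `nix eval` and the `nix build --dry-run` line end in `|| true`, so the script exits 0 even when a configuration fails to evaluate, which means a run of this "test foundation" can never report a broken system. Dropping the `|| true` on both lines and opening the script with `set -euo pipefail` lets the first failing step fail the run, matching what `nix flake show .` already does. The script also exercises only `nixos-local-wireguard-server` while flake.nix declares seven hosts; an explicit list of host names looped over the same two commands would cover the rest. The file also ends without a trailing newline.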
@@ -0,0 +1,27 @@
+{
+ "nodes": {
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1770770419,
+ "narHash": "sha256-iKZMkr6Cm9JzWlRYW/VPoL0A9jVKtZYiU4zSrVeetIs=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "6c5e707c6b5339359a9a9e215c5e66d6d802fd7a",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-25.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "nixpkgs": "nixpkgs"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..f3c5349
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,50 @@
+{
+ description = "PRG Server Infrastructure - NixOS Configurations";
+
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
+ };
+
+ outputs = { self, nixpkgs, ... }:
+ let
+ system = "x86_64-linux";
+ in
+ {
+ nixosConfigurations = {
+ "nixos-local-wireguard-server" = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [ ./nix-system-configs/modules/system/wireguard_server.nix ];
+ };
+
+ "nixos-blank" = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [ ./nix-system-configs/modules/system/blank_system_USE_THIS_AS_COPY.nix ];
+ };
+
+ "nixos-songsheet" = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [ ./nix-system-configs/modules/system/compose-songsheet.nix ];
+ };
+
+ "nixos-database" = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [ ./nix-system-configs/modules/system/database.nix ];
+ };
+
+ "nixos-forgejo" = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [ ./nix-system-configs/modules/system/forgejo.nix ];
+ };
+
+ "nixos-teamspeak" = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [ ./nix-system-configs/modules/system/teamspeak.nix ];
+ };
+
+ "nixos-traefik" = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [ ./nix-system-configs/modules/system/traefik.nix ];
+ };
+ };
+ };
+}
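Review bot: Each of the seven `nixosConfigurations` entries repeats the same `nixpkgs.lib.nixosSystem { inherit system; modules = [ … ]; }` wrapper, so the only varying information — host name and module path — is spread over four lines per host; a small `mkHost` helper with `lib.mapAttrs` brings it down to one line per host and makes adding a host a one-line change. Separately, the modules these entries load still fetch home-manager and sops-nix with `builtins.fetchTarball` (sway_greetd_homemanager.nix, sops-wireguard.nix) instead of declaring them as flake inputs, so those pins live in scattered URL/sha256 pairs rather than in flake.lock; declaring them under `inputs` with `inputs.nixpkgs.follows = "nixpkgs"` and handing them to the modules via `specialArgs` would let `nix flake lock` track them alongside nixpkgs. `self` is bound in `outputs` but never used.
```nix
  outputs = { self, nixpkgs, ... }:
    let
      system = "x86_64-linux";
      # One NixOS system per host module; every host shares the same nixpkgs and system.
      mkHost = module: nixpkgs.lib.nixosSystem {
        inherit system;
        modules = [ module ];
      };
    in
    {
      nixosConfigurations = nixpkgs.lib.mapAttrs (_: mkHost) {
        "nixos-local-wireguard-server" = ./nix-system-configs/modules/system/wireguard_server.nix;
        "nixos-blank" = ./nix-system-configs/modules/system/blank_system_USE_THIS_AS_COPY.nix;
        # … unchanged: the remaining five hosts, one "name" = ./path; line each …
      };
    };
```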
diff --git a/nix-system-configs/modules/desktop-manager/sway_greetd_homemanager.nix b/nix-system-configs/modules/desktop-manager/sway_greetd_homemanager.nix index efe791b..cd34a7d 100644 --- a/nix-system-configs/modules/desktop-manager/sway_greetd_homemanager.nix +++ b/nix-system-configs/modules/desktop-manager/sway_greetd_homemanager.nix @@ -4,7 +4,10 @@ lib, ... }: let - home-manager = builtins.fetchTarball "https://github.com/nix-community/home-manager/archive/release-25.11.tar.gz"; + home-manager = builtins.fetchTarball { + url = "https://github.com/nix-community/home-manager/archive/release-25.11.tar.gz"; + sha256 = "1kqxy6r4ahnbazmpa4pncdp62najdikdaw8hvrv8nl6qxvbmf9fy"; + }; cfg = config.services.forgejo; srv = cfg.settings.server; in { diff --git a/nix-system-configs/modules/secrets-config/sops-wireguard.nix b/nix-system-configs/modules/secrets-config/sops-wireguard.nix new file mode 100644 index 0000000..73f7041 --- /dev/null +++ b/nix-system-configs/modules/secrets-config/sops-wireguard.nix 
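Review bot: The `sha256` added to the `builtins.fetchTarball` call fixes the content of `release-25.11.tar.gz`, but the URL names a moving branch, so the next push to release-25.11 changes the tarball and every evaluation fails with a hash mismatch. Pin the URL to a commit or tag so URL and hash change together, e.g. `url = "https://github.com/nix-community/home-manager/archive/<commit-or-tag>.tar.gz";` (placeholder), or declare home-manager as an input of flake.nix so flake.lock carries the pin. The `let` block this hunk edits continues outside the hunk.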
@@ -0,0 +1,54 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: {
+ imports = let
+ # replace this with an actual commit id or tag
+ commit = "17eea6f3816ba6568b8c81db8a4e6ca438b30b7c";
+ in [
+ "${builtins.fetchTarball {
+ url = "https://github.com/Mic92/sops-nix/archive/${commit}.tar.gz";
+ # replace this with an actual hash
+ sha256 = "ktjWTq+D5MTXQcL9N6cDZXUf9kX8JBLLBLT0ZyOTSYY=";
+ }}/modules/sops"
+ ];
+
+ # This will add secrets.yml to the nix store
+ # You can avoid this by adding a string to the full path instead, i.e.
+ # sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
+ sops.defaultSopsFile = ../../secrets/wireguard/secrets.yaml;
+ # This will automatically import SSH keys as age keys
+ #sops.age.sshKeyPaths = ["/home/nixosdd/.ssh/id_ed25519"];
+ # This is using an age key that is expected to already be in the filesystem
+ sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+ # This will generate a new key if the key specified above does not exist
+ sops.age.generateKey = true;
+
+ # Export individual WireGuard keys from the SOPS YAML as text secrets so they
+ # are available both as strings and as files (.path)
+ sops.secrets."wireguard_private" = {
+ format = "yaml";
+ sopsFile = ../../secrets/wireguard/secrets.yaml;
+ owner = "root";
+ mode = "0400";
+ };
+
+ sops.secrets."wireguard_preshared" = {
+ format = "yaml";
+ sopsFile = ../../secrets/wireguard/secrets.yaml;
+ owner = "root";
+ mode = "0400";
+ };
+
+ sops.secrets."wireguard_public" = {
+ format = "yaml";
+ sopsFile = ../../secrets/wireguard/secrets.yaml;
+ owner = "root";
+ mode = "0444";
+ };
+
+
+
+}
diff --git a/nix-system-configs/modules/system/blank_system_USE_THIS_AS_COPY.nix b/nix-system-configs/modules/system/blank_system_USE_THIS_AS_COPY.nix
index 6fa22ea..41384a0 100644
--- a/nix-system-configs/modules/system/blank_system_USE_THIS_AS_COPY.nix
+++ b/nix-system-configs/modules/system/blank_system_USE_THIS_AS_COPY.nix
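Review bot: The comments `# replace this with an actual commit id or tag` and `# replace this with an actual hash` above the sops-nix `fetchTarball` are left over from the upstream example, while the lines below them already carry a concrete commit and sha256, so a reader cannot tell whether the pin is real or a placeholder; replace both with one comment that states the pin, e.g. `# sops-nix pinned to the commit below; bump commit and sha256 together`. The three `sops.secrets.*` entries each repeat `format = "yaml"` and `sopsFile = ../../secrets/wireguard/secrets.yaml`, which `sops.defaultSopsFile` already selects for this module, so those two lines per secret can go. Note also that with `sops.age.generateKey = true` a missing `/var/lib/sops-nix/key.txt` yields a freshly generated key that is presumably not a recipient of secrets.yaml, so a host booted without the provisioned key fails at decryption rather than with a clear "key missing" error; a comment saying the key is expected to be provisioned out of band would make that explicit.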
@@ -28,11 +28,11 @@ }; imports = [ - ./modules/desktop-manager/sway_greetd_homemanager.nix - ./modules/local/hostname_username.nix - ./modules/local/networking_local.nix - ./modules/bootloader/seabios-assigned-iso-at-birth.nix - ./modules/lix-default.nix + ../desktop-manager/sway_greetd_homemanager.nix + ../local/hostname_username.nix + ../local/networking_local.nix + ../bootloader/seabios-assigned-iso-at-birth.nix + ../lix-default.nix # Optionally to enable remote building: ./modules/toolsets/remote_building.nix #./modules/songsheet/wavelog/docker-compose.nix #./modules/secrets-config/sops-the-blank-system.nix diff --git a/nix-system-configs/modules/system/compose-songsheet.nix b/nix-system-configs/modules/system/compose-songsheet.nix index 2a83324..89a2148 100644 --- a/nix-system-configs/modules/system/compose-songsheet.nix +++ b/nix-system-configs/modules/system/compose-songsheet.nix @@ -28,17 +28,16 @@ }; imports = [ - ./modules/desktop-manager/sway_greetd_homemanager.nix - ./modules/local/hostname_username.nix - ./modules/local/networking_local.nix - ./modules/bootloader/seabios-assigned-iso-at-birth.nix - ./modules/lix-default.nix - # Optionally: ./modules/toolsets/remote_building.nix - # - # + ../desktop-manager/sway_greetd_homemanager.nix + ../local/hostname_username.nix + ../local/networking_local.nix + ../bootloader/seabios-assigned-iso-at-birth.nix + ../lix-default.nix + # Optionally: ../toolsets/remote_building.nix + ## Compose modules for Portainer service - ./modules/songsheet/wavelog/docker-compose.nix - ./modules/secrets-config/sops-composesongsheet.nix + ../songsheet/wavelog/docker-compose.nix + ../secrets-config/sops-composesongsheet.nix ]; config = { diff --git a/nix-system-configs/modules/system/database.nix b/nix-system-configs/modules/system/database.nix index fdac7b9..7255081 100644 --- a/nix-system-configs/modules/system/database.nix +++ b/nix-system-configs/modules/system/database.nix 
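Review bot: The import paths are corrected to `../…`, but the comments in the same list still name the old `./modules/…` locations (`# Optionally to enable remote building: ./modules/toolsets/remote_building.nix`, `#./modules/songsheet/wavelog/docker-compose.nix`, `#./modules/secrets-config/sops-the-blank-system.nix`), so uncommenting one of them would fail to resolve from this file; update them to `../toolsets/remote_building.nix`, `#../songsheet/wavelog/docker-compose.nix` and `#../secrets-config/sops-the-blank-system.nix`. The same stale comment survives in teamspeak.nix, traefik.nix and wireguard_server.nix in this patch, whereas compose-songsheet.nix already updated its copy.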
@@ -28,12 +28,13 @@ }; imports = [ - ./modules/desktop-manager/gnome.nix - ./modules/local/hostname_username.nix - ./modules/local/networking_local.nix - ./modules/lix-default.nix - ./modules/secrets-config/sops-database.nix - ./modules/system_scripts/gcloud_backup.nix + ../desktop-manager/gnome.nix + ../local/hostname_username.nix + ../local/networking_local.nix + ../bootloader/seabios-assigned-iso-at-birth.nix + ../lix-default.nix + ../secrets-config/sops-database.nix + ../system_scripts/gcloud_backup.nix ./hardware-configuration.nix ]; diff --git a/nix-system-configs/modules/system/forgejo.nix b/nix-system-configs/modules/system/forgejo.nix index f000f9f..583c0f7 100644 --- a/nix-system-configs/modules/system/forgejo.nix +++ b/nix-system-configs/modules/system/forgejo.nix @@ -32,12 +32,12 @@ in { }; imports = [ - ./modules/desktop-manager/sway_greetd_homemanager.nix - ./modules/local/hostname_username.nix - ./modules/local/networking_local.nix - ./modules/toolsets/remote_building.nix - ./modules/bootloader/seabios-assigned-proxmox-at-birth.nix - ./modules/lix-default.nix + ../desktop-manager/sway_greetd_homemanager.nix + ../local/hostname_username.nix + ../local/networking_local.nix + ../toolsets/remote_building.nix + ../bootloader/seabios-assigned-proxmox-at-birth.nix + ../lix-default.nix ]; config = { diff --git a/nix-system-configs/modules/system/teamspeak.nix b/nix-system-configs/modules/system/teamspeak.nix index 7427647..6f89dbd 100644 --- a/nix-system-configs/modules/system/teamspeak.nix +++ b/nix-system-configs/modules/system/teamspeak.nix 
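Review bot: `./hardware-configuration.nix` is the only import still relative to the module's own directory, so after this change it resolves to `nix-system-configs/modules/system/hardware-configuration.nix`; this patch creates no such file, so unless it already lives there (and, for flake evaluation, is tracked by git) evaluating `nixos-database` will fail at import. The hunk also adds `../bootloader/seabios-assigned-iso-at-birth.nix`, which is a behaviour change rather than a path fix and is not mentioned in the commit message; a comment such as `# bootloader module was missing on this host; added with the flake migration` would record why. The enclosing attrset starts and ends outside the hunk.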
@@ -28,17 +28,15 @@ }; imports = [ - ./modules/desktop-manager/sway_greetd_homemanager.nix - ./modules/local/hostname_username.nix - ./modules/local/networking_local.nix - ./modules/bootloader/seabios-assigned-iso-at-birth.nix - ./modules/lix-default.nix + ../desktop-manager/sway_greetd_homemanager.nix + ../local/hostname_username.nix + ../local/networking_local.nix + ../bootloader/seabios-assigned-iso-at-birth.nix + ../lix-default.nix # Optionally: ./modules/toolsets/remote_building.nix - # - # ## Compose modules for Portainer service - ./modules/songsheet/wavelog/docker-compose.nix - ./modules/secrets-config/sops-composesongsheet.nix + ../songsheet/wavelog/docker-compose.nix + ../secrets-config/sops-composesongsheet.nix ]; config = { diff --git a/nix-system-configs/modules/system/traefik.nix b/nix-system-configs/modules/system/traefik.nix index 3613882..07d2ac8 100644 --- a/nix-system-configs/modules/system/traefik.nix +++ b/nix-system-configs/modules/system/traefik.nix @@ -28,11 +28,11 @@ }; imports = [ - ./modules/desktop-manager/sway_greetd_homemanager.nix - ./modules/local/hostname_username.nix - ./modules/local/networking_local.nix - ./modules/bootloader/seabios-assigned-iso-at-birth.nix - ./modules/lix-default.nix + ../desktop-manager/sway_greetd_homemanager.nix + ../local/hostname_username.nix + ../local/networking_local.nix + ../bootloader/seabios-assigned-iso-at-birth.nix + ../lix-default.nix # Optionally: ./modules/toolsets/remote_building.nix ]; diff --git a/nix-system-configs/modules/system/wireguard_server.nix b/nix-system-configs/modules/system/wireguard_server.nix index 71be160..db47c70 100644 --- a/nix-system-configs/modules/system/wireguard_server.nix +++ b/nix-system-configs/modules/system/wireguard_server.nix 
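Review bot: The import list keeps `../songsheet/wavelog/docker-compose.nix` and `../secrets-config/sops-composesongsheet.nix` under the heading `## Compose modules for Portainer service`, which is identical to the block in compose-songsheet.nix; if the TeamSpeak host is not meant to run the wavelog compose stack, these two lines look like a copy-paste leftover and should be dropped, since they also deploy the songsheet sops secrets onto a host that has no use for them. If the host does need them, a comment above the heading saying why would stop the next reader from removing them.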
@@ -28,11 +28,12 @@ }; imports = [ - ./modules/desktop-manager/sway_greetd_homemanager.nix - ./modules/local/hostname_username.nix - ./modules/local/networking_local.nix - ./modules/bootloader/seabios-assigned-iso-at-birth.nix - ./modules/lix-default.nix + ../desktop-manager/sway_greetd_homemanager.nix + ../local/hostname_username.nix + ../local/networking_local.nix + ../bootloader/seabios-assigned-iso-at-birth.nix + ../lix-default.nix + ../secrets-config/sops-wireguard.nix # Optionally to enable remote building: ./modules/toolsets/remote_building.nix #./modules/songsheet/wavelog/docker-compose.nix #./modules/secrets-config/sops-the-blank-system.nix @@ -76,18 +77,19 @@ # Why 5182(0)? WireGuard server is running on port 51820, # thus we can use the "5182" infix in the IPv6 prefix to make it more memorable and less likely to cause confusion # with other local network services in the future. - postUp = '' + postSetup = '' ${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT ${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s fc00:5182::1:1/112 -o eth0 -j MASQUERADE ''; # Undo the above - preDown = '' + postShutdown = '' ${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT ${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s fc00:5182::1:1/112 -o eth0 -j MASQUERADE ''; privateKeyFile = config.sops.secrets.wireguard_private.path; + #presharedKeyFile = config.sops.secrets.wireguard_preshared.path; }; };
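Review bot: The commented-out `#presharedKeyFile = config.sops.secrets.wireguard_preshared.path;` sits at interface level beside `privateKeyFile`, but if this is `networking.wireguard.interfaces.<name>` — which the rename to `postSetup`/`postShutdown` suggests, since those are that module's hook names while `postUp`/`preDown` belong to `networking.wg-quick` — the preshared key is a per-peer option (`peers.*.presharedKeyFile`) and would be rejected here once uncommented. Either move the line into the peer entry or replace it with `# preshared key is per peer: set presharedKeyFile on the peer entry, not here`, so the `wireguard_preshared` secret declared in sops-wireguard.nix does not stay dead configuration. The interface attrset and its peer list start and end outside the hunk.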