all: add peerix capabilities

This commit is contained in:
Aaron Bieber 2022-08-30 15:56:37 -06:00
parent 8a81578425
commit b35a2966b2
No known key found for this signature in database
7 changed files with 90 additions and 23 deletions


@ -1,7 +1,7 @@
{ config, lib, ... }:
with lib; {
options = {
peerix = {
tsPeerix = {
enable = mkOption {
description = "Enable peerix";
default = false;
@ -17,18 +17,28 @@ with lib; {
};
};
config = mkIf config.peerix.enable {
config = mkIf config.tsPeerix.enable {
users.groups.peerix = {
name = "peerix";
};
users.users.peerix = {
name = "peerix";
group = "peerix";
isSystemUser = true;
};
services = {
peerix = {
enable = true;
openFirewall = false; # UDP/12304
privateKeyFile = "${config.peerix.privateKeyFile}";
publicKeyFile = ../../configs/peerix.pubs;
openFirewall = false;
user = "peerix";
privateKeyFile = "${config.tsPeerix.privateKeyFile}";
publicKeyFile = ./peerix.pubs;
};
};
networking.firewall.interfaces = {
"tailscale0" = {
allowedUDPPorts = 12304;
allowedUDPPorts = [ 12304 ];
allowedTCPPorts = [ 12304 ];
};
};
};
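Review bot: The `tailscale0` firewall rule is the only thing keeping peerix off other networks: nothing in this hunk binds the service to a Tailscale address or interface, and `openFirewall = false` presumably just stops the upstream module from opening 12304 on every interface. That is a sound least-exposure choice, but it silently depends on `networking.firewall` staying enabled on every host that sets `tsPeerix.enable`, so the rule deserves a comment such as `# peerix listens on all interfaces; only the Tailscale side is reachable, so the host firewall must stay enabled.` Dropping the `# UDP/12304` comment while the rule gains TCP 12304 also leaves no record of which protocol peerix needs for what; a one-line note on the `allowedTCPPorts`/`allowedUDPPorts` pair would help. The `tsPeerix.privateKeyFile` option itself is declared outside this hunk, so its type cannot be checked here.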


@ -1,2 +1 @@
peerix-europa:FpjwUsYBl+I/SEr5JuO676oVhtUvY2zjyIr2VAVbmfs=
peerix-stan:3wdu3RBNCIVdgVRFt7bPQuoNH1liYsndLL0pI8mZCbg=
peerix-europa:FpjwUsYBl+I/SEr5JuO676oVhtUvY2zjyIr2VAVbmfs= peerix-stan:3wdu3RBNCIVdgVRFt7bPQuoNH1liYsndLL0pI8mZCbg=


@ -12,6 +12,7 @@ in {
./configs/gitmux.nix
./configs/git.nix
./configs/neovim.nix
./configs/peerix.nix
./configs/manager.nix
./configs/tmux.nix
./configs/net-overlay.nix
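Review bot: Importing `./configs/peerix.nix` from this common module list means every host evaluates a `config = mkIf config.tsPeerix.enable { services.peerix = … }` set, yet the flake only attaches `peerix.nixosModules.peerix` to europa and stan. If I read the NixOS module system correctly, a `mkIf false` definition of an undeclared option (`services.peerix.*`) still trips "The option … does not exist" on the hosts without the upstream module, so it is worth confirming that box/faf/hass/h/litr/weather still evaluate (`nix flake check`). If they do not, either add the peerix module to `hostBase` alongside the overlay or move this import next to the `peerix.nixosModules.peerix` entries; a comment on this line recording which hosts are expected to carry the upstream module would prevent the same surprise later.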

flake.lock generated

@ -137,6 +137,28 @@
"type": "github"
}
},
"peerix": {
"inputs": {
"flake-compat": "flake-compat",
"flake-utils": "flake-utils_2",
"nixpkgs": [
"stable"
]
},
"locked": {
"lastModified": 1661429880,
"narHash": "sha256-7/m468XZW82O7KhDtRdQ7RnPsh83+tA8N4U0FncFo1U=",
"owner": "cid-chan",
"repo": "peerix",
"rev": "32cd1b098b83c90726848bd6726f74e72c557abb",
"type": "github"
},
"original": {
"owner": "cid-chan",
"repo": "peerix",
"type": "github"
}
},
"root": {
"inputs": {
"darwin": "darwin",
@ -145,6 +167,7 @@
"mcchunkie": "mcchunkie",
"microca": "microca",
"nixos-hardware": "nixos-hardware",
"peerix": "peerix",
"sshKnownHosts": "sshKnownHosts",
"stable": "stable",
"unstable": "unstable",
@ -192,11 +215,11 @@
},
"stable": {
"locked": {
"lastModified": 1661754554,
"narHash": "sha256-de5B2kxfNBLYQrAw7jiavjkNTqI7+2ff5etpn7h1OYo=",
"lastModified": 1661825248,
"narHash": "sha256-3A5W95RnB8aELcapCalM8zJhyIo+iNyN77uRJfkbFig=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "8771f639c5539e0285aea854404047af78ed7007",
"rev": "f4924a0a1fba98b6721792f2a5b1d71e11664dfa",
"type": "github"
},
"original": {
@ -240,11 +263,11 @@
},
"unstableSmall": {
"locked": {
"lastModified": 1661757213,
"narHash": "sha256-f52E4WkJSUxuollb5YgPG7aw1Qbe6eOEtpWd2TM9MxM=",
"lastModified": 1661846789,
"narHash": "sha256-gpizELTzMLw/UislEW9rp4B5ZLcgHkQbkqoxCoDZurc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "767a1251bf27d89868e86a4e2f6a2b37781e546b",
"rev": "1cc8a7ba8844f68a646da509a3976b52f406a28c",
"type": "github"
},
"original": {
@ -260,11 +283,11 @@
"stable": "stable_2"
},
"locked": {
"lastModified": 1661788636,
"narHash": "sha256-CaVETfPsIWXw2Rw4jYwR/m85iNVPT+8C9hCYJ9i+rWg=",
"lastModified": 1661891289,
"narHash": "sha256-GY5MlRoHpnnziRpV/e2h8eWI4yu3e6gCA7Flt6JA31A=",
"ref": "main",
"rev": "29bbc65eae31d82e8675d21bd337148bdae0cd43",
"revCount": 32,
"rev": "5777109f8298dcf1d893b2cd743a7e088bba231f",
"revCount": 37,
"type": "git",
"url": "ssh://xin-secrets-ro/qbit/xin-secrets.git"
},


@ -17,7 +17,7 @@
emacs-overlay = {
url =
"github:nix-community/emacs-overlay/0bb59bd04ff65270b34434edde00654f43a0dec8";
"github:nix-community/emacs-overlay";
inputs.nixpkgs.follows = "stable";
};
@ -45,14 +45,23 @@
url = "github:qbit/gqrss";
flake = false;
};
peerix = {
url = "github:cid-chan/peerix";
inputs.nixpkgs.follows = "stable";
};
};
outputs = { self, unstable, unstableSmall, stable, nixos-hardware
, sshKnownHosts, microca, mcchunkie, gqrss, darwin, xin-secrets, ...
, sshKnownHosts, microca, mcchunkie, gqrss, darwin, xin-secrets, peerix, ...
}@flakes:
let
hostBase = {
overlays = [ flakes.emacs-overlay.overlay ];
overlays = [
flakes.emacs-overlay.overlay
flakes.peerix.overlay
];
modules = [
# Common config stuffs
(import (./default.nix))
@ -63,7 +72,7 @@
];
};
overlays = [ flakes.emacs-overlay.overlay ];
overlays = [ flakes.emacs-overlay.overlay flakes.peerix.overlay ];
buildVer = { system.configurationRevision = self.rev or "DIRTY"; };
buildShell = pkgs:
@ -116,13 +125,16 @@
nixosConfigurations = {
box = buildSys "x86_64-linux" stable [ ] "box";
europa = buildSys "x86_64-linux" unstable [ ] "europa";
europa = buildSys "x86_64-linux" unstable [ peerix.nixosModules.peerix ]
"europa";
faf = buildSys "x86_64-linux" stable [ ] "faf";
hass = buildSys "x86_64-linux" stable [ ] "hass";
h = buildSys "x86_64-linux" unstableSmall [ ] "h";
litr = buildSys "x86_64-linux" unstable [ ] "litr";
stan = buildSys "x86_64-linux" stable [
nixos-hardware.nixosModules.framework
peerix.nixosModules.peerix
] "stan";
weather = buildSys "aarch64-linux" stable
[ nixos-hardware.nixosModules.raspberry-pi-4 ] "weather";
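Review bot: The `emacs-overlay` input loses its explicit commit pin (`0bb59bd04ff65270b34434edde00654f43a0dec8`) in the same commit that adds `peerix` as an unpinned `github:cid-chan/peerix`; flake.lock still records exact revisions and NAR hashes, so current builds stay reproducible, but any future `nix flake update` will silently move both third-party overlays to upstream HEAD with no review step. If the old pin was deliberate it should be restored, and the peerix input could be pinned the same way (`url = "github:cid-chan/peerix/32cd1b098b83c90726848bd6726f74e72c557abb";`, the rev the lock already holds). Otherwise a short comment near these inputs noting that flake.lock is the only pin for third-party code would make the supply-chain posture explicit. `inputs.nixpkgs.follows = "stable"` for peerix is consistent with the other inputs.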


@ -29,6 +29,12 @@ in {
group = "wheel";
mode = "400";
};
peerix_private_key = {
sopsFile = config.xin-secrets.europa.peerix;
owner = "peerix";
group = "wheel";
mode = "400";
};
};
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
@ -118,6 +124,11 @@ in {
};
};
tsPeerix = {
enable = true;
privateKeyFile = "${config.sops.secrets.peerix_private_key.path}";
};
programs.steam.enable = true;
services = {
emacs = {
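Review bot: `peerix_private_key` is created with `group = "wheel"` here while the stan host uses `group = "peerix"`, which is also the group the new module creates for the service user. With `mode = "400"` the group bits grant nothing, so this is harmless today, but it is inconsistent and would widen access to the signing key the moment the mode is relaxed; suggest `group = "peerix";` to match. The enclosing `sops.secrets` set starts outside this hunk.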


@ -60,6 +60,12 @@ in {
owner = "root";
mode = "400";
};
peerix_private_key = {
sopsFile = config.xin-secrets.stan.peerix;
owner = "peerix";
group = "peerix";
mode = "400";
};
};
systemd.services = {
@ -111,6 +117,11 @@ in {
zsh.enable = true;
};
tsPeerix = {
enable = true;
privateKeyFile = "${config.sops.secrets.peerix_private_key.path}";
};
services = {
emacs = {
enable = false;
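Review bot: `privateKeyFile = "${config.sops.secrets.peerix_private_key.path}";` wraps an already-string value in an interpolation that adds nothing; `privateKeyFile = config.sops.secrets.peerix_private_key.path;` reads cleaner and avoids suggesting the value needs coercion (the same pattern appears in the europa config in this commit). The secret declaration above it is the right shape: owned by the unprivileged `peerix` service user, group `peerix`, mode 400. The surrounding `sops.secrets` set and the `programs`/`services` blocks start outside these hunks.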