From b35a2966b275c8b5915b548d22ed08bdac2e9470 Mon Sep 17 00:00:00 2001
From: Aaron Bieber
Date: Tue, 30 Aug 2022 15:56:37 -0600
Subject: [PATCH] all: add peerix capabilities
---
 configs/peerix.nix | 22 ++++++++++++++------
 configs/peerix.pubs | 3 +--
 default.nix | 1 +
 flake.lock | 43 ++++++++++++++++++++++++++++++----------
 flake.nix | 22 +++++++++++++++-----
 hosts/europa/default.nix | 11 ++++++++++
 hosts/stan/default.nix | 11 ++++++++++
 7 files changed, 90 insertions(+), 23 deletions(-)
diff --git a/configs/peerix.nix b/configs/peerix.nix
index 0603635..830711d 100644
--- a/configs/peerix.nix
+++ b/configs/peerix.nix
@@ -1,7 +1,7 @@
 { config, lib, ... }:
 with lib; {
 options = {
- peerix = {
+ tsPeerix = {
 enable = mkOption {
 description = "Enable peerix";
 default = false;
@@ -17,18 +17,28 @@ with lib; {
 };
 };
- config = mkIf config.peerix.enable {
+ config = mkIf config.tsPeerix.enable {
+ users.groups.peerix = {
+ name = "peerix";
+ };
+ users.users.peerix = {
+ name = "peerix";
+ group = "peerix";
+ isSystemUser = true;
+ };
 services = {
 peerix = {
 enable = true;
- openFirewall = false; # UDP/12304
- privateKeyFile = "${config.peerix.privateKeyFile}";
- publicKeyFile = ../../configs/peerix.pubs;
+ openFirewall = false;
+ user = "peerix";
+ privateKeyFile = "${config.tsPeerix.privateKeyFile}";
+ publicKeyFile = ./peerix.pubs;
 };
 };
 networking.firewall.interfaces = {
 "tailscale0" = {
- allowedUDPPorts = 12304;
+ allowedUDPPorts = [ 12304 ];
+ allowedTCPPorts = [ 12304 ];
 };
 };
 };
diff --git a/configs/peerix.pubs b/configs/peerix.pubs
index 1b0b76e..ee5dbe3 100644
--- a/configs/peerix.pubs
+++ b/configs/peerix.pubs
@@ -1,2 +1 @@
-peerix-europa:FpjwUsYBl+I/SEr5JuO676oVhtUvY2zjyIr2VAVbmfs=
-peerix-stan:3wdu3RBNCIVdgVRFt7bPQuoNH1liYsndLL0pI8mZCbg=
+peerix-europa:FpjwUsYBl+I/SEr5JuO676oVhtUvY2zjyIr2VAVbmfs= peerix-stan:3wdu3RBNCIVdgVRFt7bPQuoNH1liYsndLL0pI8mZCbg=
diff --git a/default.nix b/default.nix
index cff20c9..f7340ed 100644
--- a/default.nix
+++ b/default.nix
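Review bot: `privateKeyFile = "${config.tsPeerix.privateKeyFile}";` re-wraps the option value in a string interpolation; if `tsPeerix.privateKeyFile` is declared with `types.path` (its declaration presumably sits in the lines between the two hunks, outside this view) and a host ever sets it to a path literal, that interpolation copies the private key into the world-readable Nix store. Passing the value through unchanged, `privateKeyFile = config.tsPeerix.privateKeyFile;`, and declaring the option as `types.str` with a description saying it must be a runtime path such as a sops secret path (which is what both hosts in this commit use) keeps the key out of the store. The old `# UDP/12304` explanation is also dropped at the same time a TCP port is opened; a short comment on `allowedTCPPorts = [ 12304 ];` recording why 12304/tcp is now opened on tailscale0 as well would preserve that context.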
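Review bot: The public-key file now holds both peer keys on one space-separated line instead of one per line, and nothing on the page shows whether peerix's reader accepts that form; a key that is silently not parsed means that peer's signed store paths are rejected, so this should be confirmed against the peerix module. If the single-line form is what peerix requires, a comment next to `publicKeyFile = ./peerix.pubs;` in configs/peerix.nix stating the expected format would keep a future edit from splitting the file back into lines.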
@@ -12,6 +12,7 @@ in {
 ./configs/gitmux.nix
 ./configs/git.nix
 ./configs/neovim.nix
+ ./configs/peerix.nix
 ./configs/manager.nix
 ./configs/tmux.nix
 ./configs/net-overlay.nix
diff --git a/flake.lock b/flake.lock
index 766a9bc..33e9cfb 100644
--- a/flake.lock
+++ b/flake.lock
@@ -137,6 +137,28 @@
 "type": "github"
 }
 },
+ "peerix": {
+ "inputs": {
+ "flake-compat": "flake-compat",
+ "flake-utils": "flake-utils_2",
+ "nixpkgs": [
+ "stable"
+ ]
+ },
+ "locked": {
+ "lastModified": 1661429880,
+ "narHash": "sha256-7/m468XZW82O7KhDtRdQ7RnPsh83+tA8N4U0FncFo1U=",
+ "owner": "cid-chan",
+ "repo": "peerix",
+ "rev": "32cd1b098b83c90726848bd6726f74e72c557abb",
+ "type": "github"
+ },
+ "original": {
+ "owner": "cid-chan",
+ "repo": "peerix",
+ "type": "github"
+ }
+ },
 "root": {
 "inputs": {
 "darwin": "darwin",
@@ -145,6 +167,7 @@
 "mcchunkie": "mcchunkie",
 "microca": "microca",
 "nixos-hardware": "nixos-hardware",
+ "peerix": "peerix",
 "sshKnownHosts": "sshKnownHosts",
 "stable": "stable",
 "unstable": "unstable",
@@ -192,11 +215,11 @@
 },
 "stable": {
 "locked": {
- "lastModified": 1661754554,
- "narHash": "sha256-de5B2kxfNBLYQrAw7jiavjkNTqI7+2ff5etpn7h1OYo=",
+ "lastModified": 1661825248,
+ "narHash": "sha256-3A5W95RnB8aELcapCalM8zJhyIo+iNyN77uRJfkbFig=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "8771f639c5539e0285aea854404047af78ed7007",
+ "rev": "f4924a0a1fba98b6721792f2a5b1d71e11664dfa",
 "type": "github"
 },
 "original": {
@@ -240,11 +263,11 @@
 },
 "unstableSmall": {
 "locked": {
- "lastModified": 1661757213,
- "narHash": "sha256-f52E4WkJSUxuollb5YgPG7aw1Qbe6eOEtpWd2TM9MxM=",
+ "lastModified": 1661846789,
+ "narHash": "sha256-gpizELTzMLw/UislEW9rp4B5ZLcgHkQbkqoxCoDZurc=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "767a1251bf27d89868e86a4e2f6a2b37781e546b",
+ "rev": "1cc8a7ba8844f68a646da509a3976b52f406a28c",
 "type": "github"
 },
 "original": {
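Review bot: `./configs/peerix.nix` is now imported for every host, but its `config` section (under `mkIf config.tsPeerix.enable`) defines `services.peerix.*`, while `peerix.nixosModules.peerix` is added only to europa and stan in the flake.nix `nixosConfigurations` hunk. The NixOS module system reports definitions of undeclared options even when the surrounding `mkIf` condition is false, so unless those options are declared elsewhere, evaluating box, faf, hass, h, litr or weather is expected to fail with an error that the option `services.peerix` does not exist. Adding `peerix.nixosModules.peerix` to `hostBase.modules` in flake.nix next to `(import (./default.nix))` would make the shared import self-contained and let the per-host module entries go; the alternative is to keep this import out of default.nix and add it per host alongside the module.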
@@ -260,11 +283,11 @@
 "stable": "stable_2"
 },
 "locked": {
- "lastModified": 1661788636,
- "narHash": "sha256-CaVETfPsIWXw2Rw4jYwR/m85iNVPT+8C9hCYJ9i+rWg=",
+ "lastModified": 1661891289,
+ "narHash": "sha256-GY5MlRoHpnnziRpV/e2h8eWI4yu3e6gCA7Flt6JA31A=",
 "ref": "main",
- "rev": "29bbc65eae31d82e8675d21bd337148bdae0cd43",
- "revCount": 32,
+ "rev": "5777109f8298dcf1d893b2cd743a7e088bba231f",
+ "revCount": 37,
 "type": "git",
 "url": "ssh://xin-secrets-ro/qbit/xin-secrets.git"
 },
diff --git a/flake.nix b/flake.nix
index d546195..912e213 100644
--- a/flake.nix
+++ b/flake.nix
@@ -17,7 +17,7 @@
 emacs-overlay = {
 url =
- "github:nix-community/emacs-overlay/0bb59bd04ff65270b34434edde00654f43a0dec8";
+ "github:nix-community/emacs-overlay";
 inputs.nixpkgs.follows = "stable";
 };
@@ -45,14 +45,23 @@
 url = "github:qbit/gqrss";
 flake = false;
 };
+
+ peerix = {
+ url = "github:cid-chan/peerix";
+ inputs.nixpkgs.follows = "stable";
+ };
 };
 outputs = { self, unstable, unstableSmall, stable, nixos-hardware
- , sshKnownHosts, microca, mcchunkie, gqrss, darwin, xin-secrets, ...
+ , sshKnownHosts, microca, mcchunkie, gqrss, darwin, xin-secrets, peerix, ...
 }@flakes:
 let
 hostBase = {
- overlays = [ flakes.emacs-overlay.overlay ];
+ overlays = [
+ flakes.emacs-overlay.overlay
+ flakes.peerix.overlay
+
+ ];
 modules = [
 # Common config stuffs
 (import (./default.nix))
@@ -63,7 +72,7 @@
 ];
 };
- overlays = [ flakes.emacs-overlay.overlay ];
+ overlays = [ flakes.emacs-overlay.overlay flakes.peerix.overlay ];
 buildVer = { system.configurationRevision = self.rev or "DIRTY"; };
 buildShell = pkgs:
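Review bot: The `emacs-overlay` input loses its commit pin (`"github:nix-community/emacs-overlay/0bb59bd04ff65270b34434edde00654f43a0dec8"` becomes `"github:nix-community/emacs-overlay"`), which is unrelated to adding peerix and is not mentioned in the subject. The overlay is still held at its locked revision by flake.lock, but from now on any `nix flake update` moves it to whatever the overlay's default branch currently points at rather than to a revision someone chose and reviewed. If the unpin is intended, a separate commit, or a sentence in this one's description saying so, would make the change visible to whoever audits the inputs later.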
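Review bot: `hostBase.overlays` and the standalone `overlays` binding in the following hunk (`@@ -63,7 +72,7 @@`) now each spell out the same two-element list, and the `hostBase` version carries a stray empty added line before `];`. Since `let` bindings are mutually recursive, `hostBase = { inherit overlays; modules = [ ... ]; };` would make `overlays = [ flakes.emacs-overlay.overlay flakes.peerix.overlay ];` the single source and remove the blank line. Both `hostBase` and the `outputs` function continue past the end of this hunk.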
@@ -116,13 +125,16 @@
 nixosConfigurations = {
 box = buildSys "x86_64-linux" stable [ ] "box";
- europa = buildSys "x86_64-linux" unstable [ ] "europa";
+ europa = buildSys "x86_64-linux" unstable [ peerix.nixosModules.peerix ]
+ "europa";
 faf = buildSys "x86_64-linux" stable [ ] "faf";
 hass = buildSys "x86_64-linux" stable [ ] "hass";
 h = buildSys "x86_64-linux" unstableSmall [ ] "h";
 litr = buildSys "x86_64-linux" unstable [ ] "litr";
 stan = buildSys "x86_64-linux" stable [
 nixos-hardware.nixosModules.framework
+ peerix.nixosModules.peerix
+
 ] "stan";
 weather = buildSys "aarch64-linux" stable [
 nixos-hardware.nixosModules.raspberry-pi-4
 ] "weather";
diff --git a/hosts/europa/default.nix b/hosts/europa/default.nix
index 92e7790..e4026db 100644
--- a/hosts/europa/default.nix
+++ b/hosts/europa/default.nix
@@ -29,6 +29,12 @@ in {
 group = "wheel";
 mode = "400";
 };
+ peerix_private_key = {
+ sopsFile = config.xin-secrets.europa.peerix;
+ owner = "peerix";
+ group = "wheel";
+ mode = "400";
+ };
 };
 boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
@@ -118,6 +124,11 @@ in {
 };
 };
+ tsPeerix = {
+ enable = true;
+ privateKeyFile = "${config.sops.secrets.peerix_private_key.path}";
+ };
+
 programs.steam.enable = true;
 services = {
 emacs = {
diff --git a/hosts/stan/default.nix b/hosts/stan/default.nix
index 1a2e10f..43f520f 100644
--- a/hosts/stan/default.nix
+++ b/hosts/stan/default.nix
@@ -60,6 +60,12 @@ in {
 owner = "root";
 mode = "400";
 };
+ peerix_private_key = {
+ sopsFile = config.xin-secrets.stan.peerix;
+ owner = "peerix";
+ group = "peerix";
+ mode = "400";
+ };
 };
 systemd.services = {
@@ -111,6 +117,11 @@ in {
 zsh.enable = true;
 };
+ tsPeerix = {
+ enable = true;
+ privateKeyFile = "${config.sops.secrets.peerix_private_key.path}";
+ };
+
 services = {
 emacs = {
 enable = false;
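Review bot: The module list for stan gains an empty added line between `peerix.nixosModules.peerix` and `] "stan";`, which reads as an accident rather than formatting; dropping that line leaves the list in the same shape as the `weather` entry below it. The `nixosConfigurations` attrset continues past the end of this hunk.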
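Review bot: The new sops secret is declared `owner = "peerix"; group = "wheel";` here but `group = "peerix";` in the matching hunk of hosts/stan/default.nix (`@@ -60,6 +60,12 @@`). With `mode = "400"` the group grants no access, so this is harmless today, but `group = "peerix";` on both hosts states the intent that only the service account reads the key and avoids a surprise if the mode is ever loosened to 440. The `sops.secrets` attrset begins before this hunk.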
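Review bot: `privateKeyFile = "${config.sops.secrets.peerix_private_key.path}";` wraps a value that is already a string in an interpolation; `privateKeyFile = config.sops.secrets.peerix_private_key.path;` is the same value and reads as what it is, a runtime path under sops-nix's control rather than something to be built into a string. The same line appears in the corresponding hunk of hosts/stan/default.nix (`@@ -111,6 +117,11 @@`).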