From 0044b9eed159b0c8b42abe7a6f1238eba8abc0e8 Mon Sep 17 00:00:00 2001
From: Guanran Wang
Date: Thu, 23 Nov 2023 14:23:03 +0800
Subject: [PATCH] nixos: cleanup

---
 nixos/flake-modules/impermanence.nix | 14 ++++++++++++--
 users/guanranwang/nixos/profiles/core/default.nix | 4 ++--
 .../nixos/profiles/device-type/desktop/default.nix | 4 ++++
 .../nixos/profiles/use-cases/clash-meta-client.nix | 12 +++++-------
 .../nixos/profiles/use-cases/hysteria2-server.nix | 7 +++----
 .../nixos/profiles/use-cases/juicity-server.nix | 7 +++----
 6 files changed, 29 insertions(+), 19 deletions(-)

diff --git a/nixos/flake-modules/impermanence.nix b/nixos/flake-modules/impermanence.nix
index 950886a..0b2c30a 100644
--- a/nixos/flake-modules/impermanence.nix
+++ b/nixos/flake-modules/impermanence.nix
@@ -1,5 +1,15 @@
-{inputs, ...}: {
-  imports = [inputs.impermanence.nixosModules.impermanence];
+{
+  inputs,
+  lib,
+  ...
+}: {
+  imports = [
+    inputs.impermanence.nixosModules.impermanence
+    ./sops-nix.nix
+  ];
+
+  ### sops-nix
+  sops.age.sshKeyPaths = lib.mkForce ["/nix/persist/system/etc/ssh/ssh_host_ed25519_key"];
 
   # this folder is where the files will be stored (don't put it in tmpfs)
   environment.persistence."/nix/persist/system" = {
diff --git a/users/guanranwang/nixos/profiles/core/default.nix b/users/guanranwang/nixos/profiles/core/default.nix
index c537127..9c1236f 100644
--- a/users/guanranwang/nixos/profiles/core/default.nix
+++ b/users/guanranwang/nixos/profiles/core/default.nix
@@ -30,6 +30,7 @@
   ### Flakes
   imports = [
     ../../../../../nixos/flake-modules/sops-nix.nix
+    ../../../../../nixos/flake-modules/home-manager.nix
   ];
 
   ### sops-nix
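Review bot: The persisted host-key path in the added `sops.age.sshKeyPaths` line repeats the `/nix/persist/system` root that `environment.persistence` uses two lines below, with nothing tying the two together, so a future rename of the persistence root would leave sops-nix pointing at a key that no longer exists and every secret undecryptable at activation. Binding the root once (`persistRoot = "/nix/persist/system";` in a `let`) and writing `"${persistRoot}/etc/ssh/ssh_host_ed25519_key"` plus `environment.persistence.${persistRoot}` keeps them in lockstep. `lib.mkForce` also pins this over any per-host `sops.age.sshKeyPaths`; a priority between the plain assignment in the core profile (100) and mkForce (50), e.g. `lib.mkOverride 90`, still wins there while leaving hosts a way to override. A one-line comment on why the persisted copy is read instead of `/etc/ssh` would help the next reader — presumably because sops-nix decrypts during activation before impermanence's bind mount of `/etc/ssh` is in place, but confirm. The `environment.persistence` attribute set continues outside the hunk.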
@@ -37,11 +38,10 @@ users.groups."nix-access-tokens" = {};
 
   sops = {
     defaultSopsFile = ../../../secrets/secrets.yaml;
-    age.sshKeyPaths = ["/nix/persist/system/etc/ssh/ssh_host_ed25519_key"];
+    age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
     gnupg.sshKeyPaths = [];
     secrets = {
       "hashed-passwd".neededForUsers = true; # Hashed user password
-      "wireless/home".path = "/var/lib/iwd/wangxiaobo.psk"; # Home wifi password
       "nix-access-tokens" = {
         group = config.users.groups."nix-access-tokens".name;
         mode = "0440";
diff --git a/users/guanranwang/nixos/profiles/device-type/desktop/default.nix b/users/guanranwang/nixos/profiles/device-type/desktop/default.nix
index 33de45b..46dc7bf 100644
--- a/users/guanranwang/nixos/profiles/device-type/desktop/default.nix
+++ b/users/guanranwang/nixos/profiles/device-type/desktop/default.nix
@@ -5,6 +5,7 @@
 }: {
   imports = [
     ### Flakes
+    ../../../../../../nixos/flake-modules/sops-nix.nix
     ../../../../../../nixos/flake-modules/home-manager.nix
     ../../../../../../nixos/flake-modules/berberman.nix
   ];
@@ -12,6 +13,9 @@
   ### Options
   myFlake.nixos.boot.noLoaderMenu = lib.mkDefault true;
 
+  ### sops-nix
+  sops.secrets."wireless/home".path = "/var/lib/iwd/wangxiaobo.psk"; # Home wifi password
+
   ### home-manager
   home-manager.users.guanranwang.imports = map (n: ../../../../home-manager/${n}) [
     "profiles/command-line/nixos/fancy-stuff.nix"
diff --git a/users/guanranwang/nixos/profiles/use-cases/clash-meta-client.nix b/users/guanranwang/nixos/profiles/use-cases/clash-meta-client.nix
index 235ddc9..485bef0 100644
--- a/users/guanranwang/nixos/profiles/use-cases/clash-meta-client.nix
+++ b/users/guanranwang/nixos/profiles/use-cases/clash-meta-client.nix
@@ -3,9 +3,7 @@
   config,
   inputs,
   ...
-}: let
-  etcDirectory = "clash-meta";
-in {
+}: {
   imports = [
     ../../../../../nixos/flake-modules/sops-nix.nix
   ];
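Review bot: The new `age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];` line is silently replaced on impermanence hosts by the `lib.mkForce` added in nixos/flake-modules/impermanence.nix, and nothing in this block says so, so a reader debugging a decryption failure will take this as the effective key path everywhere. Suggest `age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; # mkForce'd to the persisted copy by flake-modules/impermanence.nix`. The removed `"wireless/home"` secret now lives in the desktop profile but still resolves through this file's `defaultSopsFile`, so a host using the desktop profile without this one would fail to evaluate; a short comment next to `defaultSopsFile` noting that other profiles rely on it would make that dependency visible. The `sops` attribute set continues outside the hunk.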
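Review bot: The added `sops.secrets."wireless/home".path` line declares only where the decrypted file lands; the secret's source is `sops.defaultSopsFile`, which this profile does not set (the core profile's hunk does), so this file now evaluates only when the core profile is imported alongside it. A comment such as `# secret is read from sops.defaultSopsFile, set in profiles/core` would record that coupling where it bites. Owner and mode are left at the sops-nix defaults, which is presumably adequate for iwd reading the PSK as root, but worth confirming since the file is now declared away from the rest of the secret definitions. The `home-manager.users.guanranwang.imports` list continues outside the hunk.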
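Review bot: Dropping the `etcDirectory` binding leaves the literal `clash-meta` directory name repeated in four places that must agree — the secret `path`, `WorkingDirectory`, `ExecStart` and the `environment.etc` key in the later hunks of this file — with nothing tying them together, so a typo in any one would make the service start against a directory that lacks its config or dashboard instead of failing at evaluation. If the interpolation noise was the motivation, binding the full path once (`etcDir = "/etc/clash-meta";`) keeps a single source of truth with shorter uses, e.g. `path = "${etcDir}/config.yaml";`. The same applies to the `etcDirectory` removals in hysteria2-server.nix and juicity-server.nix in this commit. The module's attribute set continues outside the hunk.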
@@ -15,7 +13,7 @@ in {
       owner = config.users.users."clash-meta".name;
       group = config.users.groups."clash-meta".name;
       restartUnits = ["clash-meta.service"];
-      path = "/etc/${etcDirectory}/config.yaml";
+      path = "/etc/clash-meta/config.yaml";
     };
 
   ### System proxy settings
@@ -37,10 +35,10 @@ in {
 
     serviceConfig = {
       Type = "simple";
-      WorkingDirectory = "/etc/${etcDirectory}";
+      WorkingDirectory = "/etc/clash-meta";
       User = [config.users.users."clash-meta".name];
       Group = [config.users.groups."clash-meta".name];
-      ExecStart = "${pkgs.clash-meta}/bin/clash-meta -d /etc/${etcDirectory}";
+      ExecStart = "${pkgs.clash-meta}/bin/clash-meta -d /etc/clash-meta";
       Restart = "on-failure";
       CapabilityBoundingSet = [
         "CAP_NET_ADMIN"
@@ -65,5 +63,5 @@ in {
   # - https://yacd.haishan.me
   # - clash-dashboard (buggy):
   # - https://clash.razord.top
-  environment.etc."${etcDirectory}/metacubexd".source = inputs.metacubexd;
+  environment.etc."clash-meta/metacubexd".source = inputs.metacubexd;
 }
diff --git a/users/guanranwang/nixos/profiles/use-cases/hysteria2-server.nix b/users/guanranwang/nixos/profiles/use-cases/hysteria2-server.nix
index cffce0b..7b05309 100644
--- a/users/guanranwang/nixos/profiles/use-cases/hysteria2-server.nix
+++ b/users/guanranwang/nixos/profiles/use-cases/hysteria2-server.nix
@@ -3,7 +3,6 @@
   config,
   ...
 }: let
-  etcDirectory = "hysteria";
   port = 43956;
 in {
   imports = [
@@ -21,7 +20,7 @@ in {
       owner = config.users.users."hysteria".name;
       group = config.users.groups."hysteria".name;
       restartUnits = ["hysteria-server.service"];
-      path = "/etc/${etcDirectory}/config.yaml";
+      path = "/etc/hysteria/config.yaml";
     };
 
   ### User running proxy service
@@ -40,10 +39,10 @@ in {
 
     serviceConfig = {
       Type = "simple";
-      WorkingDirectory = "/etc/${etcDirectory}";
+      WorkingDirectory = "/etc/hysteria";
       User = [config.users.users."hysteria".name];
       Group = [config.users.groups."hysteria".name];
-      ExecStart = "${pkgs.hysteria}/bin/hysteria server --config /etc/${etcDirectory}/config.yaml";
+      ExecStart = "${pkgs.hysteria}/bin/hysteria server --config /etc/hysteria/config.yaml";
       Restart = "on-failure";
       CapabilityBoundingSet = [
         "CAP_NET_ADMIN"
diff --git a/users/guanranwang/nixos/profiles/use-cases/juicity-server.nix b/users/guanranwang/nixos/profiles/use-cases/juicity-server.nix
index 6630f2e..bdebbd6 100644
--- a/users/guanranwang/nixos/profiles/use-cases/juicity-server.nix
+++ b/users/guanranwang/nixos/profiles/use-cases/juicity-server.nix
@@ -3,7 +3,6 @@
   config,
   ...
 }: let
-  etcDirectory = "juicity";
   port = "33829";
 in {
   imports = [
@@ -21,7 +20,7 @@ in {
       owner = config.users.users."juicity".name;
       group = config.users.groups."juicity".name;
       restartUnits = ["juicity-server.service"];
-      path = "/etc/${etcDirectory}/config.yaml";
+      path = "/etc/juicity/config.yaml";
     };
 
   ### User running proxy service
@@ -40,10 +39,10 @@ in {
 
     serviceConfig = {
       Type = "simple";
-      WorkingDirectory = "/etc/${etcDirectory}";
+      WorkingDirectory = "/etc/juicity";
       User = [config.users.users."juicity".name];
       Group = [config.users.groups."juicity".name];
-      ExecStart = "${pkgs.juicity}/bin/juicity-server run -c /etc/${etcDirectory}/config.json";
+      ExecStart = "${pkgs.juicity}/bin/juicity-server run -c /etc/juicity/config.json";
       Restart = "on-failure";
       CapabilityBoundingSet = [
         "CAP_NET_ADMIN"