nixos: cleanup

Guanran Wang 2023-11-23 14:23:03 +08:00
parent 65a4e1e46a
commit 0044b9eed1
Signed by: nyancat
SSH key fingerprint: SHA256:8oWGKciPALWut/6WA27oFKofX+6Wtc0gQnsefXLQx/8
6 changed files with 29 additions and 19 deletions


@ -1,5 +1,15 @@
{inputs, ...}: { {
imports = [inputs.impermanence.nixosModules.impermanence]; inputs,
lib,
...
}: {
imports = [
inputs.impermanence.nixosModules.impermanence
./sops-nix.nix
];
### sops-nix
sops.age.sshKeyPaths = lib.mkForce ["/nix/persist/system/etc/ssh/ssh_host_ed25519_key"];
# this folder is where the files will be stored (don't put it in tmpfs) # this folder is where the files will be stored (don't put it in tmpfs)
environment.persistence."/nix/persist/system" = { environment.persistence."/nix/persist/system" = {
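Review bot: The `lib.mkForce` on `sops.age.sshKeyPaths` silently wins over whatever a host sets for the same option (the host module in this same commit sets `["/etc/ssh/ssh_host_ed25519_key"]`), and nothing in the hunk says why the persisted path is needed here. A why-comment would stop the next reader from "fixing" it back: `# sops-nix decrypts during early activation, presumably before impermanence has bound /etc/ssh; read the host key from its persisted copy — TODO confirm ordering`. The path also hard-codes the `/nix/persist/system` prefix that `environment.persistence` repeats on the line below; binding it once (`persistRoot = "/nix/persist/system";`) and deriving both from it keeps the two from drifting. Since the `environment.persistence` attribute set is cut off at the end of this hunk, it is also worth confirming that `etc/ssh/ssh_host_ed25519_key` is actually in its persisted file list — otherwise the key named here does not survive a reboot and no secret decrypts.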


@ -30,6 +30,7 @@
### Flakes ### Flakes
imports = [ imports = [
../../../../../nixos/flake-modules/sops-nix.nix ../../../../../nixos/flake-modules/sops-nix.nix
../../../../../nixos/flake-modules/home-manager.nix
]; ];
### sops-nix ### sops-nix
@ -37,11 +38,10 @@
users.groups."nix-access-tokens" = {}; users.groups."nix-access-tokens" = {};
sops = { sops = {
defaultSopsFile = ../../../secrets/secrets.yaml; defaultSopsFile = ../../../secrets/secrets.yaml;
age.sshKeyPaths = ["/nix/persist/system/etc/ssh/ssh_host_ed25519_key"]; age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
gnupg.sshKeyPaths = []; gnupg.sshKeyPaths = [];
secrets = { secrets = {
"hashed-passwd".neededForUsers = true; # Hashed user password "hashed-passwd".neededForUsers = true; # Hashed user password
"wireless/home".path = "/var/lib/iwd/wangxiaobo.psk"; # Home wifi password
"nix-access-tokens" = { "nix-access-tokens" = {
group = config.users.groups."nix-access-tokens".name; group = config.users.groups."nix-access-tokens".name;
mode = "0440"; mode = "0440";
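Review bot: The new `age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]` is either dead or redundant: if this host imports the impermanence module from this same commit, its `lib.mkForce` to the `/nix/persist/system/...` path overrides this value with no warning, and if it does not, `/etc/ssh/ssh_host_ed25519_key` is presumably what sops-nix derives by default when OpenSSH is enabled (confirm against the option's default). Either drop the line or keep it with the intent spelled out, e.g. `# default host key; overridden (mkForce) by the impermanence module on hosts that import it`. Keeping `gnupg.sshKeyPaths = []` is good — it stops sops-nix from also importing an RSA host key as a GnuPG decryption identity — and deserves a one-line comment so it is not removed as "unused". The `sops` attribute set continues past the end of this hunk.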


@ -5,6 +5,7 @@
}: { }: {
imports = [ imports = [
### Flakes ### Flakes
../../../../../../nixos/flake-modules/sops-nix.nix
../../../../../../nixos/flake-modules/home-manager.nix ../../../../../../nixos/flake-modules/home-manager.nix
../../../../../../nixos/flake-modules/berberman.nix ../../../../../../nixos/flake-modules/berberman.nix
]; ];
@ -12,6 +13,9 @@
### Options ### Options
myFlake.nixos.boot.noLoaderMenu = lib.mkDefault true; myFlake.nixos.boot.noLoaderMenu = lib.mkDefault true;
### sops-nix
sops.secrets."wireless/home".path = "/var/lib/iwd/wangxiaobo.psk"; # Home wifi password
### home-manager ### home-manager
home-manager.users.guanranwang.imports = map (n: ../../../../home-manager/${n}) [ home-manager.users.guanranwang.imports = map (n: ../../../../home-manager/${n}) [
"profiles/command-line/nixos/fancy-stuff.nix" "profiles/command-line/nixos/fancy-stuff.nix"
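Review bot: `sops.secrets."wireless/home".path = "/var/lib/iwd/wangxiaobo.psk"` relies on sops-nix defaults for everything else — root ownership, mode 0400, and, when `path` is set, a symlink from that path into the runtime secrets directory rather than a regular file. iwd may rewrite its network files under `/var/lib/iwd` (for example to persist per-network settings after a connection), so a read-only symlinked file could make those writes fail or be discarded — worth confirming on the host and, if so, documenting next to the line: `# symlink into the sops runtime dir; iwd cannot persist per-network changes to it`. The default owner and mode are appropriate because iwd runs as root, but say so in a comment rather than leaving the defaults implicit. Note also that the SSID now lands in the world-readable Nix store via this file name; fine for a home network, but a comment would show that was a deliberate choice.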


@ -3,9 +3,7 @@
config, config,
inputs, inputs,
... ...
}: let }: {
etcDirectory = "clash-meta";
in {
imports = [ imports = [
../../../../../nixos/flake-modules/sops-nix.nix ../../../../../nixos/flake-modules/sops-nix.nix
]; ];
@ -15,7 +13,7 @@ in {
owner = config.users.users."clash-meta".name; owner = config.users.users."clash-meta".name;
group = config.users.groups."clash-meta".name; group = config.users.groups."clash-meta".name;
restartUnits = ["clash-meta.service"]; restartUnits = ["clash-meta.service"];
path = "/etc/${etcDirectory}/config.yaml"; path = "/etc/clash-meta/config.yaml";
}; };
### System proxy settings ### System proxy settings
@ -37,10 +35,10 @@ in {
serviceConfig = { serviceConfig = {
Type = "simple"; Type = "simple";
WorkingDirectory = "/etc/${etcDirectory}"; WorkingDirectory = "/etc/clash-meta";
User = [config.users.users."clash-meta".name]; User = [config.users.users."clash-meta".name];
Group = [config.users.groups."clash-meta".name]; Group = [config.users.groups."clash-meta".name];
ExecStart = "${pkgs.clash-meta}/bin/clash-meta -d /etc/${etcDirectory}"; ExecStart = "${pkgs.clash-meta}/bin/clash-meta -d /etc/clash-meta";
Restart = "on-failure"; Restart = "on-failure";
CapabilityBoundingSet = [ CapabilityBoundingSet = [
"CAP_NET_ADMIN" "CAP_NET_ADMIN"
@ -65,5 +63,5 @@ in {
# - https://yacd.haishan.me # - https://yacd.haishan.me
# - clash-dashboard (buggy): # - clash-dashboard (buggy):
# - https://clash.razord.top # - https://clash.razord.top
environment.etc."${etcDirectory}/metacubexd".source = inputs.metacubexd; environment.etc."clash-meta/metacubexd".source = inputs.metacubexd;
} }


@ -3,7 +3,6 @@
config, config,
... ...
}: let }: let
etcDirectory = "hysteria";
port = 43956; port = 43956;
in { in {
imports = [ imports = [
@ -21,7 +20,7 @@ in {
owner = config.users.users."hysteria".name; owner = config.users.users."hysteria".name;
group = config.users.groups."hysteria".name; group = config.users.groups."hysteria".name;
restartUnits = ["hysteria-server.service"]; restartUnits = ["hysteria-server.service"];
path = "/etc/${etcDirectory}/config.yaml"; path = "/etc/hysteria/config.yaml";
}; };
### User running proxy service ### User running proxy service
@ -40,10 +39,10 @@ in {
serviceConfig = { serviceConfig = {
Type = "simple"; Type = "simple";
WorkingDirectory = "/etc/${etcDirectory}"; WorkingDirectory = "/etc/hysteria";
User = [config.users.users."hysteria".name]; User = [config.users.users."hysteria".name];
Group = [config.users.groups."hysteria".name]; Group = [config.users.groups."hysteria".name];
ExecStart = "${pkgs.hysteria}/bin/hysteria server --config /etc/${etcDirectory}/config.yaml"; ExecStart = "${pkgs.hysteria}/bin/hysteria server --config /etc/hysteria/config.yaml";
Restart = "on-failure"; Restart = "on-failure";
CapabilityBoundingSet = [ CapabilityBoundingSet = [
"CAP_NET_ADMIN" "CAP_NET_ADMIN"


@ -3,7 +3,6 @@
config, config,
... ...
}: let }: let
etcDirectory = "juicity";
port = "33829"; port = "33829";
in { in {
imports = [ imports = [
@ -21,7 +20,7 @@ in {
owner = config.users.users."juicity".name; owner = config.users.users."juicity".name;
group = config.users.groups."juicity".name; group = config.users.groups."juicity".name;
restartUnits = ["juicity-server.service"]; restartUnits = ["juicity-server.service"];
path = "/etc/${etcDirectory}/config.yaml"; path = "/etc/juicity/config.yaml";
}; };
### User running proxy service ### User running proxy service
@ -40,10 +39,10 @@ in {
serviceConfig = { serviceConfig = {
Type = "simple"; Type = "simple";
WorkingDirectory = "/etc/${etcDirectory}"; WorkingDirectory = "/etc/juicity";
User = [config.users.users."juicity".name]; User = [config.users.users."juicity".name];
Group = [config.users.groups."juicity".name]; Group = [config.users.groups."juicity".name];
ExecStart = "${pkgs.juicity}/bin/juicity-server run -c /etc/${etcDirectory}/config.json"; ExecStart = "${pkgs.juicity}/bin/juicity-server run -c /etc/juicity/config.json";
Restart = "on-failure"; Restart = "on-failure";
CapabilityBoundingSet = [ CapabilityBoundingSet = [
"CAP_NET_ADMIN" "CAP_NET_ADMIN"
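Review bot: The inlined paths in this file disagree: the secret is installed at `/etc/juicity/config.yaml` (in the secret definition earlier in this file) while `ExecStart` runs `juicity-server run -c /etc/juicity/config.json`, so unless something outside these hunks creates `config.json`, the server starts against a file sops-nix never writes. The secret's `restartUnits = ["juicity-server.service"]` then also restarts the unit for a file it does not read. Pick one name and use it in both places, e.g. `ExecStart = "${pkgs.juicity}/bin/juicity-server run -c /etc/juicity/config.yaml";` (or change the secret's `path` to `config.json`), and since this commit removed the shared `etcDirectory` binding, a single `configFile = "/etc/juicity/config.yaml";` in the `let` would keep the two from drifting again. The `systemd.services` definition that holds this `serviceConfig` begins before the hunk and runs past its end.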