refactor: make sshd module and some code refactor

2023-12-27 11:39:38 -05:00 · 2023-12-27 11:39:38 -05:00 · ed92a42266
commit ed92a42266
parent f8442fc37e
15 changed files with 89 additions and 97 deletions
--- a/devices/binto/default.nix
+++ b/devices/binto/default.nix
@ -8,6 +8,7 @@
    ../../modules/kmscon.nix
    ../../modules/printer.nix
    ../../modules/proton-bridge.nix
+    ../../modules/sshd.nix
    ../../modules/tailscale.nix

    ./modules/gpu-replay.nix
@ -56,16 +57,6 @@
    firewall.enable = false;
  };

-  services = {
-    openssh = {
-      enable = true;
-      settings = {
-        PasswordAuthentication = false;
-        PermitRootLogin = "no";
-      };
-    };
-  };
-
  # Set your time zone.
  time.timeZone = "America/Montreal";

--- a/devices/oksys/default.nix
+++ b/devices/oksys/default.nix
@ -2,6 +2,7 @@
  imports = [
    ./hardware-configuration.nix

+    ../../modules/sshd.nix
    ../../modules/tailscale.nix

    ./modules/blocky.nix
@ -47,16 +48,6 @@
    firewall.enable = false;
  };

-  services = {
-    openssh = {
-      enable = true;
-      settings = {
-        PasswordAuthentication = false;
-        PermitRootLogin = "no";
-      };
-    };
-  };
-
  # Set your time zone.
  time.timeZone = "America/Montreal";

--- a/devices/oksys/modules/blocky.nix
+++ b/devices/oksys/modules/blocky.nix
@ -2,6 +2,7 @@
  services = {
    blocky = {
      enable = true;
+
      settings = {
        upstream = {
          default = [
--- a/devices/servivi/default.nix
+++ b/devices/servivi/default.nix
@ -3,6 +3,7 @@
    ./hardware-configuration.nix

    ../../modules/kmscon.nix
+    ../../modules/sshd.nix
    ../../modules/tailscale.nix

    ./modules/binary-cache.nix
@ -41,16 +42,6 @@
    firewall.enable = false;
  };

-  services = {
-    openssh = {
-      enable = true;
-      settings = {
-        PasswordAuthentication = false;
-        PermitRootLogin = "no";
-      };
-    };
-  };
-
  # Set your time zone.
  time.timeZone = "America/Montreal";

--- a/devices/servivi/modules/binary-cache.nix
+++ b/devices/servivi/modules/binary-cache.nix
@ -1,7 +1,6 @@
 {
  config,
  pkgs,
-  nixpkgs,
  ...
 }: let
  secrets = config.sops.secrets;
@ -12,6 +11,7 @@ in {
    secretKeyFile = secrets.binary-cache-key.path;
  };

+  # Populate cache
  systemd = {
    services.buildAll = {
      serviceConfig = {
@ -19,25 +19,28 @@ in {
        User = vars.user;
        Group = config.users.users.${vars.user}.group;
      };
+
+      path = with pkgs; [
+        git
+        nix
+        nixci
+        openssh
+      ];
+
      script = ''
        cd /tmp
-        ${pkgs.nix}/bin/nix-shell \
-          -I "nixpkgs=${nixpkgs}" \
-          -p openssh nix git nixci --run \
-        "${builtins.concatStringsSep "; " [
-          "git clone https://git.nelim.org/matt1432/nixos-configs.git nix-clone"
-          "cd nix-clone"
-          "nix flake update"
-          "nixci ."
-          "cd .."
-          "rm -r nix-clone"
-        ]}"
+        git clone https://git.nelim.org/matt1432/nixos-configs.git nix-clone
+        cd nix-clone
+        nix flake update
+        nixci .
+        cd ..
+        rm -r nix-clone
      '';
    };
    timers.buildAll = {
      wantedBy = ["timers.target"];
      partOf = ["buildAll.service"];
-      timerConfig.OnCalendar = ["*-*-* 0:00:00"];
+      timerConfig.OnCalendar = ["0:00:00"];
    };
  };
 }
--- a/devices/servivi/modules/borgbackup.nix
+++ b/devices/servivi/modules/borgbackup.nix
@ -3,18 +3,27 @@
  lib,
  pkgs,
  ...
-}: {
+}:
+with lib; let
+  cfg = config.services.borgbackup;
+  secrets = config.sops.secrets;
+in {
  # Make this file declare default settings
-  options.services.borgbackup = with lib; {
+  options.services.borgbackup = {
+    #
    defaults = mkOption {
      type = types.attrs;
    };
+    configs = mkOption {
+      type = types.attrs;
+    };
  };

  config = {
    users.groups.borg = {};
    users.users.borg = {
      isSystemUser = true;
+      # https://mynixos.com/nixpkgs/option/services.borgbackup.jobs.%3Cname%3E.readWritePaths
      createHome = true;
      home = "/var/lib/borg";
      group = "borg";
@ -28,17 +37,14 @@
    services.borgbackup = {
      defaults = {
        user = "borg";
-        environment = {
-          # TODO: use secrets
-          BORG_RSH = "ssh -i ${config.users.users.borg.home}/.ssh/id_ed25519";
-        };
+        environment = {BORG_RSH = "ssh -i ${secrets.borg-ssh.path}";};

        repo = "ssh://matt@pve/data/backups/borg";
        encryption = {
          mode = "repokey";
          passCommand = let
            cat = "${pkgs.coreutils}/bin/cat";
-            key = config.sops.secrets.borg-repo.path;
+            key = secrets.borg-repo.path;
          in "${cat} ${key}";
        };

@ -46,6 +52,8 @@
        startAt = "00/3:00";
        compression = "auto,lzma";
      };
+
+      jobs = mapAttrs (_: v: v // cfg.defaults) cfg.configs;
    };
  };
 }
--- a/devices/servivi/modules/minecraft.nix
+++ b/devices/servivi/modules/minecraft.nix
@ -88,12 +88,10 @@
      };
    };

-    borgbackup.jobs.mc =
-      config.services.borgbackup.defaults
-      // {
-        paths = [
-          "/var/lib/minecraft"
-        ];
-      };
+    borgbackup.configs.mc = {
+      paths = [
+        "/var/lib/minecraft"
+      ];
+    };
  };
 }