diff --git a/configuration.nix b/configuration.nix
index 509622b..950b605 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -2,8 +2,7 @@ imports = [ (modulesPath + "/installer/scan/not-detected.nix") ./modules/disk-config.nix - ./modules/agenix.nix - ./modules/custom.nix + ./modules/custom ./modules/uptimed.nix ];
@@ -55,12 +54,6 @@ PasswordAuthentication = false; KbdInteractiveAuthentication = false; }; - extraConfig = '' - HostCertificate ${ - builtins.toFile "host_ed25519-cert.pub" config.custom.ssh.hostCert - } - HostKey ${config.age.secrets.host_ed25519.path} - ''; }; xserver = {
@@ -92,12 +85,6 @@ }; }; - extraConfig = '' - CertificateFile ${ - builtins.toFile "user_ed25519-cert.pub" config.custom.ssh.userCert - } - IdentityFile ${config.age.secrets.user_ed25519.path} - ''; }; neovim = {
@@ -186,4 +173,6 @@ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + + age.identityPaths = [ "/root/age_ed25519" ]; }
diff --git a/modules/agenix.nix b/modules/agenix.nix
deleted file mode 100644
index de2b883..0000000
--- a/modules/agenix.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ config, ... }: {
- age = {
- identityPaths = [ "/root/age_ed25519" ];
-
- secrets = {
- "host_ed25519".file = config.custom.ssh.hostKey;
- "user_ed25519".file = config.custom.ssh.userKey;
- };
- };
-}
diff --git a/modules/custom.nix b/modules/custom.nix
deleted file mode 100644
index aebc25b..0000000
--- a/modules/custom.nix
+++ /dev/null
@@ -1,88 +0,0 @@
-{ pkgs, lib, config, ... }: {
- options = {
- custom = {
- dataDisk.enable = lib.mkOption {
- default = false;
- type = lib.types.bool;
- description = ''
- Whether to automatically mount /dev/sda1 on /mnt/data
- '';
- };
-
- ssh = {
- hostCert = lib.mkOption {
- type = lib.types.str;
- description = ''
- SSH host certificate
- '';
- };
-
- userCert = lib.mkOption {
- type = lib.types.str;
- description = ''
- SSH user certificate
- '';
- };
-
- hostKey = lib.mkOption {
- default = ../secrets/${config.networking.hostName}_host_ed25519.age;
- type = lib.types.path;
- description = ''
- SSH host key
- '';
- };
-
- userKey = lib.mkOption {
- default = ../secrets/${config.networking.hostName}_user_ed25519.age;
- type = lib.types.path;
- description = ''
- SSH user key
- '';
- };
- };
-
- terraformDatabase.enable = lib.mkOption {
- default = false;
- type = lib.types.bool;
- description = ''
- Whether to start a postgreSQL database for Terraform states
- '';
- };
- };
- };
-
- config = {
- fileSystems."/mnt/data" =
- lib.mkIf config.custom.dataDisk.enable { device = "/dev/sda1"; };
-
- services.postgresql = lib.mkIf config.custom.terraformDatabase.enable {
- enable = true;
- ensureDatabases = [ "terraformstates" ];
- package = pkgs.postgresql_15;
- enableTCPIP = true;
- dataDir =
- "/mnt/data/postgresql/${config.services.postgresql.package.psqlSchema}";
- # TODO: for now trust, replace this with client certificate later
- authentication = ''
- hostssl terraformstates terraform all trust
- '';
- settings = {
- ssl = true;
- ssl_cert_file = builtins.toFile "postgresql_server.crt"
- (builtins.readFile ../postgresql_server.crt);
- ssl_key_file = config.age.secrets."postgresql_server.key".path;
- };
- ensureUsers = [{
- name = "terraform";
- ensurePermissions = { "DATABASE terraformstates" = "ALL PRIVILEGES"; };
- }];
- };
-
- age.secrets."postgresql_server.key" = {
- file = ../secrets/postgresql_server.key.age;
- mode = "400";
- owner = builtins.toString 
config.ids.uids.postgres;
- group = builtins.toString config.ids.gids.postgres;
- };
- };
-}
diff --git a/modules/custom/data-disk.nix b/modules/custom/data-disk.nix
new file mode 100644
index 0000000..4e2d485
--- /dev/null
+++ b/modules/custom/data-disk.nix
@@ -0,0 +1,19 @@
+{ lib, config, ... }:
+let cfg = config.custom.dataDisk;
+in {
+ options = {
+ custom = {
+ dataDisk.enable = lib.mkOption {
+ default = false;
+ type = lib.types.bool;
+ description = ''
+ Whether to automatically mount /dev/sda1 on /mnt/data
+ '';
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ fileSystems."/mnt/data" = { device = "/dev/sda1"; };
+ };
+}
diff --git a/modules/custom/default.nix b/modules/custom/default.nix
new file mode 100644
index 0000000..ceeaefa
--- /dev/null
+++ b/modules/custom/default.nix
@@ -0,0 +1,3 @@
+{
+ imports = [ ./terraform-database.nix ./data-disk.nix ./ssh-certificates.nix ];
+}
diff --git a/modules/custom/ssh-certificates.nix b/modules/custom/ssh-certificates.nix
new file mode 100644
index 0000000..456ff21
--- /dev/null
+++ b/modules/custom/ssh-certificates.nix
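Review bot: `fileSystems."/mnt/data"` in data-disk.nix mounts a hard-coded `/dev/sda1` with no `fsType`, so the mount depends on kernel enumeration order and on filesystem autodetection; whichever disk happens to enumerate as sda gets mounted at /mnt/data, which terraform-database.nix then uses as the PostgreSQL data directory. Consider exposing the device as an option with a stable identifier, e.g. `dataDisk.device = lib.mkOption { type = lib.types.str; default = "/dev/disk/by-uuid/<DATA-DISK-UUID>"; };` (placeholder), and setting `fsType` explicitly alongside `device`. The option description should then stop naming `/dev/sda1` literally.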
@@ -0,0 +1,65 @@
+{ lib, config, ... }:
+let
+ cfg = config.custom.ssh;
+ hostCert = builtins.toFile "host_ed25519-cert.pub" cfg.hostCert;
+ userCert = builtins.toFile "user_ed25519-cert.pub" cfg.userCert;
+in {
+ options = {
+ custom = {
+ ssh = {
+ hostCert = lib.mkOption {
+ type = lib.types.str;
+ description = ''
+ SSH host certificate
+ '';
+ };
+
+ userCert = lib.mkOption {
+ type = lib.types.str;
+ description = ''
+ SSH user certificate
+ '';
+ };
+
+ hostKey = lib.mkOption {
+ default =
+ ../../secrets/${config.networking.hostName}_host_ed25519.age;
+ type = lib.types.path;
+ description = ''
+ SSH host key
+ '';
+ };
+
+ userKey = lib.mkOption {
+ default =
+ ../../secrets/${config.networking.hostName}_user_ed25519.age;
+ type = lib.types.path;
+ description = ''
+ SSH user key
+ '';
+ };
+ };
+ };
+ };
+
+ config = {
+ services.openssh = {
+ extraConfig = ''
+ HostCertificate ${hostCert}
+ HostKey ${config.age.secrets.host_ed25519.path}
+ '';
+ };
+
+ programs.ssh = {
+ extraConfig = ''
+ CertificateFile ${userCert}
+ IdentityFile ${config.age.secrets.user_ed25519.path}
+ '';
+ };
+
+ age.secrets = {
+ "host_ed25519".file = cfg.hostKey;
+ "user_ed25519".file = cfg.userKey;
+ };
+ };
+}
diff --git a/modules/custom/terraform-database.nix b/modules/custom/terraform-database.nix
new file mode 100644
index 0000000..06b5611
--- /dev/null
+++ b/modules/custom/terraform-database.nix
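Review bot: The `config` block in ssh-certificates.nix is unconditional and `hostCert`/`userCert` are required `str` options with no default, so every host that imports `./modules/custom` must supply both certificates or evaluation fails; the sibling modules data-disk.nix and terraform-database.nix gate their config with `lib.mkIf cfg.enable`. Adding a `custom.ssh.enable` option and writing `config = lib.mkIf cfg.enable { … };` here would make the three modules consistent and let a host opt out. Separately, the `HostKey` line is injected through `services.openssh.extraConfig`, which presumably leaves the default `services.openssh.hostKeys` entries active as well, so sshd would still offer uncertified host keys next to the certified one — if only the certified key should be presented, set `services.openssh.hostKeys = [ ];` or point `hostKeys` at the age path; confirm against the openssh module in the nixpkgs revision in use. Likewise `IdentityFile` in `programs.ssh.extraConfig` is system-wide ssh_config while the age secret carries no `owner`/`mode`, so non-root users' clients presumably cannot read it; worth a one-line comment stating that the user certificate is intended for root only.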
@@ -0,0 +1,49 @@
+{ pkgs, lib, config, ... }:
+let cfg = config.custom.terraformDatabase;
+in {
+ options = {
+ custom = {
+ terraformDatabase.enable = lib.mkOption {
+ default = false;
+ type = lib.types.bool;
+ description = ''
+ Whether to start a postgreSQL database for Terraform states
+ '';
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "terraformstates" ];
+ package = pkgs.postgresql_15;
+ enableTCPIP = true;
+ dataDir = lib.mkIf config.custom.dataDisk.enable
+ "/mnt/data/postgresql/${config.services.postgresql.package.psqlSchema}";
+ # dataDir =
+ # "/mnt/data/postgresql/${config.services.postgresql.package.psqlSchema}";
+ # TODO: for now trust, replace this with client certificate later
+ authentication = ''
+ hostssl terraformstates terraform all trust
+ '';
+ settings = {
+ ssl = true;
+ ssl_cert_file = builtins.toFile "postgresql_server.crt"
+ (builtins.readFile ../../postgresql_server.crt);
+ ssl_key_file = config.age.secrets."postgresql_server.key".path;
+ };
+ ensureUsers = [{
+ name = "terraform";
+ ensurePermissions = { "DATABASE terraformstates" = "ALL PRIVILEGES"; };
+ }];
+ };
+
+ age.secrets."postgresql_server.key" = {
+ file = ../../secrets/postgresql_server.key.age;
+ mode = "400";
+ owner = builtins.toString config.ids.uids.postgres;
+ group = builtins.toString config.ids.gids.postgres;
+ };
+ };
+}
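Review bot: `authentication` in terraform-database.nix keeps `hostssl terraformstates terraform all trust`, and together with `enableTCPIP = true` that lets any client that can reach the listener log in as `terraform` with no credential at all; TLS here only encrypts the session, it does not authenticate the peer. The TODO carried over from custom.nix acknowledges this, but until client certificates land the rule should at least restrict the address column to the Terraform client's network and use a real method, e.g. `hostssl terraformstates terraform <TERRAFORM-CLIENT-CIDR> scram-sha-256` (placeholder), moving to `cert clientcert=verify-full` once the client certificate is in place. Whether the NixOS firewall blocks the PostgreSQL port is not visible in this diff; please confirm. Also the two commented-out `# dataDir =` lines duplicate the live `lib.mkIf` form just above them and should be deleted rather than kept as dead code.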