~~

oluceps · Oct 21, 2024 · 62cbe41 · 62cbe41
1 parent a5763c9
commit 62cbe41
Show file tree

Hide file tree

Showing 14 changed files with 104 additions and 159 deletions.
diff --git a/age/cloud.nix b/age/cloud.nix
@@ -6,4 +6,4 @@
   # rrr,
   ...
 }:
-({ })
+(hard [ "juic-san" ])
diff --git a/age/default.nix b/age/default.nix
@@ -6,6 +6,7 @@
   data,
   user,
   self,
+  lib,
   ...
 }:
 {
@@ -41,6 +42,7 @@
             rootRo
             sdnetRo
             rrr
+            lib
             ;
         };
       in

diff --git a/age/trust.nix b/age/trust.nix
@@ -2,6 +2,7 @@
   hard,
   userRo,
   rootRo,
+  lib,
   # sdnetRo,
   # rrr,
   ...
@@ -11,7 +12,6 @@
   "dae.sub"
   "jc-do"
   "ss-az"
-  "juic-san"
   "naive"
 ])
 // (userRo [
@@ -39,25 +39,28 @@
     group = "users";
     name = "d.dae";
   };
-  hyst-us-cli = {
-    rekeyFile = ../sec/hyst-us-cli.age;
-    mode = "640";
-    owner = "root";
-    group = "users";
-    name = "hyst-us-cli.yaml";
-  };
-  hyst-la-cli = {
-    rekeyFile = ../sec/hyst-la-cli.age;
-    mode = "640";
-    owner = "root";
-    group = "users";
-    name = "hyst-la-cli.yaml";
-  };
-  hyst-hk-cli = {
-    rekeyFile = ../sec/hyst-hk-cli.age;
-    mode = "640";
-    owner = "root";
-    group = "users";
-    name = "hyst-hk-cli.yaml";
-  };
+
 }
+// (
+  let
+    inherit (lib) listToAttrs nameValuePair;
+  in
+  listToAttrs (
+    map
+      (
+        n:
+        nameValuePair "hyst-${n}-cli" {
+          rekeyFile = ../sec/hyst-${n}-cli.age;
+          mode = "640";
+          owner = "root";
+          group = "users";
+          name = "hyst-${n}-cli.yaml";
+        }
+      )
+      [
+        "la"
+        "us"
+        "hk"
+      ]
+  )
+)
diff --git a/hosts/abhoth/spec.nix b/hosts/abhoth/spec.nix
@@ -57,7 +57,7 @@
         openFirewall = 4432;
         credentials = [
           "key:${config.age.secrets."nyaw.key".path}"
-          "cert:${config.age.secrets."nyaw.cert".path}"
+          "crt:${config.age.secrets."nyaw.cert".path}"
         ];
         configFile = config.age.secrets.hyst-us.path;
       };

diff --git a/hosts/azasos/default.nix b/hosts/azasos/default.nix
@@ -49,7 +49,7 @@ withSystem "x86_64-linux" (
       ./rekey.nix
       ./spec.nix
       ./caddy.nix
-      ../../age
+      (lib.iage "cloud")
       ../../packages.nix
       ../../misc.nix
       ../../users.nix

diff --git a/hosts/azasos/rekey.nix b/hosts/azasos/rekey.nix
@@ -1,4 +1,9 @@
-{ data, ... }:
+{
+  data,
+  lib,
+  self,
+  ...
+}:
 let
   hostPrivKey = "/var/lib/ssh/ssh_host_ed25519_key";
 in
@@ -12,13 +17,59 @@ in
   age = {
     identityPaths = [ hostPrivKey ];
     rekey.hostPubkey = data.keys.azasosHostPubKey;
-    secrets = {
-      wga = {
-        rekeyFile = ../../sec/wga.age;
-        owner = "systemd-network";
-        group = "root";
-        mode = "400";
-      };
-    };
+    secrets =
+      {
+        wga = {
+          rekeyFile = ../../sec/wga.age;
+          owner = "systemd-network";
+          group = "root";
+          mode = "400";
+        };
+
+        hyst-us-cli = {
+          rekeyFile = ../sec/hyst-us-cli.age;
+          mode = "640";
+          owner = "root";
+          group = "users";
+          name = "hyst-us-cli.yaml";
+        };
+        hyst-la-cli = {
+          rekeyFile = ../sec/hyst-la-cli.age;
+          mode = "640";
+          owner = "root";
+          group = "users";
+          name = "hyst-la-cli.yaml";
+        };
+        hyst-hk-cli = {
+          rekeyFile = ../sec/hyst-hk-cli.age;
+          mode = "640";
+          owner = "root";
+          group = "users";
+          name = "hyst-hk-cli.yaml";
+        };
+      }
+      // (
+        let
+          inherit (lib) listToAttrs nameValuePair;
+        in
+        listToAttrs (
+          map
+            (
+              n:
+              nameValuePair "hyst-${n}-cli" {
+                rekeyFile = "${self}/sec/hyst-${n}-cli.age";
+                mode = "640";
+                owner = "root";
+                group = "users";
+                name = "hyst-${n}-cli.yaml";
+              }
+            )
+            [
+              "la"
+              "us"
+              "hk"
+            ]
+        )
+      );
   };
 }
diff --git a/hosts/colour/default.nix b/hosts/colour/default.nix
@@ -48,7 +48,7 @@ withSystem "x86_64-linux" (
       ./rekey.nix
       ./spec.nix
       ./caddy.nix
-      ../../age
+      (lib.iage "cloud")
       ../../packages.nix
       ../../misc.nix
       ../../users.nix

diff --git a/hosts/nodens/default.nix b/hosts/nodens/default.nix
@@ -22,6 +22,11 @@ withSystem "x86_64-linux" (
           "cinny-4.2.1"
           "cinny-unwrapped-4.2.1"
         ];
+        allowUnfreePredicate =
+          pkg:
+          builtins.elem (lib.getName pkg) [
+            "factorio-headless"
+          ];
       };
       overlays =
         (import "${self}/overlays.nix" { inherit inputs' inputs; })
@@ -43,13 +48,13 @@ withSystem "x86_64-linux" (
       user = "elen";
     };
     modules = lib.sharedModules ++ [
-      ../sysvars.nix
+      # ../sysvars.nix
       ./hardware.nix
       ./network.nix
       ./rekey.nix
       ./spec.nix
       ./caddy.nix
-      ../../age
+      (lib.iage "cloud")
       ../../packages.nix
       ../../misc.nix
       ../../users.nix

diff --git a/hosts/nodens/spec.nix b/hosts/nodens/spec.nix
@@ -108,10 +108,10 @@
     juicity.instances = {
       only = {
         enable = true;
-        credentials = [
-          "key:${config.age.secrets."nyaw.key".path}"
-          "cert:${config.age.secrets."nyaw.cert".path}"
-        ];
+        # credentials = [
+        #   "key:${config.age.secrets."nyaw.key".path}"
+        #   "cert:${config.age.secrets."nyaw.cert".path}"
+        # ];
         serve = true;
         openFirewall = 23180;
         configFile = config.age.secrets.juic-san.path;

diff --git a/hosts/yidhra/default.nix b/hosts/yidhra/default.nix
@@ -53,7 +53,7 @@ withSystem "x86_64-linux" (
       ./network.nix
       ./rekey.nix
       ./spec.nix
-      ../../age
+      (lib.iage "cloud")
       ../../packages.nix
       ../../misc.nix
       ../../users.nix

diff --git a/modules/smartdns.nix b/modules/smartdns.nix
diff --git a/pkgs/smartdns-rs.nix b/pkgs/smartdns-rs.nix
diff --git a/repack/smartdns.nix b/repack/smartdns.nix
diff --git a/util.nu b/util.nu
@@ -39,8 +39,6 @@ export def b [
 
 }
 
-# /nix/store/6p33aybdjmhnilj7ymbfhgivl94bcg4y-system-path/bin/systemd-run -E LOCALE_ARCHIVE -E NIXOS_INSTALL_BOOTLOADER= --collect --no-ask-password --pipe --quiet --same-dir --service-type=exec --unit=nixos-rebuild-switch-to-configuration --wait /nix/store/80p580pppp385sg8k1rq59088kfb3a2d-nixos-system-eihort-24.11.20241019.6125359/bin/switch-to-configuration switch
-
 # deploy
 # all op with hostname
 export def d [
@@ -77,7 +75,7 @@ export def d [
     | par-each {|| {name: $in.0, addr: $in.1, path: $in.2}}
     | each {|i|
         log info $'deploying ($i.path)(char newline)-> ($i.name) | ($i.addr)'
-        ssh -t $'ssh://($i.addr)' $'sudo ($i.path)/bin/switch-to-configuration ($mode)' | complete
+        ssh -t $'ssh://($i.addr)' $'sudo systemd-run -E LOCALE_ARCHIVE --collect --no-ask-password --pipe --quiet --same-dir --service-type=exec --unit=nixos-rebuild-switch-to-configuration --wait ($i.path)/bin/switch-to-configuration ($mode)' | complete
       }
   }
 }