Add Colmena to manage systems, use better pathing for smallfetch, use better mountpoints and hostnames from Colema

2025-06-01 06:17:48 -04:00 · 2025-06-01 06:17:48 -04:00 · 1f7d01bb4d
commit 1f7d01bb4d
parent 215ad6b1a7
53 changed files with 254 additions and 166 deletions
--- a/modules/system/default.nix
+++ b/modules/system/default.nix
@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, name, ... }:
 {
  imports = [
    ./devices
@ -13,4 +13,6 @@
    desktop.enable = mkEnableOption "Desktop apps and services";
    server.enable = mkEnableOption "Server apps and services";
  };
+
+  config.networking.hostName = name;
 }
--- a/modules/system/devices/networking/mycelium/default.nix
+++ b/modules/system/devices/networking/mycelium/default.nix
@ -1,7 +1,5 @@
 { ... }:
 {
-  imports = [ ./ips ];
-
  services.mycelium = {
    enable = true;
    openFirewall = true;
--- a/modules/system/devices/networking/mycelium/ips/default.nix
+++ b/modules/system/devices/networking/mycelium/ips/default.nix
@ -1,15 +0,0 @@
-{ config, lib, ... }:
-{
-  options.services.mycelium.ips = lib.mkOption {
-    type = lib.types.attrs;
-  };
-
-  config.services.mycelium.ips = {
-    tower = "4e4:535:9d47:f367:becd:6557:458d:5b1b";
-    intuos = "40e:404:a427:da33:163e:97b3:a2a3:9ed4";
-    jupiter = "5ce:969c:40d1:9575:f5e:591d:c377:a20b";
-    midas = "538:e163:87ba:f847:3646:18b6:6b01:d8f8";
-    kitty = "53f:dc2d:80c9:3ca2:4b15:ef4d:38a0:c868";
-    prophet = "42f:2737:2aed:4dee:cbe4:3c73:1918:ad9b";
-  };
-}
--- a/modules/system/programs/colmena/default.nix
+++ b/modules/system/programs/colmena/default.nix
@ -0,0 +1,4 @@
+{ ... }:
+{
+  deployment.targetUser = "sudo";
+}
--- a/modules/system/programs/default.nix
+++ b/modules/system/programs/default.nix
@ -1,6 +1,7 @@
 { ... }:
 {
  imports = [
+    ./colmena
    ./desktops
    ./gaming
    ./git
--- a/modules/system/services/general/ssh/default.nix
+++ b/modules/system/services/general/ssh/default.nix
@ -12,6 +12,8 @@
    };
  };

+  programs.ssh.startAgent = true;
+
  security.pam.services.sshd.allowNullPassword = true;

  environment.persistence."/persist".files = [
--- a/modules/system/services/server/nfs/default.nix
+++ b/modules/system/services/server/nfs/default.nix
@ -1,11 +1,13 @@
-{ config, lib, ... }:
+{ config, lib, nodes, ... }:
 {
  imports = [ ./user ];

  config = lib.mkIf config.services.nfs.server.enable {
    services.nfs.server.exports = "/storage *(rw)";
-    networking.firewall.extraInputRules = with lib; ''
-      ip6 saddr { ${concatStringsSep ", " (attrValues config.services.mycelium.ips)} } tcp dport 2049 accept
+    networking.firewall.extraInputRules = let
+      targetHosts = lib.attrValues (lib.mapAttrs (_: node: node.config.deployment.targetHost) nodes);
+    in ''
+      ip6 saddr { ${lib.concatStringsSep ", " targetHosts} } tcp dport 2049 accept
    '';
  };
 }
--- a/modules/system/services/server/nginx/rtmp/default.nix
+++ b/modules/system/services/server/nginx/rtmp/default.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, nodes, ... }:
 {
  config = lib.mkIf config.services.webserver.enable {
    services.nginx = {
@ -23,8 +23,10 @@
        }
      '';
    };
-    networking.firewall.extraInputRules = with config.services.mycelium.ips; ''
-      ip6 saddr { ${tower}, ${intuos}, ${jupiter} } tcp dport 1935 accept
+    networking.firewall.extraInputRules = let
+      targetHosts = lib.attrValues (lib.mapAttrs (_: node: node.config.deployment.targetHost) nodes);
+    in ''
+      ip6 saddr { ${lib.concatStringsSep ", " targetHosts} } tcp dport 1935 accept
      ip saddr { ${config.secrets.ips.luna}, ${config.secrets.ips.corn} } tcp dport 1935 accept
    '';
    systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www/landing-page/streams/hls/" ];
--- a/modules/system/services/server/owncast/default.nix
+++ b/modules/system/services/server/owncast/default.nix
@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, nodes, ... }:
 {
  imports = [ ./nginx ];

@ -7,8 +7,10 @@
      port = 8060;
      rtmp-port = 1945;
    };
-    networking.firewall.extraInputRules = with config.services.mycelium.ips; ''
-      ip6 saddr { ${tower}, ${intuos}, ${jupiter} } tcp dport 1935 accept
+    networking.firewall.extraInputRules = let
+      targetHosts = lib.attrValues (lib.mapAttrs (_: node: node.config.deployment.targetHost) nodes);
+    in ''
+      ip6 saddr { ${lib.concatStringsSep ", " targetHosts} } tcp dport ${toString config.services.owncast.rtmp-port} accept
    '';
    environment.persistence."/persist".directories = [ "/var/lib/owncast" ];
  };
--- a/modules/system/settings/security/privilege/default.nix
+++ b/modules/system/settings/security/privilege/default.nix
@ -3,5 +3,25 @@
  security.sudo-rs = {
    enable = true;
    execWheelOnly = true;
+    extraRules = [
+      {
+        users = [ "sudo" ];
+        commands = [
+          {
+            command = "ALL";
+            options = [ "NOPASSWD" ];
+          }
+        ];
+      }
+    ];
+  };
+
+  # Create a user that has admin non-interactively
+  users.users.sudo = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ];
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN3B9Uf3h5JiD2HjF/vQ5Zx9pibMgRrlf7ZoBktev9eB Warden"
+    ];
  };
 }
--- a/modules/system/users/main/default.nix
+++ b/modules/system/users/main/default.nix
@ -23,7 +23,7 @@
        ../../../../hosts/prophet/id_ed25519.pub
      ];
      openssh.authorizedKeys.keys = [ 
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKn+61Hd+nQ5tQgt4219+h/zsnej1j2dHU5uvC3k3Bnw Warden"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN3B9Uf3h5JiD2HjF/vQ5Zx9pibMgRrlf7ZoBktev9eB Warden"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJahAoF74BY6GCTsFkt1ADKaraFgJJozW1Y1aBTLK0j9 Pixel9"
      ];
      extraGroups = [