diff --git a/devices/nas/default.nix b/devices/nas/default.nix
index d91b6129..791a5747 100644
--- a/devices/nas/default.nix
+++ b/devices/nas/default.nix
@@ -41,7 +41,7 @@ inputs:
 initrd.sshd.enable = true;
 nixpkgs.march = "silvermont";
 nix.substituters = [ "https://nix-store.chn.moe?priority=100" ];
- networking = { hostname = "nas"; networkd = {}; };
+ networking.networkd = {};
 };
 hardware = { cpus = [ "intel" ]; gpu.type = "intel"; };
 services =
diff --git a/devices/pc/default.nix b/devices/pc/default.nix
index b6ee521b..20e34008 100644
--- a/devices/pc/default.nix
+++ b/devices/pc/default.nix
@@ -53,7 +53,6 @@ inputs:
 modules.modprobeConfig =
 [ "options iwlwifi power_save=0" "options iwlmvm power_scheme=1" "options iwlwifi uapsd_disable=1" ];
 };
- networking.hostname = "pc";
 sysctl.laptop-mode = 5;
 gui.enable = true;
 };
diff --git a/devices/pi3b/default.nix b/devices/pi3b/default.nix
index 3069b87c..f9a7a708 100644
--- a/devices/pi3b/default.nix
+++ b/devices/pi3b/default.nix
@@ -18,7 +18,7 @@ inputs:
 swap = [ "/nix/swap/swap" ];
 rollingRootfs = {};
 };
- networking = { hostname = "pi3b"; networkd = {}; };
+ networking.networkd = {};
 nixpkgs.arch = "aarch64";
 kernel.variant = "nixos";
 };
diff --git a/devices/srv1-node0/default.nix b/devices/srv1-node0/default.nix
deleted file mode 100644
index 9a175674..00000000
--- a/devices/srv1-node0/default.nix
+++ /dev/null
@@ -1,50 +0,0 @@
-inputs:
-{
- config =
- {
- nixos =
- {
- system =
- {
- fileSystems =
- {
- mount =
- {
- vfat."/dev/disk/by-uuid/7A60-4232" = "/boot";
- btrfs."/dev/mapper/root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
- };
- swap = [ "/dev/mapper/swap" ];
- rollingRootfs = {};
- };
- nixpkgs.march = "cascadelake";
- kernel.variant = "xanmod-lts";
- networking.hostname = "srv1-node0";
- gui.enable = true;
- };
- packages.vasp = null;
- hardware.cpus = [ "intel" ];
- services =
- {
- snapper.enable = true;
- sshd = {};
- xray.client.enable = true;
- smartd.enable = true;
- beesd.instances.root = { device = "/"; hashTableSizeMB = 4096; threads = 4; };
- wireguard =
- {
- enable = true;
- peers = [ "vps6" ];
- publicKey = "l1gFSDCeBxyf/BipXNvoEvVvLqPgdil84nmr5q6+EEw=";
- wireguardIp = "192.168.83.3";
- };
- slurm =
- {
- enable = true;
- cpu = { cores = 16; threads = 2; mpiThreads = 2; openmpThreads = 4; };
- memoryMB = 90112;
- };
- };
- user.users = [ "chn" ];
- };
- };
-}
diff --git a/devices/srv1-node0/secrets/munge.key b/devices/srv1-node0/secrets/munge.key
deleted file mode 100644
index fb2fd4a2..00000000
--- a/devices/srv1-node0/secrets/munge.key
+++ /dev/null
@@ -1,24 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:ftogJ/2oPME8sVbyNAuI3t3GEzUmdCadyjf2g/bjGNx3AoV0jU0SDxnBLDFfoR1rEtV00zfgCMPDGsEXavg+QVvoICpvvhckXMOLXe37H3Ff0wDVJtL4BBIK3oVh/SiYaRm/+uR0x6HW37KX50RRvKvpQoRdMVNnvtKbMjmQVIA=,iv:MOHfTIavoU643K10jSR3HruzoofOqqVspYgiaLc294o=,tag:zjDTPKwAOh/nqkquvAQpbw==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5TTB1bHFXcDhoMk1QVzJ0\nUUplcGVBVUhoOEt0Rnc2ZStDUUpjZmV0eGpvCjFQSGl4TjlMT2R5RExNZWxwOUtz\nSWhhSUtFN0JISzJhclpCMFZDQ09jK28KLS0tIGJydDNoY3hBbEhBYUNYZGZCaWpQ\nQnVDalJCcWpIRTdVaWkzeGVNSGpDRWsKWXoMC8NApfenn191aRwdAjD0iM5+C3R6\nXKpHxfhc1Gf6paxBhketFU+AwWsKiBDKh0gntV49F+YSriPa7uI3FA==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1ffvr5pqd2lfj24e3fh53s92z6h76fda3du4y4k6r3yjumdwvpfgqzj033a", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzclYwVjdOZnQ1Y2dlUi9n\naXQya21QVHZ0KzMxTkVuTEJuazB4WklqdFdvCmpMd0h6OXUvZSttOFpmeUdsSlNs\nQkhQaVJqVFdidFNMejljV2h3WUFTaFUKLS0tIGNBemY5R1N3T00zMEthZjBsWXZh\nVXRtNG5UV3I3WG5LYUphNUNyUDI5WXcKVQpMe3zYgzHOtQQvo8Vvz94lYR6TBFuV\nD7ztr4rD/Vdk3hkSGZQvdzGjNDdGpac38LUN9vtFQbzMofykcn/etw==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2024-02-24T05:48:31Z", - "mac": "ENC[AES256_GCM,data:kCLcS6xeMijD8Bxa0MBUbFH2pdXX6BdGL1SztHHPet8loMkiCfgEiyp9l/QjszWa3G6zx3K+0wXXtRXmrNAxThnIgMZQVGCy4Ucw7fp8Pral/5eaJNlZGb56JQPF9ZDHb9YQPDPImaEAKYUtzayyaZAGJGlCmIIhVVhXTx7iiig=,iv:MXRDA/6YnVUbLdYAIrMvrdb2iPsi4Bmr06SPCU8CCVc=,tag:9hT7Xo0tRnHTgAaivKj4QQ==,type:str]", - "pgp": null, - "unencrypted_suffix": "_unencrypted", - "version": "3.8.1" - } -} \ No newline at end of file diff --git a/devices/srv1-node3/default.nix b/devices/srv1-node3/default.nix deleted file mode 100644 index 6e77539f..00000000 
--- a/devices/srv1-node3/default.nix
+++ /dev/null
@@ -1,50 +0,0 @@
-inputs:
-{
- config =
- {
- nixos =
- {
- system =
- {
- fileSystems =
- {
- mount =
- {
- vfat."/dev/disk/by-uuid/7A60-4232" = "/boot";
- btrfs."/dev/mapper/root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
- };
- swap = [ "/dev/mapper/swap" ];
- rollingRootfs = {};
- };
- nixpkgs.march = "broadwell";
- kernel.variant = "xanmod-lts";
- networking.hostname = "srv1-node3";
- gui.enable = true;
- };
- packages.vasp = null;
- hardware.cpus = [ "intel" ];
- services =
- {
- snapper.enable = true;
- sshd = {};
- xray.client.enable = true;
- smartd.enable = true;
- beesd.instances.root = { device = "/"; hashTableSizeMB = 4096; threads = 4; };
- wireguard =
- {
- enable = true;
- peers = [ "vps6" ];
- publicKey = "l1gFSDCeBxyf/BipXNvoEvVvLqPgdil84nmr5q6+EEw=";
- wireguardIp = "192.168.83.3";
- };
- slurm =
- {
- enable = true;
- cpu = { cores = 16; threads = 2; mpiThreads = 2; openmpThreads = 4; };
- memoryMB = 90112;
- };
- };
- user.users = [ "chn" ];
- };
- };
-}
diff --git a/devices/srv1-node3/secrets/munge.key b/devices/srv1-node3/secrets/munge.key
deleted file mode 100644
index fb2fd4a2..00000000
--- a/devices/srv1-node3/secrets/munge.key
+++ /dev/null
@@ -1,24 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:ftogJ/2oPME8sVbyNAuI3t3GEzUmdCadyjf2g/bjGNx3AoV0jU0SDxnBLDFfoR1rEtV00zfgCMPDGsEXavg+QVvoICpvvhckXMOLXe37H3Ff0wDVJtL4BBIK3oVh/SiYaRm/+uR0x6HW37KX50RRvKvpQoRdMVNnvtKbMjmQVIA=,iv:MOHfTIavoU643K10jSR3HruzoofOqqVspYgiaLc294o=,tag:zjDTPKwAOh/nqkquvAQpbw==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5TTB1bHFXcDhoMk1QVzJ0\nUUplcGVBVUhoOEt0Rnc2ZStDUUpjZmV0eGpvCjFQSGl4TjlMT2R5RExNZWxwOUtz\nSWhhSUtFN0JISzJhclpCMFZDQ09jK28KLS0tIGJydDNoY3hBbEhBYUNYZGZCaWpQ\nQnVDalJCcWpIRTdVaWkzeGVNSGpDRWsKWXoMC8NApfenn191aRwdAjD0iM5+C3R6\nXKpHxfhc1Gf6paxBhketFU+AwWsKiBDKh0gntV49F+YSriPa7uI3FA==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1ffvr5pqd2lfj24e3fh53s92z6h76fda3du4y4k6r3yjumdwvpfgqzj033a", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzclYwVjdOZnQ1Y2dlUi9n\naXQya21QVHZ0KzMxTkVuTEJuazB4WklqdFdvCmpMd0h6OXUvZSttOFpmeUdsSlNs\nQkhQaVJqVFdidFNMejljV2h3WUFTaFUKLS0tIGNBemY5R1N3T00zMEthZjBsWXZh\nVXRtNG5UV3I3WG5LYUphNUNyUDI5WXcKVQpMe3zYgzHOtQQvo8Vvz94lYR6TBFuV\nD7ztr4rD/Vdk3hkSGZQvdzGjNDdGpac38LUN9vtFQbzMofykcn/etw==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2024-02-24T05:48:31Z", - "mac": "ENC[AES256_GCM,data:kCLcS6xeMijD8Bxa0MBUbFH2pdXX6BdGL1SztHHPet8loMkiCfgEiyp9l/QjszWa3G6zx3K+0wXXtRXmrNAxThnIgMZQVGCy4Ucw7fp8Pral/5eaJNlZGb56JQPF9ZDHb9YQPDPImaEAKYUtzayyaZAGJGlCmIIhVVhXTx7iiig=,iv:MXRDA/6YnVUbLdYAIrMvrdb2iPsi4Bmr06SPCU8CCVc=,tag:9hT7Xo0tRnHTgAaivKj4QQ==,type:str]", - "pgp": null, - "unencrypted_suffix": "_unencrypted", - "version": "3.8.1" - } -} \ No newline at end of file diff --git a/devices/srv1/default.nix b/devices/srv1/default.nix new file mode 100644 index 00000000..949734ea --- /dev/null 
+++ b/devices/srv1/default.nix
@@ -0,0 +1,29 @@
+inputs:
+{
+ config =
+ {
+ nixos =
+ {
+ system =
+ {
+ fileSystems = { swap = [ "/dev/mapper/swap" ]; rollingRootfs = {}; };
+ kernel.variant = "xanmod-lts";
+ gui.enable = true;
+ };
+ hardware.cpus = [ "intel" ];
+ services =
+ {
+ snapper.enable = true;
+ sshd = {};
+ smartd.enable = true;
+ slurm =
+ {
+ enable = true;
+ cpu = { cores = 16; threads = 2; mpiThreads = 2; openmpThreads = 4; };
+ memoryMB = 90112;
+ };
+ };
+ user.users = [ "chn" ];
+ };
+ };
+}
diff --git a/devices/srv1/node0/default.nix b/devices/srv1/node0/default.nix
new file mode 100644
index 00000000..1beff6c4
--- /dev/null
+++ b/devices/srv1/node0/default.nix
@@ -0,0 +1,31 @@
+inputs:
+{
+ config =
+ {
+ nixos =
+ {
+ system =
+ {
+ fileSystems.mount =
+ {
+ vfat."/dev/disk/by-uuid/7A60-4232" = "/boot";
+ btrfs."/dev/mapper/root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+ };
+ nixpkgs.march = "cascadelake";
+ };
+ packages.vasp = null;
+ services =
+ {
+ xray.client.enable = true;
+ beesd.instances.root = { device = "/"; hashTableSizeMB = 4096; threads = 4; };
+ wireguard =
+ {
+ enable = true;
+ peers = [ "vps6" ];
+ publicKey = "l1gFSDCeBxyf/BipXNvoEvVvLqPgdil84nmr5q6+EEw=";
+ wireguardIp = "192.168.83.3";
+ };
+ };
+ };
+ };
+}
diff --git a/devices/srv1-node0/secrets/default.yaml b/devices/srv1/node0/secrets.yaml
similarity index 100%
rename from devices/srv1-node0/secrets/default.yaml
rename to devices/srv1/node0/secrets.yaml
diff --git a/devices/srv1/node3/default.nix b/devices/srv1/node3/default.nix
new file mode 100644
index 00000000..1beff6c4
--- /dev/null
+++ b/devices/srv1/node3/default.nix
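Review bot: `slurm.enable = true;` is kept in the new devices/srv1/default.nix, but the only Slurm-related secret of the old layout, `devices/srv1-node0/secrets/munge.key` (and its node3 twin), is deleted in this commit with no successor under devices/srv1/ or devices/srv1/node*/ — only `secrets/default.yaml` is renamed to `secrets.yaml`. If the slurm module (outside this diff) reads the munge key from the device directory, both nodes will boot without the shared key and munge authentication between slurmd and slurmctld will fail. The two deleted blobs share the same index (fb2fd4a2), so one copy under devices/srv1/ would be enough to restore the shared key; otherwise a comment next to `slurm =` stating where the key now comes from, e.g. `# munge key is provisioned via <PLACEHOLDER: secret path>`, would settle it.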
@@ -0,0 +1,31 @@
+inputs:
+{
+ config =
+ {
+ nixos =
+ {
+ system =
+ {
+ fileSystems.mount =
+ {
+ vfat."/dev/disk/by-uuid/7A60-4232" = "/boot";
+ btrfs."/dev/mapper/root1" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
+ };
+ nixpkgs.march = "cascadelake";
+ };
+ packages.vasp = null;
+ services =
+ {
+ xray.client.enable = true;
+ beesd.instances.root = { device = "/"; hashTableSizeMB = 4096; threads = 4; };
+ wireguard =
+ {
+ enable = true;
+ peers = [ "vps6" ];
+ publicKey = "l1gFSDCeBxyf/BipXNvoEvVvLqPgdil84nmr5q6+EEw=";
+ wireguardIp = "192.168.83.3";
+ };
+ };
+ };
+ };
+}
diff --git a/devices/srv1-node3/secrets/default.yaml b/devices/srv1/node3/secrets.yaml
similarity index 100%
rename from devices/srv1-node3/secrets/default.yaml
rename to devices/srv1/node3/secrets.yaml
diff --git a/devices/surface/default.nix b/devices/surface/default.nix
index 22e83512..1456ffb4 100644
--- a/devices/surface/default.nix
+++ b/devices/surface/default.nix
@@ -26,7 +26,6 @@ inputs:
 nixpkgs.march = "skylake";
 nix = { substituters = [ "https://nix-store.chn.moe?priority=100" ]; githubToken.enable = true; };
 kernel = { variant = "xanmod-lts"; patches = [ "surface" "hibernate-progress" ]; };
- networking.hostname = "surface";
 gui.enable = true;
 };
 hardware = { cpus = [ "intel" ]; gpu.type = "intel"; };
diff --git a/devices/vps4/default.nix b/devices/vps4/default.nix
index 77b693a3..18658a25 100644
--- a/devices/vps4/default.nix
+++ b/devices/vps4/default.nix
@@ -29,7 +29,7 @@ inputs:
 nixpkgs.march = "znver2";
 nix.substituters = [ "https://nix-store.chn.moe?priority=100" ];
 initrd.sshd.enable = true;
- networking = { hostname = "vps4"; networkd = {}; };
+ networking.networkd = {};
 kernel.variant = "xanmod-latest";
 nix-ld = null;
 binfmt = null;
diff --git a/devices/vps6/default.nix b/devices/vps6/default.nix
index d9fa485b..7f48d94f 100644
--- a/devices/vps6/default.nix
+++ b/devices/vps6/default.nix
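Review bot: devices/srv1/node3/default.nix sets `nixpkgs.march = "cascadelake";`, while the deleted devices/srv1-node3/default.nix had `nixpkgs.march = "broadwell";` — the new file is byte-identical to node0 (both have blob index 1beff6c4), so node3's own value was lost in the move. If node3 is still a Broadwell machine, anything compiled for cascadelake will die with an illegal-instruction fault there; the fix is the one line `nixpkgs.march = "broadwell";`. The copied WireGuard block also gives node0 and node3 the same `publicKey` and `wireguardIp = "192.168.83.3"`; the old per-node files already had that, so it predates this commit, but if both nodes peer with vps6 at the same time each needs its own key and address, which is worth confirming while the files are being reorganised.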
@@ -29,7 +29,7 @@ inputs:
 nixpkgs.march = "sandybridge";
 nix.substituters = [ "https://nix-store.chn.moe?priority=100" ];
 initrd.sshd.enable = true;
- networking = { hostname = "vps6"; networkd = {}; };
+ networking.networkd = {};
 # do not use cachyos kernel, beesd + cachyos kernel + heavy io = system freeze, not sure why
 };
 services =
diff --git a/devices/vps7/default.nix b/devices/vps7/default.nix
index bd663f4e..efcbf6e6 100644
--- a/devices/vps7/default.nix
+++ b/devices/vps7/default.nix
@@ -29,7 +29,7 @@ inputs:
 nixpkgs.march = "znver2";
 nix.substituters = [ "https://nix-store.chn.moe?priority=100" ];
 initrd.sshd.enable = true;
- networking = { hostname = "vps7"; networkd = {}; };
+ networking.networkd = {};
 kernel.variant = "xanmod-lts";
 };
 services =
diff --git a/devices/xmupc1/default.nix b/devices/xmupc1/default.nix
index 0d59a1b6..198f3cd7 100644
--- a/devices/xmupc1/default.nix
+++ b/devices/xmupc1/default.nix
@@ -48,7 +48,6 @@ inputs:
 };
 };
 gui = { enable = true; preferred = false; autoStart = true; };
- networking.hostname = "xmupc1";
 nix.remote.slave.enable = true;
 };
 hardware = { cpus = [ "amd" ]; gpu.type = "nvidia"; };
diff --git a/devices/xmupc2/default.nix b/devices/xmupc2/default.nix
index a7e4fe4d..01eb3da2 100644
--- a/devices/xmupc2/default.nix
+++ b/devices/xmupc2/default.nix
@@ -41,7 +41,6 @@ inputs:
 };
 };
 gui = { enable = true; preferred = false; autoStart = true; };
- networking.hostname = "xmupc2";
 nix =
 {
 marches =
diff --git a/flake.nix b/flake.nix
index 0847f313..f309cdaa 100644
--- a/flake.nix
+++ b/flake.nix
@@ -76,18 +76,14 @@
 # nixos-wallpaper = { url = "git+https://git.chn.moe/chn/nixos-wallpaper.git"; flake = false; };
 };
 
- outputs = inputs:
- let
- localLib = import ./flake/lib.nix inputs.nixpkgs.lib;
- devices = [ "nas" "pc" "pi3b" "srv1-node0" "srv1-node3" "surface" "vps4" "vps6" "vps7" "xmupc1" "xmupc2" ];
- in
- {
- packages.x86_64-linux = import ./flake/packages.nix { inherit inputs devices; };
- nixosConfigurations = import ./flake/nixos.nix { inherit inputs devices localLib; };
- overlays.default = final: prev:
- { localPackages = (import ./packages { inherit localLib; pkgs = final; topInputs = inputs; }); };
- config = { archive = false; branch = "production"; };
- devShells.x86_64-linux = import ./flake/dev.nix { inherit inputs; };
- src = import ./flake/src.nix { inherit inputs; };
- };
+ outputs = inputs: let localLib = import ./flake/lib.nix inputs.nixpkgs.lib; in
+ {
+ packages.x86_64-linux = import ./flake/packages.nix { inherit inputs localLib; };
+ nixosConfigurations = import ./flake/nixos.nix { inherit inputs localLib; };
+ overlays.default = final: prev:
+ { localPackages = (import ./packages { inherit localLib; pkgs = final; topInputs = inputs; }); };
+ config = { archive = false; branch = "production"; };
+ devShells.x86_64-linux = import ./flake/dev.nix { inherit inputs; };
+ src = import ./flake/src.nix { inherit inputs; };
+ };
 }
diff --git a/flake/nixos.nix b/flake/nixos.nix
index 20c2ff45..64ab8012 100644
--- a/flake/nixos.nix
+++ b/flake/nixos.nix
@@ -1,18 +1,51 @@
-{ inputs, devices, localLib }:
-builtins.listToAttrs (builtins.map
- (system:
- {
- name = system;
- value = inputs.nixpkgs.lib.nixosSystem
+{ inputs, localLib }:
+builtins.listToAttrs
+(
+ (builtins.map
+ (system:
 {
- system = let arch.pi3b = "aarch64-linux"; in arch.${system} or "x86_64-linux";
- specialArgs = { topInputs = inputs; inherit localLib; };
- modules = localLib.mkModules
- [
- { config.nixpkgs.overlays = [ inputs.self.overlays.default ]; }
- ../modules
- ../devices/${system}
- ];
- };
- })
- devices)
+ name = system;
+ value = inputs.nixpkgs.lib.nixosSystem
+ {
+ system = let arch.pi3b = "aarch64-linux"; in arch.${system} or "x86_64-linux";
+ specialArgs = { topInputs = inputs; inherit localLib; };
+ modules = localLib.mkModules
+ [
+ {
+ config =
+ {
+ nixpkgs.overlays = [ inputs.self.overlays.default ];
+ nixos.system.networking.hostname = system;
+ };
+ }
+ ../modules
+ ../devices/${system}
+ ];
+ };
+ })
+ [ "nas" "pc" "pi3b" "surface" "vps4" "vps6" "vps7" "xmupc1" "xmupc2" ])
+ ++ (builtins.map
+ (node:
+ {
+ name = "srv1-${node}";
+ value = inputs.nixpkgs.lib.nixosSystem
+ {
+ system = "x86_64-linux";
+ specialArgs = { topInputs = inputs; inherit localLib; };
+ modules = localLib.mkModules
+ [
+ {
+ config =
+ {
+ nixpkgs.overlays = [ inputs.self.overlays.default ];
+ nixos.system.cluster = { clusterName = "srv1"; nodeName = node; };
+ };
+ }
+ ../modules
+ ../devices/srv1
+ ../devices/srv1/${node}
+ ];
+ };
+ })
+ [ "node0" "node3" ])
+)
diff --git a/flake/packages.nix b/flake/packages.nix
index a0f6c60e..452b39e1 100644
--- a/flake/packages.nix
+++ b/flake/packages.nix
@@ -1,4 +1,4 @@
-{ inputs, devices }: rec
+{ inputs, localLib }: rec
 {
 pkgs = (import inputs.nixpkgs
 {
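Review bot: The two `builtins.map` bodies in flake/nixos.nix repeat the whole `nixosSystem` call — `specialArgs`, the overlay module, `../modules` and `localLib.mkModules` — and differ only in the `system` string, one extra config attribute and the device module list, so the next host class will be a third copy. A small `mkSystem` helper in a `let` keeps one place for the shared arguments and makes the per-host difference (hostname vs. cluster membership) explicit; the two list literals and `listToAttrs` stay as they are. The sketch below assumes `localLib.mkModules` accepts the same mixed list of attrsets and paths it is given today.

```nix
{ inputs, localLib }:
let
  # one nixosSystem per host; `extraConfig` holds the options that differ between host classes
  mkSystem = { system ? "x86_64-linux", extraConfig, deviceModules }: inputs.nixpkgs.lib.nixosSystem
  {
    inherit system;
    specialArgs = { topInputs = inputs; inherit localLib; };
    modules = localLib.mkModules
      ([ { config = { nixpkgs.overlays = [ inputs.self.overlays.default ]; } // extraConfig; } ../modules ] ++ deviceModules);
  };
in
builtins.listToAttrs
(
  (builtins.map
    (system:
    {
      name = system;
      value = mkSystem
      {
        system = let arch.pi3b = "aarch64-linux"; in arch.${system} or "x86_64-linux";
        extraConfig.nixos.system.networking.hostname = system;
        deviceModules = [ ../devices/${system} ];
      };
    })
    [ "nas" "pc" "pi3b" "surface" "vps4" "vps6" "vps7" "xmupc1" "xmupc2" ])
  # … unchanged: the srv1 map, calling mkSystem with extraConfig.nixos.system.cluster and deviceModules = [ ../devices/srv1 ../devices/srv1/${node} ] …
)
```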
@@ -17,10 +17,6 @@
 blog = pkgs.callPackage ../blog { inherit (inputs) hextra; };
 }
 // (builtins.listToAttrs (builtins.map
- (system:
- {
- name = system;
- value = inputs.self.outputs.nixosConfigurations.${system}.config.system.build.toplevel;
- })
- devices)
+ (system: { inherit (system) name; value = system.value.config.system.build.toplevel; })
+ localLib.attrsToList inputs.self.outputs.nixosConfigurations)
 )
diff --git a/modules/system/cluster.nix b/modules/system/cluster.nix
new file mode 100644
index 00000000..22722cc3
--- /dev/null
+++ b/modules/system/cluster.nix
@@ -0,0 +1,21 @@
+inputs:
+{
+ options.nixos.system.cluster = let inherit (inputs.lib) mkOption types; in mkOption
+ {
+ type = types.nullOr (types.submodule { options =
+ {
+ clusterName = mkOption { type = types.nonEmptyStr; };
+ nodeName = mkOption { type = types.nonEmptyStr; };
+ nodeType = mkOption { type = types.enum [ "master" "worker" ]; default = "worker"; };
+ };});
+ default = null;
+ };
+ config = let inherit (inputs.config.nixos.system) cluster; in inputs.lib.mkIf (cluster != null)
+ {
+ nixos.system.networking.hostname = "${cluster.clusterName}-${cluster.nodeName}";
+ # 作为从机时,home-manager 需要被禁用
+ systemd.services = inputs.lib.mkIf (cluster.nodeType == "worker") (builtins.listToAttrs (builtins.map
+ (user: { "home-manager-${user}".enable = false; })
+ inputs.config.nixos.users.users));
+ };
+}
diff --git a/modules/system/sops.nix b/modules/system/sops.nix
index 96563eac..96604467 100644
--- a/modules/system/sops.nix
+++ b/modules/system/sops.nix
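Review bot: `builtins.listToAttrs` in the `systemd.services` definition of modules/system/cluster.nix is fed `{ "home-manager-${user}".enable = false; }` per user, but listToAttrs requires elements of the form `{ name; value; }`, so evaluating any node whose `nodeType` is `"worker"` fails with a missing `name` attribute; the lambda should read `(user: { name = "home-manager-${user}"; value.enable = false; })`. Since `nodeType` defaults to `"worker"` and neither srv1/node0 nor srv1/node3 overrides it, this path is taken on both cluster nodes. The user list is read from `inputs.config.nixos.users.users`, whereas the device files set `user.users = [ "chn" ]` under `nixos`, so the option path looks like it should be `inputs.config.nixos.user.users` — please check against the option declaration, which is outside this diff. The Chinese comment could also be written in English like the rest of the repository's comments: `# worker nodes must have home-manager disabled`.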
@@ -5,28 +5,26 @@ inputs:
 enable = mkOption { type = types.bool; default = true; };
 keyPathPrefix = mkOption { type = types.str; default = "/nix/persistent"; };
 };
- config =
- let
- inherit (inputs.lib) mkIf;
- inherit (inputs.config.nixos.system) sops;
- in mkIf sops.enable
+ config = let inherit (inputs.config.nixos.system) sops; in inputs.lib.mkIf sops.enable
+ {
+ sops =
 {
- sops =
- {
- defaultSopsFile =
- let deviceDir = "${inputs.topInputs.self}/devices/${inputs.config.nixos.system.networking.hostname}";
- in mkIf
- (
- builtins.pathExists "${deviceDir}/secrets.yaml"
- || builtins.pathExists "${deviceDir}/secrets/default.yaml"
- )
- (
- if builtins.pathExists "${deviceDir}/secrets.yaml" then "${deviceDir}/secrets.yaml"
- else "${deviceDir}/secrets/default.yaml"
- );
- # sops start before impermanence, so we need to use the absolute path
- age.sshKeyPaths = [ "${sops.keyPathPrefix}/etc/ssh/ssh_host_ed25519_key" ];
- gnupg.sshKeyPaths = [ "${sops.keyPathPrefix}/etc/ssh/ssh_host_rsa_key" ];
- };
+ defaultSopsFile =
+ let deviceDir =
+ if (inputs.config.nixos.system.cluster == null) then
+ "${inputs.topInputs.self}/devices/${inputs.config.nixos.system.networking.hostname}"
+ else
+ "${inputs.topInputs.self}/devices/${inputs.config.nixos.system.cluster.clusterName}"
+ + "/${inputs.config.nixos.system.cluster.nodeName}";
+ in inputs.lib.mkMerge
+ [
+ (inputs.lib.mkIf (builtins.pathExists "${deviceDir}/secrets.yaml") "${deviceDir}/secrets.yaml")
+ (inputs.lib.mkIf (builtins.pathExists "${deviceDir}/secrets/default.yaml")
+ "${deviceDir}/secrets/default.yaml")
+ ];
+ # sops start before impermanence, so we need to use the absolute path
+ age.sshKeyPaths = [ "${sops.keyPathPrefix}/etc/ssh/ssh_host_ed25519_key" ];
+ gnupg.sshKeyPaths = [ "${sops.keyPathPrefix}/etc/ssh/ssh_host_rsa_key" ];
 };
+ };
 }
diff --git a/modules/user/chn/default.nix b/modules/user/chn/default.nix
index 48627b8c..f4fcf891 100644
--- a/modules/user/chn/default.nix
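Review bot: The new `defaultSopsFile` in modules/system/sops.nix merges two `mkIf` definitions, so a device directory that contains both `secrets.yaml` and `secrets/default.yaml` now produces two definitions of the option, which for a single-value (path-typed) option is a conflicting-definitions evaluation error, whereas the old `if … then … else` gave `secrets.yaml` precedence. Keeping that precedence needs one extra condition on the second entry: `(inputs.lib.mkIf (!builtins.pathExists "${deviceDir}/secrets.yaml" && builtins.pathExists "${deviceDir}/secrets/default.yaml") "${deviceDir}/secrets/default.yaml")`. The cluster branch of `deviceDir` only ever resolves the per-node directory (devices/srv1/<node>) and nothing looks at devices/srv1/ itself, so a secret shared by the whole cluster has nowhere to live; if that is intended, a one-line comment on the `else` branch saying so would stop the next reader from looking for it.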
+++ b/modules/user/chn/default.nix
@@ -82,26 +82,31 @@ inputs:
 ))
 )
 ];
- persistence."/nix/persistent/home/chn" =
+ persistence =
 {
- directories =
- [
- # common things
- "bin" "Desktop" "Documents" "Downloads" "Music" "Pictures" "repo" "share" "Public" "Videos"
- ".config" ".local/share"
- # xmuvpn
- ".ecdata"
- # firefox
- { dir = ".mozilla/firefox/default"; mode = "0700"; }
- # ssh
- { dir = ".ssh"; mode = "0700"; }
- # steam
- ".steam" # ".local/share/Steam"
- # vscode
- ".vscode" # ".config/Code" ".config/grammarly-languageserver"
- # zotero
- ".zotero" "Zotero"
- ];
+ "/nix/persistent/home/chn" =
+ {
+ directories =
+ [
+ # common things
+ "bin" "Desktop" "Documents" "Downloads" "Music" "Pictures" "repo" "share" "Public" "Videos"
+ ".config" ".local/share"
+ # xmuvpn
+ ".ecdata"
+ # firefox
+ ".mozilla/firefox/default"
+ # ssh
+ ".ssh"
+ # steam
+ ".steam" # ".local/share/Steam"
+ # vscode
+ ".vscode" # ".config/Code" ".config/grammarly-languageserver"
+ # zotero
+ ".zotero" "Zotero"
+ ];
+ allowOther = true;
+ };
+ "/nix/rootfs/current/home/chn".allowOther = true;
 };
 };
 pam.yubico.authorizedYubiKeys.ids = [ "cccccbgrhnub" ];
diff --git a/modules/user/default.nix b/modules/user/default.nix
index 1edc84b3..3ca0a250 100644
--- a/modules/user/default.nix
+++ b/modules/user/default.nix
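Review bot: The rewritten `directories` list in modules/user/chn/default.nix drops the explicit `mode = "0700"` from `.ssh` and `.mozilla/firefox/default`, and in the same hunk `allowOther = true` is set on both persistence roots, which makes those bind mounts visible to other local users. Whether the two directories still end up 0700 now depends on the default of the local `dir`/`mode` entry format, which is outside this diff; if that default is more permissive, OpenSSH will refuse to use the keys in `~/.ssh` and the Firefox profile (cookies, saved logins) becomes readable by any other account on the machine. If the `mode` attribute is still supported, keep `{ dir = ".ssh"; mode = "0700"; }` and `{ dir = ".mozilla/firefox/default"; mode = "0700"; }`; if it was removed on purpose, a comment stating where 0700 is enforced instead would close the question. The enclosing `persistence` attribute set continues beyond the hunk.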
@@ -84,9 +84,10 @@ inputs:
 home-manager.users = builtins.listToAttrs (builtins.map
 (name: { inherit name; value.imports = user.sharedModules; })
 user.users);
- environment.persistence."${inputs.config.nixos.system.impermanence.persistence}".directories = builtins.map
- (user: { directory = "/home/${user}"; inherit user; group = user; mode = "0700"; })
- (builtins.filter (user: user != "chn") user.users);
+ environment.persistence."${inputs.config.nixos.system.impermanence.persistence}".directories =
+ inputs.lib.mkIf (inputs.config.nixos.system.cluster.nodeType or null != "worker") (builtins.map
+ (user: { directory = "/home/${user}"; inherit user; group = user; mode = "0700"; })
+ (builtins.filter (user: user != "chn") user.users));
 }
 # set hashedPassword if it exist in secrets
 (
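Review bot: The condition `inputs.config.nixos.system.cluster.nodeType or null != "worker"` in modules/user/default.nix relies on `or` binding tighter than `!=`; it evaluates as intended, and as far as I recall the `or` fallback also covers the case where `cluster` itself is `null`, but the precedence is easy to misread, so `((inputs.config.nixos.system.cluster.nodeType or null) != "worker")` would make the intent obvious. Because `nodeType` defaults to `"worker"`, every cluster node now leaves all non-chn home directories out of the persisted set; presumably home is provided another way on those nodes, and a short comment on the `mkIf` line, e.g. `# worker nodes do not persist /home: <PLACEHOLDER: reason>`, would record that assumption.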