chore: Update nixos configuration for hakase and mai hosts

yousiki · Jun 5, 2024 · c8b8a51 · c8b8a51
1 parent 195acaa
commit c8b8a51
Show file tree

Hide file tree

Showing 8 changed files with 63 additions and 31 deletions.
diff --git a/cells/nixos/hosts/hakase/default.nix b/cells/nixos/hosts/hakase/default.nix
@@ -9,7 +9,6 @@
   imports = [
     ./configuration.nix
     ./hardware-configuration.nix
-    ./homelab.nix
 
     inputs.nixos-hardware.nixosModules.common-cpu-intel-cpu-only
     inputs.nixos-hardware.nixosModules.common-gpu-nvidia-nonprime
@@ -21,9 +20,10 @@
 
     inputs.cells.nixos.nixosProfiles.core
     inputs.cells.nixos.nixosProfiles.desktop
+    inputs.cells.nixos.nixosProfiles.homelab
+    inputs.cells.nixos.nixosProfiles.nas
     inputs.cells.nixos.nixosProfiles.nvidia
     inputs.cells.nixos.nixosProfiles.proxy
-    inputs.cells.nixos.nixosProfiles.secrets
     inputs.cells.nixos.nixosProfiles.server
 
     inputs.cells.home.homeProfiles.base

diff --git a/cells/nixos/hosts/hakase/hardware-configuration.nix b/cells/nixos/hosts/hakase/hardware-configuration.nix
@@ -66,16 +66,6 @@ in {
     options = ["noatime"];
   };
 
-  fileSystems."/mnt/nas-yyp-home" = mkCifs "//nas.ybh1998.space/home";
-  fileSystems."/mnt/nas-yyp-share" = mkCifs "//nas.ybh1998.space/share";
-  fileSystems."/mnt/nas-mck-home" = mkCifs "//nas-changping.ybh1998.space/home";
-  fileSystems."/mnt/nas-mck-share" = mkCifs "//nas-changping.ybh1998.space/share";
-
-  fileSystems."/mnt/nas-satoshi-bangumi" = mkNfs "satoshi.mck.cn.yousiki.top:/share/Bangumi";
-  fileSystems."/mnt/nas-satoshi-downloads" = mkNfs "satoshi.mck.cn.yousiki.top:/share/Downloads";
-  fileSystems."/mnt/nas-satoshi-movie" = mkNfs "satoshi.mck.cn.yousiki.top:/share/Movie";
-  fileSystems."/mnt/nas-satoshi-research" = mkNfs "satoshi.mck.cn.yousiki.top:/share/Research";
-
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's
   # still possible to use this option, but it's recommended to use it in conjunction

diff --git a/cells/nixos/hosts/mai/default.nix b/cells/nixos/hosts/mai/default.nix
@@ -18,9 +18,9 @@
 
     inputs.cells.nixos.nixosProfiles.core
     inputs.cells.nixos.nixosProfiles.desktop
+    inputs.cells.nixos.nixosProfiles.nas
     inputs.cells.nixos.nixosProfiles.proxy
     inputs.cells.nixos.nixosProfiles.rime
-    inputs.cells.nixos.nixosProfiles.secrets
     inputs.cells.nixos.nixosProfiles.server
 
     inputs.cells.home.homeProfiles.base

diff --git a/cells/nixos/profiles/core.nix b/cells/nixos/profiles/core.nix
@@ -4,6 +4,7 @@
 }: {pkgs, ...}: {
   imports = [
     inputs.cells.common.commonProfiles.core
+    inputs.agenix.nixosModules.default
   ];
 
   time.timeZone = "Asia/Shanghai";

diff --git a/cells/nixos/hosts/hakase/homelab.nix → cells/nixos/profiles/homelab.nix b/cells/nixos/hosts/hakase/homelab.nix → cells/nixos/profiles/homelab.nix
@@ -1,9 +1,18 @@
 {
+  inputs,
+  cell,
+}: {
   config,
   lib,
   pkgs,
   ...
 }: {
+  age.secrets.hakase-tunnel-cert = {
+    file = "${inputs.self}/secrets/hakase-tunnel-cert.age";
+    owner = "cloudflared";
+    group = "cloudflared";
+  };
+
   services.cloudflared = {
     enable = true;
     tunnels = {

diff --git a/cells/nixos/profiles/nas.nix b/cells/nixos/profiles/nas.nix
@@ -0,0 +1,48 @@
+{
+  inputs,
+  cell,
+}: {
+  pkgs,
+  config,
+  ...
+}: let
+  credentials = config.age.secrets.nas-credentials.path;
+
+  mkCifs = device: {
+    device = device;
+    fsType = "cifs";
+    options = [
+      "noauto"
+      "x-systemd.automount"
+      "x-systemd.idle-timeout=60"
+      "x-systemd.device-timeout=5s"
+      "x-systemd.mount-timeout=5s"
+      "noperm"
+      "credentials=${credentials}"
+    ];
+  };
+
+  mkNfs = device: {
+    device = device;
+    fsType = "nfs";
+    options = [
+      "noauto"
+      "x-systemd.automount"
+      "x-systemd.idle-timeout=600"
+      "x-systemd.device-timeout=5s"
+      "x-systemd.mount-timeout=5s"
+    ];
+  };
+in {
+  age.secrets.nas-credentials.file = "${inputs.self}/secrets/nas-credentials.age";
+
+  fileSystems."/mnt/nas-yyp-home" = mkCifs "//nas.ybh1998.space/home";
+  fileSystems."/mnt/nas-yyp-share" = mkCifs "//nas.ybh1998.space/share";
+  fileSystems."/mnt/nas-mck-home" = mkCifs "//nas-changping.ybh1998.space/home";
+  fileSystems."/mnt/nas-mck-share" = mkCifs "//nas-changping.ybh1998.space/share";
+
+  fileSystems."/mnt/nas-satoshi-bangumi" = mkNfs "satoshi.mck.cn.yousiki.top:/share/Bangumi";
+  fileSystems."/mnt/nas-satoshi-downloads" = mkNfs "satoshi.mck.cn.yousiki.top:/share/Downloads";
+  fileSystems."/mnt/nas-satoshi-movie" = mkNfs "satoshi.mck.cn.yousiki.top:/share/Movie";
+  fileSystems."/mnt/nas-satoshi-research" = mkNfs "satoshi.mck.cn.yousiki.top:/share/Research";
+}
diff --git a/cells/nixos/profiles/proxy.nix b/cells/nixos/profiles/proxy.nix
@@ -20,4 +20,6 @@
   services.clash-meta.enable = true;
   services.clash-meta.configPath = config.age.secrets.clash-config.path;
   services.clash-meta.openFirewall = true;
+
+  age.secrets.clash-config.file = "${inputs.self}/secrets/clash-config.age";
 }
diff --git a/cells/nixos/profiles/secrets.nix b/cells/nixos/profiles/secrets.nix