dollnix

this is a flake with all its systems in it

https://git.dolly.sh/doll/nixos (mirrored to https://codeberg.org/noe/nixos)

format

• /.woodpecker - CI/CD and other automation for this repo
• /home-manager - LEGACY: home-manager configs specifically (to be reworked)
  • /features - home-manager features
  • /noe/common - reusable configs
  • /noe/hosts - individual machine-attached home-manager configs.
    • machines will automatically import their own by <hostname>.nix
• /lib - internal nix libraries to create and manage machines
• /machines - all the machines!!
  • */secrets/*.yaml - sops secrets for specific machines
• /modules/internal - internal configuration stuff
  • /features - features that can be enabled and configured
  • /share/certificates - .doll CA certs and openssl config
  • /tagged-systems - default configs for specific system tags (like a desktop vs lxc)
• /overlays - various overlays used by this flake
• /pkgs - packages use by this flake; feel free to reuse but uhh haha don't import this hellflake
• /scripts - nix-wrapped shell scripts and helpers (see scripts available below)
• /secrets - sops secrets for unspecific machines
• /templates - stuff that helps us make infrastructure work
  • /machine - file templating used via nix-instantiate
  • /proxmox-lxc - baseline config for generating a proxmox LXC tarball
• Justfile - LEGACY: just definitions
• operator-keys.nix - doll's ssh public age keys

scripts available

• just - deprecated: just runner (its like make); subcommands of note:
  • just build [which] - builds a specific machine
  • just trace [which] - build with --show-trace
• lix deploy <target> - runs the deploy script for a single machine. see deploy.nix
• lix fix - runs lint fixers that normally don't get applied by nix fmt, but also runs nix fmt.
• lix switch [target] - runs the switch script for the current/specified machine. see deploy.nix
• mac2ipv6 - translates a proxmox MAC address to our relevant local ipv6 network.
  • for observers, welcome to awk hell: gawk -F: '{ bitFlip = xor(2,strtonum("0x"$1)); printf tolower("%x"$2":"$3"ff:fe"$4":"$5$6), bitFlip }'
• nix run .#generate-ca-cert -- ./hostname.pem ./hostname.key hostname - sign a CA root certificate
  • tbh it barely uses this its just because it is a valid openssl CA signing environment
• nix run .#generate-cert -- ./hostname.pem ./hostname.key hostname - sign a year long cert for hostname with the nixos intermediate CA cert.
  • the root cert is trusted by all machines; but we issue certs from intermediates.
  • can be used to generate intermediate CA certs as well, set CA_NAME=ca. useful for renewals and ACME server
  • can generate both ec and rsa certs, set CERT_ALGO=ec or CERT_ALGO=rsa
• nix run .#onboard-machine -- <hostname> [ssh-target] - creates a machines/<hostname>/default.nix and rotates secrets.
  • this is used against a fresh nix install to fetch the agePublicKey and set up necessary secrets.
  • it does not guarantee a working system — that one MUST adjust it to accomodate.
    • no seriously it by default removes the kernel. seriously this is real.
  • set ssh-target with mac2ipv6 for free sauce
• nix run .#rotate-passwords - rotates root and proxmox-lxc bootstrapping passwords (ran by CI)
• nix run .#rotate-tailscale-secret - rotates the tailscale auth key (ran by CI)
• nix run .#{...}.config.internal.anywhere - freshly install this machine on the target. see deploy.nix
• nix run .#{...}.config.internal.deploy-rescue - does a "rescue" deploy by pushing the nix derivation and switching to it manually. see deploy.nix
• nix run .#{...}.config.internal.push - push this machine config to nix cache. see deploy.nix
• nix run .#{...}.config.internal.unlock - full disk encryption remote unlock. see deploy.nix
• sops - shadowed sops script that has an automatically generated sops config
  • can be ran as nix run .#sops -- as well for use in scripts that update the flake
  • optionally run sops --x-inspect to print out the config file in use

patterns

this repo does some stuff that one might enjoy

auto-import

this pattern automatically imports every regular file in the directory.

it does not recurse into subdirectories, as far as it can tell.

{lib, ...}:
with builtins;
with lib.attrsets; let
  files = readDir ./.;
  submodules =
    mapAttrsToList
    (file: _: ./${file})
    (filterAttrs
      (name: type:
        (type == "regular") && (name != "default.nix"))
      files);
in {
  imports = submodules;
}

examples:

• modules/internal/default.nix
• modules/internal/features/default.nix
• modules/internal/tagged-systems/default.nix
• machines/default.nix

computed options

allows us to generate scripts and other configurations using the current system config.

currently used for deploy and switch operations

{
  config,
  lib,
  pkgs,
  ...
}: {
  options = {
    computed = lib.mkOption {
      description = "computed from current system config";
      type = lib.types.package;
    };
  };

  config = {
    computed = pkgs.writeShellApplication {
      name = "computed-script";
      text = ''
        echo "hello from ${config.networking.hostName}!"
      '';
    };
  };
}

run with nix run .#nixosConfigurations.some-machine.config.computed

examples:

• modules/internal/deploy.nix

declarative tooling configuration

sort of an extension of "computed options" in some cases in this repo.

allows us to make configurations with every nixos system in mind (e.g. sops)

could also be useful for cross-configuration, like DNS names, nginx configs... just be sure to prevent infinite recursion with filtering (nix repl . is very friendly!)

{
  pkgs,
  lib,
  inputs,
  ...
}:
let
  allMachineKeys = lib.mapAttrsToList
    (name: system: "${system.config.internal.machine.agePublicKey} ${name}")
    inputs.self.packages.x86_64-linux.nixosConfigurations;
in
  pkgs.writeText "age-public-keys.txt" (lib.strings.join "\n" allMachineKeys)

examples:

• scripts/sops-config.nix
  • consumed by scripts/sops.nix
• flake.nix#apps.deploy.$hostname
• flake.nix#apps.switch.$hostname

lix sub-command scripts

with experimental-features = lix-custom-sub-commands, we can create lix-$name scripts and run them with lix $name!

examples:

• scripts/lix-deploy
• scripts/lix-fix
• scripts/lix-switch

tagging and flagging

we can set a list of tags or features, and automatically enable them for a machine if present.

for instance, we set an internal.tags = ["desktop" "client"];

the following config will result in internal.tagged-systems.desktop.enable = true; and so on.

this allows us to keep most configs imported, which speeds up evaluation.

this is also fully type-checked, so a tag that doesn't exist will throw an evaluation error.

{
  lib,
  config,
  ...
}:
with lib; {
  options.internal.tags = mkOption {
    type = types.listOf types.str;
    description = "featureset tagging to make importing configs simpler";
    default = [];
  };

  imports = [./tagged-systems];

  config = let
    enable = tags: listToAttrs (map (tag: nameValuePair tag {enable = lib.mkDefault true;}) tags);
  in {
    internal.tagged-systems = enable config.internal.tags;
  };
}

which enables a module like,,,

{
  lib,
  config,
  ...
}: {
  options.internal.tagged-systems.desktop.enable =
    lib.mkEnableOption "desktop machine";

  config = lib.mkIf config.internal.tagged-systems.desktop.enable {
    system.nixos.tags = ["desktop"]; # set artifact tag

    programs.fish.enable = true;
  };
};

examples:

• modules/internal/features.nix
• modules/internal/tags.nix
• in implementation: machines/aerial/default.nix
  • fyi: dollSystem hides parts of this

automation

this repo is automated over via woodpecker. it is private, unfortunately... but here's a look!

• nix-flake-update - cron: @weekly - updates nix flake
• rotate-passwords - cron: @monthly - rotates root and proxmox-lxc bootstrapping passwords
• rotate-tailscale-auth-key - cron: @monthly - replaces the tailscale auth key