Remove flake dependency on other nixos configs

Author: jhh

flake.lock

@@ -27,9 +27,6 @@
     uv2nix.inputs.pyproject-nix.follows = "pyproject-nix";
     uv2nix.inputs.nixpkgs.follows = "nixpkgs";
 
-    staging.url = "github:jhh/nixos-configs";
-    staging.inputs.nixpkgs.follows = "nixpkgs";
-
     pyproject-build-systems.url = "github:pyproject-nix/build-system-pkgs";
     pyproject-build-systems.inputs.pyproject-nix.follows = "pyproject-nix";
     pyproject-build-systems.inputs.uv2nix.follows = "uv2nix";

flake.nix

@@ -28,7 +28,7 @@ test: (manage "test --keepdb")
 
 _check_nixos:
     @if ! command -v nixos-rebuild &> /dev/null; then \
-        echo "Not on NixOS, skipping deploy to staging"; \
+        echo "Not on NixOS, skipping deploy..."; \
         exit 1; \
     fi
 
@@ -41,8 +41,6 @@ stage how="switch": (_deploy_to "pallas" "" how)
 # deploy to production server
 deploy how="dry-activate": (_deploy_to "mercury" "--use-substitutes" how)
 
-
-
 # push packages to cachix
 push:
     nix build --json .#venv | jq -r '.[].outputs | to_entries[].value' | cachix push strykeforce

justfile

@@ -1,8 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 R4OZVw 61NZ1+OedexMb6o742bb25IAZct7QcE8G8fao6HN/lw
-geNjTh9CvdW7WzaCtsE6shuAo8dRCZo/WFTfPHJkUbQ
--> ssh-ed25519 eLi0pQ +QH6ECUF6Eg8vmjbd3vXmhQOi4x0lbSwH1f2uGn05k0
-+fM/aBydvXsmmFG/U+5M/6jC5lDHIanaBQFfcCRERgM
---- wgKhE7EpNvF+Tok3ZMZHTLCHya3vmHqa45Y6p3JmT1k
-7z�t^����rУ~%���p�G8�(A~
-Å'G�mR�0O
�s�߹����De�H�{=�nq�K'b���q����Wj��6�BN�<�U��#߆����^Y�����Z�8�x���()��M������jx\��7�{Ʈ��6g
+-> ssh-ed25519 R4OZVw +q4nzKdduxZh9cO9jOLNwhrNsbt+7ASp8Kqzc5SJUV8
+KVxoVczfI+PCUPDQbyf8oPGXGJMpJU0NZ1pJ+qrGMfM
+-> ssh-ed25519 eLi0pQ OaRBXFf/0KF1e8zBYv+OTHGFsyg0WcIssRQ0xFRjRHY
++iJbmJVY6C8qHcAeBKJOyk75p5mj9ElvHWolKF1nLpk
+--- lfLXpDgPmHJPhTs73Gv6fGTOWE/T/dD0V7PU29oEJ5Y
+Ɣm�Ŗrd�����zP��tҲHx�L��'�^��ۍ1&ς�/�'H.G)�H�2���I��G:Ľn�D����������z��1ٽ(�/u��MII8oN�� �*�Y��+X}�����L�b1�Ԭ[���56-���

nix/hosts/pallas/aws_secret.age

@@ -1,22 +1,93 @@
 {
+  config,
   flake,
   inputs,
+  modulesPath,
   pkgs,
-  perSystem,
   ...
 }:
 {
   imports = [
-    inputs.staging.nixosModules.hardware-proxmox-lxc
-    inputs.staging.nixosModules.server-j3ff
+    (modulesPath + "/virtualisation/proxmox-lxc.nix")
+    inputs.srvos.nixosModules.server
     flake.nixosModules.strykeforce-website
+    inputs.agenix.nixosModules.default
     ./postgresql.nix
     ./strykeforce-sync.nix
     ./strykeforce-website.nix
   ];
 
   networking.hostName = "pallas";
   nixpkgs.hostPlatform = "x86_64-linux";
+  proxmoxLXC.manageHostName = true;
+  nix.optimise.automatic = true;
+
+  services = {
+    fstrim.enable = true;
+    getty.autologinUser = "root";
+    prometheus = {
+      exporters = {
+        node = {
+          enable = true;
+          enabledCollectors = [ "systemd" ];
+          port = 9002;
+          openFirewall = true;
+        };
+      };
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    ghostty.terminfo
+    mailutils
+  ];
+
+  networking = {
+    domain = "lan.j3ff.io";
+    search = [ "lan.j3ff.io" ];
+
+    nameservers = [
+      "1.1.1.1"
+      "1.0.0.1"
+      "8.8.8.8"
+      "8.8.4.4"
+    ];
+  };
+
+  services.tailscale.enable = true;
+  services.tailscale.openFirewall = true;
+
+  age.secrets.sasl_passwd = {
+    file = ./sasl_passwd.age;
+  };
+
+  systemd.services.postfix.preStart = ''
+    ln -sf ${config.age.secrets.sasl_passwd.path} /etc/postfix/sasl_passwd
+    ${pkgs.postfix}/bin/postmap /etc/postfix/sasl_passwd
+  '';
+
+  services.postfix = {
+    enable = true;
+    config = {
+      "append_dot_mydomain" = "yes";
+      "smtp_sasl_auth_enable" = "yes";
+      "smtp_sasl_password_maps" = "hash:/etc/postfix/sasl_passwd";
+      "smtp_sasl_security_options" = "noanonymous";
+      "inet_protocols" = "ipv4";
+    };
+    domain = config.networking.domain;
+    relayHost = "smtp.fastmail.com";
+    relayPort = 587;
+    rootAlias = "[email protected]";
+  };
+
+  users.users.root = {
+    # https://start.1password.com/open/i?a=7Z533SZAYZCNVL764G5INOV75Q&v=lwpxghrefna57cr6nw7mr3bybm&i=v6cyausjzre6hjypvdsfhlkbty&h=my.1password.com
+    hashedPassword = "$y$j9T$6B8V0Z9VkFiU0fMwSuLrA0$z3YHuwwAZro3N7TopVIsNltIJ5BXt3TQj1wQqt5HSuD";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPqpWpNJzfzioGYyR9q4wLwPkBrnmc/Gdl6JsO+SUpel [email protected]"
+    ];
+  };
 
   system.stateVersion = "21.11";
 }

nix/hosts/pallas/configuration.nix

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 R4OZVw 8RfovSn56R3O9D8uhHpH+hmq1JZ4eQrABS4McTnrDTA
+hbBPzaqf0is6LrBJs5Gz2leHHGQDoHX7n2QpjeRoY3Q
+-> ssh-ed25519 eLi0pQ XDzoMxlXGbBuTTx7WzBCSvc1nozGYiy0QjFF0TyIKEs
+rep2BkZodTmqhXFAFWtIKwu7pCXSGePnXscxreB84gk
+--- l7Zh0Hkk3TDR/bOqvMs0IRMJ5X2SBtQ3YrCC+pIcmjk
+�H\o�i.9�n���\��%j����"���Q4ƃ���t�_�s-ҠN��氦z?�����k��&�bp1�\�-NY�~W`	��]}?�

nix/hosts/pallas/sasl_passwd.age

@@ -1,17 +1,14 @@
 let
-  jeff = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPqpWpNJzfzioGYyR9q4wLwPkBrnmc/Gdl6JsO+SUpel";
-
   # ssh-keyscan <host>
+  jeff = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPqpWpNJzfzioGYyR9q4wLwPkBrnmc/Gdl6JsO+SUpel";
   pallas = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBeB+n+G1c6c2VZvPlfllS/Hnw7u6S8mn7ILWMK29iwe";
-
-in
-{
-  "aws_secret.age".publicKeys = [
-    jeff
-    pallas
-  ];
-  "strykeforce_website_secrets.age".publicKeys = [
+  keys = [
     jeff
     pallas
   ];
+in
+{
+  "aws_secret.age".publicKeys = keys;
+  "sasl_passwd.age".publicKeys = keys;
+  "strykeforce_website_secrets.age".publicKeys = keys;
 }