Simon Gardling
d00ff42e8e
new site-config.nix holds values previously duplicated across hosts:
domain, old_domain, contact_email, timezone, binary_cache (url + pubkey),
dns_servers, lan (cidr + gateway), hosts.{muffin,yarn} (ip/alias/ssh_host_key),
ssh_keys.{laptop,desktop,ci_deploy}.
threaded through specialArgs on all three hosts + home-manager extraSpecialArgs +
homeConfigurations.primary + serverLib. service-configs.nix now takes
{ site_config } as a function arg and drops its https namespace; per-service
domains (gitea/matrix/ntfy/mollysocket/livekit/firefox-sync/grafana) are
derived from site_config.domain. ~15 service files and 6 vm tests migrated.
breakage fixes rolled in:
- home/progs/zen/dark-reader.nix: 5 stale *.gardling.com entries in
disabledFor rewritten to *.sigkill.computer (caddy 301s the old names so
these never fired and the new sigkill urls were getting dark-reader applied)
- modules/desktop-common.nix: drop unused hugepagesz=1G/hugepages=3
kernelParams (no consumer on mreow or yarn; xmrig on muffin still reserves
its own via services/monero/xmrig.nix)
verification: muffin toplevel is bit-identical to pre-refactor baseline.
mreow/yarn toplevels differ only in boot.json kernelParams + darkreader
storage.js (nix-diff verified). deployGuardTest and fail2banVaultwardenTest
(latter exercises site_config.domain via bitwarden.nix) pass.
64 lines
2.4 KiB
Nix
64 lines
2.4 KiB
Nix
# Site-wide constants shared across all three hosts and home-manager profiles.
|
|
#
|
|
# This file is pure data — no package refs, no module config. Import it from
|
|
# flake.nix and pass it as the `site_config` specialArg (and extraSpecialArg for
|
|
# home-manager). Callers read values; they do not set them.
|
|
#
|
|
# Adding a value: only add if it's used by ≥2 hosts/modules. Host-specific
|
|
# single-use values stay in the host's default.nix. Muffin-only service
|
|
# infrastructure (ports, zpool names, hugepage budgets) stays in
|
|
# hosts/muffin/service-configs.nix.
|
|
rec {
|
|
# --- Identity ---
|
|
domain = "sigkill.computer";
|
|
old_domain = "gardling.com"; # served by muffin via permanent redirect (services/caddy/caddy.nix)
|
|
contact_email = "titaniumtown@proton.me";
|
|
|
|
# All three hosts run on the same timezone. Override per-host via
|
|
# lib.mkForce when travelling (see hosts/mreow/default.nix for the pattern).
|
|
timezone = "America/New_York";
|
|
|
|
# --- Binary cache (muffin serves via harmonia, desktops consume) ---
|
|
binary_cache = {
|
|
url = "https://nix-cache.${domain}";
|
|
public_key = "nix-cache.${domain}-1:ONtQC9gUjL+2yNgMWB68NudPySXhyzJ7I3ra56/NPgk=";
|
|
};
|
|
|
|
# --- LAN topology ---
|
|
dns_servers = [
|
|
"1.1.1.1"
|
|
"9.9.9.9"
|
|
];
|
|
|
|
lan = {
|
|
cidr = "192.168.1.0/24";
|
|
gateway = "192.168.1.1";
|
|
};
|
|
|
|
# Per-host network info. mreow is laptop-on-DHCP so it has no entry.
|
|
hosts = {
|
|
muffin = {
|
|
ip = "192.168.1.50";
|
|
# Canonical alias used by deploy.sh, CI workflows, and borg backup target.
|
|
# Resolves via /etc/hosts on muffin and the desktops' NetworkManager DNS.
|
|
alias = "server-public";
|
|
# SSH host key — same key is served for every alias muffin answers to
|
|
# (server-public, the IP, git.${domain}, git.${old_domain}).
|
|
ssh_host_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFMjgaMnE+zS7tL+m5E7gh9Q9U1zurLdmU0qcmEmaucu";
|
|
};
|
|
yarn = {
|
|
ip = "192.168.1.223";
|
|
alias = "desktop";
|
|
};
|
|
};
|
|
|
|
# --- SSH pubkeys ---
|
|
# One line per key, referenced by name from services/ssh.nix (muffin) and
|
|
# hosts/yarn/default.nix. Rotating a key means changing it here, nowhere else.
|
|
ssh_keys = {
|
|
laptop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH";
|
|
desktop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJjT5QZ3zRDb+V6Em20EYpSEgPW5e/U+06uQGJdraxi";
|
|
ci_deploy = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC5ZYN6idL/w/mUIfPOH1i+Q/SQXuzAMQUEuWpipx1Pc ci-deploy@muffin";
|
|
};
|
|
}
|