Move none module settings to config

This commit is contained in:
Sandro - 2022-12-22 01:15:10 +01:00
parent 8e63a500c3
commit 7e72e59a77
Signed by: sandro
GPG Key ID: 3AF5A43A3EECC2E5
3 changed files with 140 additions and 158 deletions


@ -1,14 +1,97 @@
{ config, lib, ... }:
{ config, lib, pkgs, ... }:
# this file contains default configuration that may be turned on depending on other config settings.
# options should go to modules.
lib.mkMerge [
{
assertions = [{
assertion = config.users.users.root.password == null;
message = "Root passwords not allowed in HQ";
}];
boot.cleanTmpDir = true;
documentation.nixos.enable = false;
environment = {
noXlibs = !lib.any (host: host == config.networking.hostName) [ "dacbert" "glotzbert" "rpi-netboot" ];
systemPackages = with pkgs; [
bmon
curl
dig
ethtool
git
htop
iotop
mtr
pv
ripgrep
screen
tcpdump
tmux
tree
vim
wget
];
};
i18n = {
defaultLocale = "en_US.UTF-8";
supportedLocales = [
"en_US.UTF-8/UTF-8"
"de_DE.UTF-8/UTF-8"
];
};
nix = {
settings = {
builders-use-substitutes = true;
connect-timeout = 20;
experimental-features = "nix-command flakes";
fallback = true;
trusted-public-keys = [
"nix-serve.hq.c3d2.de:KZRGGnwOYzys6pxgM8jlur36RmkJQ/y8y62e52fj1ps="
];
# don't self feed hydra
substituters = lib.mkIf (config.networking.hostName != "hydra") (
lib.mkBefore [ "https://nix-serve.hq.c3d2.de" ]
);
};
gc = {
automatic = lib.mkDefault true;
dates = "06:00";
options = "--delete-older-than 21d";
randomizedDelaySec = "6h";
};
};
services.openssh = {
# Required for deployment and sops
enable = true;
permitRootLogin = "prohibit-password";
};
programs = {
fzf.keybindings = true;
vim.defaultEditor = true;
};
security.acme = {
acceptTerms = true;
defaults = {
email = "mail@c3d2.de";
# letsencrypt staging server with way higher rate limits
# server = "https://acme-staging-v02.api.letsencrypt.org/directory";
};
};
# Reboot on hang
systemd.watchdog = lib.mkIf (!config.boot.isContainer) {
runtimeTime = "15s";
rebootTime = "15s";
};
time.timeZone = lib.mkDefault "Europe/Berlin";
users.motd = builtins.readFile ./motd;
zramSwap.enable = true;
}
(lib.mkIf config.services.nginx.enable {

6
config/motd Normal file

@ -0,0 +1,6 @@
______ ______
/ / / / / /\ \ \
/ / / / / / \ \ \
\ \ \ \ / / / / /
\_\_\_\/_/ /_/_/


@ -37,34 +37,20 @@ let
toHqPrivateAddress = toIpv6Address hqPrefix64;
in
{
options.c3d2 = with lib; {
allUsersCanSshRoot = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Let all people in <literal>c3d2.users</literal>
login as root for deployment via SSH.
'';
};
enableMotd = mkOption {
type = types.bool;
default = true;
};
mergeNncpSettings = mkEnableOption ''
options.c3d2 = {
mergeNncpSettings = lib.mkEnableOption ''
Whether to merge <literal>c3d2.nncp.<>.nncp</literal>
into <literal>programs.nncp.settings</literal>.
'';
k-ot.enable = mkEnableOption ''
k-ot.enable = lib.mkEnableOption ''
Add k-ot user to this machine. Anyone with an SSH key listed in
<literal>c3d2.users</literal> can log in as this user.
'';
hq = {
interface = mkOption {
type = with types; nullOr str;
interface = lib.mkOption {
type = with lib.types; nullOr str;
default = null;
example = "eth0";
description = ''
@ -72,16 +58,16 @@ in
'';
};
journalToMqtt = mkOption {
type = types.bool;
journalToMqtt = lib.mkOption {
type = lib.types.bool;
# broken :(
default = false;
};
};
nncp = {
neigh = mkOption {
type = with types; attrsOf neighMod;
neigh = lib.mkOption {
type = with lib.types; attrsOf neighMod;
default = { };
description = ''
Attrset of NNCP neighbours for relaying packets.
@ -102,39 +88,43 @@ in
};
};
sshKeys = mkOption {
type = with types; attrsOf (listOf str);
sshKeys = lib.mkOption {
type = with lib.types; attrsOf (listOf str);
default = [ ];
};
};
config =
let
adminKeys = with builtins; lib.lists.flatten (attrValues cfg.sshKeys);
in
{
assertions = [{
assertion = config.users.users.root.password == null;
message = "Root passwords not allowed in HQ";
}];
programs.nncp.settings = lib.optionalAttrs cfg.mergeNncpSettings cfg.nncp;
users.motd = lib.mkIf cfg.enableMotd (builtins.readFile ./motd);
users =
let
adminKeys = with builtins; lib.lists.flatten (attrValues cfg.sshKeys);
in
{
users = {
k-ot = lib.mkIf cfg.k-ot.enable {
createHome = true;
isNormalUser = true;
uid = 1000;
extraGroups = [
"audio"
"video"
"wheel"
];
password = "k-otk-ot";
openssh.authorizedKeys.keys = adminKeys;
};
users = {
users = {
k-ot = lib.mkIf cfg.k-ot.enable {
createHome = true;
isNormalUser = true;
uid = 1000;
extraGroups = [
"audio"
"video"
"wheel"
];
password = "k-otk-ot";
openssh.authorizedKeys.keys = adminKeys;
root.openssh.authorizedKeys.keys = adminKeys;
};
root.openssh.authorizedKeys.keys = lib.mkIf cfg.allUsersCanSshRoot adminKeys;
};
};
services.vector = lib.mkIf config.c3d2.hq.journalToMqtt {
enable = true;
@ -159,8 +149,8 @@ in
};
secret.mqtt =
let
catSecrets = with pkgs; writeScript "cat-vector-secrets" ''
#!${runtimeShell} -e
catSecrets = pkgs.writeScript "cat-vector-secrets" ''
#!${pkgs.runtimeShell} -e
echo '{'
COMMA=n
for F in $@; do
@ -197,18 +187,6 @@ in
};
};
boot.cleanTmpDir = true;
documentation.nixos.enable = false;
i18n = {
defaultLocale = "en_US.UTF-8";
supportedLocales = [
"en_US.UTF-8/UTF-8"
"de_DE.UTF-8/UTF-8"
];
};
systemd.network.networks = lib.mkIf (cfg.hq.interface != null && config.networking.useNetworkd) {
"40-eth0".routes = [{
routeConfig = {
@ -218,13 +196,11 @@ in
}];
};
networking = {
interfaces = lib.mkIf (cfg.hq.interface != null) {
"${cfg.hq.interface}".ipv6.addresses = [{
address = toHqPrivateAddress config.networking.hostName;
prefixLength = 64;
}];
};
networking.interfaces = lib.mkIf (cfg.hq.interface != null) {
"${cfg.hq.interface}".ipv6.addresses = [{
address = toHqPrivateAddress config.networking.hostName;
prefixLength = 64;
}];
nameservers = with hostRegistry.dnscache; [
ip4
@ -242,80 +218,17 @@ in
config.networking.nameservers;
};
nix = {
settings = {
builders-use-substitutes = true;
connect-timeout = 20;
experimental-features = "nix-command flakes";
fallback = true;
trusted-public-keys = [
"nix-serve.hq.c3d2.de:KZRGGnwOYzys6pxgM8jlur36RmkJQ/y8y62e52fj1ps="
];
# don't self feed hydra
substituters = lib.mkIf (config.networking.hostName != "hydra") (
lib.mkBefore [ "https://nix-serve.hq.c3d2.de" ]
);
};
gc = {
automatic = lib.mkDefault true;
dates = "06:00";
options = "--delete-older-than 21d";
randomizedDelaySec = "6h";
};
registry.c3d2 = {
from = {
id = "c3d2";
type = "indirect";
};
to = {
type = "git";
url = "https://gitea.c3d2.de/C3D2/nix-config.git";
};
};
};
services.openssh = {
# Required for deployment and sops
enable = true;
permitRootLogin = "prohibit-password";
};
sops.age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];
environment = {
noXlibs = (!lib.any (host: host == config.networking.hostName) [ "dacbert" "glotzbert" "rpi-netboot" ]);
systemPackages = with pkgs; [
bmon
curl
dig
ethtool
git
htop
iotop
mtr
pv
ripgrep
screen
tcpdump
tmux
tree
vim
wget
];
};
programs = {
fzf.keybindings = true;
ssh.knownHosts =
let
hosts = (import ../ssh-public-keys.nix).hosts;
inherit ((import ../ssh-public-keys.nix)) hosts;
list = map
(name: {
inherit name;
value =
let
ip6 = if zentralwerk.lib.config.site.net-combined.hosts6 ? name then
ip6 =
if zentralwerk.lib.config.site.net-combined.hosts6 ? name then
zentralwerk.lib.config.site.net.hosts6.${name}
else
toHqPrivateAddress name;
@ -324,31 +237,11 @@ in
publicKey = lib.head (lib.getAttr name hosts);
hostNames = [ ip6 "${name}.hq.c3d2.de" name ];
};
})
})
(builtins.attrNames hosts);
keyedHosts = lib.filter (x: x.value.publicKey != null || x.value.publicKeyFile != null) list;
in
lib.listToAttrs keyedHosts;
vim.defaultEditor = true;
};
time.timeZone = lib.mkDefault "Europe/Berlin";
# Reboot on hang
systemd.watchdog = lib.mkIf (!config.boot.isContainer) {
runtimeTime = "15s";
rebootTime = "15s";
};
security.acme = {
acceptTerms = true;
defaults = {
email = "mail@c3d2.de";
# letsencrypt staging server with way higher rate limits
# server = "https://acme-staging-v02.api.letsencrypt.org/directory";
};
};
zramSwap.enable = true;
};
}
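Review bot: In the hunk at `@ -102,39 +88,43 @@`, the new line `root.openssh.authorizedKeys.keys = adminKeys;` is unconditional, whereas the removed line was `root.openssh.authorizedKeys.keys = lib.mkIf cfg.allUsersCanSshRoot adminKeys;` and the `c3d2.allUsersCanSshRoot` option itself is deleted in the first hunk of this file; every key listed in `c3d2.sshKeys` therefore gets root SSH access on every host with no per-host opt-out, which is a behaviour change rather than the pure move the commit title describes. The option defaulted to `true`, so hosts that never set it are unaffected, but any host that had set it to `false` would silently start accepting all admin keys as root (whether such a host exists is not visible on this page). I would keep the option and the conditional as below; the removed `enableMotd` option follows the same pattern, though without the security impact. The `config` attribute set that contains the changed line starts and ends outside this hunk.
```nix
options.c3d2 = {
  allUsersCanSshRoot = lib.mkOption {
    type = lib.types.bool;
    default = true;
    description = ''
      Let all people in <literal>c3d2.users</literal>
      login as root for deployment via SSH.
    '';
  };
  # … unchanged: mergeNncpSettings, k-ot, hq, nncp, sshKeys …
# … unchanged: config let/in, assertions, nncp settings, motd, k-ot user …
      root.openssh.authorizedKeys.keys = lib.mkIf cfg.allUsersCanSshRoot adminKeys;
```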