diff --git a/config/default.nix b/config/default.nix
index e17f7dcb..9b45e22f 100644
--- a/config/default.nix
+++ b/config/default.nix
@@ -1,14 +1,97 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
# this file contains default configuration that may be turned on depending on other config settings.
# options should go to modules.
lib.mkMerge [
{
- assertions = [{
- assertion = config.users.users.root.password == null;
- message = "Root passwords not allowed in HQ";
- }];
+ boot.cleanTmpDir = true;
+
+ documentation.nixos.enable = false;
+
+ environment = {
+ noXlibs = !lib.any (host: host == config.networking.hostName) [ "dacbert" "glotzbert" "rpi-netboot" ];
+ systemPackages = with pkgs; [
+ bmon
+ curl
+ dig
+ ethtool
+ git
+ htop
+ iotop
+ mtr
+ pv
+ ripgrep
+ screen
+ tcpdump
+ tmux
+ tree
+ vim
+ wget
+ ];
+ };
+
+ i18n = {
+ defaultLocale = "en_US.UTF-8";
+ supportedLocales = [
+ "en_US.UTF-8/UTF-8"
+ "de_DE.UTF-8/UTF-8"
+ ];
+ };
+
+ nix = {
+ settings = {
+ builders-use-substitutes = true;
+ connect-timeout = 20;
+ experimental-features = "nix-command flakes";
+ fallback = true;
+ trusted-public-keys = [
+ "nix-serve.hq.c3d2.de:KZRGGnwOYzys6pxgM8jlur36RmkJQ/y8y62e52fj1ps="
+ ];
+ # don't self feed hydra
+ substituters = lib.mkIf (config.networking.hostName != "hydra") (
+ lib.mkBefore [ "https://nix-serve.hq.c3d2.de" ]
+ );
+ };
+ gc = {
+ automatic = lib.mkDefault true;
+ dates = "06:00";
+ options = "--delete-older-than 21d";
+ randomizedDelaySec = "6h";
+ };
+ };
+
+ services.openssh = {
+ # Required for deployment and sops
+ enable = true;
+ permitRootLogin = "prohibit-password";
+ };
+
+ programs = {
+ fzf.keybindings = true;
+ vim.defaultEditor = true;
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ email = "mail@c3d2.de";
+ # letsencrypt staging server with way higher rate limits
+ # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+ };
+ };
+
+ # Reboot on hang
+ systemd.watchdog = lib.mkIf (!config.boot.isContainer) {
+ runtimeTime = "15s";
+ rebootTime = "15s";
+ };
+
+ time.timeZone = lib.mkDefault "Europe/Berlin";
+
+ users.motd = builtins.readFile ./motd;
+
+ zramSwap.enable = true;
}
(lib.mkIf config.services.nginx.enable {
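Review bot: `services.openssh` (L72–L76) locks root to key-only but leaves password authentication at the NixOS default, so any account that carries a password — including the `k-ot` user this module creates with a fixed password and `wheel` membership (L206–L217) — remains reachable over SSH by password, which the "Root passwords not allowed" assertion does not cover. Since the comment documents this as deployment/sops access, add `passwordAuthentication = false;` and the matching keyboard-interactive option next to `permitRootLogin`, spelled the way this NixOS release expects (`settings.PasswordAuthentication` on newer releases). Separately, `sops.age.sshKeyPaths` and `nix.registry.c3d2`, removed from modules/c3d2.nix further down, are not re-added here; if they were not moved to another file, sops falls back to its own host-key discovery and the `c3d2` flake registry alias is gone — worth confirming before merging.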
diff --git a/config/motd b/config/motd
new file mode 100644
index 00000000..8d861030
--- /dev/null
+++ b/config/motd
@@ -0,0 +1,6 @@
+ ______ ______
+ / / / / / /\ \ \
+/ / / / / / \ \ \
+\ \ \ \ / / / / /
+ \_\_\_\/_/ /_/_/
+
diff --git a/modules/c3d2.nix b/modules/c3d2.nix
index 550771d6..2f099a96 100644
--- a/modules/c3d2.nix
+++ b/modules/c3d2.nix
@@ -37,34 +37,20 @@ let
toHqPrivateAddress = toIpv6Address hqPrefix64;
in
{
- options.c3d2 = with lib; {
- allUsersCanSshRoot = lib.mkOption {
- type = lib.types.bool;
- default = true;
- description = ''
- Let all people in c3d2.users
- login as root for deployment via SSH.
- '';
- };
-
- enableMotd = mkOption {
- type = types.bool;
- default = true;
- };
-
- mergeNncpSettings = mkEnableOption ''
+ options.c3d2 = {
+ mergeNncpSettings = lib.mkEnableOption ''
Whether to merge c3d2.nncp.<…>.nncp
into programs.nncp.settings.
'';
- k-ot.enable = mkEnableOption ''
+ k-ot.enable = lib.mkEnableOption ''
Add k-ot user to this machine. Anyone with an SSH key listed in
c3d2.users can log in as this user.
'';
hq = {
- interface = mkOption {
- type = with types; nullOr str;
+ interface = lib.mkOption {
+ type = with lib.types; nullOr str;
default = null;
example = "eth0";
description = ''
@@ -72,16 +58,16 @@ in
'';
};
- journalToMqtt = mkOption {
- type = types.bool;
+ journalToMqtt = lib.mkOption {
+ type = lib.types.bool;
# broken :(
default = false;
};
};
nncp = {
- neigh = mkOption {
- type = with types; attrsOf neighMod;
+ neigh = lib.mkOption {
+ type = with lib.types; attrsOf neighMod;
default = { };
description = ''
Attrset of NNCP neighbours for relaying packets.
@@ -102,39 +88,43 @@ in
};
};
- sshKeys = mkOption {
- type = with types; attrsOf (listOf str);
+ sshKeys = lib.mkOption {
+ type = with lib.types; attrsOf (listOf str);
default = [ ];
};
};
config =
- let
- adminKeys = with builtins; lib.lists.flatten (attrValues cfg.sshKeys);
- in
{
+ assertions = [{
+ assertion = config.users.users.root.password == null;
+ message = "Root passwords not allowed in HQ";
+ }];
+
programs.nncp.settings = lib.optionalAttrs cfg.mergeNncpSettings cfg.nncp;
- users.motd = lib.mkIf cfg.enableMotd (builtins.readFile ./motd);
+ users =
+ let
+ adminKeys = with builtins; lib.lists.flatten (attrValues cfg.sshKeys);
+ in
+ {
+ users = {
+ k-ot = lib.mkIf cfg.k-ot.enable {
+ createHome = true;
+ isNormalUser = true;
+ uid = 1000;
+ extraGroups = [
+ "audio"
+ "video"
+ "wheel"
+ ];
+ password = "k-otk-ot";
+ openssh.authorizedKeys.keys = adminKeys;
+ };
- users = {
- users = {
- k-ot = lib.mkIf cfg.k-ot.enable {
- createHome = true;
- isNormalUser = true;
- uid = 1000;
- extraGroups = [
- "audio"
- "video"
- "wheel"
- ];
- password = "k-otk-ot";
- openssh.authorizedKeys.keys = adminKeys;
+ root.openssh.authorizedKeys.keys = adminKeys;
};
-
- root.openssh.authorizedKeys.keys = lib.mkIf cfg.allUsersCanSshRoot adminKeys;
};
- };
services.vector = lib.mkIf config.c3d2.hq.journalToMqtt {
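Review bot: `k-ot` (L206–L217) is created with the literal plaintext password `k-otk-ot` and `wheel` membership, so anyone who can reach the host holds a known sudo-capable credential even though the new assertion at L193–L196 forbids a root password — root is one `sudo` away. Key-based access via `adminKeys` is already wired onto the same user, so drop `password` (or back it with `hashedPassword` from a secret) and rely on the keys; if a shared console password is genuinely intended, say so in a comment and pair it with SSH password authentication disabled. With `allUsersCanSshRoot` removed, `root.openssh.authorizedKeys.keys = adminKeys` (L231) is now unconditional, so every key in `c3d2.sshKeys` gets root on every host importing this module; a `# every key in c3d2.sshKeys may log in as root (deployment)` comment would make that visible. Also, `sshKeys` (L183–L186) is typed `attrsOf (listOf str)` but defaults to `[ ]`; that default should be `{ }`, otherwise the `attrValues` call at L202 should fail whenever nothing sets the option.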
enable = true;
@@ -159,8 +149,8 @@ in
};
secret.mqtt =
let
- catSecrets = with pkgs; writeScript "cat-vector-secrets" ''
- #!${runtimeShell} -e
+ catSecrets = pkgs.writeScript "cat-vector-secrets" ''
+ #!${pkgs.runtimeShell} -e
echo '{'
COMMA=n
for F in $@; do
@@ -197,18 +187,6 @@ in
};
};
- boot.cleanTmpDir = true;
-
- documentation.nixos.enable = false;
-
- i18n = {
- defaultLocale = "en_US.UTF-8";
- supportedLocales = [
- "en_US.UTF-8/UTF-8"
- "de_DE.UTF-8/UTF-8"
- ];
- };
-
systemd.network.networks = lib.mkIf (cfg.hq.interface != null && config.networking.useNetworkd) {
"40-eth0".routes = [{
routeConfig = {
@@ -218,13 +196,11 @@ in
}];
};
- networking = {
- interfaces = lib.mkIf (cfg.hq.interface != null) {
- "${cfg.hq.interface}".ipv6.addresses = [{
- address = toHqPrivateAddress config.networking.hostName;
- prefixLength = 64;
- }];
- };
+ networking.interfaces = lib.mkIf (cfg.hq.interface != null) {
+ "${cfg.hq.interface}".ipv6.addresses = [{
+ address = toHqPrivateAddress config.networking.hostName;
+ prefixLength = 64;
+ }];
nameservers = with hostRegistry.dnscache; [
ip4
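Review bot: Removing `networking = {` together with the `};` that closed `interfaces` (L277) leaves `nameservers = …` (L283) nested inside the `lib.mkIf` set assigned to `networking.interfaces`, where it becomes `networking.interfaces.nameservers` and is dropped entirely on hosts with `hq.interface == null`; the interfaces submodule should reject a list there, but either way the HQ resolvers are no longer applied. Restore the grouping — `networking = {` / `interfaces = lib.mkIf (cfg.hq.interface != null) { … };` / `nameservers = …;` — so the later `};` closes `networking` again, or close the interface set with `};` before `nameservers`, rename it `networking.nameservers`, and delete the now-unmatched `};`. The `nameservers` definition continues past the end of this hunk.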
@@ -242,80 +218,17 @@ in
config.networking.nameservers;
};
- nix = {
- settings = {
- builders-use-substitutes = true;
- connect-timeout = 20;
- experimental-features = "nix-command flakes";
- fallback = true;
- trusted-public-keys = [
- "nix-serve.hq.c3d2.de:KZRGGnwOYzys6pxgM8jlur36RmkJQ/y8y62e52fj1ps="
- ];
- # don't self feed hydra
- substituters = lib.mkIf (config.networking.hostName != "hydra") (
- lib.mkBefore [ "https://nix-serve.hq.c3d2.de" ]
- );
- };
- gc = {
- automatic = lib.mkDefault true;
- dates = "06:00";
- options = "--delete-older-than 21d";
- randomizedDelaySec = "6h";
- };
- registry.c3d2 = {
- from = {
- id = "c3d2";
- type = "indirect";
- };
- to = {
- type = "git";
- url = "https://gitea.c3d2.de/C3D2/nix-config.git";
- };
- };
- };
-
- services.openssh = {
- # Required for deployment and sops
- enable = true;
- permitRootLogin = "prohibit-password";
- };
-
- sops.age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];
-
- environment = {
- noXlibs = (!lib.any (host: host == config.networking.hostName) [ "dacbert" "glotzbert" "rpi-netboot" ]);
- systemPackages = with pkgs; [
- bmon
- curl
- dig
- ethtool
- git
- htop
- iotop
- mtr
- pv
- ripgrep
- screen
- tcpdump
- tmux
- tree
- vim
- wget
- ];
- };
-
programs = {
- fzf.keybindings = true;
-
ssh.knownHosts =
let
- hosts = (import ../ssh-public-keys.nix).hosts;
+ inherit ((import ../ssh-public-keys.nix)) hosts;
list = map
(name: {
inherit name;
value =
let
- ip6 = if zentralwerk.lib.config.site.net-combined.hosts6 ? name then
+ ip6 =
+ if zentralwerk.lib.config.site.net-combined.hosts6 ? name then
zentralwerk.lib.config.site.net.hosts6.${name}
else
toHqPrivateAddress name;
@@ -324,31 +237,11 @@ in
publicKey = lib.head (lib.getAttr name hosts);
hostNames = [ ip6 "${name}.hq.c3d2.de" name ];
};
- })
+ })
(builtins.attrNames hosts);
keyedHosts = lib.filter (x: x.value.publicKey != null || x.value.publicKeyFile != null) list;
in
lib.listToAttrs keyedHosts;
-
- vim.defaultEditor = true;
};
-
- time.timeZone = lib.mkDefault "Europe/Berlin";
-
- # Reboot on hang
- systemd.watchdog = lib.mkIf (!config.boot.isContainer) {
- runtimeTime = "15s";
- rebootTime = "15s";
- };
-
- security.acme = {
- acceptTerms = true;
- defaults = {
- email = "mail@c3d2.de";
- # letsencrypt staging server with way higher rate limits
- # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
- };
- };
- zramSwap.enable = true;
};
}
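Review bot: `zentralwerk.lib.config.site.net-combined.hosts6 ? name` (L364) tests for an attribute literally called `name`, not for the host being iterated, so the branch is effectively never taken and every `ssh.knownHosts` entry falls back to `toHqPrivateAddress name`, silently recording the wrong address for hosts in the zentralwerk range; write it as `… .hosts6 ? ${name}` (or `builtins.hasAttr name …`). The test reads `net-combined.hosts6` while the lookup on L365 reads `net.hosts6.${name}`; checking and reading the same set avoids a missing-attribute failure when they differ. The expression predates this commit apart from formatting, but the rewrite touches exactly that line. The hunk also removes `sops.age.sshKeyPaths` and `nix.registry.c3d2` with no replacement visible in `config/default.nix`; if they were not relocated, confirm that sops' default host-key discovery and the dropped registry alias are intended.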