Move none module settings to config
This commit is contained in:
parent
8e63a500c3
commit
7e72e59a77
|
@ -1,14 +1,97 @@
|
||||||
{ config, lib, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
# this file contains default configuration that may be turned on depending on other config settings.
|
# this file contains default configuration that may be turned on depending on other config settings.
|
||||||
# options should go to modules.
|
# options should go to modules.
|
||||||
|
|
||||||
lib.mkMerge [
|
lib.mkMerge [
|
||||||
{
|
{
|
||||||
assertions = [{
|
boot.cleanTmpDir = true;
|
||||||
assertion = config.users.users.root.password == null;
|
|
||||||
message = "Root passwords not allowed in HQ";
|
documentation.nixos.enable = false;
|
||||||
}];
|
|
||||||
|
environment = {
|
||||||
|
noXlibs = !lib.any (host: host == config.networking.hostName) [ "dacbert" "glotzbert" "rpi-netboot" ];
|
||||||
|
systemPackages = with pkgs; [
|
||||||
|
bmon
|
||||||
|
curl
|
||||||
|
dig
|
||||||
|
ethtool
|
||||||
|
git
|
||||||
|
htop
|
||||||
|
iotop
|
||||||
|
mtr
|
||||||
|
pv
|
||||||
|
ripgrep
|
||||||
|
screen
|
||||||
|
tcpdump
|
||||||
|
tmux
|
||||||
|
tree
|
||||||
|
vim
|
||||||
|
wget
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
i18n = {
|
||||||
|
defaultLocale = "en_US.UTF-8";
|
||||||
|
supportedLocales = [
|
||||||
|
"en_US.UTF-8/UTF-8"
|
||||||
|
"de_DE.UTF-8/UTF-8"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
nix = {
|
||||||
|
settings = {
|
||||||
|
builders-use-substitutes = true;
|
||||||
|
connect-timeout = 20;
|
||||||
|
experimental-features = "nix-command flakes";
|
||||||
|
fallback = true;
|
||||||
|
trusted-public-keys = [
|
||||||
|
"nix-serve.hq.c3d2.de:KZRGGnwOYzys6pxgM8jlur36RmkJQ/y8y62e52fj1ps="
|
||||||
|
];
|
||||||
|
# don't self feed hydra
|
||||||
|
substituters = lib.mkIf (config.networking.hostName != "hydra") (
|
||||||
|
lib.mkBefore [ "https://nix-serve.hq.c3d2.de" ]
|
||||||
|
);
|
||||||
|
};
|
||||||
|
gc = {
|
||||||
|
automatic = lib.mkDefault true;
|
||||||
|
dates = "06:00";
|
||||||
|
options = "--delete-older-than 21d";
|
||||||
|
randomizedDelaySec = "6h";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.openssh = {
|
||||||
|
# Required for deployment and sops
|
||||||
|
enable = true;
|
||||||
|
permitRootLogin = "prohibit-password";
|
||||||
|
};
|
||||||
|
|
||||||
|
programs = {
|
||||||
|
fzf.keybindings = true;
|
||||||
|
vim.defaultEditor = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
security.acme = {
|
||||||
|
acceptTerms = true;
|
||||||
|
defaults = {
|
||||||
|
email = "mail@c3d2.de";
|
||||||
|
# letsencrypt staging server with way higher rate limits
|
||||||
|
# server = "https://acme-staging-v02.api.letsencrypt.org/directory";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# Reboot on hang
|
||||||
|
systemd.watchdog = lib.mkIf (!config.boot.isContainer) {
|
||||||
|
runtimeTime = "15s";
|
||||||
|
rebootTime = "15s";
|
||||||
|
};
|
||||||
|
|
||||||
|
time.timeZone = lib.mkDefault "Europe/Berlin";
|
||||||
|
|
||||||
|
users.motd = builtins.readFile ./motd;
|
||||||
|
|
||||||
|
zramSwap.enable = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
(lib.mkIf config.services.nginx.enable {
|
(lib.mkIf config.services.nginx.enable {
|
||||||
|
|
|
@ -0,0 +1,6 @@
|
||||||
|
______ ______
|
||||||
|
/ / / / / /\ \ \
|
||||||
|
/ / / / / / \ \ \
|
||||||
|
\ \ \ \ / / / / /
|
||||||
|
\_\_\_\/_/ /_/_/
|
||||||
|
|
199
modules/c3d2.nix
199
modules/c3d2.nix
|
@ -37,34 +37,20 @@ let
|
||||||
toHqPrivateAddress = toIpv6Address hqPrefix64;
|
toHqPrivateAddress = toIpv6Address hqPrefix64;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.c3d2 = with lib; {
|
options.c3d2 = {
|
||||||
allUsersCanSshRoot = lib.mkOption {
|
mergeNncpSettings = lib.mkEnableOption ''
|
||||||
type = lib.types.bool;
|
|
||||||
default = true;
|
|
||||||
description = ''
|
|
||||||
Let all people in <literal>c3d2.users</literal>
|
|
||||||
login as root for deployment via SSH.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
enableMotd = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
mergeNncpSettings = mkEnableOption ''
|
|
||||||
Whether to merge <literal>c3d2.nncp.<…>.nncp</literal>
|
Whether to merge <literal>c3d2.nncp.<…>.nncp</literal>
|
||||||
into <literal>programs.nncp.settings</literal>.
|
into <literal>programs.nncp.settings</literal>.
|
||||||
'';
|
'';
|
||||||
|
|
||||||
k-ot.enable = mkEnableOption ''
|
k-ot.enable = lib.mkEnableOption ''
|
||||||
Add k-ot user to this machine. Anyone with an SSH key listed in
|
Add k-ot user to this machine. Anyone with an SSH key listed in
|
||||||
<literal>c3d2.users</literal> can log in as this user.
|
<literal>c3d2.users</literal> can log in as this user.
|
||||||
'';
|
'';
|
||||||
|
|
||||||
hq = {
|
hq = {
|
||||||
interface = mkOption {
|
interface = lib.mkOption {
|
||||||
type = with types; nullOr str;
|
type = with lib.types; nullOr str;
|
||||||
default = null;
|
default = null;
|
||||||
example = "eth0";
|
example = "eth0";
|
||||||
description = ''
|
description = ''
|
||||||
|
@ -72,16 +58,16 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
journalToMqtt = mkOption {
|
journalToMqtt = lib.mkOption {
|
||||||
type = types.bool;
|
type = lib.types.bool;
|
||||||
# broken :(
|
# broken :(
|
||||||
default = false;
|
default = false;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
nncp = {
|
nncp = {
|
||||||
neigh = mkOption {
|
neigh = lib.mkOption {
|
||||||
type = with types; attrsOf neighMod;
|
type = with lib.types; attrsOf neighMod;
|
||||||
default = { };
|
default = { };
|
||||||
description = ''
|
description = ''
|
||||||
Attrset of NNCP neighbours for relaying packets.
|
Attrset of NNCP neighbours for relaying packets.
|
||||||
|
@ -102,39 +88,43 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
sshKeys = mkOption {
|
sshKeys = lib.mkOption {
|
||||||
type = with types; attrsOf (listOf str);
|
type = with lib.types; attrsOf (listOf str);
|
||||||
default = [ ];
|
default = [ ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config =
|
config =
|
||||||
let
|
|
||||||
adminKeys = with builtins; lib.lists.flatten (attrValues cfg.sshKeys);
|
|
||||||
in
|
|
||||||
{
|
{
|
||||||
|
assertions = [{
|
||||||
|
assertion = config.users.users.root.password == null;
|
||||||
|
message = "Root passwords not allowed in HQ";
|
||||||
|
}];
|
||||||
|
|
||||||
programs.nncp.settings = lib.optionalAttrs cfg.mergeNncpSettings cfg.nncp;
|
programs.nncp.settings = lib.optionalAttrs cfg.mergeNncpSettings cfg.nncp;
|
||||||
|
|
||||||
users.motd = lib.mkIf cfg.enableMotd (builtins.readFile ./motd);
|
users =
|
||||||
|
let
|
||||||
|
adminKeys = with builtins; lib.lists.flatten (attrValues cfg.sshKeys);
|
||||||
|
in
|
||||||
|
{
|
||||||
|
users = {
|
||||||
|
k-ot = lib.mkIf cfg.k-ot.enable {
|
||||||
|
createHome = true;
|
||||||
|
isNormalUser = true;
|
||||||
|
uid = 1000;
|
||||||
|
extraGroups = [
|
||||||
|
"audio"
|
||||||
|
"video"
|
||||||
|
"wheel"
|
||||||
|
];
|
||||||
|
password = "k-otk-ot";
|
||||||
|
openssh.authorizedKeys.keys = adminKeys;
|
||||||
|
};
|
||||||
|
|
||||||
users = {
|
root.openssh.authorizedKeys.keys = adminKeys;
|
||||||
users = {
|
|
||||||
k-ot = lib.mkIf cfg.k-ot.enable {
|
|
||||||
createHome = true;
|
|
||||||
isNormalUser = true;
|
|
||||||
uid = 1000;
|
|
||||||
extraGroups = [
|
|
||||||
"audio"
|
|
||||||
"video"
|
|
||||||
"wheel"
|
|
||||||
];
|
|
||||||
password = "k-otk-ot";
|
|
||||||
openssh.authorizedKeys.keys = adminKeys;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
root.openssh.authorizedKeys.keys = lib.mkIf cfg.allUsersCanSshRoot adminKeys;
|
|
||||||
};
|
};
|
||||||
};
|
|
||||||
|
|
||||||
services.vector = lib.mkIf config.c3d2.hq.journalToMqtt {
|
services.vector = lib.mkIf config.c3d2.hq.journalToMqtt {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -159,8 +149,8 @@ in
|
||||||
};
|
};
|
||||||
secret.mqtt =
|
secret.mqtt =
|
||||||
let
|
let
|
||||||
catSecrets = with pkgs; writeScript "cat-vector-secrets" ''
|
catSecrets = pkgs.writeScript "cat-vector-secrets" ''
|
||||||
#!${runtimeShell} -e
|
#!${pkgs.runtimeShell} -e
|
||||||
echo '{'
|
echo '{'
|
||||||
COMMA=n
|
COMMA=n
|
||||||
for F in $@; do
|
for F in $@; do
|
||||||
|
@ -197,18 +187,6 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
boot.cleanTmpDir = true;
|
|
||||||
|
|
||||||
documentation.nixos.enable = false;
|
|
||||||
|
|
||||||
i18n = {
|
|
||||||
defaultLocale = "en_US.UTF-8";
|
|
||||||
supportedLocales = [
|
|
||||||
"en_US.UTF-8/UTF-8"
|
|
||||||
"de_DE.UTF-8/UTF-8"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.network.networks = lib.mkIf (cfg.hq.interface != null && config.networking.useNetworkd) {
|
systemd.network.networks = lib.mkIf (cfg.hq.interface != null && config.networking.useNetworkd) {
|
||||||
"40-eth0".routes = [{
|
"40-eth0".routes = [{
|
||||||
routeConfig = {
|
routeConfig = {
|
||||||
|
@ -218,13 +196,11 @@ in
|
||||||
}];
|
}];
|
||||||
};
|
};
|
||||||
|
|
||||||
networking = {
|
networking.interfaces = lib.mkIf (cfg.hq.interface != null) {
|
||||||
interfaces = lib.mkIf (cfg.hq.interface != null) {
|
"${cfg.hq.interface}".ipv6.addresses = [{
|
||||||
"${cfg.hq.interface}".ipv6.addresses = [{
|
address = toHqPrivateAddress config.networking.hostName;
|
||||||
address = toHqPrivateAddress config.networking.hostName;
|
prefixLength = 64;
|
||||||
prefixLength = 64;
|
}];
|
||||||
}];
|
|
||||||
};
|
|
||||||
|
|
||||||
nameservers = with hostRegistry.dnscache; [
|
nameservers = with hostRegistry.dnscache; [
|
||||||
ip4
|
ip4
|
||||||
|
@ -242,80 +218,17 @@ in
|
||||||
config.networking.nameservers;
|
config.networking.nameservers;
|
||||||
};
|
};
|
||||||
|
|
||||||
nix = {
|
|
||||||
settings = {
|
|
||||||
builders-use-substitutes = true;
|
|
||||||
connect-timeout = 20;
|
|
||||||
experimental-features = "nix-command flakes";
|
|
||||||
fallback = true;
|
|
||||||
trusted-public-keys = [
|
|
||||||
"nix-serve.hq.c3d2.de:KZRGGnwOYzys6pxgM8jlur36RmkJQ/y8y62e52fj1ps="
|
|
||||||
];
|
|
||||||
# don't self feed hydra
|
|
||||||
substituters = lib.mkIf (config.networking.hostName != "hydra") (
|
|
||||||
lib.mkBefore [ "https://nix-serve.hq.c3d2.de" ]
|
|
||||||
);
|
|
||||||
};
|
|
||||||
gc = {
|
|
||||||
automatic = lib.mkDefault true;
|
|
||||||
dates = "06:00";
|
|
||||||
options = "--delete-older-than 21d";
|
|
||||||
randomizedDelaySec = "6h";
|
|
||||||
};
|
|
||||||
registry.c3d2 = {
|
|
||||||
from = {
|
|
||||||
id = "c3d2";
|
|
||||||
type = "indirect";
|
|
||||||
};
|
|
||||||
to = {
|
|
||||||
type = "git";
|
|
||||||
url = "https://gitea.c3d2.de/C3D2/nix-config.git";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services.openssh = {
|
|
||||||
# Required for deployment and sops
|
|
||||||
enable = true;
|
|
||||||
permitRootLogin = "prohibit-password";
|
|
||||||
};
|
|
||||||
|
|
||||||
sops.age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];
|
|
||||||
|
|
||||||
environment = {
|
|
||||||
noXlibs = (!lib.any (host: host == config.networking.hostName) [ "dacbert" "glotzbert" "rpi-netboot" ]);
|
|
||||||
systemPackages = with pkgs; [
|
|
||||||
bmon
|
|
||||||
curl
|
|
||||||
dig
|
|
||||||
ethtool
|
|
||||||
git
|
|
||||||
htop
|
|
||||||
iotop
|
|
||||||
mtr
|
|
||||||
pv
|
|
||||||
ripgrep
|
|
||||||
screen
|
|
||||||
tcpdump
|
|
||||||
tmux
|
|
||||||
tree
|
|
||||||
vim
|
|
||||||
wget
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
programs = {
|
programs = {
|
||||||
fzf.keybindings = true;
|
|
||||||
|
|
||||||
ssh.knownHosts =
|
ssh.knownHosts =
|
||||||
let
|
let
|
||||||
hosts = (import ../ssh-public-keys.nix).hosts;
|
inherit ((import ../ssh-public-keys.nix)) hosts;
|
||||||
list = map
|
list = map
|
||||||
(name: {
|
(name: {
|
||||||
inherit name;
|
inherit name;
|
||||||
value =
|
value =
|
||||||
let
|
let
|
||||||
ip6 = if zentralwerk.lib.config.site.net-combined.hosts6 ? name then
|
ip6 =
|
||||||
|
if zentralwerk.lib.config.site.net-combined.hosts6 ? name then
|
||||||
zentralwerk.lib.config.site.net.hosts6.${name}
|
zentralwerk.lib.config.site.net.hosts6.${name}
|
||||||
else
|
else
|
||||||
toHqPrivateAddress name;
|
toHqPrivateAddress name;
|
||||||
|
@ -324,31 +237,11 @@ in
|
||||||
publicKey = lib.head (lib.getAttr name hosts);
|
publicKey = lib.head (lib.getAttr name hosts);
|
||||||
hostNames = [ ip6 "${name}.hq.c3d2.de" name ];
|
hostNames = [ ip6 "${name}.hq.c3d2.de" name ];
|
||||||
};
|
};
|
||||||
})
|
})
|
||||||
(builtins.attrNames hosts);
|
(builtins.attrNames hosts);
|
||||||
keyedHosts = lib.filter (x: x.value.publicKey != null || x.value.publicKeyFile != null) list;
|
keyedHosts = lib.filter (x: x.value.publicKey != null || x.value.publicKeyFile != null) list;
|
||||||
in
|
in
|
||||||
lib.listToAttrs keyedHosts;
|
lib.listToAttrs keyedHosts;
|
||||||
|
|
||||||
vim.defaultEditor = true;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
time.timeZone = lib.mkDefault "Europe/Berlin";
|
|
||||||
|
|
||||||
# Reboot on hang
|
|
||||||
systemd.watchdog = lib.mkIf (!config.boot.isContainer) {
|
|
||||||
runtimeTime = "15s";
|
|
||||||
rebootTime = "15s";
|
|
||||||
};
|
|
||||||
|
|
||||||
security.acme = {
|
|
||||||
acceptTerms = true;
|
|
||||||
defaults = {
|
|
||||||
email = "mail@c3d2.de";
|
|
||||||
# letsencrypt staging server with way higher rate limits
|
|
||||||
# server = "https://acme-staging-v02.api.letsencrypt.org/directory";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
zramSwap.enable = true;
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
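Review bot: In the `@ -102,39 +88,43 @@` hunk the new `root.openssh.authorizedKeys.keys = adminKeys;` drops the `lib.mkIf cfg.allUsersCanSshRoot` guard, and the first hunk removes the `allUsersCanSshRoot` option itself, so every host importing this module now unconditionally authorizes every key in `c3d2.sshKeys` for root SSH login, and any host that still sets that option will fail evaluation on an undefined option. If that is intended, state it at the assignment, e.g. `# Every c3d2.sshKeys holder can SSH as root on every host; there is no per-host opt-out.`; otherwise keep the option and the `lib.mkIf`. Separately, the `@ -242,80 +218,17 @@` hunk removes `nix.registry.c3d2` and `sops.age.sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ]`, but neither reappears on the new side of the other file in this commit, so unless they were moved to a file outside this diff they are dropped rather than moved. The old/new side of each line is inferred from the split-view columns here, since the +/- markers are not rendered.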