Move none condition settings to config/default.nix

Sandro - 2023-12-20 23:05:43 +01:00
parent 1f49c2cf17
commit 9e2296a05a
Signed by: sandro
GPG Key ID: 3AF5A43A3EECC2E5
2 changed files with 53 additions and 54 deletions


@ -1,4 +1,4 @@
{ config, lib, nixos, pkgs, ssh-public-keys, zentralwerk, ... }: { config, hostRegistry, lib, nixos, pkgs, ssh-public-keys, zentralwerk, ... }:
# this file contains default configuration that may be turned on depending on other config settings. # this file contains default configuration that may be turned on depending on other config settings.
# options should go to modules. # options should go to modules.
@ -35,6 +35,12 @@
documentation.enable = false; documentation.enable = false;
environment = { environment = {
etc."resolv.conf" = lib.mkIf (!config.services.resolved.enable) {
text = lib.concatMapStrings (ns: ''
nameserver ${ns}
'') config.networking.nameservers;
};
gnome.excludePackages = with pkgs; with gnome; [ gnome.excludePackages = with pkgs; with gnome; [
baobab baobab
cheese cheese
@ -51,11 +57,14 @@
totem totem
yelp # less webkitgtk's yelp # less webkitgtk's
]; ];
interactiveShellInit = /* sh */ '' interactiveShellInit = /* sh */ ''
# raise some awareness torwards failed services # raise some awareness torwards failed services
systemctl --no-pager --failed || true systemctl --no-pager --failed || true
''; '';
noXlibs = !config.services.xserver.enable; noXlibs = !config.services.xserver.enable;
systemPackages = with pkgs; [ systemPackages = with pkgs; [
bmon bmon
curl curl
@ -89,11 +98,19 @@
]; ];
}; };
networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ networking = {
# proxy protocol used by public-access-proxy firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [
8080 # proxy protocol used by public-access-proxy
8443 8080
]; 8443
];
nameservers = with hostRegistry.dnscache; [
ip4
ip6
"9.9.9.9"
];
useHostResolvConf = lib.mkIf (!config.services.resolved.enable) true;
};
nix = { nix = {
deleteChannels = true; deleteChannels = true;
@ -287,5 +304,15 @@
time.timeZone = lib.mkDefault "Europe/Berlin"; time.timeZone = lib.mkDefault "Europe/Berlin";
users.motdFile = ./motd; users = {
motdFile = ./motd;
users = let
adminKeys = with builtins; lib.lists.flatten (attrValues cfg.sshKeys);
in {
# https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/installation-device.nix#L23
nixos = lib.mkIf (config.system.nixos.variant_id == "installer") { openssh.authorizedKeys.keys = adminKeys; };
root.openssh.authorizedKeys.keys = adminKeys;
};
};
} }
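Review bot: `adminKeys` in the new `users.users` block reads `cfg.sshKeys`, but this file's argument list on the first hunk line binds only `config, hostRegistry, lib, nixos, pkgs, ssh-public-keys, zentralwerk` and no `let cfg = …` is visible in these hunks; unless `cfg` is defined in the lines between hunks, evaluation fails with an undefined variable, so `config.c3d2.sshKeys` (what `cfg` resolves to in the module this was moved from) would be the self-contained spelling. The `root.openssh.authorizedKeys.keys = adminKeys;` line is now applied unconditionally in a file whose header describes its contents as defaults that "may be turned on depending on other config settings", so a comment stating the scope would help the next reader: `# every key in c3d2.sshKeys gets root SSH on every host; not gated by any option`. The `networking` and `users` attributes sit inside a top-level attribute set that starts before the first hunk.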


@ -1,4 +1,4 @@
{ zentralwerk, hostRegistry, config, options, lib, pkgs, ... }: { zentralwerk, config, lib, pkgs, ... }:
let let
cfg = config.c3d2; cfg = config.c3d2;
@ -89,29 +89,18 @@ in
adminKeys = with builtins; lib.lists.flatten (attrValues cfg.sshKeys); adminKeys = with builtins; lib.lists.flatten (attrValues cfg.sshKeys);
in in
{ {
users = { users.k-ot = lib.mkIf cfg.k-ot.enable {
k-ot = lib.mkIf cfg.k-ot.enable { createHome = true;
createHome = true; isNormalUser = true;
isNormalUser = true; uid = 1000;
uid = 1000; extraGroups = [
extraGroups = [ "audio"
"audio" "video"
"video" "wheel"
"wheel" ];
]; # get by running mkpasswd logged in as the user
# get by running mkpasswd logged in as the user hashedPassword = "$y$j9T$AoK/PRviZS4BDJ6jX/Qt6/$FDM/JfANEU7H0RAIuN0DL2hjYujVAVDdI0jgN5wGwB5";
hashedPassword = "$y$j9T$AoK/PRviZS4BDJ6jX/Qt6/$FDM/JfANEU7H0RAIuN0DL2hjYujVAVDdI0jgN5wGwB5"; openssh.authorizedKeys.keys = adminKeys;
openssh.authorizedKeys.keys = adminKeys;
};
# TODO: change when on 23.05
# https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/installation-device.nix#L23
# nixos = lib.mkIf (config.system.nixos.variant_id == "installer") { openssh.authorizedKeys.keys = adminKeys; };
# using proxy option to detect iso
# https://github.com/NixOS/nixpkgs/blob/nixos-22.11/nixos/modules/profiles/installation-device.nix#L48
nixos = lib.mkIf (config.services.getty.autologinUser == "nixos") { openssh.authorizedKeys.keys = adminKeys; };
root.openssh.authorizedKeys.keys = adminKeys;
}; };
}; };
@ -138,7 +127,7 @@ in
}; };
secret.mqtt = secret.mqtt =
let let
catSecrets = pkgs.writeScript "cat-vector-secrets" '' catSecrets = pkgs.writeScript "cat-vector-secrets" /* bash */ ''
#!${pkgs.runtimeShell} -e #!${pkgs.runtimeShell} -e
echo '{' echo '{'
COMMA=n COMMA=n
@ -185,28 +174,11 @@ in
}]; }];
}; };
networking = { networking.interfaces = lib.mkIf (cfg.hq.interface != null) {
interfaces = lib.mkIf (cfg.hq.interface != null) { "${cfg.hq.interface}".ipv6.addresses = [{
"${cfg.hq.interface}".ipv6.addresses = [{ address = toHqPrivateAddress config.networking.hostName;
address = toHqPrivateAddress config.networking.hostName; prefixLength = 64;
prefixLength = 64; }];
}];
};
nameservers = with hostRegistry.dnscache; [
ip4
ip6
"9.9.9.9"
];
useHostResolvConf = lib.mkIf (!config.services.resolved.enable) true;
};
environment.etc."resolv.conf" = lib.mkIf (!config.services.resolved.enable) {
text = lib.concatMapStrings
(ns: ''
nameserver ${ns}
'')
config.networking.nameservers;
}; };
}; };
} }
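Review bot: `adminKeys` is still computed here as `lib.lists.flatten (attrValues cfg.sshKeys)` while the identical expression is now duplicated in config/default.nix for the `root` and `nixos` users, so the two key lists can silently drift; exposing it once, e.g. as a read-only `c3d2.adminKeys` option that both files read, would keep the k-ot, root and nixos accounts in agreement. Separately, and unchanged by this commit, `users.k-ot` is a `wheel` member whose `hashedPassword` is committed to the repository; if the default NixOS sudo policy for `wheel` applies, anyone who cracks that yescrypt hash has root on every host with `c3d2.k-ot.enable`, and since this file already uses a secrets mechanism (`secret.mqtt`), `hashedPasswordFile` (or `passwordFile` on older releases) pointing at a secret would be the safer form. The `users` and `networking.interfaces` attributes belong to a module body that begins before the first hunk and continues past the last.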