diff --git a/README.md b/README.md
index 35a1e0c2..315c7e8e 100644
--- a/README.md
+++ b/README.md
@@ -290,6 +290,8 @@ nix flake lock . --update-input secrets
 # Laptops / Desktops
+Note: currently being rebuild!
+
 This repository contains a NixOS module that can be used with personal machines as well. This module appends `/etc/ssh/ssh_known_hosts` with the host keys of registered HQ hosts, and optionally appends `/etc/hosts` with static IPv6
@@ -309,7 +311,6 @@ in {
 ];
 c3d2 = {
- isInHq = false; # not in HQ, this is the default.
 enableMotd = true; # Set the login shell message to the <<> logo.
 };
diff --git a/config/default.nix b/config/default.nix
index 5385ae01..e17f7dcb 100644
--- a/config/default.nix
+++ b/config/default.nix
@@ -3,12 +3,21 @@
 # this file contains default configuration that may be turned on depending on other config settings.
 # options should go to modules.
-lib.mkIf config.services.nginx.enable {
- services.nginx = {
- openFirewall = true;
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedProxySettings = true;
- recommendedTlsSettings = true;
- };
-}
+lib.mkMerge [
+ {
+ assertions = [{
+ assertion = config.users.users.root.password == null;
+ message = "Root passwords not allowed in HQ";
+ }];
+ }
+
+ (lib.mkIf config.services.nginx.enable {
+ services.nginx = {
+ openFirewall = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ };
+ })
+]
diff --git a/hosts/bind/default.nix b/hosts/bind/default.nix
index e3993b27..56fcdeb8 100644
--- a/hosts/bind/default.nix
+++ b/hosts/bind/default.nix
@@ -18,7 +18,6 @@ let
 in {
 c3d2 = {
- isInHq = false;
 hq.statistics.enable = true;
 deployment.server = "server10";
 };
diff --git a/hosts/dacbert/default.nix b/hosts/dacbert/default.nix
index f9ff48ee..7bfdf7f2 100644
--- a/hosts/dacbert/default.nix
+++ b/hosts/dacbert/default.nix
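Review bot: In the config/default.nix hunk, the relocated assertion still tests only `config.users.users.root.password == null`, so a root password supplied through `hashedPassword`, `initialPassword`, `initialHashedPassword` or the password-file option (`passwordFile`/`hashedPasswordFile`, depending on the nixpkgs in use) is not caught; widening it to `assertion = with config.users.users.root; password == null && hashedPassword == null && initialPassword == null && initialHashedPassword == null;` closes that gap. Dropping the former `cfg.isInHq ->` guard also makes the check unconditional for every host that imports this file, while the message still says "in HQ" — presumably intended now that isInHq is gone, but worth stating in the commit description or reflecting in the message text. The `mkMerge` wrapping itself is fine.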
@@ -35,7 +35,6 @@ let
 in {
 c3d2 = {
- isInHq = true;
 hq.interface = "eth0";
 hq.statistics.enable = true;
 audioServer.enable = true;
@@ -103,6 +102,7 @@ in
 };
 networking = {
+ domain = "hq.c3d2.de";
 hostName = "dacbert"; # Define your hostname.
 useDHCP = false;
 interfaces.eth0.useDHCP = true;
diff --git a/hosts/dn42/default.nix b/hosts/dn42/default.nix
index 9b24d8ce..d547ba8e 100644
--- a/hosts/dn42/default.nix
+++ b/hosts/dn42/default.nix
@@ -6,6 +6,7 @@ let
 inherit (pkgs) neighbors;
 in {
 networking = {
+ domain = "hq.c3d2.de";
 hostName = "dn42";
 useNetworkd = true;
 # No Firewalling!
@@ -13,7 +14,6 @@ in {
 };
 services.resolved.enable = false;
 c3d2 = {
- isInHq = true;
 hq = {
 interface = "c3d2";
 statistics.enable = true;
diff --git a/hosts/freifunk/default.nix b/hosts/freifunk/default.nix
index 6f2efd34..c320fcea 100644
--- a/hosts/freifunk/default.nix
+++ b/hosts/freifunk/default.nix
@@ -39,7 +39,6 @@ in {
 fi
 '';
 c3d2 = {
- isInHq = false;
 hq.statistics.enable = true;
 deployment = {
 server = "server10";
diff --git a/hosts/glotzbert/default.nix b/hosts/glotzbert/default.nix
index f9787a72..ea71e186 100644
--- a/hosts/glotzbert/default.nix
+++ b/hosts/glotzbert/default.nix
@@ -4,7 +4,6 @@
 imports = [ ./hardware-configuration.nix ];
 c3d2 = {
- isInHq = true;
 hq.interface = "eno1";
 k-ot.enable = true;
 autoUpdate = true;
@@ -31,6 +30,7 @@
 };
 networking = {
+ domain = "hq.c3d2.de";
 hostName = "glotzbert";
 interfaces.eno1.useDHCP = true;
 };
diff --git a/hosts/grafana/default.nix b/hosts/grafana/default.nix
index 7defa9dd..ea10b44b 100644
--- a/hosts/grafana/default.nix
+++ b/hosts/grafana/default.nix
@@ -2,10 +2,7 @@
 {
 microvm.mem = 4096;
- c3d2 = {
- deployment.server = "server10";
- isInHq = false;
- };
+ c3d2.deployment.server = "server10";
 environment.systemPackages = with pkgs; [ influxdb ];
diff --git a/hosts/jabber/default.nix b/hosts/jabber/default.nix
index 021644d9..e829ca77 100644
--- a/hosts/jabber/default.nix
+++ b/hosts/jabber/default.nix
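Review bot: In the dacbert `@@ -103,6 +102,7 @@` hunk, `domain = "hq.c3d2.de";` becomes a per-host literal, and the identical line is repeated in the dn42, glotzbert and pulsebert hunks; before this change the module set it once as a `mkDefault`. modules/c3d2.nix still gates `networking.interfaces` on `cfg.hq.interface != null`, so that same condition could carry `networking.domain = lib.mkDefault "hq.c3d2.de";` in one place, keeping hosts overridable and removing the four copies. If the per-host form is deliberate, a one-line comment on the module's `interfaces` block saying that the domain is host-owned would stop the next reader from re-centralising it.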
@@ -39,7 +39,6 @@ in
 c3d2 = {
 deployment.server = "server10";
 hq.statistics.enable = true;
- isInHq = false;
 };
 services.collectd.plugins.exec = ''
diff --git a/hosts/mailtngbert/default.nix b/hosts/mailtngbert/default.nix
index d4691490..5ba92b36 100644
--- a/hosts/mailtngbert/default.nix
+++ b/hosts/mailtngbert/default.nix
@@ -38,7 +38,6 @@ in
 c3d2 = {
 deployment.server = "server10";
 hq.statistics.enable = true;
- isInHq = false;
 };
 sops.defaultSopsFile = ./secrets.yaml;
diff --git a/hosts/mobilizon/default.nix b/hosts/mobilizon/default.nix
index e8da6ac1..54daf7d3 100644
--- a/hosts/mobilizon/default.nix
+++ b/hosts/mobilizon/default.nix
@@ -1,9 +1,6 @@
 { config, pkgs, ... }:
 {
- c3d2 = {
- deployment.server = "server10";
- isInHq = false;
- };
+ c3d2.deployment.server = "server10";
 microvm.mem = 2048;
diff --git a/hosts/pulsebert/default.nix b/hosts/pulsebert/default.nix
index 09fec445..2c00f962 100644
--- a/hosts/pulsebert/default.nix
+++ b/hosts/pulsebert/default.nix
@@ -6,7 +6,6 @@
 ];
 c3d2 = {
- isInHq = true;
 hq.interface = "eth0";
 hq.statistics.enable = true;
 k-ot.enable = true;
@@ -46,6 +45,7 @@
 };
 networking = {
+ domain = "hq.c3d2.de";
 firewall = {
 allowedTCPPorts = [
 # pulseaudio/pipewire network sync
diff --git a/hosts/radiobert/default.nix b/hosts/radiobert/default.nix
index 21b514fb..8c02667a 100644
--- a/hosts/radiobert/default.nix
+++ b/hosts/radiobert/default.nix
@@ -7,7 +7,6 @@
 ];
 c3d2 = {
- isInHq = false;
 hq.statistics.enable = true;
 pi-sensors = if true then [] else [ { type = "dht22";
diff --git a/hosts/rpi-netboot/default.nix b/hosts/rpi-netboot/default.nix
index 034309e7..18c63eb5 100644
--- a/hosts/rpi-netboot/default.nix
+++ b/hosts/rpi-netboot/default.nix
@@ -2,7 +2,6 @@
 {
 c3d2 = {
- isInHq = true;
 hq.interface = "eth0";
 hq.statistics.enable = false;
 audioServer.enable = true;
diff --git a/hosts/scrape/default.nix b/hosts/scrape/default.nix
index a5c7f6d1..08f422bf 100644
--- a/hosts/scrape/default.nix
+++ b/hosts/scrape/default.nix
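Review bot: In the rpi-netboot hunk, `isInHq = true` is removed but no `domain = "hq.c3d2.de";` is added, unlike dacbert, dn42, glotzbert and pulsebert, which received the same removal together with the new domain line; because the module-derived `networking.domain` is also deleted in this diff (modules/c3d2.nix, `@@ -229,8 +219,6 @@`), this host silently loses its domain. If rpi-netboot is still an HQ host, add `networking.domain = "hq.c3d2.de";` to it. The enclosing `c3d2` attrset continues past the end of the hunk.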
@@ -10,10 +10,7 @@ let
 };
 luftqualitaetStations = [ "1672" "1649" "1680" "1639" ];
 in {
- c3d2 = {
- isInHq = false;
- deployment.server = "server10";
- };
+ c3d2.deployment.server = "server10";
 networking.hostName = "scrape";
diff --git a/hosts/sdrweb/default.nix b/hosts/sdrweb/default.nix
index f30488b1..221a8dd7 100644
--- a/hosts/sdrweb/default.nix
+++ b/hosts/sdrweb/default.nix
@@ -5,10 +5,7 @@
 vcpu = 16;
 needForSpeed = true;
 };
- c3d2 = {
- isInHq = false;
- hq.statistics.enable = true;
- };
+ c3d2.hq.statistics.enable = true;
 system.stateVersion = "22.05";
diff --git a/hosts/server8/default.nix b/hosts/server8/default.nix
index 4a89b78b..75e62f90 100644
--- a/hosts/server8/default.nix
+++ b/hosts/server8/default.nix
@@ -1,4 +1,4 @@
-{ ... }:
+{ config, ... }:
 {
 imports = [
diff --git a/hosts/sshlog/default.nix b/hosts/sshlog/default.nix
index 39854c5d..235e4f1b 100644
--- a/hosts/sshlog/default.nix
+++ b/hosts/sshlog/default.nix
@@ -1,13 +1,7 @@
 { config, lib, pkgs, ... }:
 {
- deployment = {
- persistedShares = [ "/etc" "/home" "/var" ];
- mem = 512;
- };
- c3d2 = {
- isInHq = false;
- hq.statistics.enable = true;
- };
+ deployment.mem = 512;
+ c3d2.hq.statistics.enable = true;
 networking = {
 hostName = "sshlog";
diff --git a/modules/c3d2.nix b/modules/c3d2.nix
index 81e5dab1..b778bfe9 100644
--- a/modules/c3d2.nix
+++ b/modules/c3d2.nix
@@ -47,8 +47,6 @@ in
 '';
 };
- isInHq = mkEnableOption "HQ presence (TODO: what is this? association to VLAN 5?)";
 enableMotd = mkOption {
 type = types.bool;
 default = true;
@@ -113,7 +111,6 @@ in
 config = let
 adminKeys = with builtins; lib.lists.flatten (attrValues cfg.sshKeys);
- mkIfIsInHq = x: lib.mkIf cfg.isInHq (lib.mkDefault x);
 in {
 programs.nncp.settings = lib.optionalAttrs cfg.mergeNncpSettings cfg.nncp;
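Review bot: In the server8 hunk, `config` is added to the module's argument set but nothing in the hunk uses it, and no other server8 hunk appears in this diff, so the binding looks unused. Unless a follow-up commit needs it, keep the header as `{ ... }:` so the argument list only names what the module reads.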
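Review bot: In the sshlog hunk, `persistedShares = [ "/etc" "/home" "/var" ];` is dropped alongside the isInHq cleanup, which is an unrelated behavioural change: whatever `deployment.persistedShares` persists for this microvm (presumably those three trees, which would include the SSH host keys under /etc and the collected logs under /var) will no longer survive a VM rebuild unless persistence is now configured elsewhere. If that is intended, say so in the commit description; otherwise keep `deployment.persistedShares = [ "/etc" "/home" "/var" ];` next to the new `deployment.mem = 512;`.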
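Review bot: In the first modules/c3d2.nix hunk, `isInHq` is deleted outright, so any configuration that still sets `c3d2.isInHq` — and the README describes this module as usable on personal machines outside this repository — fails evaluation with an "option does not exist" error and no pointer to the replacement. Registering a shim such as `(lib.mkRemovedOptionModule [ "c3d2" "isInHq" ] "c3d2.isInHq was removed; set networking.domain on HQ hosts instead.")` in the module's `imports` turns that into a message naming what to do. The options attrset this hunk edits begins and ends outside the hunk.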
@@ -200,13 +197,6 @@ in
 };
 };
- assertions = [
- {
- assertion = cfg.isInHq -> (config.users.users.root.password == null);
- message = "Root passwords not allowed in HQ";
- }
- ];
-
 boot.cleanTmpDir = true;
 documentation.nixos.enable = false;
@@ -229,8 +219,6 @@ in
 };
 networking = {
- domain = mkIfIsInHq "hq.c3d2.de";
-
 interfaces = lib.mkIf (cfg.hq.interface != null) {
 "${cfg.hq.interface}".ipv6.addresses = [{
 address = toHqPrivateAddress config.networking.hostName;