Cleanup options

This commit is contained in:
Sandro - 2022-12-19 01:08:09 +01:00
parent 66fcd56dec
commit fee4372499
Signed by: sandro
GPG Key ID: 3AF5A43A3EECC2E5
6 changed files with 14 additions and 81 deletions


@ -324,7 +324,6 @@ in {
c3d2 = {
isInHq = false; # not in HQ, this is the default.
mergeHostsFile = true; # Make entries in /etc/hosts form hosts.nix
enableMotd = true; # Set the login shell message to the <<</>> logo.
};


@ -36,7 +36,6 @@ in
{
c3d2 = {
isInHq = true;
mergeHostsFile = true;
hq.interface = "eth0";
hq.statistics.enable = true;
audioServer.enable = true;


@ -6,7 +6,6 @@
c3d2 = {
isInHq = true;
hq.interface = "eno1";
hq.enableBinaryCache = false;
k-ot.enable = true;
autoUpdate = true;
};


@ -7,7 +7,6 @@
c3d2 = {
isInHq = true;
mergeHostsFile = true;
hq.interface = "eth0";
hq.statistics.enable = true;
k-ot.enable = true;


@ -3,7 +3,6 @@
{
c3d2 = {
isInHq = true;
mergeHostsFile = true;
hq.interface = "eth0";
hq.statistics.enable = false;
audioServer.enable = true;


@ -38,17 +38,9 @@ let
in
{
options.c3d2 = with lib; {
acmeEmail = mkOption {
type = types.str;
default = "mail@c3d2.de";
description = ''
Admin email address to use for Letsencrypt
'';
};
allUsersCanSshRoot = lib.mkOption {
type = lib.types.bool;
default = false;
default = true;
description = ''
Let all people in <literal>c3d2.users</literal>
login as root for deployment via SSH.
@ -59,16 +51,7 @@ in
enableMotd = mkOption {
type = types.bool;
default = cfg.isInHq;
defaultText = literalExample "config.c3d2.isInHq";
};
mergeHostsFile = mkOption {
type = types.bool;
default = cfg.isInHq;
description = ''
Whether to add <literal>c3d2.hosts</literal> to /etc/hosts.
'';
default = true;
};
mergeNncpSettings = mkEnableOption ''
@ -91,19 +74,6 @@ in
'';
};
enableBinaryCache = mkOption {
type = types.bool;
default = cfg.isInHq;
defaultText = literalExample "config.c3d2.isInHq";
description = "Whether to enable the local Nix binary cache";
};
enableMpdProxy = mkOption {
type = types.bool;
default = false;
description = "Whether to proxy the local MPD database";
};
journalToMqtt = mkOption {
type = types.bool;
# broken :(
@ -189,15 +159,6 @@ in
mkIfIsInHq = x: lib.mkIf cfg.isInHq (lib.mkDefault x);
in
{
networking.hosts = lib.mkIf cfg.mergeHostsFile
((
lib.attrsets.mapAttrs' (n: v: { name = v.ip4; value = [ "${n}.c3d2" ]; })
(lib.attrsets.filterAttrs (_: v: v.ip4 != null) cfg.hosts)
) // (
lib.attrsets.mapAttrs' (n: v: { name = v.ip6; value = [ "${n}.c3d2" ]; })
(lib.attrsets.filterAttrs (_: v: v.ip6 != null) cfg.hosts)
));
programs.nncp.settings = lib.optionalAttrs cfg.mergeNncpSettings cfg.nncp;
users.motd = lib.mkIf cfg.enableMotd (builtins.readFile ./motd);
@ -270,6 +231,7 @@ in
};
};
};
sops.secrets = lib.mkIf config.c3d2.hq.journalToMqtt {
"mqtt/user" = {
sopsFile = ../modules/mqtt.yaml;
@ -286,14 +248,6 @@ in
assertion = cfg.isInHq -> (config.users.users.root.password == null);
message = "Root passwords not allowed in HQ";
}
{
assertion = cfg.hq.enableBinaryCache -> cfg.mergeHostsFile;
message = "mergeHostsFile must be enabled for enableBinaryCache";
}
{
assertion = cfg.hq.enableMpdProxy -> cfg.mergeHostsFile;
message = "mergeHostsFile must be enabled for enableMpdProxy";
}
{
assertion = cfg.isInHq -> builtins.hasAttr config.networking.hostName cfg.hosts;
message = "${config.networking.hostName} is not registered in ${toString ../host-registry.nix}";
@ -344,12 +298,9 @@ in
documentation.nixos.enable = false;
c3d2.allUsersCanSshRoot = lib.mkDefault true;
i18n = {
defaultLocale = "en_US.UTF-8";
supportedLocales = [
"en_US.UTF-8/UTF-8"
"de_DE.UTF-8/UTF-8"
];
};
@ -364,10 +315,6 @@ in
};
networking = {
defaultGateway = lib.mkIf (!config.networking.useNetworkd) (
mkIfIsInHq "172.22.99.4"
);
domain = mkIfIsInHq "hq.c3d2.de";
interfaces = lib.mkIf (cfg.hq.interface != null) {
@ -399,10 +346,10 @@ in
connect-timeout = 20;
experimental-features = "nix-command flakes";
fallback = true;
# don't self feed hydra
trusted-public-keys = lib.mkIf (config.networking.hostName != "hydra") [
trusted-public-keys = [
"nix-serve.hq.c3d2.de:KZRGGnwOYzys6pxgM8jlur36RmkJQ/y8y62e52fj1ps="
];
# don't self feed hydra
substituters = lib.mkIf (config.networking.hostName != "hydra") (
lib.mkBefore [ "https://nix-serve.hq.c3d2.de" ]
);
@ -426,7 +373,7 @@ in
};
services.openssh = {
# Required for deployment
# Required for deployment and sops
enable = true;
permitRootLogin = "prohibit-password";
};
@ -480,7 +427,7 @@ in
{
publicKey = null;
publicKeyFile = null;
hostNames = [ ip6 "${name}.hq.c3d2.de" "${name}.hq" name ];
hostNames = [ ip6 "${name}.hq.c3d2.de" name ];
} // sshAttrs;
})
(builtins.attrNames cfg.hosts);
@ -506,23 +453,14 @@ in
rebootTime = "15s";
};
# Defaults for LetsEncrypt
security.acme =
if options.security.acme ? defaults
then {
acceptTerms = true;
# NixOS>=22.05
defaults = {
email = cfg.acmeEmail;
# letsencrypt staging server with way higher rate limits
# server = "https://acme-staging-v02.api.letsencrypt.org/directory";
};
}
else {
acceptTerms = true;
# TODO: NixOS<=21.05
email = cfg.acmeEmail;
security.acme = {
acceptTerms = true;
defaults = {
email = "mail@c3d2.de";
# letsencrypt staging server with way higher rate limits
# server = "https://acme-staging-v02.api.letsencrypt.org/directory";
};
};
zramSwap.enable = true;
};
}
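Review bot: The declared default of `allUsersCanSshRoot` flips from `false` to `true` in the first hunk of this file, so every host importing the module now grants key-based root SSH (the `permitRootLogin = "prohibit-password";` context later in the file) to everyone in `c3d2.users` unless it explicitly opts out, yet the option's description is left unchanged and does not mention this; if the earlier `c3d2.allUsersCanSshRoot = lib.mkDefault true;` in the config part was scoped to HQ hosts, the new declaration default also extends it to non-HQ hosts, which the hunk does not make clear. Please extend the description with a sentence such as `Defaults to true; set to false on hosts that should not grant root SSH access to all members.` so the widened default is visible in the generated option docs. Separately, dropping `"${name}.hq"` from `hostNames` in the known-hosts hunk removes host-key pinning for that alias, so any remaining connection using the bare `.hq` name would fall back to a trust-on-first-use prompt; confirm nothing still relies on it. The enclosing module expression begins before the first hunk and the `allUsersCanSshRoot` description continues past the hunk boundary.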