Cleanup options
This commit is contained in:
parent
66fcd56dec
commit
fee4372499
|
@ -324,7 +324,6 @@ in {
|
|||
|
||||
c3d2 = {
|
||||
isInHq = false; # not in HQ, this is the default.
|
||||
mergeHostsFile = true; # Make entries in /etc/hosts form hosts.nix
|
||||
enableMotd = true; # Set the login shell message to the <<</>> logo.
|
||||
};
|
||||
|
||||
|
|
|
@ -36,7 +36,6 @@ in
|
|||
{
|
||||
c3d2 = {
|
||||
isInHq = true;
|
||||
mergeHostsFile = true;
|
||||
hq.interface = "eth0";
|
||||
hq.statistics.enable = true;
|
||||
audioServer.enable = true;
|
||||
|
|
|
@ -6,7 +6,6 @@
|
|||
c3d2 = {
|
||||
isInHq = true;
|
||||
hq.interface = "eno1";
|
||||
hq.enableBinaryCache = false;
|
||||
k-ot.enable = true;
|
||||
autoUpdate = true;
|
||||
};
|
||||
|
|
|
@ -7,7 +7,6 @@
|
|||
|
||||
c3d2 = {
|
||||
isInHq = true;
|
||||
mergeHostsFile = true;
|
||||
hq.interface = "eth0";
|
||||
hq.statistics.enable = true;
|
||||
k-ot.enable = true;
|
||||
|
|
|
@ -3,7 +3,6 @@
|
|||
{
|
||||
c3d2 = {
|
||||
isInHq = true;
|
||||
mergeHostsFile = true;
|
||||
hq.interface = "eth0";
|
||||
hq.statistics.enable = false;
|
||||
audioServer.enable = true;
|
||||
|
|
|
@ -38,17 +38,9 @@ let
|
|||
in
|
||||
{
|
||||
options.c3d2 = with lib; {
|
||||
acmeEmail = mkOption {
|
||||
type = types.str;
|
||||
default = "mail@c3d2.de";
|
||||
description = ''
|
||||
Admin email address to use for Letsencrypt
|
||||
'';
|
||||
};
|
||||
|
||||
allUsersCanSshRoot = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = false;
|
||||
default = true;
|
||||
description = ''
|
||||
Let all people in <literal>c3d2.users</literal>
|
||||
login as root for deployment via SSH.
|
||||
|
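Review bot: The `allUsersCanSshRoot` default flips from `false` to `true` at the `default = false;` / `default = true;` pair, so a host that imports this module now grants root SSH login to everyone in `c3d2.users` unless it opts out, yet the description still says only what the option permits. Net behaviour for existing hosts is probably unchanged, since the `c3d2.allUsersCanSshRoot = lib.mkDefault true;` removed in the -344 hunk set the same value from config, but the policy now lives in the option itself and should be visible there. Extend the description, e.g. append `Defaults to true; set to false on hosts where members of c3d2.users must not obtain root.`. The `options.c3d2` set opened at `options.c3d2 = with lib; {` continues past the end of this hunk.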
@ -59,16 +51,7 @@ in
|
|||
|
||||
enableMotd = mkOption {
|
||||
type = types.bool;
|
||||
default = cfg.isInHq;
|
||||
defaultText = literalExample "config.c3d2.isInHq";
|
||||
};
|
||||
|
||||
mergeHostsFile = mkOption {
|
||||
type = types.bool;
|
||||
default = cfg.isInHq;
|
||||
description = ''
|
||||
Whether to add <literal>c3d2.hosts</literal> to /etc/hosts.
|
||||
'';
|
||||
default = true;
|
||||
};
|
||||
|
||||
mergeNncpSettings = mkEnableOption ''
|
||||
|
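Review bot: Going by the hunk counts (16 old lines, 7 new), `mergeHostsFile` keeps only `type` and `default = true;` and loses its `description`, which makes it the one option in this block without documentation. Since the default also moves from `cfg.isInHq` to `true`, hosts outside the HQ now get the merge unless they opt out, which is exactly what a description should state. Keep a one-liner such as `description = "Whether to add <literal>c3d2.hosts</literal> to /etc/hosts; enabled by default on all hosts.";` between `default` and `};`. The `mergeNncpSettings` option opened at the bottom of the hunk continues past it.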
@ -91,19 +74,6 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
enableBinaryCache = mkOption {
|
||||
type = types.bool;
|
||||
default = cfg.isInHq;
|
||||
defaultText = literalExample "config.c3d2.isInHq";
|
||||
description = "Whether to enable the local Nix binary cache";
|
||||
};
|
||||
|
||||
enableMpdProxy = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Whether to proxy the local MPD database";
|
||||
};
|
||||
|
||||
journalToMqtt = mkOption {
|
||||
type = types.bool;
|
||||
# broken :(
|
||||
|
@ -189,15 +159,6 @@ in
|
|||
mkIfIsInHq = x: lib.mkIf cfg.isInHq (lib.mkDefault x);
|
||||
in
|
||||
{
|
||||
networking.hosts = lib.mkIf cfg.mergeHostsFile
|
||||
((
|
||||
lib.attrsets.mapAttrs' (n: v: { name = v.ip4; value = [ "${n}.c3d2" ]; })
|
||||
(lib.attrsets.filterAttrs (_: v: v.ip4 != null) cfg.hosts)
|
||||
) // (
|
||||
lib.attrsets.mapAttrs' (n: v: { name = v.ip6; value = [ "${n}.c3d2" ]; })
|
||||
(lib.attrsets.filterAttrs (_: v: v.ip6 != null) cfg.hosts)
|
||||
));
|
||||
|
||||
programs.nncp.settings = lib.optionalAttrs cfg.mergeNncpSettings cfg.nncp;
|
||||
|
||||
users.motd = lib.mkIf cfg.enableMotd (builtins.readFile ./motd);
|
||||
|
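Review bot: The removed lines appear to include the whole `networking.hosts = lib.mkIf cfg.mergeHostsFile (...)` block, which is the only place in view that acts on `cfg.mergeHostsFile`; unless that logic moved to a file outside this commit, the `mergeHostsFile` option kept in the -59 hunk is now a no-op and hosts that set it get no /etc/hosts entries for `cfg.hosts`. If the merge moved, a one-line comment at the former location, e.g. `# networking.hosts for cfg.hosts is now set in <PATH-PLACEHOLDER>`, would save the next reader the search; if it did not, the option should go with it. `users.motd` going away is consistent with the removal of `enableMotd`, so no issue there. The attrset opened with `{` after `in` continues past the hunk.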
@ -270,6 +231,7 @@ in
|
|||
};
|
||||
};
|
||||
};
|
||||
|
||||
sops.secrets = lib.mkIf config.c3d2.hq.journalToMqtt {
|
||||
"mqtt/user" = {
|
||||
sopsFile = ../modules/mqtt.yaml;
|
||||
|
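Review bot: `sops.secrets = lib.mkIf config.c3d2.hq.journalToMqtt {` (the added line, as far as the +1 count and layout show) reads `c3d2.hq.journalToMqtt`, but the only `journalToMqtt` option visible in this commit is declared directly under `options.c3d2` (context of the -91 hunk, marked `# broken :(`), so unless an `hq.journalToMqtt` option exists elsewhere this path fails at evaluation. Elsewhere in the same module the option set is accessed through `cfg`, so `lib.mkIf cfg.hq.journalToMqtt` (or `cfg.journalToMqtt`, whichever is the declared path) would also match the surrounding style. The `sops.secrets` attrset continues past the end of the hunk.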
@ -286,14 +248,6 @@ in
|
|||
assertion = cfg.isInHq -> (config.users.users.root.password == null);
|
||||
message = "Root passwords not allowed in HQ";
|
||||
}
|
||||
{
|
||||
assertion = cfg.hq.enableBinaryCache -> cfg.mergeHostsFile;
|
||||
message = "mergeHostsFile must be enabled for enableBinaryCache";
|
||||
}
|
||||
{
|
||||
assertion = cfg.hq.enableMpdProxy -> cfg.mergeHostsFile;
|
||||
message = "mergeHostsFile must be enabled for enableMpdProxy";
|
||||
}
|
||||
{
|
||||
assertion = cfg.isInHq -> builtins.hasAttr config.networking.hostName cfg.hosts;
|
||||
message = "${config.networking.hostName} is not registered in ${toString ../host-registry.nix}";
|
||||
|
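Review bot: Dropping the two assertions `cfg.hq.enableBinaryCache -> cfg.mergeHostsFile` and `cfg.hq.enableMpdProxy -> cfg.mergeHostsFile` removes the only guard against enabling the binary cache or MPD proxy on a host that has `mergeHostsFile = false`; the new `true` default covers the common case, but an explicit opt-out now fails at runtime instead of at evaluation. If the dependency no longer exists (for instance because the /etc/hosts merge is now produced elsewhere), a short comment above the remaining assertions would make that clear; otherwise keep the two checks. The `assertions` list continues past both ends of the hunk.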
@ -344,12 +298,9 @@ in
|
|||
|
||||
documentation.nixos.enable = false;
|
||||
|
||||
c3d2.allUsersCanSshRoot = lib.mkDefault true;
|
||||
|
||||
i18n = {
|
||||
defaultLocale = "en_US.UTF-8";
|
||||
supportedLocales = [
|
||||
"en_US.UTF-8/UTF-8"
|
||||
"de_DE.UTF-8/UTF-8"
|
||||
];
|
||||
};
|
||||
|
@ -364,10 +315,6 @@ in
|
|||
};
|
||||
|
||||
networking = {
|
||||
defaultGateway = lib.mkIf (!config.networking.useNetworkd) (
|
||||
mkIfIsInHq "172.22.99.4"
|
||||
);
|
||||
|
||||
domain = mkIfIsInHq "hq.c3d2.de";
|
||||
|
||||
interfaces = lib.mkIf (cfg.hq.interface != null) {
|
||||
|
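Review bot: By the counts (10 old lines, 6 new) the removed lines are the `defaultGateway = lib.mkIf (!config.networking.useNetworkd) (mkIfIsInHq "172.22.99.4");` block, so HQ hosts not using networkd lose the static default gateway this module used to supply; whether another source provides one is not visible here. If that is intended, the commit title "Cleanup options" does not convey it, and a one-line comment where the gateway was, e.g. `# default gateway now comes from <MECHANISM-PLACEHOLDER>`, would document the assumption. The `networking = {` attrset continues past the end of the hunk.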
@ -399,10 +346,10 @@ in
|
|||
connect-timeout = 20;
|
||||
experimental-features = "nix-command flakes";
|
||||
fallback = true;
|
||||
# don't self feed hydra
|
||||
trusted-public-keys = lib.mkIf (config.networking.hostName != "hydra") [
|
||||
trusted-public-keys = [
|
||||
"nix-serve.hq.c3d2.de:KZRGGnwOYzys6pxgM8jlur36RmkJQ/y8y62e52fj1ps="
|
||||
];
|
||||
# don't self feed hydra
|
||||
substituters = lib.mkIf (config.networking.hostName != "hydra") (
|
||||
lib.mkBefore [ "https://nix-serve.hq.c3d2.de" ]
|
||||
);
|
||||
|
@ -426,7 +373,7 @@ in
|
|||
};
|
||||
|
||||
services.openssh = {
|
||||
# Required for deployment
|
||||
# Required for deployment and sops
|
||||
enable = true;
|
||||
permitRootLogin = "prohibit-password";
|
||||
};
|
||||
|
@ -480,7 +427,7 @@ in
|
|||
{
|
||||
publicKey = null;
|
||||
publicKeyFile = null;
|
||||
hostNames = [ ip6 "${name}.hq.c3d2.de" "${name}.hq" name ];
|
||||
hostNames = [ ip6 "${name}.hq.c3d2.de" name ];
|
||||
} // sshAttrs;
|
||||
})
|
||||
(builtins.attrNames cfg.hosts);
|
||||
|
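Review bot: The known-hosts entry shrinks from `hostNames = [ ip6 "${name}.hq.c3d2.de" "${name}.hq" name ];` to `hostNames = [ ip6 "${name}.hq.c3d2.de" name ];`, so an SSH client addressing a host as `<name>.hq` no longer finds a pinned key and falls back to the unknown-host prompt (or a hard failure under strict host-key checking). That is fine if nothing uses the `.hq` suffix any more, but it is worth confirming against the deployment tooling before merging, since a missing pin silently downgrades to trust-on-first-use. The surrounding `map`/`listToAttrs` expression begins and ends outside the hunk.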
@ -506,23 +453,14 @@ in
|
|||
rebootTime = "15s";
|
||||
};
|
||||
|
||||
# Defaults for LetsEncrypt
|
||||
security.acme =
|
||||
if options.security.acme ? defaults
|
||||
then {
|
||||
acceptTerms = true;
|
||||
# NixOS>=22.05
|
||||
defaults = {
|
||||
email = cfg.acmeEmail;
|
||||
# letsencrypt staging server with way higher rate limits
|
||||
# server = "https://acme-staging-v02.api.letsencrypt.org/directory";
|
||||
};
|
||||
}
|
||||
else {
|
||||
acceptTerms = true;
|
||||
# TODO: NixOS<=21.05
|
||||
email = cfg.acmeEmail;
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
defaults = {
|
||||
email = "mail@c3d2.de";
|
||||
# letsencrypt staging server with way higher rate limits
|
||||
# server = "https://acme-staging-v02.api.letsencrypt.org/directory";
|
||||
};
|
||||
};
|
||||
zramSwap.enable = true;
|
||||
};
|
||||
}
|
||||
|
|
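Review bot: The rewritten `security.acme` block hardcodes `email = "mail@c3d2.de";` in place of the removed `cfg.acmeEmail` option, and drops the `# Defaults for LetsEncrypt` and `# NixOS>=22.05` comments together with the `options.security.acme ? defaults` compatibility branch. Since `security.acme.defaults` only exists on NixOS 22.05 and later (as the removed comment recorded), the new block silently raises the minimum supported release; keep that visible with a header, e.g. `# Defaults for LetsEncrypt; security.acme.defaults requires NixOS >= 22.05`. Hosts that still set `c3d2.acmeEmail` will now fail evaluation with an undefined-option error, which is the intended effect of the cleanup but worth a line in the commit message.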