diff --git a/README.md b/README.md
index 26aeaf38..ea7dca45 100644
--- a/README.md
+++ b/README.md
@@ -324,7 +324,6 @@ in {
c3d2 = {
isInHq = false; # not in HQ, this is the default.
- mergeHostsFile = true; # Make entries in /etc/hosts form hosts.nix
enableMotd = true; # Set the login shell message to the <<>> logo.
};
diff --git a/hosts/dacbert/default.nix b/hosts/dacbert/default.nix
index ec809989..87669624 100644
--- a/hosts/dacbert/default.nix
+++ b/hosts/dacbert/default.nix
@@ -36,7 +36,6 @@ in
{
c3d2 = {
isInHq = true;
- mergeHostsFile = true;
hq.interface = "eth0";
hq.statistics.enable = true;
audioServer.enable = true;
diff --git a/hosts/glotzbert/default.nix b/hosts/glotzbert/default.nix
index b3474ad7..f9787a72 100644
--- a/hosts/glotzbert/default.nix
+++ b/hosts/glotzbert/default.nix
@@ -6,7 +6,6 @@
c3d2 = {
isInHq = true;
hq.interface = "eno1";
- hq.enableBinaryCache = false;
k-ot.enable = true;
autoUpdate = true;
};
diff --git a/hosts/pulsebert/default.nix b/hosts/pulsebert/default.nix
index 6f2e319a..91c86cf8 100644
--- a/hosts/pulsebert/default.nix
+++ b/hosts/pulsebert/default.nix
@@ -7,7 +7,6 @@
c3d2 = {
isInHq = true;
- mergeHostsFile = true;
hq.interface = "eth0";
hq.statistics.enable = true;
k-ot.enable = true;
diff --git a/hosts/rpi-netboot/default.nix b/hosts/rpi-netboot/default.nix
index 017dec7c..be934f20 100644
--- a/hosts/rpi-netboot/default.nix
+++ b/hosts/rpi-netboot/default.nix
@@ -3,7 +3,6 @@
{
c3d2 = {
isInHq = true;
- mergeHostsFile = true;
hq.interface = "eth0";
hq.statistics.enable = false;
audioServer.enable = true;
diff --git a/modules/c3d2.nix b/modules/c3d2.nix
index 348f5f73..2d006083 100644
--- a/modules/c3d2.nix
+++ b/modules/c3d2.nix
@@ -38,17 +38,9 @@ let
in
{
options.c3d2 = with lib; {
- acmeEmail = mkOption {
- type = types.str;
- default = "mail@c3d2.de";
- description = ''
- Admin email address to use for Letsencrypt
- '';
- };
-
allUsersCanSshRoot = lib.mkOption {
type = lib.types.bool;
- default = false;
+ default = true;
description = ''
Let all people in c3d2.users
login as root for deployment via SSH.
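Review bot: The default of `allUsersCanSshRoot` becomes `true` on every host, not only `isInHq` ones, because nothing in the option gates it on the HQ flag; the old `c3d2.allUsersCanSshRoot = lib.mkDefault true;` in the config section (removed further down in this commit) had the same effect, so behaviour is unchanged, but the description should now say what the default implies: `Defaults to true; set to false on hosts where not every member of c3d2.users should get root.`. The same hunk deletes the `acmeEmail` option, so any host still setting `c3d2.acmeEmail` will fail evaluation with an unknown-option error; none is visible in this diff, but it is worth a grep before deploying. The `options.c3d2` attribute set continues past the end of the hunk.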
@@ -59,16 +51,7 @@ in
enableMotd = mkOption {
type = types.bool;
- default = cfg.isInHq;
- defaultText = literalExample "config.c3d2.isInHq";
- };
-
- mergeHostsFile = mkOption {
- type = types.bool;
- default = cfg.isInHq;
- description = ''
- Whether to add c3d2.hosts to /etc/hosts.
- '';
+ default = true;
};
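Review bot: `enableMotd` still has no `description`, and its default has just changed from `cfg.isInHq` to a plain `true`, so non-HQ hosts now get the motd as well; the option should say what it drives. Based on the `users.motd = lib.mkIf cfg.enableMotd (builtins.readFile ./motd);` line elsewhere in this module, something like `description = "Whether to set users.motd to the C3D2 logo from ./motd; defaults to true on all hosts.";` would do. Dropping `defaultText` is fine now that the default is a literal.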
mergeNncpSettings = mkEnableOption ''
@@ -91,19 +74,6 @@ in
'';
};
- enableBinaryCache = mkOption {
- type = types.bool;
- default = cfg.isInHq;
- defaultText = literalExample "config.c3d2.isInHq";
- description = "Whether to enable the local Nix binary cache";
- };
-
- enableMpdProxy = mkOption {
- type = types.bool;
- default = false;
- description = "Whether to proxy the local MPD database";
- };
-
journalToMqtt = mkOption {
type = types.bool;
# broken :(
@@ -189,15 +159,6 @@ in
mkIfIsInHq = x: lib.mkIf cfg.isInHq (lib.mkDefault x);
in
{
- networking.hosts = lib.mkIf cfg.mergeHostsFile
- ((
- lib.attrsets.mapAttrs' (n: v: { name = v.ip4; value = [ "${n}.c3d2" ]; })
- (lib.attrsets.filterAttrs (_: v: v.ip4 != null) cfg.hosts)
- ) // (
- lib.attrsets.mapAttrs' (n: v: { name = v.ip6; value = [ "${n}.c3d2" ]; })
- (lib.attrsets.filterAttrs (_: v: v.ip6 != null) cfg.hosts)
- ));
-
programs.nncp.settings = lib.optionalAttrs cfg.mergeNncpSettings cfg.nncp;
users.motd = lib.mkIf cfg.enableMotd (builtins.readFile ./motd);
@@ -270,6 +231,7 @@ in
};
};
};
+
sops.secrets = lib.mkIf config.c3d2.hq.journalToMqtt {
"mqtt/user" = {
sopsFile = ../modules/mqtt.yaml;
@@ -286,14 +248,6 @@ in
assertion = cfg.isInHq -> (config.users.users.root.password == null);
message = "Root passwords not allowed in HQ";
}
- {
- assertion = cfg.hq.enableBinaryCache -> cfg.mergeHostsFile;
- message = "mergeHostsFile must be enabled for enableBinaryCache";
- }
- {
- assertion = cfg.hq.enableMpdProxy -> cfg.mergeHostsFile;
- message = "mergeHostsFile must be enabled for enableMpdProxy";
- }
{
assertion = cfg.isInHq -> builtins.hasAttr config.networking.hostName cfg.hosts;
message = "${config.networking.hostName} is not registered in ${toString ../host-registry.nix}";
@@ -344,12 +298,9 @@ in
documentation.nixos.enable = false;
- c3d2.allUsersCanSshRoot = lib.mkDefault true;
-
i18n = {
defaultLocale = "en_US.UTF-8";
supportedLocales = [
- "en_US.UTF-8/UTF-8"
"de_DE.UTF-8/UTF-8"
];
};
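Review bot: Removing `"en_US.UTF-8/UTF-8"` from `supportedLocales` while `defaultLocale` stays `"en_US.UTF-8"` means this list no longer generates the locale the system defaults to; because an explicit `supportedLocales` replaces the module default rather than extending it, the default locale will only be available if some other module re-adds it. Either keep the entry, `supportedLocales = [ "en_US.UTF-8/UTF-8" "de_DE.UTF-8/UTF-8" ];`, or change `defaultLocale` to match. If the intent was to rely on the NixOS default adding `en_US.UTF-8`, a one-line comment saying so would prevent the next reader from re-asking this.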
@@ -364,10 +315,6 @@ in
};
networking = {
- defaultGateway = lib.mkIf (!config.networking.useNetworkd) (
- mkIfIsInHq "172.22.99.4"
- );
-
domain = mkIfIsInHq "hq.c3d2.de";
interfaces = lib.mkIf (cfg.hq.interface != null) {
@@ -399,10 +346,10 @@ in
connect-timeout = 20;
experimental-features = "nix-command flakes";
fallback = true;
- # don't self feed hydra
- trusted-public-keys = lib.mkIf (config.networking.hostName != "hydra") [
+ trusted-public-keys = [
"nix-serve.hq.c3d2.de:KZRGGnwOYzys6pxgM8jlur36RmkJQ/y8y62e52fj1ps="
];
+ # don't self feed hydra
substituters = lib.mkIf (config.networking.hostName != "hydra") (
lib.mkBefore [ "https://nix-serve.hq.c3d2.de" ]
);
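Review bot: `trusted-public-keys` is now set unconditionally, so `hydra` also trusts the nix-serve key while its substituter stays excluded; if that key is hydra's own signing key this is harmless, but if it was meant to be trusted only for paths fetched from nix-serve, the old `config.networking.hostName != "hydra"` guard should stay on both settings, or the moved comment should explain why the key alone is safe to trust everywhere. Separately, with `enableBinaryCache` deleted in this commit there is no per-host opt-out any more (glotzbert had `hq.enableBinaryCache = false`), so a host that cannot reach `nix-serve.hq.c3d2.de` will wait out `connect-timeout = 20` on each fetch before `fallback = true` takes over. If every host is expected to reach the HQ cache, a short comment stating that assumption next to `substituters` would be useful.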
@@ -426,7 +373,7 @@ in
};
services.openssh = {
- # Required for deployment
+ # Required for deployment and sops
enable = true;
permitRootLogin = "prohibit-password";
};
@@ -480,7 +427,7 @@ in
{
publicKey = null;
publicKeyFile = null;
- hostNames = [ ip6 "${name}.hq.c3d2.de" "${name}.hq" name ];
+ hostNames = [ ip6 "${name}.hq.c3d2.de" name ];
} // sshAttrs;
})
(builtins.attrNames cfg.hosts);
@@ -506,23 +453,14 @@ in
rebootTime = "15s";
};
- # Defaults for LetsEncrypt
- security.acme =
- if options.security.acme ? defaults
- then {
- acceptTerms = true;
- # NixOS>=22.05
- defaults = {
- email = cfg.acmeEmail;
- # letsencrypt staging server with way higher rate limits
- # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
- };
- }
- else {
- acceptTerms = true;
- # TODO: NixOS<=21.05
- email = cfg.acmeEmail;
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ email = "mail@c3d2.de";
+ # letsencrypt staging server with way higher rate limits
+ # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
};
+ };
zramSwap.enable = true;
};
}
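Review bot: The new `security.acme` block assumes `security.acme.defaults` exists, which the removed branch documented as NixOS >= 22.05, and nothing in the new code records that floor; add `# security.acme.defaults requires NixOS >= 22.05` above `defaults = {` so an older channel fails for an obvious reason rather than an unknown-option error. The email is now the literal `"mail@c3d2.de"` instead of `cfg.acmeEmail`, so per-host overrides are only possible via `lib.mkForce` on `security.acme.defaults.email`; if that is intended, say so in a comment. The commented-out staging-server line is a useful hint and fine to keep.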