Cleanup options

This commit is contained in:
Sandro - 2022-12-19 01:08:09 +01:00
parent 66fcd56dec
commit fee4372499
Signed by: sandro
GPG Key ID: 3AF5A43A3EECC2E5
6 changed files with 14 additions and 81 deletions


@ -324,7 +324,6 @@ in {
c3d2 = { c3d2 = {
isInHq = false; # not in HQ, this is the default. isInHq = false; # not in HQ, this is the default.
mergeHostsFile = true; # Make entries in /etc/hosts form hosts.nix
enableMotd = true; # Set the login shell message to the <<</>> logo. enableMotd = true; # Set the login shell message to the <<</>> logo.
}; };


@ -36,7 +36,6 @@ in
{ {
c3d2 = { c3d2 = {
isInHq = true; isInHq = true;
mergeHostsFile = true;
hq.interface = "eth0"; hq.interface = "eth0";
hq.statistics.enable = true; hq.statistics.enable = true;
audioServer.enable = true; audioServer.enable = true;


@ -6,7 +6,6 @@
c3d2 = { c3d2 = {
isInHq = true; isInHq = true;
hq.interface = "eno1"; hq.interface = "eno1";
hq.enableBinaryCache = false;
k-ot.enable = true; k-ot.enable = true;
autoUpdate = true; autoUpdate = true;
}; };


@ -7,7 +7,6 @@
c3d2 = { c3d2 = {
isInHq = true; isInHq = true;
mergeHostsFile = true;
hq.interface = "eth0"; hq.interface = "eth0";
hq.statistics.enable = true; hq.statistics.enable = true;
k-ot.enable = true; k-ot.enable = true;


@ -3,7 +3,6 @@
{ {
c3d2 = { c3d2 = {
isInHq = true; isInHq = true;
mergeHostsFile = true;
hq.interface = "eth0"; hq.interface = "eth0";
hq.statistics.enable = false; hq.statistics.enable = false;
audioServer.enable = true; audioServer.enable = true;


@ -38,17 +38,9 @@ let
in in
{ {
options.c3d2 = with lib; { options.c3d2 = with lib; {
acmeEmail = mkOption {
type = types.str;
default = "mail@c3d2.de";
description = ''
Admin email address to use for Letsencrypt
'';
};
allUsersCanSshRoot = lib.mkOption { allUsersCanSshRoot = lib.mkOption {
type = lib.types.bool; type = lib.types.bool;
default = false; default = true;
description = '' description = ''
Let all people in <literal>c3d2.users</literal> Let all people in <literal>c3d2.users</literal>
login as root for deployment via SSH. login as root for deployment via SSH.
@ -59,16 +51,7 @@ in
enableMotd = mkOption { enableMotd = mkOption {
type = types.bool; type = types.bool;
default = cfg.isInHq; default = true;
defaultText = literalExample "config.c3d2.isInHq";
};
mergeHostsFile = mkOption {
type = types.bool;
default = cfg.isInHq;
description = ''
Whether to add <literal>c3d2.hosts</literal> to /etc/hosts.
'';
}; };
mergeNncpSettings = mkEnableOption '' mergeNncpSettings = mkEnableOption ''
@ -91,19 +74,6 @@ in
''; '';
}; };
enableBinaryCache = mkOption {
type = types.bool;
default = cfg.isInHq;
defaultText = literalExample "config.c3d2.isInHq";
description = "Whether to enable the local Nix binary cache";
};
enableMpdProxy = mkOption {
type = types.bool;
default = false;
description = "Whether to proxy the local MPD database";
};
journalToMqtt = mkOption { journalToMqtt = mkOption {
type = types.bool; type = types.bool;
# broken :( # broken :(
@ -189,15 +159,6 @@ in
mkIfIsInHq = x: lib.mkIf cfg.isInHq (lib.mkDefault x); mkIfIsInHq = x: lib.mkIf cfg.isInHq (lib.mkDefault x);
in in
{ {
networking.hosts = lib.mkIf cfg.mergeHostsFile
((
lib.attrsets.mapAttrs' (n: v: { name = v.ip4; value = [ "${n}.c3d2" ]; })
(lib.attrsets.filterAttrs (_: v: v.ip4 != null) cfg.hosts)
) // (
lib.attrsets.mapAttrs' (n: v: { name = v.ip6; value = [ "${n}.c3d2" ]; })
(lib.attrsets.filterAttrs (_: v: v.ip6 != null) cfg.hosts)
));
programs.nncp.settings = lib.optionalAttrs cfg.mergeNncpSettings cfg.nncp; programs.nncp.settings = lib.optionalAttrs cfg.mergeNncpSettings cfg.nncp;
users.motd = lib.mkIf cfg.enableMotd (builtins.readFile ./motd); users.motd = lib.mkIf cfg.enableMotd (builtins.readFile ./motd);
@ -270,6 +231,7 @@ in
}; };
}; };
}; };
sops.secrets = lib.mkIf config.c3d2.hq.journalToMqtt { sops.secrets = lib.mkIf config.c3d2.hq.journalToMqtt {
"mqtt/user" = { "mqtt/user" = {
sopsFile = ../modules/mqtt.yaml; sopsFile = ../modules/mqtt.yaml;
@ -286,14 +248,6 @@ in
assertion = cfg.isInHq -> (config.users.users.root.password == null); assertion = cfg.isInHq -> (config.users.users.root.password == null);
message = "Root passwords not allowed in HQ"; message = "Root passwords not allowed in HQ";
} }
{
assertion = cfg.hq.enableBinaryCache -> cfg.mergeHostsFile;
message = "mergeHostsFile must be enabled for enableBinaryCache";
}
{
assertion = cfg.hq.enableMpdProxy -> cfg.mergeHostsFile;
message = "mergeHostsFile must be enabled for enableMpdProxy";
}
{ {
assertion = cfg.isInHq -> builtins.hasAttr config.networking.hostName cfg.hosts; assertion = cfg.isInHq -> builtins.hasAttr config.networking.hostName cfg.hosts;
message = "${config.networking.hostName} is not registered in ${toString ../host-registry.nix}"; message = "${config.networking.hostName} is not registered in ${toString ../host-registry.nix}";
@ -344,12 +298,9 @@ in
documentation.nixos.enable = false; documentation.nixos.enable = false;
c3d2.allUsersCanSshRoot = lib.mkDefault true;
i18n = { i18n = {
defaultLocale = "en_US.UTF-8"; defaultLocale = "en_US.UTF-8";
supportedLocales = [ supportedLocales = [
"en_US.UTF-8/UTF-8"
"de_DE.UTF-8/UTF-8" "de_DE.UTF-8/UTF-8"
]; ];
}; };
@ -364,10 +315,6 @@ in
}; };
networking = { networking = {
defaultGateway = lib.mkIf (!config.networking.useNetworkd) (
mkIfIsInHq "172.22.99.4"
);
domain = mkIfIsInHq "hq.c3d2.de"; domain = mkIfIsInHq "hq.c3d2.de";
interfaces = lib.mkIf (cfg.hq.interface != null) { interfaces = lib.mkIf (cfg.hq.interface != null) {
@ -399,10 +346,10 @@ in
connect-timeout = 20; connect-timeout = 20;
experimental-features = "nix-command flakes"; experimental-features = "nix-command flakes";
fallback = true; fallback = true;
# don't self feed hydra trusted-public-keys = [
trusted-public-keys = lib.mkIf (config.networking.hostName != "hydra") [
"nix-serve.hq.c3d2.de:KZRGGnwOYzys6pxgM8jlur36RmkJQ/y8y62e52fj1ps=" "nix-serve.hq.c3d2.de:KZRGGnwOYzys6pxgM8jlur36RmkJQ/y8y62e52fj1ps="
]; ];
# don't self feed hydra
substituters = lib.mkIf (config.networking.hostName != "hydra") ( substituters = lib.mkIf (config.networking.hostName != "hydra") (
lib.mkBefore [ "https://nix-serve.hq.c3d2.de" ] lib.mkBefore [ "https://nix-serve.hq.c3d2.de" ]
); );
@ -426,7 +373,7 @@ in
}; };
services.openssh = { services.openssh = {
# Required for deployment # Required for deployment and sops
enable = true; enable = true;
permitRootLogin = "prohibit-password"; permitRootLogin = "prohibit-password";
}; };
@ -480,7 +427,7 @@ in
{ {
publicKey = null; publicKey = null;
publicKeyFile = null; publicKeyFile = null;
hostNames = [ ip6 "${name}.hq.c3d2.de" "${name}.hq" name ]; hostNames = [ ip6 "${name}.hq.c3d2.de" name ];
} // sshAttrs; } // sshAttrs;
}) })
(builtins.attrNames cfg.hosts); (builtins.attrNames cfg.hosts);
@ -506,23 +453,14 @@ in
rebootTime = "15s"; rebootTime = "15s";
}; };
# Defaults for LetsEncrypt security.acme = {
security.acme = acceptTerms = true;
if options.security.acme ? defaults defaults = {
then { email = "mail@c3d2.de";
acceptTerms = true; # letsencrypt staging server with way higher rate limits
# NixOS>=22.05 # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
defaults = {
email = cfg.acmeEmail;
# letsencrypt staging server with way higher rate limits
# server = "https://acme-staging-v02.api.letsencrypt.org/directory";
};
}
else {
acceptTerms = true;
# TODO: NixOS<=21.05
email = cfg.acmeEmail;
}; };
};
zramSwap.enable = true; zramSwap.enable = true;
}; };
} }
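Review bot: The declared default of `allUsersCanSshRoot` flips from false to true in the options hunk at the top of this section, while the `c3d2.allUsersCanSshRoot = lib.mkDefault true;` line in the config hunk further down is dropped; the net effect is that every host importing this module, including those with `isInHq = false`, now lets all `c3d2.users` log in as root over SSH unless it explicitly opts out. If that removed mkDefault sat inside an isInHq-conditional block (its enclosing attribute set starts outside the hunk, so this cannot be confirmed here), non-HQ hosts silently gain the permissive default. A safer equivalent of the old behaviour is `default = cfg.isInHq;` with `defaultText = literalExample "config.c3d2.isInHq";`, mirroring how enableMotd was declared before this commit. Either way the description should state the new default, e.g. `Defaults to true; non-HQ hosts should set this to false unless they are deployed over SSH.`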