Cleanup options
parent
66fcd56dec
commit
fee4372499
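--- a/[file path not shown on page]
+++ b/[file path not shown on page]
@@ -324,7 +324,6 @@ in {
 
 c3d2 = {
 isInHq = false; # not in HQ, this is the default.
-mergeHostsFile = true; # Make entries in /etc/hosts form hosts.nix
 enableMotd = true; # Set the login shell message to the <<</>> logo.
 };
 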
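--- a/[file path not shown on page]
+++ b/[file path not shown on page]
@@ -36,7 +36,6 @@ in
 {
 c3d2 = {
 isInHq = true;
-mergeHostsFile = true;
 hq.interface = "eth0";
 hq.statistics.enable = true;
 audioServer.enable = true;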
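--- a/[file path not shown on page]
+++ b/[file path not shown on page]
@@ -6,7 +6,6 @@
 c3d2 = {
 isInHq = true;
 hq.interface = "eno1";
-hq.enableBinaryCache = false;
 k-ot.enable = true;
 autoUpdate = true;
 };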
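--- a/[file path not shown on page]
+++ b/[file path not shown on page]
@@ -7,7 +7,6 @@
 
 c3d2 = {
 isInHq = true;
-mergeHostsFile = true;
 hq.interface = "eth0";
 hq.statistics.enable = true;
 k-ot.enable = true;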
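--- a/[file path not shown on page]
+++ b/[file path not shown on page]
@@ -3,7 +3,6 @@
 {
 c3d2 = {
 isInHq = true;
-mergeHostsFile = true;
 hq.interface = "eth0";
 hq.statistics.enable = false;
 audioServer.enable = true;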
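--- a/[file path not shown on page]
+++ b/[file path not shown on page]
@@ -38,17 +38,9 @@ let
 in
 {
 options.c3d2 = with lib; {
-acmeEmail = mkOption {
-type = types.str;
-default = "mail@c3d2.de";
-description = ''
-Admin email address to use for Letsencrypt
-'';
-};
-
 allUsersCanSshRoot = lib.mkOption {
 type = lib.types.bool;
-default = false;
+default = true;
 description = ''
 Let all people in <literal>c3d2.users</literal>
 login as root for deployment via SSH.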
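Review bot: The default of `allUsersCanSshRoot` flips from `false` to `true` in this hunk, so any host that imports this module without setting the option now grants root SSH login to everyone in `c3d2.users`; what used to be opt-in is now opt-out. The `c3d2.allUsersCanSshRoot = lib.mkDefault true;` removed in the hunk at old line 344 supplied that value before, but whether that line was scoped to HQ hosts is not visible here, so non-HQ hosts may be the ones whose behaviour actually changes. The option description should state the new default and how to turn it off, e.g. append `Defaults to true; set to false on hosts that must not grant root login to every listed user.` to the description text. The `options.c3d2` attribute set continues past the end of the hunk.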
@ -59,16 +51,7 @@ in
|
||||||
|
|
||||||
enableMotd = mkOption {
|
enableMotd = mkOption {
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
default = cfg.isInHq;
|
default = true;
|
||||||
defaultText = literalExample "config.c3d2.isInHq";
|
|
||||||
};
|
|
||||||
|
|
||||||
mergeHostsFile = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = cfg.isInHq;
|
|
||||||
description = ''
|
|
||||||
Whether to add <literal>c3d2.hosts</literal> to /etc/hosts.
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
|
|
||||||
mergeNncpSettings = mkEnableOption ''
|
mergeNncpSettings = mkEnableOption ''
|
||||||
|
@ -91,19 +74,6 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
enableBinaryCache = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = cfg.isInHq;
|
|
||||||
defaultText = literalExample "config.c3d2.isInHq";
|
|
||||||
description = "Whether to enable the local Nix binary cache";
|
|
||||||
};
|
|
||||||
|
|
||||||
enableMpdProxy = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = false;
|
|
||||||
description = "Whether to proxy the local MPD database";
|
|
||||||
};
|
|
||||||
|
|
||||||
journalToMqtt = mkOption {
|
journalToMqtt = mkOption {
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
# broken :(
|
# broken :(
|
||||||
|
@ -189,15 +159,6 @@ in
|
||||||
mkIfIsInHq = x: lib.mkIf cfg.isInHq (lib.mkDefault x);
|
mkIfIsInHq = x: lib.mkIf cfg.isInHq (lib.mkDefault x);
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
networking.hosts = lib.mkIf cfg.mergeHostsFile
|
|
||||||
((
|
|
||||||
lib.attrsets.mapAttrs' (n: v: { name = v.ip4; value = [ "${n}.c3d2" ]; })
|
|
||||||
(lib.attrsets.filterAttrs (_: v: v.ip4 != null) cfg.hosts)
|
|
||||||
) // (
|
|
||||||
lib.attrsets.mapAttrs' (n: v: { name = v.ip6; value = [ "${n}.c3d2" ]; })
|
|
||||||
(lib.attrsets.filterAttrs (_: v: v.ip6 != null) cfg.hosts)
|
|
||||||
));
|
|
||||||
|
|
||||||
programs.nncp.settings = lib.optionalAttrs cfg.mergeNncpSettings cfg.nncp;
|
programs.nncp.settings = lib.optionalAttrs cfg.mergeNncpSettings cfg.nncp;
|
||||||
|
|
||||||
users.motd = lib.mkIf cfg.enableMotd (builtins.readFile ./motd);
|
users.motd = lib.mkIf cfg.enableMotd (builtins.readFile ./motd);
|
||||||
|
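--- a/[file path not shown on page]
+++ b/[file path not shown on page]
@@ -270,6 +231,7 @@ in
 };
 };
 };
+
 sops.secrets = lib.mkIf config.c3d2.hq.journalToMqtt {
 "mqtt/user" = {
 sopsFile = ../modules/mqtt.yaml;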
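--- a/[file path not shown on page]
+++ b/[file path not shown on page]
@@ -286,14 +248,6 @@ in
 assertion = cfg.isInHq -> (config.users.users.root.password == null);
 message = "Root passwords not allowed in HQ";
 }
-{
-assertion = cfg.hq.enableBinaryCache -> cfg.mergeHostsFile;
-message = "mergeHostsFile must be enabled for enableBinaryCache";
-}
-{
-assertion = cfg.hq.enableMpdProxy -> cfg.mergeHostsFile;
-message = "mergeHostsFile must be enabled for enableMpdProxy";
-}
 {
 assertion = cfg.isInHq -> builtins.hasAttr config.networking.hostName cfg.hosts;
 message = "${config.networking.hostName} is not registered in ${toString ../host-registry.nix}";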
@ -344,12 +298,9 @@ in
|
||||||
|
|
||||||
documentation.nixos.enable = false;
|
documentation.nixos.enable = false;
|
||||||
|
|
||||||
c3d2.allUsersCanSshRoot = lib.mkDefault true;
|
|
||||||
|
|
||||||
i18n = {
|
i18n = {
|
||||||
defaultLocale = "en_US.UTF-8";
|
defaultLocale = "en_US.UTF-8";
|
||||||
supportedLocales = [
|
supportedLocales = [
|
||||||
"en_US.UTF-8/UTF-8"
|
|
||||||
"de_DE.UTF-8/UTF-8"
|
"de_DE.UTF-8/UTF-8"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
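Review bot: Dropping `"en_US.UTF-8/UTF-8"` from `supportedLocales` leaves `defaultLocale = "en_US.UTF-8"` naming a locale that is no longer in the explicitly set list; an explicit `supportedLocales` value replaces the module default instead of extending it, so the default locale is not generated unless something outside this hunk adds it back. Either keep the `"en_US.UTF-8/UTF-8"` entry or change `defaultLocale` to `"de_DE.UTF-8"` so the two settings agree. The `i18n` block starts and ends inside the hunk, but the enclosing config set does not.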
@ -364,10 +315,6 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
defaultGateway = lib.mkIf (!config.networking.useNetworkd) (
|
|
||||||
mkIfIsInHq "172.22.99.4"
|
|
||||||
);
|
|
||||||
|
|
||||||
domain = mkIfIsInHq "hq.c3d2.de";
|
domain = mkIfIsInHq "hq.c3d2.de";
|
||||||
|
|
||||||
interfaces = lib.mkIf (cfg.hq.interface != null) {
|
interfaces = lib.mkIf (cfg.hq.interface != null) {
|
||||||
|
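--- a/[file path not shown on page]
+++ b/[file path not shown on page]
@@ -399,10 +346,10 @@ in
 connect-timeout = 20;
 experimental-features = "nix-command flakes";
 fallback = true;
-# don't self feed hydra
-trusted-public-keys = lib.mkIf (config.networking.hostName != "hydra") [
+trusted-public-keys = [
 "nix-serve.hq.c3d2.de:KZRGGnwOYzys6pxgM8jlur36RmkJQ/y8y62e52fj1ps="
 ];
+# don't self feed hydra
 substituters = lib.mkIf (config.networking.hostName != "hydra") (
 lib.mkBefore [ "https://nix-serve.hq.c3d2.de" ]
 );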
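Review bot: `trusted-public-keys` is no longer guarded by `config.networking.hostName != "hydra"` while `substituters` still is, so the relocated `# don't self feed hydra` comment now describes only the substituter line and the HQ signing key becomes trusted on hydra as well. If the intent is that hydra may verify signatures from its own nix-serve key but must never pull from it, make that explicit, e.g. `# trust the HQ cache key everywhere; only the substituter is skipped on hydra so it does not feed itself`. Note also that the host which set `hq.enableBinaryCache = false` (hunk at old line 6) loses that opt-out now that the option is gone; whether anything outside these hunks gated the substituter on it is not visible here. The `nix.settings` set continues outside the hunk.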
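--- a/[file path not shown on page]
+++ b/[file path not shown on page]
@@ -426,7 +373,7 @@ in
 };
 
 services.openssh = {
-# Required for deployment
+# Required for deployment and sops
 enable = true;
 permitRootLogin = "prohibit-password";
 };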
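--- a/[file path not shown on page]
+++ b/[file path not shown on page]
@@ -480,7 +427,7 @@ in
 {
 publicKey = null;
 publicKeyFile = null;
-hostNames = [ ip6 "${name}.hq.c3d2.de" "${name}.hq" name ];
+hostNames = [ ip6 "${name}.hq.c3d2.de" name ];
 } // sshAttrs;
 })
 (builtins.attrNames cfg.hosts);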
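--- a/[file path not shown on page]
+++ b/[file path not shown on page]
@@ -506,23 +453,14 @@ in
 rebootTime = "15s";
 };
 
-# Defaults for LetsEncrypt
-security.acme =
-if options.security.acme ? defaults
-then {
-acceptTerms = true;
-# NixOS>=22.05
-defaults = {
-email = cfg.acmeEmail;
-# letsencrypt staging server with way higher rate limits
-# server = "https://acme-staging-v02.api.letsencrypt.org/directory";
-};
-}
-else {
-acceptTerms = true;
-# TODO: NixOS<=21.05
-email = cfg.acmeEmail;
+security.acme = {
+acceptTerms = true;
+defaults = {
+email = "mail@c3d2.de";
+# letsencrypt staging server with way higher rate limits
+# server = "https://acme-staging-v02.api.letsencrypt.org/directory";
 };
+};
 zramSwap.enable = true;
 };
 }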