Drop c3d2.isInHq

2022-12-21 19:43:47 +01:00 · 2022-12-21 19:43:47 +01:00 · fe8683f01f
commit fe8683f01f
parent 3f493722ba
19 changed files with 31 additions and 57 deletions
--- a/README.md
+++ b/README.md
@ -290,6 +290,8 @@ nix flake lock . --update-input secrets
 # Laptops / Desktops
 Note: currently being rebuild!
 This repository contains a NixOS module that can be used with personal machines
 as well. This module appends `/etc/ssh/ssh_known_hosts` with the host keys of
 registered HQ hosts, and optionally appends `/etc/hosts` with static IPv6
@ -309,7 +311,6 @@ in {
  ];
  c3d2 = {
    isInHq = false; # not in HQ, this is the default.
    enableMotd = true; # Set the login shell message to the <<</>> logo.
  };
--- a/config/default.nix
+++ b/config/default.nix
@ -3,12 +3,21 @@
 # this file contains default configuration that may be turned on depending on other config settings.
 # options should go to modules.
-lib.mkIf config.services.nginx.enable {
+lib.mkMerge [
-  services.nginx = {
+  {
-    openFirewall = true;
+    assertions = [{
-    recommendedGzipSettings = true;
+      assertion = config.users.users.root.password == null;
-    recommendedOptimisation = true;
+      message = "Root passwords not allowed in HQ";
-    recommendedProxySettings = true;
+    }];
-    recommendedTlsSettings = true;
+  }
-  };
+
-}
+  (lib.mkIf config.services.nginx.enable {
    services.nginx = {
      openFirewall = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
    };
  })
 ]
--- a/hosts/bind/default.nix
+++ b/hosts/bind/default.nix
@ -18,7 +18,6 @@ let
 in
 {
  c3d2 = {
    isInHq = false;
    hq.statistics.enable = true;
    deployment.server = "server10";
  };
--- a/hosts/dacbert/default.nix
+++ b/hosts/dacbert/default.nix
@ -35,7 +35,6 @@ let
 in
 {
  c3d2 = {
    isInHq = true;
    hq.interface = "eth0";
    hq.statistics.enable = true;
    audioServer.enable = true;
@ -103,6 +102,7 @@ in
  };
  networking = {
    domain = "hq.c3d2.de";
    hostName = "dacbert"; # Define your hostname.
    useDHCP = false;
    interfaces.eth0.useDHCP = true;
--- a/hosts/dn42/default.nix
+++ b/hosts/dn42/default.nix
@ -6,6 +6,7 @@ let
  inherit (pkgs) neighbors;
 in {
  networking = {
    domain = "hq.c3d2.de";
    hostName = "dn42";
    useNetworkd = true;
    # No Firewalling!
@ -13,7 +14,6 @@ in {
  };
  services.resolved.enable = false;
  c3d2 = {
    isInHq = true;
    hq = {
      interface = "c3d2";
      statistics.enable = true;
--- a/hosts/freifunk/default.nix
+++ b/hosts/freifunk/default.nix
@ -39,7 +39,6 @@ in {
    fi
  '';
  c3d2 = {
    isInHq = false;
    hq.statistics.enable = true;
    deployment = {
      server = "server10";
--- a/hosts/glotzbert/default.nix
+++ b/hosts/glotzbert/default.nix
@ -4,7 +4,6 @@
  imports = [ ./hardware-configuration.nix ];
  c3d2 = {
    isInHq = true;
    hq.interface = "eno1";
    k-ot.enable = true;
    autoUpdate = true;
@ -31,6 +30,7 @@
  };
  networking = {
    domain = "hq.c3d2.de";
    hostName = "glotzbert";
    interfaces.eno1.useDHCP = true;
  };
--- a/hosts/grafana/default.nix
+++ b/hosts/grafana/default.nix
@ -2,10 +2,7 @@
 {
  microvm.mem = 4096;
-  c3d2 = {
+  c3d2.deployment.server = "server10";
    deployment.server = "server10";
    isInHq = false;
  };
  environment.systemPackages = with pkgs; [ influxdb ];
--- a/hosts/jabber/default.nix
+++ b/hosts/jabber/default.nix
@ -39,7 +39,6 @@ in
  c3d2 = {
    deployment.server = "server10";
    hq.statistics.enable = true;
    isInHq = false;
  };
  services.collectd.plugins.exec = ''
--- a/hosts/mailtngbert/default.nix
+++ b/hosts/mailtngbert/default.nix
@ -38,7 +38,6 @@ in
  c3d2 = {
    deployment.server = "server10";
    hq.statistics.enable = true;
    isInHq = false;
  };
  sops.defaultSopsFile = ./secrets.yaml;
--- a/hosts/mobilizon/default.nix
+++ b/hosts/mobilizon/default.nix
@ -1,9 +1,6 @@
 { config, pkgs, ... }:
 {
-  c3d2 = {
+  c3d2.deployment.server = "server10";
    deployment.server = "server10";
    isInHq = false;
  };
  microvm.mem = 2048;
--- a/hosts/pulsebert/default.nix
+++ b/hosts/pulsebert/default.nix
@ -6,7 +6,6 @@
  ];
  c3d2 = {
    isInHq = true;
    hq.interface = "eth0";
    hq.statistics.enable = true;
    k-ot.enable = true;
@ -46,6 +45,7 @@
  };
  networking = {
    domain = "hq.c3d2.de";
    firewall = {
      allowedTCPPorts = [
        # pulseaudio/pipewire network sync
--- a/hosts/radiobert/default.nix
+++ b/hosts/radiobert/default.nix
@ -7,7 +7,6 @@
  ];
  c3d2 = {
    isInHq = false;
    hq.statistics.enable = true;
    pi-sensors = if true then [] else [ {
      type = "dht22";
--- a/hosts/rpi-netboot/default.nix
+++ b/hosts/rpi-netboot/default.nix
@ -2,7 +2,6 @@
 {
  c3d2 = {
    isInHq = true;
    hq.interface = "eth0";
    hq.statistics.enable = false;
    audioServer.enable = true;
--- a/hosts/scrape/default.nix
+++ b/hosts/scrape/default.nix
@ -10,10 +10,7 @@ let
  };
  luftqualitaetStations = [ "1672" "1649" "1680" "1639" ];
 in {
-  c3d2 = {
+  c3d2.deployment.server = "server10";
    isInHq = false;
    deployment.server = "server10";
  };
  networking.hostName = "scrape";
--- a/hosts/sdrweb/default.nix
+++ b/hosts/sdrweb/default.nix
@ -5,10 +5,7 @@
    vcpu = 16;
    needForSpeed = true;
  };
-  c3d2 = {
+  c3d2.hq.statistics.enable = true;
    isInHq = false;
    hq.statistics.enable = true;
  };
  system.stateVersion = "22.05";
--- a/hosts/server8/default.nix
+++ b/hosts/server8/default.nix
@ -1,4 +1,4 @@
-{ ... }:
+{ config, ... }:
 {
  imports = [
--- a/hosts/sshlog/default.nix
+++ b/hosts/sshlog/default.nix
@ -1,13 +1,7 @@
 { config, lib, pkgs, ... }:
 {
-  deployment = {
+  deployment.mem = 512;
-    persistedShares = [ "/etc" "/home" "/var" ];
+  c3d2.hq.statistics.enable = true;
    mem = 512;
  };
  c3d2 = {
    isInHq = false;
    hq.statistics.enable = true;
  };
  networking = {
    hostName = "sshlog";
--- a/modules/c3d2.nix
+++ b/modules/c3d2.nix
@ -47,8 +47,6 @@ in
      '';
    };
    isInHq = mkEnableOption "HQ presence (TODO: what is this? association to VLAN 5?)";
    enableMotd = mkOption {
      type = types.bool;
      default = true;
@ -113,7 +111,6 @@ in
  config =
    let
      adminKeys = with builtins; lib.lists.flatten (attrValues cfg.sshKeys);
      mkIfIsInHq = x: lib.mkIf cfg.isInHq (lib.mkDefault x);
    in
    {
      programs.nncp.settings = lib.optionalAttrs cfg.mergeNncpSettings cfg.nncp;
@ -200,13 +197,6 @@ in
        };
      };
      assertions = [
        {
          assertion = cfg.isInHq -> (config.users.users.root.password == null);
          message = "Root passwords not allowed in HQ";
        }
      ];
      boot.cleanTmpDir = true;
      documentation.nixos.enable = false;
@ -229,8 +219,6 @@ in
      };
      networking = {
        domain = mkIfIsInHq "hq.c3d2.de";
        interfaces = lib.mkIf (cfg.hq.interface != null) {
          "${cfg.hq.interface}".ipv6.addresses = [{
            address = toHqPrivateAddress config.networking.hostName;