authorSeth Flynn <[email protected]>2025-02-13 16:54:19 -0500
committerSeth Flynn <[email protected]>2025-02-13 22:09:11 -0500
commit386ecf3d14ea486aba523b14200fcd2e7e04b9d6 (patch)
treec9009fe26ece76f0c9d76ba89895094ee500b054
parentfdd2dd359c1d72b9ebeb676efb4141b5536f160c (diff)
nixos: make more "traits" mixins
-rw-r--r--modules/nixos/mixins/default.nix3
-rw-r--r--modules/nixos/mixins/nvidia.nix6
-rw-r--r--modules/nixos/mixins/resolved.nix23
-rw-r--r--modules/nixos/mixins/tailscale.nix34
-rw-r--r--modules/nixos/mixins/zram.nix (renamed from modules/nixos/traits/zram.nix)13
-rw-r--r--modules/nixos/profiles/personal.nix5
-rw-r--r--modules/nixos/profiles/server.nix21
-rw-r--r--modules/nixos/traits/containers.nix26
-rw-r--r--modules/nixos/traits/default.nix4
-rw-r--r--modules/nixos/traits/resolved.nix40
-rw-r--r--modules/nixos/traits/tailscale.nix52
-rw-r--r--systems/glados-wsl/default.nix6
-rw-r--r--systems/glados/default.nix11
13 files changed, 100 insertions, 144 deletions
diff --git a/modules/nixos/mixins/default.nix b/modules/nixos/mixins/default.nix
index 2ec36d7..701c4db 100644
--- a/modules/nixos/mixins/default.nix
+++ b/modules/nixos/mixins/default.nix
@@ -9,5 +9,8 @@
./nginx.nix
./nvidia.nix
./promtail.nix
+ ./resolved.nix
+ ./tailscale.nix
+ ./zram.nix
];
}
diff --git a/modules/nixos/mixins/nvidia.nix b/modules/nixos/mixins/nvidia.nix
index ff81385..e62bc90 100644
--- a/modules/nixos/mixins/nvidia.nix
+++ b/modules/nixos/mixins/nvidia.nix
@@ -54,8 +54,10 @@ in
};
})
- (lib.mkIf config.traits.containers.enable {
- hardware.nvidia-container-toolkit.enable = true;
+ (lib.mkIf config.virtualisation.podman.enable {
+ hardware = {
+ nvidia-container-toolkit.enable = true;
+ };
})
];
}
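Review bot: The toolkit condition on L48 is now `config.virtualisation.podman.enable` alone, so a host that runs Docker instead of podman would no longer get `nvidia-container-toolkit`, whereas the removed `traits.containers.enable` was at least backend-neutral in name. If Docker is never used in this repo that is fine; otherwise `(lib.mkIf (config.virtualisation.podman.enable || config.virtualisation.docker.enable) {` keeps the gate tied to whichever runtime is actually on. The enclosing `lib.mkMerge` list and whatever outer nvidia gate it sits under start outside the hunk, so I cannot confirm the block is still only reached on hosts with the nvidia driver enabled.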
diff --git a/modules/nixos/mixins/resolved.nix b/modules/nixos/mixins/resolved.nix
new file mode 100644
index 0000000..3c3f9e9
--- /dev/null
+++ b/modules/nixos/mixins/resolved.nix
@@ -0,0 +1,23 @@
+{ config, lib, ... }:
+
+{
+ config = lib.mkMerge [
+ {
+ services.resolved = {
+ enable = lib.mkDefault true;
+ dnsovertls = "true";
+ };
+ }
+
+ (lib.mkIf config.services.resolved.enable {
+ networking = {
+ nameservers = [
+ "1.1.1.1#one.one.one.one"
+ "1.0.0.1#one.one.one.one"
+ ];
+
+ networkmanager.dns = "systemd-resolved";
+ };
+ })
+ ];
+}
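Review bot: `dnsovertls = "true"` on L68 is a plain assignment while `enable` on L67 uses `lib.mkDefault`, so a host that needs the opportunistic mode (for example on a network that blocks port 853) has to `lib.mkForce` it; `dnsovertls = lib.mkDefault "true";` keeps the strict default while leaving hosts an ordinary override. A short comment above that line saying that `"true"` is the strict, fail-closed mode in which resolved refuses plaintext fallback, and that the `#one.one.one.one` suffix on the nameservers is the name resolved validates the server certificate against, would make the security intent of the block explicit. Note also that `networkmanager.dns = "systemd-resolved"` on L79 is now set whenever resolved is enabled, where the removed trait (L291-L293 in this commit) tied it to `networking.networkmanager.enable`; presumably the option is inert when NetworkManager is off, but that is worth confirming.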
diff --git a/modules/nixos/mixins/tailscale.nix b/modules/nixos/mixins/tailscale.nix
new file mode 100644
index 0000000..177aa90
--- /dev/null
+++ b/modules/nixos/mixins/tailscale.nix
@@ -0,0 +1,34 @@
+{
+ config,
+ lib,
+ ...
+}:
+
+let
+ cfg = config.services.tailscale;
+
+ usingTailscaleSSH = lib.elem "--ssh" config.services.tailscale.extraUpFlags;
+in
+
+{
+ config = lib.mkMerge [
+ {
+ services.tailscale = {
+ openFirewall = true;
+ };
+ }
+
+ (lib.mkIf cfg.enable {
+ networking.firewall = {
+ # Trust all connections over Tailscale
+ trustedInterfaces = [ config.services.tailscale.interfaceName ];
+ };
+ })
+
+ (lib.mkIf (cfg.enable && usingTailscaleSSH) {
+ networking.firewall = {
+ allowedTCPPorts = [ 22 ];
+ };
+ })
+ ];
+}
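Review bot: `allowedTCPPorts = [ 22 ]` on L119 opens port 22 on every interface, while L113 already places the Tailscale interface in `trustedInterfaces`, so SSH reachability over the tailnet does not depend on it; as written, adding `--ssh` to the up flags also widens exposure of port 22 to every other network the host sits on. If only Tailscale SSH is intended, drop the third `mkMerge` entry, or scope it with `networking.firewall.interfaces.${config.services.tailscale.interfaceName}.allowedTCPPorts = [ 22 ];`. As a style point, `usingTailscaleSSH` on L99 reads `config.services.tailscale.extraUpFlags` although `cfg` on L97 is that same attrset, and `lib.elem "--ssh"` would presumably not match a `--ssh=true` spelling should one ever be used.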
diff --git a/modules/nixos/traits/zram.nix b/modules/nixos/mixins/zram.nix
index f5ba2a9..8d21dde 100644
--- a/modules/nixos/traits/zram.nix
+++ b/modules/nixos/mixins/zram.nix
@@ -1,13 +1,8 @@
{ config, lib, ... }:
-let
- cfg = config.traits.zram;
-in
-{
- options.traits.zram = {
- enable = lib.mkEnableOption "zram and sysctl optimizations";
- };
- config = lib.mkIf cfg.enable {
+{
+ config = lib.mkIf config.zramSwap.enable {
+ # Optimize system for zram
# https://github.com/pop-os/default-settings/pull/163
# https://wiki.archlinux.org/title/Zram#Multiple_zram_devices
boot.kernel.sysctl = {
@@ -16,7 +11,5 @@ in
"vm.watermark_scale_factor" = 125;
"vm.page-cluster" = 0;
};
-
- zramSwap.enable = true;
};
}
diff --git a/modules/nixos/profiles/personal.nix b/modules/nixos/profiles/personal.nix
index 4d1c784..fd59a27 100644
--- a/modules/nixos/profiles/personal.nix
+++ b/modules/nixos/profiles/personal.nix
@@ -15,6 +15,10 @@ in
};
config = lib.mkIf cfg.enable {
+ services = {
+ tailscale.enable = true;
+ };
+
traits = {
home-manager.enable = true;
@@ -22,7 +26,6 @@ in
enable = true;
secretsDir = inputs.self + "/secrets/personal";
};
- tailscale.enable = true;
users = {
seth.enable = true;
diff --git a/modules/nixos/profiles/server.nix b/modules/nixos/profiles/server.nix
index 373dc5d..d1c54c1 100644
--- a/modules/nixos/profiles/server.nix
+++ b/modules/nixos/profiles/server.nix
@@ -1,6 +1,7 @@
{
config,
lib,
+ secretsDir,
inputs',
...
}:
@@ -27,6 +28,10 @@ in
# All servers are most likely on stable, so we want to pull in some newer packages from time to time
_module.args.unstable = inputs'.nixpkgs.legacyPackages;
+ age.secrets = {
+ tailscaleAuthKey.file = "${secretsDir}/tailscaleAuthKey.age";
+ };
+
boot.tmp.cleanOnBoot = lib.mkDefault true;
# We don't need it here
@@ -43,16 +48,22 @@ in
];
};
- services.comin.enable = true;
+ services = {
+ comin.enable = true;
- traits = {
- secrets.enable = true;
tailscale = {
enable = true;
- ssh.enable = true;
+
+ authKeyFile = config.age.secrets.tailscaleAuthKey.path;
+ extraUpFlags = [ "--ssh" ];
};
- zram.enable = true;
};
+
+ traits = {
+ secrets.enable = true;
+ };
+
+ zramSwap.enable = true;
}
(lib.mkIf cfg.hostUser {
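Review bot: `extraUpFlags = [ "--ssh" ]` on L206 turns on the Tailscale SSH server for every host using the server profile, and since the tailscale mixin in this commit trusts the whole Tailscale interface, who may log in is then decided entirely by the tailnet's ACL/SSH policy rather than by anything in this repository. A comment such as `# Tailscale SSH: logins are governed by the tailnet ACL "ssh" rules, not by sshd config` next to that line would keep that dependency visible. `authKeyFile` on L205 consumes the `age.secrets.tailscaleAuthKey` declared in the earlier hunk (L187-L189), and that declaration is now unconditional where the removed trait gated it behind `manageSecrets` (L363-L366), so every server host presumably must ship `tailscaleAuthKey.age` under its `secretsDir` or evaluation will fail; a one-line comment on the declaration stating that requirement, and what kind of key (reusable, tagged, expiry) is expected there, would help the next person adding a server. The enclosing `lib.mkIf cfg.enable` block starts outside the hunk.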
diff --git a/modules/nixos/traits/containers.nix b/modules/nixos/traits/containers.nix
deleted file mode 100644
index b684803..0000000
--- a/modules/nixos/traits/containers.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}:
-let
- cfg = config.traits.containers;
-in
-{
- options.traits.containers = {
- enable = lib.mkEnableOption "support for containers";
- };
-
- config = lib.mkIf cfg.enable {
- virtualisation = {
- podman = {
- enable = true;
- extraPackages = [ pkgs.podman-compose ];
- autoPrune.enable = true;
- };
-
- oci-containers.backend = "podman";
- };
- };
-}
diff --git a/modules/nixos/traits/default.nix b/modules/nixos/traits/default.nix
index aafa445..6b1e796 100644
--- a/modules/nixos/traits/default.nix
+++ b/modules/nixos/traits/default.nix
@@ -1,16 +1,12 @@
{
imports = [
./arm-builder.nix
- ./containers.nix
./determinate.nix
./home-manager.nix
./locale.nix
./mac-builder.nix
./nvd-diff.nix
- ./resolved.nix
./secrets.nix
- ./tailscale.nix
./users
- ./zram.nix
];
}
diff --git a/modules/nixos/traits/resolved.nix b/modules/nixos/traits/resolved.nix
deleted file mode 100644
index f21f8c3..0000000
--- a/modules/nixos/traits/resolved.nix
+++ /dev/null
@@ -1,40 +0,0 @@
-{
- config,
- lib,
- ...
-}:
-let
- cfg = config.traits.resolved;
-in
-{
- options.traits.resolved = {
- enable = lib.mkEnableOption "systemd-resolved as the DNS resolver" // {
- default = true;
- };
-
- networkManagerIntegration = lib.mkEnableOption "integration with network-manager" // {
- default = config.networking.networkmanager.enable;
- defaultText = "config.networking.networkmanager.enable";
- };
- };
-
- config = lib.mkIf cfg.enable (
- lib.mkMerge [
- {
- networking.nameservers = [
- "1.1.1.1#one.one.one.one"
- "1.0.0.1#one.one.one.one"
- ];
-
- services.resolved = {
- enable = true;
- dnsovertls = "true";
- };
- }
-
- (lib.mkIf cfg.networkManagerIntegration {
- networking.networkmanager.dns = "systemd-resolved";
- })
- ]
- );
-}
diff --git a/modules/nixos/traits/tailscale.nix b/modules/nixos/traits/tailscale.nix
deleted file mode 100644
index ea38e5c..0000000
--- a/modules/nixos/traits/tailscale.nix
+++ /dev/null
@@ -1,52 +0,0 @@
-{
- config,
- lib,
- secretsDir,
- ...
-}:
-let
- cfg = config.traits.tailscale;
-in
-{
- options.traits.tailscale = {
- enable = lib.mkEnableOption "Tailscale";
- ssh.enable = lib.mkEnableOption "Tailscale SSH";
- manageSecrets = lib.mkEnableOption "automatic management of secrets";
- };
-
- config = lib.mkIf cfg.enable (
- lib.mkMerge [
- {
- networking.firewall = {
- # all connections from tailscale are safe...or should be
- trustedInterfaces = [ config.services.tailscale.interfaceName ];
- };
-
- services.tailscale = {
- enable = true;
- openFirewall = true;
- };
- }
-
- (lib.mkIf cfg.ssh.enable {
- networking.firewall = {
- allowedTCPPorts = [ 22 ];
- };
-
- services.tailscale = {
- extraUpFlags = [ "--ssh" ];
- };
- })
-
- (lib.mkIf cfg.manageSecrets {
- age.secrets = lib.mkIf cfg.manageSecrets {
- tailscaleAuthKey.file = "${secretsDir}/tailscaleAuthKey.age";
- };
-
- services.tailscale = {
- authKeyFile = config.age.secrets.tailscaleAuthKey.path;
- };
- })
- ]
- );
-}
diff --git a/systems/glados-wsl/default.nix b/systems/glados-wsl/default.nix
index 2d7060f..b30451c 100644
--- a/systems/glados-wsl/default.nix
+++ b/systems/glados-wsl/default.nix
@@ -1,4 +1,5 @@
{ pkgs, inputs, ... }:
+
{
imports = [
inputs.nixos-wsl.nixosModules.wsl
@@ -22,13 +23,16 @@
# (nixos-wsl probably doesn't set it)
security.apparmor.enable = false;
+ services = {
+ resolved.enable = false;
+ };
+
system.stateVersion = "23.11";
traits = {
arm-builder.enable = true;
determinate.enable = true;
mac-builder.enable = true;
- resolved.enable = false;
};
wsl = {
diff --git a/systems/glados/default.nix b/systems/glados/default.nix
index 0d64af7..42cdeb8 100644
--- a/systems/glados/default.nix
+++ b/systems/glados/default.nix
@@ -4,6 +4,7 @@
inputs,
...
}:
+
{
imports = [
./hardware-configuration.nix
@@ -80,10 +81,14 @@
traits = {
arm-builder.enable = true;
- containers.enable = true;
determinate.enable = true;
mac-builder.enable = true;
- tailscale.enable = true;
- zram.enable = true;
};
+
+ virtualisation = {
+ oci-containers.backend = "podman";
+ podman.enable = true;
+ };
+
+ zramSwap.enable = true;
}
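Review bot: The podman block on L422-L425 replaces the deleted containers trait but drops the `autoPrune.enable = true` and `extraPackages = [ pkgs.podman-compose ]` that the trait carried (L242-L243 in this commit), so this host silently loses periodic image pruning and the compose tool. If that is unintended, add `podman.autoPrune.enable = true;` beside `podman.enable` and restore the compose package. The enclosing attrset starts outside the hunk.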