authorSeth Flynn <[email protected]>2025-02-13 16:54:19 -0500
committerSeth Flynn <[email protected]>2025-02-13 22:09:11 -0500
commit386ecf3d14ea486aba523b14200fcd2e7e04b9d6 (patch)
treec9009fe26ece76f0c9d76ba89895094ee500b054 /modules/nixos/mixins
parentfdd2dd359c1d72b9ebeb676efb4141b5536f160c (diff)
nixos: make more "traits" mixins
Diffstat (limited to 'modules/nixos/mixins')
-rw-r--r--modules/nixos/mixins/default.nix3
-rw-r--r--modules/nixos/mixins/nvidia.nix6
-rw-r--r--modules/nixos/mixins/resolved.nix23
-rw-r--r--modules/nixos/mixins/tailscale.nix34
-rw-r--r--modules/nixos/mixins/zram.nix15
5 files changed, 79 insertions, 2 deletions
diff --git a/modules/nixos/mixins/default.nix b/modules/nixos/mixins/default.nix
index 2ec36d7..701c4db 100644
--- a/modules/nixos/mixins/default.nix
+++ b/modules/nixos/mixins/default.nix
@@ -9,5 +9,8 @@
./nginx.nix
./nvidia.nix
./promtail.nix
+ ./resolved.nix
+ ./tailscale.nix
+ ./zram.nix
];
}
diff --git a/modules/nixos/mixins/nvidia.nix b/modules/nixos/mixins/nvidia.nix
index ff81385..e62bc90 100644
--- a/modules/nixos/mixins/nvidia.nix
+++ b/modules/nixos/mixins/nvidia.nix
@@ -54,8 +54,10 @@ in
};
})
- (lib.mkIf config.traits.containers.enable {
- hardware.nvidia-container-toolkit.enable = true;
+ (lib.mkIf config.virtualisation.podman.enable {
+ hardware = {
+ nvidia-container-toolkit.enable = true;
+ };
})
];
}
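Review bot: The toolkit is now gated on `config.virtualisation.podman.enable` alone, so a host that runs containers through Docker instead would no longer get `hardware.nvidia-container-toolkit.enable`. If such a host can exist in this configuration, `(lib.mkIf (config.virtualisation.podman.enable || config.virtualisation.docker.enable) {` covers both. The nested `hardware = { … };` attrset holds a single attribute and reads more simply as the one dotted line it replaced. The enclosing `mkMerge` list starts outside this hunk.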
diff --git a/modules/nixos/mixins/resolved.nix b/modules/nixos/mixins/resolved.nix
new file mode 100644
index 0000000..3c3f9e9
--- /dev/null
+++ b/modules/nixos/mixins/resolved.nix
@@ -0,0 +1,23 @@
+{ config, lib, ... }:
+
+{
+ config = lib.mkMerge [
+ {
+ services.resolved = {
+ enable = lib.mkDefault true;
+ dnsovertls = "true";
+ };
+ }
+
+ (lib.mkIf config.services.resolved.enable {
+ networking = {
+ nameservers = [
+ "1.1.1.1#one.one.one.one"
+ "1.0.0.1#one.one.one.one"
+ ];
+
+ networkmanager.dns = "systemd-resolved";
+ };
+ })
+ ];
+}
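Review bot: Strict DNS-over-TLS is pinned for the two global servers in `networking.nameservers`, but nothing in this file keeps systemd-resolved from also routing lookups to per-link DNS servers handed out by DHCP or NetworkManager. Queries can therefore still reach a network-provided resolver, or fail against one that does not speak DoT. Adding `domains = [ "~." ];` to the `services.resolved` block makes the global servers the preferred route for all names, and setting `fallbackDns` explicitly avoids depending on the built-in fallback list. `dnssec` is left at the module default, which is worth stating in a comment so the choice is visibly deliberate.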
diff --git a/modules/nixos/mixins/tailscale.nix b/modules/nixos/mixins/tailscale.nix
new file mode 100644
index 0000000..177aa90
--- /dev/null
+++ b/modules/nixos/mixins/tailscale.nix
@@ -0,0 +1,34 @@
+{
+ config,
+ lib,
+ ...
+}:
+
+let
+ cfg = config.services.tailscale;
+
+ usingTailscaleSSH = lib.elem "--ssh" config.services.tailscale.extraUpFlags;
+in
+
+{
+ config = lib.mkMerge [
+ {
+ services.tailscale = {
+ openFirewall = true;
+ };
+ }
+
+ (lib.mkIf cfg.enable {
+ networking.firewall = {
+ # Trust all connections over Tailscale
+ trustedInterfaces = [ config.services.tailscale.interfaceName ];
+ };
+ })
+
+ (lib.mkIf (cfg.enable && usingTailscaleSSH) {
+ networking.firewall = {
+ allowedTCPPorts = [ 22 ];
+ };
+ })
+ ];
+}
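Review bot: The last `mkIf` block opens TCP 22 on every interface, because `networking.firewall.allowedTCPPorts` is global rather than scoped to the tailnet. On a host that also runs OpenSSH, that daemon becomes reachable from the public side whenever `--ssh` is passed. The Tailscale interface is already in `trustedInterfaces` just above, so the rule looks redundant; either drop it or scope it with `networking.firewall.interfaces.${cfg.interfaceName}.allowedTCPPorts = [ 22 ];`. Trusting the whole interface also lets every tailnet peer reach every listening port on the host, so access control rests on the tailnet ACLs alone, which the comment above `trustedInterfaces` should say. Separately, `lib.elem "--ssh"` does not match the `--ssh=true` spelling, and `usingTailscaleSSH` could read `cfg.extraUpFlags` like the rest of the file.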
diff --git a/modules/nixos/mixins/zram.nix b/modules/nixos/mixins/zram.nix
new file mode 100644
index 0000000..8d21dde
--- /dev/null
+++ b/modules/nixos/mixins/zram.nix
@@ -0,0 +1,15 @@
+{ config, lib, ... }:
+
+{
+ config = lib.mkIf config.zramSwap.enable {
+ # Optimize system for zram
+ # https://github.com/pop-os/default-settings/pull/163
+ # https://wiki.archlinux.org/title/Zram#Multiple_zram_devices
+ boot.kernel.sysctl = {
+ "vm.swappiness" = 180;
+ "vm.watermark_boost_factor" = 0;
+ "vm.watermark_scale_factor" = 125;
+ "vm.page-cluster" = 0;
+ };
+ };
+}