authorseth <[email protected]>2023-10-30 04:22:32 -0400
committerseth <[email protected]>2023-10-30 09:46:15 +0000
commit10b0df38b4286237b56ff9177f8d4c5676bfb5c1 (patch)
treeab298c74339bf9bc41571fa88746ecd9c522fbdf /modules/nixos
parent4c2c60a4f2b14c1e6ffaffe5e301dc31ac4fed0f (diff)
tree-wide: refactor
i went overboard on modules. this is much comfier
Diffstat (limited to 'modules/nixos')
-rw-r--r--modules/nixos/base.nix103
-rw-r--r--modules/nixos/default.nix12
-rw-r--r--modules/nixos/desktop/budgie/default.nix44
-rw-r--r--modules/nixos/desktop/default.nix56
-rw-r--r--modules/nixos/desktop/gnome/default.nix29
-rw-r--r--modules/nixos/desktop/plasma/default.nix17
-rw-r--r--modules/nixos/features/tailscale.nix63
-rw-r--r--modules/nixos/features/virtualisation.nix21
-rw-r--r--modules/nixos/hardware/default.nix8
-rw-r--r--modules/nixos/hardware/nvidia.nix34
-rw-r--r--modules/nixos/hardware/ssd.nix14
-rw-r--r--modules/nixos/server/acme.nix14
-rw-r--r--modules/nixos/server/default.nix39
-rw-r--r--modules/nixos/server/secrets.nix12
-rw-r--r--modules/nixos/services/cloudflared.nix40
-rw-r--r--modules/nixos/services/default.nix7
-rw-r--r--modules/nixos/services/hercules.nix55
-rw-r--r--modules/nixos/services/promtail.nix47
18 files changed, 615 insertions, 0 deletions
diff --git a/modules/nixos/base.nix b/modules/nixos/base.nix
new file mode 100644
index 0000000..ca696dd
--- /dev/null
+++ b/modules/nixos/base.nix
@@ -0,0 +1,103 @@
+{
+ config,
+ lib,
+ pkgs,
+ inputs,
+ ...
+}: let
+ inherit (lib) mkDefault;
+ channelPath = i: "/etc/nix/channels/${i}";
+
+ mapInputs = fn: map fn (builtins.filter (n: n != "self") (builtins.attrNames inputs));
+
+ # yes this is a bad way to detect which option should be used (or exists)
+ # but i'm lazy. please do not copy this
+ passwordFile =
+ if lib.versionAtLeast config.system.stateVersion "23.11"
+ then "hashedPasswordFile"
+ else "passwordFile";
+in {
+ imports = [
+ ../shared
+ ];
+
+ environment.systemPackages = with pkgs; [man-pages man-pages-posix];
+
+ documentation.man = {
+ generateCaches = mkDefault true;
+ man-db.enable = mkDefault true;
+ };
+
+ i18n = {
+ supportedLocales = [
+ "en_US.UTF-8/UTF-8"
+ ];
+
+ defaultLocale = "en_US.UTF-8";
+ };
+
+ networking.networkmanager = {
+ enable = mkDefault true;
+ dns = mkDefault "systemd-resolved";
+ };
+
+ nix = {
+ nixPath = mapInputs (i: "${i}=${channelPath i}");
+ gc.dates = mkDefault "weekly";
+ settings.trusted-users = ["root" "@wheel"];
+ };
+
+ programs = {
+ git.enable = mkDefault true;
+ vim.defaultEditor = mkDefault true;
+ };
+
+ security = {
+ apparmor.enable = mkDefault true;
+ audit.enable = mkDefault true;
+ auditd.enable = mkDefault true;
+ polkit.enable = mkDefault true;
+ rtkit.enable = mkDefault true;
+ sudo.execWheelOnly = true;
+ };
+
+ services = {
+ dbus.apparmor = mkDefault "enabled";
+
+ resolved = {
+ enable = mkDefault true;
+ dnssec = mkDefault "allow-downgrade";
+ extraConfig = mkDefault ''
+ [Resolve]
+ DNS=1.1.1.1 1.0.0.1
+ DNSOverTLS=yes
+ '';
+ };
+
+ journald.extraConfig = ''
+ MaxRetentionSec=1w
+ '';
+ };
+
+ system.activationScripts."upgrade-diff" = {
+ supportsDryActivation = true;
+ text = ''
+ ${pkgs.nvd}/bin/nvd --nix-bin-dir=${config.nix.package}/bin diff /run/current-system "$systemConfig"
+ '';
+ };
+
+ systemd.tmpfiles.rules =
+ mapInputs (i: "L+ ${channelPath i} - - - - ${inputs.${i}.outPath}");
+
+ users = {
+ defaultUserShell = pkgs.bash;
+ mutableUsers = false;
+
+ users.root = {
+ home = mkDefault "/root";
+ uid = mkDefault config.ids.uids.root;
+ group = mkDefault "root";
+ "${passwordFile}" = mkDefault config.age.secrets.rootPassword.path;
+ };
+ };
+}
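Review bot: `DNS=1.1.1.1 1.0.0.1` under `DNSOverTLS=yes` in the `resolved.extraConfig` block gives systemd-resolved no server name to check the certificate against, so strict mode can only verify that the presented certificate chains to a trusted CA, not that it belongs to the resolver; the `address#server_name` form closes that gap and also enables SNI: `DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com`. `settings.trusted-users = ["root" "@wheel"]` makes every wheel member root-equivalent with respect to the Nix daemon (trusted users may pass arbitrary substituters and unsigned paths), which deserves a one-line comment confirming that is intended for every host that imports this base module. `sudo.execWheelOnly` and `journald.extraConfig` are the only settings here without `mkDefault`; that looks deliberate for sudo, but the journald retention value cannot be overridden per host without `mkForce`, which may be accidental.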
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
new file mode 100644
index 0000000..f43e8ae
--- /dev/null
+++ b/modules/nixos/default.nix
@@ -0,0 +1,12 @@
+{
+ flake.nixosModules = {
+ default = ./base.nix;
+ desktop = ./desktop;
+ gnome = ./desktop/gnome;
+ plasma = ./desktop/plasma;
+ budgie = ./desktop/budgie;
+ server = ./server;
+ services = ./services;
+ hardware = ./hardware;
+ };
+}
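Review bot: `features/tailscale.nix` and `features/virtualisation.nix` from this commit are not listed in `flake.nixosModules`, and none of the other new files import them (hardware/default.nix and services/default.nix import only their own directory), so unless `../shared` or a host configuration outside this diff imports them directly, the `features.tailscale` and `features.virtualisation` options do not exist on any host. Adding `features = ./features;` backed by a `features/default.nix` that imports both, or folding them into `default`, would make the exported set match the tree. A short comment stating that `default` is the base module the other entries expect to be imported alongside would also help the next reader, if that is the intent (base.nix is the only file that imports `../shared`).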
diff --git a/modules/nixos/desktop/budgie/default.nix b/modules/nixos/desktop/budgie/default.nix
new file mode 100644
index 0000000..d29649b
--- /dev/null
+++ b/modules/nixos/desktop/budgie/default.nix
@@ -0,0 +1,44 @@
+{pkgs, ...}: {
+ services.xserver = {
+ displayManager.lightdm.greeters.slick = {
+ theme = {
+ name = "Materia-dark";
+ package = pkgs.materia-theme;
+ };
+ iconTheme = {
+ name = "Papirus-Dark";
+ package = pkgs.papirus-icon-theme;
+ };
+ cursorTheme = {
+ name = "Breeze-gtk";
+ package = pkgs.libsForQt5.breeze-gtk;
+ };
+ };
+
+ desktopManager.budgie = {
+ enable = true;
+ extraGSettingsOverrides = ''
+ [org.gnome.desktop.interface:Budgie]
+ gtk-theme="Materia-dark"
+ icon-theme="Papirus-Dark"
+ cursor-theme="Breeze-gtk"
+ font-name="Noto Sans 10"
+ document-font-name="Noto Sans 10"
+ monospace-font-name="Fira Code 10"
+ enable-hot-corners=true
+ '';
+ };
+ };
+
+ environment.budgie.excludePackages = with pkgs; [
+ qogir-theme
+ qogir-icon-theme
+ ];
+
+ environment.systemPackages = with pkgs; [
+ alacritty
+ breeze-gtk
+ materia-theme
+ papirus-icon-theme
+ ];
+}
diff --git a/modules/nixos/desktop/default.nix b/modules/nixos/desktop/default.nix
new file mode 100644
index 0000000..a40d94e
--- /dev/null
+++ b/modules/nixos/desktop/default.nix
@@ -0,0 +1,56 @@
+{
+ lib,
+ pkgs,
+ ...
+}: {
+ environment = {
+ noXlibs = lib.mkForce false;
+ systemPackages = with pkgs; [wl-clipboard xclip];
+ };
+
+ fonts = {
+ enableDefaultPackages = lib.mkDefault true;
+
+ packages = lib.mkDefault (with pkgs; [
+ corefonts
+ fira-code
+ (nerdfonts.override {fonts = ["FiraCode"];})
+ noto-fonts
+ noto-fonts-extra
+ noto-fonts-emoji
+ noto-fonts-cjk-sans
+ ]);
+
+ fontconfig = {
+ enable = lib.mkDefault true;
+ defaultFonts = lib.mkDefault {
+ serif = ["Noto Serif"];
+ sansSerif = ["Noto Sans"];
+ emoji = ["Noto Color Emoji"];
+ monospace = ["Fira Code"];
+ };
+ };
+ };
+
+ hardware.pulseaudio.enable = false;
+
+ programs = {
+ dconf.enable = lib.mkDefault true;
+ firefox.enable = lib.mkDefault true;
+ xwayland.enable = lib.mkDefault true;
+ };
+
+ services = {
+ pipewire = lib.mkDefault {
+ enable = true;
+ wireplumber.enable = true;
+ alsa.enable = true;
+ jack.enable = true;
+ pulse.enable = true;
+ };
+
+ xserver.enable = lib.mkDefault true;
+ };
+
+ xdg.portal.enable = lib.mkDefault true;
+}
diff --git a/modules/nixos/desktop/gnome/default.nix b/modules/nixos/desktop/gnome/default.nix
new file mode 100644
index 0000000..7e2c07e
--- /dev/null
+++ b/modules/nixos/desktop/gnome/default.nix
@@ -0,0 +1,29 @@
+{
+ pkgs,
+ lib,
+ ...
+}: {
+ environment = {
+ gnome.excludePackages = with pkgs; [
+ gnome-tour
+ ];
+
+ sessionVariables = {
+ NIXOS_OZONE_WL = "1";
+ };
+
+ systemPackages = with pkgs; [
+ adw-gtk3
+ blackbox-terminal
+ ];
+ };
+
+ services.xserver = {
+ displayManager.gdm = {
+ enable = true;
+ wayland = lib.mkForce true;
+ };
+
+ desktopManager.gnome.enable = true;
+ };
+}
diff --git a/modules/nixos/desktop/plasma/default.nix b/modules/nixos/desktop/plasma/default.nix
new file mode 100644
index 0000000..d580e3f
--- /dev/null
+++ b/modules/nixos/desktop/plasma/default.nix
@@ -0,0 +1,17 @@
+{pkgs, ...}: {
+ environment = {
+ plasma5.excludePackages = with pkgs.libsForQt5; [
+ khelpcenter
+ plasma-browser-integration
+ print-manager
+ ];
+ };
+
+ services.xserver = {
+ displayManager.sddm.enable = true;
+ desktopManager.plasma5 = {
+ enable = true;
+ useQtScaling = true;
+ };
+ };
+}
diff --git a/modules/nixos/features/tailscale.nix b/modules/nixos/features/tailscale.nix
new file mode 100644
index 0000000..cbbe2e5
--- /dev/null
+++ b/modules/nixos/features/tailscale.nix
@@ -0,0 +1,63 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.features.tailscale;
+ inherit (lib) mkDefault mkEnableOption mkIf optionalAttrs;
+
+ baseDir = ../../../secrets/systems/${config.networking.hostName};
+in {
+ options.features.tailscale = {
+ enable = mkEnableOption "enable support for tailscale";
+ ssh.enable = mkEnableOption "enable support for tailscale ssh";
+ };
+
+ config = mkIf cfg.enable {
+ age.secrets = mkIf cfg.ssh.enable {
+ tailscaleAuthKey.file = "${baseDir}/tailscaleAuthKey.age";
+ };
+
+ networking.firewall =
+ {
+ allowedUDPPorts = [config.services.tailscale.port];
+ trustedInterfaces = ["tailscale0"];
+ }
+ // optionalAttrs cfg.ssh.enable {
+ allowedTCPPorts = [22];
+ };
+
+ services = {
+ tailscale.enable = mkDefault true;
+ };
+
+ # https://tailscale.com/kb/1096/nixos-minecraft/
+ systemd.services = mkIf cfg.ssh.enable {
+ tailscale-autoconnect = {
+ description = "Automatic connection to Tailscale";
+
+ after = ["network-pre.target" "tailscale.service"];
+ wants = ["network-pre.target" "tailscale.service"];
+ wantedBy = ["multi-user.target"];
+
+ serviceConfig.Type = "oneshot";
+
+ script = ''
+ # wait for tailscaled to settle
+ sleep 2
+
+ # check if we are already authenticated to tailscale
+ status="$(${lib.getExe pkgs.tailscale} status -json | ${lib.getExe pkgs.jq}/bin/jq -r .BackendState)"
+ if [ $status = "Running" ]; then # if so, then do nothing
+ exit 0
+ fi
+
+ # otherwise authenticate with tailscale
+ ${lib.getExe pkgs.tailscale}/bin/tailscale up --ssh \
+ --auth-key "file:${config.age.secrets.tailscaleAuthKey.path}"
+ '';
+ };
+ };
+ };
+}
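Review bot: `${lib.getExe pkgs.jq}/bin/jq` in the `status=` line and `${lib.getExe pkgs.tailscale}/bin/tailscale` in the `tailscale up` line append `/bin/<name>` to a path that `lib.getExe` already resolves to the executable, so both expand to a non-existent `.../bin/jq/bin/jq`-style path and the autoconnect script cannot complete; the first call on the same line, `${lib.getExe pkgs.tailscale} status -json`, shows the intended form. The unquoted `$status` in `if [ $status = "Running" ]` turns an empty jq result into a `[: =: unary operator expected` error instead of a clean fall-through to `tailscale up`. The three lines would become `status="$(${lib.getExe pkgs.tailscale} status -json | ${lib.getExe pkgs.jq} -r .BackendState)"`, `if [ "$status" = "Running" ]; then`, and `${lib.getExe pkgs.tailscale} up --ssh \`. Separately, `allowedTCPPorts = [22]` under `ssh.enable` opens sshd on every interface, while Tailscale SSH is served over `tailscale0`, which `trustedInterfaces` already admits; if the intent is Tailscale SSH only, the port rule widens exposure beyond the tailnet and should either be removed or carry a comment explaining why public port 22 is wanted.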
diff --git a/modules/nixos/features/virtualisation.nix b/modules/nixos/features/virtualisation.nix
new file mode 100644
index 0000000..206a98e
--- /dev/null
+++ b/modules/nixos/features/virtualisation.nix
@@ -0,0 +1,21 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.features.virtualisation;
+ inherit (lib) mkEnableOption mkIf;
+in {
+ options.features.virtualisation.enable = mkEnableOption "enable podman";
+
+ config.virtualisation = mkIf cfg.enable {
+ podman = {
+ enable = true;
+ enableNvidia = true;
+ extraPackages = with pkgs; [podman-compose];
+ autoPrune.enable = true;
+ };
+ oci-containers.backend = "podman";
+ };
+}
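Review bot: `enableNvidia = true` is unconditional, so every host that turns on `features.virtualisation` pulls in the NVIDIA container runtime hook whether or not it has the driver; since this commit also introduces `hardware.nvidia.enable` in hardware/nvidia.nix, `enableNvidia = config.hardware.nvidia.enable;` would tie the two together, provided the `hardware` module is imported wherever this one is, which the diff does not show. The option description `"enable podman"` does not match the `features.virtualisation` name; `mkEnableOption "podman as the container backend"` would say what the feature actually configures.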
diff --git a/modules/nixos/hardware/default.nix b/modules/nixos/hardware/default.nix
new file mode 100644
index 0000000..b939953
--- /dev/null
+++ b/modules/nixos/hardware/default.nix
@@ -0,0 +1,8 @@
+{lib, ...}: {
+ imports = [
+ ./ssd.nix
+ ./nvidia.nix
+ ];
+
+ hardware.enableAllFirmware = lib.mkDefault true;
+}
diff --git a/modules/nixos/hardware/nvidia.nix b/modules/nixos/hardware/nvidia.nix
new file mode 100644
index 0000000..1b42fef
--- /dev/null
+++ b/modules/nixos/hardware/nvidia.nix
@@ -0,0 +1,34 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.hardware.nvidia;
+ inherit (lib) mkEnableOption mkIf;
+in {
+ options.hardware.nvidia.enable = mkEnableOption "enable nvidia support";
+
+ config = mkIf cfg.enable {
+ environment.sessionVariables = {
+ LIBVA_DRIVER_NAME = "vdpau";
+ VDPAU_DRIVER = "nvidia";
+ };
+
+ hardware = {
+ nvidia = {
+ package = config.boot.kernelPackages.nvidiaPackages.stable;
+ modesetting.enable = true;
+ };
+
+ opengl = {
+ enable = true;
+ # make steam work
+ driSupport32Bit = true;
+ extraPackages = [pkgs.vaapiVdpau];
+ };
+ };
+
+ services.xserver.videoDrivers = ["nvidia"];
+ };
+}
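Review bot: `options.hardware.nvidia.enable` declares a new option inside the upstream `hardware.nvidia` namespace, so if a future nixpkgs release adds an option of the same name evaluation fails with a duplicate-declaration error and every host using this module breaks on upgrade; a namespace this repo owns (`features.nvidia.enable`, matching the `features.*` options introduced in this commit) avoids that. The same applies, with less likelihood, to `hardware.ssd.enable` in ssd.nix. The `# make steam work` comment on `driSupport32Bit` is the right kind of why-comment; the `LIBVA_DRIVER_NAME`/`VDPAU_DRIVER` pair would benefit from one too, e.g. `# route VA-API through the VDPAU backend provided by vaapiVdpau below`.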
diff --git a/modules/nixos/hardware/ssd.nix b/modules/nixos/hardware/ssd.nix
new file mode 100644
index 0000000..7279a12
--- /dev/null
+++ b/modules/nixos/hardware/ssd.nix
@@ -0,0 +1,14 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.hardware.ssd;
+ inherit (lib) mkEnableOption mkIf;
+in {
+ options.hardware.ssd.enable = mkEnableOption "ssd settings";
+
+ config = mkIf cfg.enable {
+ services.fstrim.enable = true;
+ };
+}
diff --git a/modules/nixos/server/acme.nix b/modules/nixos/server/acme.nix
new file mode 100644
index 0000000..48746c2
--- /dev/null
+++ b/modules/nixos/server/acme.nix
@@ -0,0 +1,14 @@
+{config, ...}: {
+ age.secrets = {
+ cloudflareApiKey.file = ../../../secrets/systems/${config.networking.hostName}/cloudflareApiKey.age;
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ email = "[email protected]";
+ dnsProvider = "cloudflare";
+ credentialsFile = config.age.secrets.cloudflareApiKey.path;
+ };
+ };
+}
diff --git a/modules/nixos/server/default.nix b/modules/nixos/server/default.nix
new file mode 100644
index 0000000..1f759ec
--- /dev/null
+++ b/modules/nixos/server/default.nix
@@ -0,0 +1,39 @@
+{
+ config,
+ lib,
+ pkgs,
+ inputs,
+ ...
+}: {
+ imports = [
+ ./acme.nix
+ ./secrets.nix
+ ];
+
+ _module.args.unstable = inputs.nixpkgs.legacyPackages.${pkgs.stdenv.hostPlatform.system};
+
+ documentation = {
+ enable = false;
+
+ man = {
+ enable = false;
+ man-db.enable = false;
+ };
+
+ nixos.enable = false;
+ dev.enable = false;
+ };
+
+ environment.defaultPackages = lib.mkForce [];
+
+ nix = {
+ gc = {
+ dates = "*-*-1,5,9,13,17,21,25,29 00:00:00";
+ options = "-d --delete-older-than 2d";
+ };
+
+ settings.allowed-users = [config.networking.hostName];
+ };
+
+ security.pam.enableSSHAgentAuth = true;
+}
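Review bot: `security.pam.enableSSHAgentAuth = true` lets a key held in a forwarded SSH agent satisfy sudo's PAM check, so on these servers any session that can reach the forwarded agent socket can elevate without a password; that is a defensible choice for headless hosts with `mutableUsers = false`, but it should be stated next to the line, e.g. `# sudo may be satisfied by a key in a forwarded ssh agent (pam_ssh_agent_auth)`. `nix.settings.allowed-users = [config.networking.hostName]` assumes a user account named after the host exists, presumably declared in `../shared`, which this diff does not show, and it does not narrow `root`/`@wheel`, which base.nix lists as trusted users and which the daemon always admits. `nix.gc.options = "-d --delete-older-than 2d"` limits the rollback window to two days; a comment saying that is accepted for servers would stop the next reader from treating it as an oversight.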
diff --git a/modules/nixos/server/secrets.nix b/modules/nixos/server/secrets.nix
new file mode 100644
index 0000000..e435690
--- /dev/null
+++ b/modules/nixos/server/secrets.nix
@@ -0,0 +1,12 @@
+{config, ...}: {
+ age = let
+ baseDir = ../../../secrets/systems/${config.networking.hostName};
+ in {
+ identityPaths = ["/etc/age/key"];
+
+ secrets = {
+ rootPassword.file = "${baseDir}/rootPassword.age";
+ userPassword.file = "${baseDir}/userPassword.age";
+ };
+ };
+}
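Review bot: `baseDir = ../../../secrets/systems/${config.networking.hostName}` is computed here and again, verbatim or inline, in features/tailscale.nix, server/acme.nix, services/cloudflared.nix and services/hercules.nix; a single definition exposed as a module argument (`_module.args.secretsDir = …`) would keep the five copies from drifting when the secrets tree moves. `identityPaths = ["/etc/age/key"]` replaces agenix's default host-SSH-key identities with one file that nothing in this diff provisions, so a comment stating how it is created and protected on a new host would help: `# provisioned out-of-band before first activation; no secret here decrypts without it`.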
diff --git a/modules/nixos/services/cloudflared.nix b/modules/nixos/services/cloudflared.nix
new file mode 100644
index 0000000..a144266
--- /dev/null
+++ b/modules/nixos/services/cloudflared.nix
@@ -0,0 +1,40 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.server.services.cloudflared;
+ inherit (lib) mkEnableOption mkIf;
+in {
+ options.server.services.cloudflared = {
+ enable = mkEnableOption "cloudflared";
+ };
+
+ config = mkIf cfg.enable {
+ age.secrets.cloudflaredCreds = {
+ file = ../../../secrets/systems/${config.networking.hostName}/cloudflaredCreds.age;
+ mode = "400";
+ owner = "cloudflared";
+ group = "cloudflared";
+ };
+
+ services.cloudflared = {
+ enable = true;
+ tunnels = {
+ "${config.networking.hostName}-nginx" = {
+ default = "http_status:404";
+
+ ingress = let
+ inherit (config.services) nginx;
+ in
+ lib.genAttrs
+ (builtins.attrNames nginx.virtualHosts)
+ (_: {service = "http://localhost:${builtins.toString nginx.defaultHTTPListenPort}";});
+
+ originRequest.noTLSVerify = true;
+ credentialsFile = config.age.secrets.cloudflaredCreds.path;
+ };
+ };
+ };
+ };
+}
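Review bot: `originRequest.noTLSVerify = true` has no effect while every ingress rule points at `http://localhost:…`, and it silently disables certificate verification the moment someone changes an origin to `https://`; either drop it or annotate it: `# origins are plain http on localhost; remove noTLSVerify before pointing any rule at https`. The `ingress` map publishes every name in `config.services.nginx.virtualHosts` through the tunnel, so a vhost added later for local-only use becomes reachable from Cloudflare once its DNS record points at the tunnel, unless the nginx side restricts it; presumably intended, but worth a comment on the `lib.genAttrs` line. The secret block with `mode = "400"` and the `cloudflared` owner/group is the right shape.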
diff --git a/modules/nixos/services/default.nix b/modules/nixos/services/default.nix
new file mode 100644
index 0000000..3423b79
--- /dev/null
+++ b/modules/nixos/services/default.nix
@@ -0,0 +1,7 @@
+{
+ imports = [
+ ./cloudflared.nix
+ ./hercules.nix
+ ./promtail.nix
+ ];
+}
diff --git a/modules/nixos/services/hercules.nix b/modules/nixos/services/hercules.nix
new file mode 100644
index 0000000..fc3c92d
--- /dev/null
+++ b/modules/nixos/services/hercules.nix
@@ -0,0 +1,55 @@
+{
+ config,
+ lib,
+ unstable,
+ ...
+}: let
+ cfg = config.server.services.hercules-ci;
+ inherit (lib) mkEnableOption mkIf;
+
+ baseDir = ../../../secrets/systems/${config.networking.hostName};
+ hercArgs = {
+ mode = "400";
+ owner = "hercules-ci-agent";
+ group = "hercules-ci-agent";
+ };
+in {
+ options.server.services.hercules-ci = {
+ enable = mkEnableOption "enable hercules-ci";
+ secrets.enable = mkEnableOption "manage secrets for hercules-ci";
+ };
+
+ config = mkIf cfg.enable {
+ age.secrets = mkIf cfg.secrets.enable {
+ binaryCache =
+ {
+ file = "${baseDir}/binaryCache.age";
+ }
+ // hercArgs;
+
+ clusterToken =
+ {
+ file = "${baseDir}/clusterToken.age";
+ }
+ // hercArgs;
+
+ secretsJson =
+ {
+ file = "${baseDir}/secretsJson.age";
+ }
+ // hercArgs;
+ };
+
+ services = {
+ hercules-ci-agent = {
+ enable = true;
+ package = unstable.hercules-ci-agent;
+ settings = {
+ binaryCachesPath = config.age.secrets.binaryCache.path;
+ clusterJoinTokenPath = config.age.secrets.clusterToken.path;
+ secretsJsonPath = config.age.secrets.secretsJson.path;
+ };
+ };
+ };
+ };
+}
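Review bot: `unstable` is taken as a required module-function argument in the header, but the only place it is supplied is `_module.args.unstable` in server/default.nix; services/default.nix is exported as its own `services` module, so importing it without `server` and enabling `server.services.hercules-ci` fails at evaluation with a missing-argument error. A default in the header (`unstable ? pkgs`) would not help, because the module system looks every declared argument up in `_module.args` regardless of defaults. Moving the `_module.args.unstable = …` line into services/default.nix next to its `imports`, or into this file, keeps the dependency with its consumer. The `hercArgs` name says little; `agentOwned` or `secretAttrs` would read better for the shared `mode`/`owner`/`group` set.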
diff --git a/modules/nixos/services/promtail.nix b/modules/nixos/services/promtail.nix
new file mode 100644
index 0000000..63faf15
--- /dev/null
+++ b/modules/nixos/services/promtail.nix
@@ -0,0 +1,47 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.server.services.promtail;
+ inherit (lib) mkEnableOption mkIf mkOption types;
+in {
+ options.server.services.promtail = {
+ enable = mkEnableOption "enable promtail";
+
+ clients = mkOption {
+ type = types.listOf types.attrs;
+ default = [{}];
+ description = "clients for promtail";
+ };
+ };
+
+ config.services.promtail = mkIf cfg.enable {
+ enable = true;
+ configuration = {
+ inherit (cfg) clients;
+ server.disable = true;
+
+ scrape_configs = [
+ {
+ job_name = "journal";
+
+ journal = {
+ max_age = "12h";
+ labels = {
+ job = "systemd-journal";
+ host = "${config.networking.hostName}";
+ };
+ };
+
+ relabel_configs = [
+ {
+ source_labels = ["__journal__systemd_unit"];
+ target_label = "unit";
+ }
+ ];
+ }
+ ];
+ };
+ };
+}
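Review bot: the `clients` option defaults to `[{}]`, which renders as a client entry with no `url`, so enabling promtail without overriding `clients` produces a configuration promtail will presumably reject at start-up; `default = [];` with a description saying the option must be set by the host (or an assertion that it is non-empty when `cfg.enable`) states the requirement instead of hiding it. `host = "${config.networking.hostName}";` can be `host = config.networking.hostName;`. `server.disable = true` is a good choice here, since promtail then presumably opens no listening socket of its own.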