75 files changed, 1093 insertions, 671 deletions
diff --git a/modules/darwin/suites/default.nix b/modules/darwin/archetypes/default.nix
index b4bd1b5..b4bd1b5 100644
--- a/modules/darwin/suites/default.nix
+++ b/modules/darwin/archetypes/default.nix
diff --git a/modules/darwin/archetypes/personal.nix b/modules/darwin/archetypes/personal.nix
new file mode 100644
index 0000000..34f9ec4
--- /dev/null
+++ b/modules/darwin/archetypes/personal.nix
@@ -0,0 +1,21 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.archetypes.personal;
+in {
+ options.archetypes.personal = {
+ enable = lib.mkEnableOption "personal archetype";
+ };
+
+ config = lib.mkIf cfg.enable {
+ base.enable = true;
+ desktop.enable = true;
+
+ traits = {
+ home-manager.enable = true;
+ users.seth.enable = true;
+ };
+ };
+}
diff --git a/modules/darwin/base.nix b/modules/darwin/base.nix
deleted file mode 100644
index 9fc0d86..0000000
--- a/modules/darwin/base.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{
- lib,
- inputs,
- ...
-}: {
- imports = [../shared];
-
- # not sure why i have to force this
- environment.etc."nix/inputs/nixpkgs".source = lib.mkForce inputs.nixpkgs.outPath;
-
- programs = {
- bash.enable = true;
- vim.enable = true;
- zsh.enable = true;
- };
-
- services.nix-daemon.enable = true;
-}
diff --git a/modules/darwin/base/default.nix b/modules/darwin/base/default.nix
new file mode 100644
index 0000000..5066832
--- /dev/null
+++ b/modules/darwin/base/default.nix
@@ -0,0 +1,7 @@
+{
+ imports = [
+ ../../shared
+ ./nix.nix
+ ./programs.nix
+ ];
+}
diff --git a/modules/darwin/base/nix.nix b/modules/darwin/base/nix.nix
new file mode 100644
index 0000000..dd593f9
--- /dev/null
+++ b/modules/darwin/base/nix.nix
@@ -0,0 +1,16 @@
+{
+ config,
+ lib,
+ inputs,
+ ...
+}: let
+ cfg = config.base.nixSettings;
+ enable = config.base.enable && cfg.enable;
+in {
+ config = lib.mkIf enable {
+ # not sure why i have to force this
+ environment.etc."nix/inputs/nixpkgs".source = lib.mkForce inputs.nixpkgs.outPath;
+
+ services.nix-daemon.enable = true;
+ };
+}
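Review bot: base/nix.nix reads `config.base.nixSettings.enable` and `config.base.enable`, but no `options.base` declaration appears in any darwin base module of this diff; unless `../../shared` (imported by base/default.nix, not shown here) declares them, evaluation fails on an undefined option. The same applies to `base.defaultPrograms` in darwin base/programs.nix and to `base.documentation`, `base.nixSettings` and `base.defaultPrograms` in the nixos base modules, while nixos base/networking.nix and base/security.nix declare their own options inline. If the declarations are not in shared, declaring each next to its consumer keeps the pattern consistent, e.g. `options.base.nixSettings.enable = lib.mkEnableOption "nix daemon settings" // {default = true;};`.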
diff --git a/modules/darwin/base/programs.nix b/modules/darwin/base/programs.nix
new file mode 100644
index 0000000..bb6d4f5
--- /dev/null
+++ b/modules/darwin/base/programs.nix
@@ -0,0 +1,16 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.base.defaultPrograms;
+ enable = config.base.enable && cfg.enable;
+in {
+ config = lib.mkIf enable {
+ programs = {
+ bash.enable = true;
+ vim.enable = true;
+ zsh.enable = true;
+ };
+ };
+}
diff --git a/modules/darwin/default.nix b/modules/darwin/default.nix
index 4dfa561..1b6cd03 100644
--- a/modules/darwin/default.nix
+++ b/modules/darwin/default.nix
@@ -1,7 +1,8 @@
 {
 flake.darwinModules = {
- default = ./base.nix;
- desktop = ./desktop.nix;
- suites = ./suites;
+ default = ./base;
+ archetypes = ./archetypes;
+ desktop = ./desktop;
+ traits = ./traits;
 };
 }
diff --git a/modules/darwin/desktop.nix b/modules/darwin/desktop.nix
deleted file mode 100644
index c6eb106..0000000
--- a/modules/darwin/desktop.nix
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}: let
- cfg = config.desktop;
-in {
- options.desktop.enable = lib.mkEnableOption "base desktop settings";
-
- config = lib.mkIf cfg.enable {
- fonts.fonts = with pkgs;
- lib.mkDefault [
- (nerdfonts.override {fonts = ["FiraCode"];})
- ];
-
- homebrew = {
- enable = lib.mkDefault true;
-
- onActivation = lib.mkDefault {
- autoUpdate = true;
- cleanup = "zap";
- upgrade = true;
- };
-
- caskArgs = {
- no_quarantine = true;
- require_sha = false;
- };
-
- casks = [
- "chromium"
- "iterm2"
- ];
- };
-
- programs.gnupg.agent.enable = lib.mkDefault true;
- };
-}
diff --git a/modules/darwin/desktop/default.nix b/modules/darwin/desktop/default.nix
new file mode 100644
index 0000000..cdfb246
--- /dev/null
+++ b/modules/darwin/desktop/default.nix
@@ -0,0 +1,11 @@
+{lib, ...}: {
+ options.desktop = {
+ enable = lib.mkEnableOption "base desktop settings";
+ };
+
+ imports = [
+ ./fonts.nix
+ ./homebrew.nix
+ ./programs.nix
+ ];
+}
diff --git a/modules/darwin/desktop/fonts.nix b/modules/darwin/desktop/fonts.nix
new file mode 100644
index 0000000..39d8531
--- /dev/null
+++ b/modules/darwin/desktop/fonts.nix
@@ -0,0 +1,20 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.desktop.fonts;
+ enable = config.desktop.enable && cfg.enable;
+in {
+ options.desktop.fonts = {
+ enable = lib.mkEnableOption "desktop fonts" // {default = true;};
+ };
+
+ config = lib.mkIf enable {
+ fonts.fonts = with pkgs;
+ lib.mkDefault [
+ (nerdfonts.override {fonts = ["FiraCode"];})
+ ];
+ };
+}
diff --git a/modules/darwin/desktop/homebrew.nix b/modules/darwin/desktop/homebrew.nix
new file mode 100644
index 0000000..1015ff9
--- /dev/null
+++ b/modules/darwin/desktop/homebrew.nix
@@ -0,0 +1,29 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.desktop.homebrew;
+ enable = config.desktop.enable && cfg.enable;
+in {
+ options.desktop.homebrew = {
+ enable = lib.mkEnableOption "Homebrew integration" // {default = true;};
+ };
+
+ config = lib.mkIf enable {
+ homebrew = {
+ enable = true;
+
+ onActivation = lib.mkDefault {
+ autoUpdate = true;
+ cleanup = "zap";
+ upgrade = true;
+ };
+
+ caskArgs = {
+ no_quarantine = true;
+ require_sha = false;
+ };
+ };
+ };
+}
diff --git a/modules/darwin/desktop/programs.nix b/modules/darwin/desktop/programs.nix
new file mode 100644
index 0000000..b681c59
--- /dev/null
+++ b/modules/darwin/desktop/programs.nix
@@ -0,0 +1,20 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.desktop.defaultPrograms;
+ enable = config.desktop.enable && cfg.enable;
+in {
+ options.desktop.defaultPrograms = {
+ enable = lib.mkEnableOption "default desktop programs" // {default = true;};
+ };
+
+ config = lib.mkIf enable {
+ homebrew.casks = [
+ "chromium"
+ "iterm2"
+ ];
+ programs.gnupg.agent.enable = lib.mkDefault true;
+ };
+}
diff --git a/modules/darwin/suites/personal.nix b/modules/darwin/suites/personal.nix
deleted file mode 100644
index 6f37936..0000000
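Review bot: `caskArgs` in desktop/homebrew.nix sets `no_quarantine = true` and `require_sha = false` for every cask, which skips the Gatekeeper quarantine attribute and the cask checksum verification on install; since this module is on by default whenever `desktop.enable` is set, the trade-off deserves a comment at that line, e.g. `# no_quarantine skips Gatekeeper, require_sha = false skips cask checksum checks — applies to every cask on this host`. Consider `lib.mkDefault` on the two values so a host can tighten them without `mkForce`.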
--- a/modules/darwin/suites/personal.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- config,
- lib,
- ...
-}: let
- cfg = config.suites.personal;
-in {
- config = lib.mkIf cfg.enable {
- desktop.enable = true;
- };
-}
diff --git a/modules/shared/suites/default.nix b/modules/darwin/traits/default.nix
index b4bd1b5..e6e5275 100644
--- a/modules/shared/suites/default.nix
+++ b/modules/darwin/traits/default.nix
@@ -1,5 +1,5 @@
 {
 imports = [
- ./personal.nix
+ ./users.nix
 ];
 }
diff --git a/modules/darwin/traits/users.nix b/modules/darwin/traits/users.nix
new file mode 100644
index 0000000..b0a2078
--- /dev/null
+++ b/modules/darwin/traits/users.nix
@@ -0,0 +1,5 @@
+{
+ imports = [
+ ../../../users/seth/darwin.nix
+ ];
+}
diff --git a/modules/nixos/suites/default.nix b/modules/nixos/archetypes/default.nix
index 0d11285..dfdb4e4 100644
--- a/modules/nixos/suites/default.nix
+++ b/modules/nixos/archetypes/default.nix
@@ -1,6 +1,6 @@
 {
 imports = [
- ./personal.nix
 ./server.nix
+ ./personal.nix
 ];
 }
diff --git a/modules/nixos/archetypes/personal.nix b/modules/nixos/archetypes/personal.nix
new file mode 100644
index 0000000..7122708
--- /dev/null
+++ b/modules/nixos/archetypes/personal.nix
@@ -0,0 +1,32 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.archetypes.personal;
+in {
+ options.archetypes = {
+ personal.enable = lib.mkEnableOption "personal archetype";
+ };
+
+ config = lib.mkIf cfg.enable {
+ base.enable = true;
+
+ traits = {
+ home-manager.enable = true;
+
+ locale = {
+ en_US.enable = true;
+ US-east.enable = true;
+ };
+
+ secrets.enable = true;
+ tailscale.enable = true;
+ user-setup.enable = true;
+
+ users = {
+ seth.enable = true;
+ };
+ };
+ };
+}
diff --git a/modules/nixos/archetypes/server.nix b/modules/nixos/archetypes/server.nix
new file mode 100644
index 0000000..31e0bf5
--- /dev/null
+++ b/modules/nixos/archetypes/server.nix
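Review bot: nixos archetypes/personal.nix sets `traits.locale.US-east.enable = true`, but traits/locale.nix in this diff declares only `traits.locale.en_US.enable`, so unless `US-east` is declared in a module outside the diff the evaluation fails with an undefined option; archetypes/server.nix sets the same value. Either add the declaration to locale.nix together with whatever settings it is meant to carry, or drop the two assignments until it exists.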
@@ -0,0 +1,68 @@
+{
+ config,
+ lib,
+ pkgs,
+ inputs,
+ ...
+}: let
+ cfg = config.archetypes.server;
+in {
+ options.archetypes = {
+ server.enable = lib.mkEnableOption "server archetype";
+ };
+
+ config = lib.mkIf cfg.enable {
+ base = {
+ enable = true;
+ documentation.enable = false;
+ };
+
+ traits = {
+ cloudflared.enable = true;
+
+ locale = {
+ en_US.enable = true;
+ US-east.enable = true;
+ };
+
+ secrets.enable = true;
+
+ tailscale = {
+ enable = true;
+ ssh.enable = true;
+ };
+
+ user-setup.enable = true;
+ users = {
+ hostUser.enable = true;
+ };
+ };
+
+ _module.args.unstable = inputs.nixpkgs.legacyPackages.${pkgs.stdenv.hostPlatform.system};
+
+ boot = {
+ tmp.cleanOnBoot = lib.mkDefault true;
+ kernelPackages = lib.mkDefault pkgs.linuxPackages_hardened;
+ };
+
+ documentation = {
+ enable = false;
+ man.enable = false;
+ };
+
+ environment = {
+ defaultPackages = lib.mkForce [];
+ etc."nix/inputs/nixpkgs".source = inputs.nixpkgs-stable.outPath;
+ };
+
+ nix = {
+ gc = {
+ dates = "*-*-1,5,9,13,17,21,25,29 00:00:00";
+ options = "-d --delete-older-than 2d";
+ };
+
+ registry.n.flake = inputs.nixpkgs-stable;
+ settings.allowed-users = [config.networking.hostName];
+ };
+ };
+}
diff --git a/modules/nixos/base.nix b/modules/nixos/base.nix
deleted file mode 100644
index a5c4318..0000000
--- a/modules/nixos/base.nix
+++ /dev/null
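Review bot: `nix.settings.allowed-users = [config.networking.hostName]` in archetypes/server.nix uses the host name as a Nix user name; this only works if the host user created by `traits.users.hostUser` (declared outside this diff) is literally named after the host, and nothing in this file ties the two together. A comment at that line, e.g. `# daemon access is limited to the host user, which traits.users.hostUser presumably names after the hostname`, makes the coupling visible; better still, reference the user name from the users option rather than from `networking.hostName`.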
@@ -1,90 +0,0 @@
-{
- config,
- lib,
- pkgs,
- inputs,
- ...
-}: let
- inherit (lib) mkDefault;
-in {
- imports = [
- ../shared
- ];
-
- environment.systemPackages = with pkgs; [man-pages man-pages-posix];
-
- documentation.nixos.enable = false;
-
- # not sure why i can't use this on darwin?
- environment.etc."nix/inputs/nixpkgs".source = lib.mkDefault inputs.nixpkgs.outPath;
-
- i18n = {
- supportedLocales = [
- "en_US.UTF-8/UTF-8"
- ];
-
- defaultLocale = "en_US.UTF-8";
- };
-
- networking.networkmanager = {
- enable = mkDefault true;
- dns = mkDefault "systemd-resolved";
- };
-
- nix = {
- channel.enable = mkDefault false;
- gc.dates = mkDefault "weekly";
- settings.trusted-users = ["root" "@wheel"];
- };
-
- programs = {
- git.enable = mkDefault true;
- vim.defaultEditor = mkDefault true;
- };
-
- security = {
- apparmor.enable = mkDefault true;
- audit.enable = mkDefault true;
- auditd.enable = mkDefault true;
- polkit.enable = mkDefault true;
- rtkit.enable = mkDefault true;
- sudo.execWheelOnly = true;
- };
-
- services = {
- dbus.apparmor = mkDefault "enabled";
-
- resolved = {
- enable = mkDefault true;
- dnssec = mkDefault "allow-downgrade";
- extraConfig = mkDefault ''
- [Resolve]
- DNS=1.1.1.1 1.0.0.1
- DNSOverTLS=yes
- '';
- };
-
- journald.extraConfig = ''
- MaxRetentionSec=1w
- '';
- };
-
- system.activationScripts."upgrade-diff" = {
- supportsDryActivation = true;
- text = ''
- ${pkgs.nvd}/bin/nvd --nix-bin-dir=${config.nix.package}/bin diff /run/current-system "$systemConfig"
- '';
- };
-
- users = {
- defaultUserShell = pkgs.bash;
- mutableUsers = false;
-
- users.root = {
- home = mkDefault "/root";
- uid = mkDefault config.ids.uids.root;
- group = mkDefault "root";
- hashedPasswordFile = mkDefault config.age.secrets.rootPassword.path;
- };
- };
-}
diff --git a/modules/nixos/base/default.nix b/modules/nixos/base/default.nix
new file mode 100644
index 0000000..31cd6ff
--- /dev/null
+++ b/modules/nixos/base/default.nix
@@ -0,0 +1,28 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: {
+ imports = [
+ ../../shared
+ ./documentation.nix
+ ./networking.nix
+ ./nix.nix
+ ./programs.nix
+ ./security.nix
+ ];
+
+ services.journald.extraConfig = ''
+ MaxRetentionSec=1w
+ '';
+
+ system.activationScripts."upgrade-diff" = {
+ supportsDryActivation = true;
+ text = ''
+ ${lib.getExe pkgs.nvd} \
+ --nix-bin-dir=${config.nix.package}/bin \
+ diff /run/current-system "$systemConfig"
+ '';
+ };
+}
diff --git a/modules/nixos/base/documentation.nix b/modules/nixos/base/documentation.nix
new file mode 100644
index 0000000..5792c80
--- /dev/null
+++ b/modules/nixos/base/documentation.nix
@@ -0,0 +1,15 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.base.documentation;
+ enable = config.base.enable && cfg.enable;
+in {
+ config = lib.mkIf enable {
+ documentation.nixos.enable = false;
+
+ environment.systemPackages = with pkgs; [man-pages man-pages-posix];
+ };
+}
diff --git a/modules/nixos/base/networking.nix b/modules/nixos/base/networking.nix
new file mode 100644
index 0000000..895127c
--- /dev/null
+++ b/modules/nixos/base/networking.nix
@@ -0,0 +1,31 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.base.networking;
+ enable = config.base.enable && cfg.enable;
+in {
+ options.base.networking = {
+ enable = lib.mkEnableOption "base network settings" // {default = true;};
+ };
+
+ config = lib.mkIf enable {
+ networking.networkmanager = {
+ enable = lib.mkDefault true;
+ dns = "systemd-resolved";
+ };
+
+ services = {
+ resolved = {
+ enable = lib.mkDefault true;
+ dnssec = "allow-downgrade";
+ extraConfig = lib.mkDefault ''
+ [Resolve]
+ DNS=1.1.1.1 1.0.0.1
+ DNSOverTLS=yes
+ '';
+ };
+ };
+ };
+}
diff --git a/modules/nixos/base/nix.nix b/modules/nixos/base/nix.nix
new file mode 100644
index 0000000..720a074
--- /dev/null
+++ b/modules/nixos/base/nix.nix
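Review bot: in base/networking.nix `dns = "systemd-resolved"` and `dnssec = "allow-downgrade"` are now plain assignments, whereas the deleted base.nix wrapped both in `mkDefault`, so a host can no longer override them without `lib.mkForce`; if that tightening is intended it should be stated, otherwise restore `lib.mkDefault` on both. `allow-downgrade` also means resolved falls back to unvalidated answers when DNSSEC validation fails, which is worth a one-line comment next to the setting, e.g. `# allow-downgrade: unvalidated answers are accepted when DNSSEC validation fails`.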
@@ -0,0 +1,20 @@
+{
+ config,
+ lib,
+ inputs,
+ ...
+}: let
+ cfg = config.base.nixSettings;
+ enable = config.base.enable && cfg.enable;
+in {
+ config = lib.mkIf enable {
+ # not sure why i can't use this on darwin?
+ environment.etc."nix/inputs/nixpkgs".source = lib.mkDefault inputs.nixpkgs.outPath;
+
+ nix = {
+ channel.enable = lib.mkDefault false;
+ gc.dates = lib.mkDefault "weekly";
+ settings.trusted-users = ["root" "@wheel"];
+ };
+ };
+}
diff --git a/modules/nixos/base/programs.nix b/modules/nixos/base/programs.nix
new file mode 100644
index 0000000..7d1a15b
--- /dev/null
+++ b/modules/nixos/base/programs.nix
@@ -0,0 +1,15 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.base.defaultPrograms;
+ enable = config.base.enable && cfg.enable;
+in {
+ config = lib.mkIf enable {
+ programs = {
+ git.enable = true;
+ vim.defaultEditor = true;
+ };
+ };
+}
diff --git a/modules/nixos/base/security.nix b/modules/nixos/base/security.nix
new file mode 100644
index 0000000..4401f81
--- /dev/null
+++ b/modules/nixos/base/security.nix
@@ -0,0 +1,26 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.base.security;
+ enable = config.base.enable && cfg.enable;
+in {
+ options.base.security = {
+ enable = lib.mkEnableOption "base security settings" // {default = true;};
+ };
+
+ config = lib.mkIf enable {
+ security = {
+ apparmor.enable = lib.mkDefault true;
+ audit.enable = lib.mkDefault true;
+ auditd.enable = lib.mkDefault true;
+ polkit.enable = lib.mkDefault true;
+ sudo.execWheelOnly = true;
+ };
+
+ services = {
+ dbus.apparmor = lib.mkDefault "enabled";
+ };
+ };
+}
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index a7ba7f9..a334bb3 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
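Review bot: base/nix.nix keeps `settings.trusted-users = ["root" "@wheel"]` as a plain assignment; members of trusted-users can override substituters, sandbox settings and other daemon options, so every wheel user effectively has root-equivalent control over the Nix daemon, and the `allowed-users` restriction in archetypes/server.nix does not narrow this. Wrapping it in `lib.mkDefault` and adding `# wheel members can set any daemon option (substituters, sandbox); narrow per host if needed` lets a host tighten it without `mkForce`.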
@@ -1,10 +1,8 @@
 {
 flake.nixosModules = {
- default = ./base.nix;
+ default = ./base;
+ archetypes = ./archetypes;
 desktop = ./desktop;
- features = ./features;
- server = ./server;
- services = ./services;
- suites = ./suites;
+ traits = ./traits;
 };
 }
diff --git a/modules/nixos/desktop/audio.nix b/modules/nixos/desktop/audio.nix
new file mode 100644
index 0000000..1e47ab2
--- /dev/null
+++ b/modules/nixos/desktop/audio.nix
@@ -0,0 +1,27 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.desktop.audio;
+ enable = config.desktop.enable && cfg.enable;
+in {
+ options.desktop.audio = {
+ enable = lib.mkEnableOption "desktop audio configuration" // {default = true;};
+ };
+
+ config = lib.mkIf enable {
+ hardware.pulseaudio.enable = false;
+ security.rtkit.enable = true;
+
+ services = {
+ pipewire = lib.mkDefault {
+ enable = true;
+ wireplumber.enable = true;
+ alsa.enable = true;
+ jack.enable = true;
+ pulse.enable = true;
+ };
+ };
+ };
+}
diff --git a/modules/nixos/desktop/default.nix b/modules/nixos/desktop/default.nix
index 12023ef..17392c4 100644
--- a/modules/nixos/desktop/default.nix
+++ b/modules/nixos/desktop/default.nix
@@ -1,68 +1,25 @@
 {
 config,
 lib,
- pkgs,
 ...
 }: let
 cfg = config.desktop;
 in {
- options.desktop.enable = lib.mkEnableOption "base desktop settings";
+ options.desktop = {
+ enable = lib.mkEnableOption "desktop settings";
+ };
 
 imports = [
+ ./audio.nix
+ ./fonts.nix
+ ./programs.nix
+
 ./budgie
 ./gnome
 ./plasma
 ];
 
 config = lib.mkIf cfg.enable {
- environment = {
- noXlibs = lib.mkForce false;
- systemPackages = with pkgs; [wl-clipboard xclip];
- };
-
- fonts = {
- enableDefaultPackages = lib.mkDefault true;
-
- packages = with pkgs; [
- (nerdfonts.override {fonts = ["FiraCode" "Hack" "Noto"];})
- noto-fonts
- noto-fonts-extra
- noto-fonts-color-emoji
- noto-fonts-cjk-sans
- ];
-
- fontconfig = {
- enable = lib.mkDefault true;
- cache32Bit = true;
- defaultFonts = lib.mkDefault {
- serif = ["Noto Serif"];
- sansSerif = ["Noto Sans"];
- emoji = ["Noto Color Emoji"];
- monospace = ["Noto Sans Mono"];
- };
- };
- };
-
- hardware.pulseaudio.enable = false;
-
- programs = {
- chromium.enable = lib.mkDefault true;
- firefox.enable = lib.mkDefault true;
- xwayland.enable = lib.mkDefault true;
- };
-
- services = {
- pipewire = lib.mkDefault {
- enable = true;
- wireplumber.enable = true;
- alsa.enable = true;
- jack.enable = true;
- pulse.enable = true;
- };
-
- xserver.enable = lib.mkDefault true;
- };
-
- xdg.portal.enable = lib.mkDefault true;
+ services.xserver.enable = true;
 };
 }
diff --git a/modules/nixos/desktop/fonts.nix b/modules/nixos/desktop/fonts.nix
new file mode 100644
index 0000000..212f88c
--- /dev/null
+++ b/modules/nixos/desktop/fonts.nix
@@ -0,0 +1,38 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.desktop.fonts;
+ enable = config.desktop.enable && cfg.enable;
+in {
+ options.desktop.fonts = {
+ enable = lib.mkEnableOption "desktop fonts" // {default = true;};
+ };
+
+ config = lib.mkIf enable {
+ fonts = {
+ enableDefaultPackages = true;
+
+ packages = with pkgs; [
+ (nerdfonts.override {fonts = ["FiraCode" "Hack" "Noto"];})
+ noto-fonts
+ noto-fonts-extra
+ noto-fonts-color-emoji
+ noto-fonts-cjk-sans
+ ];
+
+ fontconfig = {
+ enable = true;
+ cache32Bit = lib.mkDefault true;
+ defaultFonts = lib.mkDefault {
+ serif = ["Noto Serif"];
+ sansSerif = ["Noto Sans"];
+ emoji = ["Noto Color Emoji"];
+ monospace = ["Noto Sans Mono"];
+ };
+ };
+ };
+ };
+}
diff --git a/modules/nixos/desktop/programs.nix b/modules/nixos/desktop/programs.nix
new file mode 100644
index 0000000..94bde49
--- /dev/null
+++ b/modules/nixos/desktop/programs.nix
@@ -0,0 +1,28 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.desktop.defaultPrograms;
+ enable = config.desktop.enable && cfg.enable;
+in {
+ options.desktop.defaultPrograms = {
+ enable = lib.mkEnableOption "default desktop programs" // {default = true;};
+ };
+
+ config = lib.mkIf enable {
+ environment = {
+ noXlibs = lib.mkForce false;
+ systemPackages = with pkgs; [wl-clipboard xclip];
+ };
+
+ programs = {
+ chromium.enable = true;
+ firefox.enable = true;
+ xwayland.enable = true;
+ };
+
+ xdg.portal.enable = true;
+ };
+}
diff --git a/modules/nixos/features/default.nix b/modules/nixos/features/default.nix
deleted file mode 100644
index 607277f..0000000
--- a/modules/nixos/features/default.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- imports = [
- ./containers.nix
- ./nvk
- ./tailscale.nix
- ];
-}
diff --git a/modules/nixos/features/tailscale.nix b/modules/nixos/features/tailscale.nix
deleted file mode 100644
index 9eba428..0000000
--- a/modules/nixos/features/tailscale.nix
+++ /dev/null
@@ -1,37 +0,0 @@
-{
- config,
- lib,
- secretsDir,
- ...
-}: let
- cfg = config.features.tailscale;
-in {
- options.features.tailscale = {
- enable = lib.mkEnableOption "Tailscale";
- ssh.enable = lib.mkEnableOption "Tailscale SSH";
- };
-
- config = lib.mkIf cfg.enable {
- age.secrets = lib.mkIf cfg.ssh.enable {
- tailscaleAuthKey.file = "${secretsDir}/tailscaleAuthKey.age";
- };
-
- networking.firewall =
- {
- trustedInterfaces = ["tailscale0"];
- }
- // lib.optionalAttrs cfg.ssh.enable {
- allowedTCPPorts = [22];
- };
-
- services.tailscale =
- {
- enable = true;
- openFirewall = true;
- }
- // lib.optionalAttrs cfg.ssh.enable {
- authKeyFile = config.age.secrets.tailscaleAuthKey.path;
- extraUpFlags = ["--ssh"];
- };
- };
-}
diff --git a/modules/nixos/server/acme.nix b/modules/nixos/server/acme.nix
deleted file mode 100644
index a08c8ae..0000000
--- a/modules/nixos/server/acme.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- config,
- lib,
- secretsDir,
- ...
-}: let
- cfg = config.server.acme;
-in {
- options.server.acme.enable = lib.mkEnableOption "ACME support";
-
- config = lib.mkIf cfg.enable {
- age.secrets = {
- cloudflareApiKey.file = secretsDir + "/cloudflareApiKey.age";
- };
-
- security.acme = {
- acceptTerms = true;
- defaults = {
- email = "[email protected]";
- dnsProvider = "cloudflare";
- credentialsFile = config.age.secrets.cloudflareApiKey.path;
- };
- };
- };
-}
diff --git a/modules/nixos/server/default.nix b/modules/nixos/server/default.nix
deleted file mode 100644
index baf05f9..0000000
--- a/modules/nixos/server/default.nix
+++ /dev/null
@@ -1,43 +0,0 @@
-{
- config,
- lib,
- pkgs,
- inputs,
- ...
-}: let
- cfg = config.server;
-in {
- options.server.enable = lib.mkEnableOption "base server settings";
-
- imports = [
- ./acme.nix
- ./secrets.nix
- ];
-
- config = lib.mkIf cfg.enable {
- _module.args.unstable = inputs.nixpkgs.legacyPackages.${pkgs.stdenv.hostPlatform.system};
-
- boot = {
- tmp.cleanOnBoot = lib.mkDefault true;
- kernelPackages = lib.mkDefault pkgs.linuxPackages_hardened;
- };
- environment.etc."nix/inputs/nixpkgs".source = inputs.nixpkgs-stable.outPath;
-
- documentation = {
- enable = false;
- man.enable = false;
- };
-
- environment.defaultPackages = lib.mkForce [];
-
- nix = {
- gc = {
- dates = "*-*-1,5,9,13,17,21,25,29 00:00:00";
- options = "-d --delete-older-than 2d";
- };
-
- registry.n.flake = inputs.nixpkgs-stable;
- settings.allowed-users = [config.networking.hostName];
- };
- };
-}
diff --git a/modules/nixos/server/secrets.nix b/modules/nixos/server/secrets.nix
deleted file mode 100644
index 0f38995..0000000
--- a/modules/nixos/server/secrets.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- config,
- lib,
- secretsDir,
- ...
-}: let
- cfg = config.server.secrets;
-in {
- options.server.secrets.enable = lib.mkEnableOption "secrets management";
-
- config = lib.mkIf cfg.enable {
- age = {
- identityPaths = ["/etc/age/key"];
-
- secrets = {
- rootPassword.file = secretsDir + "/rootPassword.age";
- userPassword.file = secretsDir + "/userPassword.age";
- };
- };
- };
-}
diff --git a/modules/nixos/services/cloudflared.nix b/modules/nixos/services/cloudflared.nix
deleted file mode 100644
index 42f5908..0000000
--- a/modules/nixos/services/cloudflared.nix
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- config,
- lib,
- secretsDir,
- ...
-}: let
- cfg = config.server.services.cloudflared;
- inherit (lib) mkEnableOption mkIf;
- inherit (config.services) nginx;
-in {
- options.server.services.cloudflared = {
- enable = mkEnableOption "cloudflared";
- };
-
- config = mkIf cfg.enable {
- age.secrets.cloudflaredCreds = {
- file = secretsDir + "/cloudflaredCreds.age";
- mode = "400";
- owner = "cloudflared";
- group = "cloudflared";
- };
-
- services.cloudflared = {
- enable = true;
- tunnels = {
- "${config.networking.hostName}-nginx" = {
- default = "http_status:404";
-
- ingress = lib.genAttrs (builtins.attrNames nginx.virtualHosts) (
- _: {service = "http://localhost:${toString nginx.defaultHTTPListenPort}";}
- );
-
- credentialsFile = config.age.secrets.cloudflaredCreds.path;
- };
- };
- };
- };
-}
diff --git a/modules/nixos/services/default.nix b/modules/nixos/services/default.nix
deleted file mode 100644
index 3423b79..0000000
--- a/modules/nixos/services/default.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- imports = [
- ./cloudflared.nix
- ./hercules.nix
- ./promtail.nix
- ];
-}
diff --git a/modules/nixos/services/hercules.nix b/modules/nixos/services/hercules.nix
deleted file mode 100644
index 879367c..0000000
--- a/modules/nixos/services/hercules.nix
+++ /dev/null
@@ -1,55 +0,0 @@
-{
- config,
- lib,
- unstable,
- secretsDir,
- ...
-}: let
- cfg = config.server.services.hercules-ci;
- inherit (lib) mkEnableOption mkIf;
-
- hercArgs = {
- mode = "400";
- owner = "hercules-ci-agent";
- group = "hercules-ci-agent";
- };
-in {
- options.server.services.hercules-ci = {
- enable = mkEnableOption "hercules-ci";
- secrets.enable = mkEnableOption "secrets management for hercules-ci";
- };
-
- config = mkIf cfg.enable {
- age.secrets = mkIf cfg.secrets.enable {
- binaryCache =
- {
- file = secretsDir + "/binaryCache.age";
- }
- // hercArgs;
-
- clusterToken =
- {
- file = secretsDir + "/clusterToken.age";
- }
- // hercArgs;
-
- secretsJson =
- {
- file = secretsDir + "/secretsJson.age";
- }
- // hercArgs;
- };
-
- services = {
- hercules-ci-agent = {
- enable = true;
- package = unstable.hercules-ci-agent;
- settings = {
- binaryCachesPath = config.age.secrets.binaryCache.path;
- clusterJoinTokenPath = config.age.secrets.clusterToken.path;
- secretsJsonPath = config.age.secrets.secretsJson.path;
- };
- };
- };
- };
-}
diff --git a/modules/nixos/services/promtail.nix b/modules/nixos/services/promtail.nix
deleted file mode 100644
index ced1ece..0000000
--- a/modules/nixos/services/promtail.nix
+++ /dev/null
@@ -1,47 +0,0 @@
-{
- config,
- lib,
- ...
-}: let
- cfg = config.server.services.promtail;
- inherit (lib) mkEnableOption mkIf mkOption types;
-in {
- options.server.services.promtail = {
- enable = mkEnableOption "Promtail";
-
- clients = mkOption {
- type = types.listOf types.attrs;
- default = [{}];
- description = "clients for promtail";
- };
- };
-
- config.services.promtail = mkIf cfg.enable {
- enable = true;
- configuration = {
- inherit (cfg) clients;
- server.disable = true;
-
- scrape_configs = [
- {
- job_name = "journal";
-
- journal = {
- max_age = "12h";
- labels = {
- job = "systemd-journal";
- host = "${config.networking.hostName}";
- };
- };
-
- relabel_configs = [
- {
- source_labels = ["__journal__systemd_unit"];
- target_label = "unit";
- }
- ];
- }
- ];
- };
- };
-}
diff --git a/modules/nixos/suites/personal.nix b/modules/nixos/suites/personal.nix
deleted file mode 100644
index 830062b..0000000
--- a/modules/nixos/suites/personal.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{
- config,
- lib,
- secretsDir,
- ...
-}: let
- cfg = config.suites.personal;
-in {
- config = lib.mkIf cfg.enable {
- age = {
- identityPaths = ["/etc/age/key"];
- secrets = {
- rootPassword.file = secretsDir + "/rootPassword.age";
- sethPassword.file = secretsDir + "/sethPassword.age";
- };
- };
- };
-}
diff --git a/modules/nixos/suites/server.nix b/modules/nixos/suites/server.nix
deleted file mode 100644
index ac0c001..0000000
--- a/modules/nixos/suites/server.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{
- config,
- lib,
- ...
-}: let
- cfg = config.suites.server;
-in {
- options.suites.server = {
- enable = lib.mkEnableOption "Server configuration set";
- };
-
- config = lib.mkIf cfg.enable {
- features.tailscale = {
- enable = true;
- ssh.enable = true;
- };
-
- server = {
- enable = true;
- secrets.enable = true;
- };
- };
-}
diff --git a/modules/nixos/traits/acme.nix b/modules/nixos/traits/acme.nix
new file mode 100644
index 0000000..a377b25
--- /dev/null
+++ b/modules/nixos/traits/acme.nix
@@ -0,0 +1,46 @@
+{
+ config,
+ lib,
+ secretsDir,
+ ...
+}: let
+ cfg = config.traits.acme;
+in {
+ options.traits.acme = {
+ enable = lib.mkEnableOption "ACME support";
+
+ manageSecrets =
+ lib.mkEnableOption "automatic management of secrets"
+ // {
+ default = config.traits.secrets.enable;
+ };
+
+ useDns = lib.mkEnableOption "the usage of dns to get certs" // {default = true;};
+ };
+
+ config = lib.mkIf cfg.enable (
+ lib.mkMerge [
+ {
+ security.acme = {
+ acceptTerms = true;
+ defaults =
+ {
+ email = "[email protected]";
+ }
+ // lib.optionalAttrs cfg.useDns {
+ dnsProvider = "cloudflare";
+ }
+ // lib.optionalAttrs cfg.manageSecrets {
+ credentialsFile = config.age.secrets.cloudflareApiKey.path;
+ };
+ };
+ }
+
+ (lib.mkIf cfg.manageSecrets {
+ age.secrets = {
+ cloudflareApiKey.file = secretsDir + "/cloudflareApiKey.age";
+ };
+ })
+ ]
+ );
+}
diff --git a/modules/nixos/traits/cloudflared.nix b/modules/nixos/traits/cloudflared.nix
new file mode 100644
index 0000000..9905d33
--- /dev/null
+++ b/modules/nixos/traits/cloudflared.nix
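Review bot: in traits/acme.nix `dnsProvider = "cloudflare"` is set whenever `useDns` (default true) is on, but `credentialsFile` is only added when `manageSecrets` is on, which defaults to `traits.secrets.enable`; with secrets disabled the DNS-01 setup has no credentials and, as far as I recall, the acme module rejects `dnsProvider` without `credentialsFile` at evaluation time. traits/cloudflared.nix has the same shape: the tunnel's `credentialsFile` is only present under `manageSecrets`, and nothing else supplies one. An assertion makes the dependency explicit here: `assertions = [{ assertion = cfg.useDns -> cfg.manageSecrets; message = "traits.acme.useDns requires traits.acme.manageSecrets to supply cloudflare credentials"; }];`, with a matching `assertion = cfg.manageSecrets;` inside cloudflared.nix's enabled block.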
@@ -0,0 +1,50 @@
+{
+ config,
+ lib,
+ secretsDir,
+ ...
+}: let
+ cfg = config.traits.cloudflared;
+ inherit (config.services) nginx;
+in {
+ options.traits.cloudflared = {
+ enable = lib.mkEnableOption "cloudflared";
+ manageSecrets =
+ lib.mkEnableOption "automatically managed secrets"
+ // {
+ default = config.traits.secrets.enable;
+ };
+ };
+
+ config = lib.mkIf cfg.enable (
+ lib.mkMerge [
+ {
+ services.cloudflared = {
+ enable = true;
+ tunnels = {
+ "${config.networking.hostName}-nginx" =
+ {
+ default = "http_status:404";
+
+ ingress = lib.genAttrs (builtins.attrNames nginx.virtualHosts) (
+ _: {service = "http://localhost:${toString nginx.defaultHTTPListenPort}";}
+ );
+ }
+ // lib.optionalAttrs cfg.manageSecrets {
+ credentialsFile = config.age.secrets.cloudflaredCreds.path;
+ };
+ };
+ };
+ }
+
+ (lib.mkIf cfg.manageSecrets {
+ age.secrets.cloudflaredCreds = {
+ file = secretsDir + "/cloudflaredCreds.age";
+ mode = "400";
+ owner = "cloudflared";
+ group = "cloudflared";
+ };
+ })
+ ]
+ );
+}
diff --git a/modules/nixos/features/containers.nix b/modules/nixos/traits/containers.nix
index 290f7b0..43c748c 100644
--- a/modules/nixos/features/containers.nix
+++ b/modules/nixos/traits/containers.nix
@@ -4,9 +4,9 @@
 pkgs,
 ...
 }: let
- cfg = config.features.containers;
+ cfg = config.traits.containers;
 in {
- options.features.containers = {
+ options.traits.containers = {
 enable = lib.mkEnableOption "containers support";
 };
 
diff --git a/modules/nixos/traits/default.nix b/modules/nixos/traits/default.nix
new file mode 100644
index 0000000..6eda57f
--- /dev/null
+++ b/modules/nixos/traits/default.nix
@@ -0,0 +1,15 @@
+{
+ imports = [
+ ./acme.nix
+ ./cloudflared.nix
+ ./containers.nix
+ ./hercules.nix
+ ./locale.nix
+ ./nvk
+ ./promtail.nix
+ ./secrets.nix
+ ./tailscale.nix
+ ./user-setup.nix
+ ./users.nix
+ ];
+}
diff --git a/modules/nixos/traits/hercules.nix b/modules/nixos/traits/hercules.nix
new file mode 100644
index 0000000..fc3dbd0
--- /dev/null
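Review bot: the `ingress` in traits/cloudflared.nix publishes every `services.nginx.virtualHosts` entry through the tunnel automatically, so any vhost added later on the host becomes reachable via the tunnel without touching this module; that may be the intended default for a single-purpose server, but it should be stated at that line, e.g. `# every nginx vhost is exposed through the tunnel; add vhosts deliberately`. The tunnel name is derived from `networking.hostName`, so renaming a host silently selects a different tunnel, which is worth a second comment on the `"${config.networking.hostName}-nginx"` line.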
+++ b/modules/nixos/traits/hercules.nix
@@ -0,0 +1,49 @@
+{
+ config,
+ lib,
+ unstable,
+ secretsDir,
+ ...
+}: let
+ cfg = config.traits.hercules-ci;
+in {
+ options.traits.hercules-ci = {
+ enable = lib.mkEnableOption "hercules-ci";
+ manageSecrets = lib.mkEnableOption "automatic secrets management";
+ };
+
+ config = lib.mkIf cfg.enable (
+ lib.mkMerge [
+ {
+ services = {
+ hercules-ci-agent = {
+ enable = true;
+ package = unstable.hercules-ci-agent;
+ settings = {
+ binaryCachesPath = config.age.secrets.binaryCache.path;
+ clusterJoinTokenPath = config.age.secrets.clusterToken.path;
+ secretsJsonPath = config.age.secrets.secretsJson.path;
+ };
+ };
+ };
+ }
+
+ (let
+ hercArgs = {
+ mode = "400";
+ owner = "hercules-ci-agent";
+ group = "hercules-ci-agent";
+ };
+
+ mkSecrets = lib.mapAttrs (_: file: lib.recursiveUpdate hercArgs {inherit file;});
+ in
+ lib.mkIf cfg.manageSecrets {
+ age.secrets = mkSecrets {
+ binaryCache = secretsDir + "/binaryCache.age";
+ clusterToken = secretsDir + "/clusterToken.age";
+ secretsJson = secretsDir + "/secretsJson.age";
+ };
+ })
+ ]
+ );
+}
diff --git a/modules/nixos/traits/locale.nix b/modules/nixos/traits/locale.nix
new file mode 100644
index 0000000..1de19ce
--- /dev/null
+++ b/modules/nixos/traits/locale.nix
@@ -0,0 +1,25 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.traits.locale;
+in {
+ options.traits.locale = {
+ en_US = {
+ enable = lib.mkEnableOption "en_US locale";
+ };
+ };
+
+ config = lib.mkMerge [
+ (lib.mkIf cfg.en_US.enable {
+ i18n = {
+ supportedLocales = [
+ "en_US.UTF-8/UTF-8"
+ ];
+
+ defaultLocale = "en_US.UTF-8";
+ };
+ })
+ ];
+}
diff --git a/modules/nixos/features/nvk/default.nix b/modules/nixos/traits/nvk/default.nix
index 977dd3b..8e849ce 100644
--- a/modules/nixos/features/nvk/default.nix
+++ b/modules/nixos/traits/nvk/default.nix
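Review bot: traits/hercules.nix reads `config.age.secrets.binaryCache.path`, `clusterToken.path` and `secretsJson.path` unconditionally in `settings`, but those three secrets are only declared in the `lib.mkIf cfg.manageSecrets` branch, and `manageSecrets` here defaults to false, unlike acme.nix and cloudflared.nix where it defaults to `config.traits.secrets.enable`. Enabling the trait without `manageSecrets` therefore fails at evaluation on a missing `age.secrets.*` attribute. Either align the default, `manageSecrets = lib.mkEnableOption "automatic secrets management" // {default = config.traits.secrets.enable;};`, or wrap the three `settings` paths in `lib.optionalAttrs cfg.manageSecrets` as the sibling traits do.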
@@ -4,11 +4,13 @@ pkgs, ... }: let - cfg = config.features.nvk; + cfg = config.traits.nvk; mesa = import ./mesa.nix pkgs; mesa32 = import ./mesa.nix pkgs.pkgsi686Linux; in { - options.features.nvk.enable = lib.mkEnableOption "nvk"; + options.traits.nvk = { + enable = lib.mkEnableOption "nvk drivers"; + }; config = lib.mkIf cfg.enable { # make sure we're loading new gsp firmware diff --git a/modules/nixos/features/nvk/mesa.nix b/modules/nixos/traits/nvk/mesa.nix index 4b622c6..4b622c6 100644 --- a/modules/nixos/features/nvk/mesa.nix +++ b/modules/nixos/traits/nvk/mesa.nix diff --git a/modules/nixos/traits/promtail.nix b/modules/nixos/traits/promtail.nix new file mode 100644 index 0000000..5e08b25 --- /dev/null +++ b/modules/nixos/traits/promtail.nix @@ -0,0 +1,49 @@ +{ + config, + lib, + ... +}: let + cfg = config.traits.promtail; + inherit (lib) types; +in { + options.traits.promtail = { + enable = lib.mkEnableOption "Promtail"; + + clients = lib.mkOption { + type = types.listOf types.attrs; + default = [{}]; + description = "clients for promtail"; + }; + }; + + config = lib.mkIf cfg.enable { + services.promtail = { + enable = true; + configuration = { + inherit (cfg) clients; + server.disable = true; + + scrape_configs = [ + { + job_name = "journal"; + + journal = { + max_age = "12h"; + labels = { + job = "systemd-journal"; + host = "${config.networking.hostName}"; + }; + }; + + relabel_configs = [ + { + source_labels = ["__journal__systemd_unit"]; + target_label = "unit"; + } + ]; + } + ]; + }; + }; + }; +} diff --git a/modules/nixos/traits/secrets.nix b/modules/nixos/traits/secrets.nix new file mode 100644 index 0000000..085d8f3 --- /dev/null +++ b/modules/nixos/traits/secrets.nix @@ -0,0 +1,17 @@ +{ + config, + lib, + ... +}: let + cfg = config.traits.secrets; +in { + options.traits.secrets = { + enable = lib.mkEnableOption "secrets management"; + }; + + config = lib.mkIf cfg.enable { + age = { + identityPaths = ["/etc/age/key"]; + }; + }; +} 
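Review bot: The `clients` option is typed as free-form `types.listOf types.attrs` and is passed straight into `services.promtail.configuration`, which NixOS renders to a world-readable file in the Nix store; any `basic_auth` or `bearer_token` a host puts into a client entry therefore becomes readable by every local user. The option description should say so, e.g. `description = "Promtail clients; do not put credentials here (the rendered config lands in the Nix store), reference a credentials file instead";`. The default `[{}]` also looks like it yields a client with no `url`, which I would expect Promtail to reject at startup, so `[]` may be the safer default. Minor: `host = "${config.networking.hostName}"` can simply be `host = config.networking.hostName;`.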
diff --git a/modules/nixos/traits/tailscale.nix b/modules/nixos/traits/tailscale.nix new file mode 100644 index 0000000..93616b5 --- /dev/null +++ b/modules/nixos/traits/tailscale.nix @@ -0,0 +1,48 @@ +{ + config, + lib, + secretsDir, + ... +}: let + cfg = config.traits.tailscale; +in { + options.traits.tailscale = { + enable = lib.mkEnableOption "Tailscale"; + ssh.enable = lib.mkEnableOption "Tailscale SSH"; + manageSecrets = + lib.mkEnableOption "the use of agenix for auth" + // { + default = config.traits.secrets.enable && cfg.ssh.enable; + }; + }; + + config = lib.mkIf cfg.enable (lib.mkMerge [ + { + networking.firewall = + { + trustedInterfaces = ["tailscale0"]; + } + // lib.optionalAttrs cfg.ssh.enable { + allowedTCPPorts = [22]; + }; + + services.tailscale = + { + enable = true; + openFirewall = true; + } + // lib.optionalAttrs cfg.ssh.enable { + extraUpFlags = ["--ssh"]; + } + // lib.optionalAttrs cfg.manageSecrets { + authKeyFile = config.age.secrets.tailscaleAuthKey.path; + }; + } + + (lib.mkIf cfg.manageSecrets { + age.secrets = lib.mkIf cfg.manageSecrets { + tailscaleAuthKey.file = "${secretsDir}/tailscaleAuthKey.age"; + }; + }) + ]); +} diff --git a/modules/nixos/traits/user-setup.nix b/modules/nixos/traits/user-setup.nix new file mode 100644 index 0000000..a8a4cd6 --- /dev/null +++ b/modules/nixos/traits/user-setup.nix 
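Review bot: `allowedTCPPorts = [22]` under `ssh.enable` opens port 22 on every interface, not just the tailnet, while `trustedInterfaces = ["tailscale0"]` already admits all tailnet traffic; if the intent is Tailscale SSH (`extraUpFlags = ["--ssh"]`), it is served by tailscaled on the tailnet and needs no extra rule, and if a host sshd is intended the rule should be scoped with `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [22];`. The inner `age.secrets = lib.mkIf cfg.manageSecrets { ... }` is redundant inside the outer `lib.mkIf cfg.manageSecrets` and can be a plain attrset. Tying the `manageSecrets` default to `cfg.ssh.enable` is surprising since the auth key is what allows unattended join regardless of SSH; a comment explaining the coupling would help.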
@@ -0,0 +1,45 @@ +{ + config, + lib, + pkgs, + secretsDir, + ... +}: let + cfg = config.traits.user-setup; +in { + options.traits.user-setup = { + enable = lib.mkEnableOption "basic immutable user & root configurations"; + manageSecrets = + lib.mkEnableOption "automatic management of secrets" + // { + default = config.traits.secrets.enable; + }; + }; + + config = lib.mkIf cfg.enable ( + lib.mkMerge [ + { + users = { + defaultUserShell = pkgs.bash; + mutableUsers = false; + + users.root = + { + home = lib.mkDefault "/root"; + uid = lib.mkDefault config.ids.uids.root; + group = lib.mkDefault "root"; + } + // lib.optionalAttrs cfg.manageSecrets { + hashedPasswordFile = config.age.secrets.rootPassword.path; + }; + }; + } + + (lib.mkIf cfg.manageSecrets { + age.secrets = { + rootPassword.file = secretsDir + "/rootPassword.age"; + }; + }) + ] + ); +} diff --git a/modules/nixos/traits/users.nix b/modules/nixos/traits/users.nix new file mode 100644 index 0000000..3302366 --- /dev/null +++ b/modules/nixos/traits/users.nix @@ -0,0 +1,44 @@ +{ + config, + lib, + pkgs, + secretsDir, + ... +}: let + cfg = config.traits.users; + inherit (config.networking) hostName; +in { + imports = [ + ../../../users/seth/nixos.nix + ]; + + options.traits.users = { + hostUser = { + enable = lib.mkEnableOption "${hostName} user configuration"; + manageSecrets = + lib.mkEnableOption "automatically manage secrets" + // { + default = config.traits.secrets.enable; + }; + }; + }; + + config = lib.mkMerge [ + (lib.mkIf cfg.hostUser.enable { + users.users.${hostName} = { + isNormalUser = true; + shell = pkgs.bash; + }; + }) + + (lib.mkIf (cfg.hostUser.enable && cfg.hostUser.manageSecrets) { + age.secrets = { + userPassword.file = secretsDir + "/userPassword.age"; + }; + + users.users.${hostName} = { + hashedPasswordFile = config.age.secrets.userPassword.path; + }; + }) + ]; +} diff --git a/modules/shared/base/default.nix b/modules/shared/base/default.nix new file mode 100644 index 0000000..9154ae7 
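Review bot: Because traits/user-setup.nix sets `users.mutableUsers = false`, a `hostUser` enabled with `manageSecrets = false` gets no `hashedPasswordFile` and so no password at all, i.e. a locked account unless SSH keys are configured elsewhere; the same applies to root in user-setup.nix. That may be intended, but it deserves a line in the `enable` description, e.g. `lib.mkEnableOption "${hostName} user configuration (password only with manageSecrets; otherwise the account is locked)"`. The `imports` of users/seth/nixos.nix inside an option-declaring module is fine, but a short comment on why it lives here rather than in traits/default.nix would help the next reader.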
--- /dev/null +++ b/modules/shared/base/default.nix @@ -0,0 +1,23 @@ +{ + config, + lib, + inputs, + ... +}: let + cfg = config.base; + inherit (inputs) self; +in { + options.base = { + enable = lib.mkEnableOption "basic configurations"; + }; + + imports = [ + ./documentation.nix + ./nix.nix + ./programs.nix + ]; + + config = lib.mkIf cfg.enable { + system.configurationRevision = self.rev or self.dirtyRev or "dirty-unknown"; + }; +} diff --git a/modules/shared/base/documentation.nix b/modules/shared/base/documentation.nix new file mode 100644 index 0000000..0139f7d --- /dev/null +++ b/modules/shared/base/documentation.nix @@ -0,0 +1,19 @@ +{ + config, + lib, + ... +}: let + cfg = config.base.documentation; + enable = config.base.enable && cfg.enable; +in { + options.base.documentation = { + enable = lib.mkEnableOption "documentation settings" // {default = true;}; + }; + + config = lib.mkIf enable { + documentation = { + doc.enable = false; + info.enable = false; + }; + }; +} diff --git a/modules/shared/base/nix.nix b/modules/shared/base/nix.nix new file mode 100644 index 0000000..6e1bdf3 --- /dev/null +++ b/modules/shared/base/nix.nix 
@@ -0,0 +1,43 @@ +{ + config, + lib, + pkgs, + inputs, + ... +}: let + cfg = config.base.nixSettings; + enable = config.base.enable && cfg.enable; +in { + options.base.nixSettings = { + enable = lib.mkEnableOption "nix settings" // {default = true;}; + }; + + config = lib.mkIf enable { + nix = { + registry.n.flake = lib.mkDefault inputs.nixpkgs; + + nixPath = [ + "nixpkgs=/etc/nix/inputs/nixpkgs" + ]; + + settings = { + auto-optimise-store = pkgs.stdenv.isLinux; + experimental-features = lib.mkDefault ["nix-command" "flakes" "auto-allocate-uids" "repl-flake"]; + + trusted-substituters = lib.mkDefault ["https://getchoo.cachix.org"]; + trusted-public-keys = lib.mkDefault ["getchoo.cachix.org-1:ftdbAUJVNaFonM0obRGgR5+nUmdLMM+AOvDOSx0z5tE="]; + nix-path = config.nix.nixPath; + }; + + gc = { + automatic = lib.mkDefault true; + options = lib.mkDefault "--delete-older-than 7d"; + }; + }; + + nixpkgs = { + overlays = [inputs.self.overlays.default]; + config.allowUnfree = lib.mkDefault true; + }; + }; +} diff --git a/modules/shared/base/programs.nix b/modules/shared/base/programs.nix new file mode 100644 index 0000000..796fce0 --- /dev/null +++ b/modules/shared/base/programs.nix @@ -0,0 +1,16 @@ +{ + config, + lib, + ... +}: let + cfg = config.base.defaultPrograms; + enable = config.base.enable && cfg.enable; +in { + options.base.defaultPrograms = { + enable = lib.mkEnableOption "default programs" // {default = true;}; + }; + + config = lib.mkIf enable { + programs.gnupg.agent.enable = lib.mkDefault true; + }; +} diff --git a/modules/shared/default.nix b/modules/shared/default.nix index edd1f34..cf3dd84 100644 --- a/modules/shared/default.nix +++ b/modules/shared/default.nix 
@@ -1,24 +1,6 @@ { - lib, - inputs, - ... -}: let - inherit (inputs) self; -in { imports = [ - ./nix.nix - ./suites - ./users + ./base + ./traits ]; - - system.configurationRevision = self.rev or self.dirtyRev or "dirty-unknown"; - - documentation = { - doc.enable = false; - info.enable = false; - }; - - time.timeZone = lib.mkDefault "America/New_York"; - - programs.gnupg.agent.enable = lib.mkDefault true; } diff --git a/modules/shared/nix.nix b/modules/shared/nix.nix deleted file mode 100644 index 770e7e4..0000000 --- a/modules/shared/nix.nix +++ /dev/null @@ -1,34 +0,0 @@ -{ - config, - lib, - pkgs, - inputs, - ... -}: { - nix = { - registry.n.flake = lib.mkDefault inputs.nixpkgs; - - nixPath = [ - "nixpkgs=/etc/nix/inputs/nixpkgs" - ]; - - settings = { - auto-optimise-store = pkgs.stdenv.isLinux; - experimental-features = lib.mkDefault ["nix-command" "flakes" "auto-allocate-uids" "repl-flake"]; - - trusted-substituters = lib.mkDefault ["https://getchoo.cachix.org"]; - trusted-public-keys = lib.mkDefault ["getchoo.cachix.org-1:ftdbAUJVNaFonM0obRGgR5+nUmdLMM+AOvDOSx0z5tE="]; - nix-path = config.nix.nixPath; - }; - - gc = { - automatic = lib.mkDefault true; - options = lib.mkDefault "--delete-older-than 7d"; - }; - }; - - nixpkgs = { - overlays = [inputs.self.overlays.default]; - config.allowUnfree = lib.mkDefault true; - }; -} diff --git a/modules/shared/suites/personal.nix b/modules/shared/suites/personal.nix deleted file mode 100644 index 1a9278a..0000000 --- a/modules/shared/suites/personal.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ - config, - lib, - ... -}: let - cfg = config.suites.personal; -in { - options.suites.personal = { - enable = lib.mkEnableOption "Personal configuration set"; - }; - - config = lib.mkIf cfg.enable { - users.seth.enable = lib.mkDefault true; - }; -} diff --git a/modules/shared/traits/default.nix b/modules/shared/traits/default.nix new file mode 100644 index 0000000..fa5ba25 --- /dev/null +++ b/modules/shared/traits/default.nix 
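Review bot: The removed `time.timeZone = lib.mkDefault "America/New_York"` has no unconditional replacement; it now only comes from `traits.locale.US-east.enable` in modules/shared/traits/locale.nix, and none of the system files in this diff turn that on, so hosts that relied on the old default may fall back to UTC after this change unless an archetype outside the diff enables it. Likewise `programs.gnupg.agent.enable` and the documentation settings are now gated on `base.enable`, which this diff only sets from the darwin personal archetype, so NixOS hosts depend on their archetype setting `base.enable = true`; worth confirming rather than assuming.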
@@ -0,0 +1,6 @@ +{ + imports = [ + ./locale.nix + ./home-manager.nix + ]; +} diff --git a/modules/shared/traits/home-manager.nix b/modules/shared/traits/home-manager.nix new file mode 100644 index 0000000..732f4f9 --- /dev/null +++ b/modules/shared/traits/home-manager.nix @@ -0,0 +1,21 @@ +{ + config, + lib, + inputs, + inputs', + ... +}: let + cfg = config.traits.home-manager; +in { + options.traits.home-manager = { + enable = lib.mkEnableOption "home-manager configuration"; + }; + + config = lib.mkIf cfg.enable { + home-manager = { + useGlobalPkgs = true; + useUserPackages = true; + extraSpecialArgs = {inherit inputs inputs';}; + }; + }; +} diff --git a/modules/shared/traits/locale.nix b/modules/shared/traits/locale.nix new file mode 100644 index 0000000..9c07c14 --- /dev/null +++ b/modules/shared/traits/locale.nix @@ -0,0 +1,19 @@ +{ + config, + lib, + ... +}: let + cfg = config.traits.locale; +in { + options.traits.locale = { + US-east = { + enable = lib.mkEnableOption "eastern United States locale"; + }; + }; + + config = lib.mkMerge [ + (lib.mkIf cfg.US-east.enable { + time.timeZone = "America/New_York"; + }) + ]; +} diff --git a/modules/shared/users/default.nix b/modules/shared/users/default.nix deleted file mode 100644 index bb3062e..0000000 --- a/modules/shared/users/default.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ - inputs, - inputs', - ... -}: { - imports = [ - ./seth.nix - ]; - - home-manager = { - useGlobalPkgs = true; - useUserPackages = true; - extraSpecialArgs = {inherit inputs inputs';}; - }; -} diff --git a/systems/atlas/default.nix b/systems/atlas/default.nix index 5fd346b..1b6cbac 100644 --- a/systems/atlas/default.nix +++ b/systems/atlas/default.nix @@ -1,8 +1,4 @@ { - config, - pkgs, - ... -}: { imports = [ ./hardware-configuration.nix ./miniflux.nix @@ -10,7 +6,7 @@ ./teawiebot.nix ]; - suites.server.enable = true; + archetypes.server.enable = true; boot = { loader.systemd-boot.enable = true; 
@@ -29,12 +25,6 @@ logrotate.checkConfig = false; }; - users.users.atlas = { - isNormalUser = true; - shell = pkgs.bash; - hashedPasswordFile = config.age.secrets.userPassword.path; - }; - system.stateVersion = "23.05"; zramSwap.enable = true; diff --git a/systems/atlas/nginx.nix b/systems/atlas/nginx.nix index 03a6fc1..f1d7409 100644 --- a/systems/atlas/nginx.nix +++ b/systems/atlas/nginx.nix @@ -14,15 +14,15 @@ name: value: lib.nameValuePair "${name}.${config.networking.domain}" value ); in { - server.services.cloudflared.enable = true; - services.nginx = { enable = true; + recommendedBrotliSettings = true; recommendedGzipSettings = true; recommendedOptimisation = true; recommendedProxySettings = true; recommendedTlsSettings = true; + recommendedZstdSettings = true; virtualHosts = toVHosts { miniflux = { diff --git a/systems/caroline/default.nix b/systems/caroline/default.nix index dc9bdc8..f41ae12 100644 --- a/systems/caroline/default.nix +++ b/systems/caroline/default.nix @@ -1,5 +1,5 @@ {config, ...}: { - suites.personal.enable = true; + archetypes.personal.enable = true; homebrew.casks = [ "altserver" diff --git a/systems/glados-wsl/default.nix b/systems/glados-wsl/default.nix index 7014938..a0b02bf 100644 --- a/systems/glados-wsl/default.nix +++ b/systems/glados-wsl/default.nix @@ -10,7 +10,12 @@ inputs.nixos-wsl.nixosModules.wsl ]; - suites.personal.enable = true; + archetypes.personal.enable = true; + + base = { + networking.enable = false; + security.enable = false; + }; documentation = { enable = lib.mkForce true; @@ -25,7 +30,7 @@ ]; }; - features.tailscale.enable = true; + traits.tailscale.enable = true; wsl = { enable = true; 
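Review bot: `server.services.cloudflared.enable = true;` is removed from systems/atlas/nginx.nix but no `traits.cloudflared.enable = true` appears in the atlas files in this diff, so the tunnel that fronts these vhosts is only kept if `archetypes.server` (not visible here) enables it. That is worth confirming, since a silently disabled tunnel would either leave the vhosts unreachable or, if the nginx ports are opened some other way, reachable without Cloudflare in front. The same reliance applies to the `users.users.atlas` block dropped from systems/atlas/default.nix, which presumably now comes from `traits.users.hostUser`.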
@@ -39,20 +44,5 @@ interop.includePath = false; }; - # doesn't work on wsl - services.dbus.apparmor = "disabled"; - # ditto - networking.networkmanager.enable = false; - - # ditto - security = { - apparmor.enable = false; - audit.enable = false; - auditd.enable = false; - }; - - # ditto - services.resolved.enable = false; - system.stateVersion = "23.11"; } diff --git a/systems/glados/default.nix b/systems/glados/default.nix index a887de0..4f8af01 100644 --- a/systems/glados/default.nix +++ b/systems/glados/default.nix @@ -11,22 +11,18 @@ inputs.nixos-hardware.nixosModules.common-pc-ssd ]; - suites.personal.enable = true; + archetypes.personal.enable = true; desktop = { enable = true; gnome.enable = true; }; - features = { + traits = { containers.enable = true; tailscale.enable = true; }; - home-manager.users.seth = { - seth.desktop.enable = true; - }; - security.tpm2 = { enable = true; abrmd.enable = true; diff --git a/users/seth/darwin.nix b/users/seth/darwin.nix new file mode 100644 index 0000000..049d3d3 --- /dev/null +++ b/users/seth/darwin.nix @@ -0,0 +1,7 @@ +{ + imports = [./system.nix]; + + home-manager.users.seth = { + seth.desktop.enable = false; + }; +} diff --git a/users/seth/module/desktop/default.nix b/users/seth/module/desktop/default.nix index 66a821d..3c09e96 100644 --- a/users/seth/module/desktop/default.nix +++ b/users/seth/module/desktop/default.nix @@ -2,12 +2,17 @@ config, lib, pkgs, + osConfig, ... }: let cfg = config.seth.desktop; in { options.seth.desktop = { - enable = lib.mkEnableOption "desktop"; + enable = + lib.mkEnableOption "desktop" + // { + default = osConfig.desktop.enable or false; + }; }; imports = [ diff --git a/users/seth/module/shell/fish.nix b/users/seth/module/shell/fish.nix index 6dfebb9..a349dfa 100644 --- a/users/seth/module/shell/fish.nix +++ b/users/seth/module/shell/fish.nix 
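Review bot: This hunk drops `services.dbus.apparmor = "disabled"`, `networking.networkmanager.enable = false`, the `security.apparmor`/`audit`/`auditd` disables and `services.resolved.enable = false`, while the earlier hunk in this file only adds `base.networking.enable = false` and `base.security.enable = false`; the NixOS `base.networking`/`base.security` modules are not in this diff, so it is not visible that they also cover dbus's AppArmor setting and resolved. If they do not, WSL regains services the original comments said do not work there. A comment on the `base = {` lines naming what each flag turns off, e.g. `# base.security covers apparmor/audit/dbus; base.networking covers networkmanager/resolved`, would make the mapping checkable.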
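Review bot: `osConfig.desktop.enable or false` guards a missing attribute but not a missing argument: `osConfig` is only injected when home-manager runs as a NixOS/nix-darwin module, so a standalone home-manager evaluation of this module would fail on the function pattern before `or false` ever applies. Giving the parameter a default in the pattern, `osConfig ? {},`, keeps the `or false` fallback meaningful in both cases. The `imports = [` list that follows continues outside the hunk.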
@@ -36,6 +36,7 @@ in { nixgc = "sudo nix-collect-garbage -d && nix-collect-garbage -d"; }; } + (lib.mkIf cfg.withPlugins { plugins = let mkFishPlugins = builtins.map (plugin: { diff --git a/users/seth/nixos.nix b/users/seth/nixos.nix new file mode 100644 index 0000000..3ef6584 --- /dev/null +++ b/users/seth/nixos.nix @@ -0,0 +1,29 @@ +{ + config, + lib, + secretsDir, + ... +}: let + cfg = config.traits.users.seth; + enable = cfg.enable && cfg.manageSecrets; +in { + options.traits.users.seth = { + manageSecrets = + lib.mkEnableOption "automatic management of sercrets" + // { + default = config.traits.secrets.enable or false; + }; + }; + + imports = [./system.nix]; + + config = lib.mkIf enable { + age.secrets = { + sethPassword.file = secretsDir + "/sethPassword.age"; + }; + + users.users.seth = { + hashedPasswordFile = lib.mkDefault config.age.secrets.sethPassword.path; + }; + }; +} diff --git a/modules/shared/users/seth.nix b/users/seth/system.nix index 0c98fc9..4feb807 100644 --- a/modules/shared/users/seth.nix +++ b/users/seth/system.nix @@ -4,10 +4,10 @@ pkgs, ... }: let - cfg = config.users.seth; + cfg = config.traits.users.seth; in { - options.users.seth = { - enable = lib.mkEnableOption "Seth's configuration & home"; + options.traits.users.seth = { + enable = lib.mkEnableOption "Seth's user & home configuration"; }; config = lib.mkIf cfg.enable { @@ -23,13 +23,12 @@ in { // lib.optionalAttrs pkgs.stdenv.isLinux { extraGroups = ["wheel"]; isNormalUser = true; - hashedPasswordFile = lib.mkDefault config.age.secrets.sethPassword.path; }; programs.fish.enable = lib.mkDefault true; home-manager.users.seth = { - imports = [../../../users/seth]; + imports = [./.]; }; }; } |
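Review bot: The option description in `lib.mkEnableOption "automatic management of sercrets"` misspells "secrets"; since this string is what appears in generated option documentation it should read `lib.mkEnableOption "automatic management of secrets"`. Small consistency point: the other traits default `manageSecrets` with `config.traits.secrets.enable` directly, whereas this one uses `config.traits.secrets.enable or false`; if the `or false` exists because this module can be evaluated without traits/secrets.nix imported, a one-line comment saying so would stop someone from "fixing" it.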
