Diffstat (limited to 'modules/nixos')
32 files changed, 250 insertions, 348 deletions
diff --git a/modules/nixos/README.md b/modules/nixos/README.md index 5a78133..5204795 100644 --- a/modules/nixos/README.md +++ b/modules/nixos/README.md @@ -1,20 +1,24 @@ # ./modules/nixos/ -## archetypes +## defaults -The high-level "type" of a machine (i.e., `personal` or `server`) +Defaults (mostly) shared across all configurations -## base +## desktop -Low level options shared for (almost) any kind of system +Installs cool GUI stuff for desktops and laptops -## desktop +## mixins -Installs cool GUI stuff for desktops...or laptops too I guess +Small modules that add onto existing ones; mean to be "mixed in" with your regular configurations + +## profiles + +The high-level "type" of a machine (i.e., `personal` or `server`) -## server +## services -Installs cool daemons and such for servers +Custom service modules ## traits diff --git a/modules/nixos/archetypes/server.nix b/modules/nixos/archetypes/server.nix deleted file mode 100644 index 780e1b4..0000000 --- a/modules/nixos/archetypes/server.nix +++ /dev/null @@ -1,37 +0,0 @@ -{ config, lib, ... }: -let - cfg = config.archetypes.server; -in -{ - options.archetypes = { - server.enable = lib.mkEnableOption "the Server archetype"; - }; - - config = lib.mkIf cfg.enable { - base = { - enable = true; - defaultPrograms.enable = false; - }; - - server = { - enable = true; - mixins = { - cloudflared.enable = true; - nginx.enable = true; - }; - }; - - traits = { - autoUpgrade.enable = true; - - secrets.enable = true; - - tailscale = { - enable = true; - ssh.enable = true; - }; - - zram.enable = true; - }; - }; -} diff --git a/modules/nixos/base/networking.nix b/modules/nixos/base/networking.nix deleted file mode 100644 index c4514df..0000000 --- a/modules/nixos/base/networking.nix +++ /dev/null 
@@ -1,31 +0,0 @@
-{ config, lib, ... }:
-let
- cfg = config.base.networking;
-in
-{
- options.base.networking = {
- enable = lib.mkEnableOption "base network settings" // {
- default = config.base.enable;
- defaultText = lib.literalExpression "config.base.enable";
- };
- };
-
- config = lib.mkIf cfg.enable {
- networking.networkmanager = {
- enable = lib.mkDefault true;
- dns = "systemd-resolved";
- };
-
- services = {
- resolved = {
- enable = lib.mkDefault true;
- dnssec = "allow-downgrade";
- extraConfig = lib.mkDefault ''
- [Resolve]
- DNS=1.1.1.1 1.0.0.1
- DNSOverTLS=yes
- '';
- };
- };
- };
-}
diff --git a/modules/nixos/base/nix.nix b/modules/nixos/base/nix.nix
deleted file mode 100644
index e49eb17..0000000
--- a/modules/nixos/base/nix.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{ config, lib, ... }:
-let
- cfg = config.base.nixSettings;
-in
-{
- config = lib.mkIf cfg.enable {
- nix = {
- channel.enable = lib.mkDefault false;
- settings.trusted-users = [
- "root"
- "@wheel"
- ];
- };
- };
-}
diff --git a/modules/nixos/base/programs.nix b/modules/nixos/base/programs.nix
deleted file mode 100644
index 55424dc..0000000
--- a/modules/nixos/base/programs.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{ config, lib, ... }:
-let
- cfg = config.base.defaultPrograms;
-in
-{
- config = lib.mkIf cfg.enable {
- programs = {
- git.enable = true;
- vim.defaultEditor = true;
- };
- };
-}
diff --git a/modules/nixos/base/security.nix b/modules/nixos/base/security.nix
deleted file mode 100644
index 66a1e7e..0000000
--- a/modules/nixos/base/security.nix
+++ /dev/null
@@ -1,42 +0,0 @@
-{ config, lib, ... }:
-let
- cfg = config.base.security;
-in
-{
- options.base.security = {
- enable = lib.mkEnableOption "basic security settings" // {
- default = config.base.enable;
- defaultText = lib.literalExpression "config.base.enable";
- };
-
- apparmor = lib.mkEnableOption "AppArmor support" // {
- default = true;
- };
-
- auditing = lib.mkEnableOption "auditing support" // {
- default = true;
- };
- };
-
- # much here is sourced from https://xeiaso.net/blog/paranoid-nixos-2021-07-18/
- config = lib.mkIf cfg.enable (
- lib.mkMerge [
- {
- security = {
- polkit.enable = true;
- sudo.execWheelOnly = true;
- };
- }
- (lib.mkIf cfg.auditing {
- security = {
- audit.enable = true;
- auditd.enable = true;
- };
- })
- (lib.mkIf cfg.apparmor {
- security.apparmor.enable = true;
- services.dbus.apparmor = lib.mkDefault "enabled";
- })
- ]
- );
-}
diff --git a/modules/nixos/base/users.nix b/modules/nixos/base/users.nix
deleted file mode 100644
index b757fc5..0000000
--- a/modules/nixos/base/users.nix
+++ /dev/null
@@ -1,58 +0,0 @@ -{ - config, - lib, - pkgs, - secretsDir, - ... -}: -let - cfg = config.base.users; -in -{ - options.base.users = { - enable = lib.mkEnableOption "basic user configurations" // { - default = config.base.enable; - defaultText = lib.literalExpression "config.base.enable"; - }; - - defaultRoot = { - enable = lib.mkEnableOption "default root user configuration" // { - default = false; - }; - - manageSecrets = lib.mkEnableOption "automatic management of secrets" // { - default = config.traits.secrets.enable; - defaultText = lib.literalExpression "config.traits.secrets.enable"; - }; - }; - }; - - config = lib.mkIf cfg.enable ( - lib.mkMerge [ - { - users = { - defaultUserShell = pkgs.bash; - mutableUsers = false; - }; - } - - (lib.mkIf cfg.defaultRoot.enable { - users.users.root = { - home = lib.mkDefault "/root"; - uid = lib.mkDefault config.ids.uids.root; - group = lib.mkDefault "root"; - }; - }) - - (lib.mkIf (cfg.defaultRoot.enable && cfg.defaultRoot.manageSecrets) { - age.secrets = { - rootPassword.file = secretsDir + "/rootPassword.age"; - }; - - users.users.root = { - hashedPasswordFile = config.age.secrets.rootPassword.path; - }; - }) - ] - ); -} diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index acc9d59..82e4b93 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -1,10 +1,11 @@ { imports = [ ../shared - ./archetypes - ./base + ./defaults ./desktop - ./server + ./mixins + ./profiles + ./services ./traits ]; } diff --git a/modules/nixos/defaults/default.nix b/modules/nixos/defaults/default.nix new file mode 100644 index 0000000..bcd3554 --- /dev/null +++ b/modules/nixos/defaults/default.nix @@ -0,0 +1,8 @@ +{ + imports = [ + ./nix.nix + ./programs.nix + ./security.nix + ./users.nix + ]; +} diff --git a/modules/nixos/defaults/nix.nix b/modules/nixos/defaults/nix.nix new file mode 100644 index 0000000..8716f00 --- /dev/null +++ b/modules/nixos/defaults/nix.nix 
@@ -0,0 +1,10 @@
+{ lib, ... }:
+{
+ nix = {
+ channel.enable = lib.mkDefault false;
+ settings.trusted-users = [
+ "root"
+ "@wheel"
+ ];
+ };
+}
diff --git a/modules/nixos/defaults/programs.nix b/modules/nixos/defaults/programs.nix
new file mode 100644
index 0000000..c7d655f
--- /dev/null
+++ b/modules/nixos/defaults/programs.nix
@@ -0,0 +1,6 @@
+{
+ programs = {
+ git.enable = true;
+ vim.defaultEditor = true;
+ };
+}
diff --git a/modules/nixos/defaults/security.nix b/modules/nixos/defaults/security.nix
new file mode 100644
index 0000000..65ce729
--- /dev/null
+++ b/modules/nixos/defaults/security.nix
@@ -0,0 +1,13 @@
+# Much of this is sourced from https://xeiaso.net/blog/paranoid-nixos-2021-07-18/
+{ lib, ... }:
+{
+ security = {
+ apparmor.enable = lib.mkDefault true;
+ audit.enable = lib.mkDefault true;
+ auditd.enable = lib.mkDefault true;
+ polkit.enable = true;
+ sudo.execWheelOnly = true;
+ };
+
+ services.dbus.apparmor = lib.mkDefault "enabled";
+}
diff --git a/modules/nixos/defaults/users.nix b/modules/nixos/defaults/users.nix
new file mode 100644
index 0000000..0cec52a
--- /dev/null
+++ b/modules/nixos/defaults/users.nix
@@ -0,0 +1,18 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+{
+ users = {
+ defaultUserShell = pkgs.bash;
+ mutableUsers = false;
+
+ users.root = {
+ home = lib.mkDefault "/root";
+ uid = config.ids.uids.root;
+ group = "root";
+ };
+ };
+}
diff --git a/modules/nixos/desktop/programs.nix b/modules/nixos/desktop/programs.nix
index 01a9928..2830943 100644
--- a/modules/nixos/desktop/programs.nix
+++ b/modules/nixos/desktop/programs.nix
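Review bot: `settings.trusted-users = [ "root" "@wheel" ]` in defaults/nix.nix is now a plain definition applied to every configuration, whereas the deleted base/nix.nix only set it behind `base.nixSettings.enable`. A trusted Nix user may change daemon settings such as substituters and sandboxing, so `wheel` membership becomes effectively root-equivalent for the store; profiles/server.nix later in this diff adds the host user to `wheel`, so that user is trusted as well. Writing it as `settings.trusted-users = lib.mkDefault [ "root" "@wheel" ];` lets a single host drop `@wheel` without `lib.mkForce`, consistent with the `lib.mkDefault` on `channel.enable` one line above, and a comment such as `# trusted users are root-equivalent for the daemon; @wheel is trusted so admins can use substituters` records the trade-off.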
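Review bot: defaults/users.nix sets `mutableUsers = false` and declares `users.root` unconditionally with no password or `hashedPasswordFile`, so root's password now comes solely from `traits.secrets.rootUser` in the traits/secrets.nix hunk at the end of this diff. The deleted base/users.nix gated the root definition behind `defaultRoot.enable` (default `false`); a host that leaves `traits.secrets.enable` off will end up with a root account that has no password at all, which is fine only if another login path (for instance the Tailscale SSH trait) is configured — worth confirming against the existing hosts. A comment on the block, e.g. `# No password here on purpose: traits.secrets.rootUser supplies hashedPasswordFile`, would make that dependency visible. `uid` and `group` also lost the `lib.mkDefault` the old module had, so a host override now needs `lib.mkForce`.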
@@ -4,29 +4,17 @@ pkgs, ... }: -let - cfg = config.desktop.defaultPrograms; -in { - options.desktop.defaultPrograms = { - enable = lib.mkEnableOption "default desktop programs" // { - default = config.desktop.enable; - defaultText = lib.literalExpression "config.desktop.enable"; - }; - }; - - config = lib.mkIf cfg.enable { - environment.systemPackages = with pkgs; [ - wl-clipboard - xclip + config = lib.mkIf config.desktop.enable { + environment.systemPackages = [ + pkgs.wl-clipboard ]; programs = { - chromium.enable = true; - firefox.enable = true; - xwayland.enable = true; + chromium.enable = lib.mkDefault true; + firefox.enable = lib.mkDefault true; }; - xdg.portal.enable = true; + xdg.portal.enable = lib.mkDefault true; }; } diff --git a/modules/nixos/server/mixins/acme.nix b/modules/nixos/mixins/acme.nix index 39166f2..3b49caf 100644 --- a/modules/nixos/server/mixins/acme.nix +++ b/modules/nixos/mixins/acme.nix @@ -5,10 +5,10 @@ ... }: let - cfg = config.server.mixins.acme; + cfg = config.mixins.acme; in { - options.server.mixins.acme = { + options.mixins.acme = { enable = lib.mkEnableOption "ACME mixin"; manageSecrets = lib.mkEnableOption "automatic management of secrets" // { diff --git a/modules/nixos/server/mixins/cloudflared.nix b/modules/nixos/mixins/cloudflared.nix index 9a56aaa..372103b 100644 --- a/modules/nixos/server/mixins/cloudflared.nix +++ b/modules/nixos/mixins/cloudflared.nix @@ -5,11 +5,11 @@ ... }: let - cfg = config.server.mixins.cloudflared; + cfg = config.mixins.cloudflared; inherit (config.services) nginx; in { - options.server.mixins.cloudflared = { + options.mixins.cloudflared = { enable = lib.mkEnableOption "cloudflared mixin"; tunnelName = lib.mkOption { description = '' diff --git a/modules/nixos/server/mixins/default.nix b/modules/nixos/mixins/default.nix index 461cd34..461cd34 100644 --- a/modules/nixos/server/mixins/default.nix +++ b/modules/nixos/mixins/default.nix 
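Review bot: `desktop.defaultPrograms.enable` is removed and the gate becomes `config.desktop.enable` with no `lib.mkRemovedOptionModule` entry, so a host configuration that still sets the old option would fail evaluation with a generic undefined-option error instead of a pointed message; the module's argument list starts before this hunk. The same applies to the option moves in the hunks that follow — `server.mixins.*` to `mixins.*` (acme, cloudflared, hercules-ci, nginx, promtail), `archetypes.*` to `profiles.*`, and the dropped `base.*`, `server.enable` and `server.hostUser.*` options. One `lib.mkRenamedOptionModule [ "server" "mixins" "nginx" ] [ "mixins" "nginx" ]` per moved option (and `lib.mkRemovedOptionModule` for the dropped ones) in the corresponding `imports` lists would keep old host configurations evaluating, or failing with a clear reason.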
diff --git a/modules/nixos/server/mixins/hercules.nix b/modules/nixos/mixins/hercules.nix index a04f9b1..de209a3 100644 --- a/modules/nixos/server/mixins/hercules.nix +++ b/modules/nixos/mixins/hercules.nix @@ -6,10 +6,10 @@ ... }: let - cfg = config.server.mixins.hercules-ci; + cfg = config.mixins.hercules-ci; in { - options.server.mixins.hercules-ci = { + options.mixins.hercules-ci = { enable = lib.mkEnableOption "Hercules CI mixin"; manageSecrets = lib.mkEnableOption "automatic management of secrets" // { default = config.traits.secrets.enable; diff --git a/modules/nixos/server/mixins/nginx.nix b/modules/nixos/mixins/nginx.nix index e3cc47a..67d0c25 100644 --- a/modules/nixos/server/mixins/nginx.nix +++ b/modules/nixos/mixins/nginx.nix @@ -1,9 +1,9 @@ { config, lib, ... }: let - cfg = config.server.mixins.nginx; + cfg = config.mixins.nginx; in { - options.server.mixins.nginx = { + options.mixins.nginx = { enable = lib.mkEnableOption "NGINX mixin"; }; diff --git a/modules/nixos/server/mixins/promtail.nix b/modules/nixos/mixins/promtail.nix index 173a85b..022c271 100644 --- a/modules/nixos/server/mixins/promtail.nix +++ b/modules/nixos/mixins/promtail.nix @@ -1,10 +1,10 @@ { config, lib, ... }: let - cfg = config.server.mixins.promtail; + cfg = config.mixins.promtail; inherit (lib) types; in { - options.server.mixins.promtail = { + options.mixins.promtail = { enable = lib.mkEnableOption "Promtail mixin"; clients = lib.mkOption { diff --git a/modules/nixos/archetypes/default.nix b/modules/nixos/profiles/default.nix index 0d11285..0d11285 100644 --- a/modules/nixos/archetypes/default.nix +++ b/modules/nixos/profiles/default.nix diff --git a/modules/nixos/archetypes/personal.nix b/modules/nixos/profiles/personal.nix index 4200269..df52696 100644 --- a/modules/nixos/archetypes/personal.nix +++ b/modules/nixos/profiles/personal.nix 
@@ -1,15 +1,13 @@ { config, lib, ... }: let - cfg = config.archetypes.personal; + cfg = config.profiles.personal; in { - options.archetypes = { - personal.enable = lib.mkEnableOption "the Personal archetype"; + options.profiles.personal = { + enable = lib.mkEnableOption "the Personal profile"; }; config = lib.mkIf cfg.enable { - base.enable = true; - traits = { home-manager.enable = true; diff --git a/modules/nixos/profiles/server.nix b/modules/nixos/profiles/server.nix new file mode 100644 index 0000000..e3e785b --- /dev/null +++ b/modules/nixos/profiles/server.nix @@ -0,0 +1,66 @@ +{ + config, + lib, + pkgs, + inputs, + ... +}: +let + cfg = config.profiles.server; +in +{ + options.profiles.server = { + enable = lib.mkEnableOption "the Server profile"; + + hostUser = lib.mkEnableOption "a default interactive user" // { + default = true; + }; + }; + + config = lib.mkIf cfg.enable ( + lib.mkMerge [ + { + # All servers are most likely on stable, so we want to pull in some newer packages from time to time + _module.args.unstable = inputs.nixpkgs.legacyPackages.${pkgs.stdenv.hostPlatform.system}; + + boot.tmp.cleanOnBoot = lib.mkDefault true; + + # We don't need it here + documentation.enable = false; + + environment.defaultPackages = lib.mkForce [ ]; + + mixins = { + cloudflared.enable = true; + nginx.enable = true; + }; + + nix.gc = { + # Every ~2 days + dates = "Mon,Wed,Fri *-*-* 00:00:00"; + options = "-d --delete-older-than 2d"; + }; + + traits = { + autoUpgrade.enable = true; + secrets.enable = true; + tailscale = { + enable = true; + ssh.enable = true; + }; + zram.enable = true; + }; + } + + (lib.mkIf cfg.hostUser { + # Hardening access to `nix` as no other users *should* ever really touch it + nix.settings.allowed-users = [ config.networking.hostName ]; + + users.users.${config.networking.hostName} = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + }; + }) + ] + ); +} 
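Review bot: in profiles/server.nix `nix.settings.allowed-users = [ config.networking.hostName ]` now sits inside `lib.mkIf cfg.hostUser`, while the deleted server/default.nix applied it whenever the server role was enabled; with `profiles.server.hostUser = false` the setting falls back to Nix's default of `*`, so the daemon becomes reachable from any local account instead of being tightened. Moving it into the unconditional block as `nix.settings.allowed-users = [ "root" ] ++ lib.optional cfg.hostUser config.networking.hostName;` keeps the restriction in both cases. The host user is also put in `wheel` with no password defined in this module (traits/secrets.nix supplies one only when `traits.secrets.hostUser` is set), so password-based `sudo` for that user depends on the secret being present — presumably intended, but a comment such as `# password comes from traits.secrets.hostUser` would say so.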
diff --git a/modules/nixos/server/default.nix b/modules/nixos/server/default.nix deleted file mode 100644 index 3cc60fb..0000000 --- a/modules/nixos/server/default.nix +++ /dev/null @@ -1,45 +0,0 @@ -{ - config, - lib, - pkgs, - inputs, - ... -}: -let - cfg = config.server; -in -{ - options.server = { - enable = lib.mkEnableOption "basic server settings"; - }; - - imports = [ - ./github-mirror - ./host-user.nix - ./mixins - ]; - - config = lib.mkIf cfg.enable { - # all servers are most likely on stable, so we may want to pull some newer packages from time to time - _module.args.unstable = inputs.nixpkgs.legacyPackages.${pkgs.stdenv.hostPlatform.system}; - - boot.tmp.cleanOnBoot = lib.mkDefault true; - - # we don't need it here - documentation.enable = false; - - environment.defaultPackages = lib.mkForce [ ]; - - nix = { - gc = { - # ~every 2 days - dates = "Mon,Wed,Fri *-*-* 00:00:00"; - options = "-d --delete-older-than 2d"; - }; - - # hardening access to `nix` on servers as no other users - # *should* ever really touch it - settings.allowed-users = [ config.networking.hostName ]; - }; - }; -} diff --git a/modules/nixos/server/host-user.nix b/modules/nixos/server/host-user.nix deleted file mode 100644 index c60bfe3..0000000 --- a/modules/nixos/server/host-user.nix +++ /dev/null 
@@ -1,44 +0,0 @@ -{ - config, - lib, - secretsDir, - ... -}: -let - cfg = config.server.hostUser; - inherit (config.networking) hostName; -in -{ - options.server.hostUser = { - enable = lib.mkEnableOption "a default interactive user" // { - default = config.server.enable; - defaultText = lib.literalExpression "config.server.enable"; - }; - - manageSecrets = lib.mkEnableOption "automatic management of secrets" // { - default = config.traits.secrets.enable; - defaultText = lib.literalExpression "config.traits.secrets.enable"; - }; - }; - - config = lib.mkIf cfg.enable ( - lib.mkMerge [ - { - users.users.${hostName} = { - isNormalUser = true; - extraGroups = [ "wheel" ]; - }; - } - - (lib.mkIf cfg.manageSecrets { - age.secrets = { - userPassword.file = secretsDir + "/userPassword.age"; - }; - - users.users.${hostName} = { - hashedPasswordFile = config.age.secrets.userPassword.path; - }; - }) - ] - ); -} diff --git a/modules/nixos/services/default.nix b/modules/nixos/services/default.nix new file mode 100644 index 0000000..038c3a6 --- /dev/null +++ b/modules/nixos/services/default.nix @@ -0,0 +1,3 @@ +{ + imports = [ ./github-mirror ]; +} diff --git a/modules/nixos/server/github-mirror/default.nix b/modules/nixos/services/github-mirror/default.nix index 9d0d870..9d0d870 100644 --- a/modules/nixos/server/github-mirror/default.nix +++ b/modules/nixos/services/github-mirror/default.nix diff --git a/modules/nixos/server/github-mirror/update-mirror.sh b/modules/nixos/services/github-mirror/update-mirror.sh index c1e392d..c1e392d 100755 --- a/modules/nixos/server/github-mirror/update-mirror.sh +++ b/modules/nixos/services/github-mirror/update-mirror.sh diff --git a/modules/nixos/traits/default.nix b/modules/nixos/traits/default.nix index 88a0b8c..1bb92b2 100644 --- a/modules/nixos/traits/default.nix +++ b/modules/nixos/traits/default.nix 
@@ -6,7 +6,9 @@ ./containers.nix ./home-manager.nix ./locale.nix + ./nvd-diff.nix ./nvidia.nix + ./resolved.nix ./secrets.nix ./tailscale.nix ./users diff --git a/modules/nixos/base/default.nix b/modules/nixos/traits/nvd-diff.nix index 3a6412e..4c59287 100644 --- a/modules/nixos/base/default.nix +++ b/modules/nixos/traits/nvd-diff.nix @@ -5,22 +5,16 @@ ... }: let - cfg = config.base; + cfg = config.traits.nvd-diff; in { - imports = [ - ./networking.nix - ./nix.nix - ./programs.nix - ./security.nix - ./users.nix - ]; + options.traits.nvd-diff = { + enable = lib.mkEnableOption "showing configuration diffs with NVD on upgrade" // { + default = true; + }; + }; config = lib.mkIf cfg.enable { - services.journald.extraConfig = '' - MaxRetentionSec=1w - ''; - system.activationScripts."upgrade-diff" = { supportsDryActivation = true; text = '' diff --git a/modules/nixos/traits/resolved.nix b/modules/nixos/traits/resolved.nix new file mode 100644 index 0000000..d6501c9 --- /dev/null +++ b/modules/nixos/traits/resolved.nix @@ -0,0 +1,41 @@ +{ + config, + lib, + ... +}: +let + cfg = config.traits.resolved; +in +{ + options.traits.resolved = { + enable = lib.mkEnableOption "systemd-resolved as the DNS resolver" // { + default = true; + }; + + networkManagerIntegration = lib.mkEnableOption "integration with network-manager" // { + default = config.networking.networkmanager.enable; + defaultText = "config.networking.networkmanager.enable"; + }; + }; + + config = lib.mkIf cfg.enable ( + lib.mkMerge [ + { + networking.nameservers = [ + "1.1.1.1#one.one.one.one" + "1.0.0.1#one.one.one.one" + ]; + + services.resolved = { + enable = true; + dnssec = "allow-downgrade"; + dnsovertls = "true"; + }; + } + + (lib.mkIf cfg.networkManagerIntegration { + networking.networkmanager.dns = "systemd-resolved"; + }) + ] + ); +} diff --git a/modules/nixos/traits/secrets.nix b/modules/nixos/traits/secrets.nix index 6624ef8..d7f4e60 100644 --- a/modules/nixos/traits/secrets.nix 
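Review bot: the move of base/default.nix to traits/nvd-diff.nix drops `services.journald.extraConfig = "MaxRetentionSec=1w"` and nothing else in this diff re-adds a journald retention setting, so hosts silently revert to journald's default size-based retention; the activation script body continues past the hunk. If the one-week cap is still wanted it belongs in one of the new `defaults/` modules, e.g. `services.journald.extraConfig = "MaxRetentionSec=1w";`. The new `traits.nvd-diff.enable` defaults to `true`, so the upgrade diff now runs on every host that imports the traits, servers included — probably fine, but a doc string on the option saying so would avoid surprise.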
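Review bot: in traits/resolved.nix `defaultText = "config.networking.networkmanager.enable"` is a plain string, while the rest of this tree (e.g. the deleted base/users.nix) uses `defaultText = lib.literalExpression "…"`; in rendered option docs the string form shows up as a quoted literal rather than as Nix code, and the `hostUser` option in traits/secrets.nix below has the same issue. `dnsovertls = "true"` is strict DNS-over-TLS to the two `#one.one.one.one` nameservers, carrying over the `DNSOverTLS=yes` of the deleted base/networking.nix; a one-line comment noting that name resolution fails closed when TLS to those resolvers is unavailable, whereas `dnssec = "allow-downgrade"` does not, would help whoever debugs a host with no DNS.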
+++ b/modules/nixos/traits/secrets.nix @@ -2,6 +2,7 @@ config, lib, inputs, + secretsDir, ... }: let @@ -10,17 +11,50 @@ in { options.traits.secrets = { enable = lib.mkEnableOption "secrets management"; - }; - - imports = [ inputs.agenix.nixosModules.default ]; - config = lib.mkIf cfg.enable { - _module.args = { - secretsDir = inputs.self + "/secrets/${config.networking.hostName}"; + rootUser = lib.mkEnableOption "manage secrets for root user" // { + default = true; }; - age = { - identityPaths = [ "/etc/age/key" ]; + hostUser = lib.mkEnableOption "manager secrets for host user (see `profiles.server.hostUser`)" // { + default = config.profiles.server.hostUser; + defaultText = "config.profiles.server.hostUser"; }; }; + + imports = [ inputs.agenix.nixosModules.default ]; + + config = lib.mkIf cfg.enable ( + lib.mkMerge [ + { + _module.args = { + secretsDir = inputs.self + "/secrets/${config.networking.hostName}"; + }; + + age = { + identityPaths = [ "/etc/age/key" ]; + }; + } + + (lib.mkIf cfg.rootUser { + age.secrets = { + rootPassword.file = secretsDir + "/rootPassword.age"; + }; + + users.users.root = { + hashedPasswordFile = config.age.secrets.rootPassword.path; + }; + }) + + (lib.mkIf (config.profiles.server.enable && cfg.hostUser) { + age.secrets = { + userPassword.file = secretsDir + "/userPassword.age"; + }; + + users.users.${config.networking.hostName} = { + hashedPasswordFile = config.age.secrets.userPassword.path; + }; + }) + ] + ); } |
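Review bot: the description of the new `hostUser` option begins `"manager secrets for host user` and should read `"manage secrets for host user`, matching `rootUser` just above. With `rootUser` defaulting to `true`, every host that enables `traits.secrets` now needs `secrets/<hostName>/rootPassword.age` (and `userPassword.age` when the server profile's `hostUser` is on), where the deleted base/users.nix only required it behind `defaultRoot.enable`; a host without the file fails to build, so the option descriptions should state which files are expected. The module also consumes `secretsDir` as a function argument while defining `_module.args.secretsDir` itself; this works in practice because the module system looks each argument up lazily by name, but a short comment above `_module.args` noting that the value is consumed by this module's own `rootUser`/`hostUser` blocks would spare the next reader the infinite-recursion worry.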
