Diffstat (limited to 'modules/nixos')
-rw-r--r--modules/nixos/archetypes/default.nix (renamed from modules/nixos/suites/default.nix)2
-rw-r--r--modules/nixos/archetypes/personal.nix32
-rw-r--r--modules/nixos/archetypes/server.nix68
-rw-r--r--modules/nixos/base.nix90
-rw-r--r--modules/nixos/base/default.nix28
-rw-r--r--modules/nixos/base/documentation.nix15
-rw-r--r--modules/nixos/base/networking.nix31
-rw-r--r--modules/nixos/base/nix.nix20
-rw-r--r--modules/nixos/base/programs.nix15
-rw-r--r--modules/nixos/base/security.nix26
-rw-r--r--modules/nixos/default.nix8
-rw-r--r--modules/nixos/desktop/audio.nix27
-rw-r--r--modules/nixos/desktop/default.nix59
-rw-r--r--modules/nixos/desktop/fonts.nix38
-rw-r--r--modules/nixos/desktop/programs.nix28
-rw-r--r--modules/nixos/features/default.nix7
-rw-r--r--modules/nixos/features/tailscale.nix37
-rw-r--r--modules/nixos/server/acme.nix25
-rw-r--r--modules/nixos/server/default.nix43
-rw-r--r--modules/nixos/server/secrets.nix21
-rw-r--r--modules/nixos/services/cloudflared.nix38
-rw-r--r--modules/nixos/services/default.nix7
-rw-r--r--modules/nixos/services/hercules.nix55
-rw-r--r--modules/nixos/services/promtail.nix47
-rw-r--r--modules/nixos/suites/personal.nix18
-rw-r--r--modules/nixos/suites/server.nix23
-rw-r--r--modules/nixos/traits/acme.nix46
-rw-r--r--modules/nixos/traits/cloudflared.nix50
-rw-r--r--modules/nixos/traits/containers.nix (renamed from modules/nixos/features/containers.nix)4
-rw-r--r--modules/nixos/traits/default.nix15
-rw-r--r--modules/nixos/traits/hercules.nix49
-rw-r--r--modules/nixos/traits/locale.nix25
-rw-r--r--modules/nixos/traits/nvk/default.nix (renamed from modules/nixos/features/nvk/default.nix)6
-rw-r--r--modules/nixos/traits/nvk/mesa.nix (renamed from modules/nixos/features/nvk/mesa.nix)0
-rw-r--r--modules/nixos/traits/promtail.nix49
-rw-r--r--modules/nixos/traits/secrets.nix17
-rw-r--r--modules/nixos/traits/tailscale.nix48
-rw-r--r--modules/nixos/traits/user-setup.nix45
-rw-r--r--modules/nixos/traits/users.nix44
39 files changed, 734 insertions, 472 deletions
diff --git a/modules/nixos/suites/default.nix b/modules/nixos/archetypes/default.nix
index 0d11285..dfdb4e4 100644
--- a/modules/nixos/suites/default.nix
+++ b/modules/nixos/archetypes/default.nix
@@ -1,6 +1,6 @@
{
imports = [
- ./personal.nix
./server.nix
+ ./personal.nix
];
}
diff --git a/modules/nixos/archetypes/personal.nix b/modules/nixos/archetypes/personal.nix
new file mode 100644
index 0000000..7122708
--- /dev/null
+++ b/modules/nixos/archetypes/personal.nix
@@ -0,0 +1,32 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.archetypes.personal;
+in {
+ options.archetypes = {
+ personal.enable = lib.mkEnableOption "personal archetype";
+ };
+
+ config = lib.mkIf cfg.enable {
+ base.enable = true;
+
+ traits = {
+ home-manager.enable = true;
+
+ locale = {
+ en_US.enable = true;
+ US-east.enable = true;
+ };
+
+ secrets.enable = true;
+ tailscale.enable = true;
+ user-setup.enable = true;
+
+ users = {
+ seth.enable = true;
+ };
+ };
+ };
+}
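Review bot: `US-east.enable = true` under `traits.locale` assigns an option that traits/locale.nix in this same commit does not declare — that file only defines `options.traits.locale.en_US` — so unless `US-east` is declared in a module outside this diff, evaluation stops with an undefined-option error; archetypes/server.nix makes the same assignment. The same question applies to `traits.home-manager.enable = true`: no home-manager trait is imported by traits/default.nix here. Either declare the missing options (for instance a `US-east` enable option in locale.nix carrying whatever timezone these archetypes expect) or drop the assignments until they exist.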
diff --git a/modules/nixos/archetypes/server.nix b/modules/nixos/archetypes/server.nix
new file mode 100644
index 0000000..31e0bf5
--- /dev/null
+++ b/modules/nixos/archetypes/server.nix
@@ -0,0 +1,68 @@
+{
+ config,
+ lib,
+ pkgs,
+ inputs,
+ ...
+}: let
+ cfg = config.archetypes.server;
+in {
+ options.archetypes = {
+ server.enable = lib.mkEnableOption "server archetype";
+ };
+
+ config = lib.mkIf cfg.enable {
+ base = {
+ enable = true;
+ documentation.enable = false;
+ };
+
+ traits = {
+ cloudflared.enable = true;
+
+ locale = {
+ en_US.enable = true;
+ US-east.enable = true;
+ };
+
+ secrets.enable = true;
+
+ tailscale = {
+ enable = true;
+ ssh.enable = true;
+ };
+
+ user-setup.enable = true;
+ users = {
+ hostUser.enable = true;
+ };
+ };
+
+ _module.args.unstable = inputs.nixpkgs.legacyPackages.${pkgs.stdenv.hostPlatform.system};
+
+ boot = {
+ tmp.cleanOnBoot = lib.mkDefault true;
+ kernelPackages = lib.mkDefault pkgs.linuxPackages_hardened;
+ };
+
+ documentation = {
+ enable = false;
+ man.enable = false;
+ };
+
+ environment = {
+ defaultPackages = lib.mkForce [];
+ etc."nix/inputs/nixpkgs".source = inputs.nixpkgs-stable.outPath;
+ };
+
+ nix = {
+ gc = {
+ dates = "*-*-1,5,9,13,17,21,25,29 00:00:00";
+ options = "-d --delete-older-than 2d";
+ };
+
+ registry.n.flake = inputs.nixpkgs-stable;
+ settings.allowed-users = [config.networking.hostName];
+ };
+ };
+}
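Review bot: `settings.allowed-users = [config.networking.hostName]` narrows who may talk to the Nix daemon, but base/nix.nix in this commit still sets `nix.settings.trusted-users = ["root" "@wheel"]`, and per the Nix manual trusted users are always allowed to connect regardless of `allowed-users`, so every wheel member on a server keeps daemon access and, being trusted, effectively root-equivalent control of the store. If the server archetype is meant to be the tighter profile it should narrow that too, e.g. `settings.trusted-users = lib.mkForce ["root"];`, or base/nix.nix should set trusted-users with `lib.mkDefault` so this file can override it without mkForce. A one-line comment above `allowed-users` stating that trusted-users bypasses it would keep a later reader from assuming the restriction is complete.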
diff --git a/modules/nixos/base.nix b/modules/nixos/base.nix
deleted file mode 100644
index a5c4318..0000000
--- a/modules/nixos/base.nix
+++ /dev/null
@@ -1,90 +0,0 @@
-{
- config,
- lib,
- pkgs,
- inputs,
- ...
-}: let
- inherit (lib) mkDefault;
-in {
- imports = [
- ../shared
- ];
-
- environment.systemPackages = with pkgs; [man-pages man-pages-posix];
-
- documentation.nixos.enable = false;
-
- # not sure why i can't use this on darwin?
- environment.etc."nix/inputs/nixpkgs".source = lib.mkDefault inputs.nixpkgs.outPath;
-
- i18n = {
- supportedLocales = [
- "en_US.UTF-8/UTF-8"
- ];
-
- defaultLocale = "en_US.UTF-8";
- };
-
- networking.networkmanager = {
- enable = mkDefault true;
- dns = mkDefault "systemd-resolved";
- };
-
- nix = {
- channel.enable = mkDefault false;
- gc.dates = mkDefault "weekly";
- settings.trusted-users = ["root" "@wheel"];
- };
-
- programs = {
- git.enable = mkDefault true;
- vim.defaultEditor = mkDefault true;
- };
-
- security = {
- apparmor.enable = mkDefault true;
- audit.enable = mkDefault true;
- auditd.enable = mkDefault true;
- polkit.enable = mkDefault true;
- rtkit.enable = mkDefault true;
- sudo.execWheelOnly = true;
- };
-
- services = {
- dbus.apparmor = mkDefault "enabled";
-
- resolved = {
- enable = mkDefault true;
- dnssec = mkDefault "allow-downgrade";
- extraConfig = mkDefault ''
- [Resolve]
- DNS=1.1.1.1 1.0.0.1
- DNSOverTLS=yes
- '';
- };
-
- journald.extraConfig = ''
- MaxRetentionSec=1w
- '';
- };
-
- system.activationScripts."upgrade-diff" = {
- supportsDryActivation = true;
- text = ''
- ${pkgs.nvd}/bin/nvd --nix-bin-dir=${config.nix.package}/bin diff /run/current-system "$systemConfig"
- '';
- };
-
- users = {
- defaultUserShell = pkgs.bash;
- mutableUsers = false;
-
- users.root = {
- home = mkDefault "/root";
- uid = mkDefault config.ids.uids.root;
- group = mkDefault "root";
- hashedPasswordFile = mkDefault config.age.secrets.rootPassword.path;
- };
- };
-}
diff --git a/modules/nixos/base/default.nix b/modules/nixos/base/default.nix
new file mode 100644
index 0000000..31cd6ff
--- /dev/null
+++ b/modules/nixos/base/default.nix
@@ -0,0 +1,28 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: {
+ imports = [
+ ../../shared
+ ./documentation.nix
+ ./networking.nix
+ ./nix.nix
+ ./programs.nix
+ ./security.nix
+ ];
+
+ services.journald.extraConfig = ''
+ MaxRetentionSec=1w
+ '';
+
+ system.activationScripts."upgrade-diff" = {
+ supportsDryActivation = true;
+ text = ''
+ ${lib.getExe pkgs.nvd} \
+ --nix-bin-dir=${config.nix.package}/bin \
+ diff /run/current-system "$systemConfig"
+ '';
+ };
+}
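Review bot: Every submodule imported here gates on `config.base.enable` (documentation.nix, networking.nix, nix.nix, programs.nix and security.nix all compute `enable = config.base.enable && cfg.enable`) and both archetypes assign `base.enable = true`, yet no `options.base.enable` declaration appears in this file or anywhere else in the diff; unless ../../shared declares it, that assignment fails as an undefined option. The per-feature toggles are inconsistent as well: networking.nix and security.nix declare their `enable` option, while documentation.nix (`base.documentation`), nix.nix (`base.nixSettings`) and programs.nix (`base.defaultPrograms`) read theirs without declaring it. Declaring `options.base.enable = lib.mkEnableOption "base system settings";` here and giving the three missing files the same `lib.mkEnableOption "..." // {default = true;}` shape networking.nix uses would make the module self-contained.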
diff --git a/modules/nixos/base/documentation.nix b/modules/nixos/base/documentation.nix
new file mode 100644
index 0000000..5792c80
--- /dev/null
+++ b/modules/nixos/base/documentation.nix
@@ -0,0 +1,15 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.base.documentation;
+ enable = config.base.enable && cfg.enable;
+in {
+ config = lib.mkIf enable {
+ documentation.nixos.enable = false;
+
+ environment.systemPackages = with pkgs; [man-pages man-pages-posix];
+ };
+}
diff --git a/modules/nixos/base/networking.nix b/modules/nixos/base/networking.nix
new file mode 100644
index 0000000..895127c
--- /dev/null
+++ b/modules/nixos/base/networking.nix
@@ -0,0 +1,31 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.base.networking;
+ enable = config.base.enable && cfg.enable;
+in {
+ options.base.networking = {
+ enable = lib.mkEnableOption "base network settings" // {default = true;};
+ };
+
+ config = lib.mkIf enable {
+ networking.networkmanager = {
+ enable = lib.mkDefault true;
+ dns = "systemd-resolved";
+ };
+
+ services = {
+ resolved = {
+ enable = lib.mkDefault true;
+ dnssec = "allow-downgrade";
+ extraConfig = lib.mkDefault ''
+ [Resolve]
+ DNS=1.1.1.1 1.0.0.1
+ DNSOverTLS=yes
+ '';
+ };
+ };
+ };
+}
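Review bot: `DNS=1.1.1.1 1.0.0.1` combined with `DNSOverTLS=yes` gives resolved no server name to check: resolved.conf documents the `address#hostname` form as what it uses to validate the DNS-over-TLS certificate, so as far as I can tell the session is encrypted but not authenticated against the resolver's identity; `DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com` closes that gap. Separately, `dns = "systemd-resolved"` and `dnssec = "allow-downgrade"` lost the `mkDefault` they carried in the deleted base.nix, so a host that sets either value now gets a conflicting-definition error instead of overriding the baseline; `extraConfig` kept its `lib.mkDefault`, which is the behaviour the other two should share.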
diff --git a/modules/nixos/base/nix.nix b/modules/nixos/base/nix.nix
new file mode 100644
index 0000000..720a074
--- /dev/null
+++ b/modules/nixos/base/nix.nix
@@ -0,0 +1,20 @@
+{
+ config,
+ lib,
+ inputs,
+ ...
+}: let
+ cfg = config.base.nixSettings;
+ enable = config.base.enable && cfg.enable;
+in {
+ config = lib.mkIf enable {
+ # not sure why i can't use this on darwin?
+ environment.etc."nix/inputs/nixpkgs".source = lib.mkDefault inputs.nixpkgs.outPath;
+
+ nix = {
+ channel.enable = lib.mkDefault false;
+ gc.dates = lib.mkDefault "weekly";
+ settings.trusted-users = ["root" "@wheel"];
+ };
+ };
+}
diff --git a/modules/nixos/base/programs.nix b/modules/nixos/base/programs.nix
new file mode 100644
index 0000000..7d1a15b
--- /dev/null
+++ b/modules/nixos/base/programs.nix
@@ -0,0 +1,15 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.base.defaultPrograms;
+ enable = config.base.enable && cfg.enable;
+in {
+ config = lib.mkIf enable {
+ programs = {
+ git.enable = true;
+ vim.defaultEditor = true;
+ };
+ };
+}
diff --git a/modules/nixos/base/security.nix b/modules/nixos/base/security.nix
new file mode 100644
index 0000000..4401f81
--- /dev/null
+++ b/modules/nixos/base/security.nix
@@ -0,0 +1,26 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.base.security;
+ enable = config.base.enable && cfg.enable;
+in {
+ options.base.security = {
+ enable = lib.mkEnableOption "base security settings" // {default = true;};
+ };
+
+ config = lib.mkIf enable {
+ security = {
+ apparmor.enable = lib.mkDefault true;
+ audit.enable = lib.mkDefault true;
+ auditd.enable = lib.mkDefault true;
+ polkit.enable = lib.mkDefault true;
+ sudo.execWheelOnly = true;
+ };
+
+ services = {
+ dbus.apparmor = lib.mkDefault "enabled";
+ };
+ };
+}
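Review bot: `audit.enable` and `auditd.enable` are switched on, but nothing in this module, or elsewhere in the diff, sets `security.audit.rules`, so as far as this page shows auditd starts with an empty ruleset and captures only the events the kernel and PAM emit on their own, not the syscall or file-watch rules a hardening baseline usually relies on. If leaving rules to the host is intentional, a comment such as `# audit rules are left to the host; with none, auditd records only login/boot events` would stop the next reader from assuming coverage exists; otherwise give `security.audit.rules` a `lib.mkDefault` baseline here alongside the other defaults.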
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index a7ba7f9..a334bb3 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -1,10 +1,8 @@
{
flake.nixosModules = {
- default = ./base.nix;
+ default = ./base;
+ archetypes = ./archetypes;
desktop = ./desktop;
- features = ./features;
- server = ./server;
- services = ./services;
- suites = ./suites;
+ traits = ./traits;
};
}
diff --git a/modules/nixos/desktop/audio.nix b/modules/nixos/desktop/audio.nix
new file mode 100644
index 0000000..1e47ab2
--- /dev/null
+++ b/modules/nixos/desktop/audio.nix
@@ -0,0 +1,27 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.desktop.audio;
+ enable = config.desktop.enable && cfg.enable;
+in {
+ options.desktop.audio = {
+ enable = lib.mkEnableOption "desktop audio configuration" // {default = true;};
+ };
+
+ config = lib.mkIf enable {
+ hardware.pulseaudio.enable = false;
+ security.rtkit.enable = true;
+
+ services = {
+ pipewire = lib.mkDefault {
+ enable = true;
+ wireplumber.enable = true;
+ alsa.enable = true;
+ jack.enable = true;
+ pulse.enable = true;
+ };
+ };
+ };
+}
diff --git a/modules/nixos/desktop/default.nix b/modules/nixos/desktop/default.nix
index 12023ef..17392c4 100644
--- a/modules/nixos/desktop/default.nix
+++ b/modules/nixos/desktop/default.nix
@@ -1,68 +1,25 @@
{
config,
lib,
- pkgs,
...
}: let
cfg = config.desktop;
in {
- options.desktop.enable = lib.mkEnableOption "base desktop settings";
+ options.desktop = {
+ enable = lib.mkEnableOption "desktop settings";
+ };
imports = [
+ ./audio.nix
+ ./fonts.nix
+ ./programs.nix
+
./budgie
./gnome
./plasma
];
config = lib.mkIf cfg.enable {
- environment = {
- noXlibs = lib.mkForce false;
- systemPackages = with pkgs; [wl-clipboard xclip];
- };
-
- fonts = {
- enableDefaultPackages = lib.mkDefault true;
-
- packages = with pkgs; [
- (nerdfonts.override {fonts = ["FiraCode" "Hack" "Noto"];})
- noto-fonts
- noto-fonts-extra
- noto-fonts-color-emoji
- noto-fonts-cjk-sans
- ];
-
- fontconfig = {
- enable = lib.mkDefault true;
- cache32Bit = true;
- defaultFonts = lib.mkDefault {
- serif = ["Noto Serif"];
- sansSerif = ["Noto Sans"];
- emoji = ["Noto Color Emoji"];
- monospace = ["Noto Sans Mono"];
- };
- };
- };
-
- hardware.pulseaudio.enable = false;
-
- programs = {
- chromium.enable = lib.mkDefault true;
- firefox.enable = lib.mkDefault true;
- xwayland.enable = lib.mkDefault true;
- };
-
- services = {
- pipewire = lib.mkDefault {
- enable = true;
- wireplumber.enable = true;
- alsa.enable = true;
- jack.enable = true;
- pulse.enable = true;
- };
-
- xserver.enable = lib.mkDefault true;
- };
-
- xdg.portal.enable = lib.mkDefault true;
+ services.xserver.enable = true;
};
}
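Review bot: `services.xserver.enable = true` replaces the `lib.mkDefault true` of the block removed above, so a host that keeps `desktop.enable` but sets `services.xserver.enable = false` now hits a conflicting-definition error instead of overriding the baseline; the same downgrade appears in fonts.nix (`enableDefaultPackages`, `fontconfig.enable`) and programs.nix (`chromium`, `firefox`, `xwayland`, `xdg.portal.enable`), all of which were `mkDefault` in the lines deleted here. Restoring `lib.mkDefault` on those, as audio.nix still does for `services.pipewire`, preserves the override behaviour the old module had.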
diff --git a/modules/nixos/desktop/fonts.nix b/modules/nixos/desktop/fonts.nix
new file mode 100644
index 0000000..212f88c
--- /dev/null
+++ b/modules/nixos/desktop/fonts.nix
@@ -0,0 +1,38 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.desktop.fonts;
+ enable = config.desktop.enable && cfg.enable;
+in {
+ options.desktop.fonts = {
+ enable = lib.mkEnableOption "desktop fonts" // {default = true;};
+ };
+
+ config = lib.mkIf enable {
+ fonts = {
+ enableDefaultPackages = true;
+
+ packages = with pkgs; [
+ (nerdfonts.override {fonts = ["FiraCode" "Hack" "Noto"];})
+ noto-fonts
+ noto-fonts-extra
+ noto-fonts-color-emoji
+ noto-fonts-cjk-sans
+ ];
+
+ fontconfig = {
+ enable = true;
+ cache32Bit = lib.mkDefault true;
+ defaultFonts = lib.mkDefault {
+ serif = ["Noto Serif"];
+ sansSerif = ["Noto Sans"];
+ emoji = ["Noto Color Emoji"];
+ monospace = ["Noto Sans Mono"];
+ };
+ };
+ };
+ };
+}
diff --git a/modules/nixos/desktop/programs.nix b/modules/nixos/desktop/programs.nix
new file mode 100644
index 0000000..94bde49
--- /dev/null
+++ b/modules/nixos/desktop/programs.nix
@@ -0,0 +1,28 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.desktop.defaultPrograms;
+ enable = config.desktop.enable && cfg.enable;
+in {
+ options.desktop.defaultPrograms = {
+ enable = lib.mkEnableOption "default desktop programs" // {default = true;};
+ };
+
+ config = lib.mkIf enable {
+ environment = {
+ noXlibs = lib.mkForce false;
+ systemPackages = with pkgs; [wl-clipboard xclip];
+ };
+
+ programs = {
+ chromium.enable = true;
+ firefox.enable = true;
+ xwayland.enable = true;
+ };
+
+ xdg.portal.enable = true;
+ };
+}
diff --git a/modules/nixos/features/default.nix b/modules/nixos/features/default.nix
deleted file mode 100644
index 607277f..0000000
--- a/modules/nixos/features/default.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- imports = [
- ./containers.nix
- ./nvk
- ./tailscale.nix
- ];
-}
diff --git a/modules/nixos/features/tailscale.nix b/modules/nixos/features/tailscale.nix
deleted file mode 100644
index 9eba428..0000000
--- a/modules/nixos/features/tailscale.nix
+++ /dev/null
@@ -1,37 +0,0 @@
-{
- config,
- lib,
- secretsDir,
- ...
-}: let
- cfg = config.features.tailscale;
-in {
- options.features.tailscale = {
- enable = lib.mkEnableOption "Tailscale";
- ssh.enable = lib.mkEnableOption "Tailscale SSH";
- };
-
- config = lib.mkIf cfg.enable {
- age.secrets = lib.mkIf cfg.ssh.enable {
- tailscaleAuthKey.file = "${secretsDir}/tailscaleAuthKey.age";
- };
-
- networking.firewall =
- {
- trustedInterfaces = ["tailscale0"];
- }
- // lib.optionalAttrs cfg.ssh.enable {
- allowedTCPPorts = [22];
- };
-
- services.tailscale =
- {
- enable = true;
- openFirewall = true;
- }
- // lib.optionalAttrs cfg.ssh.enable {
- authKeyFile = config.age.secrets.tailscaleAuthKey.path;
- extraUpFlags = ["--ssh"];
- };
- };
-}
diff --git a/modules/nixos/server/acme.nix b/modules/nixos/server/acme.nix
deleted file mode 100644
index a08c8ae..0000000
--- a/modules/nixos/server/acme.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- config,
- lib,
- secretsDir,
- ...
-}: let
- cfg = config.server.acme;
-in {
- options.server.acme.enable = lib.mkEnableOption "ACME support";
-
- config = lib.mkIf cfg.enable {
- age.secrets = {
- cloudflareApiKey.file = secretsDir + "/cloudflareApiKey.age";
- };
-
- security.acme = {
- acceptTerms = true;
- defaults = {
- email = "[email protected]";
- dnsProvider = "cloudflare";
- credentialsFile = config.age.secrets.cloudflareApiKey.path;
- };
- };
- };
-}
diff --git a/modules/nixos/server/default.nix b/modules/nixos/server/default.nix
deleted file mode 100644
index baf05f9..0000000
--- a/modules/nixos/server/default.nix
+++ /dev/null
@@ -1,43 +0,0 @@
-{
- config,
- lib,
- pkgs,
- inputs,
- ...
-}: let
- cfg = config.server;
-in {
- options.server.enable = lib.mkEnableOption "base server settings";
-
- imports = [
- ./acme.nix
- ./secrets.nix
- ];
-
- config = lib.mkIf cfg.enable {
- _module.args.unstable = inputs.nixpkgs.legacyPackages.${pkgs.stdenv.hostPlatform.system};
-
- boot = {
- tmp.cleanOnBoot = lib.mkDefault true;
- kernelPackages = lib.mkDefault pkgs.linuxPackages_hardened;
- };
- environment.etc."nix/inputs/nixpkgs".source = inputs.nixpkgs-stable.outPath;
-
- documentation = {
- enable = false;
- man.enable = false;
- };
-
- environment.defaultPackages = lib.mkForce [];
-
- nix = {
- gc = {
- dates = "*-*-1,5,9,13,17,21,25,29 00:00:00";
- options = "-d --delete-older-than 2d";
- };
-
- registry.n.flake = inputs.nixpkgs-stable;
- settings.allowed-users = [config.networking.hostName];
- };
- };
-}
diff --git a/modules/nixos/server/secrets.nix b/modules/nixos/server/secrets.nix
deleted file mode 100644
index 0f38995..0000000
--- a/modules/nixos/server/secrets.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- config,
- lib,
- secretsDir,
- ...
-}: let
- cfg = config.server.secrets;
-in {
- options.server.secrets.enable = lib.mkEnableOption "secrets management";
-
- config = lib.mkIf cfg.enable {
- age = {
- identityPaths = ["/etc/age/key"];
-
- secrets = {
- rootPassword.file = secretsDir + "/rootPassword.age";
- userPassword.file = secretsDir + "/userPassword.age";
- };
- };
- };
-}
diff --git a/modules/nixos/services/cloudflared.nix b/modules/nixos/services/cloudflared.nix
deleted file mode 100644
index 42f5908..0000000
--- a/modules/nixos/services/cloudflared.nix
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- config,
- lib,
- secretsDir,
- ...
-}: let
- cfg = config.server.services.cloudflared;
- inherit (lib) mkEnableOption mkIf;
- inherit (config.services) nginx;
-in {
- options.server.services.cloudflared = {
- enable = mkEnableOption "cloudflared";
- };
-
- config = mkIf cfg.enable {
- age.secrets.cloudflaredCreds = {
- file = secretsDir + "/cloudflaredCreds.age";
- mode = "400";
- owner = "cloudflared";
- group = "cloudflared";
- };
-
- services.cloudflared = {
- enable = true;
- tunnels = {
- "${config.networking.hostName}-nginx" = {
- default = "http_status:404";
-
- ingress = lib.genAttrs (builtins.attrNames nginx.virtualHosts) (
- _: {service = "http://localhost:${toString nginx.defaultHTTPListenPort}";}
- );
-
- credentialsFile = config.age.secrets.cloudflaredCreds.path;
- };
- };
- };
- };
-}
diff --git a/modules/nixos/services/default.nix b/modules/nixos/services/default.nix
deleted file mode 100644
index 3423b79..0000000
--- a/modules/nixos/services/default.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- imports = [
- ./cloudflared.nix
- ./hercules.nix
- ./promtail.nix
- ];
-}
diff --git a/modules/nixos/services/hercules.nix b/modules/nixos/services/hercules.nix
deleted file mode 100644
index 879367c..0000000
--- a/modules/nixos/services/hercules.nix
+++ /dev/null
@@ -1,55 +0,0 @@
-{
- config,
- lib,
- unstable,
- secretsDir,
- ...
-}: let
- cfg = config.server.services.hercules-ci;
- inherit (lib) mkEnableOption mkIf;
-
- hercArgs = {
- mode = "400";
- owner = "hercules-ci-agent";
- group = "hercules-ci-agent";
- };
-in {
- options.server.services.hercules-ci = {
- enable = mkEnableOption "hercules-ci";
- secrets.enable = mkEnableOption "secrets management for hercules-ci";
- };
-
- config = mkIf cfg.enable {
- age.secrets = mkIf cfg.secrets.enable {
- binaryCache =
- {
- file = secretsDir + "/binaryCache.age";
- }
- // hercArgs;
-
- clusterToken =
- {
- file = secretsDir + "/clusterToken.age";
- }
- // hercArgs;
-
- secretsJson =
- {
- file = secretsDir + "/secretsJson.age";
- }
- // hercArgs;
- };
-
- services = {
- hercules-ci-agent = {
- enable = true;
- package = unstable.hercules-ci-agent;
- settings = {
- binaryCachesPath = config.age.secrets.binaryCache.path;
- clusterJoinTokenPath = config.age.secrets.clusterToken.path;
- secretsJsonPath = config.age.secrets.secretsJson.path;
- };
- };
- };
- };
-}
diff --git a/modules/nixos/services/promtail.nix b/modules/nixos/services/promtail.nix
deleted file mode 100644
index ced1ece..0000000
--- a/modules/nixos/services/promtail.nix
+++ /dev/null
@@ -1,47 +0,0 @@
-{
- config,
- lib,
- ...
-}: let
- cfg = config.server.services.promtail;
- inherit (lib) mkEnableOption mkIf mkOption types;
-in {
- options.server.services.promtail = {
- enable = mkEnableOption "Promtail";
-
- clients = mkOption {
- type = types.listOf types.attrs;
- default = [{}];
- description = "clients for promtail";
- };
- };
-
- config.services.promtail = mkIf cfg.enable {
- enable = true;
- configuration = {
- inherit (cfg) clients;
- server.disable = true;
-
- scrape_configs = [
- {
- job_name = "journal";
-
- journal = {
- max_age = "12h";
- labels = {
- job = "systemd-journal";
- host = "${config.networking.hostName}";
- };
- };
-
- relabel_configs = [
- {
- source_labels = ["__journal__systemd_unit"];
- target_label = "unit";
- }
- ];
- }
- ];
- };
- };
-}
diff --git a/modules/nixos/suites/personal.nix b/modules/nixos/suites/personal.nix
deleted file mode 100644
index 830062b..0000000
--- a/modules/nixos/suites/personal.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{
- config,
- lib,
- secretsDir,
- ...
-}: let
- cfg = config.suites.personal;
-in {
- config = lib.mkIf cfg.enable {
- age = {
- identityPaths = ["/etc/age/key"];
- secrets = {
- rootPassword.file = secretsDir + "/rootPassword.age";
- sethPassword.file = secretsDir + "/sethPassword.age";
- };
- };
- };
-}
diff --git a/modules/nixos/suites/server.nix b/modules/nixos/suites/server.nix
deleted file mode 100644
index ac0c001..0000000
--- a/modules/nixos/suites/server.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{
- config,
- lib,
- ...
-}: let
- cfg = config.suites.server;
-in {
- options.suites.server = {
- enable = lib.mkEnableOption "Server configuration set";
- };
-
- config = lib.mkIf cfg.enable {
- features.tailscale = {
- enable = true;
- ssh.enable = true;
- };
-
- server = {
- enable = true;
- secrets.enable = true;
- };
- };
-}
diff --git a/modules/nixos/traits/acme.nix b/modules/nixos/traits/acme.nix
new file mode 100644
index 0000000..a377b25
--- /dev/null
+++ b/modules/nixos/traits/acme.nix
@@ -0,0 +1,46 @@
+{
+ config,
+ lib,
+ secretsDir,
+ ...
+}: let
+ cfg = config.traits.acme;
+in {
+ options.traits.acme = {
+ enable = lib.mkEnableOption "ACME support";
+
+ manageSecrets =
+ lib.mkEnableOption "automatic management of secrets"
+ // {
+ default = config.traits.secrets.enable;
+ };
+
+ useDns = lib.mkEnableOption "the usage of dns to get certs" // {default = true;};
+ };
+
+ config = lib.mkIf cfg.enable (
+ lib.mkMerge [
+ {
+ security.acme = {
+ acceptTerms = true;
+ defaults =
+ {
+ email = "[email protected]";
+ }
+ // lib.optionalAttrs cfg.useDns {
+ dnsProvider = "cloudflare";
+ }
+ // lib.optionalAttrs cfg.manageSecrets {
+ credentialsFile = config.age.secrets.cloudflareApiKey.path;
+ };
+ };
+ }
+
+ (lib.mkIf cfg.manageSecrets {
+ age.secrets = {
+ cloudflareApiKey.file = secretsDir + "/cloudflareApiKey.age";
+ };
+ })
+ ]
+ );
+}
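Review bot: With `useDns` defaulting to true and `manageSecrets` following `traits.secrets.enable`, a host that enables this trait without the secrets trait gets `dnsProvider = "cloudflare"` and no `credentialsFile`, so lego has no Cloudflare token for the DNS-01 challenge; I believe the NixOS acme module also asserts that `dnsProvider` is paired with `credentialsFile`, in which case this fails at evaluation rather than at renewal time. Tying the two together, `// lib.optionalAttrs (cfg.useDns && cfg.manageSecrets) { dnsProvider = "cloudflare"; }`, or adding an assertion `cfg.useDns -> cfg.manageSecrets` with a message, makes the requirement explicit. The literal `email = "[email protected]"` also reads like an obfuscated placeholder rather than a deliverable contact; if that is what is committed rather than a rendering artifact of this page, CA expiry notices will reach nobody.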
diff --git a/modules/nixos/traits/cloudflared.nix b/modules/nixos/traits/cloudflared.nix
new file mode 100644
index 0000000..9905d33
--- /dev/null
+++ b/modules/nixos/traits/cloudflared.nix
@@ -0,0 +1,50 @@
+{
+ config,
+ lib,
+ secretsDir,
+ ...
+}: let
+ cfg = config.traits.cloudflared;
+ inherit (config.services) nginx;
+in {
+ options.traits.cloudflared = {
+ enable = lib.mkEnableOption "cloudflared";
+ manageSecrets =
+ lib.mkEnableOption "automatically managed secrets"
+ // {
+ default = config.traits.secrets.enable;
+ };
+ };
+
+ config = lib.mkIf cfg.enable (
+ lib.mkMerge [
+ {
+ services.cloudflared = {
+ enable = true;
+ tunnels = {
+ "${config.networking.hostName}-nginx" =
+ {
+ default = "http_status:404";
+
+ ingress = lib.genAttrs (builtins.attrNames nginx.virtualHosts) (
+ _: {service = "http://localhost:${toString nginx.defaultHTTPListenPort}";}
+ );
+ }
+ // lib.optionalAttrs cfg.manageSecrets {
+ credentialsFile = config.age.secrets.cloudflaredCreds.path;
+ };
+ };
+ };
+ }
+
+ (lib.mkIf cfg.manageSecrets {
+ age.secrets.cloudflaredCreds = {
+ file = secretsDir + "/cloudflaredCreds.age";
+ mode = "400";
+ owner = "cloudflared";
+ group = "cloudflared";
+ };
+ })
+ ]
+ );
+}
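Review bot: When `manageSecrets` is false the tunnel definition carries no `credentialsFile` at all, and as far as I recall `services.cloudflared.tunnels.<name>.credentialsFile` has no default, so enabling the trait without the secrets trait fails evaluation (or, if the option were optional, would start a tunnel that cannot authenticate). A trait-level option, `credentialsFile = lib.mkOption { type = lib.types.str; description = "tunnel credentials"; };` defaulted to `config.age.secrets.cloudflaredCreds.path` only when `manageSecrets` is set, would let a host supply its own path and turn the silent gap into a clear "option used but not defined" error.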
diff --git a/modules/nixos/features/containers.nix b/modules/nixos/traits/containers.nix
index 290f7b0..43c748c 100644
--- a/modules/nixos/features/containers.nix
+++ b/modules/nixos/traits/containers.nix
@@ -4,9 +4,9 @@
pkgs,
...
}: let
- cfg = config.features.containers;
+ cfg = config.traits.containers;
in {
- options.features.containers = {
+ options.traits.containers = {
enable = lib.mkEnableOption "containers support";
};
diff --git a/modules/nixos/traits/default.nix b/modules/nixos/traits/default.nix
new file mode 100644
index 0000000..6eda57f
--- /dev/null
+++ b/modules/nixos/traits/default.nix
@@ -0,0 +1,15 @@
+{
+ imports = [
+ ./acme.nix
+ ./cloudflared.nix
+ ./containers.nix
+ ./hercules.nix
+ ./locale.nix
+ ./nvk
+ ./promtail.nix
+ ./secrets.nix
+ ./tailscale.nix
+ ./user-setup.nix
+ ./users.nix
+ ];
+}
diff --git a/modules/nixos/traits/hercules.nix b/modules/nixos/traits/hercules.nix
new file mode 100644
index 0000000..fc3dbd0
--- /dev/null
+++ b/modules/nixos/traits/hercules.nix
@@ -0,0 +1,49 @@
+{
+ config,
+ lib,
+ unstable,
+ secretsDir,
+ ...
+}: let
+ cfg = config.traits.hercules-ci;
+in {
+ options.traits.hercules-ci = {
+ enable = lib.mkEnableOption "hercules-ci";
+ manageSecrets = lib.mkEnableOption "automatic secrets management";
+ };
+
+ config = lib.mkIf cfg.enable (
+ lib.mkMerge [
+ {
+ services = {
+ hercules-ci-agent = {
+ enable = true;
+ package = unstable.hercules-ci-agent;
+ settings = {
+ binaryCachesPath = config.age.secrets.binaryCache.path;
+ clusterJoinTokenPath = config.age.secrets.clusterToken.path;
+ secretsJsonPath = config.age.secrets.secretsJson.path;
+ };
+ };
+ };
+ }
+
+ (let
+ hercArgs = {
+ mode = "400";
+ owner = "hercules-ci-agent";
+ group = "hercules-ci-agent";
+ };
+
+ mkSecrets = lib.mapAttrs (_: file: lib.recursiveUpdate hercArgs {inherit file;});
+ in
+ lib.mkIf cfg.manageSecrets {
+ age.secrets = mkSecrets {
+ binaryCache = secretsDir + "/binaryCache.age";
+ clusterToken = secretsDir + "/clusterToken.age";
+ secretsJson = secretsDir + "/secretsJson.age";
+ };
+ })
+ ]
+ );
+}
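Review bot: The `settings` block under `hercules-ci-agent` reads `config.age.secrets.binaryCache.path`, `clusterToken.path` and `secretsJson.path` unconditionally, but those `age.secrets` entries are only defined in the `lib.mkIf cfg.manageSecrets` branch below, so enabling the trait with `manageSecrets = false` fails with a missing-attribute error instead of letting the host provide the three paths itself. The sibling traits (tailscale, acme, cloudflared, user-setup) wrap the dependent attribute in `lib.optionalAttrs cfg.manageSecrets`; the same one-line wrapper here, `settings = lib.optionalAttrs cfg.manageSecrets {`, restores that pattern. Unlike those traits, `manageSecrets` here has no `default = config.traits.secrets.enable`, which looks like an oversight rather than a choice; a comment would settle it either way.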
diff --git a/modules/nixos/traits/locale.nix b/modules/nixos/traits/locale.nix
new file mode 100644
index 0000000..1de19ce
--- /dev/null
+++ b/modules/nixos/traits/locale.nix
@@ -0,0 +1,25 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.traits.locale;
+in {
+ options.traits.locale = {
+ en_US = {
+ enable = lib.mkEnableOption "en_US locale";
+ };
+ };
+
+ config = lib.mkMerge [
+ (lib.mkIf cfg.en_US.enable {
+ i18n = {
+ supportedLocales = [
+ "en_US.UTF-8/UTF-8"
+ ];
+
+ defaultLocale = "en_US.UTF-8";
+ };
+ })
+ ];
+}
diff --git a/modules/nixos/features/nvk/default.nix b/modules/nixos/traits/nvk/default.nix
index 977dd3b..8e849ce 100644
--- a/modules/nixos/features/nvk/default.nix
+++ b/modules/nixos/traits/nvk/default.nix
@@ -4,11 +4,13 @@
pkgs,
...
}: let
- cfg = config.features.nvk;
+ cfg = config.traits.nvk;
mesa = import ./mesa.nix pkgs;
mesa32 = import ./mesa.nix pkgs.pkgsi686Linux;
in {
- options.features.nvk.enable = lib.mkEnableOption "nvk";
+ options.traits.nvk = {
+ enable = lib.mkEnableOption "nvk drivers";
+ };
config = lib.mkIf cfg.enable {
# make sure we're loading new gsp firmware
diff --git a/modules/nixos/features/nvk/mesa.nix b/modules/nixos/traits/nvk/mesa.nix
index 4b622c6..4b622c6 100644
--- a/modules/nixos/features/nvk/mesa.nix
+++ b/modules/nixos/traits/nvk/mesa.nix
diff --git a/modules/nixos/traits/promtail.nix b/modules/nixos/traits/promtail.nix
new file mode 100644
index 0000000..5e08b25
--- /dev/null
+++ b/modules/nixos/traits/promtail.nix
@@ -0,0 +1,49 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.traits.promtail;
+ inherit (lib) types;
+in {
+ options.traits.promtail = {
+ enable = lib.mkEnableOption "Promtail";
+
+ clients = lib.mkOption {
+ type = types.listOf types.attrs;
+ default = [{}];
+ description = "clients for promtail";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.promtail = {
+ enable = true;
+ configuration = {
+ inherit (cfg) clients;
+ server.disable = true;
+
+ scrape_configs = [
+ {
+ job_name = "journal";
+
+ journal = {
+ max_age = "12h";
+ labels = {
+ job = "systemd-journal";
+ host = "${config.networking.hostName}";
+ };
+ };
+
+ relabel_configs = [
+ {
+ source_labels = ["__journal__systemd_unit"];
+ target_label = "unit";
+ }
+ ];
+ }
+ ];
+ };
+ };
+ };
+}
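Review bot: `clients` defaults to `[{}]`, a single client entry with no `url`, so a host that enables the trait without setting `traits.promtail.clients` ships a promtail with nowhere to push the journal; an empty default plus an assertion that the list is non-empty, or no default at all so the option must be set, fails earlier and with a clearer message. `types.listOf types.attrs` is also the type the nixpkgs manual marks for deprecation in favour of `types.attrsOf types.anything`, so `types.listOf (types.attrsOf types.anything)` is the safer choice. Minor: `host = "${config.networking.hostName}"` can simply be `host = config.networking.hostName;`.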
diff --git a/modules/nixos/traits/secrets.nix b/modules/nixos/traits/secrets.nix
new file mode 100644
index 0000000..085d8f3
--- /dev/null
+++ b/modules/nixos/traits/secrets.nix
@@ -0,0 +1,17 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.traits.secrets;
+in {
+ options.traits.secrets = {
+ enable = lib.mkEnableOption "secrets management";
+ };
+
+ config = lib.mkIf cfg.enable {
+ age = {
+ identityPaths = ["/etc/age/key"];
+ };
+ };
+}
diff --git a/modules/nixos/traits/tailscale.nix b/modules/nixos/traits/tailscale.nix
new file mode 100644
index 0000000..93616b5
--- /dev/null
+++ b/modules/nixos/traits/tailscale.nix
@@ -0,0 +1,48 @@
+{
+ config,
+ lib,
+ secretsDir,
+ ...
+}: let
+ cfg = config.traits.tailscale;
+in {
+ options.traits.tailscale = {
+ enable = lib.mkEnableOption "Tailscale";
+ ssh.enable = lib.mkEnableOption "Tailscale SSH";
+ manageSecrets =
+ lib.mkEnableOption "the use of agenix for auth"
+ // {
+ default = config.traits.secrets.enable && cfg.ssh.enable;
+ };
+ };
+
+ config = lib.mkIf cfg.enable (lib.mkMerge [
+ {
+ networking.firewall =
+ {
+ trustedInterfaces = ["tailscale0"];
+ }
+ // lib.optionalAttrs cfg.ssh.enable {
+ allowedTCPPorts = [22];
+ };
+
+ services.tailscale =
+ {
+ enable = true;
+ openFirewall = true;
+ }
+ // lib.optionalAttrs cfg.ssh.enable {
+ extraUpFlags = ["--ssh"];
+ }
+ // lib.optionalAttrs cfg.manageSecrets {
+ authKeyFile = config.age.secrets.tailscaleAuthKey.path;
+ };
+ }
+
+ (lib.mkIf cfg.manageSecrets {
+ age.secrets = lib.mkIf cfg.manageSecrets {
+ tailscaleAuthKey.file = "${secretsDir}/tailscaleAuthKey.age";
+ };
+ })
+ ]);
+}
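Review bot: `allowedTCPPorts = [22]` under `ssh.enable` opens port 22 on every interface, yet Tailscale SSH only needs traffic on `tailscale0`, which the same block already lists in `trustedInterfaces`; the global rule therefore only matters if an ordinary sshd is also listening, in which case it exposes that daemon on untrusted interfaces as well. Dropping the rule, or scoping it as `interfaces.tailscale0.allowedTCPPorts = [22]` if an explicit rule is wanted, keeps exposure to the tailnet. The inner `age.secrets = lib.mkIf cfg.manageSecrets { … }` repeats the condition already applied by the enclosing `(lib.mkIf cfg.manageSecrets { … })`; `age.secrets.tailscaleAuthKey.file = "${secretsDir}/tailscaleAuthKey.age";` is enough. If I remember the NixOS tailscale module correctly, `extraUpFlags` are only consumed by the autoconnect unit that exists when `authKeyFile` is set, so with `ssh.enable` but `manageSecrets = false` the `--ssh` flag never reaches `tailscale up`; worth a comment or an assertion either way.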
diff --git a/modules/nixos/traits/user-setup.nix b/modules/nixos/traits/user-setup.nix
new file mode 100644
index 0000000..a8a4cd6
--- /dev/null
+++ b/modules/nixos/traits/user-setup.nix
@@ -0,0 +1,45 @@
+{
+ config,
+ lib,
+ pkgs,
+ secretsDir,
+ ...
+}: let
+ cfg = config.traits.user-setup;
+in {
+ options.traits.user-setup = {
+ enable = lib.mkEnableOption "basic immutable user & root configurations";
+ manageSecrets =
+ lib.mkEnableOption "automatic management of secrets"
+ // {
+ default = config.traits.secrets.enable;
+ };
+ };
+
+ config = lib.mkIf cfg.enable (
+ lib.mkMerge [
+ {
+ users = {
+ defaultUserShell = pkgs.bash;
+ mutableUsers = false;
+
+ users.root =
+ {
+ home = lib.mkDefault "/root";
+ uid = lib.mkDefault config.ids.uids.root;
+ group = lib.mkDefault "root";
+ }
+ // lib.optionalAttrs cfg.manageSecrets {
+ hashedPasswordFile = config.age.secrets.rootPassword.path;
+ };
+ };
+ }
+
+ (lib.mkIf cfg.manageSecrets {
+ age.secrets = {
+ rootPassword.file = secretsDir + "/rootPassword.age";
+ };
+ })
+ ]
+ );
+}
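Review bot: With `mutableUsers = false`, root only receives `hashedPasswordFile` when `manageSecrets` is true, so a host that enables this trait without the secrets trait ends up with a root account that has no credential at all and no documented way to supply one through this module. That may be the intended lock-down, but nothing says so; a comment on the `optionalAttrs` line such as `# without managed secrets root has no password; hosts must set users.users.root.hashedPasswordFile themselves` makes the contract explicit. Note also that `home`, `uid` and `group` keep the `lib.mkDefault` from the old base.nix while `hashedPasswordFile` lost it, so a host wanting a different password file now needs `mkForce`.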
diff --git a/modules/nixos/traits/users.nix b/modules/nixos/traits/users.nix
new file mode 100644
index 0000000..3302366
--- /dev/null
+++ b/modules/nixos/traits/users.nix
@@ -0,0 +1,44 @@
+{
+ config,
+ lib,
+ pkgs,
+ secretsDir,
+ ...
+}: let
+ cfg = config.traits.users;
+ inherit (config.networking) hostName;
+in {
+ imports = [
+ ../../../users/seth/nixos.nix
+ ];
+
+ options.traits.users = {
+ hostUser = {
+ enable = lib.mkEnableOption "${hostName} user configuration";
+ manageSecrets =
+ lib.mkEnableOption "automatically manage secrets"
+ // {
+ default = config.traits.secrets.enable;
+ };
+ };
+ };
+
+ config = lib.mkMerge [
+ (lib.mkIf cfg.hostUser.enable {
+ users.users.${hostName} = {
+ isNormalUser = true;
+ shell = pkgs.bash;
+ };
+ })
+
+ (lib.mkIf (cfg.hostUser.enable && cfg.hostUser.manageSecrets) {
+ age.secrets = {
+ userPassword.file = secretsDir + "/userPassword.age";
+ };
+
+ users.users.${hostName} = {
+ hashedPasswordFile = config.age.secrets.userPassword.path;
+ };
+ })
+ ];
+}
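Review bot: `lib.mkEnableOption "${hostName} user configuration"` reads `config.networking.hostName` inside an option declaration; descriptions are forced when documentation or `nixos-option` walks the option tree, where a dependency on `config` can turn into an infinite recursion, and the description does not need the concrete hostname anyway — `lib.mkEnableOption "per-host user named after networking.hostName"` says the same without the dependency. Using `hostName` for the attribute name in `users.users.${hostName}` is fine, since that sits under `config`. The hard-coded `imports = [ ../../../users/seth/nixos.nix ]` ties this generic trait to one user's module; a short comment on why it lives here rather than in archetypes/personal.nix would help the next reader.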