Diffstat (limited to 'parts/modules/nixos/base')
-rw-r--r--parts/modules/nixos/base/default.nix34
-rw-r--r--parts/modules/nixos/base/documentation.nix21
-rw-r--r--parts/modules/nixos/base/locale.nix18
-rw-r--r--parts/modules/nixos/base/network.nix26
-rw-r--r--parts/modules/nixos/base/nix.nix24
-rw-r--r--parts/modules/nixos/base/packages.nix15
-rw-r--r--parts/modules/nixos/base/root.nix26
-rw-r--r--parts/modules/nixos/base/security.nix27
-rw-r--r--parts/modules/nixos/base/systemd.nix7
-rw-r--r--parts/modules/nixos/base/upgrade-diff.nix12
10 files changed, 210 insertions, 0 deletions
diff --git a/parts/modules/nixos/base/default.nix b/parts/modules/nixos/base/default.nix
new file mode 100644
index 0000000..ed0fb23
--- /dev/null
+++ b/parts/modules/nixos/base/default.nix
@@ -0,0 +1,34 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.base;
+ inherit (lib) mkDefault mkEnableOption mkIf;
+in {
+ options.base.enable = mkEnableOption "base nixos module";
+
+ imports = [
+ ../../shared
+ ./documentation.nix
+ ./locale.nix
+ ./network.nix
+ ./nix.nix
+ ./packages.nix
+ ./root.nix
+ ./security.nix
+ ./systemd.nix
+ ./upgrade-diff.nix
+ ];
+
+ config = mkIf cfg.enable {
+ base = {
+ defaultPackages.enable = mkDefault true;
+ defaultLocale.enable = mkDefault true;
+ defaultRoot.enable = mkDefault true;
+ documentation.enable = mkDefault true;
+ networking.enable = mkDefault true;
+ nix-settings.enable = mkDefault true;
+ };
+ };
+}
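Review bot: The `config` block sets `base.defaultPackages.enable`, `base.defaultLocale.enable`, `base.documentation.enable` and `base.nix-settings.enable`, but none of the files in this commit declares those options — documentation.nix, locale.nix, nix.nix and packages.nix only read `cfg.enable`, while network.nix and root.nix do declare theirs with `mkEnableOption`. Unless `../../shared` (not in this diff) declares them, evaluation will fail with an undefined-option error as soon as `base.enable` is set. Each of those four modules should carry its own declaration, e.g. `options.base.documentation.enable = mkEnableOption "documentation";`, matching the pattern already used in network.nix. A one-line comment above `config = mkIf cfg.enable {` noting that sub-modules are opt-out via their own `enable` options would also help readers.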
diff --git a/parts/modules/nixos/base/documentation.nix b/parts/modules/nixos/base/documentation.nix
new file mode 100644
index 0000000..68a194f
--- /dev/null
+++ b/parts/modules/nixos/base/documentation.nix
@@ -0,0 +1,21 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.base.documentation;
+ inherit (lib) mkIf;
+in {
+ config = mkIf cfg.enable {
+ environment.systemPackages = with pkgs; [man-pages man-pages-posix];
+ documentation = {
+ man = {
+ generateCaches = true;
+ man-db.enable = true;
+ };
+
+ dev.enable = true;
+ };
+ };
+}
diff --git a/parts/modules/nixos/base/locale.nix b/parts/modules/nixos/base/locale.nix
new file mode 100644
index 0000000..7259ef2
--- /dev/null
+++ b/parts/modules/nixos/base/locale.nix
@@ -0,0 +1,18 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.base.defaultLocale;
+ inherit (lib) mkIf;
+in {
+ config = mkIf cfg.enable {
+ i18n = {
+ supportedLocales = [
+ "en_US.UTF-8/UTF-8"
+ ];
+
+ defaultLocale = "en_US.UTF-8";
+ };
+ };
+}
diff --git a/parts/modules/nixos/base/network.nix b/parts/modules/nixos/base/network.nix
new file mode 100644
index 0000000..5bc90d1
--- /dev/null
+++ b/parts/modules/nixos/base/network.nix
@@ -0,0 +1,26 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.base.networking;
+ inherit (lib) mkEnableOption mkIf;
+in {
+ options.base.networking.enable = mkEnableOption "networking";
+
+ config = mkIf cfg.enable {
+ networking.networkmanager = {
+ enable = true;
+ dns = "systemd-resolved";
+ };
+ services.resolved = {
+ enable = lib.mkDefault true;
+ dnssec = "allow-downgrade";
+ extraConfig = ''
+ [Resolve]
+ DNS=1.1.1.1 1.0.0.1
+ DNSOverTLS=yes
+ '';
+ };
+ };
+}
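Review bot: The upstream resolvers are injected as raw text through `extraConfig` rather than the `networking.nameservers` option that `services.resolved` already renders into `DNS=`, so any other module setting `networking.nameservers` will silently produce two `DNS=` lines and the last one wins. The `[Resolve]` header in the snippet is also redundant, since NixOS already places `extraConfig` inside that section. If the goal is a pinned DoT upstream, `networking.nameservers = ["1.1.1.1#cloudflare-dns.com" "1.0.0.1#cloudflare-dns.com"];` keeps one source of truth and the `#hostname` suffix lets resolved use SNI and validate the certificate against a name rather than only the IP. Minor style point: `enable = lib.mkDefault true` reaches through `lib` while `mkIf` is inherited on the line above; adding `mkDefault` to the `inherit (lib)` list matches the sibling modules.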
diff --git a/parts/modules/nixos/base/nix.nix b/parts/modules/nixos/base/nix.nix
new file mode 100644
index 0000000..3dcac11
--- /dev/null
+++ b/parts/modules/nixos/base/nix.nix
@@ -0,0 +1,24 @@
+{
+ config,
+ lib,
+ inputs,
+ ...
+}: let
+ inherit (builtins) attrNames map;
+ inherit (lib) mkDefault mkIf;
+ cfg = config.base.nix-settings;
+
+ channelPath = i: "/etc/nix/channels/${i}";
+
+ mapInputs = fn: map fn (attrNames inputs);
+in {
+ config = mkIf cfg.enable {
+ nix = {
+ nixPath = mapInputs (i: "${i}=${channelPath i}");
+ gc.dates = mkDefault "weekly";
+ };
+
+ systemd.tmpfiles.rules =
+ mapInputs (i: "L+ ${channelPath i} - - - - ${inputs.${i}.outPath}");
+ };
+}
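Review bot: `gc.dates = mkDefault "weekly"` has no effect on its own — the timer is only created when `nix.gc.automatic` is true, which this module never sets, so either add `gc.automatic = mkDefault true;` next to it or drop the line so readers do not assume collection is scheduled. The tmpfiles rule and `nixPath` iterate over every flake input including `self`, which is presumably intended; a short comment such as `# expose every flake input as a channel symlink so <nixpkgs> etc. resolve to the locked inputs` above `channelPath` would make that explicit.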
diff --git a/parts/modules/nixos/base/packages.nix b/parts/modules/nixos/base/packages.nix
new file mode 100644
index 0000000..7390a40
--- /dev/null
+++ b/parts/modules/nixos/base/packages.nix
@@ -0,0 +1,15 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.base.defaultPackages;
+ inherit (lib) mkIf;
+in {
+ config = mkIf cfg.enable {
+ programs = {
+ git.enable = true;
+ vim.defaultEditor = true;
+ };
+ };
+}
diff --git a/parts/modules/nixos/base/root.nix b/parts/modules/nixos/base/root.nix
new file mode 100644
index 0000000..ecc5203
--- /dev/null
+++ b/parts/modules/nixos/base/root.nix
@@ -0,0 +1,26 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.base.defaultRoot;
+ inherit (lib) mkDefault mkEnableOption mkIf;
+
+ # yes this is a bad way to detect which option should be used (or exists)
+ # but i'm lazy. please do not copy this
+ passwordFile =
+ if lib.versionAtLeast config.system.stateVersion "23.11"
+ then "hashedPasswordFile"
+ else "passwordFile";
+in {
+ options.base.defaultRoot.enable = mkEnableOption "default root user";
+
+ config = mkIf cfg.enable {
+ users.users.root = {
+ home = mkDefault "/root";
+ uid = mkDefault config.ids.uids.root;
+ group = mkDefault "root";
+ "${passwordFile}" = mkDefault config.age.secrets.rootPassword.path;
+ };
+ };
+}
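Review bot: The option name is chosen from `config.system.stateVersion`, but that value records when the system was installed, not which nixpkgs is being evaluated — a host with `stateVersion = "23.05"` built from a newer nixpkgs will pick `passwordFile`, which in newer releases only survives as a renamed alias and emits a warning. The nixpkgs release is what actually determines which option exists, so `if lib.versionAtLeast lib.version "23.11"` is the accurate test and would let the apologetic comment go away. Note also that `config.age.secrets.rootPassword.path` assumes an agenix-style module and a secret named `rootPassword` are present on every host importing this module; if that is not guaranteed, a sentence in the comment stating the dependency would help.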
diff --git a/parts/modules/nixos/base/security.nix b/parts/modules/nixos/base/security.nix
new file mode 100644
index 0000000..e13d1c7
--- /dev/null
+++ b/parts/modules/nixos/base/security.nix
@@ -0,0 +1,27 @@
+{
+ lib,
+ pkgs,
+ ...
+}: let
+ inherit (lib) mkDefault;
+in {
+ security = {
+ apparmor.enable = mkDefault true;
+ audit.enable = mkDefault true;
+ auditd.enable = mkDefault true;
+ polkit.enable = mkDefault true;
+ rtkit.enable = mkDefault true;
+ sudo.execWheelOnly = true;
+ };
+
+ services.dbus.apparmor = mkDefault "enabled";
+
+ users = {
+ defaultUserShell = pkgs.bash;
+ mutableUsers = false;
+ };
+
+ nix.settings = {
+ trusted-users = ["root" "@wheel"];
+ };
+}
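Review bot: `nix.settings.trusted-users = ["root" "@wheel"]` grants every wheel member trusted status on the Nix daemon, which the Nix manual describes as effectively root-equivalent (trusted users may override substituters, sandbox and other daemon settings); that is a deliberate trade-off but it deserves a comment stating it, e.g. `# wheel is already root via sudo; trusted-users lets them override daemon settings (substituters, sandbox)`. Unlike the other modules in this commit, this file is not gated by `cfg.enable` or `base.enable`, so importing `base/default.nix` hardens users, sudo, apparmor and auditd even when `base.enable = false`; wrapping the attrset in `mkIf config.base.enable` (or its own `base.security.enable` option) would keep it consistent with the siblings. `sudo.execWheelOnly = true` and `mutableUsers = false` are the only values here not wrapped in `mkDefault`, so a host cannot override them without `mkForce`; if that is intentional, say so in a comment.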
diff --git a/parts/modules/nixos/base/systemd.nix b/parts/modules/nixos/base/systemd.nix
new file mode 100644
index 0000000..2888c0b
--- /dev/null
+++ b/parts/modules/nixos/base/systemd.nix
@@ -0,0 +1,7 @@
+_: {
+ services = {
+ journald.extraConfig = ''
+ MaxRetentionSec=1w
+ '';
+ };
+}
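Review bot: `MaxRetentionSec=1w` caps the journal at one week, which is a short window for incident investigation and is set unconditionally and unconditionally un-overridable except by editing raw `extraConfig` text. Consider exposing it as an option or at least adding a comment such as `# 1 week of journal; raise if host logs are not shipped elsewhere` so the retention choice is visible to whoever forwards logs.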
diff --git a/parts/modules/nixos/base/upgrade-diff.nix b/parts/modules/nixos/base/upgrade-diff.nix
new file mode 100644
index 0000000..68be9af
--- /dev/null
+++ b/parts/modules/nixos/base/upgrade-diff.nix
@@ -0,0 +1,12 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ system.activationScripts."upgrade-diff" = {
+ supportsDryActivation = true;
+ text = ''
+ ${pkgs.nvd}/bin/nvd --nix-bin-dir=${config.nix.package}/bin diff /run/current-system "$systemConfig"
+ '';
+ };
+}
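Review bot: The activation script runs `nvd diff /run/current-system "$systemConfig"` with no guard, so on a first activation (or in an installer) where `/run/current-system` does not yet exist nvd will fail, and if the surrounding activation shell treats that as fatal the whole switch may report an error for what is only a cosmetic diff. A guard such as `[ -e /run/current-system ] && ${pkgs.nvd}/bin/nvd ... || true` keeps the diff best-effort; a comment like `# informational only: show package changes between the running and new system` would document the intent.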