reformat code (first time with nixfmt

main
Felix Stupp 1 year ago
parent 350958c0c0
commit 539680512c
Signed by: zocker
GPG Key ID: 93E1BD26F6B02FB7

@ -1,7 +1,6 @@
{
description = "banananet.work Server & Deployment Controller environment";
inputs = {
# packages repositories
@ -26,11 +25,13 @@
};
outputs = { self, ... }@inputs:
outputs =
{ self, ... }@inputs:
let
inherit (self) outputs;
flakeArg = { inherit self inputs outputs; };
flakeArg = {
inherit self inputs outputs;
};
# constants
system = "x86_64-linux";
# package repositories
@ -39,28 +40,29 @@
in
{
# shortcut to fully configured secrix
apps.x86_64-linux.secrix = inputs.secrix.secrix self;
nixosConfigurations =
let
nixosSystem = { modules, system }: inputs.nixpkgs.lib.nixosSystem {
modules = [
outputs.nixosModules.myOptions
outputs.nixosModules.withDepends
] ++ modules;
specialArgs = {
flake = flakeArg;
nixosSystem =
{ modules, system }:
inputs.nixpkgs.lib.nixosSystem {
modules = [
outputs.nixosModules.myOptions
outputs.nixosModules.withDepends
] ++ modules;
specialArgs = {
flake = flakeArg;
};
inherit system;
};
inherit system;
};
in
{
"x13yz" = nixosSystem {
modules = [
{ nixpkgs.overlays = [ (final: prev: { nixfmt-rfc-style = pkgs_unstable.nixfmt-rfc-style; }) ]; }
{
# TODO check if required & hide into modules
boot = {
@ -70,13 +72,9 @@
"rtsx_pci_sdmmc"
"xhci_pci"
];
kernelModules = [
"dm-snapshot"
];
kernelModules = [ "dm-snapshot" ];
};
kernelModules = [
"kvm-intel"
];
kernelModules = [ "kvm-intel" ];
};
}
inputs.nixos-hardware.nixosModules.lenovo-thinkpad-x13-yoga
@ -96,14 +94,22 @@
fileSystems."/" = {
device = "/dev/disk/by-uuid/c93557db-e7c5-46ef-9cd8-87eb7c5753dc";
fsType = "ext4";
options = [ "relatime" "discard" ];
options = [
"relatime"
"discard"
];
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/5F9A-9A2D";
fsType = "vfat";
options = [ "uid=0" "gid=0" "fmask=0077" "dmask=0077" ];
options = [
"uid=0"
"gid=0"
"fmask=0077"
"dmask=0077"
];
};
swapDevices = [{ device = "/dev/disk/by-uuid/8482463b-ceb3-40b3-abef-b49df2de88e5"; }];
swapDevices = [ { device = "/dev/disk/by-uuid/8482463b-ceb3-40b3-abef-b49df2de88e5"; } ];
system.stateVersion = "24.05";
x-banananetwork.sshHostPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG71dtqG/c0AiFBN9OxoLD35TDQm3m8LXj/BQw60PE0h";
}
@ -121,7 +127,6 @@
};
nixosModules = {
# this one includes all of my modules
@ -146,21 +151,18 @@
};
devShells."${system}".default =
let
pkgs = pkgs_unstable;
in
pkgs.mkShell
{
packages = with pkgs; [
curl
rsync
opentofu
terranix
];
};
pkgs.mkShell {
packages = with pkgs; [
curl
rsync
opentofu
terranix
];
};
};
}

@ -1,9 +1,10 @@
# this stuff replaces all settings which would be configured by the corresponding frontend NixOS module
{ config
, lib
, pkgs
, ...
{
config,
lib,
pkgs,
...
}:
let
cfg = config.x-banananetwork.frontend;

@ -1,17 +1,17 @@
{ config
, lib
, pkgs
, ...
}: {
{
config,
lib,
pkgs,
...
}:
{
imports = [
./base.nix
./extension.nix
];
options = {
x-banananetwork.frontend = {
@ -31,5 +31,4 @@
};
}

@ -1,7 +1,9 @@
# this stuff must all be compatible to settings already configured by the corresponding frontend NixOS module
{ config
, lib
, pkgs
, ...
}: { }
{
config,
lib,
pkgs,
...
}:
{ }

@ -1,23 +1,20 @@
# configures options only really useable for me
{ config
, lib
, pkgs
, ...
{
config,
lib,
pkgs,
...
}:
let
myOpts = config.x-banananetwork;
in
{
config = {
x-banananetwork = {
# options defined in nixos-modules/options.nix
sshPublicKeys = [
@ -30,18 +27,14 @@ in
userName = "zocker";
# defaults for other modules, derived from them above
frontend = {
username = myOpts.userName;
};
};
};
}

@ -1,18 +1,18 @@
# applies to all of my machines
# examples: PCs, laptops, VMs, hypervisors, ...
{ config
, lib
, options
, pkgs
, ...
{
config,
lib,
options,
pkgs,
...
}:
let
cfg = config.x-banananetwork.allCommon;
in
{
options = {
x-banananetwork.allCommon = {
@ -28,10 +28,8 @@ in
};
config = lib.mkIf cfg.enable {
assertions = [
(
let
@ -44,7 +42,6 @@ in
)
];
documentation = {
man.mandoc.settings.output = {
@ -53,7 +50,6 @@ in
};
i18n = {
# inspired by https://wiki.archlinux.org/title/Locale
defaultLocale = lib.mkDefault "en_US.UTF-8";
@ -67,7 +63,6 @@ in
};
};
nix = {
channel.enable = false;
@ -86,12 +81,8 @@ in
"flakes"
"nix-command"
];
hashed-mirrors = [
"https://tarballs.nixos.org/"
];
trusted-users = [
"root"
];
hashed-mirrors = [ "https://tarballs.nixos.org/" ];
trusted-users = [ "root" ];
};
};
@ -99,7 +90,6 @@ in
OOMScoreAdjust = lib.mkDefault 250;
};
# well-known public keys
programs.ssh = {
hostKeyAlgorithms = [
@ -114,7 +104,6 @@ in
};
};
security = {
pki = {
@ -155,7 +144,6 @@ in
};
system.activationScripts.diff = {
supportsDryActivation = true;
text = ''
@ -173,26 +161,19 @@ in
${pkgs.shellcheck}/bin/shellcheck --check-sourced --external-sources --norc --severity=warning $out/activate $out/dry-activate
'';
time = {
hardwareClockInLocalTime = lib.mkDefault false;
timeZone = lib.mkDefault "Etc/UTC";
};
x-banananetwork = {
improvedDefaults.enable = true;
secrix = {
enable = true;
hostKeyType = "ed25519";
};
};
};
}

@ -1,14 +1,14 @@
{ config
, lib
, pkgs
, ...
{
config,
lib,
pkgs,
...
}:
let
cfg = config.x-banananetwork.autoUnfree;
in
{
options = {
x-banananetwork.autoUnfree = {
@ -59,20 +59,16 @@ in
};
config = lib.mkIf cfg.enable {
nixpkgs.config = {
allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) (map lib.getName cfg.packages);
};
# TODO add alternative for allowUnfreePredicate for users
x-banananetwork.autoUnfree.packages =
let
inherit (lib.lists) flatten optional optionals;
@ -97,8 +93,6 @@ in
]))
];
};
}

@ -1,14 +1,14 @@
{ config
, lib
, pkgs
, ...
{
config,
lib,
pkgs,
...
}:
let
cfg = config.x-banananetwork.debugMinimal;
in
{
options = {
x-banananetwork.debugMinimal = {
@ -21,10 +21,8 @@ in
};
config = lib.mkIf cfg.enable {
programs = {
bash = {
@ -85,8 +83,6 @@ in
};
};
}

@ -1,14 +1,14 @@
{ config
, lib
, pkgs
, ...
{
config,
lib,
pkgs,
...
}:
let
cfg = config.x-banananetwork.frontend;
in
{
options = {
x-banananetwork.frontend = {
@ -27,21 +27,14 @@ in
};
config = lib.mkIf cfg.enable {
# TODO copy modem-manager overlay (for now)
# NixOS configuration
console = {
useXkbConfig = true;
};
environment = {
pathsToLink = [
@ -54,7 +47,6 @@ in
};
hardware = {
bluetooth = {
@ -75,7 +67,6 @@ in
};
home-manager = {
useGlobalPkgs = true;
@ -88,13 +79,12 @@ in
};
networking = {
firewall = {
trustedInterfaces = with lib.lists; flatten [
(optional config.services.tailscale.enable "tailscale0")
];
trustedInterfaces =
with lib.lists;
flatten [ (optional config.services.tailscale.enable "tailscale0") ];
};
networkmanager.enable = true;
@ -103,12 +93,10 @@ in
};
nix.settings = {
builders-use-substitutes = lib.mkDefault true;
};
programs = {
captive-browser = {
@ -222,6 +210,7 @@ in
PopupBlocking = {
Allow = [
"https://app.roll20.net"
# placeholder for more
];
Default = true;
Locked = true;
@ -353,14 +342,12 @@ in
};
security = {
rtkit.enable = lib.mkIf config.services.pipewire.enable true;
};
services = {
desktopManager.plasma6 = {
@ -445,36 +432,38 @@ in
};
users = {
users."${cfg.username}" = {
description = "${cfg.username}";
extraGroups = with lib.lists; flatten [
(optional config.networking.networkmanager.enable "networkmanger")
"wheel"
];
extraGroups =
with lib.lists;
flatten [
(optional config.networking.networkmanager.enable "networkmanger")
"wheel"
];
isNormalUser = true;
openssh.authorizedKeys.keys = config.x-banananetwork.sshPublicKeys;
packages = with pkgs; lib.lists.flatten [
kdePackages.kate
(lib.lists.optional cfg.convertable [
maliit-keyboard # on-screen keyboard (should just work, see https://discuss.kde.org/t/how-to-enable-virtual-keyboard-included-in-kde/264/2)
])
];
packages =
with pkgs;
lib.lists.flatten [
kdePackages.kate
(lib.lists.optional cfg.convertable [
maliit-keyboard # on-screen keyboard (should just work, see https://discuss.kde.org/t/how-to-enable-virtual-keyboard-included-in-kde/264/2)
])
];
};
};
x-banananetwork = {
allCommon.enable = true;
autoUnfree = {
enable = true;
# TODO merge with nixos-modules/frontend/home.nix
packages = with pkgs.mpvScripts; [
# TODO merge with nixos-modules/frontend/home.nix
evafast
];
};
@ -485,7 +474,6 @@ in
};
# TODO wishlist:
# - enable & disable touch keyboard automatically based on convertable status
# - https://github.com/cynicsketch/nix-mineral (NixOS hardening)
@ -493,8 +481,6 @@ in
# - programs.autojump
# - programs.yubikey-touch-detector
};
}

@ -1,8 +1,9 @@
{ nixosConfig
, config
, lib
, pkgs
, ...
{
nixosConfig,
config,
lib,
pkgs,
...
}:
let
@ -17,7 +18,6 @@ let
in
{
# TODO exclude in own home-manager module
assertions =
let
@ -35,13 +35,7 @@ in
}
];
home = {
stateVersion = nixosConfig.system.stateVersion;
};
home.stateVersion = nixosConfig.system.stateVersion;
home.file = {
@ -63,7 +57,6 @@ in
};
home.packages = with pkgs; [
# dev
@ -109,7 +102,6 @@ in
];
programs = {
bash = {
@ -174,8 +166,14 @@ in
mutableKeys = false;
mutableTrust = false;
publicKeys = [
{ source = "${myGpgKey}"; trust = 5; }
{ source = "${archiveGpgKey}"; trust = 5; }
{
source = "${myGpgKey}";
trust = 5;
}
{
source = "${archiveGpgKey}";
trust = 5;
}
];
scdaemonSettings = {
disable-ccid = lib.mkIf nixosConfig.services.pcscd.enable true;
@ -400,7 +398,6 @@ in
};
services = {
gpg-agent = {
@ -428,7 +425,6 @@ in
# TODO improve fix permanently
systemd.user.services.syncthingtray.Service.ExecStartPre = "sleep 10";
# TODO does not work yet (current: manual config)
#accounts.email.accounts."Mailbox Personal" = {
# primary = true;
@ -456,10 +452,8 @@ in
# };
#};
# ======================================
# hotfix because GUI is managed on system level (fow now)
systemd.user.targets.tray = {
Unit = {
@ -470,19 +464,18 @@ in
# allow unfree limited
# TODO merge with nixos-modules/frontend/default.nix
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
# mpv plugins missing licenses
"evafast"
];
nixpkgs.config.allowUnfreePredicate =
pkg:
builtins.elem (lib.getName pkg) [
# mpv plugins missing licenses
"evafast"
];
# ZSH config
programs.zsh.enable = true;
programs.zsh.antidote = {
enable = true;
plugins = [
"djui/alias-tips"
];
plugins = [ "djui/alias-tips" ];
};
}

@ -1,14 +1,14 @@
{ config
, lib
, pkgs
, ...
{
config,
lib,
pkgs,
...
}:
let
cfg = config.hardware.graphics;
in
{
options = {
hardware.graphics = {
@ -23,44 +23,38 @@ in
};
config = lib.mkMerge [
{
assertions = [{
assertion = cfg.required -> cfg.amd.enable || cfg.intel.enable;
message = "'hardware.graphics.required' not fullfilled by any of 'hardware.graphics.*.enable'";
}];
assertions = [
{
assertion = cfg.required -> cfg.amd.enable || cfg.intel.enable;
message = "'hardware.graphics.required' not fullfilled by any of 'hardware.graphics.*.enable'";
}
];
}
(
# TODO replace with drivers
lib.mkIf
cfg.amd.enable
{
assertions = [{
assertion = !cfg.amd.enable;
message = "graphics module missing support for AMD drivers";
}];
}
lib.mkIf cfg.amd.enable {
assertions = lib.singleton {
assertion = !cfg.amd.enable;
message = "graphics module missing support for AMD drivers";
};
}
)
(
lib.mkIf
cfg.intel.enable
{
hardware.opengl = {
enable = true;
extraPackages = with pkgs; [
intel-media-driver
intel-media-sdk
libvdpau-va-gl
];
};
}
)
(lib.mkIf cfg.intel.enable {
hardware.opengl = {
enable = true;
extraPackages = with pkgs; [
intel-media-driver
intel-media-sdk
libvdpau-va-gl
];
};
})
];
}
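Review bot: The two assertion definitions in this mkMerge now use different forms — the first keeps a list literal (`assertions = [ { … } ];`) while the AMD branch was rewritten to `assertions = lib.singleton { … };` — and that singleton rewrite is a code change, not something nixfmt produces, so it sits oddly in a commit described as a reformat. Pick one form for both; the list literal is what the formatter emitted for the first block. Inside `lib.mkIf cfg.amd.enable` the expression `!cfg.amd.enable` is always false, so `assertion = false; # AMD driver setup not implemented yet` would state the intent more directly than negating the guard. The hardware.graphics option declarations this refers to start before the hunk.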

@ -1,9 +1,10 @@
# applicable to all hosts running on bare hardware
{ config
, lib
, pkgs
, ...
{
config,
lib,
pkgs,
...
}:
let
cfg = config.x-banananetwork.hwCommon;
@ -11,10 +12,8 @@ let
in
{
options = {
hardware.cpu = {
type = lib.mkOption {
@ -24,10 +23,12 @@ in
This setting is required when using generalizing options
like option{hardware.cpu.updateMicrocode}.
'';
type = with lib.types; nullOr (enum [
"amd"
"intel"
]);
type =
with lib.types;
nullOr (enum [
"amd"
"intel"
]);
# required
};
@ -40,7 +41,6 @@ in
};
x-banananetwork.hwCommon = {
enable = lib.mkEnableOption ''
@ -49,13 +49,10 @@ in
};
};
config = lib.mkIf cfg.enable {
assertions = [
{
assertion = cfg.enable -> !config.x-banananetwork.vmCommon.enable;
@ -63,7 +60,6 @@ in
}
];
boot = {
# TODO adapt better
@ -78,7 +74,6 @@ in
};
hardware = {
cpu = lib.mkMerge [
@ -87,9 +82,7 @@ in
(
let
type = config.hardware.cpu.type;
opts = isType: {
updateMicrocode = lib.mkDefault (isType && config.hardware.cpu.updateMicrocode);
};
opts = isType: { updateMicrocode = lib.mkDefault (isType && config.hardware.cpu.updateMicrocode); };
in
{
amd = opts (type == "amd");
@ -97,9 +90,7 @@ in
}
)
{
updateMicrocode = lib.mkDefault true;
}
{ updateMicrocode = lib.mkDefault true; }
];
@ -107,13 +98,11 @@ in
};
powerManagement = {
cpuFreqGovernor = "ondemand";
enable = true;
};
services = {
fwupd = {
@ -136,7 +125,6 @@ in
};
x-banananetwork = {
allCommon.enable = true;
@ -144,8 +132,6 @@ in
};
};
}

@ -1,22 +1,24 @@
{ config
, lib
, pkgs
, ...
{
config,
lib,
pkgs,
...
}:
let
cfg = config.x-banananetwork.improvedDefaults;
in
{
config = lib.mkIf cfg.enable (
let
nixI = config.programs.nix-index;
shellInt = builtins.any (x: x) (with nixI;
shellInt = builtins.any (x: x) (
with nixI;
[
enableBashIntegration
enableZshIntegration
]);
]
);
nixIclash = nixI.enable && shellInt;
in
{
@ -26,5 +28,4 @@ in
}
);
}

@ -1,14 +1,14 @@
{ config
, lib
, pkgs
, ...
{
config,
lib,
pkgs,
...
}:
let
cfg = config.x-banananetwork.improvedDefaults;
in
{
imports = [
./command-not-found.nix
./firefox.nix
@ -17,7 +17,6 @@ in
./wayland.nix
];
options = {
x-banananetwork.improvedDefaults = {
@ -35,5 +34,4 @@ in
};
}

@ -1,7 +1,8 @@
{ config
, lib
, pkgs
, ...
{
config,
lib,
pkgs,
...
}:
let
cfg = config.x-banananetwork.improvedDefaults;
@ -11,13 +12,11 @@ in
config = lib.mkIf (cfg.enable && fx.enable) {
# TODO only on touchscreen / wayland
environment.sessionVariables = {
MOZ_USE_XINPUT2 = "1";
};
programs.firefox = {
preferences = {
@ -30,7 +29,6 @@ in
};
};
}

@ -1,14 +1,14 @@
{ config
, lib
, pkgs
, ...
{
config,
lib,
pkgs,
...
}:
let
cfg = config.x-banananetwork.improvedDefaults;
in
{
config = lib.mkIf cfg.enable (
let
powertop = config.powerManagement.powertop;
@ -26,5 +26,4 @@ in
}
);
}

@ -1,7 +1,8 @@
{ config
, lib
, pkgs
, ...
{
config,
lib,
pkgs,
...
}:
let
myOpts = config.x-banananetwork;
@ -9,62 +10,66 @@ let
in
{
options = {
x-banananetwork.improvedDefaults = {
autoSshAuthorizeRoot = lib.mkEnableOption ''
automatically add option{x-banananetwork.sshPublicKeys} to roots authorized keys
and enable option{services.openssh.settings.PermitRootLogin}
if no other user has "wheel" power & SSH authorized keys defined.
autoSshAuthorizeRoot =
lib.mkEnableOption ''
automatically add option{x-banananetwork.sshPublicKeys} to roots authorized keys
and enable option{services.openssh.settings.PermitRootLogin}
if no other user has "wheel" power & SSH authorized keys defined.
Also, option{services.openssh.settings.PermitRootLogin} will be disabled
if this module does not require it.
'' // { default = true; };
Also, option{services.openssh.settings.PermitRootLogin} will be disabled
if this module does not require it.
''
// {
default = true;
};
};
};
config =
lib.mkIf
(lib.lists.all (x: x) [
cfg.enable
cfg.autoSshAuthorizeRoot
config.services.openssh.enable
])
(
let
inherit (lib.attrsets) attrValues filterAttrs;
inherit (lib.lists) any;
# variables
users = config.users.users;
wheelUsers = lib.trivial.pipe users [
(filterAttrs (n: v: n != "root"))
(filterAttrs (n: v: builtins.elem "wheel" v.extraGroups))
];
areKeysSet = authKeysOpts: any (x: true) (authKeysOpts.keys ++ authKeysOpts.keyFiles);
isUserAuthed = userOpts: areKeysSet userOpts.openssh.authorizedKeys;
# used facts
isNonRootAuthed = any isUserAuthed (attrValues wheelUsers);
isRootAuthed = isUserAuthed users."root";
doRootAuth = !isNonRootAuthed;
in
{
config = lib.mkIf
(lib.lists.all (x: x) [
cfg.enable
cfg.autoSshAuthorizeRoot
config.services.openssh.enable
])
(
let
inherit (lib.attrsets) attrValues filterAttrs;
inherit (lib.lists) any;
# variables
users = config.users.users;
wheelUsers = lib.trivial.pipe users [
(filterAttrs (n: v: n != "root"))
(filterAttrs (n: v: builtins.elem "wheel" v.extraGroups))
];
areKeysSet = authKeysOpts: any (x: true) (authKeysOpts.keys ++ authKeysOpts.keyFiles);
isUserAuthed = userOpts: areKeysSet userOpts.openssh.authorizedKeys;
# used facts
isNonRootAuthed = any isUserAuthed (attrValues wheelUsers);
isRootAuthed = isUserAuthed users."root";
doRootAuth = !isNonRootAuthed;
in
{
services.openssh.settings.PermitRootLogin = if isRootAuthed then true else lib.mkDefault false;
users.users.root.openssh.authorizedKeys.keys = lib.mkIf doRootAuth (lib.mkDefault myOpts.sshPublicKeys);
warnings = lib.mkIf doRootAuth [
''
roots authorized keys were automatically configured
because no other user with wheel permission has authorized keys configured
''
];
services.openssh.settings.PermitRootLogin = if isRootAuthed then true else lib.mkDefault false;
}
);
users.users.root.openssh.authorizedKeys.keys = lib.mkIf doRootAuth (
lib.mkDefault myOpts.sshPublicKeys
);
warnings = lib.mkIf doRootAuth [
''
roots authorized keys were automatically configured
because no other user with wheel permission has authorized keys configured
''
];
}
);
}

@ -1,14 +1,14 @@
{ config
, lib
, pkgs
, ...
{
config,
lib,
pkgs,
...
}:
let
cfg = config.x-banananetwork.improvedDefaults;
in
{
config = lib.mkIf cfg.enable (
let
prgs = config.programs;
@ -33,5 +33,4 @@ in
}
);
}

@ -2,10 +2,11 @@
# for me, most of them are defined in ../mySettings.nix
{ config
, lib
, pkgs
, ...
{
config,
lib,
pkgs,
...
}:
{

@ -3,10 +3,11 @@
lib,
pkgs,
...
}: let
}:
let
cfg = config.x-banananetwork.privacy;
in {
in
{
options = {
@ -26,22 +27,17 @@ in {
};
config = lib.mkIf cfg.enable {
boot.kernel.sysctl = {
"net.ipv6.conf.all.temp_prefered_lft" = 1* 60*60; # = 1h
"net.ipv6.conf.all.temp_valid_lft" = 21 *60*60; # = 21h
"net.ipv6.conf.all.temp_prefered_lft" = 1 * 60 * 60; # = 1h
"net.ipv6.conf.all.temp_valid_lft" = 21 * 60 * 60; # = 21h
};
networking = {
tempAddresses = "default";
};
};
}

@ -1,7 +1,8 @@
{ config
, lib
, pkgs
, ...
{
config,
lib,
pkgs,
...
}:
let
myOpts = config.x-banananetwork;
@ -9,7 +10,6 @@ let
in
{
options = {
x-banananetwork.secrix = {
@ -40,10 +40,8 @@ in
};
config = lib.mkIf cfg.enable {
assertions = [
{
assertion = config.secrix.hostPubKey != null;
@ -51,28 +49,22 @@ in
}
];
secrix =
let
findHostKey = keyType: lib.lists.findSingle
(key: key.type == keyType)
(abort "cannot find generated OpenSSH host key with type ${keyType}")
(abort "found multiple generated OpenSSH host keys with type ${keyType}")
config.services.openssh.hostKeys;
findHostKey =
keyType:
lib.lists.findSingle (key: key.type == keyType)
(abort "cannot find generated OpenSSH host key with type ${keyType}")
(abort "found multiple generated OpenSSH host keys with type ${keyType}")
config.services.openssh.hostKeys;
hostKeyPrivate = (findHostKey cfg.hostKeyType).path;
in
{
defaultEncryptKeys."${myOpts.userName}" = myOpts.sshPublicKeys;
hostIdentityFile = lib.mkIf (cfg.hostKeyType != null) (lib.mkDefault hostKeyPrivate);
hostPubKey = myOpts.sshHostPublicKey;
};
};
}

@ -1,14 +1,14 @@
{ config
, lib
, pkgs
, ...
{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.openssh;
in
{
options = {
services.openssh.authorizedKeysOnly = lib.mkEnableOption ''
@ -17,7 +17,6 @@ in
};
config = lib.mkIf cfg.enable {
services.openssh = {
@ -29,9 +28,6 @@ in
};
# TODO add tests
}

@ -1,14 +1,14 @@
{ config
, lib
, pkgs
, ...
{
config,
lib,
pkgs,
...
}:
let
cfg = config.x-banananetwork.useable;
in
{
options = {
x-banananetwork.useable = {
@ -23,10 +23,8 @@ in
};
config = lib.mkIf cfg.enable {
documentation = {
enable = true;
@ -54,39 +52,39 @@ in
};
environment.systemPackages = with pkgs; let
inherit (lib.lists) flatten optional optionals;
in
flatten [
(optional (config.services.hardware.bolt.enable && config.services.desktopManager.plasma6.enable) kdePackages.plasma-thunderbolt) # TODO upstream
(optionals config.hardware.graphics.amd.enable [
nvtopPackages.amd
])
(optionals config.hardware.graphics.intel.enable [
intel-gpu-tools
nvtopPackages.intel
])
bat
batmon # TODO only on systems wich batteries
jq # JSON
manix
massren
nethogs
reptyr
pciutils
psitop
pv
unixtools.xxd
up # ultimate plumber
usbtop
usbutils
];
environment.systemPackages =
with pkgs;
let
inherit (lib.lists) flatten optional optionals;
in
flatten [
(optional (
config.services.hardware.bolt.enable && config.services.desktopManager.plasma6.enable
) kdePackages.plasma-thunderbolt) # TODO upstream
(optionals config.hardware.graphics.amd.enable [ nvtopPackages.amd ])
(optionals config.hardware.graphics.intel.enable [
intel-gpu-tools
nvtopPackages.intel
])
bat
batmon # TODO only on systems wich batteries
jq # JSON
manix
massren
nethogs
reptyr
pciutils
psitop
pv
unixtools.xxd
up # ultimate plumber
usbtop
usbutils
];
programs = {
@ -101,7 +99,7 @@ in
alias = {
lg1 = "log --graph --abbrev-commit --decorate --format=format:'%C(bold blue)%h%C(reset) - %C(bold green)(%ar)%C(reset) %C(white)%s%C(reset) %C(dim white)- %an%C(reset)%C(bold yellow)%d%C(reset)' --all";
lg2 = "log --graph --abbrev-commit --decorate --format=format:'%C(bold blue)%h%C(reset) - %C(bold cyan)%aD%C(reset) %C(bold green)(%ar)%C(reset)%C(bold yellow)%d%C(reset)%n'' %C(white)%s%C(reset) %C(dim white)- %an%C(reset)' --all";
lg = ''!"git lg1"'';
lg = ''!git lg1'';
};
core = {
autocrlf = "input";
@ -172,7 +170,6 @@ in
};
x-banananetwork = {
allCommon.enable = true;
@ -180,12 +177,9 @@ in
};
# TODO withlist:
# - update tmuxPlugins.sensible in nixpkgs (e.g. https://github.com/NixOS/nixpkgs/pull/272954)
};
}
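Review bot: The git alias edit `lg = ''!git lg1'';` is a behavioural fix, not a reformat: in the old value `!"git lg1"` the shell that git uses for `!` aliases would, as far as I can tell, treat the quoted text as a single word and look for an executable literally named `git lg1`, so the alias could not have worked. It should be mentioned in the commit message or split into its own commit so it is not buried in whitespace churn. A short comment such as `# shell alias: runs the lg1 alias above via sh` next to it would also help, since `!` aliases are executed by the shell rather than by git itself. The programs block this alias belongs to starts before the hunk.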

@ -1,9 +1,10 @@
# applicable to all service VMs running on a hypervisor (currently Proxmox/QEMU assumed)
{ config
, lib
, pkgs
, ...
{
config,
lib,
pkgs,
...
}:
let
cfg = config.x-banananetwork.vmCommon;
@ -33,10 +34,8 @@ let
in
{
options = {
x-banananetwork.vmCommon = {
enable = lib.mkEnableOption ''
@ -45,188 +44,167 @@ in
};
};
config = lib.mkIf cfg.enable (
lib.mkMerge [
config = lib.mkIf cfg.enable (lib.mkMerge [
{
# timing-related options
# - ordered by chronological order
{
system.autoUpgrade = {
rebootWindow.lower = "01:00";
dates = "01:00";
randomizedDelaySec = "45min";
rebootWindow.upper = "04:00";
};
# timing-related options
# - ordered by chronological order
nix.gc = {
# could take longer
dates = "04:15";
randomizedDelaySec = "30min";
};
nix.optimise = {
# should not take long because of auto-optimise-store
dates = "05:30";
};
system.autoUpgrade = {
rebootWindow.lower = "01:00";
dates = "01:00";
randomizedDelaySec = "45min";
rebootWindow.upper = "04:00";
};
}
nix.gc = {
# could take longer
dates = "04:15";
randomizedDelaySec = "30min";
};
nix.optimise = {
# should not take long because of auto-optimise-store
dates = "05:30";
};
{
}
# all other options
{
# all other options
boot = {
boot = {
kernelParams = "console=ttyS0,115200";
kernelParams = "console=ttyS0,115200";
loader = {
efi.canTouchEfiVariables = true;
grub.enable = false;
systemd-boot = {
enable = true;
configurationLimit = 16;
editor = true; # access to VM console/KVM should be locked
loader = {
efi.canTouchEfiVariables = true;
grub.enable = false;
systemd-boot = {
enable = true;
configurationLimit = 16;
editor = true; # access to VM console/KVM should be locked
};
};
};
};
};
console.keyMap = "de";
console.keyMap = "de";
# for fast debugging of systems, keep small
environment.systemPackages = [ resize ];
# for fast debugging of systems, keep small
environment.systemPackages = [
resize
];
networking = {
firewall = {
logRefusedConnections = false;
# TODO
};
networking = {
useDHCP = true;
useNetworkd = lib.mkDefault false;
usePredictableInterfaceNames = true;
firewall = {
logRefusedConnections = false;
# TODO
};
useDHCP = true;
useNetworkd = lib.mkDefault false;
usePredictableInterfaceNames = true;
nix = {
};
nix = {
gc = {
automatic = true;
options = "--delete-older-than 30d";
};
gc = {
automatic = true;
options = "--delete-older-than 30d";
};
optimise = {
automatic = true;
};
optimise = {
automatic = true;
};
settings = {
max-free = lib.mkDefault (3 * 1024 * 1024 * 1024);
min-free = lib.mkDefault (512 * 1024 * 1024);
};
settings = {
max-free = lib.mkDefault (3 * 1024 * 1024 * 1024);
min-free = lib.mkDefault (512 * 1024 * 1024);
};
};
security = {
security = {
apparmor.enable = true;
apparmor.enable = true;
lockKernelModules = true; # after boot loading not required on VMs
lockKernelModules = true; # after boot loading not required on VMs
sudo = {
enable = true;
execWheelOnly = lib.mkDefault true;
extraConfig = ''
Defaults lecture = never
'';
};
sudo = {
enable = true;
execWheelOnly = lib.mkDefault true;
extraConfig = ''
Defaults lecture = never
'';
};
};
services = {
qemuGuest.enable = true;
openssh = {
enable = true;
authorizedKeysInHomedir = false;
authorizedKeysOnly = true;
openFirewall = true;
};
services = {
};
qemuGuest.enable = true;
sound.enable = false;
openssh = {
system.autoUpgrade = {
enable = true;
authorizedKeysInHomedir = false;
authorizedKeysOnly = true;
openFirewall = true;
allowReboot = true;
fixedRandomDelay = true;
flags = [
"--no-allow-dirty"
"--no-use-registries"
"--no-update-lock-file"
];
flake = lib.mkDefault "git+https://git.bananet.work/banananetwork/server"; # ===SYNC:general/meta/repo/url===
operation = "boot"; # change only on reboots
};
};
sound.enable = false;
system.autoUpgrade = {
enable = true;
allowReboot = true;
fixedRandomDelay = true;
flags = [
"--no-allow-dirty"
"--no-use-registries"
"--no-update-lock-file"
];
flake = lib.mkDefault "git+https://git.bananet.work/banananetwork/server"; #===SYNC:general/meta/repo/url===
operation = "boot"; # change only on reboots
};
systemd.services."serial-getty@".environment.TERM = "xterm-256color";
systemd.services."serial-getty@".environment.TERM = "xterm-256color";
time.hardwareClockInLocalTime = false; # just to make sure
time.hardwareClockInLocalTime = false; # just to make sure
x-banananetwork = {
allCommon.enable = true;
debugMinimal.enable = true;
# TODO think about
#privacy.enable = true;
x-banananetwork = {
allCommon.enable = true;
debugMinimal.enable = true;
# TODO think about
#privacy.enable = true;
};
# TODO disko config, see https://github.com/nix-community/disko/blob/master/docs/INDEX.md
# TODO wishlist items (in prio order):
# - ntfy.sh as mailer
# own script
# or e.g. https://stetsed.xyz/posts/email-notifications-with-ntfy-and-mailrise/
# & connect to: journalwatch, smartd
# - add support for automatic boot assessment (will be added to 24.11)
# - programs.atop.enable = true
# - think about zramSwap
# - NixOS test: ssh-audit
# - networking.useNetworkd
# - networking.tcpcrypt
# environment.loginShellInit = "${resize}/bin/resize"; (see https://github.com/nix-community/srvos/blob/main/nixos/common/serial.nix)
}
]);
};
# TODO disko config, see https://github.com/nix-community/disko/blob/master/docs/INDEX.md
# TODO wishlist items (in prio order):
# - ntfy.sh as mailer
# own script
# or e.g. https://stetsed.xyz/posts/email-notifications-with-ntfy-and-mailrise/
# & connect to: journalwatch, smartd
# - add support for automatic boot assessment (will be added to 24.11)
# - programs.atop.enable = true
# - think about zramSwap
# - NixOS test: ssh-audit
# - networking.useNetworkd
# - networking.tcpcrypt
# environment.loginShellInit = "${resize}/bin/resize"; (see https://github.com/nix-community/srvos/blob/main/nixos/common/serial.nix)
}
]
);
}

@ -1,7 +1,4 @@
{ inputs, outputs, ... }@args:
{
inputs,
outputs,
...
}@args: {
}
