diff --git a/flake.nix b/flake.nix index da05e32..d6d7185 100644 --- a/flake.nix +++ b/flake.nix @@ -1,7 +1,6 @@ { description = "banananet.work Server & Deployment Controller environment"; - inputs = { # packages repositories @@ -26,11 +25,13 @@ }; - - outputs = { self, ... }@inputs: + outputs = + { self, ... }@inputs: let inherit (self) outputs; - flakeArg = { inherit self inputs outputs; }; + flakeArg = { + inherit self inputs outputs; + }; # constants system = "x86_64-linux"; # package repositories @@ -39,28 +40,29 @@ in { - # shortcut to fully configured secrix apps.x86_64-linux.secrix = inputs.secrix.secrix self; - nixosConfigurations = let - nixosSystem = { modules, system }: inputs.nixpkgs.lib.nixosSystem { - modules = [ - outputs.nixosModules.myOptions - outputs.nixosModules.withDepends - ] ++ modules; - specialArgs = { - flake = flakeArg; + nixosSystem = + { modules, system }: + inputs.nixpkgs.lib.nixosSystem { + modules = [ + outputs.nixosModules.myOptions + outputs.nixosModules.withDepends + ] ++ modules; + specialArgs = { + flake = flakeArg; + }; + inherit system; }; - inherit system; - }; in { "x13yz" = nixosSystem { modules = [ + { nixpkgs.overlays = [ (final: prev: { nixfmt-rfc-style = pkgs_unstable.nixfmt-rfc-style; }) ]; } { # TODO check if required & hide into modules boot = { @@ -70,13 +72,9 @@ "rtsx_pci_sdmmc" "xhci_pci" ]; - kernelModules = [ - "dm-snapshot" - ]; + kernelModules = [ "dm-snapshot" ]; }; - kernelModules = [ - "kvm-intel" - ]; + kernelModules = [ "kvm-intel" ]; }; } inputs.nixos-hardware.nixosModules.lenovo-thinkpad-x13-yoga 
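Review bot: The new `nixpkgs.overlays` entry in the `x13yz` module list replaces `nixfmt-rfc-style` system-wide with the build from `pkgs_unstable`, so one package on a host is evaluated against a different nixpkgs input than everything else and drags part of the unstable closure (its stdenv and dependencies) into the system; it also sits directly above a `TODO check if required & hide into modules` block, which suggests host-local tweaks are meant to live elsewhere. If the formatter is only needed for working on this repository, the `devShells` default further down already uses `pkgs = pkgs_unstable`, so adding `nixfmt-rfc-style` to its `packages` list leaves the host closure untouched. If it really has to be on the host, a one-line comment on the overlay such as `# nixfmt-rfc-style from unstable: <reason>` would tell the next reader why the channel mix is intended.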
@@ -96,14 +94,22 @@ fileSystems."/" = { device = "/dev/disk/by-uuid/c93557db-e7c5-46ef-9cd8-87eb7c5753dc"; fsType = "ext4"; - options = [ "relatime" "discard" ]; + options = [ + "relatime" + "discard" + ]; }; fileSystems."/boot" = { device = "/dev/disk/by-uuid/5F9A-9A2D"; fsType = "vfat"; - options = [ "uid=0" "gid=0" "fmask=0077" "dmask=0077" ]; + options = [ + "uid=0" + "gid=0" + "fmask=0077" + "dmask=0077" + ]; }; - swapDevices = [{ device = "/dev/disk/by-uuid/8482463b-ceb3-40b3-abef-b49df2de88e5"; }]; + swapDevices = [ { device = "/dev/disk/by-uuid/8482463b-ceb3-40b3-abef-b49df2de88e5"; } ]; system.stateVersion = "24.05"; x-banananetwork.sshHostPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG71dtqG/c0AiFBN9OxoLD35TDQm3m8LXj/BQw60PE0h"; } @@ -121,7 +127,6 @@ }; - nixosModules = { # this one includes all of my modules @@ -146,21 +151,18 @@ }; - devShells."${system}".default = let pkgs = pkgs_unstable; in - pkgs.mkShell - { - packages = with pkgs; [ - curl - rsync - opentofu - terranix - ]; - }; - + pkgs.mkShell { + packages = with pkgs; [ + curl + rsync + opentofu + terranix + ]; + }; }; } diff --git a/nix/home-manager-modules/frontend/base.nix b/nix/home-manager-modules/frontend/base.nix index f5fc1bb..c02bf31 100644 --- a/nix/home-manager-modules/frontend/base.nix +++ b/nix/home-manager-modules/frontend/base.nix @@ -1,9 +1,10 @@ # this stuff replaces all settings which would be configured by the corresponding frontend NixOS module -{ config -, lib -, pkgs -, ... +{ + config, + lib, + pkgs, + ... }: let cfg = config.x-banananetwork.frontend; diff --git a/nix/home-manager-modules/frontend/default.nix b/nix/home-manager-modules/frontend/default.nix index 64e4c3b..d1a1616 100644 --- a/nix/home-manager-modules/frontend/default.nix +++ b/nix/home-manager-modules/frontend/default.nix @@ -1,17 +1,17 @@ -{ config -, lib -, pkgs -, ... - -}: { +{ + config, + lib, + pkgs, + ... +}: +{ imports = [ ./base.nix ./extension.nix ]; - options = { x-banananetwork.frontend = { 
@@ -31,5 +31,4 @@ }; - } diff --git a/nix/home-manager-modules/frontend/extension.nix b/nix/home-manager-modules/frontend/extension.nix index ff725ed..ba1bd71 100644 --- a/nix/home-manager-modules/frontend/extension.nix +++ b/nix/home-manager-modules/frontend/extension.nix @@ -1,7 +1,9 @@ # this stuff must all be compatible to settings already configured by the corresponding frontend NixOS module -{ config -, lib -, pkgs -, ... -}: { } +{ + config, + lib, + pkgs, + ... +}: +{ } diff --git a/nix/myOptions.nix b/nix/myOptions.nix index 7d33c47..e541141 100644 --- a/nix/myOptions.nix +++ b/nix/myOptions.nix @@ -1,23 +1,20 @@ # configures options only really useable for me - -{ config -, lib -, pkgs -, ... +{ + config, + lib, + pkgs, + ... }: let myOpts = config.x-banananetwork; in { - config = { - x-banananetwork = { - # options defined in nixos-modules/options.nix sshPublicKeys = [ @@ -30,18 +27,14 @@ in userName = "zocker"; - # defaults for other modules, derived from them above frontend = { username = myOpts.userName; }; - }; - }; - } diff --git a/nix/nixos-modules/allCommon.nix b/nix/nixos-modules/allCommon.nix index 69a29b4..b613f0e 100644 --- a/nix/nixos-modules/allCommon.nix +++ b/nix/nixos-modules/allCommon.nix @@ -1,18 +1,18 @@ # applies to all of my machines # examples: PCs, laptops, VMs, hypervisors, ... -{ config -, lib -, options -, pkgs -, ... +{ + config, + lib, + options, + pkgs, + ... }: let cfg = config.x-banananetwork.allCommon; in { - options = { x-banananetwork.allCommon = { @@ -28,10 +28,8 @@ in }; - config = lib.mkIf cfg.enable { - assertions = [ ( let @@ -44,7 +42,6 @@ in ) ]; - documentation = { man.mandoc.settings.output = { @@ -53,7 +50,6 @@ in }; - i18n = { # inspired by https://wiki.archlinux.org/title/Locale defaultLocale = lib.mkDefault "en_US.UTF-8"; @@ -67,7 +63,6 @@ in }; }; - nix = { channel.enable = false; 
@@ -86,12 +81,8 @@ in "flakes" "nix-command" ]; - hashed-mirrors = [ - "https://tarballs.nixos.org/" - ]; - trusted-users = [ - "root" - ]; + hashed-mirrors = [ "https://tarballs.nixos.org/" ]; + trusted-users = [ "root" ]; }; }; @@ -99,7 +90,6 @@ in OOMScoreAdjust = lib.mkDefault 250; }; - # well-known public keys programs.ssh = { hostKeyAlgorithms = [ @@ -114,7 +104,6 @@ in }; }; - security = { pki = { @@ -155,7 +144,6 @@ in }; - system.activationScripts.diff = { supportsDryActivation = true; text = '' @@ -173,26 +161,19 @@ in ${pkgs.shellcheck}/bin/shellcheck --check-sourced --external-sources --norc --severity=warning $out/activate $out/dry-activate ''; - time = { hardwareClockInLocalTime = lib.mkDefault false; timeZone = lib.mkDefault "Etc/UTC"; }; - x-banananetwork = { - improvedDefaults.enable = true; - secrix = { enable = true; hostKeyType = "ed25519"; }; - }; - }; - } diff --git a/nix/nixos-modules/autoUnfree.nix b/nix/nixos-modules/autoUnfree.nix index c0db1e5..8b6a28d 100644 --- a/nix/nixos-modules/autoUnfree.nix +++ b/nix/nixos-modules/autoUnfree.nix @@ -1,14 +1,14 @@ -{ config -, lib -, pkgs -, ... +{ + config, + lib, + pkgs, + ... }: let cfg = config.x-banananetwork.autoUnfree; in { - options = { x-banananetwork.autoUnfree = { @@ -59,20 +59,16 @@ in }; - config = lib.mkIf cfg.enable { - nixpkgs.config = { allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) (map lib.getName cfg.packages); }; - # TODO add alternative for allowUnfreePredicate for users - x-banananetwork.autoUnfree.packages = let inherit (lib.lists) flatten optional optionals; @@ -97,8 +93,6 @@ in ])) ]; - }; - } diff --git a/nix/nixos-modules/debugMinimal.nix b/nix/nixos-modules/debugMinimal.nix index 2d715d5..3c7b759 100644 --- a/nix/nixos-modules/debugMinimal.nix +++ b/nix/nixos-modules/debugMinimal.nix 
@@ -1,14 +1,14 @@ -{ config -, lib -, pkgs -, ... +{ + config, + lib, + pkgs, + ... }: let cfg = config.x-banananetwork.debugMinimal; in { - options = { x-banananetwork.debugMinimal = { @@ -21,10 +21,8 @@ in }; - config = lib.mkIf cfg.enable { - programs = { bash = { @@ -85,8 +83,6 @@ in }; - }; - } diff --git a/nix/nixos-modules/frontend/default.nix b/nix/nixos-modules/frontend/default.nix index 96f5033..d3020e7 100644 --- a/nix/nixos-modules/frontend/default.nix +++ b/nix/nixos-modules/frontend/default.nix @@ -1,14 +1,14 @@ -{ config -, lib -, pkgs -, ... +{ + config, + lib, + pkgs, + ... }: let cfg = config.x-banananetwork.frontend; in { - options = { x-banananetwork.frontend = { @@ -27,21 +27,14 @@ in }; - config = lib.mkIf cfg.enable { - # TODO copy modem-manager overlay (for now) - - # NixOS configuration - - console = { useXkbConfig = true; }; - environment = { pathsToLink = [ @@ -54,7 +47,6 @@ in }; - hardware = { bluetooth = { @@ -75,7 +67,6 @@ in }; - home-manager = { useGlobalPkgs = true; @@ -88,13 +79,12 @@ in }; - networking = { firewall = { - trustedInterfaces = with lib.lists; flatten [ - (optional config.services.tailscale.enable "tailscale0") - ]; + trustedInterfaces = + with lib.lists; + flatten [ (optional config.services.tailscale.enable "tailscale0") ]; }; networkmanager.enable = true; @@ -103,12 +93,10 @@ in }; - nix.settings = { builders-use-substitutes = lib.mkDefault true; }; - programs = { captive-browser = { @@ -222,6 +210,7 @@ in PopupBlocking = { Allow = [ "https://app.roll20.net" + # placeholder for more ]; Default = true; Locked = true; @@ -353,14 +342,12 @@ in }; - security = { rtkit.enable = lib.mkIf config.services.pipewire.enable true; }; - services = { desktopManager.plasma6 = { 
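Review bot: `trustedInterfaces` now lists `tailscale0` whenever Tailscale is enabled, which exempts every tailnet peer from the host firewall on all ports, not only the ports the frontend actually serves; the reflow in the `networking.firewall` hunk keeps that behaviour unchanged. If the intent is to reach a few services over the tailnet, `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ ... ];` grants exactly those, and Tailscale ACLs can further restrict which peers may connect. At minimum a comment such as `# every tailnet peer bypasses the firewall on all ports` next to the `flatten` call would make the trade-off explicit. The enclosing `networking` attribute set continues outside the hunk.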
@@ -445,36 +432,38 @@ in }; - users = { users."${cfg.username}" = { description = "${cfg.username}"; - extraGroups = with lib.lists; flatten [ - (optional config.networking.networkmanager.enable "networkmanger") - "wheel" - ]; + extraGroups = + with lib.lists; + flatten [ + (optional config.networking.networkmanager.enable "networkmanger") + "wheel" + ]; isNormalUser = true; openssh.authorizedKeys.keys = config.x-banananetwork.sshPublicKeys; - packages = with pkgs; lib.lists.flatten [ - kdePackages.kate - (lib.lists.optional cfg.convertable [ - maliit-keyboard # on-screen keyboard (should just work, see https://discuss.kde.org/t/how-to-enable-virtual-keyboard-included-in-kde/264/2) - ]) - ]; + packages = + with pkgs; + lib.lists.flatten [ + kdePackages.kate + (lib.lists.optional cfg.convertable [ + maliit-keyboard # on-screen keyboard (should just work, see https://discuss.kde.org/t/how-to-enable-virtual-keyboard-included-in-kde/264/2) + ]) + ]; }; }; - x-banananetwork = { allCommon.enable = true; autoUnfree = { enable = true; - # TODO merge with nixos-modules/frontend/home.nix packages = with pkgs.mpvScripts; [ + # TODO merge with nixos-modules/frontend/home.nix evafast ]; }; @@ -485,7 +474,6 @@ in }; - # TODO wishlist: # - enable & disable touch keyboard automatically based on convertable status # - https://github.com/cynicsketch/nix-mineral (NixOS hardening) @@ -493,8 +481,6 @@ in # - programs.autojump # - programs.yubikey-touch-detector - }; - } diff --git a/nix/nixos-modules/frontend/home.nix b/nix/nixos-modules/frontend/home.nix index b8c3716..d87ffc5 100644 --- a/nix/nixos-modules/frontend/home.nix +++ b/nix/nixos-modules/frontend/home.nix @@ -1,8 +1,9 @@ -{ nixosConfig -, config -, lib -, pkgs -, ... +{ + nixosConfig, + config, + lib, + pkgs, + ... }: let @@ -17,7 +18,6 @@ let in { - # TODO exclude in own home-manager module assertions = let 
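Review bot: `(optional config.networking.networkmanager.enable "networkmanger")` in the `extraGroups` list carries a typo in the group name — NixOS creates the group `networkmanager` — so the user is added to a group that does not exist and never gets the intended NetworkManager rights. The reflowed line should read `(optional config.networking.networkmanager.enable "networkmanager")`. Because `extraGroups` refers to groups by name, I would not rely on evaluation to catch this; an assertion that every entry in `extraGroups` exists in `config.users.groups` would catch this class of mistake for the whole module.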
@@ -35,13 +35,7 @@ in } ]; - - home = { - - stateVersion = nixosConfig.system.stateVersion; - - }; - + home.stateVersion = nixosConfig.system.stateVersion; home.file = { @@ -63,7 +57,6 @@ in }; - home.packages = with pkgs; [ # dev @@ -109,7 +102,6 @@ in ]; - programs = { bash = { @@ -174,8 +166,14 @@ in mutableKeys = false; mutableTrust = false; publicKeys = [ - { source = "${myGpgKey}"; trust = 5; } - { source = "${archiveGpgKey}"; trust = 5; } + { + source = "${myGpgKey}"; + trust = 5; + } + { + source = "${archiveGpgKey}"; + trust = 5; + } ]; scdaemonSettings = { disable-ccid = lib.mkIf nixosConfig.services.pcscd.enable true; @@ -400,7 +398,6 @@ in }; - services = { gpg-agent = { @@ -428,7 +425,6 @@ in # TODO improve fix permanently systemd.user.services.syncthingtray.Service.ExecStartPre = "sleep 10"; - # TODO does not work yet (current: manual config) #accounts.email.accounts."Mailbox Personal" = { # primary = true; @@ -456,10 +452,8 @@ in # }; #}; - # ====================================== - # hotfix because GUI is managed on system level (fow now) systemd.user.targets.tray = { Unit = { @@ -470,19 +464,18 @@ in # allow unfree limited # TODO merge with nixos-modules/frontend/default.nix - nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ - # mpv plugins missing licenses - "evafast" - ]; - + nixpkgs.config.allowUnfreePredicate = + pkg: + builtins.elem (lib.getName pkg) [ + # mpv plugins missing licenses + "evafast" + ]; # ZSH config programs.zsh.enable = true; programs.zsh.antidote = { enable = true; - plugins = [ - "djui/alias-tips" - ]; + plugins = [ "djui/alias-tips" ]; }; } diff --git a/nix/nixos-modules/graphics.nix b/nix/nixos-modules/graphics.nix index 33dc7d9..9366307 100644 --- a/nix/nixos-modules/graphics.nix +++ b/nix/nixos-modules/graphics.nix @@ -1,14 +1,14 @@ -{ config -, lib -, pkgs -, ... +{ + config, + lib, + pkgs, + ... }: let cfg = config.hardware.graphics; in { - options = { hardware.graphics = { 
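Review bot: Both entries in the `publicKeys` list are imported with `trust = 5`, GnuPG's "ultimate" level, which is reserved for keys the user controls — signatures made by such a key are accepted as if they were the user's own. If `archiveGpgKey` is a third-party archive signing key (its definition is outside the hunk), `trust = 4` (full) is the level that matches that role while still validating its signatures. A one-line comment per entry saying whose key it is and why that trust level applies, e.g. `# own key: ultimate trust`, would document the decision next to `mutableTrust = false`, which otherwise freezes the choice without explanation.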
@@ -23,44 +23,38 @@ in }; - config = lib.mkMerge [ { - assertions = [{ - assertion = cfg.required -> cfg.amd.enable || cfg.intel.enable; - message = "'hardware.graphics.required' not fullfilled by any of 'hardware.graphics.*.enable'"; - }]; + assertions = [ + { + assertion = cfg.required -> cfg.amd.enable || cfg.intel.enable; + message = "'hardware.graphics.required' not fullfilled by any of 'hardware.graphics.*.enable'"; + } + ]; } ( # TODO replace with drivers - lib.mkIf - cfg.amd.enable - { - assertions = [{ - assertion = !cfg.amd.enable; - message = "graphics module missing support for AMD drivers"; - }]; - } + lib.mkIf cfg.amd.enable { + assertions = lib.singleton { + assertion = !cfg.amd.enable; + message = "graphics module missing support for AMD drivers"; + }; + } ) - ( - lib.mkIf - cfg.intel.enable - { - hardware.opengl = { - enable = true; - extraPackages = with pkgs; [ - intel-media-driver - intel-media-sdk - libvdpau-va-gl - ]; - }; - } - ) + (lib.mkIf cfg.intel.enable { + hardware.opengl = { + enable = true; + extraPackages = with pkgs; [ + intel-media-driver + intel-media-sdk + libvdpau-va-gl + ]; + }; + }) ]; - } diff --git a/nix/nixos-modules/hwCommon.nix b/nix/nixos-modules/hwCommon.nix index 5d0dd24..00763cb 100644 --- a/nix/nixos-modules/hwCommon.nix +++ b/nix/nixos-modules/hwCommon.nix @@ -1,9 +1,10 @@ # applicable to all hosts running on bare hardware -{ config -, lib -, pkgs -, ... +{ + config, + lib, + pkgs, + ... }: let cfg = config.x-banananetwork.hwCommon; @@ -11,10 +12,8 @@ let in { - options = { - hardware.cpu = { type = lib.mkOption { @@ -24,10 +23,12 @@ in This setting is required when using generalizing options like option{hardware.cpu.updateMicrocode}. ''; - type = with lib.types; nullOr (enum [ - "amd" - "intel" - ]); + type = + with lib.types; + nullOr (enum [ + "amd" + "intel" + ]); # required }; @@ -40,7 +41,6 @@ in }; - x-banananetwork.hwCommon = { enable = lib.mkEnableOption '' 
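Review bot: The reflow leaves the two assertion blocks in this `lib.mkMerge` list in different styles — the first entry keeps a literal `assertions = [ { ... } ]` while the AMD branch was rewritten to `assertions = lib.singleton { ... };` — so pick one form; the literal list is what `hwCommon.nix` and `secrix.nix` in this same commit use. The AMD branch is also an assertion that always fails once `cfg.amd.enable` is set, which is clearly the intended placeholder behind the `# TODO replace with drivers` comment, but a line such as `# intentionally fails: AMD driver support not implemented yet` directly above `assertion = !cfg.amd.enable;` would stop a reader from reporting it as a bug. The `config = lib.mkMerge [` list closes within the hunk.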
@@ -49,13 +49,10 @@ in }; - }; - config = lib.mkIf cfg.enable { - assertions = [ { assertion = cfg.enable -> !config.x-banananetwork.vmCommon.enable; @@ -63,7 +60,6 @@ in } ]; - boot = { # TODO adapt better @@ -78,7 +74,6 @@ in }; - hardware = { cpu = lib.mkMerge [ @@ -87,9 +82,7 @@ in ( let type = config.hardware.cpu.type; - opts = isType: { - updateMicrocode = lib.mkDefault (isType && config.hardware.cpu.updateMicrocode); - }; + opts = isType: { updateMicrocode = lib.mkDefault (isType && config.hardware.cpu.updateMicrocode); }; in { amd = opts (type == "amd"); @@ -97,9 +90,7 @@ in } ) - { - updateMicrocode = lib.mkDefault true; - } + { updateMicrocode = lib.mkDefault true; } ]; @@ -107,13 +98,11 @@ in }; - powerManagement = { cpuFreqGovernor = "ondemand"; enable = true; }; - services = { fwupd = { @@ -136,7 +125,6 @@ in }; - x-banananetwork = { allCommon.enable = true; @@ -144,8 +132,6 @@ in }; - }; - } diff --git a/nix/nixos-modules/improvedDefaults/command-not-found.nix b/nix/nixos-modules/improvedDefaults/command-not-found.nix index 25817bc..e1c50e3 100644 --- a/nix/nixos-modules/improvedDefaults/command-not-found.nix +++ b/nix/nixos-modules/improvedDefaults/command-not-found.nix @@ -1,22 +1,24 @@ -{ config -, lib -, pkgs -, ... +{ + config, + lib, + pkgs, + ... }: let cfg = config.x-banananetwork.improvedDefaults; in { - config = lib.mkIf cfg.enable ( let nixI = config.programs.nix-index; - shellInt = builtins.any (x: x) (with nixI; + shellInt = builtins.any (x: x) ( + with nixI; [ enableBashIntegration enableZshIntegration - ]); + ] + ); nixIclash = nixI.enable && shellInt; in { @@ -26,5 +28,4 @@ in } ); - } diff --git a/nix/nixos-modules/improvedDefaults/default.nix b/nix/nixos-modules/improvedDefaults/default.nix index 56c694e..0263957 100644 --- a/nix/nixos-modules/improvedDefaults/default.nix +++ b/nix/nixos-modules/improvedDefaults/default.nix 
@@ -1,14 +1,14 @@ -{ config -, lib -, pkgs -, ... +{ + config, + lib, + pkgs, + ... }: let cfg = config.x-banananetwork.improvedDefaults; in { - imports = [ ./command-not-found.nix ./firefox.nix @@ -17,7 +17,6 @@ in ./wayland.nix ]; - options = { x-banananetwork.improvedDefaults = { @@ -35,5 +34,4 @@ in }; - } diff --git a/nix/nixos-modules/improvedDefaults/firefox.nix b/nix/nixos-modules/improvedDefaults/firefox.nix index 265a600..a99027f 100644 --- a/nix/nixos-modules/improvedDefaults/firefox.nix +++ b/nix/nixos-modules/improvedDefaults/firefox.nix @@ -1,7 +1,8 @@ -{ config -, lib -, pkgs -, ... +{ + config, + lib, + pkgs, + ... }: let cfg = config.x-banananetwork.improvedDefaults; @@ -11,13 +12,11 @@ in config = lib.mkIf (cfg.enable && fx.enable) { - # TODO only on touchscreen / wayland environment.sessionVariables = { MOZ_USE_XINPUT2 = "1"; }; - programs.firefox = { preferences = { @@ -30,7 +29,6 @@ in }; - }; } diff --git a/nix/nixos-modules/improvedDefaults/powertop-tlp.nix b/nix/nixos-modules/improvedDefaults/powertop-tlp.nix index 08bd116..2a3cd3e 100644 --- a/nix/nixos-modules/improvedDefaults/powertop-tlp.nix +++ b/nix/nixos-modules/improvedDefaults/powertop-tlp.nix @@ -1,14 +1,14 @@ -{ config -, lib -, pkgs -, ... +{ + config, + lib, + pkgs, + ... }: let cfg = config.x-banananetwork.improvedDefaults; in { - config = lib.mkIf cfg.enable ( let powertop = config.powerManagement.powertop; @@ -26,5 +26,4 @@ in } ); - } diff --git a/nix/nixos-modules/improvedDefaults/sshAuthorize.nix b/nix/nixos-modules/improvedDefaults/sshAuthorize.nix index b32b2f9..f529fbc 100644 --- a/nix/nixos-modules/improvedDefaults/sshAuthorize.nix +++ b/nix/nixos-modules/improvedDefaults/sshAuthorize.nix @@ -1,7 +1,8 @@ -{ config -, lib -, pkgs -, ... +{ + config, + lib, + pkgs, + ... }: let myOpts = config.x-banananetwork; 
@@ -9,62 +10,66 @@ let in { - options = { x-banananetwork.improvedDefaults = { - autoSshAuthorizeRoot = lib.mkEnableOption '' - automatically add option{x-banananetwork.sshPublicKeys} to root’s authorized keys - and enable option{services.openssh.settings.PermitRootLogin} - if no other user has "wheel" power & SSH authorized keys defined. + autoSshAuthorizeRoot = + lib.mkEnableOption '' + automatically add option{x-banananetwork.sshPublicKeys} to root’s authorized keys + and enable option{services.openssh.settings.PermitRootLogin} + if no other user has "wheel" power & SSH authorized keys defined. - Also, option{services.openssh.settings.PermitRootLogin} will be disabled - if this module does not require it. - '' // { default = true; }; + Also, option{services.openssh.settings.PermitRootLogin} will be disabled + if this module does not require it. + '' + // { + default = true; + }; }; }; + config = + lib.mkIf + (lib.lists.all (x: x) [ + cfg.enable + cfg.autoSshAuthorizeRoot + config.services.openssh.enable + ]) + ( + let + inherit (lib.attrsets) attrValues filterAttrs; + inherit (lib.lists) any; + # variables + users = config.users.users; + wheelUsers = lib.trivial.pipe users [ + (filterAttrs (n: v: n != "root")) + (filterAttrs (n: v: builtins.elem "wheel" v.extraGroups)) + ]; + areKeysSet = authKeysOpts: any (x: true) (authKeysOpts.keys ++ authKeysOpts.keyFiles); + isUserAuthed = userOpts: areKeysSet userOpts.openssh.authorizedKeys; + # used facts + isNonRootAuthed = any isUserAuthed (attrValues wheelUsers); + isRootAuthed = isUserAuthed users."root"; + doRootAuth = !isNonRootAuthed; + in + { - config = lib.mkIf - (lib.lists.all (x: x) [ - cfg.enable - cfg.autoSshAuthorizeRoot - config.services.openssh.enable - ]) - ( - let - inherit (lib.attrsets) attrValues filterAttrs; - inherit (lib.lists) any; - # variables - users = config.users.users; - wheelUsers = lib.trivial.pipe users [ - (filterAttrs (n: v: n != "root")) - (filterAttrs (n: v: builtins.elem "wheel" 
v.extraGroups)) - ]; - areKeysSet = authKeysOpts: any (x: true) (authKeysOpts.keys ++ authKeysOpts.keyFiles); - isUserAuthed = userOpts: areKeysSet userOpts.openssh.authorizedKeys; - # used facts - isNonRootAuthed = any isUserAuthed (attrValues wheelUsers); - isRootAuthed = isUserAuthed users."root"; - doRootAuth = !isNonRootAuthed; - in - { - - services.openssh.settings.PermitRootLogin = if isRootAuthed then true else lib.mkDefault false; - - users.users.root.openssh.authorizedKeys.keys = lib.mkIf doRootAuth (lib.mkDefault myOpts.sshPublicKeys); - warnings = lib.mkIf doRootAuth [ - '' - root’s authorized keys were automatically configured - because no other user with wheel permission has authorized keys configured - '' - ]; + services.openssh.settings.PermitRootLogin = if isRootAuthed then true else lib.mkDefault false; - } - ); + users.users.root.openssh.authorizedKeys.keys = lib.mkIf doRootAuth ( + lib.mkDefault myOpts.sshPublicKeys + ); + warnings = lib.mkIf doRootAuth [ + '' + root’s authorized keys were automatically configured + because no other user with wheel permission has authorized keys configured + '' + ]; + } + ); } diff --git a/nix/nixos-modules/improvedDefaults/wayland.nix b/nix/nixos-modules/improvedDefaults/wayland.nix index 661ae20..005d0e5 100644 --- a/nix/nixos-modules/improvedDefaults/wayland.nix +++ b/nix/nixos-modules/improvedDefaults/wayland.nix @@ -1,14 +1,14 @@ -{ config -, lib -, pkgs -, ... +{ + config, + lib, + pkgs, + ... }: let cfg = config.x-banananetwork.improvedDefaults; in { - config = lib.mkIf cfg.enable ( let prgs = config.programs; @@ -33,5 +33,4 @@ in } ); - } diff --git a/nix/nixos-modules/options.nix b/nix/nixos-modules/options.nix index 1f90c02..1a1c458 100644 --- a/nix/nixos-modules/options.nix +++ b/nix/nixos-modules/options.nix @@ -2,10 +2,11 @@ # for me, most of them are defined in ../mySettings.nix -{ config -, lib -, pkgs -, ... +{ + config, + lib, + pkgs, + ... }: { 
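Review bot: `services.openssh.settings.PermitRootLogin = if isRootAuthed then true else lib.mkDefault false;` assigns booleans, but in nixpkgs' sshd module that option is an enum of the sshd keywords (`"yes"`, `"prohibit-password"`, `"no"`, ...), so this should be rejected at evaluation on any host where the outer `mkIf` condition holds — and even rendered as `yes` it would permit root password logins, which is more than "root is authorized by its keys" needs. `if isRootAuthed then "prohibit-password" else lib.mkDefault "no"` expresses the intent and keeps password-based root login closed. A comment next to `isRootAuthed` noting that it reads the merged `config.users.users.root` keys, i.e. it also sees the keys this module adds via `mkDefault` when `doRootAuth` holds and `sshPublicKeys` is non-empty, would make the evaluation order clear. The option `description` above promises exactly this behaviour, so it is worth keeping the two in step.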
diff --git a/nix/nixos-modules/privacy.nix b/nix/nixos-modules/privacy.nix index 9b39fe1..6a06cc9 100644 --- a/nix/nixos-modules/privacy.nix +++ b/nix/nixos-modules/privacy.nix @@ -3,10 +3,11 @@ lib, pkgs, ... -}: let +}: +let cfg = config.x-banananetwork.privacy; -in { - +in +{ options = { @@ -26,22 +27,17 @@ in { }; - config = lib.mkIf cfg.enable { - boot.kernel.sysctl = { - "net.ipv6.conf.all.temp_prefered_lft" = 1* 60*60; # = 1h - "net.ipv6.conf.all.temp_valid_lft" = 21 *60*60; # = 21h + "net.ipv6.conf.all.temp_prefered_lft" = 1 * 60 * 60; # = 1h + "net.ipv6.conf.all.temp_valid_lft" = 21 * 60 * 60; # = 21h }; - networking = { tempAddresses = "default"; }; - }; - } diff --git a/nix/nixos-modules/secrix.nix b/nix/nixos-modules/secrix.nix index 126f0f9..ae3eb49 100644 --- a/nix/nixos-modules/secrix.nix +++ b/nix/nixos-modules/secrix.nix @@ -1,7 +1,8 @@ -{ config -, lib -, pkgs -, ... +{ + config, + lib, + pkgs, + ... }: let myOpts = config.x-banananetwork; @@ -9,7 +10,6 @@ let in { - options = { x-banananetwork.secrix = { @@ -40,10 +40,8 @@ in }; - config = lib.mkIf cfg.enable { - assertions = [ { assertion = config.secrix.hostPubKey != null; @@ -51,28 +49,22 @@ in } ]; - secrix = let - findHostKey = keyType: lib.lists.findSingle - (key: key.type == keyType) - (abort "cannot find generated OpenSSH host key with type ${keyType}") - (abort "found multiple generated OpenSSH host keys with type ${keyType}") - config.services.openssh.hostKeys; + findHostKey = + keyType: + lib.lists.findSingle (key: key.type == keyType) + (abort "cannot find generated OpenSSH host key with type ${keyType}") + (abort "found multiple generated OpenSSH host keys with type ${keyType}") + config.services.openssh.hostKeys; hostKeyPrivate = (findHostKey cfg.hostKeyType).path; in { - defaultEncryptKeys."${myOpts.userName}" = myOpts.sshPublicKeys; - hostIdentityFile = lib.mkIf (cfg.hostKeyType != null) (lib.mkDefault hostKeyPrivate); - hostPubKey = myOpts.sshHostPublicKey; - }; - }; - } 
diff --git a/nix/nixos-modules/sshSecurity.nix b/nix/nixos-modules/sshSecurity.nix index 6b28c11..57258a5 100644 --- a/nix/nixos-modules/sshSecurity.nix +++ b/nix/nixos-modules/sshSecurity.nix @@ -1,14 +1,14 @@ -{ config -, lib -, pkgs -, ... +{ + config, + lib, + pkgs, + ... }: let cfg = config.services.openssh; in { - options = { services.openssh.authorizedKeysOnly = lib.mkEnableOption '' @@ -17,7 +17,6 @@ in }; - config = lib.mkIf cfg.enable { services.openssh = { @@ -29,9 +28,6 @@ in }; - # TODO add tests - } - diff --git a/nix/nixos-modules/useable.nix b/nix/nixos-modules/useable.nix index 2f5ceb3..14bbe30 100644 --- a/nix/nixos-modules/useable.nix +++ b/nix/nixos-modules/useable.nix @@ -1,14 +1,14 @@ -{ config -, lib -, pkgs -, ... +{ + config, + lib, + pkgs, + ... }: let cfg = config.x-banananetwork.useable; in { - options = { x-banananetwork.useable = { @@ -23,10 +23,8 @@ in }; - config = lib.mkIf cfg.enable { - documentation = { enable = true; 
@@ -54,39 +52,39 @@ in }; - - environment.systemPackages = with pkgs; let - inherit (lib.lists) flatten optional optionals; - in - flatten [ - - (optional (config.services.hardware.bolt.enable && config.services.desktopManager.plasma6.enable) kdePackages.plasma-thunderbolt) # TODO upstream - - (optionals config.hardware.graphics.amd.enable [ - nvtopPackages.amd - ]) - (optionals config.hardware.graphics.intel.enable [ - intel-gpu-tools - nvtopPackages.intel - ]) - - bat - batmon # TODO only on systems wich batteries - jq # JSON - manix - massren - nethogs - reptyr - pciutils - psitop - pv - unixtools.xxd - up # ultimate plumber - usbtop - usbutils - - ]; - + environment.systemPackages = + with pkgs; + let + inherit (lib.lists) flatten optional optionals; + in + flatten [ + + (optional ( + config.services.hardware.bolt.enable && config.services.desktopManager.plasma6.enable + ) kdePackages.plasma-thunderbolt) # TODO upstream + + (optionals config.hardware.graphics.amd.enable [ nvtopPackages.amd ]) + (optionals config.hardware.graphics.intel.enable [ + intel-gpu-tools + nvtopPackages.intel + ]) + + bat + batmon # TODO only on systems wich batteries + jq # JSON + manix + massren + nethogs + reptyr + pciutils + psitop + pv + unixtools.xxd + up # ultimate plumber + usbtop + usbutils + + ]; programs = { @@ -101,7 +99,7 @@ in alias = { lg1 = "log --graph --abbrev-commit --decorate --format=format:'%C(bold blue)%h%C(reset) - %C(bold green)(%ar)%C(reset) %C(white)%s%C(reset) %C(dim white)- %an%C(reset)%C(bold yellow)%d%C(reset)' --all"; lg2 = "log --graph --abbrev-commit --decorate --format=format:'%C(bold blue)%h%C(reset) - %C(bold cyan)%aD%C(reset) %C(bold green)(%ar)%C(reset)%C(bold yellow)%d%C(reset)%n'' %C(white)%s%C(reset) %C(dim white)- %an%C(reset)' --all"; - lg = ''!"git lg1"''; + lg = ''!git lg1''; }; core = { autocrlf = "input"; @@ -172,7 +170,6 @@ in }; - x-banananetwork = { allCommon.enable = true; 
@@ -180,12 +177,9 @@ in }; - # TODO withlist: # - update tmuxPlugins.sensible in nixpkgs (e.g. https://github.com/NixOS/nixpkgs/pull/272954) - }; - } diff --git a/nix/nixos-modules/vmCommon.nix b/nix/nixos-modules/vmCommon.nix index 0733037..2ca989e 100644 --- a/nix/nixos-modules/vmCommon.nix +++ b/nix/nixos-modules/vmCommon.nix @@ -1,9 +1,10 @@ # applicable to all service VMs running on a hypervisor (currently Proxmox/QEMU assumed) -{ config -, lib -, pkgs -, ... +{ + config, + lib, + pkgs, + ... }: let cfg = config.x-banananetwork.vmCommon; @@ -33,10 +34,8 @@ let in { - options = { - x-banananetwork.vmCommon = { enable = lib.mkEnableOption '' 
@@ -45,188 +44,167 @@ in }; - }; + config = lib.mkIf cfg.enable ( + lib.mkMerge [ - config = lib.mkIf cfg.enable (lib.mkMerge [ - - { - - # timing-related options - # - ordered by chronological order + { - system.autoUpgrade = { - rebootWindow.lower = "01:00"; - dates = "01:00"; - randomizedDelaySec = "45min"; - rebootWindow.upper = "04:00"; - }; + # timing-related options + # - ordered by chronological order - nix.gc = { - # could take longer - dates = "04:15"; - randomizedDelaySec = "30min"; - }; - - nix.optimise = { - # should not take long because of auto-optimise-store - dates = "05:30"; - }; + system.autoUpgrade = { + rebootWindow.lower = "01:00"; + dates = "01:00"; + randomizedDelaySec = "45min"; + rebootWindow.upper = "04:00"; + }; - } + nix.gc = { + # could take longer + dates = "04:15"; + randomizedDelaySec = "30min"; + }; + nix.optimise = { + # should not take long because of auto-optimise-store + dates = "05:30"; + }; - { + } - # all other options + { + # all other options - boot = { + boot = { - kernelParams = "console=ttyS0,115200"; + kernelParams = "console=ttyS0,115200"; - loader = { - efi.canTouchEfiVariables = true; - grub.enable = false; - systemd-boot = { - enable = true; - configurationLimit = 16; - editor = true; # access to VM console/KVM should be locked + loader = { + efi.canTouchEfiVariables = true; + grub.enable = false; + systemd-boot = { + enable = true; + configurationLimit = 16; + editor = true; # access to VM console/KVM should be locked + }; }; - }; - - }; + }; - console.keyMap = "de"; + console.keyMap = "de"; + # for fast debugging of systems, keep small + environment.systemPackages = [ resize ]; - # for fast debugging of systems, keep small - environment.systemPackages = [ - resize - ]; + networking = { + firewall = { + logRefusedConnections = false; + # TODO + }; - networking = { + useDHCP = true; + useNetworkd = lib.mkDefault false; + usePredictableInterfaceNames = true; - firewall = { - logRefusedConnections = false; - # TODO 
}; - useDHCP = true; - useNetworkd = lib.mkDefault false; - usePredictableInterfaceNames = true; + nix = { - }; - - - nix = { + gc = { + automatic = true; + options = "--delete-older-than 30d"; + }; - gc = { - automatic = true; - options = "--delete-older-than 30d"; - }; + optimise = { + automatic = true; + }; - optimise = { - automatic = true; - }; + settings = { + max-free = lib.mkDefault (3 * 1024 * 1024 * 1024); + min-free = lib.mkDefault (512 * 1024 * 1024); + }; - settings = { - max-free = lib.mkDefault (3 * 1024 * 1024 * 1024); - min-free = lib.mkDefault (512 * 1024 * 1024); }; - }; - + security = { - security = { + apparmor.enable = true; - apparmor.enable = true; + lockKernelModules = true; # after boot loading not required on VMs - lockKernelModules = true; # after boot loading not required on VMs + sudo = { + enable = true; + execWheelOnly = lib.mkDefault true; + extraConfig = '' + Defaults lecture = never + ''; + }; - sudo = { - enable = true; - execWheelOnly = lib.mkDefault true; - extraConfig = '' - Defaults lecture = never - ''; }; - }; + services = { + qemuGuest.enable = true; + openssh = { + enable = true; + authorizedKeysInHomedir = false; + authorizedKeysOnly = true; + openFirewall = true; + }; - services = { + }; - qemuGuest.enable = true; + sound.enable = false; - openssh = { + system.autoUpgrade = { enable = true; - authorizedKeysInHomedir = false; - authorizedKeysOnly = true; - openFirewall = true; + allowReboot = true; + fixedRandomDelay = true; + flags = [ + "--no-allow-dirty" + "--no-use-registries" + "--no-update-lock-file" + ]; + flake = lib.mkDefault "git+https://git.bananet.work/banananetwork/server"; # ===SYNC:general/meta/repo/url=== + operation = "boot"; # change only on reboots }; - }; - - - sound.enable = false; - - - system.autoUpgrade = { - enable = true; - allowReboot = true; - fixedRandomDelay = true; - flags = [ - "--no-allow-dirty" - "--no-use-registries" - "--no-update-lock-file" - ]; - flake = lib.mkDefault 
"git+https://git.bananet.work/banananetwork/server"; #===SYNC:general/meta/repo/url=== - operation = "boot"; # change only on reboots - }; - - - systemd.services."serial-getty@".environment.TERM = "xterm-256color"; + systemd.services."serial-getty@".environment.TERM = "xterm-256color"; + time.hardwareClockInLocalTime = false; # just to make sure - time.hardwareClockInLocalTime = false; # just to make sure + x-banananetwork = { + allCommon.enable = true; + debugMinimal.enable = true; + # TODO think about + #privacy.enable = true; - x-banananetwork = { - - allCommon.enable = true; - debugMinimal.enable = true; - # TODO think about - #privacy.enable = true; - - }; - - - # TODO disko config, see https://github.com/nix-community/disko/blob/master/docs/INDEX.md - - - # TODO wishlist items (in prio order): - # - ntfy.sh as mailer - # own script - # or e.g. https://stetsed.xyz/posts/email-notifications-with-ntfy-and-mailrise/ - # & connect to: journalwatch, smartd - # - add support for automatic boot assessment (will be added to 24.11) - # - programs.atop.enable = true - # - think about zramSwap - # - NixOS test: ssh-audit - # - networking.useNetworkd - # - networking.tcpcrypt - # environment.loginShellInit = "${resize}/bin/resize"; (see https://github.com/nix-community/srvos/blob/main/nixos/common/serial.nix) - - - } - - - ]); + }; + # TODO disko config, see https://github.com/nix-community/disko/blob/master/docs/INDEX.md + + # TODO wishlist items (in prio order): + # - ntfy.sh as mailer + # own script + # or e.g. 
https://stetsed.xyz/posts/email-notifications-with-ntfy-and-mailrise/ + # & connect to: journalwatch, smartd + # - add support for automatic boot assessment (will be added to 24.11) + # - programs.atop.enable = true + # - think about zramSwap + # - NixOS test: ssh-audit + # - networking.useNetworkd + # - networking.tcpcrypt + # environment.loginShellInit = "${resize}/bin/resize"; (see https://github.com/nix-community/srvos/blob/main/nixos/common/serial.nix) + + } + + ] + ); } diff --git a/nix/nixos/default.nix b/nix/nixos/default.nix index 7eefcf1..a416709 100644 --- a/nix/nixos/default.nix +++ b/nix/nixos/default.nix @@ -1,7 +1,4 @@ +{ inputs, outputs, ... }@args: { - inputs, - outputs, - ... -}@args: { }
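Review bot: `boot.kernelParams = "console=ttyS0,115200";` assigns a string, but the NixOS option is a list of strings, so evaluating any host that enables `x-banananetwork.vmCommon` should fail the type check; it should read `kernelParams = [ "console=ttyS0,115200" ];`. `environment.systemPackages = [ resize ];` depends on `resize` being bound in the file's `let` block above the hunk, which is not visible here — worth confirming, since the flake's only visible `nixosConfigurations` entry does not appear to enable this module, so these lines may never have been evaluated. Separately, `systemd-boot.editor = true` lets anyone with console access rewrite the kernel command line at boot, which undercuts `security.lockKernelModules` and `apparmor.enable` on the same host; the trailing comment acknowledges this, so consider `editor = lib.mkDefault false;` unless the hypervisor console really is locked down. The `config = lib.mkIf cfg.enable (lib.mkMerge [` expression opens and closes within the hunk.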