From 4686125f28087ab6b8af0700c0423cd26d0e79f1 Mon Sep 17 00:00:00 2001 From: truxnell <19149206+truxnell@users.noreply.github.com> Date: Tue, 26 Mar 2024 21:11:59 +1100 Subject: [PATCH] hax --- flake.nix | 1 - lib/default.nix | 24 ------- nixos/hosts/dns01/default.nix | 8 +-- nixos/hosts/rickenbacker/default.nix | 24 ++++--- .../services/dnscrypt-proxy2/default.nix | 12 ++-- nixos/modules/nixos/system/nix.nix | 2 +- nixos/modules/nixos/system/security.nix | 62 +++++++++-------- nixos/profiles/global/nix.nix | 69 ++++++++++--------- nixos/profiles/role-worstation.nix | 8 ++- 9 files changed, 99 insertions(+), 111 deletions(-) delete mode 100644 lib/default.nix diff --git a/flake.nix b/flake.nix index 2c0e3e2..275e3ac 100644 --- a/flake.nix +++ b/flake.nix @@ -49,7 +49,6 @@ formatter = forAllSystems (system: nixpkgs.legacyPackages."${system}".nixpkgs-fmt); nixosModules = import ./nixos/modules/nixos; - lib = import ./lib { inherit inputs; } // inputs.nixpkgs.lib; nixosConfigurations = with self.lib; diff --git a/lib/default.nix b/lib/default.nix deleted file mode 100644 index d43a07e..0000000 --- a/lib/default.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ inputs, ... }: - -with inputs.nixpkgs.lib; -let - strToPath = x: path: - if builtins.typeOf x == "string" - then builtins.toPath ("${toString path}/${x}") - else x; - strToFile = x: path: - if builtins.typeOf x == "string" - then builtins.toPath ("${toString path}/${x}.nix") - else x; -in -rec { - - firstOrDefault = first: default: if !isNull first then first else default; - - existsOrDefault = x: set: default: if hasAttr x set then getAttr x set else default; - - mkIfElse = p: yes: no: mkMerge [ - (mkIf p yes) - (mkIf (!p) no) - ]; -} diff --git a/nixos/hosts/dns01/default.nix b/nixos/hosts/dns01/default.nix index dc87959..ddb6605 100644 --- a/nixos/hosts/dns01/default.nix +++ b/nixos/hosts/dns01/default.nix 
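Review bot: The removed `lib = import ./lib { inherit inputs; } // inputs.nixpkgs.lib;` is still consumed by the context line right after it, `nixosConfigurations = with self.lib;`, so unless `lib` is defined elsewhere in the flake's outputs (not visible in this hunk) evaluation now fails with a missing `lib` attribute on `self`. Either keep a minimal output, `lib = inputs.nixpkgs.lib;`, or switch the consumer to `with inputs.nixpkgs.lib;`. The same hunk set deletes the helpers `firstOrDefault`, `existsOrDefault` and `mkIfElse` from lib/default.nix, so any module that still calls them through `self.lib` breaks the same way; a `nix flake check` across all hosts would surface both. The enclosing `outputs` attrset starts and ends outside the hunk.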
@@ -11,10 +11,10 @@ ]; - mySystem = { - services.maddy.enable = true; - services.dnscrypt-proxy.enable = true; - services.cfDdns.enable = true; + mySystem.services = { + maddy.enable = true; + dnscrypt-proxy.enable = true; + cfDdns.enable = true; }; networking.hostName = "dns01"; # Define your hostname. diff --git a/nixos/hosts/rickenbacker/default.nix b/nixos/hosts/rickenbacker/default.nix index bafde50..96771a6 100644 --- a/nixos/hosts/rickenbacker/default.nix +++ b/nixos/hosts/rickenbacker/default.nix @@ -3,19 +3,20 @@ , pkgs , ... }: { - - # hardware-configuration.nix is missing as I've abstracted out the parts - - config.mySystem = { - services.openssh.enable = true; - security.wheelNeedsSudoPassword = false; - }; - - # TODO build this in from flake host names - config.networking.hostName = "rickenbacker"; - config = { + # hardware-configuration.nix is missing as I've abstracted out the parts + + mySystem = { + services.openssh.enable = true; + security.wheelNeedsSudoPassword = false; + }; + + # TODO build this in from flake host names + networking.hostName = "rickenbacker"; + + + fileSystems."/" = { device = "/dev/disk/by-label/nixos"; @@ -29,5 +30,6 @@ }; swapDevices = [ ]; + }; } diff --git a/nixos/modules/nixos/services/dnscrypt-proxy2/default.nix b/nixos/modules/nixos/services/dnscrypt-proxy2/default.nix index de96e6c..99431f9 100644 --- a/nixos/modules/nixos/services/dnscrypt-proxy2/default.nix +++ b/nixos/modules/nixos/services/dnscrypt-proxy2/default.nix 
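Review bot: The rickenbacker hunk adds three consecutive blank lines between `networking.hostName = "rickenbacker";` and `fileSystems."/"`, which reads as a leftover from the reshuffle and which `nixpkgs-fmt` (the formatter the flake declares) will most likely collapse anyway; one blank line is enough. While the block is being touched, the moved line `security.wheelNeedsSudoPassword = false;` is the one setting here with a real security consequence (any wheel member gets root without re-authenticating) and carries no explanation, so a one-line why-comment above it, along the lines of `# passwordless sudo for wheel: <reason for this host>`, would record the trade-off for the next reader. The new `config = {` wrapper is opened in this hunk and closed by the `};` added in the second rickenbacker hunk, so the two must land together.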
@@ -21,13 +21,15 @@ in dhcpcd.extraConfig = "nohook resolv.conf"; }; + sops.secrets = { - # configure secret for forwarding rules - sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".sopsFile = ./dnscrypt-proxy2.sops.yaml; - sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".mode = "0444"; # This is world-readable but theres nothing security related in the file + # configure secret for forwarding rules + "system/networking/dnscrypt-proxy2/forwarding-rules".sopsFile = ./dnscrypt-proxy2.sops.yaml; + "system/networking/dnscrypt-proxy2/forwarding-rules".mode = "0444"; # This is world-readable but theres nothing security related in the file - # Restart dnscrypt when secret changes - sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".restartUnits = [ "dnscrypt-proxy2" ]; + # Restart dnscrypt when secret changes + "system/networking/dnscrypt-proxy2/forwarding-rules".restartUnits = [ "dnscrypt-proxy2" ]; + }; services.dnscrypt-proxy2 = { enable = true; diff --git a/nixos/modules/nixos/system/nix.nix b/nixos/modules/nixos/system/nix.nix index 0604425..d13b293 100644 --- a/nixos/modules/nixos/system/nix.nix +++ b/nixos/modules/nixos/system/nix.nix @@ -39,7 +39,7 @@ in # garbage collection automatic = cfg.gc.enable; options = "--delete-older-than 30d"; - persistent = cfg.gc.persistent; + inherit (cfg.gc) persistent; }; }; diff --git a/nixos/modules/nixos/system/security.nix b/nixos/modules/nixos/system/security.nix index 69bb1a2..5730385 100644 --- a/nixos/modules/nixos/system/security.nix +++ b/nixos/modules/nixos/system/security.nix 
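Review bot: The re-added line `"system/networking/dnscrypt-proxy2/forwarding-rules".mode = "0444";` leaves a decrypted sops secret world-readable on the host, and the only justification is the trailing comment that "theres nothing security related in the file". If that is true, encrypting it with sops adds little; if it is not (forwarding rules usually name internal zones and the resolvers behind them), the file should be readable only by the service. Where the service's user allows it, sops-nix's `owner`/`group` with a `0440`-style mode is the narrower choice; where it does not (a dynamic service user, for instance), the comment should at least say what the file contains so a later reviewer can check the claim rather than take it on faith. The enclosing module attrset starts and ends outside the hunk.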
@@ -7,41 +7,45 @@ let cfg = config.mySystem.security; in { - options.mySystem.security.sshAgentAuth = { - enable = lib.mkEnableOption "openssh"; - }; - options.mySystem.security.wheelNeedsSudoPassword = lib.mkOption { - type = lib.types.bool; - description = "If wheel group users need password for sudo"; - default = true; - }; - options.mySystem.security.increaseWheelLoginLimits = lib.mkOption { - type = lib.types.bool; - description = "If wheel group users receive increased login limits"; - default = true; + options.mySystem.security = { + + sshAgentAuth.enable = lib.mkEnableOption "openssh"; + + wheelNeedsSudoPassword = lib.mkOption { + type = lib.types.bool; + description = "If wheel group users need password for sudo"; + default = true; + }; + increaseWheelLoginLimits = lib.mkOption { + type = lib.types.bool; + description = "If wheel group users receive increased login limits"; + default = true; + }; }; config = { - security.sudo.wheelNeedsPassword = cfg.wheelNeedsSudoPassword; + security = { + sudo.wheelNeedsPassword = cfg.wheelNeedsSudoPassword; - security.pam.enableSSHAgentAuth = cfg.sshAgentAuth.enable; + pam.enableSSHAgentAuth = cfg.sshAgentAuth.enable; - # Increase open file limit for sudoers - security.pam.loginLimits = mkIf cfg.increaseWheelLoginLimits [ - { - domain = "@wheel"; - item = "nofile"; - type = "soft"; - value = "524288"; - } - { - domain = "@wheel"; - item = "nofile"; - type = "hard"; - value = "1048576"; - } - ]; + # Increase open file limit for sudoers + pam.loginLimits = mkIf cfg.increaseWheelLoginLimits [ + { + domain = "@wheel"; + item = "nofile"; + type = "soft"; + value = "524288"; + } + { + domain = "@wheel"; + item = "nofile"; + type = "hard"; + value = "1048576"; + } + ]; + }; }; } diff --git a/nixos/profiles/global/nix.nix b/nixos/profiles/global/nix.nix index f6b767b..15095c6 100644 --- a/nixos/profiles/global/nix.nix +++ b/nixos/profiles/global/nix.nix 
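Review bot: The new `sshAgentAuth.enable = lib.mkEnableOption "openssh";` generates the option description "Whether to enable openssh.", but what the option actually toggles, per the `pam.enableSSHAgentAuth = cfg.sshAgentAuth.enable;` line in the same hunk, is PAM authentication through a forwarded ssh-agent, i.e. sudo for anyone holding the agent socket. That is a security-relevant switch and deserves an accurate description, e.g. `sshAgentAuth.enable = lib.mkEnableOption "PAM authentication via a forwarded ssh-agent (security.pam.enableSSHAgentAuth)";`. Separately, I believe newer nixpkgs renamed `security.pam.enableSSHAgentAuth` to `security.pam.sshAgentAuth.enable`; if the flake's pinned nixpkgs carries that rename, this assignment will trigger the deprecation alias or an evaluation warning, so it is worth checking against the pin. `mkIf` is used unqualified here, which relies on a `with lib;` outside the hunk.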
@@ -4,52 +4,55 @@ ## Below is to align shell/system to flake's nixpkgs ## ref: https://nixos-and-flakes.thiscute.world/best-practices/nix-path-and-flake-registry - # make `nix run nixpkgs#nixpkgs` use the same nixpkgs as the one used by this flake. - nix.registry.nixpkgs.flake = nixpkgs; - nix.channel.enable = false; # remove nix-channel related tools & configs, we use flakes instead. - - # but NIX_PATH is still used by many useful tools, so we set it to the same value as the one used by this flake. # Make `nix repl ''` use the same nixpkgs as the one used by this flake. environment.etc."nix/inputs/nixpkgs".source = "${nixpkgs}"; - # https://github.com/NixOS/nix/issues/9574 - nix.settings.nix-path = lib.mkForce "nixpkgs=/etc/nix/inputs/nixpkgs"; + nix = { - ### + # make `nix run nixpkgs#nixpkgs` use the same nixpkgs as the one used by this flake. + registry.nixpkgs.flake = nixpkgs; + channel.enable = false; # remove nix-channel related tools & configs, we use flakes instead. - nix.settings = { + # but NIX_PATH is still used by many useful tools, so we set it to the same value as the one used by this flake. + # https://github.com/NixOS/nix/issues/9574 + settings.nix-path = lib.mkForce "nixpkgs=/etc/nix/inputs/nixpkgs"; - # Enable flakes - experimental-features = [ - "nix-command" - "flakes" - ]; + ### - # Substitutions - trusted-substituters = [ - "https://cache.garnix.io" - "https://nix-community.cachix.org" - "https://numtide.cachix.org" - ]; + settings = { - trusted-public-keys = [ - "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" - "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE=" - "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" - ]; + # Enable flakes + experimental-features = [ + "nix-command" + "flakes" + ]; - # Fallback quickly if substituters are not available. 
- connect-timeout = 5; - # Avoid copying unnecessary stuff over SSH - builders-use-substitutes = true; + # Substitutions + trusted-substituters = [ + "https://cache.garnix.io" + "https://nix-community.cachix.org" + "https://numtide.cachix.org" + ]; + + trusted-public-keys = [ + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE=" + "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" + ]; + + # Fallback quickly if substituters are not available. + connect-timeout = 5; + # Avoid copying unnecessary stuff over SSH + builders-use-substitutes = true; - trusted-users = [ "root" "@wheel" ]; + trusted-users = [ "root" "@wheel" ]; - warn-dirty = false; + warn-dirty = false; - # The default at 10 is rarely enough. - log-lines = lib.mkDefault 25; + # The default at 10 is rarely enough. + log-lines = lib.mkDefault 25; + }; }; } diff --git a/nixos/profiles/role-worstation.nix b/nixos/profiles/role-worstation.nix index 909d6f2..efe68fb 100644 --- a/nixos/profiles/role-worstation.nix +++ b/nixos/profiles/role-worstation.nix @@ -5,10 +5,12 @@ with config; { + mySystem = { - mySystem.de.gnome.enable = true; - mySystem.editor.vscodium.enable = true; - mySystem.browser.firefox.enable = true; + de.gnome.enable = true; + editor.vscodium.enable = true; + browser.firefox.enable = true; + }; boot = {
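Review bot: In the nested `settings` block, `trusted-substituters = [ ... ]` only whitelists those caches for use by unprivileged users; it does not add them to `substituters`, so unless `substituters` is set elsewhere these caches (and the matching `trusted-public-keys`) are never consulted by default, which is easy to miss under the "Substitutions" comment. If the intent is to actually use them, the fix is a `substituters = [ ... ];` list with the same URLs next to it. The re-indented `trusted-users = [ "root" "@wheel" ];` is also the one line in this block without a why-comment, and it is the most consequential: a trusted user can pass arbitrary `substituters` and `sandbox` options to the daemon, which is effectively root, so a note such as `# @wheel is trusted: daemon-level settings are overridable by any wheel member, root-equivalent` would make that explicit. The enclosing module attrset starts outside the hunk.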