truxnell 2024-03-26 21:11:59 +11:00
parent b44499c92e
commit 4686125f28
9 changed files with 99 additions and 111 deletions


@ -49,7 +49,6 @@
formatter = forAllSystems (system: nixpkgs.legacyPackages."${system}".nixpkgs-fmt); formatter = forAllSystems (system: nixpkgs.legacyPackages."${system}".nixpkgs-fmt);
nixosModules = import ./nixos/modules/nixos; nixosModules = import ./nixos/modules/nixos;
lib = import ./lib { inherit inputs; } // inputs.nixpkgs.lib;
nixosConfigurations = nixosConfigurations =
with self.lib; with self.lib;


@ -1,24 +0,0 @@
{ inputs, ... }:
with inputs.nixpkgs.lib;
let
strToPath = x: path:
if builtins.typeOf x == "string"
then builtins.toPath ("${toString path}/${x}")
else x;
strToFile = x: path:
if builtins.typeOf x == "string"
then builtins.toPath ("${toString path}/${x}.nix")
else x;
in
rec {
firstOrDefault = first: default: if !isNull first then first else default;
existsOrDefault = x: set: default: if hasAttr x set then getAttr x set else default;
mkIfElse = p: yes: no: mkMerge [
(mkIf p yes)
(mkIf (!p) no)
];
}


@ -11,10 +11,10 @@
]; ];
mySystem = { mySystem.services = {
services.maddy.enable = true; maddy.enable = true;
services.dnscrypt-proxy.enable = true; dnscrypt-proxy.enable = true;
services.cfDdns.enable = true; cfDdns.enable = true;
}; };
networking.hostName = "dns01"; # Define your hostname. networking.hostName = "dns01"; # Define your hostname.


@ -3,19 +3,20 @@
, pkgs , pkgs
, ... , ...
}: { }: {
# hardware-configuration.nix is missing as I've abstracted out the parts
config.mySystem = {
services.openssh.enable = true;
security.wheelNeedsSudoPassword = false;
};
# TODO build this in from flake host names
config.networking.hostName = "rickenbacker";
config = { config = {
# hardware-configuration.nix is missing as I've abstracted out the parts
mySystem = {
services.openssh.enable = true;
security.wheelNeedsSudoPassword = false;
};
# TODO build this in from flake host names
networking.hostName = "rickenbacker";
fileSystems."/" = fileSystems."/" =
{ {
device = "/dev/disk/by-label/nixos"; device = "/dev/disk/by-label/nixos";
@ -29,5 +30,6 @@
}; };
swapDevices = [ ]; swapDevices = [ ];
}; };
} }
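Review bot: `security.wheelNeedsSudoPassword = false;` is carried into the new `config` block right next to `services.openssh.enable = true;`, and neither line carries a rationale, so on this host every wheel member who can log in over SSH (presumably what the `mySystem.services.openssh` wrapper enables) gets a password-less root shell. That may be the intended trade-off for a workstation, but it should be stated in the file rather than left implicit, e.g. `# Intentional: password-less sudo for wheel; with sshd enabled, wheel membership is root-equivalent on this host.` If the goal is convenience for interactive sessions only, the security module's `sshAgentAuth.enable` in this same commit would allow sudo via a forwarded agent without dropping the password requirement for everyone. The `config = {` block opened in the first hunk continues outside it and is closed only in the second hunk.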


@ -21,13 +21,15 @@ in
dhcpcd.extraConfig = "nohook resolv.conf"; dhcpcd.extraConfig = "nohook resolv.conf";
}; };
sops.secrets = {
# configure secret for forwarding rules # configure secret for forwarding rules
sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".sopsFile = ./dnscrypt-proxy2.sops.yaml; "system/networking/dnscrypt-proxy2/forwarding-rules".sopsFile = ./dnscrypt-proxy2.sops.yaml;
sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".mode = "0444"; # This is world-readable but theres nothing security related in the file "system/networking/dnscrypt-proxy2/forwarding-rules".mode = "0444"; # This is world-readable but theres nothing security related in the file
# Restart dnscrypt when secret changes # Restart dnscrypt when secret changes
sops.secrets."system/networking/dnscrypt-proxy2/forwarding-rules".restartUnits = [ "dnscrypt-proxy2" ]; "system/networking/dnscrypt-proxy2/forwarding-rules".restartUnits = [ "dnscrypt-proxy2" ];
};
services.dnscrypt-proxy2 = { services.dnscrypt-proxy2 = {
enable = true; enable = true;
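Review bot: The forwarding-rules secret keeps `mode = "0444"` with a comment saying there is nothing security related in it, but a dnscrypt-proxy forwarding-rules file maps domain names to upstream resolver addresses, which discloses internal zone names and resolver IPs to every local account; that is not a credential, but it is not nothing either. If the dnscrypt-proxy2 service runs under a fixed user, pin `owner` and use `mode = "0400"`; if it runs under a dynamic user so ownership cannot be assigned, say that in the comment so the 0444 is visibly deliberate, e.g. `# 0444: service uses a dynamic user so ownership cannot be pinned; file holds only domain->resolver mappings, no credentials`. The comment also has a typo ("theres"). The enclosing module attrset and the `with`/`let` header start above the hunk.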


@ -39,7 +39,7 @@ in
# garbage collection # garbage collection
automatic = cfg.gc.enable; automatic = cfg.gc.enable;
options = "--delete-older-than 30d"; options = "--delete-older-than 30d";
persistent = cfg.gc.persistent; inherit (cfg.gc) persistent;
}; };
}; };


@ -7,41 +7,45 @@ let
cfg = config.mySystem.security; cfg = config.mySystem.security;
in in
{ {
options.mySystem.security.sshAgentAuth = { options.mySystem.security = {
enable = lib.mkEnableOption "openssh";
}; sshAgentAuth.enable = lib.mkEnableOption "openssh";
options.mySystem.security.wheelNeedsSudoPassword = lib.mkOption {
type = lib.types.bool; wheelNeedsSudoPassword = lib.mkOption {
description = "If wheel group users need password for sudo"; type = lib.types.bool;
default = true; description = "If wheel group users need password for sudo";
}; default = true;
options.mySystem.security.increaseWheelLoginLimits = lib.mkOption { };
type = lib.types.bool; increaseWheelLoginLimits = lib.mkOption {
description = "If wheel group users receive increased login limits"; type = lib.types.bool;
default = true; description = "If wheel group users receive increased login limits";
default = true;
};
}; };
config = config =
{ {
security.sudo.wheelNeedsPassword = cfg.wheelNeedsSudoPassword; security = {
sudo.wheelNeedsPassword = cfg.wheelNeedsSudoPassword;
security.pam.enableSSHAgentAuth = cfg.sshAgentAuth.enable; pam.enableSSHAgentAuth = cfg.sshAgentAuth.enable;
# Increase open file limit for sudoers # Increase open file limit for sudoers
security.pam.loginLimits = mkIf cfg.increaseWheelLoginLimits [ pam.loginLimits = mkIf cfg.increaseWheelLoginLimits [
{ {
domain = "@wheel"; domain = "@wheel";
item = "nofile"; item = "nofile";
type = "soft"; type = "soft";
value = "524288"; value = "524288";
} }
{ {
domain = "@wheel"; domain = "@wheel";
item = "nofile"; item = "nofile";
type = "hard"; type = "hard";
value = "1048576"; value = "1048576";
} }
]; ];
};
}; };
} }
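Review bot: `sshAgentAuth.enable = lib.mkEnableOption "openssh";` generates the description "Whether to enable openssh.", but the option is wired on the new side to `pam.enableSSHAgentAuth`, so what it actually switches on is SSH-agent-based PAM authentication (typically used to authorise sudo via a forwarded agent), not the openssh service; a reader of `nixos-option` output will be misled. Suggest `sshAgentAuth.enable = lib.mkEnableOption "SSH agent authentication through PAM (security.pam.enableSSHAgentAuth)";`. As a point of style, `mkIf` on the `loginLimits` line is unqualified while `lib.mkOption`, `lib.types` and `lib.mkEnableOption` are qualified in the same block; either `lib.mkIf` or an `inherit (lib) mkIf;` in the `let` header would make it consistent. The `let` header starts above the hunk, so whether `with lib;` is already in scope cannot be seen here.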


@ -4,52 +4,55 @@
## Below is to align shell/system to flake's nixpkgs ## Below is to align shell/system to flake's nixpkgs
## ref: https://nixos-and-flakes.thiscute.world/best-practices/nix-path-and-flake-registry ## ref: https://nixos-and-flakes.thiscute.world/best-practices/nix-path-and-flake-registry
# make `nix run nixpkgs#nixpkgs` use the same nixpkgs as the one used by this flake.
nix.registry.nixpkgs.flake = nixpkgs;
nix.channel.enable = false; # remove nix-channel related tools & configs, we use flakes instead.
# but NIX_PATH is still used by many useful tools, so we set it to the same value as the one used by this flake.
# Make `nix repl '<nixpkgs>'` use the same nixpkgs as the one used by this flake. # Make `nix repl '<nixpkgs>'` use the same nixpkgs as the one used by this flake.
environment.etc."nix/inputs/nixpkgs".source = "${nixpkgs}"; environment.etc."nix/inputs/nixpkgs".source = "${nixpkgs}";
# https://github.com/NixOS/nix/issues/9574 nix = {
nix.settings.nix-path = lib.mkForce "nixpkgs=/etc/nix/inputs/nixpkgs";
### # make `nix run nixpkgs#nixpkgs` use the same nixpkgs as the one used by this flake.
registry.nixpkgs.flake = nixpkgs;
channel.enable = false; # remove nix-channel related tools & configs, we use flakes instead.
nix.settings = { # but NIX_PATH is still used by many useful tools, so we set it to the same value as the one used by this flake.
# https://github.com/NixOS/nix/issues/9574
settings.nix-path = lib.mkForce "nixpkgs=/etc/nix/inputs/nixpkgs";
# Enable flakes ###
experimental-features = [
"nix-command"
"flakes"
];
# Substitutions settings = {
trusted-substituters = [
"https://cache.garnix.io"
"https://nix-community.cachix.org"
"https://numtide.cachix.org"
];
trusted-public-keys = [ # Enable flakes
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" experimental-features = [
"numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE=" "nix-command"
"cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" "flakes"
]; ];
# Fallback quickly if substituters are not available. # Substitutions
connect-timeout = 5; trusted-substituters = [
# Avoid copying unnecessary stuff over SSH "https://cache.garnix.io"
builders-use-substitutes = true; "https://nix-community.cachix.org"
"https://numtide.cachix.org"
];
trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
"cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
];
# Fallback quickly if substituters are not available.
connect-timeout = 5;
# Avoid copying unnecessary stuff over SSH
builders-use-substitutes = true;
trusted-users = [ "root" "@wheel" ]; trusted-users = [ "root" "@wheel" ];
warn-dirty = false; warn-dirty = false;
# The default at 10 is rarely enough. # The default at 10 is rarely enough.
log-lines = lib.mkDefault 25; log-lines = lib.mkDefault 25;
};
}; };
} }
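Review bot: `trusted-users = [ "root" "@wheel" ];` survives the re-nesting into `nix.settings` without a comment, yet a Nix trusted user can override `substituters` and `trusted-public-keys` per invocation and import unsigned store paths into the daemon, which is root-equivalent access on the host; together with the password-less wheel sudo elsewhere in this commit that may be accepted, but it should be written down. Suggest `# NOTE: trusted users can add substituters/keys and import unsigned paths; treat @wheel as root-equivalent here.` above that line, or narrow the list to named accounts. Separately, the three caches appear only under `trusted-substituters` (the list unprivileged users may request) and not under `substituters` (the list the daemon actually consults), so unless `substituters` is set elsewhere in the configuration these caches are not used by default. The enclosing module attrset starts above the hunk.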


@ -5,10 +5,12 @@
with config; with config;
{ {
mySystem = {
mySystem.de.gnome.enable = true; de.gnome.enable = true;
mySystem.editor.vscodium.enable = true; editor.vscodium.enable = true;
mySystem.browser.firefox.enable = true; browser.firefox.enable = true;
};
boot = { boot = {