diff --git a/README.md b/README.md index 74b800d..da70126 100644 --- a/README.md +++ b/README.md @@ -36,6 +36,7 @@ To Install - [ ] JJY emulator Raspi4 - [ ] Documentation! - [ ] ssh_config build from computers? +- [ ] Modularise host to allow vm builds and hw builds - [ ] Add license - [ ] Add taskfiles diff --git a/flake.nix b/flake.nix index eda0fb3..8f39fd5 100644 --- a/flake.nix +++ b/flake.nix @@ -35,26 +35,27 @@ , sops-nix , ... } @ inputs: + let inherit (self) outputs; forAllSystems = nixpkgs.lib.genAttrs [ "aarch64-linux" - # "i686-linux" "x86_64-linux" - # "aarch64-darwin" - # "x86_64-darwin" + ]; in - with inputs; rec { + rec { # Use nixpkgs-fmt for 'nix fmt' formatter = forAllSystems (system: nixpkgs.legacyPackages."${system}".nixpkgs-fmt); - # nixosModules = import ./nixos/modules/nixos; + lib = import ./lib { inherit inputs; } // inputs.nixpkgs.lib; + nixosConfigurations = + with self.lib; let defaultModules = - (builtins.attrValues nixosModules) ++ + (builtins.attrValues lib.nixosModules) ++ [ sops-nix.nixosModules.sops ]; @@ -70,8 +71,8 @@ , nixpkgs ? inputs.nixpkgs , hardwareModules , baseModules ? [ - # home-manager.nixosModules.home-manager - # ./modules/nixos + ./nixos/modules/nixos + ./nixos/profiles sops-nix.nixosModules.sops ./nixos/hosts/${hostname} ] @@ -193,7 +194,7 @@ inherit (configuration.config.nixpkgs.hostPlatform) system; in { - path = deploy-rs.lib."${system}".activate.nixos configuration; + path = inputs.deploy-rs.lib."${system}".activate.nixos configuration; sshUser = "truxnell"; user = "root"; sshOpts = [ "-t" ]; @@ -208,7 +209,7 @@ }; # deploy-rs: This is highly advised, and will prevent many possible mistakes - checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib; + checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib; }; } diff --git a/lib/default.nix b/lib/default.nix new file mode 100644 index 0000000..d43a07e --- /dev/null 
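Review bot: `lib.nixosModules` in the new `defaultModules` line (`(builtins.attrValues lib.nixosModules) ++`) has no visible definition: inside this `rec` set `lib` is `import ./lib { inherit inputs; } // inputs.nixpkgs.lib`, and the `lib/default.nix` added in this commit exports only `firstOrDefault`, `existsOrDefault` and `mkIfElse`, so evaluating `nixosConfigurations` would stop with a missing-attribute error unless `nixosModules` is defined somewhere the diff does not show. The new `nixos/modules/default.nix` (which exports `mySystem = import ./nixos;`) looks like the intended source; either import that here or drop the `attrValues` term, since `baseModules` in the next hunk already lists `./nixos/modules/nixos` directly. Note also that with `//` the right-hand `inputs.nixpkgs.lib` wins on any name collision, so a local helper that shares a name with a nixpkgs function would be silently shadowed; `inputs.nixpkgs.lib // import ./lib { inherit inputs; }` keeps the local helpers authoritative.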
+++ b/lib/default.nix @@ -0,0 +1,24 @@ +{ inputs, ... }: + +with inputs.nixpkgs.lib; +let + strToPath = x: path: + if builtins.typeOf x == "string" + then builtins.toPath ("${toString path}/${x}") + else x; + strToFile = x: path: + if builtins.typeOf x == "string" + then builtins.toPath ("${toString path}/${x}.nix") + else x; +in +rec { + + firstOrDefault = first: default: if !isNull first then first else default; + + existsOrDefault = x: set: default: if hasAttr x set then getAttr x set else default; + + mkIfElse = p: yes: no: mkMerge [ + (mkIf p yes) + (mkIf (!p) no) + ]; +} diff --git a/nixos/hosts/common/nixos/default.nix b/nixos/hosts/common/nixos/default.nix index 9c91935..93114c0 100644 --- a/nixos/hosts/common/nixos/default.nix +++ b/nixos/hosts/common/nixos/default.nix @@ -8,7 +8,7 @@ [ # inputs.home-manager.nixosModules.home-manager #inputs.sops-nix.nixosModules.sops - ./locale.nix + # ./locale.nix ./nix.nix # ./openssh.nix ./packages.nix diff --git a/nixos/hosts/rickenbacker/default.nix b/nixos/hosts/rickenbacker/default.nix index 63631fa..f88927b 100644 --- a/nixos/hosts/rickenbacker/default.nix +++ b/nixos/hosts/rickenbacker/default.nix @@ -23,13 +23,19 @@ ]; + mySystem.services.openssh.enable = true; + mySystem.security.wheelNeedsSudoPassword = false; + boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; # Enabled for raspi4 compilation + boot.initrd.kernelModules = [ "amdgpu" ]; + + boot.plymouth.enable = true; networking.hostName = "rickenbacker"; # Define your hostname. - # Enable OpenGL + # Enable OpenGL hardware.opengl = { enable = true; driSupport = true; 
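Review bot: `strToPath` and `strToFile` in the `let` of the new `lib/default.nix` are never referenced by the exported `rec` set, so they are dead code; either export them or remove them. `firstOrDefault` uses `isNull`, which Nix has deprecated in favour of a plain comparison; `firstOrDefault = first: default: if first != null then first else default;` is the current idiom. `existsOrDefault` can likewise be written as `existsOrDefault = x: set: default: set.${x} or default;`, the standard attribute-with-fallback form, which avoids the double lookup.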
@@ -37,39 +43,7 @@ }; # Load nvidia driver for Xorg and Wayland - services.xserver.videoDrivers = ["nvidia"]; # or "nvidiaLegacy470 etc. - - hardware.nvidia = { - - # Modesetting is required. - modesetting.enable = true; - - # Nvidia power management. Experimental, and can cause sleep/suspend to fail. - # Enable this if you have graphical corruption issues or application crashes after waking - # up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead - # of just the bare essentials. - powerManagement.enable = false; - - # Fine-grained power management. Turns off GPU when not in use. - # Experimental and only works on modern Nvidia GPUs (Turing or newer). - powerManagement.finegrained = false; - - # Use the NVidia open source kernel module (not to be confused with the - # independent third-party "nouveau" open source driver). - # Support is limited to the Turing and later architectures. Full list of - # supported GPUs is at: - # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus - # Only available from driver 515.43.04+ - # Currently alpha-quality/buggy, so false is currently the recommended setting. - open = false; - - # Enable the Nvidia settings menu, - # accessible via `nvidia-settings`. - nvidiaSettings = true; - - # Optionally, you may need to select the appropriate driver version for your specific GPU. - package = config.boot.kernelPackages.nvidiaPackages.stable; - }; + services.xserver.videoDrivers = [ "amdgpu" ]; # or "nvidiaLegacy470 etc. # Pick only one of the below networking options. # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. diff --git a/nixos/modules/README.md b/nixos/modules/README.md index fe8ab4a..59f655c 100644 --- a/nixos/modules/README.md +++ b/nixos/modules/README.md 
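Review bot: The trailing comment on the new `services.xserver.videoDrivers = [ "amdgpu" ];` line, `# or "nvidiaLegacy470 etc.`, was carried over from the removed nvidia block and no longer describes the value; drop it or replace it with something that matches the hardware, e.g. `services.xserver.videoDrivers = [ "amdgpu" ]; # AMD GPU; nvidia configuration removed`. The context comment just above, `# Load nvidia driver for Xorg and Wayland`, is equally stale now that the driver is amdgpu, though it sits outside the changed lines. The enclosing host attrset continues outside this hunk.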
@@ -1,14 +1,9 @@
-Profiles:
+## Modules
 
-Global: Settings for entire site - time local, chrony, timeservers, dns
-Role: What the role is of the device - graphical/server
-Hardware: Specifics of hardware (hw overlays, rpi4, etc)
-Host: Host-specific (services, user setup)
+A set of 'custom' modules with the aim to enable easy on/off/settings to build up a system modulary to my 'specs'.
 
-nixos
-system
-locale
-time
-openssh
-fish
-chrony
+The main goal is to build up a `mySystem` options key which is easy to read and toggle functionality on and off.
+
+This option key will largely be manipulated by a profile to build up a host to a base, then toggle specific options from there.
+
+I will _try_ and only do modules for things I want to be able to configure, and just use nixos config directly for some simple static things.
diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix
new file mode 100644
index 0000000..8d1b7d9
--- /dev/null
+++ b/nixos/modules/default.nix
@@ -0,0 +1,5 @@
+{
+
+ mySystem = import ./nixos;
+
+}
diff --git a/nixos/modules/nixos/system/defaut.nix b/nixos/modules/nixos/system/default.nix
similarity index 54%
rename from nixos/modules/nixos/system/defaut.nix
rename to nixos/modules/nixos/system/default.nix
index 4619942..933dabe 100644
--- a/nixos/modules/nixos/system/defaut.nix
+++ b/nixos/modules/nixos/system/default.nix
@@ -1,5 +1,7 @@
 {
 imports = [
 ./openssh.nix
+ ./time.nix
+ ./security.nix
 ];
 }
diff --git a/nixos/modules/nixos/system/locale.nix b/nixos/modules/nixos/system/locale.nix
deleted file mode 100644
index a96135a..0000000
--- a/nixos/modules/nixos/system/locale.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{ lib, ... }: {
- i18n = {
- defaultLocale = lib.mkDefault "en_US.UTF-8";
- };
- time.timeZone = lib.mkDefault "Australia/Melbourne";
-}
diff --git a/nixos/modules/nixos/system/openssh.nix b/nixos/modules/nixos/system/openssh.nix
index 0ded042..592c3ea 100644
--- a/nixos/modules/nixos/system/openssh.nix
+++ b/nixos/modules/nixos/system/openssh.nix @@ -1,25 +1,41 @@ { lib , config +, self , ... }: +with lib; let - cfg = config.modules.services.openssh; + cfg = config.mySystem.services.openssh; in { - options.modules.services.openssh = { - enable = lib.mkEnableOption "openssh"; + options.mySystem.services.openssh = { + enable = mkEnableOption "openssh"; + passwordAuthentication = mkOption + { + type = lib.types.bool; + description = "If password can be accepted for ssh (commonly disable for security hardening)"; + default = false; + + }; + permitRootLogin = mkOption + { + type = types.enum [ "yes" "without-password" "prohibit-password" "forced-commands-only" "no" ]; + description = "If root can login via ssh (commonly disable for security hardening)"; + default = "no"; + + }; }; - config = lib.mkIf cfg.enable { + config = mkIf cfg.enable { services.openssh = { enable = true; # TODO: Enable this when option becomes available # Don't allow home-directory authorized_keys - # authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"]; + # authorizedKeysFiles = mkForce ["/etc/ssh/authorized_keys.d/%u"]; settings = { # Harden - PasswordAuthentication = false; - PermitRootLogin = "no"; + PasswordAuthentication = cfg.passwordAuthentication; + PermitRootLogin = cfg.permitRootLogin; # Automatically remove stale sockets StreamLocalBindUnlink = "yes"; # Allow forwarding ports to everywhere @@ -27,14 +43,5 @@ in }; }; - # Passwordless sudo when SSH'ing with keys - security.pam.enableSSHAgentAuth = true; - # TODO: Enable this when option becomes available - # security.pam.sshAgentAuth = { - # enable = true; - # authorizedKeysFiles = [ - # "/etc/ssh/authorized_keys.d/%u" - # ]; - # }; }; } diff --git a/nixos/modules/nixos/system/security.nix b/nixos/modules/nixos/system/security.nix new file mode 100644 index 0000000..bd9b9df --- /dev/null +++ b/nixos/modules/nixos/system/security.nix 
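Review bot: The new `, self` module argument in `openssh.nix` is not used anywhere in the module body, and the module system only supplies the standard arguments (`lib`, `config`, `pkgs`, `options`) plus whatever is passed through `specialArgs` or `_module.args`; if `self` is not provided that way for this host, evaluating the module fails on the missing argument. Removing `, self` from the argument set restores the previous behaviour with no loss. The two new option descriptions could also state their hardening default explicitly, e.g. `description = "Allow password authentication for sshd; defaults to false so only key-based logins are accepted";`, so the intent survives when a host overrides them.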
@@ -0,0 +1,26 @@
+{ lib
+, config
+, ...
+}:
+let
+ cfg = config.mySystem.security;
+in
+{
+ options.mySystem.security.sshAgentAuth = {
+ enable = lib.mkEnableOption "openssh";
+ };
+ options.mySystem.security.wheelNeedsSudoPassword = lib.mkOption {
+ type = lib.types.bool;
+ description = "If wheel group users need password for sudo";
+ default = true;
+ };
+
+ config =
+ {
+ security.pam.enableSSHAgentAuth = lib.mkIf cfg.sshAgentAuth.enable true;
+ security.sudo.wheelNeedsPassword = lib.mkIf cfg.wheelNeedsSudoPassword true;
+
+ };
+
+
+}
diff --git a/nixos/modules/nixos/system/time.nix b/nixos/modules/nixos/system/time.nix
new file mode 100644
index 0000000..0f3c7a2
--- /dev/null
+++ b/nixos/modules/nixos/system/time.nix
@@ -0,0 +1,25 @@
+{ lib
+, config
+, ...
+}:
+let
+ cfg = config.mySystem.time;
+in
+{
+ options.mySystem.time = {
+ timeZone = lib.mkOption {
+ type = lib.types.str;
+ description = "Timezone of system";
+ default = "Australia/Melbourne";
+ };
+ hwClockLocalTime = lib.mkOption {
+ type = lib.types.bool;
+ description = "If hardware clock is set to local time (useful for windows dual boot)";
+ default = false;
+ };
+ };
+ config = {
+ time.timeZone = cfg.timeZone;
+ time.hardwareClockInLocalTime = cfg.hwClockLocalTime;
+ };
+}
diff --git a/nixos/profiles/README.md b/nixos/profiles/README.md
new file mode 100644
index 0000000..ab3717d
--- /dev/null
+++ b/nixos/profiles/README.md
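Review bot: `security.sudo.wheelNeedsPassword = lib.mkIf cfg.wheelNeedsSudoPassword true;` in the new `security.nix` only produces a definition when the option is true; when a host sets `mySystem.security.wheelNeedsSudoPassword = false` (as `nixos/hosts/rickenbacker/default.nix` does in this commit) nothing is defined, the NixOS default of `true` applies, and the option is a no-op in exactly the case it exists for. Assigning the value through, `security.sudo.wheelNeedsPassword = cfg.wheelNeedsSudoPassword;`, makes both states take effect, and the same shape works for the line above, `security.pam.enableSSHAgentAuth = cfg.sshAgentAuth.enable;`. The `sshAgentAuth.enable` option's description is the string `"openssh"`, copied from the openssh module; `lib.mkEnableOption "SSH agent keys as a PAM authentication method (passwordless sudo over SSH)"` says what it actually toggles. Because this option defaults to off while the second openssh.nix hunk removes the unconditional `security.pam.enableSSHAgentAuth = true;`, every host that relied on agent-based sudo loses it unless it sets `mySystem.security.sshAgentAuth.enable = true`, which is worth stating in the commit message.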
@@ -0,0 +1,19 @@
+## Profiles
+
+Here is the profiles that each host picks from to build up a system.
+
+My headspace for this to have be able to have a set of modular components pull together on a granular system from this nix, from 'Everything will have this set' to per-device config.
+Where possible ill use the `mySystem` option list to configure defaults via these profiles, so they _can_ be overridden later. If its not worth writing a custom module for a nixos feature I may just set it directly in the profile.
+
+## Global
+
+Default global settings that will apply to every device. Things like locale, timezone, etc that wont change machine to machine
+
+## Hardware
+
+Hardware settings so I can apply per set of machines as standard- i.e. all Raspi4's may benefit from a specific set of additions/hardware overlays.
+
+## Role
+
+The role the machine have. Machines may have multiple roles
+i.e. servers will want to have bare minimal, remote build settings, where as main desktop/laptop will have full blow GUIs.
diff --git a/nixos/profiles/default.nix b/nixos/profiles/default.nix
new file mode 100644
index 0000000..4e4914c
--- /dev/null
+++ b/nixos/profiles/default.nix
@@ -0,0 +1,13 @@
+{ lib, ... }:
+
+{
+ imports = [
+ ./global.nix
+ # ./desktop.nix
+ # ./development.nix
+ # ./extended.nix
+ ];
+
+
+}
+
diff --git a/nixos/profiles/global.nix b/nixos/profiles/global.nix
new file mode 100644
index 0000000..ea809c1
--- /dev/null
+++ b/nixos/profiles/global.nix
@@ -0,0 +1,17 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let cfg = config.mySystem.profiles.global;
+in
+{
+ options.mySystem.profiles.global.enable = mkEnableOption "Global profile" // { default = true; };
+
+ config = mkIf cfg.enable
+ {
+ mySystem.time.timeZone = "Australia/Melbourne";
+
+ i18n = {
+ defaultLocale = lib.mkDefault "en_AU.UTF-8";
+ };
+ };
+}
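Review bot: `mySystem.time.timeZone = "Australia/Melbourne";` in the new `global.nix` is a plain definition at normal priority, so any host that also sets `mySystem.time.timeZone` gets a conflicting-definition error instead of overriding the profile, which contradicts the accompanying profiles README ("so they _can_ be overridden later") and the adjacent `i18n.defaultLocale = lib.mkDefault "en_AU.UTF-8";`. Use `mySystem.time.timeZone = lib.mkDefault "Australia/Melbourne";`, or drop the line altogether since `time.nix` in this commit already declares that value as the option's default. The `pkgs` argument in the module header is unused and can be removed.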