feat: initial global profile refactor
This commit is contained in:
parent
c6f32af795
commit
4e3302f999
15 changed files with 182 additions and 79 deletions
@ -36,6 +36,7 @@ To Install
|
||||||
- [ ] JJY emulator Raspi4
|
- [ ] JJY emulator Raspi4
|
||||||
- [ ] Documentation!
|
- [ ] Documentation!
|
||||||
- [ ] ssh_config build from computers?
|
- [ ] ssh_config build from computers?
|
||||||
|
- [ ] Modularise host to allow vm builds and hw builds
|
||||||
- [ ] Add license
|
- [ ] Add license
|
||||||
- [ ] Add taskfiles
|
- [ ] Add taskfiles
|
||||||
|
|
||||||
21
flake.nix
21
flake.nix
|
@ -35,26 +35,27 @@
|
||||||
, sops-nix
|
, sops-nix
|
||||||
, ...
|
, ...
|
||||||
} @ inputs:
|
} @ inputs:
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (self) outputs;
|
inherit (self) outputs;
|
||||||
forAllSystems = nixpkgs.lib.genAttrs [
|
forAllSystems = nixpkgs.lib.genAttrs [
|
||||||
"aarch64-linux"
|
"aarch64-linux"
|
||||||
# "i686-linux"
|
|
||||||
"x86_64-linux"
|
"x86_64-linux"
|
||||||
# "aarch64-darwin"
|
|
||||||
# "x86_64-darwin"
|
|
||||||
];
|
];
|
||||||
in
|
in
|
||||||
with inputs; rec {
|
rec {
|
||||||
# Use nixpkgs-fmt for 'nix fmt'
|
# Use nixpkgs-fmt for 'nix fmt'
|
||||||
formatter = forAllSystems (system: nixpkgs.legacyPackages."${system}".nixpkgs-fmt);
|
formatter = forAllSystems (system: nixpkgs.legacyPackages."${system}".nixpkgs-fmt);
|
||||||
|
|
||||||
# nixosModules = import ./nixos/modules/nixos;
|
lib = import ./lib { inherit inputs; } // inputs.nixpkgs.lib;
|
||||||
|
|
||||||
|
|
||||||
nixosConfigurations =
|
nixosConfigurations =
|
||||||
|
with self.lib;
|
||||||
let
|
let
|
||||||
defaultModules =
|
defaultModules =
|
||||||
(builtins.attrValues nixosModules) ++
|
(builtins.attrValues lib.nixosModules) ++
|
||||||
[
|
[
|
||||||
sops-nix.nixosModules.sops
|
sops-nix.nixosModules.sops
|
||||||
];
|
];
|
||||||
|
@ -70,8 +71,8 @@
|
||||||
, nixpkgs ? inputs.nixpkgs
|
, nixpkgs ? inputs.nixpkgs
|
||||||
, hardwareModules
|
, hardwareModules
|
||||||
, baseModules ? [
|
, baseModules ? [
|
||||||
# home-manager.nixosModules.home-manager
|
./nixos/modules/nixos
|
||||||
# ./modules/nixos
|
./nixos/profiles
|
||||||
sops-nix.nixosModules.sops
|
sops-nix.nixosModules.sops
|
||||||
./nixos/hosts/${hostname}
|
./nixos/hosts/${hostname}
|
||||||
]
|
]
|
||||||
|
@ -193,7 +194,7 @@
|
||||||
inherit (configuration.config.nixpkgs.hostPlatform) system;
|
inherit (configuration.config.nixpkgs.hostPlatform) system;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
path = deploy-rs.lib."${system}".activate.nixos configuration;
|
path = inputs.deploy-rs.lib."${system}".activate.nixos configuration;
|
||||||
sshUser = "truxnell";
|
sshUser = "truxnell";
|
||||||
user = "root";
|
user = "root";
|
||||||
sshOpts = [ "-t" ];
|
sshOpts = [ "-t" ];
|
||||||
|
@ -208,7 +209,7 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
# deploy-rs: This is highly advised, and will prevent many possible mistakes
|
# deploy-rs: This is highly advised, and will prevent many possible mistakes
|
||||||
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
|
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;
|
||||||
};
|
};
|
||||||
|
|
||||||
}
|
}
|
||||||
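Review bot: `defaultModules` in the first hunk now reads `lib.nixosModules`, but the `lib` output defined a few lines above in the same attribute set is `import ./lib { inherit inputs; } // inputs.nixpkgs.lib`, and neither lib/default.nix as added in this commit nor nixpkgs.lib defines `nixosModules`, so this raises a missing-attribute error as soon as `defaultModules` is forced (unless that attribute is supplied somewhere outside the diff). The new nixos/modules/default.nix (`{ mySystem = import ./nixos; }`) looks like the intended source but nothing wires it in; making that explicit, e.g. `lib = import ./lib { inherit inputs; } // inputs.nixpkgs.lib // { nixosModules = import ./nixos/modules; };`, or deleting `defaultModules` if the `baseModules` list in the second hunk has replaced it, would remove the latent failure. The added `with self.lib;` is redundant with the lexically bound `lib` and widens implicit name resolution to every nixpkgs.lib attribute; a plain `lib.` prefix is clearer. The `let` that `defaultModules` opens runs past the end of the hunk.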
24
lib/default.nix
Normal file
24
lib/default.nix
Normal file
|
@ -0,0 +1,24 @@
|
||||||
|
{ inputs, ... }:
|
||||||
|
|
||||||
|
with inputs.nixpkgs.lib;
|
||||||
|
let
|
||||||
|
strToPath = x: path:
|
||||||
|
if builtins.typeOf x == "string"
|
||||||
|
then builtins.toPath ("${toString path}/${x}")
|
||||||
|
else x;
|
||||||
|
strToFile = x: path:
|
||||||
|
if builtins.typeOf x == "string"
|
||||||
|
then builtins.toPath ("${toString path}/${x}.nix")
|
||||||
|
else x;
|
||||||
|
in
|
||||||
|
rec {
|
||||||
|
|
||||||
|
firstOrDefault = first: default: if !isNull first then first else default;
|
||||||
|
|
||||||
|
existsOrDefault = x: set: default: if hasAttr x set then getAttr x set else default;
|
||||||
|
|
||||||
|
mkIfElse = p: yes: no: mkMerge [
|
||||||
|
(mkIf p yes)
|
||||||
|
(mkIf (!p) no)
|
||||||
|
];
|
||||||
|
}
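Review bot: `strToPath` and `strToFile` are bound in the `let` but never used or returned by the `rec` set, so they are dead code in this file as committed; either drop them or export them alongside the other helpers. `firstOrDefault` uses `isNull`, which the Nix manual marks as deprecated in favour of a null comparison: `firstOrDefault = first: default: if first != null then first else default;`. Because flake.nix merges this set as `import ./lib { inherit inputs; } // inputs.nixpkgs.lib`, the right-hand operand wins on a name collision, so a local helper that happens to share a name with a nixpkgs.lib function is silently replaced; a one-line header comment stating that constraint would help whoever adds the next helper. `rec` is not needed either, since no attribute refers to another.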
@ -8,7 +8,7 @@
|
||||||
[
|
[
|
||||||
# inputs.home-manager.nixosModules.home-manager
|
# inputs.home-manager.nixosModules.home-manager
|
||||||
#inputs.sops-nix.nixosModules.sops
|
#inputs.sops-nix.nixosModules.sops
|
||||||
./locale.nix
|
# ./locale.nix
|
||||||
./nix.nix
|
./nix.nix
|
||||||
# ./openssh.nix
|
# ./openssh.nix
|
||||||
./packages.nix
|
./packages.nix
|
||||||
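Review bot: `./locale.nix` is commented out rather than removed, while a locale.nix matching those settings is deleted later in this commit, so the line is dead; delete it instead of leaving a third commented-out import in the list. The import list this hunk sits in begins and ends outside the hunk.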
@ -23,13 +23,19 @@
|
||||||
|
|
||||||
];
|
];
|
||||||
|
|
||||||
|
mySystem.services.openssh.enable = true;
|
||||||
|
mySystem.security.wheelNeedsSudoPassword = false;
|
||||||
|
|
||||||
boot.loader.systemd-boot.enable = true;
|
boot.loader.systemd-boot.enable = true;
|
||||||
boot.loader.efi.canTouchEfiVariables = true;
|
boot.loader.efi.canTouchEfiVariables = true;
|
||||||
boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; # Enabled for raspi4 compilation
|
boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; # Enabled for raspi4 compilation
|
||||||
|
boot.initrd.kernelModules = [ "amdgpu" ];
|
||||||
|
|
||||||
|
boot.plymouth.enable = true;
|
||||||
|
|
||||||
networking.hostName = "rickenbacker"; # Define your hostname.
|
networking.hostName = "rickenbacker"; # Define your hostname.
|
||||||
|
|
||||||
# Enable OpenGL
|
# Enable OpenGL
|
||||||
hardware.opengl = {
|
hardware.opengl = {
|
||||||
enable = true;
|
enable = true;
|
||||||
driSupport = true;
|
driSupport = true;
|
||||||
|
@ -37,39 +43,7 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
# Load nvidia driver for Xorg and Wayland
|
# Load nvidia driver for Xorg and Wayland
|
||||||
services.xserver.videoDrivers = ["nvidia"]; # or "nvidiaLegacy470 etc.
|
services.xserver.videoDrivers = [ "amdgpu" ]; # or "nvidiaLegacy470 etc.
|
||||||
|
|
||||||
hardware.nvidia = {
|
|
||||||
|
|
||||||
# Modesetting is required.
|
|
||||||
modesetting.enable = true;
|
|
||||||
|
|
||||||
# Nvidia power management. Experimental, and can cause sleep/suspend to fail.
|
|
||||||
# Enable this if you have graphical corruption issues or application crashes after waking
|
|
||||||
# up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead
|
|
||||||
# of just the bare essentials.
|
|
||||||
powerManagement.enable = false;
|
|
||||||
|
|
||||||
# Fine-grained power management. Turns off GPU when not in use.
|
|
||||||
# Experimental and only works on modern Nvidia GPUs (Turing or newer).
|
|
||||||
powerManagement.finegrained = false;
|
|
||||||
|
|
||||||
# Use the NVidia open source kernel module (not to be confused with the
|
|
||||||
# independent third-party "nouveau" open source driver).
|
|
||||||
# Support is limited to the Turing and later architectures. Full list of
|
|
||||||
# supported GPUs is at:
|
|
||||||
# https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus
|
|
||||||
# Only available from driver 515.43.04+
|
|
||||||
# Currently alpha-quality/buggy, so false is currently the recommended setting.
|
|
||||||
open = false;
|
|
||||||
|
|
||||||
# Enable the Nvidia settings menu,
|
|
||||||
# accessible via `nvidia-settings`.
|
|
||||||
nvidiaSettings = true;
|
|
||||||
|
|
||||||
# Optionally, you may need to select the appropriate driver version for your specific GPU.
|
|
||||||
package = config.boot.kernelPackages.nvidiaPackages.stable;
|
|
||||||
};
|
|
||||||
|
|
||||||
# Pick only one of the below networking options.
|
# Pick only one of the below networking options.
|
||||||
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
|
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
|
||||||
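Review bot: The comments kept around the driver change in the second hunk are now stale: `# Load nvidia driver for Xorg and Wayland` and the trailing `# or "nvidiaLegacy470 etc.` describe the removed `hardware.nvidia` block while the line now reads `services.xserver.videoDrivers = [ "amdgpu" ];`; update or drop them. Separately, the first hunk enables `mySystem.services.openssh` but not `mySystem.security.sshAgentAuth`; the old openssh module set `security.pam.enableSSHAgentAuth = true` unconditionally when enabled, so if this host previously used that module it loses agent-based sudo authentication here, and `mySystem.security.sshAgentAuth.enable = true;` next to the openssh line would restore it if that is intended. The module body these hunks belong to starts before the first hunk.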
@ -1,14 +1,9 @@
|
||||||
Profiles:
|
## Modules
|
||||||
|
|
||||||
Global: Settings for entire site - time local, chrony, timeservers, dns
|
A set of 'custom' modules with the aim to enable easy on/off/settings to build up a system modulary to my 'specs'.
|
||||||
Role: What the role is of the device - graphical/server
|
|
||||||
Hardware: Specifics of hardware (hw overlays, rpi4, etc)
|
|
||||||
Host: Host-specific (services, user setup)
|
|
||||||
|
|
||||||
nixos
|
The main goal is to build up a `mySystem` options key which is easy to read and toggle functionality on and off.
|
||||||
system
|
|
||||||
locale
|
This option key will largely be manipulated by a profile to build up a host to a base, then toggle specific options from there.
|
||||||
time
|
|
||||||
openssh
|
I will _try_ and only do modules for things I want to be able to configure, and just use nixos config directly for some simple static things.
|
||||||
fish
|
|
||||||
chrony
|
|
||||||
|
|
5
nixos/modules/default.nix
Normal file
5
nixos/modules/default.nix
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
{
|
||||||
|
|
||||||
|
mySystem = import ./nixos;
|
||||||
|
|
||||||
|
}
@ -1,5 +1,7 @@
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
./openssh.nix
|
./openssh.nix
|
||||||
|
./time.nix
|
||||||
|
./security.nix
|
||||||
];
|
];
|
||||||
}
|
}
@ -1,6 +0,0 @@
|
||||||
{ lib, ... }: {
|
|
||||||
i18n = {
|
|
||||||
defaultLocale = lib.mkDefault "en_US.UTF-8";
|
|
||||||
};
|
|
||||||
time.timeZone = lib.mkDefault "Australia/Melbourne";
|
|
||||||
}
|
@ -1,25 +1,41 @@
|
||||||
{ lib
|
{ lib
|
||||||
, config
|
, config
|
||||||
|
, self
|
||||||
, ...
|
, ...
|
||||||
}:
|
}:
|
||||||
|
with lib;
|
||||||
let
|
let
|
||||||
cfg = config.modules.services.openssh;
|
cfg = config.mySystem.services.openssh;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.modules.services.openssh = {
|
options.mySystem.services.openssh = {
|
||||||
enable = lib.mkEnableOption "openssh";
|
enable = mkEnableOption "openssh";
|
||||||
|
passwordAuthentication = mkOption
|
||||||
|
{
|
||||||
|
type = lib.types.bool;
|
||||||
|
description = "If password can be accepted for ssh (commonly disable for security hardening)";
|
||||||
|
default = false;
|
||||||
|
|
||||||
|
};
|
||||||
|
permitRootLogin = mkOption
|
||||||
|
{
|
||||||
|
type = types.enum [ "yes" "without-password" "prohibit-password" "forced-commands-only" "no" ];
|
||||||
|
description = "If root can login via ssh (commonly disable for security hardening)";
|
||||||
|
default = "no";
|
||||||
|
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = lib.mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
services.openssh = {
|
services.openssh = {
|
||||||
enable = true;
|
enable = true;
|
||||||
# TODO: Enable this when option becomes available
|
# TODO: Enable this when option becomes available
|
||||||
# Don't allow home-directory authorized_keys
|
# Don't allow home-directory authorized_keys
|
||||||
# authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
|
# authorizedKeysFiles = mkForce ["/etc/ssh/authorized_keys.d/%u"];
|
||||||
settings = {
|
settings = {
|
||||||
# Harden
|
# Harden
|
||||||
PasswordAuthentication = false;
|
PasswordAuthentication = cfg.passwordAuthentication;
|
||||||
PermitRootLogin = "no";
|
PermitRootLogin = cfg.permitRootLogin;
|
||||||
# Automatically remove stale sockets
|
# Automatically remove stale sockets
|
||||||
StreamLocalBindUnlink = "yes";
|
StreamLocalBindUnlink = "yes";
|
||||||
# Allow forwarding ports to everywhere
|
# Allow forwarding ports to everywhere
|
||||||
|
@ -27,14 +43,5 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# Passwordless sudo when SSH'ing with keys
|
|
||||||
security.pam.enableSSHAgentAuth = true;
|
|
||||||
# TODO: Enable this when option becomes available
|
|
||||||
# security.pam.sshAgentAuth = {
|
|
||||||
# enable = true;
|
|
||||||
# authorizedKeysFiles = [
|
|
||||||
# "/etc/ssh/authorized_keys.d/%u"
|
|
||||||
# ];
|
|
||||||
# };
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
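Review bot: The second hunk drops `security.pam.enableSSHAgentAuth = true;` from the openssh module without its replacement being switched on anywhere in this diff: the new `mySystem.security.sshAgentAuth.enable` option in security.nix defaults to false, so every host that relied on agent-forwarded sudo silently loses it in a commit titled as a refactor; either call out the behaviour change in the commit message or give the new option the old default. `self` is added to the module arguments but is unused in the visible hunks, and a module argument that nothing supplies (via `specialArgs` or `_module.args`, not shown here) fails evaluation, so drop it until it is needed. Under the new `with lib;`, the option types mix `lib.types.bool` and bare `types.enum`; pick one form. The `config = mkIf cfg.enable {` block opened in the first hunk is closed in the second.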
26
nixos/modules/nixos/system/security.nix
Normal file
26
nixos/modules/nixos/system/security.nix
Normal file
|
@ -0,0 +1,26 @@
|
||||||
|
{ lib
|
||||||
|
, config
|
||||||
|
, ...
|
||||||
|
}:
|
||||||
|
let
|
||||||
|
cfg = config.mySystem.security;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options.mySystem.security.sshAgentAuth = {
|
||||||
|
enable = lib.mkEnableOption "openssh";
|
||||||
|
};
|
||||||
|
options.mySystem.security.wheelNeedsSudoPassword = lib.mkOption {
|
||||||
|
type = lib.types.bool;
|
||||||
|
description = "If wheel group users need password for sudo";
|
||||||
|
default = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
config =
|
||||||
|
{
|
||||||
|
security.pam.enableSSHAgentAuth = lib.mkIf cfg.sshAgentAuth.enable true;
|
||||||
|
security.sudo.wheelNeedsPassword = lib.mkIf cfg.wheelNeedsSudoPassword true;
|
||||||
|
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
|
}
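Review bot: `security.sudo.wheelNeedsPassword = lib.mkIf cfg.wheelNeedsSudoPassword true;` cannot turn the setting off: when the option is false, `mkIf false` contributes no definition and the NixOS default (`true`) stands, so the `mySystem.security.wheelNeedsSudoPassword = false;` that the host config in this commit sets is a silent no-op. Assign the value directly, `security.sudo.wheelNeedsPassword = cfg.wheelNeedsSudoPassword;`, which also lets hosts layer `mkDefault`/`mkForce` on the option as usual; the `enableSSHAgentAuth` line is fine as written because its default is already false. The `sshAgentAuth.enable` option is declared with `lib.mkEnableOption "openssh"`, a copy-paste from the openssh module; `lib.mkEnableOption "SSH agent authentication for PAM (sudo without a password when an agent is forwarded)"` says what it toggles. A comment on `wheelNeedsSudoPassword` noting that the default `true` mirrors the NixOS default would make the intended fail-safe explicit.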
25
nixos/modules/nixos/system/time.nix
Normal file
25
nixos/modules/nixos/system/time.nix
Normal file
|
@ -0,0 +1,25 @@
|
||||||
|
{ lib
|
||||||
|
, config
|
||||||
|
, ...
|
||||||
|
}:
|
||||||
|
let
|
||||||
|
cfg = config.mySystem.time;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options.mySystem.time = {
|
||||||
|
timeZone = lib.mkOption {
|
||||||
|
type = lib.types.str;
|
||||||
|
description = "Timezone of system";
|
||||||
|
default = "Australia/Melbourne";
|
||||||
|
};
|
||||||
|
hwClockLocalTime = lib.mkOption {
|
||||||
|
type = lib.types.bool;
|
||||||
|
description = "If hardware clock is set to local time (useful for windows dual boot)";
|
||||||
|
default = false;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
config = {
|
||||||
|
time.timeZone = cfg.timeZone;
|
||||||
|
time.hardwareClockInLocalTime = cfg.hwClockLocalTime;
|
||||||
|
};
|
||||||
|
}
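Review bot: `time.timeZone = cfg.timeZone;` is an unconditional default-priority definition, whereas the deleted locale.nix used `lib.mkDefault`; a host that still sets `time.timeZone` directly now gets a conflicting-definitions error instead of overriding it. Writing `time.timeZone = lib.mkDefault cfg.timeZone;` and `time.hardwareClockInLocalTime = lib.mkDefault cfg.hwClockLocalTime;` keeps direct NixOS settings working while `mySystem.time.*` still supplies the default. Since `timeZone` already defaults to `"Australia/Melbourne"` here, the same literal in profiles/global.nix is redundant; a comment on the option saying which of the two is the source of truth would stop them drifting apart.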
19
nixos/profiles/README.md
Normal file
19
nixos/profiles/README.md
Normal file
|
@ -0,0 +1,19 @@
|
||||||
|
## Profiles
|
||||||
|
|
||||||
|
Here is the profiles that each host picks from to build up a system.
|
||||||
|
|
||||||
|
My headspace for this to have be able to have a set of modular components pull together on a granular system from this nix, from 'Everything will have this set' to per-device config.
|
||||||
|
Where possible ill use the `mySystem` option list to configure defaults via these profiles, so they _can_ be overridden later. If its not worth writing a custom module for a nixos feature I may just set it directly in the profile.
|
||||||
|
|
||||||
|
## Global
|
||||||
|
|
||||||
|
Default global settings that will apply to every device. Things like locale, timezone, etc that wont change machine to machine
|
||||||
|
|
||||||
|
## Hardware
|
||||||
|
|
||||||
|
Hardware settings so I can apply per set of machines as standard- i.e. all Raspi4's may benefit from a specific set of additions/hardware overlays.
|
||||||
|
|
||||||
|
## Role
|
||||||
|
|
||||||
|
The role the machine have. Machines may have multiple roles
|
||||||
|
i.e. servers will want to have bare minimal, remote build settings, where as main desktop/laptop will have full blow GUIs.
13
nixos/profiles/default.nix
Normal file
13
nixos/profiles/default.nix
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
{ lib, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
./global.nix
|
||||||
|
# ./desktop.nix
|
||||||
|
# ./development.nix
|
||||||
|
# ./extended.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
|
||||||
|
}
|
||||||
|
17
nixos/profiles/global.nix
Normal file
17
nixos/profiles/global.nix
Normal file
|
@ -0,0 +1,17 @@
|
||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
|
with lib;
|
||||||
|
let cfg = config.mySystem.profiles.global;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options.mySystem.profiles.global.enable = mkEnableOption "Global profile" // { default = true; };
|
||||||
|
|
||||||
|
config = mkIf cfg.enable
|
||||||
|
{
|
||||||
|
mySystem.time.timeZone = "Australia/Melbourne";
|
||||||
|
|
||||||
|
i18n = {
|
||||||
|
defaultLocale = lib.mkDefault "en_AU.UTF-8";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
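Review bot: `mySystem.time.timeZone = "Australia/Melbourne";` is set at default priority, so a host that sets `mySystem.time.timeZone` to anything else hits a conflicting-definitions error rather than overriding the profile, which contradicts the profiles README added in this commit ("so they _can_ be overridden later"); use `mySystem.time.timeZone = mkDefault "Australia/Melbourne";` as the `i18n.defaultLocale` line already does. The locale also changes from `en_US.UTF-8` in the deleted locale.nix to `en_AU.UTF-8` here, a behaviour change worth a line in the commit message. `with lib;` is opened at the top yet `lib.mkDefault` keeps its prefix, and `pkgs` is accepted but unused; tidy both or drop the `with`.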