feat: initial global profile refactor

README.md

@@ -36,6 +36,7 @@ To Install
   - [ ] JJY emulator Raspi4
 - [ ] Documentation!
 - [ ] ssh_config build from computers?
+- [ ] Modularise host to allow vm builds and hw builds
 - [ ] Add license
 - [ ] Add taskfiles
 

flake.nix

@@ -35,26 +35,27 @@
     , sops-nix
     , ...
     } @ inputs:
+
     let
       inherit (self) outputs;
       forAllSystems = nixpkgs.lib.genAttrs [
         "aarch64-linux"
-        # "i686-linux"
         "x86_64-linux"
-        # "aarch64-darwin"
+
-        # "x86_64-darwin"
       ];
     in
-    with inputs; rec {
+    rec {
       # Use nixpkgs-fmt for 'nix fmt'
       formatter = forAllSystems (system: nixpkgs.legacyPackages."${system}".nixpkgs-fmt);
 
-      # nixosModules = import ./nixos/modules/nixos;
+      lib = import ./lib { inherit inputs; } // inputs.nixpkgs.lib;
+
 
       nixosConfigurations =
+        with self.lib;
         let
           defaultModules =
-            (builtins.attrValues nixosModules) ++
+            (builtins.attrValues lib.nixosModules) ++
             [
               sops-nix.nixosModules.sops
             ];
@@ -70,8 +71,8 @@
             , nixpkgs ? inputs.nixpkgs
             , hardwareModules
             , baseModules ? [
-                # home-manager.nixosModules.home-manager
+                ./nixos/modules/nixos
-                # ./modules/nixos
+                ./nixos/profiles
                 sops-nix.nixosModules.sops
                 ./nixos/hosts/${hostname}
               ]
@@ -193,7 +194,7 @@
                 inherit (configuration.config.nixpkgs.hostPlatform) system;
               in
               {
-                path = deploy-rs.lib."${system}".activate.nixos configuration;
+                path = inputs.deploy-rs.lib."${system}".activate.nixos configuration;
                 sshUser = "truxnell";
                 user = "root";
                 sshOpts = [ "-t" ];
@@ -208,7 +209,7 @@
         };
 
       # deploy-rs: This is highly advised, and will prevent many possible mistakes
-      checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
+      checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;
     };
 
 }

lib/default.nix

@@ -0,0 +1,24 @@
+{ inputs, ... }:
+
+with inputs.nixpkgs.lib;
+let
+  strToPath = x: path:
+    if builtins.typeOf x == "string"
+    then builtins.toPath ("${toString path}/${x}")
+    else x;
+  strToFile = x: path:
+    if builtins.typeOf x == "string"
+    then builtins.toPath ("${toString path}/${x}.nix")
+    else x;
+in
+rec {
+
+  firstOrDefault = first: default: if !isNull first then first else default;
+
+  existsOrDefault = x: set: default: if hasAttr x set then getAttr x set else default;
+
+  mkIfElse = p: yes: no: mkMerge [
+    (mkIf p yes)
+    (mkIf (!p) no)
+  ];
+}

nixos/hosts/common/nixos/default.nix

@@ -8,7 +8,7 @@
     [
       # inputs.home-manager.nixosModules.home-manager
       #inputs.sops-nix.nixosModules.sops
-      ./locale.nix
+      # ./locale.nix
       ./nix.nix
       # ./openssh.nix
       ./packages.nix

nixos/hosts/rickenbacker/default.nix

@@ -23,13 +23,19 @@
 
   ];
 
+  mySystem.services.openssh.enable = true;
+  mySystem.security.wheelNeedsSudoPassword = false;
+
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
   boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; # Enabled for raspi4 compilation
+  boot.initrd.kernelModules = [ "amdgpu" ];
+
+  boot.plymouth.enable = true;
 
   networking.hostName = "rickenbacker"; # Define your hostname.
 
- # Enable OpenGL
+  # Enable OpenGL
   hardware.opengl = {
     enable = true;
     driSupport = true;
@@ -37,39 +43,7 @@
   };
 
   # Load nvidia driver for Xorg and Wayland
-  services.xserver.videoDrivers = ["nvidia"]; # or "nvidiaLegacy470 etc.
+  services.xserver.videoDrivers = [ "amdgpu" ]; # or "nvidiaLegacy470 etc.
-
-  hardware.nvidia = {
-
-    # Modesetting is required.
-    modesetting.enable = true;
-
-    # Nvidia power management. Experimental, and can cause sleep/suspend to fail.
-    # Enable this if you have graphical corruption issues or application crashes after waking
-    # up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead
-    # of just the bare essentials.
-    powerManagement.enable = false;
-
-    # Fine-grained power management. Turns off GPU when not in use.
-    # Experimental and only works on modern Nvidia GPUs (Turing or newer).
-    powerManagement.finegrained = false;
-
-    # Use the NVidia open source kernel module (not to be confused with the
-    # independent third-party "nouveau" open source driver).
-    # Support is limited to the Turing and later architectures. Full list of
-    # supported GPUs is at:
-    # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus
-    # Only available from driver 515.43.04+
-    # Currently alpha-quality/buggy, so false is currently the recommended setting.
-    open = false;
-
-    # Enable the Nvidia settings menu,
-    # accessible via `nvidia-settings`.
-    nvidiaSettings = true;
-
-    # Optionally, you may need to select the appropriate driver version for your specific GPU.
-    package = config.boot.kernelPackages.nvidiaPackages.stable;
-  };
 
   # Pick only one of the below networking options.
   # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.

nixos/modules/README.md

@@ -1,14 +1,9 @@
-Profiles:
+## Modules
 
-Global: Settings for entire site - time local, chrony, timeservers, dns
+A set of 'custom' modules with the aim to enable easy on/off/settings to build up a system modulary to my 'specs'.
-Role: What the role is of the device - graphical/server
-Hardware: Specifics of hardware (hw overlays, rpi4, etc)
-Host: Host-specific (services, user setup)
 
-nixos
+The main goal is to build up a `mySystem` options key which is easy to read and toggle functionality on and off.
-system
+
-locale
+This option key will largely be manipulated by a profile to build up a host to a base, then toggle specific options from there.
-time
+
-openssh
+I will _try_ and only do modules for things I want to be able to configure, and just use nixos config directly for some simple static things.
-fish
-chrony

nixos/modules/default.nix

@@ -0,0 +1,5 @@
+{
+
+  mySystem = import ./nixos;
+
+}

nixos/modules/nixos/system/default.nix

@@ -1,5 +1,7 @@
 {
   imports = [
     ./openssh.nix
+    ./time.nix
+    ./security.nix
   ];
 }

nixos/modules/nixos/system/locale.nix

@@ -1,6 +0,0 @@
-{ lib, ... }: {
-  i18n = {
-    defaultLocale = lib.mkDefault "en_US.UTF-8";
-  };
-  time.timeZone = lib.mkDefault "Australia/Melbourne";
-}

nixos/modules/nixos/system/openssh.nix

@@ -1,25 +1,41 @@
 { lib
 , config
+, self
 , ...
 }:
+with lib;
 let
-  cfg = config.modules.services.openssh;
+  cfg = config.mySystem.services.openssh;
 in
 {
-  options.modules.services.openssh = {
+  options.mySystem.services.openssh = {
-    enable = lib.mkEnableOption "openssh";
+    enable = mkEnableOption "openssh";
+    passwordAuthentication = mkOption
+      {
+        type = lib.types.bool;
+        description = "If password can be accepted for ssh (commonly disable for security hardening)";
+        default = false;
+
+      };
+    permitRootLogin = mkOption
+      {
+        type = types.enum [ "yes" "without-password" "prohibit-password" "forced-commands-only" "no" ];
+        description = "If root can login via ssh (commonly disable for security hardening)";
+        default = "no";
+
+      };
   };
 
-  config = lib.mkIf cfg.enable {
+  config = mkIf cfg.enable {
     services.openssh = {
       enable = true;
       # TODO: Enable this when option becomes available
       # Don't allow home-directory authorized_keys
-      # authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
+      # authorizedKeysFiles = mkForce ["/etc/ssh/authorized_keys.d/%u"];
       settings = {
         # Harden
-        PasswordAuthentication = false;
+        PasswordAuthentication = cfg.passwordAuthentication;
-        PermitRootLogin = "no";
+        PermitRootLogin = cfg.permitRootLogin;
         # Automatically remove stale sockets
         StreamLocalBindUnlink = "yes";
         # Allow forwarding ports to everywhere
@@ -27,14 +43,5 @@ in
       };
     };
 
-    # Passwordless sudo when SSH'ing with keys
-    security.pam.enableSSHAgentAuth = true;
-    # TODO: Enable this when option becomes available
-    # security.pam.sshAgentAuth = {
-    #   enable = true;
-    #   authorizedKeysFiles = [
-    #     "/etc/ssh/authorized_keys.d/%u"
-    #   ];
-    # };
   };
 }

nixos/modules/nixos/system/security.nix

@@ -0,0 +1,26 @@
+{ lib
+, config
+, ...
+}:
+let
+  cfg = config.mySystem.security;
+in
+{
+  options.mySystem.security.sshAgentAuth = {
+    enable = lib.mkEnableOption "openssh";
+  };
+  options.mySystem.security.wheelNeedsSudoPassword = lib.mkOption {
+    type = lib.types.bool;
+    description = "If wheel group users need password for sudo";
+    default = true;
+  };
+
+  config =
+    {
+      security.pam.enableSSHAgentAuth = lib.mkIf cfg.sshAgentAuth.enable true;
+      security.sudo.wheelNeedsPassword = lib.mkIf cfg.wheelNeedsSudoPassword true;
+
+    };
+
+
+}

nixos/modules/nixos/system/time.nix

@@ -0,0 +1,25 @@
+{ lib
+, config
+, ...
+}:
+let
+  cfg = config.mySystem.time;
+in
+{
+  options.mySystem.time = {
+    timeZone = lib.mkOption {
+      type = lib.types.str;
+      description = "Timezone of system";
+      default = "Australia/Melbourne";
+    };
+    hwClockLocalTime = lib.mkOption {
+      type = lib.types.bool;
+      description = "If hardware clock is set to local time (useful for windows dual boot)";
+      default = false;
+    };
+  };
+  config = {
+    time.timeZone = cfg.timeZone;
+    time.hardwareClockInLocalTime = cfg.hwClockLocalTime;
+  };
+}

nixos/profiles/README.md

@@ -0,0 +1,19 @@
+## Profiles
+
+Here is the profiles that each host picks from to build up a system.
+
+My headspace for this to have be able to have a set of modular components pull together on a granular system from this nix, from 'Everything will have this set' to per-device config.
+Where possible ill use the `mySystem` option list to configure defaults via these profiles, so they _can_ be overridden later. If its not worth writing a custom module for a nixos feature I may just set it directly in the profile.
+
+## Global
+
+Default global settings that will apply to every device. Things like locale, timezone, etc that wont change machine to machine
+
+## Hardware
+
+Hardware settings so I can apply per set of machines as standard- i.e. all Raspi4's may benefit from a specific set of additions/hardware overlays.
+
+## Role
+
+The role the machine have. Machines may have multiple roles
+i.e. servers will want to have bare minimal, remote build settings, where as main desktop/laptop will have full blow GUIs.

nixos/profiles/default.nix

@@ -0,0 +1,13 @@
+{ lib, ... }:
+
+{
+  imports = [
+    ./global.nix
+    # ./desktop.nix
+    # ./development.nix
+    # ./extended.nix
+  ];
+
+
+}
+

nixos/profiles/global.nix

@@ -0,0 +1,17 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let cfg = config.mySystem.profiles.global;
+in
+{
+  options.mySystem.profiles.global.enable = mkEnableOption "Global profile" // { default = true; };
+
+  config = mkIf cfg.enable
+    {
+      mySystem.time.timeZone = "Australia/Melbourne";
+
+      i18n = {
+        defaultLocale = lib.mkDefault "en_AU.UTF-8";
+      };
+    };
+}