feat: initial global profile refactor

This commit is contained in:
Truxnell 2024-03-24 18:34:14 +11:00
parent c6f32af795
commit 4e3302f999
15 changed files with 182 additions and 79 deletions

View file

@ -36,6 +36,7 @@ To Install
- [ ] JJY emulator Raspi4
- [ ] Documentation!
- [ ] ssh_config build from computers?
- [ ] Modularise host to allow vm builds and hw builds
- [ ] Add license
- [ ] Add taskfiles

View file

@ -35,26 +35,27 @@
, sops-nix
, ...
} @ inputs:
let
inherit (self) outputs;
forAllSystems = nixpkgs.lib.genAttrs [
"aarch64-linux"
# "i686-linux"
"x86_64-linux"
# "aarch64-darwin"
# "x86_64-darwin"
];
in
with inputs; rec {
rec {
# Use nixpkgs-fmt for 'nix fmt'
formatter = forAllSystems (system: nixpkgs.legacyPackages."${system}".nixpkgs-fmt);
# nixosModules = import ./nixos/modules/nixos;
lib = import ./lib { inherit inputs; } // inputs.nixpkgs.lib;
nixosConfigurations =
with self.lib;
let
defaultModules =
(builtins.attrValues nixosModules) ++
(builtins.attrValues lib.nixosModules) ++
[
sops-nix.nixosModules.sops
];
@ -70,8 +71,8 @@
, nixpkgs ? inputs.nixpkgs
, hardwareModules
, baseModules ? [
# home-manager.nixosModules.home-manager
# ./modules/nixos
./nixos/modules/nixos
./nixos/profiles
sops-nix.nixosModules.sops
./nixos/hosts/${hostname}
]
@ -193,7 +194,7 @@
inherit (configuration.config.nixpkgs.hostPlatform) system;
in
{
path = deploy-rs.lib."${system}".activate.nixos configuration;
path = inputs.deploy-rs.lib."${system}".activate.nixos configuration;
sshUser = "truxnell";
user = "root";
sshOpts = [ "-t" ];
@ -208,7 +209,7 @@
};
# deploy-rs: This is highly advised, and will prevent many possible mistakes
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;
};
}

24
lib/default.nix Normal file
View file

@ -0,0 +1,24 @@
{ inputs, ... }:
with inputs.nixpkgs.lib;
let
strToPath = x: path:
if builtins.typeOf x == "string"
then builtins.toPath ("${toString path}/${x}")
else x;
strToFile = x: path:
if builtins.typeOf x == "string"
then builtins.toPath ("${toString path}/${x}.nix")
else x;
in
rec {
firstOrDefault = first: default: if !isNull first then first else default;
existsOrDefault = x: set: default: if hasAttr x set then getAttr x set else default;
mkIfElse = p: yes: no: mkMerge [
(mkIf p yes)
(mkIf (!p) no)
];
}

View file

@ -8,7 +8,7 @@
[
# inputs.home-manager.nixosModules.home-manager
#inputs.sops-nix.nixosModules.sops
./locale.nix
# ./locale.nix
./nix.nix
# ./openssh.nix
./packages.nix

View file

@ -23,13 +23,19 @@
];
mySystem.services.openssh.enable = true;
mySystem.security.wheelNeedsSudoPassword = false;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; # Enabled for raspi4 compilation
boot.initrd.kernelModules = [ "amdgpu" ];
boot.plymouth.enable = true;
networking.hostName = "rickenbacker"; # Define your hostname.
# Enable OpenGL
# Enable OpenGL
hardware.opengl = {
enable = true;
driSupport = true;
@ -37,39 +43,7 @@
};
# Load nvidia driver for Xorg and Wayland
services.xserver.videoDrivers = ["nvidia"]; # or "nvidiaLegacy470 etc.
hardware.nvidia = {
# Modesetting is required.
modesetting.enable = true;
# Nvidia power management. Experimental, and can cause sleep/suspend to fail.
# Enable this if you have graphical corruption issues or application crashes after waking
# up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead
# of just the bare essentials.
powerManagement.enable = false;
# Fine-grained power management. Turns off GPU when not in use.
# Experimental and only works on modern Nvidia GPUs (Turing or newer).
powerManagement.finegrained = false;
# Use the NVidia open source kernel module (not to be confused with the
# independent third-party "nouveau" open source driver).
# Support is limited to the Turing and later architectures. Full list of
# supported GPUs is at:
# https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus
# Only available from driver 515.43.04+
# Currently alpha-quality/buggy, so false is currently the recommended setting.
open = false;
# Enable the Nvidia settings menu,
# accessible via `nvidia-settings`.
nvidiaSettings = true;
# Optionally, you may need to select the appropriate driver version for your specific GPU.
package = config.boot.kernelPackages.nvidiaPackages.stable;
};
services.xserver.videoDrivers = [ "amdgpu" ]; # or "nvidiaLegacy470 etc.
# Pick only one of the below networking options.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.

View file

@ -1,14 +1,9 @@
Profiles:
## Modules
Global: Settings for entire site - time local, chrony, timeservers, dns
Role: What the role is of the device - graphical/server
Hardware: Specifics of hardware (hw overlays, rpi4, etc)
Host: Host-specific (services, user setup)
A set of 'custom' modules with the aim to enable easy on/off/settings to build up a system modulary to my 'specs'.
nixos
system
locale
time
openssh
fish
chrony
The main goal is to build up a `mySystem` options key which is easy to read and toggle functionality on and off.
This option key will largely be manipulated by a profile to build up a host to a base, then toggle specific options from there.
I will _try_ and only do modules for things I want to be able to configure, and just use nixos config directly for some simple static things.

View file

@ -0,0 +1,5 @@
{
mySystem = import ./nixos;
}

View file

@ -1,5 +1,7 @@
{
imports = [
./openssh.nix
./time.nix
./security.nix
];
}

View file

@ -1,6 +0,0 @@
{ lib, ... }: {
i18n = {
defaultLocale = lib.mkDefault "en_US.UTF-8";
};
time.timeZone = lib.mkDefault "Australia/Melbourne";
}

View file

@ -1,25 +1,41 @@
{ lib
, config
, self
, ...
}:
with lib;
let
cfg = config.modules.services.openssh;
cfg = config.mySystem.services.openssh;
in
{
options.modules.services.openssh = {
enable = lib.mkEnableOption "openssh";
options.mySystem.services.openssh = {
enable = mkEnableOption "openssh";
passwordAuthentication = mkOption
{
type = lib.types.bool;
description = "If password can be accepted for ssh (commonly disable for security hardening)";
default = false;
};
permitRootLogin = mkOption
{
type = types.enum [ "yes" "without-password" "prohibit-password" "forced-commands-only" "no" ];
description = "If root can login via ssh (commonly disable for security hardening)";
default = "no";
};
};
config = lib.mkIf cfg.enable {
config = mkIf cfg.enable {
services.openssh = {
enable = true;
# TODO: Enable this when option becomes available
# Don't allow home-directory authorized_keys
# authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
# authorizedKeysFiles = mkForce ["/etc/ssh/authorized_keys.d/%u"];
settings = {
# Harden
PasswordAuthentication = false;
PermitRootLogin = "no";
PasswordAuthentication = cfg.passwordAuthentication;
PermitRootLogin = cfg.permitRootLogin;
# Automatically remove stale sockets
StreamLocalBindUnlink = "yes";
# Allow forwarding ports to everywhere
@ -27,14 +43,5 @@ in
};
};
# Passwordless sudo when SSH'ing with keys
security.pam.enableSSHAgentAuth = true;
# TODO: Enable this when option becomes available
# security.pam.sshAgentAuth = {
# enable = true;
# authorizedKeysFiles = [
# "/etc/ssh/authorized_keys.d/%u"
# ];
# };
};
}

View file

@ -0,0 +1,26 @@
{ lib
, config
, ...
}:
let
cfg = config.mySystem.security;
in
{
options.mySystem.security.sshAgentAuth = {
enable = lib.mkEnableOption "openssh";
};
options.mySystem.security.wheelNeedsSudoPassword = lib.mkOption {
type = lib.types.bool;
description = "If wheel group users need password for sudo";
default = true;
};
config =
{
security.pam.enableSSHAgentAuth = lib.mkIf cfg.sshAgentAuth.enable true;
security.sudo.wheelNeedsPassword = lib.mkIf cfg.wheelNeedsSudoPassword true;
};
}

View file

@ -0,0 +1,25 @@
{ lib
, config
, ...
}:
let
cfg = config.mySystem.time;
in
{
options.mySystem.time = {
timeZone = lib.mkOption {
type = lib.types.str;
description = "Timezone of system";
default = "Australia/Melbourne";
};
hwClockLocalTime = lib.mkOption {
type = lib.types.bool;
description = "If hardware clock is set to local time (useful for windows dual boot)";
default = false;
};
};
config = {
time.timeZone = cfg.timeZone;
time.hardwareClockInLocalTime = cfg.hwClockLocalTime;
};
}

19
nixos/profiles/README.md Normal file
View file

@ -0,0 +1,19 @@
## Profiles
Here is the profiles that each host picks from to build up a system.
My headspace for this to have be able to have a set of modular components pull together on a granular system from this nix, from 'Everything will have this set' to per-device config.
Where possible ill use the `mySystem` option list to configure defaults via these profiles, so they _can_ be overridden later. If its not worth writing a custom module for a nixos feature I may just set it directly in the profile.
## Global
Default global settings that will apply to every device. Things like locale, timezone, etc that wont change machine to machine
## Hardware
Hardware settings so I can apply per set of machines as standard- i.e. all Raspi4's may benefit from a specific set of additions/hardware overlays.
## Role
The role the machine have. Machines may have multiple roles
i.e. servers will want to have bare minimal, remote build settings, where as main desktop/laptop will have full blow GUIs.

View file

@ -0,0 +1,13 @@
{ lib, ... }:
{
imports = [
./global.nix
# ./desktop.nix
# ./development.nix
# ./extended.nix
];
}

17
nixos/profiles/global.nix Normal file
View file

@ -0,0 +1,17 @@
{ config, lib, pkgs, ... }:
with lib;
let cfg = config.mySystem.profiles.global;
in
{
options.mySystem.profiles.global.enable = mkEnableOption "Global profile" // { default = true; };
config = mkIf cfg.enable
{
mySystem.time.timeZone = "Australia/Melbourne";
i18n = {
defaultLocale = lib.mkDefault "en_AU.UTF-8";
};
};
}