feat: initial global profile refactor
This commit is contained in:
parent
c6f32af795
commit
4e3302f999
15 changed files with 182 additions and 79 deletions
|
@ -36,6 +36,7 @@ To Install
|
|||
- [ ] JJY emulator Raspi4
|
||||
- [ ] Documentation!
|
||||
- [ ] ssh_config build from computers?
|
||||
- [ ] Modularise host to allow vm builds and hw builds
|
||||
- [ ] Add license
|
||||
- [ ] Add taskfiles
|
||||
|
||||
|
|
21
flake.nix
21
flake.nix
|
@ -35,26 +35,27 @@
|
|||
, sops-nix
|
||||
, ...
|
||||
} @ inputs:
|
||||
|
||||
let
|
||||
inherit (self) outputs;
|
||||
forAllSystems = nixpkgs.lib.genAttrs [
|
||||
"aarch64-linux"
|
||||
# "i686-linux"
|
||||
"x86_64-linux"
|
||||
# "aarch64-darwin"
|
||||
# "x86_64-darwin"
|
||||
|
||||
];
|
||||
in
|
||||
with inputs; rec {
|
||||
rec {
|
||||
# Use nixpkgs-fmt for 'nix fmt'
|
||||
formatter = forAllSystems (system: nixpkgs.legacyPackages."${system}".nixpkgs-fmt);
|
||||
|
||||
# nixosModules = import ./nixos/modules/nixos;
|
||||
lib = import ./lib { inherit inputs; } // inputs.nixpkgs.lib;
|
||||
|
||||
|
||||
nixosConfigurations =
|
||||
with self.lib;
|
||||
let
|
||||
defaultModules =
|
||||
(builtins.attrValues nixosModules) ++
|
||||
(builtins.attrValues lib.nixosModules) ++
|
||||
[
|
||||
sops-nix.nixosModules.sops
|
||||
];
|
||||
|
@ -70,8 +71,8 @@
|
|||
, nixpkgs ? inputs.nixpkgs
|
||||
, hardwareModules
|
||||
, baseModules ? [
|
||||
# home-manager.nixosModules.home-manager
|
||||
# ./modules/nixos
|
||||
./nixos/modules/nixos
|
||||
./nixos/profiles
|
||||
sops-nix.nixosModules.sops
|
||||
./nixos/hosts/${hostname}
|
||||
]
|
||||
|
@ -193,7 +194,7 @@
|
|||
inherit (configuration.config.nixpkgs.hostPlatform) system;
|
||||
in
|
||||
{
|
||||
path = deploy-rs.lib."${system}".activate.nixos configuration;
|
||||
path = inputs.deploy-rs.lib."${system}".activate.nixos configuration;
|
||||
sshUser = "truxnell";
|
||||
user = "root";
|
||||
sshOpts = [ "-t" ];
|
||||
|
@ -208,7 +209,7 @@
|
|||
};
|
||||
|
||||
# deploy-rs: This is highly advised, and will prevent many possible mistakes
|
||||
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
|
||||
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;
|
||||
};
|
||||
|
||||
}
|
||||
|
|
24
lib/default.nix
Normal file
24
lib/default.nix
Normal file
|
@ -0,0 +1,24 @@
|
|||
{ inputs, ... }:
|
||||
|
||||
with inputs.nixpkgs.lib;
|
||||
let
|
||||
strToPath = x: path:
|
||||
if builtins.typeOf x == "string"
|
||||
then builtins.toPath ("${toString path}/${x}")
|
||||
else x;
|
||||
strToFile = x: path:
|
||||
if builtins.typeOf x == "string"
|
||||
then builtins.toPath ("${toString path}/${x}.nix")
|
||||
else x;
|
||||
in
|
||||
rec {
|
||||
|
||||
firstOrDefault = first: default: if !isNull first then first else default;
|
||||
|
||||
existsOrDefault = x: set: default: if hasAttr x set then getAttr x set else default;
|
||||
|
||||
mkIfElse = p: yes: no: mkMerge [
|
||||
(mkIf p yes)
|
||||
(mkIf (!p) no)
|
||||
];
|
||||
}
|
|
@ -8,7 +8,7 @@
|
|||
[
|
||||
# inputs.home-manager.nixosModules.home-manager
|
||||
#inputs.sops-nix.nixosModules.sops
|
||||
./locale.nix
|
||||
# ./locale.nix
|
||||
./nix.nix
|
||||
# ./openssh.nix
|
||||
./packages.nix
|
||||
|
|
|
@ -23,13 +23,19 @@
|
|||
|
||||
];
|
||||
|
||||
mySystem.services.openssh.enable = true;
|
||||
mySystem.security.wheelNeedsSudoPassword = false;
|
||||
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; # Enabled for raspi4 compilation
|
||||
boot.initrd.kernelModules = [ "amdgpu" ];
|
||||
|
||||
boot.plymouth.enable = true;
|
||||
|
||||
networking.hostName = "rickenbacker"; # Define your hostname.
|
||||
|
||||
# Enable OpenGL
|
||||
# Enable OpenGL
|
||||
hardware.opengl = {
|
||||
enable = true;
|
||||
driSupport = true;
|
||||
|
@ -37,39 +43,7 @@
|
|||
};
|
||||
|
||||
# Load nvidia driver for Xorg and Wayland
|
||||
services.xserver.videoDrivers = ["nvidia"]; # or "nvidiaLegacy470 etc.
|
||||
|
||||
hardware.nvidia = {
|
||||
|
||||
# Modesetting is required.
|
||||
modesetting.enable = true;
|
||||
|
||||
# Nvidia power management. Experimental, and can cause sleep/suspend to fail.
|
||||
# Enable this if you have graphical corruption issues or application crashes after waking
|
||||
# up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead
|
||||
# of just the bare essentials.
|
||||
powerManagement.enable = false;
|
||||
|
||||
# Fine-grained power management. Turns off GPU when not in use.
|
||||
# Experimental and only works on modern Nvidia GPUs (Turing or newer).
|
||||
powerManagement.finegrained = false;
|
||||
|
||||
# Use the NVidia open source kernel module (not to be confused with the
|
||||
# independent third-party "nouveau" open source driver).
|
||||
# Support is limited to the Turing and later architectures. Full list of
|
||||
# supported GPUs is at:
|
||||
# https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus
|
||||
# Only available from driver 515.43.04+
|
||||
# Currently alpha-quality/buggy, so false is currently the recommended setting.
|
||||
open = false;
|
||||
|
||||
# Enable the Nvidia settings menu,
|
||||
# accessible via `nvidia-settings`.
|
||||
nvidiaSettings = true;
|
||||
|
||||
# Optionally, you may need to select the appropriate driver version for your specific GPU.
|
||||
package = config.boot.kernelPackages.nvidiaPackages.stable;
|
||||
};
|
||||
services.xserver.videoDrivers = [ "amdgpu" ]; # or "nvidiaLegacy470 etc.
|
||||
|
||||
# Pick only one of the below networking options.
|
||||
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
|
||||
|
|
|
@ -1,14 +1,9 @@
|
|||
Profiles:
|
||||
## Modules
|
||||
|
||||
Global: Settings for entire site - time local, chrony, timeservers, dns
|
||||
Role: What the role is of the device - graphical/server
|
||||
Hardware: Specifics of hardware (hw overlays, rpi4, etc)
|
||||
Host: Host-specific (services, user setup)
|
||||
A set of 'custom' modules with the aim to enable easy on/off/settings to build up a system modulary to my 'specs'.
|
||||
|
||||
nixos
|
||||
system
|
||||
locale
|
||||
time
|
||||
openssh
|
||||
fish
|
||||
chrony
|
||||
The main goal is to build up a `mySystem` options key which is easy to read and toggle functionality on and off.
|
||||
|
||||
This option key will largely be manipulated by a profile to build up a host to a base, then toggle specific options from there.
|
||||
|
||||
I will _try_ and only do modules for things I want to be able to configure, and just use nixos config directly for some simple static things.
|
||||
|
|
5
nixos/modules/default.nix
Normal file
5
nixos/modules/default.nix
Normal file
|
@ -0,0 +1,5 @@
|
|||
{
|
||||
|
||||
mySystem = import ./nixos;
|
||||
|
||||
}
|
|
@ -1,5 +1,7 @@
|
|||
{
|
||||
imports = [
|
||||
./openssh.nix
|
||||
./time.nix
|
||||
./security.nix
|
||||
];
|
||||
}
|
|
@ -1,6 +0,0 @@
|
|||
{ lib, ... }: {
|
||||
i18n = {
|
||||
defaultLocale = lib.mkDefault "en_US.UTF-8";
|
||||
};
|
||||
time.timeZone = lib.mkDefault "Australia/Melbourne";
|
||||
}
|
|
@ -1,25 +1,41 @@
|
|||
{ lib
|
||||
, config
|
||||
, self
|
||||
, ...
|
||||
}:
|
||||
with lib;
|
||||
let
|
||||
cfg = config.modules.services.openssh;
|
||||
cfg = config.mySystem.services.openssh;
|
||||
in
|
||||
{
|
||||
options.modules.services.openssh = {
|
||||
enable = lib.mkEnableOption "openssh";
|
||||
options.mySystem.services.openssh = {
|
||||
enable = mkEnableOption "openssh";
|
||||
passwordAuthentication = mkOption
|
||||
{
|
||||
type = lib.types.bool;
|
||||
description = "If password can be accepted for ssh (commonly disable for security hardening)";
|
||||
default = false;
|
||||
|
||||
};
|
||||
permitRootLogin = mkOption
|
||||
{
|
||||
type = types.enum [ "yes" "without-password" "prohibit-password" "forced-commands-only" "no" ];
|
||||
description = "If root can login via ssh (commonly disable for security hardening)";
|
||||
default = "no";
|
||||
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
config = mkIf cfg.enable {
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
# TODO: Enable this when option becomes available
|
||||
# Don't allow home-directory authorized_keys
|
||||
# authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
|
||||
# authorizedKeysFiles = mkForce ["/etc/ssh/authorized_keys.d/%u"];
|
||||
settings = {
|
||||
# Harden
|
||||
PasswordAuthentication = false;
|
||||
PermitRootLogin = "no";
|
||||
PasswordAuthentication = cfg.passwordAuthentication;
|
||||
PermitRootLogin = cfg.permitRootLogin;
|
||||
# Automatically remove stale sockets
|
||||
StreamLocalBindUnlink = "yes";
|
||||
# Allow forwarding ports to everywhere
|
||||
|
@ -27,14 +43,5 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
# Passwordless sudo when SSH'ing with keys
|
||||
security.pam.enableSSHAgentAuth = true;
|
||||
# TODO: Enable this when option becomes available
|
||||
# security.pam.sshAgentAuth = {
|
||||
# enable = true;
|
||||
# authorizedKeysFiles = [
|
||||
# "/etc/ssh/authorized_keys.d/%u"
|
||||
# ];
|
||||
# };
|
||||
};
|
||||
}
|
||||
|
|
26
nixos/modules/nixos/system/security.nix
Normal file
26
nixos/modules/nixos/system/security.nix
Normal file
|
@ -0,0 +1,26 @@
|
|||
{ lib
|
||||
, config
|
||||
, ...
|
||||
}:
|
||||
let
|
||||
cfg = config.mySystem.security;
|
||||
in
|
||||
{
|
||||
options.mySystem.security.sshAgentAuth = {
|
||||
enable = lib.mkEnableOption "openssh";
|
||||
};
|
||||
options.mySystem.security.wheelNeedsSudoPassword = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
description = "If wheel group users need password for sudo";
|
||||
default = true;
|
||||
};
|
||||
|
||||
config =
|
||||
{
|
||||
security.pam.enableSSHAgentAuth = lib.mkIf cfg.sshAgentAuth.enable true;
|
||||
security.sudo.wheelNeedsPassword = lib.mkIf cfg.wheelNeedsSudoPassword true;
|
||||
|
||||
};
|
||||
|
||||
|
||||
}
|
25
nixos/modules/nixos/system/time.nix
Normal file
25
nixos/modules/nixos/system/time.nix
Normal file
|
@ -0,0 +1,25 @@
|
|||
{ lib
|
||||
, config
|
||||
, ...
|
||||
}:
|
||||
let
|
||||
cfg = config.mySystem.time;
|
||||
in
|
||||
{
|
||||
options.mySystem.time = {
|
||||
timeZone = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = "Timezone of system";
|
||||
default = "Australia/Melbourne";
|
||||
};
|
||||
hwClockLocalTime = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
description = "If hardware clock is set to local time (useful for windows dual boot)";
|
||||
default = false;
|
||||
};
|
||||
};
|
||||
config = {
|
||||
time.timeZone = cfg.timeZone;
|
||||
time.hardwareClockInLocalTime = cfg.hwClockLocalTime;
|
||||
};
|
||||
}
|
19
nixos/profiles/README.md
Normal file
19
nixos/profiles/README.md
Normal file
|
@ -0,0 +1,19 @@
|
|||
## Profiles
|
||||
|
||||
Here is the profiles that each host picks from to build up a system.
|
||||
|
||||
My headspace for this to have be able to have a set of modular components pull together on a granular system from this nix, from 'Everything will have this set' to per-device config.
|
||||
Where possible ill use the `mySystem` option list to configure defaults via these profiles, so they _can_ be overridden later. If its not worth writing a custom module for a nixos feature I may just set it directly in the profile.
|
||||
|
||||
## Global
|
||||
|
||||
Default global settings that will apply to every device. Things like locale, timezone, etc that wont change machine to machine
|
||||
|
||||
## Hardware
|
||||
|
||||
Hardware settings so I can apply per set of machines as standard- i.e. all Raspi4's may benefit from a specific set of additions/hardware overlays.
|
||||
|
||||
## Role
|
||||
|
||||
The role the machine have. Machines may have multiple roles
|
||||
i.e. servers will want to have bare minimal, remote build settings, where as main desktop/laptop will have full blow GUIs.
|
13
nixos/profiles/default.nix
Normal file
13
nixos/profiles/default.nix
Normal file
|
@ -0,0 +1,13 @@
|
|||
{ lib, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./global.nix
|
||||
# ./desktop.nix
|
||||
# ./development.nix
|
||||
# ./extended.nix
|
||||
];
|
||||
|
||||
|
||||
}
|
||||
|
17
nixos/profiles/global.nix
Normal file
17
nixos/profiles/global.nix
Normal file
|
@ -0,0 +1,17 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
let cfg = config.mySystem.profiles.global;
|
||||
in
|
||||
{
|
||||
options.mySystem.profiles.global.enable = mkEnableOption "Global profile" // { default = true; };
|
||||
|
||||
config = mkIf cfg.enable
|
||||
{
|
||||
mySystem.time.timeZone = "Australia/Melbourne";
|
||||
|
||||
i18n = {
|
||||
defaultLocale = lib.mkDefault "en_AU.UTF-8";
|
||||
};
|
||||
};
|
||||
}
|
Reference in a new issue