Started work on a modularized machine config; it does not quite work yet. Changed Ophanim's kernel to hardened.

This commit is contained in:
Kevin Baensch 2019-03-17 11:43:14 +01:00
parent 2efae4f888
commit a0f361425a
10 changed files with 162 additions and 63 deletions


@ -1,8 +1,6 @@
{ config, lib, pkgs, ... }:
let
cfg = import ("/etc/nixos/machines/" + (builtins.replaceStrings ["\n"] [""] (builtins.readFile /etc/hostname)) + "/configuration.nix");
in {
{
imports = [
./etc.nix
./locale.nix
@ -10,5 +8,5 @@ in {
./nix.nix
./users.nix
./zsh.nix
] ++ (if cfg.conf.networking.hostName != "Ophanim" then [./fonts.nix] else [./security.nix]);
] ++ (if (config.machine.hostName != "Ophanim") then [./fonts.nix] else [./security.nix]);
}
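Review bot: Making `imports` depend on `config.machine.hostName` (the `] ++ (if (config.machine.hostName != "Ophanim") then [./fonts.nix] else [./security.nix]);` line) cannot work in the NixOS module system: the module set must be fixed before `config` is evaluated, so this produces an infinite-recursion error instead of a conditional import, which is presumably the "same problem" the comments in configuration.nix refer to and the reason the Ophanim hardening in ./security.nix does not load in this state. Import both files unconditionally and gate their contents inside each module with `config = lib.mkIf (config.machine.hostName == "Ophanim") { ... };` (inverted for fonts.nix), or pass the host name in via `specialArgs` so it is a module argument rather than a config value. `imports = config.machine.services;` in what appears to be services/default.nix has the same defect.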


@ -1,18 +1,18 @@
{ config, lib, pkgs, ... }:
let
cfg = import ("/etc/nixos/machines/" + (builtins.replaceStrings ["\n"] [""] (builtins.readFile /etc/hostname)) + "/configuration.nix");
firewallcfg = config.machine.networking.firewall;
in {
networking = {
hostName = cfg.conf.networking.hostName;
# should probably add some etc file for this....
hostName = config.machine.hostName;
firewall = {
enable = true;
allowPing = cfg.conf.networking.firewall.allowPing;
allowedUDPPorts = cfg.conf.networking.firewall.allowedUDPPorts;
allowedTCPPorts = cfg.conf.networking.firewall.allowedTCPPorts;
allowedUDPPortRanges = cfg.conf.networking.firewall.allowedUDPPortRanges;
allowedTCPPortRanges = cfg.conf.networking.firewall.allowedTCPPortRanges;
allowPing = firewallcfg.allowPing;
allowedUDPPorts = firewallcfg.allowedUDPPorts;
allowedTCPPorts = firewallcfg.allowedTCPPorts;
allowedUDPPortRanges = firewallcfg.allowedUDPPortRanges;
allowedTCPPortRanges = firewallcfg.allowedTCPPortRanges;
};
};
}
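Review bot: `firewallcfg = config.machine.networking.firewall;` reads an option path that options/machine.nix never declares — the firewall options live directly under `options.machine.firewall`, and `hostName` is read from the flat `config.machine.hostName` a few lines later — so evaluation fails with a missing-attribute error at `allowPing = firewallcfg.allowPing;`. Either use `firewallcfg = config.machine.firewall;` here or move the declarations to `options.machine.networking.firewall`. The machine file (the `networking = { hostName = "Lilim"; firewall = { ... } }` block in machines/Lilim/Lilim.nix) has the same mismatch and sets `machine.networking.*`, which the module system rejects as an undeclared option; pick one path and use it in all three files.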


@ -1,8 +1,6 @@
{ config, lib, pkgs, ... }:
let
cfg = with lib; import ("/etc/nixos/machines/" + (replaceStrings ["\n"] [""] (readFile /etc/hostname)) + "/configuration.nix");
in {
{
users = {
mutableUsers = false;
users.derped = {
@ -11,11 +9,11 @@ in {
createHome = true;
description = "";
group = "derped";
extraGroups = [ "audio" "wheel" "network" ] ++ (if cfg.conf.networking.hostName != "Ophanim" then ["input" "cups" "lp"] else []);
extraGroups = [ "audio" "wheel" "network" ] ++ (if config.machine.hostName != "Ophanim" then ["input" "cups" "lp" "docker"] else []);
uid = 1337;
shell = "/run/current-system/sw/bin/zsh";
passwordFile = "/secret/derped";
openssh.authorizedKeys.keyFiles = (if cfg.conf.networking.hostName != "Ophanim" then [] else [ "/secret/derped.pub" ]);
openssh.authorizedKeys.keyFiles = (if config.machine.hostName != "Ophanim" then [] else [ "/secret/derped.pub" ]);
};
groups.derped = {
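Review bot: The new `"docker"` entry in `extraGroups` hands this user access to the docker daemon socket — which is effectively root on the host — on every non-Ophanim machine purely by host name, whether or not ../../services/docker.nix is actually in `config.machine.services`. Tie the group to the daemon instead: `extraGroups = [ "audio" "wheel" "network" ] ++ (if config.machine.hostName != "Ophanim" then ["input" "cups" "lp"] else []) ++ lib.optional config.virtualisation.docker.enable "docker";` and add a short comment on the line such as `# docker group is root-equivalent (daemon socket access)`. The `users.users.derped` attribute set continues past the end of the hunk.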


@ -1,13 +1,24 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = import ("/etc/nixos/machines/" + (builtins.replaceStrings ["\n"] [""] (builtins.readFile /etc/hostname)) + "/configuration.nix");
in {
# hint: use 'echo -n' so there is no newline char in the hostName file
cfgPath = (builtins.toPath ("/etc/nixos/machines/" + (builtins.readFile /secret/hostName) + "/configuration.nix"));
in rec {
imports = [
cfg.confPath
./config/default.nix
cfgPath
# use
# config.machine.confPath
# instead of
./machines/Lilim/Lilim.nix
# ./config/default.nix # same problem as above
./pkgs/nixpkgs.nix
./pkgs/pkgsets.nix
./services/default.nix
# ./services/default.nix # same problem as above
];
}
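Review bot: The hardcoded `./machines/Lilim/Lilim.nix` import loads Lilim's machine options on every host, including Ophanim, while `./config/default.nix` and `./services/default.nix` are commented out, so none of the shared configuration — including the security.nix hardening meant for Ophanim — is applied at all in this state. Derive both machine paths from the host name read from /secret/hostName once, as below (assuming every machine directory follows the Lilim layout), and restore the two commented imports once their `config`-dependent `imports` are fixed. Stripping the newline from the read value also removes the dependence on the 'echo -n' hint, and `rec` is unnecessary since nothing in the set refers to itself.
```nix
let
  # hint: use 'echo -n' so there is no newline char in the hostName file
  hostName = builtins.replaceStrings ["\n"] [""] (builtins.readFile /secret/hostName);
  machineDir = /etc/nixos/machines + "/${hostName}";
in {
  imports = [
    (machineDir + "/configuration.nix")
    (machineDir + "/${hostName}.nix")
    # … unchanged: ./config/default.nix, ./pkgs/nixpkgs.nix, ./pkgs/pkgsets.nix, ./services/default.nix …
  ];
}
```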


@ -1,32 +1,38 @@
{ config, lib, pkgs, ... }:
with lib;
{
confPath = ./Lilim.nix;
pkgs = [
"base"
"emacs"
"extra"
"cpp"
"haskell"
"mailutils"
"python3"
"rustpkgs"
"xpkgs"
];
services = [
../../services/xserver.nix
../../services/udev.nix
../../services/cups.nix
];
conf = {
imports = [ ../../options/machine.nix ];
config.machine = {
confPath = ./Lilim.nix;
pkgs = [
"base"
"dict"
"emacs"
"extra"
"cpp"
"haskell"
"mailutils"
"python3"
"rustpkgs"
"xpkgs"
];
services = [
../../services/xserver.nix
../../services/docker.nix
../../services/udev.nix
../../services/cups.nix
];
allowUnfree = true;
networking = {
hostName = "Lilim";
firewall = {
allowPing = true;
allowedUDPPorts = [];
allowedTCPPorts = [];
allowedUDPPortRanges = [ { from = 1714; to = 1764; } ];
allowedTCPPortRanges = [ { from = 1714; to = 1764; } ];
};
hostName = "Lilim";
firewall = {
allowPing = true;
allowedUDPPorts = [];
allowedTCPPorts = [];
allowedUDPPortRanges = [ { from = 1714; to = 1764; } ];
allowedTCPPortRanges = [ { from = 1714; to = 1764; } ];
};
};
}

View file

@ -7,7 +7,7 @@
boot = {
initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ];
kernelPackages = pkgs.linuxPackages_latest;
kernelPackages = pkgs.linuxPackages_latest_hardened;
kernelModules = [ ];
extraModulePackages = [ ];
loader.grub = {
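Review bot: Switching to `pkgs.linuxPackages_latest_hardened` changes only the kernel; the NixOS hardened profile (`<nixpkgs/nixos/modules/profiles/hardened.nix>`) and the sysctl and module-locking settings that usually go with it are not part of this hunk, and with config/default.nix commented out in configuration.nix the Ophanim-specific security.nix is not imported either, so this line is currently the only hardening in effect. A comment such as `# hardened kernel only; the rest of Ophanim's hardening lives in config/security.nix` would make that split explicit. `pkgs.linuxPackages_hardened` (default kernel series) may be the more conservative choice if the hardened patch set lags the latest series, but that cannot be verified from this diff. The `boot = {` attribute set begins and ends outside the hunk.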

70
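--- /dev/null
+++ b/options/machine.nix
@@ -0,0 +1,70 @@
+{ config, pkgs, lib, ... }:
+with lib;
+{
+options.machine = {
+confPath = mkOption {
+type = types.path;
+description = ''
+Path to the machines configuration.nix
+'';
+};
+allowUnfree = mkOption {
+type = types.bool;
+description = ''
+Wether to allow the installation of unfree packages.
+'';
+};
+pkgs = mkOption {
+type = types.listOf types.string;
+description = ''
+The list of metapackages to be installed.
+'';
+};
+services = mkOption {
+type = types.listOf types.path;
+description = ''
+List of services to be enabled.
+'';
+};
+hostName = mkOption {
+type = types.str;
+description = ''
+The Machines HostName
+'';
+};
+firewall = {
+allowPing = mkOption {
+type = types.bool;
+description = ''
+See networking.firewall.allowPing.
+'';
+};
+allowedUDPPorts = mkOption {
+type = types.listOf types.int;
+description = ''
+See networking.firewall.allowerdUDPPorts.
+'';
+};
+allowedTCPPorts = mkOption {
+type = types.listOf types.int;
+description = ''
+See networking.firewall.allowedTCPPorts.
+'';
+};
+allowedUDPPortRanges = mkOption {
+type = types.listOf (types.attrsOf types.int);
+description = ''
+See networking.firewall.allowerdUDPPortRanges.
+'';
+};
+allowedTCPPortRanges = mkOption {
+type = types.listOf (types.attrsOf types.int);
+description = ''
+See networking.firewall.allowedTCPPortRanges.
+'';
+};
+};
+};
+}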
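Review bot: `type = types.listOf types.string;` for `pkgs` should be `type = types.listOf types.str;`, as already used for `hostName` below — `types.string` is the deprecated variant that silently concatenates multiple definitions instead of reporting a conflict. None of the options carries a `default`, so every machine file must define all ten or evaluation fails; `default = [];` on the list options and `default = true;` on `allowPing` (matching the NixOS default) would let machines define only what differs. The `firewall` options are declared at `machine.firewall` while networking.nix and Lilim.nix use `machine.networking.firewall`, and `types.int` for ports accepts values outside 0–65535 where a bounded port type would not. The descriptions also carry typos (`Wether`, `allowerdUDPPorts`, `allowerdUDPPortRanges`, `machines` for `machine's`) that will show up verbatim in generated option docs.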


@ -3,9 +3,10 @@
gitpkgs ? import /nixpkgs/default.nix,
config, lib, pkgs, ... }:
with lib;
let
cfg = with lib; import ("/etc/nixos/machines/" + (replaceStrings ["\n"] [""] (readFile /etc/hostname)) + "/configuration.nix");
optPkgs = with lib; package: pkgstring: if elem pkgstring cfg.pkgs then package else [];
optPkgs = package: pkgstring: if elem pkgstring config.machine.pkgs then package else [];
gitpkgs = import /nixpkgs/default.nix {};
# Programms I'm likely to want on every machine and/or may execute as root
@ -36,7 +37,7 @@ let
nix-update-source
nix-zsh-completions
nixbang
# nixops
nixops
nmap
nox
ntfs3g
@ -66,6 +67,12 @@ let
zsh
];
dict = with pkgs; [
translate-shell
( hunspellWithDicts (with pkgs.hunspellDicts; [ de-de en-us ] ))
( aspellWithDicts (d: [ d.de d.en d.en-computers d.en-science ] ))
];
emacs = gitpkgs.emacsWithPackages (epkgs: with epkgs; [
/* Theming */
solarized-theme color-theme-sanityinc-tomorrow moe-theme powerline moody minions
@ -80,6 +87,7 @@ let
wsd-mode
plantuml-mode
/* Other Stuff, not yet sorted */
google-translate
transmission
org-plus-contrib orgit ox-gfm ox-rst
eclim
@ -152,7 +160,7 @@ let
})
];
python3 = gitpkgs.python3Full.withPackages(ps: with ps; [
python3 = gitpkgs.python3Full.withPackages(ps: with ps; [
GitPython
bpython
configparser
@ -160,6 +168,7 @@ let
elpy
emoji
epc
genanki
numpy
opencv3
paho-mqtt
@ -168,7 +177,6 @@ let
pip
plotly
pyflakes
pygame_sdl2
pylama
pylint
pyopengl
@ -201,10 +209,9 @@ let
# flask_sqlalchemy
# flask_testing
# flask_wtf
# flaskbabel
# flaskbabel
/* temporarily fix python stuff */
py3status pytz tzlocal
]);
rustpkgs = with pkgs; [
@ -243,6 +250,7 @@ let
in {
environment.systemPackages = base
++ (optPkgs dict "dict")
++ (optPkgs [emacs] "emacs")
++ (optPkgs extra "extra")
++ (optPkgs mailutils "mailutils")
@ -256,8 +264,8 @@ in {
++ (optPkgs xpkgs "xpkgs");
services.emacs = {
enable = (lib.elem "emacs" cfg.pkgs);
install = (lib.elem "emacs" cfg.pkgs);
enable = (elem "emacs" config.machine.pkgs);
install = (elem "emacs" config.machine.pkgs);
package = emacs;
};
}
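Review bot: `optPkgs = package: pkgstring: if elem pkgstring config.machine.pkgs then package else [];` silently installs nothing when an entry in `machine.pkgs` is misspelled, and since the option is a free-form string list in options/machine.nix there is no check anywhere in the chain. Either declare the option as `types.listOf (types.enum [ "base" "dict" "emacs" "extra" "cpp" "haskell" "mailutils" "python3" "rustpkgs" "xpkgs" ])` or add an assertion in this module, e.g. `assertions = [ { assertion = all (p: elem p knownSets) config.machine.pkgs; message = "unknown entry in machine.pkgs"; } ];` with `knownSets` listing the names `optPkgs` is called with. The `let` block holding the package sets and the enclosing function body extend beyond the hunks shown.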


@ -1,7 +1,7 @@
{ config, lib, pkgs, ... }:
let
cfg = import ("/etc/nixos/machines/" + (builtins.replaceStrings ["\n"] [""] (builtins.readFile /etc/hostname)) + "/configuration.nix");
in {
imports = cfg.services;
with lib;
{
imports = config.machine.services;
}

8
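--- /dev/null
+++ b/services/docker.nix
@@ -0,0 +1,8 @@
+{ config, lib, pkgs, ... }:
+# Note: add privileged users to docker group for access
+{
+virtualisation.docker.enable = true;
+environment.systemPackages = with pkgs; [ docker-compose docker-machine ];
+### Docker Image stuff will probably follow here
+}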
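Review bot: The comment `# Note: add privileged users to docker group for access` understates what the group grants — any member can start a privileged container and so has root-equivalent access to the host — and should read something like `# Note: the docker group is root-equivalent (unrestricted daemon socket access); add only admin users`. With `virtualisation.docker.enable = true;` the daemon runs permanently on every machine that imports this file; `virtualisation.docker.enableOnBoot = false;` lets it be started on demand via socket activation instead, which is a smaller always-on footprint for a workstation. The empty `### Docker Image stuff will probably follow here` placeholder is better left out until there is content.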