Modularized configuration now kind of works. (still need to do some refactoring)

2019-03-20 02:57:59 +01:00 · 2019-03-20 02:57:59 +01:00 · 14332b2c7b
parent a0f361425a
commit 14332b2c7b
24 changed files with 144 additions and 85 deletions
--- a/config/default.nix
+++ b/config/default.nix
@ -3,10 +3,12 @@
 {
  imports = [
    ./etc.nix
+    ./fonts.nix
    ./locale.nix
    ./networking.nix
    ./nix.nix
+    ./security.nix
    ./users.nix
    ./zsh.nix
-    ] ++ (if (config.machine.hostName != "Ophanim") then [./fonts.nix] else [./security.nix]);
+    ];
 }
--- a/config/etc.nix
+++ b/config/etc.nix
@ -1,7 +1,9 @@
 { config, lib, pkgs, ... }:

+with lib;
+
 {
-  environment.etc = {
+  environment.etc = mkIf (elem "etcfiles" config.machine.conffiles) {
    "i3/config".source = ./etc/i3/config;
    "i3/py3status".source = ./etc/i3/py3status;
    "mpv/input.conf".source = ./etc/mpv/input.conf;
@ -9,7 +11,7 @@
    "youtube-dl.conf".source = ./etc/youtube-dl.conf;
  };

-  environment.variables = {
+  environment.variables = mkIf (elem "etcvars" config.machine.conffiles) {
    EDITOR="emacsclient -ca nano";
    NIXPKGS_ALLOW_UNFREE="1";
    WINEDLLOVERRIDES="winemenubuilder.exe=d";
--- a/config/fonts.nix
+++ b/config/fonts.nix
@ -1,6 +1,8 @@
-{ pkgs, config, ... }:
+{ pkgs, lib, config, ... }:

-{
+with lib;
+
+mkIf (elem "fonts" config.machine.conffiles) {
  fonts = {
    enableFontDir = true;
    enableGhostscriptFonts = true;
--- a/config/networking.nix
+++ b/config/networking.nix
@ -1,7 +1,7 @@
 { config, lib, pkgs, ... }:

 let
- firewallcfg = config.machine.networking.firewall;
+ firewallcfg = config.machine.firewall;
 in {
  networking = {
    hostName = config.machine.hostName;
--- a/config/nix.nix
+++ b/config/nix.nix
@ -9,9 +9,9 @@
    extraOptions = ''
      build-timeout = 86400  # 24 hours
    '';
-    sshServe.enable = true;
-    sshServe.keys = ( if config.networking.hostName == "Ophanim" then [ (builtins.replaceStrings ["\n"] [""] (builtins.readFile /secret/nix-ssh.pub)) ] else []);
-    binaryCachePublicKeys = [ (builtins.replaceStrings ["\n"] [""] (builtins.readFile /secret/hydra_cache.pub)) ];
+    sshServe.enable = if config.services.hydra.enable then true else false;
+    sshServe.keys = if config.services.hydra.enable then [ (builtins.readFile /secret/nix-ssh.pub) ] else [];
+    binaryCachePublicKeys = if config.services.hydra.enable then [ (builtins.readFile /secret/hydra_cache.pub) ] else [];
    trustedBinaryCaches = [
      "https://cache.nixos.org"
      "https://cache.ophanim.de"
--- a/config/security.nix
+++ b/config/security.nix
@ -1,6 +1,8 @@
 { config, lib, pkgs, ... }:

-{
+with lib;
+
+mkIf (elem "security" config.machine.conffiles) {
  security = {
    audit.enable = true;
    auditd.enable = true;
--- a/config/zsh.nix
+++ b/config/zsh.nix
@ -1,6 +1,8 @@
 { config, lib, pkgs, ... }:

-{
+with lib;
+
+mkIf (elem "zsh" config.machine.conffiles) {
  programs.zsh = {
    enable = true;
    autosuggestions.enable = true;
--- a/configuration.nix
+++ b/configuration.nix
@ -8,17 +8,9 @@ let
 in rec {
  imports = [
    cfgPath
-
-
-    # use
-#    config.machine.confPath
-    # instead of
-    ./machines/Lilim/Lilim.nix
-
-
-#    ./config/default.nix # same problem as above
+    ./config/default.nix # same problem as above
    ./pkgs/nixpkgs.nix
    ./pkgs/pkgsets.nix
-#    ./services/default.nix # same problem as above
+    ./services/default.nix # same problem as above
  ];
 }
--- a/machines/Lilim/configuration.nix
+++ b/machines/Lilim/configuration.nix
@ -3,10 +3,20 @@
 with lib;

 {
-  imports = [ ../../options/machine.nix ];
+  imports = [ 
+    ../../options/machine.nix 
+    ./Lilim.nix
+  ];

  config.machine = {
-    confPath = ./Lilim.nix;
+    allowUnfree = true;
+    hostName = "Lilim";
+    conffiles = [
+      "etcfiles"
+      "etcvars"
+      "fonts"
+      "zsh"
+    ];
    pkgs = [
      "base"
      "dict"
@ -20,13 +30,11 @@ with lib;
      "xpkgs"
    ];
    services = [
-      ../../services/xserver.nix
-      ../../services/docker.nix
-      ../../services/udev.nix
-      ../../services/cups.nix
+      "xserver"
+      "docker"
+      "udev"
+      "cups"
    ];
-    allowUnfree = true;
-    hostName = "Lilim";
    firewall = {
      allowPing = true;
      allowedUDPPorts = [];
--- a/machines/Ophanim/configuration.nix
+++ b/machines/Ophanim/configuration.nix
@ -1,30 +1,42 @@
+{ config, lib }:
+
+with lib;
+
 {
-  confPath = ./Ophanim.nix;
-  pkgs = [
-    "base"
-    "emacs"
-    "server"
+  imports = [ 
+    ../../options/machine.nix 
+    ./Ophanim.nix
  ];
-  services = [
-    ../../services/gitea.nix
-    ../../services/hydra.nix
-    ../../services/mailserver.nix
-    ../../services/mariaDB.nix
-    ../../services/nextcloud.nix
-    ../../services/nginx.nix
-    ../../services/openssh.nix
-  ];
-  conf = {
+
+  config.machine = {
+    hostName = "Ophanim";
    allowUnfree = true;
-    networking = {
-      hostName = "Ophanim";
-      firewall = {
-        allowPing = false;
-        allowedUDPPorts = [ 22 80 443 ];
-        allowedTCPPorts = [ 80 443 ]; # 5222 5269 ];
-        allowedUDPPortRanges = [];
-        allowedTCPPortRanges = [];
-      };
+    conffiles = [
+      "etcfiles"
+      "etcvars"
+      "fonts"
+      "zsh"
+    ];
+    pkgs = [
+      "base"
+      "emacs"
+      "server"
+    ];
+    services = [
+      "gitea"
+      "hydra"
+      "mailserver"
+      "mariaDB"
+      "nextcloud"
+      "nginx"
+      "openssh"
+    ];
+    firewall = {
+      allowPing = false;
+      allowedUDPPorts = [ 22 80 443 ];
+      allowedTCPPorts = [ 80 443 ]; # 5222 5269 ];
+      allowedUDPPortRanges = [];
+      allowedTCPPortRanges = [];
    };
  };
 }
--- a/options/machine.nix
+++ b/options/machine.nix
@ -23,11 +23,17 @@ with lib;
      '';
    };
    services = mkOption {
-      type = types.listOf types.path;
+      type = types.listOf types.string;
      description = ''
        List of services to be enabled.
      '';
    };
+    conffiles = mkOption {
+      type = types.listOf types.string;
+      description = ''
+        List of configuration files to be enabled.
+      '';
+    };
    hostName = mkOption {
      type = types.str;
      description = ''
--- a/pkgs/pkgsets.nix
+++ b/pkgs/pkgsets.nix
@ -43,6 +43,7 @@ let
    ntfs3g
    oh-my-zsh
    openssl
+    parted
    p7zip
    pciutils
    psmisc
@ -104,7 +105,7 @@ let
    pkgs.ledger
    yaml-mode
    company
-    /* C/C++ */ clang-format irony company-irony  company-irony-c-headers flycheck-irony
+    /* C/C++ */ irony company-irony  company-irony-c-headers flycheck-irony
    /* Haskell */ haskell-mode flycheck-haskell
    /* Org */ org org-ref pdf-tools org-bullets org-caldav
    /* Rust */ rust-mode flycheck-rust racer
--- a/services/cups.nix
+++ b/services/cups.nix
@ -1,6 +1,8 @@
 { config, lib, pkgs, ... }:

-{
+with lib;
+
+mkIf (elem "cups" config.machine.services) {
  services.printing = {
    enable = true;
    startWhenNeeded = true;
--- a/services/default.nix
+++ b/services/default.nix
@ -1,7 +1,19 @@
 { config, lib, pkgs, ... }:

-with lib;
-
 {
-  imports = config.machine.services;
+  imports = [
+    ./cups.nix
+    ./docker.nix
+    ./fail2ban.nix
+    ./gitea.nix
+    ./hydra.nix
+    ./mailserver/default.nix
+    ./mailserver.nix
+    ./mariaDB.nix
+    ./nextcloud.nix
+    ./nginx.nix
+    ./openssh.nix
+    ./udev.nix
+    ./xserver.nix
+  ];
 }
--- a/services/docker.nix
+++ b/services/docker.nix
@ -1,7 +1,9 @@
 { config, lib, pkgs, ... }:

 # Note: add privileged users to docker group for access
-{
+with lib;
+
+mkIf (elem "docker" config.machine.services) {
  virtualisation.docker.enable = true;
  environment.systemPackages = with pkgs; [ docker-compose docker-machine ];
  ### Docker Image stuff will probably follow here
--- a/services/fail2ban.nix
+++ b/services/fail2ban.nix
@ -1,7 +1,9 @@
 { config, lib, pkgs, ... }:

 # mostly taken from https://github.com/davidak/nixos-config/blob/master/services/fail2ban.nix
-{
+with lib;
+
+mkIf (elem "fail2ban" config.machine.services) {
  services.fail2ban = {
    enable = true;
    jails = { 
@ -50,7 +52,7 @@
        action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
        findtime = 600
        bantime = 7200
-      ''
+      '';
    };
  }; 

--- a/services/gitea.nix
+++ b/services/gitea.nix
@ -1,6 +1,8 @@
-{ stdenv, conf, pkgs, ... }:
+{ config, lib, pkgs, ... }:

-{
+with lib;
+
+mkIf (elem "gitea" config.machine.services) {
  services.gitea = {
    enable = true;
    user = "git";
--- a/services/hydra.nix
+++ b/services/hydra.nix
@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:

 # hydra user needs to be manually crated
 # sudo -u hydra -s
@ -8,7 +8,9 @@
 # https://github.com/NixOS/nixos-org-configurations/blob/master/delft/hydra.nix
 # https://gist.github.com/LnL7/fcd5c0bf772f2165a1ac40be6617d2f4

-{
+with lib;
+
+mkIf (elem "hydra" config.machine.services) {
  # also take a look at ../conf/nix.nix
  nix.buildMachines = [
    {
--- a/services/mailserver.nix
+++ b/services/mailserver.nix
@ -1,17 +1,15 @@
-{ lib, config, pkgs, ... }:
+{ config, lib, pkgs, ... }:

-{
-  imports = [
-    ./mailserver/default.nix
-  ];
+with lib;

+mkIf (elem "mailserver" config.machine.services) {
  mailserver = rec {
    enable = true;
    fqdn = "mail.ophanim.de";
    domains = [ "ophanim.de" ];
    loginAccounts = {
        "derped@ophanim.de" = {
-            hashedPassword = (builtins.replaceStrings ["\n"] [""] (builtins.readFile /secret/derped.mail));
+            hashedPassword = (builtins.readFile /secret/derped.mail);
        };
    };
    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
@ -24,9 +22,9 @@

    # Enable IMAP and POP3
    enableImap = true;
-    enablePop3 = true;
+    enablePop3 = false;
    enableImapSsl = true;
-    enablePop3Ssl = true;
+    enablePop3Ssl = false;

    # Enable the ManageSieve protocol
    enableManageSieve = true;
--- a/services/mariaDB.nix
+++ b/services/mariaDB.nix
@ -1,12 +1,14 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
+
+with lib;

 let
-  giteapwd = (builtins.replaceStrings ["\n"] [""] (builtins.readFile /secret/gitea));
-in {
+  giteapwd = if config.services.gitea.enable then (builtins.readFile /secret/gitea) else "";
+in mkIf (elem "mariaDB" config.machine.services) {
  services.mysql = {
    enable = true;
    package = pkgs.mariadb;
-    initialDatabases = [ {
+    initialDatabases = [ mkIf config.services.gitea.enable {
      name = "gitea";
      schema = pkgs.writeText "gitea.sql"
      ''
@ -16,3 +18,4 @@ in {
    } ];
  };
 }
+
--- a/services/nextcloud.nix
+++ b/services/nextcloud.nix
@ -1,6 +1,8 @@
-{ conf, pkgs, ... }:
+{ config, lib, pkgs, ... }:

-{
+with lib;
+
+mkIf (elem "nextcloud" config.machine.services) {
  services.nextcloud = {
    enable = true;
    home = "/var/lib/nextcloud";
--- a/services/nginx.nix
+++ b/services/nginx.nix
@ -8,9 +8,9 @@

 { config, lib, pkgs, ... }:

-let
-  gitpkgs = import /nixpkgs/default.nix {};
-in {
+with lib;
+
+mkIf (elem "nginx" config.machine.services) {
  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
--- a/services/openssh.nix
+++ b/services/openssh.nix
@ -3,7 +3,10 @@
 # For reference:
 # https://infosec.mozilla.org/guidelines/openssh.html
 # https://stribika.github.io/2015/01/04/secure-secure-shell.html
-{
+
+with lib;
+
+mkIf (elem "openssh" config.machine.services) {
  services.openssh = {
    enable = true;
    sftpFlags = [ "-f AUTHPRIV" "-l INFO" ];
--- a/services/udev.nix
+++ b/services/udev.nix
@ -1,6 +1,8 @@
 { config, lib, pkgs, ... }:

-{
+with lib;
+
+mkIf (elem "udev" config.machine.services) {
  services.udev.extraRules = ''
 Valve USB devices
 SUBSYSTEM=="usb", ATTRS{idVendor}=="28de", TAG+="uaccess", TAG+="udev-acl"