From 14332b2c7b598ffb7cfcb3c3f0d3fb6ca889f1bc Mon Sep 17 00:00:00 2001 From: derped Date: Wed, 20 Mar 2019 02:57:59 +0100 Subject: [PATCH] Modularized configuration now kind of works. (still need to do some refactoring) --- config/default.nix | 4 +- config/etc.nix | 6 ++- config/fonts.nix | 6 ++- config/networking.nix | 2 +- config/nix.nix | 6 +-- config/security.nix | 4 +- config/zsh.nix | 4 +- configuration.nix | 12 +----- machines/Lilim/configuration.nix | 24 ++++++++---- machines/Ophanim/configuration.nix | 60 ++++++++++++++++++------------ options/machine.nix | 8 +++- pkgs/pkgsets.nix | 3 +- services/cups.nix | 4 +- services/default.nix | 18 +++++++-- services/docker.nix | 4 +- services/fail2ban.nix | 6 ++- services/gitea.nix | 6 ++- services/hydra.nix | 6 ++- services/mailserver.nix | 14 +++---- services/mariaDB.nix | 11 ++++-- services/nextcloud.nix | 6 ++- services/nginx.nix | 6 +-- services/openssh.nix | 5 ++- services/udev.nix | 4 +- 24 files changed, 144 insertions(+), 85 deletions(-) diff --git a/config/default.nix b/config/default.nix index 898f9d7..a8fe7b5 100644 --- a/config/default.nix +++ b/config/default.nix @@ -3,10 +3,12 @@ { imports = [ ./etc.nix + ./fonts.nix ./locale.nix ./networking.nix ./nix.nix + ./security.nix ./users.nix ./zsh.nix - ] ++ (if (config.machine.hostName != "Ophanim") then [./fonts.nix] else [./security.nix]); + ]; } diff --git a/config/etc.nix b/config/etc.nix index 818814f..2133839 100644 --- a/config/etc.nix +++ b/config/etc.nix @@ -1,7 +1,9 @@ { config, lib, pkgs, ... }: +with lib; + { - environment.etc = { + environment.etc = mkIf (elem "etcfiles" config.machine.conffiles) { "i3/config".source = ./etc/i3/config; "i3/py3status".source = ./etc/i3/py3status; "mpv/input.conf".source = ./etc/mpv/input.conf; 
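Review bot: With config/security.nix now imported unconditionally but gated by `mkIf (elem "security" config.machine.conffiles)` (its hunk is later in this patch), its audit/auditd settings apply only to a machine that lists "security", and neither the machines/Lilim/configuration.nix nor the machines/Ophanim/configuration.nix conffiles list does — so Ophanim, which got security.nix through the removed `else [./security.nix]` branch, silently loses it. Adding `"security"` to Ophanim's conffiles list restores the old behavior. The same opt-in now applies to services/fail2ban.nix via `config.machine.services`, and no machine lists `"fail2ban"` either; that file was not imported before this commit, so that may be intended, but a comment at the gate saying which machines are expected to enable it would avoid the question next time.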
@@ -9,7 +11,7 @@ "youtube-dl.conf".source = ./etc/youtube-dl.conf; }; - environment.variables = { + environment.variables = mkIf (elem "etcvars" config.machine.conffiles) { EDITOR="emacsclient -ca nano"; NIXPKGS_ALLOW_UNFREE="1"; WINEDLLOVERRIDES="winemenubuilder.exe=d"; diff --git a/config/fonts.nix b/config/fonts.nix index 9cd5e03..567af7e 100644 --- a/config/fonts.nix +++ b/config/fonts.nix @@ -1,6 +1,8 @@ -{ pkgs, config, ... }: +{ pkgs, lib, config, ... }: -{ +with lib; + +mkIf (elem "fonts" config.machine.conffiles) { fonts = { enableFontDir = true; enableGhostscriptFonts = true; diff --git a/config/networking.nix b/config/networking.nix index 1cb0053..7fc3a42 100644 --- a/config/networking.nix +++ b/config/networking.nix @@ -1,7 +1,7 @@ { config, lib, pkgs, ... }: let - firewallcfg = config.machine.networking.firewall; + firewallcfg = config.machine.firewall; in { networking = { hostName = config.machine.hostName; diff --git a/config/nix.nix b/config/nix.nix index e93241f..1872779 100644 --- a/config/nix.nix +++ b/config/nix.nix @@ -9,9 +9,9 @@ extraOptions = '' build-timeout = 86400 # 24 hours ''; - sshServe.enable = true; - sshServe.keys = ( if config.networking.hostName == "Ophanim" then [ (builtins.replaceStrings ["\n"] [""] (builtins.readFile /secret/nix-ssh.pub)) ] else []); - binaryCachePublicKeys = [ (builtins.replaceStrings ["\n"] [""] (builtins.readFile /secret/hydra_cache.pub)) ]; + sshServe.enable = if config.services.hydra.enable then true else false; + sshServe.keys = if config.services.hydra.enable then [ (builtins.readFile /secret/nix-ssh.pub) ] else []; + binaryCachePublicKeys = if config.services.hydra.enable then [ (builtins.readFile /secret/hydra_cache.pub) ] else []; trustedBinaryCaches = [ "https://cache.nixos.org" "https://cache.ophanim.de" diff --git a/config/security.nix b/config/security.nix index b1c36d9..44568c3 100644 --- a/config/security.nix +++ b/config/security.nix 
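Review bot: Dropping the `replaceStrings ["\n"] [""]` wrapper in config/nix.nix means `builtins.readFile` now hands back each key file with its trailing newline, and that newline is carried into whatever `nix.sshServe.keys` and `nix.binaryCachePublicKeys` write out — for the public keys presumably a single line in the generated nix.conf, where an embedded newline is likely to truncate or corrupt the entry, so check the generated file before relying on the cache signature check. `lib.fileContents` is the idiom for reading a one-line secret without the newline, and `lib.optional` replaces the `if … then [ … ] else []` shape: `binaryCachePublicKeys = lib.optional config.services.hydra.enable (lib.fileContents /secret/hydra_cache.pub);`. The same dropped stripping appears in the services/mailserver.nix hunk (`hashedPassword`) and the services/mariaDB.nix hunk (`giteapwd`), where the stray newline ends up inside a password hash and a SQL string respectively. Also `sshServe.enable = if config.services.hydra.enable then true else false;` is just `sshServe.enable = config.services.hydra.enable;`. The enclosing `nix = { … }` attribute set starts before this hunk.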
@@ -1,6 +1,8 @@ { config, lib, pkgs, ... }: -{ +with lib; + +mkIf (elem "security" config.machine.conffiles) { security = { audit.enable = true; auditd.enable = true; diff --git a/config/zsh.nix b/config/zsh.nix index 56adc07..cc1b1d6 100644 --- a/config/zsh.nix +++ b/config/zsh.nix @@ -1,6 +1,8 @@ { config, lib, pkgs, ... }: -{ +with lib; + +mkIf (elem "zsh" config.machine.conffiles) { programs.zsh = { enable = true; autosuggestions.enable = true; diff --git a/configuration.nix b/configuration.nix index 3435336..87c7444 100644 --- a/configuration.nix +++ b/configuration.nix @@ -8,17 +8,9 @@ let in rec { imports = [ cfgPath - - - # use -# config.machine.confPath - # instead of - ./machines/Lilim/Lilim.nix - - -# ./config/default.nix # same problem as above + ./config/default.nix # same problem as above ./pkgs/nixpkgs.nix ./pkgs/pkgsets.nix -# ./services/default.nix # same problem as above + ./services/default.nix # same problem as above ]; } diff --git a/machines/Lilim/configuration.nix b/machines/Lilim/configuration.nix index fabd8d9..c519429 100644 --- a/machines/Lilim/configuration.nix +++ b/machines/Lilim/configuration.nix @@ -3,10 +3,20 @@ with lib; { - imports = [ ../../options/machine.nix ]; + imports = [ + ../../options/machine.nix + ./Lilim.nix + ]; config.machine = { - confPath = ./Lilim.nix; + allowUnfree = true; + hostName = "Lilim"; + conffiles = [ + "etcfiles" + "etcvars" + "fonts" + "zsh" + ]; pkgs = [ "base" "dict" @@ -20,13 +30,11 @@ with lib; "xpkgs" ]; services = [ - ../../services/xserver.nix - ../../services/docker.nix - ../../services/udev.nix - ../../services/cups.nix + "xserver" + "docker" + "udev" + "cups" ]; - allowUnfree = true; - hostName = "Lilim"; firewall = { allowPing = true; allowedUDPPorts = []; diff --git a/machines/Ophanim/configuration.nix b/machines/Ophanim/configuration.nix index af22c35..bfd343f 100644 --- a/machines/Ophanim/configuration.nix +++ b/machines/Ophanim/configuration.nix 
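Review bot: The two `# same problem as above` trailers that survive in configuration.nix no longer refer to anything: this hunk deletes the `# use config.machine.confPath … instead of ./machines/Lilim/Lilim.nix` block they pointed at, so a reader now sees `./config/default.nix # same problem as above` and `./services/default.nix # same problem as above` with no "above". Either delete both trailers, or replace them with a comment stating the actual constraint (for example that `imports` must be a static path list and cannot be driven by `config.machine.*`), so the workaround is explained where it lives. `cfgPath` comes from the `let` outside the hunk, so the note should also say how it is chosen.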
@@ -1,30 +1,42 @@ +{ config, lib }: + +with lib; + { - confPath = ./Ophanim.nix; - pkgs = [ - "base" - "emacs" - "server" + imports = [ + ../../options/machine.nix + ./Ophanim.nix ]; - services = [ - ../../services/gitea.nix - ../../services/hydra.nix - ../../services/mailserver.nix - ../../services/mariaDB.nix - ../../services/nextcloud.nix - ../../services/nginx.nix - ../../services/openssh.nix - ]; - conf = { + + config.machine = { + hostName = "Ophanim"; allowUnfree = true; - networking = { - hostName = "Ophanim"; - firewall = { - allowPing = false; - allowedUDPPorts = [ 22 80 443 ]; - allowedTCPPorts = [ 80 443 ]; # 5222 5269 ]; - allowedUDPPortRanges = []; - allowedTCPPortRanges = []; - }; + conffiles = [ + "etcfiles" + "etcvars" + "fonts" + "zsh" + ]; + pkgs = [ + "base" + "emacs" + "server" + ]; + services = [ + "gitea" + "hydra" + "mailserver" + "mariaDB" + "nextcloud" + "nginx" + "openssh" + ]; + firewall = { + allowPing = false; + allowedUDPPorts = [ 22 80 443 ]; + allowedTCPPorts = [ 80 443 ]; # 5222 5269 ]; + allowedUDPPortRanges = []; + allowedTCPPortRanges = []; }; }; } diff --git a/options/machine.nix b/options/machine.nix index 739eed1..d152190 100644 --- a/options/machine.nix +++ b/options/machine.nix @@ -23,11 +23,17 @@ with lib; ''; }; services = mkOption { - type = types.listOf types.path; + type = types.listOf types.string; description = '' List of services to be enabled. ''; }; + conffiles = mkOption { + type = types.listOf types.string; + description = '' + List of configuration files to be enabled. + ''; + }; hostName = mkOption { type = types.str; description = '' diff --git a/pkgs/pkgsets.nix b/pkgs/pkgsets.nix index c89dbcf..dbc1077 100644 --- a/pkgs/pkgsets.nix +++ b/pkgs/pkgsets.nix @@ -43,6 +43,7 @@ let ntfs3g oh-my-zsh openssl + parted p7zip pciutils psmisc 
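Review bot: `{ config, lib }:` at the top of machines/Ophanim/configuration.nix has no `...`, so evaluation should fail with an unexpected-argument error as soon as the module system calls it with the other module arguments (`options`, `pkgs`, …); every other module in this patch uses `{ config, lib, pkgs, ... }:`, and this one should too. Separately, the moved firewall block opens `allowedUDPPorts = [ 22 80 443 ];` while `allowedTCPPorts` lists only 80 and 443 — SSH, HTTP and HTTPS here are TCP services, so the UDP entries look like exposure with no listener behind them (TCP 22 is presumably opened by the openssh module itself); worth re-checking now that the block has been carried into the new option layout.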
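Review bot: `types.listOf types.string` for `services` and the new `conffiles` in options/machine.nix uses the deprecated `types.string`, which silently concatenates conflicting definitions and warns on evaluation; the sibling `hostName` option in the same hunk already uses `types.str`. Because every config/*.nix and services/*.nix file now gates itself on `elem "<name>" config.machine.…`, a misspelled list entry silently disables a whole module instead of failing, so an enum is the safer type: `type = types.listOf (types.enum [ "etcfiles" "etcvars" "fonts" "security" "zsh" ]);` (and the service names likewise). Both options also lack `default = [ ];`, so a machine that sets neither fails with an "option used but not defined" error the moment any gated module is imported.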
@@ -104,7 +105,7 @@ let pkgs.ledger yaml-mode company - /* C/C++ */ clang-format irony company-irony company-irony-c-headers flycheck-irony + /* C/C++ */ irony company-irony company-irony-c-headers flycheck-irony /* Haskell */ haskell-mode flycheck-haskell /* Org */ org org-ref pdf-tools org-bullets org-caldav /* Rust */ rust-mode flycheck-rust racer diff --git a/services/cups.nix b/services/cups.nix index 20104bb..0f27f66 100644 --- a/services/cups.nix +++ b/services/cups.nix @@ -1,6 +1,8 @@ { config, lib, pkgs, ... }: -{ +with lib; + +mkIf (elem "cups" config.machine.services) { services.printing = { enable = true; startWhenNeeded = true; diff --git a/services/default.nix b/services/default.nix index 54c12fa..b455f70 100644 --- a/services/default.nix +++ b/services/default.nix @@ -1,7 +1,19 @@ { config, lib, pkgs, ... }: -with lib; - { - imports = config.machine.services; + imports = [ + ./cups.nix + ./docker.nix + ./fail2ban.nix + ./gitea.nix + ./hydra.nix + ./mailserver/default.nix + ./mailserver.nix + ./mariaDB.nix + ./nextcloud.nix + ./nginx.nix + ./openssh.nix + ./udev.nix + ./xserver.nix + ]; } diff --git a/services/docker.nix b/services/docker.nix index 9752c51..62de39e 100644 --- a/services/docker.nix +++ b/services/docker.nix @@ -1,7 +1,9 @@ { config, lib, pkgs, ... }: # Note: add privileged users to docker group for access -{ +with lib; + +mkIf (elem "docker" config.machine.services) { virtualisation.docker.enable = true; environment.systemPackages = with pkgs; [ docker-compose docker-machine ]; ### Docker Image stuff will probably follow here diff --git a/services/fail2ban.nix b/services/fail2ban.nix index f6d06de..c0e228a 100644 --- a/services/fail2ban.nix +++ b/services/fail2ban.nix @@ -1,7 +1,9 @@ { config, lib, pkgs, ... }: # mostly taken from https://github.com/davidak/nixos-config/blob/master/services/fail2ban.nix -{ +with lib; + +mkIf (elem "fail2ban" config.machine.services) { services.fail2ban = { enable = true; jails = { 
@@ -50,7 +52,7 @@ action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp] findtime = 600 bantime = 7200 - '' + ''; }; }; diff --git a/services/gitea.nix b/services/gitea.nix index a9c45a0..36af9ee 100644 --- a/services/gitea.nix +++ b/services/gitea.nix @@ -1,6 +1,8 @@ -{ stdenv, conf, pkgs, ... }: +{ config, lib, pkgs, ... }: -{ +with lib; + +mkIf (elem "gitea" config.machine.services) { services.gitea = { enable = true; user = "git"; diff --git a/services/hydra.nix b/services/hydra.nix index e36a70b..657b68c 100644 --- a/services/hydra.nix +++ b/services/hydra.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ config, lib, pkgs, ... }: # hydra user needs to be manually crated # sudo -u hydra -s @@ -8,7 +8,9 @@ # https://github.com/NixOS/nixos-org-configurations/blob/master/delft/hydra.nix # https://gist.github.com/LnL7/fcd5c0bf772f2165a1ac40be6617d2f4 -{ +with lib; + +mkIf (elem "hydra" config.machine.services) { # also take a look at ../conf/nix.nix nix.buildMachines = [ { diff --git a/services/mailserver.nix b/services/mailserver.nix index 699db07..6281ffd 100644 --- a/services/mailserver.nix +++ b/services/mailserver.nix @@ -1,17 +1,15 @@ -{ lib, config, pkgs, ... }: +{ config, lib, pkgs, ... }: -{ - imports = [ - ./mailserver/default.nix - ]; +with lib; +mkIf (elem "mailserver" config.machine.services) { mailserver = rec { enable = true; fqdn = "mail.ophanim.de"; domains = [ "ophanim.de" ]; loginAccounts = { "derped@ophanim.de" = { - hashedPassword = (builtins.replaceStrings ["\n"] [""] (builtins.readFile /secret/derped.mail)); + hashedPassword = (builtins.readFile /secret/derped.mail); }; }; # Use Let's Encrypt certificates. Note that this needs to set up a stripped @@ -24,9 +22,9 @@ # Enable IMAP and POP3 enableImap = true; - enablePop3 = true; + enablePop3 = false; enableImapSsl = true; - enablePop3Ssl = true; + enablePop3Ssl = false; # Enable the ManageSieve protocol enableManageSieve = true; 
diff --git a/services/mariaDB.nix b/services/mariaDB.nix index 5eafc3a..8a1c448 100644 --- a/services/mariaDB.nix +++ b/services/mariaDB.nix @@ -1,12 +1,14 @@ -{ config, pkgs, ... }: +{ config, lib, pkgs, ... }: + +with lib; let - giteapwd = (builtins.replaceStrings ["\n"] [""] (builtins.readFile /secret/gitea)); -in { + giteapwd = if config.services.gitea.enable then (builtins.readFile /secret/gitea) else ""; +in mkIf (elem "mariaDB" config.machine.services) { services.mysql = { enable = true; package = pkgs.mariadb; - initialDatabases = [ { + initialDatabases = [ mkIf config.services.gitea.enable { name = "gitea"; schema = pkgs.writeText "gitea.sql" '' @@ -16,3 +18,4 @@ in { } ]; }; } + diff --git a/services/nextcloud.nix b/services/nextcloud.nix index fff88a7..8555064 100644 --- a/services/nextcloud.nix +++ b/services/nextcloud.nix @@ -1,6 +1,8 @@ -{ conf, pkgs, ... }: +{ config, lib, pkgs, ... }: -{ +with lib; + +mkIf (elem "nextcloud" config.machine.services) { services.nextcloud = { enable = true; home = "/var/lib/nextcloud"; diff --git a/services/nginx.nix b/services/nginx.nix index b699010..d728ed8 100644 --- a/services/nginx.nix +++ b/services/nginx.nix @@ -8,9 +8,9 @@ { config, lib, pkgs, ... }: -let - gitpkgs = import /nixpkgs/default.nix {}; -in { +with lib; + +mkIf (elem "nginx" config.machine.services) { services.nginx = { enable = true; recommendedGzipSettings = true; diff --git a/services/openssh.nix b/services/openssh.nix index 174adc8..6763fde 100644 --- a/services/openssh.nix +++ b/services/openssh.nix @@ -3,7 +3,10 @@ # For reference: # https://infosec.mozilla.org/guidelines/openssh.html # https://stribika.github.io/2015/01/04/secure-secure-shell.html -{ + +with lib; + +mkIf (elem "openssh" config.machine.services) { services.openssh = { enable = true; sftpFlags = [ "-f AUTHPRIV" "-l INFO" ]; diff --git a/services/udev.nix b/services/udev.nix index 5c0fdab..475a5aa 100644 --- a/services/udev.nix +++ b/services/udev.nix 
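Review bot: `initialDatabases = [ mkIf config.services.gitea.enable { … } ];` in services/mariaDB.nix does not do what it looks like — `mkIf` only has meaning when the module system merges it as an attribute value, and here it sits inside a list literal, so the element becomes the raw `{ _type = "if"; … }` set and the mysql module receives an entry with no `name`/`schema` whether gitea is enabled or not. `lib.optional` yields the intended empty or one-element list: `initialDatabases = optional config.services.gitea.enable {` with the closing `} ];` in the second hunk becoming `};`. On `giteapwd`, `builtins.readFile /secret/gitea` now keeps the file's trailing newline (same issue as the config/nix.nix hunk), and if the value is interpolated into the `pkgs.writeText "gitea.sql"` schema — its body is outside this hunk — the password lands in a world-readable store path, which deserves at least a comment on the `let` binding or a runtime-rendered script instead of `writeText`.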
@@ -1,6 +1,8 @@ { config, lib, pkgs, ... }: -{ +with lib; + +mkIf (elem "udev" config.machine.services) { services.udev.extraRules = '' Valve USB devices SUBSYSTEM=="usb", ATTRS{idVendor}=="28de", TAG+="uaccess", TAG+="udev-acl"
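Review bot: The context line `Valve USB devices` inside `services.udev.extraRules` in services/udev.nix has no leading `#`, so unless the collapsed patch lost it, udev will log that line as an invalid rule and skip it (the following `SUBSYSTEM=="usb", …` rule is unaffected); it should read `# Valve USB devices`. This is pre-existing context rather than something the hunk changes, but since the file is being touched anyway it is a one-character fix.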