Added domain option. Maybe fixed binary cache signing.

config/nix.nix

@@ -11,7 +11,7 @@
     '';
     sshServe.enable = if config.services.hydra.enable then true else false;
     sshServe.keys = if config.services.hydra.enable then [ (builtins.readFile /secret/nix-ssh.pub) ] else [];
-    binaryCachePublicKeys = if config.services.hydra.enable then [ (builtins.readFile /secret/hydra_cache.pub) ] else [];
+    binaryCachePublicKeys = [ (builtins.readFile /secret/hydra_cache.pub) ];
     trustedBinaryCaches = [
       "https://cache.nixos.org"
       "https://cache.ophanim.de"

config/users.nix

@@ -1,5 +1,7 @@
 { config, lib, pkgs, ... }:
 
+with lib;
+
 {
   users = {
     mutableUsers = false;
@@ -9,11 +11,14 @@
       createHome = true;
       description = "";
       group = "derped";
-      extraGroups = [ "audio" "wheel" "network" ] ++ (if config.machine.hostName != "Ophanim" then ["input" "cups" "lp" "docker"] else []);
+      extraGroups = [ "audio" "wheel" "network" ]
+        ++ (if config.services.xserver.enable then [ "input" ] else [])
+        ++ (if config.services.printing.enable then [ "cups" "lp" ] else [])
+        ++ (if config.virtualisation.docker.enable then [ "docker"] else []);
       uid = 1337;
       shell = "/run/current-system/sw/bin/zsh";
       passwordFile = "/secret/derped";
-      openssh.authorizedKeys.keyFiles = (if config.machine.hostName != "Ophanim" then [] else [ "/secret/derped.pub" ]);
+      openssh.authorizedKeys.keyFiles = if config.services.openssh.enable then [ "/secret/derped.pub" ] else [];
     };
 
     groups.derped = {

configuration.nix

@@ -2,15 +2,19 @@
 
 with lib;
 
+# hint: use 'echo -n' so there is no newline char in the hostName file
 let
-  # hint: use 'echo -n' so there is no newline char in the hostName file
+  machinePath = (builtins.toPath ("/etc/nixos/machines/" + (builtins.readFile /secret/hostName)));
-  cfgPath = (builtins.toPath ("/etc/nixos/machines/" + (builtins.readFile /secret/hostName) + "/configuration.nix"));
+  machineConf = machinePath + "/configuration.nix";
-in rec {
+  machineOpts = machinePath + "/options.nix";
+in {
   imports = [
-    cfgPath
+    machineConf
-    ./config/default.nix # same problem as above
+    machineOpts
+    ./config/default.nix
     ./pkgs/nixpkgs.nix
     ./pkgs/pkgsets.nix
-    ./services/default.nix # same problem as above
+    ./services/containers.nix
+    ./services/default.nix
   ];
 }

machines/CDServer/configuration.nix

@@ -10,20 +10,12 @@
     ];
 
   system.autoUpgrade.enable = false;
-
-#    services.vsftp = {
-#      enable = true;
-#      ssl_sslv3 = true;
-#      forceLocalDataSSL = true;
-#      writeEnable = false;
-#      userlist = [];
-#    };
   services.haveged.enable = true;
 
   # This value determines the NixOS release with which your system is to be
   # compatible, in order to avoid breaking some software such as database
   # servers. You should change this only after NixOS release notes say you
   # should.
-  system.stateVersion = "18.09";
+  system.stateVersion = "19.03";
 
 }

machines/CDServer/options.nix

@@ -0,0 +1,41 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+  imports = [ 
+    ../../options/machine.nix 
+  ];
+
+  config.machine = {
+    hostName = "CDServer";
+    allowUnfree = true;
+    conffiles = [
+      "etcvars"
+#      "security"
+      "zsh"
+    ];
+    pkgs = [
+      "base"
+      "emacs"
+      "server"
+    ];
+    services = [
+      "docker"
+#      "fail2ban"
+#      "gitea"
+#      "mailserver"
+      "cd-internes"
+      "mariaDB"
+      "nginx"
+      "openssh"
+    ];
+    firewall = {
+      allowPing = false;
+      allowedUDPPorts = [ 22 80 443 ];
+      allowedTCPPorts = [ 80 443 ];
+      allowedUDPPortRanges = [];
+      allowedTCPPortRanges = [];
+    };
+  };
+}

machines/Lilim/Lilim.nix

@@ -1,19 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
-  imports = [
-    ./hardware-configuration.nix
-  ];
-
-  services = {
-    gnome3.gnome-terminal-server.enable = true;
-    udev.extraRules = ''
-      SUBSYSTEM=="usb", ATTRS{idVendor}=="28de", MODE="0666"
-      KERNEL=="uinput", MODE="0660", GROUP="input", OPTIONS+="static_mode=uinput"
-    '';
-  };
-
-  environment.systemPackages = with pkgs; [ firmware_surface xdiskusage ];
-
-  system.stateVersion = "19.03";
-}

machines/Lilim/configuration.nix

@@ -1,46 +1,19 @@
 { config, lib, pkgs, ... }:
 
-with lib;
-
 {
   imports = [
-    ../../options/machine.nix 
+    ./hardware-configuration.nix
-    ./Lilim.nix
   ];
 
-  config.machine = {
+  services = {
-    allowUnfree = true;
+    gnome3.gnome-terminal-server.enable = true;
-    hostName = "Lilim";
+    udev.extraRules = ''
-    conffiles = [
+      SUBSYSTEM=="usb", ATTRS{idVendor}=="28de", MODE="0666"
-      "etcfiles"
+      KERNEL=="uinput", MODE="0660", GROUP="input", OPTIONS+="static_mode=uinput"
-      "etcvars"
+    '';
-      "fonts"
-      "zsh"
-    ];
-    pkgs = [
-      "base"
-      "dict"
-      "emacs"
-      "extra"
-      "cpp"
-      "haskell"
-      "mailutils"
-      "python3"
-      "rustpkgs"
-      "xpkgs"
-    ];
-    services = [
-      "xserver"
-      "docker"
-      "udev"
-      "cups"
-    ];
-    firewall = {
-      allowPing = true;
-      allowedUDPPorts = [];
-      allowedTCPPorts = [];
-      allowedUDPPortRanges = [ { from = 1714; to = 1764; } ];
-      allowedTCPPortRanges = [ { from = 1714; to = 1764; } ];
-    };
   };
+
+  environment.systemPackages = with pkgs; [ firmware_surface xdiskusage ];
+
+  system.stateVersion = "19.03";
 }

machines/Lilim/options.nix

@@ -0,0 +1,46 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  imports = [ 
+    ../../options/machine.nix 
+  ];
+
+  config.machine = {
+    allowUnfree = true;
+    hostName = "Lilim";
+    conffiles = [
+      "etcfiles"
+      "etcvars"
+      "fonts"
+      "zsh"
+    ];
+    pkgs = [
+      "base"
+      "dict"
+      "emacs"
+      "extra"
+      "cpp"
+      "haskell"
+      "mailutils"
+      "python3"
+      "rustpkgs"
+      "xpkgs"
+    ];
+    services = [
+#      "containers"
+      "xserver"
+#      "docker"
+      "udev"
+      "cups"
+    ];
+    firewall = {
+      allowPing = true;
+      allowedUDPPorts = [];
+      allowedTCPPorts = [];
+      allowedUDPPortRanges = [ { from = 1714; to = 1764; } ];
+      allowedTCPPortRanges = [ { from = 1714; to = 1764; } ];
+    };
+  };
+}

machines/Ophanim/configuration.nix

@@ -1,42 +1,29 @@
-{ config, lib, ... }:
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
 
-with lib;
+{ config, pkgs, ... }:
 
 {
   imports = [
-    ../../options/machine.nix 
+      ./hardware-configuration.nix
-    ./Ophanim.nix
     ];
 
-  config.machine = {
+  system.autoUpgrade.enable = false;
-    hostName = "Ophanim";
+
-    allowUnfree = true;
+#    services.vsftp = {
-    conffiles = [
+#      enable = true;
-      "etcvars"
+#      ssl_sslv3 = true;
-      "security"
+#      forceLocalDataSSL = true;
-      "zsh"
+#      writeEnable = false;
-    ];
+#      userlist = [];
-    pkgs = [
+#    };
-      "base"
+  services.haveged.enable = true;
-      "emacs"
+
-      "server"
+  # This value determines the NixOS release with which your system is to be
-    ];
+  # compatible, in order to avoid breaking some software such as database
-    services = [
+  # servers. You should change this only after NixOS release notes say you
-      "fail2ban"
+  # should.
-      "gitea"
+  system.stateVersion = "18.09";
-      "hydra"
+
-      "mailserver"
-      "mariaDB"
-      "nextcloud"
-      "nginx"
-      "openssh"
-    ];
-    firewall = {
-      allowPing = false;
-      allowedUDPPorts = [ 22 80 443 ];
-      allowedTCPPorts = [ 80 443 ]; # 5222 5269 ];
-      allowedUDPPortRanges = [];
-      allowedTCPPortRanges = [];
-    };
-  };
 }

machines/Ophanim/options.nix

@@ -0,0 +1,42 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+  imports = [ 
+    ../../options/machine.nix 
+  ];
+
+  config.machine = {
+    hostName = "Ophanim";
+    domain = "ophanim.de";
+    allowUnfree = true;
+    conffiles = [
+      "etcvars"
+      "security"
+      "zsh"
+    ];
+    pkgs = [
+      "base"
+      "emacs"
+      "server"
+    ];
+    services = [
+      "fail2ban"
+      "gitea"
+      "hydra"
+      "mailserver"
+      "mariaDB"
+      "nextcloud"
+      "nginx"
+      "openssh"
+    ];
+    firewall = {
+      allowPing = false;
+      allowedUDPPorts = [ 22 80 443 ];
+      allowedTCPPorts = [ 80 443 ]; # 5222 5269 ];
+      allowedUDPPortRanges = [];
+      allowedTCPPortRanges = [];
+    };
+  };
+}

options/machine.nix

@@ -4,12 +4,6 @@ with lib;
 
 {
   options.machine = {
-    confPath = mkOption {
-      type = types.path;
-      description = ''
-        Path to the machines configuration.nix
-      '';
-    };
     allowUnfree = mkOption {
       type = types.bool;
       description = ''
@@ -40,6 +34,13 @@ with lib;
         The Machines HostName
       '';
     };
+    domain = mkOption {
+      type = types.str;
+      default = "localhost";
+      description = ''
+        The Machines domain name.
+      '';
+    };
     firewall = {
         allowPing = mkOption {
           type = types.bool;

pkgs/pkgsets.nix

@@ -37,7 +37,7 @@ let
     nix-update-source
     nix-zsh-completions
     nixbang
-    nixops
+#    nixops
     nmap
     nox
     ntfs3g
@@ -58,7 +58,7 @@ let
     unzipNLS
     usbutils
     vim
-#    vulnix
+    vulnix
     wget
     whois
     wirelesstools

services/containers.nix

@@ -0,0 +1,23 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+mkIf (elem "containers" config.machine.services) {
+  containers.CDServer = {
+    privateNetwork = true;
+    hostAddress = "192.168.100.10";
+    localAddress = "192.168.100.11";
+    config =
+      { config, lib, pkgs, ... }:
+
+      {
+        imports = [
+          ../machines/CDServer/options.nix
+          ./default.nix
+          ../config/default.nix
+          ../pkgs/nixpkgs.nix
+          ../pkgs/pkgsets.nix
+        ];
+      };
+  };
+}

services/gitea.nix

@@ -7,8 +7,8 @@ mkIf (elem "gitea" config.machine.services) {
     enable = true;
     user = "git";
     cookieSecure = true;
-    domain = "git.ophanim.de";
+    domain = "git.${config.machine.domain}";
-    rootUrl = "http://git.ophanim.de/";
+    rootUrl = "http://git.${config.machine.domain}/";
     database = {
       type = "mysql";
       user = "git";

services/hydra.nix

@@ -4,9 +4,9 @@
 # sudo -u hydra -s
 # hydra-create-user $USERNAME --password $PASSWORD --role admin
 
-# also for reference some other hydra configs:
+# https://qfpl.io/posts/nix/starting-simple-hydra/
+# also for reference a well written hydra config:
 # https://github.com/NixOS/nixos-org-configurations/blob/master/delft/hydra.nix
-# https://gist.github.com/LnL7/fcd5c0bf772f2165a1ac40be6617d2f4
 
 with lib;
 
@@ -23,19 +23,23 @@ mkIf (elem "hydra" config.machine.services) {
 
   services.hydra = {
     enable = true;
-    hydraURL = "https://builder.ophanim.de"; # externally visible URL
+    hydraURL = "https://builder.${config.machine.domain}"; # externally visible URL
     listenHost = "localhost";
     port = 3001;
     minimumDiskFree = 15;
     minimumDiskFreeEvaluator = 15;
-    notificationSender = "hydra@mail.ophanim.de"; # e-mail of hydra service
+    notificationSender = "hydra@mail.${config.machine.domain}"; # e-mail of hydra service
     useSubstitutes = true;
     debugServer = false;
+    # Hints from hydra-queue-runner:
+    # binary_cache_dir is deprecated and ignored. use store_uri=file:// instead
+    # hydra.conf: binary_cache_secret_key_file is deprecated and ignored. use store_uri=...?secret-key= instead
     extraConfig = ''
       max_output_size = 4294967296
-      store_uri = file:///var/cache/hydra?secret-key=/secret/hydra_cache
+      store_uri = file:///var/cache/hydra?secret-key=/secret/hydra_cache&write-nar-listing=1&ls-compression=br&log-compression=br
-      server_store_uri = https://cache.ophanim.de
+      # add ?local-nar-cache= to set nar cache location
-      binary_cache_public_uri https://cache.ophanim.de
+      server_store_uri = https://cache.${config.machine.domain}
+      binary_cache_public_uri https://cache.${config.machine.domain}
       upload_logs_to_binary_cache = true
     '';
   };

services/nextcloud.nix

@@ -6,7 +6,7 @@ mkIf (elem "nextcloud" config.machine.services) {
   services.nextcloud = {
     enable = true;
     home = "/var/lib/nextcloud";
-    hostName = "storage.ophanim.de";
+    hostName = "storage.${config.machine.domain}";
     https = true;
     maxUploadSize = "1024M";
     config = {

services/nginx.nix

@@ -23,12 +23,12 @@ mkIf (elem "nginx" config.machine.services) {
       add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
     '';
     virtualHosts = {
-      "ophanim.de" = {
+      "${config.machine.domain}" = {
         enableACME = true;
         forceSSL = true;
         root = "/var/www";
       };
-      "builder.ophanim.de" = mkIf config.services.hydra.enable {
+      "builder.${config.machine.domain}" = mkIf config.services.hydra.enable {
         enableACME = true;
         forceSSL = true;
         extraConfig = ''
@@ -41,7 +41,7 @@ mkIf (elem "nginx" config.machine.services) {
           }
         '';
       };
-      "cache.ophanim.de" = mkIf config.services.hydra.enable {
+      "cache.${config.machine.domain}" = mkIf config.services.hydra.enable {
         enableACME = true;
         forceSSL = true;
         root = "/var/cache/hydra";
@@ -49,13 +49,13 @@ mkIf (elem "nginx" config.machine.services) {
           autoindex on;
         '';
       };
-      "mail.ophanim.de" = {
+      "mail.${config.machine.domain}" = mkIf config.mailserver.enable {
         enableACME = true;
         forceSSL = true;
         root = "/var/www";
       };
 
-      "${config.services.nextcloud.hostName}" = mkIf config.services.nextcloud.enable {
+      "storage.${config.machine.domain}" = mkIf config.services.nextcloud.enable {
         root = pkgs.nextcloud;
         enableACME = config.services.nextcloud.https;
         forceSSL = config.services.nextcloud.https;
@@ -152,7 +152,7 @@ mkIf (elem "nginx" config.machine.services) {
         '';
       };
 
-      "${config.services.gitea.domain}" = mkIf config.services.gitea.enable {
+      "git.${config.machine.domain}" = mkIf config.services.gitea.enable {
         enableACME = true;
         forceSSL = true;
         root = "${config.services.gitea.stateDir}/public";