Started work on modularized machine config, does not quite work yet. Changed Ophanim's kernel to hardened.

This commit is contained in:
Kevin Baensch 2019-03-17 11:43:14 +01:00
parent 2efae4f888
commit a0f361425a
10 changed files with 162 additions and 63 deletions


@ -1,8 +1,6 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let {
cfg = import ("/etc/nixos/machines/" + (builtins.replaceStrings ["\n"] [""] (builtins.readFile /etc/hostname)) + "/configuration.nix");
in {
imports = [ imports = [
./etc.nix ./etc.nix
./locale.nix ./locale.nix
@ -10,5 +8,5 @@ in {
./nix.nix ./nix.nix
./users.nix ./users.nix
./zsh.nix ./zsh.nix
] ++ (if cfg.conf.networking.hostName != "Ophanim" then [./fonts.nix] else [./security.nix]); ] ++ (if (config.machine.hostName != "Ophanim") then [./fonts.nix] else [./security.nix]);
} }
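Review bot: The new `] ++ (if (config.machine.hostName != "Ophanim") then [./fonts.nix] else [./security.nix]);` makes the `imports` list depend on `config`, which the module system cannot resolve: the set of modules has to be fixed before `config` is evaluated, so this ends in an infinite-recursion error rather than a conditional import. The same pattern is in `imports = config.machine.services;` (services/default.nix) and in the `cfgPath`/`confPath` import of the top-level default.nix, which is what the commit's own `# same problem as above` comments and "does not quite work yet" appear to refer to. For security.nix in particular this matters: when the import cannot be evaluated, none of the hardening it carries is applied. Import both files unconditionally and gate their contents with `lib.mkIf (config.machine.hostName == "Ophanim") { … }` (and the negated condition for the fonts module), or derive the host name outside the module system and build the module list from it before evaluation starts.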


@ -1,18 +1,18 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
cfg = import ("/etc/nixos/machines/" + (builtins.replaceStrings ["\n"] [""] (builtins.readFile /etc/hostname)) + "/configuration.nix"); firewallcfg = config.machine.networking.firewall;
in { in {
networking = { networking = {
hostName = cfg.conf.networking.hostName; hostName = config.machine.hostName;
# should probably add some etc file for this....
firewall = { firewall = {
enable = true; enable = true;
allowPing = cfg.conf.networking.firewall.allowPing; allowPing = firewallcfg.allowPing;
allowedUDPPorts = cfg.conf.networking.firewall.allowedUDPPorts; allowedUDPPorts = firewallcfg.allowedUDPPorts;
allowedTCPPorts = cfg.conf.networking.firewall.allowedTCPPorts; allowedTCPPorts = firewallcfg.allowedTCPPorts;
allowedUDPPortRanges = cfg.conf.networking.firewall.allowedUDPPortRanges; allowedUDPPortRanges = firewallcfg.allowedUDPPortRanges;
allowedTCPPortRanges = cfg.conf.networking.firewall.allowedTCPPortRanges; allowedTCPPortRanges = firewallcfg.allowedTCPPortRanges;
}; };
}; };
} }
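Review bot: `firewallcfg = config.machine.networking.firewall;` names an option path that options/machine.nix never declares — the firewall options are defined directly under `options.machine.firewall`, and Lilim.nix sets them at that level too — so importing this module fails with a missing-attribute error before any rule is generated. The fix is `firewallcfg = config.machine.firewall;`. It is also worth noting that all five firewall options are read unconditionally here while their declarations carry no `default`, so a machine that leaves one unset will fail to evaluate instead of falling back to closed ports; see the option file for where a default belongs.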


@ -1,8 +1,6 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let {
cfg = with lib; import ("/etc/nixos/machines/" + (replaceStrings ["\n"] [""] (readFile /etc/hostname)) + "/configuration.nix");
in {
users = { users = {
mutableUsers = false; mutableUsers = false;
users.derped = { users.derped = {
@ -11,11 +9,11 @@ in {
createHome = true; createHome = true;
description = ""; description = "";
group = "derped"; group = "derped";
extraGroups = [ "audio" "wheel" "network" ] ++ (if cfg.conf.networking.hostName != "Ophanim" then ["input" "cups" "lp"] else []); extraGroups = [ "audio" "wheel" "network" ] ++ (if config.machine.hostName != "Ophanim" then ["input" "cups" "lp" "docker"] else []);
uid = 1337; uid = 1337;
shell = "/run/current-system/sw/bin/zsh"; shell = "/run/current-system/sw/bin/zsh";
passwordFile = "/secret/derped"; passwordFile = "/secret/derped";
openssh.authorizedKeys.keyFiles = (if cfg.conf.networking.hostName != "Ophanim" then [] else [ "/secret/derped.pub" ]); openssh.authorizedKeys.keyFiles = (if config.machine.hostName != "Ophanim" then [] else [ "/secret/derped.pub" ]);
}; };
groups.derped = { groups.derped = {
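Review bot: The `"docker"` added to `extraGroups` for non-Ophanim hosts grants derped root-equivalent access: membership in the docker group means unrestricted access to the daemon socket, which the daemon serves as root. The user is already in `wheel`, so this may well be intended, but the privilege should be documented where it is granted rather than only in services/docker.nix, e.g. `# docker group membership is root-equivalent (daemon socket access); deliberately not granted on Ophanim`. The `users.derped` attribute set continues past the end of this hunk.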


@ -1,13 +1,24 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
with lib;
let let
cfg = import ("/etc/nixos/machines/" + (builtins.replaceStrings ["\n"] [""] (builtins.readFile /etc/hostname)) + "/configuration.nix"); # hint: use 'echo -n' so there is no newline char in the hostName file
in { cfgPath = (builtins.toPath ("/etc/nixos/machines/" + (builtins.readFile /secret/hostName) + "/configuration.nix"));
in rec {
imports = [ imports = [
cfg.confPath cfgPath
./config/default.nix
# use
# config.machine.confPath
# instead of
./machines/Lilim/Lilim.nix
# ./config/default.nix # same problem as above
./pkgs/nixpkgs.nix ./pkgs/nixpkgs.nix
./pkgs/pkgsets.nix ./pkgs/pkgsets.nix
./services/default.nix # ./services/default.nix # same problem as above
]; ];
} }
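Review bot: `cfgPath = (builtins.toPath ("/etc/nixos/machines/" + (builtins.readFile /secret/hostName) + "/configuration.nix"));` drops the newline stripping that the removed `cfg` line performed with `replaceStrings`, replacing it with the `echo -n` hint; a file written by an editor or by `hostname > /secret/hostName` ends in `\n`, which yields a machine directory name containing a newline and a failing import. Keep the normalisation in code rather than in a comment: `cfgPath = builtins.toPath ("/etc/nixos/machines/" + (removeSuffix "\n" (builtins.readFile /secret/hostName)) + "/configuration.nix");` (`with lib;` is already in scope). Reading the file at evaluation time also ties the build to the evaluating host's /secret directory; since the value only selects a directory under machines/, it need not be treated as a secret, and a plain file elsewhere would avoid mixing it with real credentials.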


@ -1,7 +1,15 @@
{ config, lib, pkgs, ... }:
with lib;
{ {
imports = [ ../../options/machine.nix ];
config.machine = {
confPath = ./Lilim.nix; confPath = ./Lilim.nix;
pkgs = [ pkgs = [
"base" "base"
"dict"
"emacs" "emacs"
"extra" "extra"
"cpp" "cpp"
@ -13,12 +21,11 @@
]; ];
services = [ services = [
../../services/xserver.nix ../../services/xserver.nix
../../services/docker.nix
../../services/udev.nix ../../services/udev.nix
../../services/cups.nix ../../services/cups.nix
]; ];
conf = {
allowUnfree = true; allowUnfree = true;
networking = {
hostName = "Lilim"; hostName = "Lilim";
firewall = { firewall = {
allowPing = true; allowPing = true;
@ -28,5 +35,4 @@
allowedTCPPortRanges = [ { from = 1714; to = 1764; } ]; allowedTCPPortRanges = [ { from = 1714; to = 1764; } ];
}; };
}; };
};
} }

View file

@ -7,7 +7,7 @@
boot = { boot = {
initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ]; initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ];
kernelPackages = pkgs.linuxPackages_latest; kernelPackages = pkgs.linuxPackages_latest_hardened;
kernelModules = [ ]; kernelModules = [ ];
extraModulePackages = [ ]; extraModulePackages = [ ];
loader.grub = { loader.grub = {
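Review bot: `kernelPackages = pkgs.linuxPackages_latest_hardened;` switches only the kernel build; it does not bring in the rest of the hardening that the NixOS `profiles/hardened.nix` module applies (among others kernel-module locking and sysctl tightening, the exact set depending on the nixpkgs revision), and tracking `latest` means the kernel changes major version on every channel update. If the intent is a hardened host, consider importing `<nixpkgs/nixos/modules/profiles/hardened.nix>` alongside this line and checking that module locking is compatible with the modules listed in `initrd.availableKernelModules`; either way a comment should state the chosen scope, e.g. `# hardened kernel build only; the NixOS hardened profile is not applied here`. Which machine this file belongs to is not visible in the hunk — the commit message suggests Ophanim.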

70
options/machine.nix Normal file

@ -0,0 +1,70 @@
{ config, pkgs, lib, ... }:
with lib;
{
options.machine = {
confPath = mkOption {
type = types.path;
description = ''
Path to the machines configuration.nix
'';
};
allowUnfree = mkOption {
type = types.bool;
description = ''
Wether to allow the installation of unfree packages.
'';
};
pkgs = mkOption {
type = types.listOf types.string;
description = ''
The list of metapackages to be installed.
'';
};
services = mkOption {
type = types.listOf types.path;
description = ''
List of services to be enabled.
'';
};
hostName = mkOption {
type = types.str;
description = ''
The Machines HostName
'';
};
firewall = {
allowPing = mkOption {
type = types.bool;
description = ''
See networking.firewall.allowPing.
'';
};
allowedUDPPorts = mkOption {
type = types.listOf types.int;
description = ''
See networking.firewall.allowerdUDPPorts.
'';
};
allowedTCPPorts = mkOption {
type = types.listOf types.int;
description = ''
See networking.firewall.allowedTCPPorts.
'';
};
allowedUDPPortRanges = mkOption {
type = types.listOf (types.attrsOf types.int);
description = ''
See networking.firewall.allowerdUDPPortRanges.
'';
};
allowedTCPPortRanges = mkOption {
type = types.listOf (types.attrsOf types.int);
description = ''
See networking.firewall.allowedTCPPortRanges.
'';
};
};
};
}
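Review bot: None of the `firewall` options nor `allowUnfree` has a `default`, so a machine module that leaves one of them unset makes the whole configuration fail to evaluate with "option used but not defined", because config/networking.nix reads all five firewall options unconditionally. Add `default = [];` to the four list options and `default = false;` to `allowPing` and `allowUnfree`, so that an unset option means closed ports and no unfree packages rather than an evaluation error. `type = types.listOf types.string;` on `pkgs` should be `types.listOf types.str` — `types.string` is the older spelling that nixpkgs deprecates, and the file already uses `types.str` for `hostName`. The descriptions also have typos worth fixing (`Wether`, `allowerdUDPPorts`, `allowerdUDPPortRanges`, `The Machines HostName`).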


@ -3,9 +3,10 @@
gitpkgs ? import /nixpkgs/default.nix, gitpkgs ? import /nixpkgs/default.nix,
config, lib, pkgs, ... }: config, lib, pkgs, ... }:
with lib;
let let
cfg = with lib; import ("/etc/nixos/machines/" + (replaceStrings ["\n"] [""] (readFile /etc/hostname)) + "/configuration.nix"); optPkgs = package: pkgstring: if elem pkgstring config.machine.pkgs then package else [];
optPkgs = with lib; package: pkgstring: if elem pkgstring cfg.pkgs then package else [];
gitpkgs = import /nixpkgs/default.nix {}; gitpkgs = import /nixpkgs/default.nix {};
# Programms I'm likely to want on every machine and/or may execute as root # Programms I'm likely to want on every machine and/or may execute as root
@ -36,7 +37,7 @@ let
nix-update-source nix-update-source
nix-zsh-completions nix-zsh-completions
nixbang nixbang
# nixops nixops
nmap nmap
nox nox
ntfs3g ntfs3g
@ -66,6 +67,12 @@ let
zsh zsh
]; ];
dict = with pkgs; [
translate-shell
( hunspellWithDicts (with pkgs.hunspellDicts; [ de-de en-us ] ))
( aspellWithDicts (d: [ d.de d.en d.en-computers d.en-science ] ))
];
emacs = gitpkgs.emacsWithPackages (epkgs: with epkgs; [ emacs = gitpkgs.emacsWithPackages (epkgs: with epkgs; [
/* Theming */ /* Theming */
solarized-theme color-theme-sanityinc-tomorrow moe-theme powerline moody minions solarized-theme color-theme-sanityinc-tomorrow moe-theme powerline moody minions
@ -80,6 +87,7 @@ let
wsd-mode wsd-mode
plantuml-mode plantuml-mode
/* Other Stuff, not yet sorted */ /* Other Stuff, not yet sorted */
google-translate
transmission transmission
org-plus-contrib orgit ox-gfm ox-rst org-plus-contrib orgit ox-gfm ox-rst
eclim eclim
@ -160,6 +168,7 @@ let
elpy elpy
emoji emoji
epc epc
genanki
numpy numpy
opencv3 opencv3
paho-mqtt paho-mqtt
@ -168,7 +177,6 @@ let
pip pip
plotly plotly
pyflakes pyflakes
pygame_sdl2
pylama pylama
pylint pylint
pyopengl pyopengl
@ -204,7 +212,6 @@ let
# flaskbabel # flaskbabel
/* temporarily fix python stuff */ /* temporarily fix python stuff */
py3status pytz tzlocal py3status pytz tzlocal
]); ]);
rustpkgs = with pkgs; [ rustpkgs = with pkgs; [
@ -243,6 +250,7 @@ let
in { in {
environment.systemPackages = base environment.systemPackages = base
++ (optPkgs dict "dict")
++ (optPkgs [emacs] "emacs") ++ (optPkgs [emacs] "emacs")
++ (optPkgs extra "extra") ++ (optPkgs extra "extra")
++ (optPkgs mailutils "mailutils") ++ (optPkgs mailutils "mailutils")
@ -256,8 +264,8 @@ in {
++ (optPkgs xpkgs "xpkgs"); ++ (optPkgs xpkgs "xpkgs");
services.emacs = { services.emacs = {
enable = (lib.elem "emacs" cfg.pkgs); enable = (elem "emacs" config.machine.pkgs);
install = (lib.elem "emacs" cfg.pkgs); install = (elem "emacs" config.machine.pkgs);
package = emacs; package = emacs;
}; };
} }
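Review bot: `gitpkgs = import /nixpkgs/default.nix {};` in the `let` shadows the `gitpkgs ? import /nixpkgs/default.nix` module argument two lines above, so the argument's default is dead, and both point at an unpinned local checkout: whichever revision is checked out at /nixpkgs when the system is built decides which `emacsWithPackages` (and whatever else is drawn from `gitpkgs`) lands in `environment.systemPackages`, with no record of it in the configuration. This predates the commit, but the hunk touches both lines and the new `dict` set and `nixops` widen the package surface being assembled here. Pinning the checkout (e.g. `builtins.fetchGit { url = <repo-url>; rev = "<pinned-rev>"; }`) or at least recording the revision in a comment next to the import would make the resulting system reproducible and auditable.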


@ -1,7 +1,7 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let with lib;
cfg = import ("/etc/nixos/machines/" + (builtins.replaceStrings ["\n"] [""] (builtins.readFile /etc/hostname)) + "/configuration.nix");
in { {
imports = cfg.services; imports = config.machine.services;
} }

8
services/docker.nix Normal file

@ -0,0 +1,8 @@
{ config, lib, pkgs, ... }:
# Note: add privileged users to docker group for access
{
virtualisation.docker.enable = true;
environment.systemPackages = with pkgs; [ docker-compose docker-machine ];
### Docker Image stuff will probably follow here
}
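Review bot: `virtualisation.docker.enable = true;` has two consequences the note at the top of this file should spell out: docker group membership (which users.nix now grants to derped on non-Ophanim hosts) is root-equivalent because the daemon socket is served by a root daemon, and the daemon manages its own iptables rules, so container ports published with `-p` are reachable regardless of `networking.firewall.allowedTCPPorts`. Suggest replacing the comment with `# Note: docker group membership is root-equivalent (daemon socket access).` followed by `# Docker manages its own iptables rules, so published container ports bypass networking.firewall.`.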