Started work on modularized machine config, does not quite work yet. Changed Ophanim's kernel to hardened.
This commit is contained in:
parent
2efae4f888
commit
a0f361425a
10 changed files with 162 additions and 63 deletions
|
@ -1,8 +1,6 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
cfg = import ("/etc/nixos/machines/" + (builtins.replaceStrings ["\n"] [""] (builtins.readFile /etc/hostname)) + "/configuration.nix");
|
||||
in {
|
||||
{
|
||||
imports = [
|
||||
./etc.nix
|
||||
./locale.nix
|
||||
|
@ -10,5 +8,5 @@ in {
|
|||
./nix.nix
|
||||
./users.nix
|
||||
./zsh.nix
|
||||
] ++ (if cfg.conf.networking.hostName != "Ophanim" then [./fonts.nix] else [./security.nix]);
|
||||
] ++ (if (config.machine.hostName != "Ophanim") then [./fonts.nix] else [./security.nix]);
|
||||
}
|
||||
|
|
|
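Review bot: The new selector `] ++ (if (config.machine.hostName != "Ophanim") then [./fonts.nix] else [./security.nix]);` (the new side of the second hunk, as far as the rendering shows) makes `imports` depend on `config`, which the NixOS module system cannot resolve: modules are collected before `config` is fixed, so evaluation ends in infinite recursion rather than "does not quite work yet". The same pattern is in `services/default.nix` (`imports = config.machine.services;`) and is what the commented-out `config.machine.confPath` lines in the top-level configuration.nix are circling around. An option can steer what a module sets, not which modules exist, so either import `./fonts.nix` and `./security.nix` unconditionally and guard their bodies with `config = lib.mkIf (config.machine.hostName != "Ophanim") { ... };`, or compute the host-specific path outside the module system in a `let`, as `cfgPath` in configuration.nix already does. The file's closing brace is inside the hunk.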
@ -1,18 +1,18 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
cfg = import ("/etc/nixos/machines/" + (builtins.replaceStrings ["\n"] [""] (builtins.readFile /etc/hostname)) + "/configuration.nix");
|
||||
firewallcfg = config.machine.networking.firewall;
|
||||
in {
|
||||
networking = {
|
||||
hostName = cfg.conf.networking.hostName;
|
||||
# should probably add some etc file for this....
|
||||
hostName = config.machine.hostName;
|
||||
|
||||
firewall = {
|
||||
enable = true;
|
||||
allowPing = cfg.conf.networking.firewall.allowPing;
|
||||
allowedUDPPorts = cfg.conf.networking.firewall.allowedUDPPorts;
|
||||
allowedTCPPorts = cfg.conf.networking.firewall.allowedTCPPorts;
|
||||
allowedUDPPortRanges = cfg.conf.networking.firewall.allowedUDPPortRanges;
|
||||
allowedTCPPortRanges = cfg.conf.networking.firewall.allowedTCPPortRanges;
|
||||
allowPing = firewallcfg.allowPing;
|
||||
allowedUDPPorts = firewallcfg.allowedUDPPorts;
|
||||
allowedTCPPorts = firewallcfg.allowedTCPPorts;
|
||||
allowedUDPPortRanges = firewallcfg.allowedUDPPortRanges;
|
||||
allowedTCPPortRanges = firewallcfg.allowedTCPPortRanges;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
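Review bot: `firewallcfg = config.machine.networking.firewall;` reads an option path that `options/machine.nix` in this commit does not declare — it defines `machine.firewall` and `machine.hostName` directly under `machine`, and this same file's `hostName = config.machine.hostName;` already follows that flat layout. Evaluation rejects the undeclared `machine.networking` path, so the binding should be `firewallcfg = config.machine.firewall;`. Lilim.nix appears to set `networking = { hostName = "Lilim"; firewall = { ... }; }` inside `config.machine` as well (the rendering does not show which side that line is on); if so it must be flattened to match the declared options, or the declarations nested under `networking` and every `config.machine.hostName` reader (default.nix, users.nix, this file) updated together. The `# should probably add some etc file for this....` comment would be clearer as `# hostName is set per machine via options.machine; no /etc/hostname is read any more`.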
@ -1,8 +1,6 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
cfg = with lib; import ("/etc/nixos/machines/" + (replaceStrings ["\n"] [""] (readFile /etc/hostname)) + "/configuration.nix");
|
||||
in {
|
||||
{
|
||||
users = {
|
||||
mutableUsers = false;
|
||||
users.derped = {
|
||||
|
@ -11,11 +9,11 @@ in {
|
|||
createHome = true;
|
||||
description = "";
|
||||
group = "derped";
|
||||
extraGroups = [ "audio" "wheel" "network" ] ++ (if cfg.conf.networking.hostName != "Ophanim" then ["input" "cups" "lp"] else []);
|
||||
extraGroups = [ "audio" "wheel" "network" ] ++ (if config.machine.hostName != "Ophanim" then ["input" "cups" "lp" "docker"] else []);
|
||||
uid = 1337;
|
||||
shell = "/run/current-system/sw/bin/zsh";
|
||||
passwordFile = "/secret/derped";
|
||||
openssh.authorizedKeys.keyFiles = (if cfg.conf.networking.hostName != "Ophanim" then [] else [ "/secret/derped.pub" ]);
|
||||
openssh.authorizedKeys.keyFiles = (if config.machine.hostName != "Ophanim" then [] else [ "/secret/derped.pub" ]);
|
||||
};
|
||||
|
||||
groups.derped = {
|
||||
|
|
|
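Review bot: `"docker"` is appended to `extraGroups` for every host other than Ophanim, whether or not `../../services/docker.nix` is among that machine's services, and on a host where Docker is not enabled the group is never created. Membership of `docker` is root-equivalent (it grants control of the daemon socket), so it is worth tying to the service rather than to the hostname: `extraGroups = [ "audio" "wheel" "network" ] ++ (if config.machine.hostName != "Ophanim" then ["input" "cups" "lp"] else []) ++ lib.optional config.virtualisation.docker.enable "docker";`. The `users.users.derped` set opens before the hunk and closes inside it.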
@ -1,13 +1,24 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = import ("/etc/nixos/machines/" + (builtins.replaceStrings ["\n"] [""] (builtins.readFile /etc/hostname)) + "/configuration.nix");
|
||||
in {
|
||||
# hint: use 'echo -n' so there is no newline char in the hostName file
|
||||
cfgPath = (builtins.toPath ("/etc/nixos/machines/" + (builtins.readFile /secret/hostName) + "/configuration.nix"));
|
||||
in rec {
|
||||
imports = [
|
||||
cfg.confPath
|
||||
./config/default.nix
|
||||
cfgPath
|
||||
|
||||
|
||||
# use
|
||||
# config.machine.confPath
|
||||
# instead of
|
||||
./machines/Lilim/Lilim.nix
|
||||
|
||||
|
||||
# ./config/default.nix # same problem as above
|
||||
./pkgs/nixpkgs.nix
|
||||
./pkgs/pkgsets.nix
|
||||
./services/default.nix
|
||||
# ./services/default.nix # same problem as above
|
||||
];
|
||||
}
|
||||
|
|
|
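Review bot: `cfgPath = (builtins.toPath ("/etc/nixos/machines/" + (builtins.readFile /secret/hostName) + "/configuration.nix"));` drops the newline stripping that the removed `replaceStrings ["\n"] [""]` expression performed, and the new `# hint: use 'echo -n'` comment pushes that onto whoever writes the file — an ordinary `echo` or editor save yields a path with an embedded newline that does not exist. `with lib;` is already in scope, so `cfgPath = builtins.toPath ("/etc/nixos/machines/" + (fileContents /secret/hostName) + "/configuration.nix");` restores the old behaviour, since `lib.fileContents` strips the trailing newline. `rec` on the attribute set is unused and can go. `cfgPath` in `imports` is fine precisely because it is bound outside the module's `config`, which is the shape the commented `config.machine.confPath` lines cannot take.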
@ -1,32 +1,38 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
{
|
||||
confPath = ./Lilim.nix;
|
||||
pkgs = [
|
||||
"base"
|
||||
"emacs"
|
||||
"extra"
|
||||
"cpp"
|
||||
"haskell"
|
||||
"mailutils"
|
||||
"python3"
|
||||
"rustpkgs"
|
||||
"xpkgs"
|
||||
];
|
||||
services = [
|
||||
../../services/xserver.nix
|
||||
../../services/udev.nix
|
||||
../../services/cups.nix
|
||||
];
|
||||
conf = {
|
||||
imports = [ ../../options/machine.nix ];
|
||||
|
||||
config.machine = {
|
||||
confPath = ./Lilim.nix;
|
||||
pkgs = [
|
||||
"base"
|
||||
"dict"
|
||||
"emacs"
|
||||
"extra"
|
||||
"cpp"
|
||||
"haskell"
|
||||
"mailutils"
|
||||
"python3"
|
||||
"rustpkgs"
|
||||
"xpkgs"
|
||||
];
|
||||
services = [
|
||||
../../services/xserver.nix
|
||||
../../services/docker.nix
|
||||
../../services/udev.nix
|
||||
../../services/cups.nix
|
||||
];
|
||||
allowUnfree = true;
|
||||
networking = {
|
||||
hostName = "Lilim";
|
||||
firewall = {
|
||||
allowPing = true;
|
||||
allowedUDPPorts = [];
|
||||
allowedTCPPorts = [];
|
||||
allowedUDPPortRanges = [ { from = 1714; to = 1764; } ];
|
||||
allowedTCPPortRanges = [ { from = 1714; to = 1764; } ];
|
||||
};
|
||||
hostName = "Lilim";
|
||||
firewall = {
|
||||
allowPing = true;
|
||||
allowedUDPPorts = [];
|
||||
allowedTCPPorts = [];
|
||||
allowedUDPPortRanges = [ { from = 1714; to = 1764; } ];
|
||||
allowedTCPPortRanges = [ { from = 1714; to = 1764; } ];
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
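Review bot: `allowUnfree = true;` is set under `config.machine` and declared in `options/machine.nix`, but no hunk in this commit reads `config.machine.allowUnfree` — nothing maps it to `nixpkgs.config.allowUnfree` — so the value has no effect until a consumer exists. Adding `nixpkgs.config.allowUnfree = config.machine.allowUnfree;` to the shared config (outside any `imports` list) would close that gap. The `config.machine = { ... }` set is wholly inside the hunk.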
@ -7,7 +7,7 @@
|
|||
|
||||
boot = {
|
||||
initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ];
|
||||
kernelPackages = pkgs.linuxPackages_latest;
|
||||
kernelPackages = pkgs.linuxPackages_latest_hardened;
|
||||
kernelModules = [ ];
|
||||
extraModulePackages = [ ];
|
||||
loader.grub = {
|
||||
|
|
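Review bot: The switch to `kernelPackages = pkgs.linuxPackages_latest_hardened;` carries no comment, and the hardened patchset changes more than the build: its stricter defaults (unprivileged user namespaces disabled, among others) can break userland that relies on them, and the `_latest` series means a rebuild can jump to a new major kernel. A line such as `# linux-hardened: stricter kernel defaults (e.g. unprivileged user namespaces off); tracks latest mainline` would record the intent. If the goal is the full hardened baseline, NixOS ships it as `<nixpkgs/nixos/modules/profiles/hardened.nix>`, which sets the kernel package together with the accompanying sysctl and module-loading restrictions. The `boot = {` set continues past the hunk.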
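--- /dev/null
+++ b/options/machine.nix
@@ -0,0 +1,70 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+{
+options.machine = {
+confPath = mkOption {
+type = types.path;
+description = ''
+Path to the machines configuration.nix
+'';
+};
+allowUnfree = mkOption {
+type = types.bool;
+description = ''
+Wether to allow the installation of unfree packages.
+'';
+};
+pkgs = mkOption {
+type = types.listOf types.string;
+description = ''
+The list of metapackages to be installed.
+'';
+};
+services = mkOption {
+type = types.listOf types.path;
+description = ''
+List of services to be enabled.
+'';
+};
+hostName = mkOption {
+type = types.str;
+description = ''
+The Machines HostName
+'';
+};
+firewall = {
+allowPing = mkOption {
+type = types.bool;
+description = ''
+See networking.firewall.allowPing.
+'';
+};
+allowedUDPPorts = mkOption {
+type = types.listOf types.int;
+description = ''
+See networking.firewall.allowerdUDPPorts.
+'';
+};
+allowedTCPPorts = mkOption {
+type = types.listOf types.int;
+description = ''
+See networking.firewall.allowedTCPPorts.
+'';
+};
+allowedUDPPortRanges = mkOption {
+type = types.listOf (types.attrsOf types.int);
+description = ''
+See networking.firewall.allowerdUDPPortRanges.
+'';
+};
+allowedTCPPortRanges = mkOption {
+type = types.listOf (types.attrsOf types.int);
+description = ''
+See networking.firewall.allowedTCPPortRanges.
+'';
+};
+};
+};
+}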
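Review bot: None of the ten options has a `default`, so every machine file must set all of them (including each firewall list) or evaluation fails with an unset-option error; `default = [];` on the four list options and `default = false;` on `allowUnfree` and `allowPing` would leave `hostName` and `confPath` as the only required settings. `pkgs` uses `types.listOf types.string` while `hostName` in the same file uses `types.str`; `types.string` is the deprecated variant that silently concatenates conflicting definitions, so `types.listOf types.str` is the consistent choice. The descriptions carry typos (`Wether`, `allowerdUDPPorts`, `allowerdUDPPortRanges`), which matter here because they surface in generated option documentation.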
@ -3,9 +3,10 @@
|
|||
gitpkgs ? import /nixpkgs/default.nix,
|
||||
config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = with lib; import ("/etc/nixos/machines/" + (replaceStrings ["\n"] [""] (readFile /etc/hostname)) + "/configuration.nix");
|
||||
optPkgs = with lib; package: pkgstring: if elem pkgstring cfg.pkgs then package else [];
|
||||
optPkgs = package: pkgstring: if elem pkgstring config.machine.pkgs then package else [];
|
||||
gitpkgs = import /nixpkgs/default.nix {};
|
||||
|
||||
# Programms I'm likely to want on every machine and/or may execute as root
|
||||
|
@ -36,7 +37,7 @@ let
|
|||
nix-update-source
|
||||
nix-zsh-completions
|
||||
nixbang
|
||||
# nixops
|
||||
nixops
|
||||
nmap
|
||||
nox
|
||||
ntfs3g
|
||||
|
@ -66,6 +67,12 @@ let
|
|||
zsh
|
||||
];
|
||||
|
||||
dict = with pkgs; [
|
||||
translate-shell
|
||||
( hunspellWithDicts (with pkgs.hunspellDicts; [ de-de en-us ] ))
|
||||
( aspellWithDicts (d: [ d.de d.en d.en-computers d.en-science ] ))
|
||||
];
|
||||
|
||||
emacs = gitpkgs.emacsWithPackages (epkgs: with epkgs; [
|
||||
/* Theming */
|
||||
solarized-theme color-theme-sanityinc-tomorrow moe-theme powerline moody minions
|
||||
|
@ -80,6 +87,7 @@ let
|
|||
wsd-mode
|
||||
plantuml-mode
|
||||
/* Other Stuff, not yet sorted */
|
||||
google-translate
|
||||
transmission
|
||||
org-plus-contrib orgit ox-gfm ox-rst
|
||||
eclim
|
||||
|
@ -160,6 +168,7 @@ let
|
|||
elpy
|
||||
emoji
|
||||
epc
|
||||
genanki
|
||||
numpy
|
||||
opencv3
|
||||
paho-mqtt
|
||||
|
@ -168,7 +177,6 @@ let
|
|||
pip
|
||||
plotly
|
||||
pyflakes
|
||||
pygame_sdl2
|
||||
pylama
|
||||
pylint
|
||||
pyopengl
|
||||
|
@ -204,7 +212,6 @@ let
|
|||
# flaskbabel
|
||||
/* temporarily fix python stuff */
|
||||
py3status pytz tzlocal
|
||||
|
||||
]);
|
||||
|
||||
rustpkgs = with pkgs; [
|
||||
|
@ -243,6 +250,7 @@ let
|
|||
|
||||
in {
|
||||
environment.systemPackages = base
|
||||
++ (optPkgs dict "dict")
|
||||
++ (optPkgs [emacs] "emacs")
|
||||
++ (optPkgs extra "extra")
|
||||
++ (optPkgs mailutils "mailutils")
|
||||
|
@ -256,8 +264,8 @@ in {
|
|||
++ (optPkgs xpkgs "xpkgs");
|
||||
|
||||
services.emacs = {
|
||||
enable = (lib.elem "emacs" cfg.pkgs);
|
||||
install = (lib.elem "emacs" cfg.pkgs);
|
||||
enable = (elem "emacs" config.machine.pkgs);
|
||||
install = (elem "emacs" config.machine.pkgs);
|
||||
package = emacs;
|
||||
};
|
||||
}
|
||||
|
|
|
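Review bot: `gitpkgs = import /nixpkgs/default.nix {};` in the `let` shadows the `gitpkgs ? import /nixpkgs/default.nix,` module argument at the top of the first hunk (the argument set opens before it), so the argument is now dead and its default — which never applied `{}` and so would leave `gitpkgs.emacsWithPackages` failing — differs silently from what is used. Keep one of the two: drop the argument, or change its default to `gitpkgs ? import /nixpkgs/default.nix {}` and delete the `let` binding. Separately, `/nixpkgs` is an unpinned checkout, so the Emacs package set built here depends on whatever that working tree holds at evaluation time; `builtins.fetchGit { url = <repo-url>; rev = <pinned-commit>; }` (or `fetchTarball` with a `sha256`) would make it reproducible. The remaining hunks only uncomment `nixops`, add the `dict` set and switch `services.emacs` to `config.machine.pkgs`.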
@ -1,7 +1,7 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
cfg = import ("/etc/nixos/machines/" + (builtins.replaceStrings ["\n"] [""] (builtins.readFile /etc/hostname)) + "/configuration.nix");
|
||||
in {
|
||||
imports = cfg.services;
|
||||
with lib;
|
||||
|
||||
{
|
||||
imports = config.machine.services;
|
||||
}
|
||||
|
|
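--- /dev/null
+++ b/services/docker.nix
@@ -0,0 +1,8 @@
+{ config, lib, pkgs, ... }:
+
+# Note: add privileged users to docker group for access
+{
+virtualisation.docker.enable = true;
+environment.systemPackages = with pkgs; [ docker-compose docker-machine ];
+### Docker Image stuff will probably follow here
+}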
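Review bot: The `# Note: add privileged users to docker group for access` comment understates what the group grants — any member can drive the daemon socket and through it obtain root on the host — so it should read `# Note: members of the docker group control the daemon socket, which is root-equivalent; grant it only to users who already hold wheel`. The module also installs `docker-compose` and `docker-machine` on every host that imports it, with nothing recording why those two client tools live in the service module rather than in a `pkgsets.nix` set; a one-line comment would help. This file is complete within the hunk.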