commit a65b8d6dbf555cc27d0b944db8406d9ec858a6fc
parent 2be2920b281d396f368bca6c0d17d2d6fa2ad129
Author: Vincent Demeester <vincent@sbr.pm>
Date: Thu, 5 Sep 2024 00:23:24 +0200
Starting to clean up systems/modules/profiles
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Diffstat:
19 files changed, 68 insertions(+), 421 deletions(-)
diff --git a/flake.nix b/flake.nix
@@ -52,7 +52,7 @@
./systems/modules/dev/default.nix
./systems/modules/editors/default.nix
./systems/modules/hardware/default.nix
- ./systems/modules/profiles/default.flake.nix # TODO: rename
+ ./systems/modules/profiles/default.nix
./systems/modules/virtualisation/default.nix
./systems/modules/virtualisation/buildkit.nix
./systems/modules/services/default.nix
@@ -60,10 +60,7 @@
# Profiles probably need to go away
./systems/modules/profiles/base.nix
./systems/modules/profiles/builder.nix
- ./systems/modules/profiles/dns.nix
./systems/modules/profiles/i18n.nix
- ./systems/modules/profiles/home.nix
- ./systems/modules/profiles/redhat.nix
./systems/modules/profiles/wireguard.server.nix
inputs.sops-nix.nixosModules.sops
# inputs.envfs.nixosModules.envfs
diff --git a/systems/hosts/aomi.nix b/systems/hosts/aomi.nix
@@ -119,10 +119,6 @@ in
};
};
};
- profiles = {
- # home = true;
- work.redhat = true;
- };
services = {
avahi.enable = true;
ssh.enable = true;
@@ -134,7 +130,7 @@ in
virtualisation.libvirt = { enable = true; nested = true; };
};
- profiles = {
+ modules.profiles = {
# externalbuilder.enable = true;
home = true;
};
diff --git a/systems/hosts/athena.nix b/systems/hosts/athena.nix
@@ -53,7 +53,9 @@ in
# profiles.base.systemd-boot = lib.mkForce true;
#
modules = {
+ profiles.home = true;
services = {
+ bind.enable = true;
# syncthing = {
# enable = true;
# guiAddress = "${metadata.hosts.sakhalin.wireguard.addrs.v4}:8384";
@@ -62,11 +64,6 @@ in
ssh.enable = true;
};
};
- #
- profiles = {
- bind.enable = true;
- home = true;
- };
# services = {
# wireguard = {
diff --git a/systems/hosts/demeter.nix b/systems/hosts/demeter.nix
@@ -53,7 +53,9 @@ in
# profiles.base.systemd-boot = lib.mkForce true;
#
modules = {
+ profiles.home = true;
services = {
+ bind.enable = true;
# syncthing = {
# enable = true;
# guiAddress = "${metadata.hosts.sakhalin.wireguard.addrs.v4}:8384";
@@ -62,11 +64,6 @@ in
ssh.enable = true;
};
};
- #
- profiles = {
- bind.enable = true;
- home = true;
- };
# services = {
# wireguard = {
diff --git a/systems/hosts/k8sn1.nix b/systems/hosts/k8sn1.nix
@@ -1,53 +0,0 @@
-{ sources ? import ../../nix
-, lib ? sources.lib
-, pkgs ? sources.pkgs { }
-, ...
-}:
-
-let
- hostname = "k8sn1.home";
- kubeMasterIP = "192.168.1.130";
-in
-{
- imports = [
- <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
- (import ../../nix).home-manager-stable
- ../modules/default.stable.nix
- # FIXME Need to refactor vincent user as.. it's adding way to much by default...
-
- import ../../users/root
- ];
-
- fileSystems."/" = {
- device = "/dev/disk/by-label/nixos";
- fsType = "ext4";
- autoResize = true;
- };
-
- boot.growPartition = true;
- boot.kernelParams = [ "console=ttyS0" ];
- boot.loader.grub.device = "/dev/vda";
- boot.loader.timeout = 0;
-
- networking = {
- hostName = hostname;
- domain = "home";
- firewall.enable = false;
- };
-
- profiles = {
- nix-auto-update.enable = false;
- ssh.enable = true;
- # systemd-boot doesn't with nixos-generators 🙃
- base.systemd-boot = false;
- kubernetes = {
- enable = true;
- master = {
- enable = true;
- ip = kubeMasterIP;
- };
- };
- };
-
- users.extraUsers.root.password = "";
-}
diff --git a/systems/hosts/k8sn2.nix b/systems/hosts/k8sn2.nix
@@ -1,53 +0,0 @@
-{ sources ? import ../../nix
-, lib ? sources.lib
-, pkgs ? sources.pkgs { }
-, ...
-}:
-
-let
- hostname = "k8sn2.home";
- kubeMasterIP = "192.168.1.130";
-in
-{
- imports = [
- <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
- (import ../../nix).home-manager-stable
- ../modules/default.stable.nix
- # FIXME Need to refactor vincent user as.. it's adding way to much by default...
-
- import ../../users/root
- ];
-
- fileSystems."/" = {
- device = "/dev/disk/by-label/nixos";
- fsType = "ext4";
- autoResize = true;
- };
-
- boot.growPartition = true;
- boot.kernelParams = [ "console=ttyS0" ];
- boot.loader.grub.device = "/dev/vda";
- boot.loader.timeout = 0;
-
- networking = {
- hostName = hostname;
- domain = "home";
- firewall.enable = false;
- };
-
- profiles = {
- nix-auto-update.enable = false;
- ssh.enable = true;
- # systemd-boot doesn't with nixos-generators 🙃
- base.systemd-boot = false;
- kubernetes = {
- enable = true;
- master = {
- enable = false;
- ip = kubeMasterIP;
- };
- };
- };
-
- users.extraUsers.root.password = "";
-}
diff --git a/systems/hosts/k8sn3.nix b/systems/hosts/k8sn3.nix
@@ -1,53 +0,0 @@
-{ sources ? import ../../nix
-, lib ? sources.lib
-, pkgs ? sources.pkgs { }
-, ...
-}:
-
-let
- hostname = "k8sn3.home";
- kubeMasterIP = "192.168.1.130";
-in
-{
- imports = [
- <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
- (import ../../nix).home-manager-stable
- ../modules/default.stable.nix
- # FIXME Need to refactor vincent user as.. it's adding way to much by default...
-
- import ../../users/root
- ];
-
- fileSystems."/" = {
- device = "/dev/disk/by-label/nixos";
- fsType = "ext4";
- autoResize = true;
- };
-
- boot.growPartition = true;
- boot.kernelParams = [ "console=ttyS0" ];
- boot.loader.grub.device = "/dev/vda";
- boot.loader.timeout = 0;
-
- networking = {
- hostName = hostname;
- domain = "home";
- firewall.enable = false;
- };
-
- profiles = {
- nix-auto-update.enable = false;
- ssh.enable = true;
- # systemd-boot doesn't with nixos-generators 🙃
- base.systemd-boot = false;
- kubernetes = {
- enable = true;
- master = {
- enable = false;
- ip = kubeMasterIP;
- };
- };
- };
-
- users.extraUsers.root.password = "";
-}
diff --git a/systems/hosts/sakhalin.nix b/systems/hosts/sakhalin.nix
@@ -60,6 +60,7 @@ in
};
modules = {
+ profiles.home = true;
services = {
syncthing = {
enable = true;
@@ -71,11 +72,6 @@ in
virtualisation.libvirt = { enable = true; nested = true; listenTCP = true; };
};
- profiles = {
- bind.enable = true;
- home = true;
- };
-
fileSystems."/export/gaia" = { device = "/mnt/gaia"; options = [ "bind" ]; };
fileSystems."/export/toshito" = { device = "/mnt/toshito"; options = [ "bind" ]; };
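Review bot: The removed block enabled bind on this host (`bind.enable = true;`) but the new side of the file only adds `modules.profiles.home = true;`, so sakhalin silently stops serving the `home`/`vpn` zones after this commit, whereas athena and demeter receive `modules.services.bind.enable = true` in the same change. If the DNS role is meant to move off sakhalin that is fine, but anything still pointed at it as resolver would need updating; otherwise add `bind.enable = true;` inside the `modules.services = { ... }` block next to `syncthing`, as athena does. The `modules = { ... }` block whose closing brace is at the top of this hunk starts outside it.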
diff --git a/systems/hosts/shikoku.nix b/systems/hosts/shikoku.nix
@@ -139,17 +139,12 @@ in
ssh.enable = true;
};
virtualisation.libvirt = { enable = true; nested = true; listenTCP = true; };
+ profiles.home = true;
};
environment.systemPackages = [ pkgs.python310Packages.aria2p ];
-
-
programs.ssh.setXAuthLocation = true;
- profiles = {
- bind.enable = true;
- home = true;
- };
sops.secrets.aria2RPCSecret = {
mode = "444";
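Review bot: The deleted `profiles` block enabled bind on this host, but the new side only adds `profiles.home = true;` under `modules`, so shikoku loses its DNS server in this commit while athena and demeter gain `modules.services.bind.enable = true`; if that is not intended, add `bind.enable = true;` next to `ssh.enable = true;` in what appears to be the `modules.services` block at the top of the hunk. Unrelated to the migration but visible in the context lines: `sops.secrets.aria2RPCSecret` is installed with `mode = "444"`, which makes the RPC secret readable by every local user and process; `mode = "400"` with `owner` set to the user that runs aria2 would confine it. The `modules = { ... }` block closed at the top of this hunk starts outside it.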
diff --git a/systems/hosts/wakasu.nix b/systems/hosts/wakasu.nix
@@ -126,7 +126,6 @@ in
};
};
profiles = {
- # home = true;
work.redhat = true;
};
services = {
@@ -140,7 +139,7 @@ in
};
# TODO Migrate to modules
- profiles.home = true;
+ modules.profiles.home = true;
virtualisation.podman.dockerSocket.enable = true;
virtualisation.podman.autoPrune.enable = true;
environment.systemPackages = with pkgs; [
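Review bot: The `# TODO Migrate to modules` comment now sits directly above the line this commit migrates (`modules.profiles.home = true;`), so it reads as stale; either drop it or move it up to the remaining un-migrated `profiles = { work.redhat = true; };` block, which still uses the old `profiles` namespace while aomi has had the same setting removed. Whether `profiles.work.redhat` is still a declared option depends on `work.nix`, which this diff does not touch, so that block presumably still evaluates, but it is now the one piece of this host left on the old namespace.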
diff --git a/systems/modules/profiles/default.flake.nix b/systems/modules/profiles/default.flake.nix
@@ -1,5 +0,0 @@
-{
- imports = [
- ./work.nix
- ];
-}
diff --git a/systems/modules/profiles/default.nix b/systems/modules/profiles/default.nix
@@ -1,32 +1,6 @@
{
imports = [
./work.nix
- # Move this "away"
- ./base.nix
- ./builder.nix
- ./desktop.nix
- ./dev.nix
- ./dns.nix
- ./docker.nix
- ./gaming.nix
- ./git.nix
- ./gnome.nix
./home.nix
- ./i18n.nix
- ./i3.nix
- ./ipfs.nix
- ./kubernetes.nix
- ./laptop.nix
- ./mail.nix
- ./nix-auto-update.nix
- ./printing.nix
- ./pulseaudio.nix
- ./qemu.nix
- ./redhat.nix
- ./scanning.nix
- ./virtualization.nix
- ./wireguard.server.nix
- ./yubikey.nix
- ./zsh.nix
];
}
diff --git a/systems/modules/profiles/default.stable.nix b/systems/modules/profiles/default.stable.nix
@@ -1,34 +0,0 @@
-{
- imports = [
- ./avahi.nix
- ./base.nix
- ./builder.nix
- ./desktop.nix
- ./dev.nix
- ./dns.nix
- ./docker.stable.nix
- ./gaming.nix
- ./git.nix
- ./gnome.nix
- ./home.nix
- ./i18n.nix
- ./i3.nix
- ./ipfs.nix
- ./kubernetes.nix
- ./laptop.nix
- ./mail.nix
- ./nix-auto-update.nix
- ./printing.nix
- ./pulseaudio.nix
- ./qemu.nix
- ./redhat.nix
- ./scanning.nix
- ./ssh.nix
- ./syncthing.nix
- ./sway.nix
- ./virtualization.nix
- ./wireguard.server.nix
- ./yubikey.nix
- ./zsh.nix
- ];
-}
diff --git a/systems/modules/profiles/dns.nix b/systems/modules/profiles/dns.nix
@@ -1,56 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
- inherit (lib) mkIf mkEnableOption;
- cfg = config.profiles.bind;
-in
-{
- options = {
- profiles.bind = {
- enable = mkEnableOption "Enable bind profile";
- };
- };
- config = mkIf cfg.enable {
-
- services = {
- bind = {
- enable = true;
- forwarders = [ "8.8.8.8" "8.8.4.4" ];
- extraOptions = ''
- dnssec-validation no;
- '';
- cacheNetworks = [ "192.168.1.0/24" "127.0.0.0/8" "10.100.0.0/24" ];
- zones = [
- {
- # home
- name = "home";
- master = true;
- slaves = [ ];
- file = ../../../secrets/db.home;
- }
- {
- # home.reverse
- name = "192.168.1.in-addr.arpa";
- master = true;
- slaves = [ ];
- file = ../../../secrets/db.192.168.1;
- }
- {
- # vpn
- name = "vpn";
- master = true;
- slaves = [ ];
- file = ../../../secrets/db.vpn;
- }
- {
- # vpn.reverse
- name = "10.100.0.in-addr.arpa";
- master = true;
- slaves = [ ];
- file = ../../../secrets/db.10.100.0;
- }
- ];
- };
- };
- };
-}
diff --git a/systems/modules/profiles/home.nix b/systems/modules/profiles/home.nix
@@ -2,14 +2,14 @@
with lib;
let
- cfg = config.profiles.home;
+ cfg = config.modules.profiles.home;
secretPath = ../../../secrets/machines.nix;
secretCondition = (builtins.pathExists secretPath);
machines = lib.optionalAttrs secretCondition (import secretPath);
in
{
options = {
- profiles.home = mkEnableOption "Enable home profile";
+ modules.profiles.home = mkEnableOption "Enable home profile";
};
config = mkIf cfg {
boot.kernelParams = [ "nfs.nfs4_disable_idmapping=0" "nfsd.nfs4_disable_idmapping=0" ];
diff --git a/systems/modules/profiles/redhat.nix b/systems/modules/profiles/redhat.nix
@@ -1,106 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-let
- cfg = config.profiles.redhat;
- common = {
- sopsFile = ../../../secrets/desktops/redhat.yaml;
- mode = "444";
- owner = "root";
- group = "root";
- };
-in
-{
- options = {
- profiles.redhat = {
- enable = mkEnableOption "Enable the Red Hat profiles (VPN, certs, …)";
- };
- };
- config = mkIf cfg.enable {
- environment.systemPackages = with pkgs; [
- krb5
- (google-chrome.override {
- commandLineArgs = "--auth-negotiate-delegate-whitelist='*.redhat.com' --auth-server-whitelist=.redhat.com";
- })
- libnotify
- ];
- sops.secrets."krb5.conf" = {
- inherit (common) mode owner group sopsFile;
- path = "/etc/krb5.conf";
- };
- # NetworkManager
- sops.secrets."1-RHVPN.ovpn" = {
- inherit (common) owner group sopsFile;
- path = "/etc/NetworkManager/system-connections/1-RHVPN.ovpn";
- mode = "600";
- };
- sops.secrets."AMS2.ovpn" = {
- inherit (common) owner group sopsFile;
- path = "/etc/NetworkManager/system-connections/AMS2.ovpn";
- mode = "600";
- };
- sops.secrets."BBRQ.ovpn" = {
- inherit (common) owner group sopsFile;
- path = "/etc/NetworkManager/system-connections/BBRQ.ovpn";
- mode = "600";
- };
- sops.secrets."RDU2.ovpn" = {
- inherit (common) owner group sopsFile;
- path = "/etc/NetworkManager/system-connections/RDU2.ovpn";
- mode = "600";
- };
- sops.secrets."PNQ2.ovpn" = {
- inherit (common) owner group sopsFile;
- path = "/etc/NetworkManager/system-connections/PNQ2.ovpn";
- mode = "600";
- };
- sops.secrets."FAB.ovpn" = {
- inherit (common) owner group sopsFile;
- path = "/etc/NetworkManager/system-connections/FAB.ovpn";
- mode = "600";
- };
- # Certificates
- security.pki.certificateFiles = [
- "/etc/pki/tls/certs/2022-IT-Root-CA.pem"
- "/etc/pki/tls/certs/2015-RH-IT-Root-CA.pem"
- "/etc/pki/tls/certs/Eng-CA.crt"
- "/etc/pki/tls/certs/newca.crt"
- ];
- sops.secrets."ipa.crt" = {
- inherit (common) mode owner group sopsFile;
- path = "/etc/ipa/ipa.crt";
- };
- sops.secrets."2022-IT-Root-CA.pem" = {
- inherit (common) mode owner group sopsFile;
- path = "/etc/pki/tls/certs/2022-IT-Root-CA.pem";
- };
- sops.secrets."2015-RH-IT-Root-CA.pem" = {
- inherit (common) mode owner group sopsFile;
- path = "/etc/pki/tls/certs/2015-RH-IT-Root-CA.pem";
- };
- sops.secrets."Eng-CA.crt" = {
- inherit (common) mode owner group sopsFile;
- path = "/etc/pki/tls/certs/Eng-CA.crt";
- };
- sops.secrets."newca.crt" = {
- inherit (common) mode owner group sopsFile;
- path = "/etc/pki/tls/certs/newca.crt";
- };
- sops.secrets."oracle_ebs.crt" = {
- inherit (common) mode owner group sopsFile;
- path = "/etc/pki/tls/certs/oracle_ebs.crt";
- };
- sops.secrets."pki-ca-chain.crt" = {
- inherit (common) mode owner group sopsFile;
- path = "/etc/pki/tls/certs/pki-ca-chain.crt";
- };
- sops.secrets."RH_ITW.crt" = {
- inherit (common) mode owner group sopsFile;
- path = "/etc/pki/tls/certs/RH_ITW.crt";
- };
- sops.secrets."win-intermediate-ca.cer" = {
- inherit (common) mode owner group sopsFile;
- path = "/etc/pki/tls/certs/win-intermediate-ca.cer";
- };
- };
-}
diff --git a/systems/modules/services/bind.nix b/systems/modules/services/bind.nix
@@ -0,0 +1,56 @@
+{ config, lib, pkgs, ... }:
+
+let
+ inherit (lib) mkIf mkEnableOption;
+ cfg = config.modules.services.bind;
+in
+{
+ options = {
+ modules.services.bind = {
+ enable = mkEnableOption "Enable bind profile";
+ };
+ };
+ config = mkIf cfg.enable {
+
+ services = {
+ bind = {
+ enable = true;
+ forwarders = [ "8.8.8.8" "8.8.4.4" ];
+ extraOptions = ''
+ dnssec-validation no;
+ '';
+ cacheNetworks = [ "192.168.1.0/24" "127.0.0.0/8" "10.100.0.0/24" ];
+ zones = [
+ {
+ # home
+ name = "home";
+ master = true;
+ slaves = [ ];
+ file = ../../../secrets/db.home;
+ }
+ {
+ # home.reverse
+ name = "192.168.1.in-addr.arpa";
+ master = true;
+ slaves = [ ];
+ file = ../../../secrets/db.192.168.1;
+ }
+ {
+ # vpn
+ name = "vpn";
+ master = true;
+ slaves = [ ];
+ file = ../../../secrets/db.vpn;
+ }
+ {
+ # vpn.reverse
+ name = "10.100.0.in-addr.arpa";
+ master = true;
+ slaves = [ ];
+ file = ../../../secrets/db.10.100.0;
+ }
+ ];
+ };
+ };
+ };
+}
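Review bot: The four zone `file` values (`../../../secrets/db.home` and siblings) are Nix path literals, so evaluating this module copies those files into /nix/store, where they are world-readable on the host and, if the host pushes to a binary cache, shipped there too; that is harmless for plain zone data, but their location under `secrets/` suggests checking that they hold nothing sensitive (TSIG keys, hostnames you do not want leaked) and otherwise pointing `file` at a string path provisioned by sops rather than a store path. `dnssec-validation no;` together with plaintext forwarding to 8.8.8.8/8.8.4.4 means every forwarded answer is accepted unverified; if that is deliberate (e.g. the private `home`/`vpn` zones are unsigned), a one-line comment such as `# validation off: private zones are unsigned, forwarded answers are unverified` would stop the next reader from guessing. Minor: `mkEnableOption` already prefixes "Whether to enable", so the description renders as "Whether to enable Enable bind profile."; `mkEnableOption "the bind DNS server"` reads correctly and drops the now-stale "profile" wording.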
diff --git a/systems/modules/services/default.nix b/systems/modules/services/default.nix
@@ -2,6 +2,7 @@
imports = [
./avahi.nix
./barrier.nix
+ ./bind.nix
./gosmee.nix
./govanityurl.nix
./nix-binary-cache.nix
diff --git a/users/vincent/desktop/default.nix b/users/vincent/desktop/default.nix
@@ -36,7 +36,6 @@ in
# nyxt
obs-studio
playerctl
- profile-sync-daemon
trash-cli
xdg-user-dirs
xdg-utils