home

My NixOS systems configurations.

commit a65b8d6dbf555cc27d0b944db8406d9ec858a6fc
parent 2be2920b281d396f368bca6c0d17d2d6fa2ad129
Author: Vincent Demeester <vincent@sbr.pm>
Date:   Thu,  5 Sep 2024 00:23:24 +0200

Starting to clean up systems/modules/profiles

Signed-off-by: Vincent Demeester <vincent@sbr.pm>

Diffstat:
Mflake.nix | 5+----
Msystems/hosts/aomi.nix | 6+-----
Msystems/hosts/athena.nix | 7++-----
Msystems/hosts/demeter.nix | 7++-----
Dsystems/hosts/k8sn1.nix | 53-----------------------------------------------------
Dsystems/hosts/k8sn2.nix | 53-----------------------------------------------------
Dsystems/hosts/k8sn3.nix | 53-----------------------------------------------------
Msystems/hosts/sakhalin.nix | 6+-----
Msystems/hosts/shikoku.nix | 7+------
Msystems/hosts/wakasu.nix | 3+--
Dsystems/modules/profiles/default.flake.nix | 5-----
Msystems/modules/profiles/default.nix | 26--------------------------
Dsystems/modules/profiles/default.stable.nix | 34----------------------------------
Dsystems/modules/profiles/dns.nix | 56--------------------------------------------------------
Msystems/modules/profiles/home.nix | 4++--
Dsystems/modules/profiles/redhat.nix | 106-------------------------------------------------------------------------------
Asystems/modules/services/bind.nix | 56++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Msystems/modules/services/default.nix | 1+
Musers/vincent/desktop/default.nix | 1-
19 files changed, 68 insertions(+), 421 deletions(-)

diff --git a/flake.nix b/flake.nix @@ -52,7 +52,7 @@ ./systems/modules/dev/default.nix ./systems/modules/editors/default.nix ./systems/modules/hardware/default.nix - ./systems/modules/profiles/default.flake.nix # TODO: rename + ./systems/modules/profiles/default.nix ./systems/modules/virtualisation/default.nix ./systems/modules/virtualisation/buildkit.nix ./systems/modules/services/default.nix @@ -60,10 +60,7 @@ # Profiles probably need to go away ./systems/modules/profiles/base.nix ./systems/modules/profiles/builder.nix - ./systems/modules/profiles/dns.nix ./systems/modules/profiles/i18n.nix - ./systems/modules/profiles/home.nix - ./systems/modules/profiles/redhat.nix ./systems/modules/profiles/wireguard.server.nix inputs.sops-nix.nixosModules.sops # inputs.envfs.nixosModules.envfs diff --git a/systems/hosts/aomi.nix b/systems/hosts/aomi.nix @@ -119,10 +119,6 @@ in }; }; }; - profiles = { - # home = true; - work.redhat = true; - }; services = { avahi.enable = true; ssh.enable = true; @@ -134,7 +130,7 @@ in virtualisation.libvirt = { enable = true; nested = true; }; }; - profiles = { + modules.profiles = { # externalbuilder.enable = true; home = true; }; diff --git a/systems/hosts/athena.nix b/systems/hosts/athena.nix @@ -53,7 +53,9 @@ in # profiles.base.systemd-boot = lib.mkForce true; # modules = { + profiles.home = true; services = { + bind.enable = true; # syncthing = { # enable = true; # guiAddress = "${metadata.hosts.sakhalin.wireguard.addrs.v4}:8384"; @@ -62,11 +64,6 @@ in ssh.enable = true; }; }; - # - profiles = { - bind.enable = true; - home = true; - }; # services = { # wireguard = { diff --git a/systems/hosts/demeter.nix b/systems/hosts/demeter.nix @@ -53,7 +53,9 @@ in # profiles.base.systemd-boot = lib.mkForce true; # modules = { + profiles.home = true; services = { + bind.enable = true; # syncthing = { # enable = true; # guiAddress = "${metadata.hosts.sakhalin.wireguard.addrs.v4}:8384"; 
@@ -62,11 +64,6 @@ in ssh.enable = true; }; }; - # - profiles = { - bind.enable = true; - home = true; - }; # services = { # wireguard = { diff --git a/systems/hosts/k8sn1.nix b/systems/hosts/k8sn1.nix @@ -1,53 +0,0 @@ -{ sources ? import ../../nix -, lib ? sources.lib -, pkgs ? sources.pkgs { } -, ... -}: - -let - hostname = "k8sn1.home"; - kubeMasterIP = "192.168.1.130"; -in -{ - imports = [ - <nixpkgs/nixos/modules/profiles/qemu-guest.nix> - (import ../../nix).home-manager-stable - ../modules/default.stable.nix - # FIXME Need to refactor vincent user as.. it's adding way to much by default... - - import ../../users/root - ]; - - fileSystems."/" = { - device = "/dev/disk/by-label/nixos"; - fsType = "ext4"; - autoResize = true; - }; - - boot.growPartition = true; - boot.kernelParams = [ "console=ttyS0" ]; - boot.loader.grub.device = "/dev/vda"; - boot.loader.timeout = 0; - - networking = { - hostName = hostname; - domain = "home"; - firewall.enable = false; - }; - - profiles = { - nix-auto-update.enable = false; - ssh.enable = true; - # systemd-boot doesn't with nixos-generators 🙃 - base.systemd-boot = false; - kubernetes = { - enable = true; - master = { - enable = true; - ip = kubeMasterIP; - }; - }; - }; - - users.extraUsers.root.password = ""; -} diff --git a/systems/hosts/k8sn2.nix b/systems/hosts/k8sn2.nix 
@@ -1,53 +0,0 @@
-{ sources ? import ../../nix
-, lib ? sources.lib
-, pkgs ? sources.pkgs { }
-, ...
-}:
-
-let
- hostname = "k8sn2.home";
- kubeMasterIP = "192.168.1.130";
-in
-{
- imports = [
- <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
- (import ../../nix).home-manager-stable
- ../modules/default.stable.nix
- # FIXME Need to refactor vincent user as.. it's adding way to much by default...
-
- import ../../users/root
- ];
-
- fileSystems."/" = {
- device = "/dev/disk/by-label/nixos";
- fsType = "ext4";
- autoResize = true;
- };
-
- boot.growPartition = true;
- boot.kernelParams = [ "console=ttyS0" ];
- boot.loader.grub.device = "/dev/vda";
- boot.loader.timeout = 0;
-
- networking = {
- hostName = hostname;
- domain = "home";
- firewall.enable = false;
- };
-
- profiles = {
- nix-auto-update.enable = false;
- ssh.enable = true;
- # systemd-boot doesn't with nixos-generators 🙃
- base.systemd-boot = false;
- kubernetes = {
- enable = true;
- master = {
- enable = false;
- ip = kubeMasterIP;
- };
- };
- };
-
- users.extraUsers.root.password = "";
-}
diff --git a/systems/hosts/k8sn3.nix b/systems/hosts/k8sn3.nix
@@ -1,53 +0,0 @@ -{ sources ? import ../../nix -, lib ? sources.lib -, pkgs ? sources.pkgs { } -, ... -}: - -let - hostname = "k8sn3.home"; - kubeMasterIP = "192.168.1.130"; -in -{ - imports = [ - <nixpkgs/nixos/modules/profiles/qemu-guest.nix> - (import ../../nix).home-manager-stable - ../modules/default.stable.nix - # FIXME Need to refactor vincent user as.. it's adding way to much by default... - - import ../../users/root - ]; - - fileSystems."/" = { - device = "/dev/disk/by-label/nixos"; - fsType = "ext4"; - autoResize = true; - }; - - boot.growPartition = true; - boot.kernelParams = [ "console=ttyS0" ]; - boot.loader.grub.device = "/dev/vda"; - boot.loader.timeout = 0; - - networking = { - hostName = hostname; - domain = "home"; - firewall.enable = false; - }; - - profiles = { - nix-auto-update.enable = false; - ssh.enable = true; - # systemd-boot doesn't with nixos-generators 🙃 - base.systemd-boot = false; - kubernetes = { - enable = true; - master = { - enable = false; - ip = kubeMasterIP; - }; - }; - }; - - users.extraUsers.root.password = ""; -} diff --git a/systems/hosts/sakhalin.nix b/systems/hosts/sakhalin.nix @@ -60,6 +60,7 @@ in }; modules = { + profiles.home = true; services = { syncthing = { enable = true; @@ -71,11 +72,6 @@ in virtualisation.libvirt = { enable = true; nested = true; listenTCP = true; }; }; - profiles = { - bind.enable = true; - home = true; - }; - fileSystems."/export/gaia" = { device = "/mnt/gaia"; options = [ "bind" ]; }; fileSystems."/export/toshito" = { device = "/mnt/toshito"; options = [ "bind" ]; }; diff --git a/systems/hosts/shikoku.nix b/systems/hosts/shikoku.nix @@ -139,17 +139,12 @@ in ssh.enable = true; }; virtualisation.libvirt = { enable = true; nested = true; listenTCP = true; }; + profiles.home = true; }; environment.systemPackages = [ pkgs.python310Packages.aria2p ]; - - programs.ssh.setXAuthLocation = true; - profiles = { - bind.enable = true; - home = true; - }; sops.secrets.aria2RPCSecret = { mode = "444"; 
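Review bot: The shikoku hunk also removes `programs.ssh.setXAuthLocation = true;` together with the old `profiles` block, which goes beyond the profiles-to-modules move named in the commit title and changes the host's SSH X11-forwarding configuration. If dropping it is intentional it should be stated in the commit message; otherwise the line should be kept, e.g. placed right after `environment.systemPackages = [ pkgs.python310Packages.aria2p ];`. The enclosing host configuration attrset starts and ends outside the hunk.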
diff --git a/systems/hosts/wakasu.nix b/systems/hosts/wakasu.nix @@ -126,7 +126,6 @@ in }; }; profiles = { - # home = true; work.redhat = true; }; services = { @@ -140,7 +139,7 @@ in }; # TODO Migrate to modules - profiles.home = true; + modules.profiles.home = true; virtualisation.podman.dockerSocket.enable = true; virtualisation.podman.autoPrune.enable = true; environment.systemPackages = with pkgs; [ diff --git a/systems/modules/profiles/default.flake.nix b/systems/modules/profiles/default.flake.nix @@ -1,5 +0,0 @@ -{ - imports = [ - ./work.nix - ]; -} diff --git a/systems/modules/profiles/default.nix b/systems/modules/profiles/default.nix @@ -1,32 +1,6 @@ { imports = [ ./work.nix - # Move this "away" - ./base.nix - ./builder.nix - ./desktop.nix - ./dev.nix - ./dns.nix - ./docker.nix - ./gaming.nix - ./git.nix - ./gnome.nix ./home.nix - ./i18n.nix - ./i3.nix - ./ipfs.nix - ./kubernetes.nix - ./laptop.nix - ./mail.nix - ./nix-auto-update.nix - ./printing.nix - ./pulseaudio.nix - ./qemu.nix - ./redhat.nix - ./scanning.nix - ./virtualization.nix - ./wireguard.server.nix - ./yubikey.nix - ./zsh.nix ]; } diff --git a/systems/modules/profiles/default.stable.nix b/systems/modules/profiles/default.stable.nix @@ -1,34 +0,0 @@ -{ - imports = [ - ./avahi.nix - ./base.nix - ./builder.nix - ./desktop.nix - ./dev.nix - ./dns.nix - ./docker.stable.nix - ./gaming.nix - ./git.nix - ./gnome.nix - ./home.nix - ./i18n.nix - ./i3.nix - ./ipfs.nix - ./kubernetes.nix - ./laptop.nix - ./mail.nix - ./nix-auto-update.nix - ./printing.nix - ./pulseaudio.nix - ./qemu.nix - ./redhat.nix - ./scanning.nix - ./ssh.nix - ./syncthing.nix - ./sway.nix - ./virtualization.nix - ./wireguard.server.nix - ./yubikey.nix - ./zsh.nix - ]; -} diff --git a/systems/modules/profiles/dns.nix b/systems/modules/profiles/dns.nix 
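Review bot: The `# TODO Migrate to modules` comment in the second wakasu hunk is left above the line it described, which now reads `modules.profiles.home = true;`, so the comment is stale. Either remove it or move it to the `profiles = { work.redhat = true; };` block in the first wakasu hunk, which is what still remains under the old `profiles` namespace, e.g. `# TODO Migrate work.redhat to modules.profiles`. The enclosing attrset starts and ends outside the hunk.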
@@ -1,56 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - inherit (lib) mkIf mkEnableOption; - cfg = config.profiles.bind; -in -{ - options = { - profiles.bind = { - enable = mkEnableOption "Enable bind profile"; - }; - }; - config = mkIf cfg.enable { - - services = { - bind = { - enable = true; - forwarders = [ "8.8.8.8" "8.8.4.4" ]; - extraOptions = '' - dnssec-validation no; - ''; - cacheNetworks = [ "192.168.1.0/24" "127.0.0.0/8" "10.100.0.0/24" ]; - zones = [ - { - # home - name = "home"; - master = true; - slaves = [ ]; - file = ../../../secrets/db.home; - } - { - # home.reverse - name = "192.168.1.in-addr.arpa"; - master = true; - slaves = [ ]; - file = ../../../secrets/db.192.168.1; - } - { - # vpn - name = "vpn"; - master = true; - slaves = [ ]; - file = ../../../secrets/db.vpn; - } - { - # vpn.reverse - name = "10.100.0.in-addr.arpa"; - master = true; - slaves = [ ]; - file = ../../../secrets/db.10.100.0; - } - ]; - }; - }; - }; -} diff --git a/systems/modules/profiles/home.nix b/systems/modules/profiles/home.nix @@ -2,14 +2,14 @@ with lib; let - cfg = config.profiles.home; + cfg = config.modules.profiles.home; secretPath = ../../../secrets/machines.nix; secretCondition = (builtins.pathExists secretPath); machines = lib.optionalAttrs secretCondition (import secretPath); in { options = { - profiles.home = mkEnableOption "Enable home profile"; + modules.profiles.home = mkEnableOption "Enable home profile"; }; config = mkIf cfg { boot.kernelParams = [ "nfs.nfs4_disable_idmapping=0" "nfsd.nfs4_disable_idmapping=0" ]; diff --git a/systems/modules/profiles/redhat.nix b/systems/modules/profiles/redhat.nix 
@@ -1,106 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-let
- cfg = config.profiles.redhat;
- common = {
- sopsFile = ../../../secrets/desktops/redhat.yaml;
- mode = "444";
- owner = "root";
- group = "root";
- };
-in
-{
- options = {
- profiles.redhat = {
- enable = mkEnableOption "Enable the Red Hat profiles (VPN, certs, …)";
- };
- };
- config = mkIf cfg.enable {
- environment.systemPackages = with pkgs; [
- krb5
- (google-chrome.override {
- commandLineArgs = "--auth-negotiate-delegate-whitelist='*.redhat.com' --auth-server-whitelist=.redhat.com";
- })
- libnotify
- ];
- sops.secrets."krb5.conf" = {
- inherit (common) mode owner group sopsFile;
- path = "/etc/krb5.conf";
- };
- # NetworkManager
- sops.secrets."1-RHVPN.ovpn" = {
- inherit (common) owner group sopsFile;
- path = "/etc/NetworkManager/system-connections/1-RHVPN.ovpn";
- mode = "600";
- };
- sops.secrets."AMS2.ovpn" = {
- inherit (common) owner group sopsFile;
- path = "/etc/NetworkManager/system-connections/AMS2.ovpn";
- mode = "600";
- };
- sops.secrets."BBRQ.ovpn" = {
- inherit (common) owner group sopsFile;
- path = "/etc/NetworkManager/system-connections/BBRQ.ovpn";
- mode = "600";
- };
- sops.secrets."RDU2.ovpn" = {
- inherit (common) owner group sopsFile;
- path = "/etc/NetworkManager/system-connections/RDU2.ovpn";
- mode = "600";
- };
- sops.secrets."PNQ2.ovpn" = {
- inherit (common) owner group sopsFile;
- path = "/etc/NetworkManager/system-connections/PNQ2.ovpn";
- mode = "600";
- };
- sops.secrets."FAB.ovpn" = {
- inherit (common) owner group sopsFile;
- path = "/etc/NetworkManager/system-connections/FAB.ovpn";
- mode = "600";
- };
- # Certificates
- security.pki.certificateFiles = [
- "/etc/pki/tls/certs/2022-IT-Root-CA.pem"
- "/etc/pki/tls/certs/2015-RH-IT-Root-CA.pem"
- "/etc/pki/tls/certs/Eng-CA.crt"
- "/etc/pki/tls/certs/newca.crt"
- ];
- sops.secrets."ipa.crt" = {
- inherit (common) mode owner group sopsFile;
- path = "/etc/ipa/ipa.crt";
- };
- sops.secrets."2022-IT-Root-CA.pem" = {
- inherit (common) mode owner group sopsFile;
- path = "/etc/pki/tls/certs/2022-IT-Root-CA.pem";
- };
- sops.secrets."2015-RH-IT-Root-CA.pem" = {
- inherit (common) mode owner group sopsFile;
- path = "/etc/pki/tls/certs/2015-RH-IT-Root-CA.pem";
- };
- sops.secrets."Eng-CA.crt" = {
- inherit (common) mode owner group sopsFile;
- path = "/etc/pki/tls/certs/Eng-CA.crt";
- };
- sops.secrets."newca.crt" = {
- inherit (common) mode owner group sopsFile;
- path = "/etc/pki/tls/certs/newca.crt";
- };
- sops.secrets."oracle_ebs.crt" = {
- inherit (common) mode owner group sopsFile;
- path = "/etc/pki/tls/certs/oracle_ebs.crt";
- };
- sops.secrets."pki-ca-chain.crt" = {
- inherit (common) mode owner group sopsFile;
- path = "/etc/pki/tls/certs/pki-ca-chain.crt";
- };
- sops.secrets."RH_ITW.crt" = {
- inherit (common) mode owner group sopsFile;
- path = "/etc/pki/tls/certs/RH_ITW.crt";
- };
- sops.secrets."win-intermediate-ca.cer" = {
- inherit (common) mode owner group sopsFile;
- path = "/etc/pki/tls/certs/win-intermediate-ca.cer";
- };
- };
-}
diff --git a/systems/modules/services/bind.nix b/systems/modules/services/bind.nix
@@ -0,0 +1,56 @@
+{ config, lib, pkgs, ... }:
+
+let
+ inherit (lib) mkIf mkEnableOption;
+ cfg = config.modules.services.bind;
+in
+{
+ options = {
+ modules.services.bind = {
+ enable = mkEnableOption "Enable bind profile";
+ };
+ };
+ config = mkIf cfg.enable {
+
+ services = {
+ bind = {
+ enable = true;
+ forwarders = [ "8.8.8.8" "8.8.4.4" ];
+ extraOptions = ''
+ dnssec-validation no;
+ '';
+ cacheNetworks = [ "192.168.1.0/24" "127.0.0.0/8" "10.100.0.0/24" ];
+ zones = [
+ {
+ # home
+ name = "home";
+ master = true;
+ slaves = [ ];
+ file = ../../../secrets/db.home;
+ }
+ {
+ # home.reverse
+ name = "192.168.1.in-addr.arpa";
+ master = true;
+ slaves = [ ];
+ file = ../../../secrets/db.192.168.1;
+ }
+ {
+ # vpn
+ name = "vpn";
+ master = true;
+ slaves = [ ];
+ file = ../../../secrets/db.vpn;
+ }
+ {
+ # vpn.reverse
+ name = "10.100.0.in-addr.arpa";
+ master = true;
+ slaves = [ ];
+ file = ../../../secrets/db.10.100.0;
+ }
+ ];
+ };
+ };
+ };
+}
diff --git a/systems/modules/services/default.nix b/systems/modules/services/default.nix
@@ -2,6 +2,7 @@
imports = [
./avahi.nix
./barrier.nix
+ ./bind.nix
./gosmee.nix
./govanityurl.nix
./nix-binary-cache.nix
diff --git a/users/vincent/desktop/default.nix b/users/vincent/desktop/default.nix
@@ -36,7 +36,6 @@ in
# nyxt
obs-studio
playerctl
- profile-sync-daemon
trash-cli
xdg-user-dirs
xdg-utils
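Review bot: The new bind.nix keeps `dnssec-validation no;` in `extraOptions`, which turns off DNSSEC validation for every client in `cacheNetworks` while queries are forwarded to the public resolvers listed in `forwarders`, and nothing in the file records why. Since the line is carried over verbatim from the deleted profiles/dns.nix, either document the reason next to it, e.g. `# DNSSEC validation is off because <REASON-placeholder>; re-enable once the private zones work with it`, or drop the line so bind's default validation applies. The option description `mkEnableOption "Enable bind profile"` is also stale now that the option lives under `modules.services.bind`; `"Enable the bind (named) DNS service"` would match its new place. The athena and demeter hunks that set `bind.enable = true` are the consumers affected by whichever choice is made.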