diff --git a/.gitignore b/.gitignore index 84e7193..a806510 100644 --- a/.gitignore +++ b/.gitignore @@ -2,4 +2,4 @@ # Ignore build outputs from performing a nix-build or `nix build` command result result-* -.pre-commit-config.yaml + diff --git a/README.md b/README.md index 170ce56..2c6a796 100644 --- a/README.md +++ b/README.md @@ -170,10 +170,6 @@ In your hardware configuration you should basically only write you filesystem layout and your hostPlatform. The bootloading stuff is already taken care of by `../../roles`. -The `flake-inputs` argument is optional, but you can use it if you need to get a hold of the flake inputs, -else this is a complete normal nixos system configuration module (with a lot of settings already imorted -from `../../roles`). - As of moment of writing `network.nix` should contain ip, nameserver and default gateway setup. As parts of this is constant across all systems and will undergo refactor soon. diff --git a/flake-module.nix b/flake-module.nix index e435985..2220d58 100644 --- a/flake-module.nix +++ b/flake-module.nix 
@@ -1,48 +1,28 @@ -{inputs, ...}: { +{inputs, ...}: +{ # debug = true; # We only define machines config in this flake yet, so we only include # the module that builds these. This file might get fuller, if we need to # build our own packages, that are not flakes. - imports = [ - ./nixos/flake-module.nix - inputs.pre-commit-hooks.flakeModule - # To import a flake module - # 1. Add foo to inputs - # 2. Add foo as a parameter to the outputs function - # 3. Add here: foo.flakeModule + imports = [ ./nixos/flake-module.nix + # To import a flake module + # 1. Add foo to inputs + # 2. Add foo as a parameter to the outputs function + # 3. Add here: foo.flakeModule + ]; - systems = ["x86_64-linux"]; - perSystem = { - config, - inputs', - pkgs, - ... - }: { - devShells.default = pkgs.mkShell { - shellHook = config.pre-commit.installationScript; - }; - - pre-commit = { - check.enable = true; - pkgs = inputs'.nixpkgs.legacyPackages; - settings.hooks = { - nil.enable = true; - statix.enable = true; - deadnix.enable = true; - alejandra.enable = true; - }; - }; - - # Per-system attributes can be defined here. The self' and inputs' - # module parameters provide easy access to attributes of the same - # system. - }; + systems = [ "x86_64-linux"]; +# perSystem = { config, self', inputs', pkgs, system, ... }: { + # Per-system attributes can be defined here. The self' and inputs' + # module parameters provide easy access to attributes of the same + # system. # Equivalent to inputs'.nixpkgs.legacyPackages.hello; - # flake = { - # The usual flake attributes can be defined here, including system- - # agnostic ones like nixosModule and system-enumerating ones, although - # those are more easily expressed in perSystem. +# }; +# flake = { + # The usual flake attributes can be defined here, including system- + # agnostic ones like nixosModule and system-enumerating ones, although + # those are more easily expressed in perSystem. - # }; +# }; } 
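Review bot: `inputs` is still destructured in the new `{inputs, ...}:` header but is no longer referenced anywhere in the module, since the only remaining import is `./nixos/flake-module.nix` and the `perSystem` block that used `inputs'` is now commented out. The same unused-argument pattern appears in the other hunks of this commit: `flake-inputs`, `config`, `pkgs` and `lib` in nixos/machines/ghatanothoa/configuration.nix, `config`, `pkgs` and `modulesPath` in its hardware-configuration.nix, `pkgs` in nixos/modules/jitsi.nix, and `config` in nixos/roles/default.nix (for jitsi.nix and hardware-configuration.nix the lines between hunks are not visible, so those two may still use the names there). These are exactly the findings the removed `deadnix` hook used to surface, so with `pre-commit-hooks` and the devShell gone nothing will catch them going forward. Either drop the unused names (`{...}:` here) or keep a lightweight lint/format run in CI so that the checks survive the removal of the hooks.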
diff --git a/flake.lock b/flake.lock index 8b3b563..8cc319d 100644 --- a/flake.lock +++ b/flake.lock @@ -33,24 +33,6 @@ "type": "indirect" } }, - "flake-utils": { - "inputs": { - "systems": "systems" - }, - "locked": { - "lastModified": 1685518550, - "narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, "impermanence": { "locked": { "lastModified": 1694622745, @@ -153,35 +135,12 @@ "type": "github" } }, - "pre-commit-hooks": { - "inputs": { - "flake-compat": [], - "flake-utils": "flake-utils", - "gitignore": [], - "nixpkgs": [], - "nixpkgs-stable": [] - }, - "locked": { - "lastModified": 1699271226, - "narHash": "sha256-8Jt1KW3xTjolD6c6OjJm9USx/jmL+VVmbooADCkdDfU=", - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "rev": "ea758da1a6dcde6dc36db348ed690d09b9864128", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "type": "github" - } - }, "root": { "inputs": { "flake-parts": "flake-parts", "impermanence": "impermanence", "nixos-mailserver": "nixos-mailserver", "nixpkgs": "nixpkgs", - "pre-commit-hooks": "pre-commit-hooks", "sops-nix": "sops-nix" } }, @@ -206,21 +165,6 @@ "type": "github" } }, - "systems": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "utils": { "locked": { "lastModified": 1605370193, diff --git a/flake.nix b/flake.nix index b4b5593..0c61327 100644 --- a/flake.nix +++ b/flake.nix 
@@ -17,17 +17,8 @@ impermanence = { url = "github:nix-community/impermanence"; }; - pre-commit-hooks = { - url = "github:cachix/pre-commit-hooks.nix"; - inputs = { - flake-compat.follows = ""; - gitignore.follows = ""; - nixpkgs-stable.follows = ""; - nixpkgs.follows = ""; - }; - }; }; - outputs = inputs @ {flake-parts, ...}: - flake-parts.lib.mkFlake {inherit inputs;} (import ./flake-module.nix); + outputs = inputs@{ flake-parts, ... }: + flake-parts.lib.mkFlake { inherit inputs; } (import ./flake-module.nix); } diff --git a/nixos/flake-module.nix b/nixos/flake-module.nix index 3005780..8c44964 100644 --- a/nixos/flake-module.nix +++ b/nixos/flake-module.nix @@ -1,30 +1,20 @@ # copied and adopted from maralorns config + # This automatically searches for nixos configs in ./machines/${name}/configuration.nix # and exposes them as outputs.nixosConfigurations.${name} -{ - withSystem, - lib, - inputs, - ... -}: { +{ withSystem, lib, inputs, ... }: { flake = { - nixosConfigurations = withSystem "x86_64-linux" ({pkgs, ...}: let + nixosConfigurations = withSystem "x86_64-linux" ({ pkgs, ... }: + let machines = builtins.attrNames (builtins.readDir ./machines); - makeSystem = name: let - importedModule = import (./. + "/machines/${name}/configuration.nix"); - configModule = - if lib.isFunction importedModule - then importedModule inputs - else importedModule; - in + makeSystem = name: pkgs.nixos { imports = [ - configModule + (import (./. + "/machines/${name}/configuration.nix") inputs) inputs.sops-nix.nixosModules.sops inputs.impermanence.nixosModules.impermanence ]; }; - in - lib.genAttrs machines makeSystem); + in lib.genAttrs machines makeSystem); }; } diff --git a/nixos/machines/ghatanothoa/configuration.nix b/nixos/machines/ghatanothoa/configuration.nix index 3b4faa5..4e60e1b 100644 --- a/nixos/machines/ghatanothoa/configuration.nix +++ b/nixos/machines/ghatanothoa/configuration.nix 
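Review bot: The new `makeSystem` in nixos/flake-module.nix applies every `machines/${name}/configuration.nix` to `inputs` unconditionally, whereas the removed `lib.isFunction` branch also accepted a plain module; a machine file still written as a plain attribute set now fails evaluation with a generic "not a function" error instead of a message naming the file. The README hunk in the same commit removes the sentence that described `flake-inputs` as optional, so the new contract is not documented on either side. A one-line comment above `makeSystem` would close that gap: `# every machines/<name>/configuration.nix must be a function taking the flake inputs first`. If a clearer failure is wanted, the `lib.isFunction` test could be kept as an assertion that names the offending machine, but the comment alone is the minimum.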
@@ -1,17 +1,19 @@ -{ - imports = [ - ./hardware-configuration.nix - ../../modules/jitsi.nix - ../../roles - ./network.nix - ]; +flake-inputs: +{config, pkgs, lib, ... }: { + +imports = [ + ./hardware-configuration.nix + ../../modules/jitsi.nix + ../../roles + ./network.nix +]; services.mathebau-jitsi = { enable = true; hostName = "meet.mathebau.de"; }; - # System configuration here +# System configuration here networking.hostName = "ghatanothoa"; system.stateVersion = "23.11"; } diff --git a/nixos/machines/ghatanothoa/hardware-configuration.nix b/nixos/machines/ghatanothoa/hardware-configuration.nix index 05a48b2..ad588c9 100644 --- a/nixos/machines/ghatanothoa/hardware-configuration.nix +++ b/nixos/machines/ghatanothoa/hardware-configuration.nix @@ -1,15 +1,15 @@ -{lib, ...}: { - imports = []; +{config, lib, pkgs, modulesPath, ...}: { + imports = [ ]; fileSystems."/" = { device = "gha-root"; fsType = "tmpfs"; - options = ["size=1G" "mode=755"]; + options = [ "size=1G" "mode=755" ]; }; fileSystems."/persist" = { device = "/dev/disk/by-uuid/e0a160ef-7d46-4705-9152-a6b602898136"; fsType = "btrfs"; - options = ["subvol=persist"]; + options = [ "subvol=persist" ]; neededForBoot = true; }; fileSystems."/boot" = { @@ -19,10 +19,11 @@ fileSystems."/nix" = { device = "/dev/disk/by-uuid/e0a160ef-7d46-4705-9152-a6b602898136"; fsType = "btrfs"; - options = ["subvol=nix"]; + options = [ "subvol=nix" ]; }; - swapDevices = [{device = "/dev/disk/by-uuid/e6e3ba6b-c9f5-4960-b56d-f49760d76a4a";}]; + swapDevices = + [{ device = "/dev/disk/by-uuid/e6e3ba6b-c9f5-4960-b56d-f49760d76a4a"; }]; nix.settings.max-jobs = lib.mkDefault 4; diff --git a/nixos/machines/ghatanothoa/network.nix b/nixos/machines/ghatanothoa/network.nix index 2a1f4ae..7e26f79 100644 --- a/nixos/machines/ghatanothoa/network.nix +++ b/nixos/machines/ghatanothoa/network.nix 
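Review bot: In the new nixos/machines/ghatanothoa/configuration.nix body the `imports = [ … ];` block sits at column 0 while its siblings `services.mathebau-jitsi`, `networking.hostName` and `system.stateVersion` keep the two-space indent, and the `# System configuration here` comment was moved to column 0 as well. The same mixed indentation shows up in nixos/modules/impermanence.nix (top-level attributes at column 0, nested ones at two) and in nixos/roles/default.nix, where `imports = [` opens at column 0 while its unchanged closing `];` appears to keep the old indent and the column-0 `#Prevent clock drift` comment describes the indented `timesyncd.enable` line below it. Pick one convention per file — the surrounding unchanged lines suggest two spaces inside the attribute set — and run a formatter over the touched files, since the alejandra hook that enforced this is removed in the same commit.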
@@ -1,16 +1,15 @@ # We sohuld put that config somewhere in roles and give it a parameter or something, # everyone gets the same nameserver and the same prefixLength and address vs defaultGateway alsways -# depend on the same thing +# depend on the same thing { - imports = []; + imports = [ ]; networking = { - interfaces.enX0.ipv4.addresses = [ - { - address = "192.168.0.25"; - prefixLength = 16; - } - ]; + interfaces.enX0.ipv4.addresses = [ { + address = "192.168.0.25"; + prefixLength = 16; + } ]; defaultGateway = "192.168.0.152"; nameservers = ["130.83.2.22" "130.83.56.60" "130.83.22.60" "130.82.22.63"]; }; } + diff --git a/nixos/modules/impermanence.nix b/nixos/modules/impermanence.nix index f5df277..267c9d1 100644 --- a/nixos/modules/impermanence.nix +++ b/nixos/modules/impermanence.nix 
@@ -1,47 +1,47 @@ -{ - lib, - config, - ... -}: let - inherit - (lib) +{lib, config, ...} : + +let + inherit (lib) mkEnableOption mkIf mkOption types ; cfg = config.impermanence; -in { - imports = []; +in - options.impermanence = { - enable = mkEnableOption "impermanence"; - storagePath = mkOption { - type = types.path; - default = "/persist"; - description = "The path where persistent data is stored"; - }; - name = mkOption { - type = types.str; - default = "persist"; - description = "the name of the persistent data store"; - }; - }; +{ +imports = [ ]; - config = mkIf cfg.enable { - environment.persistence.${cfg.name} = { - persistentStoragePath = cfg.storagePath; - directories = [ - "/var/log" - "/var/lib/nixos" - ]; - files = [ - "/etc/ssh/ssh_host_ed25519_key" - "/etc/ssh/ssh_host_ed25519_key.pub" - "/etc/ssh/ssh_host_rsa_key" - "/etc/ssh/ssh_host_rsa_key.pub" - ]; - }; - environment.etc.machine-id.source = "${cfg.storagePath}/machine-id"; +options.impermanence = { + enable = mkEnableOption "impermanence"; + storagePath = mkOption { + type = types.path; + default = "/persist"; + description = "The path where persistent data is stored"; }; + name = mkOption { + type = types.str; + default = "persist"; + description = "the name of the persistent data store"; + }; +}; + +config = mkIf cfg.enable { + environment.persistence.${cfg.name} = { + persistentStoragePath = cfg.storagePath; + directories = [ + "/var/log" + "/var/lib/nixos" + ]; + files = [ + "/etc/ssh/ssh_host_ed25519_key" + "/etc/ssh/ssh_host_ed25519_key.pub" + "/etc/ssh/ssh_host_rsa_key" + "/etc/ssh/ssh_host_rsa_key.pub" + ]; + }; + environment.etc.machine-id.source = "${cfg.storagePath}/machine-id"; +}; + } diff --git a/nixos/modules/jitsi.nix b/nixos/modules/jitsi.nix index 601e30f..ca2a8a7 100644 --- a/nixos/modules/jitsi.nix +++ b/nixos/modules/jitsi.nix 
@@ -1,21 +1,16 @@ -{ - config, - lib, - modulesPath, - ... -}: let - inherit - (lib) +{pkgs, config, lib, modulesPath, ...}: +let + inherit (lib) mkIf mkEnableOption mkOption - head - ; + head; inherit (lib.types) str; cfg = config.services.mathebau-jitsi; -in { +in +{ imports = [(modulesPath + "/services/web-apps/jitsi-meet.nix")]; - + options.services.mathebau-jitsi = { enable = mkEnableOption "mathebau jitsi service"; hostName = mkOption { @@ -30,16 +25,16 @@ in { config = mkIf cfg.enable { services.jitsi-meet = { enable = true; + hostName = cfg.hostName; config = { defaultLang = "de"; }; - inherit (cfg) hostName; }; services.jitsi-videobridge = { openFirewall = true; nat = { publicAddress = "130.83.2.184"; - inherit (cfg) localAddress; + localAddress = cfg.localAddress; }; }; environment.persistence.${config.impermanence.name} = { @@ -48,13 +43,13 @@ in { "/var/lib/prosody" ]; }; - #We are behind a reverse proxy that handles TLS + #We are behind a reverse proxy that handles TLS services.nginx.virtualHosts."${cfg.hostName}" = { enableACME = false; forceSSL = false; }; - #The network ports for HTTP(S) are not opened automatically - networking.firewall.allowedTCPPorts = [80 443]; + #The network ports for HTTP(S) are not opened automatically + networking.firewall.allowedTCPPorts = [ 80 443 ]; }; } diff --git a/nixos/roles/admins.nix b/nixos/roles/admins.nix index 3215ccc..32478bf 100644 --- a/nixos/roles/admins.nix +++ b/nixos/roles/admins.nix 
@@ -1,34 +1,37 @@ -{lib, ...}: -with lib; let +{lib, ...} : +with lib; + +let admins = { nerf = { - hashedPassword = "$y$j9T$SJcjUIcs3JYuM5oyxfEQa/$tUBQT07FK4cb9xm.A6ZKVnFIPNOYMOKC6Dt6hadCuJ7"; - keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEdA4LpEGUUmN8esFyrNZXFb2GiBID9/S6zzhcnofQuP nerf@nerflap2" - ]; + hashedPassword = + "$y$j9T$SJcjUIcs3JYuM5oyxfEQa/$tUBQT07FK4cb9xm.A6ZKVnFIPNOYMOKC6Dt6hadCuJ7"; + keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEdA4LpEGUUmN8esFyrNZXFb2GiBID9/S6zzhcnofQuP nerf@nerflap2" + ]; }; gonne = { - hashedPassword = "$6$EtGpHEcFkOi0yUWp$slXf0CvIUrhdqaoCrQ5YwtYu2IVuE1RGGst4fnDPRLWVm.lYx0ruvSAF2/vw/sLbW37ORJjlb0NHQ.kSG7cVY/"; - keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFopCUadohY3wg9AoEup9TDRDMyEPSLsQoCnN4lsKCrr gonne@mathebau.de NixOS" - ]; + hashedPassword = + "$6$EtGpHEcFkOi0yUWp$slXf0CvIUrhdqaoCrQ5YwtYu2IVuE1RGGst4fnDPRLWVm.lYx0ruvSAF2/vw/sLbW37ORJjlb0NHQ.kSG7cVY/"; + keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFopCUadohY3wg9AoEup9TDRDMyEPSLsQoCnN4lsKCrr gonne@mathebau.de NixOS" + ]; }; }; - mkAdmin = name: { - hashedPassword, - keys, - }: { + mkAdmin = name : + {hashedPassword, keys}: { "${name}" = { isNormalUser = true; createHome = true; - extraGroups = ["wheel"]; + extraGroups = [ "wheel" ]; group = "users"; home = "/home/${name}"; - openssh.authorizedKeys = {inherit keys;}; + openssh.authorizedKeys = { inherit keys; }; inherit hashedPassword; }; }; + in { users.users = mkMerge (mapAttrsToList mkAdmin admins); } diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix index 60284a7..d92b970 100644 --- a/nixos/roles/default.nix +++ b/nixos/roles/default.nix 
@@ -1,72 +1,62 @@ -{ - pkgs, - lib, - modulesPath, - ... -}: { - imports = [ - ./admins.nix - ./nix_keys.nix - ./prometheusNodeExporter.nix - (modulesPath + "/virtualisation/xen-domU.nix") - ../modules/impermanence.nix +{pkgs, config, lib, modulesPath, ...} : { + +imports = [ + ./admins.nix + ./nix_keys.nix + ./prometheusNodeExporter.nix + (modulesPath + "/virtualisation/xen-domU.nix") + ../modules/impermanence.nix ]; - nix = { - extraOptions = '' - experimental-features = nix-command flakes - builders-use-substitutes = true - ''; +nix = { + extraOptions = '' + experimental-features = nix-command flakes + builders-use-substitutes = true + ''; +}; + +networking = { + firewall = { # these shoud be default, but better make sure! + enable = true; + allowPing = true; + }; + nftables.enable = true; + useDHCP = false; # We don't speak DHCP and even if we would, we should enable it per interface + # hosts = # TODO write something to autogenerate ip adresses! +}; + +users = { + mutableUsers = false; + users.root.hashedPassword = "!"; +}; + +impermanence.enable = true; + +sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + +environment = { + systemPackages = builtins.attrValues { + inherit (pkgs) + htop lsof tmux btop; + }; +}; + +services = { + journald.extraConfig = "SystemMaxUse=5G"; + + nginx = { + recommendedOptimisation = true; + recommendedGzipSettings = true; + recommendedTlsSettings = true; }; - networking = { - firewall = { - # these shoud be default, but better make sure! - enable = true; - allowPing = true; - }; - nftables.enable = true; - useDHCP = false; # We don't speak DHCP and even if we would, we should enable it per interface - # hosts = # TODO write something to autogenerate ip adresses! 
- }; - - users = { - mutableUsers = false; - users.root.hashedPassword = "!"; - }; - - impermanence.enable = true; - - sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; - - environment = { - systemPackages = builtins.attrValues { - inherit - (pkgs) - htop - lsof - tmux - btop - ; + openssh = { + enable = true; + settings = { + PermitRootLogin = "no"; + PasswordAuthentication = false; }; }; - - services = { - journald.extraConfig = "SystemMaxUse=5G"; - - nginx = { - recommendedOptimisation = true; - recommendedGzipSettings = true; - recommendedTlsSettings = true; - }; - - openssh = { - enable = true; - settings = { - PermitRootLogin = "no"; - PasswordAuthentication = false; - }; - }; - #Prevent clock drift due to interaction problem with xen hardware clock - timesyncd.enable = lib.mkForce true; - }; +#Prevent clock drift due to interaction problem with xen hardware clock + timesyncd.enable = lib.mkForce true; +}; } diff --git a/nixos/roles/nix_keys.nix b/nixos/roles/nix_keys.nix index 97e5dc5..14f0b56 100644 --- a/nixos/roles/nix_keys.nix +++ b/nixos/roles/nix_keys.nix @@ -1,5 +1,5 @@ { - imports = []; + imports = [ ]; nix.settings.trusted-public-keys = [ "nerflap2-1:pDZCg0oo9PxNQxwVSQSvycw7WXTl53PGvVeZWvxuqJc=" "gonne.mathebau.de-1:FsXFyFiBFE/JxC9MCkt/WuiXjx5dkRI9RXj0FxOQrV0=" diff --git a/nixos/roles/prometheusNodeExporter.nix b/nixos/roles/prometheusNodeExporter.nix index 37cdbc2..9587b2f 100644 --- a/nixos/roles/prometheusNodeExporter.nix +++ b/nixos/roles/prometheusNodeExporter.nix 
@@ -1,14 +1,15 @@ -{config, ...}: { - imports = []; +{config, ...}: +{ + imports = [ ]; services.prometheus.exporters.node = { enable = true; port = 9100; - # Aligned with https://git.rwth-aachen.de/fsdmath/server/prometheus/-/blob/main/node_exporter/etc/default/prometheus-node-exporter - # It was compiled along the following steps: - # 1. Does the current Debian release supports the collector? - # 2. Is the collector depracated in the latest release? - # 3. Could you probably use the collected metrics for monitoring or are they useless because they make no sense in our context - # (e.g. power adapter inside a VM, use fibre port connection)? + # Aligned with https://git.rwth-aachen.de/fsdmath/server/prometheus/-/blob/main/node_exporter/etc/default/prometheus-node-exporter + # It was compiled along the following steps: + # 1. Does the current Debian release supports the collector? + # 2. Is the collector depracated in the latest release? + # 3. Could you probably use the collected metrics for monitoring or are they useless because they make no sense in our context + # (e.g. power adapter inside a VM, use fibre port connection)? disabledCollectors = [ "arp" "bcache" @@ -34,6 +35,6 @@ "processes" ]; }; - networking.firewall.allowedTCPPorts = [9100]; - environment.persistence.${config.impermanence.name}.directories = ["/var/lib/${config.services.prometheus.stateDir}"]; + networking.firewall.allowedTCPPorts = [ 9100 ]; + environment.persistence.${config.impermanence.name}.directories = [ "/var/lib/${config.services.prometheus.stateDir}" ]; }