From de19b23d3dadb0acc6dfde91da795c3e09dced78 Mon Sep 17 00:00:00 2001
From: oddlama
Date: Mon, 1 May 2023 15:27:28 +0200
Subject: [PATCH] refactor: split hardware related and system related common configuration
---
 hosts/common/core/default.nix | 87 +++--------------------------
 hosts/common/core/system.nix | 54 +++++++++++++++++++
 hosts/common/core/tmux.nix | 14 -----
 hosts/common/hardware/cloud.nix | 4 ++
 hosts/common/hardware/physical.nix | 13 +++++
 hosts/nom/default.nix | 1 +
 hosts/ward/default.nix | 1 +
 hosts/zackbiene/default.nix | 2 +
 users/common/git.nix | 5 +-
 9 files changed, 82 insertions(+), 99 deletions(-)
 create mode 100644 hosts/common/core/system.nix
 delete mode 100644 hosts/common/core/tmux.nix
 create mode 100644 hosts/common/hardware/cloud.nix
 create mode 100644 hosts/common/hardware/physical.nix
diff --git a/hosts/common/core/default.nix b/hosts/common/core/default.nix
index cd45342..5471744 100644
--- a/hosts/common/core/default.nix
+++ b/hosts/common/core/default.nix
@@ -1,100 +1,25 @@
-{
- inputs,
- lib,
- pkgs,
- config,
- nodeName,
- ...
-}: {
+{config, ...}: {
 imports = [
- ./inputrc.nix
 ./impermanence.nix
+ ./inputrc.nix
 ./issue.nix
 ./net.nix
 ./nix.nix
 ./resolved.nix
 ./ssh.nix
- ./tmux.nix
+ ./system.nix
 ./xdg.nix
 ../../../modules/wireguard.nix
 ];
- # IP address math library
- # https://gist.github.com/duairc/5c9bb3c922e5d501a1edb9e7b3b845ba
- # Plus some extensions by us
- lib = let
- libWithNet = (import "${inputs.lib-net}/net.nix" {inherit lib;}).lib;
- in
- lib.recursiveUpdate libWithNet {
- net.cidr = rec {
- hostCidr = n: x: "${libWithNet.net.cidr.host n x}/${libWithNet.net.cidr.length x}";
- ip = x: lib.head (lib.splitString "/" x);
- canonicalize = x: libWithNet.net.cidr.make (libWithNet.net.cidr.length x) (ip x);
- };
- };
-
- # Setup secret rekeying parameters
- rekey = {
- inherit
- (inputs.self.secrets)
- masterIdentities
- extraEncryptionPubkeys
- ;
-
- # This is technically impure, but intended. We need to rekey on the
- # current system due to yubikey availability.
- forceRekeyOnSystem = builtins.extraBuiltins.unsafeCurrentSystem;
- hostPubkey = let
- pubkeyPath = ../.. + "/${nodeName}/secrets/host.pub";
- in
- lib.mkIf (lib.pathExists pubkeyPath || lib.trace "Missing pubkey for ${nodeName}: ${toString pubkeyPath} not found, using dummy replacement key for now." false)
- pubkeyPath;
- };
-
- boot = {
- initrd.systemd.enable = true;
- kernelParams = ["log_buf_len=10M"];
- tmp.useTmpfs = true;
- };
-
- # Disable sudo which is entierly unnecessary.
- security.sudo.enable = false;
-
- time.timeZone = lib.mkDefault "Europe/Berlin";
- i18n.defaultLocale = "C.UTF-8";
- console.keyMap = "de-latin1-nodeadkeys";
-
- hardware = {
- enableRedistributableFirmware = true;
- enableAllFirmware = true;
- };
-
- systemd.enableUnifiedCgroupHierarchy = true;
- users.mutableUsers = false;
-
 home-manager = {
 useGlobalPkgs = true;
 useUserPackages = true;
 verbose = true;
 };
- programs = {
- # Required even when using home-manager's zsh module since the /etc/profile load order
- # is partly controlled by this. See nix-community/home-manager#3681.
- zsh.enable = true;
- git = {
- enable = true;
- config = {
- init.defaultBranch = "main";
- pull.rebase = true;
- };
- };
- };
-
- services = {
- fwupd.enable = true;
- smartd.enable = true;
- thermald.enable = builtins.elem config.nixpkgs.system ["x86_64-linux"];
- };
+ # Required even when using home-manager's zsh module since the /etc/profile load order
+ # is partly controlled by this. See nix-community/home-manager#3681.
+ programs.zsh.enable = true;
 }
diff --git a/hosts/common/core/system.nix b/hosts/common/core/system.nix
new file mode 100644
index 0000000..0997b7f
--- /dev/null
+++ b/hosts/common/core/system.nix
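Review bot: The new module header `{config, ...}: {` keeps a `config` argument that nothing in the remaining body reads (only imports, the home-manager block and programs.zsh.enable are left, and the thermald line that used it moved to physical.nix); `{...}: {`, or a plain attribute set as cloud.nix uses, would avoid the unused parameter. The hunk also drops `./tmux.nix` and the whole system-level `programs.git` block, and neither the tmux settings nor `programs.git.enable = true` reappear anywhere in this patch, so hosts lose system-wide git and tmux unless home-manager provides them. If that is intended it belongs in the commit message, since the subject only describes the hardware/system split.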
@@ -0,0 +1,54 @@
+{
+ inputs,
+ lib,
+ nodeName,
+ ...
+}: {
+ # IP address math library
+ # https://gist.github.com/duairc/5c9bb3c922e5d501a1edb9e7b3b845ba
+ # Plus some extensions by us
+ lib = let
+ libWithNet = (import "${inputs.lib-net}/net.nix" {inherit lib;}).lib;
+ in
+ lib.recursiveUpdate libWithNet {
+ net.cidr = rec {
+ hostCidr = n: x: "${libWithNet.net.cidr.host n x}/${libWithNet.net.cidr.length x}";
+ ip = x: lib.head (lib.splitString "/" x);
+ canonicalize = x: libWithNet.net.cidr.make (libWithNet.net.cidr.length x) (ip x);
+ };
+ };
+
+ # Setup secret rekeying parameters
+ rekey = {
+ inherit
+ (inputs.self.secrets)
+ masterIdentities
+ extraEncryptionPubkeys
+ ;
+
+ # This is technically impure, but intended. We need to rekey on the
+ # current system due to yubikey availability.
+ forceRekeyOnSystem = builtins.extraBuiltins.unsafeCurrentSystem;
+ hostPubkey = let
+ pubkeyPath = ../.. + "/${nodeName}/secrets/host.pub";
+ in
+ lib.mkIf (lib.pathExists pubkeyPath || lib.trace "Missing pubkey for ${nodeName}: ${toString pubkeyPath} not found, using dummy replacement key for now." false)
+ pubkeyPath;
+ };
+
+ boot = {
+ initrd.systemd.enable = true;
+ kernelParams = ["log_buf_len=10M"];
+ tmp.useTmpfs = true;
+ };
+
+ # Disable sudo which is entierly unnecessary.
+ security.sudo.enable = false;
+
+ time.timeZone = lib.mkDefault "Europe/Berlin";
+ i18n.defaultLocale = "C.UTF-8";
+ console.keyMap = "de-latin1-nodeadkeys";
+
+ systemd.enableUnifiedCgroupHierarchy = true;
+ users.mutableUsers = false;
+}
diff --git a/hosts/common/core/tmux.nix b/hosts/common/core/tmux.nix
deleted file mode 100644
index d7b5078..0000000
--- a/hosts/common/core/tmux.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- programs.tmux = {
- enable = true;
- aggressiveResize = true;
- clock24 = true;
- escapeTime = 0;
- historyLimit = 10000;
- # breaks tmate
- newSession = false;
- secureSocket = false;
- shortcut = "g";
- terminal = "tmux-256color";
- };
-}
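Review bot: system.nix has no header comment, while the two sibling modules created in the same patch (cloud.nix, physical.nix) each open with one; a first line such as `# Hardware-independent base configuration shared by every host` before the argument set would keep the three consistent and tell a reader why this was split out of default.nix. The comment moved above `security.sudo.enable = false;` still carries the typo `entierly`; it should read `# Disable sudo which is entirely unnecessary.`. The `hostPubkey` fallback at the end of the `rekey` block substitutes a dummy key when `secrets/host.pub` is missing and only reports it through `lib.trace`, which is easy to overlook in a long evaluation; `lib.warn` (or a hard failure for non-bootstrap builds) would make it harder to rekey a host's secrets against a placeholder key without noticing.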
diff --git a/hosts/common/hardware/cloud.nix b/hosts/common/hardware/cloud.nix
new file mode 100644
index 0000000..87b6526
--- /dev/null
+++ b/hosts/common/hardware/cloud.nix
@@ -0,0 +1,4 @@
+# Configuration for cloud-servers machines
+{
+ services.smartd.enable = true;
+}
diff --git a/hosts/common/hardware/physical.nix b/hosts/common/hardware/physical.nix
new file mode 100644
index 0000000..f8349d6
--- /dev/null
+++ b/hosts/common/hardware/physical.nix
@@ -0,0 +1,13 @@
+# Configuration for actual physical machines
+{config, ...}: {
+ hardware = {
+ enableRedistributableFirmware = true;
+ enableAllFirmware = true;
+ };
+
+ services = {
+ fwupd.enable = true;
+ smartd.enable = true;
+ thermald.enable = builtins.elem config.nixpkgs.system ["x86_64-linux"];
+ };
+}
diff --git a/hosts/nom/default.nix b/hosts/nom/default.nix
index 9397025..66aa57e 100644
--- a/hosts/nom/default.nix
+++ b/hosts/nom/default.nix
@@ -14,6 +14,7 @@
 ../common/graphical
 ../common/hardware/intel.nix
+ ../common/hardware/physical.nix
 ../common/efi.nix
 ../common/initrd-ssh.nix
 ../common/laptop.nix
diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix
index 543a423..1b04d75 100644
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@@ -10,6 +10,7 @@
 ../common/core
 ../common/hardware/intel.nix
+ ../common/hardware/physical.nix
 ../common/initrd-ssh.nix
 ../common/efi.nix
 ../common/zfs.nix
diff --git a/hosts/zackbiene/default.nix b/hosts/zackbiene/default.nix
index f68b579..7666d4c 100644
--- a/hosts/zackbiene/default.nix
+++ b/hosts/zackbiene/default.nix
@@ -9,6 +9,8 @@
 nixos-hardware.common-pc-ssd
 ../common/core
+ ../common/hardware/physical.nix
+ #../common/initrd-ssh.nix
 ../common/zfs.nix
 ../../users/root
diff --git a/users/common/git.nix b/users/common/git.nix
index 97f43e4..af7f88e 100644
--- a/users/common/git.nix
+++ b/users/common/git.nix
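Review bot: `services.smartd.enable = true;` in a module intended for cloud machines is likely to leave a failed unit behind, since smartd refuses to start when it finds no SMART-capable device and virtual disks normally expose none; confirm the unit is healthy on the cloud hosts, or drop the line here and leave smartd to physical.nix, which already enables it for bare metal. The header comment also reads awkwardly; `# Configuration for cloud (virtual) server machines` would be clearer.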
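Review bot: The added `#../common/initrd-ssh.nix` line in hosts/zackbiene/default.nix commits a commented-out import with no explanation, which leaves dead configuration in the host's import list that a later reader cannot tell apart from an accidental leftover. Either remove the line or keep it with a reason, e.g. `#../common/initrd-ssh.nix # disabled: <REASON PLACEHOLDER>`. The enclosing imports list starts and ends outside the hunk.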
@@ -5,14 +5,11 @@
 difftastic.enable = true;
 lfs.enable = lib.mkDefault false;
 extraConfig = {
- #diff = {
- # colorMoved = "default";
- # age.textconv = "${pkgs.rage}/bin/rage -i ~/.ssh/username --decrypt";
- #};
 difftool.prompt = true;
 init.defaultBranch = "main";
 merge.conflictstyle = "diff3";
 mergetool.prompt = true;
+ pull.rebase = true;
 };
 aliases = {
 unstash = "stash pop";