initial(ish) commit
This commit is contained in:
Philipp Hochkamp
commit
b744693f0e
88 changed files with 4925 additions and 0 deletions
39
nixos-modules/system/agenix.nix
Normal file
39
nixos-modules/system/agenix.nix
Normal file
|
|
@ -0,0 +1,39 @@
|
|||
{ options, config, inputs, lib, pkgs, ... }:
|
||||
|
||||
with builtins;
|
||||
with lib;
|
||||
with lib.my;
|
||||
let
|
||||
inherit (inputs) agenix;
|
||||
secretsDir = "${toString ../../secrets}";
|
||||
secretsFile = "${secretsDir}/secrets.nix";
|
||||
cfg = config.ragon.agenix;
|
||||
in
|
||||
{
|
||||
imports = [ agenix.nixosModules.age ];
|
||||
options.ragon.agenix = {
|
||||
enable = mkBoolOpt true;
|
||||
secrets = mkOption {
|
||||
type = types.attrs;
|
||||
default = { };
|
||||
};
|
||||
};
|
||||
config = mkIf cfg.enable {
|
||||
environment.systemPackages = [ agenix.defaultPackage.${pkgs.system} ];
|
||||
# Set passwords
|
||||
users.users.root.passwordFile = config.age.secrets.rootPasswd.path;
|
||||
age.identityPaths =
|
||||
[
|
||||
"/persistent/etc/ssh/ssh_host_ed25519_key"
|
||||
];
|
||||
age.secrets = mapAttrs (name: obj: ({ file = "${secretsDir}/${name}.age"; } // obj))
|
||||
(cfg.secrets //
|
||||
{
|
||||
rootPasswd = { };
|
||||
}
|
||||
);
|
||||
assertions = [
|
||||
{ assertion = (pathExists secretsFile); message = "${secretsFile} does not exist"; }
|
||||
];
|
||||
};
|
||||
}
|
||||
92
nixos-modules/system/fs.nix
Normal file
92
nixos-modules/system/fs.nix
Normal file
|
|
@ -0,0 +1,92 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
with lib;
|
||||
with lib.my;
|
||||
let
|
||||
cfg = config.ragon.system.fs;
|
||||
nix = cfg.nix;
|
||||
varlog = cfg.varlog;
|
||||
persistent = cfg.persistent;
|
||||
persistentSnapshot = cfg.persistentSnapshot;
|
||||
arcSize = cfg.arcSize;
|
||||
hostName = config.networking.hostName;
|
||||
in
|
||||
{
|
||||
options.ragon.system.fs = {
|
||||
enable = lib.mkEnableOption "Enables ragons fs stuff, (tmpfs,zfs,backups,...)";
|
||||
mediadata = mkBoolOpt true;
|
||||
swap = mkBoolOpt true;
|
||||
persistentSnapshot = mkBoolOpt true;
|
||||
nix = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "pool/nix";
|
||||
};
|
||||
varlog = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "pool/varlog";
|
||||
};
|
||||
persistent = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "pool/persist";
|
||||
};
|
||||
arcSize = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
default = 2;
|
||||
description = "Sets the ZFS Arc Size (in GB)";
|
||||
};
|
||||
};
|
||||
config = lib.mkIf cfg.enable {
|
||||
services.zfs.autoScrub.enable = true;
|
||||
services.sanoid = {
|
||||
enable = mkDefault persistentSnapshot;
|
||||
} // (if persistentSnapshot then { datasets."${persistent}" = { }; } else { });
|
||||
services.syncoid = {
|
||||
user = "root";
|
||||
group = "root";
|
||||
sshKey = /persistent/root/.ssh/id_rsa;
|
||||
enable = mkDefault true;
|
||||
commonArgs = [
|
||||
];
|
||||
commands."${persistent}" = {
|
||||
target = "ragon@ds9:rpool/content/local/backups/${hostName}"; # FIXME extra user
|
||||
recvOptions = "x encryption";
|
||||
};
|
||||
};
|
||||
boot.kernelParams = [ "zfs.zfs_arc_max=${toString (arcSize * 1024 * 1024 * 1024)}" ];
|
||||
fileSystems."/" =
|
||||
{
|
||||
device = "none";
|
||||
fsType = "tmpfs";
|
||||
options = [ "size=8G" "defaults" "mode=755" ];
|
||||
};
|
||||
fileSystems."/nix" =
|
||||
{
|
||||
device = "${nix}";
|
||||
fsType = "zfs";
|
||||
neededForBoot = true;
|
||||
};
|
||||
|
||||
fileSystems."/persistent" =
|
||||
{
|
||||
device = "${persistent}";
|
||||
fsType = "zfs";
|
||||
neededForBoot = true;
|
||||
};
|
||||
|
||||
fileSystems."/var/log" =
|
||||
{
|
||||
device = "${varlog}";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{
|
||||
device = mkDefault "/dev/disk/by-label/boot";
|
||||
fsType = "vfat";
|
||||
options = [ "noauto" "x-systemd.automount" ];
|
||||
};
|
||||
swapDevices = mkIf cfg.swap [
|
||||
{ device = "/persistent/pagefile.sys"; }
|
||||
];
|
||||
|
||||
};
|
||||
}
|
||||
34
nixos-modules/system/persist.nix
Normal file
34
nixos-modules/system/persist.nix
Normal file
|
|
@ -0,0 +1,34 @@
|
|||
{ config, lib, pkgs, inputs, ... }:
|
||||
let
|
||||
cfg = config.ragon.persist;
|
||||
in
|
||||
{
|
||||
options.ragon.persist.enable = lib.mkEnableOption "Enables persistence";
|
||||
options.ragon.persist.extraFiles = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.str;
|
||||
default = [ ];
|
||||
};
|
||||
options.ragon.persist.extraDirectories = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.str;
|
||||
default = [ ];
|
||||
};
|
||||
config = lib.mkIf cfg.enable {
|
||||
|
||||
environment.persistence."/persistent" = {
|
||||
directories = [
|
||||
"/etc/nixos"
|
||||
"/etc/NetworkManager/system-connections"
|
||||
"/root/.ssh"
|
||||
] ++ (lib.unique cfg.extraDirectories);
|
||||
files = [
|
||||
"/etc/machine-id"
|
||||
"/etc/ssh/ssh_host_rsa_key"
|
||||
"/etc/ssh/ssh_host_rsa_key.pub"
|
||||
"/etc/ssh/ssh_host_ed25519_key"
|
||||
"/etc/ssh/ssh_host_ed25519_key.pub"
|
||||
] ++ cfg.extraFiles;
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
}
|
||||
27
nixos-modules/system/security.nix
Normal file
27
nixos-modules/system/security.nix
Normal file
|
|
@ -0,0 +1,27 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
with lib;
|
||||
with lib.my;
|
||||
let
|
||||
cfg = config.ragon.system.security;
|
||||
in
|
||||
{
|
||||
options.ragon.system.security = {
|
||||
enable = mkBoolOpt true;
|
||||
};
|
||||
config = mkIf cfg.enable {
|
||||
security.sudo.execWheelOnly = true;
|
||||
services.openssh = {
|
||||
passwordAuthentication = false;
|
||||
allowSFTP = false; # just use rsync, lol
|
||||
kbdInteractiveAuthentication = false;
|
||||
extraConfig = ''
|
||||
AllowTcpForwarding yes
|
||||
X11Forwarding no
|
||||
AllowAgentForwarding no
|
||||
AllowStreamLocalForwarding no
|
||||
AuthenticationMethods publickey
|
||||
'';
|
||||
};
|
||||
|
||||
};
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue