refactor configuration

2022-09-18 17:26:06 +02:00 · 2022-09-18 17:26:06 +02:00 · 2aafcc9b49
commit 2aafcc9b49
parent d016cc67bc
17 changed files with 154 additions and 149 deletions
--- a/nixos/configurations.nix
+++ b/nixos/configurations.nix
@ -1,6 +1,4 @@
-# TODO refactor adapterModule and redundant module config
 { self
-, admins
 , agenix
 , nixpkgs
 , home-manager
@ -9,99 +7,79 @@
 , nvd
 , scripts
 , recipemd
-, secretsPath
 , ...
-}:
+}@inputs:
 let
-  nixosSystem = nixpkgs.lib.nixosSystem;
-  agenixModule = agenix.nixosModule;
-  adapterModule = system: {
-    nixpkgs.config.allowUnfreePredicate = pkg: true;
-    nixpkgs.overlays =
-      (nixpkgs.lib.attrValues self.overlays)
-      ++ [
-        (final: prev: { homePage = homePage.defaultPackage.${system}; })
-        (final: prev: { s = scripts; })
-        (final: prev: { n = nvd; })
-        (final: prev: { recipemd = recipemd.defaultPackage.${system}; })
-      ];
+  getDefaultPkgs = system: flakes: nixpkgs.lib.mapAttrs (_: value: nixpkgs.lib.getAttr system value.defaultPackage) flakes;
+
+  nixosSystem = { system ? "x86_64-linux", extraModules ? [ ] }: nixpkgs.lib.nixosSystem {
+    inherit system;
+
+    modules = (nixpkgs.lib.attrValues self.nixosModules) ++ [ agenix.nixosModule ] ++ extraModules;
  };
-  lib = nixpkgs.lib;
 in
 {
  gorgon = nixosSystem rec {
    system = "x86_64-linux";
-    specialArgs = { inherit admins secretsPath; };
-    modules =
-      (nixpkgs.lib.attrValues self.nixosModules)
-      ++ [
-        (adapterModule system)
-        agenixModule
-        nixos-hardware.nixosModules.lenovo-thinkpad-t14s-amd-gen1
-        home-manager.nixosModules.home-manager
-        {
-          home-manager.useGlobalPkgs = true;
-          home-manager.useUserPackages = true;
-          home-manager.sharedModules =
-            (nixpkgs.lib.attrValues self.hmModules)
-            ++ [
-              { manual.manpages.enable = false; }
-            ];
-          home-manager.users.dadada = import ../home/home;
-        }
-        ./modules/profiles/laptop.nix
-        ./gorgon/configuration.nix
-      ];
+
+    extraModules = [
+      {
+        nixpkgs.overlays = nixpkgs.lib.attrValues self.overlays;
+        dadada.pkgs = getDefaultPkgs system {
+          inherit scripts nvd recipemd;
+        };
+
+        # Add flakes to registry and nix path.
+        dadada.inputs = inputs // { dadada = self; };
+      }
+
+      nixos-hardware.nixosModules.lenovo-thinkpad-t14s-amd-gen1
+
+      home-manager.nixosModules.home-manager
+      {
+        home-manager.useGlobalPkgs = true;
+        home-manager.useUserPackages = true;
+        home-manager.sharedModules = (nixpkgs.lib.attrValues self.hmModules) ++ [
+          { manual.manpages.enable = false; }
+        ];
+        home-manager.users.dadada = import ../home/home;
+      }
+
+      ./modules/profiles/laptop.nix
+      ./gorgon/configuration.nix
+    ];
  };
-  ifrit = nixosSystem rec {
-    system = "x86_64-linux";
-    specialArgs = { inherit admins secretsPath; };
-    modules =
-      (nixpkgs.lib.attrValues self.nixosModules)
-      ++ [
-        agenixModule
-        (adapterModule system)
-        ./modules/profiles/server.nix
-        ./ifrit/configuration.nix
-        ./ifrit/hardware-configuration.nix
-      ];
+
+  ifrit = nixosSystem {
+    extraModules = [
+      ./modules/profiles/server.nix
+      ./ifrit/configuration.nix
+      ./ifrit/hardware-configuration.nix
+    ];
  };

  surgat = nixosSystem rec {
    system = "x86_64-linux";
-    specialArgs = { inherit admins secretsPath; };
-    modules =
-      (nixpkgs.lib.attrValues self.nixosModules)
-      ++ [
-        (adapterModule system)
-        agenixModule
-        ./modules/profiles/server.nix
-        ./surgat/configuration.nix
-      ];
-  };
-  pruflas = nixosSystem rec {
-    system = "x86_64-linux";
-    specialArgs = { inherit admins secretsPath; };
-    modules =
-      (nixpkgs.lib.attrValues self.nixosModules)
-      ++ [
-        (adapterModule system)
-        agenixModule
-        ./modules/profiles/laptop.nix
-        ./pruflas/configuration.nix
-      ];
+    extraModules = [
+      {
+        dadada.homePage.package = homePage.defaultPackage.${system};
+      }
+      ./modules/profiles/server.nix
+      ./surgat/configuration.nix
+    ];
  };

-  agares = nixosSystem rec {
-    system = "x86_64-linux";
-    specialArgs = { inherit admins secretsPath; };
-    modules =
-      (nixpkgs.lib.attrValues self.nixosModules)
-      ++ [
-        (adapterModule system)
-        agenixModule
-        ./modules/profiles/server.nix
-        ./agares/configuration.nix
-      ];
+  pruflas = nixosSystem {
+    extraModules = [
+      ./modules/profiles/laptop.nix
+      ./pruflas/configuration.nix
+    ];
+  };
+
+  agares = nixosSystem {
+    extraModules = [
+      ./modules/profiles/server.nix
+      ./agares/configuration.nix
+    ];
  };
 }
--- a/nixos/gorgon/configuration.nix
+++ b/nixos/gorgon/configuration.nix
@ -83,7 +83,7 @@ in
  environment.systemPackages = with pkgs; [
    chromium
    ghostscript
-    recipemd
+    config.dadada.pkgs.recipemd
  ];

  networking.firewall = {
--- a/nixos/modules/admin.nix
+++ b/nixos/modules/admin.nix
@ -49,7 +49,7 @@ in

      users = mkOption {
        type = with types; attrsOf (submodule adminOpts);
-        default = { };
+        default = import ../../admins.nix;
        description = ''
          Admin users with root access machine.
        '';
@ -67,6 +67,13 @@ in
  };

  config = mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = cfg.users != [ ];
+        message = "Must provide at least one admin, if the admin module is enabled.";
+      }
+    ];
+
    programs.zsh.enable = mkDefault true;

    services.sshd.enable = true;
--- a/nixos/modules/borg-server.nix
+++ b/nixos/modules/borg-server.nix
@ -1,4 +1,4 @@
-{ config, lib, admins, ... }:
+{ config, lib, ... }:
 let
  inherit (lib) mkEnableOption mkIf mkOption types;
  cfg = config.dadada.borgServer;
@ -26,49 +26,42 @@ in
      "metis" = {
        allowSubRepos = false;
        authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDnc1gCi8lbhlLmPKvaExtCxVaAni8RrOuHUQO6wTbzR root@metis" ];
-        authorizedKeys = admins.dadada.keys;
        path = "${cfg.path}/metis";
        quota = "1T";
      };
      "gorgon" = {
        allowSubRepos = false;
        authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP6p9b2D7y2W+9BGee2yk2xsCRewNNaE6oS3CqlW61ti root@gorgon" ];
-        authorizedKeys = admins.dadada.keys;
        path = "${cfg.path}/gorgon";
        quota = "1T";
      };
      "surgat" = {
        allowSubRepos = false;
        authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGhatanrNG+M6jAkU7Yi44mJmTreJkqyZ6Z+qiEgV7O root@surgat" ];
-        authorizedKeys = admins.dadada.keys;
        path = "${cfg.path}/surgat";
        quota = "50G";
      };
      "pruflas" = {
        allowSubRepos = false;
        authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBk7f9DSnXCOIUsxFsjCKG23vHShV4TSzzPJunPOwa1I root@pruflas" ];
-        authorizedKeys = admins.dadada.keys;
        path = "${cfg.path}/pruflas";
        quota = "50G";
      };
      "wohnzimmerpi" = {
        allowSubRepos = false;
        authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6uZ8mPQJWOL984gZKKPyxp7VLcxk42TpTh5iPP6N6k root@wohnzimmerpi" ];
-        authorizedKeys = admins.dadada.keys;
        path = "${cfg.path}/wohnzimmerpi";
        quota = "50G";
      };
      "fginfo" = {
        allowSubRepos = false;
        authorizedKeysAppendOnly = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxsyJeZVlVix0FPE8S/Gx0DVutS1ZNESVdYvHBwo36wGlYpSsQoSy/2HSwbpxs88MOGw1QNboxvvpBxCWxZ5HyjxuO5SwYgtmpjPXvmqfVqNXXnLChhSnKgk9b+HesQJCbHyrF9ZAJXEFCOGhOL3YTgd6lTX3lQUXgh/LEDlrPrigUMDNPecPWxpPskP6Vvpe9u+duhL+ihyxXaV+CoPk8nkWrov5jCGPiM48pugbwAfqARyZDgFpmWwL7Xg2UKgVZ1ttHZCWwH+htgioVZMYpdkQW1aq6LLGwN34Hj2VKXzmJN5frh6vQoZr2AFGHNKyJwAMpqnoY//QwuREpZTrh root@fginfo.ibr.cs.tu-bs.de" ];
-        authorizedKeys = admins.dadada.keys;
        path = "${cfg.path}/fginfo";
        quota = "10G";
      };
      "fginfo-git" = {
        allowSubRepos = false;
        authorizedKeysAppendOnly = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmI6cUv3j0T9ofFB286sDwXwwczqi41cp4MZyGH3VWQnqBPNjICqAdY3CLhgvGBCxSe6ZgKQ+5YLsGSSlU1uhrJXW2UiVKuIPd0kjMF/9e8hmNoTTh0pdk9THfz9LLAdI1vPin1EeVReuDXlZkCI7DFYuTO9yiyZ1uLZUfT1KBRoqiqyypZhut7zT3UaDs2L+Y5hho6WiTdm7INuz6HEB7qYXzrmx93hlcuLZA7fDfyMO9F4APZFUqefcUIEyDI2b+Q/8Q2/rliT2PoC69XLVlj7HyVhfgKsOnopwBDNF3rRcJ6zz4WICPM18i4ZCmfoDTL/cFr5c41Lan1X7wS5wR root@fginfo-git" ];
-        authorizedKeys = admins.dadada.keys;
        path = "${cfg.path}/fginfo-git";
        quota = "10G";
      };
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@ -1,4 +1,4 @@
-{ ... } @ inputs: {
+{
  admin = import ./admin.nix;
  backup = import ./backup.nix;
  borgServer = import ./borg-server.nix;
@ -11,7 +11,10 @@
  homepage = import ./homepage.nix;
  kanboard = import ./kanboard;
  networking = import ./networking.nix;
-  nix = import ./nix.nix inputs;
+  nix = import ./nix.nix;
+  nixpkgs = import ./nixpkgs.nix;
+  packages = import ./packages.nix;
+  secrets = import ./secrets.nix;
  share = import ./share.nix;
  steam = import ./steam.nix;
  update = import ./update.nix;
--- a/nixos/modules/homepage.nix
+++ b/nixos/modules/homepage.nix
@ -9,6 +9,10 @@ in
 with lib; {
  options.dadada.homePage = {
    enable = mkEnableOption "Enable home page";
+    package = mkOption {
+      type = lib.types.package;
+      description = "Package containing the homepage";
+    };
  };
  config = mkIf cfg.enable {
    services.nginx.enable = true;
@ -16,7 +20,7 @@ with lib; {
    services.nginx.virtualHosts."dadada.li" = {
      enableACME = true;
      forceSSL = true;
-      root = "${pkgs.homePage}";
+      root = "${cfg.package}";
    };
  };
 }
--- a/nixos/modules/nix.nix
+++ b/nixos/modules/nix.nix
@ -1,33 +1,36 @@
-{ self
-, home-manager
-, nixpkgs
+{ config
+, pkgs
+, lib
 , ...
-}: { config
-   , pkgs
-   , lib
-   , ...
-   }:
-# Global settings for nix daemon
+}:
+let
+  cfg = config.dadada.inputs;
+in
 {
-  nix.nixPath = [
-    "home-manager=${home-manager}"
-    "nixpkgs=${nixpkgs}"
-    "dadada=${self}"
-  ];
-  nix.registry = {
-    home-manager.flake = home-manager;
-    nixpkgs.flake = nixpkgs;
-    dadada.flake = self;
+  options = {
+    dadada.inputs = lib.mkOption {
+      type = lib.types.attrsOf lib.types.attrs;
+      description = "Flake inputs that should be available inside Nix modules";
+      default = { };
+    };
+  };
+
+  config = {
+    nix.nixPath = lib.mapAttrsToList (name: value: "${name}=${value}") cfg;
+    nix.registry = lib.mapAttrs' (name: value: lib.nameValuePair name { flake = value; }) cfg;
+
+    nix.settings.substituters = [
+      https://cache.nixos.org/
+      https://nix-community.cachix.org/
+    ];
+
+    nix.settings.trusted-public-keys = [
+      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+      "gorgon:eEE/PToceRh34UnnoFENERhk89dGw5yXOpJ2CUbfL/Q="
+      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+    ];
+
+    nix.settings.require-sigs = true;
+    nix.settings.sandbox = true;
  };
-  nix.settings.substituters = [
-    https://cache.nixos.org/
-    https://nix-community.cachix.org/
-  ];
-  nix.settings.trusted-public-keys = [
-    "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
-    "gorgon:eEE/PToceRh34UnnoFENERhk89dGw5yXOpJ2CUbfL/Q="
-    "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-  ];
-  nix.settings.require-sigs = true;
-  nix.settings.sandbox = true;
 }
--- a/nixos/modules/nixpkgs.nix
+++ b/nixos/modules/nixpkgs.nix
@ -0,0 +1,3 @@
+{
+  nixpkgs.config.allowUnfreePredicate = pkg: true;
+}
--- a/nixos/modules/packages.nix
+++ b/nixos/modules/packages.nix
@ -0,0 +1,10 @@
+{ config, lib, ... }:
+{
+  options = {
+    dadada.pkgs = lib.mkOption {
+      type = lib.types.attrsOf lib.types.package;
+      description = "Additional packages that are not sourced from nixpkgs";
+      default = { };
+    };
+  };
+}
--- a/nixos/modules/profiles/backup.nix
+++ b/nixos/modules/profiles/backup.nix
@ -1,4 +1,7 @@
-{ config, secretsPath, ... }:
+{ config, ... }:
+let
+  secretsPath = config.dadada.secrets.path;
+in
 {
  dadada.backupClient.bs = {
    enable = true;
--- a/nixos/modules/profiles/server.nix
+++ b/nixos/modules/profiles/server.nix
@ -1,5 +1,4 @@
 { config
-, admins
 , pkgs
 , lib
 , ...
@ -9,8 +8,6 @@ with lib; {
    ./backup.nix
  ];

-  dadada.admin.users = admins;
-
  networking.domain = mkDefault "dadada.li";
  networking.tempAddresses = "disabled";

--- a/nixos/modules/secrets.nix
+++ b/nixos/modules/secrets.nix
@ -0,0 +1,10 @@
+{ config, lib, ... }:
+{
+  options = {
+    dadada.secrets.path = lib.mkOption {
+      type = lib.types.path;
+      description = "Path to encrypted secrets files";
+      default = ../../secrets;
+    };
+  };
+}
--- a/nixos/pruflas/configuration.nix
+++ b/nixos/pruflas/configuration.nix
@ -1,7 +1,6 @@
 { config
 , pkgs
 , lib
-, admins
 , ...
 }:
 with lib; {
@ -42,7 +41,6 @@ with lib; {
  };

  dadada.admin.enable = true;
-  dadada.admin.users = admins;

  dadada.backupClient = {
    bs.enable = true;