refactor configuration

2022-09-18 17:26:06 +02:00 · 2022-09-18 17:26:06 +02:00 · 2aafcc9b49
commit 2aafcc9b49
parent d016cc67bc
17 changed files with 154 additions and 149 deletions
--- a/nixos/modules/admin.nix
+++ b/nixos/modules/admin.nix
@ -49,7 +49,7 @@ in

      users = mkOption {
        type = with types; attrsOf (submodule adminOpts);
-        default = { };
+        default = import ../../admins.nix;
        description = ''
          Admin users with root access machine.
        '';
@ -67,6 +67,13 @@ in
  };

  config = mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = cfg.users != [ ];
+        message = "Must provide at least one admin, if the admin module is enabled.";
+      }
+    ];
+
    programs.zsh.enable = mkDefault true;

    services.sshd.enable = true;
--- a/nixos/modules/borg-server.nix
+++ b/nixos/modules/borg-server.nix
@ -1,4 +1,4 @@
-{ config, lib, admins, ... }:
+{ config, lib, ... }:
 let
  inherit (lib) mkEnableOption mkIf mkOption types;
  cfg = config.dadada.borgServer;
@ -26,49 +26,42 @@ in
      "metis" = {
        allowSubRepos = false;
        authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDnc1gCi8lbhlLmPKvaExtCxVaAni8RrOuHUQO6wTbzR root@metis" ];
-        authorizedKeys = admins.dadada.keys;
        path = "${cfg.path}/metis";
        quota = "1T";
      };
      "gorgon" = {
        allowSubRepos = false;
        authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP6p9b2D7y2W+9BGee2yk2xsCRewNNaE6oS3CqlW61ti root@gorgon" ];
-        authorizedKeys = admins.dadada.keys;
        path = "${cfg.path}/gorgon";
        quota = "1T";
      };
      "surgat" = {
        allowSubRepos = false;
        authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGhatanrNG+M6jAkU7Yi44mJmTreJkqyZ6Z+qiEgV7O root@surgat" ];
-        authorizedKeys = admins.dadada.keys;
        path = "${cfg.path}/surgat";
        quota = "50G";
      };
      "pruflas" = {
        allowSubRepos = false;
        authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBk7f9DSnXCOIUsxFsjCKG23vHShV4TSzzPJunPOwa1I root@pruflas" ];
-        authorizedKeys = admins.dadada.keys;
        path = "${cfg.path}/pruflas";
        quota = "50G";
      };
      "wohnzimmerpi" = {
        allowSubRepos = false;
        authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6uZ8mPQJWOL984gZKKPyxp7VLcxk42TpTh5iPP6N6k root@wohnzimmerpi" ];
-        authorizedKeys = admins.dadada.keys;
        path = "${cfg.path}/wohnzimmerpi";
        quota = "50G";
      };
      "fginfo" = {
        allowSubRepos = false;
        authorizedKeysAppendOnly = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxsyJeZVlVix0FPE8S/Gx0DVutS1ZNESVdYvHBwo36wGlYpSsQoSy/2HSwbpxs88MOGw1QNboxvvpBxCWxZ5HyjxuO5SwYgtmpjPXvmqfVqNXXnLChhSnKgk9b+HesQJCbHyrF9ZAJXEFCOGhOL3YTgd6lTX3lQUXgh/LEDlrPrigUMDNPecPWxpPskP6Vvpe9u+duhL+ihyxXaV+CoPk8nkWrov5jCGPiM48pugbwAfqARyZDgFpmWwL7Xg2UKgVZ1ttHZCWwH+htgioVZMYpdkQW1aq6LLGwN34Hj2VKXzmJN5frh6vQoZr2AFGHNKyJwAMpqnoY//QwuREpZTrh root@fginfo.ibr.cs.tu-bs.de" ];
-        authorizedKeys = admins.dadada.keys;
        path = "${cfg.path}/fginfo";
        quota = "10G";
      };
      "fginfo-git" = {
        allowSubRepos = false;
        authorizedKeysAppendOnly = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmI6cUv3j0T9ofFB286sDwXwwczqi41cp4MZyGH3VWQnqBPNjICqAdY3CLhgvGBCxSe6ZgKQ+5YLsGSSlU1uhrJXW2UiVKuIPd0kjMF/9e8hmNoTTh0pdk9THfz9LLAdI1vPin1EeVReuDXlZkCI7DFYuTO9yiyZ1uLZUfT1KBRoqiqyypZhut7zT3UaDs2L+Y5hho6WiTdm7INuz6HEB7qYXzrmx93hlcuLZA7fDfyMO9F4APZFUqefcUIEyDI2b+Q/8Q2/rliT2PoC69XLVlj7HyVhfgKsOnopwBDNF3rRcJ6zz4WICPM18i4ZCmfoDTL/cFr5c41Lan1X7wS5wR root@fginfo-git" ];
-        authorizedKeys = admins.dadada.keys;
        path = "${cfg.path}/fginfo-git";
        quota = "10G";
      };
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@ -1,4 +1,4 @@
-{ ... } @ inputs: {
+{
  admin = import ./admin.nix;
  backup = import ./backup.nix;
  borgServer = import ./borg-server.nix;
@ -11,7 +11,10 @@
  homepage = import ./homepage.nix;
  kanboard = import ./kanboard;
  networking = import ./networking.nix;
-  nix = import ./nix.nix inputs;
+  nix = import ./nix.nix;
+  nixpkgs = import ./nixpkgs.nix;
+  packages = import ./packages.nix;
+  secrets = import ./secrets.nix;
  share = import ./share.nix;
  steam = import ./steam.nix;
  update = import ./update.nix;
--- a/nixos/modules/homepage.nix
+++ b/nixos/modules/homepage.nix
@ -9,6 +9,10 @@ in
 with lib; {
  options.dadada.homePage = {
    enable = mkEnableOption "Enable home page";
+    package = mkOption {
+      type = lib.types.package;
+      description = "Package containing the homepage";
+    };
  };
  config = mkIf cfg.enable {
    services.nginx.enable = true;
@ -16,7 +20,7 @@ with lib; {
    services.nginx.virtualHosts."dadada.li" = {
      enableACME = true;
      forceSSL = true;
-      root = "${pkgs.homePage}";
+      root = "${cfg.package}";
    };
  };
 }
--- a/nixos/modules/nix.nix
+++ b/nixos/modules/nix.nix
@ -1,33 +1,36 @@
-{ self
-, home-manager
-, nixpkgs
+{ config
+, pkgs
+, lib
 , ...
-}: { config
-   , pkgs
-   , lib
-   , ...
-   }:
-# Global settings for nix daemon
+}:
+let
+  cfg = config.dadada.inputs;
+in
 {
-  nix.nixPath = [
-    "home-manager=${home-manager}"
-    "nixpkgs=${nixpkgs}"
-    "dadada=${self}"
-  ];
-  nix.registry = {
-    home-manager.flake = home-manager;
-    nixpkgs.flake = nixpkgs;
-    dadada.flake = self;
+  options = {
+    dadada.inputs = lib.mkOption {
+      type = lib.types.attrsOf lib.types.attrs;
+      description = "Flake inputs that should be available inside Nix modules";
+      default = { };
+    };
+  };
+
+  config = {
+    nix.nixPath = lib.mapAttrsToList (name: value: "${name}=${value}") cfg;
+    nix.registry = lib.mapAttrs' (name: value: lib.nameValuePair name { flake = value; }) cfg;
+
+    nix.settings.substituters = [
+      https://cache.nixos.org/
+      https://nix-community.cachix.org/
+    ];
+
+    nix.settings.trusted-public-keys = [
+      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+      "gorgon:eEE/PToceRh34UnnoFENERhk89dGw5yXOpJ2CUbfL/Q="
+      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+    ];
+
+    nix.settings.require-sigs = true;
+    nix.settings.sandbox = true;
  };
-  nix.settings.substituters = [
-    https://cache.nixos.org/
-    https://nix-community.cachix.org/
-  ];
-  nix.settings.trusted-public-keys = [
-    "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
-    "gorgon:eEE/PToceRh34UnnoFENERhk89dGw5yXOpJ2CUbfL/Q="
-    "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-  ];
-  nix.settings.require-sigs = true;
-  nix.settings.sandbox = true;
 }
--- a/nixos/modules/nixpkgs.nix
+++ b/nixos/modules/nixpkgs.nix
@ -0,0 +1,3 @@
+{
+  nixpkgs.config.allowUnfreePredicate = pkg: true;
+}
--- a/nixos/modules/packages.nix
+++ b/nixos/modules/packages.nix
@ -0,0 +1,10 @@
+{ config, lib, ... }:
+{
+  options = {
+    dadada.pkgs = lib.mkOption {
+      type = lib.types.attrsOf lib.types.package;
+      description = "Additional packages that are not sourced from nixpkgs";
+      default = { };
+    };
+  };
+}
--- a/nixos/modules/profiles/backup.nix
+++ b/nixos/modules/profiles/backup.nix
@ -1,4 +1,7 @@
-{ config, secretsPath, ... }:
+{ config, ... }:
+let
+  secretsPath = config.dadada.secrets.path;
+in
 {
  dadada.backupClient.bs = {
    enable = true;
--- a/nixos/modules/profiles/server.nix
+++ b/nixos/modules/profiles/server.nix
@ -1,5 +1,4 @@
 { config
-, admins
 , pkgs
 , lib
 , ...
@ -9,8 +8,6 @@ with lib; {
    ./backup.nix
  ];

-  dadada.admin.users = admins;
-
  networking.domain = mkDefault "dadada.li";
  networking.tempAddresses = "disabled";

--- a/nixos/modules/secrets.nix
+++ b/nixos/modules/secrets.nix
@ -0,0 +1,10 @@
+{ config, lib, ... }:
+{
+  options = {
+    dadada.secrets.path = lib.mkOption {
+      type = lib.types.path;
+      description = "Path to encrypted secrets files";
+      default = ../../secrets;
+    };
+  };
+}