modules: refactor common

move common into directory
2023-07-02 08:16:12 +10:00 · 2023-07-02 08:16:12 +10:00 · 1441015937
commit 1441015937
parent f8a2457154
7 changed files with 1 additions and 1 deletions
--- a/modules/nixos/common/auto-upgrade.nix
+++ b/modules/nixos/common/auto-upgrade.nix
@ -0,0 +1,25 @@
+{ config, pkgs, ... }:
+{
+  system.autoUpgrade.enable = true;
+  system.autoUpgrade.flake = "github:nix-community/infra";
+  system.autoUpgrade.dates = "hourly";
+  system.autoUpgrade.flags = [ "--option" "accept-flake-config" "true" "--option" "tarball-ttl" "0" ];
+
+  # adapted from https://github.com/NixOS/nixpkgs/blob/3428bdf3c93a7608615dddd44dec50c3df89b4be/nixos/modules/tasks/auto-upgrade.nix
+  systemd.services.reboot-after-update = {
+    restartIfChanged = false;
+    unitConfig.X-StopOnRemoval = false;
+    serviceConfig.Type = "oneshot";
+    script = ''
+      booted="$(${pkgs.coreutils}/bin/readlink /run/booted-system/{initrd,kernel,kernel-modules})"
+      built="$(${pkgs.coreutils}/bin/readlink /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})"
+      if [ "''${booted}" != "''${built}" ]; then
+        ${config.systemd.package}/bin/shutdown -r now
+      fi
+    '';
+    startAt = "0/6:00";
+  };
+  systemd.timers.reboot-after-update = {
+    timerConfig.RandomizedDelaySec = "6h";
+  };
+}
--- a/modules/nixos/common/default.nix
+++ b/modules/nixos/common/default.nix
@ -0,0 +1,28 @@
+{ inputs, ... }:
+{
+  imports = [
+    ./auto-upgrade.nix
+    ./nix-daemon.nix
+    ./security.nix
+    ./sops-nix.nix
+    ./users.nix
+    inputs.sops-nix.nixosModules.sops
+    inputs.srvos.nixosModules.mixins-telegraf
+    inputs.srvos.nixosModules.server
+  ];
+
+  networking.firewall.allowedTCPPorts = [ 9273 ];
+
+  srvos.flake = inputs.self;
+
+  zramSwap.enable = true;
+
+  security.acme.defaults.email = "trash@nix-community.org";
+  security.acme.acceptTerms = true;
+
+  # Without configuration this unit will fail...
+  # Just disable it since we are using telegraf to monitor raid health.
+  systemd.services.mdmonitor.enable = false;
+
+  networking.domain = "nix-community.org";
+}
--- a/modules/nixos/common/nix-daemon.nix
+++ b/modules/nixos/common/nix-daemon.nix
@ -0,0 +1,40 @@
+{ pkgs, ... }:
+
+let
+  asGB = size: toString (size * 1024 * 1024);
+in
+{
+  nix = {
+    settings.trusted-public-keys = [
+      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+    ];
+
+    settings.substituters = [
+      "https://nix-community.cachix.org"
+    ];
+
+    # Hard-link duplicated files
+    settings.auto-optimise-store = true;
+
+    # auto-free the /nix/store
+    settings.min-free = asGB 10;
+    settings.max-free = asGB 200;
+
+    # users in trusted group are trusted by the nix-daemon
+    settings.trusted-users = [ "@trusted" ];
+
+    # useful for ad-hoc nix-shell's for debugging
+    nixPath = [ "nixpkgs=${pkgs.path}" ];
+
+    gc.automatic = true;
+    gc.options = "--delete-older-than 14d";
+  };
+
+  # Sometimes it fails if a store path is still in use.
+  # This should fix intermediate issues.
+  systemd.services.nix-gc.serviceConfig = {
+    Restart = "on-failure";
+  };
+
+  users.groups.trusted = { };
+}
--- a/modules/nixos/common/security.nix
+++ b/modules/nixos/common/security.nix
@ -0,0 +1,48 @@
+{
+  # Make sure that the firewall is enabled, even if it's the default.
+  networking.firewall.enable = true;
+
+  programs.ssh.knownHosts = {
+    build01 = {
+      hostNames = [ "build01.nix-community.org" ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIElIQ54qAy7Dh63rBudYKdbzJHrrbrrMXLYl7Pkmk88H";
+    };
+    build02 = {
+      hostNames = [ "build02.nix-community.org" ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMm3/o1HguyRL1z/nZxLBY9j/YUNXeNuDoiBLZAyt88Z";
+    };
+    build03 = {
+      hostNames = [ "build03.nix-community.org" ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFiozp1A1+SUfJQPa5DZUQcVc6CZK2ZxL6FJtNdh+2TP";
+    };
+    build04 = {
+      hostNames = [ "build04.nix-community.org" ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINvzMJfCiVKGfEjCfBZqDD7Kib5y+2zz04YI8XrCZ68O";
+    };
+    darwin02 = {
+      hostNames = [ "darwin02.nix-community.org" ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBt6uTauhRbs5A6jwAT3p3i3P1keNC6RpaA1Na859BCa";
+    };
+    aarch64-nixos-community = {
+      hostNames = [ "aarch64.nixos.community" ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUTz5i9u5H2FHNAmZJyoJfIGyUm/HfGhfwnc142L3ds";
+    };
+    hetzner-storage-box = {
+      hostNames = [ "[u348918.your-storagebox.de]:23" ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs";
+    };
+    web01 = {
+      hostNames = [ "web01.nix-community.org" ];
+      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlk4GXei97txlkLtRQDblje0YXZxQnu5w7rVSBPzYRl";
+    };
+  };
+
+  services.openssh = {
+    hostKeys = [
+      { path = "/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; }
+    ];
+  };
+
+  # Ban brute force SSH
+  services.fail2ban.enable = true;
+}
--- a/modules/nixos/common/sops-nix.nix
+++ b/modules/nixos/common/sops-nix.nix
@ -0,0 +1,7 @@
+{ config, inputs, lib, ... }:
+let
+  defaultSopsPath = "${toString inputs.self}/hosts/${config.networking.hostName}/secrets.yaml";
+in
+{
+  sops.defaultSopsFile = lib.mkIf (builtins.pathExists defaultSopsPath) defaultSopsPath;
+}
--- a/modules/nixos/common/users.nix
+++ b/modules/nixos/common/users.nix
@ -0,0 +1,22 @@
+{ inputs, lib, ... }:
+
+let
+  usersDir = "${toString inputs.self}/users";
+  userImports =
+    let
+      toUserPath = f: usersDir + "/${f}";
+      onlyUserFiles = x:
+        lib.hasSuffix ".nix" x &&
+        x != "lib.nix"
+      ;
+      userDirEntries = builtins.readDir usersDir;
+      userFiles = builtins.filter onlyUserFiles (lib.attrNames userDirEntries);
+    in
+    builtins.map toUserPath userFiles;
+in
+{
+  imports = userImports;
+
+  # No mutable users
+  users.mutableUsers = false;
+}