re-consolidate configuration by pulling from srvos

2022-12-19 15:59:28 +01:00 · 2022-12-19 15:59:28 +01:00 · a75b9e41f1
commit a75b9e41f1
parent 1f858631a7
7 changed files with 27 additions and 70 deletions
--- a/flake.lock
+++ b/flake.lock
@ -180,7 +180,8 @@
        "nixpkgs-update": "nixpkgs-update",
        "nixpkgs-update-github-releases": "nixpkgs-update-github-releases",
        "nixpkgs-update-pypi-releases": "nixpkgs-update-pypi-releases",
-        "sops-nix": "sops-nix"
+        "sops-nix": "sops-nix",
+        "srvos": "srvos"
      }
    },
    "sops-nix": {
@ -203,6 +204,26 @@
        "repo": "sops-nix",
        "type": "github"
      }
+    },
+    "srvos": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1671462804,
+        "narHash": "sha256-WPwJpBn9XYwkZp/RsSKM0hKi/pmDl7EPQS7/XS5IgKA=",
+        "owner": "numtide",
+        "repo": "srvos",
+        "rev": "754b897b4c0a925f9bd3130110d5e2d6bb36182f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "srvos",
+        "type": "github"
+      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@ -22,6 +22,10 @@
    sops-nix.url = "github:Mic92/sops-nix";
    sops-nix.inputs.nixpkgs.follows = "nixpkgs";

+    srvos.url = "github:numtide/srvos";
+    # actually not used when using the modules but than nothing ever will try to fetch this nixpkgs variant
+    srvos.inputs.nixpkgs.follows = "nixpkgs";
+
    flake-parts.url = "github:hercules-ci/flake-parts";
    flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
  };
@ -45,6 +49,7 @@
          inherit (inputs.nixpkgs.lib) nixosSystem;
          common = [
            inputs.sops-nix.nixosModules.sops
+            inputs.srvos.nixosModules.common
            { _module.args.inputs = inputs; }
          ];
        in {
--- a/roles/common.nix
+++ b/roles/common.nix
@ -1,21 +1,13 @@
 { pkgs, lib, config, ... }:

 {
-
  imports = [
    ./auto-upgrade.nix
    ./nix-daemon.nix
    ./security.nix
    ./sops-nix.nix
-    ./sshd.nix
    ./telegraf.nix
    ./users.nix
-    ./zfs.nix
-  ];
-
-  environment.systemPackages = [
-    # for quick activity overview
-    pkgs.htop
  ];

  # Nicer interactive shell
@ -30,15 +22,6 @@
  # Just disable it since we are using telegraf to monitor raid health.
  systemd.services.mdmonitor.enable = false;

-  # Make debugging failed units easier
-  systemd.extraConfig = ''
-    DefaultStandardOutput=journal
-    DefaultStandardError=journal
-  '';
-
-  # The nix-community is global :)
-  time.timeZone = "UTC";
-
  # speed-up evaluation & save disk space by disabling manpages
  documentation.enable = false;

--- a/roles/nix-daemon.nix
+++ b/roles/nix-daemon.nix
@ -20,12 +20,6 @@ in
    settings.min-free = asGB 10;
    settings.max-free = asGB 200;

-    # avoid copying unecessary stuff over SSH
-    settings.builders-use-substitutes = true;
-
-    # allow flakes
-    settings.experimental-features = "nix-command flakes";
-
    # users in trusted group are trusted by the nix-daemon
    settings.trusted-users = [ "@trusted" ];

--- a/roles/security.nix
+++ b/roles/security.nix
@ -1,30 +1,9 @@
 { config, pkgs, lib, ... }:
-
 {
  # Make sure that the firewall is enabled, even if it's the default.
  networking.firewall.enable = true;

-  # Allow password-less sudo for wheel users
-  security.sudo.enable = true;
-  security.sudo.wheelNeedsPassword = false;
-
-  # Dont let users create their own authorized keys files
-  services.openssh.authorizedKeysFiles = lib.mkForce [
-    "/etc/ssh/authorized_keys.d/%u"
-  ];
-
-  services.openssh.kbdInteractiveAuthentication = false;
-  services.openssh.passwordAuthentication = false;
-
  programs.ssh.knownHosts = {
-    github-rsa = {
-      extraHostNames = [ "github.com" ];
-      publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==";
-    };
-    github-ed25519 = {
-      extraHostNames = [ "github.com" ];
-      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
-    };
    build01 = {
      hostNames = [ "build01.nix-community.org" ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIElIQ54qAy7Dh63rBudYKdbzJHrrbrrMXLYl7Pkmk88H";
--- a/roles/sshd.nix
+++ b/roles/sshd.nix
@ -1,12 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
-  services.openssh = {
-    enable = true;
-    passwordAuthentication = false;
-    useDns = false;
-    # unbind gnupg sockets if they exists
-    extraConfig = ''
-      StreamLocalBindUnlink yes
-    '';
-  };
-}
--- a/roles/zfs.nix
+++ b/roles/zfs.nix
@ -1,13 +0,0 @@
-{ ... }: {
-  services.zfs = {
-    autoSnapshot.enable = true;
-    # defaults to 12, which is a bit much given how much data is written
-    autoSnapshot.monthly = 1;
-    autoScrub.enable = true;
-  };
-
-  # ZFS already has its own scheduler. Without this my(@Artturin) computer froze for a second when i nix build something.
-  services.udev.extraRules = ''
-    ACTION=="add|change", KERNEL=="sd[a-z]*[0-9]*|mmcblk[0-9]*p[0-9]*|nvme[0-9]*n[0-9]*p[0-9]*", ENV{ID_FS_TYPE}=="zfs_member", ATTR{../queue/scheduler}="none"
-  '';
-}