From a75b9e41f1bd126a49bab4e36a7004cd2e744dd1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Mon, 19 Dec 2022 15:59:28 +0100
Subject: [PATCH] re-consolidate configuration by pulling from srvos

---
 flake.lock           | 23 ++++++++++++++++++++++-
 flake.nix            |  5 +++++
 roles/common.nix     | 17 -----------------
 roles/nix-daemon.nix |  6 ------
 roles/security.nix   | 21 ---------------------
 roles/sshd.nix       | 12 ------------
 roles/zfs.nix        | 13 -------------
 7 files changed, 27 insertions(+), 70 deletions(-)
 delete mode 100644 roles/zfs.nix

diff --git a/flake.lock b/flake.lock
index 172d4bd..825593d 100644
--- a/flake.lock
+++ b/flake.lock
@@ -180,7 +180,8 @@
         "nixpkgs-update": "nixpkgs-update",
         "nixpkgs-update-github-releases": "nixpkgs-update-github-releases",
         "nixpkgs-update-pypi-releases": "nixpkgs-update-pypi-releases",
-        "sops-nix": "sops-nix"
+        "sops-nix": "sops-nix",
+        "srvos": "srvos"
       }
     },
     "sops-nix": {
@@ -203,6 +204,26 @@
         "repo": "sops-nix",
         "type": "github"
       }
+    },
+    "srvos": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1671462804,
+        "narHash": "sha256-WPwJpBn9XYwkZp/RsSKM0hKi/pmDl7EPQS7/XS5IgKA=",
+        "owner": "numtide",
+        "repo": "srvos",
+        "rev": "754b897b4c0a925f9bd3130110d5e2d6bb36182f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "srvos",
+        "type": "github"
+      }
     }
   },
   "root": "root",
diff --git a/flake.nix b/flake.nix
index 6f9ee6c..5da441d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -22,6 +22,10 @@
     sops-nix.url = "github:Mic92/sops-nix";
     sops-nix.inputs.nixpkgs.follows = "nixpkgs";
 
+    srvos.url = "github:numtide/srvos";
+    # actually not used when using the modules but than nothing ever will try to fetch this nixpkgs variant
+    srvos.inputs.nixpkgs.follows = "nixpkgs";
+
     flake-parts.url = "github:hercules-ci/flake-parts";
     flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
   };
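Review bot: The comment above `srvos.inputs.nixpkgs.follows` has a typo (`than` for `then`) and reads awkwardly; suggest `# srvos' own nixpkgs is not used when only its modules are imported, but following ours ensures nothing ever tries to fetch that second nixpkgs variant`. The input declaration itself is consistent with the neighbouring sops-nix and flake-parts entries.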
@@ -45,6 +49,7 @@
           inherit (inputs.nixpkgs.lib) nixosSystem;
           common = [
             inputs.sops-nix.nixosModules.sops
+            inputs.srvos.nixosModules.common
             { _module.args.inputs = inputs; }
           ];
         in {
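Review bot: `inputs.srvos.nixosModules.common` becomes the only place that can supply the SSH hardening this patch deletes in roles/security.nix and roles/sshd.nix (`services.openssh.passwordAuthentication = false`, `kbdInteractiveAuthentication = false`, the `authorizedKeysFiles` override and `useDns = false`), and nothing in the diff shows that the pinned srvos rev sets them. Since the lock pins a single rev and later bumps could change those defaults without any local diff, a cheap guard in roles/security.nix would make the dependency explicit, e.g. an `assertions` entry such as `{ assertion = !config.services.openssh.passwordAuthentication; message = "srvos no longer disables SSH password authentication"; }`. The `let` binding that defines `common` starts before this hunk.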
diff --git a/roles/common.nix b/roles/common.nix
index 69505e7..3bc3009 100644
--- a/roles/common.nix
+++ b/roles/common.nix
@@ -1,21 +1,13 @@
 { pkgs, lib, config, ... }:
 
 {
-
   imports = [
     ./auto-upgrade.nix
     ./nix-daemon.nix
     ./security.nix
     ./sops-nix.nix
-    ./sshd.nix
     ./telegraf.nix
     ./users.nix
-    ./zfs.nix
-  ];
-
-  environment.systemPackages = [
-    # for quick activity overview
-    pkgs.htop
   ];
 
   # Nicer interactive shell
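Review bot: roles/sshd.nix is dropped from `imports` but the file is only emptied (its post-image blob `e69de29` is git's empty blob), whereas roles/zfs.nix gets a proper `delete mode`; an empty file is not a valid Nix expression, so the leftover should be deleted as well for consistency. Removing the `./zfs.nix` import also takes `services.zfs.autoScrub.enable = true`, the snapshot settings and the udev scheduler rule off every host; if the srvos common module does not provide equivalents at the pinned rev, hosts with ZFS pools lose periodic scrubbing silently, so confirm before merging. The attribute set continues past the end of this hunk.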
@@ -30,15 +22,6 @@
   # Just disable it since we are using telegraf to monitor raid health.
   systemd.services.mdmonitor.enable = false;
 
-  # Make debugging failed units easier
-  systemd.extraConfig = ''
-    DefaultStandardOutput=journal
-    DefaultStandardError=journal
-  '';
-
-  # The nix-community is global :)
-  time.timeZone = "UTC";
-
   # speed-up evaluation & save disk space by disabling manpages
   documentation.enable = false;
 
diff --git a/roles/nix-daemon.nix b/roles/nix-daemon.nix
index 4e01c9d..46edc0d 100644
--- a/roles/nix-daemon.nix
+++ b/roles/nix-daemon.nix
@@ -20,12 +20,6 @@ in
     settings.min-free = asGB 10;
     settings.max-free = asGB 200;
 
-    # avoid copying unecessary stuff over SSH
-    settings.builders-use-substitutes = true;
-
-    # allow flakes
-    settings.experimental-features = "nix-command flakes";
-
     # users in trusted group are trusted by the nix-daemon
     settings.trusted-users = [ "@trusted" ];
 
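Review bot: Dropping `settings.experimental-features = "nix-command flakes"` leaves flake evaluation on the hosts dependent on srvos setting the same option; roles/auto-upgrade.nix (still imported from roles/common.nix) presumably rebuilds from this flake and would fail at its next run if the pinned srvos rev does not enable flakes. `settings.builders-use-substitutes` is only a performance default, but it is likewise not visibly replaced. Worth confirming against the locked rev or keeping the one `experimental-features` line locally; the enclosing attribute set starts before this hunk and continues after it.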
diff --git a/roles/security.nix b/roles/security.nix
index c378c7b..e27ec76 100644
--- a/roles/security.nix
+++ b/roles/security.nix
@@ -1,30 +1,9 @@
 { config, pkgs, lib, ... }:
-
 {
   # Make sure that the firewall is enabled, even if it's the default.
   networking.firewall.enable = true;
 
-  # Allow password-less sudo for wheel users
-  security.sudo.enable = true;
-  security.sudo.wheelNeedsPassword = false;
-
-  # Dont let users create their own authorized keys files
-  services.openssh.authorizedKeysFiles = lib.mkForce [
-    "/etc/ssh/authorized_keys.d/%u"
-  ];
-
-  services.openssh.kbdInteractiveAuthentication = false;
-  services.openssh.passwordAuthentication = false;
-
   programs.ssh.knownHosts = {
-    github-rsa = {
-      extraHostNames = [ "github.com" ];
-      publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==";
-    };
-    github-ed25519 = {
-      extraHostNames = [ "github.com" ];
-      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
-    };
     build01 = {
       hostNames = [ "build01.nix-community.org" ];
       publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIElIQ54qAy7Dh63rBudYKdbzJHrrbrrMXLYl7Pkmk88H";
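Review bot: Removing the `github-rsa`/`github-ed25519` entries from `programs.ssh.knownHosts` means GitHub's host keys are no longer pinned in this repository, so any SSH fetch from github.com on these hosts falls back to whatever srvos provides or to the client's default host-key prompting; the diff does not show the pinned srvos rev shipping them, so confirm that or keep the two entries. With the `lib.mkForce` use gone, the `lib` argument on the first line may now be unused if nothing further down the file references it. The `programs.ssh.knownHosts` attribute set continues past the end of this hunk.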
diff --git a/roles/sshd.nix b/roles/sshd.nix
index d4d585c..e69de29 100644
--- a/roles/sshd.nix
+++ b/roles/sshd.nix
@@ -1,12 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
-  services.openssh = {
-    enable = true;
-    passwordAuthentication = false;
-    useDns = false;
-    # unbind gnupg sockets if they exists
-    extraConfig = ''
-      StreamLocalBindUnlink yes
-    '';
-  };
-}
diff --git a/roles/zfs.nix b/roles/zfs.nix
deleted file mode 100644
index 91e485c..0000000
--- a/roles/zfs.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ ... }: {
-  services.zfs = {
-    autoSnapshot.enable = true;
-    # defaults to 12, which is a bit much given how much data is written
-    autoSnapshot.monthly = 1;
-    autoScrub.enable = true;
-  };
-
-  # ZFS already has its own scheduler. Without this my(@Artturin) computer froze for a second when i nix build something.
-  services.udev.extraRules = ''
-    ACTION=="add|change", KERNEL=="sd[a-z]*[0-9]*|mmcblk[0-9]*p[0-9]*|nvme[0-9]*n[0-9]*p[0-9]*", ENV{ID_FS_TYPE}=="zfs_member", ATTR{../queue/scheduler}="none"
-  '';
-}