nixos-config/modules/default.nix
Simon Bruder b1f4b8b4b5
Add option to mark host as untrusted
This can be used to deploy a host that does not have access to the main
sops secrets file, e.g. because it does not have an encrypted root
partition.
2021-11-01 10:08:23 +01:00

122 lines
3.3 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{ config, lib, pkgs, ... }:
{
# Options that affect multiple modules
options.sbruder = {
full = lib.mkOption {
type = lib.types.bool;
description = ''
Whether to build the full system. If disabled, the system closure will
be smaller, but some features will not be available.
'';
default = true;
};
trusted = (lib.mkEnableOption "the trusted status of this machine (i.e. encrypted root)") // { default = true; };
gui.enable = lib.mkEnableOption "gui";
};
# All modules are imported but non-essential modules are activated by
# configuration options
imports = [
../pkgs/modules.nix
./cups.nix
./docker.nix
./fonts.nix
./games.nix
./grub.nix
./gui.nix
./initrd-ssh.nix
./locales.nix
./mailserver.nix
./media-proxy.nix
./mullvad
./network-manager.nix
./nginx-interactive-index
./nginx.nix
./nix.nix
./office.nix
./prometheus/node_exporter.nix
./pubkeys.nix
./pipewire.nix
./restic
./secrets.nix
./ssh.nix
./tools.nix
./udev.nix
./unfree.nix
./wireguard
];
config = lib.mkMerge [
{
# Essential system tools
environment.systemPackages = with pkgs; [
git
git-crypt # used to store secrets in configuration
git-lfs # not so essential, but required to clone config
htop
tmux
vim
];
# Clean temporary files on boot
boot.cleanTmpDir = true;
# Set zsh as default shell
programs.zsh.enable = true;
users.defaultUserShell = pkgs.zsh;
environment.etc."zshrc.local".source = "${pkgs.grml-zsh-config}/etc/zsh/zshrc";
# command-not-found does not work without channels
programs.command-not-found.enable = false;
# Hard drive monitoring
services.smartd.enable = lib.mkDefault true;
# Network monitoring
services.vnstat.enable = true;
# Support for exotic file systems
boot.supportedFilesystems = lib.optional config.sbruder.full "ntfs";
# Authentication/Encryption agents
programs.gnupg.agent.enable = true;
programs.ssh.startAgent = true;
# When this is set to true (default), routing everything through a
# wireguard tunnel does not work.
networking.firewall.checkReversePath = false;
# Open ports for quick tests
networking.firewall = {
allowedTCPPortRanges = lib.singleton { from = 9990; to = 9999; };
allowedUDPPortRanges = lib.singleton { from = 9990; to = 9999; };
};
# Globally set Lets Encrypt requirements
security.acme = {
acceptTerms = true;
email = "security@sbruder.de";
};
system.activationScripts.diff = ''
[ -L /run/current-system ] && ${pkgs.nixUnstable}/bin/nix \
--experimental-features 'nix-command' \
store \
diff-closures /run/current-system "$systemConfig"
'';
}
(lib.mkIf config.sbruder.full {
services.fwupd.enable = true;
})
(lib.mkIf (!config.sbruder.full) {
# Adapted from nixpkgs/nixos/modules/profiles/minimal.nix
i18n.supportedLocales = map
(locale: locale + "/UTF-8")
((lib.singleton config.i18n.defaultLocale)
++ (lib.attrValues config.i18n.extraLocaleSettings));
documentation.enable = lib.mkDefault false;
})
];
}