Diffstat (limited to 'modules/nixos')
| -rw-r--r-- | modules/nixos/default.nix | 6 | ||||
| -rw-r--r-- | modules/nixos/filtron.nix | 23 | ||||
| -rw-r--r-- | modules/nixos/personal/boot.nix | 15 | ||||
| -rw-r--r-- | modules/nixos/personal/default.nix | 3 | ||||
| -rw-r--r-- | modules/nixos/personal/environment.nix | 69 | ||||
| -rw-r--r-- | modules/nixos/personal/gui.nix | 176 | ||||
| -rw-r--r-- | modules/nixos/personal/hardware.nix | 44 | ||||
| -rw-r--r-- | modules/nixos/personal/monitoring.nix | 57 | ||||
| -rw-r--r-- | modules/nixos/personal/networking/default.nix | 50 | ||||
| -rw-r--r-- | modules/nixos/personal/networking/wifi.nix | 101 | ||||
| -rw-r--r-- | modules/nixos/personal/nix.nix | 142 | ||||
| -rw-r--r-- | modules/nixos/personal/system.nix | 275 | ||||
| -rw-r--r-- | modules/nixos/personal/user.nix | 53 | ||||
| -rw-r--r-- | modules/nixos/rss-bridge.nix | 91 |
14 files changed, 606 insertions, 499 deletions
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index d5f15a2..e1ae9dd 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -1,5 +1,9 @@ { ... }: { - imports = [ ./filtron.nix ./personal ./rss-bridge.nix ]; + imports = [ + ./filtron.nix + ./personal + ./rss-bridge.nix + ]; } diff --git a/modules/nixos/filtron.nix b/modules/nixos/filtron.nix index 6d75558..cb681f2 100644 --- a/modules/nixos/filtron.nix +++ b/modules/nixos/filtron.nix @@ -1,4 +1,9 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: let cfg = config.services.filtron; @@ -11,7 +16,8 @@ let port = lib.mkOption { type = lib.types.port; }; }; }; -in { +in +{ options.services.filtron = { enable = lib.mkEnableOption "filtron"; package = lib.mkOption { @@ -23,21 +29,28 @@ in { }; api = lib.mkOption { type = addressType; - default = { address = "localhost"; port = 4005; }; + default = { + address = "localhost"; + port = 4005; + }; description = '' API listen address and port. ''; }; listen = lib.mkOption { type = addressType; - default = { port = 4004; }; + default = { + port = 4004; + }; description = '' Proxy listen address and port. ''; }; target = lib.mkOption { type = addressType; - default = { port = 8888; }; + default = { + port = 8888; + }; description = '' Target address and port for reverse proxy. ''; diff --git a/modules/nixos/personal/boot.nix b/modules/nixos/personal/boot.nix index 149d9b9..bde1ab0 100644 --- a/modules/nixos/personal/boot.nix +++ b/modules/nixos/personal/boot.nix @@ -2,9 +2,11 @@ config, lib, ... -}: let +}: +let cfg = config.personal.boot; -in { +in +{ options.personal.boot = { grub.enable = lib.mkEnableOption "grub"; efi.enable = lib.mkEnableOption "EFI"; @@ -16,7 +18,7 @@ in { (lib.mkIf cfg.grub.enable { grub = { enable = true; - enableCryptodisk = config.boot.initrd.luks.devices != {}; + enableCryptodisk = config.boot.initrd.luks.devices != { }; device = lib.mkDefault "nodev"; }; }) 
@@ -26,9 +28,10 @@ in { }) ]; - initrd = let - crypt = config.personal.hardware.disks.crypted; - in + initrd = + let + crypt = config.personal.hardware.disks.crypted; + in lib.mkIf (cfg.unattendedReboot && crypt != null) { secrets."/keyfile.luks" = /etc/luks/keys/tmp; luks.devices.crypt = { diff --git a/modules/nixos/personal/default.nix b/modules/nixos/personal/default.nix index dfc7291..cab4a97 100644 --- a/modules/nixos/personal/default.nix +++ b/modules/nixos/personal/default.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ imports = [ ./boot.nix ./environment.nix diff --git a/modules/nixos/personal/environment.nix b/modules/nixos/personal/environment.nix index d69f087..5014f14 100644 --- a/modules/nixos/personal/environment.nix +++ b/modules/nixos/personal/environment.nix 
@@ -3,42 +3,51 @@ lib, pkgs, ... -}: let +}: +let cfg = config.personal.environment; -in { +in +{ options.personal.environment = { enable = lib.mkEnableOption "basic environment"; locale.enable = lib.mkEnableOption "French locale"; }; - config = lib.mkIf cfg.enable (lib.mkMerge [ - { - environment = { - systemPackages = with pkgs; [vim gitMinimal busybox coreutils]; - variables = { - EDITOR = "vim"; - DO_NOT_TRACK = "1"; + config = lib.mkIf cfg.enable ( + lib.mkMerge [ + { + environment = { + systemPackages = with pkgs; [ + vim + gitMinimal + busybox + coreutils + ]; + variables = { + EDITOR = "vim"; + DO_NOT_TRACK = "1"; + }; }; - }; - programs.starship.enable = true; - programs.bash.shellInit = '' - function set_win_title(){ - echo -ne "\033]0;$(whoami)@$(hostname --long):$(dirs)\a" - } - starship_precmd_user_func="set_win_title" - ''; - } - (lib.mkIf cfg.locale.enable { - time.timeZone = "Europe/Paris"; - i18n = { - defaultLocale = "fr_FR.UTF-8"; - extraLocaleSettings.LANG = "en_US.UTF-8"; - }; - console = { - font = "Lat2-Terminus16"; - keyMap = config.personal.hardware.keyboard.keyMap; - }; - }) - ]); + programs.starship.enable = true; + programs.bash.shellInit = '' + function set_win_title(){ + echo -ne "\033]0;$(whoami)@$(hostname --long):$(dirs)\a" + } + starship_precmd_user_func="set_win_title" + ''; + } + (lib.mkIf cfg.locale.enable { + time.timeZone = "Europe/Paris"; + i18n = { + defaultLocale = "fr_FR.UTF-8"; + extraLocaleSettings.LANG = "en_US.UTF-8"; + }; + console = { + font = "Lat2-Terminus16"; + keyMap = config.personal.hardware.keyboard.keyMap; + }; + }) + ] + ); } diff --git a/modules/nixos/personal/gui.nix b/modules/nixos/personal/gui.nix index 0ca7e3a..b339110 100644 --- a/modules/nixos/personal/gui.nix +++ b/modules/nixos/personal/gui.nix 
@@ -3,11 +3,13 @@ lib, pkgs, ... -} @ extraArgs: let +}@extraArgs: +let cfg = config.personal.gui; - wallpaper = pkgs.personal.static.wallpapers.nga-1973-68-1.override {gravity = "north";}; + wallpaper = pkgs.personal.static.wallpapers.nga-1973-68-1.override { gravity = "north"; }; importedStylix = extraArgs ? stylix; -in { +in +{ imports = lib.optional importedStylix extraArgs.stylix.nixosModules.stylix; options.personal.gui = { 
@@ -17,93 +19,99 @@ in { stylix.enable = lib.mkEnableOption "stylix"; }; - config = lib.mkIf cfg.enable (lib.mkMerge [ - { - services.xserver = lib.mkIf cfg.xserver.enable { - enable = true; - desktopManager.xfce.enable = true; - displayManager = { - lightdm = { - enable = true; - background = config.stylix.image or wallpaper; - greeters.gtk = { + config = lib.mkIf cfg.enable ( + lib.mkMerge [ + { + services.xserver = lib.mkIf cfg.xserver.enable { + enable = true; + desktopManager.xfce.enable = true; + displayManager = { + lightdm = { enable = true; - extraConfig = '' - user-background = false - ''; - theme = lib.mkDefault { - name = "Arc-Dark"; - package = pkgs.arc-theme; - }; - iconTheme = lib.mkDefault { - name = "Breeze-dark"; - package = pkgs.kdePackages.breeze-icons; + background = config.stylix.image or wallpaper; + greeters.gtk = { + enable = true; + extraConfig = '' + user-background = false + ''; + theme = lib.mkDefault { + name = "Arc-Dark"; + package = pkgs.arc-theme; + }; + iconTheme = lib.mkDefault { + name = "Breeze-dark"; + package = pkgs.kdePackages.breeze-icons; + }; }; }; }; + # Hardware + xkb.layout = config.personal.hardware.keyboard.keyMap; + autoRepeatDelay = 200; }; - # Hardware - xkb.layout = config.personal.hardware.keyboard.keyMap; - autoRepeatDelay = 200; - }; - } - # fragile conf - (lib.mkIf cfg.i3.enable { - services = { - displayManager.defaultSession = "xfce+i3"; - libinput.enable = true; - xserver = { - desktopManager.xfce = { - noDesktop = true; - enableXfwm = false; - }; - windowManager.i3.enable = true; - }; - }; - security.pam.services = { - i3lock.enable = true; - i3lock-color.enable = true; - }; - }) - (lib.mkIf cfg.stylix.enable ({ - assertions = let - missingArgAssertion = name: { - assertion = lib.hasAttr name extraArgs; - message = "attribute ${name} missing: add it in lib.nixosSystem's specialArgs, or set config.personal.gui.stylix.enable to false"; - }; - in [(missingArgAssertion "stylix")]; } - // lib.optionalAttrs 
importedStylix { - stylix = { - enable = true; - image = lib.mkDefault wallpaper; - base16Scheme = lib.mkDefault { - author = "Stylix"; - base00 = "212a27"; - base01 = "3a4a47"; - base02 = "596e73"; - base03 = "8ba0b5"; - base04 = "b0bbb7"; - base05 = "efe1be"; - base06 = "efefe5"; - base07 = "f1f1e5"; - base08 = "7e93a8"; - base09 = "92917f"; - base0A = "5d9c81"; - base0B = "859394"; - base0C = "8d9657"; - base0D = "b38861"; - base0E = "80977a"; - base0F = "a19052"; - scheme = "Stylix"; - slug = "stylix"; - }; - polarity = lib.mkDefault "dark"; - fonts.sizes = { - applications = 10; - desktop = 12; + # fragile conf + (lib.mkIf cfg.i3.enable { + services = { + displayManager.defaultSession = "xfce+i3"; + libinput.enable = true; + xserver = { + desktopManager.xfce = { + noDesktop = true; + enableXfwm = false; + }; + windowManager.i3.enable = true; }; }; - })) - ]); + security.pam.services = { + i3lock.enable = true; + i3lock-color.enable = true; + }; + }) + (lib.mkIf cfg.stylix.enable ( + { + assertions = + let + missingArgAssertion = name: { + assertion = lib.hasAttr name extraArgs; + message = "attribute ${name} missing: add it in lib.nixosSystem's specialArgs, or set config.personal.gui.stylix.enable to false"; + }; + in + [ (missingArgAssertion "stylix") ]; + } + // lib.optionalAttrs importedStylix { + stylix = { + enable = true; + image = lib.mkDefault wallpaper; + base16Scheme = lib.mkDefault { + author = "Stylix"; + base00 = "212a27"; + base01 = "3a4a47"; + base02 = "596e73"; + base03 = "8ba0b5"; + base04 = "b0bbb7"; + base05 = "efe1be"; + base06 = "efefe5"; + base07 = "f1f1e5"; + base08 = "7e93a8"; + base09 = "92917f"; + base0A = "5d9c81"; + base0B = "859394"; + base0C = "8d9657"; + base0D = "b38861"; + base0E = "80977a"; + base0F = "a19052"; + scheme = "Stylix"; + slug = "stylix"; + }; + polarity = lib.mkDefault "dark"; + fonts.sizes = { + applications = 10; + desktop = 12; + }; + }; + } + )) + ] + ); } 
diff --git a/modules/nixos/personal/hardware.nix b/modules/nixos/personal/hardware.nix index 6f1183d..dfab964 100644 --- a/modules/nixos/personal/hardware.nix +++ b/modules/nixos/personal/hardware.nix @@ -3,9 +3,11 @@ lib, pkgs, ... -}: let +}: +let cfg = config.personal.hardware; -in { +in +{ options.personal.hardware = { usb.enable = lib.mkEnableOption "usb"; disks.crypted = lib.mkOption { @@ -20,24 +22,26 @@ in { default = "fr"; }; }; - backlights = let - mkBacklightOption = name: - lib.mkOption { - type = with lib.types; nullOr str; - default = null; - description = "Whether to allow all users to change hardware the ${name} brightness."; - }; - in { - screen = mkBacklightOption "screen"; - keyboard = mkBacklightOption "keyboard"; - }; + backlights = + let + mkBacklightOption = + name: + lib.mkOption { + type = with lib.types; nullOr str; + default = null; + description = "Whether to allow all users to change hardware the ${name} brightness."; + }; + in + { + screen = mkBacklightOption "screen"; + keyboard = mkBacklightOption "keyboard"; + }; sound.enable = lib.mkEnableOption "sound"; }; config = lib.mkMerge [ { - hardware.firmware = - lib.optional cfg.firmwareNonFree.enable pkgs.firmwareLinuxNonfree; + hardware.firmware = lib.optional cfg.firmwareNonFree.enable pkgs.firmwareLinuxNonfree; boot.initrd.availableKernelModules = lib.optional cfg.usb.enable "usb_storage"; services.udev.extraRules = @@ -49,15 +53,17 @@ in { ''; } - (let - crypt = cfg.disks.crypted; - in + ( + let + crypt = cfg.disks.crypted; + in lib.mkIf (crypt != null) { boot.initrd.luks.devices.crypt = { device = crypt; preLVM = true; }; - }) + } + ) (lib.mkIf cfg.sound.enable { security.rtkit.enable = true; diff --git a/modules/nixos/personal/monitoring.nix b/modules/nixos/personal/monitoring.nix index 01fe201..e5797fb 100644 --- a/modules/nixos/personal/monitoring.nix +++ b/modules/nixos/personal/monitoring.nix 
@@ -3,23 +3,30 @@ lib, pkgs, ... -}: let +}: +let cfg = config.personal.monitoring; -in { +in +{ options = { personal.monitoring.enable = lib.mkEnableOption "e-mail monitoring of systemd services"; systemd.services = lib.mkOption { - type = with lib.types; - attrsOf (submodule ({ - name, - config, - lib, - ... - }: { - options.personal.monitor = - lib.mkEnableOption "e-mail monitoring for the ${name} seervice"; - config.onFailure = lib.optional config.personal.monitor "notify@%i.service"; - })); + type = + with lib.types; + attrsOf ( + submodule ( + { + name, + config, + lib, + ... + }: + { + options.personal.monitor = lib.mkEnableOption "e-mail monitoring for the ${name} seervice"; + config.onFailure = lib.optional config.personal.monitor "notify@%i.service"; + } + ) + ); }; }; @@ -42,18 +49,20 @@ in { description = "Send the status of the %i service as an e-mail."; serviceConfig.type = "oneshot"; scriptArgs = "%i"; - script = let - netCfg = config.networking; - host = "${builtins.toString netCfg.hostName}.${builtins.toString netCfg.domain}"; - in '' - service="$1" - echo \ - "Subject: ${host}: service $service failed - Service $soervice failed on ${host}, with the following log: + script = + let + netCfg = config.networking; + host = "${builtins.toString netCfg.hostName}.${builtins.toString netCfg.domain}"; + in + '' + service="$1" + echo \ + "Subject: ${host}: service $service failed + Service $soervice failed on ${host}, with the following log: - $(journalctl --no-pager --unit $service --since -1h) - " | ${pkgs.msmtp}/bin/msmtp quentin@aristote.fr - ''; + $(journalctl --no-pager --unit $service --since -1h) + " | ${pkgs.msmtp}/bin/msmtp quentin@aristote.fr + ''; }; }; } diff --git a/modules/nixos/personal/networking/default.nix b/modules/nixos/personal/networking/default.nix index 3caddb1..cef72eb 100644 --- a/modules/nixos/personal/networking/default.nix +++ b/modules/nixos/personal/networking/default.nix 
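Review bot: The e-mail body in the notify script still expands an undefined variable, `Service $soervice failed on ${host}`, so the delivered message reads "Service  failed on …" with the unit name missing; the line should be `Service $service failed on ${host}, with the following log:`. On the same script, `journalctl --no-pager --unit $service` leaves the instance name unquoted; `--unit "$service"` keeps it intact if it ever contains shell-special characters. The option description in this file's first hunk has the matching typo `seervice`, which ends up in the generated option documentation. Both hunks re-indent only, so these carry over from the old side untouched.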
@@ -4,16 +4,19 @@ pkgs, options, ... -}: let +}: +let cfg = config.personal.networking; - mkFirewallEnableOption = name: + mkFirewallEnableOption = + name: lib.mkOption { type = lib.types.bool; default = false; description = "Whether to open ports for ${name}."; }; -in { - imports = [./wifi.nix]; +in +{ + imports = [ ./wifi.nix ]; options.personal.networking = { enable = lib.mkEnableOption "networking"; @@ -28,19 +31,24 @@ in { }; config = lib.mkIf cfg.enable { - environment.systemPackages = - lib.optional cfg.networkmanager.enable pkgs.networkmanager; + environment.systemPackages = lib.optional cfg.networkmanager.enable pkgs.networkmanager; networking = { networkmanager = lib.mkIf cfg.networkmanager.enable { enable = true; - unmanaged = ["interface-name:ve-*"]; + unmanaged = [ "interface-name:ve-*" ]; }; firewall = { enable = true; allowedTCPPorts = lib.optional cfg.firewall.syncthing 22000 - ++ lib.optionals cfg.firewall.http [80 443]; - allowedUDPPorts = lib.optionals cfg.firewall.syncthing [22000 21027]; + ++ lib.optionals cfg.firewall.http [ + 80 + 443 + ]; + allowedUDPPorts = lib.optionals cfg.firewall.syncthing [ + 22000 + 21027 + ]; allowedTCPPortRanges = lib.optional cfg.firewall.kdeconnect { from = 1714; to = 1764; @@ -52,26 +60,26 @@ in { }; }; services = lib.mkIf cfg.ssh.enable { - openssh = - { - enable = true; - extraConfig = '' - AcceptEnv PS1 - ''; - } - // ( - if options.services.openssh ? settings - then { + openssh = { + enable = true; + extraConfig = '' + AcceptEnv PS1 + ''; + } + // ( + if options.services.openssh ? settings then + { settings = { PermitRootLogin = "no"; PasswordAuthentication = false; }; } - else { + else + { permitRootLogin = "no"; passwordAuthentication = false; } - ); + ); fail2ban = { enable = true; maxretry = 16; diff --git a/modules/nixos/personal/networking/wifi.nix b/modules/nixos/personal/networking/wifi.nix index d7415a8..2e23349 100644 --- a/modules/nixos/personal/networking/wifi.nix 
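Review bot: `PasswordAuthentication = false` in the openssh block of the last hunk does not by itself turn off password logins: NixOS leaves `KbdInteractiveAuthentication` at its default of true and sshd runs with PAM, so a password can still be supplied through the keyboard-interactive method. Adding `KbdInteractiveAuthentication = false;` beside `PermitRootLogin` in the `settings` branch (and, in the legacy `else` branch, `kbdInteractiveAuthentication = false;` — confirm that name against the oldest release this module still targets) closes that path and makes the `fail2ban` block below a second line of defence rather than the first. The `services` attrset continues past the end of the hunk.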
+++ b/modules/nixos/personal/networking/wifi.nix @@ -2,39 +2,42 @@ config, lib, ... -}: let +}: +let cfg = config.personal.networking.wifi; - mkWifiProfile = { - id, - ssid, - }: { - "${id}" = { - connection = { - id = "${id}"; - type = "wifi"; - }; - wifi = { - inherit ssid; - mode = "infrastructure"; - }; - wifi-security = { - key-mgmt = "wpa-psk"; - # fill-in password on first connection - # this will create a new connection - # disable the personal.networking.wifi.enable option - # to keep it for next rebuild - }; - ipv4 = { - method = "auto"; - }; - ipv6 = { - addr-gen-mode = "stable-privacy"; - method = "auto"; - }; - proxy = { + mkWifiProfile = + { + id, + ssid, + }: + { + "${id}" = { + connection = { + id = "${id}"; + type = "wifi"; + }; + wifi = { + inherit ssid; + mode = "infrastructure"; + }; + wifi-security = { + key-mgmt = "wpa-psk"; + # fill-in password on first connection + # this will create a new connection + # disable the personal.networking.wifi.enable option + # to keep it for next rebuild + }; + ipv4 = { + method = "auto"; + }; + ipv6 = { + addr-gen-mode = "stable-privacy"; + method = "auto"; + }; + proxy = { + }; }; }; - }; knownSSIDs = { home = "Quentintranet"; home-iot = "Quentinternet of Things"; @@ -46,16 +49,20 @@ montlaur = "Nordnet_E080"; montlaur-5g = "Nordnet_E080_5G"; }; -in { +in +{ options.personal.networking.wifi = { enable = lib.mkEnableOption "personal WiFi networks"; networks = lib.mkOption { type = with lib.types; listOf str; - default = ["home-private" "hotspot"]; + default = [ + "home-private" + "hotspot" + ]; }; extraNetworks = lib.mkOption { type = with lib.types; listOf (attrsOf str); - default = []; + default = [ ]; example = [ { id = "my-wifi"; 
@@ -65,20 +72,16 @@ in { }; }; - config.networking.networkmanager.ensureProfiles.profiles = let - networks = - builtins.map (id: { - inherit id; - ssid = - if lib.hasAttr id knownSSIDs - then lib.getAttr id knownSSIDs - else throw "Unknown WiFi ID: ${id}"; - }) - cfg.networks - ++ cfg.extraNetworks; - profiles = lib.mergeAttrsList (builtins.map mkWifiProfile networks); - in - lib.mkIf - cfg.enable - profiles; + config.networking.networkmanager.ensureProfiles.profiles = + let + networks = + builtins.map (id: { + inherit id; + ssid = + if lib.hasAttr id knownSSIDs then lib.getAttr id knownSSIDs else throw "Unknown WiFi ID: ${id}"; + }) cfg.networks + ++ cfg.extraNetworks; + profiles = lib.mergeAttrsList (builtins.map mkWifiProfile networks); + in + lib.mkIf cfg.enable profiles; } diff --git a/modules/nixos/personal/nix.nix b/modules/nixos/personal/nix.nix index 1eedd1b..f918391 100644 --- a/modules/nixos/personal/nix.nix +++ b/modules/nixos/personal/nix.nix 
@@ -3,80 +3,96 @@ lib, pkgs, ... -}: let +}: +let cfg = config.personal.nix; -in { +in +{ options.personal.nix = { enable = lib.mkEnableOption "nix configuration"; gc.enable = lib.mkEnableOption "garbage collection"; }; - config = lib.mkIf cfg.enable (lib.mkMerge [ - { - nixpkgs = { - config.allowUnfree = true; - flake = lib.mkDefault { - setNixPath = false; - setFlakeRegistry = false; - }; - }; - nix = { - package = pkgs.lix; - settings = { - auto-optimise-store = true; - experimental-features = ["nix-command" "flakes" "recursive-nix"]; - substituters = ["https://devenv.cachix.org/" "https://nix-community.cachix.org/"]; - trusted-public-keys = ["devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="]; + config = lib.mkIf cfg.enable ( + lib.mkMerge [ + { + nixpkgs = { + config.allowUnfree = true; + flake = lib.mkDefault { + setNixPath = false; + setFlakeRegistry = false; + }; }; - extraOptions = '' - !include secrets.conf - ''; - registry.my-nixpkgs = { - from = { - type = "indirect"; - id = "my-nixpkgs"; + nix = { + package = pkgs.lix; + settings = { + auto-optimise-store = true; + experimental-features = [ + "nix-command" + "flakes" + "recursive-nix" + ]; + substituters = [ + "https://devenv.cachix.org/" + "https://nix-community.cachix.org/" + ]; + trusted-public-keys = [ + "devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw=" + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + ]; }; - to = { - type = "github"; - owner = "qaristote"; - repo = "my-nixpkgs"; + extraOptions = '' + !include secrets.conf + ''; + registry.my-nixpkgs = { + from = { + type = "indirect"; + id = "my-nixpkgs"; + }; + to = { + type = "github"; + owner = "qaristote"; + repo = "my-nixpkgs"; + }; }; }; - }; - } + } - (lib.mkIf cfg.gc.enable { - nix.gc = { - automatic = true; - dates = "daily"; - options = "--delete-old"; - }; - systemd.services = { - nix-gc = { - after = 
["nixos-upgrade.service"]; - personal.monitor = true; + (lib.mkIf cfg.gc.enable { + nix.gc = { + automatic = true; + dates = "daily"; + options = "--delete-old"; }; - nix-gc-remove-dead-roots = { - enable = cfg.gc.enable; - description = "Remove dead symlinks in /nix/var/nix/gcroots"; - serviceConfig.Type = "oneshot"; - script = "find /nix/var/nix/gcroots -xtype l -delete"; - before = ["nix-gc.service"]; - wantedBy = ["nix-gc.service"]; - personal.monitor = true; - }; - nix-gc-remove-old-hm-gens = let - user = config.personal.user; - in { - enable = user.enable && user.homeManager.enable; - description = "Remove old Home Manager generations for user ${user.name}"; - serviceConfig.Type = "oneshot"; - script = "${pkgs.nix}/bin/nix-env --profile /home/${user.name}/.local/state/nix/profiles/home-manager --delete-generations old"; - before = ["nix-gc.service"]; - wantedBy = ["nix-gc.service"]; - personal.monitor = true; + systemd.services = { + nix-gc = { + after = [ "nixos-upgrade.service" ]; + personal.monitor = true; + }; + nix-gc-remove-dead-roots = { + enable = cfg.gc.enable; + description = "Remove dead symlinks in /nix/var/nix/gcroots"; + serviceConfig.Type = "oneshot"; + script = "find /nix/var/nix/gcroots -xtype l -delete"; + before = [ "nix-gc.service" ]; + wantedBy = [ "nix-gc.service" ]; + personal.monitor = true; + }; + nix-gc-remove-old-hm-gens = + let + user = config.personal.user; + in + { + enable = user.enable && user.homeManager.enable; + description = "Remove old Home Manager generations for user ${user.name}"; + serviceConfig.Type = "oneshot"; + script = "${pkgs.nix}/bin/nix-env --profile /home/${user.name}/.local/state/nix/profiles/home-manager --delete-generations old"; + before = [ "nix-gc.service" ]; + wantedBy = [ "nix-gc.service" ]; + personal.monitor = true; + }; }; - }; - }) - ]); + }) + ] + ); } diff --git a/modules/nixos/personal/system.nix b/modules/nixos/personal/system.nix index 332384a..3337b96 100644 
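Review bot: `nix-gc-remove-old-hm-gens` runs as root but operates entirely under the user's home, `/home/${user.name}/.local/state/nix/profiles/home-manager`, where presumably every path component is user-owned; a root process creating and unlinking generation links under a user-controlled directory is the classic symlink-following pattern, and nothing in the unit guards against it. The home-manager profile belongs to the user anyway, so the unit can drop privileges with `serviceConfig.User = user.name;` next to `serviceConfig.Type = "oneshot";`, which also keeps the rewritten generation links owned by the user rather than root. `nix-gc-remove-dead-roots` is fine as is, since `/nix/var/nix/gcroots` is root-owned.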
--- a/modules/nixos/personal/system.nix +++ b/modules/nixos/personal/system.nix @@ -3,14 +3,16 @@ lib, pkgs, ... -}: let +}: +let cfg = config.personal.system; cfgRemote = cfg.autoUpgrade.remoteBuilding; cfgNix = config.nix; cfgLuks = config.boot.initrd.luks.devices; name = config.networking.hostName; -in { +in +{ options.personal.system = { flake = lib.mkOption { type = with lib.types; nullOr str; @@ -20,7 +22,11 @@ in { enable = lib.mkEnableOption "automatic system and nixpkgs upgrade"; autoUpdateInputs = lib.mkOption { type = with lib.types; listOf str; - default = ["nixpkgs" "my-nixpkgs/nur" "nixos-hardware"]; + default = [ + "nixpkgs" + "my-nixpkgs/nur" + "nixos-hardware" + ]; }; checkHosts = lib.mkOption { type = with lib.types; listOf str; @@ -33,7 +39,7 @@ in { type = lib.types.str; default = "hephaistos"; }; - domain = lib.mkOption {type = lib.types.str;}; + domain = lib.mkOption { type = lib.types.str; }; user = lib.mkOption { type = lib.types.str; default = name; @@ -44,8 +50,7 @@ in { default = "ssh-ng"; }; speedFactor = lib.mkOption { - type = - lib.types.int; + type = lib.types.int; default = 8; }; }; 
@@ -53,45 +58,55 @@ in { }; }; - config = let - hasFlake = cfg.flake != null; - hasFlakeInputs = cfg.autoUpgrade.autoUpdateInputs != []; + config = + let + hasFlake = cfg.flake != null; + hasFlakeInputs = cfg.autoUpgrade.autoUpdateInputs != [ ]; - reboot = config.system.autoUpgrade.allowReboot; - nixosRebuild = "nixos-rebuild ${toString config.system.autoUpgrade.flags}"; + reboot = config.system.autoUpgrade.allowReboot; + nixosRebuild = "nixos-rebuild ${toString config.system.autoUpgrade.flags}"; - remoteBuilder = with cfgRemote.builder; "${hostName}.${domain}"; + remoteBuilder = with cfgRemote.builder; "${hostName}.${domain}"; - checkNetwork = { - path = [pkgs.unixtools.ping]; - # Check network connectivity - preStart = "(${lib.concatMapStringsSep " && " (host: "ping -c 1 ${host}") cfg.autoUpgrade.checkHosts}) || kill -s SIGUSR1 $$"; - unitConfig = { - StartLimitIntervalSec = 300; - StartLimitBurst = 5; - }; - serviceConfig = lib.mkIf (!config.personal.monitoring.enable) { - Restart = "on-abort"; - RestartSec = 30; - RestartMode = "direct"; # dependent units will not fail + checkNetwork = { + path = [ pkgs.unixtools.ping ]; + # Check network connectivity + preStart = "(${ + lib.concatMapStringsSep " && " (host: "ping -c 1 ${host}") cfg.autoUpgrade.checkHosts + }) || kill -s SIGUSR1 $$"; + unitConfig = { + StartLimitIntervalSec = 300; + StartLimitBurst = 5; + }; + serviceConfig = lib.mkIf (!config.personal.monitoring.enable) { + Restart = "on-abort"; + RestartSec = 30; + RestartMode = "direct"; # dependent units will not fail + }; }; - }; - in + in lib.mkMerge [ (lib.mkIf hasFlake { system.autoUpgrade.flake = cfg.flake; - systemd.services.flake-update = lib.mkIf hasFlakeInputs (lib.mkMerge [ - checkNetwork - { - description = "Update flake inputs"; - serviceConfig.Type = "oneshot"; - script = "nix flake update --commit-lock-file --flake ${cfg.flake} " + lib.concatStringsSep " " cfg.autoUpgrade.autoUpdateInputs; - before = ["nixos-upgrade.service"]; - requiredBy = 
["nixos-upgrade.service"]; - path = [pkgs.git cfgNix.package]; - personal.monitor = true; - } - ]); + systemd.services.flake-update = lib.mkIf hasFlakeInputs ( + lib.mkMerge [ + checkNetwork + { + description = "Update flake inputs"; + serviceConfig.Type = "oneshot"; + script = + "nix flake update --commit-lock-file --flake ${cfg.flake} " + + lib.concatStringsSep " " cfg.autoUpgrade.autoUpdateInputs; + before = [ "nixos-upgrade.service" ]; + requiredBy = [ "nixos-upgrade.service" ]; + path = [ + pkgs.git + cfgNix.package + ]; + personal.monitor = true; + } + ] + ); programs.git = lib.mkIf (lib.hasPrefix "git+file" cfg.flake) { enable = true; 
@@ -102,28 +117,27 @@ in { }; }) - ( - lib.mkIf (cfg.autoUpgrade.enable && cfgRemote.enable) { - assertions = [ - { - assertion = hasFlake && lib.hasPrefix "git+file://" cfg.flake; - message = "Auto remote upgrade is only supported when the system is specified by a flake with path of the shape 'git+file://...'"; - } - ]; + (lib.mkIf (cfg.autoUpgrade.enable && cfgRemote.enable) { + assertions = [ + { + assertion = hasFlake && lib.hasPrefix "git+file://" cfg.flake; + message = "Auto remote upgrade is only supported when the system is specified by a flake with path of the shape 'git+file://...'"; + } + ]; - personal.system.autoUpgrade.checkHosts = lib.mkOptionDefault [remoteBuilder]; + personal.system.autoUpgrade.checkHosts = lib.mkOptionDefault [ remoteBuilder ]; - programs.ssh = { - extraConfig = '' - Host ${remoteBuilder} - IdentitiesOnly yes - IdentityFile /etc/ssh/remoteBuilder - User ${cfgRemote.builder.user} - ''; - knownHosts."${remoteBuilder}".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHvtqi8tziBuviUV8LDK2ddQQUbHdJYB02dgWTK5Olxq"; - }; - } - ) + programs.ssh = { + extraConfig = '' + Host ${remoteBuilder} + IdentitiesOnly yes + IdentityFile /etc/ssh/remoteBuilder + User ${cfgRemote.builder.user} + ''; + knownHosts."${remoteBuilder}".publicKey = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHvtqi8tziBuviUV8LDK2ddQQUbHdJYB02dgWTK5Olxq"; + }; + }) (lib.mkIf cfg.autoUpgrade.enable { personal.boot.unattendedReboot = lib.mkIf reboot true; 
@@ -137,83 +151,86 @@ in { path = lib.optional reboot pkgs.coreutils ++ [ - ( - if cfgRemote.enable - then cfgNix.package - else pkgs.nixos-rebuild - ) + (if cfgRemote.enable then cfgNix.package else pkgs.nixos-rebuild) ] ++ lib.optional (reboot && cfgLuks ? crypt) pkgs.cryptsetup; personal.monitor = true; - script = lib.mkForce (lib.concatStrings [ - '' - ## build configuration - '' - ( - let - in - if cfgRemote.enable - then '' - # update remote flake - pushd ${lib.removePrefix "git+file://" cfg.flake} - git push --force ${cfgRemote.builder.hostName} local:master - popd - # build remotely - config=$(ssh ${remoteBuilder} -- \ - 'nix build --refresh --print-out-paths \ - git+file://$(pwd)/nixos-configuration#nixosConfigurations.${name}.config.system.build.toplevel') - # copy result locally - nix-copy-closure --from ${remoteBuilder} "$config" - # create new generation - nix-env --profile /nix/var/nix/profiles/system \ - --set "$config" + script = lib.mkForce ( + lib.concatStrings [ + '' + ## build configuration + '' + ( + let + in + if cfgRemote.enable then + '' + # update remote flake + pushd ${lib.removePrefix "git+file://" cfg.flake} + git push --force ${cfgRemote.builder.hostName} local:master + popd + # build remotely + config=$(ssh ${remoteBuilder} -- \ + 'nix build --refresh --print-out-paths \ + git+file://$(pwd)/nixos-configuration#nixosConfigurations.${name}.config.system.build.toplevel') + # copy result locally + nix-copy-closure --from ${remoteBuilder} "$config" + # create new generation + nix-env --profile /nix/var/nix/profiles/system \ + --set "$config" - switch="$config/bin/switch-to-configuration" - '' - else '' - switch="${nixosRebuild}" - '' - ) - '' - ## check whether a reboot is necessary" - '' - ( - if reboot - then '' - $switch boot - booted="$(readlink /run/booted-system/{initrd,kernel,kernel-modules})" - built="$(readlink /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})" - reboot="$([ "$booted" = "$built" ] || echo true)" + 
switch="$config/bin/switch-to-configuration" + '' + else + '' + switch="${nixosRebuild}" + '' + ) '' - else '' - reboot="" + ## check whether a reboot is necessary" '' - ) - '' - ## switch to new configuration - '' - (let - ifcrypt = lib.optionalString (cfgLuks ? crypt); - crypt = cfgLuks.crypt.device; - luksKey = x: "/etc/luks/keys/" + x; - in '' - if [ "$reboot" ] - then - ${ifcrypt '' - cryptsetup luksAddKey ${crypt} ${luksKey "tmp"} \ - --key-file ${luksKey "master"} \ - --verbose - ''} - shutdown -r now ${ifcrypt '' - || cryptsetup luksRemoveKey ${crypt} \ - --key-file ${luksKey "tmp"} \ - --verbose - ''} - else - $switch switch - fi - '') - ]); + ( + if reboot then + '' + $switch boot + booted="$(readlink /run/booted-system/{initrd,kernel,kernel-modules})" + built="$(readlink /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})" + reboot="$([ "$booted" = "$built" ] || echo true)" + '' + else + '' + reboot="" + '' + ) + '' + ## switch to new configuration + '' + ( + let + ifcrypt = lib.optionalString (cfgLuks ? crypt); + crypt = cfgLuks.crypt.device; + luksKey = x: "/etc/luks/keys/" + x; + in + '' + if [ "$reboot" ] + then + ${ifcrypt '' + cryptsetup luksAddKey ${crypt} ${luksKey "tmp"} \ + --key-file ${luksKey "master"} \ + --verbose + ''} + shutdown -r now ${ifcrypt '' + || cryptsetup luksRemoveKey ${crypt} \ + --key-file ${luksKey "tmp"} \ + --verbose + ''} + else + $switch switch + fi + '' + ) + ] + ); } ]; }) diff --git a/modules/nixos/personal/user.nix b/modules/nixos/personal/user.nix index 938e8f7..29a35cb 100644 --- a/modules/nixos/personal/user.nix +++ b/modules/nixos/personal/user.nix 
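Review bot: In the final `ifcrypt` block, the temporary LUKS key slot added with `cryptsetup luksAddKey ${crypt} ${luksKey "tmp"}` is only revoked on the failure path of `shutdown -r now`; once the reboot succeeds, nothing in this hunk removes it, so the `tmp` key file and its slot outlive the single unattended boot they exist for unless a post-boot unit elsewhere in the module removes them. If that cleanup lives in boot.nix, a comment here such as `# slot and key file removed after boot by <cleanup unit, see boot.nix>` would make the key's lifetime visible at the point it is created; if it does not exist, the slot should be removed on first boot. Separately, the heading `## check whether a reboot is necessary"` carries a stray double quote — harmless inside a shell comment, but it reads as a typo. The `nixos-upgrade` service definition this script belongs to starts before the hunk.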
@@ -2,13 +2,13 @@ config, lib, ... -} @ extraArgs: let +}@extraArgs: +let cfg = config.personal.user; importedHomeManager = extraArgs ? home-manager; -in { - imports = - lib.optional importedHomeManager - extraArgs.home-manager.nixosModules.home-manager; +in +{ + imports = lib.optional importedHomeManager extraArgs.home-manager.nixosModules.home-manager; options.personal.user = { enable = lib.mkEnableOption "main user"; 
@@ -16,31 +16,33 @@ in { type = lib.types.str; default = "qaristote"; }; - homeManager = {enable = lib.mkEnableOption "home-manager";}; + homeManager = { + enable = lib.mkEnableOption "home-manager"; + }; }; - config = lib.mkIf cfg.enable ({ + config = lib.mkIf cfg.enable ( + { users.users."${cfg.name}" = { isNormalUser = true; - extraGroups = - ["wheel"] - ++ lib.optional config.networking.networkmanager.enable - "networkmanager"; + extraGroups = [ "wheel" ] ++ lib.optional config.networking.networkmanager.enable "networkmanager"; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK4wGbl3++lqCjLUhoRyABBrVEeNhIXYO4371srkRoyq qaristote@latitude-7490" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEvPsKWQXX/QsFQjJU0CjG4LllvUVZme45d9JeS/yhLt qaristote@precision-3571" ]; }; - assertions = let - missingArgAssertion = name: { - assertion = lib.hasAttr name extraArgs || !cfg.homeManager.enable; - message = "attribute ${name} missing: add it in lib.nixosSystem's specialArgs, or set config.personal.user.homeManager.enable to false"; - }; - in [ - (missingArgAssertion "homeModules") - (missingArgAssertion "home-manager") - ]; + assertions = + let + missingArgAssertion = name: { + assertion = lib.hasAttr name extraArgs || !cfg.homeManager.enable; + message = "attribute ${name} missing: add it in lib.nixosSystem's specialArgs, or set config.personal.user.homeManager.enable to false"; + }; + in + [ + (missingArgAssertion "homeModules") + (missingArgAssertion "home-manager") + ]; } // lib.optionalAttrs (importedHomeManager && extraArgs ? homeModules) { home-manager = lib.mkIf cfg.homeManager.enable { 
@@ -51,11 +53,10 @@ in { useGlobalPkgs = lib.mkDefault true; useUserPackages = lib.mkDefault true; # TODO fix this: only config.personal options seem to be passed (or not ?) - extraSpecialArgs = - (extraArgs.homeSpecialArgs or {}) - // { - osConfig = lib.mkDefault config; - }; + extraSpecialArgs = (extraArgs.homeSpecialArgs or { }) // { + osConfig = lib.mkDefault config; + }; }; - }); + } + ); } diff --git a/modules/nixos/rss-bridge.nix b/modules/nixos/rss-bridge.nix index 5a938d8..2f90af7 100644 --- a/modules/nixos/rss-bridge.nix +++ b/modules/nixos/rss-bridge.nix 
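Review bot: `osConfig = lib.mkDefault config;` inside `extraSpecialArgs` applies an option-definition priority wrapper to a plain module argument, which is not an option and so never gets merged; if home-manager passes `extraSpecialArgs` straight through as `specialArgs`, consumers of `osConfig` presumably receive the `{ _type = "override"; ... }` wrapper rather than the NixOS config, which may be what the `TODO fix this` comment above it is observing. Dropping the wrapper, `osConfig = config;`, is the safe form; if home-manager already injects `osConfig` itself, the attribute can be removed entirely, but that should be checked against the module version in use. The `config = lib.mkIf cfg.enable (` expression this hunk closes starts in the previous hunk.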
@@ -3,58 +3,67 @@ lib, pkgs, ... -}: let +}: +let cfg = config.services.rss-bridge; -in { +in +{ options.services.rss-bridge = { debug = lib.mkEnableOption "debug mode"; extraBridges = lib.mkOption { - type = lib.types.listOf (lib.types.submodule { - options = { - name = lib.mkOption { - type = lib.types.strMatching "[a-zA-Z0-9]*"; - description = '' - The name of the bridge. - It need not include 'Bridge' at the end, unlike required in RSS-Bridge. - ''; - example = "SomeAppWithANewsletter"; - }; - source = lib.mkOption { - type = lib.types.path; - description = '' - The path to a file whose contents is the PHP sourcecode of the bridge. - See also the RSS-Bridge documentation: https://rss-bridge.github.io/rss-bridge/Bridge_API/index.html. - ''; + type = lib.types.listOf ( + lib.types.submodule { + options = { + name = lib.mkOption { + type = lib.types.strMatching "[a-zA-Z0-9]*"; + description = '' + The name of the bridge. + It need not include 'Bridge' at the end, unlike required in RSS-Bridge. + ''; + example = "SomeAppWithANewsletter"; + }; + source = lib.mkOption { + type = lib.types.path; + description = '' + The path to a file whose contents is the PHP sourcecode of the bridge. + See also the RSS-Bridge documentation: https://rss-bridge.github.io/rss-bridge/Bridge_API/index.html. + ''; + }; }; - }; - }); - default = []; + } + ); + default = [ ]; description = '' A list of additional bridges that aren't already included in RSS-Bridge. 
These bridges are automatically whitelisted''; }; }; - config.services.rss-bridge.config.system.enabled_bridges = - lib.mkIf cfg.enable - (map (bridge: bridge.name) cfg.extraBridges); + config.services.rss-bridge.config.system.enabled_bridges = lib.mkIf cfg.enable ( + map (bridge: bridge.name) cfg.extraBridges + ); config.services.nginx = lib.mkIf (cfg.virtualHost != null) { - virtualHosts.${cfg.virtualHost}.root = - lib.mkIf (cfg.extraBridges != []) - (lib.mkForce (pkgs.runCommand "rss-bridge" {} ('' - mkdir -p $out/bridges - cp -r ${cfg.package}/* $out/ - pushd $out/bridges - '' - + lib.concatStrings (map (bridge: '' - ln -sf ${bridge.source} "${bridge.name}Bridge.php" - '') - cfg.extraBridges) - + '' - popd - '' - + lib.optionalString cfg.debug '' - touch $out/DEBUG - ''))); + virtualHosts.${cfg.virtualHost}.root = lib.mkIf (cfg.extraBridges != [ ]) ( + lib.mkForce ( + pkgs.runCommand "rss-bridge" { } ( + '' + mkdir -p $out/bridges + cp -r ${cfg.package}/* $out/ + pushd $out/bridges + '' + + lib.concatStrings ( + map (bridge: '' + ln -sf ${bridge.source} "${bridge.name}Bridge.php" + '') cfg.extraBridges + ) + + '' + popd + '' + + lib.optionalString cfg.debug '' + touch $out/DEBUG + '' + ) + ) + ); }; } |
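Review bot: `strMatching "[a-zA-Z0-9]*"` on the `name` option accepts the empty string, so a bridge with `name = ""` passes type-checking and produces a symlink named `Bridge.php` plus an empty entry in `enabled_bridges`; `type = lib.types.strMatching "[a-zA-Z0-9]+";` closes that gap. That alphanumeric restriction is also what makes it safe to splice `${bridge.name}` into the `runCommand` shell script unquoted, so it deserves a comment such as `# alphanumeric only: the name is interpolated into a shell script below`. Since `touch $out/DEBUG` lands in the directory served as `virtualHosts.${cfg.virtualHost}.root`, the `debug` option would benefit from a comment stating that it switches the publicly served RSS-Bridge instance into debug mode and is meant for local troubleshooting only. The module header (`{ config,`) is outside this hunk.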
