From 679496f5b4f36abbd1ed94b3934f8aa194e159c2 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Nikodem=20Rabuli=C5=84ski?=
Date: Tue, 2 Jan 2024 20:08:20 +0100
Subject: [PATCH] Consolidated and moved modules/{nixos,darwin} to modules/system
---
README.md | 4 +-
modules/darwin/common/default.nix | 7 -
modules/darwin/default.nix | 6 -
modules/darwin/settei/default.nix | 6 -
modules/darwin/settei/sane-defaults.nix | 15 --
modules/default.nix | 3 +-
modules/nixos/common/default.nix | 17 ---
modules/nixos/common/hercules.nix | 34 -----
modules/nixos/default.nix | 6 -
modules/nixos/settei/default.nix | 6 -
modules/nixos/settei/sane-defaults.nix | 56 --------
modules/shared/common/default.nix | 24 ----
modules/shared/settei/sane-defaults.nix | 65 ---------
modules/system/common/default.nix | 56 ++++++++
modules/system/common/hercules.nix | 40 ++++++
modules/system/default.nix | 17 +++
modules/{shared => system}/settei/default.nix | 10 +-
.../{shared => system}/settei/flake-qol.nix | 0
modules/system/settei/sane-defaults.nix | 130 ++++++++++++++++++
modules/{shared => system}/settei/user.nix | 6 +-
20 files changed, 258 insertions(+), 250 deletions(-)
delete mode 100644 modules/darwin/common/default.nix
delete mode 100644 modules/darwin/default.nix
delete mode 100644 modules/darwin/settei/default.nix
delete mode 100644 modules/darwin/settei/sane-defaults.nix
delete mode 100644 modules/nixos/common/default.nix
delete mode 100644 modules/nixos/common/hercules.nix
delete mode 100644 modules/nixos/default.nix
delete mode 100644 modules/nixos/settei/default.nix
delete mode 100644 modules/nixos/settei/sane-defaults.nix
delete mode 100644 modules/shared/common/default.nix
delete mode 100644 modules/shared/settei/sane-defaults.nix
create mode 100644 modules/system/common/default.nix
create mode 100644 modules/system/common/hercules.nix
create mode 100644 modules/system/default.nix
rename modules/{shared => system}/settei/default.nix (58%)
rename modules/{shared => system}/settei/flake-qol.nix (100%)
create mode 100644 modules/system/settei/sane-defaults.nix
rename modules/{shared => system}/settei/user.nix (94%)
diff --git a/README.md b/README.md
index 77a7a74..fdd7be4 100644
--- a/README.md
+++ b/README.md
@@ -14,8 +14,8 @@ Collection of my personal Nix configurations and opinionated NixOS, nix-darwin, - miyagi - my work machine[^1] - modules - options which in principle should be reusable by others - */common - common options between my machines which aren't meant to be reusable by others - - nixos - - settei - my opinionated nixos options + - system + - settei - my opinionated nixos/nix-darwin options - flake - flake-parts modules - secrets - agenix secrets - wrappers - nix packages wrapped with my configs (see: [wrapper-manager](https://github.com/viperML/wrapper-manager))
diff --git a/modules/darwin/common/default.nix b/modules/darwin/common/default.nix
deleted file mode 100644
index d0ca2f2..0000000
--- a/modules/darwin/common/default.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- imports = [
- ../../shared/common
- ];
-
- system.stateVersion = 4;
-}
diff --git a/modules/darwin/default.nix b/modules/darwin/default.nix
deleted file mode 100644
index d86d9c6..0000000
--- a/modules/darwin/default.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{config, ...}: {
- flake.darwinModules = {
- settei = import ./settei {inherit (config) perInput;};
- common = ./common;
- };
-}
diff --git a/modules/darwin/settei/default.nix b/modules/darwin/settei/default.nix
deleted file mode 100644
index 3b18865..0000000
--- a/modules/darwin/settei/default.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{perInput}: {
- imports = [
- (import ../../shared/settei {inherit perInput;})
- ./sane-defaults.nix
- ];
-}
diff --git a/modules/darwin/settei/sane-defaults.nix b/modules/darwin/settei/sane-defaults.nix
deleted file mode 100644
index 15132e8..0000000
--- a/modules/darwin/settei/sane-defaults.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-# For sane-default options shared between NixOS and darwin, see modules/shared/settei/sane-defaults.nix
-{
- config,
- lib,
- username,
- ...
-}: {
- config = lib.mkIf config.settei.sane-defaults.enable {
- services.nix-daemon.enable = true;
-
- security.pam.enableSudoTouchIdAuth = true;
-
- users.users.${username}.home = "/Users/${username}";
- };
-}
diff --git a/modules/default.nix b/modules/default.nix
index 9268452..a944256 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1,7 +1,6 @@
{
imports = [
- ./nixos
- ./darwin
+ ./system
./flake
];
}
diff --git a/modules/nixos/common/default.nix b/modules/nixos/common/default.nix
deleted file mode 100644
index 1978013..0000000
--- a/modules/nixos/common/default.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{lib, ...}: {
- imports = [
- ../../shared/common
- ./hercules.nix
- ];
-
- system.stateVersion = "22.05";
-
- # https://github.com/NixOS/nixpkgs/issues/254807
- boot.swraid.enable = false;
-
- i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
-
- settei.user.config = {
- services.ssh-agent.enable = true;
- };
-}
diff --git a/modules/nixos/common/hercules.nix b/modules/nixos/common/hercules.nix
deleted file mode 100644
index eeed62e..0000000
--- a/modules/nixos/common/hercules.nix
+++ /dev/null
@@ -1,34 +0,0 @@
-{
- config,
- pkgs,
- lib,
- ...
-}: {
- _file = ./hercules.nix;
-
- options.common.hercules.enable = lib.mkEnableOption "Enables hercules-ci-agent with my configuration";
-
- config = let
- herculesUser = config.systemd.services.hercules-ci-agent.serviceConfig.User;
- in
- lib.mkIf config.common.hercules.enable {
- age.secrets.hercules-token = {
- file = ../../../secrets/hercules-token.age;
- owner = herculesUser;
- };
- age.secrets.hercules-cache = {
- file = ../../../secrets/hercules-cache.age;
- owner = herculesUser;
- };
-
- services.hercules-ci-agent = {
- enable = true;
- settings = {
- clusterJoinTokenPath = config.age.secrets.hercules-token.path;
- concurrentTasks = lib.mkDefault 4;
- binaryCachesPath = config.age.secrets.hercules-cache.path;
- secretsJsonPath = pkgs.writeText "secrets.json" "{}";
- };
- };
- };
-}
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
deleted file mode 100644
index 2b36755..0000000
--- a/modules/nixos/default.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{config, ...}: {
- flake.nixosModules = {
- settei = import ./settei {inherit (config) perInput;};
- common = ./common;
- };
-}
diff --git a/modules/nixos/settei/default.nix b/modules/nixos/settei/default.nix
deleted file mode 100644
index 3b18865..0000000
--- a/modules/nixos/settei/default.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{perInput}: {
- imports = [
- (import ../../shared/settei {inherit perInput;})
- ./sane-defaults.nix
- ];
-}
diff --git a/modules/nixos/settei/sane-defaults.nix b/modules/nixos/settei/sane-defaults.nix
deleted file mode 100644
index 8b9ea0a..0000000
--- a/modules/nixos/settei/sane-defaults.nix
+++ /dev/null
@@ -1,56 +0,0 @@
-# For sane-default options shared between NixOS and darwin, see modules/shared/settei/sane-defaults.nix
-{
- config,
- username,
- lib,
- ...
-} @ args: let
- cfg = config.settei.sane-defaults;
- nmEnabled = config.networking.networkmanager.enable;
-in {
- config = lib.mkIf cfg.enable {
- hardware.enableRedistributableFirmware = true;
-
- services.openssh.enable = true;
- programs.mosh.enable = lib.mkDefault true;
-
- users = {
- mutableUsers = false;
- users.${username} = {
- isNormalUser = true;
- home = "/home/${username}";
- group = username;
- extraGroups = ["wheel"];
- # FIXME: Move to common
- openssh.authorizedKeys.keys = let
- configName' =
- args.configurationName
- or (throw "pass configurationName to module arguments or set users.users.${username}.openssh.authorizedKeys yourself");
- filteredKeys = lib.filterAttrs (name: _: name != configName') cfg.allSshKeys;
- in
- lib.mkDefault (lib.attrValues filteredKeys);
- };
- groups.${username} = {};
- };
-
- # TODO: Actually this should be extraRules which makes wheel users without any password set
- # be able to use sudo with no password
- security.sudo.wheelNeedsPassword = false;
-
- # When NetworkManager isn't in use, add tailscale DNS address manually
- # FIXME: Move to common
- networking = lib.mkIf (!nmEnabled && config.services.tailscale.enable && cfg.tailnet != null) {
- nameservers = [
- "100.100.100.100"
- "1.1.1.1"
- "1.0.0.1"
- ];
- search = [cfg.tailnet];
- };
-
- # NetworkManager probably means desktop system so we don't want to slow down boot times
- systemd.services = lib.mkIf nmEnabled {
- NetworkManager-wait-online.enable = false;
- };
- };
-}
diff --git a/modules/shared/common/default.nix b/modules/shared/common/default.nix
deleted file mode 100644
index 853de92..0000000
--- a/modules/shared/common/default.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{
- config,
- configurationName,
- lib,
- ...
-}: {
- settei.user.config = {
- programs.git = {
- enable = true;
- difftastic.enable = true;
- lfs.enable = true;
- userName = "Nikodem Rabuliński";
- userEmail = lib.mkDefault "nikodem@rabulinski.com";
- signing = {
- key = config.settei.sane-defaults.allSshKeys.${configurationName};
- signByDefault = true;
- };
- extraConfig = {
- gpg.format = "ssh";
- push.followTags = true;
- };
- };
- };
-}
diff --git a/modules/shared/settei/sane-defaults.nix b/modules/shared/settei/sane-defaults.nix
deleted file mode 100644
index 99966d5..0000000
--- a/modules/shared/settei/sane-defaults.nix
+++ /dev/null
@@ -1,65 +0,0 @@
-# This module is supposed to be a reusable set of options you probably would want to set anyway.
-# For options specific to nixos or darwin go to modules/{nixos,darwin}/settei/sane-defaults.nix
-{
- config,
- pkgs,
- lib,
- ...
-} @ args: {
- _file = ./sane-defaults.nix;
-
- options.settei.sane-defaults = with lib; {
- enable = mkEnableOption "Personal sane defaults (but they should make sense for anyone)";
- allSshKeys = mkOption {
- type = types.attrsOf types.singleLineStr;
- default = {};
- };
- tailnet = mkOption {
- type = types.nullOr types.str;
- default = null;
- };
- };
-
- config = lib.mkIf config.settei.sane-defaults.enable (let
- cfg = config.settei;
- inherit (cfg) username;
- adminNeedsPassword = pkgs.stdenv.isLinux -> config.security.sudo.wheelNeedsPassword;
- in {
- _module.args = {
- username = lib.mkDefault username;
- };
-
- # FIXME: Move to common
- services.tailscale.enable = true;
-
- networking.hostName = lib.mkDefault (
- args.configurationName
- or (throw "pass configurationName to module arguments or set networking.hostName yourself")
- );
-
- # Flakes are unusable without git present so pull it into the environment by default
- settei.user.config.programs.git.enable = lib.mkDefault true;
-
- nix = {
- settings = {
- experimental-features = ["nix-command" "flakes" "repl-flake" "auto-allocate-uids"];
- trusted-users = lib.optionals (!adminNeedsPassword) [username];
- auto-allocate-uids = true;
- extra-substituters = [
- "https://hyprland.cachix.org"
- "https://cache.garnix.io"
- "https://nix-community.cachix.org"
- "https://hercules-ci.cachix.org"
- "https://nrabulinski.cachix.org"
- ];
- trusted-public-keys = [
- "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
- "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
- "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
- "hercules-ci.cachix.org-1:ZZeDl9Va+xe9j+KqdzoBZMFJHVQ42Uu/c/1/KMC5Lw0="
- 
"nrabulinski.cachix.org-1:Q5FD7+1c68uH74CQK66UWNzxhanZW8xcg1LFXxGK8ic="
- ];
- };
- };
- });
-}
diff --git a/modules/system/common/default.nix b/modules/system/common/default.nix
new file mode 100644
index 0000000..9938d9c
--- /dev/null
+++ b/modules/system/common/default.nix
@@ -0,0 +1,56 @@
+{isLinux}: {
+ config,
+ configurationName,
+ lib,
+ pkgs,
+ ...
+}: let
+ sharedConfig = {
+ settei.user.config = {
+ programs.git = {
+ enable = true;
+ difftastic.enable = true;
+ lfs.enable = true;
+ userName = "Nikodem Rabuliński";
+ userEmail = lib.mkDefault "nikodem@rabulinski.com";
+ signing = {
+ key = config.settei.sane-defaults.allSshKeys.${configurationName};
+ signByDefault = true;
+ };
+ extraConfig = {
+ gpg.format = "ssh";
+ push.followTags = true;
+ };
+ };
+ };
+ };
+
+ linuxConfig = lib.optionalAttrs isLinux {
+ system.stateVersion = "22.05";
+
+ # https://github.com/NixOS/nixpkgs/issues/254807
+ boot.swraid.enable = false;
+
+ i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
+
+ settei.user.config = {
+ services.ssh-agent.enable = true;
+ };
+ };
+
+ darwinConfig = lib.optionalAttrs (!isLinux) {
+ system.stateVersion = 4;
+ };
+in {
+ _file = ./default.nix;
+
+ imports = [
+ (import ./hercules.nix {inherit isLinux;})
+ ];
+
+ config = lib.mkMerge [
+ sharedConfig
+ linuxConfig
+ darwinConfig
+ ];
+}
diff --git a/modules/system/common/hercules.nix b/modules/system/common/hercules.nix
new file mode 100644
index 0000000..e743f69
--- /dev/null
+++ b/modules/system/common/hercules.nix
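Review bot: `pkgs` is added to the argument set of the new modules/system/common/default.nix (fifth line of the hunk) but nothing in the 56-line body references it; the hercules import receives only `isLinux`, so the argument can be dropped, or a comment should say what it is reserved for. A second point on the same file: `configurationName` is destructured as a required module argument and used in `key = config.settei.sane-defaults.allSshKeys.${configurationName};`, whereas modules/system/settei/sane-defaults.nix in this commit falls back to `args.configurationName or (throw "...")` with a readable hint, so a consumer of `common` that forgets the argument gets an opaque missing-argument evaluation error instead. Either apply the same `or (throw ...)` pattern here or add a comment on the `configurationName,` line stating that the caller must supply it, and that it must also be a key of `allSshKeys`.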
@@ -0,0 +1,40 @@
+{isLinux}: {
+ config,
+ pkgs,
+ lib,
+ ...
+}: let
+ options = {
+ common.hercules.enable = lib.mkEnableOption "Enables hercules-ci-agent with my configuration";
+ };
+
+ herculesUser =
+ if isLinux
+ then config.systemd.services.hercules-ci-agent.serviceConfig.User
+ else config.launchd.daemons.hercules-ci-agent.serviceConfig.UserName;
+in {
+ _file = ./hercules.nix;
+
+ inherit options;
+
+ config = lib.mkIf config.common.hercules.enable {
+ age.secrets.hercules-token = {
+ file = ../../../secrets/hercules-token.age;
+ owner = herculesUser;
+ };
+ age.secrets.hercules-cache = {
+ file = ../../../secrets/hercules-cache.age;
+ owner = herculesUser;
+ };
+
+ services.hercules-ci-agent = {
+ enable = true;
+ settings = {
+ clusterJoinTokenPath = config.age.secrets.hercules-token.path;
+ concurrentTasks = lib.mkDefault 4;
+ binaryCachesPath = config.age.secrets.hercules-cache.path;
+ secretsJsonPath = pkgs.writeText "secrets.json" "{}";
+ };
+ };
+ };
+}
diff --git a/modules/system/default.nix b/modules/system/default.nix
new file mode 100644
index 0000000..324dabe
--- /dev/null
+++ b/modules/system/default.nix
@@ -0,0 +1,17 @@
+{
+ config,
+ lib,
+ ...
+}: {
+ flake = lib.genAttrs ["nixosModules" "darwinModules"] (attr: let
+ isLinux = lib.hasPrefix "nixos" attr;
+ in {
+ settei = import ./settei {
+ inherit (config) perInput;
+ inherit isLinux;
+ };
+ common = import ./common {
+ inherit isLinux;
+ };
+ });
+}
diff --git a/modules/shared/settei/default.nix b/modules/system/settei/default.nix
similarity index 58%
rename from modules/shared/settei/default.nix
rename to modules/system/settei/default.nix
index 7d6ee0f..ec13409 100644
--- a/modules/shared/settei/default.nix
+++ b/modules/system/settei/default.nix
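Review bot: The darwin branch of `herculesUser` (`else config.launchd.daemons.hercules-ci-agent.serviceConfig.UserName;`) is the only new code path in modules/system/common/hercules.nix — the removed NixOS-only module had no macOS counterpart — and it is used as `owner` for both agenix secrets, so if that attribute is not populated by the nix-darwin hercules-ci-agent module the secrets presumably end up unreadable by the agent or fail to evaluate, while the Linux branch keeps working and masks it. A comment above the `if isLinux` naming the nix-darwin module that sets `serviceConfig.UserName`, or an `lib.assertMsg (herculesUser != null) "..."` guard inside the `mkIf` body, would make the new dependency explicit and reviewable. The `secretsJsonPath = pkgs.writeText "secrets.json" "{}";` line is unchanged from the old module and still places an (empty) secrets file in the world-readable store; a comment stating that this is deliberately empty would pre-empt the question for the next reader.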
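Review bot: `isLinux = lib.hasPrefix "nixos" attr;` in modules/system/default.nix derives the platform from the spelling of the flake output name, which silently couples the `genAttrs` list on the line above to a string prefix and reads as a trick rather than a statement of fact. A mapping that carries the flag directly would be clearer and needs no inference, e.g. `flake = lib.mapAttrs (_: isLinux: {` with the closing `}) { nixosModules = true; darwinModules = false; };`. At minimum a comment such as `# nixosModules -> Linux, darwinModules -> macOS; isLinux selects the platform-specific halves of settei and common` would save the next reader the lookup.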
@@ -1,12 +1,18 @@
-{perInput}: {
+{
+ perInput,
+ # TODO: Figure out a nicer way of doing this without infrec?
+ isLinux,
+}: {
lib,
+ pkgs,
config,
+ options,
...
}: {
_file = ./default.nix;

imports = [
- ./sane-defaults.nix
+ (import ./sane-defaults.nix {inherit isLinux;})
(import ./flake-qol.nix {inherit perInput;})
./user.nix
];
diff --git a/modules/shared/settei/flake-qol.nix b/modules/system/settei/flake-qol.nix
similarity index 100%
rename from modules/shared/settei/flake-qol.nix
rename to modules/system/settei/flake-qol.nix
diff --git a/modules/system/settei/sane-defaults.nix b/modules/system/settei/sane-defaults.nix
new file mode 100644
index 0000000..5b7d26f
--- /dev/null
+++ b/modules/system/settei/sane-defaults.nix
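Review bot: The new `pkgs,` and `options,` module arguments in modules/system/settei/default.nix are not referenced anywhere in the hunk, and the rest of the module body (it continues past `./user.nix ];`) is outside the hunk, so their use cannot be confirmed here; if nothing further down reads them they should be dropped, since unused destructured arguments suggest a dependency that does not exist. The `# TODO: Figure out a nicer way of doing this without infrec?` comment would carry more information if it named the recursion it avoids — presumably that selecting `imports` from `pkgs.stdenv.isLinux` (the check the removed shared module used) recurses through `config`, which is why `isLinux` is threaded in at import time; e.g. `# isLinux is passed at import time: deriving it from pkgs.stdenv.isLinux inside a module that selects imports/options recurses through config.`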
@@ -0,0 +1,130 @@
+{isLinux}: {
+ config,
+ lib,
+ username,
+ ...
+} @ args: let
+ options = {
+ settei.sane-defaults = with lib; {
+ enable = mkEnableOption "Personal sane defaults (but they should make sense for anyone)";
+ allSshKeys = mkOption {
+ type = types.attrsOf types.singleLineStr;
+ default = {};
+ };
+ tailnet = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ };
+ };
+ };
+
+ sharedConfig = let
+ cfg = config.settei;
+ inherit (cfg) username;
+ adminNeedsPassword = isLinux -> config.security.sudo.wheelNeedsPassword;
+ in {
+ _module.args = {
+ username = lib.mkDefault username;
+ };
+
+ # FIXME: Move to common
+ services.tailscale.enable = true;
+
+ networking.hostName = lib.mkDefault (
+ args.configurationName
+ or (throw "pass configurationName to module arguments or set networking.hostName yourself")
+ );
+
+ # Flakes are unusable without git present so pull it into the environment by default
+ settei.user.config.programs.git.enable = lib.mkDefault true;
+
+ nix = {
+ settings = {
+ experimental-features = ["nix-command" "flakes" "repl-flake" "auto-allocate-uids"];
+ trusted-users = lib.optionals (!adminNeedsPassword) [username];
+ auto-allocate-uids = true;
+ extra-substituters = [
+ "https://hyprland.cachix.org"
+ "https://cache.garnix.io"
+ "https://nix-community.cachix.org"
+ "https://hercules-ci.cachix.org"
+ "https://nrabulinski.cachix.org"
+ ];
+ trusted-public-keys = [
+ "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
+ "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ "hercules-ci.cachix.org-1:ZZeDl9Va+xe9j+KqdzoBZMFJHVQ42Uu/c/1/KMC5Lw0="
+ "nrabulinski.cachix.org-1:Q5FD7+1c68uH74CQK66UWNzxhanZW8xcg1LFXxGK8ic="
+ ];
+ };
+ };
+ };
+
+ linuxConfig = lib.optionalAttrs isLinux (let
+ cfg = config.settei.sane-defaults;
+ nmEnabled = config.networking.networkmanager.enable;
+ in {
+ 
hardware.enableRedistributableFirmware = true;
+
+ services.openssh.enable = true;
+ programs.mosh.enable = lib.mkDefault true;
+
+ users = {
+ mutableUsers = false;
+ users.${username} = {
+ isNormalUser = true;
+ home = "/home/${username}";
+ group = username;
+ extraGroups = ["wheel"];
+ # FIXME: Move to common
+ openssh.authorizedKeys.keys = let
+ configName' =
+ args.configurationName
+ or (throw "pass configurationName to module arguments or set users.users.${username}.openssh.authorizedKeys yourself");
+ filteredKeys = lib.filterAttrs (name: _: name != configName') cfg.allSshKeys;
+ in
+ lib.mkDefault (lib.attrValues filteredKeys);
+ };
+ groups.${username} = {};
+ };
+
+ # TODO: Actually this should be extraRules which makes wheel users without any password set
+ # be able to use sudo with no password
+ security.sudo.wheelNeedsPassword = false;
+
+ # When NetworkManager isn't in use, add tailscale DNS address manually
+ # FIXME: Move to common
+ networking = lib.mkIf (!nmEnabled && config.services.tailscale.enable && cfg.tailnet != null) {
+ nameservers = [
+ "100.100.100.100"
+ "1.1.1.1"
+ "1.0.0.1"
+ ];
+ search = [cfg.tailnet];
+ };
+
+ # NetworkManager probably means desktop system so we don't want to slow down boot times
+ systemd.services = lib.mkIf nmEnabled {
+ NetworkManager-wait-online.enable = false;
+ };
+ });
+
+ darwinConfig = lib.optionalAttrs (!isLinux) {
+ services.nix-daemon.enable = true;
+
+ security.pam.enableSudoTouchIdAuth = true;
+
+ users.users.${username}.home = "/Users/${username}";
+ };
+in {
+ _file = ./sane-defaults.nix;
+
+ inherit options;
+
+ config = lib.mkIf config.settei.sane-defaults.enable (lib.mkMerge [
+ sharedConfig
+ linuxConfig
+ darwinConfig
+ ]);
+}
diff --git a/modules/shared/settei/user.nix b/modules/system/settei/user.nix
similarity index 94%
rename from modules/shared/settei/user.nix
rename to modules/system/settei/user.nix
index 4ba3c13..086b711 100644
--- a/modules/shared/settei/user.nix
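Review bot: `trusted-users = lib.optionals (!adminNeedsPassword) [username];` in modules/system/settei/sane-defaults.nix grants the user root-equivalent control of the Nix daemon, and whether it fires is decided by `adminNeedsPassword = isLinux -> config.security.sudo.wheelNeedsPassword;`, where `wheelNeedsPassword` is forced to `false` by `linuxConfig` a few dozen lines below in the same file — so on Linux the grant is unconditional in practice, and on macOS it never happens because `false -> x` is `true`; neither outcome is stated anywhere, and the module-system indirection hides that the condition is evaluating this file's own setting. A comment next to the `trusted-users` line would make the intent reviewable, e.g. `# trusted-users is root-equivalent via the daemon; only grant it where the admin already has passwordless sudo (always, given wheelNeedsPassword = false below; never on darwin), so no privilege is added`. The `security.sudo.wheelNeedsPassword = false;` line and its `# TODO: Actually this should be extraRules ...` comment were moved verbatim; since the `trusted-users` decision now keys off that value explicitly via `isLinux`, resolving the TODO later will silently remove the user from `trusted-users` unless that coupling is documented or the condition is rewritten against the eventual `extraRules` entry.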
+++ b/modules/system/settei/user.nix
@@ -43,7 +43,8 @@ in {
};
};
in
- lib.mkIf cfg.enable ({
+ lib.mkIf cfg.enable (lib.mkMerge [
+ {
assertions = [
{
assertion = hasHomeManager;
@@ -51,5 +52,6 @@ in {
}
];
}
- // hmConfig);
+ hmConfig
+ ]);
}
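Review bot: Replacing `{ assertions = [...]; } // hmConfig` with `lib.mkIf cfg.enable (lib.mkMerge [ { ... } hmConfig ]);` across the two hunks of modules/system/settei/user.nix changes merge semantics — `//` is a shallow update in which any top-level attribute that `hmConfig` also defines silently replaces the left-hand one, whereas `mkMerge` combines both sides through the module system — yet the commit subject describes only a consolidation, so this behavioral fix is easy to lose in history. A short sentence in the commit message, or a comment above the `lib.mkMerge [` line such as `# mkMerge rather than //: hmConfig may define top-level attrs that must merge with, not replace, the assertions`, would record why the wrapper changed. The enclosing `let ... in` expression and the body of the assertion list continue outside both hunks, so whether `hmConfig` actually overlaps `assertions` cannot be checked here.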