| author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-03-12 18:40:38 +0100 | 
|---|---|---|
| committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-03-12 18:40:38 +0100 | 
| commit | ae278d745dd8eca94374b27c1fa9a977e54c23c2 (patch) | |
| tree | 934702c425a46496b046579b6f3f4bacada36e4a /system-profiles | |
| parent | 1f4ff029be789298f7732d6f2a153a234cbb5267 (diff) | |
vidhar: netboot installer
Diffstat (limited to 'system-profiles')
| -rw-r--r-- | system-profiles/networkmanager.nix | 26 | ||||
| -rw-r--r-- | system-profiles/openssh/default.nix | 50 | ||||
| -rw-r--r-- | system-profiles/zfs.nix | 4 | 
3 files changed, 59 insertions, 21 deletions
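--- /dev/null
+++ b/system-profiles/networkmanager.nix
@@ -0,0 +1,26 @@
+{ lib, ... }:
+
+with lib;
+
+{
+config = {
+networking = {
+networkmanager = {
+enable = true;
+dhcp = "internal";
+dns = mkForce "dnsmasq";
+extraConfig = ''
+[connectivity]
+uri=https://online.yggdrasil.li
+'';
+};
+
+dhcpcd.enable = false;
+};
+
+systemd.services."NetworkManager-wait-online".enable = false;
+systemd.services."systemd-networkd-wait-online".enable = false;
+
+services.resolved.enable = false;
+};
+}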
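Review bot: Lines 21-22 disable both wait-online units, so anything ordered after `network-online.target` will start before a link is configured; a comment such as `# installer image: do not block boot on connectivity` would record that this is intended for the netboot installer and keep the profile from being reused on hosts whose services rely on that target. The `[connectivity]` section at lines 13-14 sets only `uri=`; NetworkManager also compares the reply against an expected response, so unless `online.yggdrasil.li` returns what the default check expects, the host would presumably be reported as behind a captive portal rather than online — worth confirming against the endpoint. Every host using this profile will also contact that URI periodically, which is worth stating next to the setting.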
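--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
@@ -1,22 +1,34 @@
 { customUtils, lib, config, hostName, pkgs, ... }:
-{
+
+with lib;
+
+let
+cfg = config.services.openssh;
+in {
+options = {
+services.openssh.staticHostKeys = mkOption {
+type = types.bool;
+default = true;
+};
+};
+
 config = {
-systemd.user.services."ssh-agent".enable = lib.mkForce false; # ssh-agent should be done via home-manager
+systemd.user.services."ssh-agent".enable = mkForce false; # ssh-agent should be done via home-manager
 
-services.openssh = lib.mkIf config.services.openssh.enable {
-hostKeys = lib.mkForce []; # done manually
+services.openssh = mkIf cfg.enable {
+hostKeys = mkIf cfg.staticHostKeys (mkForce []); # done manually
 ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes256-ctr" ];
 macs = [ "hmac-sha2-256-etm@openssh.com" "hmac-sha2-256" "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512" ];
 kexAlgorithms = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ];
-moduliFile = config.sops.secrets.ssh_moduli.path;
+moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") config.sops.secrets.ssh_moduli.path;
 extraConfig = ''
 HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512
 CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512
 
-HostKey /etc/ssh/ssh_host_ed25519_key
-HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
-HostKey /etc/ssh/ssh_host_rsa_key
-HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
+${optionalString cfg.staticHostKeys "HostKey /etc/ssh/ssh_host_ed25519_key"}
+${optionalString (config.environment.etc ? "ssh/ssh_host_ed25519_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"}
+${optionalString cfg.staticHostKeys "HostKey /etc/ssh/ssh_host_rsa_key"}
+${optionalString (config.environment.etc ? "ssh/ssh_host_rsa_key-cert.pub") "HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub"}
 RevokedKeys /etc/ssh/krl.bin
 '';
 logLevel = "VERBOSE";
@@ -45,35 +57,35 @@
 '';
 };
 
-sops.secrets = lib.mkIf config.services.openssh.enable {
-ssh_host_rsa_key = {
+sops.secrets = mkIf cfg.enable {
+ssh_host_rsa_key = mkIf cfg.staticHostKeys {
 key = "rsa";
 path = "/etc/ssh/ssh_host_rsa_key";
 sopsFile = ./host-keys + "/${hostName}.yaml";
 };
-ssh_host_ed25519_key = {
+ssh_host_ed25519_key = mkIf cfg.staticHostKeys {
 key = "ed25519";
 path = "/etc/ssh/ssh_host_ed25519_key";
 sopsFile = ./host-keys + "/${hostName}.yaml";
 };
-ssh_moduli = {
+ssh_moduli = mkIf (pathExists (./host-moduli + "/${hostName}")) {
 format = "binary";
 path = "/etc/ssh/moduli";
 sopsFile = ./host-moduli + "/${hostName}";
 };
 };
 
-environment.etc = lib.mkIf config.services.openssh.enable {
-"ssh/ssh_host_rsa_key.pub".source = ./known-hosts + "/${hostName}/rsa.pub";
-"ssh/ssh_host_ed25519_key.pub".source = ./known-hosts + "/${hostName}/ed25519.pub";
+environment.etc = mkIf cfg.enable {
+"ssh/ssh_host_rsa_key.pub" = mkIf cfg.staticHostKeys { source = ./known-hosts + "/${hostName}/rsa.pub"; };
+"ssh/ssh_host_ed25519_key.pub" = mkIf cfg.staticHostKeys { source = ./known-hosts + "/${hostName}/ed25519.pub"; };
 
-"ssh/ssh_host_rsa_key-cert.pub".source = ./known-hosts + "/${hostName}/rsa-cert.pub";
-"ssh/ssh_host_ed25519_key-cert.pub".source = ./known-hosts + "/${hostName}/ed25519-cert.pub";
+"ssh/ssh_host_rsa_key-cert.pub" = mkIf cfg.staticHostKeys { source = ./known-hosts + "/${hostName}/rsa-cert.pub"; };
+"ssh/ssh_host_ed25519_key-cert.pub" = mkIf cfg.staticHostKeys { source = ./known-hosts + "/${hostName}/ed25519-cert.pub"; };
 
 "ssh/krl.bin".source = ./ca/krl.bin;
 };
 
-environment.systemPackages = lib.mkIf config.services.openssh.enable (with pkgs; [
+environment.systemPackages = mkIf cfg.enable (with pkgs; [
 rxvt_unicode.terminfo alacritty.terminfo
 ]);
 };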
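Review bot: The new `services.openssh.staticHostKeys` option (new lines 9-12) has no `description`, although its effect is security-relevant: with it set to false the `HostKey` lines, the sops host-key secrets and the `./known-hosts` public keys are all dropped, so sshd runs on whatever `hostKeys` NixOS generates at boot, which clients cannot match against the pinned keys on first connect. Suggest `description = "Use the pinned, sops-managed host keys and certificates; when false, sshd uses host keys generated at boot that are not pinned in known-hosts.";`. The `HostCertificate` lines (new 29 and 31) now key off `config.environment.etc ? …` and `moduliFile` (new 23) off `config.sops.secrets ? …`; a one-line comment saying both are looked up in this module's own `environment.etc`/`sops.secrets` definitions, which do not depend on `services.openssh.extraConfig`, would let a reader confirm there is no evaluation cycle. The `config = {` block opened at new line 15 continues past the first hunk (lines 35-56 are not shown).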
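--- a/system-profiles/zfs.nix
+++ b/system-profiles/zfs.nix
@@ -1,6 +1,6 @@
-{ pkgs, ... } : {
+{ config, pkgs, ... } : {
 config.boot = {
-kernelPackages = pkgs.linuxPackages_5_15;
+kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
 supportedFilesystems = [ "zfs" ];
 zfs.enableUnstable = true;
 };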
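Review bot: Line 3 now follows `config.boot.zfs.package.latestCompatibleLinuxPackages` instead of pinning `linuxPackages_5_15`, so the kernel tracks whatever the selected ZFS package (presumably `zfsUnstable`, given `zfs.enableUnstable = true` on line 5) declares compatible and may move to a different kernel series on any nixpkgs update. A comment such as `# follow the newest kernel the (unstable) ZFS module supports rather than pinning a series` would record that this is deliberate and that kernel updates are now coupled to ZFS releases.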
