Diffstat (limited to 'system-profiles')
-rw-r--r-- | system-profiles/core/default.nix | 80 | ||||
-rw-r--r-- | system-profiles/initrd-ssh/default.nix | 6 | ||||
-rw-r--r-- | system-profiles/networkmanager.nix | 1 | ||||
-rw-r--r-- | system-profiles/openssh/default.nix | 5 | ||||
-rw-r--r-- | system-profiles/rebuild-machines/default.nix | 1 |
5 files changed, 77 insertions, 16 deletions
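--- a/system-profiles/core/default.nix
+++ b/system-profiles/core/default.nix
@@ -1,7 +1,10 @@
 { flake, flakeInputs, path, hostName, config, lib, pkgs, customUtils, ... }:
+
+with lib;
+
 let
 profileSet = customUtils.types.attrNameSet flake.nixosModules.systemProfiles;
-userProfileSet = customUtils.types.attrNameSet (lib.zipAttrs (lib.attrValues flake.nixosModules.userProfiles));
+userProfileSet = customUtils.types.attrNameSet (zipAttrs (attrValues flake.nixosModules.userProfiles));
 hasSops = config.sops.secrets != {};
 in {
 imports = with flakeInputs;
@@ -11,7 +14,7 @@ in {
 
 options = {
 # See mkSystemProfile in ../flake.nix
-system.profiles = lib.mkOption {
+system.profiles = mkOption {
 type = profileSet;
 default = [];
 description = ''
@@ -19,9 +22,9 @@ in {
 '';
 };
 
-users.users = lib.mkOption {
-type = lib.types.attrsOf (lib.types.submodule {
-options.profiles = lib.mkOption {
+users.users = mkOption {
+type = types.attrsOf (types.submodule {
+options.profiles = mkOption {
 type = userProfileSet;
 default = [];
 description = ''
@@ -30,14 +33,71 @@ in {
 };
 });
 };
+
+nixpkgs.externalConfig = mkOption {
+default = {};
+example = literalExpression
+''
+{ allowBroken = true; allowUnfree = true; }
+'';
+type = mkOptionType {
+name = "nixpkgs-config";
+description = "nixpkgs config";
+check = x:
+let traceXIfNot = c:
+if c x then true
+else traceSeqN 1 x false;
+isConfig = x:
+builtins.isAttrs x || isFunction x;
+in traceXIfNot isConfig;
+merge = args:
+let
+optCall = f: x:
+if isFunction f
+then f x
+else f;
+mergeConfig = lhs_: rhs_:
+let
+lhs = optCall lhs_ { inherit pkgs; };
+rhs = optCall rhs_ { inherit pkgs; };
+in
+recursiveUpdate lhs rhs //
+optionalAttrs (lhs ? packageOverrides) {
+packageOverrides = pkgs:
+optCall lhs.packageOverrides pkgs //
+optCall (attrByPath [ "packageOverrides" ] { } rhs) pkgs;
+} //
+optionalAttrs (lhs ? perlPackageOverrides) {
+perlPackageOverrides = pkgs:
+optCall lhs.perlPackageOverrides pkgs //
+optCall (attrByPath [ "perlPackageOverrides" ] { } rhs) pkgs;
+};
+in foldr (def: mergeConfig def.value) {};
+};
+description = mdDoc ''
+The configuration of the Nix Packages collection. (For
+details, see the Nixpkgs documentation.) It allows you to set
+package configuration options.
+
+Used to construct `nixpkgs.pkgs`.
+'';
+};
+
+nixpkgs.flakeInput = mkOption {
+type = types.enum (attrNames flakeInputs);
+default = if flakeInputs ? "nixpkgs-${hostName}" then "nixpkgs-${hostName}" else "nixpkgs";
+defaultText = literalExpression ''if flakeInputs ? "nixpkgs-''${hostName}" then "nixpkgs-''${hostName}" else "nixpkgs"'';
+internal = true;
+};
 };
 
 config = {
 networking.hostName = hostName;
-system.configurationRevision = lib.mkIf (flake ? rev) flake.rev;
+system.configurationRevision = mkIf (flake ? rev) flake.rev;
 
-nixpkgs.pkgs = flake.legacyPackages.${config.nixpkgs.system}.override {
-inherit (config.nixpkgs) config;
+nixpkgs.pkgs = import (flakeInputs.${config.nixpkgs.flakeInput}.outPath + "/pkgs/top-level") {
+overlays = attrValues flake.overlays;
+config = config.nixpkgs.externalConfig;
 localSystem = config.nixpkgs.system;
 };
 
@@ -64,7 +124,7 @@ in {
 ];
 registry =
 let override = { self = "nixos"; };
-in lib.mapAttrs' (inpName: inpFlake: lib.nameValuePair
+in mapAttrs' (inpName: inpFlake: nameValuePair
 (override.${inpName} or inpName)
 { flake = inpFlake; } ) flakeInputs;
 };
@@ -97,7 +157,7 @@ in {
 backupFileExtension = "bak";
 };
 
-sops = lib.mkIf hasSops {
+sops = mkIf hasSops {
 age = {
 keyFile = "/var/lib/sops-nix/key.txt";
 generateKey = false;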
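Review bot: In the rewritten `nixpkgs.pkgs` definition (hunk `@@ -30,14 +33,71 @@`, new lines 98–102) the package set is now built from `config.nixpkgs.externalConfig` where the old code inherited `config.nixpkgs.config`, so a `nixpkgs.config = …` definition anywhere else in the tree would presumably stop reaching `pkgs` without any error; if the stock option is meant to be retired here, an assertion such as `assertions = [ { assertion = config.nixpkgs.config == {}; message = "use nixpkgs.externalConfig instead of nixpkgs.config"; } ];` would make that visible, or at least a comment on the new option saying it supersedes `nixpkgs.config`. The `check`/`merge` logic of the new option type (new lines 43–76) looks like a copy of the upstream nixpkgs option type, and a one-line provenance comment naming the upstream file it was taken from would help the next reader keep it in sync. The enclosing `options` and `config` attribute sets start and end outside this hunk.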
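--- a/system-profiles/initrd-ssh/default.nix
+++ b/system-profiles/initrd-ssh/default.nix
@@ -3,8 +3,6 @@
 with lib;
 
 {
-imports = [ ./module.nix ];
-
 config = {
 boot.initrd = {
 network = {
@@ -21,8 +19,8 @@ with lib;
 };
 
 secrets = with config.sops.secrets; {
-"/etc/ssh/ssh_host_ed25519_key" = initrd_ssh_host_ed25519_key.path;
-"/etc/ssh/ssh_host_rsa_key" = initrd_ssh_host_rsa_key.path;
+"/etc/ssh/ssh_host_ed25519_key" = mkForce initrd_ssh_host_ed25519_key.path;
+"/etc/ssh/ssh_host_rsa_key" = mkForce initrd_ssh_host_rsa_key.path;
 };
 
 extraFiles = let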
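Review bot: The two `boot.initrd.secrets` entries are now wrapped in `mkForce` (new lines 22–23), which makes them win over every other definition of those destination paths without the module system reporting a conflict, including a deliberate per-host override; a why-comment naming the definition being overridden, e.g. `# mkForce: wins over the same paths defined by <conflicting module — fill in>`, would record what the force works around. The first hunk also drops `imports = [ ./module.nix ];` (old line 6) with no replacement visible in this diff, so it is worth confirming that `./module.nix` is still reached through another import path; otherwise the options this profile relies on would be undefined. The `config` attribute set continues outside both hunks.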
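--- a/system-profiles/networkmanager.nix
+++ b/system-profiles/networkmanager.nix
@@ -9,7 +9,6 @@ with lib;
 enable = true;
 dhcp = "internal";
 dns = mkForce "dnsmasq";
-firewallBackend = mkIf config.networking.nftables.enable "nftables";
 logLevel = "INFO";
 extraConfig = ''
 [connectivity]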
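--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
@@ -66,7 +66,10 @@ in {
 services.openssh = mkIf cfg.enable {
 hostKeys = mkIf cfg.staticHostKeys (mkForce []); # done manually
 settings = {
-inherit Ciphers Macs KexAlgorithms HostKeyAlgorithms CASignatureAlgorithms PubkeyAcceptedAlgorithms;
+inherit Ciphers Macs KexAlgorithms;
+HostKeyAlgorithms = concatStringsSep "," HostKeyAlgorithms;
+PubkeyAcceptedAlgorithms = concatStringsSep "," PubkeyAcceptedAlgorithms;
+CASignatureAlgorithms = concatStringsSep "," CASignatureAlgorithms;
 
 LogLevel = "VERBOSE";
 RevokedKeys = toString ./ca/krl.bin;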
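Review bot: Three of the six algorithm lists are now joined with `concatStringsSep ","` (new lines 70–72) while `Ciphers`, `Macs` and `KexAlgorithms` are still passed through untouched on line 69, and nothing in the hunk says why the two groups differ; presumably the openssh module types the first three as lists and leaves the others as free-form string settings, and a comment such as `# Ciphers/Macs/KexAlgorithms are typed as lists by the openssh module; the remaining keys are free-form strings, so join them here` would spare the next reader from re-deriving that. The three identical joins could also be expressed once, e.g. `} // mapAttrs (_: concatStringsSep ",") { inherit HostKeyAlgorithms PubkeyAcceptedAlgorithms CASignatureAlgorithms; }` appended to the `settings` set, which keeps the list-typed and string-typed groups visibly apart. The `settings` set and the enclosing `services.openssh` definition continue past the end of the hunk, and the list definitions themselves are outside it.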
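--- a/system-profiles/rebuild-machines/default.nix
+++ b/system-profiles/rebuild-machines/default.nix
@@ -69,6 +69,7 @@ in {
 };
 };
 default = { flake = { type = "git"; url = "ssh://${cfg.repoHost}/nixos"; ref = "flakes"; }; flakeOutput = hostName; };
+defaultText = literalExpression ''{ flake = { type = "git"; url = "ssh://''${config.system.rebuild-machine.repoHost}/nixos"; ref = "flakes"; }; flakeOutput = hostName; }'';
 description = ''
 The Flake URI of the NixOS configuration to build.
 '';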