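{ config, lib, pkgs, ... }:

# NixOS module for the "beatific" host family.
#
# It declares the `beatific.*` options and, through `config`, applies a set of
# opt-out defaults (time, locale, programs, sshd, nebula overlay, the tvb
# account, system syncthing, static host entries).  Each group is guarded by a
# `beatific.defaults.<group>` flag that is true unless a host switches it off.
let
  inherit (lib) mkDefault mkIf mkMerge mkOption mkOverride types;

  cfg = config.beatific;

  # A boolean option that is enabled unless the host explicitly sets it false.
  mkFlag = description: mkOption {
    type = types.bool;
    inherit description;
    default = true;
  };
in {
  options = {
    beatific = {
      # The host name is reused for beatific-specific configuration.
      # The bulk of common config is handled in beatific.defaults below, but
      # having one option without a default ensures that the module cannot be
      # imported accidentally.
      hostName = mkOption {
        type = types.str;
        description = "Hostname";
      };

      isLighthouse = mkOption {
        type = types.bool;
        description = "Whether this host is a Nebula lighthouse";
        default = false;
      };

      extraPrograms = mkOption {
        type = types.bool;
        description = "Additional default programs";
        default = false;
      };

      # Groups of related defaults can be disabled by flipping off the switches here:
      # beatific.defaults.${category} = false;
      # They default to true because the point is to do these things by default.
      defaults = {
        time = mkFlag "Default time zone and NTP";
        i18n = mkFlag "Default locale settings";
        programs = mkFlag "Default installed programs";
        ssh = mkFlag "Default sshd settings";
        nebula = mkFlag "Default beatific nebula settings";
        tvb = mkFlag "Default tvb account";
        tvbSync = mkFlag "Configure system syncthing for tvb";
        hosts = mkFlag "Default 10.22.20.* DNS host entries";
      };
    };
  };

  config = mkMerge [
    {
      # Options to always set
      networking.hostName = cfg.hostName;
      nix.extraOptions = "experimental-features = nix-command flakes";
      # The whole repository (./..) is copied into the nix store and exposed
      # at /etc/nixos, so everything in the tree ends up world-readable on
      # the host; keep private material out of this repository.
      environment.etc.nixos.source = ./..;
      environment.shellAliases.nr = "sudo nixos-rebuild --flake $HOME/nixos-configs";
      # Passwordless nixos-rebuild lets tvb activate an arbitrary flake as
      # root, which is equivalent to passwordless root.  The rule is kept to
      # a single absolute path and is only appropriate while tvb is the sole
      # administrator of these hosts.
      security.sudo.extraRules = [{
        users = [ "tvb" ];
        commands = [ { command = "/run/current-system/sw/bin/nixos-rebuild"; options = [ "NOPASSWD" ]; } ];
      }];
    }

    (mkIf cfg.defaults.time {
      # mkDefault time zone to make it easy to configure it to non-UTC
      time.timeZone = mkDefault "UTC";
      services.ntp.enable = true;
      services.ntp.servers = [ "time.nist.gov" ];
    })

    (mkIf cfg.defaults.i18n {
      # en_US.UTF-8
      i18n.defaultLocale = "en_US.UTF-8";
      i18n.extraLocaleSettings = {
        LC_ADDRESS = "en_US.UTF-8";
        LC_IDENTIFICATION = "en_US.UTF-8";
        LC_MEASUREMENT = "en_US.UTF-8";
        LC_MONETARY = "en_US.UTF-8";
        LC_NAME = "en_US.UTF-8";
        LC_NUMERIC = "en_US.UTF-8";
        LC_PAPER = "en_US.UTF-8";
        LC_TELEPHONE = "en_US.UTF-8";
        LC_TIME = "en_US.UTF-8";
      };
    })

    (mkIf cfg.defaults.programs {
      environment.systemPackages = with pkgs; [
        bc # Terminal calculator
        curl
        duf
        file # File type inspector
        htmlq # jq for html
        jq # jq for json
        nebula
        psmisc # provides killall
        python3
        rsync
        tree # Directory tree view
        unzip
        vim
        wget
        zip
      ];
      programs = {
        git = {
          enable = true;
          config.init.defaultBranch = "master";
        };
        htop.enable = true;
      };
      # The nixpkgs default is "nano", so we go one priority higher
      environment.variables.EDITOR = mkOverride 999 "vim";
    })

    (mkIf cfg.extraPrograms {
      environment.systemPackages = with pkgs; [
        calibre # provides ebook-convert
        imagemagick # image convertion cli
        tesseract # OCR engine
      ];
    })

    (mkIf cfg.defaults.ssh {
      services.openssh.enable = true;
      # Access is key-based (see users.users.tvb.openssh.authorizedKeys in the
      # tvb block), so password and keyboard-interactive logins are turned
      # off: the well-known initialPassword on the tvb account must not be
      # usable from the network.  mkDefault lets a host opt back in.
      services.openssh.settings.PasswordAuthentication = mkDefault false;
      services.openssh.settings.KbdInteractiveAuthentication = mkDefault false;
      # Pre-auth banner: per-host art from ascii.nix, falling back to the
      # shared "beatific" entry when the host has none.
      services.openssh.banner = let
        ascii = import ./ascii.nix;
      in ascii.${cfg.hostName} or ascii.beatific;
      networking.firewall.allowPing = true;
      networking.firewall.allowedTCPPorts = [ 22 ];
    })

    (mkIf cfg.defaults.nebula {
      services.nebula.networks.beatific = let
        empyreanExternalDns = "vpn.alogoulogoi.com";
        empyreanInternalIp = "10.22.20.1";
        nebulaPort = 4242;
      in {
        enable = true;

        # The lighthouse only listens on the designated subdomain
        listen.host = if cfg.isLighthouse then empyreanExternalDns else "0.0.0.0";
        listen.port = nebulaPort;

        # Standard certificate paths.  Provisioning these files is outside
        # this module; the .key must be readable only by the nebula service.
        ca = "/etc/nebula/beatific/beatific.crt";
        cert = "/etc/nebula/beatific/${cfg.hostName}.crt";
        key = "/etc/nebula/beatific/${cfg.hostName}.key";

        isLighthouse = cfg.isLighthouse;
        # Non-lighthouses connect to the lighthouse at empyrean
        # This should be a VPN address in the static host map
        lighthouses = mkIf (! cfg.isLighthouse) [ empyreanInternalIp ];

        # Currently there is no VPN-level traffic filtering: every holder of
        # a certificate signed by the CA above can reach every port on every
        # member.  Tighten per-host once roles are settled.
        firewall.outbound = [ { port = "any"; proto = "any"; host = "any"; } ];
        firewall.inbound = [ { port = "any"; proto = "any"; host = "any"; } ];

        # Map the lighthouse address to its public address
        staticHostMap = { ${empyreanInternalIp} = [ "${empyreanExternalDns}:${toString nebulaPort}" ]; };

        settings = {
          # Enable UDP holepunching both ways, which allows nodes to establish more direct connections with each other
          punchy = { punch = true; response = true; };
        };
      };
    })

    (mkIf cfg.defaults.tvb {
      users.groups.tvb = {};
      users.users.tvb = {
        isNormalUser = true;
        group = "tvb";
        # wheel grants sudo; combined with the NOPASSWD nixos-rebuild rule
        # above this account is effectively an administrator.
        extraGroups = [ "wheel" ];
        # Only applied when the account is first created.  It is a known
        # value, so change it at first login; the ssh block above keeps it
        # from being usable over the network.
        initialPassword = "password";
        openssh.authorizedKeys.keyFiles = [
          ../keys/nix-on-droid.vagrant.pub
          ../keys/tvb.backyard.pub
          ../keys/tvb.catacomb.pub
          ../keys/tvb.empyrean.pub
          ../keys/tvb.imperium.pub
          ../keys/tvb.palamas.pub
          ../keys/tvb.stagirite.pub
          ../keys/tvb.unfolder.pub
          ../keys/tvb.vagrant.pub
        ];
      };
    })

    (mkIf cfg.defaults.tvbSync {
      # I haven't gotten user services to work correctly yet,
      # so for now, tvb monopolizes the system syncthing instance.
      # Adding users in the future should probably involve multiple
      # system services so as not to require login to sync.
      services.syncthing = {
        enable = true;
        configDir = "/home/tvb/.config/syncthing";
        # this doesn't prevent syncthing from putting sync points in other locations, it's just a default
        # normally it would make sense to put it at ~ but see https://github.com/NixOS/nixpkgs/pull/273693
        dataDir = "/home/tvb/.config/syncthing";
        # Opens syncthing's transfer and discovery ports in the host firewall.
        openDefaultPorts = true;
        user = "tvb";
        group = "tvb";
      };
    })

    (mkIf cfg.defaults.hosts {
      # Create *.home host entries for all the beatific members
      networking.hosts = {
        "10.22.20.1" = [
          "empyrean.home"
        ];
        "10.22.20.2" = [
          "catacomb.home"
        ];
        "10.22.20.3" = [
          "palamas.home"
        ];
        "10.22.20.4" = [
          "stagirite.home"
        ];
        "10.22.20.5" = [
          "vagrant.home"
        ];
        "10.22.20.6" = [
          "unfolder.home"
        ];
        "10.22.20.7" = [
          "centroid.home"
        ];
        "10.22.20.8" = [
          "backyard.home"
          "jellyfin.backyard.home"
        ];
        "10.22.20.9" = [
          "imperium.home"
        ];
      };
    })
  ];
}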