machine/backyard/default.nix

@@ -5,29 +5,75 @@
     ./hardware-configuration.nix
   ];
 
+  # Bootloader.
   boot.loader = {
     systemd-boot.enable = true;
     efi.canTouchEfiVariables = true;
   };
 
   beatific.hostName = "backyard";
+  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
 
   # Enable networking
   networking.networkmanager.enable = true;
-  users.users.tvb.extraGroups = [ "networkmanager" ];
 
-  networking.firewall = {
+  # Set your time zone.
+  time.timeZone = "UTC";
+
+  services.ntp = {
     enable = true;
-    allowedTCPPorts = [
-      80  # http
-      443 # https
-    ];
+    servers = [ "time.nist.gov" ];
   };
 
-  # This value governs how some stateful data, like databases, are handled
-  # across different versions of NixOS. This should not be changed to a new
-  # release unless the sysadmin has determined that no services would be
-  # adversely affected by changing this.
-  system.stateVersion = "23.05";
+  # Select internationalisation properties.
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  i18n.extraLocaleSettings = {
+    LC_ADDRESS = "en_US.UTF-8";
+    LC_IDENTIFICATION = "en_US.UTF-8";
+    LC_MEASUREMENT = "en_US.UTF-8";
+    LC_MONETARY = "en_US.UTF-8";
+    LC_NAME = "en_US.UTF-8";
+    LC_NUMERIC = "en_US.UTF-8";
+    LC_PAPER = "en_US.UTF-8";
+    LC_TELEPHONE = "en_US.UTF-8";
+    LC_TIME = "en_US.UTF-8";
+  };
+
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  users.users.tvb = {
+    isNormalUser = true;
+    group = "tvb";
+    extraGroups = [ "networkmanager" "wheel" ];
+    openssh.authorizedKeys.keyFiles = [
+      ../../keys/tvb.palamas.pub
+      ../../keys/tvb.stagirite.pub
+      ../../keys/tvb.catacomb.pub
+      ../../keys/tvb.unfolder.pub
+    ];
+  };
+  users.groups.tvb = {};
+
+  environment.systemPackages = with pkgs; [
+    vim
+    git
+  ];
+
+  # Enable the OpenSSH daemon.
+  services.openssh.enable = true;
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  networking.firewall.enable = false;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
 
 }

modules/beatific.nix

@@ -1,156 +1,18 @@
 { config, lib, pkgs, ... }:
 
 let
-  inherit (lib) mkDefault mkIf mkMerge mkOption mkOverride types;
+  inherit (lib) mkOption types;
   cfg = config.beatific;
-  mkFlag = description: mkOption {
-    type = types.bool;
-    inherit description;
-    default = true;
-  };
 in {
   options = {
-    beatific = {
-      # The host name is reused for beatific-specific configuration.
-      # The bulk of common config is handled in beatific.defaults below, but
-      # having one option without a default ensures that the module cannot be
-      # imported accidentally.
-      hostName = mkOption {
+    beatific.hostName = mkOption {
       type = types.str;
       description = "Hostname";
     };
-
-      isLighthouse = mkOption {
-        type = types.bool;
-        description = "Whether this host is a Nebula lighthouse";
-        default = false;
   };
 
-      # Groups of related defaults can be disabled by flipping off the switches here:
-      #   beatific.defaults.${category} = false;
-      # They default to true because the point is to do these things by default.
-      defaults = {
-        time = mkFlag "Default time zone and NTP";
-        i18n = mkFlag "Default locale settings";
-        programs = mkFlag "Default installed programs";
-        ssh = mkFlag "Default sshd settings";
-        nebula = mkFlag "Default beatific nebula settings";
-        tvb = mkFlag "Default tvb account";
-      };
-    };
-  };
-
-  config = mkMerge [
-    {
-      # Options to always set
-      networking.hostName = cfg.hostName;
-      nix.extraOptions = "experimental-features = nix-command flakes";
-    }
-
-    (mkIf cfg.defaults.time {
-      # mkDefault time zone to make it easy to configure it to non-UTC
-      time.timeZone = mkDefault "UTC";
-      services.ntp.enable = true;
-      services.ntp.servers = [ "time.nist.gov" ];
-    })
-
-    (mkIf cfg.defaults.i18n {
-      # en_US.UTF-8
-      i18n.defaultLocale = "en_US.UTF-8";
-      i18n.extraLocaleSettings = {
-        LC_ADDRESS = "en_US.UTF-8";
-        LC_IDENTIFICATION = "en_US.UTF-8";
-        LC_MEASUREMENT = "en_US.UTF-8";
-        LC_MONETARY = "en_US.UTF-8";
-        LC_NAME = "en_US.UTF-8";
-        LC_NUMERIC = "en_US.UTF-8";
-        LC_PAPER = "en_US.UTF-8";
-        LC_TELEPHONE = "en_US.UTF-8";
-        LC_TIME = "en_US.UTF-8";
-      };
-    })
-
-    (mkIf cfg.defaults.programs {
-      environment.systemPackages = with pkgs; [
-        curl
-        git
-        htop
-        nebula
-        python3
-        vim
-        wget
-      ];
-      # The nixpkgs default is "nano", so we go one priority higher
-      environment.variables.EDITOR = mkOverride 999 "vim";
-    })
-
-    (mkIf cfg.defaults.ssh {
-      services.openssh.enable = true;
-      services.openssh.banner = ''
-         ____  ______       _______ _____ ______ _____  ______  ./|,,/|
-        |  _ \|  ____|  /\ |__   __|_   _|  ____|_   _|/ ____/ <  o  o|
-        | |_) | |__    /  \   | |    | | | |__    | | | |     <\ (    |
-        |  _ <|  __|  / /\ \  | |    | | |  __|   | | | |    <\\  |\  |
-        | |_) | |____/ ____ \ | |   _| |_| |     _| |_| |___<\\\  |(__)
-        |____/|_____/_/    \_\|_|  |_____|_|    |_____|\_____|\\  |
-
-      '';
-      networking.firewall.allowPing = true;
-      networking.firewall.allowedTCPPorts = [ 22 ];
-    })
-
-    (mkIf cfg.defaults.nebula {
-      services.nebula.networks.beatific = let
-        empyreanExternalDns = "vpn.alogoulogoi.com";
-        empyreanInternalIp = "10.22.20.1";
-        nebulaPort = 4242;
+  config = let
   in {
-        enable = true;
-
-        # The lighthouse only listens on the designated subdomain
-        listen.host = if cfg.isLighthouse then empyreanExternalDns else "0.0.0.0";
-        listen.port = nebulaPort;
-
-        # Standard certificate paths
-        ca = "/etc/nebula/beatific/beatific.crt";
-        cert = "/etc/nebula/beatific/${cfg.hostName}.crt";
-        key = "/etc/nebula/beatific/${cfg.hostName}.key";
-
-        isLighthouse = cfg.isLighthouse;
-        # Non-lighthouses connect to the lighthouse at empyrean
-        # This should be a VPN address in the static host map
-        lighthouses = mkIf (! cfg.isLighthouse) [ empyreanInternalIp ];
-
-        # Currently there is no VPN-level traffic filtering
-        firewall.outbound = [ { port = "any"; proto = "any"; host = "any"; } ];
-        firewall.inbound  = [ { port = "any"; proto = "any"; host = "any"; } ];
-
-        # Map the lighthouse address to its public address
-        staticHostMap = { ${empyreanInternalIp} = [ "${empyreanExternalDns}:${toString nebulaPort}" ]; };
-
-        settings = {
-          # Enable UDP holepunching both ways, which allows nodes to establish more direct connections with each other
-          punchy = { punch = true; response = true; };
+    networking.hostName = cfg.hostName;
   };
-      };
-    })
-
-    (mkIf cfg.defaults.tvb {
-      users.groups.tvb = {};
-      users.users.tvb = {
-        isNormalUser = true;
-        group = "tvb";
-        extraGroups = [ "wheel" ];
-        initialPassword = "password";
-        openssh.authorizedKeys.keyFiles = [
-          ../keys/tvb.catacomb.pub
-          ../keys/tvb.empyrean.pub
-          ../keys/tvb.palamas.pub
-          ../keys/tvb.stagirite.pub
-          ../keys/tvb.unfolder.pub
-          ../keys/tvb.vagrant.pub
-        ];
-      };
-    })
-  ];
 }