prepare configuration for server use

2023-09-10 14:12:01 +02:00 · 2023-09-10 14:12:01 +02:00 · e65ba7c8a6
commit e65ba7c8a6
parent db67663eb6
12 changed files with 188 additions and 7 deletions
--- a/hardware/common-desktop.nix
+++ b/hardware/common-desktop.nix
@ -0,0 +1,33 @@
+{
+  lib,
+  config,
+  ...
+}: let
+  isEnabled = config.my.hardware.common-desktop.enable;
+in {
+  imports = [
+  ];
+
+  options.my.hardware.common-desktop = {
+    enable = lib.mkEnableOption "common desktop hardware settings";
+  };
+
+  config = lib.mkIf isEnabled {
+    boot.loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+
+    # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+    # (the default) this is the recommended approach. When using systemd-networkd it's
+    # still possible to use this option, but it's recommended to use it in conjunction
+    # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+    networking.useDHCP = lib.mkDefault true;
+    # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+    # networking.interfaces.wlp5s0.useDHCP = lib.mkDefault true;
+
+    hardware.enableRedistributableFirmware = true;
+
+    nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  };
+}
--- a/hardware/default.nix
+++ b/hardware/default.nix
@ -6,6 +6,7 @@ hostName: {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
    (builtins.toString ./. + "/${hostName}.nix")
+    ./common-desktop.nix
  ];

  config = {
--- a/hardware/hetzner-vpn1.nix
+++ b/hardware/hetzner-vpn1.nix
@ -0,0 +1,80 @@
+{
+  lib,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot.cleanTmpDir = true;
+  zramSwap.enable = true;
+  networking.domain = "";
+
+  boot.loader.grub = {
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+    device = "nodev";
+  };
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/77CF-345D";
+    fsType = "vfat";
+  };
+  boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront"];
+  boot.initrd.kernelModules = ["nvme"];
+  fileSystems."/" = {
+    device = "/dev/sda1";
+    fsType = "ext4";
+  };
+
+  # This file was populated at runtime with the networking
+  # details gathered from the active system.
+  networking = {
+    nameservers = [
+      "8.8.8.8"
+    ];
+    defaultGateway = "172.31.1.1";
+    defaultGateway6 = {
+      address = "fe80::1";
+      interface = "eth0";
+    };
+    dhcpcd.enable = false;
+    usePredictableInterfaceNames = lib.mkForce false;
+    interfaces = {
+      eth0 = {
+        ipv4.addresses = [
+          {
+            address = "157.90.146.125";
+            prefixLength = 32;
+          }
+        ];
+        ipv6.addresses = [
+          {
+            address = "2a01:4f8:c012:7137::1";
+            prefixLength = 64;
+          }
+          {
+            address = "fe80::9400:2ff:fe87:7fc9";
+            prefixLength = 64;
+          }
+        ];
+        ipv4.routes = [
+          {
+            address = "172.31.1.1";
+            prefixLength = 32;
+          }
+        ];
+        ipv6.routes = [
+          {
+            address = "fe80::1";
+            prefixLength = 128;
+          }
+        ];
+      };
+    };
+  };
+  services.udev.extraRules = ''
+    ATTR{address}=="96:00:02:87:7f:c9", NAME="eth0"
+
+  '';
+}
--- a/hardware/vinzenz-lpt.nix
+++ b/hardware/vinzenz-lpt.nix
@ -1,5 +1,7 @@
 {...}: {
  config = {
+    my.hardware.common-desktop.enable = true;
+
    boot = {
      initrd.availableKernelModules = ["xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sdhci_pci"];
      initrd.kernelModules = [];
--- a/hardware/vinzenz-pc2.nix
+++ b/hardware/vinzenz-pc2.nix
@ -1,5 +1,7 @@
 {...}: {
  config = {
+    my.hardware.common-desktop.enable = true;
+
    boot = {
      initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usbhid" "sd_mod"]; # "usb_storage"
      initrd.kernelModules = [];
--- a/helpers/default.nix
+++ b/helpers/default.nix
@ -0,0 +1,7 @@
+{lib, ...}: {
+  mkIfElse = p: yes: no:
+    lib.mkMerge [
+      (mkIf p yes)
+      (mkIf (!p) no)
+    ];
+}
--- a/hetzner-vpn1.nix
+++ b/hetzner-vpn1.nix
@ -0,0 +1,16 @@
+{...}: {
+  imports = [
+    ./modules
+    (import ./hardware "hetzner-vpn1")
+  ];
+
+  config = {
+    my = {
+      desktop.enable = false;
+      server.enable = true;
+    };
+    users.users.root.openssh.authorizedKeys.keys = [
+      ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICdYqY3Y1/f1bsAi5Qfyr/UWuX9ixu96IeAlhoQaJkbf''
+    ];
+  };
+}
--- a/modules/default.nix
+++ b/modules/default.nix
@ -4,6 +4,7 @@
  ...
 }: let
  cfg = config.my;
+  helpers = import ../helpers;
 in {
  imports = [
    ./home
@ -22,7 +23,7 @@ in {
    services.openssh = {
      enable = true;
      settings = {
-        PermitRootLogin = "no";
+        PermitRootLogin = helpers.mkIfElse config.my.server.enable "yes" "no";
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
      };
--- a/modules/desktop/default.nix
+++ b/modules/desktop/default.nix
@ -22,6 +22,8 @@ in {

      # Enable CUPS to print documents.
      printing.enable = true;
+
+      openssh.settings.PermitRootLogin = "no";
    };

    # Enable sound with pipewire.
--- a/modules/server/default.nix
+++ b/modules/server/default.nix
@ -0,0 +1,33 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: let
+  cfg = config.my.server;
+in {
+  imports = [];
+
+  options.my.server = {
+    enable = lib.mkEnableOption "server role";
+  };
+
+  config = lib.mkIf cfg.enable {
+    services = {
+      services.openssh.enable = true;
+    };
+
+    programs = {
+    };
+
+    networking.firewall = {
+      allowedTCPPortRanges = [
+        {
+          # ssh
+          from = 22;
+          to = 22;
+        }
+      ];
+    };
+  };
+}
--- a/vinzenz-lpt.nix
+++ b/vinzenz-lpt.nix
@ -5,8 +5,10 @@
  ];

  config = {
-    my.gnome.enable = true;
-    my.home.vinzenz.enable = true;
+    my = {
+      gnome.enable = true;
+      home.vinzenz.enable = true;
+    };

    services.flatpak.enable = true;
  };
--- a/vinzenz-pc2.nix
+++ b/vinzenz-pc2.nix
@ -5,10 +5,12 @@
  ];

  config = {
-    my.kde.enable = true;
-    my.home = {
-      vinzenz.enable = true;
-      ronja.enable = true;
+    my = {
+      kde.enable = true;
+      home = {
+        vinzenz.enable = true;
+        ronja.enable = true;
+      };
    };

    users.groups."games" = {