authorAzat Bahawi <azat@bahawi.net>2023-01-30 01:48:52 +0300
committerAzat Bahawi <azat@bahawi.net>2023-01-30 01:48:52 +0300
commite8dbb049452e014fe89df34cb8f29e7c21c37666 (patch)
tree8102c252877057fc5c1d5914b36cbb167927e153 /modules/nixos
parent5e81e4814d6da25ce8531baf0bc2d23da7fc26b3 (diff)
2023-01-30
Diffstat (limited to 'modules/nixos')
-rw-r--r--modules/nixos/bluetooth.nix2
-rw-r--r--modules/nixos/common/ark.nix56
-rw-r--r--modules/nixos/common/default.nix1
-rw-r--r--modules/nixos/common/networking.nix8
-rw-r--r--modules/nixos/common/nix.nix4
-rw-r--r--modules/nixos/common/secrets.nix2
-rw-r--r--modules/nixos/common/security.nix12
-rw-r--r--modules/nixos/common/systemd.nix6
-rw-r--r--modules/nixos/common/users.nix3
-rw-r--r--modules/nixos/games/minecraft.nix64
-rw-r--r--modules/nixos/libvirtd.nix2
-rw-r--r--modules/nixos/openssh.nix27
-rw-r--r--modules/nixos/profiles/default.nix3
13 files changed, 164 insertions, 26 deletions
diff --git a/modules/nixos/bluetooth.nix b/modules/nixos/bluetooth.nix
index 8347361..cf92179 100644
--- a/modules/nixos/bluetooth.nix
+++ b/modules/nixos/bluetooth.nix
@@ -11,6 +11,8 @@ in {
mkEnableOption "Bluetooth support";
config = mkIf cfg.enable {
+ ark.directories = ["/var/lib/bluetooth"];
+
hardware.bluetooth = {
enable = true;
settings.General.FastConnectable = true;
diff --git a/modules/nixos/common/ark.nix b/modules/nixos/common/ark.nix
new file mode 100644
index 0000000..3a12050
--- /dev/null
+++ b/modules/nixos/common/ark.nix
@@ -0,0 +1,56 @@
+{
+ config,
+ inputs,
+ lib,
+ ...
+}:
+with lib; let
+ cfg = config.nixfiles.modules.ark;
+in {
+ imports = [
+ (mkAliasOptionModule ["ark"] ["nixfiles" "modules" "ark"])
+ inputs.impermanence.nixosModules.impermanence
+ ];
+
+ options.nixfiles.modules.ark = let
+ mkListOfAnythingOption = mkOption {
+ type = with types; listOf anything; # Assumed to be matching with the upstream type.
+ default = [];
+ };
+ in {
+ enable = mkEnableOption "persistent storage support via impermanence";
+
+ path = mkOption {
+ type = types.str;
+ default = "/ark";
+ };
+
+ directories = mkListOfAnythingOption;
+ files = mkListOfAnythingOption;
+ # hm = {
+ # directories = mkListOfAnythingOption;
+ # files = mkListOfAnythingOption;
+ # };
+ };
+
+ config = mkIf cfg.enable {
+ environment.persistence.${cfg.path} = {
+ hideMounts = true;
+ enableDebugging = false;
+ inherit (cfg) directories files;
+ };
+
+ # NOTE We can't reliably[1] use this, so for the time being, this will stay
+ # commented out. Probably forever.
+ #
+ # [1]: https://github.com/nix-community/impermanence/issues/18
+ #
+ # hm = {
+ # imports = [inputs.impermanence.nixosModules.home-manager.impermanence];
+ # home.persistence."${cfg.path}/${config.my.home}" = {
+ # allowOther = false;
+ # inherit (cfg.hm) directories files;
+ # };
+ # };
+ };
+}
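Review bot: The `path` option is declared as `types.str`, so an empty string or a relative path is accepted at evaluation time and only fails later when `environment.persistence.${cfg.path}` is created; `type = types.path;` would reject non-absolute values up front. None of the three options carries a `description`, which leaves `nixos-option` and generated docs blank for them — e.g. `description = "Mount point of the persistent volume that impermanence bind-mounts from.";` on `path`, and a one-liner each on `directories`/`files` saying they are passed through to `environment.persistence.<path>`. The `# Assumed to be matching with the upstream type.` remark on `mkListOfAnythingOption` is worth turning into a pointer to the upstream option so a future type change is noticed.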
diff --git a/modules/nixos/common/default.nix b/modules/nixos/common/default.nix
index 8724c8b..54f8f51 100644
--- a/modules/nixos/common/default.nix
+++ b/modules/nixos/common/default.nix
@@ -1,5 +1,6 @@
_: {
imports = [
+ ./ark.nix
./console.nix
./documentation.nix
./home-manager.nix
diff --git a/modules/nixos/common/networking.nix b/modules/nixos/common/networking.nix
index 0c44159..8d94a4e 100644
--- a/modules/nixos/common/networking.nix
+++ b/modules/nixos/common/networking.nix
@@ -12,6 +12,10 @@ in {
mkEnableOption "custom networking settings";
config = mkIf (!cfg.onlyDefault) {
+ ark.directories = with config.networking;
+ optional networkmanager.enable "/etc/NetworkManager/system-connections"
+ ++ optional wireless.iwd.enable "/var/lib/iwd";
+
# TODO Support multiple interfaces and IP addresses.
networking = mkMerge [
{
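Review bot: `/etc/NetworkManager/system-connections` holds Wi-Fi PSKs and VPN credentials in plaintext, and it is listed here as a bare string, so the persistence module will create it with its default ownership and mode if it does not yet exist on the persistent volume; whether that default is tighter than world-readable is not visible from this hunk, so it is worth confirming (NetworkManager itself keeps that directory root-only). If the default is too permissive, the entry form that carries a mode, along the lines of `{ directory = "/etc/NetworkManager/system-connections"; mode = "0700"; }`, keeps the secrets from being enumerable by unprivileged users. The same consideration applies to `/var/lib/iwd`, which stores network credentials as well. The enclosing `config` attribute set continues past the end of this hunk.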
@@ -20,8 +24,8 @@ in {
hostName = this.hostname;
hostId = substring 0 8 (builtins.hashString "md5" this.hostname);
- # Remove default hostname mappings. This is required at least by the current
- # implementation of the montoring module.
+ # Remove default hostname mappings. This is required at least by the
+ # current implementation of the monitoring module.
hosts = {
"127.0.0.2" = mkForce [];
"::1" = mkForce [];
diff --git a/modules/nixos/common/nix.nix b/modules/nixos/common/nix.nix
index 71f62fd..48c52b3 100644
--- a/modules/nixos/common/nix.nix
+++ b/modules/nixos/common/nix.nix
@@ -21,10 +21,10 @@ in {
config.allowUnfreePredicate = p: elem (getName p) cfg.allowedUnfreePackages;
overlays = with inputs; [
- agenix.overlay
+ agenix.overlays.default
+ nix-minecraft.overlay
pollymc.overlay
xmonad-ng.overlays.default
- # nix-minecraft-servers.overlays.default
];
};
diff --git a/modules/nixos/common/secrets.nix b/modules/nixos/common/secrets.nix
index 4fcdc61..c229882 100644
--- a/modules/nixos/common/secrets.nix
+++ b/modules/nixos/common/secrets.nix
@@ -8,7 +8,7 @@
}:
with lib; {
imports = [
- inputs.agenix.nixosModule
+ inputs.agenix.nixosModules.default
(mkAliasOptionModule ["secrets"] ["age" "secrets"])
];
diff --git a/modules/nixos/common/security.nix b/modules/nixos/common/security.nix
index 09c5da1..d146cee 100644
--- a/modules/nixos/common/security.nix
+++ b/modules/nixos/common/security.nix
@@ -9,17 +9,21 @@ with lib; {
enable = true;
execWheelOnly = true;
wheelNeedsPassword = false;
- # https://mwl.io/archives/1000
extraConfig = ''
- Defaults env_keep += "SSH_CLIENT SSH_CONNECTION SSH_TTY SSH_AUTH_SOCK"
+ Defaults lecture=never
'';
};
polkit = {
enable = true;
- # https://wiki.archlinux.org/title/Polkit#Bypass_password_prompt
extraConfig = ''
- polkit.addRule(function (action, subject) {
+ /*
+ * Allow members of the wheel group to execute any actions
+ * without password authentication, similar to "sudo NOPASSWD:".
+ *
+ * https://wiki.archlinux.org/title/Polkit#Bypass_password_prompt
+ */
+ polkit.addRule(function(action, subject) {
if (subject.isInGroup('wheel'))
return polkit.Result.YES;
});
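Review bot: The polkit rule grants `polkit.Result.YES` to every `wheel` subject regardless of session state, so it also applies to inactive and remote (non-seat) sessions, which is broader than the "NOPASSWD" analogy in the new comment suggests; limiting it to `if (subject.isInGroup('wheel') && subject.local && subject.active)` keeps the convenience for the physical session while a stray SSH login or background process still hits the normal prompt. Combined with `wheelNeedsPassword = false` on the sudo side, any code running as a wheel user is effectively root on this host, which the comment could state plainly so the trade-off is visible to whoever reads the file next. Dropping the `env_keep` line also means `SSH_AUTH_SOCK` no longer survives `sudo`, which may be intended but is not mentioned in the commit.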
diff --git a/modules/nixos/common/systemd.nix b/modules/nixos/common/systemd.nix
index 5c7282d..c1b2539 100644
--- a/modules/nixos/common/systemd.nix
+++ b/modules/nixos/common/systemd.nix
@@ -1,4 +1,10 @@
{pkgs, ...}: {
+ ark = {
+ # FIXME Enable on a fresh system!
+ # files = ["/etc/machine-id"];
+ directories = ["/var/lib/systemd/coredump"];
+ };
+
hm.systemd.user.startServices = "sd-switch";
services.journald.extraConfig = ''
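Review bot: Persisting `/var/lib/systemd/coredump` keeps process memory images — which can contain credentials, tokens and key material — across reboots without any stated retention bound; if the intent is debugging rather than archival, a size or age limit alongside this entry (the `systemd.coredump.extraConfig` option exists for `MaxUse=`/`KeepFree=` style settings) keeps the exposure window small. A short comment such as `# Keep coredumps across reboots for post-mortem debugging; they may contain secrets, so retention is bounded below.` would record the decision. The `FIXME` on `/etc/machine-id` is fine as a reminder, but note that a regenerated machine-id on a fresh system also changes journald's per-machine journal directory, so enabling it before the first boot of the persistent volume matters.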
diff --git a/modules/nixos/common/users.nix b/modules/nixos/common/users.nix
index 22e8023..400bf33 100644
--- a/modules/nixos/common/users.nix
+++ b/modules/nixos/common/users.nix
@@ -1,5 +1,8 @@
{lib, ...}:
with lib; {
+ # TODO Enable on a fresh system.
+ # ark.directories = [config.my.home];
+
users = {
mutableUsers = false;
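Review bot: The commented-out `ark.directories = [config.my.home];` refers to `config`, but the module's argument set on the first line of the hunk is `{lib, ...}`, so uncommenting it as written will fail with an undefined variable; changing the header to `{config, lib, ...}:` now avoids a surprise when the TODO is picked up. The rest of the `users` attribute set lies outside the hunk.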
diff --git a/modules/nixos/games/minecraft.nix b/modules/nixos/games/minecraft.nix
index 7b21195..09b9239 100644
--- a/modules/nixos/games/minecraft.nix
+++ b/modules/nixos/games/minecraft.nix
@@ -1,5 +1,6 @@
{
config,
+ inputs,
lib,
pkgs,
...
@@ -7,11 +8,19 @@
with lib; let
cfg = config.nixfiles.modules.games.minecraft;
in {
+ imports = [inputs.nix-minecraft.nixosModules.minecraft-servers];
+
options.nixfiles.modules.games.minecraft = {
client.enable = mkEnableOption "Minecraft client";
server = {
enable = mkEnableOption "Minecraft server";
+ port = mkOption {
+ description = "OpenSSH server port.";
+ type = types.port;
+ default = 50505; # Keeping 25565 as the default is a big security risk.
+ };
+
memory = mkOption {
description = "Amount of RAM to allocate.";
type = types.str;
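Review bot: The `description` on the new `port` option reads "OpenSSH server port." — a copy-paste leftover; it should be `description = "Minecraft server port.";` so generated option docs are not misleading. The inline remark that keeping 25565 is "a big security risk" overstates what a non-default port buys: it reduces background scanner noise but is not an access control, and the actual access control for this server is decided by `online-mode` and the whitelist further down in this file. The `server` option set continues past the hunk.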
@@ -25,26 +34,53 @@ in {
hm.home.packages = with pkgs; [prismlauncher];
})
(mkIf cfg.server.enable {
- # Configurations, opslist, whitelist and plugins are managed imperatively.
- # TODO Make it declarative.
- services.minecraft-server = {
+ nixfiles.modules.common.nix.allowedUnfreePackages = ["minecraft-server"];
+
+ ark.directories = [config.services.minecraft-servers.dataDir];
+
+ services.minecraft-servers = {
enable = true;
eula = true;
- package = pkgs.minecraftServers.purpur_1_19_3;
+ openFirewall = true;
+
+ servers.default = {
+ enable = true;
+ autoStart = true;
+
+ package = pkgs.paperServers.paper-1_19_3;
+
+ serverProperties = {
+ # motd = "";
+ # white-list = true;
+ allow-flight = true;
+ difficulty = "hard";
+ enable-command-block = true;
+ enforce-secure-profile = false;
+ enforce-whitelist = true;
+ gamemode = "survival";
+ level-name = "default";
+ max-players = 8;
+ online-mode = false;
+ previews-chat = false;
+ pvp = false;
+ server-port = cfg.server.port;
+ snooper-enabled = false;
+ };
+
+ whitelist = {}; # TODO Fill this.
- # TODO Make a PR fixing trailing whitespace on this.
- jvmOpts =
- (concatStringsSep " " [
- "-Xmx${cfg.server.memory}"
- "-Xms${cfg.server.memory}"
- "--add-modules=jdk.incubator.vector"
- ])
- + " ";
+ jvmOpts =
+ (concatStringsSep " " [
+ "-Xms${cfg.server.memory}"
+ "-Xmx${cfg.server.memory}"
+ "--add-modules=jdk.incubator.vector" # Required by some plugins.
+ ])
+ + " ";
+ };
};
- # Defined in /var/lib/minecraft/server.properties.
- networking.firewall.allowedTCPPorts = [55565];
+ my.extraGroups = [config.services.minecraft-servers.group];
})
];
}
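Review bot: `online-mode = false` disables Mojang account verification, so with `openFirewall = true` the server is reachable from the network and the name-based whitelist (`enforce-whitelist = true`, `whitelist = {}` still empty) can be satisfied by any client that simply claims a listed username; `enforce-secure-profile = false` removes the remaining identity check as well. Unless the server is only reachable over a trusted network, `online-mode = true;` is the setting that makes the whitelist meaningful, and the empty `whitelist` should be filled before `openFirewall` is turned on. It is also worth a comment explaining why `online-mode` is off, since the defaults it overrides are the security-relevant ones. The trailing `+ " "` on `jvmOpts` carries over the workaround from the old module without the `TODO` that explained it; keeping that comment would stop someone from "cleaning it up".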
diff --git a/modules/nixos/libvirtd.nix b/modules/nixos/libvirtd.nix
index 58dfc50..a246c98 100644
--- a/modules/nixos/libvirtd.nix
+++ b/modules/nixos/libvirtd.nix
@@ -10,6 +10,8 @@ in {
options.nixfiles.modules.libvirtd.enable = mkEnableOption "libvirtd";
config = mkIf cfg.enable {
+ ark.directories = ["/var/lib/libvirt"];
+
hm.home.packages = with pkgs; [
qemu-utils
quickemu
diff --git a/modules/nixos/openssh.nix b/modules/nixos/openssh.nix
index 36b85f8..0cd44bd 100644
--- a/modules/nixos/openssh.nix
+++ b/modules/nixos/openssh.nix
@@ -18,15 +18,36 @@ in {
};
config = mkIf cfg.server.enable {
+ # TODO Enable on a fresh system.
+ # ark = {
+ # files = [
+ # "/etc/ssh/ssh_host_ed25519_key"
+ # "/etc/ssh/ssh_host_ed25519_key.pub"
+ # "/etc/ssh/ssh_host_rsa_key"
+ # "/etc/ssh/ssh_host_rsa_key.pub"
+ # ];
+ # directories = ["/etc/ssh/authorized_keys.d"];
+ # };
+
programs.mosh.enable = true;
services = {
openssh = {
enable = true;
ports = [cfg.server.port];
- logLevel = "VERBOSE"; # Required by fail2ban.
- permitRootLogin = mkForce "no";
- passwordAuthentication = false;
+ settings = {
+ AllowUsers = my.username;
+ ClientAliveCountMax = 3;
+ ClientAliveInterval = 60;
+ KbdInteractiveAuthentication = false;
+ LogLevel =
+ if config.nixfiles.modules.fail2ban.enable
+ then "VERBOSE"
+ else "ERROR";
+ MaxAuthTries = 3;
+ PasswordAuthentication = false;
+ PermitRootLogin = "no";
+ };
};
fail2ban.jails.sshd = ''
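Review bot: `LogLevel` falls back to `"ERROR"` when fail2ban is disabled, which suppresses sshd's accepted/failed authentication messages (those are emitted at INFO), so the host keeps no login trail in that configuration; `else "INFO"` preserves the audit record while still being quieter than VERBOSE. `PermitRootLogin` lost its `mkForce`, so another module setting a different value now produces an evaluation conflict instead of being silently overridden — arguably safer, but worth a one-line comment so the change is understood as intentional. The commented `ark.files` block lists the host private keys; when it is enabled, confirm the persistence module's per-file mode keeps `ssh_host_*_key` at 0600, since sshd refuses keys that are group/world readable. The `services` attribute set and the `fail2ban.jails.sshd` definition continue past the end of the hunk.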
diff --git a/modules/nixos/profiles/default.nix b/modules/nixos/profiles/default.nix
index d5ab838..23eb455 100644
--- a/modules/nixos/profiles/default.nix
+++ b/modules/nixos/profiles/default.nix
@@ -15,6 +15,9 @@ in {
];
config = mkIf cfg.enable {
+ # FIXME Enable on a fresh system!
+ # ark.directories = ["/var/log"];
+
programs.less = {
enable = true;
envVariables.LESSHISTFILE = "-";