From e8dbb049452e014fe89df34cb8f29e7c21c37666 Mon Sep 17 00:00:00 2001
From: Azat Bahawi
Date: Mon, 30 Jan 2023 01:48:52 +0300
Subject: 2023-01-30
---
 modules/nixos/common/ark.nix | 56 +++++++++++++++++++++++++++++++++++++
 modules/nixos/common/default.nix | 1 +
 modules/nixos/common/networking.nix | 8 ++++--
 modules/nixos/common/nix.nix | 4 +--
 modules/nixos/common/secrets.nix | 2 +-
 modules/nixos/common/security.nix | 12 +++++---
 modules/nixos/common/systemd.nix | 6 ++++
 modules/nixos/common/users.nix | 3 ++
 8 files changed, 83 insertions(+), 9 deletions(-)
 create mode 100644 modules/nixos/common/ark.nix
(limited to 'modules/nixos/common')
diff --git a/modules/nixos/common/ark.nix b/modules/nixos/common/ark.nix
new file mode 100644
index 0000000..3a12050
--- /dev/null
+++ b/modules/nixos/common/ark.nix
@@ -0,0 +1,56 @@
+{
+ config,
+ inputs,
+ lib,
+ ...
+}:
+with lib; let
+ cfg = config.nixfiles.modules.ark;
+in {
+ imports = [
+ (mkAliasOptionModule ["ark"] ["nixfiles" "modules" "ark"])
+ inputs.impermanence.nixosModules.impermanence
+ ];
+
+ options.nixfiles.modules.ark = let
+ mkListOfAnythingOption = mkOption {
+ type = with types; listOf anything; # Assumed to be matching with the upstream type.
+ default = [];
+ };
+ in {
+ enable = mkEnableOption "persistent storage support via impermanence";
+
+ path = mkOption {
+ type = types.str;
+ default = "/ark";
+ };
+
+ directories = mkListOfAnythingOption;
+ files = mkListOfAnythingOption;
+ # hm = {
+ # directories = mkListOfAnythingOption;
+ # files = mkListOfAnythingOption;
+ # };
+ };
+
+ config = mkIf cfg.enable {
+ environment.persistence.${cfg.path} = {
+ hideMounts = true;
+ enableDebugging = false;
+ inherit (cfg) directories files;
+ };
+
+ # NOTE We can't reliably[1] use this, so for the time being, this will stay
+ # commented out. Probably forever.
+ #
+ # [1]: https://github.com/nix-community/impermanence/issues/18
+ #
+ # hm = {
+ # imports = [inputs.impermanence.nixosModules.home-manager.impermanence];
+ # home.persistence."${cfg.path}/${config.my.home}" = {
+ # allowOther = false;
+ # inherit (cfg.hm) directories files;
+ # };
+ # };
+ };
+}
diff --git a/modules/nixos/common/default.nix b/modules/nixos/common/default.nix
index 8724c8b..54f8f51 100644
--- a/modules/nixos/common/default.nix
+++ b/modules/nixos/common/default.nix
@@ -1,5 +1,6 @@
 _: {
 imports = [
+ ./ark.nix
 ./console.nix
 ./documentation.nix
 ./home-manager.nix
diff --git a/modules/nixos/common/networking.nix b/modules/nixos/common/networking.nix
index 0c44159..8d94a4e 100644
--- a/modules/nixos/common/networking.nix
+++ b/modules/nixos/common/networking.nix
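Review bot: The `path`, `directories` and `files` options in the new module carry no `description`, and `directories`/`files` are typed `listOf anything`, so a malformed entry (for example a misspelled attribute inside a `{ directory = …; }` set) passes this module's type check and is only rejected, if at all, by impermanence itself. Consider giving each option a `description` stating that entries are handed verbatim to `environment.persistence.<path>.directories` / `.files`, and that `path` becomes the `environment.persistence` attribute name. The comment on `mkListOfAnythingOption` could then name the upstream type it is assumed to match instead of leaving the assumption implicit, which would also make it obvious when that assumption needs re-checking after an impermanence update.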
@@ -12,6 +12,10 @@ in {
 mkEnableOption "custom networking settings";
 config = mkIf (!cfg.onlyDefault) {
+ ark.directories = with config.networking;
+ optional networkmanager.enable "/etc/NetworkManager/system-connections"
+ ++ optional wireless.iwd.enable "/var/lib/iwd";
+
 # TODO Support multiple interfaces and IP addresses.
 networking = mkMerge [
 {
@@ -20,8 +24,8 @@ in {
 hostName = this.hostname;
 hostId = substring 0 8 (builtins.hashString "md5" this.hostname);
- # Remove default hostname mappings. This is required at least by the current
- # implementation of the montoring module.
+ # Remove default hostname mappings. This is required at least by the
+ # current implementation of the monitoring module.
 hosts = {
 "127.0.0.2" = mkForce [];
 "::1" = mkForce [];
diff --git a/modules/nixos/common/nix.nix b/modules/nixos/common/nix.nix
index 71f62fd..48c52b3 100644
--- a/modules/nixos/common/nix.nix
+++ b/modules/nixos/common/nix.nix
@@ -21,10 +21,10 @@ in {
 config.allowUnfreePredicate = p: elem (getName p) cfg.allowedUnfreePackages;
 overlays = with inputs; [
- agenix.overlay
+ agenix.overlays.default
+ nix-minecraft.overlay
 pollymc.overlay
 xmonad-ng.overlays.default
- # nix-minecraft-servers.overlays.default
 ];
 };
diff --git a/modules/nixos/common/secrets.nix b/modules/nixos/common/secrets.nix
index 4fcdc61..c229882 100644
--- a/modules/nixos/common/secrets.nix
+++ b/modules/nixos/common/secrets.nix
@@ -8,7 +8,7 @@
 }:
 with lib; {
 imports = [
- inputs.agenix.nixosModule
+ inputs.agenix.nixosModules.default
 (mkAliasOptionModule ["secrets"] ["age" "secrets"])
 ];
diff --git a/modules/nixos/common/security.nix b/modules/nixos/common/security.nix
index 09c5da1..d146cee 100644
--- a/modules/nixos/common/security.nix
+++ b/modules/nixos/common/security.nix
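Review bot: The two directories added to `ark.directories` (`/etc/NetworkManager/system-connections` and `/var/lib/iwd`) hold network credentials (connection keyfiles and iwd profiles with PSKs), yet they are listed as bare path strings, so the persisted copy gets whatever mode impermanence applies when it first creates the directory on the persistent volume; as far as I recall that default is 0755, looser than the 0700 these services normally use for these paths. Consider the attribute-set form with an explicit mode, e.g. `{ directory = "/etc/NetworkManager/system-connections"; mode = "0700"; }` (and likewise for `/var/lib/iwd`), so the on-disk copy is no more readable than the live one. A one-line comment noting that these paths contain credentials would also tell the next reader why the stricter mode matters. The enclosing `config = mkIf (!cfg.onlyDefault) { … }` block continues past the hunk.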
@@ -9,17 +9,21 @@ with lib; {
 enable = true;
 execWheelOnly = true;
 wheelNeedsPassword = false;
- # https://mwl.io/archives/1000
 extraConfig = ''
- Defaults env_keep += "SSH_CLIENT SSH_CONNECTION SSH_TTY SSH_AUTH_SOCK"
+ Defaults lecture=never
 '';
 };
 polkit = {
 enable = true;
- # https://wiki.archlinux.org/title/Polkit#Bypass_password_prompt
 extraConfig = ''
- polkit.addRule(function (action, subject) {
+ /*
+ * Allow members of the wheel group to execute any actions
+ * without password authentication, similar to "sudo NOPASSWD:".
+ *
+ * https://wiki.archlinux.org/title/Polkit#Bypass_password_prompt
+ */
+ polkit.addRule(function(action, subject) {
 if (subject.isInGroup('wheel')) return polkit.Result.YES;
 });
diff --git a/modules/nixos/common/systemd.nix b/modules/nixos/common/systemd.nix
index 5c7282d..c1b2539 100644
--- a/modules/nixos/common/systemd.nix
+++ b/modules/nixos/common/systemd.nix
@@ -1,4 +1,10 @@
 {pkgs, ...}: {
+ ark = {
+ # FIXME Enable on a fresh system!
+ # files = ["/etc/machine-id"];
+ directories = ["/var/lib/systemd/coredump"];
+ };
+
 hm.systemd.user.startServices = "sd-switch";
 services.journald.extraConfig = ''
diff --git a/modules/nixos/common/users.nix b/modules/nixos/common/users.nix
index 22e8023..400bf33 100644
--- a/modules/nixos/common/users.nix
+++ b/modules/nixos/common/users.nix
@@ -1,5 +1,8 @@
 {lib, ...}:
 with lib; {
+ # TODO Enable on a fresh system.
+ # ark.directories = [config.my.home];
+
 users = {
 mutableUsers = false;
--
cgit v1.2.3
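Review bot: The rewritten polkit rule still returns `polkit.Result.YES` to every wheel member for every action regardless of session state, and the new header comment ("similar to sudo NOPASSWD") under-describes that scope: polkit will also answer YES for a wheel user's remote (SSH) or inactive session and for background processes, which is broader than an interactive desktop prompt bypass. If that breadth is intended, say so in the comment so it is not tightened by accident later; if not, the usual narrowing is `if (subject.isInGroup('wheel') && subject.local && subject.active) return polkit.Result.YES;`. The `sudo` and `polkit` attribute sets both begin outside the hunk.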
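Review bot: Persisting `/var/lib/systemd/coredump` in the systemd.nix hunk means process memory images, which can embed passwords, tokens or key material of whatever crashed, now survive reboots, while nothing in this change bounds how long or how much is kept. Consider pairing the entry with a retention limit in `systemd.coredump.extraConfig` (for example `MaxUse=` or `KeepFree=`) and a comment on the `ark` block stating that dumps are retained deliberately and how they are pruned. The `FIXME` on `/etc/machine-id` would be more actionable if it said why it matters: with the root filesystem not persisted the id is presumably regenerated on every boot, so the journal's machine identity and anything derived from it change each reboot, which complicates correlating logs and host identity across boots.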