Convert common NixOS config to a module

2022-06-21 14:13:32 -07:00 · 2022-06-21 14:13:32 -07:00 · 88ab8e0d76
commit 88ab8e0d76
parent 67ac31ff22
3 changed files with 265 additions and 264 deletions
--- a/common/nixos.nix
+++ b/common/nixos.nix
@ -1,6 +1,10 @@
 { config, lib, pkgs, ... }:

 let
+  # Module
+  host = config.host;
+
+  # Resources
  palette = import ./resources/palette.nix;
 in
 {
@ -9,230 +13,249 @@ in
    ../packages/kmonad.nix
  ];

-  # Overrides
-  nixpkgs.overlays = [
-    # Pending https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/5370
-    (_: pkgs: {
-      gnome = pkgs.gnome.overrideScope' (_: gnome: {
-        gnome-shell = gnome.gnome-shell.overrideAttrs (gnome-shell: {
-          patches = gnome-shell.patches ++ [ ../patches/gnome-shell_screenshot-location.patch ];
+  options.host = {
+    name = lib.mkOption { type = lib.types.str; };
+    local = lib.mkOption { type = lib.types.path; };
+    resources = lib.mkOption { type = lib.types.path; };
+  };
+
+  config = {
+    # Overrides
+    nixpkgs.overlays = [
+      # Pending https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/5370
+      (_: pkgs: {
+        gnome = pkgs.gnome.overrideScope' (_: gnome: {
+          gnome-shell = gnome.gnome-shell.overrideAttrs (gnome-shell: {
+            patches = gnome-shell.patches ++ [ ../patches/gnome-shell_screenshot-location.patch ];
+          });
        });
-      });
-    })
-  ];
-
-  # Nix
-  nix.autoOptimiseStore = true;
-  nix.gc = { automatic = true; options = "--delete-older-than 7d"; };
-  nix.extraOptions = ''
-    # Recommended by nix-direnv
-    keep-outputs = true
-    keep-derivations = true
-  '';
-  nixpkgs.config.allowUnfree = true;
-
-  # Boot
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.systemd-boot.memtest86.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-  boot.plymouth.enable = true;
-
-  # Swap
-  zramSwap.enable = true;
-
-  # Filesystems
-  boot.initrd.luks = {
-    gpgSupport = true;
-    devices.pv = {
-      device = "/dev/disk/by-partlabel/pv-enc";
-      allowDiscards = true;
-      fallbackToPassword = true;
-      gpgCard.encryptedPass = ./local/resources/luks-passphrase.gpg;
-      gpgCard.publicKey = ./resources/andrew.asc;
-    };
-  };
-  fileSystems."/".options = [ "compress=zstd:2" "discard=async" "noatime" ];
-  services.btrfs.autoScrub.enable = true;
-  boot.cleanTmpDir = true;
-
-  # Time and locale
-  time.timeZone = "America/Los_Angeles";
-  i18n.extraLocaleSettings.LC_TIME = "en_DK.UTF-8";
-
-  # Networking
-  networking.domain = "home.arpa";
-  networking.search = [ "home.arpa" ];
-  # Workaround for `avahi-daemon[1234]: Failed to read /etc/avahi/services.`
-  # Upstream: https://github.com/lathiat/avahi/blob/v0.8/avahi-daemon/static-services.c#L917-L919
-  system.activationScripts.etcAvahiServices = "mkdir -p /etc/avahi/services";
-
-  # Console
-  console.packages = with pkgs; [ terminus_font ];
-  console.font = "ter-v32n";
-  console.colors = map (lib.removePrefix "#") (with palette; [
-    "#000000" red green yellow blue orange purple white
-    gray red green yellow blue orange purple white
-  ]);
-
-  # Keyboard
-  services.xserver.extraLayouts.halmakish = {
-    description = "Halmakish";
-    languages = [ "eng" ];
-    symbolsFile = ./resources/halmakish.xkb;
-  };
-  services.xserver.layout = "halmakish";
-  console.useXkbConfig = true;
-  services.kmonad.enable = true;
-
-  # Power
-  systemd.ctrlAltDelUnit = "poweroff.target";
-
-  # Authentication
-  security.pam.u2f = {
-    enable = true;
-    control = "sufficient";
-    cue = true;
-  };
-
-  # Authorization
-  security.sudo.extraRules = [
-    {
-      groups = [ "wheel" ];
-      commands = [
-        { command = "/run/current-system/sw/bin/btrfs balance start --enqueue -dusage=50 -musage=50 /"; options = [ "NOPASSWD" ]; }
-        { command = "/run/current-system/sw/bin/nix-channel --update"; options = [ "NOPASSWD" ]; }
-        { command = "/run/current-system/sw/bin/nixos-rebuild boot"; options = [ "NOPASSWD" ]; }
-        { command = "/run/current-system/sw/bin/nixos-rebuild switch"; options = [ "NOPASSWD" ]; }
-        { command = "/run/current-system/sw/bin/poweroff"; options = [ "NOPASSWD" ]; }
-      ];
-    }
-  ];
-
-  # SSH
-  services.openssh = { enable = true; passwordAuthentication = false; };
-
-  # Mail
-  services.postfix = {
-    enable = true;
-    config = {
-      relayhost = "[email-smtp.us-west-2.amazonaws.com]:587";
-      smtp_use_tls = "yes";
-      smtp_tls_security_level = "encrypt";
-      smtp_tls_note_starttls_offer = "yes";
-      smtp_sasl_auth_enable = "yes";
-      smtp_sasl_security_options = "noanonymous";
-      smtp_sasl_password_maps = "hash:/var/lib/postfix/conf/smtp_sasl_password_maps";
-    };
-    origin = "andrew.kvalhe.im";
-    destination = [ ]; # Disable local delivery
-  };
-  systemd.services."alert@" = {
-    description = "Alert of failed %I";
-    serviceConfig.SyslogIdentifier = "%p";
-    serviceConfig.Type = "oneshot";
-    serviceConfig.ExecStart = ''
-      ${pkgs.bash}/bin/bash -c "${pkgs.system-sendmail}/bin/sendmail -i root \
-      <<< $'Subject: %I failed\n\n'\"$(systemctl --full status %I)\""
-    '';
-  };
-
-  # SMART monitoring
-  services.smartd = {
-    enable = true;
-    notifications.mail.enable = true;
-  };
-
-  # Firmware updates
-  services.fwupd.enable = true;
-
-  # Audio
-  hardware.pulseaudio.enable = false;
-  security.rtkit.enable = true;
-  services.pipewire = {
-    enable = true;
-    alsa = { enable = true; support32Bit = true; };
-    pulse.enable = true;
-  };
-
-  # Printer
-  services.printing.enable = true;
-  services.printing.drivers = with pkgs; [ brgenml1cupswrapper ];
-  hardware.printers = {
-    ensureDefaultPrinter = "DCP-7065DN";
-    ensurePrinters = [{
-      name = "DCP-7065DN";
-      description = "Brother DCP-7065DN";
-      model = "brother-BrGenML1-cups-en.ppd";
-      deviceUri = "lpd://lumberjack/binary_p1";
-    }];
-  };
-
-  # Scanner
-  hardware.sane.enable = true;
-  hardware.sane.brscan4 = {
-    enable = true;
-    netDevices.DCP-7065DN = { model = "DCP-7065DN"; nodename = "lumberjack"; };
-  };
-
-  # Graphical environment
-  services.xserver.enable = true;
-  services.xserver.displayManager.gdm.enable = true;
-  services.xserver.desktopManager.gnome.enable = true;
-
-  # Applications
-  environment.gnome.excludePackages = with pkgs; [
-    gnome.epiphany
-    gnome.geary
-    gnome.gnome-calculator
-    gnome.gnome-maps
-    gnome.gnome-music
-    gnome.gnome-weather
-    gnome-photos
-  ];
-  services.pcscd.enable = true;
-  programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
-  virtualisation = {
-    containers.registries.search = [ "docker.io" ];
-    docker = { enable = true; enableOnBoot = false; autoPrune.enable = true; };
-    podman.enable = true;
-    libvirtd.enable = true;
-  };
-  programs.zsh.enable = true;
-  environment.localBinInPath = true;
-
-  # Users
-  users.mutableUsers = false;
-  users.groups.ak.gid = 1000;
-  users.users.ak = {
-    isNormalUser = true;
-    uid = 1000;
-    group = "ak";
-    extraGroups = [
-      "wheel"
-      "networkmanager"
-      "lp"
-      "scanner"
-      "podman"
-      "docker"
-      "libvirtd"
+      })
    ];
-    description = "Andrew";
-    hashedPassword = builtins.readFile ./local/resources/ak.passwd;
-    shell = pkgs.zsh;
-    openssh.authorizedKeys.keys = [ (builtins.readFile ./resources/andrew.pub) ];
-  };

-  # Backup
-  systemd.services.mirror = {
-    description = "Mirror to closet";
-    serviceConfig.Type = "oneshot";
-    serviceConfig.Nice = 10;
-    onFailure = [ "alert@%n.service" ];
-    path = with pkgs; [ netcat openssh rsync ];
-  };
-  systemd.timers.mirror = {
-    timerConfig.OnCalendar = "00,12,17:00 America/Los_Angeles";
-    timerConfig.Persistent = true;
-    wantedBy = [ "timers.target" ];
+    # Nix
+    nix.autoOptimiseStore = true;
+    nix.gc = { automatic = true; options = "--delete-older-than 7d"; };
+    nix.extraOptions = ''
+      # Recommended by nix-direnv
+      keep-outputs = true
+      keep-derivations = true
+    '';
+    nixpkgs.config.allowUnfree = true;
+
+    # Boot
+    boot.loader.systemd-boot.enable = true;
+    boot.loader.systemd-boot.memtest86.enable = true;
+    boot.loader.efi.canTouchEfiVariables = true;
+    boot.plymouth.enable = true;
+
+    # Swap
+    zramSwap.enable = true;
+
+    # Filesystems
+    boot.initrd.luks = {
+      gpgSupport = true;
+      devices.pv = {
+        device = "/dev/disk/by-partlabel/pv-enc";
+        allowDiscards = true;
+        fallbackToPassword = true;
+        gpgCard.encryptedPass = ./local/resources/luks-passphrase.gpg;
+        gpgCard.publicKey = ./resources/andrew.asc;
+      };
+    };
+    fileSystems."/".options = [ "compress=zstd:2" "discard=async" "noatime" ];
+    services.btrfs.autoScrub.enable = true;
+    boot.cleanTmpDir = true;
+
+    # Time and locale
+    time.timeZone = "America/Los_Angeles";
+    i18n.extraLocaleSettings.LC_TIME = "en_DK.UTF-8";
+
+    # Networking
+    networking.hostName = host.name;
+    networking.domain = "home.arpa";
+    networking.search = [ "home.arpa" ];
+    # Workaround for `avahi-daemon[1234]: Failed to read /etc/avahi/services.`
+    # Upstream: https://github.com/lathiat/avahi/blob/v0.8/avahi-daemon/static-services.c#L917-L919
+    system.activationScripts.etcAvahiServices = "mkdir -p /etc/avahi/services";
+
+    # Console
+    console.packages = with pkgs; [ terminus_font ];
+    console.font = "ter-v32n";
+    console.colors = map (lib.removePrefix "#") (with palette; [
+      "#000000" red green yellow blue orange purple white
+      gray red green yellow blue orange purple white
+    ]);
+
+    # Keyboard
+    services.xserver.extraLayouts.halmakish = {
+      description = "Halmakish";
+      languages = [ "eng" ];
+      symbolsFile = ./resources/halmakish.xkb;
+    };
+    services.xserver.layout = "halmakish";
+    console.useXkbConfig = true;
+    services.kmonad = {
+      enable = true;
+      keyboards.default = {
+        config = builtins.readFile (host.resources + "/halmakish.kbd");
+        fallthrough = true;
+        allowCommands = false;
+      };
+    };
+
+    # Power
+    systemd.ctrlAltDelUnit = "poweroff.target";
+
+    # Authentication
+    security.pam.u2f = {
+      enable = true;
+      appId = "pam://${host.name}";
+      control = "sufficient";
+      cue = true;
+    };
+
+    # Authorization
+    security.sudo.extraRules = [
+      {
+        groups = [ "wheel" ];
+        commands = [
+          { command = "/run/current-system/sw/bin/btrfs balance start --enqueue -dusage=50 -musage=50 /"; options = [ "NOPASSWD" ]; }
+          { command = "/run/current-system/sw/bin/nix-channel --update"; options = [ "NOPASSWD" ]; }
+          { command = "/run/current-system/sw/bin/nixos-rebuild boot"; options = [ "NOPASSWD" ]; }
+          { command = "/run/current-system/sw/bin/nixos-rebuild switch"; options = [ "NOPASSWD" ]; }
+          { command = "/run/current-system/sw/bin/poweroff"; options = [ "NOPASSWD" ]; }
+        ];
+      }
+    ];
+
+    # SSH
+    services.openssh = { enable = true; passwordAuthentication = false; };
+
+    # Mail
+    services.postfix = {
+      enable = true;
+      config = {
+        relayhost = "[email-smtp.us-west-2.amazonaws.com]:587";
+        smtp_use_tls = "yes";
+        smtp_tls_security_level = "encrypt";
+        smtp_tls_note_starttls_offer = "yes";
+        smtp_sasl_auth_enable = "yes";
+        smtp_sasl_security_options = "noanonymous";
+        smtp_sasl_password_maps = "hash:/var/lib/postfix/conf/smtp_sasl_password_maps";
+      };
+      origin = "andrew.kvalhe.im";
+      destination = [ ]; # Disable local delivery
+      mapFiles.smtp_sasl_password_maps = (host.local + "/resources/smtp-sasl-password-maps");
+    };
+    systemd.services."alert@" = {
+      description = "Alert of failed %I";
+      serviceConfig.SyslogIdentifier = "%p";
+      serviceConfig.Type = "oneshot";
+      serviceConfig.ExecStart = ''
+        ${pkgs.bash}/bin/bash -c "${pkgs.system-sendmail}/bin/sendmail -i root \
+        <<< $'Subject: %I failed\n\n'\"$(systemctl --full status %I)\""
+      '';
+    };
+
+    # SMART monitoring
+    services.smartd = {
+      enable = true;
+      notifications.mail.enable = true;
+    };
+
+    # Firmware updates
+    services.fwupd.enable = true;
+
+    # Audio
+    hardware.pulseaudio.enable = false;
+    security.rtkit.enable = true;
+    services.pipewire = {
+      enable = true;
+      alsa = { enable = true; support32Bit = true; };
+      pulse.enable = true;
+    };
+
+    # Printer
+    services.printing.enable = true;
+    services.printing.drivers = with pkgs; [ brgenml1cupswrapper ];
+    hardware.printers = {
+      ensureDefaultPrinter = "DCP-7065DN";
+      ensurePrinters = [{
+        name = "DCP-7065DN";
+        description = "Brother DCP-7065DN";
+        model = "brother-BrGenML1-cups-en.ppd";
+        deviceUri = "lpd://lumberjack/binary_p1";
+      }];
+    };
+
+    # Scanner
+    hardware.sane.enable = true;
+    hardware.sane.brscan4 = {
+      enable = true;
+      netDevices.DCP-7065DN = { model = "DCP-7065DN"; nodename = "lumberjack"; };
+    };
+
+    # Graphical environment
+    services.xserver.enable = true;
+    services.xserver.displayManager.gdm.enable = true;
+    services.xserver.desktopManager.gnome.enable = true;
+
+    # Applications
+    environment.gnome.excludePackages = with pkgs; [
+      gnome.epiphany
+      gnome.geary
+      gnome.gnome-calculator
+      gnome.gnome-maps
+      gnome.gnome-music
+      gnome.gnome-weather
+      gnome-photos
+    ];
+    services.pcscd.enable = true;
+    programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
+    virtualisation = {
+      containers.registries.search = [ "docker.io" ];
+      docker = { enable = true; enableOnBoot = false; autoPrune.enable = true; };
+      podman.enable = true;
+      libvirtd.enable = true;
+    };
+    programs.zsh.enable = true;
+    environment.localBinInPath = true;
+
+    # Users
+    users.mutableUsers = false;
+    users.groups.ak.gid = 1000;
+    users.users.ak = {
+      isNormalUser = true;
+      uid = 1000;
+      group = "ak";
+      extraGroups = [
+        "wheel"
+        "networkmanager"
+        "lp"
+        "scanner"
+        "podman"
+        "docker"
+        "libvirtd"
+      ];
+      description = "Andrew";
+      hashedPassword = builtins.readFile ./local/resources/ak.passwd;
+      shell = pkgs.zsh;
+      openssh.authorizedKeys.keys = [ (builtins.readFile ./resources/andrew.pub) ];
+    };
+
+    # Backup
+    systemd.services.mirror = {
+      description = "Mirror to closet";
+      serviceConfig.Type = "oneshot";
+      serviceConfig.Nice = 10;
+      onFailure = [ "alert@%n.service" ];
+      path = with pkgs; [ netcat openssh rsync ];
+      script = builtins.readFile (host.local + "/resources/mirror.sh");
+    };
+    systemd.timers.mirror = {
+      timerConfig.OnCalendar = "00,12,17:00 America/Los_Angeles";
+      timerConfig.Persistent = true;
+      wantedBy = [ "timers.target" ];
+    };
  };
 }
--- a/hosts/main/nixos.nix
+++ b/hosts/main/nixos.nix
@ -9,7 +9,16 @@
    ./local/nixos.nix
  ];

+  # Host parameters
+  host = {
+    name = "main";
+    local = ./local;
+    resources = ./resources;
+  };
+
  # Hardware
+  services.fstrim.enable = true;
+  services.kmonad.keyboards.default.device = "/dev/input/by-path/platform-i8042-serio-0-event-kbd";
  systemd.tmpfiles.rules = [ "w /sys/class/sound/ctl-led/mic/mode - - - - follow-route" ];

  # Nix
@ -17,7 +26,6 @@
  nixpkgs = import ./nixpkgs.nix;

  # Filesystems
-  services.fstrim.enable = true;
  # TODO: Set `chattr +i` on intermittent mount points
  fileSystems = {
    "/home/ak/annex" = {
@ -53,32 +61,12 @@
  };

  # Networking
-  networking.hostName = "main";
-  networking.domain = "home.arpa";
-  networking.search = [ "home.arpa" ];
  systemd.network.links = {
    "10-dock".linkConfig.Name = "dock";
    "10-jack".linkConfig.Name = "jack";
    "10-wifi".linkConfig.Name = "wifi";
  };

-  # Keyboard
-  services.kmonad.keyboards.default = {
-    device = "/dev/input/by-path/platform-i8042-serio-0-event-kbd";
-    config = builtins.readFile ./resources/halmakish.kbd;
-    fallthrough = true;
-    allowCommands = false;
-  };
-
-  # Authentication
-  security.pam.u2f.appId = "pam://main";
-
-  # Mail
-  services.postfix.mapFiles.smtp_sasl_password_maps = ./local/resources/smtp-sasl-password-maps;
-
-  # Backup
-  systemd.services.mirror.script = builtins.readFile ./local/resources/mirror.sh;
-
  # Wireshark
  programs.wireshark.enable = true;
  users.users.ak.extraGroups = [ "wireshark" ];
--- a/hosts/wrangler/nixos.nix
+++ b/hosts/wrangler/nixos.nix
@ -8,33 +8,23 @@
    ./local/nixos.nix
  ];

+  # Host parameters
+  host = {
+    name = "wrangler";
+    local = ./local;
+    resources = ./resources;
+  };
+
+  # Hardware
+  services.fstrim.enable = true;
+  services.kmonad.keyboards.default.device = "/dev/input/by-path/platform-i8042-serio-0-event-kbd";
+
  # Nix
  system.stateVersion = "21.11"; # Permanent
  nixpkgs = import ./nixpkgs.nix;

-  # Filesystems
-  services.fstrim.enable = true;
-
  # Networking
-  networking.hostName = "wrangler";
  systemd.network.links = {
    "10-wifi".linkConfig.Name = "wifi";
  };
-
-  # Keyboard
-  services.kmonad.keyboards.default = {
-    device = "/dev/input/by-path/platform-i8042-serio-0-event-kbd";
-    config = builtins.readFile ./resources/halmakish.kbd;
-    fallthrough = true;
-    allowCommands = false;
-  };
-
-  # Authentication
-  security.pam.u2f.appId = "pam://wrangler";
-
-  # Mail
-  services.postfix.mapFiles.smtp_sasl_password_maps = ./local/resources/smtp-sasl-password-maps;
-
-  # Backup
-  systemd.services.mirror.script = builtins.readFile ./local/resources/mirror.sh;
 }