nix/nixos-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Extract host type to host.nix

Browse Source
This commit is contained in:
niten 2021-10-04 13:23:40 -07:00
parent 2551908093
commit 2ea4f6be5a
9 changed files with 201 additions and 197 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
flake.lock generated
View File

@ -223,7 +223,7 @@
"niten-doom-config": "niten-doom-config" "niten-doom-config": "niten-doom-config"
}, },
"locked": { "locked": {
"narHash": "sha256-LwOAmTxY+qMr6iLedi+ZOOjDQPoALkYOa6fqt6Oz/ew=", "narHash": "sha256-bUeeulkb1X9oZu8fOM35ABq/ib/aJMOoRLJkJ3ww0wM=",
"path": "./nix-home", "path": "./nix-home",
"type": "path" "type": "path"
}, },
@ -242,7 +242,7 @@
"ssh-keypairs": "ssh-keypairs" "ssh-keypairs": "ssh-keypairs"
}, },
"locked": { "locked": {
"narHash": "sha256-p257NrEQFyj3GYNy+F9NBzEtOqMdyOsrpwMtnGnrOYc=", "narHash": "sha256-WK+CxCQwHe1o90s0VLiYRQ62KPiDVf3HSpvt8MOBW8o=",
"path": "/state/secrets", "path": "/state/secrets",
"type": "path" "type": "path"
}, },
@ -332,11 +332,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1633366555, "lastModified": 1633372662,
"narHash": "sha256-xWgLN0MwTbf+mJgbj313KZOoUFvXxo3FNZgXJtUaXeE=", "narHash": "sha256-/SNblv/N9m+We6/GSyu2KU+U+5Ze5FsLkjJEE9lnhaA=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "2ba20b2080e9a0f79e1ba55780cfb5dd61c147ce", "rev": "0699530f08290f34c532beedd66046825d9756fa",
"type": "github" "type": "github"
}, },
"original": { "original": {

1
lib/fudo/dns.nix
View File

@ -1,7 +1,6 @@
{ lib, config, pkgs, ... }: { lib, config, pkgs, ... }:
with lib; with lib;
let let
cfg = config.fudo.dns; cfg = config.fudo.dns;

178
lib/fudo/hosts.nix
View File

@ -4,186 +4,12 @@ with lib;
let let
mapOptional = f: val: if (val != null) then (f val) else null; mapOptional = f: val: if (val != null) then (f val) else null;
masterKeyOpts = { ... }: { host = import ../types/host.nix { inherit lib; };
options = with types; {
key-path = mkOption {
type = str;
description = "Path of the host master key file, used to decrypt secrets.";
};
public-key = mkOption {
type = str;
description = "Public key used during deployment to decrypt secrets for the host.";
};
};
};
hostOpts = { hostname, ... }: {
options = with types; {
master-key = mkOption {
type = nullOr (submodule masterKeyOpts);
description = "Public key for the host master key, used by the host to decrypt secrets.";
default = null;
};
domain = mkOption {
type = str;
description =
"Primary domain to which the host belongs, in the form of a domain name.";
default = "fudo.org";
};
extra-domains = mkOption {
type = listOf str;
description = "Extra domain in which this host is reachable.";
default = [ ];
};
aliases = mkOption {
type = listOf str;
description =
"Host aliases used by the current host. Note this will be multiplied with extra-domains.";
default = [ ];
};
site = mkOption {
type = str;
description = "Site at which the host is located.";
};
local-networks = mkOption {
type = listof str;
description =
"A list of networks to be considered trusted by this host.";
default = [ "127.0.0.0/8" ];
};
profile = mkOption {
type = listOf (enumOf (attrNames config.fudo.profiles));
description =
"The profile to be applied to the host, determining what software is included.";
};
admin-email = mkOption {
type = nullOr str;
description = "Email for the administrator of this host.";
default = null;
};
local-users = mkOption {
type = listOf str;
description =
"List of users who should have local (i.e. login) access to the host.";
default = [ ];
};
description = mkOption {
type = str;
description = "Description of this host.";
default = "Another Fudo Host.";
};
local-admins = mkOption {
type = listOf str;
description =
"A list of users who should have admin access to this host.";
default = [ ];
};
local-groups = mkOption {
type = listOf str;
description = "List of groups which should exist on this host.";
default = [ ];
};
ssh-fingerprints = mkOption {
type = listOf str;
description = ''
A list of DNS SSHFP records for this host. Get with `ssh-keygen -r <hostname>`
'';
default = [ ];
};
rp = mkOption {
type = nullOr str;
description = "Responsible person.";
default = null;
};
tmp-on-tmpfs = mkOption {
type = bool;
description =
"Use tmpfs for /tmp. Great if you've got enough (>16G) RAM.";
default = true;
};
enable-gui = mkEnableOption "Install desktop GUI software.";
docker-server = mkEnableOption "Enable Docker on the current host.";
kerberos-services = mkOption {
type = listOf str;
description =
"List of services which should exist for this host, if it belongs to a realm.";
default = [ "ssh" "host" ];
};
ssh-pubkeys = mkOption {
type = listOf path;
description =
"SSH key files of the host.";
default = [];
};
build-pubkeys = mkOption {
type = listOf str;
description = "SSH public keys used to access the build server.";
default = [ ];
};
external-interfaces = mkOption {
type = listOf str;
description = "A list of interfaces on which to enable the firewall.";
default = [ ];
};
keytab-secret-file = mkOption {
type = nullOr str;
description = "Keytab from which to create a keytab secret.";
default = null;
};
keep-cool = mkOption {
type = bool;
description = "A host that tends to overheat. Try to keep it cooler.";
default = false;
};
nixos-system = mkOption {
type = bool;
description = "Whether the host is a NixOS system.";
default = true;
};
arch = mkOption {
type = str;
description = "System architecture of the system.";
};
machine-id = mkOption {
type = nullOr str;
description = "Machine id of the system. See: man machine-id.";
default = null;
};
android-dev = mkEnableOption "Enable ADB on the host.";
};
};
in { in {
options.fudo.hosts = with types; options.fudo.hosts = with types;
mkOption { mkOption {
type = attrsOf (submodule hostOpts); type = attrsOf (submodule host.hostOpts);
description = "Host configurations for all hosts known to the system."; description = "Host configurations for all hosts known to the system.";
default = { }; default = { };
}; };

14
lib/fudo/local-network.nix
View File

@ -108,20 +108,20 @@ in {
interfaces = cfg.dhcp-interfaces; interfaces = cfg.dhcp-interfaces;
extraConfig = '' extraConfig = ''
subnet ${lib.fudo.ip.getNetworkBase cfg.network} netmask ${ subnet ${pkgs.lib.fudo.ip.getNetworkBase cfg.network} netmask ${
lib.fudo.ip.maskFromV32Network cfg.network pkgs.lib.fudo.ip.maskFromV32Network cfg.network
} { } {
authoritative; authoritative;
option subnet-mask ${lib.fudo.ip.maskFromV32Network cfg.network}; option subnet-mask ${pkgs.lib.fudo.ip.maskFromV32Network cfg.network};
option broadcast-address ${lib.fudo.ip.networkMaxIp cfg.network}; option broadcast-address ${pkgs.lib.fudo.ip.networkMaxIp cfg.network};
option routers ${cfg.gateway}; option routers ${cfg.gateway};
option domain-name-servers ${concatStringsSep " " cfg.dns-servers}; option domain-name-servers ${concatStringsSep " " cfg.dns-servers};
option domain-name "${cfg.domain}"; option domain-name "${cfg.domain}";
option domain-search "${ option domain-search "${
concatStringsSep " " ([ cfg.domain ] ++ cfg.search-domains) concatStringsSep " " ([ cfg.domain ] ++ cfg.search-domains)
}"; }";
range ${lib.fudo.ip.networkMinIp cfg.dhcp-dynamic-network} ${ range ${pkgs.lib.fudo.ip.networkMinIp cfg.dhcp-dynamic-network} ${
lib.fudo.ip.networkMaxButOneIp cfg.dhcp-dynamic-network pkgs.lib.fudo.ip.networkMaxButOneIp cfg.dhcp-dynamic-network
}; };
} }
''; '';
@ -223,7 +223,7 @@ in {
${join-lines (mapAttrsToList hostSshFpRecords network.hosts)} ${join-lines (mapAttrsToList hostSshFpRecords network.hosts)}
${join-lines (mapAttrsToList cnameRecord network.aliases)} ${join-lines (mapAttrsToList cnameRecord network.aliases)}
${join-lines network.verbatim-dns-records} ${join-lines network.verbatim-dns-records}
${lib.fudo.dns.srvRecordsToBindZone network.srv-records} ${pkgs.lib.fudo.dns.srvRecordsToBindZone network.srv-records}
''; '';
}] ++ blockZones; }] ++ blockZones;
}; };

3
lib/instance.nix
View File

@ -3,6 +3,7 @@
with lib; with lib;
let let
user = import ./types/user.nix { inherit lib; }; user = import ./types/user.nix { inherit lib; };
host = import ./types/host.nix { inherit lib; };
in { in {
options.instance = with types; { options.instance = with types; {
@ -37,7 +38,7 @@ in {
}; };
local-hosts = mkOption { local-hosts = mkOption {
type = listOf str; type = listOf (submodule host.hostOpts);
description = "List of hosts that should be considered local to the current host."; description = "List of hosts that should be considered local to the current host.";
}; };

6
lib/ip.nix
View File

@ -2,8 +2,6 @@
with lib; with lib;
let let
joinString = concatStringsSep;
pow = x: e: if (e == 0) then 1 else x * (pow x (e - 1)); pow = x: e: if (e == 0) then 1 else x * (pow x (e - 1));
generateNBits = n: generateNBits = n:
@ -17,7 +15,7 @@ let
rightPadBits = int: bits: bitOr int (generateNBits bits); rightPadBits = int: bits: bitOr int (generateNBits bits);
reverseIpv4 = ip: joinString "." (reverseList (splitString "." ip)); reverseIpv4 = ip: concatStringsSep "." (reverseList (splitString "." ip));
intToBinaryList = int: intToBinaryList = int:
let let
@ -41,7 +39,7 @@ in rec {
in foldr (a: b: a + b) 0 (imap0 (i: el: (leftShift el (i * 8))) els); in foldr (a: b: a + b) 0 (imap0 (i: el: (leftShift el (i * 8))) els);
intToIpv4 = int: intToIpv4 = int:
joinString "." concatStringsSep "."
(map (i: toString (bitAnd (rightShift int (i * 8)) 255)) [ 3 2 1 0 ]); (map (i: toString (bitAnd (rightShift int (i * 8)) 255)) [ 3 2 1 0 ]);
maskFromV32Network = network: maskFromV32Network = network:

4
lib/overlay.nix
View File

@ -1,6 +1,6 @@
(final: prev: let (final: prev: let
ip = import ./lib/ip.nix { lib = prev; }; ip = import ./ip.nix { lib = prev.lib; };
dns = import ./lib/dns.nix { lib = prev; }; dns = import ./dns.nix { lib = prev.lib; };
in { in {
lib = prev.lib // { lib = prev.lib // {
fudo = { fudo = {

180
lib/types/host.nix Normal file
View File

@ -0,0 +1,180 @@
{ lib, ... }:
with lib;
rec {
masterKeyOpts = { ... }: {
options = with types; {
key-path = mkOption {
type = str;
description = "Path of the host master key file, used to decrypt secrets.";
};
public-key = mkOption {
type = str;
description = "Public key used during deployment to decrypt secrets for the host.";
};
};
};
hostOpts = { hostname, ... }: {
options = with types; {
master-key = mkOption {
type = nullOr (submodule masterKeyOpts);
description = "Public key for the host master key, used by the host to decrypt secrets.";
default = null;
};
domain = mkOption {
type = str;
description =
"Primary domain to which the host belongs, in the form of a domain name.";
default = "fudo.org";
};
extra-domains = mkOption {
type = listOf str;
description = "Extra domain in which this host is reachable.";
default = [ ];
};
aliases = mkOption {
type = listOf str;
description =
"Host aliases used by the current host. Note this will be multiplied with extra-domains.";
default = [ ];
};
site = mkOption {
type = str;
description = "Site at which the host is located.";
};
local-networks = mkOption {
type = listOf str;
description =
"A list of networks to be considered trusted by this host.";
default = [ "127.0.0.0/8" ];
};
profile = mkOption {
type = listOf (enum ["desktop" "server" "laptop"]);
description =
"The profile to be applied to the host, determining what software is included.";
};
admin-email = mkOption {
type = nullOr str;
description = "Email for the administrator of this host.";
default = null;
};
local-users = mkOption {
type = listOf str;
description =
"List of users who should have local (i.e. login) access to the host.";
default = [ ];
};
description = mkOption {
type = str;
description = "Description of this host.";
default = "Another Fudo Host.";
};
local-admins = mkOption {
type = listOf str;
description =
"A list of users who should have admin access to this host.";
default = [ ];
};
local-groups = mkOption {
type = listOf str;
description = "List of groups which should exist on this host.";
default = [ ];
};
ssh-fingerprints = mkOption {
type = listOf str;
description = ''
A list of DNS SSHFP records for this host. Get with `ssh-keygen -r <hostname>`
'';
default = [ ];
};
rp = mkOption {
type = nullOr str;
description = "Responsible person.";
default = null;
};
tmp-on-tmpfs = mkOption {
type = bool;
description =
"Use tmpfs for /tmp. Great if you've got enough (>16G) RAM.";
default = true;
};
enable-gui = mkEnableOption "Install desktop GUI software.";
docker-server = mkEnableOption "Enable Docker on the current host.";
kerberos-services = mkOption {
type = listOf str;
description =
"List of services which should exist for this host, if it belongs to a realm.";
default = [ "ssh" "host" ];
};
ssh-pubkeys = mkOption {
type = listOf path;
description =
"SSH key files of the host.";
default = [];
};
build-pubkeys = mkOption {
type = listOf str;
description = "SSH public keys used to access the build server.";
default = [ ];
};
external-interfaces = mkOption {
type = listOf str;
description = "A list of interfaces on which to enable the firewall.";
default = [ ];
};
keytab-secret-file = mkOption {
type = nullOr str;
description = "Keytab from which to create a keytab secret.";
default = null;
};
keep-cool = mkOption {
type = bool;
description = "A host that tends to overheat. Try to keep it cooler.";
default = false;
};
nixos-system = mkOption {
type = bool;
description = "Whether the host is a NixOS system.";
default = true;
};
arch = mkOption {
type = str;
description = "System architecture of the system.";
};
machine-id = mkOption {
type = nullOr str;
description = "Machine id of the system. See: man machine-id.";
default = null;
};
android-dev = mkEnableOption "Enable ADB on the host.";
};
};
}

2
nix-home

@ -1 +1 @@
Subproject commit e47f7bf571ffb300427c3d6855a57b2feb913b4f Subproject commit d40a3ae2c6790afbea81a921b15f465ee63b66d7