291 lines
7.8 KiB
Nix
291 lines
7.8 KiB
Nix
{ lib, ... }:
|
|
|
|
with lib;
|
|
rec {
|
|
encryptedFSOpts = { ... }: let
|
|
mountpoint = { mp, ... }: {
|
|
options = with types; {
|
|
mountpoint = mkOption {
|
|
type = str;
|
|
description = "Path at which to mount the filesystem.";
|
|
default = mp;
|
|
};
|
|
|
|
options = mkOption {
|
|
type = listOf str;
|
|
description = "List of filesystem options specific to this mountpoint (eg: subvol).";
|
|
};
|
|
|
|
group = mkOption {
|
|
type = nullOr str;
|
|
description = "Group to which the mountpoint should belong.";
|
|
default = null;
|
|
};
|
|
|
|
users = mkOption {
|
|
type = listOf str;
|
|
description = ''
|
|
List of users who should have access to the filesystem.
|
|
|
|
Requires a group to be set.
|
|
'';
|
|
default = [ ];
|
|
};
|
|
};
|
|
};
|
|
in {
|
|
options = with types; {
|
|
encrypted-device = mkOption {
|
|
type = str;
|
|
description = "Path to the encrypted device.";
|
|
};
|
|
|
|
key-path = mkOption {
|
|
type = str;
|
|
description = ''
|
|
Path at which to locate the key file.
|
|
|
|
The filesystem will be decrypted and mounted once available.";
|
|
'';
|
|
};
|
|
|
|
filesystem-type = mkOption {
|
|
type = str;
|
|
description = "Filesystem type of the decrypted filesystem.";
|
|
};
|
|
|
|
options = mkOption {
|
|
type = listOf str;
|
|
description = "List of filesystem options with which to mount.";
|
|
};
|
|
|
|
mountpoints = mkOption {
|
|
type = attrsOf (submodule mountpoint);
|
|
description = "A map of mountpoints for this filesystem to fs options. Multiple to support btrfs.";
|
|
default = {};
|
|
};
|
|
};
|
|
};
|
|
|
|
masterKeyOpts = { ... }: {
|
|
options = with types; {
|
|
key-path = mkOption {
|
|
type = str;
|
|
description = "Path of the host master key file, used to decrypt secrets.";
|
|
};
|
|
|
|
public-key = mkOption {
|
|
type = str;
|
|
description = "Public key used during deployment to decrypt secrets for the host.";
|
|
};
|
|
};
|
|
};
|
|
|
|
hostOpts = { hostname, ... }: {
|
|
options = with types; {
|
|
master-key = mkOption {
|
|
type = nullOr (submodule masterKeyOpts);
|
|
description = "Public key for the host master key, used by the host to decrypt secrets.";
|
|
default = null;
|
|
};
|
|
|
|
domain = mkOption {
|
|
type = str;
|
|
description =
|
|
"Primary domain to which the host belongs, in the form of a domain name.";
|
|
default = "fudo.org";
|
|
};
|
|
|
|
extra-domains = mkOption {
|
|
type = listOf str;
|
|
description = "Extra domain in which this host is reachable.";
|
|
default = [ ];
|
|
};
|
|
|
|
aliases = mkOption {
|
|
type = listOf str;
|
|
description =
|
|
"Host aliases used by the current host. Note this will be multiplied with extra-domains.";
|
|
default = [ ];
|
|
};
|
|
|
|
site = mkOption {
|
|
type = str;
|
|
description = "Site at which the host is located.";
|
|
default = "unsited";
|
|
};
|
|
|
|
local-networks = mkOption {
|
|
type = listOf str;
|
|
description =
|
|
"A list of networks to be considered trusted by this host.";
|
|
default = [ "127.0.0.0/8" ];
|
|
};
|
|
|
|
profile = mkOption {
|
|
type = listOf (enum ["desktop" "server" "laptop"]);
|
|
description =
|
|
"The profile to be applied to the host, determining what software is included.";
|
|
};
|
|
|
|
admin-email = mkOption {
|
|
type = nullOr str;
|
|
description = "Email for the administrator of this host.";
|
|
default = null;
|
|
};
|
|
|
|
local-users = mkOption {
|
|
type = listOf str;
|
|
description =
|
|
"List of users who should have local (i.e. login) access to the host.";
|
|
default = [ ];
|
|
};
|
|
|
|
description = mkOption {
|
|
type = str;
|
|
description = "Description of this host.";
|
|
default = "Another Fudo Host.";
|
|
};
|
|
|
|
local-admins = mkOption {
|
|
type = listOf str;
|
|
description =
|
|
"A list of users who should have admin access to this host.";
|
|
default = [ ];
|
|
};
|
|
|
|
local-groups = mkOption {
|
|
type = listOf str;
|
|
description = "List of groups which should exist on this host.";
|
|
default = [ ];
|
|
};
|
|
|
|
ssh-fingerprints = mkOption {
|
|
type = listOf str;
|
|
description = ''
|
|
A list of DNS SSHFP records for this host. Get with `ssh-keygen -r <hostname>`
|
|
'';
|
|
default = [ ];
|
|
};
|
|
|
|
rp = mkOption {
|
|
type = nullOr str;
|
|
description = "Responsible person.";
|
|
default = null;
|
|
};
|
|
|
|
tmp-on-tmpfs = mkOption {
|
|
type = bool;
|
|
description =
|
|
"Use tmpfs for /tmp. Great if you've got enough (>16G) RAM.";
|
|
default = true;
|
|
};
|
|
|
|
enable-gui = mkEnableOption "Install desktop GUI software.";
|
|
|
|
docker-server = mkEnableOption "Enable Docker on the current host.";
|
|
|
|
kerberos-services = mkOption {
|
|
type = listOf str;
|
|
description =
|
|
"List of services which should exist for this host, if it belongs to a realm.";
|
|
default = [ "ssh" "host" ];
|
|
};
|
|
|
|
ssh-pubkeys = mkOption {
|
|
type = listOf path;
|
|
description =
|
|
"SSH key files of the host.";
|
|
default = [];
|
|
};
|
|
|
|
build-pubkeys = mkOption {
|
|
type = listOf str;
|
|
description = "SSH public keys used to access the build server.";
|
|
default = [ ];
|
|
};
|
|
|
|
external-interfaces = mkOption {
|
|
type = listOf str;
|
|
description = "A list of interfaces on which to enable the firewall.";
|
|
default = [ ];
|
|
};
|
|
|
|
keytab-secret-file = mkOption {
|
|
type = nullOr str;
|
|
description = "Keytab from which to create a keytab secret.";
|
|
default = null;
|
|
};
|
|
|
|
keep-cool = mkOption {
|
|
type = bool;
|
|
description = "A host that tends to overheat. Try to keep it cooler.";
|
|
default = false;
|
|
};
|
|
|
|
nixos-system = mkOption {
|
|
type = bool;
|
|
description = "Whether the host is a NixOS system.";
|
|
default = true;
|
|
};
|
|
|
|
arch = mkOption {
|
|
type = str;
|
|
description = "System architecture of the system.";
|
|
};
|
|
|
|
machine-id = mkOption {
|
|
type = nullOr str;
|
|
description = "Machine id of the system. See: man machine-id.";
|
|
default = null;
|
|
};
|
|
|
|
android-dev = mkEnableOption "Enable ADB on the host.";
|
|
|
|
encrypted-filesystems = mkOption {
|
|
type = attrsOf (submodule encryptedFSOpts);
|
|
description = "List of encrypted filesystems to mount on the local host when the key is available.";
|
|
default = { };
|
|
};
|
|
|
|
initrd-network = let
|
|
keypair-type = { ... }: {
|
|
options = {
|
|
public-key = mkOption {
|
|
type = str;
|
|
description = "SSH public key.";
|
|
};
|
|
|
|
private-key-file = mkOption {
|
|
type = str;
|
|
description = "Path to SSH private key (on the local host!).";
|
|
};
|
|
};
|
|
};
|
|
|
|
initrd-network-config = { ... }: {
|
|
options = {
|
|
ip = mkOption {
|
|
type = str;
|
|
description = "IP to assign to the initrd image, allowing access to host during bootup.";
|
|
};
|
|
keypair = mkOption {
|
|
type = (submodule keypair-type);
|
|
description = "SSH host key pair to use for initrd.";
|
|
};
|
|
interface = mkOption {
|
|
type = str;
|
|
description = "Name of interface on which to listen for connections.";
|
|
};
|
|
};
|
|
};
|
|
|
|
in mkOption {
|
|
type = nullOr (submodule initrd-network-config);
|
|
description = "Configuration parameters to set up initrd SSH network.";
|
|
default = null;
|
|
};
|
|
};
|
|
};
|
|
}
|