From 509f2839240bfe300067aa6b7942ac9b1de5ad28 Mon Sep 17 00:00:00 2001
From: Ingolf Wagner
Date: Thu, 8 Aug 2024 16:39:50 +0200
Subject: [PATCH] introduced features

---
 components/gui/browser.nix | 9 ++
 components/nixos/boot/default.nix | 16 ----
 components/nixos/boot/tor.nix | 95 --------------------
 components/nixos/default.nix | 1 -
 features/boot/default.nix | 6 ++
 {components/nixos => features}/boot/ssh.nix | 13 +--
 features/boot/tor.nix | 65 ++++++++++++++
 features/default.nix | 3 +
 flake.nix | 9 ++
 machines/cherry/configuration.nix | 3 -
 machines/chungus/configuration.nix | 6 +-
 machines/cream/configuration.nix | 3 -
 machines/orbi/configuration.nix | 6 +-
 machines/orbi/media-nextcloud.nix | 4 +-
 machines/orbi/media-transmission2.nix | 4 +-
 machines/orbi/service-photoprism.nix | 4 +-
 machines/orbi/service-surrealdb.nix | 4 +-
 machines/orbi/service-vikunja.nix | 4 +-
 machines/orbi/social-matrix-terranix.nix | 4 +-
 machines/probe/configuration.nix | 7 +-
 machines/sternchen/configuration.nix | 2 -
 modules/browser.nix | 1 -
 system/all/default.nix | 2 -
 23 files changed, 113 insertions(+), 158 deletions(-)
 delete mode 100644 components/nixos/boot/default.nix
 delete mode 100644 components/nixos/boot/tor.nix
 create mode 100644 features/boot/default.nix
 rename {components/nixos => features}/boot/ssh.nix (64%)
 create mode 100644 features/boot/tor.nix
 create mode 100644 features/default.nix

diff --git a/components/gui/browser.nix b/components/gui/browser.nix
index b6ff7ba..38528af 100644
--- a/components/gui/browser.nix
+++ b/components/gui/browser.nix
@@ -34,50 +34,59 @@ in
 home = "${homeFolder}/development-browser";
 homeBackup = "${backupFolder}/development-browser";
 gpu = false;
+ sudoUsers = [ config.users.users.mainUser.name ];
 };
 google = {
 home = "${homeFolder}/google-browser";
 homeBackup = "${backupFolder}/google-browser";
 gpu = false;
+ sudoUsers = [ config.users.users.mainUser.name ];
 };
 finance = {
 home = "${homeFolder}/finance-browser";
 homeBackup = "${backupFolder}/finance-browser";
 gpu = false;
+ sudoUsers = [ config.users.users.mainUser.name ];
 };
 facebook = {
 home = "${homeFolder}/facebook-browser";
 homeBackup = "${backupFolder}/facebook-browser";
 gpu = false;
+ sudoUsers = [ config.users.users.mainUser.name ];
 };
 shopping = {
 home = "${homeFolder}/shopping-browser";
 homeBackup = "${backupFolder}/shopping-browser";
 gpu = false;
+ sudoUsers = [ config.users.users.mainUser.name ];
 };
 jobrad = {
 browserType = "chrome";
 home = "${homeFolder}/jobrad-chrome";
 homeBackup = "${backupFolder}/jobrad-chrome";
 gpu = false;
+ sudoUsers = [ config.users.users.mainUser.name ];
 };
 firefox-tmp = {
 browserType = "firefox";
 home = "${homeFolder}/firefox-tmp";
 homeBackup = "${backupFolder}/firefox-tmp-browser";
 gpu = false;
+ sudoUsers = [ config.users.users.mainUser.name ];
 };
 chromium-tmp = {
 browserType = "chrome";
 home = "${homeFolder}/chromium-tmp";
 homeBackup = "${backupFolder}/chrome-tmp-browser";
 gpu = false;
+ sudoUsers = [ config.users.users.mainUser.name ];
 };
 google-tmp = {
 browserType = "google";
 home = "${homeFolder}/google-tmp";
 homeBackup = "${backupFolder}google-tmp-browser";
 gpu = false;
+ sudoUsers = [ config.users.users.mainUser.name ];
 };
 };
diff --git a/components/nixos/boot/default.nix b/components/nixos/boot/default.nix
deleted file mode 100644
index 10c8491..0000000
--- a/components/nixos/boot/default.nix
+++ /dev/null
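Review bot: The `google-tmp` entry's `homeBackup = "${backupFolder}google-tmp-browser";` is the only one in the hunk without a `/` after the interpolation, so unless backupFolder happens to end in a slash that backup lands beside the backup folder rather than inside it; it should read `homeBackup = "${backupFolder}/google-tmp-browser";`. The nine identical `sudoUsers = [ config.users.users.mainUser.name ];` lines added here could be declared once (for example a shared attrset merged into every browser with `//`) so the passwordless-sudo grant is reviewed in one place. The enclosing attrset starts before the hunk.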
@@ -1,16 +0,0 @@
-{ lib, config, ... }:
-{
-
- imports = [
- ./ssh.nix
- ./tor.nix
- ];
-
- options.components.nixos.boot.enable = lib.mkOption {
- type = lib.types.bool;
- default = false;
- };
-
- config = lib.mkIf (config.components.nixos.boot.enable) { };
-
-}
diff --git a/components/nixos/boot/tor.nix b/components/nixos/boot/tor.nix
deleted file mode 100644
index bc11d2a..0000000
--- a/components/nixos/boot/tor.nix
+++ /dev/null
@@ -1,95 +0,0 @@
-{ config, lib, pkgs, factsGenerator, clanLib, ... }:
-with lib;
-with types;
-
-{
- options.components.nixos.boot.tor = {
- enable = lib.mkOption {
- type = lib.types.bool;
- default = false;
- };
- };
-
- config = mkMerge [
-
- # todo : not working at the moment, because onion hostnames are secrets
- #(
- # let
- # onionIds = clanLib.readFactFromAllMachines "tor.initrd.hostname";
- # generateOnionUnlockScript = machine: onionId: pkgs.writers.writeDashBin "unlock-boot-${machine}-via-tor" ''
- # ${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 2222
- # '';
- # in
- # {
- # # add known hosts
- # services.openssh.knownHosts =
- # mapAttrs
- # (_machine: onionId: {
- # hostNames = [ "[${onionId}]:2222" ];
- # })
- # onionIds;
- # # create unlook tor boot script
- # environment.systemPackages =
- # mapAttrsToList generateOnionUnlockScript onionIds;
- # }
- #)
-
- # tor part
- # --------
- (mkIf (config.components.nixos.boot.tor.enable) {
-
- # tor secrets
- clan.core.facts.services."initrd.tor" = factsGenerator.tor {
- name = "initrd";
- addressPrefix = "init";
- };
- boot.initrd.secrets = {
- "/etc/tor/onion/bootup/tor.priv" = config.clan.core.facts.services."initrd.tor".secret."tor.initrd.priv".path;
- "/etc/tor/onion/bootup/hostname" = config.clan.core.facts.services."initrd.tor".secret."tor.initrd.hostname".path;
- };
-
- boot.initrd.systemd.storePaths = [
- pkgs.tor
- pkgs.iproute2
- pkgs.coreutils
- ];
- boot.initrd.systemd.contents = {
- "/etc/tor/tor.rc".text = ''
- DataDirectory /etc/tor
- SOCKSPort 127.0.0.1:9050 IsolateDestAddr
- SOCKSPort 127.0.0.1:9063
- HiddenServiceDir /etc/tor/onion/bootup
- HiddenServicePort 2222 127.0.0.1:2222
- '';
- };
-
- boot.initrd.systemd.services.tor = {
- description = "tor during init";
- wantedBy = [ "initrd.target" ];
- after = [ "network.target" "initrd-nixos-copy-secrets.service" ];
- before = [ "shutdown.target" ];
- conflicts = [ "shutdown.target" ];
-
- unitConfig.DefaultDependencies = false;
- path = [
- pkgs.tor
- pkgs.iproute2
- pkgs.coreutils
- ];
- script =
- ''
- echo "tor: preparing onion folder"
- # have to do this otherwise tor does not want to start
- chmod -R 700 /etc/tor
-
- echo "tor: starting tor"
- tor -f /etc/tor/tor.rc --verify-config
- tor -f /etc/tor/tor.rc
- '';
- };
- })
-
-
- ];
-}
-
diff --git a/components/nixos/default.nix b/components/nixos/default.nix
index 838850e..14d0aba 100644
--- a/components/nixos/default.nix
+++ b/components/nixos/default.nix
@@ -2,7 +2,6 @@
 {
 imports = [
 ./upgrade-diff.nix
- ./boot
 ];
 options.components.nixos.enable = lib.mkOption {
diff --git a/features/boot/default.nix b/features/boot/default.nix
new file mode 100644
index 0000000..21ee595
--- /dev/null
+++ b/features/boot/default.nix
@@ -0,0 +1,6 @@
+{
+ imports = [
+ ./ssh.nix
+ ./tor.nix
+ ];
+}
diff --git a/components/nixos/boot/ssh.nix b/features/boot/ssh.nix
similarity index 64%
rename from components/nixos/boot/ssh.nix
rename to features/boot/ssh.nix
index b774840..a8674ab 100644
--- a/components/nixos/boot/ssh.nix
+++ b/features/boot/ssh.nix
@@ -3,10 +3,10 @@ with lib;
 with types;
 {
- options.components.nixos.boot.ssh = {
+ options.features.boot.ssh = {
 enable = lib.mkOption {
 type = lib.types.bool;
- default = config.components.nixos.boot.enable;
+ default = false;
 };
 kernelModules = mkOption {
 type = listOf str;
@@ -16,12 +16,7 @@ with types;
 };
 };
- config = mkIf (config.components.nixos.boot.ssh.enable) {
-
- # root password
- #clan.core.facts.services.rootPassword = factsGenerator.password { name = "root"; };
- #users.users.root.hashedPasswordFile = config.clan.core.facts.services.rootPassword.secret."password.root.pam".path; # fixme not working for some reason
- #users.users.root.initalPassword = "admin";
+ config = mkIf (config.features.boot.ssh.enable) {
 # ssh host key
 clan.core.facts.services."boot.ssh" = factsGenerator.ssh { name = "boot"; };
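Review bot: `options.features.boot.ssh.enable` in the first ssh.nix hunk is a bare `lib.mkOption` with no `description`, so it appears undocumented in the options listing that flake.nix now generates for `./features`; `enable = lib.mkEnableOption "SSH in the initrd";` would document it in one line and keep the explicit `false` default. The same block mixes `lib.mkOption`/`lib.types.bool` with the unqualified `mkOption`/`listOf str` two lines later even though the file opens with `with lib; with types;`; picking one form would read more consistently. The option set continues outside the hunk.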
@@ -32,7 +27,7 @@ with types;
 # network
 boot.initrd.systemd.network.enable = true;
- boot.initrd.availableKernelModules = config.components.nixos.boot.ssh.kernelModules;
+ boot.initrd.availableKernelModules = config.features.boot.ssh.kernelModules;
 # ssh
 boot.initrd.network.enable = true;
diff --git a/features/boot/tor.nix b/features/boot/tor.nix
new file mode 100644
index 0000000..307fc2d
--- /dev/null
+++ b/features/boot/tor.nix
@@ -0,0 +1,65 @@
+{ config, lib, pkgs, factsGenerator, clanLib, ... }:
+with lib;
+with types;
+{
+ options.features.boot.tor = {
+ enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ };
+ };
+
+ config = mkIf (config.features.boot.tor.enable) {
+
+ # tor secrets
+ clan.core.facts.services."initrd.tor" = factsGenerator.tor {
+ name = "initrd";
+ addressPrefix = "init";
+ };
+ boot.initrd.secrets = {
+ "/etc/tor/onion/bootup/tor.priv" = config.clan.core.facts.services."initrd.tor".secret."tor.initrd.priv".path;
+ "/etc/tor/onion/bootup/hostname" = config.clan.core.facts.services."initrd.tor".secret."tor.initrd.hostname".path;
+ };
+
+ boot.initrd.systemd.storePaths = [
+ pkgs.tor
+ pkgs.iproute2
+ pkgs.coreutils
+ ];
+ boot.initrd.systemd.contents = {
+ "/etc/tor/tor.rc".text = ''
+ DataDirectory /etc/tor
+ SOCKSPort 127.0.0.1:9050 IsolateDestAddr
+ SOCKSPort 127.0.0.1:9063
+ HiddenServiceDir /etc/tor/onion/bootup
+ HiddenServicePort 2222 127.0.0.1:2222
+ '';
+ };
+
+ boot.initrd.systemd.services.tor = {
+ description = "tor during init";
+ wantedBy = [ "initrd.target" ];
+ after = [ "network.target" "initrd-nixos-copy-secrets.service" ];
+ before = [ "shutdown.target" ];
+ conflicts = [ "shutdown.target" ];
+
+ unitConfig.DefaultDependencies = false;
+ path = [
+ pkgs.tor
+ pkgs.iproute2
+ pkgs.coreutils
+ ];
+ script =
+ ''
+ echo "tor: preparing onion folder"
+ # have to do this otherwise tor does not want to start
+ chmod -R 700 /etc/tor
+
+ echo "tor: starting tor"
+ tor -f /etc/tor/tor.rc --verify-config
+ tor -f /etc/tor/tor.rc
+ '';
+ };
+ };
+}
+
diff --git a/features/default.nix b/features/default.nix
new file mode 100644
index 0000000..98f8788
--- /dev/null
+++ b/features/default.nix
@@ -0,0 +1,3 @@
+{
+ imports = [ ./boot ];
+}
diff --git a/flake.nix b/flake.nix
index 086f501..99eee69 100644
--- a/flake.nix
+++ b/flake.nix
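Review bot: `clanLib` in the argument set on the first line of features/boot/tor.nix is never referenced in the new file (its only consumer was the commented-out unlock block that this move drops), and `with types;` on the third line is unused as well; `{ config, lib, pkgs, factsGenerator, ... }:` and deleting `with types;` stop the module from depending on a special argument it does not need. The `enable` option has no `description`; `enable = lib.mkEnableOption "a Tor onion service in the initrd forwarding port 2222 to 127.0.0.1:2222";` would say what the module actually configures. A comment above `boot.initrd.secrets` noting that the onion private key is embedded into the initrd there — and is therefore presumably only as confidential as the boot medium that holds the initrd — would make the trust boundary explicit for the next reader.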
@@ -172,6 +172,7 @@
 clanLib = import ./lib/clanlib.nix { inherit (pkgs) lib; machineDir = ./machines; };
 zerotierDeviceName = "ztbn67ogn2";
 components = ./components;
+ features = ./features;
 };
 };
@@ -260,6 +261,8 @@
 documentation.nixos.options.warningsAreErrors = false; # todo make this true again
 documentation.nixos.extraModules = [
 ./components
+ ./features
+ #./modules
 inputs.clan-core.nixosModules.clanCore
 # inputs.stylix.nixosModules.stylix # fixme: not working
 permown.nixosModules.permown
@@ -272,6 +275,12 @@
 boot.loader.generic-extlinux-compatible.configurationLimit = lib.mkDefault 10;
 boot.loader.grub.configurationLimit = lib.mkDefault 10;
 })
+ # My Structure
+ ./components
+ ./features
+ ./modules # todo : spread this across features and components
+ #./system/all # todo : spread this across features and components
+
 # some modules I always use
 permown.nixosModules.permown
 kmonad.nixosModules.default
diff --git a/machines/cherry/configuration.nix b/machines/cherry/configuration.nix
index 46c7abd..c2286bd 100644
--- a/machines/cherry/configuration.nix
+++ b/machines/cherry/configuration.nix
@@ -3,9 +3,6 @@
 imports = [
- ../../components
- ../../modules
-
 ./hardware-configuration
 ./syncthing.nix
diff --git a/machines/chungus/configuration.nix b/machines/chungus/configuration.nix
index fab3704..fc5e110 100644
--- a/machines/chungus/configuration.nix
+++ b/machines/chungus/configuration.nix
@@ -5,9 +5,6 @@
 # todo : remove
 ../../system/all
- ../../components
- ../../modules
-
 ./hardware-configuration
 ./packages.nix
@@ -58,8 +55,7 @@
 components.network.wifi.enable = false;
 components.terminal.enable = true;
- components.nixos.boot.enable = true;
- components.nixos.boot.ssh.kernelModules = [ "e1000e" ];
+ features.boot.ssh.kernelModules = [ "e1000e" ];
 components.monitor.enable = true;
 components.monitor.opentelemetry.receiver.endpoint = "0.0.0.0:4317";
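Review bot: The second chungus hunk drops `components.nixos.boot.enable = true;` and keeps only `features.boot.ssh.kernelModules = [ "e1000e" ];`, but `features.boot.ssh.enable` now defaults to `false` (first ssh.nix hunk of this patch) instead of following the old umbrella flag, so chungus appears to lose its initrd SSH setup while orbi and probe opt in explicitly. If that is unintended, add `features.boot.ssh.enable = true;` beside the kernelModules line; without it the kernelModules value seems to go unused, since `boot.initrd.availableKernelModules` is assigned inside the `mkIf` guarded by enable.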
diff --git a/machines/cream/configuration.nix b/machines/cream/configuration.nix
index 33ed5a9..0a3cfc9 100644
--- a/machines/cream/configuration.nix
+++ b/machines/cream/configuration.nix
@@ -3,9 +3,6 @@
 imports = [
- ../../components
- ../../modules
-
 ./hardware-configuration.nix
 ./syncthing.nix
diff --git a/machines/orbi/configuration.nix b/machines/orbi/configuration.nix
index 73c58b8..ac1fb83 100644
--- a/machines/orbi/configuration.nix
+++ b/machines/orbi/configuration.nix
@@ -5,9 +5,6 @@
 ../../system/all/defaults.nix
- ../../components
- ../../modules
-
 ./service-forgejo-runner.nix
 ./service-forgejo.nix
 ./service-hedgedoc.nix
@@ -50,7 +47,8 @@
 components.network.fail2ban.enable = true;
 components.network.sshd.sshguard.enable = false;
- components.nixos.boot.enable = true;
+ features.boot.ssh.enable = true;
+ features.boot.tor.enable = true;
 components.monitor.enable = true;
 networking.firewall.interfaces.wg0.allowedTCPPorts = [ 4317 ];
diff --git a/machines/orbi/media-nextcloud.nix b/machines/orbi/media-nextcloud.nix
index a0715c8..fdf2fbe 100644
--- a/machines/orbi/media-nextcloud.nix
+++ b/machines/orbi/media-nextcloud.nix
@@ -1,4 +1,4 @@
-{ pkgs, config, factsGenerator, ... }:
+{ pkgs, config, factsGenerator, components, ... }:
 # don't forget the database backup before upgrading
 # -------------------------------------------------
@@ -85,7 +85,7 @@ in
 config = { config, lib, ... }: {
 nixpkgs.pkgs = pkgs;
- imports = [ ../../components/monitor/container.nix ];
+ imports = [ "${components}/monitor/container.nix" ];
 system.stateVersion = "23.11";
 services.logrotate.checkConfig = false; # because uid 3000 does not exist in here
diff --git a/machines/orbi/media-transmission2.nix b/machines/orbi/media-transmission2.nix
index 35a4349..45ad7da 100644
--- a/machines/orbi/media-transmission2.nix
+++ b/machines/orbi/media-transmission2.nix
@@ -1,4 +1,4 @@
-{ lib, pkgs, config, ... }:
+{ lib, pkgs, config, components, ... }:
 let
 uiPort = 9091;
 in
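Review bot: orbi's new `features.boot.tor.enable = true;` in the second orbi hunk is a behaviour change rather than a rename: the replaced `components.nixos.boot.enable = true;` only switched on the SSH option by default, while the old tor option defaulted to `false` on its own, so orbi did not previously run the initrd onion service. If that exposure is intended it deserves a line in the commit message and a check that the `initrd.tor` facts exist for orbi; otherwise keep only `features.boot.ssh.enable = true;`.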
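Review bot: `imports = [ "${components}/monitor/container.nix" ];` in the second media-nextcloud hunk interpolates the `components` path into a string, which makes Nix copy the whole components tree into the store on every evaluation and resolve the import from that copy; `imports = [ (components + "/monitor/container.nix") ];` keeps it a plain path with no copy. The same pattern appears in media-transmission2.nix, service-photoprism.nix, service-surrealdb.nix, service-vikunja.nix and social-matrix-terranix.nix. The `config` attrset this sits in starts and ends outside the hunk.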
@@ -25,7 +25,7 @@ in
 config = { config, lib, ... }: {
 nixpkgs.pkgs = pkgs;
- imports = [ ../../components/monitor/container.nix ];
+ imports = [ "${components}/monitor/container.nix" ];
 system.stateVersion = "21.05";
 services.logrotate.checkConfig = false; # because uid 3000 does not exist in here
diff --git a/machines/orbi/service-photoprism.nix b/machines/orbi/service-photoprism.nix
index 9e462e0..78d1259 100644
--- a/machines/orbi/service-photoprism.nix
+++ b/machines/orbi/service-photoprism.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, components, ... }:
 let
 mySQLPackage = pkgs.mysql;
 photoprismPort = 2342;
@@ -15,7 +15,7 @@ in
 config = { config, lib, ... }: {
 nixpkgs.pkgs = pkgs;
- imports = [ ../../components/monitor/container.nix ];
+ imports = [ "${components}/monitor/container.nix" ];
 system.stateVersion = "23.11";
 services.logrotate.checkConfig = false; # because uid 3000 does not exist in here
diff --git a/machines/orbi/service-surrealdb.nix b/machines/orbi/service-surrealdb.nix
index cc58c5c..82cfe81 100644
--- a/machines/orbi/service-surrealdb.nix
+++ b/machines/orbi/service-surrealdb.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, lib, clanCore, factsGenerator, ... }:
+{ config, pkgs, lib, clanCore, factsGenerator, components, ... }:
 let
 surrealdbPort = 8000;
 in
@@ -12,7 +12,7 @@ in
 config = { config, lib, ... }: {
 nixpkgs.pkgs = pkgs;
- imports = [ ../../components/monitor/container.nix ];
+ imports = [ "${components}/monitor/container.nix" ];
 system.stateVersion = "24.05";
 services.logrotate.checkConfig = false; # because uid 3000 does not exist in here
diff --git a/machines/orbi/service-vikunja.nix b/machines/orbi/service-vikunja.nix
index b6970eb..5fb5149 100644
--- a/machines/orbi/service-vikunja.nix
+++ b/machines/orbi/service-vikunja.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, components, ... }:
 let
 vikunjaPort = 3456;
 mysqlPort = 3337;
@@ -13,7 +13,7 @@ in
 config = { config, lib, ... }: {
 nixpkgs.pkgs = pkgs;
- imports = [ ../../components/monitor/container.nix ];
+ imports = [ "${components}/monitor/container.nix" ];
 system.stateVersion = "24.05";
 services.logrotate.checkConfig = false; # because uid 3000 does not exist in here
diff --git a/machines/orbi/social-matrix-terranix.nix b/machines/orbi/social-matrix-terranix.nix
index 1b66b26..ecd41bd 100644
--- a/machines/orbi/social-matrix-terranix.nix
+++ b/machines/orbi/social-matrix-terranix.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, factsGenerator, ... }:
+{ config, pkgs, factsGenerator, components, ... }:
 let
 # 1. create DNS entry `matrix.terranix.org A - 95.216.66.212`
 # 2. test with : https://federationtester.matrix.org/#terranix.org
@@ -66,7 +66,7 @@ in
 config = { config, lib, ... }: {
 nixpkgs.pkgs = pkgs;
- imports = [ ../../components/monitor/container.nix ];
+ imports = [ "${components}/monitor/container.nix" ];
 system.stateVersion = "23.11";
 services.logrotate.checkConfig = false; # because uid 3000 does not exist in here
diff --git a/machines/probe/configuration.nix b/machines/probe/configuration.nix
index 453ead3..a67f16f 100644
--- a/machines/probe/configuration.nix
+++ b/machines/probe/configuration.nix
@@ -1,8 +1,6 @@
 { lib, config, pkgs, ... }:
 {
 imports = [
 ./hardware-configuration
- ../../components
- ../../modules
 ];
 system.stateVersion = "24.11";
@@ -10,9 +8,8 @@
 components.mainUser.enable = true;
 components.network.enable = true;
- components.nixos.boot.enable = true;
- components.nixos.boot.ssh.enable = true;
- components.nixos.boot.tor.enable = true;
+ features.boot.ssh.enable = true;
+ features.boot.tor.enable = true;
 components.monitor.enable = false;
diff --git a/machines/sternchen/configuration.nix b/machines/sternchen/configuration.nix
index 26dd070..2537585 100644
--- a/machines/sternchen/configuration.nix
+++ b/machines/sternchen/configuration.nix
@@ -2,8 +2,6 @@
 imports = [
- ../../components
- ../../modules
 ./hardware-configuration.nix
 ./packages.nix
 ./syncthing.nix
diff --git a/modules/browser.nix b/modules/browser.nix
index d306e49..46dadc0 100644
--- a/modules/browser.nix
+++ b/modules/browser.nix
@@ -232,7 +232,6 @@ in
 '';
 };
 sudoUsers = mkOption {
- default = [ config.users.users.mainUser.name ];
 type = with types; listOf str;
 description = ''
 user allowed to run sudo without password to start the browser
diff --git a/system/all/default.nix b/system/all/default.nix
index 7941162..f337504 100644
--- a/system/all/default.nix
+++ b/system/all/default.nix
@@ -2,8 +2,6 @@
 imports = [
- ../../modules
- ../../components/network
 ./defaults.nix
 ./grub.nix
 ./packages.nix
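Review bot: Removing `default = [ config.users.users.mainUser.name ];` from `sudoUsers` in the modules/browser.nix hunk without a replacement leaves the option with no default, so any browser definition that does not set it will fail evaluation with an undefined-option error wherever the module reads it, instead of simply granting nothing. `default = [ ];` keeps the least-privilege intent (no passwordless sudo unless a browser declares it) while staying safe for definitions outside this patch. The description one line below could also read `users allowed to run sudo without password to start the browser`, matching the list type. The option set continues outside the hunk.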