chore: nf-fmt-nix

arcnmx 2024-05-13 15:13:58 -07:00
parent 7486517713
commit 9903866044
160 changed files with 4570 additions and 3019 deletions


@ -1,4 +1,8 @@
{inputs, ...}: {lib, osConfig, ...}: let
{inputs, ...}: {
lib,
osConfig,
...
}: let
inherit (inputs.self.lib) meta;
inherit (lib.modules) mkIf;
in {


@ -19,18 +19,25 @@ let
system = gensokyo-zone.systems.${config.systemName}.config;
networks = let
fallbackNetwork =
if system.network.networks.local.enable or false && access.local.enable then "local"
else if system.access.global.enable then null
else if system.network.networks.int.enable or false then "int"
else if system.network.networks.local.enable or false then "local"
if system.network.networks.local.enable or false && access.local.enable
then "local"
else if system.access.global.enable
then null
else if system.network.networks.int.enable or false
then "int"
else if system.network.networks.local.enable or false
then "local"
else null;
networks = map (name: coalesce [ name fallbackNetwork ]) config.networks;
in unique networks;
networks = map (name: coalesce [name fallbackNetwork]) config.networks;
in
unique networks;
in {
options = with lib.types; {
enable = mkEnableOption "ssh client configuration" // {
default = true;
};
enable =
mkEnableOption "ssh client configuration"
// {
default = true;
};
name = mkOption {
type = str;
default = name;
@ -66,38 +73,46 @@ let
enabledNetworks = filterAttrs (_: net: net.enable) system.network.networks;
networkNames = mapAttrsToList (_: net: net.name) enabledNetworks;
networks = filter (name: name == null || elem name networkNames) cfg.networks;
in mkOptionDefault networks;
in
mkOptionDefault networks;
set = {
matchBlocksSettings = let
canonNetworkName' = intersectLists networks [ null "int" "local" ];
canonNetworkName = if canonNetworkName' != [ ] then head canonNetworkName' else null;
in mapListToAttrs (network: let
name = config.name + optionalString (network != canonNetworkName) "-${network}";
inherit (system.exports.services) sshd;
port = head (
optional (network == null && sshd.ports.global.enable or false) sshd.ports.global.port
++ optional (sshd.ports.public.enable or false) sshd.ports.public.port
++ [ sshd.ports.standard.port ]
);
needsProxy = network == "int" || (network == "local" && !access.local.enable);
in nameValuePair name {
hostname = mkDefault (
if network == null then system.access.fqdn
else system.network.networks.${network}.fqdn
);
user = mkIf (config.user != null) (mkDefault config.user);
port = mkIf (port != 22) (mkDefault port);
proxyJump = mkIf needsProxy (lib.warnIf (config.name == cfg.proxyJump) "proxyJump self-reference" (mkAlmostOptionDefault (
cfg.proxyJump
)));
identitiesOnly = mkIf (config.systemName == "u7pro") (mkAlmostOptionDefault true);
extraOptions = mkMerge [
(unmerged.mergeAttrs config.extraOptions)
{
HostKeyAlias = mkIf (config.hostName != null && network != null) (mkOptionDefault system.access.fqdn);
}
];
}) networks;
canonNetworkName' = intersectLists networks [null "int" "local"];
canonNetworkName =
if canonNetworkName' != []
then head canonNetworkName'
else null;
in
mapListToAttrs (network: let
name = config.name + optionalString (network != canonNetworkName) "-${network}";
inherit (system.exports.services) sshd;
port = head (
optional (network == null && sshd.ports.global.enable or false) sshd.ports.global.port
++ optional (sshd.ports.public.enable or false) sshd.ports.public.port
++ [sshd.ports.standard.port]
);
needsProxy = network == "int" || (network == "local" && !access.local.enable);
in
nameValuePair name {
hostname = mkDefault (
if network == null
then system.access.fqdn
else system.network.networks.${network}.fqdn
);
user = mkIf (config.user != null) (mkDefault config.user);
port = mkIf (port != 22) (mkDefault port);
proxyJump = mkIf needsProxy (lib.warnIf (config.name == cfg.proxyJump) "proxyJump self-reference" (mkAlmostOptionDefault (
cfg.proxyJump
)));
identitiesOnly = mkIf (config.systemName == "u7pro") (mkAlmostOptionDefault true);
extraOptions = mkMerge [
(unmerged.mergeAttrs config.extraOptions)
{
HostKeyAlias = mkIf (config.hostName != null && network != null) (mkOptionDefault system.access.fqdn);
}
];
})
networks;
};
};
};
@ -124,7 +139,7 @@ let
};
hosts = mkOption {
type = attrsOf (submoduleWith {
modules = [ sshHostModule ];
modules = [sshHostModule];
specialArgs = {
inherit gensokyo-zone osConfig homeConfig pkgs;
};
@ -132,7 +147,7 @@ let
};
networks = mkOption {
type = listOf (nullOr str);
default = [ null ];
default = [null];
};
proxyJump = mkOption {
type = str;
@ -150,7 +165,8 @@ let
};
config = {
proxyJump = mkOptionDefault (
if config.hosts.hakurei.enable then config.hosts.hakurei.name
if config.hosts.hakurei.enable
then config.hosts.hakurei.name
else gensokyo-zone.systems.hakurei.config.access.fqdn
);
networks = mkOptionDefault [
@ -159,51 +175,55 @@ let
];
hosts = mapAttrs (name: system: let
enabled = system.config.access.online.enable && system.config.exports.services.sshd.enable;
in mkIf enabled {
systemName = mkOptionDefault name;
}) gensokyo-zone.systems;
in
mkIf enabled {
systemName = mkOptionDefault name;
})
gensokyo-zone.systems;
set = {
matchBlocksSettings = let
mkMatchBlocksHost = host: mkIf host.enable (unmerged.mergeAttrs host.set.matchBlocksSettings);
in mkMerge (
mapAttrsToList (_: mkMatchBlocksHost) config.hosts
);
in
mkMerge (
mapAttrsToList (_: mkMatchBlocksHost) config.hosts
);
};
};
};
in {
config,
osConfig,
lib,
gensokyo-zone,
pkgs,
...
}: let
inherit (lib.options) mkOption;
inherit (lib.modules) mkIf;
inherit (gensokyo-zone.lib) unmerged;
cfg = config.gensokyo-zone.ssh;
in {
options.gensokyo-zone.ssh = mkOption {
type = lib.types.submoduleWith {
modules = [sshModule];
specialArgs = {
inherit gensokyo-zone pkgs;
inherit osConfig;
homeConfig = config;
in
{
config,
osConfig,
lib,
gensokyo-zone,
pkgs,
...
}: let
inherit (lib.options) mkOption;
inherit (lib.modules) mkIf;
inherit (gensokyo-zone.lib) unmerged;
cfg = config.gensokyo-zone.ssh;
in {
options.gensokyo-zone.ssh = mkOption {
type = lib.types.submoduleWith {
modules = [sshModule];
specialArgs = {
inherit gensokyo-zone pkgs;
inherit osConfig;
homeConfig = config;
};
};
default = {};
};
default = { };
};
config = {
gensokyo-zone.ssh = {
config = {
gensokyo-zone.ssh = {
};
programs.ssh = mkIf cfg.enable {
matchBlocks = unmerged.mergeAttrs cfg.set.matchBlocksSettings;
};
lib.gensokyo-zone.ssh = {
inherit cfg sshModule sshHostModule;
};
};
programs.ssh = mkIf cfg.enable {
matchBlocks = unmerged.mergeAttrs cfg.set.matchBlocksSettings;
};
lib.gensokyo-zone.ssh = {
inherit cfg sshModule sshHostModule;
};
};
}
}


@ -1,4 +1,4 @@
{ ... }: {
{...}: {
imports = [
../../nixos/ipa.nix
];


@ -1,4 +1,4 @@
{ ... }: {
{...}: {
imports = [
../../nixos/network/netgroups.nix
];


@ -1,4 +1,4 @@
{ ... }: {
{...}: {
imports = [
../../nixos/sssd/sssd.nix
../../nixos/sssd/pam.nix


@ -35,7 +35,7 @@ in {
nixosConfig = config;
};
};
default = { };
default = {};
};
config = {


@ -42,7 +42,7 @@
type = listOf str;
};
fallback = mkOption {
type = nullOr (enum [ "cloudflare" "google" ]);
type = nullOr (enum ["cloudflare" "google"]);
default = "cloudflare";
};
fallbackNameservers = mkOption {
@ -67,32 +67,38 @@
];
nameservers = let
inherit (gensokyo-zone.systems) utsuho hakurei;
in mkMerge [
(mkOptionDefault [ ])
(mkIf access.local.enable [
(mkIf enableIPv6 utsuho.config.access.address6ForNetwork.local)
utsuho.config.access.address4ForNetwork.local
])
# TODO: mirror or tunnel on hakurei or something .-.
(mkIf (access.tail.enabled && false) [
(mkIf enableIPv6 hakurei.config.access.address6ForNetwork.tail)
hakurei.config.access.address4ForNetwork.tail
])
];
fallbackNameservers = mkOptionDefault {
cloudflare = [
"1.1.1.1#cloudflare-dns.com"
"1.0.0.1#cloudflare-dns.com"
in
mkMerge [
(mkOptionDefault [])
(mkIf access.local.enable [
(mkIf enableIPv6 utsuho.config.access.address6ForNetwork.local)
utsuho.config.access.address4ForNetwork.local
])
# TODO: mirror or tunnel on hakurei or something .-.
(mkIf (access.tail.enabled && false) [
(mkIf enableIPv6 hakurei.config.access.address6ForNetwork.tail)
hakurei.config.access.address4ForNetwork.tail
])
];
google = optionals enableIPv6 [
"[2001:4860:4860::8888]#dns.google"
"[2001:4860:4860::8844]#dns.google"
] ++ [
"8.8.8.8#dns.google"
"8.8.4.4#dns.google"
];
${toString null} = [ ];
}.${toString config.fallback};
fallbackNameservers =
mkOptionDefault
{
cloudflare = [
"1.1.1.1#cloudflare-dns.com"
"1.0.0.1#cloudflare-dns.com"
];
google =
optionals enableIPv6 [
"[2001:4860:4860::8888]#dns.google"
"[2001:4860:4860::8844]#dns.google"
]
++ [
"8.8.8.8#dns.google"
"8.8.4.4#dns.google"
];
${toString null} = [];
}
.${toString config.fallback};
set = {
nssSettings = {
hosts = mkMerge [
@ -123,11 +129,11 @@ in {
nixosConfig = config;
};
};
default = { };
default = {};
};
config = {
networking.nameservers = mkIf (cfg.enable && cfg.nameservers != [ ]) (mkMerge [
networking.nameservers = mkIf (cfg.enable && cfg.nameservers != []) (mkMerge [
(mkBefore cfg.nameservers)
cfg.fallbackNameservers
]);


@ -40,9 +40,11 @@
default = toUpper config.domain;
};
ca = {
trust = mkEnableOption "trust CA" // {
default = true;
};
trust =
mkEnableOption "trust CA"
// {
default = true;
};
pem = mkOption {
type = path;
};
@ -59,7 +61,7 @@
};
urls = mkOption {
type = listOf str;
default = [ "ldaps://${config.ldap.host}" ];
default = ["ldaps://${config.ldap.host}"];
};
baseDn = mkOption {
type = str;
@ -75,21 +77,21 @@
};
passwordFileKrb5 = mkOption {
type = path;
example = lib.literalExpression "\${pkgs.writeText "ldap.kdb5" ''
example = lib.literalExpression "\${pkgs.writeText " ldap.kdb5 " ''
${config.bind.dn}#{HEX}616e6f6e796d6f7573
''}";
};
passwordFileSssdEnv = mkOption {
type = path;
example = lib.literalExpression "\${pkgs.writeText "ldap.kdb5" ''
${"SSSD_AUTHTOK_" + replaceStrings [ "." ] [ "_" ] (toUpper config.domain)}=verysecretpassword
example = lib.literalExpression "\${pkgs.writeText " ldap.kdb5 " ''
${"SSSD_AUTHTOK_" + replaceStrings ["."] ["_"] (toUpper config.domain)}=verysecretpassword
''}";
};
};
};
db = {
backend = mkOption {
type = enum [ "kldap" "ipa" ];
type = enum ["kldap" "ipa"];
default = "kldap";
};
};
@ -99,7 +101,7 @@
};
authToLocalNames = mkOption {
type = attrsOf str;
default = { };
default = {};
example = {
"arc@${config.realm}" = "arc";
};
@ -108,26 +110,30 @@
enable = mkEnableOption "sssd";
pam.enable = mkEnableOption "PAM";
backend = mkOption {
type = enum [ "ipa" "ldap" ];
default = {
ipa = "ipa";
kldap = "ldap";
}.${config.db.backend};
type = enum ["ipa" "ldap"];
default =
{
ipa = "ipa";
kldap = "ldap";
}
.${config.db.backend};
};
};
ntp = {
enable = mkEnableOption "ntp" // {
default = true;
};
enable =
mkEnableOption "ntp"
// {
default = true;
};
servers = mkOption {
type = listOf str;
example = [ config.ipa.host ];
default = [ "2.fedora.pool.ntp.org" ];
example = [config.ipa.host];
default = ["2.fedora.pool.ntp.org"];
};
};
nfs = {
enable = mkEnableOption "nfs";
package = mkPackageOption pkgs "nfs-utils" { };
package = mkPackageOption pkgs "nfs-utils" {};
idmapd = {
localDomain = mkOption {
type = bool;
@ -135,11 +141,11 @@
};
localRealms = mkOption {
type = listOf str;
default = [ config.realm ];
default = [config.realm];
};
methods = mkOption {
type = listOf str;
default = [ "nsswitch" ];
default = ["nsswitch"];
};
authToLocalNames = mkOption {
type = attrsOf str;
@ -185,7 +191,8 @@
url = "https://${config.ipa.httpHost}/ipa/config/ca.crt";
sha256 = "sha256-PKjnjn1jIq9x4BX8+WGkZfj4HQtmnHqmFSALqggo91o=";
};
in mkOptionDefault caPem;
in
mkOptionDefault caPem;
ldap = {
urls = mkMerge [
(mkIf access.local.enable (mkOptionDefault (mkBefore [
@ -200,22 +207,23 @@
];
bind = let
inherit (nixosConfig.sops) secrets;
in mkIf (nixosOptions ? sops.secrets && secrets ? gensokyo-zone-krb5-passwords) {
passwordFileKrb5 = mkOptionDefault nixosConfig.sops.secrets.gensokyo-zone-krb5-passwords.path;
passwordFile = mkOptionDefault nixosConfig.sops.secrets.gensokyo-zone-krb5-peep-password.path;
passwordFileSssdEnv = mkOptionDefault nixosConfig.sops.secrets.gensokyo-zone-sssd-passwords.path;
};
in
mkIf (nixosOptions ? sops.secrets && secrets ? gensokyo-zone-krb5-passwords) {
passwordFileKrb5 = mkOptionDefault nixosConfig.sops.secrets.gensokyo-zone-krb5-passwords.path;
passwordFile = mkOptionDefault nixosConfig.sops.secrets.gensokyo-zone-krb5-peep-password.path;
passwordFileSssdEnv = mkOptionDefault nixosConfig.sops.secrets.gensokyo-zone-sssd-passwords.path;
};
};
db.backend = mkIf enabled.ipa (mkAlmostOptionDefault "ipa");
nfs = {
package = mkIf (elem "umich_ldap" config.nfs.idmapd.methods) (mkAlmostOptionDefault pkgs.nfs-utils-ldap);
idmapd = {
methods = mkMerge [
(mkIf (config.nfs.idmapd.authToLocalNames != { }) (
mkOptionDefault (mkBefore [ "static" ])
(mkIf (config.nfs.idmapd.authToLocalNames != {}) (
mkOptionDefault (mkBefore ["static"])
))
(mkIf (!enabled.sssd) (
mkOptionDefault [ "umich_ldap" ]
mkOptionDefault ["umich_ldap"]
))
];
};
@ -243,55 +251,63 @@
};
};
sssdSettings = let
servers = optional access.local.enable "idp.local.${config.domain}"
++ [ "_srv" ];
servers =
optional access.local.enable "idp.local.${config.domain}"
++ ["_srv"];
backups = mkMerge [
(mkIf access.tail.enabled (mkAlmostOptionDefault [ "ipa.tail.${config.domain}" ]))
(mkIf access.local.enable (mkAlmostOptionDefault [ "ipa.local.${config.domain}" ]))
(mkIf access.tail.enabled (mkAlmostOptionDefault ["ipa.tail.${config.domain}"]))
(mkIf access.local.enable (mkAlmostOptionDefault ["ipa.local.${config.domain}"]))
];
in mkIf config.sssd.enable {
enable = mkAlmostOptionDefault true;
gensokyo-zone = {
backend = mkAlmostOptionDefault config.sssd.backend;
krb5.servers = {
servers = servers ++ [ config.host ];
inherit backups;
in
mkIf config.sssd.enable {
enable = mkAlmostOptionDefault true;
gensokyo-zone = {
backend = mkAlmostOptionDefault config.sssd.backend;
krb5.servers = {
servers = servers ++ [config.host];
inherit backups;
};
ipa.servers = {
servers = servers ++ [config.ipa.host];
inherit backups;
};
ldap = {
bind.passwordFile = mkAlmostOptionDefault config.ldap.bind.passwordFile;
uris.backups = mkIf access.tail.enabled (mkAlmostOptionDefault (mkAfter [
"ldaps://ldap.tail.${config.domain}"
]));
};
};
ipa.servers = {
servers = servers ++ [ config.ipa.host ];
inherit backups;
};
ldap = {
bind.passwordFile = mkAlmostOptionDefault config.ldap.bind.passwordFile;
uris.backups = mkIf access.tail.enabled (mkAlmostOptionDefault (mkAfter [
"ldaps://ldap.tail.${config.domain}"
]));
environmentFile = mkIf (config.sssd.backend == "ldap") (
mkAlmostOptionDefault
config.ldap.bind.passwordFileSssdEnv
);
services = {
ifp.enable = mkAlmostOptionDefault true;
pam.enable = mkIf (!config.sssd.pam.enable) (mkDefault false);
};
};
environmentFile = mkIf (config.sssd.backend == "ldap") (mkAlmostOptionDefault
config.ldap.bind.passwordFileSssdEnv
);
services = {
ifp.enable = mkAlmostOptionDefault true;
pam.enable = mkIf (!config.sssd.pam.enable) (mkDefault false);
};
};
ipaSettings = mkIf config.ipa.enable (mapAlmostOptionDefaults {
enable = true;
certificate = config.ca.pem;
basedn = config.ldap.baseDn;
domain = config.domain;
realm = config.realm;
server = config.ipa.server;
# TODO: dyndns?
} // {
overrideConfigs = mapAlmostOptionDefaults {
sssd = false;
krb5 = false;
};
});
enable = true;
certificate = config.ca.pem;
basedn = config.ldap.baseDn;
domain = config.domain;
realm = config.realm;
server = config.ipa.server;
# TODO: dyndns?
}
// {
overrideConfigs = mapAlmostOptionDefaults {
sssd = false;
krb5 = false;
};
});
nfsSettings = mkIf config.nfs.enable {
${if nixosOptions ? services.nfs.settings then "settings" else null} = mkMerge [
${
if nixosOptions ? services.nfs.settings
then "settings"
else null
} = mkMerge [
{
gssd = mapOptionDefaults {
#use-machine-creds = false;
@ -314,7 +330,11 @@
};
})
];
${if nixosOptions ? services.nfs.settings then null else "extraConfig"} = mkMerge [
${
if nixosOptions ? services.nfs.settings
then null
else "extraConfig"
} = mkMerge [
''
[gssd]
#use-machine-creds = false
@ -344,10 +364,10 @@
Domain = mkForce config.domain;
Local-Realms = concatStringsSep "," config.nfs.idmapd.localRealms;
};
Translation.Method = mkIf (config.nfs.idmapd.methods != [ "nsswitch" ]) (mkForce (
Translation.Method = mkIf (config.nfs.idmapd.methods != ["nsswitch"]) (mkForce (
concatStringsSep "," config.nfs.idmapd.methods
));
Static = mkIf (config.nfs.idmapd.authToLocalNames != { }) config.nfs.idmapd.authToLocalNames;
Static = mkIf (config.nfs.idmapd.authToLocalNames != {}) config.nfs.idmapd.authToLocalNames;
UMICH_SCHEMA = mkIf (elem "umich_ldap" config.nfs.idmapd.methods) (mapOptionDefaults {
LDAP_server = config.ldap.host;
LDAP_use_ssl = true;
@ -389,7 +409,7 @@ in {
nixosOptions = options;
};
};
default = { };
default = {};
};
config = {
@ -413,10 +433,11 @@ in {
hosts = let
inherit (gensokyo-zone.systems) freeipa;
# TODO: consider hakurei instead...
in mkIf (cfg.enable && !config.gensokyo-zone.dns.enable or false && config.gensokyo-zone.access.local.enable) {
${freeipa.config.access.address6ForNetwork.local} = mkIf config.networking.enableIPv6 (mkBefore [ cfg.host ]);
${freeipa.config.access.address4ForNetwork.local} = mkBefore [ cfg.host ];
};
in
mkIf (cfg.enable && !config.gensokyo-zone.dns.enable or false && config.gensokyo-zone.access.local.enable) {
${freeipa.config.access.address6ForNetwork.local} = mkIf config.networking.enableIPv6 (mkBefore [cfg.host]);
${freeipa.config.access.address4ForNetwork.local} = mkBefore [cfg.host];
};
};
environment.etc = {
"request-key.conf" = mkIf (cfg.enable && cfg.nfs.enable && cfg.sssd.enable) {
@ -425,24 +446,30 @@ in {
export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:${config.system.nssModules.path}"
exec ${cfg.nfs.package}/bin/nfsidmap "$@"
'';
in mkForce (pkgs.writeText "request-key.conf" ''
create id_resolver * * ${nfsidmap} -t 600 %k %d
'');
in
mkForce (pkgs.writeText "request-key.conf" ''
create id_resolver * * ${nfsidmap} -t 600 %k %d
'');
};
};
${if options ? sops.secrets then "sops" else null}.secrets = let
${
if options ? sops.secrets
then "sops"
else null
}.secrets = let
sopsFile = mkDefault ../secrets/krb5.yaml;
in mkIf cfg.enable {
gensokyo-zone-krb5-passwords = mkIf (cfg.db.backend == "kldap") {
inherit sopsFile;
in
mkIf cfg.enable {
gensokyo-zone-krb5-passwords = mkIf (cfg.db.backend == "kldap") {
inherit sopsFile;
};
gensokyo-zone-krb5-peep-password = mkIf (cfg.sssd.backend == "ldap") {
inherit sopsFile;
};
gensokyo-zone-sssd-passwords = mkIf (cfg.sssd.backend == "ldap") {
inherit sopsFile;
};
};
gensokyo-zone-krb5-peep-password = mkIf (cfg.sssd.backend == "ldap") {
inherit sopsFile;
};
gensokyo-zone-sssd-passwords = mkIf (cfg.sssd.backend == "ldap") {
inherit sopsFile;
};
};
lib.gensokyo-zone.krb5 = {
inherit cfg krb5Module;
};
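Review bot: The `example` values for `passwordFileKrb5` and `passwordFileSssdEnv` in the `ldap.bind` hunk are not a single string: the formatter turning `"ldap.kdb5"` into `" ldap.kdb5 "` shows that the outer `"…"` literal closes right after `writeText `, leaving `ldap.kdb5` as a bare expression the string is then applied to. This is pre-existing rather than introduced by the reformat, but it will fail with "attempt to call something which is not a function" whenever the option documentation is evaluated, so it is worth fixing now that the formatter has exposed it. Escaping the inner quotes keeps the intended literal, e.g. `example = lib.literalExpression "\${pkgs.writeText \"ldap.kdb5\" ''` with the closing `''}";` on the last line; the `passwordFileSssdEnv` example should presumably use a name like `"sssd.env"` rather than repeating `ldap.kdb5`, since it documents an environment file. The enclosing `krb5Module` options block starts outside this hunk.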


@ -33,20 +33,28 @@
options = with lib.types; {
enable = mkEnableOption "kyuuto";
media = {
enable = mkEnableOption "/mnt/kyuuto-media" // {
default = true;
};
krb5.enable = mkEnableOption "krb5" // {
default = enabled.krb5;
};
enable =
mkEnableOption "/mnt/kyuuto-media"
// {
default = true;
};
krb5.enable =
mkEnableOption "krb5"
// {
default = enabled.krb5;
};
};
transfer = {
enable = mkEnableOption "/mnt/kyuuto-transfer" // {
default = true;
};
krb5.enable = mkEnableOption "krb5" // {
default = enabled.krb5;
};
enable =
mkEnableOption "/mnt/kyuuto-transfer"
// {
default = true;
};
krb5.enable =
mkEnableOption "krb5"
// {
default = enabled.krb5;
};
};
shared.enable = mkEnableOption "/mnt/kyuuto-shared";
domain = mkOption {
@ -135,12 +143,13 @@
(mkIf config.nfs.enable "nfs4")
(mkIf config.smb.enable "smb3")
];
options = mkMerge (setFilesystemOptions ++ [
(mkIf config.media.krb5.enable [
"sec=krb5"
(mkIf config.nfs.enable "nfsvers=4")
])
]);
options = mkMerge (setFilesystemOptions
++ [
(mkIf config.media.krb5.enable [
"sec=krb5"
(mkIf config.nfs.enable "nfsvers=4")
])
]);
};
"/mnt/kyuuto-transfer" = mkIf config.transfer.enable {
device = mkMerge [
@ -151,12 +160,17 @@
(mkIf config.nfs.enable "nfs4")
(mkIf config.smb.enable "smb3")
];
options = mkMerge (setFilesystemOptions ++ [
(mkIf config.media.krb5.enable [
(if access.local.enable || access.tail.enabled then "sec=sys:krb5" else "sec=krb5")
#(mkIf config.nfs.enable "nfsvers=3")
])
]);
options = mkMerge (setFilesystemOptions
++ [
(mkIf config.media.krb5.enable [
(
if access.local.enable || access.tail.enabled
then "sec=sys:krb5"
else "sec=krb5"
)
#(mkIf config.nfs.enable "nfsvers=3")
])
]);
};
"/mnt/kyuuto-shared" = mkIf (config.shared.enable && config.smb.enable) {
device = mkIf (config.smb.user != null) ''\\smb.${config.domain}\shared'';
@ -204,7 +218,7 @@ in {
nixosConfig = config;
};
};
default = { };
default = {};
};
config = {


@ -46,9 +46,11 @@
default = "ssh";
};
ssh = {
commonKey = mkEnableOption "shared secret nixbld key" // {
default = true;
};
commonKey =
mkEnableOption "shared secret nixbld key"
// {
default = true;
};
user = mkOption {
type = str;
default = "nixbld";
@ -105,8 +107,8 @@
];
builder = {
systems = mkMerge [
(mkIf config.builder.cross.aarch64 (mkOptionDefault [ "aarch64-linux" ]))
(mkIf config.builder.cross.armv7l (mkOptionDefault [ "armv7l-linux" ]))
(mkIf config.builder.cross.aarch64 (mkOptionDefault ["aarch64-linux"]))
(mkIf config.builder.cross.armv7l (mkOptionDefault ["armv7l-linux"]))
];
domain = mkMerge [
(mkIf access.tail.enabled (mkAlmostOptionDefault "nixbld.tail.${domain}"))
@ -114,9 +116,11 @@
];
ssh.key = let
inherit (nixosConfig.sops) secrets;
in mkIf (nixosOptions ? sops.secrets && secrets ? gensokyo-zone-nix-bld-key) (mkAlmostOptionDefault
nixosConfig.sops.secrets.gensokyo-zone-nix-bld-key.path
);
in
mkIf (nixosOptions ? sops.secrets && secrets ? gensokyo-zone-nix-bld-key) (
mkAlmostOptionDefault
nixosConfig.sops.secrets.gensokyo-zone-nix-bld-key.path
);
setBuildMachine = {
hostName = config.builder.domain;
protocol = config.builder.protocol;
@ -145,7 +149,7 @@ in {
nixosOptions = options;
};
};
default = { };
default = {};
};
config = {
@ -153,13 +157,18 @@ in {
settings = unmerged.merge cfg.setNixSettings;
buildMachines = unmerged.merge cfg.setNixBuildMachines;
};
${if options ? sops.secrets then "sops" else null}.secrets = let
${
if options ? sops.secrets
then "sops"
else null
}.secrets = let
sopsFile = mkDefault ../secrets/nix.yaml;
in mkIf cfg.enable {
gensokyo-zone-nix-bld-key = mkIf cfg.builder.ssh.commonKey {
inherit sopsFile;
in
mkIf cfg.enable {
gensokyo-zone-nix-bld-key = mkIf cfg.builder.ssh.commonKey {
inherit sopsFile;
};
};
};
lib.gensokyo-zone.nix = {
inherit cfg nixModule;
};


@ -162,7 +162,7 @@
modules = [userModule];
inherit specialArgs;
});
default = { };
default = {};
};
excludeUsers = mkOption {
type = listOf str;
@ -172,7 +172,7 @@
modules = [groupModule];
inherit specialArgs;
});
default = { };
default = {};
};
excludeGroups = mkOption {
type = listOf str;