Simon Gardling
d00ff42e8e
new site-config.nix holds values previously duplicated across hosts:
domain, old_domain, contact_email, timezone, binary_cache (url + pubkey),
dns_servers, lan (cidr + gateway), hosts.{muffin,yarn} (ip/alias/ssh_host_key),
ssh_keys.{laptop,desktop,ci_deploy}.
threaded through specialArgs on all three hosts + home-manager extraSpecialArgs +
homeConfigurations.primary + serverLib. service-configs.nix now takes
{ site_config } as a function arg and drops its https namespace; per-service
domains (gitea/matrix/ntfy/mollysocket/livekit/firefox-sync/grafana) are
derived from site_config.domain. ~15 service files and 6 vm tests migrated.
breakage fixes rolled in:
- home/progs/zen/dark-reader.nix: 5 stale *.gardling.com entries in
disabledFor rewritten to *.sigkill.computer (caddy 301s the old names so
these never fired and the new sigkill urls were getting dark-reader applied)
- modules/desktop-common.nix: drop unused hugepagesz=1G/hugepages=3
kernelParams (no consumer on mreow or yarn; xmrig on muffin still reserves
its own via services/monero/xmrig.nix)
verification: muffin toplevel is bit-identical to pre-refactor baseline.
mreow/yarn toplevels differ only in boot.json kernelParams + darkreader
storage.js (nix-diff verified). deployGuardTest and fail2banVaultwardenTest
(latter exercises site_config.domain via bitwarden.nix) pass.
81 lines
1.9 KiB
Nix
81 lines
1.9 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
site_config,
|
|
username,
|
|
...
|
|
}:
|
|
{
|
|
# Shared timezone. Plain priority so it wins against srvos's mkDefault "UTC";
|
|
# mreow overrides via lib.mkForce when travelling.
|
|
time.timeZone = site_config.timezone;
|
|
|
|
# Common Nix daemon settings. Host-specific overrides (binary cache substituters,
|
|
# gc retention) live in the host's default.nix.
|
|
nix = {
|
|
optimise.automatic = true;
|
|
|
|
gc = {
|
|
automatic = true;
|
|
dates = "weekly";
|
|
# Default retention: override per-host via lib.mkForce if different.
|
|
options = lib.mkDefault "--delete-older-than 30d";
|
|
};
|
|
|
|
settings = {
|
|
experimental-features = [
|
|
"nix-command"
|
|
"flakes"
|
|
];
|
|
};
|
|
};
|
|
|
|
# https://nixos.wiki/wiki/Fish#Setting_fish_as_your_shell
|
|
# Login shells stay bash but immediately `exec fish` so fish is the effective shell
|
|
# without breaking scripts that hardcode #!/bin/bash.
|
|
programs.fish.enable = true;
|
|
programs.bash = {
|
|
interactiveShellInit = ''
|
|
if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]
|
|
then
|
|
shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
|
|
exec ${lib.getExe pkgs.fish} $LOGIN_OPTION
|
|
fi
|
|
'';
|
|
};
|
|
|
|
# doas replaces sudo on every host
|
|
security = {
|
|
doas.enable = true;
|
|
sudo.enable = false;
|
|
doas.extraRules = [
|
|
{
|
|
users = [ username ];
|
|
keepEnv = true;
|
|
persist = true;
|
|
}
|
|
];
|
|
};
|
|
|
|
services.kmscon.enable = true;
|
|
|
|
environment.systemPackages = with pkgs; [
|
|
doas-sudo-shim
|
|
];
|
|
|
|
hardware.enableRedistributableFirmware = true;
|
|
hardware.cpu.amd.updateMicrocode = true;
|
|
|
|
environment.etc = {
|
|
# override default nixos /etc/issue
|
|
"issue".text = "";
|
|
};
|
|
|
|
# for updating firmware
|
|
services.fwupd = {
|
|
enable = true;
|
|
extraRemotes = [ "lvfs-testing" ];
|
|
};
|
|
}
|