modularize baseline system configuration

2024-12-02 14:04:55 -06:00 · 2024-12-02 14:04:55 -06:00 · d5afd4b1a7
commit d5afd4b1a7
parent 80e5a5e8a6
7 changed files with 107 additions and 70 deletions
--- a/home/modules/baseline.nix
+++ b/home/modules/baseline.nix
@ -8,7 +8,7 @@ with lib; let
  cfg = config.local.baseline;
 in {
  options.local.baseline = {
-    enable = mkEnableOption "Basic settings";
+    enable = mkEnableOption "Basic home settings";
  };
  config = mkIf cfg.enable {
    xdg.enable = true;
--- a/sys/default.nix
+++ b/sys/default.nix
@ -1 +1,12 @@
-{}
+{
+  flakes,
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+with lib; {
+  imports = [
+    ./modules
+  ];
+}
--- a/sys/modules/baseline.nix
+++ b/sys/modules/baseline.nix
@ -0,0 +1,76 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.local.sys.baseline;
+in {
+  options.local.sys.baseline = {
+    enable = mkEnableOption "Basic system settings";
+  };
+  config = mkIf cfg.enable {
+    system.stateVersion = "24.05"; # DO NOT CHANGE
+
+    nix = {
+      package = pkgs.nixVersions.stable;
+
+      extraOptions = ''
+        experimental-features = nix-command flakes
+      '';
+
+      # Not interested in the global flake registry
+      settings.flake-registry = "";
+    };
+
+    console = {
+      keyMap = "us";
+    };
+
+    programs = {
+      zsh.enable = true;
+      fuse.userAllowOther = true;
+    };
+
+    environment = {
+      pathsToLink = [
+        "/share/zsh"
+      ];
+
+      systemPackages = with pkgs;
+        [
+          git
+          vim
+        ]
+        ++ optionals (!config.boot.isContainer) [
+          lm_sensors
+          lshw
+          parted
+          pciutils
+          smartmontools
+          usbutils
+        ];
+    };
+
+    services = {
+      openssh.enable = mkDefault true;
+
+      earlyoom = {
+        enable = mkDefault true;
+        enableNotifications = true;
+      };
+    };
+
+    # Coredumps are a security risk and may use up a lot of disk space
+    systemd.coredump.extraConfig = ''
+      Storage=none
+      ProcessSizeMax=0
+    '';
+
+    security.dhparams = {
+      enable = true;
+      defaultBitSize = 4096;
+    };
+  };
+}
--- a/sys/modules/default.nix
+++ b/sys/modules/default.nix
@ -0,0 +1,10 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  imports = [
+    ./baseline.nix
+  ];
+}
--- a/sys/platforms/posixlycorrect/default.nix
+++ b/sys/platforms/posixlycorrect/default.nix
@ -13,6 +13,10 @@
    ./yubikey.nix
  ];

+  local.sys = {
+    baseline.enable = true;
+  };
+
  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
@ -34,10 +38,6 @@

  # Select internationalisation properties.
  i18n.defaultLocale = "en_US.UTF-8";
-  console = {
-    font = "Lat2-Terminus16";
-    keyMap = "us";
-  };

  # Enable the X11 windowing system.
  services.xserver = {
@ -64,9 +64,6 @@
    wireplumber.enable = true;
  };

-  programs.zsh.enable = true;
-  environment.pathsToLink = ["/share/zsh"];
-
  users = {
    users.fabian = {
      isNormalUser = true;
@ -82,11 +79,6 @@
    pkgs.android-udev-rules
  ];

-  users.users.temp = {
-    isNormalUser = true;
-    extraGroups = ["wheel"];
-  };
-
  virtualisation.libvirtd.qemu.package = pkgs.qemu_kvm;
  virtualisation.libvirtd.qemu.ovmf.enable = true;
  virtualisation.libvirtd.qemu.ovmf.packages = [pkgs.OVMFFull.fd];
@ -95,20 +87,4 @@
  # boot.kernelModules = [ "vfio" "vfio_iommu_type1" "vfio_pci" "vfio_virqfd" ];
  # boot.kernelParams = [ "amd_iommu=on" "iommu=pt" "vfio-pci.ids=1002:699f,1002:aae0" "video=efifb:off" ];
  virtualisation.libvirtd.onBoot = "start";
-
-  nix = {
-    package = pkgs.nixVersions.stable;
-    extraOptions = ''
-      experimental-features = nix-command flakes
-    '';
-  };
-
-  services.openssh.enable = true;
-
-  services.earlyoom = {
-    enable = true;
-    enableNotifications = true;
-  };
-
-  system.stateVersion = "24.05"; # DO NOT CHANGE
 }
--- a/sys/platforms/posixlycorrect/yubikey.nix
+++ b/sys/platforms/posixlycorrect/yubikey.nix
@ -29,7 +29,7 @@
      control = "sufficient";
      settings = {
        debug = false;
-      cue = true;
+        cue = true;
      };
    };
  };
--- a/sys/platforms/vps/default.nix
+++ b/sys/platforms/vps/default.nix
@ -13,13 +13,11 @@ with lib; {
    ./srv
  ];

-  environment.systemPackages = with pkgs; [
-    vim
-    git
-  ];
+  local.sys = {
+    baseline.enable = true;
+  };

  services.openssh = {
-    enable = true;
    settings.PasswordAuthentication = false;
  };

@ -38,24 +36,8 @@ with lib; {
    };
  };

-  programs = {
-    zsh.enable = true;
-    fuse.userAllowOther = true;
-  };
-
  networking.hostName = "vps";

-  nix = {
-    package = pkgs.nixVersions.stable;
-
-    extraOptions = ''
-      experimental-features = nix-command flakes
-    '';
-
-    # No me interesa el global registry
-    settings.flake-registry = "";
-  };
-
  users = {
    users.fabian = {
      isNormalUser = true;
@ -72,11 +54,6 @@ with lib; {
    DefaultTimeoutStartSec=900s
  '';

-  security.dhparams = {
-    enable = true;
-    defaultBitSize = 4096;
-  };
-
  fileSystems = {
    "/mnt/export2008" = {
      device = "172.16.129.19:/nas/5876";
@ -91,18 +68,5 @@ with lib; {
    };
  };

-  services.earlyoom = {
-    enable = mkDefault true;
-    enableNotifications = true;
-  };
-
-  # Coredumps son un riesgo de seguridad y puden usar mucho disco
-  systemd.coredump.extraConfig = ''
-    Storage=none
-    ProcessSizeMax=0
-  '';
-
  time.timeZone = "Europe/Amsterdam";
-
-  system.stateVersion = "24.05"; # DO NOT CHANGE
 }