better hardware/logical separation

2017-02-02 16:31:19 +01:00 · 2017-02-02 16:31:19 +01:00 · 258d0d6253
parent fbb3463bd4
commit 258d0d6253
11 changed files with 68 additions and 111 deletions
--- a/ascanius/configuration.nix
+++ b/ascanius/configuration.nix
@ -10,7 +10,7 @@ in
  imports =
    [ ./hardware-configuration.nix
      ../roles/common.nix
-      ../roles/graphical.nix
+      ../roles/workstation.nix
      ../modules/tor-hidden-service.nix
    ];

@ -22,7 +22,6 @@ in
  systemd.services.scsi-link-pm.enable = false;

  nixpkgs.config = {
-    allowUnfree = true;
    packageOverrides = pkgs : {
      bluez = pkgs.bluez5;
      # https://github.com/NixOS/nixpkgs/issues/22099
@ -30,22 +29,6 @@ in
    };
  };

-  services.openssh.enable = true;
-
-  # List packages installed in system profile. To search by name, run:
-  # $ nix-env -qaP | grep wget
-  environment.systemPackages = with pkgs; [
-    btrfs-progs ghostscript
-  ];
-
-  virtualisation.virtualbox.host.enable = true;
-
-  users.extraUsers.yorick.hashedPassword = secrets.yorick_hashedPassword;
-  services.xserver.displayManager.sessionCommands = ''
-    gpg-connect-agent /bye
-    unset SSH_AGENT_PID
-    export SSH_AUTH_SOCK="''${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh"
-  '';

  services.tor.hiddenServices = [
    { name = "ssh";
--- a/ascanius/hardware-configuration.nix
+++ b/ascanius/hardware-configuration.nix
@ -59,13 +59,12 @@
      fsType = "ext2";
    };

+
+
  swapDevices = [ ];
-  services.printing = {
-    enable = true;
-    drivers = [ pkgs.gutenprint ];
-  };
+
  nix.maxJobs = 8;

  services.tcsd.enable = true; # it has a TPM. maybe use this?
-  environment.systemPackages = with pkgs; [tpm-tools];
+  environment.systemPackages = with pkgs; [btrfs-progs tpm-tools];
 }
--- a/frumar/configuration.nix
+++ b/frumar/configuration.nix
@ -23,9 +23,6 @@ in

  networking.hostName = secrets.hostnames.frumar;

-  # Enable the OpenSSH daemon.
-  services.openssh.enable = true;
-
  # The NixOS release to be compatible with for stateful data such as databases.
  system.stateVersion = "15.09";

--- a/jarvis/configuration.nix
+++ b/jarvis/configuration.nix
@ -4,48 +4,22 @@

 { config, pkgs, ... }:

-let secrets = import <secrets>;
-in
 {
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
      ../roles/common.nix
-      ../roles/graphical.nix
+      ../roles/workstation.nix
    ];

-  # Use the systemd-boot EFI boot loader.
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
  networking.hostName = "jarvis"; # Define your hostname.
-  # Select internationalisation properties.
-  i18n.consoleFont = "latarcyrheb-sun32";
-
-  # List services that you want to enable:
-
-  # Enable the OpenSSH daemon.
-  # services.openssh.enable = true; # temp
-  # Enable CUPS to print documents.
-  services.printing.enable = true;


  # The NixOS release to be compatible with for stateful data such as databases.
  system.stateVersion = "17.03";

-  # List packages installed in system profile. To search by name, run:
-  # $ nix-env -qaP | grep wget
-  environment.systemPackages = with pkgs; [
-    btrfs-progs
-  ];

-  #virtualisation.virtualbox.host.enable = true;
-
-  users.extraUsers.yorick.hashedPassword = secrets.yorick_hashedPassword;
  services.xserver.displayManager.sessionCommands = ''
-    gpg-connect-agent /bye
-    unset SSH_AGENT_PID
-    export SSH_AUTH_SOCK="''${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh"
    ${pkgs.xorg.xrandr}/bin/xrandr --dpi 192
  '';
  nix.gc.automatic = pkgs.lib.mkOverride 30 false;
--- a/jarvis/hardware-configuration.nix
+++ b/jarvis/hardware-configuration.nix
@ -13,6 +13,12 @@
  boot.extraModulePackages = [ ];
  boot.blacklistedKernelModules = ["psmouse"];
  
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+
  hardware.cpu.intel.updateMicrocode = true;


@ -44,6 +50,8 @@
    ];

  nix.maxJobs = lib.mkDefault 4;
+
+  environment.systemPackages = [pkgs.btrfs-progs];
  
  # ideal... doesn't work.
  #services.udev.extraRules = ''
@ -60,5 +68,6 @@

  services.xserver.videoDrivers = ["modesetting"];
  hardware.opengl.extraPackages = [ pkgs.vaapiIntel ];
-
+  # bigger console font
+  i18n.consoleFont = "latarcyrheb-sun32";
 }
--- a/pennyworth/configuration.nix
+++ b/pennyworth/configuration.nix
@ -31,14 +31,10 @@ in

  environment.noXlibs = true;

-  services.openssh.enable = true;
  networking.enableIPv6 = lib.mkOverride 30 true;

  system.stateVersion = "16.03";

-  # root password is useful from console, ssh has password logins disabled
-  users.extraUsers.root.hashedPassword = secrets.pennyworth_hashedPassword;
-
  # email
  services.mailz = {
    domain = config.networking.hostName;
--- a/roles/common.nix
+++ b/roles/common.nix
@ -1,3 +1,5 @@
+let secrets = import <secrets>;
+in
 { config, pkgs, lib, ...}:
 {
 	imports = [];
@ -5,6 +7,9 @@
 	users.mutableUsers = false;
 	users.extraUsers.root = {
 		openssh.authorizedKeys.keys = config.users.extraUsers.yorick.openssh.authorizedKeys.keys;
+    # root password is useful from console, ssh has password logins disabled
+    hashedPassword = secrets.pennyworth_hashedPassword; # TODO: generate own
+
 	};
  services.timesyncd.enable = true;
 	users.extraUsers.yorick = {
@ -36,6 +41,7 @@
  networking.enableIPv6 = false;

  services.openssh = {
+    enable = true;
  	passwordAuthentication = false;
  	challengeResponseAuthentication = false;
  };
--- a/roles/graphical.nix
+++ b/roles/graphical.nix
@ -1,5 +1,10 @@
+let secrets = import <secrets>;
+in
 { config, lib, pkgs, ... }:
 {
+  options.yorick.support32bit = with lib;
+    mkOption { type = types.bool; default = false; };
+  config = {
  # Enable the X11 windowing system.
  services.xserver = {
    enable = true;
@ -23,10 +28,10 @@
  };
  hardware.opengl = {
    enable = true;
-    driSupport32Bit = true;
+    driSupport32Bit = config.yorick.support32bit;
  };
  hardware.pulseaudio.enable = true;
-  hardware.pulseaudio.support32Bit = true;
+  hardware.pulseaudio.support32Bit = config.yorick.support32bit;

  fonts = {
    enableFontDir = true;
@ -39,16 +44,10 @@
      source-han-sans-japanese
    ];
  };
-  services.redshift = {
-    enable = true;
-    latitude = "51.8";
-    longitude = "5.8";
-    temperature = {
-      day = 6500;
-      night = 5500;
-    };
-  };
  # spotify
  networking.firewall.allowedTCPPorts = [57621];
  networking.firewall.allowedUDPPorts = [57621];
+
+  users.extraUsers.yorick.hashedPassword = secrets.yorick_hashedPassword;
+};
 }
--- a/roles/workstation.nix
+++ b/roles/workstation.nix
@ -0,0 +1,28 @@
+{ config, lib, pkgs, ... }:
+{
+  imports = [
+    ../roles/graphical.nix
+  ];
+  users.extraUsers.yorick.extraGroups = ["input"];
+  services.redshift = {
+    enable = true;
+    latitude = "51.8";
+    longitude = "5.8";
+    temperature = {
+      day = 6500;
+      night = 5500;
+    };
+  };
+  services.printing = {
+    enable = true;
+    drivers = [ pkgs.gutenprint ];
+  };
+  environment.systemPackages = [pkgs.ghostscript];
+  services.xserver.displayManager.sessionCommands = ''
+    gpg-connect-agent /bye
+    unset SSH_AGENT_PID
+    export SSH_AUTH_SOCK="''${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh"
+  '';
+  virtualisation.virtualbox.host.enable = true;
+  yorick.support32bit = true;
+}
--- a/woodhouse/configuration.nix
+++ b/woodhouse/configuration.nix
@ -16,59 +16,18 @@ in
      ../roles/graphical.nix
    ];

-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
  networking.hostName = secrets.hostnames.woodhouse;

-  # Select internationalisation properties.
-  # i18n = {
-  #   consoleFont = "Lat2-Terminus16";
-  #   consoleKeyMap = "us";
-  #   defaultLocale = "en_US.UTF-8";
-  # };
-
-
-  # List services that you want to enable:
-
-  hardware.opengl.driSupport32Bit = lib.mkOverride 30 false;
-  hardware.pulseaudio.support32Bit = lib.mkOverride 30 false;
-
-
-  # Enable the OpenSSH daemon.
-  services.openssh.enable = true;
-
-
-  # root password is useful from console, ssh has password logins disabled
-  users.extraUsers.root.hashedPassword = secrets.pennyworth_hashedPassword; # TODO: generate own
-
-
-  # Enable CUPS to print documents.
-  # services.printing.enable = true;
-
-  # Enable the X11 windowing system.
-  # services.xserver.enable = true;
-  # services.xserver.layout = "us";
-  # services.xserver.xkbOptions = "eurosign:e";
-
-  # Enable the KDE Desktop Environment.
-  # services.xserver.displayManager.kdm.enable = true;
-  # services.xserver.desktopManager.kde4.enable = true;
-
  # The NixOS release to be compatible with for stateful data such as databases.
  system.stateVersion = "16.09";


-  services.redshift.enable = lib.mkOverride 30 false;
  services.xserver = {
  	# displayManager.slim.autoLogin = true; # TODO: debug this
  };

-  users.extraUsers.yorick.hashedPassword = secrets.yorick_hashedPassword;

-  environment.systemPackages = with pkgs; [
-    btrfs-progs
-  ];
+
  services.tor.hiddenServices = [
    { name = "ssh";
      port = 22;
--- a/woodhouse/hardware-configuration.nix
+++ b/woodhouse/hardware-configuration.nix
@ -13,6 +13,9 @@
  boot.extraModulePackages = [ ];
  hardware.cpu.intel.updateMicrocode = true;

+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+

  fileSystems."/" =
    { device = "/dev/disk/by-uuid/fa5026b1-0f73-4233-a417-780c65f3f038";
@ -30,4 +33,8 @@

  nix.maxJobs = lib.mkDefault 4;
  services.xserver.videoDrivers = ["intel"];
+
+  environment.systemPackages = with pkgs; [
+    btrfs-progs
+  ];
 }