Move role folder to defaults

2020-11-28 22:27:24 +00:00 · 2020-11-28 22:27:24 +00:00 · 78f95b4e11
commit 78f95b4e11
parent ea23be5e80
19 changed files with 17 additions and 16 deletions
--- a/defaults/base/README.adoc
+++ b/defaults/base/README.adoc
@ -0,0 +1,10 @@
+== Base Role
+
+The base role handles basic system configuration, which includes:
+
+* User management
+* Nix configuration
+* System default settings
+* Global packages (like `git` and `curl`) and sane configuration
+defaults for them
+* Basic networking configuration (like firewall and ssh)
--- a/defaults/base/default.nix
+++ b/defaults/base/default.nix
@ -0,0 +1,101 @@
+# Default configuration for hosts
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [ ../../modules ];
+
+  system.autoUpgrade.enable = true;
+  system.autoUpgrade.allowReboot = false;
+
+  boot.loader.timeout = 2;
+  boot.tmpOnTmpfs = true;
+
+  console = {
+    font = "Lat2-Terminus16";
+    keyMap = "sg-latin1";
+  };
+
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  environment.systemPackages = with pkgs; [
+    wget
+    curl
+    vim
+    tmux
+    git
+    ncat
+    bind
+    ack
+    fwupd
+    pciutils
+    dmidecode
+    smartmontools
+    parted
+    borgbackup
+    nixfmt
+    iw
+  ];
+
+  services.fwupd.enable = true;
+
+  # Networking
+  networking.firewall = {
+    allowPing = true;
+    allowedTCPPorts = [ 22 ];
+  };
+
+  # Enable the OpenSSH daemon.
+  services.openssh = {
+    enable = true;
+    passwordAuthentication = false;
+  };
+
+  nix.trustedUsers = [ "root" "@wheel" ];
+
+  users.mutableUsers = false;
+  users.users = rec {
+    root.openssh.authorizedKeys.keys =
+      lib.flatten (map (u: u.openssh.authorizedKeys.keys) [ fhauser das-g ]);
+
+    fhauser = {
+      isNormalUser = true;
+      description = "Fabian Hauser";
+      extraGroups = [ "wheel" ];
+      uid = 1000;
+      hashedPassword =
+        "$6$rounds=20000$TYZ8CojfBLwejcwn$smEJe6/anL9NGf.Ytfny14nBfhr4TRPv2XK1lgHz7yg.zQow1HACePirEjsjxzFC6vTHGaT8t2NxobUsHbWLg1";
+      openssh.authorizedKeys.keys = [
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIPF8ZV7vhpbVvLxiKq8ANVusNUHMbtii5MuvjxCbVz7vSNVPo9OOLvYyDqhbRAWMTdQeGZVAaALBufKKmprDTRFMpnA7Ut4TFrdz/5DTaR2KEjJ7P75moH+0xooR/GsbzFGsNBSQSXK3u1igndPYEC/PqCHN++32kDo2wLqTB4VLrEovU3iq8BMckn329Bu1fGbXKTgDpEvUEEwFO2brQZLMmzILGF/v4B9ImEGtinAUNgDSfEpgPN23sdWQH9rwEClGv95JmWNf05tuVomhZzOBtCFoAno3XB1nj16avjsqJ3aGFY2CCcfsNrwKzhIotmm82bcI4BJuJIVRIKbZ1 cardno:000603507108"
+      ];
+    };
+
+    das-g = {
+      isNormalUser = true;
+      description = "Raphael Das Gupta";
+      extraGroups = [ "wheel" ];
+      uid = 1001;
+      hashedPassword =
+        "$6$rounds=37000$omA92cfwup$Ri9FXHbeOUIIDKf83D6UNa5NWGac.G9A3voJmrivwkVtaDGVMGLIa5qdgkaDeCKoMkl8YRjJ7smEyrMwTnuRD0";
+      openssh.authorizedKeys.keys = [
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDRWDaUzbDyCNee/K8iCcXtoLrR0fZoGpXAV4f/CjB8kKb42lWKWXc67Juy0RnRVCZQc21ooApuQPJZ08Cawj9Okgz0j3vYdMnDBY1Ox9Ik12hzbpdLDHhOrIj3BOJuAKfFy5OM9Z2ZLwdvjXFk+1RQK1Qadd3PwtGjxLAgp5eBHj8TgUP8DXKGQQElphjfVLua4ufqoTldT1mrmDn/+GDgNY5HUTQb+YZ6AwjcemG+eAdG30Al1JRkOogke83hIXBVNCD9ObPtRv/KiAZv3TV8bgP2mzeeG2aDDb9qz8HXKvBlbN2ouz0cWTA5D5+Ua+wkOggEfhfPKBauF9sbQ8bRuknWm8VnuVXkikzdYZVGKdzvoHRdOfoTCL4JHzpGW6H3jVqdQuGTv5r28y/jxbDY95w6KmxLS+2u8SHVBh6hVAxf5i3P8aIHkOTEN//SyS/fa1uXHSQt0sVya2+4pTsCQfwWjE3TrQg6W6bmguVMjaICze5wWwckap+57jKbK9sPCuLFfYPwOvQ3nfb6wwNBhvNxmD9xGfk8/UzXsoq6OgPvF7GE5UWA04GHCnF4H0tEAQBK0vsjKxqC2lM8nK9msbqkSxadIFYqiG1+DAZyju3uZgkkInev8dh02yNsVJKYoCm60PWaMTLeVsrYZuvNDWXsXm7+nD02wWI0lxnkVw== das-g@x1carbon"
+      ];
+    };
+  };
+
+  nix.gc = {
+    automatic = true;
+    dates = "weekly";
+    options = "--delete-older-than 30d";
+  };
+
+  environment.etc = {
+    gitconfig.source = ./etc/gitconfig;
+    vimrc.source = ./etc/vimrc;
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    email = "sysadmin@qo.is";
+  };
+
+}
--- a/defaults/base/etc/gitconfig
+++ b/defaults/base/etc/gitconfig
@ -0,0 +1,31 @@
+[core]
+        packedGitWindowSize = 16m
+        packedGitLimit = 64m
+[pack]
+        windowMemory = 64m
+        packSizeLimit = 64m
+        thread = 1
+        deltaCacheSize = 1m
+[color]
+    branch = auto
+    diff = auto
+    status = auto
+[push]
+    default = simple
+[pull]
+    rebase = true
+[branch]
+    autosetuprebase = always
+[commit]
+#   gpgsign = true
+[tag]
+#   gpgsign = true
+
+[alias]
+    s = status --short --branch
+    a = add --patch
+    c = commit --message
+    l = log --color --graph --pretty=format:'%Cred%h%Creset - %C(bold)%s%Creset%C(yellow)%d%Creset %C(green)%an%Creset %C(cyan)%cr%Creset' --abbrev-commit
+    d = diff
+[diff]
+#   noprefix = true
--- a/defaults/base/etc/vimrc
+++ b/defaults/base/etc/vimrc
@ -0,0 +1,54 @@
+
+" Use Vim settings, rather than Vi settings (much better!).
+" This must be first, because it changes other options as a side effect.
+" Avoid side effects when it was already reset.
+if &compatible
+  set nocompatible
+endif
+
+" Convenient command to see the difference between the current buffer and the
+" file it was loaded from, thus the changes you made.
+" Only define it when not defined already.
+" Revert with: ":delcommand DiffOrig".
+if !exists(":DiffOrig")
+  command DiffOrig vert new | set bt=nofile | r ++edit # | 0d_ | diffthis
+          \ | wincmd p | diffthis
+endif
+
+" Don't wake up system with blinking cursor:
+" http://www.linuxpowertop.org/known.php
+let &guicursor = &guicursor . ",a:blinkon0"
+
+
+
+
+""""""""""""""""""""""""""
+"  Design Settings
+""""""""""""""""""""""""""
+set background=dark
+colorscheme elflord
+
+""""""""""""""""""""""""""
+" Other Settings
+""""""""""""""""""""""""""
+set ignorecase                  " Ignore search case
+set autoindent                  " Newline with automatic text indent
+set ruler                       " Show current position
+set pastetoggle=<F2>
+set ignorecase
+set hidden
+
+set splitbelow
+set splitright
+
+set tabstop=2
+set shiftwidth=2
+set softtabstop=2
+set expandtab
+
+set listchars="eol:¬,tab:>·,trail:~,extends:>,precedes:<,space:␣"
+set grepprg=ack\ -k
+
+filetype plugin indent on
+syntax on
+
--- a/defaults/database/default.nix
+++ b/defaults/database/default.nix
@ -0,0 +1,11 @@
+{ config, pkgs, ... }:
+
+{
+
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_12;
+  };
+
+  services.postgresqlBackup.enable = true;
+}
--- a/defaults/nextcloud/README.adoc
+++ b/defaults/nextcloud/README.adoc
@ -0,0 +1,4 @@
+== Nextcloud Role
+
+This role manages the nextcloud installation.
+
--- a/defaults/nextcloud/default.nix
+++ b/defaults/nextcloud/default.nix
@ -0,0 +1,23 @@
+# Default configuration for hosts
+{ config, lib, pkgs, ... }:
+
+{
+  services.nextcloud = {
+    enable = true;
+    https = true;
+    webfinger = true;
+    maxUploadSize = "1G";
+
+    config = {
+      adminpassFile = "/secrets/nextcloud-admin"; # TODO
+      adminuser = "root";
+      dbtype = "pgsql";
+      dbhost = "/run/postgresql";
+    };
+  };
+
+  systemd.services."nextcloud-setup" = {
+    requires = [ "postgresql.service" ];
+    after = [ "postgresql.service" ];
+  };
+}
--- a/defaults/tt-rss/default.nix
+++ b/defaults/tt-rss/default.nix
@ -0,0 +1,10 @@
+{ config, lib, pkgs, ... }:
+
+{
+  services.tt-rss = {
+    enable = true;
+    sessionCookieLifetime = 0;
+
+    database = { type = "pgsql"; };
+  };
+}
--- a/defaults/webserver/default.nix
+++ b/defaults/webserver/default.nix
@ -0,0 +1,5 @@
+{ config, lib, pkgs, ... }:
+
+{
+  services.nginx = { logError = "stderr warn"; };
+}