# NixOS module: the "zaphyra" host preset. Behind one boolean switch it wires
# up the baseline every zaphyra-managed host gets: root SSH access, DNS
# self-registration under zaphyra.eu, ACME certificates via RFC2136, nginx,
# monitoring exporters and a few housekeeping services.
{
  povSelf,
  pkgs,
  lib,
  config,
  hostConfig,
  ...
}:
let
  inherit (lib) types mkIf mkDefault;
  # povSelf is the attribute path this module is mounted at; cfg is the
  # module's own (boolean) option value.
  cfg = lib.getAttrFromPath povSelf config;
  inherit (config.networking) fqdn hostName;

  # DNS label for this host under zaphyra.eu, derived from its fqdn.
  subdomain = lib.removeSuffix ".zaphyra.eu" fqdn;

  # Every nginx virtual host name together with its serverAliases, flattened
  # into one list. This also picks up the host's own fqdn (it is a vhost
  # below), so the certificate's primary name appears in extraDomainNames as
  # well; presumably the acme module tolerates that duplicate — verify.
  vhostNames = lib.flatten (
    lib.mapAttrsToList (
      name: vhost: [
        (vhost.serverAliases or [ ])
        name
      ]
    ) config.services.nginx.virtualHosts
  );
in
{

  option = {
    type = types.bool;
    default = false;
  };

  config = mkIf cfg {
    # TSIG secret used for the RFC2136 ACME challenge, managed by sops and
    # delivered at runtime (see security.acme.defaults.credentialFiles).
    sops.secrets.acmeTSIGKey = { };

    users.users.root = {
      # "ssh" is a group defined elsewhere in these nixfiles; presumably the
      # openssh module restricts logins to its members — confirm there.
      extraGroups = [ "ssh" ];
      # Root's authorized key is the one shipped with the website package,
      # so rotating it means rebuilding that package.
      openssh.authorizedKeys.keys = [
        (builtins.readFile "${pkgs.zaphyra-website}/ssh_pubkey.asc")
      ];
    };

    # Publish this host's addresses under zaphyra.eu. Addresses that
    # hostConfig flags as private are never written to the zone.
    dns.zones."zaphyra.eu".subdomains.${subdomain} = mkIf (hostConfig ? networking) (
      let
        net = hostConfig.networking;
        # One record of the given family, only when the address exists and
        # is not marked private.
        publish = addr: privateFlag: mkIf ((net ? ${addr}) && !net.${privateFlag}) [ net.${addr} ];
      in
      {
        AAAA = publish "ip6Address" "ip6IsPrivate";
        A = publish "ip4Address" "ip4IsPrivate";
      }
    );

    modules = {
      presets.zaphyra.syncthing.enable = mkDefault true;

      # Smartcard and keyd only make sense on hosts with a graphical session.
      hardware.smartcard.enable = mkDefault config.modules.presets.graphical.enable;

      services = {
        keyd.enable = mkDefault config.modules.presets.graphical.enable;
        openssh = {
          enable = mkDefault true;
          enableRSASupport = mkDefault true;
        };
        prometheusExporters.enable = mkDefault true;
        vnstat = {
          enable = true;
          vnstati.enable = true;
        };
      };

      # Keep issued certificates and account keys across reboots when the
      # root filesystem is impermanent.
      filesystem.impermanence.system.dirs = [ "/var/lib/acme" ];
    };

    security.acme = {
      acceptTerms = true;
      defaults = {
        email = "letsencrypt@zaphyra.eu";
        keyType = "ec384";
        dnsProvider = "rfc2136";
        # pkgs.writeText places this file in the world-readable Nix store, so
        # it carries only the non-secret TSIG parameters (server, key name,
        # algorithm) ...
        environmentFile = pkgs.writeText "acme-dns-env" ''
          RFC2136_NAMESERVER=morio.infra.zaphyra.eu
          RFC2136_TSIG_KEY=acme-nix-${hostName}
          RFC2136_TSIG_ALGORITHM=hmac-sha384
        '';
        # ... while the secret itself is read at runtime from the sops path.
        credentialFiles = {
          RFC2136_TSIG_SECRET_FILE = config.sops.secrets.acmeTSIGKey.path;
        };
      };
      certs.${fqdn} = {
        # Give the nginx group access to the certificate files only when
        # nginx is actually enabled on this host.
        group = mkIf config.services.nginx.enable "nginx";
        extraDomainNames = vhostNames;
      };
    };

    services = {
      timesyncd.enable = mkDefault true;
      fstrim.enable = mkDefault true;

      # Bound the persistent journal so logs cannot fill the root filesystem.
      journald.extraConfig = "SystemMaxUse=2.5G";

      logind.killUserProcesses = mkDefault true;

      nginx = {
        enable = mkDefault true;
        recommendedGzipSettings = true;
        recommendedOptimisation = true;
        recommendedProxySettings = true;
        recommendedTlsSettings = true;
        # `access_log off` turns off nginx request logging for every vhost,
        # so this host keeps no per-request trail for later investigation.
        commonHttpConfig = ''
          server_names_hash_bucket_size 64;
          charset utf-8;

          access_log off;
        '';

        # Catch-all vhost on the host's own name, served with the ACME
        # certificate issued above and redirecting plain HTTP to HTTPS.
        virtualHosts.${fqdn} = {
          useACMEHost = fqdn;
          forceSSL = true;
          kTLS = true;
          default = true;
        };
      };
    };

    # This preset opens HTTP and HTTPS only; anything else must be opened by
    # the module that needs it.
    networking.firewall.allowedTCPPorts = [
      80
      443
    ];

    environment.systemPackages = [ pkgs.ghostty.terminfo ];
  };

}