142 lines
3.2 KiB
Nix
142 lines
3.2 KiB
Nix
{
|
|
lib,
|
|
inputs,
|
|
self,
|
|
...
|
|
}:
|
|
let
|
|
inherit (lib) mkOption;
|
|
in
|
|
{
|
|
systemdHardening = {
|
|
IPAddressDeny = "any";
|
|
NoNewPrivileges = true;
|
|
ProtectSystem = "full";
|
|
PrivateDevices = true;
|
|
ProtectKernelTunables = true;
|
|
ProtectHostname = true;
|
|
ProtectKernelLogs = true;
|
|
ProtectKernelModules = true;
|
|
MemoryDenyWriteExecute = true;
|
|
PrivateTmp = true;
|
|
LockPersonality = true;
|
|
RestrictRealtime = true;
|
|
DevicePolicy = "closed";
|
|
ProtectClock = true;
|
|
PrivateNetwork = true;
|
|
ProtectControlGroups = true;
|
|
SystemCallArchitectures = "native";
|
|
};
|
|
|
|
mkSystem =
|
|
{
|
|
withSystem,
|
|
hostname,
|
|
username,
|
|
extraModules ? [ ],
|
|
system,
|
|
}:
|
|
withSystem system (
|
|
{ inputs', self', ... }:
|
|
lib.nixosSystem {
|
|
inherit system;
|
|
modules = [
|
|
"${self}/hosts/${hostname}"
|
|
"${self}/options"
|
|
"${self}/modules"
|
|
{ modules.meta = { inherit hostname username; }; }
|
|
] ++ extraModules;
|
|
specialArgs = {
|
|
inherit inputs inputs';
|
|
inherit self self';
|
|
pubkeys = import ../../options/keys.nix { inherit lib; };
|
|
};
|
|
}
|
|
);
|
|
|
|
mkPortOption =
|
|
port: name:
|
|
lib.mkOption {
|
|
type = lib.types.port;
|
|
default = port;
|
|
description = "The port ${name} should listen on";
|
|
};
|
|
|
|
mkOption' =
|
|
type: default: description:
|
|
mkOption { inherit type default description; };
|
|
|
|
validatePath =
|
|
s: if (builtins.pathExists s) then (builtins.baseNameOf s) else throw "${s} does not exist";
|
|
|
|
# Return the main executable of a derivation, throwing if it doesn't exist
|
|
getExe =
|
|
pkg:
|
|
let
|
|
abs = lib.getExe pkg;
|
|
in
|
|
if builtins.pathExists abs then abs else throw "${abs} does not exist.";
|
|
|
|
# Verify the existence of a binary inside of a derivation.
|
|
# Returns the path to the binary or throws.
|
|
getExe' =
|
|
pkg: bin:
|
|
let
|
|
abs = lib.getExe' pkg bin;
|
|
in
|
|
if builtins.pathExists abs then abs else throw "${abs} does not exist.";
|
|
|
|
# Returns the string if the given predicate is true, otherwise returns an empty string is returned
|
|
mkStringIf = predicate: string: if predicate then string else "";
|
|
|
|
mkVHost = name: port: ssl: {
|
|
inherit name;
|
|
value = {
|
|
enableACME = ssl;
|
|
forceSSL = ssl;
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:${toString port}";
|
|
extraConfig = ''
|
|
proxy_ssl_server_name on;
|
|
proxy_pass_header Authorization;
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
|
|
slugify =
|
|
let
|
|
inherit (lib.strings) sanitizeDerivationName;
|
|
in
|
|
str: (sanitizeDerivationName (lib.toLower str));
|
|
|
|
disko = {
|
|
mkBoot = size: {
|
|
size = size;
|
|
type = "EF00";
|
|
content = {
|
|
type = "filesystem";
|
|
format = "vfat";
|
|
mountpoint = "/boot";
|
|
mountOptions = [ "umask=0077" ];
|
|
};
|
|
};
|
|
mkSwap = size: {
|
|
inherit size;
|
|
content = {
|
|
type = "swap";
|
|
randomEncryption = true;
|
|
priority = 100;
|
|
};
|
|
};
|
|
mkRoot = size: format: {
|
|
inherit size;
|
|
content = {
|
|
inherit format;
|
|
type = "filesystem";
|
|
mountpoint = "/";
|
|
mountOptions = [ "defaults" ];
|
|
};
|
|
};
|
|
};
|
|
}
|