nix-da/parts/lib/functions.nix

142 lines
3.2 KiB
Nix

{
lib,
inputs,
self,
...
}:
let
inherit (lib) mkOption;
in
{
systemdHardening = {
IPAddressDeny = "any";
NoNewPrivileges = true;
ProtectSystem = "full";
PrivateDevices = true;
ProtectKernelTunables = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
MemoryDenyWriteExecute = true;
PrivateTmp = true;
LockPersonality = true;
RestrictRealtime = true;
DevicePolicy = "closed";
ProtectClock = true;
PrivateNetwork = true;
ProtectControlGroups = true;
SystemCallArchitectures = "native";
};
mkSystem =
{
withSystem,
hostname,
username,
extraModules ? [ ],
system,
}:
withSystem system (
{ inputs', self', ... }:
lib.nixosSystem {
inherit system;
modules = [
"${self}/hosts/${hostname}"
"${self}/options"
"${self}/modules"
{ modules.meta = { inherit hostname username; }; }
] ++ extraModules;
specialArgs = {
inherit inputs inputs';
inherit self self';
pubkeys = import ../../options/keys.nix { inherit lib; };
};
}
);
mkPortOption =
port: name:
lib.mkOption {
type = lib.types.port;
default = port;
description = "The port ${name} should listen on";
};
mkOption' =
type: default: description:
mkOption { inherit type default description; };
validatePath =
s: if (builtins.pathExists s) then (builtins.baseNameOf s) else throw "${s} does not exist";
# Return the main executable of a derivation, throwing if it doesn't exist
getExe =
pkg:
let
abs = lib.getExe pkg;
in
if builtins.pathExists abs then abs else throw "${abs} does not exist.";
# Verify the existence of a binary inside of a derivation.
# Returns the path to the binary or throws.
getExe' =
pkg: bin:
let
abs = lib.getExe' pkg bin;
in
if builtins.pathExists abs then abs else throw "${abs} does not exist.";
# Returns the string if the given predicate is true, otherwise returns an empty string is returned
mkStringIf = predicate: string: if predicate then string else "";
mkVHost = name: port: ssl: {
inherit name;
value = {
enableACME = ssl;
forceSSL = ssl;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString port}";
extraConfig = ''
proxy_ssl_server_name on;
proxy_pass_header Authorization;
'';
};
};
};
slugify =
let
inherit (lib.strings) sanitizeDerivationName;
in
str: (sanitizeDerivationName (lib.toLower str));
disko = {
mkBoot = size: {
size = size;
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
mkSwap = size: {
inherit size;
content = {
type = "swap";
randomEncryption = true;
priority = 100;
};
};
mkRoot = size: format: {
inherit size;
content = {
inherit format;
type = "filesystem";
mountpoint = "/";
mountOptions = [ "defaults" ];
};
};
};
}