Convert some older nixos-system code

2025-07-08 23:43:17 +02:00 · 2025-07-08 23:43:17 +02:00 · 84bf6d0350
commit 84bf6d0350
parent 1a3c10ea78
45 changed files with 1653 additions and 54 deletions
--- a/nix/modules/nixos/infrastructure/hetzner-instance/default.nix
+++ b/nix/modules/nixos/infrastructure/hetzner-instance/default.nix
@ -6,7 +6,7 @@
 }:
 let
  cfg = config.khscodes.infrastructure.hetzner-instance;
-  fqdn = config.khscodes.fqdn;
+  fqdn = config.khscodes.networking.fqdn;
  firewallTcpRules = lib.lists.map (p: {
    direction = "in";
    protocol = "tcp";
@ -205,8 +205,8 @@ in
    {
      assertions = [
        {
-          assertion = config.khscodes.fqdn != null;
-          message = "Must set config.khscodes.fqdn when using opentofu";
+          assertion = config.khscodes.networking.fqdn != null;
+          message = "Must set config.khscodes.networking.fqdn when using opentofu";
        }
      ];

--- a/nix/modules/nixos/infrastructure/khs-openstack-instance/default.nix
+++ b/nix/modules/nixos/infrastructure/khs-openstack-instance/default.nix
@ -6,7 +6,7 @@
 }:
 let
  cfg = config.khscodes.infrastructure.khs-openstack-instance;
-  fqdn = config.khscodes.fqdn;
+  fqdn = config.khscodes.networking.fqdn;
  firewallTcpRules = lib.lists.flatten (
    lib.lists.map (p: [
      {
@ -232,8 +232,8 @@ in
    {
      assertions = [
        {
-          assertion = config.khscodes.fqdn != null;
-          message = "Must set config.khscodes.fqdn when using opentofu";
+          assertion = config.khscodes.networking.fqdn != null;
+          message = "Must set config.khscodes.networking.fqdn when using opentofu";
        }
      ];

--- a/nix/modules/nixos/networking/default.nix
+++ b/nix/modules/nixos/networking/default.nix
@ -0,0 +1 @@
+{ ... }: { }
--- a/nix/modules/nixos/networking/fqdn/default.nix
+++ b/nix/modules/nixos/networking/fqdn/default.nix
@ -4,10 +4,10 @@
  ...
 }:
 let
-  cfg = config.khscodes.fqdn;
+  cfg = config.khscodes.networking.fqdn;
 in
 {
-  options.khscodes.fqdn = lib.mkOption {
+  options.khscodes.networking.fqdn = lib.mkOption {
    type = lib.types.nullOr lib.types.str;
    default = null;
    description = "Sets the FQDN of the machine. This is a prerequisite for many modules to be used";
--- a/nix/modules/nixos/security/default.nix
+++ b/nix/modules/nixos/security/default.nix
@ -0,0 +1 @@
+{ ... }: { }
--- a/nix/modules/nixos/security/yubikey/default.nix
+++ b/nix/modules/nixos/security/yubikey/default.nix
@ -0,0 +1,31 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.khscodes.security.yubikey;
+in
+{
+  options.khscodes.security.yubikey = {
+    enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    services.pcscd.enable = true;
+    services.udev.packages = [ pkgs.yubikey-personalization ];
+
+    environment.systemPackages = [
+      pkgs.yubikey-manager
+      pkgs.yubico-piv-tool
+    ];
+
+    programs.gnupg.agent = {
+      enable = true;
+      enableSSHSupport = true;
+    };
+  };
+}
--- a/nix/modules/nixos/users/default.nix
+++ b/nix/modules/nixos/users/default.nix
@ -0,0 +1 @@
+{ ... }: { }
--- a/nix/modules/nixos/users/khs/default.nix
+++ b/nix/modules/nixos/users/khs/default.nix
@ -0,0 +1,21 @@
+{ lib, config, ... }:
+let
+  cfg = config.khscodes.users.khs;
+in
+{
+  options.khscodes.users.khs = {
+    enable = lib.mkEnableOption "Enables settings for the khs user. This should be used in conjunction with homes";
+  };
+
+  config = lib.mkIf cfg.enable {
+    snowfallorg.users.khs.admin = true;
+    users.users.khs = {
+      # TODO: What should I do wrt. ensuring the passwords are consistent?
+      #       Maybe set them through OpenBAO and some service?
+      initialPassword = "changeme";
+      openssh.authorizedKeys.keys = [
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqY0FHnWFKfLG2yfgr4qka5sR9CK+EMAhzlHUkaQyWHTKD+G0/vC/fNPyL1VV3Dxc/ajxGuPzVE+mBMoyxazL3EtuCDOVvHJ5CR+MUSEckg/DDwcGHqy6rC8BvVVpTAVL04ByQdwFnpE1qNSBaQLkxaFVdtriGKkgMkc7+UNeYX/bv7yn+APqfP1a3xr6wdkSSdO8x4N2jsSygOIMx10hLyCV4Ueu7Kp8Ww4rGY8j5o7lKJhbgfItBfSOuQHdppHVF/GKYRhdnK6Y2fZVYbhq4KipUtclbZ6O/VYd8/sOO98+LMm7cOX+K35PQjUpYgcoNy5+Sw3CNS/NHn4JvOtTaUEYP7fK6c9LhMULOO3T7Cm6TMdiFjUKHkyG+s2Mu/LXJJoilw571zwuh6chkeitW8+Ht7k0aPV96kNEvTdoXwLhBifVEaChlAsLAzSUjUq+YYCiXVk0VIXCZQWKj8LoVNTmaqDksWwbcT64fw/FpVC0N18WHbKcFUEIW/O4spJMa30CQwf9FeqpoWoaF1oRClCSDPvX0AauCu0JcmRinz1/JmlXljnXWbSfm20/V+WyvktlI0wTD0cdpNuSasT9vS77YfJ8nutcWWZKSkCj4R4uHeCNpDTX5YXzapy7FxpM9ANCXLIvoGX7Yafba2Po+er7SSsUIY1AsnBBr8ZoDVw=="
+      ];
+    };
+  };
+}
--- a/nix/modules/nixos/virtualisation/default.nix
+++ b/nix/modules/nixos/virtualisation/default.nix
@ -1,10 +1 @@
-# TODO: Why is this needed just for this directory?
-# In the other directories this will create the modules twice.
-# Perhaps because there's only a single sub directory here?
-args@{ lib, ... }:
-let
-  modules = lib.khscodes.dirsInPath ./.;
-in
-{
-  imports = lib.lists.map (d: import d args) modules;
-}
+{ ... }: { }
--- a/nix/modules/nixos/virtualisation/qemu-guest/default.nix
+++ b/nix/modules/nixos/virtualisation/qemu-guest/default.nix
@ -6,11 +6,41 @@
 }:
 let
  cfg = config.khscodes.virtualisation.qemu-guest;
+  rng = "-device virtio-rng-pci,rng=rng0 -object rng-random,id=rng0,filename=/dev/urandom";
+  spice = [
+    "-spice disable-ticketing=on,gl=on,unix=on,addr=/tmp/spice.sock"
+    "-device virtio-serial-pci"
+    "-chardev socket,id=agent0,path=vm.sock,server=on,wait=off"
+    "-device virtserialport,chardev=agent0,name=org.qemu.guest_agent.0"
+    "-chardev spicevmc,id=vdagent0,name=vdagent"
+    "-device virtserialport,chardev=vdagent0,name=com.redhat.spice.0"
+    "-chardev spiceport,id=webdav0,name=org.spice-space.webdav.0"
+    "-device virtserialport,chardev=webdav0,name=org.spice-space.webdav.0"
+  ];
 in
 {
  options.khscodes.virtualisation.qemu-guest = {
    enable = lib.mkEnableOption "Configures machine with NixOS profile for qemu guest";
+    enableWhenVmTarget = lib.mkEnableOption "Enables some enhancement settings when building as a vm";
  };

-  config = lib.mkIf cfg.enable (import "${modulesPath}/profiles/qemu-guest.nix" { });
+  imports = [ "${modulesPath}/virtualisation/qemu-vm.nix" ];
+
+  config = lib.mkIf cfg.enableWhenVmTarget {
+    virtualisation = {
+      vmVariant = {
+        services.qemuGuest.enable = true;
+        services.spice-vdagentd.enable = true;
+        khscodes.virtualisation.qemu-guest.enable = true;
+      };
+      memorySize = 1024 * 8;
+      qemu = {
+        options = [
+          "-smp 8"
+          "-vga none -device virtio-gpu-gl,hostmem=2G,blob=true,venus=true"
+          rng
+        ] ++ spice;
+      };
+    };
+  };
 }
--- a/nix/modules/nixos/virtualisation/qemu-guest/profile.nix
+++ b/nix/modules/nixos/virtualisation/qemu-guest/profile.nix
@ -0,0 +1,12 @@
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+let
+  cfg = config.khscodes.virtualisation.qemu-guest;
+in
+{
+  config = lib.mkIf cfg.enable (import "${modulesPath}/profiles/qemu-guest.nix" { });
+}