treewide: overhaul structure

flake.nix

@@ -8,7 +8,6 @@
 
       imports = [
         ./hosts
-        ./modules
         ./pre-commit-hooks.nix
       ];
 
@@ -19,11 +18,6 @@
         inputs',
         ...
       }: {
-        _module.args.pkgs = import inputs.nixpkgs {
-          inherit system;
-          config.allowUnfree = true;
-        };
-
         formatter = pkgs.alejandra;
 
         devShells.default = pkgs.mkShell {

hosts/default.nix

@@ -1,30 +1,34 @@
 {
   inputs,
-  shared_modules,
+  self,
   ...
 }: let
   inherit (inputs.nixpkgs.lib) nixosSystem;
+
+  mod = "${self}/modules";
+  specialArgs = {inherit inputs self;};
 in {
   flake.nixosConfigurations = {
     germanium = nixosSystem {
-      modules =
-        [
-          ./germanium
-          ../modules/vaultwarden.nix
-          ../modules/website.nix
-        ]
-        ++ shared_modules;
+      inherit specialArgs;
+      modules = [
+        ./germanium
+        mod
+        "${mod}/networking"
+        "${mod}/services/caddy.nix"
+        "${mod}/services/vaultwarden.nix"
+        "${mod}/services/website.nix"
+      ];
     };
 
     homesv = nixosSystem {
-      modules =
-        [
-          ./homesv
-          ../modules/samba.nix
-        ]
-        ++ shared_modules;
-
-      system = "x86_64-linux";
+      inherit specialArgs;
+      modules = [
+        ./homesv
+        mod
+        "${mod}/networking"
+        "${mod}/services/samba.nix"
+      ];
     };
   };
 }

modules/core/default.nix

@@ -0,0 +1,31 @@
+{
+  inputs,
+  pkgs,
+  lib,
+  ...
+}:
+# configuration shared by all hosts
+{
+  imports = [
+    inputs.agenix.nixosModules.default
+    inputs.srvos.nixosModules.server
+    ./nix.nix
+    ./security.nix
+    ./users.nix
+  ];
+
+  environment.systemPackages = [pkgs.helix];
+
+  i18n = {
+    defaultLocale = "en_US.UTF-8";
+    supportedLocales = ["en_US.UTF-8/UTF-8"];
+  };
+
+  networking.domain = "fufexan.net";
+
+  programs.vim.defaultEditor = false;
+
+  system.stateVersion = lib.mkDefault "23.11";
+
+  zramSwap.enable = true;
+}

modules/core/nix.nix

@@ -0,0 +1,28 @@
+{
+  config,
+  inputs,
+  lib,
+  ...
+}: {
+  nix = {
+    gc = {
+      automatic = true;
+      dates = "weekly";
+      options = "--delete-older-than 7d";
+    };
+
+    # pin the registry to avoid downloading and evaling a new nixpkgs version every time
+    registry = let
+      flakeInputs = lib.filterAttrs (_: v: lib.isType "flake" v) inputs;
+    in
+      lib.mapAttrs (_: v: {flake = v;}) flakeInputs;
+
+    # set the path for channels compat
+    nixPath = lib.mapAttrsToList (key: _: "${key}=flake:${key}") config.nix.registry;
+    settings = {
+      auto-optimise-store = true;
+      flake-registry = "/etc/nix/registry.json";
+      trusted-users = ["root" "@wheel"];
+    };
+  };
+}

modules/security.nix → modules/core/security.nix

@@ -36,15 +36,5 @@
     # data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for
     # both incoming and outgoing connections:
     "net.ipv4.tcp_fastopen" = 3;
-    # Bufferbloat mitigations + slight improvement in throughput & latency
-    "net.ipv4.tcp_congestion_control" = "bbr";
-    "net.core.default_qdisc" = "cake";
-  };
-  boot.kernelModules = ["tcp_bbr"];
-
-  # So we don't have to do this later...
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "[email protected]";
   };
 }

modules/core/users.nix

@@ -0,0 +1,10 @@
+{
+  users.users.mihai = {
+    isNormalUser = true;
+    extraGroups = ["wheel"];
+    initialPassword = "123";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOq9Gew1rgfdIyuriJ/Ne0B8FE1s8O/U2ajErVQLUDu9 mihai@io"
+    ];
+  };
+}

modules/default.nix

@@ -1,16 +1,5 @@
 {
-  inputs,
-  self,
-  ...
-}: {
   imports = [
-    {
-      _module.args.shared_modules = [
-        {_module.args = {inherit inputs self;};}
-        inputs.agenix.nixosModules.default
-        inputs.srvos.nixosModules.server
-        ./core.nix
-      ];
-    }
+    ./core
   ];
 }

modules/networking/default.nix

@@ -0,0 +1,17 @@
+{lib, ...}: {
+  imports = [
+    ./tailscale.nix
+    ./openssh.nix
+  ];
+
+  systemd.network = {
+    enable = true;
+    networks."90-ethernet" = lib.mkDefault {
+      matchConfig.Name = "ether";
+      networkConfig = {
+        DHCP = "yes";
+        IPv6AcceptRA = "yes";
+      };
+    };
+  };
+}

modules/networking/openssh.nix

@@ -0,0 +1,13 @@
+{
+  services.openssh = {
+    enable = true;
+    openFirewall = true;
+    hostKeys = [
+      {
+        path = "/etc/ssh/ssh_host_ed25519_key";
+        type = "ed25519";
+        rounds = 100;
+      }
+    ];
+  };
+}

modules/networking/tailscale.nix

@@ -0,0 +1,15 @@
+{
+  # used by tailscale for exit node
+  boot.kernel.sysctl = {
+    "net.ipv4.ip_forward" = true;
+    "net.ipv6.conf.all.forwarding" = true;
+  };
+
+  networking.firewall.trustedInterfaces = ["tailscale0"];
+
+  # inter-machine VPN
+  services.tailscale = {
+    enable = true;
+    openFirewall = true;
+  };
+}

modules/services/caddy.nix

@@ -0,0 +1,10 @@
+{
+  networking.firewall = let
+    ports = [80 443];
+  in {
+    allowedTCPPorts = ports;
+    allowedUDPPorts = ports;
+  };
+
+  services.caddy.enable = true;
+}