From 48b7ab9fab9811e52ee5b4a5cbd5b215675b5675 Mon Sep 17 00:00:00 2001 From: reidlab Date: Mon, 26 Feb 2024 17:42:29 -0800 Subject: [PATCH 1/4] disable metrics, for now --- hosts/server/webapps/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/server/webapps/default.nix b/hosts/server/webapps/default.nix index d3e8abd..cdacaeb 100755 --- a/hosts/server/webapps/default.nix +++ b/hosts/server/webapps/default.nix @@ -13,7 +13,7 @@ in { }; metrics = { - enable = true; + enable = false; domain = "metrics.reidlab.online"; port = 2342; }; From af804c63f874595963939c9f6ac515183a586da7 Mon Sep 17 00:00:00 2001 From: reidlab Date: Tue, 27 Feb 2024 23:10:03 -0800 Subject: [PATCH 2/4] rework lib and some general changes --- default.nix | 17 +++++---- flake.lock | 22 +++--------- flake.nix | 43 ++++++++++++++-------- hosts/server/authorizedKeys.nix | 10 ------ hosts/server/default.nix | 6 ++-- lib/attrs.nix | 25 +++++++++++++ lib/default.nix | 27 +++++++------- lib/helpers.nix | 18 ---------- lib/modules.nix | 64 ++++++++++++++++++++------------- lib/nixos.nix | 34 ++++++++++++------ readme.md | 7 ++-- 11 files changed, 152 insertions(+), 121 deletions(-) delete mode 100755 hosts/server/authorizedKeys.nix create mode 100644 lib/attrs.nix delete mode 100755 lib/helpers.nix diff --git a/default.nix b/default.nix index c6e0ae6..b8e345d 100755 --- a/default.nix +++ b/default.nix @@ -1,11 +1,13 @@ { config, inputs, lib, pkgs, ... }: let - inherit (lib) filterAttrs _; + inherit (builtins) toString; + inherit (lib.modules) mkDefault; + inherit (lib.my) mapModulesRec'; in { imports = [ inputs.home-manager.nixosModules.home-manager ] - ++ _.mapModulesRec' ./modules import; + ++ (mapModulesRec' (toString ./modules) import); nix = { settings = { 
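Review bot: The flip to `enable = false;` turns off the whole grafana/loki/prometheus/promtail stack behind `modules.services.metrics` (as its option description later in this series words it), so the server loses its log aggregation and metrics collection, and nothing in the file records that this is meant to be temporary. Put the intent from the commit subject next to the flag so the next reader does not take it for a deliberate decommission: `enable = false; # temporarily disabled, see 48b7ab9`. The enclosing attribute set continues outside the hunk.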
@@ -25,14 +27,15 @@ in { environment.systemPackages = with pkgs; [ unrar unzip curl wget - # hello! if you remove this, good luck - # ever rebuilding your system using flakes! + # nix does not work without git. + # do not remove this. + # nix is awesome git ]; - time.timeZone = lib.mkDefault "America/Los_Angeles"; + time.timeZone = mkDefault "America/Los_Angeles"; - i18n.defaultLocale = lib.mkDefault "en_US.UTF-8"; + i18n.defaultLocale = mkDefault "en_US.UTF-8"; - system.stateVersion = lib.mkDefault "23.11"; + system.stateVersion = mkDefault "23.11"; } diff --git a/flake.lock b/flake.lock index d8114d2..88e4268 100755 --- a/flake.lock +++ b/flake.lock @@ -2,7 +2,9 @@ "nodes": { "home-manager": { "inputs": { - "nixpkgs": "nixpkgs" + "nixpkgs": [ + "nixpkgs" + ] }, "locked": { "lastModified": 1705535278, @@ -19,22 +21,6 @@ } }, "nixpkgs": { - "locked": { - "lastModified": 1705316053, - "narHash": "sha256-J2Ey5mPFT8gdfL2XC0JTZvKaBw/b2pnyudEXFvl+dQM=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "c3e128f3c0ecc1fb04aef9f72b3dcc2f6cecf370", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_2": { "locked": { "lastModified": 1705496572, "narHash": "sha256-rPIe9G5EBLXdBdn9ilGc0nq082lzQd0xGGe092R/5QE=", @@ -53,7 +39,7 @@ "root": { "inputs": { "home-manager": "home-manager", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs" } } }, diff --git a/flake.nix b/flake.nix index a4e0cb3..5e5f2c7 100755 --- a/flake.nix +++ b/flake.nix 
@@ -5,29 +5,44 @@ nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; home-manager.url = "github:nix-community/home-manager"; + home-manager.inputs.nixpkgs.follows = "nixpkgs"; }; outputs = inputs @ { self, nixpkgs, ... }: let + inherit (lib.my) mapModules mapModulesRec mkHost; system = "aarch64-linux"; - lib = import ./lib { inherit pkgs inputs; lib = nixpkgs.lib; }; - inherit (lib._) mapModules mapModulesRec mkHost; + mkPkgs = pkgs: extraOverlays: + import pkgs { + inherit system; + config.allowUnfree = true; + config.allowAliases = false; + overlays = extraOverlays ++ (lib.attrValues self.overlays); + }; + pkgs = mkPkgs nixpkgs [ self.overlays.default ]; - mkPkgs = pkgs: overlays: import pkgs { - inherit system; - config.allowUnfree = true; - overlays = overlays ++ (lib.attrValues self.overlays); - }; - - pkgs = mkPkgs nixpkgs [ self.overlay ]; + lib = nixpkgs.lib.extend (final: prev: { + my = import ./lib { + inherit pkgs inputs; + lib = final; + }; + }); in { + lib = lib.my; + + overlays = + (mapModules ./overlays import) + // { + default = final: prev: { + my = self.packages.${system}; + }; + }; + packages."${system}" = mapModules ./packages (p: pkgs.callPackage p {}); - overlay = final: prev: { - _ = self.packages."${system}"; - }; - overlays = mapModules ./overlays import; - nixosModules = (mapModulesRec ./modules import); + + nixosModules = mapModulesRec ./modules import; + nixosConfigurations = mapModules ./hosts (host: mkHost host { inherit system; }); }; } diff --git a/hosts/server/authorizedKeys.nix b/hosts/server/authorizedKeys.nix deleted file mode 100755 index 3c1f840..0000000 --- a/hosts/server/authorizedKeys.nix +++ /dev/null 
@@ -1,10 +0,0 @@ -[ - # reidlab - { hostname = "reidlab@rei-pc"; - ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICmwWuwS+a1GzYFSNOkgk/zF5bolXqat1RP5FXJv+vto reidlab@rei-pc"; - } - { - hostname = "reidlab@rei-phone"; - ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKC12NkyZAFNDHfq1ECh4uAgM4mpKfsQnL3XF/ZzSyCJ reidlab@rei-phone"; - } -] diff --git a/hosts/server/default.nix b/hosts/server/default.nix index 431ca38..7c50346 100755 --- a/hosts/server/default.nix +++ b/hosts/server/default.nix @@ -17,9 +17,9 @@ in { conf = { packages = with pkgs; [ bat tree micro duf ]; extraGroups = [ "wheel" "dotfiles" ]; - openssh.authorizedKeys.keys = fetchSSHKeys [ - "reidlab@rei-pc" - "reidlab@rei-phone" + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICmwWuwS+a1GzYFSNOkgk/zF5bolXqat1RP5FXJv+vto reidlab@rei-pc" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKC12NkyZAFNDHfq1ECh4uAgM4mpKfsQnL3XF/ZzSyCJ reidlab@rei-phone" ]; }; diff --git a/lib/attrs.nix b/lib/attrs.nix new file mode 100644 index 0000000..e5890b4 --- /dev/null +++ b/lib/attrs.nix @@ -0,0 +1,25 @@ +{lib, ...}: let + inherit (lib.lists) any count; + inherit (lib.attrsets) filterAttrs listToAttrs mapAttrs' mapAttrsToList; +in rec { + # attrsToList + attrsToList = attrs: + mapAttrsToList (name: value: {inherit name value;}) attrs; + + # mapFilterAttrs :: + # (name -> value -> bool) + # (name -> value -> { name = any; value = any; }) + # attrs + mapFilterAttrs = pred: f: attrs: filterAttrs pred (mapAttrs' f attrs); + + # Generate an attribute set by mapping a function over a list of values. + genAttrs' = values: f: listToAttrs (map f values); + + # anyAttrs :: (name -> value -> bool) attrs + anyAttrs = pred: attrs: + any (attr: pred attr.name attr.value) (attrsToList attrs); + + # countAttrs :: (name -> value -> bool) attrs + countAttrs = pred: attrs: + count (attr: pred attr.name attr.value) (attrsToList attrs); +} diff --git a/lib/default.nix b/lib/default.nix index bb1cb9e..1bb3d04 100755 
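Review bot: The header comment `# attrsToList` only repeats the function name, while the neighbouring helpers carry signature-style comments; `# attrsToList :: attrs -> [ { name; value; } ]` would match them. `mapFilterAttrs` also needs its contract spelled out, because `lib/modules.nix` in this same commit drops entries by returning `nameValuePair "" null` from the mapper: `mapAttrs'` folds all of those into a single `""` attribute and `pred` then has to reject it, so a predicate that does not check for `null` keeps a stray `""` key. Suggest `# mappers may return nameValuePair "" null to drop an entry; pred must reject null values` above the definition.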
--- a/lib/default.nix +++ b/lib/default.nix @@ -1,17 +1,20 @@ { inputs, lib, pkgs, ... }: -lib.extend (self: super: let - inherit (lib) attrValues foldr; + inherit (lib.attrsets) attrValues; + inherit (lib.fixedPoints) makeExtensible; + inherit (lib.lists) foldr; inherit (modules) mapModules; - inherit (helpers) getSSH; - modules = import ./modules.nix { inherit lib; }; - helpers = import ./helpers.nix { inherit lib; }; - in { - _ = foldr (a: b: a // b) {} (attrValues (mapModules ./. (file: import file { - inherit pkgs inputs; - lib = self; - }))); - } -) + modules = import ./modules.nix { + inherit lib; + self.attrs = import ./attrs.nix { + inherit lib; + self = {}; + }; + }; + mylib = + makeExtensible (self: + mapModules ./. (file: import file {inherit self lib pkgs inputs;})); + in + mylib.extend (self: super: foldr (a: b: a // b) {} (attrValues super)) diff --git a/lib/helpers.nix b/lib/helpers.nix deleted file mode 100755 index 158ba75..0000000 --- a/lib/helpers.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ lib, ... }: - -with lib; -rec { - indexFrom = origin: name: item: list: foldr - (h: t: - if h.${origin} == name && hasAttr item h - then h.${item} - else t) - (error '' - No item at the origin point ${origin} with element ${name} found. - Please make sure that the item with that origin exists, and, - failing that, that it also has the requested item defined. - '') - list; - - getSSH = name: keys: indexFrom "hostname" name "ssh" keys; -} diff --git a/lib/modules.nix b/lib/modules.nix index 287c1f6..bb30ed5 100755 --- a/lib/modules.nix +++ b/lib/modules.nix 
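Review bot: The closing `mylib.extend (self: super: foldr (a: b: a // b) {} (attrValues super))` flattens every lib file into one namespace, and `//` resolves duplicate names silently — with this fold the file that sorts last in `readDir` order wins — so a helper defined in two lib files would be shadowed with no error, surfacing later as a type error at a `lib.my.*` call site in `flake.nix` or `default.nix`. Consider failing loudly on overlap, e.g. `foldr (a: b: assert lib.intersectLists (lib.attrNames a) (lib.attrNames b) == []; a // b) {} (attrValues super)`. The bootstrap `modules = import ./modules.nix { inherit lib; self.attrs = import ./attrs.nix { inherit lib; self = {}; }; }` reads as a duplicate of what the fixpoint already builds; a comment such as `# bootstrap copy: mapModules is needed to enumerate the very files that make up mylib` would explain why it cannot use `self`.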
@@ -1,27 +1,43 @@ -{ lib, ... }: - -let - inherit (builtins) attrValues readDir pathExists; - inherit (lib) id filterAttrs hasPrefix hasSuffix nameValuePair removeSuffix mapAttrs' trace fix fold isAttrs; +{ + lib, + self, + ... +}: let + inherit (builtins) attrValues readDir pathExists concatLists; + inherit (lib.attrsets) mapAttrsToList filterAttrs nameValuePair; + inherit (lib.strings) hasPrefix hasSuffix removeSuffix; + inherit (lib.trivial) id; + inherit (self.attrs) mapFilterAttrs; in rec { - mapModules' = dir: fn: dirfn: - filterAttrs - (name: type: type != null && !(hasPrefix "_" name)) - (mapAttrs' - (name: type: - let path = "${toString dir}/${name}"; in - if type == "directory" - then nameValuePair name (dirfn path) - else if - type == "regular" && - name != "default.nix" && - hasSuffix ".nix" name - then nameValuePair (removeSuffix ".nix" name) (fn path) - else nameValuePair "" null - ) - (readDir dir)); + mapModules = dir: fn: + mapFilterAttrs (n: v: v != null && !(hasPrefix "_" n)) (n: v: let + path = "${toString dir}/${n}"; + in + if v == "directory" && pathExists "${path}/default.nix" + then nameValuePair n (fn path) + else if v == "regular" && n != "default.nix" && hasSuffix ".nix" n + then nameValuePair (removeSuffix ".nix" n) (fn path) + else nameValuePair "" null) (readDir dir); - mapModules = dir: fn: mapModules' dir fn (path: if pathExists "${path}/default.nix" then fn path else null); - mapModulesRec = dir: fn: mapModules' dir fn (path: mapModulesRec path fn); - mapModulesRec' = dir: fn: fix (f: attrs: fold (x: xs: (if isAttrs x then f x else [x]) ++ xs) [] (attrValues attrs)) (mapModulesRec dir fn); + mapModules' = dir: fn: attrValues (mapModules dir fn); + + mapModulesRec = dir: fn: + mapFilterAttrs (n: v: v != null && !(hasPrefix "_" n)) (n: v: let + path = "${toString dir}/${n}"; + in + if v == "directory" + then nameValuePair n (mapModulesRec path fn) + else if v == "regular" && n != "default.nix" && hasSuffix ".nix" n + then 
nameValuePair (removeSuffix ".nix" n) (fn path) + else nameValuePair "" null) (readDir dir); + + mapModulesRec' = dir: fn: let + dirs = + mapAttrsToList (k: _: "${dir}/${k}") + (filterAttrs (n: v: v == "directory" && !(hasPrefix "_" n)) + (readDir dir)); + files = attrValues (mapModules dir id); + paths = files ++ concatLists (map (d: mapModulesRec' d id) dirs); + in + map fn paths; } diff --git a/lib/nixos.nix b/lib/nixos.nix index 464bf91..e39e809 100755 --- a/lib/nixos.nix +++ b/lib/nixos.nix @@ -1,21 +1,35 @@ -{ inputs, lib, pkgs, ... }: - -with lib; { - mkHost = path: attrs@{ system, ... }: + inputs, + lib, + pkgs, + self, + ... +}: let + inherit (inputs.nixpkgs.lib) nixosSystem; + inherit (builtins) baseNameOf elem; + inherit (lib.attrsets) filterAttrs; + inherit (lib.modules) mkDefault; + inherit (lib.strings) removeSuffix; + inherit (self.modules) mapModules; +in rec { + mkHost = path: attrs @ {system ? "aarch64-linux", ...}: nixosSystem { inherit system; - specialArgs = { inherit lib inputs system; }; + + specialArgs = {inherit lib inputs system;}; + modules = [ { nixpkgs.pkgs = pkgs; - networking.hostName = mkDefault (removeSuffix ".nix" (baseNameOf path)); + networking.hostName = + mkDefault (removeSuffix ".nix" (baseNameOf path)); } - (filterAttrs (n: v: !elem n [ "system" ]) attrs) - - ../. - + (filterAttrs (n: v: !elem n ["system"]) attrs) + ../. # /default.nix (import path) ]; }; + + mapHosts = dir: attrs @ {system ? system, ...}: + mapModules dir (hostPath: mkHost hostPath attrs); } diff --git a/readme.md b/readme.md index a0fc4d7..6aa4b26 100755 --- a/readme.md +++ b/readme.md 
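Review bot: `mapModulesRec'` builds subdirectory paths as `"${dir}/${k}"` whereas `mapModules` and `mapModulesRec` above use `"${toString dir}/${n}"`; with a path argument (the `mapModulesRec' ./modules` form the old implementation accepted) the bare interpolation copies the directory into the store and walks the copy, which is why `default.nix` in this commit has to pass `toString ./modules`. Make the helper robust on its own: `mapAttrsToList (k: _: "${toString dir}/${k}")`. Separately, the new `mapModulesRec'` returns both a subdirectory that has a `default.nix` (via `mapModules dir id`) and the other `.nix` files inside it (via the recursion over `dirs`), which the previous `fix`/`fold` version did not do for the directory itself; if that is intended, say so with `# a dir with default.nix is yielded as a module and its remaining files are still walked`.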
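Review bot: `mapHosts = dir: attrs @ {system ? system, ...}:` gives `system` a default that is itself, which Nix reports as infinite recursion the moment `system` is forced; it passes today only because the body never reads `system` (`attrs` is the caller's set, without defaults, and goes straight to `mkHost`). Either drop the pattern, `mapHosts = dir: attrs: mapModules dir (hostPath: mkHost hostPath attrs);`, or default it the way `mkHost` does, `attrs @ {system ? "aarch64-linux", ...}`. The `"aarch64-linux"` literal in `mkHost` is the hard-coding the readme's todo list refers to; a `# TODO: per-host system selection` next to it would tie the two together.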
@@ -18,8 +18,5 @@ before committing, please run `nix flake check` and make sure everything is ok ## todo -- analytics using matomo -- php support in staticsites -- no more luapackagepath. please stop. -- not sure if this is cloudflare doing this or our acme config, but accessing invalid subdomains returns a dumb ssl error -- this is not related to the flake but it is to the site. transfer from namecheap to porkbun plz +- remove the lua static stuff from nginx +- add a helper for per-host architecture picking, atm it is hardcoded to `aarch64` From 06b42a1aa6aa4fcfbbad814ae54b6503ac45b297 Mon Sep 17 00:00:00 2001 From: reidlab Date: Wed, 28 Feb 2024 00:07:58 -0800 Subject: [PATCH 3/4] we can compile! --- default.nix | 1 + flake.nix | 4 ++-- hosts/server/default.nix | 6 +----- readme.md | 5 +++-- 4 files changed, 7 insertions(+), 9 deletions(-) diff --git a/default.nix b/default.nix index b8e345d..c685d66 100755 --- a/default.nix +++ b/default.nix @@ -31,6 +31,7 @@ in { # do not remove this. # nix is awesome git + neofetch ]; time.timeZone = mkDefault "America/Los_Angeles"; diff --git a/flake.nix b/flake.nix index 5e5f2c7..3d96afd 100755 --- a/flake.nix +++ b/flake.nix @@ -10,7 +10,7 @@ outputs = inputs @ { self, nixpkgs, ... }: let - inherit (lib.my) mapModules mapModulesRec mkHost; + inherit (lib.my) mapModules mapModulesRec mapHosts; system = "aarch64-linux"; mkPkgs = pkgs: extraOverlays: @@ -43,6 +43,6 @@ nixosModules = mapModulesRec ./modules import; - nixosConfigurations = mapModules ./hosts (host: mkHost host { inherit system; }); + nixosConfigurations = mapHosts ./hosts {}; }; } diff --git a/hosts/server/default.nix b/hosts/server/default.nix index 7c50346..cf0c096 100755 --- a/hosts/server/default.nix +++ b/hosts/server/default.nix @@ -1,9 +1,7 @@ { config, lib, pkgs, ... }: let - keys = import ./authorizedKeys.nix; - fetchSSH = (host: lib._.getSSH host keys); - fetchSSHKeys = map fetchSSH; + in { imports = [ ./hardware-configuration.nix 
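Review bot: Removing `keys`, `fetchSSH` and `fetchSSHKeys` leaves an empty `let` ahead of `in {` (the added `+` line is just a blank where the bindings were); Nix accepts `let in { … }`, but it reads as if something was lost. Drop the pair so the file starts `{ config, lib, pkgs, ... }: {`, or leave a comment in place if bindings are expected to return. The module body continues outside the hunk.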
@@ -53,8 +51,6 @@ in { security.useDoas = true; }; - time.timeZone = "America/Los_Angeles"; - networking = { hostName = "nixos-server-reid"; networkmanager.enable = true; diff --git a/readme.md b/readme.md index 6aa4b26..dabed97 100755 --- a/readme.md +++ b/readme.md @@ -18,5 +18,6 @@ before committing, please run `nix flake check` and make sure everything is ok ## todo -- remove the lua static stuff from nginx -- add a helper for per-host architecture picking, atm it is hardcoded to `aarch64` +- remove the lua static stuff from nginx + the cf ip +- per-host architecture selection, atm it is hardcoded to `aarch64` +- some weird perl error abt locales when building??? it only happened after the big lib update. help me From 5d5cd7979c738114ae37461e51aed8c813b409c1 Mon Sep 17 00:00:00 2001 From: reidlab Date: Wed, 28 Feb 2024 19:02:34 -0800 Subject: [PATCH 4/4] simplify enable opts, and fix security.nix --- default.nix | 9 +++++---- modules/security.nix | 28 +++++++++++++++++++++------- modules/services/forgejo.nix | 5 +---- modules/services/metrics.nix | 5 +---- modules/services/mosh.nix | 5 +---- modules/services/nginx-conf.nix | 5 +---- modules/services/postgres.nix | 5 +---- modules/services/redis.nix | 5 +---- modules/services/ssh.nix | 6 +----- readme.md | 1 + 10 files changed, 34 insertions(+), 40 deletions(-) diff --git a/default.nix b/default.nix index c685d66..b42b9a8 100755 --- a/default.nix +++ b/default.nix @@ -6,7 +6,9 @@ let inherit (lib.my) mapModulesRec'; in { imports = - [ inputs.home-manager.nixosModules.home-manager ] + [ + inputs.home-manager.nixosModules.home-manager + ] ++ (mapModulesRec' (toString ./modules) import); nix = { @@ -27,11 +29,10 @@ in { environment.systemPackages = with pkgs; [ unrar unzip curl wget - # nix does not work without git. - # do not remove this. + # nixos-rebuild w/ flakes does not work without git + # do not remove this # nix is awesome git - neofetch ]; time.timeZone = mkDefault "America/Los_Angeles"; 
diff --git a/modules/security.nix b/modules/security.nix
index 7f56006..474b50c 100755
--- a/modules/security.nix
+++ b/modules/security.nix
@@ -14,24 +14,38 @@ in {
 tmp.cleanOnBoot = lib.mkDefault (!config.boot.tmp.useTmpfs);
 kernel.sysctl = {
+ # magic sysrq key, allows low-level commands through keyboard input
 "kernel.sysrq" = 0;
- "net.ipv4.conf.all.accept_source_code" = 0;
- "net.ipv6.conf.all.accept_source_code" = 0;
- "net.ipv4.conf.default.send_redirects" = 0;
+ ## TCP hardening
+ # prevent bogus ICMP errors from filling up logs
+ "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+ # do not accept IP source packets (we are not a router)
+ "net.ipv4.conf.all.accept_source_route" = 0;
+ "net.ipv6.conf.all.accept_source_route" = 0;
+ # Don't send ICMP redirects (again, we're not a router)
 "net.ipv4.conf.all.send_redirects" = 0;
- "net.ipv4.conf.default.accept_redirects" = 0;
+ "net.ipv4.conf.default.send_redirects" = 0;
+ # refuse ICMP redirects (MITM mitigations)
 "net.ipv4.conf.all.accept_redirects" = 0;
- "net.ipv6.conf.default.accept_redirects" = 0;
- "net.ipv6.conf.all.accept_redirects" = 0;
- "net.ipv4.conf.default.secure_redirects" = 0;
+ "net.ipv4.conf.default.accept_redirects" = 0;
 "net.ipv4.conf.all.secure_redirects" = 0;
+ "net.ipv4.conf.default.secure_redirects" = 0;
+ "net.ipv6.conf.all.accept_redirects" = 0;
+ "net.ipv6.conf.default.accept_redirects" = 0;
+ # protects against SYN flood attacks
 "net.ipv4.tcp_syncookies" = 1;
+ # incomplete protection against TIME-WAIT assassination
 "net.ipv4.tcp_rfc1337" = 1;
+
+ ## TCP optimization
+ # TCP fastopen
 "net.ipv4.tcp_fastopen" = 3;
+ # bufferbloat mitigations + improvement in throughput and latency
 "net.ipv4.tcp_conjestion_control" = "bbr";
 "net.core.default_qdisc" = "cake";
 };
+ kernelModules = [ "tcp_bbr" ];
 };
 security = {
diff --git a/modules/services/forgejo.nix b/modules/services/forgejo.nix
index babc2bd..4743b4c 100755
--- a/modules/services/forgejo.nix
+++ b/modules/services/forgejo.nix
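Review bot: The context line `"net.ipv4.tcp_conjestion_control" = "bbr";` misspells the kernel knob, which is `net.ipv4.tcp_congestion_control`; sysctl rejects the unknown key at boot, so BBR is never selected even though this commit adds `kernelModules = [ "tcp_bbr" ];` and a comment for exactly that line. Since the commit message says it fixes this file, correct the key here: `"net.ipv4.tcp_congestion_control" = "bbr";`. The comment over `"kernel.sysrq" = 0;` explains what SysRq is but not what the value does; `# magic sysrq key: 0 disables every SysRq function` would. `"net.ipv4.tcp_fastopen" = 3;` enables TCP Fast Open on both the client (bit 1) and server (bit 2) sides; a comment saying why both are wanted on this host would make `3` a deliberate choice rather than a copied value.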
@@ -11,10 +11,7 @@ let
 };
 in {
 options.modules.services.forgejo = {
- enable = mkOption {
- type = types.bool;
- default = false;
- };
+ enable = mkEnableOption "enable forgejo, a lightweight git server";
 domain = mkOption {
 type = types.str;
 default = "git.reidlab.online";
diff --git a/modules/services/metrics.nix b/modules/services/metrics.nix
index 270f71c..1cbd26b 100644
--- a/modules/services/metrics.nix
+++ b/modules/services/metrics.nix
@@ -5,10 +5,7 @@ let
 cfg = config.modules.services.metrics;
 in {
 options.modules.services.metrics = {
- enable = mkOption {
- type = types.bool;
- default = false;
- };
+ enable = mkEnableOption "enable grafana with loki, prometheus, and promtail";
 domain = mkOption {
 type = types.str;
 default = "grafana.reidlab.online";
diff --git a/modules/services/mosh.nix b/modules/services/mosh.nix
index da344a3..2860c6f 100755
--- a/modules/services/mosh.nix
+++ b/modules/services/mosh.nix
@@ -5,10 +5,7 @@ let
 cfg = config.modules.services.mosh;
 in {
 options.modules.services.mosh = {
- enable = mkOption {
- type = types.bool;
- default = false;
- };
+ enable = mkEnableOption "enable mosh, the mobile SSH shell";
 };
 config = mkIf cfg.enable {
diff --git a/modules/services/nginx-conf.nix b/modules/services/nginx-conf.nix
index f3dc6a8..f446f57 100755
--- a/modules/services/nginx-conf.nix
+++ b/modules/services/nginx-conf.nix
@@ -5,10 +5,7 @@ let
 cfg = config.modules.services.nginx-config;
 in {
 options.modules.services.nginx-config = {
- enable = mkOption {
- type = types.bool;
- default = false;
- };
+ enable = mkEnableOption "enable nginx, a high performance web server along with default configurations";
 package = mkOption {
 type = types.package;
diff --git a/modules/services/postgres.nix b/modules/services/postgres.nix
index abde301..5074c6c 100755
--- a/modules/services/postgres.nix
+++ b/modules/services/postgres.nix
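Review bot: `mkEnableOption` already prefixes its argument with "Whether to enable " and appends a period, so `mkEnableOption "enable forgejo, a lightweight git server"` renders in the option docs as "Whether to enable enable forgejo, a lightweight git server."; the argument should name only the thing being enabled: `enable = mkEnableOption "forgejo, a lightweight git server";`. The same doubled "enable" is in the metrics, mosh and nginx-conf hunks below and in the postgres, redis and ssh hunks that follow; ssh additionally discards the old description "Provide system SSH support though OpenSSH." instead of carrying its wording over. None of the hunks show where `mkEnableOption` is brought into scope — `mkOption` was already used unqualified, so presumably a `with lib;` above covers it, but worth confirming per file.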
@@ -5,10 +5,7 @@ let
 cfg = config.modules.services.postgres;
 in {
 options.modules.services.postgres = {
- enable = mkOption {
- type = types.bool;
- default = false;
- };
+ enable = mkEnableOption "enable postgres, the database industry standard";
 };
 config = mkIf cfg.enable {
diff --git a/modules/services/redis.nix b/modules/services/redis.nix
index cc8ae4b..30f1888 100755
--- a/modules/services/redis.nix
+++ b/modules/services/redis.nix
@@ -5,10 +5,7 @@ let
 cfg = config.modules.services.redis;
 in {
 options.modules.services.redis = {
- enable = mkOption {
- type = types.bool;
- default = false;
- };
+ enable = mkEnableOption "enable redis, a speedy cache database";
 };
 config = mkIf cfg.enable {
diff --git a/modules/services/ssh.nix b/modules/services/ssh.nix
index e8dba7c..59fc01c 100755
--- a/modules/services/ssh.nix
+++ b/modules/services/ssh.nix
@@ -5,11 +5,7 @@ let
 cfg = config.modules.services.ssh;
 in {
 options.modules.services.ssh = {
- enable = mkOption {
- type = types.bool;
- default = false;
- description = "Provide system SSH support though OpenSSH.";
- };
+ enable = mkEnableOption "enable openssh, a server for remote shell access";
 requirePassword = mkOption {
 type = types.bool;
diff --git a/readme.md b/readme.md
index dabed97..955a65a 100755
--- a/readme.md
+++ b/readme.md
@@ -21,3 +21,4 @@ before committing, please run `nix flake check` and make sure everything is ok - remove the lua static stuff from nginx + the cf ip - per-host architecture selection, atm it is hardcoded to `aarch64` - some weird perl error abt locales when building??? it only happened after the big lib update. help me +- leverage nixos-hardware