os/modules/core/networking.nix

{
  config,
  pkgs,
  lib,
  ...
}:
with lib; let
  cfg = config.pub-solar.core;
in {
  options.pub-solar.core = {
    enableCaddy = mkOption {
      type = types.bool;
      default = !cfg.lite;
    };
    enableHelp = mkOption {
      type = types.bool;
      default = !cfg.lite;
    };

    binaryCaches = mkOption {
      type = types.listOf types.str;
      default = [];
      description = "Binary caches to use.";
    };
    publicKeys = mkOption {
      type = types.listOf types.str;
      default = [];
      description = "Public keys of binary caches.";
    };
  };
  config = {
    # disable NetworkManager and systemd-networkd -wait-online by default
    systemd.services.NetworkManager-wait-online.enable = lib.mkDefault false;
    systemd.services.systemd-networkd-wait-online.enable = lib.mkDefault false;

    networking.networkmanager = {
      # Enable networkmanager. REMEMBER to add yourself to group in order to use nm related stuff.
      enable = true;
      # not as stable as wpa_supplicant yet, also more trouble with 5 GHz networks
      #wifi.backend = "iwd";
    };

    networking.firewall.enable = true;

    # Customized binary caches list (with fallback to official binary cache)
    nix.settings.substituters = cfg.binaryCaches;
    nix.settings.trusted-public-keys = cfg.publicKeys;

    # These entries get added to /etc/hosts
    networking.hosts = {
      "127.0.0.1" =
        []
        ++ lib.optionals cfg.enableCaddy ["caddy.local"]
        ++ lib.optionals config.pub-solar.printing.enable ["cups.local"]
        ++ lib.optionals cfg.enableHelp ["help.local"];
    };

    # Changing the Caddyfile should only trigger a reload, not a restart
    systemd.services.caddy.reloadTriggers = [
      config.services.caddy.configFile
    ];

    # Caddy reverse proxy for local services like cups
    services.caddy = {
      enable = cfg.enableCaddy;
      globalConfig = ''
        default_bind 127.0.0.1
        auto_https off
      '';
      extraConfig = concatStringsSep "\n" [
        (lib.optionalString
          config.pub-solar.printing.enable
          ''
            cups.local:80 {
              request_header Host localhost:631
              reverse_proxy unix//run/cups/cups.sock
            }
          '')

        (lib.optionalString
          cfg.enableHelp
          ''
            help.local:80 {
              root * ${pkgs.psos-docs}/lib/html
              # Caddy builds the etag with only the file size & latest modified
              # date, which is always 1970-01-01 in the Nix store
              header -ETag
              file_server
            }
          '')
      ];
    };
  };
}
Initial PubSolarOS commit 2021-05-30 19:10:28 +00:00			`{`
nix: use new nix.settings syntax 2022-11-22 11:30:54 +00:00			`config,`
			`pkgs,`
			`lib,`
			`...`
			`}:`
			`with lib; let`
			`cfg = config.pub-solar.core;`
			`in {`
Rework of x-os module / core profile * move core settings to x-os * add option to only install a lite core * rename x-os module to core * remove core profile from flake.nix 2022-08-13 20:59:05 +00:00			`options.pub-solar.core = {`
Improve core module (#132) Reviewed-on: https://git.b12f.io/pub-solar/os/pulls/132 Reviewed-by: Benjamin Bädorf <hello@benjaminbaedorf.eu> 2022-10-02 01:17:34 +00:00			`enableCaddy = mkOption {`
			`type = types.bool;`
			`default = !cfg.lite;`
			`};`
			`enableHelp = mkOption {`
			`type = types.bool;`
			`default = !cfg.lite;`
			`};`

Initial PubSolarOS commit 2021-05-30 19:10:28 +00:00			`binaryCaches = mkOption {`
			`type = types.listOf types.str;`
nix: use new nix.settings syntax 2022-11-22 11:30:54 +00:00			`default = [];`
Initial PubSolarOS commit 2021-05-30 19:10:28 +00:00			`description = "Binary caches to use.";`
			`};`
			`publicKeys = mkOption {`
			`type = types.listOf types.str;`
nix: use new nix.settings syntax 2022-11-22 11:30:54 +00:00			`default = [];`
Initial PubSolarOS commit 2021-05-30 19:10:28 +00:00			`description = "Public keys of binary caches.";`
			`};`
			`};`
			`config = {`
networking: don't wait for network-online It failed upon deployment with deploy-rs and caused it to rollback 2023-01-28 14:13:47 +00:00			`# disable NetworkManager and systemd-networkd -wait-online by default`
Disable NetworkManager-wait-online system service This service is presumably useful for devices that need to ensure there is an active internet connection before starting other systemd units. This is neither the case for end-user devices as the an active internet connection is only needed after login nor the case for server-like systems as they normally have a static / dhcp-based network configuration which does not require switchable network configuration profiles. 2022-08-24 16:19:03 +00:00			`systemd.services.NetworkManager-wait-online.enable = lib.mkDefault false;`
networking: don't wait for network-online It failed upon deployment with deploy-rs and caused it to rollback 2023-01-28 14:13:47 +00:00			`systemd.services.systemd-networkd-wait-online.enable = lib.mkDefault false;`
Disable NetworkManager-wait-online system service This service is presumably useful for devices that need to ensure there is an active internet connection before starting other systemd units. This is neither the case for end-user devices as the an active internet connection is only needed after login nor the case for server-like systems as they normally have a static / dhcp-based network configuration which does not require switchable network configuration profiles. 2022-08-24 16:19:03 +00:00
Initial PubSolarOS commit 2021-05-30 19:10:28 +00:00			`networking.networkmanager = {`
			`# Enable networkmanager. REMEMBER to add yourself to group in order to use nm related stuff.`
			`enable = true;`
wifi: switch backend back to wpa_supplicant 2022-10-17 20:15:22 +00:00			`# not as stable as wpa_supplicant yet, also more trouble with 5 GHz networks`
			`#wifi.backend = "iwd";`
Initial PubSolarOS commit 2021-05-30 19:10:28 +00:00			`};`

Be more paranoid The paranoia mode now also enables the firewall and closes down a couple of small openSSH holes. `noexec` on the whole FS is left out as it will make every existing PubSolarOS installation panic. 2022-10-03 01:57:34 +00:00			`networking.firewall.enable = true;`

Initial PubSolarOS commit 2021-05-30 19:10:28 +00:00			`# Customized binary caches list (with fallback to official binary cache)`
nix: use new nix.settings syntax 2022-11-22 11:30:54 +00:00			`nix.settings.substituters = cfg.binaryCaches;`
			`nix.settings.trusted-public-keys = cfg.publicKeys;`
Initial PubSolarOS commit 2021-05-30 19:10:28 +00:00
			`# These entries get added to /etc/hosts`
			`networking.hosts = {`
nix: use new nix.settings syntax 2022-11-22 11:30:54 +00:00			`"127.0.0.1" =`
			`[]`
			`++ lib.optionals cfg.enableCaddy ["caddy.local"]`
			`++ lib.optionals config.pub-solar.printing.enable ["cups.local"]`
			`++ lib.optionals cfg.enableHelp ["help.local"];`
Initial PubSolarOS commit 2021-05-30 19:10:28 +00:00			`};`

core: reload caddy instead of always restarting when config file changes 2023-03-16 10:49:36 +00:00			`# Changing the Caddyfile should only trigger a reload, not a restart`
			`systemd.services.caddy.reloadTriggers = [`
			`config.services.caddy.configFile`
			`];`

Initial PubSolarOS commit 2021-05-30 19:10:28 +00:00			`# Caddy reverse proxy for local services like cups`
			`services.caddy = {`
Improve core module (#132) Reviewed-on: https://git.b12f.io/pub-solar/os/pulls/132 Reviewed-by: Benjamin Bädorf <hello@benjaminbaedorf.eu> 2022-10-02 01:17:34 +00:00			`enable = cfg.enableCaddy;`
nixos: follow release-22.05 home: follow release-22.05 branch Fixes for upstream changes: ag renamed to silver-searcher, extfat-utils is now exfat, lot's of overrides no longer needed, as they're now in the release branch, services.caddy.config split up into globalConfig and extraConfig 2022-06-02 08:09:42 +00:00			`globalConfig = ''`
Improve help and screen recording keybindings in sway This commit shuffles around some sway keybindings and improves the screen recording experience by adding a small wrapper around `slurp` and `wf-recorder` conveniently called `record-screen`. * `$mod+F5` now reload the sway configuration, * `$mod+Ctrl+r` starts a screen recording (to stop it, go to workspace 7 and kill the process), * `record-screen` and the firefox sharing indicator are both on workspace 7 now, making it the "trash" workspace, * `$mod+F1` and `$mod+Shift+h` now open Firefox with the docs of our repository availabe under `help.local`. * To not infuriate `qMasterPassword` users, that is now available under `$mod+Shift+m` instead of `$mod+F1`. 2022-08-14 16:03:32 +00:00			`default_bind 127.0.0.1`
nixos: follow release-22.05 home: follow release-22.05 branch Fixes for upstream changes: ag renamed to silver-searcher, extfat-utils is now exfat, lot's of overrides no longer needed, as they're now in the release branch, services.caddy.config split up into globalConfig and extraConfig 2022-06-02 08:09:42 +00:00			`auto_https off`
			`'';`
Improve core module (#132) Reviewed-on: https://git.b12f.io/pub-solar/os/pulls/132 Reviewed-by: Benjamin Bädorf <hello@benjaminbaedorf.eu> 2022-10-02 01:17:34 +00:00			`extraConfig = concatStringsSep "\n" [`
			`(lib.optionalString`
			`config.pub-solar.printing.enable`
			`''`
			`cups.local:80 {`
			`request_header Host localhost:631`
			`reverse_proxy unix//run/cups/cups.sock`
			`}`
			`'')`
Improve help and screen recording keybindings in sway This commit shuffles around some sway keybindings and improves the screen recording experience by adding a small wrapper around `slurp` and `wf-recorder` conveniently called `record-screen`. * `$mod+F5` now reload the sway configuration, * `$mod+Ctrl+r` starts a screen recording (to stop it, go to workspace 7 and kill the process), * `record-screen` and the firefox sharing indicator are both on workspace 7 now, making it the "trash" workspace, * `$mod+F1` and `$mod+Shift+h` now open Firefox with the docs of our repository availabe under `help.local`. * To not infuriate `qMasterPassword` users, that is now available under `$mod+Shift+m` instead of `$mod+F1`. 2022-08-14 16:03:32 +00:00
Improve core module (#132) Reviewed-on: https://git.b12f.io/pub-solar/os/pulls/132 Reviewed-by: Benjamin Bädorf <hello@benjaminbaedorf.eu> 2022-10-02 01:17:34 +00:00			`(lib.optionalString`
			`cfg.enableHelp`
			`''`
			`help.local:80 {`
			`root * ${pkgs.psos-docs}/lib/html`
networking: caddy file_server without etag header 2023-03-22 08:32:47 +00:00			`# Caddy builds the etag with only the file size & latest modified`
			`# date, which is always 1970-01-01 in the Nix store`
			`header -ETag`
Improve core module (#132) Reviewed-on: https://git.b12f.io/pub-solar/os/pulls/132 Reviewed-by: Benjamin Bädorf <hello@benjaminbaedorf.eu> 2022-10-02 01:17:34 +00:00			`file_server`
			`}`
			`'')`
			`];`
Initial PubSolarOS commit 2021-05-30 19:10:28 +00:00			`};`
			`};`
			`}`