clean up and improve docs

2025-07-05 12:40:13 +00:00 · 2023-07-30 20:26:23 -04:00
parent ef2ee7b871
commit 3d6f57c324
18 changed files with 102 additions and 65 deletions
--- a/modules/nixos/system/auto-upgrade.nix
+++ b/modules/nixos/system/auto-upgrade.nix
@ -0,0 +1,47 @@
+{ config, pkgs, lib, ... }: {
+
+  # This setting only applies to NixOS, different on Darwin
+  nix.gc.dates = "03:03"; # Run every morning (but before upgrade)
+
+  # Update the system daily by pointing it at the flake repository
+  system.autoUpgrade = {
+    enable = config.server; # Only auto upgrade servers
+    dates = "03:33";
+    flake = "git+${config.dotfilesRepo}";
+    randomizedDelaySec = "25min";
+    operation = "switch";
+    allowReboot = true;
+    rebootWindow = {
+      lower = "00:01";
+      upper = "06:00";
+    };
+  };
+
+  # Create an email notification service for failed jobs
+  systemd.services."notify-email@" =
+    let address = "system@${config.mail.server}";
+    in {
+      enable = config.mail.enable;
+      environment.SERVICE_ID = "%i";
+      script = ''
+        TEMPFILE=$(mktemp)
+        echo "From: ${address}" > $TEMPFILE
+        echo "To: ${address}" >> $TEMPFILE
+        echo "Subject: Failure in $SERVICE_ID" >> $TEMPFILE
+        echo -e "\nGot an error with $SERVICE_ID\n\n" >> $TEMPFILE
+        set +e
+        systemctl status $SERVICE_ID >> $TEMPFILE
+        set -e
+        ${pkgs.msmtp}/bin/msmtp \
+            --file=${config.homePath}/.config/msmtp/config \
+            --account=system \
+            ${address} < $TEMPFILE
+      '';
+    };
+
+  # Send an email whenever auto upgrade fails
+  systemd.services.nixos-upgrade.onFailure =
+    lib.mkIf config.systemd.services."notify-email@".enable
+    [ "notify-email@%i.service" ];
+
+}
--- a/modules/nixos/system/default.nix
+++ b/modules/nixos/system/default.nix
@ -1,6 +1,7 @@
 { config, pkgs, lib, ... }: {

-  imports = [ ./doas.nix ./journald.nix ./user.nix ./timezone.nix ];
+  imports =
+    [ ./auto-upgrade.nix ./doas.nix ./journald.nix ./user.nix ./timezone.nix ];

  config = lib.mkIf pkgs.stdenv.isLinux {

@ -8,54 +9,6 @@
    system.stateVersion =
      config.home-manager.users.${config.user}.home.stateVersion;

-    # This setting only applies to NixOS, different on Darwin
-    nix.gc.dates = "weekly";
-
-    systemd.timers.nix-gc.timerConfig = { WakeSystem = true; };
-    systemd.services.nix-gc.postStop =
-      lib.mkIf (!config.server) "systemctl suspend";
-
-    # Update the system daily
-    system.autoUpgrade = {
-      enable = config.server; # Only auto upgrade servers
-      dates = "03:33";
-      flake = "git+${config.dotfilesRepo}";
-      randomizedDelaySec = "45min";
-      operation = "switch";
-      allowReboot = config.server; # Reboot servers
-      rebootWindow = {
-        lower = "00:01";
-        upper = "06:00";
-      };
-    };
-
-    # Create an email notification service for failed jobs
-    systemd.services."notify-email@" =
-      let address = "system@${config.mail.server}";
-      in {
-        enable = config.mail.enable;
-        environment.SERVICE_ID = "%i";
-        script = ''
-          TEMPFILE=$(mktemp)
-          echo "From: ${address}" > $TEMPFILE
-          echo "To: ${address}" >> $TEMPFILE
-          echo "Subject: Failure in $SERVICE_ID" >> $TEMPFILE
-          echo -e "\nGot an error with $SERVICE_ID\n\n" >> $TEMPFILE
-          set +e
-          systemctl status $SERVICE_ID >> $TEMPFILE
-          set -e
-          ${pkgs.msmtp}/bin/msmtp \
-              --file=${config.homePath}/.config/msmtp/config \
-              --account=system \
-              ${address} < $TEMPFILE
-        '';
-      };
-
-    # Send an email whenever auto upgrade fails
-    systemd.services.nixos-upgrade.onFailure =
-      lib.mkIf config.systemd.services."notify-email@".enable
-      [ "notify-email@%i.service" ];
-
  };

 }
--- a/modules/nixos/system/doas.nix
+++ b/modules/nixos/system/doas.nix
@ -13,11 +13,11 @@
      doas = {
        enable = true;

-        # No password required
+        # No password required for trusted users
        wheelNeedsPassword = false;

        # Pass environment variables from user to root
-        # Also requires removing password here
+        # Also requires specifying that we are removing password here
        extraRules = [{
          groups = [ "wheel" ];
          noPass = true;
@ -26,6 +26,7 @@
      };
    };

+    # Alias sudo to doas for convenience
    home-manager.users.${config.user}.programs.fish.shellAliases = {
      sudo = "doas";
    };
--- a/modules/nixos/system/journald.nix
+++ b/modules/nixos/system/journald.nix
@ -1,6 +1,7 @@
 { ... }: {

  # How long to keep journalctl entries
+  # This helps to make sure log disk usage doesn't grow too unwieldy
  services.journald.extraConfig = ''
    SystemMaxUse=100M
    MaxFileSec=1month
--- a/modules/nixos/system/user.nix
+++ b/modules/nixos/system/user.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }: {
+{ config, lib, ... }: {

  options = {

@ -11,7 +11,7 @@

  };

-  config = lib.mkIf (pkgs.stdenv.isLinux) {
+  config = {

    # Allows us to declaritively set password
    users.mutableUsers = false;