hosts: make security settings common

Signed-off-by: Amneesh Singh <natto@weirdnatto.in>
2025-06-29 18:48:14 +05:30
parent e1e72965f9
commit da4309e2e0
9 changed files with 24 additions and 32 deletions
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -12,6 +12,7 @@ let
    ./programs/gnupg
    ./programs/git
    ./programs/doas
+    ./security
  ];
  desktopModules = [
    ./programs/adb
--- a/hosts/hina/services.nix
+++ b/hosts/hina/services.nix
@@ -31,12 +31,5 @@ in
      };
    };
  };
-
-  security.acme = {
-    acceptTerms = true;
-    certs = lib.mapAttrs (n: _: { email = "natto@${domain}"; })
-      (lib.filterAttrs (_: v: v.enableACME) config.services.nginx.virtualHosts);
-  };
-  security.pki.certificateFiles = [ ../../cert.pem ];
 }

--- a/hosts/marisa/default.nix
+++ b/hosts/marisa/default.nix
@@ -17,6 +17,4 @@

  time.timeZone = "Asia/Kolkata";
  system.stateVersion = "21.05";
-
-  security.pki.certificateFiles = [ ../../cert.pem ../../consul-agent-ca.pem ];
 }
--- a/hosts/okina/services.nix
+++ b/hosts/okina/services.nix
@@ -24,7 +24,6 @@
    libvirtd.wantedBy = lib.mkForce [ ];
  };

-  security.pki.certificateFiles = [ ../../cert.pem ];
  virtualisation = {
    docker = {
      enable = true;
--- a/hosts/remilia/services.nix
+++ b/hosts/remilia/services.nix
@@ -79,15 +79,5 @@ in
        };
    };
  };
-
-  security.acme = {
-    acceptTerms = true;
-    certs = {
-      "${domain}".extraDomainNames = lib.singleton "www.${domain}";
-    } //
-    lib.mapAttrs (n: _: { email = "natto@${domain}"; })
-      (lib.filterAttrs (_: v: v.enableACME) config.services.nginx.virtualHosts);
-  };
-  security.pki.certificateFiles = [ ../../cert.pem ];
 }

--- a/hosts/satori/services.nix
+++ b/hosts/satori/services.nix
@@ -21,7 +21,6 @@
    libvirtd.wantedBy = lib.mkForce [ ];
  };

-  security.pki.certificateFiles = [ ../../cert.pem ];
  virtualisation = {
    docker = {
      enable = true;
--- a/hosts/security/default.nix
+++ b/hosts/security/default.nix
@@ -0,0 +1,21 @@
+{
+  lib,
+  conf,
+  config,
+  ...
+}:
+let
+  domain = conf.network.addresses.domain.natto;
+  nginx = config.services.nginx;
+in
+{
+  security = {
+    acme = lib.mkIf nginx.enable {
+      acceptTerms = true;
+      certs = lib.mapAttrs (n: _: { email = "natto@${domain}"; }) (
+        lib.filterAttrs (_: v: v.enableACME) nginx.virtualHosts
+      );
+    };
+    pki.certificateFiles = [ ../../cert.pem ];
+  };
+}
--- a/hosts/services/pipewire/default.nix
+++ b/hosts/services/pipewire/default.nix
@@ -1,6 +1,5 @@
-{ lib, config, pkgs, ... }: {
-  # sound stuff
-  sound.enable = true;
+{ ... }:
+{
  services.pipewire = {
    enable = true;
    alsa = {
--- a/hosts/suwako/services.nix
+++ b/hosts/suwako/services.nix
@@ -12,13 +12,5 @@ in
      ports = [ 22 ];
    };
  };
-
-  security.acme = {
-    acceptTerms = true;
-    certs = lib.mapAttrs (n: _: { email = "natto@${domain}"; })
-      (lib.filterAttrs (_: v: v.enableACME) config.services.nginx.virtualHosts);
-  };
-
-  security.pki.certificateFiles = [ ../../cert.pem ];
 }