Only enable acme module on servers where certificates are configured

This reverts commit d0b81511ff.

flake.lock

@@ -12,11 +12,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1707830867,
+        "lastModified": 1712079060,
-        "narHash": "sha256-PAdwm5QqdlwIqGrfzzvzZubM+FXtilekQ/FA0cI49/o=",
+        "narHash": "sha256-/JdiT9t+zzjChc5qQiF+jhrVhRt8figYH29rZO7pFe4=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "8cb01a0e717311680e0cbca06a76cbceba6f3ed6",
+        "rev": "1381a759b205dff7a6818733118d02253340fd5e",
         "type": "github"
       },
       "original": {
@@ -53,11 +53,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1711915616,
+        "lastModified": 1712266167,
-        "narHash": "sha256-co6LoFA+j6BZEeJNSR8nZ4oOort5qYPskjrDHBaJgmo=",
+        "narHash": "sha256-gr2CBgT8t+utDqzWSp2vSjX/c39Q0BNtrWE6/cDhhEE=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "820be197ccf3adaad9a8856ef255c13b6cc561a6",
+        "rev": "0c73c1b8da28a24c4fe842ced3f2548d5828b550",
         "type": "github"
       },
       "original": {
@@ -120,11 +120,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1711668574,
+        "lastModified": 1712168706,
-        "narHash": "sha256-u1dfs0ASQIEr1icTVrsKwg2xToIpn7ZXxW3RHfHxshg=",
+        "narHash": "sha256-XP24tOobf6GGElMd0ux90FEBalUtw6NkBSVh/RlA6ik=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "219951b495fc2eac67b1456824cc1ec1fd2ee659",
+        "rev": "1487bdea619e4a7a53a4590c475deabb5a9d1bfb",
         "type": "github"
       },
       "original": {
@@ -136,11 +136,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1711703276,
+        "lastModified": 1712163089,
-        "narHash": "sha256-iMUFArF0WCatKK6RzfUJknjem0H9m4KgorO/p3Dopkk=",
+        "narHash": "sha256-Um+8kTIrC19vD4/lUCN9/cU9kcOsD1O1m+axJqQPyMM=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "d8fe5e6c92d0d190646fb9f1056741a229980089",
+        "rev": "fd281bd6b7d3e32ddfa399853946f782553163b5",
         "type": "github"
       },
       "original": {
@@ -165,11 +165,11 @@
     },
     "secrets": {
       "locked": {
-        "lastModified": 1711905032,
+        "lastModified": 1712273928,
-        "narHash": "sha256-+hLmLxA2gejnokzOwGuKg9Q0EOHLdWJLhXrIRpbMDjA=",
+        "narHash": "sha256-+IXhsd5kJP5R5RxqEbaAI/s3QznTH4xUEL4+1Ho9jvA=",
         "ref": "refs/heads/master",
-        "rev": "2f6734ceecf871e24d90e545e1fcadbcb50b3f8b",
+        "rev": "67f2b19f91b48e008b0c956fd9e06522b609767d",
-        "revCount": 12,
+        "revCount": 13,
         "type": "git",
         "url": "ssh://git@git.caspervk.net/caspervk/nixos-secrets.git"
       },

hosts/omega/sway.nix

@@ -14,10 +14,6 @@
           };
         };
         workspaceOutputAssign = [
-          {
-            workspace = "8";
-            output = "DP-2";
-          }
           {
             workspace = "9";
             output = "DP-2";

modules/base/impermanence.nix

@@ -15,25 +15,11 @@
     impermanence.nixosModules.impermanence
   ];
 
-  # We *don't* want to use tmpfs for /tmp in case we have to put big files
-  # there. Instead, we mount it to the disk and instruct systemd to clean it on
-  # boot.
-  # TODO: There might be a way to configure /tmp to be in-memory storage until
-  # it gets too big.
-  boot.tmp.cleanOnBoot = true;
-
   # Each module will configure the paths they need persisted. Here we define
   # some general system paths that don't really fit anywhere else.
   environment.persistence."/nix/persist" = {
     hideMounts = true;
     directories = [
-      # See comment above for /tmp
-      {
-        directory = "/tmp";
-        user = "root";
-        group = "root";
-        mode = "1777";
-      }
       # The uid and gid maps for entities without a static id is saved in
       # /var/lib/nixos. Persist to ensure they aren't changed between reboots.
       {
@@ -55,6 +41,15 @@
         group = "root";
         mode = "0755";
       }
+      # /var/tmp is meant for temporary files that are preserved across
+      # reboots. Some programs might store files too big for in-memory /tmp
+      # there. Files older than 10 days are cleaned by systemd.
+      {
+        directory = "/var/tmp";
+        user = "root";
+        group = "root";
+        mode = "1777";
+      }
     ];
     files = [
       "/etc/machine-id" # needed for /var/log

modules/base/network.nix

@@ -1,4 +1,4 @@
-{lib, ...}: {
+{config, ...}: {
   # https://nixos.wiki/wiki/Networking
   # https://nixos.wiki/wiki/Systemd-networkd
 
@@ -10,7 +10,7 @@
       # Do not spam dmesg/journalctl with refused connections
       logRefusedConnections = false;
     };
-    nameservers = ["127.0.0.1"]; # unbound
+    nameservers = ["159.69.4.2#dns.caspervk.net" "2a01:4f8:1c0c:70d1::1#dns.caspervk.net"];
     search = ["caspervk.net"];
   };
 
@@ -19,34 +19,38 @@
   networking.useNetworkd = true;
   systemd.network.enable = true;
 
-  # Force-disable the systemd-resolved stub resolver, which is enabled
+  # systemd-resolved provides DNS resolution to local applications through
-  # automatically in some cases, such as when enabling systemd-networkd.
+  # D-Bus, NSS, and a local stub resolver on 127.0.0.53. It implements caching
-  services.resolved.enable = lib.mkForce false;
+  # and DNSSEC validation. We configure it to only, and always, use
-
+  # dns.caspervk.net over TLS.
-  # Unbound provides DNS resolution to local applications on 127.0.0.1. It
+  # NOTE: It's surprisingly hard to get the system to always follow the custom
-  # enables caching and DNSSEC validation by default. We configure it to only,
+  # DNS servers rather than the DHCP-provided ones. Check the traffic with:
-  # and always, use dns.caspervk.net over TLS.
+  # > sudo tcpdump -n --interface=any '(udp port 53) or (tcp port 853)'
-  # By the way, it's surprisingly hard to get the system to always follow the
+  # or
-  # custom DNS servers rather than the DHCP-provided ones. Check the traffic
+  # > sudo resolvectl log-level debug
-  # with: sudo tcpdump -n --interface=any '(udp port 53) or (tcp port 853)'
+  # > sudo journalctl -fu systemd-resolved.service
-  # https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html
+  # https://nixos.wiki/wiki/Encrypted_DNS
-  services.unbound = {
+  # https://nixos.wiki/wiki/Systemd-resolved
+  services.resolved = {
     enable = true;
-    settings = {
+    dnsovertls = "true";
-      server = {
+    # TODO: DNSSEC support in systemd-resolved is considered experimental and
-        interface = ["127.0.0.1"];
+    # incomplete. Upstream will validate for us anyway, and we trust it.
-      };
+    # https://wiki.archlinux.org/title/systemd-resolved#DNSSEC
-      forward-zone = [
+    dnssec = "false";
-        {
+    # 'Domains' is used for two distinct purposes; first, any domains *not*
-          name = ".";
+    # prefixed with '~' are used as search suffixes when resolving single-label
-          forward-addr = [
+    # hostnames into FQDNs. The NixOS default is to set this to
-            "159.69.4.2#dns.caspervk.net"
+    # `config.networking.search`, which we maintain. Second, domains prefixed
-            "2a01:4f8:1c0c:70d1::1#dns.caspervk.net"
+    # with '~' ("route-only domains") define a search path that preferably
-          ];
+    # directs DNS queries to this interface. The '~.' construct use the DNS
-          forward-tls-upstream = "yes";
+    # servers defined here preferably for the root (all) domain(s).
-        }
+    # https://man.archlinux.org/man/resolved.conf.5
-      ];
+    domains = config.networking.search ++ ["~."];
-    };
+    # Resolved falls back to DNS servers operated by American internet
+    # surveillance and adtech companies by default. No thanks, I'd rather have
+    # no DNS at all.
+    fallbackDns = config.networking.nameservers;
   };
 
   # TCP BBR has significantly increased throughput and reduced latency. Note

modules/desktop/network.nix

@@ -4,7 +4,7 @@
     # Instead, we enable NetworkManager and the nmtui interface.
     networkmanager = {
       enable = true;
-      dns = lib.mkForce "none";
+      dns = lib.mkForce "none"; # see modules/base/network.nix
     };
   };
 

modules/desktop/programs.nix

@@ -23,7 +23,6 @@
     tor-browser-bundle-bin
     ungoogled-chromium
     vlc
-    webcord # discord
   ];
 
   nixpkgs.config.allowUnfreePredicate = pkg:

modules/desktop/sway.nix

@@ -82,7 +82,6 @@
           "XF86AudioPrev" = "exec 'playerctl previous'";
         };
         assigns = {
-          "8" = [{class = "WebCord";}];
           "9" = [{class = "Spotify";}];
         };
         floating = {

modules/server/acme.nix

@@ -1,8 +1,12 @@
 {
   config,
+  lib,
   secrets,
   ...
-}: {
+}:
+# Only enable module if certificates are configured so we don't try to decrypt
+# acme-lego-environment-file.age on servers that aren't allowed to.
+lib.mkIf (config.security.acme.certs != {}) {
   # Instead of managing certificates in each individual service, NixOS supports
   # automatic certificate retrieval and renewal using
   # `security.acme.certs.<name>` through the ACME protocol.