diff --git a/base/nix.nix b/base/nix.nix
index d5eae56..61b3e5d 100644
--- a/base/nix.nix
+++ b/base/nix.nix
@@ -1,4 +1,9 @@
-{ lib, config, inputs, ... }:
+{
+ lib,
+ config,
+ inputs,
+ ...
+}:
{
nix = {
gc = {
@@ -11,16 +16,21 @@
allow-dirty = true;
auto-allocate-uids = true;
builders-use-substitutes = true;
- experimental-features = [ "nix-command" "flakes" "auto-allocate-uids" ];
+ experimental-features = [
+ "nix-command"
+ "flakes"
+ "auto-allocate-uids"
+ ];
log-lines = 50;
use-xdg-base-directories = true;
};
- /* This makes commandline tools like
- ** nix run nixpkgs#hello
- ** and nix-shell -p hello
- ** use the same channel the system
- ** was built with
+ /*
+ This makes commandline tools like
+ ** nix run nixpkgs#hello
+ ** and nix-shell -p hello
+ ** use the same channel the system
+ ** was built with
*/
registry = lib.mkMerge [
{
diff --git a/base/services/auto-upgrade.nix b/base/services/auto-upgrade.nix
index 8b003e8..3586ce2 100644
--- a/base/services/auto-upgrade.nix
+++ b/base/services/auto-upgrade.nix
@@ -1,4 +1,10 @@
-{ config, inputs, pkgs, lib, ... }:
+{
+ config,
+ inputs,
+ pkgs,
+ lib,
+ ...
+}:
let
inputUrls = lib.mapAttrs (input: value: value.url) (import "${inputs.self}/flake.nix").inputs;
@@ -16,26 +22,34 @@ in
# --update-input is deprecated since nix 2.22, and removed in lix 2.90
# as such we instead use --override-input combined with --refresh
# https://git.lix.systems/lix-project/lix/issues/400
- ] ++ (lib.pipe inputUrls [
+ ]
+ ++ (lib.pipe inputUrls [
(lib.intersectAttrs {
nixpkgs = { };
nixpkgs-unstable = { };
})
- (lib.mapAttrsToList (input: url: ["--override-input" input url]))
+ (lib.mapAttrsToList (
+ input: url: [
+ "--override-input"
+ input
+ url
+ ]
+ ))
lib.concatLists
]);
};
# workaround for https://github.com/NixOS/nix/issues/6895
# via https://git.lix.systems/lix-project/lix/issues/400
- environment.etc = lib.mkIf (!config.virtualisation.isVmVariant && config.system.autoUpgrade.enable) {
- "current-system-flake-inputs.json".source
- = pkgs.writers.writeJSON "flake-inputs.json" (
- lib.flip lib.mapAttrs inputs (name: input:
- # inputs.*.sourceInfo sans outPath, since writeJSON will otherwise serialize sourceInfo like a derivation
- lib.removeAttrs (input.sourceInfo or {}) [ "outPath" ]
- // { store-path = input.outPath; } # comment this line if you don't want to retain a store reference to the flake inputs
- )
- );
- };
+ environment.etc =
+ lib.mkIf (!config.virtualisation.isVmVariant && config.system.autoUpgrade.enable)
+ {
+ "current-system-flake-inputs.json".source = pkgs.writers.writeJSON "flake-inputs.json" (
+ lib.flip lib.mapAttrs inputs (
+ name: input:
+ # inputs.*.sourceInfo sans outPath, since writeJSON will otherwise serialize sourceInfo like a derivation
+ lib.removeAttrs (input.sourceInfo or { }) [ "outPath" ] // { store-path = input.outPath; } # comment this line if you don't want to retain a store reference to the flake inputs
+ )
+ );
+ };
}
diff --git a/base/services/irqbalance.nix b/base/services/irqbalance.nix
index 078e569..2fc96fe 100644
--- a/base/services/irqbalance.nix
+++ b/base/services/irqbalance.nix
@@ -1,4 +1,4 @@
{ ... }:
{
services.irqbalance.enable = true;
-}
\ No newline at end of file
+}
diff --git a/base/services/journald-upload.nix b/base/services/journald-upload.nix
index 1d84d98..17d13fe 100644
--- a/base/services/journald-upload.nix
+++ b/base/services/journald-upload.nix
@@ -1,4 +1,9 @@
-{ config, lib, values, ... }:
+{
+ config,
+ lib,
+ values,
+ ...
+}:
let
cfg = config.services.journald.upload;
in
diff --git a/base/services/logrotate.nix b/base/services/logrotate.nix
index fe61c03..f04a2a0 100644
--- a/base/services/logrotate.nix
+++ b/base/services/logrotate.nix
@@ -1,7 +1,10 @@
{ ... }:
{
systemd.services.logrotate = {
- documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
+ documentation = [
+ "man:logrotate(8)"
+ "man:logrotate.conf(5)"
+ ];
unitConfig.RequiresMountsFor = "/var/log";
serviceConfig.ReadWritePaths = [ "/var/log" ];
};
diff --git a/base/services/nginx.nix b/base/services/nginx.nix
index 9053c09..9ff9fcc 100644
--- a/base/services/nginx.nix
+++ b/base/services/nginx.nix
@@ -11,7 +11,10 @@
};
};
- networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];
+ networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [
+ 80
+ 443
+ ];
services.nginx = {
recommendedTlsSettings = true;
diff --git a/base/services/openssh.nix b/base/services/openssh.nix
index d61dd2e..dd1fff8 100644
--- a/base/services/openssh.nix
+++ b/base/services/openssh.nix
@@ -12,10 +12,9 @@
settings.PermitRootLogin = "yes";
};
- users.users."root".openssh.authorizedKeys.keys = [
- "ssh-rsa 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 openstack-sleipner"
+ users.users."root".openssh.authorizedKeys.keys = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqVt4LCe0YIttr9swFxjkjn37ZDY9JxwVC+2gvfSINDJorOCtqPjDOTD2fTS1Gz08QCwpnLWq2kyvRchu6WgriAbSACpbZZBgxRaF/FVh3oiMVFGnNKGnv6/fdo/vZtu8mUVuqtmTrgLYpZdbR4oD3XiBlDKs7Cv5hPqt95lnP6MNFvE8mICCfd1PwhsABd2IQ5laz3u77/RXhNFJL0Kf2/+6gk9awcLuwHrPdvq7c3BxRHbc9UMRQENyjyQPa7aLe+uJBFLKP51I8VBuDpDacuibQx7nMt6N2UJ2KWI0JxRMHuJNq4S5jidR82aOw9gzGbTv30SKNLMqsZ0xj4LtdqCXDiZF6Lr09PsJYsvnBUFWa14HGcThKDtgwQwBryNViYmfv//0h9+RLZiU0ab+NEwSs7Zh5iAD+vhx64QqNX3tR7Le4SWXh8W0eShU9N78qYdSkiC3Ui7htxeqOocXM/P4AwbnHsLELIvkHdvgchCPvl8ygZa4WJTEWv16+ICskJcAKWGuqjvXAFuwjJJmPp9xLW9O0DFfQhMELiGamQR9wK07yYQVr34iah6qZO7cwhSKyEPFrVPIaNtfDhsjED639F7vmktf26SWNJHWfW0wOHILjI6TgqUvy0JDd8W8w0CHlAfz6Fs2l99NNgNF8dB3vBASbxS0hu/y0PVu/xQ== openstack-sleipner"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICCbgJ0Uwh9VSVhfId7l9i5/jk4CvAK5rbkiab8R+moF root@sleipner"
- ];
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICCbgJ0Uwh9VSVhfId7l9i5/jk4CvAK5rbkiab8R+moF root@sleipner"
+ ];
}
-
diff --git a/base/services/postfix.nix b/base/services/postfix.nix
index e721faf..d869187 100644
--- a/base/services/postfix.nix
+++ b/base/services/postfix.nix
@@ -1,4 +1,9 @@
-{ config, pkgs, lib, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
let
cfg = config.services.postfix;
in
diff --git a/base/services/prometheus-node-exporter.nix b/base/services/prometheus-node-exporter.nix
index bdacdb1..1e17095 100644
--- a/base/services/prometheus-node-exporter.nix
+++ b/base/services/prometheus-node-exporter.nix
@@ -1,4 +1,9 @@
-{ config, lib, values, ... }:
+{
+ config,
+ lib,
+ values,
+ ...
+}:
let
cfg = config.services.prometheus.exporters.node;
in
diff --git a/base/services/prometheus-systemd-exporter.nix b/base/services/prometheus-systemd-exporter.nix
index 0599c04..4df7454 100644
--- a/base/services/prometheus-systemd-exporter.nix
+++ b/base/services/prometheus-systemd-exporter.nix
@@ -1,4 +1,9 @@
-{ config, lib, values, ... }:
+{
+ config,
+ lib,
+ values,
+ ...
+}:
let
cfg = config.services.prometheus.exporters.systemd;
in
diff --git a/base/services/promtail.nix b/base/services/promtail.nix
index f8f7b85..96c93a0 100644
--- a/base/services/promtail.nix
+++ b/base/services/promtail.nix
@@ -1,4 +1,9 @@
-{ config, lib, values, ... }:
+{
+ config,
+ lib,
+ values,
+ ...
+}:
let
cfg = config.services.prometheus.exporters.node;
in
@@ -10,29 +15,33 @@ in
http_listen_port = 28183;
grpc_listen_port = 0;
};
- clients = [{
- url = "http://ildkule.pvv.ntnu.no:3100/loki/api/v1/push";
- }];
- scrape_configs = [{
- job_name = "systemd-journal";
- journal = {
- max_age = "12h";
- labels = {
- job = "systemd-journal";
- host = config.networking.hostName;
+ clients = [
+ {
+ url = "http://ildkule.pvv.ntnu.no:3100/loki/api/v1/push";
+ }
+ ];
+ scrape_configs = [
+ {
+ job_name = "systemd-journal";
+ journal = {
+ max_age = "12h";
+ labels = {
+ job = "systemd-journal";
+ host = config.networking.hostName;
+ };
};
- };
- relabel_configs = [
- {
- source_labels = [ "__journal__systemd_unit" ];
- target_label = "unit";
- }
- {
- source_labels = [ "__journal_priority_keyword" ];
- target_label = "level";
- }
- ];
- }];
+ relabel_configs = [
+ {
+ source_labels = [ "__journal__systemd_unit" ];
+ target_label = "unit";
+ }
+ {
+ source_labels = [ "__journal_priority_keyword" ];
+ target_label = "level";
+ }
+ ];
+ }
+ ];
};
};
}
diff --git a/base/services/smartd.nix b/base/services/smartd.nix
index ff708a9..9edc82c 100644
--- a/base/services/smartd.nix
+++ b/base/services/smartd.nix
@@ -1,4 +1,9 @@
-{ config, pkgs, lib, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
{
services.smartd = {
# NOTE: qemu guests tend not to have SMART-reporting disks. Please override for the
@@ -14,9 +19,12 @@
};
};
- environment.systemPackages = lib.optionals config.services.smartd.enable (with pkgs; [
- smartmontools
- ]);
+ environment.systemPackages = lib.optionals config.services.smartd.enable (
+ with pkgs;
+ [
+ smartmontools
+ ]
+ );
systemd.services.smartd.unitConfig.ConditionVirtualization = "no";
}
diff --git a/base/services/thermald.nix b/base/services/thermald.nix
index ced2dad..5fbeae9 100644
--- a/base/services/thermald.nix
+++ b/base/services/thermald.nix
@@ -2,7 +2,7 @@
{
# Let's not thermal throttle
services.thermald.enable = lib.mkIf (lib.all (x: x) [
- (config.nixpkgs.system == "x86_64-linux")
- (!config.boot.isContainer or false)
- ]) true;
-}
\ No newline at end of file
+ (config.nixpkgs.system == "x86_64-linux")
+ (!config.boot.isContainer or false)
+ ]) true;
+}
diff --git a/base/services/uptimed.nix b/base/services/uptimed.nix
index 9bc192c..1a849bf 100644
--- a/base/services/uptimed.nix
+++ b/base/services/uptimed.nix
@@ -1,4 +1,9 @@
-{ config, pkgs, lib, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
let
cfg = config.services.uptimed;
in
@@ -15,45 +20,48 @@ in
services.uptimed = {
enable = true;
- settings = let
- stateDir = "/var/lib/uptimed";
- in {
- PIDFILE = "${stateDir}/pid";
- SENDMAIL = lib.mkDefault "${pkgs.system-sendmail}/bin/sendmail -t";
- };
+ settings =
+ let
+ stateDir = "/var/lib/uptimed";
+ in
+ {
+ PIDFILE = "${stateDir}/pid";
+ SENDMAIL = lib.mkDefault "${pkgs.system-sendmail}/bin/sendmail -t";
+ };
};
systemd.services.uptimed = lib.mkIf (cfg.enable) {
- serviceConfig = let
- uptimed = pkgs.uptimed.overrideAttrs (prev: {
- postPatch = ''
- substituteInPlace Makefile.am \
- --replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf'
- substituteInPlace src/Makefile.am \
- --replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf'
- '';
- });
+ serviceConfig =
+ let
+ uptimed = pkgs.uptimed.overrideAttrs (prev: {
+ postPatch = ''
+ substituteInPlace Makefile.am \
+ --replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf'
+ substituteInPlace src/Makefile.am \
+ --replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf'
+ '';
+ });
- in {
- Type = "notify";
+ in
+ {
+ Type = "notify";
- ExecStart = lib.mkForce "${uptimed}/sbin/uptimed -f";
+ ExecStart = lib.mkForce "${uptimed}/sbin/uptimed -f";
- BindReadOnlyPaths = let
- configFile = lib.pipe cfg.settings [
- (lib.mapAttrsToList
- (k: v:
- if builtins.isList v
- then lib.mapConcatStringsSep "\n" (v': "${k}=${v'}") v
- else "${k}=${v}")
- )
- (lib.concatStringsSep "\n")
- (pkgs.writeText "uptimed.conf")
- ];
- in [
- "${configFile}:/var/lib/uptimed/uptimed.conf"
- ];
- };
+ BindReadOnlyPaths =
+ let
+ configFile = lib.pipe cfg.settings [
+ (lib.mapAttrsToList (
+ k: v: if builtins.isList v then lib.mapConcatStringsSep "\n" (v': "${k}=${v'}") v else "${k}=${v}"
+ ))
+ (lib.concatStringsSep "\n")
+ (pkgs.writeText "uptimed.conf")
+ ];
+ in
+ [
+ "${configFile}:/var/lib/uptimed/uptimed.conf"
+ ];
+ };
};
};
}
diff --git a/base/sops.nix b/base/sops.nix
index a050f79..5d6c250 100644
--- a/base/sops.nix
+++ b/base/sops.nix
@@ -1,8 +1,15 @@
-{ config, fp, lib, ... }:
{
- sops.defaultSopsFile = let
- secretsFilePath = fp /secrets/${config.networking.hostName}/${config.networking.hostName}.yaml;
- in lib.mkIf (builtins.pathExists secretsFilePath) secretsFilePath;
+ config,
+ fp,
+ lib,
+ ...
+}:
+{
+ sops.defaultSopsFile =
+ let
+ secretsFilePath = fp /secrets/${config.networking.hostName}/${config.networking.hostName}.yaml;
+ in
+ lib.mkIf (builtins.pathExists secretsFilePath) secretsFilePath;
sops.age = lib.mkIf (config.sops.defaultSopsFile != null) {
sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];
diff --git a/flake.nix b/flake.nix
index 6322b6b..feb88af 100644
--- a/flake.nix
+++ b/flake.nix
@@ -49,348 +49,403 @@
qotd.inputs.nixpkgs.follows = "nixpkgs";
};
- outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
- let
- inherit (nixpkgs) lib;
- systems = [
- "x86_64-linux"
- "aarch64-linux"
- "aarch64-darwin"
- ];
- forAllSystems = f: lib.genAttrs systems f;
- allMachines = builtins.attrNames self.nixosConfigurations;
- importantMachines = [
- "bekkalokk"
- "bicep"
- "brzeczyszczykiewicz"
- "georg"
- "ildkule"
- ];
- in {
- inputs = lib.mapAttrs (_: src: src.outPath) inputs;
+ outputs =
+ {
+ self,
+ nixpkgs,
+ nixpkgs-unstable,
+ sops-nix,
+ disko,
+ ...
+ }@inputs:
+ let
+ inherit (nixpkgs) lib;
+ systems = [
+ "x86_64-linux"
+ "aarch64-linux"
+ "aarch64-darwin"
+ ];
+ forAllSystems = f: lib.genAttrs systems f;
+ allMachines = builtins.attrNames self.nixosConfigurations;
+ importantMachines = [
+ "bekkalokk"
+ "bicep"
+ "brzeczyszczykiewicz"
+ "georg"
+ "ildkule"
+ ];
+ in
+ {
+ inputs = lib.mapAttrs (_: src: src.outPath) inputs;
- pkgs = forAllSystems (system: import nixpkgs {
- inherit system;
- config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
- [
- "nvidia-x11"
- "nvidia-settings"
- ];
- });
-
- nixosConfigurations = let
- nixosConfig =
- nixpkgs:
- name:
- configurationPath:
- extraArgs@{
- localSystem ? "x86_64-linux", # buildPlatform
- crossSystem ? "x86_64-linux", # hostPlatform
- specialArgs ? { },
- modules ? [ ],
- overlays ? [ ],
- enableDefaults ? true,
- ...
- }:
- let
- commonPkgsConfig = {
- inherit localSystem crossSystem;
- config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
- [
- "nvidia-x11"
- "nvidia-settings"
- ];
- overlays = (lib.optionals enableDefaults [
- # Global overlays go here
- inputs.roowho2.overlays.default
- ]) ++ overlays;
- };
-
- pkgs = import nixpkgs commonPkgsConfig;
- unstablePkgs = import nixpkgs-unstable commonPkgsConfig;
- in
- lib.nixosSystem (lib.recursiveUpdate
- {
- system = crossSystem;
-
- inherit pkgs;
-
- specialArgs = {
- inherit inputs unstablePkgs;
- values = import ./values.nix;
- fp = path: ./${path};
- } // specialArgs;
-
- modules = [
- {
- networking.hostName = lib.mkDefault name;
- }
- configurationPath
- ] ++ (lib.optionals enableDefaults [
- sops-nix.nixosModules.sops
- inputs.roowho2.nixosModules.default
- self.nixosModules.rsync-pull-targets
- ]) ++ modules;
+ pkgs = forAllSystems (
+ system:
+ import nixpkgs {
+ inherit system;
+ config.allowUnfreePredicate =
+ pkg:
+ builtins.elem (lib.getName pkg) [
+ "nvidia-x11"
+ "nvidia-settings"
+ ];
}
- (builtins.removeAttrs extraArgs [
- "localSystem"
- "crossSystem"
- "modules"
- "overlays"
- "specialArgs"
- "enableDefaults"
- ])
);
- stableNixosConfig = name: extraArgs:
- nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs;
- in {
- bakke = stableNixosConfig "bakke" {
- modules = [
- inputs.disko.nixosModules.disko
- ];
- };
- bicep = stableNixosConfig "bicep" {
- modules = [
- inputs.matrix-next.nixosModules.default
- inputs.pvv-calendar-bot.nixosModules.default
- inputs.minecraft-heatmap.nixosModules.default
- self.nixosModules.gickup
- self.nixosModules.matrix-ooye
- ];
- overlays = [
- inputs.pvv-calendar-bot.overlays.default
- inputs.minecraft-heatmap.overlays.default
- (final: prev: {
- inherit (self.packages.${prev.stdenv.hostPlatform.system}) out-of-your-element;
- })
- ];
- };
- bekkalokk = stableNixosConfig "bekkalokk" {
- overlays = [
- (final: prev: {
- mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
- simplesamlphp = final.callPackage ./packages/simplesamlphp { };
- bluemap = final.callPackage ./packages/bluemap.nix { };
- })
- inputs.pvv-nettsiden.overlays.default
- inputs.qotd.overlays.default
- ];
- modules = [
- inputs.pvv-nettsiden.nixosModules.default
- self.nixosModules.bluemap
- inputs.qotd.nixosModules.default
- ];
- };
- ildkule = stableNixosConfig "ildkule" { };
- #ildkule-unstable = unstableNixosConfig "ildkule" { };
- skrot = stableNixosConfig "skrot" {
- modules = [
- inputs.disko.nixosModules.disko
- inputs.dibbler.nixosModules.default
- ];
- overlays = [inputs.dibbler.overlays.default];
- };
- shark = stableNixosConfig "shark" { };
- wenche = stableNixosConfig "wenche" { };
- temmie = stableNixosConfig "temmie" { };
- gluttony = stableNixosConfig "gluttony" { };
+ nixosConfigurations =
+ let
+ nixosConfig =
+ nixpkgs: name: configurationPath:
+ extraArgs@{
+ localSystem ? "x86_64-linux", # buildPlatform
+ crossSystem ? "x86_64-linux", # hostPlatform
+ specialArgs ? { },
+ modules ? [ ],
+ overlays ? [ ],
+ enableDefaults ? true,
+ ...
+ }:
+ let
+ commonPkgsConfig = {
+ inherit localSystem crossSystem;
+ config.allowUnfreePredicate =
+ pkg:
+ builtins.elem (lib.getName pkg) [
+ "nvidia-x11"
+ "nvidia-settings"
+ ];
+ overlays =
+ (lib.optionals enableDefaults [
+ # Global overlays go here
+ inputs.roowho2.overlays.default
+ ])
+ ++ overlays;
+ };
- kommode = stableNixosConfig "kommode" {
- overlays = [
- inputs.nix-gitea-themes.overlays.default
- ];
- modules = [
- inputs.nix-gitea-themes.nixosModules.default
- inputs.disko.nixosModules.disko
- ];
- };
+ pkgs = import nixpkgs commonPkgsConfig;
+ unstablePkgs = import nixpkgs-unstable commonPkgsConfig;
+ in
+ lib.nixosSystem (
+ lib.recursiveUpdate
+ {
+ system = crossSystem;
- ustetind = stableNixosConfig "ustetind" {
- modules = [
- "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
- ];
- };
+ inherit pkgs;
- brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
- modules = [
- inputs.grzegorz-clients.nixosModules.grzegorz-webui
- inputs.gergle.nixosModules.default
- inputs.greg-ng.nixosModules.default
- ];
- overlays = [
- inputs.greg-ng.overlays.default
- inputs.gergle.overlays.default
- ];
- };
- georg = stableNixosConfig "georg" {
- modules = [
- inputs.grzegorz-clients.nixosModules.grzegorz-webui
- inputs.gergle.nixosModules.default
- inputs.greg-ng.nixosModules.default
- ];
- overlays = [
- inputs.greg-ng.overlays.default
- inputs.gergle.overlays.default
- ];
- };
- }
- //
- (let
- skrottConfig = {
- modules = [
- (nixpkgs + "/nixos/modules/installer/sd-card/sd-image-aarch64.nix")
- inputs.dibbler.nixosModules.default
- ];
- overlays = [
- inputs.dibbler.overlays.default
- (final: prev: {
- # NOTE: Yeetus (these break crosscompile ¯\_(ツ)_/¯)
- atool = prev.emptyDirectory;
- micro = prev.emptyDirectory;
- ncdu = prev.emptyDirectory;
- })
- ];
- };
- in {
- skrott = self.nixosConfigurations.skrott-native;
- skrott-native = stableNixosConfig "skrott" (skrottConfig // {
- localSystem = "aarch64-linux";
- crossSystem = "aarch64-linux";
- });
- skrott-cross = stableNixosConfig "skrott" (skrottConfig // {
- localSystem = "x86_64-linux";
- crossSystem = "aarch64-linux";
- });
- skrott-x86_64 = stableNixosConfig "skrott" (skrottConfig // {
- localSystem = "x86_64-linux";
- crossSystem = "x86_64-linux";
- });
- })
- //
- (let
- machineNames = map (i: "lupine-${toString i}") (lib.range 1 5);
- stableLupineNixosConfig = name: extraArgs:
- nixosConfig nixpkgs name ./hosts/lupine/configuration.nix extraArgs;
- in lib.genAttrs machineNames (name: stableLupineNixosConfig name {
- modules = [{ networking.hostName = name; }];
- specialArgs.lupineName = name;
- }));
+ specialArgs = {
+ inherit inputs unstablePkgs;
+ values = import ./values.nix;
+ fp = path: ./${path};
+ }
+ // specialArgs;
- nixosModules = {
- bluemap = ./modules/bluemap.nix;
- gickup = ./modules/gickup;
- matrix-ooye = ./modules/matrix-ooye.nix;
- robots-txt = ./modules/robots-txt.nix;
- rsync-pull-targets = ./modules/rsync-pull-targets.nix;
- snakeoil-certs = ./modules/snakeoil-certs.nix;
- snappymail = ./modules/snappymail.nix;
- };
+ modules = [
+ {
+ networking.hostName = lib.mkDefault name;
+ }
+ configurationPath
+ ]
+ ++ (lib.optionals enableDefaults [
+ sops-nix.nixosModules.sops
+ inputs.roowho2.nixosModules.default
+ self.nixosModules.rsync-pull-targets
+ ])
+ ++ modules;
+ }
+ (
+ builtins.removeAttrs extraArgs [
+ "localSystem"
+ "crossSystem"
+ "modules"
+ "overlays"
+ "specialArgs"
+ "enableDefaults"
+ ]
+ )
+ );
- devShells = forAllSystems (system: {
- default = let
- pkgs = import nixpkgs-unstable {
- inherit system;
- overlays = [
- (final: prev: {
- inherit (inputs.disko.packages.${system}) disko;
- })
- ];
- };
- in pkgs.callPackage ./shell.nix { };
- cuda = let
- cuda-pkgs = import nixpkgs-unstable {
- inherit system;
- config = {
- allowUnfree = true;
- cudaSupport = true;
+ stableNixosConfig =
+ name: extraArgs: nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs;
+ in
+ {
+ bakke = stableNixosConfig "bakke" {
+ modules = [
+ inputs.disko.nixosModules.disko
+ ];
};
- };
- in cuda-pkgs.callPackage ./shells/cuda.nix { };
- });
-
- packages = {
- "x86_64-linux" = let
- system = "x86_64-linux";
- pkgs = nixpkgs.legacyPackages.${system};
- in rec {
- default = important-machines;
- important-machines = pkgs.linkFarm "important-machines"
- (lib.getAttrs importantMachines self.packages.${system});
- all-machines = pkgs.linkFarm "all-machines"
- (lib.getAttrs allMachines self.packages.${system});
-
- simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
-
- bluemap = pkgs.callPackage ./packages/bluemap.nix { };
-
- out-of-your-element = pkgs.callPackage ./packages/ooye/package.nix { };
- }
- //
- # Mediawiki extensions
- (lib.pipe null [
- (_: pkgs.callPackage ./packages/mediawiki-extensions { })
- (lib.flip builtins.removeAttrs ["override" "overrideDerivation"])
- (lib.mapAttrs' (name: lib.nameValuePair "mediawiki-${name}"))
- ])
- //
- # Machines
- lib.genAttrs allMachines
- (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel)
- //
- # Skrott is exception
- {
- skrott = self.packages.${system}.skrott-native-sd;
- skrott-native = self.nixosConfigurations.skrott-native.config.system.build.toplevel;
- skrott-native-sd = self.nixosConfigurations.skrott-native.config.system.build.sdImage;
- skrott-cross = self.nixosConfigurations.skrott-cross.config.system.build.toplevel;
- skrott-cross-sd = self.nixosConfigurations.skrott-cross.config.system.build.sdImage;
- skrott-x86_64 = self.nixosConfigurations.skrott-x86_64.config.system.build.toplevel;
- }
- //
- # Nix-topology
- (let
- topology' = import inputs.nix-topology {
- pkgs = import nixpkgs {
- inherit system;
+ bicep = stableNixosConfig "bicep" {
+ modules = [
+ inputs.matrix-next.nixosModules.default
+ inputs.pvv-calendar-bot.nixosModules.default
+ inputs.minecraft-heatmap.nixosModules.default
+ self.nixosModules.gickup
+ self.nixosModules.matrix-ooye
+ ];
overlays = [
- inputs.nix-topology.overlays.default
+ inputs.pvv-calendar-bot.overlays.default
+ inputs.minecraft-heatmap.overlays.default
(final: prev: {
- inherit (nixpkgs-unstable.legacyPackages.${system}) super-tiny-icons;
+ inherit (self.packages.${prev.stdenv.hostPlatform.system}) out-of-your-element;
})
];
};
+ bekkalokk = stableNixosConfig "bekkalokk" {
+ overlays = [
+ (final: prev: {
+ mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
+ simplesamlphp = final.callPackage ./packages/simplesamlphp { };
+ bluemap = final.callPackage ./packages/bluemap.nix { };
+ })
+ inputs.pvv-nettsiden.overlays.default
+ inputs.qotd.overlays.default
+ ];
+ modules = [
+ inputs.pvv-nettsiden.nixosModules.default
+ self.nixosModules.bluemap
+ inputs.qotd.nixosModules.default
+ ];
+ };
+ ildkule = stableNixosConfig "ildkule" { };
+ #ildkule-unstable = unstableNixosConfig "ildkule" { };
+ skrot = stableNixosConfig "skrot" {
+ modules = [
+ inputs.disko.nixosModules.disko
+ inputs.dibbler.nixosModules.default
+ ];
+ overlays = [ inputs.dibbler.overlays.default ];
+ };
+ shark = stableNixosConfig "shark" { };
+ wenche = stableNixosConfig "wenche" { };
+ temmie = stableNixosConfig "temmie" { };
+ gluttony = stableNixosConfig "gluttony" { };
- specialArgs = {
- values = import ./values.nix;
+ kommode = stableNixosConfig "kommode" {
+ overlays = [
+ inputs.nix-gitea-themes.overlays.default
+ ];
+ modules = [
+ inputs.nix-gitea-themes.nixosModules.default
+ inputs.disko.nixosModules.disko
+ ];
};
- modules = [
- ./topology
- {
- nixosConfigurations = lib.mapAttrs (_name: nixosCfg: nixosCfg.extendModules {
- modules = [
- inputs.nix-topology.nixosModules.default
- ./topology/service-extractors/greg-ng.nix
- ./topology/service-extractors/postgresql.nix
- ./topology/service-extractors/mysql.nix
- ./topology/service-extractors/gitea-runners.nix
- ];
- }) self.nixosConfigurations;
+ ustetind = stableNixosConfig "ustetind" {
+ modules = [
+ "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
+ ];
+ };
+
+ brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
+ modules = [
+ inputs.grzegorz-clients.nixosModules.grzegorz-webui
+ inputs.gergle.nixosModules.default
+ inputs.greg-ng.nixosModules.default
+ ];
+ overlays = [
+ inputs.greg-ng.overlays.default
+ inputs.gergle.overlays.default
+ ];
+ };
+ georg = stableNixosConfig "georg" {
+ modules = [
+ inputs.grzegorz-clients.nixosModules.grzegorz-webui
+ inputs.gergle.nixosModules.default
+ inputs.greg-ng.nixosModules.default
+ ];
+ overlays = [
+ inputs.greg-ng.overlays.default
+ inputs.gergle.overlays.default
+ ];
+ };
+ }
+ // (
+ let
+ skrottConfig = {
+ modules = [
+ (nixpkgs + "/nixos/modules/installer/sd-card/sd-image-aarch64.nix")
+ inputs.dibbler.nixosModules.default
+ ];
+ overlays = [
+ inputs.dibbler.overlays.default
+ (final: prev: {
+ # NOTE: Yeetus (these break crosscompile ¯\_(ツ)_/¯)
+ atool = prev.emptyDirectory;
+ micro = prev.emptyDirectory;
+ ncdu = prev.emptyDirectory;
+ })
+ ];
+ };
+ in
+ {
+ skrott = self.nixosConfigurations.skrott-native;
+ skrott-native = stableNixosConfig "skrott" (
+ skrottConfig
+ // {
+ localSystem = "aarch64-linux";
+ crossSystem = "aarch64-linux";
+ }
+ );
+ skrott-cross = stableNixosConfig "skrott" (
+ skrottConfig
+ // {
+ localSystem = "x86_64-linux";
+ crossSystem = "aarch64-linux";
+ }
+ );
+ skrott-x86_64 = stableNixosConfig "skrott" (
+ skrottConfig
+ // {
+ localSystem = "x86_64-linux";
+ crossSystem = "x86_64-linux";
+ }
+ );
+ }
+ )
+ // (
+ let
+ machineNames = map (i: "lupine-${toString i}") (lib.range 1 5);
+ stableLupineNixosConfig =
+ name: extraArgs: nixosConfig nixpkgs name ./hosts/lupine/configuration.nix extraArgs;
+ in
+ lib.genAttrs machineNames (
+ name:
+ stableLupineNixosConfig name {
+ modules = [ { networking.hostName = name; } ];
+ specialArgs.lupineName = name;
}
- ];
- };
- in {
- topology = topology'.config.output;
- topology-png = pkgs.runCommand "pvv-config-topology-png" {
- nativeBuildInputs = [ pkgs.writableTmpDirAsHomeHook ];
- } ''
- mkdir -p "$out"
- for file in '${topology'.config.output}'/*.svg; do
- ${lib.getExe pkgs.imagemagick} -density 300 -background none "$file" "$out"/"$(basename "''${file%.svg}.png")"
- done
- '';
+ )
+ );
+
+ nixosModules = {
+ bluemap = ./modules/bluemap.nix;
+ gickup = ./modules/gickup;
+ matrix-ooye = ./modules/matrix-ooye.nix;
+ robots-txt = ./modules/robots-txt.nix;
+ rsync-pull-targets = ./modules/rsync-pull-targets.nix;
+ snakeoil-certs = ./modules/snakeoil-certs.nix;
+ snappymail = ./modules/snappymail.nix;
+ };
+
+ devShells = forAllSystems (system: {
+ default =
+ let
+ pkgs = import nixpkgs-unstable {
+ inherit system;
+ overlays = [
+ (final: prev: {
+ inherit (inputs.disko.packages.${system}) disko;
+ })
+ ];
+ };
+ in
+ pkgs.callPackage ./shell.nix { };
+ cuda =
+ let
+ cuda-pkgs = import nixpkgs-unstable {
+ inherit system;
+ config = {
+ allowUnfree = true;
+ cudaSupport = true;
+ };
+ };
+ in
+ cuda-pkgs.callPackage ./shells/cuda.nix { };
});
+
+ packages = {
+ "x86_64-linux" =
+ let
+ system = "x86_64-linux";
+ pkgs = nixpkgs.legacyPackages.${system};
+ in
+ rec {
+ default = important-machines;
+ important-machines = pkgs.linkFarm "important-machines" (
+ lib.getAttrs importantMachines self.packages.${system}
+ );
+ all-machines = pkgs.linkFarm "all-machines" (lib.getAttrs allMachines self.packages.${system});
+
+ simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
+
+ bluemap = pkgs.callPackage ./packages/bluemap.nix { };
+
+ out-of-your-element = pkgs.callPackage ./packages/ooye/package.nix { };
+ }
+ //
+ # Mediawiki extensions
+ (lib.pipe null [
+ (_: pkgs.callPackage ./packages/mediawiki-extensions { })
+ (lib.flip builtins.removeAttrs [
+ "override"
+ "overrideDerivation"
+ ])
+ (lib.mapAttrs' (name: lib.nameValuePair "mediawiki-${name}"))
+ ])
+ //
+ # Machines
+ lib.genAttrs allMachines (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel)
+ //
+ # Skrott is exception
+ {
+ skrott = self.packages.${system}.skrott-native-sd;
+ skrott-native = self.nixosConfigurations.skrott-native.config.system.build.toplevel;
+ skrott-native-sd = self.nixosConfigurations.skrott-native.config.system.build.sdImage;
+ skrott-cross = self.nixosConfigurations.skrott-cross.config.system.build.toplevel;
+ skrott-cross-sd = self.nixosConfigurations.skrott-cross.config.system.build.sdImage;
+ skrott-x86_64 = self.nixosConfigurations.skrott-x86_64.config.system.build.toplevel;
+ }
+ //
+ # Nix-topology
+ (
+ let
+ topology' = import inputs.nix-topology {
+ pkgs = import nixpkgs {
+ inherit system;
+ overlays = [
+ inputs.nix-topology.overlays.default
+ (final: prev: {
+ inherit (nixpkgs-unstable.legacyPackages.${system}) super-tiny-icons;
+ })
+ ];
+ };
+
+ specialArgs = {
+ values = import ./values.nix;
+ };
+
+ modules = [
+ ./topology
+ {
+ nixosConfigurations = lib.mapAttrs (
+ _name: nixosCfg:
+ nixosCfg.extendModules {
+ modules = [
+ inputs.nix-topology.nixosModules.default
+ ./topology/service-extractors/greg-ng.nix
+ ./topology/service-extractors/postgresql.nix
+ ./topology/service-extractors/mysql.nix
+ ./topology/service-extractors/gitea-runners.nix
+ ];
+ }
+ ) self.nixosConfigurations;
+ }
+ ];
+ };
+ in
+ {
+ topology = topology'.config.output;
+ topology-png =
+ pkgs.runCommand "pvv-config-topology-png"
+ {
+ nativeBuildInputs = [ pkgs.writableTmpDirAsHomeHook ];
+ }
+ ''
+ mkdir -p "$out"
+ for file in '${topology'.config.output}'/*.svg; do
+ ${lib.getExe pkgs.imagemagick} -density 300 -background none "$file" "$out"/"$(basename "''${file%.svg}.png")"
+ done
+ '';
+ }
+ );
+ };
};
- };
}
diff --git a/hosts/bakke/configuration.nix b/hosts/bakke/configuration.nix
index 5478f9f..9dae903 100644
--- a/hosts/bakke/configuration.nix
+++ b/hosts/bakke/configuration.nix
@@ -1,15 +1,23 @@
-{ config, pkgs, values, ... }:
+{
+ config,
+ pkgs,
+ values,
+ ...
+}:
{
imports = [
- ./hardware-configuration.nix
- ../../base
- ./filesystems.nix
- ];
+ ./hardware-configuration.nix
+ ../../base
+ ./filesystems.nix
+ ];
networking.hostId = "99609ffc";
systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
matchConfig.Name = "enp2s0";
- address = with values.hosts.bakke; [ (ipv4 + "/25") (ipv6 + "/64") ];
+ address = with values.hosts.bakke; [
+ (ipv4 + "/25")
+ (ipv6 + "/64")
+ ];
};
# Don't change (even during upgrades) unless you know what you are doing.
diff --git a/hosts/bakke/filesystems.nix b/hosts/bakke/filesystems.nix
index c7cde6a..ca27a85 100644
--- a/hosts/bakke/filesystems.nix
+++ b/hosts/bakke/filesystems.nix
@@ -1,4 +1,4 @@
-{ pkgs,... }:
+{ pkgs, ... }:
{
# Boot drives:
boot.swraid.enable = true;
diff --git a/hosts/bakke/hardware-configuration.nix b/hosts/bakke/hardware-configuration.nix
index 2ad5b63..c88a8a8 100644
--- a/hosts/bakke/hardware-configuration.nix
+++ b/hosts/bakke/hardware-configuration.nix
@@ -1,41 +1,59 @@
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
{
- imports =
- [ (modulesPath + "/installer/scan/not-detected.nix")
- ];
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
- boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+ boot.initrd.availableKernelModules = [
+ "ehci_pci"
+ "ahci"
+ "usbhid"
+ "usb_storage"
+ "sd_mod"
+ ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
- fileSystems."/" =
- { device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
- fsType = "btrfs";
- options = [ "subvol=root" ];
- };
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
+ fsType = "btrfs";
+ options = [ "subvol=root" ];
+ };
- fileSystems."/home" =
- { device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
- fsType = "btrfs";
- options = [ "subvol=home" ];
- };
+ fileSystems."/home" = {
+ device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
+ fsType = "btrfs";
+ options = [ "subvol=home" ];
+ };
- fileSystems."/nix" =
- { device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
- fsType = "btrfs";
- options = [ "subvol=nix" "noatime" ];
- };
+ fileSystems."/nix" = {
+ device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
+ fsType = "btrfs";
+ options = [
+ "subvol=nix"
+ "noatime"
+ ];
+ };
- fileSystems."/boot" =
- { device = "/dev/sdc2";
- fsType = "vfat";
- options = [ "fmask=0022" "dmask=0022" ];
- };
+ fileSystems."/boot" = {
+ device = "/dev/sdc2";
+ fsType = "vfat";
+ options = [
+ "fmask=0022"
+ "dmask=0022"
+ ];
+ };
swapDevices = [ ];
diff --git a/hosts/bekkalokk/configuration.nix b/hosts/bekkalokk/configuration.nix
index f208a48..16b50fc 100644
--- a/hosts/bekkalokk/configuration.nix
+++ b/hosts/bekkalokk/configuration.nix
@@ -1,4 +1,9 @@
-{ fp, pkgs, values, ... }:
+{
+ fp,
+ pkgs,
+ values,
+ ...
+}:
{
imports = [
./hardware-configuration.nix
@@ -21,7 +26,10 @@
systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
matchConfig.Name = "enp2s0";
- address = with values.hosts.bekkalokk; [ (ipv4 + "/25") (ipv6 + "/64") ];
+ address = with values.hosts.bekkalokk; [
+ (ipv4 + "/25")
+ (ipv6 + "/64")
+ ];
};
services.btrfs.autoScrub.enable = true;
diff --git a/hosts/bekkalokk/hardware-configuration.nix b/hosts/bekkalokk/hardware-configuration.nix
index 9d84289..a3f6ac8 100644
--- a/hosts/bekkalokk/hardware-configuration.nix
+++ b/hosts/bekkalokk/hardware-configuration.nix
@@ -1,31 +1,43 @@
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
{
- imports =
- [ (modulesPath + "/installer/scan/not-detected.nix")
- ];
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
- boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+ boot.initrd.availableKernelModules = [
+ "ehci_pci"
+ "ahci"
+ "usbhid"
+ "usb_storage"
+ "sd_mod"
+ ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
- fileSystems."/" =
- { device = "/dev/sda1";
- fsType = "btrfs";
- };
+ fileSystems."/" = {
+ device = "/dev/sda1";
+ fsType = "btrfs";
+ };
- fileSystems."/boot" =
- { device = "/dev/disk/by-uuid/CE63-3B9B";
- fsType = "vfat";
- };
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/CE63-3B9B";
+ fsType = "vfat";
+ };
- swapDevices =
- [ { device = "/dev/disk/by-uuid/2df10c7b-0dec-45c6-a728-533f7da7f4b9"; }
- ];
+ swapDevices = [
+ { device = "/dev/disk/by-uuid/2df10c7b-0dec-45c6-a728-533f7da7f4b9"; }
+ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
diff --git a/hosts/bekkalokk/services/bluemap.nix b/hosts/bekkalokk/services/bluemap.nix
index bb14b70..eff2566 100644
--- a/hosts/bekkalokk/services/bluemap.nix
+++ b/hosts/bekkalokk/services/bluemap.nix
@@ -1,8 +1,15 @@
-{ config, lib, pkgs, inputs, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ inputs,
+ ...
+}:
let
vanillaSurvival = "/var/lib/bluemap/vanilla_survival_world";
format = pkgs.formats.hocon { };
-in {
+in
+{
# NOTE: our versino of the module gets added in flake.nix
disabledModules = [ "services/web-apps/bluemap.nix" ];
@@ -17,82 +24,88 @@ in {
host = "minecraft.pvv.ntnu.no";
- maps = let
- inherit (inputs.minecraft-kartverket.packages.${pkgs.stdenv.hostPlatform.system}) bluemap-export;
- in {
- "verden" = {
- extraHoconMarkersFile = "${bluemap-export}/overworld.hocon";
- settings = {
- world = vanillaSurvival;
- dimension = "minecraft:overworld";
- name = "Verden";
- sorting = 0;
- start-pos = {
- x = 0;
- z = 0;
+ maps =
+ let
+ inherit (inputs.minecraft-kartverket.packages.${pkgs.stdenv.hostPlatform.system}) bluemap-export;
+ in
+ {
+ "verden" = {
+ extraHoconMarkersFile = "${bluemap-export}/overworld.hocon";
+ settings = {
+ world = vanillaSurvival;
+ dimension = "minecraft:overworld";
+ name = "Verden";
+ sorting = 0;
+ start-pos = {
+ x = 0;
+ z = 0;
+ };
+ ambient-light = 0.1;
+ cave-detection-ocean-floor = -5;
+ };
+ };
+ "underverden" = {
+ extraHoconMarkersFile = "${bluemap-export}/nether.hocon";
+ settings = {
+ world = vanillaSurvival;
+ dimension = "minecraft:the_nether";
+ name = "Underverden";
+ sorting = 100;
+ start-pos = {
+ x = 0;
+ z = 0;
+ };
+ sky-color = "#290000";
+ void-color = "#150000";
+ sky-light = 1;
+ ambient-light = 0.6;
+ remove-caves-below-y = -10000;
+ cave-detection-ocean-floor = -5;
+ cave-detection-uses-block-light = true;
+ render-mask = [
+ {
+ max-y = 90;
+ }
+ ];
+ };
+ };
+ "enden" = {
+ extraHoconMarkersFile = "${bluemap-export}/the-end.hocon";
+ settings = {
+ world = vanillaSurvival;
+ dimension = "minecraft:the_end";
+ name = "Enden";
+ sorting = 200;
+ start-pos = {
+ x = 0;
+ z = 0;
+ };
+ sky-color = "#080010";
+ void-color = "#080010";
+ sky-light = 1;
+ ambient-light = 0.6;
+ remove-caves-below-y = -10000;
+ cave-detection-ocean-floor = -5;
};
- ambient-light = 0.1;
- cave-detection-ocean-floor = -5;
};
};
- "underverden" = {
- extraHoconMarkersFile = "${bluemap-export}/nether.hocon";
- settings = {
- world = vanillaSurvival;
- dimension = "minecraft:the_nether";
- name = "Underverden";
- sorting = 100;
- start-pos = {
- x = 0;
- z = 0;
- };
- sky-color = "#290000";
- void-color = "#150000";
- sky-light = 1;
- ambient-light = 0.6;
- remove-caves-below-y = -10000;
- cave-detection-ocean-floor = -5;
- cave-detection-uses-block-light = true;
- render-mask = [{
- max-y = 90;
- }];
- };
- };
- "enden" = {
- extraHoconMarkersFile = "${bluemap-export}/the-end.hocon";
- settings = {
- world = vanillaSurvival;
- dimension = "minecraft:the_end";
- name = "Enden";
- sorting = 200;
- start-pos = {
- x = 0;
- z = 0;
- };
- sky-color = "#080010";
- void-color = "#080010";
- sky-light = 1;
- ambient-light = 0.6;
- remove-caves-below-y = -10000;
- cave-detection-ocean-floor = -5;
- };
- };
- };
};
systemd.services."render-bluemap-maps" = {
serviceConfig = {
StateDirectory = [ "bluemap/world" ];
- ExecStartPre = let
- rsyncArgs = lib.cli.toCommandLineShellGNU { } {
- archive = true;
- compress = true;
- verbose = true;
- no-owner = true;
- no-group = true;
- rsh = "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey";
- };
- in "${lib.getExe pkgs.rsync} ${rsyncArgs} root@innovation.pvv.ntnu.no:/ ${vanillaSurvival}";
+ ExecStartPre =
+ let
+ rsyncArgs = lib.cli.toCommandLineShellGNU { } {
+ archive = true;
+ compress = true;
+ verbose = true;
+ no-owner = true;
+ no-group = true;
+ rsh = "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey";
+ };
+ in
+ "${lib.getExe pkgs.rsync} ${rsyncArgs} root@innovation.pvv.ntnu.no:/ ${vanillaSurvival}";
LoadCredential = [
"sshkey:${config.sops.secrets."bluemap/ssh-key".path}"
"ssh-known-hosts:${config.sops.secrets."bluemap/ssh-known-hosts".path}"
diff --git a/hosts/bekkalokk/services/idp-simplesamlphp/default.nix b/hosts/bekkalokk/services/idp-simplesamlphp/default.nix
index 1781f46..8e4392e 100644
--- a/hosts/bekkalokk/services/idp-simplesamlphp/default.nix
+++ b/hosts/bekkalokk/services/idp-simplesamlphp/default.nix
@@ -1,8 +1,16 @@
-{ config, pkgs, lib, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
let
pwAuthScript = pkgs.writeShellApplication {
name = "pwauth";
- runtimeInputs = with pkgs; [ coreutils heimdal ];
+ runtimeInputs = with pkgs; [
+ coreutils
+ heimdal
+ ];
text = ''
read -r user1
user2="$(echo -n "$user1" | tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz')"
@@ -33,7 +41,7 @@ let
"metadata/saml20-sp-remote.php" = pkgs.writeText "saml20-sp-remote.php" ''
[
@@ -85,14 +93,20 @@ let
substituteInPlace "$out" \
--replace-warn '$SAML_COOKIE_SECURE' 'true' \
- --replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."idp/cookie_salt".path}")' \
+ --replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${
+ config.sops.secrets."idp/cookie_salt".path
+ }")' \
--replace-warn '$SAML_ADMIN_NAME' '"Drift"' \
--replace-warn '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
- --replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/admin_password".path}")' \
+ --replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${
+ config.sops.secrets."idp/admin_password".path
+ }")' \
--replace-warn '$SAML_TRUSTED_DOMAINS' 'array( "idp.pvv.ntnu.no" )' \
--replace-warn '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp"' \
--replace-warn '$SAML_DATABASE_USERNAME' '"idp"' \
- --replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/postgres_password".path}")' \
+ --replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${
+ config.sops.secrets."idp/postgres_password".path
+ }")' \
--replace-warn '$CACHE_DIRECTORY' '/var/cache/idp'
'';
@@ -158,23 +172,25 @@ in
services.phpfpm.pools.idp = {
user = "idp";
group = "idp";
- settings = let
- listenUser = config.services.nginx.user;
- listenGroup = config.services.nginx.group;
- in {
- "pm" = "dynamic";
- "pm.max_children" = 32;
- "pm.max_requests" = 500;
- "pm.start_servers" = 2;
- "pm.min_spare_servers" = 2;
- "pm.max_spare_servers" = 4;
- "listen.owner" = listenUser;
- "listen.group" = listenGroup;
+ settings =
+ let
+ listenUser = config.services.nginx.user;
+ listenGroup = config.services.nginx.group;
+ in
+ {
+ "pm" = "dynamic";
+ "pm.max_children" = 32;
+ "pm.max_requests" = 500;
+ "pm.start_servers" = 2;
+ "pm.min_spare_servers" = 2;
+ "pm.max_spare_servers" = 4;
+ "listen.owner" = listenUser;
+ "listen.group" = listenGroup;
- "catch_workers_output" = true;
- "php_admin_flag[log_errors]" = true;
- # "php_admin_value[error_log]" = "stderr";
- };
+ "catch_workers_output" = true;
+ "php_admin_flag[log_errors]" = true;
+ # "php_admin_value[error_log]" = "stderr";
+ };
};
services.nginx.virtualHosts."idp.pvv.ntnu.no" = {
@@ -182,7 +198,7 @@ in
enableACME = true;
kTLS = true;
root = "${package}/share/php/simplesamlphp/public";
- locations = {
+ locations = {
# based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
"/" = {
alias = "${package}/share/php/simplesamlphp/public/";
diff --git a/hosts/bekkalokk/services/kerberos.nix b/hosts/bekkalokk/services/kerberos.nix
index 54d17e3..b9051d5 100644
--- a/hosts/bekkalokk/services/kerberos.nix
+++ b/hosts/bekkalokk/services/kerberos.nix
@@ -1,4 +1,9 @@
-{ config, pkgs, lib, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
{
security.krb5 = {
enable = true;
diff --git a/hosts/bekkalokk/services/mediawiki/default.nix b/hosts/bekkalokk/services/mediawiki/default.nix
index ec37d89..aba855b 100644
--- a/hosts/bekkalokk/services/mediawiki/default.nix
+++ b/hosts/bekkalokk/services/mediawiki/default.nix
@@ -1,4 +1,12 @@
-{ pkgs, lib, fp, config, values, ... }: let
+{
+ pkgs,
+ lib,
+ fp,
+ config,
+ values,
+ ...
+}:
+let
cfg = config.services.mediawiki;
# "mediawiki"
@@ -9,7 +17,9 @@
simplesamlphp = pkgs.simplesamlphp.override {
extra_files = {
- "metadata/saml20-idp-remote.php" = pkgs.writeText "mediawiki-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix);
+ "metadata/saml20-idp-remote.php" = pkgs.writeText "mediawiki-saml20-idp-remote.php" (
+ import ../idp-simplesamlphp/metadata.php.nix
+ );
"config/authsources.php" = ./simplesaml-authsources.php;
@@ -18,36 +28,49 @@
substituteInPlace "$out" \
--replace-warn '$SAML_COOKIE_SECURE' 'true' \
- --replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/cookie_salt".path}")' \
+ --replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${
+ config.sops.secrets."mediawiki/simplesamlphp/cookie_salt".path
+ }")' \
--replace-warn '$SAML_ADMIN_NAME' '"Drift"' \
--replace-warn '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
- --replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/admin_password".path}")' \
+ --replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${
+ config.sops.secrets."mediawiki/simplesamlphp/admin_password".path
+ }")' \
--replace-warn '$SAML_TRUSTED_DOMAINS' 'array( "wiki.pvv.ntnu.no" )' \
--replace-warn '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=mediawiki_simplesamlphp"' \
--replace-warn '$SAML_DATABASE_USERNAME' '"mediawiki_simplesamlphp"' \
- --replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path}")' \
+ --replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${
+ config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path
+ }")' \
--replace-warn '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp'
'';
};
};
-in {
+in
+{
services.idp.sp-remote-metadata = [ "https://wiki.pvv.ntnu.no/simplesaml/" ];
- sops.secrets = lib.pipe [
- "mediawiki/secret-key"
- "mediawiki/password"
- "mediawiki/postgres_password"
- "mediawiki/simplesamlphp/postgres_password"
- "mediawiki/simplesamlphp/cookie_salt"
- "mediawiki/simplesamlphp/admin_password"
- ] [
- (map (key: lib.nameValuePair key {
- owner = user;
- group = group;
- restartUnits = [ "phpfpm-mediawiki.service" ];
- }))
- lib.listToAttrs
- ];
+ sops.secrets =
+ lib.pipe
+ [
+ "mediawiki/secret-key"
+ "mediawiki/password"
+ "mediawiki/postgres_password"
+ "mediawiki/simplesamlphp/postgres_password"
+ "mediawiki/simplesamlphp/cookie_salt"
+ "mediawiki/simplesamlphp/admin_password"
+ ]
+ [
+ (map (
+ key:
+ lib.nameValuePair key {
+ owner = user;
+ group = group;
+ restartUnits = [ "phpfpm-mediawiki.service" ];
+ }
+ ))
+ lib.listToAttrs
+ ];
services.rsync-pull-targets = {
enable = true;
@@ -215,11 +238,13 @@ in {
# Cache directory for simplesamlphp
# systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp";
- systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = lib.mkIf cfg.enable {
- user = "mediawiki";
- group = "mediawiki";
- mode = "0770";
- };
+ systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d =
+ lib.mkIf cfg.enable
+ {
+ user = "mediawiki";
+ group = "mediawiki";
+ mode = "0770";
+ };
users.groups.mediawiki.members = lib.mkIf cfg.enable [ "nginx" ];
@@ -227,7 +252,7 @@ in {
kTLS = true;
forceSSL = true;
enableACME = true;
- locations = {
+ locations = {
"= /wiki/Main_Page" = lib.mkForce {
return = "301 /wiki/Programvareverkstedet";
};
@@ -253,19 +278,22 @@ in {
"= /PNG/PVV-logo.svg".alias = fp /assets/logo_blue_regular.svg;
"= /PNG/PVV-logo.png".alias = fp /assets/logo_blue_regular.png;
- "= /favicon.ico".alias = pkgs.runCommandLocal "mediawiki-favicon.ico" {
- buildInputs = with pkgs; [ imagemagick ];
- } ''
- magick \
- ${fp /assets/logo_blue_regular.png} \
- -resize x64 \
- -gravity center \
- -crop 64x64+0+0 \
- -flatten \
- -colors 256 \
- -background transparent \
- $out
- '';
+ "= /favicon.ico".alias =
+ pkgs.runCommandLocal "mediawiki-favicon.ico"
+ {
+ buildInputs = with pkgs; [ imagemagick ];
+ }
+ ''
+ magick \
+ ${fp /assets/logo_blue_regular.png} \
+ -resize x64 \
+ -gravity center \
+ -crop 64x64+0+0 \
+ -flatten \
+ -colors 256 \
+ -background transparent \
+ $out
+ '';
};
};
@@ -273,7 +301,9 @@ in {
systemd.services.mediawiki-init = lib.mkIf cfg.enable {
after = [ "sops-install-secrets.service" ];
serviceConfig = {
- BindReadOnlyPaths = [ "/run/credentials/mediawiki-init.service/secret-key:/var/lib/mediawiki/secret.key" ];
+ BindReadOnlyPaths = [
+ "/run/credentials/mediawiki-init.service/secret-key:/var/lib/mediawiki/secret.key"
+ ];
LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
UMask = lib.mkForce "0007";
};
@@ -282,7 +312,9 @@ in {
systemd.services.phpfpm-mediawiki = lib.mkIf cfg.enable {
after = [ "sops-install-secrets.service" ];
serviceConfig = {
- BindReadOnlyPaths = [ "/run/credentials/phpfpm-mediawiki.service/secret-key:/var/lib/mediawiki/secret.key" ];
+ BindReadOnlyPaths = [
+ "/run/credentials/phpfpm-mediawiki.service/secret-key:/var/lib/mediawiki/secret.key"
+ ];
LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
UMask = lib.mkForce "0007";
};
diff --git a/hosts/bekkalokk/services/phpfpm.nix b/hosts/bekkalokk/services/phpfpm.nix
index d796ff7..3ed51b9 100644
--- a/hosts/bekkalokk/services/phpfpm.nix
+++ b/hosts/bekkalokk/services/phpfpm.nix
@@ -11,41 +11,43 @@ in
{
# Source: https://www.pierreblazquez.com/2023/06/17/how-to-harden-apache-php-fpm-daemons-using-systemd/
systemd.services = lib.genAttrs pools (_: {
- serviceConfig = let
- caps = [
- "CAP_NET_BIND_SERVICE"
- "CAP_SETGID"
- "CAP_SETUID"
- "CAP_CHOWN"
- "CAP_KILL"
- "CAP_IPC_LOCK"
- "CAP_DAC_OVERRIDE"
- ];
- in {
- AmbientCapabilities = caps;
- CapabilityBoundingSet = caps;
- DeviceAllow = [ "" ];
- LockPersonality = true;
- MemoryDenyWriteExecute = false;
- NoNewPrivileges = true;
- PrivateMounts = true;
- ProtectClock = true;
- ProtectControlGroups = true;
- ProtectHome = true;
- ProtectHostname = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- RemoveIPC = true;
- UMask = "0077";
- RestrictNamespaces = "~mnt";
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- SystemCallArchitectures = "native";
- KeyringMode = "private";
- SystemCallFilter = [
- "@system-service"
- ];
- };
+ serviceConfig =
+ let
+ caps = [
+ "CAP_NET_BIND_SERVICE"
+ "CAP_SETGID"
+ "CAP_SETUID"
+ "CAP_CHOWN"
+ "CAP_KILL"
+ "CAP_IPC_LOCK"
+ "CAP_DAC_OVERRIDE"
+ ];
+ in
+ {
+ AmbientCapabilities = caps;
+ CapabilityBoundingSet = caps;
+ DeviceAllow = [ "" ];
+ LockPersonality = true;
+ MemoryDenyWriteExecute = false;
+ NoNewPrivileges = true;
+ PrivateMounts = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ RemoveIPC = true;
+ UMask = "0077";
+ RestrictNamespaces = "~mnt";
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ KeyringMode = "private";
+ SystemCallFilter = [
+ "@system-service"
+ ];
+ };
});
}
diff --git a/hosts/bekkalokk/services/vaultwarden.nix b/hosts/bekkalokk/services/vaultwarden.nix
index f552c69..bc1dd97 100644
--- a/hosts/bekkalokk/services/vaultwarden.nix
+++ b/hosts/bekkalokk/services/vaultwarden.nix
@@ -1,11 +1,18 @@
-{ config, pkgs, lib, values, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ values,
+ ...
+}:
let
cfg = config.services.vaultwarden;
domain = "pw.pvv.ntnu.no";
address = "127.0.1.2";
port = 3011;
wsPort = 3012;
-in {
+in
+{
sops.secrets."vaultwarden/environ" = {
owner = "vaultwarden";
group = "vaultwarden";
diff --git a/hosts/bekkalokk/services/webmail/default.nix b/hosts/bekkalokk/services/webmail/default.nix
index 97bc502..28cf46e 100644
--- a/hosts/bekkalokk/services/webmail/default.nix
+++ b/hosts/bekkalokk/services/webmail/default.nix
@@ -1,4 +1,10 @@
-{ config, values, pkgs, lib, ... }:
+{
+ config,
+ values,
+ pkgs,
+ lib,
+ ...
+}:
{
imports = [
./roundcube.nix
diff --git a/hosts/bekkalokk/services/webmail/roundcube.nix b/hosts/bekkalokk/services/webmail/roundcube.nix
index 960fb67..bce1bc5 100644
--- a/hosts/bekkalokk/services/webmail/roundcube.nix
+++ b/hosts/bekkalokk/services/webmail/roundcube.nix
@@ -1,4 +1,9 @@
-{ config, pkgs, lib, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
with lib;
let
@@ -14,14 +19,24 @@ in
services.roundcube = {
enable = true;
- package = pkgs.roundcube.withPlugins (plugins: with plugins; [
- persistent_login
- thunderbird_labels
- contextmenu
- custom_from
- ]);
+ package = pkgs.roundcube.withPlugins (
+ plugins: with plugins; [
+ persistent_login
+ thunderbird_labels
+ contextmenu
+ custom_from
+ ]
+ );
- dicts = with pkgs.aspellDicts; [ en en-computers nb nn fr de it ];
+ dicts = with pkgs.aspellDicts; [
+ en
+ en-computers
+ nb
+ nn
+ fr
+ de
+ it
+ ];
maxAttachmentSize = 20;
hostName = "roundcubeplaceholder.example.com";
@@ -54,21 +69,23 @@ in
ln -s ${cfg.package} $out/roundcube
'';
extraConfig = ''
- location ~ ^/roundcube/(${builtins.concatStringsSep "|" [
- # https://wiki.archlinux.org/title/Roundcube
- "README"
- "INSTALL"
- "LICENSE"
- "CHANGELOG"
- "UPGRADING"
- "bin"
- "SQL"
- ".+\\.md"
- "\\."
- "config"
- "temp"
- "logs"
- ]})/? {
+ location ~ ^/roundcube/(${
+ builtins.concatStringsSep "|" [
+ # https://wiki.archlinux.org/title/Roundcube
+ "README"
+ "INSTALL"
+ "LICENSE"
+ "CHANGELOG"
+ "UPGRADING"
+ "bin"
+ "SQL"
+ ".+\\.md"
+ "\\."
+ "config"
+ "temp"
+ "logs"
+ ]
+ })/? {
deny all;
}
diff --git a/hosts/bekkalokk/services/webmail/snappymail.nix b/hosts/bekkalokk/services/webmail/snappymail.nix
index 3b8e5b5..2ee366a 100644
--- a/hosts/bekkalokk/services/webmail/snappymail.nix
+++ b/hosts/bekkalokk/services/webmail/snappymail.nix
@@ -1,7 +1,15 @@
-{ config, lib, fp, pkgs, values, ... }:
+{
+ config,
+ lib,
+ fp,
+ pkgs,
+ values,
+ ...
+}:
let
cfg = config.services.snappymail;
-in {
+in
+{
imports = [ (fp /modules/snappymail.nix) ];
services.snappymail = {
diff --git a/hosts/bekkalokk/services/website/default.nix b/hosts/bekkalokk/services/website/default.nix
index 9a35cb6..2b77858 100644
--- a/hosts/bekkalokk/services/website/default.nix
+++ b/hosts/bekkalokk/services/website/default.nix
@@ -1,22 +1,31 @@
-{ pkgs, lib, config, ... }:
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}:
let
format = pkgs.formats.php { };
cfg = config.services.pvv-nettsiden;
-in {
+in
+{
imports = [
./fetch-gallery.nix
];
- sops.secrets = lib.genAttrs [
- "nettsiden/door_secret"
- "nettsiden/mysql_password"
- "nettsiden/simplesamlphp/admin_password"
- "nettsiden/simplesamlphp/cookie_salt"
- ] (_: {
- owner = config.services.phpfpm.pools.pvv-nettsiden.user;
- group = config.services.phpfpm.pools.pvv-nettsiden.group;
- restartUnits = [ "phpfpm-pvv-nettsiden.service" ];
- });
+ sops.secrets =
+ lib.genAttrs
+ [
+ "nettsiden/door_secret"
+ "nettsiden/mysql_password"
+ "nettsiden/simplesamlphp/admin_password"
+ "nettsiden/simplesamlphp/cookie_salt"
+ ]
+ (_: {
+ owner = config.services.phpfpm.pools.pvv-nettsiden.user;
+ group = config.services.phpfpm.pools.pvv-nettsiden.group;
+ restartUnits = [ "phpfpm-pvv-nettsiden.service" ];
+ });
security.acme.certs."www.pvv.ntnu.no" = {
extraDomainNames = [
@@ -35,48 +44,53 @@ in {
package = pkgs.pvv-nettsiden.override {
extra_files = {
- "${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/metadata/saml20-idp-remote.php" = pkgs.writeText "pvv-nettsiden-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix);
- "${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/config/authsources.php" = pkgs.writeText "pvv-nettsiden-authsources.php" ''
- array(
- 'core:AdminPassword'
- ),
- 'default-sp' => array(
- 'saml:SP',
- 'entityID' => 'https://${cfg.domainName}/simplesaml/',
- 'idp' => 'https://idp.pvv.ntnu.no/',
- ),
- );
- '';
+ "${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/metadata/saml20-idp-remote.php" =
+ pkgs.writeText "pvv-nettsiden-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix);
+ "${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/config/authsources.php" =
+ pkgs.writeText "pvv-nettsiden-authsources.php" ''
+ array(
+ 'core:AdminPassword'
+ ),
+ 'default-sp' => array(
+ 'saml:SP',
+ 'entityID' => 'https://${cfg.domainName}/simplesaml/',
+ 'idp' => 'https://idp.pvv.ntnu.no/',
+ ),
+ );
+ '';
};
};
domainName = "www.pvv.ntnu.no";
- settings = let
- includeFromSops = path: format.lib.mkRaw "file_get_contents('${config.sops.secrets."nettsiden/${path}".path}')";
- in {
- DOOR_SECRET = includeFromSops "door_secret";
+ settings =
+ let
+ includeFromSops =
+ path: format.lib.mkRaw "file_get_contents('${config.sops.secrets."nettsiden/${path}".path}')";
+ in
+ {
+ DOOR_SECRET = includeFromSops "door_secret";
- DB = {
- DSN = "mysql:dbname=www-data_nettside;host=mysql.pvv.ntnu.no";
- USER = "www-data_nettsi";
- PASS = includeFromSops "mysql_password";
- };
+ DB = {
+ DSN = "mysql:dbname=www-data_nettside;host=mysql.pvv.ntnu.no";
+ USER = "www-data_nettsi";
+ PASS = includeFromSops "mysql_password";
+ };
- # TODO: set up postgres session for simplesamlphp
- SAML = {
- COOKIE_SALT = includeFromSops "simplesamlphp/cookie_salt";
- COOKIE_SECURE = true;
- ADMIN_NAME = "PVV Drift";
- ADMIN_EMAIL = "drift@pvv.ntnu.no";
- ADMIN_PASSWORD = includeFromSops "simplesamlphp/admin_password";
- TRUSTED_DOMAINS = [
- "www.pvv.ntnu.no"
- ];
+ # TODO: set up postgres session for simplesamlphp
+ SAML = {
+ COOKIE_SALT = includeFromSops "simplesamlphp/cookie_salt";
+ COOKIE_SECURE = true;
+ ADMIN_NAME = "PVV Drift";
+ ADMIN_EMAIL = "drift@pvv.ntnu.no";
+ ADMIN_PASSWORD = includeFromSops "simplesamlphp/admin_password";
+ TRUSTED_DOMAINS = [
+ "www.pvv.ntnu.no"
+ ];
+ };
};
- };
};
services.phpfpm.pools."pvv-nettsiden".settings = {
diff --git a/hosts/bekkalokk/services/website/fetch-gallery.nix b/hosts/bekkalokk/services/website/fetch-gallery.nix
index 236bd41..e8ad9f9 100644
--- a/hosts/bekkalokk/services/website/fetch-gallery.nix
+++ b/hosts/bekkalokk/services/website/fetch-gallery.nix
@@ -1,8 +1,15 @@
-{ pkgs, lib, config, values, ... }:
+{
+ pkgs,
+ lib,
+ config,
+ values,
+ ...
+}:
let
galleryDir = config.services.pvv-nettsiden.settings.GALLERY.DIR;
transferDir = "${config.services.pvv-nettsiden.settings.GALLERY.DIR}-transfer";
-in {
+in
+{
users.users.${config.services.pvv-nettsiden.user} = {
# NOTE: the user unfortunately needs a registered shell for rrsync to function...
# is there anything we can do to remove this?
@@ -37,14 +44,20 @@ in {
};
systemd.services.pvv-nettsiden-gallery-update = {
- path = with pkgs; [ imagemagick gnutar gzip ];
+ path = with pkgs; [
+ imagemagick
+ gnutar
+ gzip
+ ];
script = ''
- tar ${lib.cli.toGNUCommandLineShell {} {
- extract = true;
- file = "${transferDir}/gallery.tar.gz";
- directory = ".";
- }}
+ tar ${
+ lib.cli.toGNUCommandLineShell { } {
+ extract = true;
+ file = "${transferDir}/gallery.tar.gz";
+ directory = ".";
+ }
+ }
# Delete files and directories that exists in the gallery that don't exist in the tarball
filesToRemove=$(uniq -u <(sort <(find . -not -path "./.thumbnails*") <(tar -tf ${transferDir}/gallery.tar.gz | sed 's|/$||')))
diff --git a/hosts/bekkalokk/services/well-known/default.nix b/hosts/bekkalokk/services/well-known/default.nix
index e78c406..f0db2b3 100644
--- a/hosts/bekkalokk/services/well-known/default.nix
+++ b/hosts/bekkalokk/services/well-known/default.nix
@@ -1,25 +1,28 @@
{ lib, ... }:
{
- services.nginx.virtualHosts = lib.genAttrs [
- "pvv.ntnu.no"
- "www.pvv.ntnu.no"
- "pvv.org"
- "www.pvv.org"
- ] (_: {
- locations = {
- "^~ /.well-known/" = {
- alias = (toString ./root) + "/";
- };
+ services.nginx.virtualHosts =
+ lib.genAttrs
+ [
+ "pvv.ntnu.no"
+ "www.pvv.ntnu.no"
+ "pvv.org"
+ "www.pvv.org"
+ ]
+ (_: {
+ locations = {
+ "^~ /.well-known/" = {
+ alias = (toString ./root) + "/";
+ };
- # Proxy the matrix well-known files
- # Host has be set before proxy_pass
- # The header must be set so nginx on the other side routes it to the right place
- "^~ /.well-known/matrix/" = {
- extraConfig = ''
- proxy_set_header Host matrix.pvv.ntnu.no;
- proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
- '';
- };
- };
- });
+ # Proxy the matrix well-known files
+ # Host has be set before proxy_pass
+ # The header must be set so nginx on the other side routes it to the right place
+ "^~ /.well-known/matrix/" = {
+ extraConfig = ''
+ proxy_set_header Host matrix.pvv.ntnu.no;
+ proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
+ '';
+ };
+ };
+ });
}
diff --git a/hosts/bicep/configuration.nix b/hosts/bicep/configuration.nix
index ecca68e..dc68f99 100644
--- a/hosts/bicep/configuration.nix
+++ b/hosts/bicep/configuration.nix
@@ -1,4 +1,9 @@
-{ fp, pkgs, values, ... }:
+{
+ fp,
+ pkgs,
+ values,
+ ...
+}:
{
imports = [
./hardware-configuration.nix
@@ -19,8 +24,16 @@
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
#matchConfig.Name = "enp6s0f0";
matchConfig.Name = "ens18";
- address = with values.hosts.bicep; [ (ipv4 + "/25") (ipv6 + "/64") ]
- ++ (with values.services.turn; [ (ipv4 + "/25") (ipv6 + "/64") ]);
+ address =
+ with values.hosts.bicep;
+ [
+ (ipv4 + "/25")
+ (ipv6 + "/64")
+ ]
+ ++ (with values.services.turn; [
+ (ipv4 + "/25")
+ (ipv6 + "/64")
+ ]);
};
systemd.network.wait-online = {
anyInterface = true;
diff --git a/hosts/bicep/hardware-configuration.nix b/hosts/bicep/hardware-configuration.nix
index a5fa9e9..88aad0f 100644
--- a/hosts/bicep/hardware-configuration.nix
+++ b/hosts/bicep/hardware-configuration.nix
@@ -1,34 +1,49 @@
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
{
- imports =
- [ (modulesPath + "/profiles/qemu-guest.nix")
- ];
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
- boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "ahci" "sd_mod" "sr_mod" ];
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "uhci_hcd"
+ "ahci"
+ "sd_mod"
+ "sr_mod"
+ ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
- fileSystems."/" =
- { device = "/dev/disk/by-uuid/20e06202-7a09-47cc-8ef6-5e7afe19453a";
- fsType = "ext4";
- };
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/20e06202-7a09-47cc-8ef6-5e7afe19453a";
+ fsType = "ext4";
+ };
# temp data disk, only 128gb not enough until we can add another disk to the system.
- fileSystems."/data" =
- { device = "/dev/disk/by-uuid/c81af266-0781-4084-b8eb-c2587cbcf1ba";
- fsType = "ext4";
- };
+ fileSystems."/data" = {
+ device = "/dev/disk/by-uuid/c81af266-0781-4084-b8eb-c2587cbcf1ba";
+ fsType = "ext4";
+ };
- fileSystems."/boot" =
- { device = "/dev/disk/by-uuid/198B-E363";
- fsType = "vfat";
- options = [ "fmask=0022" "dmask=0022" ];
- };
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/198B-E363";
+ fsType = "vfat";
+ options = [
+ "fmask=0022"
+ "dmask=0022"
+ ];
+ };
swapDevices = [ ];
diff --git a/hosts/bicep/services/calendar-bot.nix b/hosts/bicep/services/calendar-bot.nix
index ad5bbe5..21c6416 100644
--- a/hosts/bicep/services/calendar-bot.nix
+++ b/hosts/bicep/services/calendar-bot.nix
@@ -1,7 +1,14 @@
-{ config, fp, lib, pkgs, ... }:
+{
+ config,
+ fp,
+ lib,
+ pkgs,
+ ...
+}:
let
cfg = config.services.pvv-calendar-bot;
-in {
+in
+{
sops.secrets = {
"calendar-bot/matrix_token" = {
sopsFile = fp /secrets/bicep/bicep.yaml;
diff --git a/hosts/bicep/services/git-mirrors/default.nix b/hosts/bicep/services/git-mirrors/default.nix
index 4f2f730..9ee7e9a 100644
--- a/hosts/bicep/services/git-mirrors/default.nix
+++ b/hosts/bicep/services/git-mirrors/default.nix
@@ -1,4 +1,10 @@
-{ config, pkgs, lib, fp, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ fp,
+ ...
+}:
let
cfg = config.services.gickup;
in
@@ -20,79 +26,88 @@ in
lfs = false;
};
- instances = let
- defaultGithubConfig = {
- settings.token_file = config.sops.secrets."gickup/github-token".path;
- };
- defaultGitlabConfig = {
- # settings.token_file = ...
- };
- in {
- "github:Git-Mediawiki/Git-Mediawiki" = defaultGithubConfig;
- "github:NixOS/nixpkgs" = defaultGithubConfig;
- "github:go-gitea/gitea" = defaultGithubConfig;
- "github:heimdal/heimdal" = defaultGithubConfig;
- "github:saltstack/salt" = defaultGithubConfig;
- "github:typst/typst" = defaultGithubConfig;
- "github:unmojang/FjordLauncher" = defaultGithubConfig;
- "github:unmojang/drasl" = defaultGithubConfig;
- "github:yushijinhun/authlib-injector" = defaultGithubConfig;
+ instances =
+ let
+ defaultGithubConfig = {
+ settings.token_file = config.sops.secrets."gickup/github-token".path;
+ };
+ defaultGitlabConfig = {
+ # settings.token_file = ...
+ };
+ in
+ {
+ "github:Git-Mediawiki/Git-Mediawiki" = defaultGithubConfig;
+ "github:NixOS/nixpkgs" = defaultGithubConfig;
+ "github:go-gitea/gitea" = defaultGithubConfig;
+ "github:heimdal/heimdal" = defaultGithubConfig;
+ "github:saltstack/salt" = defaultGithubConfig;
+ "github:typst/typst" = defaultGithubConfig;
+ "github:unmojang/FjordLauncher" = defaultGithubConfig;
+ "github:unmojang/drasl" = defaultGithubConfig;
+ "github:yushijinhun/authlib-injector" = defaultGithubConfig;
- "gitlab:mx-puppet/discord/better-discord.js" = defaultGitlabConfig;
- "gitlab:mx-puppet/discord/discord-markdown" = defaultGitlabConfig;
- "gitlab:mx-puppet/discord/matrix-discord-parser" = defaultGitlabConfig;
- "gitlab:mx-puppet/discord/mx-puppet-discord" = defaultGitlabConfig;
- "gitlab:mx-puppet/mx-puppet-bridge" = defaultGitlabConfig;
+ "gitlab:mx-puppet/discord/better-discord.js" = defaultGitlabConfig;
+ "gitlab:mx-puppet/discord/discord-markdown" = defaultGitlabConfig;
+ "gitlab:mx-puppet/discord/matrix-discord-parser" = defaultGitlabConfig;
+ "gitlab:mx-puppet/discord/mx-puppet-discord" = defaultGitlabConfig;
+ "gitlab:mx-puppet/mx-puppet-bridge" = defaultGitlabConfig;
- "any:glibc" = {
- settings.url = "https://sourceware.org/git/glibc.git";
- };
+ "any:glibc" = {
+ settings.url = "https://sourceware.org/git/glibc.git";
+ };
- "any:out-of-your-element" = {
- settings.url = "https://gitdab.com/cadence/out-of-your-element.git";
- };
+ "any:out-of-your-element" = {
+ settings.url = "https://gitdab.com/cadence/out-of-your-element.git";
+ };
- "any:out-of-your-element-module" = {
- settings.url = "https://cgit.rory.gay/nix/OOYE-module.git";
+ "any:out-of-your-element-module" = {
+ settings.url = "https://cgit.rory.gay/nix/OOYE-module.git";
+ };
};
- };
};
- services.cgit = let
- domain = "mirrors.pvv.ntnu.no";
- in {
- ${domain} = {
- enable = true;
- package = pkgs.callPackage (fp /packages/cgit.nix) { };
- group = "gickup";
- scanPath = "${cfg.dataDir}/linktree";
- gitHttpBackend.checkExportOkFiles = false;
- settings = {
- enable-commit-graph = true;
- enable-follow-links = true;
- enable-http-clone = true;
- enable-remote-branches = true;
- clone-url = "https://${domain}/$CGIT_REPO_URL";
- remove-suffix = true;
- root-title = "PVVSPPP";
- root-desc = "PVV Speiler Praktisk og Prominent Programvare";
- snapshots = "all";
- logo = "/PVV-logo.png";
+ services.cgit =
+ let
+ domain = "mirrors.pvv.ntnu.no";
+ in
+ {
+ ${domain} = {
+ enable = true;
+ package = pkgs.callPackage (fp /packages/cgit.nix) { };
+ group = "gickup";
+ scanPath = "${cfg.dataDir}/linktree";
+ gitHttpBackend.checkExportOkFiles = false;
+ settings = {
+ enable-commit-graph = true;
+ enable-follow-links = true;
+ enable-http-clone = true;
+ enable-remote-branches = true;
+ clone-url = "https://${domain}/$CGIT_REPO_URL";
+ remove-suffix = true;
+ root-title = "PVVSPPP";
+ root-desc = "PVV Speiler Praktisk og Prominent Programvare";
+ snapshots = "all";
+ logo = "/PVV-logo.png";
+ };
};
};
- };
services.nginx.virtualHosts."mirrors.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
- locations."= /PVV-logo.png".alias = let
- small-pvv-logo = pkgs.runCommandLocal "pvv-logo-96x96" {
- nativeBuildInputs = [ pkgs.imagemagick ];
- } ''
- magick '${fp /assets/logo_blue_regular.svg}' -resize 96x96 PNG:"$out"
- '';
- in toString small-pvv-logo;
+ locations."= /PVV-logo.png".alias =
+ let
+ small-pvv-logo =
+ pkgs.runCommandLocal "pvv-logo-96x96"
+ {
+ nativeBuildInputs = [ pkgs.imagemagick ];
+ }
+ ''
+ magick '${fp /assets/logo_blue_regular.svg}' -resize 96x96 PNG:"$out"
+ '';
+ in
+ toString small-pvv-logo;
};
systemd.services."fcgiwrap-cgit-mirrors.pvv.ntnu.no" = {
diff --git a/hosts/bicep/services/matrix/coturn.nix b/hosts/bicep/services/matrix/coturn.nix
index c2f218f..99e12db 100644
--- a/hosts/bicep/services/matrix/coturn.nix
+++ b/hosts/bicep/services/matrix/coturn.nix
@@ -1,4 +1,12 @@
-{ config, lib, fp, pkgs, secrets, values, ... }:
+{
+ config,
+ lib,
+ fp,
+ pkgs,
+ secrets,
+ values,
+ ...
+}:
{
sops.secrets."matrix/coturn/static-auth-secret" = {
@@ -127,18 +135,31 @@
};
networking.firewall = {
- interfaces.enp6s0f0 = let
- range = with config.services.coturn; [ {
- from = min-port;
- to = max-port;
- } ];
- in
- {
- allowedUDPPortRanges = range;
- allowedUDPPorts = [ 443 3478 3479 5349 ];
- allowedTCPPortRanges = range;
- allowedTCPPorts = [ 443 3478 3479 5349 ];
- };
+ interfaces.enp6s0f0 =
+ let
+ range = with config.services.coturn; [
+ {
+ from = min-port;
+ to = max-port;
+ }
+ ];
+ in
+ {
+ allowedUDPPortRanges = range;
+ allowedUDPPorts = [
+ 443
+ 3478
+ 3479
+ 5349
+ ];
+ allowedTCPPortRanges = range;
+ allowedTCPPorts = [
+ 443
+ 3478
+ 3479
+ 5349
+ ];
+ };
};
}
diff --git a/hosts/bicep/services/matrix/discord.nix b/hosts/bicep/services/matrix/discord.nix
index 726f1ef..12954f3 100644
--- a/hosts/bicep/services/matrix/discord.nix
+++ b/hosts/bicep/services/matrix/discord.nix
@@ -1,4 +1,9 @@
-{ config, lib, fp, ... }:
+{
+ config,
+ lib,
+ fp,
+ ...
+}:
let
cfg = config.services.mx-puppet-discord;
@@ -44,7 +49,6 @@ in
];
};
-
services.mx-puppet-discord.enable = false;
services.mx-puppet-discord.settings = {
bridge = {
@@ -52,16 +56,21 @@ in
domain = "pvv.ntnu.no";
homeserverUrl = "https://matrix.pvv.ntnu.no";
};
- provisioning.whitelist = [ "@dandellion:dodsorf\\.as" "@danio:pvv\\.ntnu\\.no"];
+ provisioning.whitelist = [
+ "@dandellion:dodsorf\\.as"
+ "@danio:pvv\\.ntnu\\.no"
+ ];
relay.whitelist = [ ".*" ];
- selfService.whitelist = [ "@danio:pvv\\.ntnu\\.no" "@dandellion:dodsorf\\.as" ];
+ selfService.whitelist = [
+ "@danio:pvv\\.ntnu\\.no"
+ "@dandellion:dodsorf\\.as"
+ ];
};
services.mx-puppet-discord.serviceDependencies = [
"matrix-synapse.target"
"nginx.service"
];
-
services.matrix-synapse-next.settings = {
app_service_config_files = [
config.sops.templates."discord-registration.yaml".path
diff --git a/hosts/bicep/services/matrix/element.nix b/hosts/bicep/services/matrix/element.nix
index b6f3d38..13c7017 100644
--- a/hosts/bicep/services/matrix/element.nix
+++ b/hosts/bicep/services/matrix/element.nix
@@ -1,7 +1,13 @@
-{ config, lib, pkgs, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
let
synapse-cfg = config.services.matrix-synapse-next;
-in {
+in
+{
services.pvv-matrix-well-known.client = {
"m.homeserver" = {
base_url = "https://matrix.pvv.ntnu.no";
@@ -21,12 +27,12 @@ in {
default_server_config = config.services.pvv-matrix-well-known.client;
disable_3pid_login = true;
-# integrations_ui_url = "https://dimension.dodsorf.as/riot";
-# integrations_rest_url = "https://dimension.dodsorf.as/api/v1/scalar";
-# integrations_widgets_urls = [
-# "https://dimension.dodsorf.as/widgets"
-# ];
-# integration_jitsi_widget_url = "https://dimension.dodsorf.as/widgets/jitsi";
+ # integrations_ui_url = "https://dimension.dodsorf.as/riot";
+ # integrations_rest_url = "https://dimension.dodsorf.as/api/v1/scalar";
+ # integrations_widgets_urls = [
+ # "https://dimension.dodsorf.as/widgets"
+ # ];
+ # integration_jitsi_widget_url = "https://dimension.dodsorf.as/widgets/jitsi";
defaultCountryCode = "NO";
showLabsSettings = true;
features = {
diff --git a/hosts/bicep/services/matrix/hookshot/default.nix b/hosts/bicep/services/matrix/hookshot/default.nix
index 8b89eec..5fcaae7 100644
--- a/hosts/bicep/services/matrix/hookshot/default.nix
+++ b/hosts/bicep/services/matrix/hookshot/default.nix
@@ -1,4 +1,11 @@
-{ config, lib, fp, unstablePkgs, inputs, ... }:
+{
+ config,
+ lib,
+ fp,
+ unstablePkgs,
+ inputs,
+ ...
+}:
let
cfg = config.services.matrix-hookshot;
@@ -100,7 +107,8 @@ in
};
serviceBots = [
- { localpart = "bot_feeds";
+ {
+ localpart = "bot_feeds";
displayname = "Aya";
avatar = ./feeds.png;
prefix = "!aya";
@@ -115,20 +123,44 @@ in
permissions = [
# Users of the PVV Server
- { actor = "pvv.ntnu.no";
- services = [ { service = "*"; level = "commands"; } ];
+ {
+ actor = "pvv.ntnu.no";
+ services = [
+ {
+ service = "*";
+ level = "commands";
+ }
+ ];
}
# Members of Medlem space (for people with their own hs)
- { actor = "!pZOTJQinWyyTWaeOgK:pvv.ntnu.no";
- services = [ { service = "*"; level = "commands"; } ];
+ {
+ actor = "!pZOTJQinWyyTWaeOgK:pvv.ntnu.no";
+ services = [
+ {
+ service = "*";
+ level = "commands";
+ }
+ ];
}
# Members of Drift
- { actor = "!eYgeufLrninXxQpYml:pvv.ntnu.no";
- services = [ { service = "*"; level = "admin"; } ];
+ {
+ actor = "!eYgeufLrninXxQpYml:pvv.ntnu.no";
+ services = [
+ {
+ service = "*";
+ level = "admin";
+ }
+ ];
}
# Dan bootstrap
- { actor = "@dandellion:dodsorf.as";
- services = [ { service = "*"; level = "admin"; } ];
+ {
+ actor = "@dandellion:dodsorf.as";
+ services = [
+ {
+ service = "*";
+ level = "admin";
+ }
+ ];
}
];
};
diff --git a/hosts/bicep/services/matrix/livekit.nix b/hosts/bicep/services/matrix/livekit.nix
index 3342404..b11eebb 100644
--- a/hosts/bicep/services/matrix/livekit.nix
+++ b/hosts/bicep/services/matrix/livekit.nix
@@ -1,4 +1,9 @@
-{ config, lib, fp, ... }:
+{
+ config,
+ lib,
+ fp,
+ ...
+}:
let
synapseConfig = config.services.matrix-synapse-next;
matrixDomain = "matrix.pvv.ntnu.no";
@@ -20,10 +25,12 @@ in
};
services.pvv-matrix-well-known.client = lib.mkIf cfg.enable {
- "org.matrix.msc4143.rtc_foci" = [{
- type = "livekit";
- livekit_service_url = "https://${matrixDomain}/livekit/jwt";
- }];
+ "org.matrix.msc4143.rtc_foci" = [
+ {
+ type = "livekit";
+ livekit_service_url = "https://${matrixDomain}/livekit/jwt";
+ }
+ ];
};
services.livekit = {
@@ -43,7 +50,12 @@ in
keyFile = config.sops.templates."matrix-livekit-keyfile".path;
};
- systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = lib.mkIf cfg.enable (builtins.concatStringsSep "," [ "pvv.ntnu.no" "dodsorf.as" ]);
+ systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = lib.mkIf cfg.enable (
+ builtins.concatStringsSep "," [
+ "pvv.ntnu.no"
+ "dodsorf.as"
+ ]
+ );
services.nginx.virtualHosts.${matrixDomain} = lib.mkIf cfg.enable {
locations."^~ /livekit/jwt/" = {
diff --git a/hosts/bicep/services/matrix/mjolnir.nix b/hosts/bicep/services/matrix/mjolnir.nix
index 6dbb83f..07e7d9b 100644
--- a/hosts/bicep/services/matrix/mjolnir.nix
+++ b/hosts/bicep/services/matrix/mjolnir.nix
@@ -1,4 +1,9 @@
-{ config, lib, fp, ... }:
+{
+ config,
+ lib,
+ fp,
+ ...
+}:
{
sops.secrets."matrix/mjolnir/access_token" = {
diff --git a/hosts/bicep/services/matrix/out-of-your-element.nix b/hosts/bicep/services/matrix/out-of-your-element.nix
index 16ec794..4186413 100644
--- a/hosts/bicep/services/matrix/out-of-your-element.nix
+++ b/hosts/bicep/services/matrix/out-of-your-element.nix
@@ -1,4 +1,11 @@
-{ config, pkgs, lib, values, fp, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ values,
+ fp,
+ ...
+}:
let
cfg = config.services.matrix-ooye;
in
diff --git a/hosts/bicep/services/matrix/smtp-authenticator/default.nix b/hosts/bicep/services/matrix/smtp-authenticator/default.nix
index d8a7000..bbdef03 100644
--- a/hosts/bicep/services/matrix/smtp-authenticator/default.nix
+++ b/hosts/bicep/services/matrix/smtp-authenticator/default.nix
@@ -1,4 +1,9 @@
-{ lib, buildPythonPackage, fetchFromGitHub, setuptools }:
+{
+ lib,
+ buildPythonPackage,
+ fetchFromGitHub,
+ setuptools,
+}:
buildPythonPackage rec {
pname = "matrix-synapse-smtp-auth";
diff --git a/hosts/bicep/services/matrix/synapse-admin.nix b/hosts/bicep/services/matrix/synapse-admin.nix
index b17c21e..d200100 100644
--- a/hosts/bicep/services/matrix/synapse-admin.nix
+++ b/hosts/bicep/services/matrix/synapse-admin.nix
@@ -1,5 +1,9 @@
-{ config, lib, pkgs, ... }:
-
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
# This service requires you to have access to endpoints not available over the internet
# Use an ssh proxy or similar to access this dashboard.
diff --git a/hosts/bicep/services/matrix/synapse-auto-compressor.nix b/hosts/bicep/services/matrix/synapse-auto-compressor.nix
index 5f77092..e37c918 100644
--- a/hosts/bicep/services/matrix/synapse-auto-compressor.nix
+++ b/hosts/bicep/services/matrix/synapse-auto-compressor.nix
@@ -1,4 +1,9 @@
-{ config, lib, utils, ... }:
+{
+ config,
+ lib,
+ utils,
+ ...
+}:
let
cfg = config.services.synapse-auto-compressor;
in
diff --git a/hosts/bicep/services/matrix/synapse.nix b/hosts/bicep/services/matrix/synapse.nix
index c9a055d..33dfa90 100644
--- a/hosts/bicep/services/matrix/synapse.nix
+++ b/hosts/bicep/services/matrix/synapse.nix
@@ -1,13 +1,23 @@
-{ config, lib, fp, pkgs, values, inputs, ... }:
+{
+ config,
+ lib,
+ fp,
+ pkgs,
+ values,
+ inputs,
+ ...
+}:
let
cfg = config.services.matrix-synapse-next;
matrix-lib = inputs.matrix-next.lib;
- imap0Attrs = with lib; f: set:
- listToAttrs (imap0 (i: attr: nameValuePair attr (f i attr set.${attr})) (attrNames set));
-in {
+ imap0Attrs =
+ with lib;
+ f: set: listToAttrs (imap0 (i: attr: nameValuePair attr (f i attr set.${attr})) (attrNames set));
+in
+{
sops.secrets."matrix/synapse/signing_key" = {
key = "synapse/signing_key";
sopsFile = fp /secrets/bicep/matrix.yaml;
@@ -23,7 +33,9 @@ in {
owner = config.users.users.matrix-synapse.name;
group = config.users.users.matrix-synapse.group;
content = ''
- registration_shared_secret: ${config.sops.placeholder."matrix/synapse/user_registration/registration_shared_secret"}
+ registration_shared_secret: ${
+ config.sops.placeholder."matrix/synapse/user_registration/registration_shared_secret"
+ }
'';
};
@@ -68,7 +80,7 @@ in {
signing_key_path = config.sops.secrets."matrix/synapse/signing_key".path;
- media_store_path = "${cfg.dataDir}/media";
+ media_store_path = "${cfg.dataDir}/media";
database = {
name = "psycopg2";
@@ -110,7 +122,8 @@ in {
password_config.enabled = true;
modules = [
- { module = "smtp_auth_provider.SMTPAuthProvider";
+ {
+ module = "smtp_auth_provider.SMTPAuthProvider";
config = {
smtp_host = "smtp.pvv.ntnu.no";
};
@@ -183,61 +196,79 @@ in {
services.pvv-matrix-well-known.server."m.server" = "matrix.pvv.ntnu.no:443";
services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
- {
- kTLS = true;
- }
- {
- locations."/_synapse/admin" = {
- proxyPass = "http://$synapse_backend";
- extraConfig = ''
- allow 127.0.0.1;
- allow ::1;
- allow ${values.hosts.bicep.ipv4};
- allow ${values.hosts.bicep.ipv6};
- deny all;
- '';
- };
- }
- {
- locations = let
- connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w;
- socketAddress = w: let c = connectionInfo w; in "${c.host}:${toString c.port}";
+ {
+ kTLS = true;
+ }
+ {
+ locations."/_synapse/admin" = {
+ proxyPass = "http://$synapse_backend";
+ extraConfig = ''
+ allow 127.0.0.1;
+ allow ::1;
+ allow ${values.hosts.bicep.ipv4};
+ allow ${values.hosts.bicep.ipv6};
+ deny all;
+ '';
+ };
+ }
+ {
+ locations =
+ let
+ connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w;
+ socketAddress =
+ w:
+ let
+ c = connectionInfo w;
+ in
+ "${c.host}:${toString c.port}";
- metricsPath = w: "/metrics/${w.type}/${toString w.index}";
- proxyPath = w: "http://${socketAddress w}/_synapse/metrics";
- in lib.mapAttrs' (n: v: lib.nameValuePair
- (metricsPath v) {
- proxyPass = proxyPath v;
+ metricsPath = w: "/metrics/${w.type}/${toString w.index}";
+ proxyPath = w: "http://${socketAddress w}/_synapse/metrics";
+ in
+ lib.mapAttrs' (
+ n: v:
+ lib.nameValuePair (metricsPath v) {
+ proxyPass = proxyPath v;
+ extraConfig = ''
+ allow ${values.hosts.ildkule.ipv4};
+ allow ${values.hosts.ildkule.ipv6};
+ deny all;
+ '';
+ }
+ ) cfg.workers.instances;
+ }
+ {
+ locations."/metrics/master/1" = {
+ proxyPass = "http://127.0.0.1:9000/_synapse/metrics";
extraConfig = ''
allow ${values.hosts.ildkule.ipv4};
allow ${values.hosts.ildkule.ipv6};
deny all;
'';
- })
- cfg.workers.instances;
- }
- {
- locations."/metrics/master/1" = {
- proxyPass = "http://127.0.0.1:9000/_synapse/metrics";
- extraConfig = ''
- allow ${values.hosts.ildkule.ipv4};
- allow ${values.hosts.ildkule.ipv6};
- deny all;
- '';
- };
+ };
- locations."/metrics/" = let
- endpoints = lib.pipe cfg.workers.instances [
- (lib.mapAttrsToList (_: v: v))
- (map (w: "${w.type}/${toString w.index}"))
- (map (w: "matrix.pvv.ntnu.no/metrics/${w}"))
- ] ++ [ "matrix.pvv.ntnu.no/metrics/master/1" ];
- in {
- alias = pkgs.writeTextDir "/config.json"
- (builtins.toJSON [
- { targets = endpoints;
- labels = { };
- }]) + "/";
- };
- }];
+ locations."/metrics/" =
+ let
+ endpoints =
+ lib.pipe cfg.workers.instances [
+ (lib.mapAttrsToList (_: v: v))
+ (map (w: "${w.type}/${toString w.index}"))
+ (map (w: "matrix.pvv.ntnu.no/metrics/${w}"))
+ ]
+ ++ [ "matrix.pvv.ntnu.no/metrics/master/1" ];
+ in
+ {
+ alias =
+ pkgs.writeTextDir "/config.json" (
+ builtins.toJSON [
+ {
+ targets = endpoints;
+ labels = { };
+ }
+ ]
+ )
+ + "/";
+ };
+ }
+ ];
}
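Review bot: `n: v:` at L3011 binds a name that is never used, while the sibling pipeline at L3061 already writes `_: v:`; `lib.mapAttrs' (_: v:` would keep the two consistent and make it obvious only the value is read. The `allow ${values.hosts.ildkule.ipv4}; … deny all;` extraConfig is now repeated verbatim for the worker locations (L3014–L3018) and for `/metrics/master/1` (L3025–L3029); hoisting it into a let-bound string next to `metricsPath` would give the scrape allow-list a single place to change. The surrounding `services.nginx.virtualHosts."matrix.pvv.ntnu.no"` merge list is fully within the hunk, but the module's `let` bindings it relies on start outside it.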
diff --git a/hosts/bicep/services/matrix/well-known.nix b/hosts/bicep/services/matrix/well-known.nix
index 64eacfe..162827a 100644
--- a/hosts/bicep/services/matrix/well-known.nix
+++ b/hosts/bicep/services/matrix/well-known.nix
@@ -1,4 +1,9 @@
-{ config, pkgs, lib, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
let
cfg = config.services.pvv-matrix-well-known;
format = pkgs.formats.json { };
diff --git a/hosts/bicep/services/minecraft-heatmap.nix b/hosts/bicep/services/minecraft-heatmap.nix
index 5917ab3..6fd8aa0 100644
--- a/hosts/bicep/services/minecraft-heatmap.nix
+++ b/hosts/bicep/services/minecraft-heatmap.nix
@@ -1,4 +1,9 @@
-{ config, lib, pkgs, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
let
cfg = config.services.minecraft-heatmap;
in
@@ -27,23 +32,25 @@ in
"sshkey:${config.sops.secrets."minecraft-heatmap/ssh-key/private".path}"
];
- preStart = let
- knownHostsFile = pkgs.writeText "minecraft-heatmap-known-hosts" ''
- innovation.pvv.ntnu.no ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9O/y5uqcLKCodg2Q+XfZPH/AoUIyBlDhigImU+4+Kn
- innovation.pvv.ntnu.no ssh-rsa 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
- innovation.pvv.ntnu.no ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNjl3HfsDqmALWCL9uhz9k93RAD2565ndBqUh4N/rvI7MCwEJ6iRCdDev0YzB1Fpg24oriyYoxZRP24ifC2sQf8=
+ preStart =
+ let
+ knownHostsFile = pkgs.writeText "minecraft-heatmap-known-hosts" ''
+ innovation.pvv.ntnu.no ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9O/y5uqcLKCodg2Q+XfZPH/AoUIyBlDhigImU+4+Kn
+ innovation.pvv.ntnu.no ssh-rsa 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
+ innovation.pvv.ntnu.no ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNjl3HfsDqmALWCL9uhz9k93RAD2565ndBqUh4N/rvI7MCwEJ6iRCdDev0YzB1Fpg24oriyYoxZRP24ifC2sQf8=
+ '';
+ in
+ ''
+ mkdir -p '${cfg.minecraftLogsDir}'
+ "${lib.getExe pkgs.rsync}" \
+ --archive \
+ --verbose \
+ --progress \
+ --no-owner \
+ --no-group \
+ --rsh="${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=\"${knownHostsFile}\" -i \"$CREDENTIALS_DIRECTORY\"/sshkey" \
+ root@innovation.pvv.ntnu.no:/ \
+ '${cfg.minecraftLogsDir}'/
'';
- in ''
- mkdir -p '${cfg.minecraftLogsDir}'
- "${lib.getExe pkgs.rsync}" \
- --archive \
- --verbose \
- --progress \
- --no-owner \
- --no-group \
- --rsh="${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=\"${knownHostsFile}\" -i \"$CREDENTIALS_DIRECTORY\"/sshkey" \
- root@innovation.pvv.ntnu.no:/ \
- '${cfg.minecraftLogsDir}'/
- '';
};
}
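Review bot: The ssh invocation on L3136 pins host keys through `UserKnownHostsFile` but leaves `StrictHostKeyChecking` at its default, so the pin only fails closed because the unit has no tty to answer ssh's prompt. Adding `-o StrictHostKeyChecking=yes` beside the known-hosts option makes the intent explicit and independent of how the unit is invoked. The source `root@innovation.pvv.ntnu.no:/` presumably resolves against a restricted root on the remote side; a one-line comment saying so would help, since as written it reads like a copy of the whole filesystem.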
diff --git a/hosts/bicep/services/mysql/backup.nix b/hosts/bicep/services/mysql/backup.nix
index 2936a2a..d04d46b 100644
--- a/hosts/bicep/services/mysql/backup.nix
+++ b/hosts/bicep/services/mysql/backup.nix
@@ -1,4 +1,10 @@
-{ config, lib, pkgs, values, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ values,
+ ...
+}:
let
cfg = config.services.mysql;
backupDir = "/data/mysql-backups";
@@ -10,10 +16,10 @@ in
# };
systemd.tmpfiles.settings."10-mysql-backups".${backupDir}.d = {
- user = "mysql";
- group = "mysql";
- mode = "700";
- };
+ user = "mysql";
+ group = "mysql";
+ mode = "700";
+ };
services.rsync-pull-targets = lib.mkIf cfg.enable {
enable = true;
@@ -44,23 +50,25 @@ in
zstd
];
- script = let
- rotations = 2;
- in ''
- set -euo pipefail
+ script =
+ let
+ rotations = 2;
+ in
+ ''
+ set -euo pipefail
- OUT_FILE="$STATE_DIRECTORY/mysql-dump-$(date --iso-8601).sql.zst"
+ OUT_FILE="$STATE_DIRECTORY/mysql-dump-$(date --iso-8601).sql.zst"
- mysqldump --all-databases | zstd --compress -9 --rsyncable -o "$OUT_FILE"
+ mysqldump --all-databases | zstd --compress -9 --rsyncable -o "$OUT_FILE"
- # NOTE: this needs to be a hardlink for rrsync to allow sending it
- rm "$STATE_DIRECTORY/mysql-dump-latest.sql.zst" ||:
- ln -T "$OUT_FILE" "$STATE_DIRECTORY/mysql-dump-latest.sql.zst"
+ # NOTE: this needs to be a hardlink for rrsync to allow sending it
+ rm "$STATE_DIRECTORY/mysql-dump-latest.sql.zst" ||:
+ ln -T "$OUT_FILE" "$STATE_DIRECTORY/mysql-dump-latest.sql.zst"
- while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
- rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
- done
- '';
+ while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
+ rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
+ done
+ '';
serviceConfig = {
Type = "oneshot";
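Review bot: `OUT_FILE` on L3197 is keyed on `date --iso-8601`, which has day resolution, so a second run on the same day (a manual `systemctl start` after a failure, say) yields the same path, and zstd on L3199 refuses to overwrite an existing output file without `-f`; under `set -euo pipefail` the unit then fails before the `latest` hardlink is refreshed. Either add `--force` to the zstd call or name the dump with `date --iso-8601=seconds`. The same pattern is in the postgresql backup hunk (L3281–L3313). The `script` attribute is complete within this hunk, but the enclosing service definition starts above it.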
diff --git a/hosts/bicep/services/mysql/default.nix b/hosts/bicep/services/mysql/default.nix
index 1e9e1bd..c82da9e 100644
--- a/hosts/bicep/services/mysql/default.nix
+++ b/hosts/bicep/services/mysql/default.nix
@@ -1,4 +1,10 @@
-{ config, pkgs, lib, values, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ values,
+ ...
+}:
let
cfg = config.services.mysql;
dataDir = "/data/mysql";
@@ -36,12 +42,14 @@ in
# a password which can be found in /secrets/ildkule/ildkule.yaml
# We have also changed both the host and auth plugin of this user
# to be 'ildkule.pvv.ntnu.no' and 'mysql_native_password' respectively.
- ensureUsers = [{
- name = "prometheus_mysqld_exporter";
- ensurePermissions = {
- "*.*" = "PROCESS, REPLICATION CLIENT, SELECT, SLAVE MONITOR";
- };
- }];
+ ensureUsers = [
+ {
+ name = "prometheus_mysqld_exporter";
+ ensurePermissions = {
+ "*.*" = "PROCESS, REPLICATION CLIENT, SELECT, SLAVE MONITOR";
+ };
+ }
+ ];
};
networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 3306 ];
diff --git a/hosts/bicep/services/postgresql/backup.nix b/hosts/bicep/services/postgresql/backup.nix
index ebb508a..0f79157 100644
--- a/hosts/bicep/services/postgresql/backup.nix
+++ b/hosts/bicep/services/postgresql/backup.nix
@@ -1,4 +1,10 @@
-{ config, lib, pkgs, values, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ values,
+ ...
+}:
let
cfg = config.services.postgresql;
backupDir = "/data/postgresql-backups";
@@ -11,10 +17,10 @@ in
# };
systemd.tmpfiles.settings."10-postgresql-backups".${backupDir}.d = {
- user = "postgres";
- group = "postgres";
- mode = "700";
- };
+ user = "postgres";
+ group = "postgres";
+ mode = "700";
+ };
services.rsync-pull-targets = lib.mkIf cfg.enable {
enable = true;
@@ -45,23 +51,25 @@ in
cfg.package
];
- script = let
- rotations = 2;
- in ''
- set -euo pipefail
+ script =
+ let
+ rotations = 2;
+ in
+ ''
+ set -euo pipefail
- OUT_FILE="$STATE_DIRECTORY/postgresql-dump-$(date --iso-8601).sql.zst"
+ OUT_FILE="$STATE_DIRECTORY/postgresql-dump-$(date --iso-8601).sql.zst"
- pg_dumpall -U postgres | zstd --compress -9 --rsyncable -o "$OUT_FILE"
+ pg_dumpall -U postgres | zstd --compress -9 --rsyncable -o "$OUT_FILE"
- # NOTE: this needs to be a hardlink for rrsync to allow sending it
- rm "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst" ||:
- ln -T "$OUT_FILE" "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst"
+ # NOTE: this needs to be a hardlink for rrsync to allow sending it
+ rm "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst" ||:
+ ln -T "$OUT_FILE" "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst"
- while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
- rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
- done
- '';
+ while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
+ rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
+ done
+ '';
serviceConfig = {
Type = "oneshot";
diff --git a/hosts/bicep/services/postgresql/default.nix b/hosts/bicep/services/postgresql/default.nix
index 9e8ce45..c504d85 100644
--- a/hosts/bicep/services/postgresql/default.nix
+++ b/hosts/bicep/services/postgresql/default.nix
@@ -1,4 +1,10 @@
-{ config, lib, pkgs, values, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ values,
+ ...
+}:
let
cfg = config.services.postgresql;
in
diff --git a/hosts/bikkje/configuration.nix b/hosts/bikkje/configuration.nix
index 3c98f79..64c0f70 100644
--- a/hosts/bikkje/configuration.nix
+++ b/hosts/bikkje/configuration.nix
@@ -1,8 +1,14 @@
-{ config, pkgs, values, ... }:
+{
+ lib,
+ config,
+ pkgs,
+ values,
+ ...
+}:
{
networking.nat = {
enable = true;
- internalInterfaces = ["ve-+"];
+ internalInterfaces = [ "ve-+" ];
externalInterface = "ens3";
# Lazy IPv6 connectivity for the container
enableIPv6 = true;
@@ -10,9 +16,11 @@
containers.bikkje = {
autoStart = true;
- config = { config, pkgs, ... }: {
- #import packages
- packages = with pkgs; [
+ config =
+ { config, pkgs, ... }:
+ {
+ #import packages
+ packages = with pkgs; [
alpine
mutt
mutt-ics
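Review bot: `packages = with pkgs; [` on L3361 (carried over from the old code) does not look like a NixOS option name — `environment.systemPackages` is the option that installs packages into a system — so unless a module in this repository declares `packages`, evaluating the container config would fail on an undefined option. It is worth checking whether this host is actually built, since the commit also had to add `lib` to the module arguments, which suggests the file had not been evaluated for a while. The `containers.bikkje.config` function opened here continues into the next hunk.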
@@ -22,26 +30,66 @@
hexchat
irssi
pidgin
- ];
+ ];
- networking = {
- hostName = "bikkje";
- firewall = {
- enable = true;
- # Allow SSH and HTTP and ports for email and irc
- allowedTCPPorts = [ 80 22 194 994 6665 6666 6667 6668 6669 6697 995 993 25 465 587 110 143 993 995 ];
- allowedUDPPorts = [ 80 22 194 994 6665 6666 6667 6668 6669 6697 995 993 25 465 587 110 143 993 995 ];
+ networking = {
+ hostName = "bikkje";
+ firewall = {
+ enable = true;
+ # Allow SSH and HTTP and ports for email and irc
+ allowedTCPPorts = [
+ 80
+ 22
+ 194
+ 994
+ 6665
+ 6666
+ 6667
+ 6668
+ 6669
+ 6697
+ 995
+ 993
+ 25
+ 465
+ 587
+ 110
+ 143
+ 993
+ 995
+ ];
+ allowedUDPPorts = [
+ 80
+ 22
+ 194
+ 994
+ 6665
+ 6666
+ 6667
+ 6668
+ 6669
+ 6697
+ 995
+ 993
+ 25
+ 465
+ 587
+ 110
+ 143
+ 993
+ 995
+ ];
+ };
+ # Use systemd-resolved inside the container
+ # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
+ useHostResolvConf = lib.mkForce false;
};
- # Use systemd-resolved inside the container
- # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
- useHostResolvConf = mkForce false;
+
+ services.resolved.enable = true;
+
+ # Don't change (even during upgrades) unless you know what you are doing.
+ # See https://search.nixos.org/options?show=system.stateVersion
+ system.stateVersion = "23.11";
};
-
- services.resolved.enable = true;
-
- # Don't change (even during upgrades) unless you know what you are doing.
- # See https://search.nixos.org/options?show=system.stateVersion
- system.stateVersion = "23.11";
- };
};
-};
+}
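Review bot: Both port lists in the reformatted `firewall` block (L3383–L3424) contain 993 and 995 twice, and `allowedUDPPorts` duplicates the TCP list even though SSH, HTTP, SMTP, IMAP, POP3 and IRC are TCP-only, so those UDP ports are opened with nothing listening behind them. Deduplicating the TCP list and reducing the UDP list to whatever actually needs it (`allowedUDPPorts = [ ];` if nothing does) narrows the container's exposure and makes the comment above the lists accurate. The `containers.bikkje.config` function starts in the previous hunk.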
diff --git a/hosts/brzeczyszczykiewicz/configuration.nix b/hosts/brzeczyszczykiewicz/configuration.nix
index 4c637b1..a73210f 100644
--- a/hosts/brzeczyszczykiewicz/configuration.nix
+++ b/hosts/brzeczyszczykiewicz/configuration.nix
@@ -1,16 +1,25 @@
-{ config, fp, pkgs, values, ... }:
+{
+ config,
+ fp,
+ pkgs,
+ values,
+ ...
+}:
{
imports = [
- # Include the results of the hardware scan.
- ./hardware-configuration.nix
- (fp /base)
+ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ (fp /base)
- ./services/grzegorz.nix
- ];
+ ./services/grzegorz.nix
+ ];
systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
matchConfig.Name = "eno1";
- address = with values.hosts.brzeczyszczykiewicz; [ (ipv4 + "/25") (ipv6 + "/64") ];
+ address = with values.hosts.brzeczyszczykiewicz; [
+ (ipv4 + "/25")
+ (ipv6 + "/64")
+ ];
};
fonts.fontconfig.enable = true;
diff --git a/hosts/brzeczyszczykiewicz/hardware-configuration.nix b/hosts/brzeczyszczykiewicz/hardware-configuration.nix
index c9099c0..cd9b334 100644
--- a/hosts/brzeczyszczykiewicz/hardware-configuration.nix
+++ b/hosts/brzeczyszczykiewicz/hardware-configuration.nix
@@ -1,31 +1,45 @@
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
{
- imports =
- [ (modulesPath + "/installer/scan/not-detected.nix")
- ];
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
- boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
+ boot.initrd.availableKernelModules = [
+ "xhci_pci"
+ "ehci_pci"
+ "ahci"
+ "usbhid"
+ "usb_storage"
+ "sd_mod"
+ "sr_mod"
+ ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
- fileSystems."/" =
- { device = "/dev/disk/by-uuid/4e8667f8-55de-4103-8369-b94665f42204";
- fsType = "ext4";
- };
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/4e8667f8-55de-4103-8369-b94665f42204";
+ fsType = "ext4";
+ };
- fileSystems."/boot" =
- { device = "/dev/disk/by-uuid/82E3-3D03";
- fsType = "vfat";
- };
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/82E3-3D03";
+ fsType = "vfat";
+ };
- swapDevices =
- [ { device = "/dev/disk/by-uuid/d0bf9a21-44bc-44a3-ae55-8f0971875883"; }
- ];
+ swapDevices = [
+ { device = "/dev/disk/by-uuid/d0bf9a21-44bc-44a3-ae55-8f0971875883"; }
+ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
diff --git a/hosts/georg/configuration.nix b/hosts/georg/configuration.nix
index 05082d4..b16dc64 100644
--- a/hosts/georg/configuration.nix
+++ b/hosts/georg/configuration.nix
@@ -1,16 +1,25 @@
-{ config, fp, pkgs, values, ... }:
+{
+ config,
+ fp,
+ pkgs,
+ values,
+ ...
+}:
{
imports = [
- # Include the results of the hardware scan.
- ./hardware-configuration.nix
- (fp /base)
+ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ (fp /base)
- (fp /modules/grzegorz.nix)
- ];
+ (fp /modules/grzegorz.nix)
+ ];
systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
matchConfig.Name = "eno1";
- address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ];
+ address = with values.hosts.georg; [
+ (ipv4 + "/25")
+ (ipv6 + "/64")
+ ];
};
services.spotifyd = {
diff --git a/hosts/georg/hardware-configuration.nix b/hosts/georg/hardware-configuration.nix
index 539ae37..4c84916 100644
--- a/hosts/georg/hardware-configuration.nix
+++ b/hosts/georg/hardware-configuration.nix
@@ -1,31 +1,44 @@
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
{
- imports =
- [ (modulesPath + "/installer/scan/not-detected.nix")
- ];
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
- boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+ boot.initrd.availableKernelModules = [
+ "xhci_pci"
+ "ehci_pci"
+ "ahci"
+ "usb_storage"
+ "usbhid"
+ "sd_mod"
+ ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
- fileSystems."/" =
- { device = "/dev/disk/by-uuid/33825f0d-5a63-40fc-83db-bfa1ebb72ba0";
- fsType = "ext4";
- };
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/33825f0d-5a63-40fc-83db-bfa1ebb72ba0";
+ fsType = "ext4";
+ };
- fileSystems."/boot" =
- { device = "/dev/disk/by-uuid/145E-7362";
- fsType = "vfat";
- };
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/145E-7362";
+ fsType = "vfat";
+ };
- swapDevices =
- [ { device = "/dev/disk/by-uuid/7ed27e21-3247-44cd-8bcc-5d4a2efebf57"; }
- ];
+ swapDevices = [
+ { device = "/dev/disk/by-uuid/7ed27e21-3247-44cd-8bcc-5d4a2efebf57"; }
+ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
diff --git a/hosts/ildkule/configuration.nix b/hosts/ildkule/configuration.nix
index 0a7192c..bd65cc1 100644
--- a/hosts/ildkule/configuration.nix
+++ b/hosts/ildkule/configuration.nix
@@ -1,14 +1,21 @@
-{ config, fp, pkgs, lib, values, ... }:
+{
+ config,
+ fp,
+ pkgs,
+ lib,
+ values,
+ ...
+}:
{
imports = [
- # Include the results of the hardware scan.
- ./hardware-configuration.nix
- (fp /base)
+ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ (fp /base)
- ./services/monitoring
- ./services/nginx
- ./services/journald-remote.nix
- ];
+ ./services/monitoring
+ ./services/nginx
+ ./services/journald-remote.nix
+ ];
boot.loader.systemd-boot.enable = false;
boot.loader.grub.device = "/dev/vda";
@@ -17,26 +24,37 @@
# Openstack Neutron and systemd-networkd are not best friends, use something else:
systemd.network.enable = lib.mkForce false;
- networking = let
- hostConf = values.hosts.ildkule;
- in {
- tempAddresses = "disabled";
- useDHCP = lib.mkForce true;
+ networking =
+ let
+ hostConf = values.hosts.ildkule;
+ in
+ {
+ tempAddresses = "disabled";
+ useDHCP = lib.mkForce true;
- search = values.defaultNetworkConfig.domains;
- nameservers = values.defaultNetworkConfig.dns;
- defaultGateway.address = hostConf.ipv4_internal_gw;
+ search = values.defaultNetworkConfig.domains;
+ nameservers = values.defaultNetworkConfig.dns;
+ defaultGateway.address = hostConf.ipv4_internal_gw;
- interfaces."ens4" = {
- ipv4.addresses = [
- { address = hostConf.ipv4; prefixLength = 32; }
- { address = hostConf.ipv4_internal; prefixLength = 24; }
- ];
- ipv6.addresses = [
- { address = hostConf.ipv6; prefixLength = 64; }
- ];
+ interfaces."ens4" = {
+ ipv4.addresses = [
+ {
+ address = hostConf.ipv4;
+ prefixLength = 32;
+ }
+ {
+ address = hostConf.ipv4_internal;
+ prefixLength = 24;
+ }
+ ];
+ ipv6.addresses = [
+ {
+ address = hostConf.ipv6;
+ prefixLength = 64;
+ }
+ ];
+ };
};
- };
services.qemuGuest.enable = true;
diff --git a/hosts/ildkule/hardware-configuration.nix b/hosts/ildkule/hardware-configuration.nix
index ccc6737..7ce6ac6 100644
--- a/hosts/ildkule/hardware-configuration.nix
+++ b/hosts/ildkule/hardware-configuration.nix
@@ -1,7 +1,12 @@
{ modulesPath, lib, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
- boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "uhci_hcd"
+ "xen_blkfront"
+ "vmw_pvscsi"
+ ];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/e35eb4ce-aac3-4f91-8383-6e7cd8bbf942";
diff --git a/hosts/ildkule/services/journald-remote.nix b/hosts/ildkule/services/journald-remote.nix
index fe99c67..9611848 100644
--- a/hosts/ildkule/services/journald-remote.nix
+++ b/hosts/ildkule/services/journald-remote.nix
@@ -1,4 +1,9 @@
-{ config, lib, values, ... }:
+{
+ config,
+ lib,
+ values,
+ ...
+}:
let
cfg = config.services.journald.remote;
domainName = "journald.pvv.ntnu.no";
@@ -22,13 +27,15 @@ in
services.journald.remote = {
enable = true;
- settings.Remote = let
- inherit (config.security.acme.certs.${domainName}) directory;
- in {
- ServerKeyFile = "/run/credentials/systemd-journal-remote.service/key.pem";
- ServerCertificateFile = "/run/credentials/systemd-journal-remote.service/cert.pem";
- TrustedCertificateFile = "-";
- };
+ settings.Remote =
+ let
+ inherit (config.security.acme.certs.${domainName}) directory;
+ in
+ {
+ ServerKeyFile = "/run/credentials/systemd-journal-remote.service/key.pem";
+ ServerCertificateFile = "/run/credentials/systemd-journal-remote.service/cert.pem";
+ TrustedCertificateFile = "-";
+ };
};
systemd.sockets."systemd-journal-remote" = {
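Review bot: `TrustedCertificateFile = "-"` switches off client-certificate verification on the journal-remote listener, if I read journal-remote.conf(5) correctly, so any host that can reach the socket can append entries to this journal, which makes the collected logs easy to pollute and the disk under the remote journal directory easy to fill. If only the PVV hosts are meant to push, point it at a CA and issue per-host client certificates, e.g. `TrustedCertificateFile = "/run/credentials/systemd-journal-remote.service/ca.pem";` with a matching `"ca.pem:…"` entry in the unit's `LoadCredential`; otherwise a comment stating that reachability is restricted at the firewall would at least record the decision. Separately, the `inherit (…) directory;` binding in this `let` is unused inside `settings.Remote` (both paths are `/run/credentials/…` literals) and can be dropped.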
@@ -47,12 +54,14 @@ in
systemd.services."systemd-journal-remote" = {
serviceConfig = {
- LoadCredential = let
- inherit (config.security.acme.certs.${domainName}) directory;
- in [
- "key.pem:${directory}/key.pem"
- "cert.pem:${directory}/cert.pem"
- ];
+ LoadCredential =
+ let
+ inherit (config.security.acme.certs.${domainName}) directory;
+ in
+ [
+ "key.pem:${directory}/key.pem"
+ "cert.pem:${directory}/cert.pem"
+ ];
};
};
}
diff --git a/hosts/ildkule/services/monitoring/grafana.nix b/hosts/ildkule/services/monitoring/grafana.nix
index f5c251a..f4b05d1 100644
--- a/hosts/ildkule/services/monitoring/grafana.nix
+++ b/hosts/ildkule/services/monitoring/grafana.nix
@@ -1,32 +1,43 @@
-{ config, pkgs, values, ... }: let
+{
+ config,
+ pkgs,
+ values,
+ ...
+}:
+let
cfg = config.services.grafana;
-in {
- sops.secrets = let
- owner = "grafana";
- group = "grafana";
- in {
- "keys/grafana/secret_key" = { inherit owner group; };
- "keys/grafana/admin_password" = { inherit owner group; };
- };
+in
+{
+ sops.secrets =
+ let
+ owner = "grafana";
+ group = "grafana";
+ in
+ {
+ "keys/grafana/secret_key" = { inherit owner group; };
+ "keys/grafana/admin_password" = { inherit owner group; };
+ };
services.grafana = {
enable = true;
- settings = let
- # See https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider
- secretFile = path: "$__file{${path}}";
- in {
- server = {
- domain = "grafana.pvv.ntnu.no";
- http_port = 2342;
- http_addr = "127.0.0.1";
- };
+ settings =
+ let
+ # See https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider
+ secretFile = path: "$__file{${path}}";
+ in
+ {
+ server = {
+ domain = "grafana.pvv.ntnu.no";
+ http_port = 2342;
+ http_addr = "127.0.0.1";
+ };
- security = {
- secret_key = secretFile config.sops.secrets."keys/grafana/secret_key".path;
- admin_password = secretFile config.sops.secrets."keys/grafana/admin_password".path;
+ security = {
+ secret_key = secretFile config.sops.secrets."keys/grafana/secret_key".path;
+ admin_password = secretFile config.sops.secrets."keys/grafana/admin_password".path;
+ };
};
- };
provision = {
enable = true;
diff --git a/hosts/ildkule/services/monitoring/loki.nix b/hosts/ildkule/services/monitoring/loki.nix
index 4eba3e6..2475aef 100644
--- a/hosts/ildkule/services/monitoring/loki.nix
+++ b/hosts/ildkule/services/monitoring/loki.nix
@@ -3,7 +3,8 @@
let
cfg = config.services.loki;
stateDir = "/data/monitoring/loki";
-in {
+in
+{
services.loki = {
enable = true;
configuration = {
diff --git a/hosts/ildkule/services/monitoring/prometheus/default.nix b/hosts/ildkule/services/monitoring/prometheus/default.nix
index 1b52007..f205db1 100644
--- a/hosts/ildkule/services/monitoring/prometheus/default.nix
+++ b/hosts/ildkule/services/monitoring/prometheus/default.nix
@@ -1,6 +1,8 @@
-{ config, ... }: let
+{ config, ... }:
+let
stateDir = "/data/monitoring/prometheus";
-in {
+in
+{
imports = [
./exim.nix
./gitea.nix
diff --git a/hosts/ildkule/services/monitoring/prometheus/exim.nix b/hosts/ildkule/services/monitoring/prometheus/exim.nix
index 65d97e9..df4d4d1 100644
--- a/hosts/ildkule/services/monitoring/prometheus/exim.nix
+++ b/hosts/ildkule/services/monitoring/prometheus/exim.nix
@@ -5,9 +5,11 @@
{
job_name = "exim";
scrape_interval = "15s";
- static_configs = [{
- targets = [ "microbel.pvv.ntnu.no:9636" ];
- }];
+ static_configs = [
+ {
+ targets = [ "microbel.pvv.ntnu.no:9636" ];
+ }
+ ];
}
];
};
diff --git a/hosts/ildkule/services/monitoring/prometheus/gitea.nix b/hosts/ildkule/services/monitoring/prometheus/gitea.nix
index c7573e7..6325c90 100644
--- a/hosts/ildkule/services/monitoring/prometheus/gitea.nix
+++ b/hosts/ildkule/services/monitoring/prometheus/gitea.nix
@@ -1,16 +1,18 @@
{ ... }:
{
- services.prometheus.scrapeConfigs = [{
- job_name = "gitea";
- scrape_interval = "60s";
- scheme = "https";
+ services.prometheus.scrapeConfigs = [
+ {
+ job_name = "gitea";
+ scrape_interval = "60s";
+ scheme = "https";
- static_configs = [
- {
- targets = [
- "git.pvv.ntnu.no:443"
- ];
- }
- ];
- }];
+ static_configs = [
+ {
+ targets = [
+ "git.pvv.ntnu.no:443"
+ ];
+ }
+ ];
+ }
+ ];
}
diff --git a/hosts/ildkule/services/monitoring/prometheus/machines.nix b/hosts/ildkule/services/monitoring/prometheus/machines.nix
index 4967bc2..daa38c3 100644
--- a/hosts/ildkule/services/monitoring/prometheus/machines.nix
+++ b/hosts/ildkule/services/monitoring/prometheus/machines.nix
@@ -1,4 +1,5 @@
-{ config, ... }: let
+{ config, ... }:
+let
cfg = config.services.prometheus;
mkHostScrapeConfig = name: ports: {
@@ -9,32 +10,98 @@
defaultNodeExporterPort = 9100;
defaultSystemdExporterPort = 9101;
defaultNixosExporterPort = 9102;
-in {
- services.prometheus.scrapeConfigs = [{
- job_name = "base_info";
- static_configs = [
- (mkHostScrapeConfig "ildkule" [ cfg.exporters.node.port cfg.exporters.systemd.port defaultNixosExporterPort ])
+in
+{
+ services.prometheus.scrapeConfigs = [
+ {
+ job_name = "base_info";
+ static_configs = [
+ (mkHostScrapeConfig "ildkule" [
+ cfg.exporters.node.port
+ cfg.exporters.systemd.port
+ defaultNixosExporterPort
+ ])
- (mkHostScrapeConfig "bekkalokk" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
- (mkHostScrapeConfig "bicep" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
- (mkHostScrapeConfig "brzeczyszczykiewicz" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
- (mkHostScrapeConfig "georg" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
- (mkHostScrapeConfig "gluttony" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
- (mkHostScrapeConfig "kommode" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
- (mkHostScrapeConfig "lupine-1" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
- (mkHostScrapeConfig "lupine-2" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
- (mkHostScrapeConfig "lupine-3" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
- (mkHostScrapeConfig "lupine-4" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
- (mkHostScrapeConfig "lupine-5" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
- (mkHostScrapeConfig "temmie" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
- (mkHostScrapeConfig "ustetind" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
- (mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
+ (mkHostScrapeConfig "bekkalokk" [
+ defaultNodeExporterPort
+ defaultSystemdExporterPort
+ defaultNixosExporterPort
+ ])
+ (mkHostScrapeConfig "bicep" [
+ defaultNodeExporterPort
+ defaultSystemdExporterPort
+ defaultNixosExporterPort
+ ])
+ (mkHostScrapeConfig "brzeczyszczykiewicz" [
+ defaultNodeExporterPort
+ defaultSystemdExporterPort
+ defaultNixosExporterPort
+ ])
+ (mkHostScrapeConfig "georg" [
+ defaultNodeExporterPort
+ defaultSystemdExporterPort
+ defaultNixosExporterPort
+ ])
+ (mkHostScrapeConfig "gluttony" [
+ defaultNodeExporterPort
+ defaultSystemdExporterPort
+ defaultNixosExporterPort
+ ])
+ (mkHostScrapeConfig "kommode" [
+ defaultNodeExporterPort
+ defaultSystemdExporterPort
+ defaultNixosExporterPort
+ ])
+ (mkHostScrapeConfig "lupine-1" [
+ defaultNodeExporterPort
+ defaultSystemdExporterPort
+ defaultNixosExporterPort
+ ])
+ (mkHostScrapeConfig "lupine-2" [
+ defaultNodeExporterPort
+ defaultSystemdExporterPort
+ defaultNixosExporterPort
+ ])
+ (mkHostScrapeConfig "lupine-3" [
+ defaultNodeExporterPort
+ defaultSystemdExporterPort
+ defaultNixosExporterPort
+ ])
+ (mkHostScrapeConfig "lupine-4" [
+ defaultNodeExporterPort
+ defaultSystemdExporterPort
+ defaultNixosExporterPort
+ ])
+ (mkHostScrapeConfig "lupine-5" [
+ defaultNodeExporterPort
+ defaultSystemdExporterPort
+ defaultNixosExporterPort
+ ])
+ (mkHostScrapeConfig "temmie" [
+ defaultNodeExporterPort
+ defaultSystemdExporterPort
+ defaultNixosExporterPort
+ ])
+ (mkHostScrapeConfig "ustetind" [
+ defaultNodeExporterPort
+ defaultSystemdExporterPort
+ defaultNixosExporterPort
+ ])
+ (mkHostScrapeConfig "wenche" [
+ defaultNodeExporterPort
+ defaultSystemdExporterPort
+ defaultNixosExporterPort
+ ])
- (mkHostScrapeConfig "skrott" [ defaultNodeExporterPort defaultSystemdExporterPort ])
+ (mkHostScrapeConfig "skrott" [
+ defaultNodeExporterPort
+ defaultSystemdExporterPort
+ ])
- (mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ])
- (mkHostScrapeConfig "isvegg" [ defaultNodeExporterPort ])
- (mkHostScrapeConfig "microbel" [ defaultNodeExporterPort ])
- ];
- }];
+ (mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ])
+ (mkHostScrapeConfig "isvegg" [ defaultNodeExporterPort ])
+ (mkHostScrapeConfig "microbel" [ defaultNodeExporterPort ])
+ ];
+ }
+ ];
}
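Review bot: The same three-element port list is spelled out fourteen times in `static_configs`, so adding a fourth default exporter means fourteen coordinated edits and a missed one silently drops a host from the `base_info` job. A single binding next to the other defaults, `defaultPorts = [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ];`, passed as `(mkHostScrapeConfig "bekkalokk" defaultPorts)` and so on, keeps the list in one place; `skrott`, `hildring`, `isvegg` and `microbel` keep their explicit shorter lists. The `let` that holds the existing defaults starts before this hunk.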
diff --git a/hosts/ildkule/services/monitoring/prometheus/matrix-synapse.nix b/hosts/ildkule/services/monitoring/prometheus/matrix-synapse.nix
index 8a9f400..23c713d 100644
--- a/hosts/ildkule/services/monitoring/prometheus/matrix-synapse.nix
+++ b/hosts/ildkule/services/monitoring/prometheus/matrix-synapse.nix
@@ -1,40 +1,44 @@
{ ... }:
{
- services.prometheus.scrapeConfigs = [{
- job_name = "synapse";
- scrape_interval = "15s";
- scheme = "https";
+ services.prometheus.scrapeConfigs = [
+ {
+ job_name = "synapse";
+ scrape_interval = "15s";
+ scheme = "https";
- http_sd_configs = [{
- url = "https://matrix.pvv.ntnu.no/metrics/config.json";
- }];
+ http_sd_configs = [
+ {
+ url = "https://matrix.pvv.ntnu.no/metrics/config.json";
+ }
+ ];
- relabel_configs = [
- {
- source_labels = [ "__address__" ];
- regex = "[^/]+(/.*)";
- target_label = "__metrics_path__";
- }
- {
- source_labels = [ "__address__" ];
- regex = "([^/]+)/.*";
- target_label = "instance";
- }
- {
- source_labels = [ "__address__" ];
- regex = "[^/]+\\/+[^/]+/(.*)/\\d+$";
- target_label = "job";
- }
- {
- source_labels = [ "__address__" ];
- regex = "[^/]+\\/+[^/]+/.*/(\\d+)$";
- target_label = "index";
- }
- {
- source_labels = [ "__address__" ];
- regex = "([^/]+)/.*";
- target_label = "__address__";
- }
- ];
- }];
+ relabel_configs = [
+ {
+ source_labels = [ "__address__" ];
+ regex = "[^/]+(/.*)";
+ target_label = "__metrics_path__";
+ }
+ {
+ source_labels = [ "__address__" ];
+ regex = "([^/]+)/.*";
+ target_label = "instance";
+ }
+ {
+ source_labels = [ "__address__" ];
+ regex = "[^/]+\\/+[^/]+/(.*)/\\d+$";
+ target_label = "job";
+ }
+ {
+ source_labels = [ "__address__" ];
+ regex = "[^/]+\\/+[^/]+/.*/(\\d+)$";
+ target_label = "index";
+ }
+ {
+ source_labels = [ "__address__" ];
+ regex = "([^/]+)/.*";
+ target_label = "__address__";
+ }
+ ];
+ }
+ ];
}
diff --git a/hosts/ildkule/services/monitoring/prometheus/mysqld.nix b/hosts/ildkule/services/monitoring/prometheus/mysqld.nix
index 6ffa9d1..f4368f5 100644
--- a/hosts/ildkule/services/monitoring/prometheus/mysqld.nix
+++ b/hosts/ildkule/services/monitoring/prometheus/mysqld.nix
@@ -1,36 +1,42 @@
-{ config, ... }: let
+{ config, ... }:
+let
cfg = config.services.prometheus;
-in {
+in
+{
sops = {
secrets."config/mysqld_exporter_password" = { };
templates."mysqld_exporter.conf" = {
restartUnits = [ "prometheus-mysqld-exporter.service" ];
- content = let
- inherit (config.sops) placeholder;
- in ''
- [client]
- host = mysql.pvv.ntnu.no
- port = 3306
- user = prometheus_mysqld_exporter
- password = ${placeholder."config/mysqld_exporter_password"}
- '';
+ content =
+ let
+ inherit (config.sops) placeholder;
+ in
+ ''
+ [client]
+ host = mysql.pvv.ntnu.no
+ port = 3306
+ user = prometheus_mysqld_exporter
+ password = ${placeholder."config/mysqld_exporter_password"}
+ '';
};
};
services.prometheus = {
- scrapeConfigs = [{
- job_name = "mysql";
- scheme = "http";
- metrics_path = cfg.exporters.mysqld.telemetryPath;
- static_configs = [
- {
- targets = [
- "localhost:${toString cfg.exporters.mysqld.port}"
- ];
- }
- ];
- }];
+ scrapeConfigs = [
+ {
+ job_name = "mysql";
+ scheme = "http";
+ metrics_path = cfg.exporters.mysqld.telemetryPath;
+ static_configs = [
+ {
+ targets = [
+ "localhost:${toString cfg.exporters.mysqld.port}"
+ ];
+ }
+ ];
+ }
+ ];
exporters.mysqld = {
enable = true;
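Review bot: The generated `[client]` section sends the `prometheus_mysqld_exporter` password to `mysql.pvv.ntnu.no:3306` over the network and asks for no TLS, so unless the server side enforces it the credential and every scrape travel in cleartext across the PVV network. mysqld_exporter's my.cnf parser accepts `ssl-ca`/`ssl-cert`/`ssl-key` and, in recent releases, a `tls` key; adding `tls = true` (or `ssl-ca = <path>` for a private CA) under `[client]` would pin that expectation — verify against the exporter version nixpkgs provides here. The local scrape of the exporter itself on `localhost` is fine as plain http.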
diff --git a/hosts/ildkule/services/monitoring/prometheus/postgres.nix b/hosts/ildkule/services/monitoring/prometheus/postgres.nix
index 5cde1b2..cb341c4 100644
--- a/hosts/ildkule/services/monitoring/prometheus/postgres.nix
+++ b/hosts/ildkule/services/monitoring/prometheus/postgres.nix
@@ -1,9 +1,17 @@
-{ pkgs, lib, config, values, ... }: let
+{
+ pkgs,
+ lib,
+ config,
+ values,
+ ...
+}:
+let
cfg = config.services.prometheus;
-in {
+in
+{
sops.secrets = {
- "keys/postgres/postgres_exporter_env" = {};
- "keys/postgres/postgres_exporter_knakelibrak_env" = {};
+ "keys/postgres/postgres_exporter_env" = { };
+ "keys/postgres/postgres_exporter_knakelibrak_env" = { };
};
services.prometheus = {
@@ -11,22 +19,26 @@ in {
{
job_name = "postgres";
scrape_interval = "15s";
- static_configs = [{
- targets = [ "localhost:${toString cfg.exporters.postgres.port}" ];
- labels = {
- server = "bicep";
- };
- }];
+ static_configs = [
+ {
+ targets = [ "localhost:${toString cfg.exporters.postgres.port}" ];
+ labels = {
+ server = "bicep";
+ };
+ }
+ ];
}
{
job_name = "postgres-knakelibrak";
scrape_interval = "15s";
- static_configs = [{
- targets = [ "localhost:${toString (cfg.exporters.postgres.port + 1)}" ];
- labels = {
- server = "knakelibrak";
- };
- }];
+ static_configs = [
+ {
+ targets = [ "localhost:${toString (cfg.exporters.postgres.port + 1)}" ];
+ labels = {
+ server = "knakelibrak";
+ };
+ }
+ ];
}
];
@@ -37,9 +49,11 @@ in {
};
};
- systemd.services.prometheus-postgres-exporter-knakelibrak.serviceConfig = let
- localCfg = config.services.prometheus.exporters.postgres;
- in lib.recursiveUpdate config.systemd.services.prometheus-postgres-exporter.serviceConfig {
+ systemd.services.prometheus-postgres-exporter-knakelibrak.serviceConfig =
+ let
+ localCfg = config.services.prometheus.exporters.postgres;
+ in
+ lib.recursiveUpdate config.systemd.services.prometheus-postgres-exporter.serviceConfig {
EnvironmentFile = config.sops.secrets."keys/postgres/postgres_exporter_knakelibrak_env".path;
ExecStart = ''
${pkgs.prometheus-postgres-exporter}/bin/postgres_exporter \
diff --git a/hosts/ildkule/services/monitoring/uptime-kuma.nix b/hosts/ildkule/services/monitoring/uptime-kuma.nix
index 9b1c0fc..00d3b51 100644
--- a/hosts/ildkule/services/monitoring/uptime-kuma.nix
+++ b/hosts/ildkule/services/monitoring/uptime-kuma.nix
@@ -1,9 +1,15 @@
-{ config, pkgs, lib, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
let
cfg = config.services.uptime-kuma;
domain = "status.pvv.ntnu.no";
stateDir = "/data/monitoring/uptime-kuma";
-in {
+in
+{
services.uptime-kuma = {
enable = true;
settings = {
diff --git a/hosts/kommode/configuration.nix b/hosts/kommode/configuration.nix
index a79a5b3..3610895 100644
--- a/hosts/kommode/configuration.nix
+++ b/hosts/kommode/configuration.nix
@@ -1,4 +1,9 @@
-{ pkgs, values, fp, ... }:
+{
+ pkgs,
+ values,
+ fp,
+ ...
+}:
{
imports = [
# Include the results of the hardware scan.
@@ -12,7 +17,10 @@
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
matchConfig.Name = "ens18";
- address = with values.hosts.kommode; [ (ipv4 + "/25") (ipv6 + "/64") ];
+ address = with values.hosts.kommode; [
+ (ipv4 + "/25")
+ (ipv6 + "/64")
+ ];
};
services.btrfs.autoScrub.enable = true;
diff --git a/hosts/kommode/hardware-configuration.nix b/hosts/kommode/hardware-configuration.nix
index caea79b..c74d530 100644
--- a/hosts/kommode/hardware-configuration.nix
+++ b/hosts/kommode/hardware-configuration.nix
@@ -1,14 +1,27 @@
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
{
- imports =
- [ (modulesPath + "/profiles/qemu-guest.nix")
- ];
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
- boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "uhci_hcd"
+ "virtio_pci"
+ "virtio_scsi"
+ "sd_mod"
+ "sr_mod"
+ ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
diff --git a/hosts/kommode/services/gitea/customization/default.nix b/hosts/kommode/services/gitea/customization/default.nix
index cfe28ea..3914102 100644
--- a/hosts/kommode/services/gitea/customization/default.nix
+++ b/hosts/kommode/services/gitea/customization/default.nix
@@ -1,4 +1,10 @@
-{ config, pkgs, lib, fp, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ fp,
+ ...
+}:
let
cfg = config.services.gitea;
in
@@ -68,54 +74,59 @@ in
wantedBy = [ "gitea.service" ];
requiredBy = [ "gitea.service" ];
- serviceConfig = {
+ serviceConfig = {
Type = "oneshot";
User = cfg.user;
Group = cfg.group;
};
- script = let
- logo-svg = fp /assets/logo_blue_regular.svg;
- logo-png = fp /assets/logo_blue_regular.png;
+ script =
+ let
+ logo-svg = fp /assets/logo_blue_regular.svg;
+ logo-png = fp /assets/logo_blue_regular.png;
- extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
- Tokyo Drift Issues
+ extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
+ Tokyo Drift Issues
+ '';
+
+ extraLinksFooter = pkgs.writeText "gitea-extra-links-footer.tmpl" ''
+ PVV
+ Wiki
+ PVV Gitea Howto
+ '';
+
+ project-labels = (pkgs.formats.yaml { }).generate "gitea-project-labels.yaml" {
+ labels = lib.importJSON ./labels/projects.json;
+ };
+
+ customTemplates =
+ pkgs.runCommandLocal "gitea-templates"
+ {
+ nativeBuildInputs = with pkgs; [
+ coreutils
+ gnused
+ ];
+ }
+ ''
+ # Bigger icons
+ install -Dm444 "${cfg.package.src}/templates/repo/icon.tmpl" "$out/repo/icon.tmpl"
+ sed -i -e 's/24/60/g' "$out/repo/icon.tmpl"
+ '';
+ in
+ ''
+ install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
+ install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
+ install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
+ install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
+ install -Dm444 ${extraLinksFooter} ${cfg.customDir}/templates/custom/extra_links_footer.tmpl
+ install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml
+
+ install -Dm644 ${./emotes/bruh.png} ${cfg.customDir}/public/assets/img/emoji/bruh.png
+ install -Dm644 ${./emotes/huh.gif} ${cfg.customDir}/public/assets/img/emoji/huh.png
+ install -Dm644 ${./emotes/grr.png} ${cfg.customDir}/public/assets/img/emoji/grr.png
+ install -Dm644 ${./emotes/okiedokie.jpg} ${cfg.customDir}/public/assets/img/emoji/okiedokie.png
+
+ "${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/
'';
-
- extraLinksFooter = pkgs.writeText "gitea-extra-links-footer.tmpl" ''
- PVV
- Wiki
- PVV Gitea Howto
- '';
-
- project-labels = (pkgs.formats.yaml { }).generate "gitea-project-labels.yaml" {
- labels = lib.importJSON ./labels/projects.json;
- };
-
- customTemplates = pkgs.runCommandLocal "gitea-templates" {
- nativeBuildInputs = with pkgs; [
- coreutils
- gnused
- ];
- } ''
- # Bigger icons
- install -Dm444 "${cfg.package.src}/templates/repo/icon.tmpl" "$out/repo/icon.tmpl"
- sed -i -e 's/24/60/g' "$out/repo/icon.tmpl"
- '';
- in ''
- install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
- install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
- install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
- install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
- install -Dm444 ${extraLinksFooter} ${cfg.customDir}/templates/custom/extra_links_footer.tmpl
- install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml
-
- install -Dm644 ${./emotes/bruh.png} ${cfg.customDir}/public/assets/img/emoji/bruh.png
- install -Dm644 ${./emotes/huh.gif} ${cfg.customDir}/public/assets/img/emoji/huh.png
- install -Dm644 ${./emotes/grr.png} ${cfg.customDir}/public/assets/img/emoji/grr.png
- install -Dm644 ${./emotes/okiedokie.jpg} ${cfg.customDir}/public/assets/img/emoji/okiedokie.png
-
- "${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/
- '';
};
}
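Review bot: `sed -i -e 's/24/60/g'` rewrites every occurrence of `24` in the copied `repo/icon.tmpl`, not just the icon size, so a future gitea release that introduces any other `24` in that template (a class name, a colour, another dimension) is silently corrupted on the next rebuild. Anchoring the substitution to the attribute being enlarged, e.g. `sed -i -e 's/size="24"/size="60"/g'`, limits the blast radius; the exact attribute form has to be checked against `${cfg.package.src}/templates/repo/icon.tmpl`, which is not visible here. A one-line comment naming which attribute is changed, e.g. `# Enlarge the repo icon from 24px to 60px`, would also help whoever next bumps the package.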
diff --git a/hosts/kommode/services/gitea/default.nix b/hosts/kommode/services/gitea/default.nix
index 29a4aaf..6227c9c 100644
--- a/hosts/kommode/services/gitea/default.nix
+++ b/hosts/kommode/services/gitea/default.nix
@@ -1,9 +1,17 @@
-{ config, values, lib, pkgs, unstablePkgs, ... }:
+{
+ config,
+ values,
+ lib,
+ pkgs,
+ unstablePkgs,
+ ...
+}:
let
cfg = config.services.gitea;
domain = "git.pvv.ntnu.no";
- sshPort = 2222;
-in {
+ sshPort = 2222;
+in
+{
imports = [
./customization
./gpg.nix
@@ -11,19 +19,21 @@ in {
./web-secret-provider
];
- sops.secrets = let
- defaultConfig = {
- owner = "gitea";
- group = "gitea";
- restartUnits = [ "gitea.service" ];
+ sops.secrets =
+ let
+ defaultConfig = {
+ owner = "gitea";
+ group = "gitea";
+ restartUnits = [ "gitea.service" ];
+ };
+ in
+ {
+ "gitea/database" = defaultConfig;
+ "gitea/email-password" = defaultConfig;
+ "gitea/lfs-jwt-secret" = defaultConfig;
+ "gitea/oauth2-jwt-secret" = defaultConfig;
+ "gitea/secret-key" = defaultConfig;
};
- in {
- "gitea/database" = defaultConfig;
- "gitea/email-password" = defaultConfig;
- "gitea/lfs-jwt-secret" = defaultConfig;
- "gitea/oauth2-jwt-secret" = defaultConfig;
- "gitea/secret-key" = defaultConfig;
- };
services.gitea = {
enable = true;
@@ -44,7 +54,7 @@ in {
# https://docs.gitea.com/administration/config-cheat-sheet
settings = {
server = {
- DOMAIN = domain;
+ DOMAIN = domain;
ROOT_URL = "https://${domain}/";
PROTOCOL = "http+unix";
SSH_PORT = sshPort;
@@ -215,29 +225,33 @@ in {
};
systemd.services.gitea-dump = {
- serviceConfig.ExecStart = let
- args = lib.cli.toGNUCommandLineShell { } {
- type = cfg.dump.type;
+ serviceConfig.ExecStart =
+ let
+ args = lib.cli.toGNUCommandLineShell { } {
+ type = cfg.dump.type;
- # This should be declarative on nixos, no need to backup.
- skip-custom-dir = true;
+ # This should be declarative on nixos, no need to backup.
+ skip-custom-dir = true;
- # This can be regenerated, no need to backup
- skip-index = true;
+ # This can be regenerated, no need to backup
+ skip-index = true;
- # Logs are stored in the systemd journal
- skip-log = true;
- };
- in lib.mkForce "${lib.getExe cfg.package} ${args}";
+ # Logs are stored in the systemd journal
+ skip-log = true;
+ };
+ in
+ lib.mkForce "${lib.getExe cfg.package} ${args}";
# Only keep n backup files at a time
- postStop = let
- cu = prog: "'${lib.getExe' pkgs.coreutils prog}'";
- backupCount = 3;
- in ''
- for file in $(${cu "ls"} -t1 '${cfg.dump.backupDir}' | ${cu "sort"} --reverse | ${cu "tail"} -n+${toString (backupCount + 1)}); do
- ${cu "rm"} "$file"
- done
+ postStop =
+ let
+ cu = prog: "'${lib.getExe' pkgs.coreutils prog}'";
+ backupCount = 3;
+ in
+ ''
+ for file in $(${cu "ls"} -t1 '${cfg.dump.backupDir}' | ${cu "sort"} --reverse | ${cu "tail"} -n+${toString (backupCount + 1)}); do
+ ${cu "rm"} "$file"
+ done
'';
};
}
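Review bot: The rotation loop in `postStop` does not reliably keep the newest three dumps: `ls -t1` orders by mtime but the following `sort --reverse` re-orders the names lexicographically, so the intended order only survives while the dump filenames happen to sort chronologically. It also hands bare filenames to `rm`, which is correct only if the unit's WorkingDirectory is `cfg.dump.backupDir` (the nixpkgs gitea module appears to set that, but it is not visible here). Dropping the sort and anchoring the path removes both dependencies: `for file in $(${cu "ls"} -t1 '${cfg.dump.backupDir}' | ${cu "tail"} -n+${toString (backupCount + 1)}); do` and `${cu "rm"} -- '${cfg.dump.backupDir}'/"$file"`. Word-splitting on `$(…)` remains fragile for names containing whitespace, which gitea's own dump names do not.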
diff --git a/hosts/kommode/services/gitea/gpg.nix b/hosts/kommode/services/gitea/gpg.nix
index 06a36bd..71f022a 100644
--- a/hosts/kommode/services/gitea/gpg.nix
+++ b/hosts/kommode/services/gitea/gpg.nix
@@ -1,4 +1,9 @@
-{ config, pkgs, lib, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
let
cfg = config.services.gitea;
GNUPGHOME = "${config.users.users.gitea.home}/gnupg";
diff --git a/hosts/kommode/services/gitea/import-users/default.nix b/hosts/kommode/services/gitea/import-users/default.nix
index 421227a..d68e369 100644
--- a/hosts/kommode/services/gitea/import-users/default.nix
+++ b/hosts/kommode/services/gitea/import-users/default.nix
@@ -1,4 +1,9 @@
-{ config, pkgs, lib, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
let
cfg = config.services.gitea;
in
@@ -11,7 +16,7 @@ in
systemd.services.gitea-import-users = lib.mkIf cfg.enable {
enable = true;
- preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /run/gitea-import-users/passwd'';
+ preStart = ''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /run/gitea-import-users/passwd'';
environment.PASSWD_FILE_PATH = "/run/gitea-import-users/passwd";
serviceConfig = {
ExecStart = pkgs.writers.writePython3 "gitea-import-users" {
@@ -20,12 +25,12 @@ in
];
libraries = with pkgs.python3Packages; [ requests ];
} (builtins.readFile ./gitea-import-users.py);
- LoadCredential=[
+ LoadCredential = [
"sshkey:${config.sops.secrets."gitea/passwd-ssh-key".path}"
"ssh-known-hosts:${config.sops.secrets."gitea/ssh-known-hosts".path}"
];
- DynamicUser="yes";
- EnvironmentFile=config.sops.secrets."gitea/import-user-env".path;
+ DynamicUser = "yes";
+ EnvironmentFile = config.sops.secrets."gitea/import-user-env".path;
RuntimeDirectory = "gitea-import-users";
};
};
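Review bot: The rsync-over-ssh in `preStart` pins the remote host key through `UserKnownHostsFile` from the credentials directory but leaves `StrictHostKeyChecking` at its default of `ask`, so the pinning only holds because there is no tty to answer the prompt. Making it explicit, `-o StrictHostKeyChecking=yes`, states the intent and keeps the fetch of `/etc/passwd` from `smtp.pvv.ntnu.no` failing closed if ssh defaults or the invocation ever change. The enclosing `systemd.services.gitea-import-users` block starts before this hunk.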
diff --git a/hosts/kommode/services/gitea/web-secret-provider/default.nix b/hosts/kommode/services/gitea/web-secret-provider/default.nix
index ba19c7e..ab7a4e2 100644
--- a/hosts/kommode/services/gitea/web-secret-provider/default.nix
+++ b/hosts/kommode/services/gitea/web-secret-provider/default.nix
@@ -1,4 +1,9 @@
-{ config, pkgs, lib, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
let
organizations = [
"Drift"
@@ -36,7 +41,8 @@ in
group = "gitea-web";
restartUnits = [
"gitea-web-secret-provider@"
- ] ++ (map (org: "gitea-web-secret-provider@${org}") organizations);
+ ]
+ ++ (map (org: "gitea-web-secret-provider@${org}") organizations);
};
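Review bot: `restartUnits` lists the bare template name `"gitea-web-secret-provider@"` alongside the instantiated `gitea-web-secret-provider@${org}` units; a template unit without an instance cannot be started or restarted, so that first entry either does nothing or makes sops-nix's restart step fail, depending on how it invokes systemctl — worth checking on the host after a secret change. Since the `map` already covers every real instance, the list can simply be `restartUnits = map (org: "gitea-web-secret-provider@${org}") organizations;`. The `sops.secrets` attribute this belongs to starts before the hunk.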
systemd.slices.system-giteaweb = {
@@ -48,25 +54,30 @@ in
# %d - secrets directory
systemd.services."gitea-web-secret-provider@" = {
description = "Ensure all repos in %i has an SSH key to push web content";
- requires = [ "gitea.service" "network.target" ];
+ requires = [
+ "gitea.service"
+ "network.target"
+ ];
serviceConfig = {
Slice = "system-giteaweb.slice";
Type = "oneshot";
- ExecStart = let
- args = lib.cli.toGNUCommandLineShell { } {
- org = "%i";
- token-path = "%d/token";
- api-url = "${giteaCfg.settings.server.ROOT_URL}api/v1";
- key-dir = "/var/lib/gitea-web/keys/%i";
- authorized-keys-path = "/var/lib/gitea-web/authorized_keys.d/%i";
- rrsync-script = pkgs.writeShellScript "rrsync-chown" ''
- mkdir -p "$1"
- ${lib.getExe pkgs.rrsync} -wo "$1"
- ${pkgs.coreutils}/bin/chown -R gitea-web:gitea-web "$1"
- '';
- web-dir = "/var/lib/gitea-web/web";
- };
- in "${giteaWebSecretProviderScript} ${args}";
+ ExecStart =
+ let
+ args = lib.cli.toGNUCommandLineShell { } {
+ org = "%i";
+ token-path = "%d/token";
+ api-url = "${giteaCfg.settings.server.ROOT_URL}api/v1";
+ key-dir = "/var/lib/gitea-web/keys/%i";
+ authorized-keys-path = "/var/lib/gitea-web/authorized_keys.d/%i";
+ rrsync-script = pkgs.writeShellScript "rrsync-chown" ''
+ mkdir -p "$1"
+ ${lib.getExe pkgs.rrsync} -wo "$1"
+ ${pkgs.coreutils}/bin/chown -R gitea-web:gitea-web "$1"
+ '';
+ web-dir = "/var/lib/gitea-web/web";
+ };
+ in
+ "${giteaWebSecretProviderScript} ${args}";
User = "gitea-web";
Group = "gitea-web";
@@ -85,7 +96,10 @@ in
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
- RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ ];
RestrictRealtime = true;
RestrictSUIDSGID = true;
MemoryDenyWriteExecute = true;
@@ -105,7 +119,9 @@ in
systemd.targets.timers.wants = map (org: "gitea-web-secret-provider@${org}.timer") organizations;
- services.openssh.authorizedKeysFiles = map (org: "/var/lib/gitea-web/authorized_keys.d/${org}") organizations;
+ services.openssh.authorizedKeysFiles = map (
+ org: "/var/lib/gitea-web/authorized_keys.d/${org}"
+ ) organizations;
users.users.nginx.extraGroups = [ "gitea-web" ];
services.nginx.virtualHosts."pages.pvv.ntnu.no" = {
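Review bot: The `services.openssh.authorizedKeysFiles` entries on the new lines are absolute paths with no `%u` token, so sshd consults `/var/lib/gitea-web/authorized_keys.d/<org>` for every account that authenticates, not only for `gitea-web`; the commit only reformats this, but it is the place to make that property visible. Unless something outside this hunk narrows it, what keeps those keys from being usable for other logins is sshd's StrictModes ownership check on each file and whatever `command=`/`restrict` options the provider script writes into each line, neither of which is shown here. A comment above the option such as `# sshd consults these files for every user: each line must carry a forced command and restrict options` would state the invariant, and scoping the setting inside a `Match User gitea-web` block via `services.openssh.extraConfig` would enforce it.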
diff --git a/hosts/lupine/configuration.nix b/hosts/lupine/configuration.nix
index 43d35c1..a4dda67 100644
--- a/hosts/lupine/configuration.nix
+++ b/hosts/lupine/configuration.nix
@@ -1,4 +1,9 @@
-{ fp, values, lupineName, ... }:
+{
+ fp,
+ values,
+ lupineName,
+ ...
+}:
{
imports = [
./hardware-configuration/${lupineName}.nix
@@ -12,7 +17,10 @@
systemd.network.networks."30-enp0s31f6" = values.defaultNetworkConfig // {
matchConfig.Name = "enp0s31f6";
- address = with values.hosts.${lupineName}; [ (ipv4 + "/25") (ipv6 + "/64") ];
+ address = with values.hosts.${lupineName}; [
+ (ipv4 + "/25")
+ (ipv6 + "/64")
+ ];
networkConfig.LLDP = false;
};
systemd.network.wait-online = {
diff --git a/hosts/lupine/hardware-configuration/lupine-1.nix b/hosts/lupine/hardware-configuration/lupine-1.nix
index d97536c..7cb4ae2 100644
--- a/hosts/lupine/hardware-configuration/lupine-1.nix
+++ b/hosts/lupine/hardware-configuration/lupine-1.nix
@@ -1,32 +1,46 @@
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
{
- imports =
- [ (modulesPath + "/installer/scan/not-detected.nix")
- ];
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
- boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
+ boot.initrd.availableKernelModules = [
+ "xhci_pci"
+ "ahci"
+ "usbhid"
+ "sd_mod"
+ ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
- fileSystems."/" =
- { device = "/dev/disk/by-uuid/a949e2e8-d973-4925-83e4-bcd815e65af7";
- fsType = "ext4";
- };
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/a949e2e8-d973-4925-83e4-bcd815e65af7";
+ fsType = "ext4";
+ };
- fileSystems."/boot" =
- { device = "/dev/disk/by-uuid/81D6-38D3";
- fsType = "vfat";
- options = [ "fmask=0077" "dmask=0077" ];
- };
-
- swapDevices =
- [ { device = "/dev/disk/by-uuid/82c2d7fa-7cd0-4398-8cf6-c892bc56264b"; }
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/81D6-38D3";
+ fsType = "vfat";
+ options = [
+ "fmask=0077"
+ "dmask=0077"
];
+ };
+
+ swapDevices = [
+ { device = "/dev/disk/by-uuid/82c2d7fa-7cd0-4398-8cf6-c892bc56264b"; }
+ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
diff --git a/hosts/lupine/hardware-configuration/lupine-2.nix b/hosts/lupine/hardware-configuration/lupine-2.nix
index e1b480c..f123ac4 100644
--- a/hosts/lupine/hardware-configuration/lupine-2.nix
+++ b/hosts/lupine/hardware-configuration/lupine-2.nix
@@ -1,32 +1,46 @@
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
{
- imports =
- [ (modulesPath + "/installer/scan/not-detected.nix")
- ];
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
- boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
+ boot.initrd.availableKernelModules = [
+ "xhci_pci"
+ "ahci"
+ "usbhid"
+ "sd_mod"
+ ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
- fileSystems."/" =
- { device = "/dev/disk/by-uuid/aa81d439-800b-403d-ac10-9d2aac3619d0";
- fsType = "ext4";
- };
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/aa81d439-800b-403d-ac10-9d2aac3619d0";
+ fsType = "ext4";
+ };
- fileSystems."/boot" =
- { device = "/dev/disk/by-uuid/4A34-6AE5";
- fsType = "vfat";
- options = [ "fmask=0077" "dmask=0077" ];
- };
-
- swapDevices =
- [ { device = "/dev/disk/by-uuid/efb7cd0c-c1ae-4a86-8bc2-8e7fd0066650"; }
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/4A34-6AE5";
+ fsType = "vfat";
+ options = [
+ "fmask=0077"
+ "dmask=0077"
];
+ };
+
+ swapDevices = [
+ { device = "/dev/disk/by-uuid/efb7cd0c-c1ae-4a86-8bc2-8e7fd0066650"; }
+ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
diff --git a/hosts/lupine/hardware-configuration/lupine-3.nix b/hosts/lupine/hardware-configuration/lupine-3.nix
index 3855e11..101943b 100644
--- a/hosts/lupine/hardware-configuration/lupine-3.nix
+++ b/hosts/lupine/hardware-configuration/lupine-3.nix
@@ -1,32 +1,46 @@
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
{
- imports =
- [ (modulesPath + "/installer/scan/not-detected.nix")
- ];
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
- boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
+ boot.initrd.availableKernelModules = [
+ "xhci_pci"
+ "ahci"
+ "usbhid"
+ "sd_mod"
+ ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
- fileSystems."/" =
- { device = "/dev/disk/by-uuid/39ba059b-3205-4701-a832-e72c0122cb88";
- fsType = "ext4";
- };
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/39ba059b-3205-4701-a832-e72c0122cb88";
+ fsType = "ext4";
+ };
- fileSystems."/boot" =
- { device = "/dev/disk/by-uuid/63FA-297B";
- fsType = "vfat";
- options = [ "fmask=0077" "dmask=0077" ];
- };
-
- swapDevices =
- [ { device = "/dev/disk/by-uuid/9c72eb54-ea8c-4b09-808a-8be9b9a33869"; }
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/63FA-297B";
+ fsType = "vfat";
+ options = [
+ "fmask=0077"
+ "dmask=0077"
];
+ };
+
+ swapDevices = [
+ { device = "/dev/disk/by-uuid/9c72eb54-ea8c-4b09-808a-8be9b9a33869"; }
+ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
diff --git a/hosts/lupine/hardware-configuration/lupine-4.nix b/hosts/lupine/hardware-configuration/lupine-4.nix
index 803830a..a131eba 100644
--- a/hosts/lupine/hardware-configuration/lupine-4.nix
+++ b/hosts/lupine/hardware-configuration/lupine-4.nix
@@ -1,26 +1,37 @@
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
{
- imports =
- [ (modulesPath + "/installer/scan/not-detected.nix")
- ];
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
- boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
+ boot.initrd.availableKernelModules = [
+ "xhci_pci"
+ "ahci"
+ "usbhid"
+ "sd_mod"
+ ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
- fileSystems."/" =
- { device = "/dev/disk/by-uuid/c7bbb293-a0a3-4995-8892-0ec63e8c67dd";
- fsType = "ext4";
- };
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/c7bbb293-a0a3-4995-8892-0ec63e8c67dd";
+ fsType = "ext4";
+ };
- swapDevices =
- [ { device = "/dev/disk/by-uuid/a86ffda8-8ecb-42a1-bf9f-926072e90ca5"; }
- ];
+ swapDevices = [
+ { device = "/dev/disk/by-uuid/a86ffda8-8ecb-42a1-bf9f-926072e90ca5"; }
+ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
diff --git a/hosts/lupine/hardware-configuration/lupine-5.nix b/hosts/lupine/hardware-configuration/lupine-5.nix
index a47b892..436d774 100644
--- a/hosts/lupine/hardware-configuration/lupine-5.nix
+++ b/hosts/lupine/hardware-configuration/lupine-5.nix
@@ -1,32 +1,46 @@
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
{
- imports =
- [ (modulesPath + "/installer/scan/not-detected.nix")
- ];
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
- boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
+ boot.initrd.availableKernelModules = [
+ "xhci_pci"
+ "ahci"
+ "usbhid"
+ "sd_mod"
+ ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
- fileSystems."/" =
- { device = "/dev/disk/by-uuid/5f8418ad-8ec1-4f9e-939e-f3a4c36ef343";
- fsType = "ext4";
- };
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/5f8418ad-8ec1-4f9e-939e-f3a4c36ef343";
+ fsType = "ext4";
+ };
- fileSystems."/boot" =
- { device = "/dev/disk/by-uuid/F372-37DF";
- fsType = "vfat";
- options = [ "fmask=0077" "dmask=0077" ];
- };
-
- swapDevices =
- [ { device = "/dev/disk/by-uuid/27bf292d-bbb3-48c4-a86e-456e0f1f648f"; }
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/F372-37DF";
+ fsType = "vfat";
+ options = [
+ "fmask=0077"
+ "dmask=0077"
];
+ };
+
+ swapDevices = [
+ { device = "/dev/disk/by-uuid/27bf292d-bbb3-48c4-a86e-456e0f1f648f"; }
+ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
diff --git a/hosts/lupine/services/gitea-runner.nix b/hosts/lupine/services/gitea-runner.nix
index 3245759..ae6bc8d 100644
--- a/hosts/lupine/services/gitea-runner.nix
+++ b/hosts/lupine/services/gitea-runner.nix
@@ -67,5 +67,8 @@
networking.dhcpcd.IPv6rs = false;
- networking.firewall.interfaces."podman+".allowedUDPPorts = [53 5353];
+ networking.firewall.interfaces."podman+".allowedUDPPorts = [
+ 53
+ 5353
+ ];
}
diff --git a/hosts/shark/configuration.nix b/hosts/shark/configuration.nix
index c53a220..8cc8e5c 100644
--- a/hosts/shark/configuration.nix
+++ b/hosts/shark/configuration.nix
@@ -1,14 +1,23 @@
-{ config, fp, pkgs, values, ... }:
+{
+ config,
+ fp,
+ pkgs,
+ values,
+ ...
+}:
{
imports = [
- # Include the results of the hardware scan.
- ./hardware-configuration.nix
- (fp /base)
- ];
+ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ (fp /base)
+ ];
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
matchConfig.Name = "ens18";
- address = with values.hosts.shark; [ (ipv4 + "/25") (ipv6 + "/64") ];
+ address = with values.hosts.shark; [
+ (ipv4 + "/25")
+ (ipv6 + "/64")
+ ];
};
services.qemuGuest.enable = true;
diff --git a/hosts/shark/hardware-configuration.nix b/hosts/shark/hardware-configuration.nix
index 2536bab..b86512e 100644
--- a/hosts/shark/hardware-configuration.nix
+++ b/hosts/shark/hardware-configuration.nix
@@ -1,31 +1,44 @@
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
{
- imports =
- [ (modulesPath + "/profiles/qemu-guest.nix")
- ];
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
- boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "uhci_hcd"
+ "virtio_pci"
+ "virtio_scsi"
+ "sd_mod"
+ "sr_mod"
+ ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
- fileSystems."/" =
- { device = "/dev/disk/by-uuid/224c45db-9fdc-45d4-b3ad-aaf20b3efa8a";
- fsType = "ext4";
- };
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/224c45db-9fdc-45d4-b3ad-aaf20b3efa8a";
+ fsType = "ext4";
+ };
- fileSystems."/boot" =
- { device = "/dev/disk/by-uuid/CC37-F5FE";
- fsType = "vfat";
- };
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/CC37-F5FE";
+ fsType = "vfat";
+ };
- swapDevices =
- [ { device = "/dev/disk/by-uuid/a1ce3234-78b1-4565-9643-f4a05004424f"; }
- ];
+ swapDevices = [
+ { device = "/dev/disk/by-uuid/a1ce3234-78b1-4565-9643-f4a05004424f"; }
+ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
diff --git a/hosts/skrot/hardware-configuration.nix b/hosts/skrot/hardware-configuration.nix
index cafc847..0edb290 100644
--- a/hosts/skrot/hardware-configuration.nix
+++ b/hosts/skrot/hardware-configuration.nix
@@ -1,11 +1,22 @@
-{ config, lib, pkgs, modulesPath, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
{
- imports =
- [ (modulesPath + "/installer/scan/not-detected.nix")
- ];
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
- boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
+ boot.initrd.availableKernelModules = [
+ "xhci_pci"
+ "ahci"
+ "usbhid"
+ "sd_mod"
+ ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
diff --git a/hosts/skrott/configuration.nix b/hosts/skrott/configuration.nix
index b946e1f..2c8f27d 100644
--- a/hosts/skrott/configuration.nix
+++ b/hosts/skrott/configuration.nix
@@ -1,4 +1,13 @@
-{ config, pkgs, lib, modulesPath, fp, values, ... }: {
+{
+ config,
+ pkgs,
+ lib,
+ modulesPath,
+ fp,
+ values,
+ ...
+}:
+{
imports = [
(modulesPath + "/profiles/perlless.nix")
@@ -64,14 +73,18 @@
defaultGateway6 = values.hosts.gateway6;
interfaces.eth0 = {
useDHCP = false;
- ipv4.addresses = [{
- address = values.hosts.skrott.ipv4;
- prefixLength = 25;
- }];
- ipv6.addresses = [{
- address = values.hosts.skrott.ipv6;
- prefixLength = 25;
- }];
+ ipv4.addresses = [
+ {
+ address = values.hosts.skrott.ipv4;
+ prefixLength = 25;
+ }
+ ];
+ ipv6.addresses = [
+ {
+ address = values.hosts.skrott.ipv6;
+ prefixLength = 25;
+ }
+ ];
};
};
diff --git a/hosts/temmie/configuration.nix b/hosts/temmie/configuration.nix
index a7e2b19..029368c 100644
--- a/hosts/temmie/configuration.nix
+++ b/hosts/temmie/configuration.nix
@@ -1,4 +1,10 @@
-{ config, fp, pkgs, values, ... }:
+{
+ config,
+ fp,
+ pkgs,
+ values,
+ ...
+}:
{
imports = [
# Include the results of the hardware scan.
@@ -11,7 +17,10 @@
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
matchConfig.Name = "ens18";
- address = with values.hosts.temmie; [ (ipv4 + "/25") (ipv6 + "/64") ];
+ address = with values.hosts.temmie; [
+ (ipv4 + "/25")
+ (ipv6 + "/64")
+ ];
};
services.nginx.enable = false;
diff --git a/hosts/temmie/hardware-configuration.nix b/hosts/temmie/hardware-configuration.nix
index a7a165e..8613a46 100644
--- a/hosts/temmie/hardware-configuration.nix
+++ b/hosts/temmie/hardware-configuration.nix
@@ -1,28 +1,44 @@
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
{
- imports =
- [ (modulesPath + "/profiles/qemu-guest.nix")
- ];
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
- boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "uhci_hcd"
+ "virtio_pci"
+ "virtio_scsi"
+ "sd_mod"
+ "sr_mod"
+ ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
- fileSystems."/" =
- { device = "/dev/disk/by-uuid/c3aed415-0054-4ac5-8d29-75a99cc26451";
- fsType = "btrfs";
- };
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/c3aed415-0054-4ac5-8d29-75a99cc26451";
+ fsType = "btrfs";
+ };
- fileSystems."/boot" =
- { device = "/dev/disk/by-uuid/A367-83FD";
- fsType = "vfat";
- options = [ "fmask=0022" "dmask=0022" ];
- };
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/A367-83FD";
+ fsType = "vfat";
+ options = [
+ "fmask=0022"
+ "dmask=0022"
+ ];
+ };
swapDevices = [ ];
diff --git a/hosts/temmie/services/nfs-mounts.nix b/hosts/temmie/services/nfs-mounts.nix
index 35211e4..ae84ba2 100644
--- a/hosts/temmie/services/nfs-mounts.nix
+++ b/hosts/temmie/services/nfs-mounts.nix
@@ -1,7 +1,19 @@
{ lib, values, ... }:
let
# See microbel:/etc/exports
- letters = [ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ];
+ letters = [
+ "a"
+ "b"
+ "c"
+ "d"
+ "h"
+ "i"
+ "j"
+ "k"
+ "l"
+ "m"
+ "z"
+ ];
in
{
systemd.targets."pvv-homedirs" = {
diff --git a/hosts/temmie/services/userweb.nix b/hosts/temmie/services/userweb.nix
index 2fb928e..52d492e 100644
--- a/hosts/temmie/services/userweb.nix
+++ b/hosts/temmie/services/userweb.nix
@@ -1,16 +1,36 @@
-{ config, lib, pkgs, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
let
cfg = config.services.httpd;
- homeLetters = [ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ];
+ homeLetters = [
+ "a"
+ "b"
+ "c"
+ "d"
+ "h"
+ "i"
+ "j"
+ "k"
+ "l"
+ "m"
+ "z"
+ ];
# https://nixos.org/manual/nixpkgs/stable/#ssec-php-user-guide-installing-with-extensions
phpEnv = pkgs.php.buildEnv {
- extensions = { all, ... }: with all; [
- imagick
- opcache
- protobuf
- ];
+ extensions =
+ { all, ... }:
+ with all;
+ [
+ imagick
+ opcache
+ protobuf
+ ];
extraConfig = ''
display_errors=0
@@ -19,45 +39,47 @@ let
'';
};
- perlEnv = pkgs.perl.withPackages (ps: with ps; [
- pkgs.exiftool
- pkgs.ikiwiki
- pkgs.irssi
- pkgs.nix.libs.nix-perl-bindings
+ perlEnv = pkgs.perl.withPackages (
+ ps: with ps; [
+ pkgs.exiftool
+ pkgs.ikiwiki
+ pkgs.irssi
+ pkgs.nix.libs.nix-perl-bindings
- AlgorithmDiff
- AnyEvent
- AnyEventI3
- ArchiveZip
- CGI
- CPAN
- CPANPLUS
- DBDPg
- DBDSQLite
- DBI
- EmailAddress
- EmailSimple
- Env
- Git
- HTMLMason
- HTMLParser
- HTMLTagset
- HTTPDAV
- HTTPDaemon
- ImageMagick
- JSON
- LWP
- MozillaCA
- PathTiny
- Switch
- SysSyslog
- TestPostgreSQL
- TextPDF
- TieFile
- Tk
- URI
- XMLLibXML
- ]);
+ AlgorithmDiff
+ AnyEvent
+ AnyEventI3
+ ArchiveZip
+ CGI
+ CPAN
+ CPANPLUS
+ DBDPg
+ DBDSQLite
+ DBI
+ EmailAddress
+ EmailSimple
+ Env
+ Git
+ HTMLMason
+ HTMLParser
+ HTMLTagset
+ HTTPDAV
+ HTTPDaemon
+ ImageMagick
+ JSON
+ LWP
+ MozillaCA
+ PathTiny
+ Switch
+ SysSyslog
+ TestPostgreSQL
+ TextPDF
+ TieFile
+ Tk
+ URI
+ XMLLibXML
+ ]
+ );
# https://nixos.org/manual/nixpkgs/stable/#python.buildenv-function
pythonEnv = pkgs.python3.buildEnv.override {
@@ -73,100 +95,102 @@ let
# https://nixos.org/manual/nixpkgs/stable/#sec-building-environment
fhsEnv = pkgs.buildEnv {
name = "userweb-env";
- paths = with pkgs; [
- bash
+ paths =
+ with pkgs;
+ [
+ bash
- perlEnv
- pythonEnv
+ perlEnv
+ pythonEnv
- phpEnv
- ]
- ++ (with phpEnv.packages; [
- # composer
- ])
- ++ [
- acl
- aspell
- autoconf
- autotrash
- bazel
- bintools
- bison
- bsd-finger
- catdoc
- ccache
- clang
- cmake
- coreutils-full
- curl
- devcontainer
- diffutils
- emacs
- # exiftags
- exiftool
- ffmpeg
- file
- findutils
- gawk
- gcc
- glibc
- gnugrep
- gnumake
- gnupg
- gnuplot
- gnused
- gnutar
- gzip
- html-tidy
- imagemagick
- inetutils
- iproute2
- jhead
- less
- libgcc
- lndir
- mailutils
- man # TODO: does this one want a mandb instance?
- meson
- more
- mpc
- mpi
- mplayer
- ninja
- nix
- openssh
- openssl
- patchelf
- pkg-config
- ppp
- procmail
- procps
- qemu
- rc
- rhash
- rsync
- ruby # TODO: does this one want systemwide packages?
- salt
- sccache
- sourceHighlight
- spamassassin
- strace
- subversion
- system-sendmail
- systemdMinimal
- texliveMedium
- tmux
- unzip
- util-linux
- valgrind
- vim
- wget
- which
- wine
- xdg-utils
- zip
- zstd
- ];
+ phpEnv
+ ]
+ ++ (with phpEnv.packages; [
+ # composer
+ ])
+ ++ [
+ acl
+ aspell
+ autoconf
+ autotrash
+ bazel
+ bintools
+ bison
+ bsd-finger
+ catdoc
+ ccache
+ clang
+ cmake
+ coreutils-full
+ curl
+ devcontainer
+ diffutils
+ emacs
+ # exiftags
+ exiftool
+ ffmpeg
+ file
+ findutils
+ gawk
+ gcc
+ glibc
+ gnugrep
+ gnumake
+ gnupg
+ gnuplot
+ gnused
+ gnutar
+ gzip
+ html-tidy
+ imagemagick
+ inetutils
+ iproute2
+ jhead
+ less
+ libgcc
+ lndir
+ mailutils
+ man # TODO: does this one want a mandb instance?
+ meson
+ more
+ mpc
+ mpi
+ mplayer
+ ninja
+ nix
+ openssh
+ openssl
+ patchelf
+ pkg-config
+ ppp
+ procmail
+ procps
+ qemu
+ rc
+ rhash
+ rsync
+ ruby # TODO: does this one want systemwide packages?
+ salt
+ sccache
+ sourceHighlight
+ spamassassin
+ strace
+ subversion
+ system-sendmail
+ systemdMinimal
+ texliveMedium
+ tmux
+ unzip
+ util-linux
+ valgrind
+ vim
+ wget
+ which
+ wine
+ xdg-utils
+ zip
+ zstd
+ ];
extraOutputsToInstall = [
"man"
@@ -299,7 +323,7 @@ in
];
SystemCallArchitectures = "native";
SystemCallFilter = [
- "@system-service"
+ "@system-service"
];
UMask = "0077";
@@ -317,7 +341,8 @@ in
"${fhsEnv}/sbin:/sbin"
"${fhsEnv}/lib:/lib"
"${fhsEnv}/share:/share"
- ] ++ (lib.mapCartesianProduct ({ parent, child }: "${fhsEnv}${child}:${parent}${child}") {
+ ]
+ ++ (lib.mapCartesianProduct ({ parent, child }: "${fhsEnv}${child}:${parent}${child}") {
parent = [
"/local"
"/opt"
diff --git a/hosts/ustetind/configuration.nix b/hosts/ustetind/configuration.nix
index acbdcda..6ab0392 100644
--- a/hosts/ustetind/configuration.nix
+++ b/hosts/ustetind/configuration.nix
@@ -1,4 +1,11 @@
-{ config, fp, pkgs, lib, values, ... }:
+{
+ config,
+ fp,
+ pkgs,
+ lib,
+ values,
+ ...
+}:
{
imports = [
@@ -20,7 +27,10 @@
"eth*"
];
};
- address = with values.hosts.ustetind; [ (ipv4 + "/25") (ipv6 + "/64") ];
+ address = with values.hosts.ustetind; [
+ (ipv4 + "/25")
+ (ipv6 + "/64")
+ ];
};
"40-podman-veth" = values.defaultNetworkConfig // {
matchConfig = {
diff --git a/hosts/ustetind/services/gitea-runners.nix b/hosts/ustetind/services/gitea-runners.nix
index a3e8521..a77cc93 100644
--- a/hosts/ustetind/services/gitea-runners.nix
+++ b/hosts/ustetind/services/gitea-runners.nix
@@ -1,4 +1,9 @@
-{ config, lib, values, ... }:
+{
+ config,
+ lib,
+ values,
+ ...
+}:
let
mkRunner = name: {
# This is unfortunately state, and has to be generated one at a time :(
@@ -13,7 +18,8 @@ let
services.gitea-actions-runner.instances = {
${name} = {
enable = true;
- name = "git-runner-${name}"; url = "https://git.pvv.ntnu.no";
+ name = "git-runner-${name}";
+ url = "https://git.pvv.ntnu.no";
labels = [
"debian-latest:docker://node:current-bookworm"
"ubuntu-latest:docker://node:current-bookworm"
@@ -36,6 +42,9 @@ lib.mkMerge [
networking.dhcpcd.IPv6rs = false;
- networking.firewall.interfaces."podman+".allowedUDPPorts = [53 5353];
+ networking.firewall.interfaces."podman+".allowedUDPPorts = [
+ 53
+ 5353
+ ];
}
]
diff --git a/hosts/wenche/configuration.nix b/hosts/wenche/configuration.nix
index 00b94a3..4ad379f 100644
--- a/hosts/wenche/configuration.nix
+++ b/hosts/wenche/configuration.nix
@@ -1,10 +1,17 @@
-{ config, fp, pkgs, values, lib, ... }:
+{
+ config,
+ fp,
+ pkgs,
+ values,
+ lib,
+ ...
+}:
{
imports = [
- # Include the results of the hardware scan.
- ./hardware-configuration.nix
- (fp /base)
- ];
+ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ (fp /base)
+ ];
nix.settings.trusted-users = [ "@nix-builder-users" ];
nix.daemonCPUSchedPolicy = "batch";
@@ -19,7 +26,10 @@
systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
matchConfig.Name = "ens18";
- address = with values.hosts.wenche; [ (ipv4 + "/25") (ipv6 + "/64") ];
+ address = with values.hosts.wenche; [
+ (ipv4 + "/25")
+ (ipv6 + "/64")
+ ];
};
hardware.graphics.enable = true;
diff --git a/hosts/wenche/hardware-configuration.nix b/hosts/wenche/hardware-configuration.nix
index 51d8a1b..680fed0 100644
--- a/hosts/wenche/hardware-configuration.nix
+++ b/hosts/wenche/hardware-configuration.nix
@@ -1,24 +1,39 @@
-{ config, lib, pkgs, modulesPath, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
{
- imports =
- [ (modulesPath + "/profiles/qemu-guest.nix")
- ];
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
- boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "uhci_hcd"
+ "virtio_pci"
+ "virtio_scsi"
+ "sd_mod"
+ "sr_mod"
+ ];
boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ "nvidia" ];
+ boot.kernelModules = [ "nvidia" ];
boot.extraModulePackages = [ ];
- fileSystems."/" =
- { device = "/dev/disk/by-uuid/4e8ecdd2-d453-4fff-b952-f06da00f3b85";
- fsType = "ext4";
- };
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/4e8ecdd2-d453-4fff-b952-f06da00f3b85";
+ fsType = "ext4";
+ };
- swapDevices = [ {
- device = "/var/lib/swapfile";
- size = 16*1024;
- } ];
+ swapDevices = [
+ {
+ device = "/var/lib/swapfile";
+ size = 16 * 1024;
+ }
+ ];
networking.useDHCP = lib.mkDefault false;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
diff --git a/modules/bluemap.nix b/modules/bluemap.nix
index b9150fa..ac4847b 100644
--- a/modules/bluemap.nix
+++ b/modules/bluemap.nix
@@ -1,4 +1,9 @@
-{ config, lib, pkgs, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
let
cfg = config.services.bluemap;
format = pkgs.formats.hocon { };
@@ -7,36 +12,48 @@ let
webappConfig = format.generate "webapp.conf" cfg.webappSettings;
webserverConfig = format.generate "webserver.conf" cfg.webserverSettings;
- storageFolder = pkgs.linkFarm "storage"
- (lib.attrsets.mapAttrs' (name: value:
- lib.nameValuePair "${name}.conf"
- (format.generate "${name}.conf" value))
- cfg.storage);
+ storageFolder = pkgs.linkFarm "storage" (
+ lib.attrsets.mapAttrs' (
+ name: value: lib.nameValuePair "${name}.conf" (format.generate "${name}.conf" value)
+ ) cfg.storage
+ );
- generateMapConfigWithMarkerData = name: { extraHoconMarkersFile, settings, ... }:
+ generateMapConfigWithMarkerData =
+ name:
+ { extraHoconMarkersFile, settings, ... }:
assert (extraHoconMarkersFile == null) != ((settings.marker-sets or { }) == { });
lib.pipe settings (
(lib.optionals (extraHoconMarkersFile != null) [
- (settings: lib.recursiveUpdate settings {
- marker-placeholder = "###ASDF###";
- })
- ]) ++ [
+ (
+ settings:
+ lib.recursiveUpdate settings {
+ marker-placeholder = "###ASDF###";
+ }
+ )
+ ])
+ ++ [
(format.generate "${name}.conf")
- ] ++ (lib.optionals (extraHoconMarkersFile != null) [
- (hoconFile: pkgs.runCommand "${name}-patched.conf" { } ''
- mkdir -p "$(dirname "$out")"
- cp '${hoconFile}' "$out"
- substituteInPlace "$out" \
- --replace-fail '"marker-placeholder" = "###ASDF###"' "\"marker-sets\" = $(cat '${extraHoconMarkersFile}')"
- '')
+ ]
+ ++ (lib.optionals (extraHoconMarkersFile != null) [
+ (
+ hoconFile:
+ pkgs.runCommand "${name}-patched.conf" { } ''
+ mkdir -p "$(dirname "$out")"
+ cp '${hoconFile}' "$out"
+ substituteInPlace "$out" \
+ --replace-fail '"marker-placeholder" = "###ASDF###"' "\"marker-sets\" = $(cat '${extraHoconMarkersFile}')"
+ ''
+ )
])
);
mapsFolder = lib.pipe cfg.maps [
- (lib.attrsets.mapAttrs' (name: value: {
- name = "${name}.conf";
- value = generateMapConfigWithMarkerData name value;
- }))
+ (lib.attrsets.mapAttrs' (
+ name: value: {
+ name = "${name}.conf";
+ value = generateMapConfigWithMarkerData name value;
+ }
+ ))
(pkgs.linkFarm "maps")
];
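Review bot: The placeholder string `"###ASDF###"` in `generateMapConfigWithMarkerData` is spelled twice, once in the `recursiveUpdate` and once in the `--replace-fail` pattern, so editing one of them is only reported later as a substituteInPlace failure in the `${name}-patched.conf` derivation. Hoisting it into the surrounding `let` as `markerPlaceholder = "###ASDF###";` and interpolating it in both places keeps the fail-closed `--replace-fail` behaviour while leaving a single definition. The `let` block this function lives in starts before the hunk.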
@@ -49,19 +66,24 @@ let
"packs" = cfg.packs;
};
- renderConfigFolder = name: value: pkgs.linkFarm "bluemap-${name}-config" {
- "maps" = pkgs.linkFarm "maps" {
- "${name}.conf" = generateMapConfigWithMarkerData name value;
+ renderConfigFolder =
+ name: value:
+ pkgs.linkFarm "bluemap-${name}-config" {
+ "maps" = pkgs.linkFarm "maps" {
+ "${name}.conf" = generateMapConfigWithMarkerData name value;
+ };
+ "storages" = storageFolder;
+ "core.conf" = coreConfig;
+ "webapp.conf" = format.generate "webapp.conf" (
+ cfg.webappSettings // { "update-settings-file" = false; }
+ );
+ "webserver.conf" = webserverConfig;
+ "packs" = value.packs;
};
- "storages" = storageFolder;
- "core.conf" = coreConfig;
- "webapp.conf" = format.generate "webapp.conf" (cfg.webappSettings // { "update-settings-file" = false; });
- "webserver.conf" = webserverConfig;
- "packs" = value.packs;
- };
inherit (lib) mkOption;
-in {
+in
+{
options.services.bluemap = {
enable = lib.mkEnableOption "bluemap";
package = lib.mkPackageOption pkgs "bluemap" { };
@@ -173,70 +195,77 @@ in {
};
maps = mkOption {
- type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
- options = {
- packs = mkOption {
- type = lib.types.path;
- default = cfg.packs;
- defaultText = lib.literalExpression "config.services.bluemap.packs";
- description = "A set of resourcepacks, datapacks, and mods to extract resources from, loaded in alphabetical order.";
- };
-
- extraHoconMarkersFile = mkOption {
- type = lib.types.nullOr lib.types.path;
- default = null;
- description = ''
- Path to a hocon file containing marker data.
- The content of this file will be injected into the map config file in a separate derivation.
-
- DO NOT SEND THIS TO NIXPKGS, IT'S AN UGLY HACK.
- '';
- };
-
- settings = mkOption {
- type = (lib.types.submodule {
- freeformType = format.type;
- options = {
- world = mkOption {
- type = lib.types.path;
- description = "Path to world folder containing the dimension to render";
- };
- name = mkOption {
- type = lib.types.str;
- description = "The display name of this map (how this map will be named on the webapp)";
- default = name;
- defaultText = lib.literalExpression "";
- };
- render-mask = mkOption {
- type = with lib.types; listOf (attrsOf format.type);
- description = "Limits for the map render";
- default = [ ];
- example = [
- {
- min-x = -4000;
- max-x = 4000;
- min-z = -4000;
- max-z = 4000;
- min-y = 50;
- max-y = 100;
- }
- {
- subtract = true;
- min-y = 90;
- max-y = 127;
- }
- ];
- };
+ type = lib.types.attrsOf (
+ lib.types.submodule (
+ { name, ... }:
+ {
+ options = {
+ packs = mkOption {
+ type = lib.types.path;
+ default = cfg.packs;
+ defaultText = lib.literalExpression "config.services.bluemap.packs";
+ description = "A set of resourcepacks, datapacks, and mods to extract resources from, loaded in alphabetical order.";
};
- });
- description = ''
- Settings for files in `maps/`.
- See the default for an example with good options for the different world types.
- For valid values [consult upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/common/src/main/resources/de/bluecolored/bluemap/config/maps/map.conf).
- '';
- };
- };
- }));
+
+ extraHoconMarkersFile = mkOption {
+ type = lib.types.nullOr lib.types.path;
+ default = null;
+ description = ''
+ Path to a hocon file containing marker data.
+ The content of this file will be injected into the map config file in a separate derivation.
+
+ DO NOT SEND THIS TO NIXPKGS, IT'S AN UGLY HACK.
+ '';
+ };
+
+ settings = mkOption {
+ type = (
+ lib.types.submodule {
+ freeformType = format.type;
+ options = {
+ world = mkOption {
+ type = lib.types.path;
+ description = "Path to world folder containing the dimension to render";
+ };
+ name = mkOption {
+ type = lib.types.str;
+ description = "The display name of this map (how this map will be named on the webapp)";
+ default = name;
+ defaultText = lib.literalExpression "";
+ };
+ render-mask = mkOption {
+ type = with lib.types; listOf (attrsOf format.type);
+ description = "Limits for the map render";
+ default = [ ];
+ example = [
+ {
+ min-x = -4000;
+ max-x = 4000;
+ min-z = -4000;
+ max-z = 4000;
+ min-y = 50;
+ max-y = 100;
+ }
+ {
+ subtract = true;
+ min-y = 90;
+ max-y = 127;
+ }
+ ];
+ };
+ };
+ }
+ );
+ description = ''
+ Settings for files in `maps/`.
+ See the default for an example with good options for the different world types.
+ For valid values [consult upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/common/src/main/resources/de/bluecolored/bluemap/config/maps/map.conf).
+ '';
+ };
+ };
+ }
+ )
+ );
default = {
"overworld".settings = {
world = cfg.defaultWorld;
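Review bot: `defaultText = lib.literalExpression "";` on the `name` option of the map submodule renders an empty default in the generated option docs, which hides the fact that the default is the map's attribute name. Since the value comes from the submodule's `name` argument, `defaultText = lib.literalMD "the attribute name of this map";` (or a literal expression naming it) would document it. The same empty `defaultText` appears on the `location` option in modules/rsync-pull-targets.nix in a later hunk of this commit. The `maps` option continues past the end of this hunk.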
@@ -320,16 +349,21 @@ in {
};
storage = mkOption {
- type = lib.types.attrsOf (lib.types.submodule {
- freeformType = format.type;
- options = {
- storage-type = mkOption {
- type = lib.types.enum [ "FILE" "SQL" ];
- description = "Type of storage config";
- default = "FILE";
+ type = lib.types.attrsOf (
+ lib.types.submodule {
+ freeformType = format.type;
+ options = {
+ storage-type = mkOption {
+ type = lib.types.enum [
+ "FILE"
+ "SQL"
+ ];
+ description = "Type of storage config";
+ default = "FILE";
+ };
};
- };
- });
+ }
+ );
description = ''
Where the rendered map will be stored.
Unless you are doing something advanced you should probably leave this alone and configure webRoot instead.
@@ -359,16 +393,16 @@ in {
};
};
-
config = lib.mkIf cfg.enable {
- assertions =
- [ { assertion = config.services.bluemap.eula;
- message = ''
- You have enabled bluemap but have not accepted minecraft's EULA.
- You can achieve this through setting `services.bluemap.eula = true`
- '';
- }
- ];
+ assertions = [
+ {
+ assertion = config.services.bluemap.eula;
+ message = ''
+ You have enabled bluemap but have not accepted minecraft's EULA.
+ You can achieve this through setting `services.bluemap.eula = true`
+ '';
+ }
+ ];
services.bluemap.coreSettings.accept-download = cfg.eula;
@@ -384,9 +418,9 @@ in {
]
++
# Render each minecraft map
- lib.attrsets.mapAttrsToList
- (name: value: "${lib.getExe cfg.package} -c ${renderConfigFolder name value} -r")
- cfg.maps
+ lib.attrsets.mapAttrsToList (
+ name: value: "${lib.getExe cfg.package} -c ${renderConfigFolder name value} -r"
+ ) cfg.maps
++ [
# Generate updated webapp
"${lib.getExe cfg.package} -c ${webappConfigFolder} -gs"
@@ -417,6 +451,9 @@ in {
};
meta = {
- maintainers = with lib.maintainers; [ dandellion h7x4 ];
+ maintainers = with lib.maintainers; [
+ dandellion
+ h7x4
+ ];
};
}
diff --git a/modules/gickup/default.nix b/modules/gickup/default.nix
index f3018f4..d48b1aa 100644
--- a/modules/gickup/default.nix
+++ b/modules/gickup/default.nix
@@ -1,4 +1,10 @@
-{ config, pkgs, lib, utils, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ utils,
+ ...
+}:
let
cfg = config.services.gickup;
format = pkgs.formats.yaml { };
@@ -45,113 +51,125 @@ in
};
instances = lib.mkOption {
- type = lib.types.attrsOf (lib.types.submodule (submoduleInputs@{ name, ... }: let
- submoduleName = name;
+ type = lib.types.attrsOf (
+ lib.types.submodule (
+ submoduleInputs@{ name, ... }:
+ let
+ submoduleName = name;
- nameParts = rec {
- repoType = builtins.head (lib.splitString ":" submoduleName);
+ nameParts = rec {
+ repoType = builtins.head (lib.splitString ":" submoduleName);
- owner = if repoType == "any"
- then null
- else lib.pipe submoduleName [
+ owner =
+ if repoType == "any" then
+ null
+ else
+ lib.pipe submoduleName [
(lib.removePrefix "${repoType}:")
(lib.splitString "/")
builtins.head
];
- repo = if repoType == "any"
- then null
- else lib.pipe submoduleName [
+ repo =
+ if repoType == "any" then
+ null
+ else
+ lib.pipe submoduleName [
(lib.removePrefix "${repoType}:")
(lib.splitString "/")
lib.last
];
- slug = if repoType == "any"
- then lib.toLower (builtins.replaceStrings [ ":" "/" ] [ "-" "-" ] submoduleName)
- else "${lib.toLower repoType}-${lib.toLower owner}-${lib.toLower repo}";
- };
- in {
- options = {
- interval = lib.mkOption {
- type = lib.types.str;
- default = "daily";
- example = "weekly";
- description = ''
- Specification (in the format described by {manpage}`systemd.time(7)`) of the time
- interval at which to run the service.
- '';
- };
-
- type = lib.mkOption {
- type = lib.types.enum [
- "github"
- "gitlab"
- "gitea"
- "gogs"
- "bitbucket"
- "onedev"
- "sourcehut"
- "any"
- ];
- example = "github";
- default = nameParts.repoType;
- description = ''
- The type of the repository to mirror.
- '';
- };
-
- owner = lib.mkOption {
- type = with lib.types; nullOr str;
- example = "go-gitea";
- default = nameParts.owner;
- description = ''
- The owner of the repository to mirror (if applicable)
- '';
- };
-
- repo = lib.mkOption {
- type = with lib.types; nullOr str;
- example = "gitea";
- default = nameParts.repo;
- description = ''
- The name of the repository to mirror (if applicable)
- '';
- };
-
- slug = lib.mkOption {
- type = lib.types.str;
- default = nameParts.slug;
- example = "github-go-gitea-gitea";
- description = ''
- The slug of the repository to mirror.
- '';
- };
-
- description = lib.mkOption {
- type = with lib.types; nullOr str;
- example = "A project which does this and that";
- description = ''
- A description of the project. This isn't used directly by gickup for anything,
- but can be useful if gickup is used together with cgit or similar.
- '';
- };
-
- settings = lib.mkOption {
- description = "Instance specific settings, see gickup configuration file";
- type = lib.types.submodule {
- freeformType = format.type;
+ slug =
+ if repoType == "any" then
+ lib.toLower (builtins.replaceStrings [ ":" "/" ] [ "-" "-" ] submoduleName)
+ else
+ "${lib.toLower repoType}-${lib.toLower owner}-${lib.toLower repo}";
};
- default = { };
- example = {
- username = "gickup";
- password = "hunter2";
- wiki = true;
- issues = true;
+ in
+ {
+ options = {
+ interval = lib.mkOption {
+ type = lib.types.str;
+ default = "daily";
+ example = "weekly";
+ description = ''
+ Specification (in the format described by {manpage}`systemd.time(7)`) of the time
+ interval at which to run the service.
+ '';
+ };
+
+ type = lib.mkOption {
+ type = lib.types.enum [
+ "github"
+ "gitlab"
+ "gitea"
+ "gogs"
+ "bitbucket"
+ "onedev"
+ "sourcehut"
+ "any"
+ ];
+ example = "github";
+ default = nameParts.repoType;
+ description = ''
+ The type of the repository to mirror.
+ '';
+ };
+
+ owner = lib.mkOption {
+ type = with lib.types; nullOr str;
+ example = "go-gitea";
+ default = nameParts.owner;
+ description = ''
+ The owner of the repository to mirror (if applicable)
+ '';
+ };
+
+ repo = lib.mkOption {
+ type = with lib.types; nullOr str;
+ example = "gitea";
+ default = nameParts.repo;
+ description = ''
+ The name of the repository to mirror (if applicable)
+ '';
+ };
+
+ slug = lib.mkOption {
+ type = lib.types.str;
+ default = nameParts.slug;
+ example = "github-go-gitea-gitea";
+ description = ''
+ The slug of the repository to mirror.
+ '';
+ };
+
+ description = lib.mkOption {
+ type = with lib.types; nullOr str;
+ example = "A project which does this and that";
+ description = ''
+ A description of the project. This isn't used directly by gickup for anything,
+ but can be useful if gickup is used together with cgit or similar.
+ '';
+ };
+
+ settings = lib.mkOption {
+ description = "Instance specific settings, see gickup configuration file";
+ type = lib.types.submodule {
+ freeformType = format.type;
+ };
+ default = { };
+ example = {
+ username = "gickup";
+ password = "hunter2";
+ wiki = true;
+ issues = true;
+ };
+ };
};
- };
- };
- }));
+ }
+ )
+ );
};
};
@@ -197,114 +215,122 @@ in
};
}
//
- # Overrides for mirrors which are not "daily"
- (lib.pipe cfg.instances [
- builtins.attrValues
- (builtins.filter (instance: instance.interval != "daily"))
- (map ({ slug, interval, ... }: {
- name = "gickup@${slug}";
- value = {
- overrideStrategy = "asDropin";
- timerConfig.OnCalendar = interval;
- };
- }))
- builtins.listToAttrs
- ]);
+ # Overrides for mirrors which are not "daily"
+ (lib.pipe cfg.instances [
+ builtins.attrValues
+ (builtins.filter (instance: instance.interval != "daily"))
+ (map (
+ { slug, interval, ... }:
+ {
+ name = "gickup@${slug}";
+ value = {
+ overrideStrategy = "asDropin";
+ timerConfig.OnCalendar = interval;
+ };
+ }
+ ))
+ builtins.listToAttrs
+ ]);
- systemd.targets.timers.wants = map ({ slug, ... }: "gickup@${slug}.timer") (lib.attrValues cfg.instances);
+ systemd.targets.timers.wants = map ({ slug, ... }: "gickup@${slug}.timer") (
+ lib.attrValues cfg.instances
+ );
systemd.services = {
- "gickup@" = let
- configDir = lib.pipe cfg.instances [
- (lib.mapAttrsToList (name: instance: {
- name = "${instance.slug}.yml";
- path = format.generate "gickup-configuration-${name}.yml" {
- destination.local = [ cfg.destinationSettings ];
- source.${instance.type} = [
- (
- (lib.optionalAttrs (instance.type != "any") {
- user = instance.owner;
- includeorgs = [ instance.owner ];
- include = [ instance.repo ];
- })
- //
- instance.settings
- )
- ];
- };
- }))
- (pkgs.linkFarm "gickup-configuration-files")
- ];
- in {
- description = "Gickup git repository mirroring service for %i";
- after = [ "network.target" ];
+ "gickup@" =
+ let
+ configDir = lib.pipe cfg.instances [
+ (lib.mapAttrsToList (
+ name: instance: {
+ name = "${instance.slug}.yml";
+ path = format.generate "gickup-configuration-${name}.yml" {
+ destination.local = [ cfg.destinationSettings ];
+ source.${instance.type} = [
+ (
+ (lib.optionalAttrs (instance.type != "any") {
+ user = instance.owner;
+ includeorgs = [ instance.owner ];
+ include = [ instance.repo ];
+ })
+ // instance.settings
+ )
+ ];
+ };
+ }
+ ))
+ (pkgs.linkFarm "gickup-configuration-files")
+ ];
+ in
+ {
+ description = "Gickup git repository mirroring service for %i";
+ after = [ "network.target" ];
- path = [
- cfg.gitPackage
- cfg.gitLfsPackage
- ];
-
- restartIfChanged = false;
-
- serviceConfig = {
- Type = "oneshot";
- ExecStart = "'${pkgs.gickup}/bin/gickup' '${configDir}/%i.yml'";
- ExecStartPost = "";
-
- User = "gickup";
- Group = "gickup";
-
- BindPaths = lib.optionals (cfg.dataDir != "/var/lib/gickup") [
- "${cfg.dataDir}:/var/lib/gickup"
+ path = [
+ cfg.gitPackage
+ cfg.gitLfsPackage
];
- Slice = "system-gickup.slice";
+ restartIfChanged = false;
- SyslogIdentifier = "gickup-%i";
- StateDirectory = "gickup";
- # WorkingDirectory = "gickup";
- # RuntimeDirectory = "gickup";
- # RuntimeDirectoryMode = "0700";
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = "'${pkgs.gickup}/bin/gickup' '${configDir}/%i.yml'";
+ ExecStartPost = "";
- # https://discourse.nixos.org/t/how-to-prevent-custom-systemd-service-from-restarting-on-nixos-rebuild-switch/43431
- RemainAfterExit = true;
+ User = "gickup";
+ Group = "gickup";
- # Hardening options
- AmbientCapabilities = [];
- LockPersonality = true;
- NoNewPrivileges = true;
- PrivateDevices = true;
- PrivateMounts = true;
- PrivateTmp = true;
- PrivateUsers = true;
- ProcSubset = "pid";
- ProtectClock = true;
- ProtectControlGroups = true;
- ProtectHome = true;
- ProtectHostname = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- # ProtectProc = "invisible";
- # ProtectSystem = "strict";
- RemoveIPC = true;
- RestrictAddressFamilies = [
- "AF_INET"
- "AF_INET6"
- ];
- RestrictNamespaces = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- SystemCallArchitectures = "native";
- # SystemCallFilter = [
- # "@system-service"
- # "~@resources"
- # "~@privileged"
- # ];
- UMask = "0002";
- CapabilityBoundingSet = [];
+ BindPaths = lib.optionals (cfg.dataDir != "/var/lib/gickup") [
+ "${cfg.dataDir}:/var/lib/gickup"
+ ];
+
+ Slice = "system-gickup.slice";
+
+ SyslogIdentifier = "gickup-%i";
+ StateDirectory = "gickup";
+ # WorkingDirectory = "gickup";
+ # RuntimeDirectory = "gickup";
+ # RuntimeDirectoryMode = "0700";
+
+ # https://discourse.nixos.org/t/how-to-prevent-custom-systemd-service-from-restarting-on-nixos-rebuild-switch/43431
+ RemainAfterExit = true;
+
+ # Hardening options
+ AmbientCapabilities = [ ];
+ LockPersonality = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ # ProtectProc = "invisible";
+ # ProtectSystem = "strict";
+ RemoveIPC = true;
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ # SystemCallFilter = [
+ # "@system-service"
+ # "~@resources"
+ # "~@privileged"
+ # ];
+ UMask = "0002";
+ CapabilityBoundingSet = [ ];
+ };
};
- };
};
};
}
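Review bot: The per-instance YAML written by `path = format.generate "gickup-configuration-${name}.yml" { ... }` is a Nix store derivation, so everything merged in from `instance.settings` — including credentials of the kind the option's own example shows with `password = "hunter2"` — ends up world-readable under the store path. If gickup can read a token or password from a file or the environment, the unit could hand it over with `LoadCredential=` or an `EnvironmentFile=` that is root-owned, and the `settings` description should say that values placed there are not secret. On the hardening side, `# ProtectSystem = "strict";` is still commented out although the unit already declares `StateDirectory = "gickup";` and `BindPaths` for its writable locations, so re-enabling it looks feasible and worth testing. The `systemd.services."gickup@"` attribute set is fully inside this hunk, but the enclosing `config` block starts before it.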
diff --git a/modules/gickup/hardlink-files.nix b/modules/gickup/hardlink-files.nix
index c16abf7..6407ca5 100644
--- a/modules/gickup/hardlink-files.nix
+++ b/modules/gickup/hardlink-files.nix
@@ -1,4 +1,9 @@
-{ config, lib, pkgs, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
let
cfg = config.services.gickup;
in
diff --git a/modules/gickup/import-from-toml.nix b/modules/gickup/import-from-toml.nix
index 26b09ca..390c481 100644
--- a/modules/gickup/import-from-toml.nix
+++ b/modules/gickup/import-from-toml.nix
@@ -1,4 +1,9 @@
-{ config, lib, pkgs, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
let
cfg = config.services.gickup;
diff --git a/modules/gickup/set-description.nix b/modules/gickup/set-description.nix
index 745769b..fb79f06 100644
--- a/modules/gickup/set-description.nix
+++ b/modules/gickup/set-description.nix
@@ -1,4 +1,9 @@
-{ config, lib, pkgs, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
let
cfg = config.services.gickup;
in
diff --git a/modules/gickup/update-linktree.nix b/modules/gickup/update-linktree.nix
index 18013ac..ddde283 100644
--- a/modules/gickup/update-linktree.nix
+++ b/modules/gickup/update-linktree.nix
@@ -1,4 +1,9 @@
-{ config, lib, pkgs, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
let
cfg = config.services.gickup;
in
@@ -20,50 +25,52 @@ in
wantedBy = [ "gickup.target" ];
serviceConfig = {
Type = "oneshot";
- ExecStart = let
- script = pkgs.writeShellApplication {
- name = "gickup-update-symlink-tree.sh";
- runtimeInputs = [
- pkgs.coreutils
- pkgs.findutils
- ];
- text = ''
- shopt -s nullglob
+ ExecStart =
+ let
+ script = pkgs.writeShellApplication {
+ name = "gickup-update-symlink-tree.sh";
+ runtimeInputs = [
+ pkgs.coreutils
+ pkgs.findutils
+ ];
+ text = ''
+ shopt -s nullglob
- for repository in ./*/*/*; do
- REPOSITORY_RELATIVE_DIRS=''${repository#"./"}
+ for repository in ./*/*/*; do
+ REPOSITORY_RELATIVE_DIRS=''${repository#"./"}
- echo "Checking $REPOSITORY_RELATIVE_DIRS"
+ echo "Checking $REPOSITORY_RELATIVE_DIRS"
- declare -a REVISIONS
- readarray -t REVISIONS < <(find "$repository" -mindepth 1 -maxdepth 1 -printf "%f\n" | sort --numeric-sort --reverse)
+ declare -a REVISIONS
+ readarray -t REVISIONS < <(find "$repository" -mindepth 1 -maxdepth 1 -printf "%f\n" | sort --numeric-sort --reverse)
- if [[ "''${#REVISIONS[@]}" == 0 ]]; then
- echo "Found no revisions for $repository, continuing"
- continue
- fi
+ if [[ "''${#REVISIONS[@]}" == 0 ]]; then
+ echo "Found no revisions for $repository, continuing"
+ continue
+ fi
- LAST_REVISION="''${REVISIONS[0]}"
- SYMLINK_PATH="../linktree/''${REPOSITORY_RELATIVE_DIRS}"
+ LAST_REVISION="''${REVISIONS[0]}"
+ SYMLINK_PATH="../linktree/''${REPOSITORY_RELATIVE_DIRS}"
- mkdir -p "$(dirname "$SYMLINK_PATH")"
+ mkdir -p "$(dirname "$SYMLINK_PATH")"
- EXPECTED_SYMLINK_TARGET=$(realpath "''${repository}/''${LAST_REVISION}")
- EXISTING_SYMLINK_TARGET=$(realpath "$SYMLINK_PATH" || echo "")
+ EXPECTED_SYMLINK_TARGET=$(realpath "''${repository}/''${LAST_REVISION}")
+ EXISTING_SYMLINK_TARGET=$(realpath "$SYMLINK_PATH" || echo "")
- if [[ "$EXISTING_SYMLINK_TARGET" != "$EXPECTED_SYMLINK_TARGET" ]]; then
- echo "Updating symlink for $REPOSITORY_RELATIVE_DIRS"
- rm "$SYMLINK_PATH" ||:
- ln -rs "$EXPECTED_SYMLINK_TARGET" "$SYMLINK_PATH"
- else
- echo "Symlink already up to date, continuing..."
- fi
+ if [[ "$EXISTING_SYMLINK_TARGET" != "$EXPECTED_SYMLINK_TARGET" ]]; then
+ echo "Updating symlink for $REPOSITORY_RELATIVE_DIRS"
+ rm "$SYMLINK_PATH" ||:
+ ln -rs "$EXPECTED_SYMLINK_TARGET" "$SYMLINK_PATH"
+ else
+ echo "Symlink already up to date, continuing..."
+ fi
- echo "---"
- done
- '';
- };
- in lib.getExe script;
+ echo "---"
+ done
+ '';
+ };
+ in
+ lib.getExe script;
User = "gickup";
Group = "gickup";
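Review bot: `rm "$SYMLINK_PATH" ||:` followed by `ln -rs "$EXPECTED_SYMLINK_TARGET" "$SYMLINK_PATH"` ignores every `rm` failure, and when `$SYMLINK_PATH` is a real directory rather than a link the subsequent `ln` creates the link inside that directory instead of replacing it. A single `ln -rsfn "$EXPECTED_SYMLINK_TARGET" "$SYMLINK_PATH"` replaces an existing link (including one pointing at a directory) in one step and lets the separate `rm` go. The script also addresses repositories as `./*/*/*` and writes to `../linktree/`, so its correctness depends on the unit's working directory, which is not set anywhere in this hunk — worth confirming that it is set in the part of `serviceConfig` that continues past the hunk.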
diff --git a/modules/grzegorz.nix b/modules/grzegorz.nix
index fb0eee9..64ba0dc 100644
--- a/modules/grzegorz.nix
+++ b/modules/grzegorz.nix
@@ -1,10 +1,18 @@
-{config, lib, pkgs, unstablePkgs, values, ...}:
+{
+ config,
+ lib,
+ pkgs,
+ unstablePkgs,
+ values,
+ ...
+}:
let
grg = config.services.greg-ng;
grgw = config.services.grzegorz-webui;
machine = config.networking.hostName;
-in {
+in
+{
services.greg-ng = {
enable = true;
settings.host = "localhost";
@@ -124,4 +132,3 @@ in {
};
};
}
-
diff --git a/modules/matrix-ooye.nix b/modules/matrix-ooye.nix
index 071e8f6..9f9d3c8 100644
--- a/modules/matrix-ooye.nix
+++ b/modules/matrix-ooye.nix
@@ -58,7 +58,8 @@ in
sender_localpart = "${cfg.namespace}bot";
rate_limited = false;
socket = cfg.socket; # Can either be a TCP port or a unix socket path
- url = if (lib.hasPrefix "/" cfg.socket) then "unix:${cfg.socket}" else "http://localhost:${cfg.socket}";
+ url =
+ if (lib.hasPrefix "/" cfg.socket) then "unix:${cfg.socket}" else "http://localhost:${cfg.socket}";
ooye = {
server_name = cfg.homeserverName;
namespace_prefix = cfg.namespace;
@@ -66,7 +67,8 @@ in
content_length_workaround = false;
include_user_id_in_mxid = true;
server_origin = cfg.homeserver;
- bridge_origin = if (cfg.bridgeOrigin == "") then "http://localhost:${cfg.socket}" else cfg.bridgeOrigin;
+ bridge_origin =
+ if (cfg.bridgeOrigin == "") then "http://localhost:${cfg.socket}" else cfg.bridgeOrigin;
};
}
);
diff --git a/modules/robots-txt.nix b/modules/robots-txt.nix
index 0363859..987d004 100644
--- a/modules/robots-txt.nix
+++ b/modules/robots-txt.nix
@@ -1,55 +1,81 @@
-{ config, pkgs, lib, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
let
cfg = config.environment.robots-txt;
robots-txt-format = {
- type = let
- coercedStrToNonEmptyListOfStr = lib.types.coercedTo lib.types.str lib.singleton (lib.types.nonEmptyListOf lib.types.str);
- in lib.types.listOf (lib.types.submodule {
- freeformType = lib.types.attrsOf coercedStrToNonEmptyListOfStr;
- options = {
- pre_comment = lib.mkOption {
- description = "Comment to add before the rule";
- type = lib.types.lines;
- default = "";
- };
- post_comment = lib.mkOption {
- description = "Comment to add after the rule";
- type = lib.types.lines;
- default = "";
- };
- };
- });
+ type =
+ let
+ coercedStrToNonEmptyListOfStr = lib.types.coercedTo lib.types.str lib.singleton (
+ lib.types.nonEmptyListOf lib.types.str
+ );
+ in
+ lib.types.listOf (
+ lib.types.submodule {
+ freeformType = lib.types.attrsOf coercedStrToNonEmptyListOfStr;
+ options = {
+ pre_comment = lib.mkOption {
+ description = "Comment to add before the rule";
+ type = lib.types.lines;
+ default = "";
+ };
+ post_comment = lib.mkOption {
+ description = "Comment to add after the rule";
+ type = lib.types.lines;
+ default = "";
+ };
+ };
+ }
+ );
- generate = name: value: let
- makeComment = comment: lib.pipe comment [
- (lib.splitString "\n")
- (lib.map (line: if line == "" then "#" else "# ${line}"))
- (lib.concatStringsSep "\n")
- ];
+ generate =
+ name: value:
+ let
+ makeComment =
+ comment:
+ lib.pipe comment [
+ (lib.splitString "\n")
+ (lib.map (line: if line == "" then "#" else "# ${line}"))
+ (lib.concatStringsSep "\n")
+ ];
- ruleToString = rule: let
- user_agent = rule.User-agent or [];
- pre_comment = rule.pre_comment;
- post_comment = rule.post_comment;
- rest = builtins.removeAttrs rule [ "User-agent" "pre_comment" "post_comment" ];
- in lib.concatStringsSep "\n" (lib.filter (x: x != null) [
- (if (pre_comment != "") then makeComment pre_comment else null)
- (let
- user-agents = lib.concatMapStringsSep "\n" (value: "User-agent: ${value}") user_agent;
- in
- if user_agent == [] then null else user-agents
- )
- (lib.pipe rest [
- (lib.mapAttrsToList (ruleName: map (value: "${ruleName}: ${value}")))
- lib.concatLists
- (lib.concatStringsSep "\n")
- ])
- (if (post_comment != "") then makeComment post_comment else null)
- ]);
+ ruleToString =
+ rule:
+ let
+ user_agent = rule.User-agent or [ ];
+ pre_comment = rule.pre_comment;
+ post_comment = rule.post_comment;
+ rest = builtins.removeAttrs rule [
+ "User-agent"
+ "pre_comment"
+ "post_comment"
+ ];
+ in
+ lib.concatStringsSep "\n" (
+ lib.filter (x: x != null) [
+ (if (pre_comment != "") then makeComment pre_comment else null)
+ (
+ let
+ user-agents = lib.concatMapStringsSep "\n" (value: "User-agent: ${value}") user_agent;
+ in
+ if user_agent == [ ] then null else user-agents
+ )
+ (lib.pipe rest [
+ (lib.mapAttrsToList (ruleName: map (value: "${ruleName}: ${value}")))
+ lib.concatLists
+ (lib.concatStringsSep "\n")
+ ])
+ (if (post_comment != "") then makeComment post_comment else null)
+ ]
+ );
- content = lib.concatMapStringsSep "\n\n" ruleToString value;
- in pkgs.writeText name content;
+ content = lib.concatMapStringsSep "\n\n" ruleToString value;
+ in
+ pkgs.writeText name content;
};
in
{
@@ -58,36 +84,50 @@ in
description = ''
Different instances of robots.txt to use with web services.
'';
- type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
- options = {
- enable = lib.mkEnableOption "this instance of robots.txt" // {
- default = true;
- };
+ type = lib.types.attrsOf (
+ lib.types.submodule (
+ { name, ... }:
+ {
+ options = {
+ enable = lib.mkEnableOption "this instance of robots.txt" // {
+ default = true;
+ };
- path = lib.mkOption {
- description = "The resulting path of the dir containing the robots.txt file";
- type = lib.types.path;
- readOnly = true;
- default = "/etc/robots-txt/${name}";
- };
+ path = lib.mkOption {
+ description = "The resulting path of the dir containing the robots.txt file";
+ type = lib.types.path;
+ readOnly = true;
+ default = "/etc/robots-txt/${name}";
+ };
- rules = lib.mkOption {
- description = "Rules to include in robots.txt";
- default = [ ];
- example = [
- { User-agent = "Googlebot"; Disallow = "/no-googlebot"; }
- { User-agent = "Bingbot"; Disallow = [ "/no-bingbot" "/no-bingbot2" ]; }
- ];
- type = robots-txt-format.type;
- };
+ rules = lib.mkOption {
+ description = "Rules to include in robots.txt";
+ default = [ ];
+ example = [
+ {
+ User-agent = "Googlebot";
+ Disallow = "/no-googlebot";
+ }
+ {
+ User-agent = "Bingbot";
+ Disallow = [
+ "/no-bingbot"
+ "/no-bingbot2"
+ ];
+ }
+ ];
+ type = robots-txt-format.type;
+ };
- virtualHost = lib.mkOption {
- description = "An nginx virtual host to add the robots.txt to";
- type = lib.types.nullOr lib.types.str;
- default = null;
- };
- };
- }));
+ virtualHost = lib.mkOption {
+ description = "An nginx virtual host to add the robots.txt to";
+ type = lib.types.nullOr lib.types.str;
+ default = null;
+ };
+ };
+ }
+ )
+ );
};
config = {
@@ -98,19 +138,21 @@ in
services.nginx.virtualHosts = lib.pipe cfg [
(lib.filterAttrs (_: value: value.virtualHost != null))
- (lib.mapAttrs' (name: value: {
- name = value.virtualHost;
- value = {
- locations = {
- "= /robots.txt" = {
- extraConfig = ''
- add_header Content-Type text/plain;
- '';
- root = cfg.${name}.path;
+ (lib.mapAttrs' (
+ name: value: {
+ name = value.virtualHost;
+ value = {
+ locations = {
+ "= /robots.txt" = {
+ extraConfig = ''
+ add_header Content-Type text/plain;
+ '';
+ root = cfg.${name}.path;
+ };
};
};
- };
- }))
+ }
+ ))
];
};
}
diff --git a/modules/rsync-pull-targets.nix b/modules/rsync-pull-targets.nix
index 79ce537..9fea167 100644
--- a/modules/rsync-pull-targets.nix
+++ b/modules/rsync-pull-targets.nix
@@ -1,4 +1,9 @@
-{ config, lib, pkgs, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
let
cfg = config.services.rsync-pull-targets;
in
@@ -9,116 +14,121 @@ in
rrsyncPackage = lib.mkPackageOption pkgs "rrsync" { };
locations = lib.mkOption {
- type = lib.types.attrsOf (lib.types.submodule ({ name, ... }@submoduleArgs: {
- options = {
- enable = lib.mkEnableOption "" // {
- default = true;
- example = false;
- };
+ type = lib.types.attrsOf (
+ lib.types.submodule (
+ { name, ... }@submoduleArgs:
+ {
+ options = {
+ enable = lib.mkEnableOption "" // {
+ default = true;
+ example = false;
+ };
- user = lib.mkOption {
- type = lib.types.str;
- description = "Which user to use as SSH login";
- example = "root";
- };
+ user = lib.mkOption {
+ type = lib.types.str;
+ description = "Which user to use as SSH login";
+ example = "root";
+ };
- location = lib.mkOption {
- type = lib.types.path;
- default = name;
- defaultText = lib.literalExpression "";
- example = "/path/to/rsyncable/item";
- };
+ location = lib.mkOption {
+ type = lib.types.path;
+ default = name;
+ defaultText = lib.literalExpression "";
+ example = "/path/to/rsyncable/item";
+ };
- # TODO: handle autogeneration of keys
- # autoGenerateSSHKeypair = lib.mkOption {
- # type = lib.types.bool;
- # default = config.publicKey == null;
- # defaultText = lib.literalExpression "config.services.rsync-pull-targets..publicKey != null";
- # example = true;
- # };
+ # TODO: handle autogeneration of keys
+ # autoGenerateSSHKeypair = lib.mkOption {
+ # type = lib.types.bool;
+ # default = config.publicKey == null;
+ # defaultText = lib.literalExpression "config.services.rsync-pull-targets..publicKey != null";
+ # example = true;
+ # };
- publicKey = lib.mkOption {
- type = lib.types.str;
- # type = lib.types.nullOr lib.types.str;
- # default = null;
- example = "ssh-ed25519 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA comment";
- };
+ publicKey = lib.mkOption {
+ type = lib.types.str;
+ # type = lib.types.nullOr lib.types.str;
+ # default = null;
+ example = "ssh-ed25519 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA comment";
+ };
- rrsyncPackage = lib.mkPackageOption pkgs "rrsync" { } // {
- default = cfg.rrsyncPackage;
- defaultText = lib.literalExpression "config.services.rsync-pull-targets.rrsyncPackage";
- };
+ rrsyncPackage = lib.mkPackageOption pkgs "rrsync" { } // {
+ default = cfg.rrsyncPackage;
+ defaultText = lib.literalExpression "config.services.rsync-pull-targets.rrsyncPackage";
+ };
- enableRecommendedHardening = lib.mkEnableOption "a commonly used security profile for authorizedKeys attributes and rrsync args";
+ enableRecommendedHardening = lib.mkEnableOption "a commonly used security profile for authorizedKeys attributes and rrsync args";
- rrsyncArgs = {
- ro = lib.mkEnableOption "" // {
- description = "Allow only reading from the DIR. Implies -no-del and -no-lock.";
+ rrsyncArgs = {
+ ro = lib.mkEnableOption "" // {
+ description = "Allow only reading from the DIR. Implies -no-del and -no-lock.";
+ };
+ wo = lib.mkEnableOption "" // {
+ description = "Allow only writing to the DIR.";
+ };
+ munge = lib.mkEnableOption "" // {
+ description = "Enable rsync's --munge-links on the server side.";
+ # TODO: set a default?
+ };
+ no-del = lib.mkEnableOption "" // {
+ description = "Disable rsync's --delete* and --remove* options.";
+ default = submoduleArgs.config.enableRecommendedHardening;
+ defaultText = lib.literalExpression "config.services.rsync-pull-targets..enableRecommendedHardening";
+ };
+ no-lock = lib.mkEnableOption "" // {
+ description = "Avoid the single-run (per-user) lock check.";
+ default = submoduleArgs.config.enableRecommendedHardening;
+ defaultText = lib.literalExpression "config.services.rsync-pull-targets..enableRecommendedHardening";
+ };
+ no-overwrite = lib.mkEnableOption "" // {
+ description = "Prevent overwriting existing files by enforcing --ignore-existing";
+ default = submoduleArgs.config.enableRecommendedHardening;
+ defaultText = lib.literalExpression "config.services.rsync-pull-targets..enableRecommendedHardening";
+ };
+ };
+
+ authorizedKeysAttrs = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ default = lib.optionals submoduleArgs.config.enableRecommendedHardening [
+ "restrict"
+ "no-agent-forwarding"
+ "no-port-forwarding"
+ "no-pty"
+ "no-X11-forwarding"
+ ];
+ defaultText = lib.literalExpression ''
+ lib.optionals config.services.rsync-pull-targets..enableRecommendedHardening [
+ "restrict"
+ "no-agent-forwarding"
+ "no-port-forwarding"
+ "no-pty"
+ "no-X11-forwarding"
+ ]
+ '';
+ example = [
+ "restrict"
+ "no-agent-forwarding"
+ "no-port-forwarding"
+ "no-pty"
+ "no-X11-forwarding"
+ ];
+ };
};
- wo = lib.mkEnableOption "" // {
- description = "Allow only writing to the DIR.";
- };
- munge = lib.mkEnableOption "" // {
- description = "Enable rsync's --munge-links on the server side.";
- # TODO: set a default?
- };
- no-del = lib.mkEnableOption "" // {
- description = "Disable rsync's --delete* and --remove* options.";
- default = submoduleArgs.config.enableRecommendedHardening;
- defaultText = lib.literalExpression "config.services.rsync-pull-targets..enableRecommendedHardening";
- };
- no-lock = lib.mkEnableOption "" // {
- description = "Avoid the single-run (per-user) lock check.";
- default = submoduleArgs.config.enableRecommendedHardening;
- defaultText = lib.literalExpression "config.services.rsync-pull-targets..enableRecommendedHardening";
- };
- no-overwrite = lib.mkEnableOption "" // {
- description = "Prevent overwriting existing files by enforcing --ignore-existing";
- default = submoduleArgs.config.enableRecommendedHardening;
- defaultText = lib.literalExpression "config.services.rsync-pull-targets..enableRecommendedHardening";
- };
- };
-
- authorizedKeysAttrs = lib.mkOption {
- type = lib.types.listOf lib.types.str;
- default = lib.optionals submoduleArgs.config.enableRecommendedHardening [
- "restrict"
- "no-agent-forwarding"
- "no-port-forwarding"
- "no-pty"
- "no-X11-forwarding"
- ];
- defaultText = lib.literalExpression ''
- lib.optionals config.services.rsync-pull-targets..enableRecommendedHardening [
- "restrict"
- "no-agent-forwarding"
- "no-port-forwarding"
- "no-pty"
- "no-X11-forwarding"
- ]
- '';
- example = [
- "restrict"
- "no-agent-forwarding"
- "no-port-forwarding"
- "no-pty"
- "no-X11-forwarding"
- ];
- };
- };
- }));
+ }
+ )
+ );
};
};
config = lib.mkIf cfg.enable {
# assertions = lib.pipe cfg.locations [
# (lib.filterAttrs (_: value: value.enable))
- # TODO: assert that there are no duplicate (user, publicKey) pairs.
- # if there are then ssh won't know which command to provide and might provide a random one, not sure.
- # (lib.mapAttrsToList (_: { user, location, publicKey, ... }: {
- # assertion =
- # message = "";
- # })
+ # TODO: assert that there are no duplicate (user, publicKey) pairs.
+ # if there are then ssh won't know which command to provide and might provide a random one, not sure.
+ # (lib.mapAttrsToList (_: { user, location, publicKey, ... }: {
+ # assertion =
+ # message = "";
+ # })
# ];
services.openssh.enable = true;
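Review bot: `enableRecommendedHardening` is declared with `lib.mkEnableOption`, so it defaults to false; a location's key is then installed without `restrict`, `no-port-forwarding` and `no-pty`, and rrsync's `no-del`/`no-overwrite` are off, unless the administrator remembers to opt in. For a key whose only purpose is an rsync pull the hardened profile is the safe default, e.g. `enableRecommendedHardening = lib.mkEnableOption "a commonly used security profile for authorizedKeys attributes and rrsync args" // { default = true; };`. The `locations` option itself is complete within this hunk; the `options` block it belongs to starts before it.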
@@ -128,19 +138,36 @@ in
lib.attrValues
# Index locations by SSH user
- (lib.foldl (acc: location: acc // {
- ${location.user} = (acc.${location.user} or [ ]) ++ [ location ];
- }) { })
+ (lib.foldl (
+ acc: location:
+ acc
+ // {
+ ${location.user} = (acc.${location.user} or [ ]) ++ [ location ];
+ }
+ ) { })
- (lib.mapAttrs (_name: locations: {
- openssh.authorizedKeys.keys = map ({ user, location, rrsyncPackage, rrsyncArgs, authorizedKeysAttrs, publicKey, ... }: let
- rrsyncArgString = lib.cli.toCommandLineShellGNU {
- isLong = _: false;
- } rrsyncArgs;
- # TODO: handle " in location
- in "command=\"${lib.getExe rrsyncPackage} ${rrsyncArgString} ${location}\",${lib.concatStringsSep "," authorizedKeysAttrs} ${publicKey}"
- ) locations;
- }))
+ (lib.mapAttrs (
+ _name: locations: {
+ openssh.authorizedKeys.keys = map (
+ {
+ user,
+ location,
+ rrsyncPackage,
+ rrsyncArgs,
+ authorizedKeysAttrs,
+ publicKey,
+ ...
+ }:
+ let
+ rrsyncArgString = lib.cli.toCommandLineShellGNU {
+ isLong = _: false;
+ } rrsyncArgs;
+ # TODO: handle " in location
+ in
+ "command=\"${lib.getExe rrsyncPackage} ${rrsyncArgString} ${location}\",${lib.concatStringsSep "," authorizedKeysAttrs} ${publicKey}"
+ ) locations;
+ }
+ ))
];
};
}
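Review bot: `location` is still spliced unescaped into the `command="…"` option on the new side's `in "command=\"…"` line (the `# TODO: handle " in location` comment just above it records this), so a location containing `"`, whitespace or shell metacharacters either produces a malformed authorized_keys line or alters the forced command, whereas `rrsyncArgs` already goes through `toCommandLineShellGNU`. The value passes through sshd's double-quoted option parser and then a shell, so it needs escaping for both layers, e.g. `${lib.replaceStrings [ "\"" ] [ "\\\"" ] (lib.escapeShellArg location)}` in place of `${location}`; as I read sshd's option parsing, `\"` inside a quoted option becomes a literal quote, and the single-quoted form keeps the shell from interpreting the path. The `authorizedKeysAttrs` joined with `,` are likewise inserted verbatim; they come from module options rather than remote input, but an assertion that none contains `,` or `"` would keep the line well-formed. The enclosing `users.users` pipe starts outside the hunk.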
diff --git a/modules/snakeoil-certs.nix b/modules/snakeoil-certs.nix
index 61f086a..7a432ff 100644
--- a/modules/snakeoil-certs.nix
+++ b/modules/snakeoil-certs.nix
@@ -1,4 +1,9 @@
-{ config, pkgs, lib, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
let
cfg = config.environment.snakeoil-certs;
in
@@ -6,72 +11,82 @@ in
options.environment.snakeoil-certs = lib.mkOption {
default = { };
description = "Self signed certs, which are rotated regularly";
- type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
- options = {
- owner = lib.mkOption {
- type = lib.types.str;
- default = "root";
- };
- group = lib.mkOption {
- type = lib.types.str;
- default = "root";
- };
- mode = lib.mkOption {
- type = lib.types.str;
- default = "0660";
- };
- daysValid = lib.mkOption {
- type = lib.types.str;
- default = "90";
- };
- extraOpenSSLArgs = lib.mkOption {
- type = with lib.types; listOf str;
- default = [ ];
- };
- certificate = lib.mkOption {
- type = lib.types.str;
- default = "${name}.crt";
- };
- certificateKey = lib.mkOption {
- type = lib.types.str;
- default = "${name}.key";
- };
- subject = lib.mkOption {
- type = lib.types.str;
- default = "/C=NO/O=Programvareverkstedet/CN=*.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
- };
- };
- }));
+ type = lib.types.attrsOf (
+ lib.types.submodule (
+ { name, ... }:
+ {
+ options = {
+ owner = lib.mkOption {
+ type = lib.types.str;
+ default = "root";
+ };
+ group = lib.mkOption {
+ type = lib.types.str;
+ default = "root";
+ };
+ mode = lib.mkOption {
+ type = lib.types.str;
+ default = "0660";
+ };
+ daysValid = lib.mkOption {
+ type = lib.types.str;
+ default = "90";
+ };
+ extraOpenSSLArgs = lib.mkOption {
+ type = with lib.types; listOf str;
+ default = [ ];
+ };
+ certificate = lib.mkOption {
+ type = lib.types.str;
+ default = "${name}.crt";
+ };
+ certificateKey = lib.mkOption {
+ type = lib.types.str;
+ default = "${name}.key";
+ };
+ subject = lib.mkOption {
+ type = lib.types.str;
+ default = "/C=NO/O=Programvareverkstedet/CN=*.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
+ };
+ };
+ }
+ )
+ );
};
config = {
systemd.services."generate-snakeoil-certs" = {
enable = true;
serviceConfig.Type = "oneshot";
- script = let
- openssl = lib.getExe pkgs.openssl;
- in lib.concatMapStringsSep "\n" ({ name, value }: ''
- mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}")
- if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate}
- then
- echo "Regenerating '${value.certificate}'"
- ${openssl} req \
- -newkey rsa:4096 \
- -new -x509 \
- -days "${toString value.daysValid}" \
- -nodes \
- -subj "${value.subject}" \
- -out "${value.certificate}" \
- -keyout "${value.certificateKey}" \
- ${lib.escapeShellArgs value.extraOpenSSLArgs}
- fi
- chown "${value.owner}:${value.group}" "${value.certificate}"
- chown "${value.owner}:${value.group}" "${value.certificateKey}"
- chmod "${value.mode}" "${value.certificate}"
- chmod "${value.mode}" "${value.certificateKey}"
+ script =
+ let
+ openssl = lib.getExe pkgs.openssl;
+ in
+ lib.concatMapStringsSep "\n" (
+ { name, value }:
+ ''
+ mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}")
+ if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate}
+ then
+ echo "Regenerating '${value.certificate}'"
+ ${openssl} req \
+ -newkey rsa:4096 \
+ -new -x509 \
+ -days "${toString value.daysValid}" \
+ -nodes \
+ -subj "${value.subject}" \
+ -out "${value.certificate}" \
+ -keyout "${value.certificateKey}" \
+ ${lib.escapeShellArgs value.extraOpenSSLArgs}
+ fi
+ chown "${value.owner}:${value.group}" "${value.certificate}"
+ chown "${value.owner}:${value.group}" "${value.certificateKey}"
+ chmod "${value.mode}" "${value.certificate}"
+ chmod "${value.mode}" "${value.certificateKey}"
- echo "\n-----------------\n"
- '') (lib.attrsToList cfg);
+ echo "\n-----------------\n"
+ ''
+ ) (lib.attrsToList cfg);
};
systemd.timers."generate-snakeoil-certs" = {
wantedBy = [ "timers.target" ];
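Review bot: The private key written by `-keyout "${value.certificateKey}"` gets the same `mode` as the certificate on the `chmod "${value.mode}" "${value.certificateKey}"` line (default `"0660"` from the `options` block in this hunk), so it ends up group-writable regardless of the mode openssl created it with. A separate `keyMode` option defaulting to `"0600"` (or `"0640"` where a service group must read it) used only on the key's `chmod` line would match the usual split between public certificate and private key. The `x509 -checkend` line also passes `-in ${value.certificate}` unquoted while every other use of the path is quoted; `-in "${value.certificate}"` keeps a path with spaces from word-splitting. Minor: `echo "\n-----------------\n"` prints the backslashes literally under bash's builtin echo, so `printf '\n-----------------\n\n'` would be needed for the intended blank lines, and `daysValid` is declared `lib.types.str` but only ever used as a number, so `lib.types.ints.positive` would reject bad input at evaluation time instead of inside `openssl req`.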
diff --git a/modules/snappymail.nix b/modules/snappymail.nix
index 33a8107..2aadcde 100644
--- a/modules/snappymail.nix
+++ b/modules/snappymail.nix
@@ -1,11 +1,26 @@
-{ config, pkgs, lib, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
let
- inherit (lib) mkDefault mkEnableOption mkForce mkIf mkOption mkPackageOption generators types;
+ inherit (lib)
+ mkDefault
+ mkEnableOption
+ mkForce
+ mkIf
+ mkOption
+ mkPackageOption
+ generators
+ types
+ ;
cfg = config.services.snappymail;
maxUploadSize = "256M";
-in {
+in
+{
options.services.snappymail = {
enable = mkEnableOption "Snappymail";
@@ -48,13 +63,13 @@ in {
};
users.groups = mkIf (cfg.group == "snappymail") {
- snappymail = {};
+ snappymail = { };
};
services.phpfpm.pools.snappymail = {
user = cfg.user;
group = cfg.group;
- phpOptions = generators.toKeyValue {} {
+ phpOptions = generators.toKeyValue { } {
upload_max_filesize = maxUploadSize;
post_max_size = maxUploadSize;
memory_limit = maxUploadSize;
@@ -91,13 +106,14 @@ in {
client_max_body_size ${maxUploadSize};
'';
- root = if (cfg.package == pkgs.snappymail) then
- pkgs.snappymail.override {
- dataPath = cfg.dataDir;
- }
- else cfg.package;
+ root =
+ if (cfg.package == pkgs.snappymail) then
+ pkgs.snappymail.override {
+ dataPath = cfg.dataDir;
+ }
+ else
+ cfg.package;
};
};
};
}
-
diff --git a/packages/bluemap.nix b/packages/bluemap.nix
index 41337e9..f11ab27 100644
--- a/packages/bluemap.nix
+++ b/packages/bluemap.nix
@@ -1,4 +1,10 @@
-{ lib, stdenvNoCC, fetchurl, makeWrapper, jre }:
+{
+ lib,
+ stdenvNoCC,
+ fetchurl,
+ makeWrapper,
+ jre,
+}:
stdenvNoCC.mkDerivation rec {
pname = "bluemap";
diff --git a/packages/mediawiki-extensions/default.nix b/packages/mediawiki-extensions/default.nix
index d5b4ca4..a7ec706 100644
--- a/packages/mediawiki-extensions/default.nix
+++ b/packages/mediawiki-extensions/default.nix
@@ -1,31 +1,33 @@
{ pkgs, lib }:
let
- kebab-case-name = project-name: lib.pipe project-name [
- (builtins.replaceStrings
- lib.upperChars
- (map (x: "-${x}") lib.lowerChars)
- )
- (lib.removePrefix "-")
- ];
+ kebab-case-name =
+ project-name:
+ lib.pipe project-name [
+ (builtins.replaceStrings lib.upperChars (map (x: "-${x}") lib.lowerChars))
+ (lib.removePrefix "-")
+ ];
- mw-ext = {
- name
- , commit
- , hash
- , tracking-branch ? "REL1_44"
- , kebab-name ? kebab-case-name name
- , fetchgit ? pkgs.fetchgit
- }:
- {
- ${name} = (fetchgit {
- name = "mediawiki-${kebab-name}-source";
- url = "https://gerrit.wikimedia.org/r/mediawiki/extensions/${name}";
- rev = commit;
- inherit hash;
- }).overrideAttrs (_: {
- passthru = { inherit name kebab-name tracking-branch; };
- });
- };
+ mw-ext =
+ {
+ name,
+ commit,
+ hash,
+ tracking-branch ? "REL1_44",
+ kebab-name ? kebab-case-name name,
+ fetchgit ? pkgs.fetchgit,
+ }:
+ {
+ ${name} =
+ (fetchgit {
+ name = "mediawiki-${kebab-name}-source";
+ url = "https://gerrit.wikimedia.org/r/mediawiki/extensions/${name}";
+ rev = commit;
+ inherit hash;
+ }).overrideAttrs
+ (_: {
+ passthru = { inherit name kebab-name tracking-branch; };
+ });
+ };
in
# NOTE: to add another extension, you can add an mw-ext expression
# with an empty (or even wrong) commit and empty hash, and
diff --git a/packages/simplesamlphp/default.nix b/packages/simplesamlphp/default.nix
index 90415fb..d885fa4 100644
--- a/packages/simplesamlphp/default.nix
+++ b/packages/simplesamlphp/default.nix
@@ -1,8 +1,9 @@
-{ lib
-, php
-, writeText
-, fetchFromGitHub
-, extra_files ? { }
+{
+ lib,
+ php,
+ writeText,
+ fetchFromGitHub,
+ extra_files ? { },
}:
@@ -25,10 +26,12 @@ php.buildComposerProject rec {
# - https://simplesamlphp.org/docs/contrib_modules/metarefresh/simplesamlphp-automated_metadata.html
# - https://idp.pvv.ntnu.no/simplesaml/saml2/idp/metadata.php
postPatch = lib.pipe extra_files [
- (lib.mapAttrsToList (target_path: source_path: ''
- mkdir -p $(dirname "${target_path}")
- cp -r "${source_path}" "${target_path}"
- ''))
+ (lib.mapAttrsToList (
+ target_path: source_path: ''
+ mkdir -p $(dirname "${target_path}")
+ cp -r "${source_path}" "${target_path}"
+ ''
+ ))
lib.concatLines
];
diff --git a/shell.nix b/shell.nix
index 44c4e38..08ceb57 100644
--- a/shell.nix
+++ b/shell.nix
@@ -1,4 +1,6 @@
-{ pkgs ? import {} }:
+{
+ pkgs ? import { },
+}:
pkgs.mkShellNoCC {
packages = with pkgs; [
disko
diff --git a/topology/default.nix b/topology/default.nix
index 7611e63..6d44604 100644
--- a/topology/default.nix
+++ b/topology/default.nix
@@ -1,14 +1,21 @@
-{ config, pkgs, lib, values, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ values,
+ ...
+}:
let
- inherit
- (config.lib.topology)
+ inherit (config.lib.topology)
mkInternet
mkRouter
mkSwitch
mkDevice
mkConnection
- mkConnectionRev;
-in {
+ mkConnectionRev
+ ;
+in
+{
imports = [
./non-nixos-machines.nix
];
@@ -41,7 +48,14 @@ in {
};
nodes.ntnu = mkRouter "NTNU" {
- interfaceGroups = [ ["wan1"] ["eth1" "eth2" "eth3"] ];
+ interfaceGroups = [
+ [ "wan1" ]
+ [
+ "eth1"
+ "eth2"
+ "eth3"
+ ]
+ ];
connections.eth1 = mkConnection "ntnu-pvv-router" "wan1";
connections.eth2 = mkConnection "ntnu-veggen" "wan1";
connections.eth3 = mkConnection "stackit" "*";
@@ -51,7 +65,10 @@ in {
### Brus
nodes.ntnu-pvv-router = mkRouter "NTNU PVV Gateway" {
- interfaceGroups = [ ["wan1"] ["eth1"] ];
+ interfaceGroups = [
+ [ "wan1" ]
+ [ "eth1" ]
+ ];
connections.eth1 = mkConnection "knutsen" "em1";
interfaces.eth1.network = "ntnu";
};
@@ -59,7 +76,11 @@ in {
nodes.knutsen = mkRouter "knutsen" {
deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/freebsd.svg";
- interfaceGroups = [ ["em0"] ["em1"] ["vpn1"] ];
+ interfaceGroups = [
+ [ "em0" ]
+ [ "em1" ]
+ [ "vpn1" ]
+ ];
connections.em0 = mkConnection "nintendo" "eth0";
@@ -73,36 +94,36 @@ in {
};
nodes.nintendo = mkSwitch "Nintendo (brus switch)" {
- interfaceGroups = [ (lib.genList (i: "eth${toString i}") 16) ];
+ interfaceGroups = [ (lib.genList (i: "eth${toString i}") 16) ];
- connections = let
- connections' = [
- (mkConnection "bekkalokk" "enp2s0")
- # (mkConnection "bicep" "enp6s0f0") # NOTE: physical machine is dead at the moment
- (mkConnection "buskerud" "eth1")
- # (mkConnection "knutsen" "eth1")
- (mkConnection "powerpuff-cluster" "eth1")
- (mkConnection "powerpuff-cluster" "eth2")
- (mkConnection "powerpuff-cluster" "eth3")
- (mkConnection "lupine-1" "enp0s31f6")
- (mkConnection "lupine-2" "enp0s31f6")
- (mkConnection "lupine-3" "enp0s31f6")
- (mkConnection "lupine-4" "enp0s31f6")
- (mkConnection "lupine-5" "enp0s31f6")
- (mkConnection "innovation" "em0")
- (mkConnection "microbel" "eth0")
- (mkConnection "isvegg" "eth0")
- (mkConnection "ameno" "eth0")
- (mkConnection "sleipner" "eno0")
- ];
- in
- assert (lib.length connections' <= 15);
- builtins.listToAttrs (
- lib.zipListsWith
- (a: b: lib.nameValuePair a b)
- (lib.genList (i: "eth${toString (i + 1)}") 15)
- connections'
- );
+ connections =
+ let
+ connections' = [
+ (mkConnection "bekkalokk" "enp2s0")
+ # (mkConnection "bicep" "enp6s0f0") # NOTE: physical machine is dead at the moment
+ (mkConnection "buskerud" "eth1")
+ # (mkConnection "knutsen" "eth1")
+ (mkConnection "powerpuff-cluster" "eth1")
+ (mkConnection "powerpuff-cluster" "eth2")
+ (mkConnection "powerpuff-cluster" "eth3")
+ (mkConnection "lupine-1" "enp0s31f6")
+ (mkConnection "lupine-2" "enp0s31f6")
+ (mkConnection "lupine-3" "enp0s31f6")
+ (mkConnection "lupine-4" "enp0s31f6")
+ (mkConnection "lupine-5" "enp0s31f6")
+ (mkConnection "innovation" "em0")
+ (mkConnection "microbel" "eth0")
+ (mkConnection "isvegg" "eth0")
+ (mkConnection "ameno" "eth0")
+ (mkConnection "sleipner" "eno0")
+ ];
+ in
+ assert (lib.length connections' <= 15);
+ builtins.listToAttrs (
+ lib.zipListsWith (a: b: lib.nameValuePair a b) (lib.genList (
+ i: "eth${toString (i + 1)}"
+ ) 15) connections'
+ );
};
nodes.bekkalokk.hardware.info = "Supermicro X9SCL/X9SCM";
@@ -141,7 +162,13 @@ in {
hardware.info = "Dell PowerEdge R730 x 3";
- interfaceGroups = [ [ "eth1" "eth2" "eth3" ] ];
+ interfaceGroups = [
+ [
+ "eth1"
+ "eth2"
+ "eth3"
+ ]
+ ];
services = {
proxmox = {
@@ -199,14 +226,21 @@ in {
### PVV
nodes.ntnu-veggen = mkRouter "NTNU-Veggen" {
- interfaceGroups = [ ["wan1"] ["eth1"] ];
+ interfaceGroups = [
+ [ "wan1" ]
+ [ "eth1" ]
+ ];
connections.eth1 = mkConnection "ludvigsen" "re0";
};
nodes.ludvigsen = mkRouter "ludvigsen" {
deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/freebsd.svg";
- interfaceGroups = [ [ "re0" ] [ "em0" ] [ "vpn1" ] ];
+ interfaceGroups = [
+ [ "re0" ]
+ [ "em0" ]
+ [ "vpn1" ]
+ ];
connections.em0 = mkConnection "pvv-switch" "eth0";
@@ -219,31 +253,30 @@ in {
};
nodes.pvv-switch = mkSwitch "PVV Switch (Terminalrommet)" {
- interfaceGroups = [ (lib.genList (i: "eth${toString i}") 16) ];
- connections = let
- connections' = [
- (mkConnection "brzeczyszczykiewicz" "eno1")
- (mkConnection "georg" "eno1")
- (mkConnection "wegonke" "enp4s0")
- (mkConnection "demiurgen" "eno1")
- (mkConnection "sanctuary" "ethernet_0")
- (mkConnection "torskas" "eth0")
- (mkConnection "skrott" "eth0")
- (mkConnection "homeassistant" "eth0")
- (mkConnection "orchid" "eth0")
- (mkConnection "principal" "em0")
- ];
- in
- assert (lib.length connections' <= 15);
- builtins.listToAttrs (
- lib.zipListsWith
- (a: b: lib.nameValuePair a b)
- (lib.genList (i: "eth${toString (i + 1)}") 15)
- connections'
- );
+ interfaceGroups = [ (lib.genList (i: "eth${toString i}") 16) ];
+ connections =
+ let
+ connections' = [
+ (mkConnection "brzeczyszczykiewicz" "eno1")
+ (mkConnection "georg" "eno1")
+ (mkConnection "wegonke" "enp4s0")
+ (mkConnection "demiurgen" "eno1")
+ (mkConnection "sanctuary" "ethernet_0")
+ (mkConnection "torskas" "eth0")
+ (mkConnection "skrott" "eth0")
+ (mkConnection "homeassistant" "eth0")
+ (mkConnection "orchid" "eth0")
+ (mkConnection "principal" "em0")
+ ];
+ in
+ assert (lib.length connections' <= 15);
+ builtins.listToAttrs (
+ lib.zipListsWith (a: b: lib.nameValuePair a b) (lib.genList (
+ i: "eth${toString (i + 1)}"
+ ) 15) connections'
+ );
};
-
### Openstack
nodes.stackit = mkDevice "stackit" {
diff --git a/topology/non-nixos-machines.nix b/topology/non-nixos-machines.nix
index 10b12e6..90f58fe 100644
--- a/topology/non-nixos-machines.nix
+++ b/topology/non-nixos-machines.nix
@@ -1,7 +1,14 @@
-{ config, pkgs, lib, values, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ values,
+ ...
+}:
let
inherit (config.lib.topology) mkDevice;
-in {
+in
+{
nodes.balduzius = mkDevice "balduzius" {
guestType = "proxmox";
parent = config.nodes.powerpuff-cluster.id;
@@ -108,7 +115,12 @@ in {
hardware.info = "Supermicro X8ST3";
- interfaceGroups = [ [ "eth0" "eth1" ] ];
+ interfaceGroups = [
+ [
+ "eth0"
+ "eth1"
+ ]
+ ];
interfaces.eth0 = {
mac = "00:25:90:24:76:2c";
addresses = [
@@ -215,7 +227,12 @@ in {
nodes.sleipner = mkDevice "sleipner" {
deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/debian.svg";
- interfaceGroups = [ [ "eno0" "enp2s0" ] ];
+ interfaceGroups = [
+ [
+ "eno0"
+ "enp2s0"
+ ]
+ ];
interfaces.enp2s0 = {
mac = "00:25:90:57:35:8e";
addresses = [
diff --git a/topology/service-extractors/gitea-runners.nix b/topology/service-extractors/gitea-runners.nix
index 8310478..b160ece 100644
--- a/topology/service-extractors/gitea-runners.nix
+++ b/topology/service-extractors/gitea-runners.nix
@@ -1,4 +1,9 @@
-{ config, unstablePkgs, lib, ... }:
+{
+ config,
+ unstablePkgs,
+ lib,
+ ...
+}:
let
cfg = config.services.gitea-actions-runner;
in
diff --git a/topology/service-extractors/greg-ng.nix b/topology/service-extractors/greg-ng.nix
index ce81279..4f8d9f2 100644
--- a/topology/service-extractors/greg-ng.nix
+++ b/topology/service-extractors/greg-ng.nix
@@ -6,6 +6,8 @@ in
config.topology.self.services.greg-ng = lib.mkIf cfg.enable {
name = "Greg-ng";
icon = ../icons/greg-ng.png;
- details.listen = { text = "${cfg.settings.host}:${toString cfg.settings.port}"; };
+ details.listen = {
+ text = "${cfg.settings.host}:${toString cfg.settings.port}";
+ };
};
}
diff --git a/topology/service-extractors/mysql.nix b/topology/service-extractors/mysql.nix
index 5a1076e..e440acc 100644
--- a/topology/service-extractors/mysql.nix
+++ b/topology/service-extractors/mysql.nix
@@ -1,4 +1,9 @@
-{ config, unstablePkgs, lib, ... }:
+{
+ config,
+ unstablePkgs,
+ lib,
+ ...
+}:
let
cfg = config.services.mysql;
cfgBak = config.services.mysqlBackup;
@@ -8,7 +13,9 @@ in
name = "MySQL";
icon = "${unstablePkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/mysql.svg";
- details.listen.text = "${cfg.settings.mysqld.bind-address or "127.0.0.1"}:${toString (cfg.settings.mysqld.port or 3306)}";
+ details.listen.text = "${cfg.settings.mysqld.bind-address or "127.0.0.1"}:${
+ toString (cfg.settings.mysqld.port or 3306)
+ }";
details.socket.text = cfg.settings.mysqld.socket or "/run/mysqld/mysqld.sock";
details.type.text = cfg.package.pname;
details.dataDir.text = cfg.dataDir;
diff --git a/topology/service-extractors/postgresql.nix b/topology/service-extractors/postgresql.nix
index 364f484..2326c17 100644
--- a/topology/service-extractors/postgresql.nix
+++ b/topology/service-extractors/postgresql.nix
@@ -1,4 +1,9 @@
-{ config, unstablePkgs, lib, ... }:
+{
+ config,
+ unstablePkgs,
+ lib,
+ ...
+}:
let
cfg = config.services.postgresql;
cfgBak = config.services.postgresqlBackup;
diff --git a/users/albertba.nix b/users/albertba.nix
index 462554f..772fbbd 100644
--- a/users/albertba.nix
+++ b/users/albertba.nix
@@ -2,7 +2,11 @@
{
users.users.albertba = {
isNormalUser = true;
- extraGroups = [ "wheel" "drift" "nix-builder-users" ];
+ extraGroups = [
+ "wheel"
+ "drift"
+ "nix-builder-users"
+ ];
packages = with pkgs; [
fd
diff --git a/users/danio.nix b/users/danio.nix
index a0b99ab..bbb7788 100644
--- a/users/danio.nix
+++ b/users/danio.nix
@@ -3,7 +3,11 @@
{
users.users.danio = {
isNormalUser = true;
- extraGroups = [ "drift" "nix-builder-users" "wheel" ];
+ extraGroups = [
+ "drift"
+ "nix-builder-users"
+ "wheel"
+ ];
shell = if config.programs.zsh.enable then pkgs.zsh else pkgs.bash;
openssh.authorizedKeys.keys = [
diff --git a/users/default.nix b/users/default.nix
index eea1680..6f162e6 100644
--- a/users/default.nix
+++ b/users/default.nix
@@ -5,9 +5,12 @@ let
getDir = dir: builtins.readDir dir;
# find all files ending in ".nix" which are not this file, or directories, which may or may not contain a default.nix
- files = dir: filterAttrs
- (file: type: (type == "regular" && hasSuffix ".nix" file && file != "default.nix") || type == "directory")
- (getDir dir);
+ files =
+ dir:
+ filterAttrs (
+ file: type:
+ (type == "regular" && hasSuffix ".nix" file && file != "default.nix") || type == "directory"
+ ) (getDir dir);
# Turn the attrset into a list of the filenames
flatten = dir: mapAttrsToList (file: type: file) (files dir);
# Turn the filenames into absolute paths
diff --git a/users/felixalb.nix b/users/felixalb.nix
index 7d1278f..1716edf 100644
--- a/users/felixalb.nix
+++ b/users/felixalb.nix
@@ -1,10 +1,16 @@
-{ config, pkgs, lib, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
{
users.users.felixalb = {
isNormalUser = true;
extraGroups = [
"wheel"
- ] ++ lib.optionals ( config.users.groups ? "libvirtd" ) [
+ ]
+ ++ lib.optionals (config.users.groups ? "libvirtd") [
"libvirtd"
];
shell = if config.programs.zsh.enable then pkgs.zsh else pkgs.bash;
diff --git a/users/frero.nix b/users/frero.nix
index 2ea8080..85f9f8f 100644
--- a/users/frero.nix
+++ b/users/frero.nix
@@ -2,7 +2,11 @@
{
users.users.frero = {
isNormalUser = true;
- extraGroups = [ "wheel" "drift" "nix-builder-users" ];
+ extraGroups = [
+ "wheel"
+ "drift"
+ "nix-builder-users"
+ ];
shell = if config.programs.zsh.enable then pkgs.zsh else pkgs.bash;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII09JbtSUMurvmHpJ7TmUQctXpNVhjFYhoJ3+1ZITmMx"
diff --git a/users/jonmro.nix b/users/jonmro.nix
index 1e5704d..82e760f 100644
--- a/users/jonmro.nix
+++ b/users/jonmro.nix
@@ -3,7 +3,11 @@
{
users.users.jonmro = {
isNormalUser = true;
- extraGroups = [ "wheel" "drift" "nix-builder-users" ];
+ extraGroups = [
+ "wheel"
+ "drift"
+ "nix-builder-users"
+ ];
shell = if config.programs.zsh.enable then pkgs.zsh else pkgs.bash;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEm5PfYmfl/0fnAP/3coVlvTw3/TYNLT6r/NwJHZbLAK jonrodtang@gmail.com"
diff --git a/values.nix b/values.nix
index 98edfe6..b926fa8 100644
--- a/values.nix
+++ b/values.nix
@@ -4,7 +4,8 @@ let
ntnu-ipv6 = suffix: "2001:700:300:${toString suffix}";
pvv-ipv4 = suffix: ntnu-ipv4 "210.${toString suffix}";
pvv-ipv6 = suffix: ntnu-ipv6 "1900::${toString suffix}";
-in rec {
+in
+rec {
ntnu.ipv4-space = ntnu-ipv4 "0.0/16"; # https://ipinfo.io/ips/129.241.0.0/16
ntnu.ipv6-space = ntnu-ipv6 ":/48"; # https://ipinfo.io/2001:700:300::
@@ -126,9 +127,20 @@ in rec {
};
defaultNetworkConfig = {
- dns = [ "129.241.0.200" "129.241.0.201" "2001:700:300:1900::200" "2001:700:300:1900::201" ];
- domains = [ "pvv.ntnu.no" "pvv.org" ];
- gateway = [ hosts.gateway hosts.gateway6 ];
+ dns = [
+ "129.241.0.200"
+ "129.241.0.201"
+ "2001:700:300:1900::200"
+ "2001:700:300:1900::201"
+ ];
+ domains = [
+ "pvv.ntnu.no"
+ "pvv.org"
+ ];
+ gateway = [
+ hosts.gateway
+ hosts.gateway6
+ ];
networkConfig.IPv6AcceptRA = "no";
DHCP = "no";