felixalb/pvv-nixos-config
1
0
Fork 0
mirror of https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git synced 2026-02-21 09:27:51 +01:00
Code Issues Projects Releases Wiki Activity

nixfmt

Browse Source
This commit is contained in:
Vegard Bieker Matthey
2026-02-20 18:12:39 +01:00
parent eedb94b998
commit 54a6b687dd
127 changed files with 3804 additions and 2402 deletions
Download Patch File Download Diff File Expand all files Collapse all files

271
modules/bluemap.nix
View File

@@ -1,4 +1,9 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.bluemap;
format = pkgs.formats.hocon { };
@@ -7,36 +12,48 @@ let
webappConfig = format.generate "webapp.conf" cfg.webappSettings;
webserverConfig = format.generate "webserver.conf" cfg.webserverSettings;
storageFolder = pkgs.linkFarm "storage"
(lib.attrsets.mapAttrs' (name: value:
lib.nameValuePair "${name}.conf"
(format.generate "${name}.conf" value))
cfg.storage);
storageFolder = pkgs.linkFarm "storage" (
lib.attrsets.mapAttrs' (
name: value: lib.nameValuePair "${name}.conf" (format.generate "${name}.conf" value)
) cfg.storage
);
generateMapConfigWithMarkerData = name: { extraHoconMarkersFile, settings, ... }:
generateMapConfigWithMarkerData =
name:
{ extraHoconMarkersFile, settings, ... }:
assert (extraHoconMarkersFile == null) != ((settings.marker-sets or { }) == { });
lib.pipe settings (
(lib.optionals (extraHoconMarkersFile != null) [
(settings: lib.recursiveUpdate settings {
marker-placeholder = "###ASDF###";
})
]) ++ [
(
settings:
lib.recursiveUpdate settings {
marker-placeholder = "###ASDF###";
}
)
])
++ [
(format.generate "${name}.conf")
] ++ (lib.optionals (extraHoconMarkersFile != null) [
(hoconFile: pkgs.runCommand "${name}-patched.conf" { } ''
mkdir -p "$(dirname "$out")"
cp '${hoconFile}' "$out"
substituteInPlace "$out" \
--replace-fail '"marker-placeholder" = "###ASDF###"' "\"marker-sets\" = $(cat '${extraHoconMarkersFile}')"
'')
]
++ (lib.optionals (extraHoconMarkersFile != null) [
(
hoconFile:
pkgs.runCommand "${name}-patched.conf" { } ''
mkdir -p "$(dirname "$out")"
cp '${hoconFile}' "$out"
substituteInPlace "$out" \
--replace-fail '"marker-placeholder" = "###ASDF###"' "\"marker-sets\" = $(cat '${extraHoconMarkersFile}')"
''
)
])
);
mapsFolder = lib.pipe cfg.maps [
(lib.attrsets.mapAttrs' (name: value: {
name = "${name}.conf";
value = generateMapConfigWithMarkerData name value;
}))
(lib.attrsets.mapAttrs' (
name: value: {
name = "${name}.conf";
value = generateMapConfigWithMarkerData name value;
}
))
(pkgs.linkFarm "maps")
];
@@ -49,19 +66,24 @@ let
"packs" = cfg.packs;
};
renderConfigFolder = name: value: pkgs.linkFarm "bluemap-${name}-config" {
"maps" = pkgs.linkFarm "maps" {
"${name}.conf" = generateMapConfigWithMarkerData name value;
renderConfigFolder =
name: value:
pkgs.linkFarm "bluemap-${name}-config" {
"maps" = pkgs.linkFarm "maps" {
"${name}.conf" = generateMapConfigWithMarkerData name value;
};
"storages" = storageFolder;
"core.conf" = coreConfig;
"webapp.conf" = format.generate "webapp.conf" (
cfg.webappSettings // { "update-settings-file" = false; }
);
"webserver.conf" = webserverConfig;
"packs" = value.packs;
};
"storages" = storageFolder;
"core.conf" = coreConfig;
"webapp.conf" = format.generate "webapp.conf" (cfg.webappSettings // { "update-settings-file" = false; });
"webserver.conf" = webserverConfig;
"packs" = value.packs;
};
inherit (lib) mkOption;
in {
in
{
options.services.bluemap = {
enable = lib.mkEnableOption "bluemap";
package = lib.mkPackageOption pkgs "bluemap" { };
@@ -173,70 +195,77 @@ in {
};
maps = mkOption {
type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
options = {
packs = mkOption {
type = lib.types.path;
default = cfg.packs;
defaultText = lib.literalExpression "config.services.bluemap.packs";
description = "A set of resourcepacks, datapacks, and mods to extract resources from, loaded in alphabetical order.";
};
extraHoconMarkersFile = mkOption {
type = lib.types.nullOr lib.types.path;
default = null;
description = ''
Path to a hocon file containing marker data.
The content of this file will be injected into the map config file in a separate derivation.
DO NOT SEND THIS TO NIXPKGS, IT'S AN UGLY HACK.
'';
};
settings = mkOption {
type = (lib.types.submodule {
freeformType = format.type;
options = {
world = mkOption {
type = lib.types.path;
description = "Path to world folder containing the dimension to render";
};
name = mkOption {
type = lib.types.str;
description = "The display name of this map (how this map will be named on the webapp)";
default = name;
defaultText = lib.literalExpression "<name>";
};
render-mask = mkOption {
type = with lib.types; listOf (attrsOf format.type);
description = "Limits for the map render";
default = [ ];
example = [
{
min-x = -4000;
max-x = 4000;
min-z = -4000;
max-z = 4000;
min-y = 50;
max-y = 100;
}
{
subtract = true;
min-y = 90;
max-y = 127;
}
];
};
type = lib.types.attrsOf (
lib.types.submodule (
{ name, ... }:
{
options = {
packs = mkOption {
type = lib.types.path;
default = cfg.packs;
defaultText = lib.literalExpression "config.services.bluemap.packs";
description = "A set of resourcepacks, datapacks, and mods to extract resources from, loaded in alphabetical order.";
};
});
description = ''
Settings for files in `maps/`.
See the default for an example with good options for the different world types.
For valid values [consult upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/common/src/main/resources/de/bluecolored/bluemap/config/maps/map.conf).
'';
};
};
}));
extraHoconMarkersFile = mkOption {
type = lib.types.nullOr lib.types.path;
default = null;
description = ''
Path to a hocon file containing marker data.
The content of this file will be injected into the map config file in a separate derivation.
DO NOT SEND THIS TO NIXPKGS, IT'S AN UGLY HACK.
'';
};
settings = mkOption {
type = (
lib.types.submodule {
freeformType = format.type;
options = {
world = mkOption {
type = lib.types.path;
description = "Path to world folder containing the dimension to render";
};
name = mkOption {
type = lib.types.str;
description = "The display name of this map (how this map will be named on the webapp)";
default = name;
defaultText = lib.literalExpression "<name>";
};
render-mask = mkOption {
type = with lib.types; listOf (attrsOf format.type);
description = "Limits for the map render";
default = [ ];
example = [
{
min-x = -4000;
max-x = 4000;
min-z = -4000;
max-z = 4000;
min-y = 50;
max-y = 100;
}
{
subtract = true;
min-y = 90;
max-y = 127;
}
];
};
};
}
);
description = ''
Settings for files in `maps/`.
See the default for an example with good options for the different world types.
For valid values [consult upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/common/src/main/resources/de/bluecolored/bluemap/config/maps/map.conf).
'';
};
};
}
)
);
default = {
"overworld".settings = {
world = cfg.defaultWorld;
@@ -320,16 +349,21 @@ in {
};
storage = mkOption {
type = lib.types.attrsOf (lib.types.submodule {
freeformType = format.type;
options = {
storage-type = mkOption {
type = lib.types.enum [ "FILE" "SQL" ];
description = "Type of storage config";
default = "FILE";
type = lib.types.attrsOf (
lib.types.submodule {
freeformType = format.type;
options = {
storage-type = mkOption {
type = lib.types.enum [
"FILE"
"SQL"
];
description = "Type of storage config";
default = "FILE";
};
};
};
});
}
);
description = ''
Where the rendered map will be stored.
Unless you are doing something advanced you should probably leave this alone and configure webRoot instead.
@@ -359,16 +393,16 @@ in {
};
};
config = lib.mkIf cfg.enable {
assertions =
[ { assertion = config.services.bluemap.eula;
message = ''
You have enabled bluemap but have not accepted minecraft's EULA.
You can achieve this through setting `services.bluemap.eula = true`
'';
}
];
assertions = [
{
assertion = config.services.bluemap.eula;
message = ''
You have enabled bluemap but have not accepted minecraft's EULA.
You can achieve this through setting `services.bluemap.eula = true`
'';
}
];
services.bluemap.coreSettings.accept-download = cfg.eula;
@@ -384,9 +418,9 @@ in {
]
++
# Render each minecraft map
lib.attrsets.mapAttrsToList
(name: value: "${lib.getExe cfg.package} -c ${renderConfigFolder name value} -r")
cfg.maps
lib.attrsets.mapAttrsToList (
name: value: "${lib.getExe cfg.package} -c ${renderConfigFolder name value} -r"
) cfg.maps
++ [
# Generate updated webapp
"${lib.getExe cfg.package} -c ${webappConfigFolder} -gs"
@@ -417,6 +451,9 @@ in {
};
meta = {
maintainers = with lib.maintainers; [ dandellion h7x4 ];
maintainers = with lib.maintainers; [
dandellion
h7x4
];
};
}

410
modules/gickup/default.nix
View File

@@ -1,4 +1,10 @@
{ config, pkgs, lib, utils, ... }:
{
config,
pkgs,
lib,
utils,
...
}:
let
cfg = config.services.gickup;
format = pkgs.formats.yaml { };
@@ -45,113 +51,125 @@ in
};
instances = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule (submoduleInputs@{ name, ... }: let
submoduleName = name;
type = lib.types.attrsOf (
lib.types.submodule (
submoduleInputs@{ name, ... }:
let
submoduleName = name;
nameParts = rec {
repoType = builtins.head (lib.splitString ":" submoduleName);
nameParts = rec {
repoType = builtins.head (lib.splitString ":" submoduleName);
owner = if repoType == "any"
then null
else lib.pipe submoduleName [
owner =
if repoType == "any" then
null
else
lib.pipe submoduleName [
(lib.removePrefix "${repoType}:")
(lib.splitString "/")
builtins.head
];
repo = if repoType == "any"
then null
else lib.pipe submoduleName [
repo =
if repoType == "any" then
null
else
lib.pipe submoduleName [
(lib.removePrefix "${repoType}:")
(lib.splitString "/")
lib.last
];
slug = if repoType == "any"
then lib.toLower (builtins.replaceStrings [ ":" "/" ] [ "-" "-" ] submoduleName)
else "${lib.toLower repoType}-${lib.toLower owner}-${lib.toLower repo}";
};
in {
options = {
interval = lib.mkOption {
type = lib.types.str;
default = "daily";
example = "weekly";
description = ''
Specification (in the format described by {manpage}`systemd.time(7)`) of the time
interval at which to run the service.
'';
};
type = lib.mkOption {
type = lib.types.enum [
"github"
"gitlab"
"gitea"
"gogs"
"bitbucket"
"onedev"
"sourcehut"
"any"
];
example = "github";
default = nameParts.repoType;
description = ''
The type of the repository to mirror.
'';
};
owner = lib.mkOption {
type = with lib.types; nullOr str;
example = "go-gitea";
default = nameParts.owner;
description = ''
The owner of the repository to mirror (if applicable)
'';
};
repo = lib.mkOption {
type = with lib.types; nullOr str;
example = "gitea";
default = nameParts.repo;
description = ''
The name of the repository to mirror (if applicable)
'';
};
slug = lib.mkOption {
type = lib.types.str;
default = nameParts.slug;
example = "github-go-gitea-gitea";
description = ''
The slug of the repository to mirror.
'';
};
description = lib.mkOption {
type = with lib.types; nullOr str;
example = "A project which does this and that";
description = ''
A description of the project. This isn't used directly by gickup for anything,
but can be useful if gickup is used together with cgit or similar.
'';
};
settings = lib.mkOption {
description = "Instance specific settings, see gickup configuration file";
type = lib.types.submodule {
freeformType = format.type;
slug =
if repoType == "any" then
lib.toLower (builtins.replaceStrings [ ":" "/" ] [ "-" "-" ] submoduleName)
else
"${lib.toLower repoType}-${lib.toLower owner}-${lib.toLower repo}";
};
default = { };
example = {
username = "gickup";
password = "hunter2";
wiki = true;
issues = true;
in
{
options = {
interval = lib.mkOption {
type = lib.types.str;
default = "daily";
example = "weekly";
description = ''
Specification (in the format described by {manpage}`systemd.time(7)`) of the time
interval at which to run the service.
'';
};
type = lib.mkOption {
type = lib.types.enum [
"github"
"gitlab"
"gitea"
"gogs"
"bitbucket"
"onedev"
"sourcehut"
"any"
];
example = "github";
default = nameParts.repoType;
description = ''
The type of the repository to mirror.
'';
};
owner = lib.mkOption {
type = with lib.types; nullOr str;
example = "go-gitea";
default = nameParts.owner;
description = ''
The owner of the repository to mirror (if applicable)
'';
};
repo = lib.mkOption {
type = with lib.types; nullOr str;
example = "gitea";
default = nameParts.repo;
description = ''
The name of the repository to mirror (if applicable)
'';
};
slug = lib.mkOption {
type = lib.types.str;
default = nameParts.slug;
example = "github-go-gitea-gitea";
description = ''
The slug of the repository to mirror.
'';
};
description = lib.mkOption {
type = with lib.types; nullOr str;
example = "A project which does this and that";
description = ''
A description of the project. This isn't used directly by gickup for anything,
but can be useful if gickup is used together with cgit or similar.
'';
};
settings = lib.mkOption {
description = "Instance specific settings, see gickup configuration file";
type = lib.types.submodule {
freeformType = format.type;
};
default = { };
example = {
username = "gickup";
password = "hunter2";
wiki = true;
issues = true;
};
};
};
};
};
}));
}
)
);
};
};
@@ -197,114 +215,122 @@ in
};
}
//
# Overrides for mirrors which are not "daily"
(lib.pipe cfg.instances [
builtins.attrValues
(builtins.filter (instance: instance.interval != "daily"))
(map ({ slug, interval, ... }: {
name = "gickup@${slug}";
value = {
overrideStrategy = "asDropin";
timerConfig.OnCalendar = interval;
};
}))
builtins.listToAttrs
]);
# Overrides for mirrors which are not "daily"
(lib.pipe cfg.instances [
builtins.attrValues
(builtins.filter (instance: instance.interval != "daily"))
(map (
{ slug, interval, ... }:
{
name = "gickup@${slug}";
value = {
overrideStrategy = "asDropin";
timerConfig.OnCalendar = interval;
};
}
))
builtins.listToAttrs
]);
systemd.targets.timers.wants = map ({ slug, ... }: "gickup@${slug}.timer") (lib.attrValues cfg.instances);
systemd.targets.timers.wants = map ({ slug, ... }: "gickup@${slug}.timer") (
lib.attrValues cfg.instances
);
systemd.services = {
"gickup@" = let
configDir = lib.pipe cfg.instances [
(lib.mapAttrsToList (name: instance: {
name = "${instance.slug}.yml";
path = format.generate "gickup-configuration-${name}.yml" {
destination.local = [ cfg.destinationSettings ];
source.${instance.type} = [
(
(lib.optionalAttrs (instance.type != "any") {
user = instance.owner;
includeorgs = [ instance.owner ];
include = [ instance.repo ];
})
//
instance.settings
)
];
};
}))
(pkgs.linkFarm "gickup-configuration-files")
];
in {
description = "Gickup git repository mirroring service for %i";
after = [ "network.target" ];
"gickup@" =
let
configDir = lib.pipe cfg.instances [
(lib.mapAttrsToList (
name: instance: {
name = "${instance.slug}.yml";
path = format.generate "gickup-configuration-${name}.yml" {
destination.local = [ cfg.destinationSettings ];
source.${instance.type} = [
(
(lib.optionalAttrs (instance.type != "any") {
user = instance.owner;
includeorgs = [ instance.owner ];
include = [ instance.repo ];
})
// instance.settings
)
];
};
}
))
(pkgs.linkFarm "gickup-configuration-files")
];
in
{
description = "Gickup git repository mirroring service for %i";
after = [ "network.target" ];
path = [
cfg.gitPackage
cfg.gitLfsPackage
];
restartIfChanged = false;
serviceConfig = {
Type = "oneshot";
ExecStart = "'${pkgs.gickup}/bin/gickup' '${configDir}/%i.yml'";
ExecStartPost = "";
User = "gickup";
Group = "gickup";
BindPaths = lib.optionals (cfg.dataDir != "/var/lib/gickup") [
"${cfg.dataDir}:/var/lib/gickup"
path = [
cfg.gitPackage
cfg.gitLfsPackage
];
Slice = "system-gickup.slice";
restartIfChanged = false;
SyslogIdentifier = "gickup-%i";
StateDirectory = "gickup";
# WorkingDirectory = "gickup";
# RuntimeDirectory = "gickup";
# RuntimeDirectoryMode = "0700";
serviceConfig = {
Type = "oneshot";
ExecStart = "'${pkgs.gickup}/bin/gickup' '${configDir}/%i.yml'";
ExecStartPost = "";
# https://discourse.nixos.org/t/how-to-prevent-custom-systemd-service-from-restarting-on-nixos-rebuild-switch/43431
RemainAfterExit = true;
User = "gickup";
Group = "gickup";
# Hardening options
AmbientCapabilities = [];
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
# ProtectProc = "invisible";
# ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
# SystemCallFilter = [
# "@system-service"
# "~@resources"
# "~@privileged"
# ];
UMask = "0002";
CapabilityBoundingSet = [];
BindPaths = lib.optionals (cfg.dataDir != "/var/lib/gickup") [
"${cfg.dataDir}:/var/lib/gickup"
];
Slice = "system-gickup.slice";
SyslogIdentifier = "gickup-%i";
StateDirectory = "gickup";
# WorkingDirectory = "gickup";
# RuntimeDirectory = "gickup";
# RuntimeDirectoryMode = "0700";
# https://discourse.nixos.org/t/how-to-prevent-custom-systemd-service-from-restarting-on-nixos-rebuild-switch/43431
RemainAfterExit = true;
# Hardening options
AmbientCapabilities = [ ];
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
# ProtectProc = "invisible";
# ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
# SystemCallFilter = [
# "@system-service"
# "~@resources"
# "~@privileged"
# ];
UMask = "0002";
CapabilityBoundingSet = [ ];
};
};
};
};
};
}

7
modules/gickup/hardlink-files.nix
View File

@@ -1,4 +1,9 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.gickup;
in

7
modules/gickup/import-from-toml.nix
View File

@@ -1,4 +1,9 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.gickup;

7
modules/gickup/set-description.nix
View File

@@ -1,4 +1,9 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.gickup;
in

79
modules/gickup/update-linktree.nix
View File

@@ -1,4 +1,9 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.gickup;
in
@@ -20,50 +25,52 @@ in
wantedBy = [ "gickup.target" ];
serviceConfig = {
Type = "oneshot";
ExecStart = let
script = pkgs.writeShellApplication {
name = "gickup-update-symlink-tree.sh";
runtimeInputs = [
pkgs.coreutils
pkgs.findutils
];
text = ''
shopt -s nullglob
ExecStart =
let
script = pkgs.writeShellApplication {
name = "gickup-update-symlink-tree.sh";
runtimeInputs = [
pkgs.coreutils
pkgs.findutils
];
text = ''
shopt -s nullglob
for repository in ./*/*/*; do
REPOSITORY_RELATIVE_DIRS=''${repository#"./"}
for repository in ./*/*/*; do
REPOSITORY_RELATIVE_DIRS=''${repository#"./"}
echo "Checking $REPOSITORY_RELATIVE_DIRS"
echo "Checking $REPOSITORY_RELATIVE_DIRS"
declare -a REVISIONS
readarray -t REVISIONS < <(find "$repository" -mindepth 1 -maxdepth 1 -printf "%f\n" | sort --numeric-sort --reverse)
declare -a REVISIONS
readarray -t REVISIONS < <(find "$repository" -mindepth 1 -maxdepth 1 -printf "%f\n" | sort --numeric-sort --reverse)
if [[ "''${#REVISIONS[@]}" == 0 ]]; then
echo "Found no revisions for $repository, continuing"
continue
fi
if [[ "''${#REVISIONS[@]}" == 0 ]]; then
echo "Found no revisions for $repository, continuing"
continue
fi
LAST_REVISION="''${REVISIONS[0]}"
SYMLINK_PATH="../linktree/''${REPOSITORY_RELATIVE_DIRS}"
LAST_REVISION="''${REVISIONS[0]}"
SYMLINK_PATH="../linktree/''${REPOSITORY_RELATIVE_DIRS}"
mkdir -p "$(dirname "$SYMLINK_PATH")"
mkdir -p "$(dirname "$SYMLINK_PATH")"
EXPECTED_SYMLINK_TARGET=$(realpath "''${repository}/''${LAST_REVISION}")
EXISTING_SYMLINK_TARGET=$(realpath "$SYMLINK_PATH" || echo "<none>")
EXPECTED_SYMLINK_TARGET=$(realpath "''${repository}/''${LAST_REVISION}")
EXISTING_SYMLINK_TARGET=$(realpath "$SYMLINK_PATH" || echo "<none>")
if [[ "$EXISTING_SYMLINK_TARGET" != "$EXPECTED_SYMLINK_TARGET" ]]; then
echo "Updating symlink for $REPOSITORY_RELATIVE_DIRS"
rm "$SYMLINK_PATH" ||:
ln -rs "$EXPECTED_SYMLINK_TARGET" "$SYMLINK_PATH"
else
echo "Symlink already up to date, continuing..."
fi
if [[ "$EXISTING_SYMLINK_TARGET" != "$EXPECTED_SYMLINK_TARGET" ]]; then
echo "Updating symlink for $REPOSITORY_RELATIVE_DIRS"
rm "$SYMLINK_PATH" ||:
ln -rs "$EXPECTED_SYMLINK_TARGET" "$SYMLINK_PATH"
else
echo "Symlink already up to date, continuing..."
fi
echo "---"
done
'';
};
in lib.getExe script;
echo "---"
done
'';
};
in
lib.getExe script;
User = "gickup";
Group = "gickup";

13
modules/grzegorz.nix
View File

@@ -1,10 +1,18 @@
{config, lib, pkgs, unstablePkgs, values, ...}:
{
config,
lib,
pkgs,
unstablePkgs,
values,
...
}:
let
grg = config.services.greg-ng;
grgw = config.services.grzegorz-webui;
machine = config.networking.hostName;
in {
in
{
services.greg-ng = {
enable = true;
settings.host = "localhost";
@@ -124,4 +132,3 @@ in {
};
};
}

6
modules/matrix-ooye.nix
View File

@@ -58,7 +58,8 @@ in
sender_localpart = "${cfg.namespace}bot";
rate_limited = false;
socket = cfg.socket; # Can either be a TCP port or a unix socket path
url = if (lib.hasPrefix "/" cfg.socket) then "unix:${cfg.socket}" else "http://localhost:${cfg.socket}";
url =
if (lib.hasPrefix "/" cfg.socket) then "unix:${cfg.socket}" else "http://localhost:${cfg.socket}";
ooye = {
server_name = cfg.homeserverName;
namespace_prefix = cfg.namespace;
@@ -66,7 +67,8 @@ in
content_length_workaround = false;
include_user_id_in_mxid = true;
server_origin = cfg.homeserver;
bridge_origin = if (cfg.bridgeOrigin == "") then "http://localhost:${cfg.socket}" else cfg.bridgeOrigin;
bridge_origin =
if (cfg.bridgeOrigin == "") then "http://localhost:${cfg.socket}" else cfg.bridgeOrigin;
};
}
);

208
modules/robots-txt.nix
View File

@@ -1,55 +1,81 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
let
cfg = config.environment.robots-txt;
robots-txt-format = {
type = let
coercedStrToNonEmptyListOfStr = lib.types.coercedTo lib.types.str lib.singleton (lib.types.nonEmptyListOf lib.types.str);
in lib.types.listOf (lib.types.submodule {
freeformType = lib.types.attrsOf coercedStrToNonEmptyListOfStr;
options = {
pre_comment = lib.mkOption {
description = "Comment to add before the rule";
type = lib.types.lines;
default = "";
};
post_comment = lib.mkOption {
description = "Comment to add after the rule";
type = lib.types.lines;
default = "";
};
};
});
type =
let
coercedStrToNonEmptyListOfStr = lib.types.coercedTo lib.types.str lib.singleton (
lib.types.nonEmptyListOf lib.types.str
);
in
lib.types.listOf (
lib.types.submodule {
freeformType = lib.types.attrsOf coercedStrToNonEmptyListOfStr;
options = {
pre_comment = lib.mkOption {
description = "Comment to add before the rule";
type = lib.types.lines;
default = "";
};
post_comment = lib.mkOption {
description = "Comment to add after the rule";
type = lib.types.lines;
default = "";
};
};
}
);
generate = name: value: let
makeComment = comment: lib.pipe comment [
(lib.splitString "\n")
(lib.map (line: if line == "" then "#" else "# ${line}"))
(lib.concatStringsSep "\n")
];
generate =
name: value:
let
makeComment =
comment:
lib.pipe comment [
(lib.splitString "\n")
(lib.map (line: if line == "" then "#" else "# ${line}"))
(lib.concatStringsSep "\n")
];
ruleToString = rule: let
user_agent = rule.User-agent or [];
pre_comment = rule.pre_comment;
post_comment = rule.post_comment;
rest = builtins.removeAttrs rule [ "User-agent" "pre_comment" "post_comment" ];
in lib.concatStringsSep "\n" (lib.filter (x: x != null) [
(if (pre_comment != "") then makeComment pre_comment else null)
(let
user-agents = lib.concatMapStringsSep "\n" (value: "User-agent: ${value}") user_agent;
in
if user_agent == [] then null else user-agents
)
(lib.pipe rest [
(lib.mapAttrsToList (ruleName: map (value: "${ruleName}: ${value}")))
lib.concatLists
(lib.concatStringsSep "\n")
])
(if (post_comment != "") then makeComment post_comment else null)
]);
ruleToString =
rule:
let
user_agent = rule.User-agent or [ ];
pre_comment = rule.pre_comment;
post_comment = rule.post_comment;
rest = builtins.removeAttrs rule [
"User-agent"
"pre_comment"
"post_comment"
];
in
lib.concatStringsSep "\n" (
lib.filter (x: x != null) [
(if (pre_comment != "") then makeComment pre_comment else null)
(
let
user-agents = lib.concatMapStringsSep "\n" (value: "User-agent: ${value}") user_agent;
in
if user_agent == [ ] then null else user-agents
)
(lib.pipe rest [
(lib.mapAttrsToList (ruleName: map (value: "${ruleName}: ${value}")))
lib.concatLists
(lib.concatStringsSep "\n")
])
(if (post_comment != "") then makeComment post_comment else null)
]
);
content = lib.concatMapStringsSep "\n\n" ruleToString value;
in pkgs.writeText name content;
content = lib.concatMapStringsSep "\n\n" ruleToString value;
in
pkgs.writeText name content;
};
in
{
@@ -58,36 +84,50 @@ in
description = ''
Different instances of robots.txt to use with web services.
'';
type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
options = {
enable = lib.mkEnableOption "this instance of robots.txt" // {
default = true;
};
type = lib.types.attrsOf (
lib.types.submodule (
{ name, ... }:
{
options = {
enable = lib.mkEnableOption "this instance of robots.txt" // {
default = true;
};
path = lib.mkOption {
description = "The resulting path of the dir containing the robots.txt file";
type = lib.types.path;
readOnly = true;
default = "/etc/robots-txt/${name}";
};
path = lib.mkOption {
description = "The resulting path of the dir containing the robots.txt file";
type = lib.types.path;
readOnly = true;
default = "/etc/robots-txt/${name}";
};
rules = lib.mkOption {
description = "Rules to include in robots.txt";
default = [ ];
example = [
{ User-agent = "Googlebot"; Disallow = "/no-googlebot"; }
{ User-agent = "Bingbot"; Disallow = [ "/no-bingbot" "/no-bingbot2" ]; }
];
type = robots-txt-format.type;
};
rules = lib.mkOption {
description = "Rules to include in robots.txt";
default = [ ];
example = [
{
User-agent = "Googlebot";
Disallow = "/no-googlebot";
}
{
User-agent = "Bingbot";
Disallow = [
"/no-bingbot"
"/no-bingbot2"
];
}
];
type = robots-txt-format.type;
};
virtualHost = lib.mkOption {
description = "An nginx virtual host to add the robots.txt to";
type = lib.types.nullOr lib.types.str;
default = null;
};
};
}));
virtualHost = lib.mkOption {
description = "An nginx virtual host to add the robots.txt to";
type = lib.types.nullOr lib.types.str;
default = null;
};
};
}
)
);
};
config = {
@@ -98,19 +138,21 @@ in
services.nginx.virtualHosts = lib.pipe cfg [
(lib.filterAttrs (_: value: value.virtualHost != null))
(lib.mapAttrs' (name: value: {
name = value.virtualHost;
value = {
locations = {
"= /robots.txt" = {
extraConfig = ''
add_header Content-Type text/plain;
'';
root = cfg.${name}.path;
(lib.mapAttrs' (
name: value: {
name = value.virtualHost;
value = {
locations = {
"= /robots.txt" = {
extraConfig = ''
add_header Content-Type text/plain;
'';
root = cfg.${name}.path;
};
};
};
};
}))
}
))
];
};
}

245
modules/rsync-pull-targets.nix
View File

@@ -1,4 +1,9 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.rsync-pull-targets;
in
@@ -9,116 +14,121 @@ in
rrsyncPackage = lib.mkPackageOption pkgs "rrsync" { };
locations = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule ({ name, ... }@submoduleArgs: {
options = {
enable = lib.mkEnableOption "" // {
default = true;
example = false;
};
type = lib.types.attrsOf (
lib.types.submodule (
{ name, ... }@submoduleArgs:
{
options = {
enable = lib.mkEnableOption "" // {
default = true;
example = false;
};
user = lib.mkOption {
type = lib.types.str;
description = "Which user to use as SSH login";
example = "root";
};
user = lib.mkOption {
type = lib.types.str;
description = "Which user to use as SSH login";
example = "root";
};
location = lib.mkOption {
type = lib.types.path;
default = name;
defaultText = lib.literalExpression "<name>";
example = "/path/to/rsyncable/item";
};
location = lib.mkOption {
type = lib.types.path;
default = name;
defaultText = lib.literalExpression "<name>";
example = "/path/to/rsyncable/item";
};
# TODO: handle autogeneration of keys
# autoGenerateSSHKeypair = lib.mkOption {
# type = lib.types.bool;
# default = config.publicKey == null;
# defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.publicKey != null";
# example = true;
# };
# TODO: handle autogeneration of keys
# autoGenerateSSHKeypair = lib.mkOption {
# type = lib.types.bool;
# default = config.publicKey == null;
# defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.publicKey != null";
# example = true;
# };
publicKey = lib.mkOption {
type = lib.types.str;
# type = lib.types.nullOr lib.types.str;
# default = null;
example = "ssh-ed25519 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA comment";
};
publicKey = lib.mkOption {
type = lib.types.str;
# type = lib.types.nullOr lib.types.str;
# default = null;
example = "ssh-ed25519 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA comment";
};
rrsyncPackage = lib.mkPackageOption pkgs "rrsync" { } // {
default = cfg.rrsyncPackage;
defaultText = lib.literalExpression "config.services.rsync-pull-targets.rrsyncPackage";
};
rrsyncPackage = lib.mkPackageOption pkgs "rrsync" { } // {
default = cfg.rrsyncPackage;
defaultText = lib.literalExpression "config.services.rsync-pull-targets.rrsyncPackage";
};
enableRecommendedHardening = lib.mkEnableOption "a commonly used security profile for authorizedKeys attributes and rrsync args";
enableRecommendedHardening = lib.mkEnableOption "a commonly used security profile for authorizedKeys attributes and rrsync args";
rrsyncArgs = {
ro = lib.mkEnableOption "" // {
description = "Allow only reading from the DIR. Implies -no-del and -no-lock.";
rrsyncArgs = {
ro = lib.mkEnableOption "" // {
description = "Allow only reading from the DIR. Implies -no-del and -no-lock.";
};
wo = lib.mkEnableOption "" // {
description = "Allow only writing to the DIR.";
};
munge = lib.mkEnableOption "" // {
description = "Enable rsync's --munge-links on the server side.";
# TODO: set a default?
};
no-del = lib.mkEnableOption "" // {
description = "Disable rsync's --delete* and --remove* options.";
default = submoduleArgs.config.enableRecommendedHardening;
defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.enableRecommendedHardening";
};
no-lock = lib.mkEnableOption "" // {
description = "Avoid the single-run (per-user) lock check.";
default = submoduleArgs.config.enableRecommendedHardening;
defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.enableRecommendedHardening";
};
no-overwrite = lib.mkEnableOption "" // {
description = "Prevent overwriting existing files by enforcing --ignore-existing";
default = submoduleArgs.config.enableRecommendedHardening;
defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.enableRecommendedHardening";
};
};
authorizedKeysAttrs = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = lib.optionals submoduleArgs.config.enableRecommendedHardening [
"restrict"
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
defaultText = lib.literalExpression ''
lib.optionals config.services.rsync-pull-targets.<name>.enableRecommendedHardening [
"restrict"
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
]
'';
example = [
"restrict"
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
};
};
wo = lib.mkEnableOption "" // {
description = "Allow only writing to the DIR.";
};
munge = lib.mkEnableOption "" // {
description = "Enable rsync's --munge-links on the server side.";
# TODO: set a default?
};
no-del = lib.mkEnableOption "" // {
description = "Disable rsync's --delete* and --remove* options.";
default = submoduleArgs.config.enableRecommendedHardening;
defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.enableRecommendedHardening";
};
no-lock = lib.mkEnableOption "" // {
description = "Avoid the single-run (per-user) lock check.";
default = submoduleArgs.config.enableRecommendedHardening;
defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.enableRecommendedHardening";
};
no-overwrite = lib.mkEnableOption "" // {
description = "Prevent overwriting existing files by enforcing --ignore-existing";
default = submoduleArgs.config.enableRecommendedHardening;
defaultText = lib.literalExpression "config.services.rsync-pull-targets.<name>.enableRecommendedHardening";
};
};
authorizedKeysAttrs = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = lib.optionals submoduleArgs.config.enableRecommendedHardening [
"restrict"
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
defaultText = lib.literalExpression ''
lib.optionals config.services.rsync-pull-targets.<name>.enableRecommendedHardening [
"restrict"
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
]
'';
example = [
"restrict"
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
};
};
}));
}
)
);
};
};
config = lib.mkIf cfg.enable {
# assertions = lib.pipe cfg.locations [
# (lib.filterAttrs (_: value: value.enable))
# TODO: assert that there are no duplicate (user, publicKey) pairs.
# if there are then ssh won't know which command to provide and might provide a random one, not sure.
# (lib.mapAttrsToList (_: { user, location, publicKey, ... }: {
# assertion =
# message = "";
# })
# TODO: assert that there are no duplicate (user, publicKey) pairs.
# if there are then ssh won't know which command to provide and might provide a random one, not sure.
# (lib.mapAttrsToList (_: { user, location, publicKey, ... }: {
# assertion =
# message = "";
# })
# ];
services.openssh.enable = true;
@@ -128,19 +138,36 @@ in
lib.attrValues
# Index locations by SSH user
(lib.foldl (acc: location: acc // {
${location.user} = (acc.${location.user} or [ ]) ++ [ location ];
}) { })
(lib.foldl (
acc: location:
acc
// {
${location.user} = (acc.${location.user} or [ ]) ++ [ location ];
}
) { })
(lib.mapAttrs (_name: locations: {
openssh.authorizedKeys.keys = map ({ user, location, rrsyncPackage, rrsyncArgs, authorizedKeysAttrs, publicKey, ... }: let
rrsyncArgString = lib.cli.toCommandLineShellGNU {
isLong = _: false;
} rrsyncArgs;
# TODO: handle " in location
in "command=\"${lib.getExe rrsyncPackage} ${rrsyncArgString} ${location}\",${lib.concatStringsSep "," authorizedKeysAttrs} ${publicKey}"
) locations;
}))
(lib.mapAttrs (
_name: locations: {
openssh.authorizedKeys.keys = map (
{
user,
location,
rrsyncPackage,
rrsyncArgs,
authorizedKeysAttrs,
publicKey,
...
}:
let
rrsyncArgString = lib.cli.toCommandLineShellGNU {
isLong = _: false;
} rrsyncArgs;
# TODO: handle " in location
in
"command=\"${lib.getExe rrsyncPackage} ${rrsyncArgString} ${location}\",${lib.concatStringsSep "," authorizedKeysAttrs} ${publicKey}"
) locations;
}
))
];
};
}

135
modules/snakeoil-certs.nix
View File

@@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
let
cfg = config.environment.snakeoil-certs;
in
@@ -6,72 +11,82 @@ in
options.environment.snakeoil-certs = lib.mkOption {
default = { };
description = "Self signed certs, which are rotated regularly";
type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
options = {
owner = lib.mkOption {
type = lib.types.str;
default = "root";
};
group = lib.mkOption {
type = lib.types.str;
default = "root";
};
mode = lib.mkOption {
type = lib.types.str;
default = "0660";
};
daysValid = lib.mkOption {
type = lib.types.str;
default = "90";
};
extraOpenSSLArgs = lib.mkOption {
type = with lib.types; listOf str;
default = [ ];
};
certificate = lib.mkOption {
type = lib.types.str;
default = "${name}.crt";
};
certificateKey = lib.mkOption {
type = lib.types.str;
default = "${name}.key";
};
subject = lib.mkOption {
type = lib.types.str;
default = "/C=NO/O=Programvareverkstedet/CN=*.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
};
};
}));
type = lib.types.attrsOf (
lib.types.submodule (
{ name, ... }:
{
options = {
owner = lib.mkOption {
type = lib.types.str;
default = "root";
};
group = lib.mkOption {
type = lib.types.str;
default = "root";
};
mode = lib.mkOption {
type = lib.types.str;
default = "0660";
};
daysValid = lib.mkOption {
type = lib.types.str;
default = "90";
};
extraOpenSSLArgs = lib.mkOption {
type = with lib.types; listOf str;
default = [ ];
};
certificate = lib.mkOption {
type = lib.types.str;
default = "${name}.crt";
};
certificateKey = lib.mkOption {
type = lib.types.str;
default = "${name}.key";
};
subject = lib.mkOption {
type = lib.types.str;
default = "/C=NO/O=Programvareverkstedet/CN=*.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
};
};
}
)
);
};
config = {
systemd.services."generate-snakeoil-certs" = {
enable = true;
serviceConfig.Type = "oneshot";
script = let
openssl = lib.getExe pkgs.openssl;
in lib.concatMapStringsSep "\n" ({ name, value }: ''
mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}")
if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate}
then
echo "Regenerating '${value.certificate}'"
${openssl} req \
-newkey rsa:4096 \
-new -x509 \
-days "${toString value.daysValid}" \
-nodes \
-subj "${value.subject}" \
-out "${value.certificate}" \
-keyout "${value.certificateKey}" \
${lib.escapeShellArgs value.extraOpenSSLArgs}
fi
chown "${value.owner}:${value.group}" "${value.certificate}"
chown "${value.owner}:${value.group}" "${value.certificateKey}"
chmod "${value.mode}" "${value.certificate}"
chmod "${value.mode}" "${value.certificateKey}"
script =
let
openssl = lib.getExe pkgs.openssl;
in
lib.concatMapStringsSep "\n" (
{ name, value }:
''
mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}")
if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate}
then
echo "Regenerating '${value.certificate}'"
${openssl} req \
-newkey rsa:4096 \
-new -x509 \
-days "${toString value.daysValid}" \
-nodes \
-subj "${value.subject}" \
-out "${value.certificate}" \
-keyout "${value.certificateKey}" \
${lib.escapeShellArgs value.extraOpenSSLArgs}
fi
chown "${value.owner}:${value.group}" "${value.certificate}"
chown "${value.owner}:${value.group}" "${value.certificateKey}"
chmod "${value.mode}" "${value.certificate}"
chmod "${value.mode}" "${value.certificateKey}"
echo "\n-----------------\n"
'') (lib.attrsToList cfg);
echo "\n-----------------\n"
''
) (lib.attrsToList cfg);
};
systemd.timers."generate-snakeoil-certs" = {
wantedBy = [ "timers.target" ];

38
modules/snappymail.nix
View File

@@ -1,11 +1,26 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
let
inherit (lib) mkDefault mkEnableOption mkForce mkIf mkOption mkPackageOption generators types;
inherit (lib)
mkDefault
mkEnableOption
mkForce
mkIf
mkOption
mkPackageOption
generators
types
;
cfg = config.services.snappymail;
maxUploadSize = "256M";
in {
in
{
options.services.snappymail = {
enable = mkEnableOption "Snappymail";
@@ -48,13 +63,13 @@ in {
};
users.groups = mkIf (cfg.group == "snappymail") {
snappymail = {};
snappymail = { };
};
services.phpfpm.pools.snappymail = {
user = cfg.user;
group = cfg.group;
phpOptions = generators.toKeyValue {} {
phpOptions = generators.toKeyValue { } {
upload_max_filesize = maxUploadSize;
post_max_size = maxUploadSize;
memory_limit = maxUploadSize;
@@ -91,13 +106,14 @@ in {
client_max_body_size ${maxUploadSize};
'';
root = if (cfg.package == pkgs.snappymail) then
pkgs.snappymail.override {
dataPath = cfg.dataDir;
}
else cfg.package;
root =
if (cfg.package == pkgs.snappymail) then
pkgs.snappymail.override {
dataPath = cfg.dataDir;
}
else
cfg.package;
};
};
};
}