From dc8a6c8c71cf2d1459ec7e71e226bf5e9b114b20 Mon Sep 17 00:00:00 2001 
From: Vegard Bieker Matthey Date: Fri, 20 Feb 2026 18:18:09 +0100 Subject: [PATCH] nixfmt --- base/nix.nix | 24 +- base/services/auto-upgrade.nix | 40 +- base/services/irqbalance.nix | 2 +- base/services/journald-upload.nix | 7 +- base/services/logrotate.nix | 5 +- base/services/nginx.nix | 5 +- base/services/openssh.nix | 9 +- base/services/postfix.nix | 7 +- base/services/prometheus-node-exporter.nix | 7 +- base/services/prometheus-systemd-exporter.nix | 7 +- base/services/promtail.nix | 55 +- base/services/smartd.nix | 16 +- base/services/thermald.nix | 8 +- base/services/uptimed.nix | 76 +- base/sops.nix | 15 +- flake.nix | 701 ++++++++++-------- hosts/bakke/configuration.nix | 20 +- hosts/bakke/filesystems.nix | 2 +- hosts/bakke/hardware-configuration.nix | 68 +- hosts/bekkalokk/configuration.nix | 12 +- hosts/bekkalokk/hardware-configuration.nix | 44 +- hosts/bekkalokk/services/bluemap.nix | 153 ++-- .../services/idp-simplesamlphp/default.nix | 62 +- hosts/bekkalokk/services/kerberos.nix | 7 +- .../bekkalokk/services/mediawiki/default.nix | 116 +-- hosts/bekkalokk/services/phpfpm.nix | 74 +- hosts/bekkalokk/services/vaultwarden.nix | 11 +- hosts/bekkalokk/services/webmail/default.nix | 8 +- .../bekkalokk/services/webmail/roundcube.nix | 63 +- .../bekkalokk/services/webmail/snappymail.nix | 12 +- hosts/bekkalokk/services/website/default.nix | 106 +-- .../services/website/fetch-gallery.nix | 29 +- .../bekkalokk/services/well-known/default.nix | 45 +- hosts/bicep/configuration.nix | 19 +- hosts/bicep/hardware-configuration.nix | 51 +- hosts/bicep/services/calendar-bot.nix | 11 +- hosts/bicep/services/git-mirrors/default.nix | 135 ++-- hosts/bicep/services/matrix/coturn.nix | 47 +- hosts/bicep/services/matrix/discord.nix | 19 +- hosts/bicep/services/matrix/element.nix | 22 +- .../services/matrix/hookshot/default.nix | 52 +- hosts/bicep/services/matrix/livekit.nix | 24 +- hosts/bicep/services/matrix/mjolnir.nix | 7 +- .../services/matrix/out-of-your-element.nix | 
9 +- .../matrix/smtp-authenticator/default.nix | 7 +- hosts/bicep/services/matrix/synapse-admin.nix | 8 +- .../matrix/synapse-auto-compressor.nix | 7 +- hosts/bicep/services/matrix/synapse.nix | 145 ++-- hosts/bicep/services/matrix/well-known.nix | 7 +- hosts/bicep/services/minecraft-heatmap.nix | 43 +- hosts/bicep/services/mysql/backup.nix | 44 +- hosts/bicep/services/mysql/default.nix | 22 +- hosts/bicep/services/postgresql/backup.nix | 44 +- hosts/bicep/services/postgresql/default.nix | 8 +- hosts/bikkje/configuration.nix | 96 ++- hosts/brzeczyszczykiewicz/configuration.nix | 23 +- .../hardware-configuration.nix | 46 +- hosts/georg/configuration.nix | 23 +- hosts/georg/hardware-configuration.nix | 45 +- hosts/ildkule/configuration.nix | 68 +- hosts/ildkule/hardware-configuration.nix | 7 +- hosts/ildkule/services/journald-remote.nix | 37 +- hosts/ildkule/services/monitoring/grafana.nix | 55 +- hosts/ildkule/services/monitoring/loki.nix | 3 +- .../monitoring/prometheus/default.nix | 6 +- .../services/monitoring/prometheus/exim.nix | 8 +- .../services/monitoring/prometheus/gitea.nix | 26 +- .../monitoring/prometheus/machines.nix | 119 ++- .../monitoring/prometheus/matrix-synapse.nix | 74 +- .../services/monitoring/prometheus/mysqld.nix | 52 +- .../monitoring/prometheus/postgres.nix | 52 +- .../services/monitoring/uptime-kuma.nix | 10 +- hosts/kommode/configuration.nix | 12 +- hosts/kommode/hardware-configuration.nix | 23 +- .../services/gitea/customization/default.nix | 97 +-- hosts/kommode/services/gitea/default.nix | 82 +- hosts/kommode/services/gitea/gpg.nix | 7 +- .../services/gitea/import-users/default.nix | 15 +- .../gitea/web-secret-provider/default.nix | 56 +- hosts/lupine/configuration.nix | 12 +- .../hardware-configuration/lupine-1.nix | 48 +- .../hardware-configuration/lupine-2.nix | 48 +- .../hardware-configuration/lupine-3.nix | 48 +- .../hardware-configuration/lupine-4.nix | 35 +- .../hardware-configuration/lupine-5.nix | 48 +- 
hosts/lupine/services/gitea-runner.nix | 5 +- hosts/shark/configuration.nix | 21 +- hosts/shark/hardware-configuration.nix | 45 +- hosts/skrot/hardware-configuration.nix | 21 +- hosts/skrott/configuration.nix | 31 +- hosts/temmie/configuration.nix | 13 +- hosts/temmie/hardware-configuration.nix | 44 +- hosts/temmie/services/nfs-mounts.nix | 14 +- hosts/temmie/services/userweb.nix | 303 ++++---- hosts/ustetind/configuration.nix | 14 +- hosts/ustetind/services/gitea-runners.nix | 15 +- hosts/wenche/configuration.nix | 22 +- hosts/wenche/hardware-configuration.nix | 43 +- modules/bluemap.nix | 271 ++++--- modules/gickup/default.nix | 410 +++++----- modules/gickup/hardlink-files.nix | 7 +- modules/gickup/import-from-toml.nix | 7 +- modules/gickup/set-description.nix | 7 +- modules/gickup/update-linktree.nix | 79 +- modules/grzegorz.nix | 13 +- modules/matrix-ooye.nix | 6 +- modules/robots-txt.nix | 208 +++--- modules/rsync-pull-targets.nix | 245 +++--- modules/snakeoil-certs.nix | 135 ++-- modules/snappymail.nix | 38 +- packages/bluemap.nix | 8 +- packages/mediawiki-extensions/default.nix | 52 +- packages/simplesamlphp/default.nix | 21 +- shell.nix | 4 +- topology/default.nix | 159 ++-- topology/non-nixos-machines.nix | 25 +- topology/service-extractors/gitea-runners.nix | 7 +- topology/service-extractors/greg-ng.nix | 4 +- topology/service-extractors/mysql.nix | 11 +- topology/service-extractors/postgresql.nix | 7 +- users/albertba.nix | 6 +- users/danio.nix | 6 +- users/default.nix | 9 +- users/felixalb.nix | 10 +- users/frero.nix | 6 +- users/jonmro.nix | 6 +- values.nix | 20 +- 127 files changed, 3804 insertions(+), 2402 deletions(-) diff --git a/base/nix.nix b/base/nix.nix index d5eae56..61b3e5d 100644 --- a/base/nix.nix +++ b/base/nix.nix @@ -1,4 +1,9 @@ -{ lib, config, inputs, ... }: +{ + lib, + config, + inputs, + ... +}: { nix = { gc = { 
@@ -11,16 +16,21 @@ allow-dirty = true; auto-allocate-uids = true; builders-use-substitutes = true; - experimental-features = [ "nix-command" "flakes" "auto-allocate-uids" ]; + experimental-features = [ + "nix-command" + "flakes" + "auto-allocate-uids" + ]; log-lines = 50; use-xdg-base-directories = true; }; - /* This makes commandline tools like - ** nix run nixpkgs#hello - ** and nix-shell -p hello - ** use the same channel the system - ** was built with + /* + This makes commandline tools like + ** nix run nixpkgs#hello + ** and nix-shell -p hello + ** use the same channel the system + ** was built with */ registry = lib.mkMerge [ { diff --git a/base/services/auto-upgrade.nix b/base/services/auto-upgrade.nix index 8b003e8..3586ce2 100644 --- a/base/services/auto-upgrade.nix +++ b/base/services/auto-upgrade.nix @@ -1,4 +1,10 @@ -{ config, inputs, pkgs, lib, ... }: +{ + config, + inputs, + pkgs, + lib, + ... +}: let inputUrls = lib.mapAttrs (input: value: value.url) (import "${inputs.self}/flake.nix").inputs; 
@@ -16,26 +22,34 @@ in
 # --update-input is deprecated since nix 2.22, and removed in lix 2.90
 # as such we instead use --override-input combined with --refresh
 # https://git.lix.systems/lix-project/lix/issues/400
- ] ++ (lib.pipe inputUrls [
+ ]
+ ++ (lib.pipe inputUrls [
 (lib.intersectAttrs {
 nixpkgs = { };
 nixpkgs-unstable = { };
 })
- (lib.mapAttrsToList (input: url: ["--override-input" input url]))
+ (lib.mapAttrsToList (
+ input: url: [
+ "--override-input"
+ input
+ url
+ ]
+ ))
 lib.concatLists
 ]);
 };
 
 # workaround for https://github.com/NixOS/nix/issues/6895
 # via https://git.lix.systems/lix-project/lix/issues/400
- environment.etc = lib.mkIf (!config.virtualisation.isVmVariant && config.system.autoUpgrade.enable) {
- "current-system-flake-inputs.json".source
- = pkgs.writers.writeJSON "flake-inputs.json" (
- lib.flip lib.mapAttrs inputs (name: input:
- # inputs.*.sourceInfo sans outPath, since writeJSON will otherwise serialize sourceInfo like a derivation
- lib.removeAttrs (input.sourceInfo or {}) [ "outPath" ]
- // { store-path = input.outPath; } # comment this line if you don't want to retain a store reference to the flake inputs
- )
- );
- };
+ environment.etc =
+ lib.mkIf (!config.virtualisation.isVmVariant && config.system.autoUpgrade.enable)
+ {
+ "current-system-flake-inputs.json".source = pkgs.writers.writeJSON "flake-inputs.json" (
+ lib.flip lib.mapAttrs inputs (
+ name: input:
+ # inputs.*.sourceInfo sans outPath, since writeJSON will otherwise serialize sourceInfo like a derivation
+ lib.removeAttrs (input.sourceInfo or { }) [ "outPath" ] // { store-path = input.outPath; } # comment this line if you don't want to retain a store reference to the flake inputs
+ )
+ );
+ };
 }
diff --git a/base/services/irqbalance.nix b/base/services/irqbalance.nix
index 078e569..2fc96fe 100644
--- a/base/services/irqbalance.nix
+++ b/base/services/irqbalance.nix
@@ -1,4 +1,4 @@
 { ... }:
 {
 services.irqbalance.enable = true;
-}
\ No newline at end of file
+}
diff --git a/base/services/journald-upload.nix b/base/services/journald-upload.nix index 1d84d98..17d13fe 100644 --- a/base/services/journald-upload.nix +++ b/base/services/journald-upload.nix @@ -1,4 +1,9 @@ -{ config, lib, values, ... }: +{ + config, + lib, + values, + ... +}: let cfg = config.services.journald.upload; in diff --git a/base/services/logrotate.nix b/base/services/logrotate.nix index fe61c03..f04a2a0 100644 --- a/base/services/logrotate.nix +++ b/base/services/logrotate.nix @@ -1,7 +1,10 @@ { ... }: { systemd.services.logrotate = { - documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ]; + documentation = [ + "man:logrotate(8)" + "man:logrotate.conf(5)" + ]; unitConfig.RequiresMountsFor = "/var/log"; serviceConfig.ReadWritePaths = [ "/var/log" ]; }; diff --git a/base/services/nginx.nix b/base/services/nginx.nix index 9053c09..9ff9fcc 100644 --- a/base/services/nginx.nix +++ b/base/services/nginx.nix @@ -11,7 +11,10 @@ }; }; - networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ]; + networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ + 80 + 443 + ]; services.nginx = { recommendedTlsSettings = true; diff --git a/base/services/openssh.nix b/base/services/openssh.nix index d61dd2e..dd1fff8 100644 --- a/base/services/openssh.nix +++ b/base/services/openssh.nix @@ -12,10 +12,9 @@ settings.PermitRootLogin = "yes"; }; - users.users."root".openssh.authorizedKeys.keys = [ - "ssh-rsa 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 openstack-sleipner" + users.users."root".openssh.authorizedKeys.keys = [ + "ssh-rsa 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 openstack-sleipner" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICCbgJ0Uwh9VSVhfId7l9i5/jk4CvAK5rbkiab8R+moF root@sleipner" - ]; + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICCbgJ0Uwh9VSVhfId7l9i5/jk4CvAK5rbkiab8R+moF root@sleipner" + ]; } - 
diff --git a/base/services/postfix.nix b/base/services/postfix.nix
index e721faf..d869187 100644
--- a/base/services/postfix.nix
+++ b/base/services/postfix.nix
@@ -1,4 +1,9 @@
-{ config, pkgs, lib, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
 let
 cfg = config.services.postfix;
 in
diff --git a/base/services/prometheus-node-exporter.nix b/base/services/prometheus-node-exporter.nix
index bdacdb1..1e17095 100644
--- a/base/services/prometheus-node-exporter.nix
+++ b/base/services/prometheus-node-exporter.nix
@@ -1,4 +1,9 @@
-{ config, lib, values, ... }:
+{
+ config,
+ lib,
+ values,
+ ...
+}:
 let
 cfg = config.services.prometheus.exporters.node;
 in
diff --git a/base/services/prometheus-systemd-exporter.nix b/base/services/prometheus-systemd-exporter.nix
index 0599c04..4df7454 100644
--- a/base/services/prometheus-systemd-exporter.nix
+++ b/base/services/prometheus-systemd-exporter.nix
@@ -1,4 +1,9 @@
-{ config, lib, values, ... }:
+{
+ config,
+ lib,
+ values,
+ ...
+}:
 let
 cfg = config.services.prometheus.exporters.systemd;
 in
diff --git a/base/services/promtail.nix b/base/services/promtail.nix
index f8f7b85..96c93a0 100644
--- a/base/services/promtail.nix
+++ b/base/services/promtail.nix
@@ -1,4 +1,9 @@
-{ config, lib, values, ... }:
+{
+ config,
+ lib,
+ values,
+ ...
+}:
 let
 cfg = config.services.prometheus.exporters.node;
 in
@@ -10,29 +15,33 @@ in
 http_listen_port = 28183;
 grpc_listen_port = 0;
 };
- clients = [{
- url = "http://ildkule.pvv.ntnu.no:3100/loki/api/v1/push";
- }];
- scrape_configs = [{
- job_name = "systemd-journal";
- journal = {
- max_age = "12h";
- labels = {
- job = "systemd-journal";
- host = config.networking.hostName;
+ clients = [
+ {
+ url = "http://ildkule.pvv.ntnu.no:3100/loki/api/v1/push";
+ }
+ ];
+ scrape_configs = [
+ {
+ job_name = "systemd-journal";
+ journal = {
+ max_age = "12h";
+ labels = {
+ job = "systemd-journal";
+ host = config.networking.hostName;
+ };
 };
- };
- relabel_configs = [
- {
- source_labels = [ "__journal__systemd_unit" ];
- target_label = "unit";
- }
- {
- source_labels = [ "__journal_priority_keyword" ];
- target_label = "level";
- }
- ];
- }];
+ relabel_configs = [
+ {
+ source_labels = [ "__journal__systemd_unit" ];
+ target_label = "unit";
+ }
+ {
+ source_labels = [ "__journal_priority_keyword" ];
+ target_label = "level";
+ }
+ ];
+ }
+ ];
 };
 };
 }
diff --git a/base/services/smartd.nix b/base/services/smartd.nix
index ff708a9..9edc82c 100644
--- a/base/services/smartd.nix
+++ b/base/services/smartd.nix
@@ -1,4 +1,9 @@
-{ config, pkgs, lib, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
 {
 services.smartd = {
 # NOTE: qemu guests tend not to have SMART-reporting disks. Please override for the
@@ -14,9 +19,12 @@
 };
 };
 
- environment.systemPackages = lib.optionals config.services.smartd.enable (with pkgs; [
- smartmontools
- ]);
+ environment.systemPackages = lib.optionals config.services.smartd.enable (
+ with pkgs;
+ [
+ smartmontools
+ ]
+ );
 
 systemd.services.smartd.unitConfig.ConditionVirtualization = "no";
 }
diff --git a/base/services/thermald.nix b/base/services/thermald.nix
index ced2dad..5fbeae9 100644
--- a/base/services/thermald.nix
+++ b/base/services/thermald.nix
@@ -2,7 +2,7 @@
 {
 # Let's not thermal throttle
 services.thermald.enable = lib.mkIf (lib.all (x: x) [
- (config.nixpkgs.system == "x86_64-linux")
- (!config.boot.isContainer or false)
- ]) true;
-}
\ No newline at end of file
+ (config.nixpkgs.system == "x86_64-linux")
+ (!config.boot.isContainer or false)
+ ]) true;
+}
diff --git a/base/services/uptimed.nix b/base/services/uptimed.nix
index 9bc192c..1a849bf 100644
--- a/base/services/uptimed.nix
+++ b/base/services/uptimed.nix
@@ -1,4 +1,9 @@
-{ config, pkgs, lib, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
 let
 cfg = config.services.uptimed;
 in
@@ -15,45 +20,48 @@ in services.uptimed = { enable = true; - settings = let - stateDir = "/var/lib/uptimed"; - in { - PIDFILE = "${stateDir}/pid"; - SENDMAIL = lib.mkDefault "${pkgs.system-sendmail}/bin/sendmail -t"; - }; + settings = + let + stateDir = "/var/lib/uptimed"; + in + { + PIDFILE = "${stateDir}/pid"; + SENDMAIL = lib.mkDefault "${pkgs.system-sendmail}/bin/sendmail -t"; + }; }; systemd.services.uptimed = lib.mkIf (cfg.enable) { - serviceConfig = let - uptimed = pkgs.uptimed.overrideAttrs (prev: { - postPatch = '' - substituteInPlace Makefile.am \ - --replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf' - substituteInPlace src/Makefile.am \ - --replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf' - ''; - }); + serviceConfig = + let + uptimed = pkgs.uptimed.overrideAttrs (prev: { + postPatch = '' + substituteInPlace Makefile.am \ + --replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf' + substituteInPlace src/Makefile.am \ + --replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf' + ''; + }); - in { - Type = "notify"; + in + { + Type = "notify"; - ExecStart = lib.mkForce "${uptimed}/sbin/uptimed -f"; + ExecStart = lib.mkForce "${uptimed}/sbin/uptimed -f"; - BindReadOnlyPaths = let - configFile = lib.pipe cfg.settings [ - (lib.mapAttrsToList - (k: v: - if builtins.isList v - then lib.mapConcatStringsSep "\n" (v': "${k}=${v'}") v - else "${k}=${v}") - ) - (lib.concatStringsSep "\n") - (pkgs.writeText "uptimed.conf") - ]; - in [ - "${configFile}:/var/lib/uptimed/uptimed.conf" - ]; - }; + BindReadOnlyPaths = + let + configFile = lib.pipe cfg.settings [ + (lib.mapAttrsToList ( + k: v: if builtins.isList v then lib.mapConcatStringsSep "\n" (v': "${k}=${v'}") v else "${k}=${v}" + )) + (lib.concatStringsSep "\n") + (pkgs.writeText "uptimed.conf") + ]; + in + [ + "${configFile}:/var/lib/uptimed/uptimed.conf" + ]; + }; }; }; } 
diff --git a/base/sops.nix b/base/sops.nix
index a050f79..5d6c250 100644
--- a/base/sops.nix
+++ b/base/sops.nix
@@ -1,8 +1,15 @@
-{ config, fp, lib, ... }:
 {
- sops.defaultSopsFile = let
- secretsFilePath = fp /secrets/${config.networking.hostName}/${config.networking.hostName}.yaml;
- in lib.mkIf (builtins.pathExists secretsFilePath) secretsFilePath;
+ config,
+ fp,
+ lib,
+ ...
+}:
+{
+ sops.defaultSopsFile =
+ let
+ secretsFilePath = fp /secrets/${config.networking.hostName}/${config.networking.hostName}.yaml;
+ in
+ lib.mkIf (builtins.pathExists secretsFilePath) secretsFilePath;
 
 sops.age = lib.mkIf (config.sops.defaultSopsFile != null) {
 sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];
diff --git a/flake.nix b/flake.nix
index 6322b6b..feb88af 100644
--- a/flake.nix
+++ b/flake.nix
@@ -49,348 +49,403 @@ qotd.inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs: - let - inherit (nixpkgs) lib; - systems = [ - "x86_64-linux" - "aarch64-linux" - "aarch64-darwin" - ]; - forAllSystems = f: lib.genAttrs systems f; - allMachines = builtins.attrNames self.nixosConfigurations; - importantMachines = [ - "bekkalokk" - "bicep" - "brzeczyszczykiewicz" - "georg" - "ildkule" - ]; - in { - inputs = lib.mapAttrs (_: src: src.outPath) inputs; + outputs = + { + self, + nixpkgs, + nixpkgs-unstable, + sops-nix, + disko, + ... + }@inputs: + let + inherit (nixpkgs) lib; + systems = [ + "x86_64-linux" + "aarch64-linux" + "aarch64-darwin" + ]; + forAllSystems = f: lib.genAttrs systems f; + allMachines = builtins.attrNames self.nixosConfigurations; + importantMachines = [ + "bekkalokk" + "bicep" + "brzeczyszczykiewicz" + "georg" + "ildkule" + ]; + in + { + inputs = lib.mapAttrs (_: src: src.outPath) inputs; - pkgs = forAllSystems (system: import nixpkgs { - inherit system; - config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) - [ - "nvidia-x11" - "nvidia-settings" - ]; - }); - - nixosConfigurations = let - nixosConfig = - nixpkgs: - name: - configurationPath: - extraArgs@{ - localSystem ? "x86_64-linux", # buildPlatform - crossSystem ? "x86_64-linux", # hostPlatform - specialArgs ? { }, - modules ? [ ], - overlays ? [ ], - enableDefaults ? true, - ... 
- }: - let - commonPkgsConfig = { - inherit localSystem crossSystem; - config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) - [ - "nvidia-x11" - "nvidia-settings" - ]; - overlays = (lib.optionals enableDefaults [ - # Global overlays go here - inputs.roowho2.overlays.default - ]) ++ overlays; - }; - - pkgs = import nixpkgs commonPkgsConfig; - unstablePkgs = import nixpkgs-unstable commonPkgsConfig; - in - lib.nixosSystem (lib.recursiveUpdate - { - system = crossSystem; - - inherit pkgs; - - specialArgs = { - inherit inputs unstablePkgs; - values = import ./values.nix; - fp = path: ./${path}; - } // specialArgs; - - modules = [ - { - networking.hostName = lib.mkDefault name; - } - configurationPath - ] ++ (lib.optionals enableDefaults [ - sops-nix.nixosModules.sops - inputs.roowho2.nixosModules.default - self.nixosModules.rsync-pull-targets - ]) ++ modules; + pkgs = forAllSystems ( + system: + import nixpkgs { + inherit system; + config.allowUnfreePredicate = + pkg: + builtins.elem (lib.getName pkg) [ + "nvidia-x11" + "nvidia-settings" + ]; } - (builtins.removeAttrs extraArgs [ - "localSystem" - "crossSystem" - "modules" - "overlays" - "specialArgs" - "enableDefaults" - ]) ); - stableNixosConfig = name: extraArgs: - nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs; - in { - bakke = stableNixosConfig "bakke" { - modules = [ - inputs.disko.nixosModules.disko - ]; - }; - bicep = stableNixosConfig "bicep" { - modules = [ - inputs.matrix-next.nixosModules.default - inputs.pvv-calendar-bot.nixosModules.default - inputs.minecraft-heatmap.nixosModules.default - self.nixosModules.gickup - self.nixosModules.matrix-ooye - ]; - overlays = [ - inputs.pvv-calendar-bot.overlays.default - inputs.minecraft-heatmap.overlays.default - (final: prev: { - inherit (self.packages.${prev.stdenv.hostPlatform.system}) out-of-your-element; - }) - ]; - }; - bekkalokk = stableNixosConfig "bekkalokk" { - overlays = [ - (final: prev: { - mediawiki-extensions = 
final.callPackage ./packages/mediawiki-extensions { }; - simplesamlphp = final.callPackage ./packages/simplesamlphp { }; - bluemap = final.callPackage ./packages/bluemap.nix { }; - }) - inputs.pvv-nettsiden.overlays.default - inputs.qotd.overlays.default - ]; - modules = [ - inputs.pvv-nettsiden.nixosModules.default - self.nixosModules.bluemap - inputs.qotd.nixosModules.default - ]; - }; - ildkule = stableNixosConfig "ildkule" { }; - #ildkule-unstable = unstableNixosConfig "ildkule" { }; - skrot = stableNixosConfig "skrot" { - modules = [ - inputs.disko.nixosModules.disko - inputs.dibbler.nixosModules.default - ]; - overlays = [inputs.dibbler.overlays.default]; - }; - shark = stableNixosConfig "shark" { }; - wenche = stableNixosConfig "wenche" { }; - temmie = stableNixosConfig "temmie" { }; - gluttony = stableNixosConfig "gluttony" { }; + nixosConfigurations = + let + nixosConfig = + nixpkgs: name: configurationPath: + extraArgs@{ + localSystem ? "x86_64-linux", # buildPlatform + crossSystem ? "x86_64-linux", # hostPlatform + specialArgs ? { }, + modules ? [ ], + overlays ? [ ], + enableDefaults ? true, + ... 
+ }: + let + commonPkgsConfig = { + inherit localSystem crossSystem; + config.allowUnfreePredicate = + pkg: + builtins.elem (lib.getName pkg) [ + "nvidia-x11" + "nvidia-settings" + ]; + overlays = + (lib.optionals enableDefaults [ + # Global overlays go here + inputs.roowho2.overlays.default + ]) + ++ overlays; + }; - kommode = stableNixosConfig "kommode" { - overlays = [ - inputs.nix-gitea-themes.overlays.default - ]; - modules = [ - inputs.nix-gitea-themes.nixosModules.default - inputs.disko.nixosModules.disko - ]; - }; + pkgs = import nixpkgs commonPkgsConfig; + unstablePkgs = import nixpkgs-unstable commonPkgsConfig; + in + lib.nixosSystem ( + lib.recursiveUpdate + { + system = crossSystem; - ustetind = stableNixosConfig "ustetind" { - modules = [ - "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix" - ]; - }; + inherit pkgs; - brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" { - modules = [ - inputs.grzegorz-clients.nixosModules.grzegorz-webui - inputs.gergle.nixosModules.default - inputs.greg-ng.nixosModules.default - ]; - overlays = [ - inputs.greg-ng.overlays.default - inputs.gergle.overlays.default - ]; - }; - georg = stableNixosConfig "georg" { - modules = [ - inputs.grzegorz-clients.nixosModules.grzegorz-webui - inputs.gergle.nixosModules.default - inputs.greg-ng.nixosModules.default - ]; - overlays = [ - inputs.greg-ng.overlays.default - inputs.gergle.overlays.default - ]; - }; - } - // - (let - skrottConfig = { - modules = [ - (nixpkgs + "/nixos/modules/installer/sd-card/sd-image-aarch64.nix") - inputs.dibbler.nixosModules.default - ]; - overlays = [ - inputs.dibbler.overlays.default - (final: prev: { - # NOTE: Yeetus (these break crosscompile ¯\_(ツ)_/¯) - atool = prev.emptyDirectory; - micro = prev.emptyDirectory; - ncdu = prev.emptyDirectory; - }) - ]; - }; - in { - skrott = self.nixosConfigurations.skrott-native; - skrott-native = stableNixosConfig "skrott" (skrottConfig // { - localSystem = "aarch64-linux"; - crossSystem = 
"aarch64-linux"; - }); - skrott-cross = stableNixosConfig "skrott" (skrottConfig // { - localSystem = "x86_64-linux"; - crossSystem = "aarch64-linux"; - }); - skrott-x86_64 = stableNixosConfig "skrott" (skrottConfig // { - localSystem = "x86_64-linux"; - crossSystem = "x86_64-linux"; - }); - }) - // - (let - machineNames = map (i: "lupine-${toString i}") (lib.range 1 5); - stableLupineNixosConfig = name: extraArgs: - nixosConfig nixpkgs name ./hosts/lupine/configuration.nix extraArgs; - in lib.genAttrs machineNames (name: stableLupineNixosConfig name { - modules = [{ networking.hostName = name; }]; - specialArgs.lupineName = name; - })); + specialArgs = { + inherit inputs unstablePkgs; + values = import ./values.nix; + fp = path: ./${path}; + } + // specialArgs; - nixosModules = { - bluemap = ./modules/bluemap.nix; - gickup = ./modules/gickup; - matrix-ooye = ./modules/matrix-ooye.nix; - robots-txt = ./modules/robots-txt.nix; - rsync-pull-targets = ./modules/rsync-pull-targets.nix; - snakeoil-certs = ./modules/snakeoil-certs.nix; - snappymail = ./modules/snappymail.nix; - }; + modules = [ + { + networking.hostName = lib.mkDefault name; + } + configurationPath + ] + ++ (lib.optionals enableDefaults [ + sops-nix.nixosModules.sops + inputs.roowho2.nixosModules.default + self.nixosModules.rsync-pull-targets + ]) + ++ modules; + } + ( + builtins.removeAttrs extraArgs [ + "localSystem" + "crossSystem" + "modules" + "overlays" + "specialArgs" + "enableDefaults" + ] + ) + ); - devShells = forAllSystems (system: { - default = let - pkgs = import nixpkgs-unstable { - inherit system; - overlays = [ - (final: prev: { - inherit (inputs.disko.packages.${system}) disko; - }) - ]; - }; - in pkgs.callPackage ./shell.nix { }; - cuda = let - cuda-pkgs = import nixpkgs-unstable { - inherit system; - config = { - allowUnfree = true; - cudaSupport = true; + stableNixosConfig = + name: extraArgs: nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs; + in + { + bakke = 
stableNixosConfig "bakke" { + modules = [ + inputs.disko.nixosModules.disko + ]; }; - }; - in cuda-pkgs.callPackage ./shells/cuda.nix { }; - }); - - packages = { - "x86_64-linux" = let - system = "x86_64-linux"; - pkgs = nixpkgs.legacyPackages.${system}; - in rec { - default = important-machines; - important-machines = pkgs.linkFarm "important-machines" - (lib.getAttrs importantMachines self.packages.${system}); - all-machines = pkgs.linkFarm "all-machines" - (lib.getAttrs allMachines self.packages.${system}); - - simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { }; - - bluemap = pkgs.callPackage ./packages/bluemap.nix { }; - - out-of-your-element = pkgs.callPackage ./packages/ooye/package.nix { }; - } - // - # Mediawiki extensions - (lib.pipe null [ - (_: pkgs.callPackage ./packages/mediawiki-extensions { }) - (lib.flip builtins.removeAttrs ["override" "overrideDerivation"]) - (lib.mapAttrs' (name: lib.nameValuePair "mediawiki-${name}")) - ]) - // - # Machines - lib.genAttrs allMachines - (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel) - // - # Skrott is exception - { - skrott = self.packages.${system}.skrott-native-sd; - skrott-native = self.nixosConfigurations.skrott-native.config.system.build.toplevel; - skrott-native-sd = self.nixosConfigurations.skrott-native.config.system.build.sdImage; - skrott-cross = self.nixosConfigurations.skrott-cross.config.system.build.toplevel; - skrott-cross-sd = self.nixosConfigurations.skrott-cross.config.system.build.sdImage; - skrott-x86_64 = self.nixosConfigurations.skrott-x86_64.config.system.build.toplevel; - } - // - # Nix-topology - (let - topology' = import inputs.nix-topology { - pkgs = import nixpkgs { - inherit system; + bicep = stableNixosConfig "bicep" { + modules = [ + inputs.matrix-next.nixosModules.default + inputs.pvv-calendar-bot.nixosModules.default + inputs.minecraft-heatmap.nixosModules.default + self.nixosModules.gickup + self.nixosModules.matrix-ooye + ]; overlays = [ - 
inputs.nix-topology.overlays.default + inputs.pvv-calendar-bot.overlays.default + inputs.minecraft-heatmap.overlays.default (final: prev: { - inherit (nixpkgs-unstable.legacyPackages.${system}) super-tiny-icons; + inherit (self.packages.${prev.stdenv.hostPlatform.system}) out-of-your-element; }) ]; }; + bekkalokk = stableNixosConfig "bekkalokk" { + overlays = [ + (final: prev: { + mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { }; + simplesamlphp = final.callPackage ./packages/simplesamlphp { }; + bluemap = final.callPackage ./packages/bluemap.nix { }; + }) + inputs.pvv-nettsiden.overlays.default + inputs.qotd.overlays.default + ]; + modules = [ + inputs.pvv-nettsiden.nixosModules.default + self.nixosModules.bluemap + inputs.qotd.nixosModules.default + ]; + }; + ildkule = stableNixosConfig "ildkule" { }; + #ildkule-unstable = unstableNixosConfig "ildkule" { }; + skrot = stableNixosConfig "skrot" { + modules = [ + inputs.disko.nixosModules.disko + inputs.dibbler.nixosModules.default + ]; + overlays = [ inputs.dibbler.overlays.default ]; + }; + shark = stableNixosConfig "shark" { }; + wenche = stableNixosConfig "wenche" { }; + temmie = stableNixosConfig "temmie" { }; + gluttony = stableNixosConfig "gluttony" { }; - specialArgs = { - values = import ./values.nix; + kommode = stableNixosConfig "kommode" { + overlays = [ + inputs.nix-gitea-themes.overlays.default + ]; + modules = [ + inputs.nix-gitea-themes.nixosModules.default + inputs.disko.nixosModules.disko + ]; }; - modules = [ - ./topology - { - nixosConfigurations = lib.mapAttrs (_name: nixosCfg: nixosCfg.extendModules { - modules = [ - inputs.nix-topology.nixosModules.default - ./topology/service-extractors/greg-ng.nix - ./topology/service-extractors/postgresql.nix - ./topology/service-extractors/mysql.nix - ./topology/service-extractors/gitea-runners.nix - ]; - }) self.nixosConfigurations; + ustetind = stableNixosConfig "ustetind" { + modules = [ + 
"${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix" + ]; + }; + + brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" { + modules = [ + inputs.grzegorz-clients.nixosModules.grzegorz-webui + inputs.gergle.nixosModules.default + inputs.greg-ng.nixosModules.default + ]; + overlays = [ + inputs.greg-ng.overlays.default + inputs.gergle.overlays.default + ]; + }; + georg = stableNixosConfig "georg" { + modules = [ + inputs.grzegorz-clients.nixosModules.grzegorz-webui + inputs.gergle.nixosModules.default + inputs.greg-ng.nixosModules.default + ]; + overlays = [ + inputs.greg-ng.overlays.default + inputs.gergle.overlays.default + ]; + }; + } + // ( + let + skrottConfig = { + modules = [ + (nixpkgs + "/nixos/modules/installer/sd-card/sd-image-aarch64.nix") + inputs.dibbler.nixosModules.default + ]; + overlays = [ + inputs.dibbler.overlays.default + (final: prev: { + # NOTE: Yeetus (these break crosscompile ¯\_(ツ)_/¯) + atool = prev.emptyDirectory; + micro = prev.emptyDirectory; + ncdu = prev.emptyDirectory; + }) + ]; + }; + in + { + skrott = self.nixosConfigurations.skrott-native; + skrott-native = stableNixosConfig "skrott" ( + skrottConfig + // { + localSystem = "aarch64-linux"; + crossSystem = "aarch64-linux"; + } + ); + skrott-cross = stableNixosConfig "skrott" ( + skrottConfig + // { + localSystem = "x86_64-linux"; + crossSystem = "aarch64-linux"; + } + ); + skrott-x86_64 = stableNixosConfig "skrott" ( + skrottConfig + // { + localSystem = "x86_64-linux"; + crossSystem = "x86_64-linux"; + } + ); + } + ) + // ( + let + machineNames = map (i: "lupine-${toString i}") (lib.range 1 5); + stableLupineNixosConfig = + name: extraArgs: nixosConfig nixpkgs name ./hosts/lupine/configuration.nix extraArgs; + in + lib.genAttrs machineNames ( + name: + stableLupineNixosConfig name { + modules = [ { networking.hostName = name; } ]; + specialArgs.lupineName = name; } - ]; - }; - in { - topology = topology'.config.output; - topology-png = pkgs.runCommand 
"pvv-config-topology-png" { - nativeBuildInputs = [ pkgs.writableTmpDirAsHomeHook ]; - } '' - mkdir -p "$out" - for file in '${topology'.config.output}'/*.svg; do - ${lib.getExe pkgs.imagemagick} -density 300 -background none "$file" "$out"/"$(basename "''${file%.svg}.png")" - done - ''; + ) + ); + + nixosModules = { + bluemap = ./modules/bluemap.nix; + gickup = ./modules/gickup; + matrix-ooye = ./modules/matrix-ooye.nix; + robots-txt = ./modules/robots-txt.nix; + rsync-pull-targets = ./modules/rsync-pull-targets.nix; + snakeoil-certs = ./modules/snakeoil-certs.nix; + snappymail = ./modules/snappymail.nix; + }; + + devShells = forAllSystems (system: { + default = + let + pkgs = import nixpkgs-unstable { + inherit system; + overlays = [ + (final: prev: { + inherit (inputs.disko.packages.${system}) disko; + }) + ]; + }; + in + pkgs.callPackage ./shell.nix { }; + cuda = + let + cuda-pkgs = import nixpkgs-unstable { + inherit system; + config = { + allowUnfree = true; + cudaSupport = true; + }; + }; + in + cuda-pkgs.callPackage ./shells/cuda.nix { }; }); + + packages = { + "x86_64-linux" = + let + system = "x86_64-linux"; + pkgs = nixpkgs.legacyPackages.${system}; + in + rec { + default = important-machines; + important-machines = pkgs.linkFarm "important-machines" ( + lib.getAttrs importantMachines self.packages.${system} + ); + all-machines = pkgs.linkFarm "all-machines" (lib.getAttrs allMachines self.packages.${system}); + + simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { }; + + bluemap = pkgs.callPackage ./packages/bluemap.nix { }; + + out-of-your-element = pkgs.callPackage ./packages/ooye/package.nix { }; + } + // + # Mediawiki extensions + (lib.pipe null [ + (_: pkgs.callPackage ./packages/mediawiki-extensions { }) + (lib.flip builtins.removeAttrs [ + "override" + "overrideDerivation" + ]) + (lib.mapAttrs' (name: lib.nameValuePair "mediawiki-${name}")) + ]) + // + # Machines + lib.genAttrs allMachines (machine: 
self.nixosConfigurations.${machine}.config.system.build.toplevel) + // + # Skrott is exception + { + skrott = self.packages.${system}.skrott-native-sd; + skrott-native = self.nixosConfigurations.skrott-native.config.system.build.toplevel; + skrott-native-sd = self.nixosConfigurations.skrott-native.config.system.build.sdImage; + skrott-cross = self.nixosConfigurations.skrott-cross.config.system.build.toplevel; + skrott-cross-sd = self.nixosConfigurations.skrott-cross.config.system.build.sdImage; + skrott-x86_64 = self.nixosConfigurations.skrott-x86_64.config.system.build.toplevel; + } + // + # Nix-topology + ( + let + topology' = import inputs.nix-topology { + pkgs = import nixpkgs { + inherit system; + overlays = [ + inputs.nix-topology.overlays.default + (final: prev: { + inherit (nixpkgs-unstable.legacyPackages.${system}) super-tiny-icons; + }) + ]; + }; + + specialArgs = { + values = import ./values.nix; + }; + + modules = [ + ./topology + { + nixosConfigurations = lib.mapAttrs ( + _name: nixosCfg: + nixosCfg.extendModules { + modules = [ + inputs.nix-topology.nixosModules.default + ./topology/service-extractors/greg-ng.nix + ./topology/service-extractors/postgresql.nix + ./topology/service-extractors/mysql.nix + ./topology/service-extractors/gitea-runners.nix + ]; + } + ) self.nixosConfigurations; + } + ]; + }; + in + { + topology = topology'.config.output; + topology-png = + pkgs.runCommand "pvv-config-topology-png" + { + nativeBuildInputs = [ pkgs.writableTmpDirAsHomeHook ]; + } + '' + mkdir -p "$out" + for file in '${topology'.config.output}'/*.svg; do + ${lib.getExe pkgs.imagemagick} -density 300 -background none "$file" "$out"/"$(basename "''${file%.svg}.png")" + done + ''; + } + ); + }; }; - }; } diff --git a/hosts/bakke/configuration.nix b/hosts/bakke/configuration.nix index 5478f9f..9dae903 100644 --- a/hosts/bakke/configuration.nix +++ b/hosts/bakke/configuration.nix 
@@ -1,15 +1,23 @@ -{ config, pkgs, values, ... }: +{ + config, + pkgs, + values, + ... +}: { imports = [ - ./hardware-configuration.nix - ../../base - ./filesystems.nix - ]; + ./hardware-configuration.nix + ../../base + ./filesystems.nix + ]; networking.hostId = "99609ffc"; systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // { matchConfig.Name = "enp2s0"; - address = with values.hosts.bakke; [ (ipv4 + "/25") (ipv6 + "/64") ]; + address = with values.hosts.bakke; [ + (ipv4 + "/25") + (ipv6 + "/64") + ]; }; # Don't change (even during upgrades) unless you know what you are doing. diff --git a/hosts/bakke/filesystems.nix b/hosts/bakke/filesystems.nix index c7cde6a..ca27a85 100644 --- a/hosts/bakke/filesystems.nix +++ b/hosts/bakke/filesystems.nix @@ -1,4 +1,4 @@ -{ pkgs,... }: +{ pkgs, ... }: { # Boot drives: boot.swraid.enable = true; diff --git a/hosts/bakke/hardware-configuration.nix b/hosts/bakke/hardware-configuration.nix index 2ad5b63..c88a8a8 100644 --- a/hosts/bakke/hardware-configuration.nix +++ b/hosts/bakke/hardware-configuration.nix 
@@ -1,41 +1,59 @@ # Do not modify this file! It was generated by 'nixos-generate-config' # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; - boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; + boot.initrd.availableKernelModules = [ + "ehci_pci" + "ahci" + "usbhid" + "usb_storage" + "sd_mod" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571"; - fsType = "btrfs"; - options = [ "subvol=root" ]; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571"; + fsType = "btrfs"; + options = [ "subvol=root" ]; + }; - fileSystems."/home" = - { device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571"; - fsType = "btrfs"; - options = [ "subvol=home" ]; - }; + fileSystems."/home" = { + device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571"; + fsType = "btrfs"; + options = [ "subvol=home" ]; + }; - fileSystems."/nix" = - { device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571"; - fsType = "btrfs"; - options = [ "subvol=nix" "noatime" ]; - }; + fileSystems."/nix" = { + device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571"; + fsType = "btrfs"; + options = [ + "subvol=nix" + "noatime" + ]; + }; - fileSystems."/boot" = - { device = "/dev/sdc2"; - fsType = "vfat"; - options = [ "fmask=0022" "dmask=0022" ]; - }; + fileSystems."/boot" = { + device = "/dev/sdc2"; + fsType = "vfat"; + options = [ + "fmask=0022" + "dmask=0022" + ]; + }; swapDevices = [ ]; 
diff --git a/hosts/bekkalokk/configuration.nix b/hosts/bekkalokk/configuration.nix index f208a48..16b50fc 100644 --- a/hosts/bekkalokk/configuration.nix +++ b/hosts/bekkalokk/configuration.nix @@ -1,4 +1,9 @@ -{ fp, pkgs, values, ... }: +{ + fp, + pkgs, + values, + ... +}: { imports = [ ./hardware-configuration.nix @@ -21,7 +26,10 @@ systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // { matchConfig.Name = "enp2s0"; - address = with values.hosts.bekkalokk; [ (ipv4 + "/25") (ipv6 + "/64") ]; + address = with values.hosts.bekkalokk; [ + (ipv4 + "/25") + (ipv6 + "/64") + ]; }; services.btrfs.autoScrub.enable = true; diff --git a/hosts/bekkalokk/hardware-configuration.nix b/hosts/bekkalokk/hardware-configuration.nix index 9d84289..a3f6ac8 100644 --- a/hosts/bekkalokk/hardware-configuration.nix +++ b/hosts/bekkalokk/hardware-configuration.nix 
@@ -1,31 +1,43 @@ # Do not modify this file! It was generated by 'nixos-generate-config' # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; - boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; + boot.initrd.availableKernelModules = [ + "ehci_pci" + "ahci" + "usbhid" + "usb_storage" + "sd_mod" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/sda1"; - fsType = "btrfs"; - }; + fileSystems."/" = { + device = "/dev/sda1"; + fsType = "btrfs"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/CE63-3B9B"; - fsType = "vfat"; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/CE63-3B9B"; + fsType = "vfat"; + }; - swapDevices = - [ { device = "/dev/disk/by-uuid/2df10c7b-0dec-45c6-a728-533f7da7f4b9"; } - ]; + swapDevices = [ + { device = "/dev/disk/by-uuid/2df10c7b-0dec-45c6-a728-533f7da7f4b9"; } + ]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's diff --git a/hosts/bekkalokk/services/bluemap.nix b/hosts/bekkalokk/services/bluemap.nix index bb14b70..eff2566 100644 --- a/hosts/bekkalokk/services/bluemap.nix +++ b/hosts/bekkalokk/services/bluemap.nix @@ -1,8 +1,15 @@ -{ config, lib, pkgs, inputs, ... }: +{ + config, + lib, + pkgs, + inputs, + ... +}: let vanillaSurvival = "/var/lib/bluemap/vanilla_survival_world"; format = pkgs.formats.hocon { }; -in { +in +{ # NOTE: our versino of the module gets added in flake.nix disabledModules = [ "services/web-apps/bluemap.nix" ]; 
@@ -17,82 +24,88 @@ in { host = "minecraft.pvv.ntnu.no"; - maps = let - inherit (inputs.minecraft-kartverket.packages.${pkgs.stdenv.hostPlatform.system}) bluemap-export; - in { - "verden" = { - extraHoconMarkersFile = "${bluemap-export}/overworld.hocon"; - settings = { - world = vanillaSurvival; - dimension = "minecraft:overworld"; - name = "Verden"; - sorting = 0; - start-pos = { - x = 0; - z = 0; + maps = + let + inherit (inputs.minecraft-kartverket.packages.${pkgs.stdenv.hostPlatform.system}) bluemap-export; + in + { + "verden" = { + extraHoconMarkersFile = "${bluemap-export}/overworld.hocon"; + settings = { + world = vanillaSurvival; + dimension = "minecraft:overworld"; + name = "Verden"; + sorting = 0; + start-pos = { + x = 0; + z = 0; + }; + ambient-light = 0.1; + cave-detection-ocean-floor = -5; + }; + }; + "underverden" = { + extraHoconMarkersFile = "${bluemap-export}/nether.hocon"; + settings = { + world = vanillaSurvival; + dimension = "minecraft:the_nether"; + name = "Underverden"; + sorting = 100; + start-pos = { + x = 0; + z = 0; + }; + sky-color = "#290000"; + void-color = "#150000"; + sky-light = 1; + ambient-light = 0.6; + remove-caves-below-y = -10000; + cave-detection-ocean-floor = -5; + cave-detection-uses-block-light = true; + render-mask = [ + { + max-y = 90; + } + ]; + }; + }; + "enden" = { + extraHoconMarkersFile = "${bluemap-export}/the-end.hocon"; + settings = { + world = vanillaSurvival; + dimension = "minecraft:the_end"; + name = "Enden"; + sorting = 200; + start-pos = { + x = 0; + z = 0; + }; + sky-color = "#080010"; + void-color = "#080010"; + sky-light = 1; + ambient-light = 0.6; + remove-caves-below-y = -10000; + cave-detection-ocean-floor = -5; }; - ambient-light = 0.1; - cave-detection-ocean-floor = -5; }; }; - "underverden" = { - extraHoconMarkersFile = "${bluemap-export}/nether.hocon"; - settings = { - world = vanillaSurvival; - dimension = "minecraft:the_nether"; - name = "Underverden"; - sorting = 100; - start-pos = { - x = 0; - 
z = 0; - }; - sky-color = "#290000"; - void-color = "#150000"; - sky-light = 1; - ambient-light = 0.6; - remove-caves-below-y = -10000; - cave-detection-ocean-floor = -5; - cave-detection-uses-block-light = true; - render-mask = [{ - max-y = 90; - }]; - }; - }; - "enden" = { - extraHoconMarkersFile = "${bluemap-export}/the-end.hocon"; - settings = { - world = vanillaSurvival; - dimension = "minecraft:the_end"; - name = "Enden"; - sorting = 200; - start-pos = { - x = 0; - z = 0; - }; - sky-color = "#080010"; - void-color = "#080010"; - sky-light = 1; - ambient-light = 0.6; - remove-caves-below-y = -10000; - cave-detection-ocean-floor = -5; - }; - }; - }; }; systemd.services."render-bluemap-maps" = { serviceConfig = { StateDirectory = [ "bluemap/world" ]; - ExecStartPre = let - rsyncArgs = lib.cli.toCommandLineShellGNU { } { - archive = true; - compress = true; - verbose = true; - no-owner = true; - no-group = true; - rsh = "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey"; - }; - in "${lib.getExe pkgs.rsync} ${rsyncArgs} root@innovation.pvv.ntnu.no:/ ${vanillaSurvival}"; + ExecStartPre = + let + rsyncArgs = lib.cli.toCommandLineShellGNU { } { + archive = true; + compress = true; + verbose = true; + no-owner = true; + no-group = true; + rsh = "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey"; + }; + in + "${lib.getExe pkgs.rsync} ${rsyncArgs} root@innovation.pvv.ntnu.no:/ ${vanillaSurvival}"; LoadCredential = [ "sshkey:${config.sops.secrets."bluemap/ssh-key".path}" "ssh-known-hosts:${config.sops.secrets."bluemap/ssh-known-hosts".path}" diff --git a/hosts/bekkalokk/services/idp-simplesamlphp/default.nix b/hosts/bekkalokk/services/idp-simplesamlphp/default.nix index 1781f46..8e4392e 100644 --- a/hosts/bekkalokk/services/idp-simplesamlphp/default.nix +++ b/hosts/bekkalokk/services/idp-simplesamlphp/default.nix 
@@ -1,8 +1,16 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: let pwAuthScript = pkgs.writeShellApplication { name = "pwauth"; - runtimeInputs = with pkgs; [ coreutils heimdal ]; + runtimeInputs = with pkgs; [ + coreutils + heimdal + ]; text = '' read -r user1 user2="$(echo -n "$user1" | tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz')" @@ -33,7 +41,7 @@ let "metadata/saml20-sp-remote.php" = pkgs.writeText "saml20-sp-remote.php" '' [ @@ -85,14 +93,20 @@ let substituteInPlace "$out" \ --replace-warn '$SAML_COOKIE_SECURE' 'true' \ - --replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."idp/cookie_salt".path}")' \ + --replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${ + config.sops.secrets."idp/cookie_salt".path + }")' \ --replace-warn '$SAML_ADMIN_NAME' '"Drift"' \ --replace-warn '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \ - --replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/admin_password".path}")' \ + --replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${ + config.sops.secrets."idp/admin_password".path + }")' \ --replace-warn '$SAML_TRUSTED_DOMAINS' 'array( "idp.pvv.ntnu.no" )' \ --replace-warn '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp"' \ --replace-warn '$SAML_DATABASE_USERNAME' '"idp"' \ - --replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/postgres_password".path}")' \ + --replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${ + config.sops.secrets."idp/postgres_password".path + }")' \ --replace-warn '$CACHE_DIRECTORY' '/var/cache/idp' ''; 
@@ -158,23 +172,25 @@ in services.phpfpm.pools.idp = { user = "idp"; group = "idp"; - settings = let - listenUser = config.services.nginx.user; - listenGroup = config.services.nginx.group; - in { - "pm" = "dynamic"; - "pm.max_children" = 32; - "pm.max_requests" = 500; - "pm.start_servers" = 2; - "pm.min_spare_servers" = 2; - "pm.max_spare_servers" = 4; - "listen.owner" = listenUser; - "listen.group" = listenGroup; + settings = + let + listenUser = config.services.nginx.user; + listenGroup = config.services.nginx.group; + in + { + "pm" = "dynamic"; + "pm.max_children" = 32; + "pm.max_requests" = 500; + "pm.start_servers" = 2; + "pm.min_spare_servers" = 2; + "pm.max_spare_servers" = 4; + "listen.owner" = listenUser; + "listen.group" = listenGroup; - "catch_workers_output" = true; - "php_admin_flag[log_errors]" = true; - # "php_admin_value[error_log]" = "stderr"; - }; + "catch_workers_output" = true; + "php_admin_flag[log_errors]" = true; + # "php_admin_value[error_log]" = "stderr"; + }; }; services.nginx.virtualHosts."idp.pvv.ntnu.no" = { @@ -182,7 +198,7 @@ in enableACME = true; kTLS = true; root = "${package}/share/php/simplesamlphp/public"; - locations = { + locations = { # based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx "/" = { alias = "${package}/share/php/simplesamlphp/public/"; diff --git a/hosts/bekkalokk/services/kerberos.nix b/hosts/bekkalokk/services/kerberos.nix index 54d17e3..b9051d5 100644 --- a/hosts/bekkalokk/services/kerberos.nix +++ b/hosts/bekkalokk/services/kerberos.nix @@ -1,4 +1,9 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: { security.krb5 = { enable = true; diff --git a/hosts/bekkalokk/services/mediawiki/default.nix b/hosts/bekkalokk/services/mediawiki/default.nix index ec37d89..aba855b 100644 --- a/hosts/bekkalokk/services/mediawiki/default.nix +++ b/hosts/bekkalokk/services/mediawiki/default.nix 
@@ -1,4 +1,12 @@ -{ pkgs, lib, fp, config, values, ... }: let +{ + pkgs, + lib, + fp, + config, + values, + ... +}: +let cfg = config.services.mediawiki; # "mediawiki" @@ -9,7 +17,9 @@ simplesamlphp = pkgs.simplesamlphp.override { extra_files = { - "metadata/saml20-idp-remote.php" = pkgs.writeText "mediawiki-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix); + "metadata/saml20-idp-remote.php" = pkgs.writeText "mediawiki-saml20-idp-remote.php" ( + import ../idp-simplesamlphp/metadata.php.nix + ); "config/authsources.php" = ./simplesaml-authsources.php; 
@@ -18,36 +28,49 @@ substituteInPlace "$out" \ --replace-warn '$SAML_COOKIE_SECURE' 'true' \ - --replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/cookie_salt".path}")' \ + --replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${ + config.sops.secrets."mediawiki/simplesamlphp/cookie_salt".path + }")' \ --replace-warn '$SAML_ADMIN_NAME' '"Drift"' \ --replace-warn '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \ - --replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/admin_password".path}")' \ + --replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${ + config.sops.secrets."mediawiki/simplesamlphp/admin_password".path + }")' \ --replace-warn '$SAML_TRUSTED_DOMAINS' 'array( "wiki.pvv.ntnu.no" )' \ --replace-warn '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=mediawiki_simplesamlphp"' \ --replace-warn '$SAML_DATABASE_USERNAME' '"mediawiki_simplesamlphp"' \ - --replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path}")' \ + --replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${ + config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path + }")' \ --replace-warn '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp' ''; }; }; -in { +in +{ services.idp.sp-remote-metadata = [ "https://wiki.pvv.ntnu.no/simplesaml/" ]; - sops.secrets = lib.pipe [ - "mediawiki/secret-key" - "mediawiki/password" - "mediawiki/postgres_password" - "mediawiki/simplesamlphp/postgres_password" - "mediawiki/simplesamlphp/cookie_salt" - "mediawiki/simplesamlphp/admin_password" - ] [ - (map (key: lib.nameValuePair key { - owner = user; - group = group; - restartUnits = [ "phpfpm-mediawiki.service" ]; - })) - lib.listToAttrs - ]; + sops.secrets = + lib.pipe + [ + "mediawiki/secret-key" + "mediawiki/password" + "mediawiki/postgres_password" + "mediawiki/simplesamlphp/postgres_password" + 
"mediawiki/simplesamlphp/cookie_salt" + "mediawiki/simplesamlphp/admin_password" + ] + [ + (map ( + key: + lib.nameValuePair key { + owner = user; + group = group; + restartUnits = [ "phpfpm-mediawiki.service" ]; + } + )) + lib.listToAttrs + ]; services.rsync-pull-targets = { enable = true; @@ -215,11 +238,13 @@ in { # Cache directory for simplesamlphp # systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp"; - systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = lib.mkIf cfg.enable { - user = "mediawiki"; - group = "mediawiki"; - mode = "0770"; - }; + systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = + lib.mkIf cfg.enable + { + user = "mediawiki"; + group = "mediawiki"; + mode = "0770"; + }; users.groups.mediawiki.members = lib.mkIf cfg.enable [ "nginx" ]; @@ -227,7 +252,7 @@ in { kTLS = true; forceSSL = true; enableACME = true; - locations = { + locations = { "= /wiki/Main_Page" = lib.mkForce { return = "301 /wiki/Programvareverkstedet"; }; @@ -253,19 +278,22 @@ in { "= /PNG/PVV-logo.svg".alias = fp /assets/logo_blue_regular.svg; "= /PNG/PVV-logo.png".alias = fp /assets/logo_blue_regular.png; - "= /favicon.ico".alias = pkgs.runCommandLocal "mediawiki-favicon.ico" { - buildInputs = with pkgs; [ imagemagick ]; - } '' - magick \ - ${fp /assets/logo_blue_regular.png} \ - -resize x64 \ - -gravity center \ - -crop 64x64+0+0 \ - -flatten \ - -colors 256 \ - -background transparent \ - $out - ''; + "= /favicon.ico".alias = + pkgs.runCommandLocal "mediawiki-favicon.ico" + { + buildInputs = with pkgs; [ imagemagick ]; + } + '' + magick \ + ${fp /assets/logo_blue_regular.png} \ + -resize x64 \ + -gravity center \ + -crop 64x64+0+0 \ + -flatten \ + -colors 256 \ + -background transparent \ + $out + ''; }; }; 
@@ -273,7 +301,9 @@ in { systemd.services.mediawiki-init = lib.mkIf cfg.enable { after = [ "sops-install-secrets.service" ]; serviceConfig = { - BindReadOnlyPaths = [ "/run/credentials/mediawiki-init.service/secret-key:/var/lib/mediawiki/secret.key" ]; + BindReadOnlyPaths = [ + "/run/credentials/mediawiki-init.service/secret-key:/var/lib/mediawiki/secret.key" + ]; LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ]; UMask = lib.mkForce "0007"; }; @@ -282,7 +312,9 @@ in { systemd.services.phpfpm-mediawiki = lib.mkIf cfg.enable { after = [ "sops-install-secrets.service" ]; serviceConfig = { - BindReadOnlyPaths = [ "/run/credentials/phpfpm-mediawiki.service/secret-key:/var/lib/mediawiki/secret.key" ]; + BindReadOnlyPaths = [ + "/run/credentials/phpfpm-mediawiki.service/secret-key:/var/lib/mediawiki/secret.key" + ]; LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ]; UMask = lib.mkForce "0007"; }; diff --git a/hosts/bekkalokk/services/phpfpm.nix b/hosts/bekkalokk/services/phpfpm.nix index d796ff7..3ed51b9 100644 --- a/hosts/bekkalokk/services/phpfpm.nix +++ b/hosts/bekkalokk/services/phpfpm.nix 
@@ -11,41 +11,43 @@ in { # Source: https://www.pierreblazquez.com/2023/06/17/how-to-harden-apache-php-fpm-daemons-using-systemd/ systemd.services = lib.genAttrs pools (_: { - serviceConfig = let - caps = [ - "CAP_NET_BIND_SERVICE" - "CAP_SETGID" - "CAP_SETUID" - "CAP_CHOWN" - "CAP_KILL" - "CAP_IPC_LOCK" - "CAP_DAC_OVERRIDE" - ]; - in { - AmbientCapabilities = caps; - CapabilityBoundingSet = caps; - DeviceAllow = [ "" ]; - LockPersonality = true; - MemoryDenyWriteExecute = false; - NoNewPrivileges = true; - PrivateMounts = true; - ProtectClock = true; - ProtectControlGroups = true; - ProtectHome = true; - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - RemoveIPC = true; - UMask = "0077"; - RestrictNamespaces = "~mnt"; - RestrictRealtime = true; - RestrictSUIDSGID = true; - SystemCallArchitectures = "native"; - KeyringMode = "private"; - SystemCallFilter = [ - "@system-service" - ]; - }; + serviceConfig = + let + caps = [ + "CAP_NET_BIND_SERVICE" + "CAP_SETGID" + "CAP_SETUID" + "CAP_CHOWN" + "CAP_KILL" + "CAP_IPC_LOCK" + "CAP_DAC_OVERRIDE" + ]; + in + { + AmbientCapabilities = caps; + CapabilityBoundingSet = caps; + DeviceAllow = [ "" ]; + LockPersonality = true; + MemoryDenyWriteExecute = false; + NoNewPrivileges = true; + PrivateMounts = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + RemoveIPC = true; + UMask = "0077"; + RestrictNamespaces = "~mnt"; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + KeyringMode = "private"; + SystemCallFilter = [ + "@system-service" + ]; + }; }); } diff --git a/hosts/bekkalokk/services/vaultwarden.nix b/hosts/bekkalokk/services/vaultwarden.nix index f552c69..bc1dd97 100644 --- a/hosts/bekkalokk/services/vaultwarden.nix +++ b/hosts/bekkalokk/services/vaultwarden.nix 
@@ -1,11 +1,18 @@ -{ config, pkgs, lib, values, ... }: +{ + config, + pkgs, + lib, + values, + ... +}: let cfg = config.services.vaultwarden; domain = "pw.pvv.ntnu.no"; address = "127.0.1.2"; port = 3011; wsPort = 3012; -in { +in +{ sops.secrets."vaultwarden/environ" = { owner = "vaultwarden"; group = "vaultwarden"; diff --git a/hosts/bekkalokk/services/webmail/default.nix b/hosts/bekkalokk/services/webmail/default.nix index 97bc502..28cf46e 100644 --- a/hosts/bekkalokk/services/webmail/default.nix +++ b/hosts/bekkalokk/services/webmail/default.nix @@ -1,4 +1,10 @@ -{ config, values, pkgs, lib, ... }: +{ + config, + values, + pkgs, + lib, + ... +}: { imports = [ ./roundcube.nix diff --git a/hosts/bekkalokk/services/webmail/roundcube.nix b/hosts/bekkalokk/services/webmail/roundcube.nix index 960fb67..bce1bc5 100644 --- a/hosts/bekkalokk/services/webmail/roundcube.nix +++ b/hosts/bekkalokk/services/webmail/roundcube.nix @@ -1,4 +1,9 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: with lib; let @@ -14,14 +19,24 @@ in services.roundcube = { enable = true; - package = pkgs.roundcube.withPlugins (plugins: with plugins; [ - persistent_login - thunderbird_labels - contextmenu - custom_from - ]); + package = pkgs.roundcube.withPlugins ( + plugins: with plugins; [ + persistent_login + thunderbird_labels + contextmenu + custom_from + ] + ); - dicts = with pkgs.aspellDicts; [ en en-computers nb nn fr de it ]; + dicts = with pkgs.aspellDicts; [ + en + en-computers + nb + nn + fr + de + it + ]; maxAttachmentSize = 20; hostName = "roundcubeplaceholder.example.com"; 
@@ -54,21 +69,23 @@ in ln -s ${cfg.package} $out/roundcube ''; extraConfig = '' - location ~ ^/roundcube/(${builtins.concatStringsSep "|" [ - # https://wiki.archlinux.org/title/Roundcube - "README" - "INSTALL" - "LICENSE" - "CHANGELOG" - "UPGRADING" - "bin" - "SQL" - ".+\\.md" - "\\." - "config" - "temp" - "logs" - ]})/? { + location ~ ^/roundcube/(${ + builtins.concatStringsSep "|" [ + # https://wiki.archlinux.org/title/Roundcube + "README" + "INSTALL" + "LICENSE" + "CHANGELOG" + "UPGRADING" + "bin" + "SQL" + ".+\\.md" + "\\." + "config" + "temp" + "logs" + ] + })/? { deny all; } diff --git a/hosts/bekkalokk/services/webmail/snappymail.nix b/hosts/bekkalokk/services/webmail/snappymail.nix index 3b8e5b5..2ee366a 100644 --- a/hosts/bekkalokk/services/webmail/snappymail.nix +++ b/hosts/bekkalokk/services/webmail/snappymail.nix @@ -1,7 +1,15 @@ -{ config, lib, fp, pkgs, values, ... }: +{ + config, + lib, + fp, + pkgs, + values, + ... +}: let cfg = config.services.snappymail; -in { +in +{ imports = [ (fp /modules/snappymail.nix) ]; services.snappymail = { diff --git a/hosts/bekkalokk/services/website/default.nix b/hosts/bekkalokk/services/website/default.nix index 9a35cb6..2b77858 100644 --- a/hosts/bekkalokk/services/website/default.nix +++ b/hosts/bekkalokk/services/website/default.nix 
@@ -1,22 +1,31 @@ -{ pkgs, lib, config, ... }: +{ + pkgs, + lib, + config, + ... +}: let format = pkgs.formats.php { }; cfg = config.services.pvv-nettsiden; -in { +in +{ imports = [ ./fetch-gallery.nix ]; - sops.secrets = lib.genAttrs [ - "nettsiden/door_secret" - "nettsiden/mysql_password" - "nettsiden/simplesamlphp/admin_password" - "nettsiden/simplesamlphp/cookie_salt" - ] (_: { - owner = config.services.phpfpm.pools.pvv-nettsiden.user; - group = config.services.phpfpm.pools.pvv-nettsiden.group; - restartUnits = [ "phpfpm-pvv-nettsiden.service" ]; - }); + sops.secrets = + lib.genAttrs + [ + "nettsiden/door_secret" + "nettsiden/mysql_password" + "nettsiden/simplesamlphp/admin_password" + "nettsiden/simplesamlphp/cookie_salt" + ] + (_: { + owner = config.services.phpfpm.pools.pvv-nettsiden.user; + group = config.services.phpfpm.pools.pvv-nettsiden.group; + restartUnits = [ "phpfpm-pvv-nettsiden.service" ]; + }); security.acme.certs."www.pvv.ntnu.no" = { extraDomainNames = [ 
@@ -35,48 +44,53 @@ in { package = pkgs.pvv-nettsiden.override { extra_files = { - "${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/metadata/saml20-idp-remote.php" = pkgs.writeText "pvv-nettsiden-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix); - "${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/config/authsources.php" = pkgs.writeText "pvv-nettsiden-authsources.php" '' - array( - 'core:AdminPassword' - ), - 'default-sp' => array( - 'saml:SP', - 'entityID' => 'https://${cfg.domainName}/simplesaml/', - 'idp' => 'https://idp.pvv.ntnu.no/', - ), - ); - ''; + "${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/metadata/saml20-idp-remote.php" = + pkgs.writeText "pvv-nettsiden-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix); + "${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/config/authsources.php" = + pkgs.writeText "pvv-nettsiden-authsources.php" '' + array( + 'core:AdminPassword' + ), + 'default-sp' => array( + 'saml:SP', + 'entityID' => 'https://${cfg.domainName}/simplesaml/', + 'idp' => 'https://idp.pvv.ntnu.no/', + ), + ); + ''; }; }; domainName = "www.pvv.ntnu.no"; - settings = let - includeFromSops = path: format.lib.mkRaw "file_get_contents('${config.sops.secrets."nettsiden/${path}".path}')"; - in { - DOOR_SECRET = includeFromSops "door_secret"; + settings = + let + includeFromSops = + path: format.lib.mkRaw "file_get_contents('${config.sops.secrets."nettsiden/${path}".path}')"; + in + { + DOOR_SECRET = includeFromSops "door_secret"; - DB = { - DSN = "mysql:dbname=www-data_nettside;host=mysql.pvv.ntnu.no"; - USER = "www-data_nettsi"; - PASS = includeFromSops "mysql_password"; - }; + DB = { + DSN = "mysql:dbname=www-data_nettside;host=mysql.pvv.ntnu.no"; + USER = "www-data_nettsi"; + PASS = includeFromSops "mysql_password"; + }; - # TODO: set up postgres session for simplesamlphp - SAML = { - COOKIE_SALT = includeFromSops "simplesamlphp/cookie_salt"; - COOKIE_SECURE = true; - ADMIN_NAME = "PVV Drift"; - ADMIN_EMAIL = 
"drift@pvv.ntnu.no"; - ADMIN_PASSWORD = includeFromSops "simplesamlphp/admin_password"; - TRUSTED_DOMAINS = [ - "www.pvv.ntnu.no" - ]; + # TODO: set up postgres session for simplesamlphp + SAML = { + COOKIE_SALT = includeFromSops "simplesamlphp/cookie_salt"; + COOKIE_SECURE = true; + ADMIN_NAME = "PVV Drift"; + ADMIN_EMAIL = "drift@pvv.ntnu.no"; + ADMIN_PASSWORD = includeFromSops "simplesamlphp/admin_password"; + TRUSTED_DOMAINS = [ + "www.pvv.ntnu.no" + ]; + }; }; - }; }; services.phpfpm.pools."pvv-nettsiden".settings = { diff --git a/hosts/bekkalokk/services/website/fetch-gallery.nix b/hosts/bekkalokk/services/website/fetch-gallery.nix index 236bd41..e8ad9f9 100644 --- a/hosts/bekkalokk/services/website/fetch-gallery.nix +++ b/hosts/bekkalokk/services/website/fetch-gallery.nix @@ -1,8 +1,15 @@ -{ pkgs, lib, config, values, ... }: +{ + pkgs, + lib, + config, + values, + ... +}: let galleryDir = config.services.pvv-nettsiden.settings.GALLERY.DIR; transferDir = "${config.services.pvv-nettsiden.settings.GALLERY.DIR}-transfer"; -in { +in +{ users.users.${config.services.pvv-nettsiden.user} = { # NOTE: the user unfortunately needs a registered shell for rrsync to function... # is there anything we can do to remove this? @@ -37,14 +44,20 @@ in { }; systemd.services.pvv-nettsiden-gallery-update = { - path = with pkgs; [ imagemagick gnutar gzip ]; + path = with pkgs; [ + imagemagick + gnutar + gzip + ]; script = '' - tar ${lib.cli.toGNUCommandLineShell {} { - extract = true; - file = "${transferDir}/gallery.tar.gz"; - directory = "."; - }} + tar ${ + lib.cli.toGNUCommandLineShell { } { + extract = true; + file = "${transferDir}/gallery.tar.gz"; + directory = "."; + } + } # Delete files and directories that exists in the gallery that don't exist in the tarball filesToRemove=$(uniq -u <(sort <(find . -not -path "./.thumbnails*") <(tar -tf ${transferDir}/gallery.tar.gz | sed 's|/$||'))) 
diff --git a/hosts/bekkalokk/services/well-known/default.nix b/hosts/bekkalokk/services/well-known/default.nix index e78c406..f0db2b3 100644 --- a/hosts/bekkalokk/services/well-known/default.nix +++ b/hosts/bekkalokk/services/well-known/default.nix @@ -1,25 +1,28 @@ { lib, ... }: { - services.nginx.virtualHosts = lib.genAttrs [ - "pvv.ntnu.no" - "www.pvv.ntnu.no" - "pvv.org" - "www.pvv.org" - ] (_: { - locations = { - "^~ /.well-known/" = { - alias = (toString ./root) + "/"; - }; + services.nginx.virtualHosts = + lib.genAttrs + [ + "pvv.ntnu.no" + "www.pvv.ntnu.no" + "pvv.org" + "www.pvv.org" + ] + (_: { + locations = { + "^~ /.well-known/" = { + alias = (toString ./root) + "/"; + }; - # Proxy the matrix well-known files - # Host has be set before proxy_pass - # The header must be set so nginx on the other side routes it to the right place - "^~ /.well-known/matrix/" = { - extraConfig = '' - proxy_set_header Host matrix.pvv.ntnu.no; - proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/; - ''; - }; - }; - }); + # Proxy the matrix well-known files + # Host has be set before proxy_pass + # The header must be set so nginx on the other side routes it to the right place + "^~ /.well-known/matrix/" = { + extraConfig = '' + proxy_set_header Host matrix.pvv.ntnu.no; + proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/; + ''; + }; + }; + }); } diff --git a/hosts/bicep/configuration.nix b/hosts/bicep/configuration.nix index ecca68e..dc68f99 100644 --- a/hosts/bicep/configuration.nix +++ b/hosts/bicep/configuration.nix @@ -1,4 +1,9 @@ -{ fp, pkgs, values, ... }: +{ + fp, + pkgs, + values, + ... +}: { imports = [ ./hardware-configuration.nix 
@@ -19,8 +24,16 @@ systemd.network.networks."30-ens18" = values.defaultNetworkConfig // { #matchConfig.Name = "enp6s0f0"; matchConfig.Name = "ens18"; - address = with values.hosts.bicep; [ (ipv4 + "/25") (ipv6 + "/64") ] - ++ (with values.services.turn; [ (ipv4 + "/25") (ipv6 + "/64") ]); + address = + with values.hosts.bicep; + [ + (ipv4 + "/25") + (ipv6 + "/64") + ] + ++ (with values.services.turn; [ + (ipv4 + "/25") + (ipv6 + "/64") + ]); }; systemd.network.wait-online = { anyInterface = true; diff --git a/hosts/bicep/hardware-configuration.nix b/hosts/bicep/hardware-configuration.nix index a5fa9e9..88aad0f 100644 --- a/hosts/bicep/hardware-configuration.nix +++ b/hosts/bicep/hardware-configuration.nix 
@@ -1,34 +1,49 @@ # Do not modify this file! It was generated by 'nixos-generate-config' # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { - imports = - [ (modulesPath + "/profiles/qemu-guest.nix") - ]; + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; - boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "ahci" "sd_mod" "sr_mod" ]; + boot.initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "ahci" + "sd_mod" + "sr_mod" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/disk/by-uuid/20e06202-7a09-47cc-8ef6-5e7afe19453a"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/20e06202-7a09-47cc-8ef6-5e7afe19453a"; + fsType = "ext4"; + }; # temp data disk, only 128gb not enough until we can add another disk to the system. - fileSystems."/data" = - { device = "/dev/disk/by-uuid/c81af266-0781-4084-b8eb-c2587cbcf1ba"; - fsType = "ext4"; - }; + fileSystems."/data" = { + device = "/dev/disk/by-uuid/c81af266-0781-4084-b8eb-c2587cbcf1ba"; + fsType = "ext4"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/198B-E363"; - fsType = "vfat"; - options = [ "fmask=0022" "dmask=0022" ]; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/198B-E363"; + fsType = "vfat"; + options = [ + "fmask=0022" + "dmask=0022" + ]; + }; swapDevices = [ ]; diff --git a/hosts/bicep/services/calendar-bot.nix b/hosts/bicep/services/calendar-bot.nix index ad5bbe5..21c6416 100644 --- a/hosts/bicep/services/calendar-bot.nix +++ b/hosts/bicep/services/calendar-bot.nix 
@@ -1,7 +1,14 @@ -{ config, fp, lib, pkgs, ... }: +{ + config, + fp, + lib, + pkgs, + ... +}: let cfg = config.services.pvv-calendar-bot; -in { +in +{ sops.secrets = { "calendar-bot/matrix_token" = { sopsFile = fp /secrets/bicep/bicep.yaml; diff --git a/hosts/bicep/services/git-mirrors/default.nix b/hosts/bicep/services/git-mirrors/default.nix index 4f2f730..9ee7e9a 100644 --- a/hosts/bicep/services/git-mirrors/default.nix +++ b/hosts/bicep/services/git-mirrors/default.nix @@ -1,4 +1,10 @@ -{ config, pkgs, lib, fp, ... }: +{ + config, + pkgs, + lib, + fp, + ... +}: let cfg = config.services.gickup; in 
@@ -20,79 +26,88 @@ in lfs = false; }; - instances = let - defaultGithubConfig = { - settings.token_file = config.sops.secrets."gickup/github-token".path; - }; - defaultGitlabConfig = { - # settings.token_file = ... - }; - in { - "github:Git-Mediawiki/Git-Mediawiki" = defaultGithubConfig; - "github:NixOS/nixpkgs" = defaultGithubConfig; - "github:go-gitea/gitea" = defaultGithubConfig; - "github:heimdal/heimdal" = defaultGithubConfig; - "github:saltstack/salt" = defaultGithubConfig; - "github:typst/typst" = defaultGithubConfig; - "github:unmojang/FjordLauncher" = defaultGithubConfig; - "github:unmojang/drasl" = defaultGithubConfig; - "github:yushijinhun/authlib-injector" = defaultGithubConfig; + instances = + let + defaultGithubConfig = { + settings.token_file = config.sops.secrets."gickup/github-token".path; + }; + defaultGitlabConfig = { + # settings.token_file = ... + }; + in + { + "github:Git-Mediawiki/Git-Mediawiki" = defaultGithubConfig; + "github:NixOS/nixpkgs" = defaultGithubConfig; + "github:go-gitea/gitea" = defaultGithubConfig; + "github:heimdal/heimdal" = defaultGithubConfig; + "github:saltstack/salt" = defaultGithubConfig; + "github:typst/typst" = defaultGithubConfig; + "github:unmojang/FjordLauncher" = defaultGithubConfig; + "github:unmojang/drasl" = defaultGithubConfig; + "github:yushijinhun/authlib-injector" = defaultGithubConfig; - "gitlab:mx-puppet/discord/better-discord.js" = defaultGitlabConfig; - "gitlab:mx-puppet/discord/discord-markdown" = defaultGitlabConfig; - "gitlab:mx-puppet/discord/matrix-discord-parser" = defaultGitlabConfig; - "gitlab:mx-puppet/discord/mx-puppet-discord" = defaultGitlabConfig; - "gitlab:mx-puppet/mx-puppet-bridge" = defaultGitlabConfig; + "gitlab:mx-puppet/discord/better-discord.js" = defaultGitlabConfig; + "gitlab:mx-puppet/discord/discord-markdown" = defaultGitlabConfig; + "gitlab:mx-puppet/discord/matrix-discord-parser" = defaultGitlabConfig; + "gitlab:mx-puppet/discord/mx-puppet-discord" = defaultGitlabConfig; + 
"gitlab:mx-puppet/mx-puppet-bridge" = defaultGitlabConfig; - "any:glibc" = { - settings.url = "https://sourceware.org/git/glibc.git"; - }; + "any:glibc" = { + settings.url = "https://sourceware.org/git/glibc.git"; + }; - "any:out-of-your-element" = { - settings.url = "https://gitdab.com/cadence/out-of-your-element.git"; - }; + "any:out-of-your-element" = { + settings.url = "https://gitdab.com/cadence/out-of-your-element.git"; + }; - "any:out-of-your-element-module" = { - settings.url = "https://cgit.rory.gay/nix/OOYE-module.git"; + "any:out-of-your-element-module" = { + settings.url = "https://cgit.rory.gay/nix/OOYE-module.git"; + }; }; - }; }; - services.cgit = let - domain = "mirrors.pvv.ntnu.no"; - in { - ${domain} = { - enable = true; - package = pkgs.callPackage (fp /packages/cgit.nix) { }; - group = "gickup"; - scanPath = "${cfg.dataDir}/linktree"; - gitHttpBackend.checkExportOkFiles = false; - settings = { - enable-commit-graph = true; - enable-follow-links = true; - enable-http-clone = true; - enable-remote-branches = true; - clone-url = "https://${domain}/$CGIT_REPO_URL"; - remove-suffix = true; - root-title = "PVVSPPP"; - root-desc = "PVV Speiler Praktisk og Prominent Programvare"; - snapshots = "all"; - logo = "/PVV-logo.png"; + services.cgit = + let + domain = "mirrors.pvv.ntnu.no"; + in + { + ${domain} = { + enable = true; + package = pkgs.callPackage (fp /packages/cgit.nix) { }; + group = "gickup"; + scanPath = "${cfg.dataDir}/linktree"; + gitHttpBackend.checkExportOkFiles = false; + settings = { + enable-commit-graph = true; + enable-follow-links = true; + enable-http-clone = true; + enable-remote-branches = true; + clone-url = "https://${domain}/$CGIT_REPO_URL"; + remove-suffix = true; + root-title = "PVVSPPP"; + root-desc = "PVV Speiler Praktisk og Prominent Programvare"; + snapshots = "all"; + logo = "/PVV-logo.png"; + }; }; }; - }; services.nginx.virtualHosts."mirrors.pvv.ntnu.no" = { forceSSL = true; enableACME = true; - locations."= 
/PVV-logo.png".alias = let - small-pvv-logo = pkgs.runCommandLocal "pvv-logo-96x96" { - nativeBuildInputs = [ pkgs.imagemagick ]; - } '' - magick '${fp /assets/logo_blue_regular.svg}' -resize 96x96 PNG:"$out" - ''; - in toString small-pvv-logo; + locations."= /PVV-logo.png".alias = + let + small-pvv-logo = + pkgs.runCommandLocal "pvv-logo-96x96" + { + nativeBuildInputs = [ pkgs.imagemagick ]; + } + '' + magick '${fp /assets/logo_blue_regular.svg}' -resize 96x96 PNG:"$out" + ''; + in + toString small-pvv-logo; }; systemd.services."fcgiwrap-cgit-mirrors.pvv.ntnu.no" = { diff --git a/hosts/bicep/services/matrix/coturn.nix b/hosts/bicep/services/matrix/coturn.nix index c2f218f..99e12db 100644 --- a/hosts/bicep/services/matrix/coturn.nix +++ b/hosts/bicep/services/matrix/coturn.nix @@ -1,4 +1,12 @@ -{ config, lib, fp, pkgs, secrets, values, ... }: +{ + config, + lib, + fp, + pkgs, + secrets, + values, + ... +}: { sops.secrets."matrix/coturn/static-auth-secret" = { @@ -127,18 +135,31 @@ }; networking.firewall = { - interfaces.enp6s0f0 = let - range = with config.services.coturn; [ { - from = min-port; - to = max-port; - } ]; - in - { - allowedUDPPortRanges = range; - allowedUDPPorts = [ 443 3478 3479 5349 ]; - allowedTCPPortRanges = range; - allowedTCPPorts = [ 443 3478 3479 5349 ]; - }; + interfaces.enp6s0f0 = + let + range = with config.services.coturn; [ + { + from = min-port; + to = max-port; + } + ]; + in + { + allowedUDPPortRanges = range; + allowedUDPPorts = [ + 443 + 3478 + 3479 + 5349 + ]; + allowedTCPPortRanges = range; + allowedTCPPorts = [ + 443 + 3478 + 3479 + 5349 + ]; + }; }; } diff --git a/hosts/bicep/services/matrix/discord.nix b/hosts/bicep/services/matrix/discord.nix index 726f1ef..12954f3 100644 --- a/hosts/bicep/services/matrix/discord.nix +++ b/hosts/bicep/services/matrix/discord.nix @@ -1,4 +1,9 @@ -{ config, lib, fp, ... }: +{ + config, + lib, + fp, + ... +}: let cfg = config.services.mx-puppet-discord; 
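Review bot: The coturn firewall hunk (`@@ -127,18 +135,31 @@`) keys its openings on `interfaces.enp6s0f0`, while the bicep network hunk at the top of this chunk (presumably hosts/bicep/configuration.nix) shows `#matchConfig.Name = "enp6s0f0";` commented out in favour of `matchConfig.Name = "ens18";`. If bicep's interface really is `ens18` now, the TURN relay range and ports 443/3478/3479/5349 are attached to an interface that does not exist and stay closed, or, if enp6s0f0 still exists, they are opened on the wrong one. Renaming the key to `interfaces.ens18 =`, or deriving it from the same value the network config uses, would keep the two in step; that is outside what nixfmt changes, so a follow-up commit is fine, but a comment such as `# NOTE: must match matchConfig.Name in the host network config` would already help.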
@@ -44,7 +49,6 @@ in ]; }; - services.mx-puppet-discord.enable = false; services.mx-puppet-discord.settings = { bridge = { @@ -52,16 +56,21 @@ in domain = "pvv.ntnu.no"; homeserverUrl = "https://matrix.pvv.ntnu.no"; }; - provisioning.whitelist = [ "@dandellion:dodsorf\\.as" "@danio:pvv\\.ntnu\\.no"]; + provisioning.whitelist = [ + "@dandellion:dodsorf\\.as" + "@danio:pvv\\.ntnu\\.no" + ]; relay.whitelist = [ ".*" ]; - selfService.whitelist = [ "@danio:pvv\\.ntnu\\.no" "@dandellion:dodsorf\\.as" ]; + selfService.whitelist = [ + "@danio:pvv\\.ntnu\\.no" + "@dandellion:dodsorf\\.as" + ]; }; services.mx-puppet-discord.serviceDependencies = [ "matrix-synapse.target" "nginx.service" ]; - services.matrix-synapse-next.settings = { app_service_config_files = [ config.sops.templates."discord-registration.yaml".path diff --git a/hosts/bicep/services/matrix/element.nix b/hosts/bicep/services/matrix/element.nix index b6f3d38..13c7017 100644 --- a/hosts/bicep/services/matrix/element.nix +++ b/hosts/bicep/services/matrix/element.nix @@ -1,7 +1,13 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: let synapse-cfg = config.services.matrix-synapse-next; -in { +in +{ services.pvv-matrix-well-known.client = { "m.homeserver" = { base_url = "https://matrix.pvv.ntnu.no"; 
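Review bot: The hunk `@@ -44,7 +49,6 @@` deletes `services.mx-puppet-discord.enable = false;`, which is a behavioural change hidden inside a commit described only as `nixfmt`. Whether the Discord puppet bridge ends up enabled depends on the module's default and on how `cfg` is used outside this hunk, which I cannot see; if the intent is to turn the bridge on, that deserves its own commit (it also makes the `provisioning.whitelist` and `selfService.whitelist` entries live), and if the line was dropped by accident it should be restored. The enclosing attribute set continues outside the hunk.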
@@ -21,12 +27,12 @@ in { default_server_config = config.services.pvv-matrix-well-known.client; disable_3pid_login = true; -# integrations_ui_url = "https://dimension.dodsorf.as/riot"; -# integrations_rest_url = "https://dimension.dodsorf.as/api/v1/scalar"; -# integrations_widgets_urls = [ -# "https://dimension.dodsorf.as/widgets" -# ]; -# integration_jitsi_widget_url = "https://dimension.dodsorf.as/widgets/jitsi"; + # integrations_ui_url = "https://dimension.dodsorf.as/riot"; + # integrations_rest_url = "https://dimension.dodsorf.as/api/v1/scalar"; + # integrations_widgets_urls = [ + # "https://dimension.dodsorf.as/widgets" + # ]; + # integration_jitsi_widget_url = "https://dimension.dodsorf.as/widgets/jitsi"; defaultCountryCode = "NO"; showLabsSettings = true; features = { diff --git a/hosts/bicep/services/matrix/hookshot/default.nix b/hosts/bicep/services/matrix/hookshot/default.nix index 8b89eec..5fcaae7 100644 --- a/hosts/bicep/services/matrix/hookshot/default.nix +++ b/hosts/bicep/services/matrix/hookshot/default.nix @@ -1,4 +1,11 @@ -{ config, lib, fp, unstablePkgs, inputs, ... }: +{ + config, + lib, + fp, + unstablePkgs, + inputs, + ... +}: let cfg = config.services.matrix-hookshot; @@ -100,7 +107,8 @@ in }; serviceBots = [ - { localpart = "bot_feeds"; + { + localpart = "bot_feeds"; displayname = "Aya"; avatar = ./feeds.png; prefix = "!aya"; 
@@ -115,20 +123,44 @@ in permissions = [ # Users of the PVV Server - { actor = "pvv.ntnu.no"; - services = [ { service = "*"; level = "commands"; } ]; + { + actor = "pvv.ntnu.no"; + services = [ + { + service = "*"; + level = "commands"; + } + ]; } # Members of Medlem space (for people with their own hs) - { actor = "!pZOTJQinWyyTWaeOgK:pvv.ntnu.no"; - services = [ { service = "*"; level = "commands"; } ]; + { + actor = "!pZOTJQinWyyTWaeOgK:pvv.ntnu.no"; + services = [ + { + service = "*"; + level = "commands"; + } + ]; } # Members of Drift - { actor = "!eYgeufLrninXxQpYml:pvv.ntnu.no"; - services = [ { service = "*"; level = "admin"; } ]; + { + actor = "!eYgeufLrninXxQpYml:pvv.ntnu.no"; + services = [ + { + service = "*"; + level = "admin"; + } + ]; } # Dan bootstrap - { actor = "@dandellion:dodsorf.as"; - services = [ { service = "*"; level = "admin"; } ]; + { + actor = "@dandellion:dodsorf.as"; + services = [ + { + service = "*"; + level = "admin"; + } + ]; } ]; }; diff --git a/hosts/bicep/services/matrix/livekit.nix b/hosts/bicep/services/matrix/livekit.nix index 3342404..b11eebb 100644 --- a/hosts/bicep/services/matrix/livekit.nix +++ b/hosts/bicep/services/matrix/livekit.nix @@ -1,4 +1,9 @@ -{ config, lib, fp, ... }: +{ + config, + lib, + fp, + ... +}: let synapseConfig = config.services.matrix-synapse-next; matrixDomain = "matrix.pvv.ntnu.no"; @@ -20,10 +25,12 @@ in }; services.pvv-matrix-well-known.client = lib.mkIf cfg.enable { - "org.matrix.msc4143.rtc_foci" = [{ - type = "livekit"; - livekit_service_url = "https://${matrixDomain}/livekit/jwt"; - }]; + "org.matrix.msc4143.rtc_foci" = [ + { + type = "livekit"; + livekit_service_url = "https://${matrixDomain}/livekit/jwt"; + } + ]; }; services.livekit = { 
@@ -43,7 +50,12 @@ in keyFile = config.sops.templates."matrix-livekit-keyfile".path; }; - systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = lib.mkIf cfg.enable (builtins.concatStringsSep "," [ "pvv.ntnu.no" "dodsorf.as" ]); + systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = lib.mkIf cfg.enable ( + builtins.concatStringsSep "," [ + "pvv.ntnu.no" + "dodsorf.as" + ] + ); services.nginx.virtualHosts.${matrixDomain} = lib.mkIf cfg.enable { locations."^~ /livekit/jwt/" = { diff --git a/hosts/bicep/services/matrix/mjolnir.nix b/hosts/bicep/services/matrix/mjolnir.nix index 6dbb83f..07e7d9b 100644 --- a/hosts/bicep/services/matrix/mjolnir.nix +++ b/hosts/bicep/services/matrix/mjolnir.nix @@ -1,4 +1,9 @@ -{ config, lib, fp, ... }: +{ + config, + lib, + fp, + ... +}: { sops.secrets."matrix/mjolnir/access_token" = { diff --git a/hosts/bicep/services/matrix/out-of-your-element.nix b/hosts/bicep/services/matrix/out-of-your-element.nix index 16ec794..4186413 100644 --- a/hosts/bicep/services/matrix/out-of-your-element.nix +++ b/hosts/bicep/services/matrix/out-of-your-element.nix @@ -1,4 +1,11 @@ -{ config, pkgs, lib, values, fp, ... }: +{ + config, + pkgs, + lib, + values, + fp, + ... +}: let cfg = config.services.matrix-ooye; in diff --git a/hosts/bicep/services/matrix/smtp-authenticator/default.nix b/hosts/bicep/services/matrix/smtp-authenticator/default.nix index d8a7000..bbdef03 100644 --- a/hosts/bicep/services/matrix/smtp-authenticator/default.nix +++ b/hosts/bicep/services/matrix/smtp-authenticator/default.nix @@ -1,4 +1,9 @@ -{ lib, buildPythonPackage, fetchFromGitHub, setuptools }: +{ + lib, + buildPythonPackage, + fetchFromGitHub, + setuptools, +}: buildPythonPackage rec { pname = "matrix-synapse-smtp-auth"; diff --git a/hosts/bicep/services/matrix/synapse-admin.nix b/hosts/bicep/services/matrix/synapse-admin.nix index b17c21e..d200100 100644 --- a/hosts/bicep/services/matrix/synapse-admin.nix 
+++ b/hosts/bicep/services/matrix/synapse-admin.nix @@ -1,5 +1,9 @@ -{ config, lib, pkgs, ... }: - +{ + config, + lib, + pkgs, + ... +}: # This service requires you to have access to endpoints not available over the internet # Use an ssh proxy or similar to access this dashboard. diff --git a/hosts/bicep/services/matrix/synapse-auto-compressor.nix b/hosts/bicep/services/matrix/synapse-auto-compressor.nix index 5f77092..e37c918 100644 --- a/hosts/bicep/services/matrix/synapse-auto-compressor.nix +++ b/hosts/bicep/services/matrix/synapse-auto-compressor.nix @@ -1,4 +1,9 @@ -{ config, lib, utils, ... }: +{ + config, + lib, + utils, + ... +}: let cfg = config.services.synapse-auto-compressor; in diff --git a/hosts/bicep/services/matrix/synapse.nix b/hosts/bicep/services/matrix/synapse.nix index c9a055d..33dfa90 100644 --- a/hosts/bicep/services/matrix/synapse.nix +++ b/hosts/bicep/services/matrix/synapse.nix @@ -1,13 +1,23 @@ -{ config, lib, fp, pkgs, values, inputs, ... }: +{ + config, + lib, + fp, + pkgs, + values, + inputs, + ... +}: let cfg = config.services.matrix-synapse-next; matrix-lib = inputs.matrix-next.lib; - imap0Attrs = with lib; f: set: - listToAttrs (imap0 (i: attr: nameValuePair attr (f i attr set.${attr})) (attrNames set)); -in { + imap0Attrs = + with lib; + f: set: listToAttrs (imap0 (i: attr: nameValuePair attr (f i attr set.${attr})) (attrNames set)); +in +{ sops.secrets."matrix/synapse/signing_key" = { key = "synapse/signing_key"; sopsFile = fp /secrets/bicep/matrix.yaml; @@ -23,7 +33,9 @@ in { owner = config.users.users.matrix-synapse.name; group = config.users.users.matrix-synapse.group; content = '' - registration_shared_secret: ${config.sops.placeholder."matrix/synapse/user_registration/registration_shared_secret"} + registration_shared_secret: ${ + config.sops.placeholder."matrix/synapse/user_registration/registration_shared_secret" + } ''; }; 
@@ -68,7 +80,7 @@ in { signing_key_path = config.sops.secrets."matrix/synapse/signing_key".path; - media_store_path = "${cfg.dataDir}/media"; + media_store_path = "${cfg.dataDir}/media"; database = { name = "psycopg2"; @@ -110,7 +122,8 @@ in { password_config.enabled = true; modules = [ - { module = "smtp_auth_provider.SMTPAuthProvider"; + { + module = "smtp_auth_provider.SMTPAuthProvider"; config = { smtp_host = "smtp.pvv.ntnu.no"; }; 
@@ -183,61 +196,79 @@ in { services.pvv-matrix-well-known.server."m.server" = "matrix.pvv.ntnu.no:443"; services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [ - { - kTLS = true; - } - { - locations."/_synapse/admin" = { - proxyPass = "http://$synapse_backend"; - extraConfig = '' - allow 127.0.0.1; - allow ::1; - allow ${values.hosts.bicep.ipv4}; - allow ${values.hosts.bicep.ipv6}; - deny all; - ''; - }; - } - { - locations = let - connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w; - socketAddress = w: let c = connectionInfo w; in "${c.host}:${toString c.port}"; + { + kTLS = true; + } + { + locations."/_synapse/admin" = { + proxyPass = "http://$synapse_backend"; + extraConfig = '' + allow 127.0.0.1; + allow ::1; + allow ${values.hosts.bicep.ipv4}; + allow ${values.hosts.bicep.ipv6}; + deny all; + ''; + }; + } + { + locations = + let + connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w; + socketAddress = + w: + let + c = connectionInfo w; + in + "${c.host}:${toString c.port}"; - metricsPath = w: "/metrics/${w.type}/${toString w.index}"; - proxyPath = w: "http://${socketAddress w}/_synapse/metrics"; - in lib.mapAttrs' (n: v: lib.nameValuePair - (metricsPath v) { - proxyPass = proxyPath v; + metricsPath = w: "/metrics/${w.type}/${toString w.index}"; + proxyPath = w: "http://${socketAddress w}/_synapse/metrics"; + in + lib.mapAttrs' ( + n: v: + lib.nameValuePair (metricsPath v) { + proxyPass = proxyPath v; + extraConfig = '' + allow ${values.hosts.ildkule.ipv4}; + allow ${values.hosts.ildkule.ipv6}; + deny all; + ''; + } + ) cfg.workers.instances; + } + { + locations."/metrics/master/1" = { + proxyPass = "http://127.0.0.1:9000/_synapse/metrics"; extraConfig = '' allow ${values.hosts.ildkule.ipv4}; allow ${values.hosts.ildkule.ipv6}; deny all; ''; - }) - cfg.workers.instances; - } - { - locations."/metrics/master/1" = { - proxyPass = "http://127.0.0.1:9000/_synapse/metrics"; - extraConfig = '' - allow 
${values.hosts.ildkule.ipv4}; - allow ${values.hosts.ildkule.ipv6}; - deny all; - ''; - }; + }; - locations."/metrics/" = let - endpoints = lib.pipe cfg.workers.instances [ - (lib.mapAttrsToList (_: v: v)) - (map (w: "${w.type}/${toString w.index}")) - (map (w: "matrix.pvv.ntnu.no/metrics/${w}")) - ] ++ [ "matrix.pvv.ntnu.no/metrics/master/1" ]; - in { - alias = pkgs.writeTextDir "/config.json" - (builtins.toJSON [ - { targets = endpoints; - labels = { }; - }]) + "/"; - }; - }]; + locations."/metrics/" = + let + endpoints = + lib.pipe cfg.workers.instances [ + (lib.mapAttrsToList (_: v: v)) + (map (w: "${w.type}/${toString w.index}")) + (map (w: "matrix.pvv.ntnu.no/metrics/${w}")) + ] + ++ [ "matrix.pvv.ntnu.no/metrics/master/1" ]; + in + { + alias = + pkgs.writeTextDir "/config.json" ( + builtins.toJSON [ + { + targets = endpoints; + labels = { }; + } + ] + ) + + "/"; + }; + } + ]; } diff --git a/hosts/bicep/services/matrix/well-known.nix b/hosts/bicep/services/matrix/well-known.nix index 64eacfe..162827a 100644 --- a/hosts/bicep/services/matrix/well-known.nix +++ b/hosts/bicep/services/matrix/well-known.nix @@ -1,4 +1,9 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: let cfg = config.services.pvv-matrix-well-known; format = pkgs.formats.json { }; diff --git a/hosts/bicep/services/minecraft-heatmap.nix b/hosts/bicep/services/minecraft-heatmap.nix index 5917ab3..6fd8aa0 100644 --- a/hosts/bicep/services/minecraft-heatmap.nix +++ b/hosts/bicep/services/minecraft-heatmap.nix @@ -1,4 +1,9 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: let cfg = config.services.minecraft-heatmap; in 
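Review bot: In the synapse.nix hunk `@@ -183,61 +196,79 @@`, `locations."/metrics/"` serves the generated `config.json` target list without the `allow ${values.hosts.ildkule.ipv4}; allow ${values.hosts.ildkule.ipv6}; deny all;` guard that every sibling metrics location (the `metricsPath v` entries and `/metrics/master/1`) carries. The file only lists internal worker paths, so exposure is low, but it is a discovery document intended for the ildkule scraper and giving it the same `extraConfig` block next to `alias` keeps the access policy uniform. The `/_synapse/admin` allow list (loopback plus bicep's own addresses) is consistent with the comment in synapse-admin.nix that the admin endpoints are not meant to be reachable from the internet.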
@@ -27,23 +32,25 @@ in "sshkey:${config.sops.secrets."minecraft-heatmap/ssh-key/private".path}" ]; - preStart = let - knownHostsFile = pkgs.writeText "minecraft-heatmap-known-hosts" '' - innovation.pvv.ntnu.no ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9O/y5uqcLKCodg2Q+XfZPH/AoUIyBlDhigImU+4+Kn - innovation.pvv.ntnu.no ssh-rsa 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 - innovation.pvv.ntnu.no ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNjl3HfsDqmALWCL9uhz9k93RAD2565ndBqUh4N/rvI7MCwEJ6iRCdDev0YzB1Fpg24oriyYoxZRP24ifC2sQf8= + preStart = + let + knownHostsFile = pkgs.writeText "minecraft-heatmap-known-hosts" '' + innovation.pvv.ntnu.no ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9O/y5uqcLKCodg2Q+XfZPH/AoUIyBlDhigImU+4+Kn + innovation.pvv.ntnu.no ssh-rsa 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 + innovation.pvv.ntnu.no ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNjl3HfsDqmALWCL9uhz9k93RAD2565ndBqUh4N/rvI7MCwEJ6iRCdDev0YzB1Fpg24oriyYoxZRP24ifC2sQf8= + ''; + in + '' + mkdir -p '${cfg.minecraftLogsDir}' + "${lib.getExe pkgs.rsync}" \ + --archive \ + --verbose \ + --progress \ + --no-owner \ + --no-group \ + --rsh="${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=\"${knownHostsFile}\" -i \"$CREDENTIALS_DIRECTORY\"/sshkey" \ + root@innovation.pvv.ntnu.no:/ \ + '${cfg.minecraftLogsDir}'/ ''; - in '' - mkdir -p '${cfg.minecraftLogsDir}' - "${lib.getExe pkgs.rsync}" \ - --archive \ - --verbose \ - --progress \ - --no-owner \ - --no-group \ - --rsh="${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=\"${knownHostsFile}\" -i \"$CREDENTIALS_DIRECTORY\"/sshkey" \ - root@innovation.pvv.ntnu.no:/ \ - '${cfg.minecraftLogsDir}'/ - ''; }; } diff --git a/hosts/bicep/services/mysql/backup.nix b/hosts/bicep/services/mysql/backup.nix index 2936a2a..d04d46b 100644 --- a/hosts/bicep/services/mysql/backup.nix +++ b/hosts/bicep/services/mysql/backup.nix 
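Review bot: The `preStart` in the minecraft-heatmap hunk pulls `root@innovation.pvv.ntnu.no:/`, the remote root as root, into `cfg.minecraftLogsDir`. Presumably the `minecraft-heatmap/ssh-key/private` key is confined on the remote side by a read-only rrsync forced command that limits it to the log directory, but nothing in this file says so; a comment such as `# remote side: key is limited by a read-only rrsync forced command to the log dir — TODO confirm` would record the assumption, because without such a restriction the unit would copy the whole remote filesystem. Pinning `UserKnownHostsFile` to the three host keys is good; since the unit runs non-interactively you may also want `-o StrictHostKeyChecking=yes` so a host-key mismatch fails explicitly rather than relying on the `ask` default.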
@@ -1,4 +1,10 @@ -{ config, lib, pkgs, values, ... }: +{ + config, + lib, + pkgs, + values, + ... +}: let cfg = config.services.mysql; backupDir = "/data/mysql-backups"; @@ -10,10 +16,10 @@ in # }; systemd.tmpfiles.settings."10-mysql-backups".${backupDir}.d = { - user = "mysql"; - group = "mysql"; - mode = "700"; - }; + user = "mysql"; + group = "mysql"; + mode = "700"; + }; services.rsync-pull-targets = lib.mkIf cfg.enable { enable = true; @@ -44,23 +50,25 @@ in zstd ]; - script = let - rotations = 2; - in '' - set -euo pipefail + script = + let + rotations = 2; + in + '' + set -euo pipefail - OUT_FILE="$STATE_DIRECTORY/mysql-dump-$(date --iso-8601).sql.zst" + OUT_FILE="$STATE_DIRECTORY/mysql-dump-$(date --iso-8601).sql.zst" - mysqldump --all-databases | zstd --compress -9 --rsyncable -o "$OUT_FILE" + mysqldump --all-databases | zstd --compress -9 --rsyncable -o "$OUT_FILE" - # NOTE: this needs to be a hardlink for rrsync to allow sending it - rm "$STATE_DIRECTORY/mysql-dump-latest.sql.zst" ||: - ln -T "$OUT_FILE" "$STATE_DIRECTORY/mysql-dump-latest.sql.zst" + # NOTE: this needs to be a hardlink for rrsync to allow sending it + rm "$STATE_DIRECTORY/mysql-dump-latest.sql.zst" ||: + ln -T "$OUT_FILE" "$STATE_DIRECTORY/mysql-dump-latest.sql.zst" - while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do - rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)" - done - ''; + while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do + rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)" + done + ''; serviceConfig = { Type = "oneshot"; diff --git a/hosts/bicep/services/mysql/default.nix b/hosts/bicep/services/mysql/default.nix index 1e9e1bd..c82da9e 100644 --- a/hosts/bicep/services/mysql/default.nix +++ b/hosts/bicep/services/mysql/default.nix 
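Review bot: In the mysql `script` hunk (`@@ -44,23 +50,25 @@`), `OUT_FILE` is keyed on `$(date --iso-8601)` (date only) and `zstd ... -o "$OUT_FILE"` runs without `--force`; when the output already exists and stdout is not a terminal, zstd refuses to overwrite and exits non-zero, so a second run on the same day (a manual `systemctl start` after the timer, or a retried unit) fails under `set -euo pipefail` before the `-latest` hardlink is refreshed. The same applies to the postgresql/backup.nix hunk `@@ -45,23 +51,25 @@`. Either add `--force` to the zstd call or put a time component in the name, e.g. `$(date --iso-8601=seconds)`. The rotation loop's `-gt ${toString (rotations + 1)}` presumably accounts for the `-latest` hardlink being counted as a separate file; a one-line comment saying so would spare the next reader the puzzle.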
@@ -1,4 +1,10 @@ -{ config, pkgs, lib, values, ... }: +{ + config, + pkgs, + lib, + values, + ... +}: let cfg = config.services.mysql; dataDir = "/data/mysql"; @@ -36,12 +42,14 @@ in # a password which can be found in /secrets/ildkule/ildkule.yaml # We have also changed both the host and auth plugin of this user # to be 'ildkule.pvv.ntnu.no' and 'mysql_native_password' respectively. - ensureUsers = [{ - name = "prometheus_mysqld_exporter"; - ensurePermissions = { - "*.*" = "PROCESS, REPLICATION CLIENT, SELECT, SLAVE MONITOR"; - }; - }]; + ensureUsers = [ + { + name = "prometheus_mysqld_exporter"; + ensurePermissions = { + "*.*" = "PROCESS, REPLICATION CLIENT, SELECT, SLAVE MONITOR"; + }; + } + ]; }; networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 3306 ]; diff --git a/hosts/bicep/services/postgresql/backup.nix b/hosts/bicep/services/postgresql/backup.nix index ebb508a..0f79157 100644 --- a/hosts/bicep/services/postgresql/backup.nix +++ b/hosts/bicep/services/postgresql/backup.nix @@ -1,4 +1,10 @@ -{ config, lib, pkgs, values, ... }: +{ + config, + lib, + pkgs, + values, + ... +}: let cfg = config.services.postgresql; backupDir = "/data/postgresql-backups"; @@ -11,10 +17,10 @@ in # }; systemd.tmpfiles.settings."10-postgresql-backups".${backupDir}.d = { - user = "postgres"; - group = "postgres"; - mode = "700"; - }; + user = "postgres"; + group = "postgres"; + mode = "700"; + }; services.rsync-pull-targets = lib.mkIf cfg.enable { enable = true; 
@@ -45,23 +51,25 @@ in cfg.package ]; - script = let - rotations = 2; - in '' - set -euo pipefail + script = + let + rotations = 2; + in + '' + set -euo pipefail - OUT_FILE="$STATE_DIRECTORY/postgresql-dump-$(date --iso-8601).sql.zst" + OUT_FILE="$STATE_DIRECTORY/postgresql-dump-$(date --iso-8601).sql.zst" - pg_dumpall -U postgres | zstd --compress -9 --rsyncable -o "$OUT_FILE" + pg_dumpall -U postgres | zstd --compress -9 --rsyncable -o "$OUT_FILE" - # NOTE: this needs to be a hardlink for rrsync to allow sending it - rm "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst" ||: - ln -T "$OUT_FILE" "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst" + # NOTE: this needs to be a hardlink for rrsync to allow sending it + rm "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst" ||: + ln -T "$OUT_FILE" "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst" - while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do - rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)" - done - ''; + while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do + rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)" + done + ''; serviceConfig = { Type = "oneshot"; diff --git a/hosts/bicep/services/postgresql/default.nix b/hosts/bicep/services/postgresql/default.nix index 9e8ce45..c504d85 100644 --- a/hosts/bicep/services/postgresql/default.nix +++ b/hosts/bicep/services/postgresql/default.nix @@ -1,4 +1,10 @@ -{ config, lib, pkgs, values, ... }: +{ + config, + lib, + pkgs, + values, + ... +}: let cfg = config.services.postgresql; in diff --git a/hosts/bikkje/configuration.nix b/hosts/bikkje/configuration.nix index 3c98f79..64c0f70 100644 --- a/hosts/bikkje/configuration.nix +++ b/hosts/bikkje/configuration.nix 
@@ -1,8 +1,14 @@ -{ config, pkgs, values, ... }: +{ + lib, + config, + pkgs, + values, + ... +}: { networking.nat = { enable = true; - internalInterfaces = ["ve-+"]; + internalInterfaces = [ "ve-+" ]; externalInterface = "ens3"; # Lazy IPv6 connectivity for the container enableIPv6 = true; @@ -10,9 +16,11 @@ containers.bikkje = { autoStart = true; - config = { config, pkgs, ... }: { - #import packages - packages = with pkgs; [ + config = + { config, pkgs, ... }: + { + #import packages + packages = with pkgs; [ alpine mutt mutt-ics 
@@ -22,26 +30,66 @@ hexchat irssi pidgin - ]; + ]; - networking = { - hostName = "bikkje"; - firewall = { - enable = true; - # Allow SSH and HTTP and ports for email and irc - allowedTCPPorts = [ 80 22 194 994 6665 6666 6667 6668 6669 6697 995 993 25 465 587 110 143 993 995 ]; - allowedUDPPorts = [ 80 22 194 994 6665 6666 6667 6668 6669 6697 995 993 25 465 587 110 143 993 995 ]; + networking = { + hostName = "bikkje"; + firewall = { + enable = true; + # Allow SSH and HTTP and ports for email and irc + allowedTCPPorts = [ + 80 + 22 + 194 + 994 + 6665 + 6666 + 6667 + 6668 + 6669 + 6697 + 995 + 993 + 25 + 465 + 587 + 110 + 143 + 993 + 995 + ]; + allowedUDPPorts = [ + 80 + 22 + 194 + 994 + 6665 + 6666 + 6667 + 6668 + 6669 + 6697 + 995 + 993 + 25 + 465 + 587 + 110 + 143 + 993 + 995 + ]; + }; + # Use systemd-resolved inside the container + # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686 + useHostResolvConf = lib.mkForce false; }; - # Use systemd-resolved inside the container - # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686 - useHostResolvConf = mkForce false; + + services.resolved.enable = true; + + # Don't change (even during upgrades) unless you know what you are doing. + # See https://search.nixos.org/options?show=system.stateVersion + system.stateVersion = "23.11"; }; - - services.resolved.enable = true; - - # Don't change (even during upgrades) unless you know what you are doing. - # See https://search.nixos.org/options?show=system.stateVersion - system.stateVersion = "23.11"; - }; }; -}; +} diff --git a/hosts/brzeczyszczykiewicz/configuration.nix b/hosts/brzeczyszczykiewicz/configuration.nix index 4c637b1..a73210f 100644 --- a/hosts/brzeczyszczykiewicz/configuration.nix +++ b/hosts/brzeczyszczykiewicz/configuration.nix 
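Review bot: The container firewall in the `@@ -22,26 +30,66 @@` hunk opens `allowedUDPPorts` for exactly the same list as `allowedTCPPorts` (22, 80, 25, 465, 587, 110, 143, 993, 995 and the IRC ports), although every service the comment names — SSH, HTTP, SMTP, IMAP, POP3, IRC — is TCP-only, so the UDP list only widens the container's exposure; removing the `allowedUDPPorts` block is the least-privilege fix. Both lists also repeat `993` and `995`, harmless but a sign the list was never reviewed. Separately, the hunk changes `mkForce false` to `lib.mkForce false` (with `lib` added to the argument set in the `@@ -1,8 +1,14 @@` hunk), which as far as the visible context shows fixes a previously unbound name and is therefore a functional change riding in a formatting commit; it would be clearer as its own commit or at least mentioned in the description.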
@@ -1,16 +1,25 @@ -{ config, fp, pkgs, values, ... }: +{ + config, + fp, + pkgs, + values, + ... +}: { imports = [ - # Include the results of the hardware scan. - ./hardware-configuration.nix - (fp /base) + # Include the results of the hardware scan. + ./hardware-configuration.nix + (fp /base) - ./services/grzegorz.nix - ]; + ./services/grzegorz.nix + ]; systemd.network.networks."30-eno1" = values.defaultNetworkConfig // { matchConfig.Name = "eno1"; - address = with values.hosts.brzeczyszczykiewicz; [ (ipv4 + "/25") (ipv6 + "/64") ]; + address = with values.hosts.brzeczyszczykiewicz; [ + (ipv4 + "/25") + (ipv6 + "/64") + ]; }; fonts.fontconfig.enable = true; diff --git a/hosts/brzeczyszczykiewicz/hardware-configuration.nix b/hosts/brzeczyszczykiewicz/hardware-configuration.nix index c9099c0..cd9b334 100644 --- a/hosts/brzeczyszczykiewicz/hardware-configuration.nix +++ b/hosts/brzeczyszczykiewicz/hardware-configuration.nix 
@@ -1,31 +1,45 @@ # Do not modify this file! It was generated by 'nixos-generate-config' # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ]; + boot.initrd.availableKernelModules = [ + "xhci_pci" + "ehci_pci" + "ahci" + "usbhid" + "usb_storage" + "sd_mod" + "sr_mod" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/disk/by-uuid/4e8667f8-55de-4103-8369-b94665f42204"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/4e8667f8-55de-4103-8369-b94665f42204"; + fsType = "ext4"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/82E3-3D03"; - fsType = "vfat"; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/82E3-3D03"; + fsType = "vfat"; + }; - swapDevices = - [ { device = "/dev/disk/by-uuid/d0bf9a21-44bc-44a3-ae55-8f0971875883"; } - ]; + swapDevices = [ + { device = "/dev/disk/by-uuid/d0bf9a21-44bc-44a3-ae55-8f0971875883"; } + ]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's diff --git a/hosts/georg/configuration.nix b/hosts/georg/configuration.nix index 05082d4..b16dc64 100644 --- a/hosts/georg/configuration.nix +++ b/hosts/georg/configuration.nix 
@@ -1,16 +1,25 @@ -{ config, fp, pkgs, values, ... }: +{ + config, + fp, + pkgs, + values, + ... +}: { imports = [ - # Include the results of the hardware scan. - ./hardware-configuration.nix - (fp /base) + # Include the results of the hardware scan. + ./hardware-configuration.nix + (fp /base) - (fp /modules/grzegorz.nix) - ]; + (fp /modules/grzegorz.nix) + ]; systemd.network.networks."30-eno1" = values.defaultNetworkConfig // { matchConfig.Name = "eno1"; - address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ]; + address = with values.hosts.georg; [ + (ipv4 + "/25") + (ipv6 + "/64") + ]; }; services.spotifyd = { diff --git a/hosts/georg/hardware-configuration.nix b/hosts/georg/hardware-configuration.nix index 539ae37..4c84916 100644 --- a/hosts/georg/hardware-configuration.nix +++ b/hosts/georg/hardware-configuration.nix 
@@ -1,31 +1,44 @@ # Do not modify this file! It was generated by 'nixos-generate-config' # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ]; + boot.initrd.availableKernelModules = [ + "xhci_pci" + "ehci_pci" + "ahci" + "usb_storage" + "usbhid" + "sd_mod" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/disk/by-uuid/33825f0d-5a63-40fc-83db-bfa1ebb72ba0"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/33825f0d-5a63-40fc-83db-bfa1ebb72ba0"; + fsType = "ext4"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/145E-7362"; - fsType = "vfat"; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/145E-7362"; + fsType = "vfat"; + }; - swapDevices = - [ { device = "/dev/disk/by-uuid/7ed27e21-3247-44cd-8bcc-5d4a2efebf57"; } - ]; + swapDevices = [ + { device = "/dev/disk/by-uuid/7ed27e21-3247-44cd-8bcc-5d4a2efebf57"; } + ]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's diff --git a/hosts/ildkule/configuration.nix b/hosts/ildkule/configuration.nix index 0a7192c..bd65cc1 100644 --- a/hosts/ildkule/configuration.nix +++ b/hosts/ildkule/configuration.nix 
@@ -1,14 +1,21 @@
-{ config, fp, pkgs, lib, values, ... }:
+{
+  config,
+  fp,
+  pkgs,
+  lib,
+  values,
+  ...
+}:
 {
   imports = [
-      # Include the results of the hardware scan.
-      ./hardware-configuration.nix
-      (fp /base)
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+    (fp /base)
 
-      ./services/monitoring
-      ./services/nginx
-      ./services/journald-remote.nix
-    ];
+    ./services/monitoring
+    ./services/nginx
+    ./services/journald-remote.nix
+  ];
 
   boot.loader.systemd-boot.enable = false;
   boot.loader.grub.device = "/dev/vda";
@@ -17,26 +24,37 @@
   # Openstack Neutron and systemd-networkd are not best friends, use something else:
   systemd.network.enable = lib.mkForce false;
 
-  networking = let
-    hostConf = values.hosts.ildkule;
-  in {
-    tempAddresses = "disabled";
-    useDHCP = lib.mkForce true;
+  networking =
+    let
+      hostConf = values.hosts.ildkule;
+    in
+    {
+      tempAddresses = "disabled";
+      useDHCP = lib.mkForce true;
 
-    search = values.defaultNetworkConfig.domains;
-    nameservers = values.defaultNetworkConfig.dns;
-    defaultGateway.address = hostConf.ipv4_internal_gw;
+      search = values.defaultNetworkConfig.domains;
+      nameservers = values.defaultNetworkConfig.dns;
+      defaultGateway.address = hostConf.ipv4_internal_gw;
 
-    interfaces."ens4" = {
-      ipv4.addresses = [
-        { address = hostConf.ipv4; prefixLength = 32; }
-        { address = hostConf.ipv4_internal; prefixLength = 24; }
-      ];
-      ipv6.addresses = [
-        { address = hostConf.ipv6; prefixLength = 64; }
-      ];
+      interfaces."ens4" = {
+        ipv4.addresses = [
+          {
+            address = hostConf.ipv4;
+            prefixLength = 32;
+          }
+          {
+            address = hostConf.ipv4_internal;
+            prefixLength = 24;
+          }
+        ];
+        ipv6.addresses = [
+          {
+            address = hostConf.ipv6;
+            prefixLength = 64;
+          }
+        ];
 
+      };
     };
-  };
 
   services.qemuGuest.enable = true;
diff --git a/hosts/ildkule/hardware-configuration.nix b/hosts/ildkule/hardware-configuration.nix
index ccc6737..7ce6ac6 100644
--- a/hosts/ildkule/hardware-configuration.nix
+++ b/hosts/ildkule/hardware-configuration.nix
@@ -1,7 +1,12 @@
 { modulesPath, lib, ... }:
 {
   imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+  boot.initrd.availableKernelModules = [
+    "ata_piix"
+    "uhci_hcd"
+    "xen_blkfront"
+    "vmw_pvscsi"
+  ];
   boot.initrd.kernelModules = [ "nvme" ];
   fileSystems."/" = {
     device = "/dev/disk/by-uuid/e35eb4ce-aac3-4f91-8383-6e7cd8bbf942";
diff --git a/hosts/ildkule/services/journald-remote.nix b/hosts/ildkule/services/journald-remote.nix
index fe99c67..9611848 100644
--- a/hosts/ildkule/services/journald-remote.nix
+++ b/hosts/ildkule/services/journald-remote.nix
@@ -1,4 +1,9 @@
-{ config, lib, values, ... }:
+{
+  config,
+  lib,
+  values,
+  ...
+}:
 let
   cfg = config.services.journald.remote;
   domainName = "journald.pvv.ntnu.no";
@@ -22,13 +27,15 @@ in
 
   services.journald.remote = {
     enable = true;
-    settings.Remote = let
-      inherit (config.security.acme.certs.${domainName}) directory;
-    in {
-      ServerKeyFile = "/run/credentials/systemd-journal-remote.service/key.pem";
-      ServerCertificateFile = "/run/credentials/systemd-journal-remote.service/cert.pem";
-      TrustedCertificateFile = "-";
-    };
+    settings.Remote =
+      let
+        inherit (config.security.acme.certs.${domainName}) directory;
+      in
+      {
+        ServerKeyFile = "/run/credentials/systemd-journal-remote.service/key.pem";
+        ServerCertificateFile = "/run/credentials/systemd-journal-remote.service/cert.pem";
+        TrustedCertificateFile = "-";
+      };
   };
 
   systemd.sockets."systemd-journal-remote" = {
@@ -47,12 +54,14 @@ in
 
   systemd.services."systemd-journal-remote" = {
     serviceConfig = {
-      LoadCredential = let
-        inherit (config.security.acme.certs.${domainName}) directory;
-      in [
-        "key.pem:${directory}/key.pem"
-        "cert.pem:${directory}/cert.pem"
-      ];
+      LoadCredential =
+        let
+          inherit (config.security.acme.certs.${domainName}) directory;
+        in
+        [
+          "key.pem:${directory}/key.pem"
+          "cert.pem:${directory}/cert.pem"
+        ];
     };
   };
 }
diff --git a/hosts/ildkule/services/monitoring/grafana.nix b/hosts/ildkule/services/monitoring/grafana.nix
index f5c251a..f4b05d1 100644
--- a/hosts/ildkule/services/monitoring/grafana.nix
+++ b/hosts/ildkule/services/monitoring/grafana.nix
@@ -1,32 +1,43 @@
-{ config, pkgs, values, ... }: let
+{
+  config,
+  pkgs,
+  values,
+  ...
+}:
+let
   cfg = config.services.grafana;
-in {
-  sops.secrets = let
-    owner = "grafana";
-    group = "grafana";
-  in {
-    "keys/grafana/secret_key" = { inherit owner group; };
-    "keys/grafana/admin_password" = { inherit owner group; };
-  };
+in
+{
+  sops.secrets =
+    let
+      owner = "grafana";
+      group = "grafana";
+    in
+    {
+      "keys/grafana/secret_key" = { inherit owner group; };
+      "keys/grafana/admin_password" = { inherit owner group; };
+    };
 
   services.grafana = {
     enable = true;
-    settings = let
-      # See https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider
-      secretFile = path: "$__file{${path}}";
-    in {
-      server = {
-        domain = "grafana.pvv.ntnu.no";
-        http_port = 2342;
-        http_addr = "127.0.0.1";
-      };
+    settings =
+      let
+        # See https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider
+        secretFile = path: "$__file{${path}}";
+      in
+      {
+        server = {
+          domain = "grafana.pvv.ntnu.no";
+          http_port = 2342;
+          http_addr = "127.0.0.1";
+        };
 
-      security = {
-        secret_key = secretFile config.sops.secrets."keys/grafana/secret_key".path;
-        admin_password = secretFile config.sops.secrets."keys/grafana/admin_password".path;
+        security = {
+          secret_key = secretFile config.sops.secrets."keys/grafana/secret_key".path;
+          admin_password = secretFile config.sops.secrets."keys/grafana/admin_password".path;
 
+        };
       };
-    };
 
     provision = {
       enable = true;
diff --git a/hosts/ildkule/services/monitoring/loki.nix b/hosts/ildkule/services/monitoring/loki.nix
index 4eba3e6..2475aef 100644
--- a/hosts/ildkule/services/monitoring/loki.nix
+++ b/hosts/ildkule/services/monitoring/loki.nix
@@ -3,7 +3,8 @@ let
   cfg = config.services.loki;
   stateDir = "/data/monitoring/loki";
 
-in {
+in
+{
   services.loki = {
     enable = true;
     configuration = {
diff --git a/hosts/ildkule/services/monitoring/prometheus/default.nix b/hosts/ildkule/services/monitoring/prometheus/default.nix
index 1b52007..f205db1 100644
--- a/hosts/ildkule/services/monitoring/prometheus/default.nix
+++ b/hosts/ildkule/services/monitoring/prometheus/default.nix
@@ -1,6 +1,8 @@
-{ config, ... }: let
+{ config, ... }:
+let
   stateDir = "/data/monitoring/prometheus";
-in {
+in
+{
   imports = [
     ./exim.nix
     ./gitea.nix
diff --git a/hosts/ildkule/services/monitoring/prometheus/exim.nix b/hosts/ildkule/services/monitoring/prometheus/exim.nix
index 65d97e9..df4d4d1 100644
--- a/hosts/ildkule/services/monitoring/prometheus/exim.nix
+++ b/hosts/ildkule/services/monitoring/prometheus/exim.nix
@@ -5,9 +5,11 @@
     {
       job_name = "exim";
       scrape_interval = "15s";
-      static_configs = [{
-        targets = [ "microbel.pvv.ntnu.no:9636" ];
-      }];
+      static_configs = [
+        {
+          targets = [ "microbel.pvv.ntnu.no:9636" ];
+        }
+      ];
     }
   ];
 };
diff --git a/hosts/ildkule/services/monitoring/prometheus/gitea.nix b/hosts/ildkule/services/monitoring/prometheus/gitea.nix
index c7573e7..6325c90 100644
--- a/hosts/ildkule/services/monitoring/prometheus/gitea.nix
+++ b/hosts/ildkule/services/monitoring/prometheus/gitea.nix
@@ -1,16 +1,18 @@
 { ... }:
 {
-  services.prometheus.scrapeConfigs = [{
-    job_name = "gitea";
-    scrape_interval = "60s";
-    scheme = "https";
+  services.prometheus.scrapeConfigs = [
+    {
+      job_name = "gitea";
+      scrape_interval = "60s";
+      scheme = "https";
 
-    static_configs = [
-      {
-        targets = [
-          "git.pvv.ntnu.no:443"
-        ];
-      }
-    ];
-  }];
+      static_configs = [
+        {
+          targets = [
+            "git.pvv.ntnu.no:443"
+          ];
+        }
+      ];
+    }
+  ];
 }
diff --git a/hosts/ildkule/services/monitoring/prometheus/machines.nix b/hosts/ildkule/services/monitoring/prometheus/machines.nix
index 4967bc2..daa38c3 100644
--- a/hosts/ildkule/services/monitoring/prometheus/machines.nix
+++ b/hosts/ildkule/services/monitoring/prometheus/machines.nix
@@ -1,4 +1,5 @@
-{ config, ... }: let
+{ config, ... }:
+let
   cfg = config.services.prometheus;
 
   mkHostScrapeConfig = name: ports: {
@@ -9,32 +10,98 @@
   defaultNodeExporterPort = 9100;
   defaultSystemdExporterPort = 9101;
   defaultNixosExporterPort = 9102;
-in {
-  services.prometheus.scrapeConfigs = [{
-    job_name = "base_info";
-    static_configs = [
-      (mkHostScrapeConfig "ildkule" [ cfg.exporters.node.port cfg.exporters.systemd.port defaultNixosExporterPort ])
+in
+{
+  services.prometheus.scrapeConfigs = [
+    {
+      job_name = "base_info";
+      static_configs = [
+        (mkHostScrapeConfig "ildkule" [
+          cfg.exporters.node.port
+          cfg.exporters.systemd.port
+          defaultNixosExporterPort
+        ])
 
-      (mkHostScrapeConfig "bekkalokk" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-      (mkHostScrapeConfig "bicep" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-      (mkHostScrapeConfig "brzeczyszczykiewicz" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-      (mkHostScrapeConfig "georg" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-      (mkHostScrapeConfig "gluttony" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-      (mkHostScrapeConfig "kommode" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-      (mkHostScrapeConfig "lupine-1" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-      (mkHostScrapeConfig "lupine-2" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-      (mkHostScrapeConfig "lupine-3" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-      (mkHostScrapeConfig "lupine-4" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-      (mkHostScrapeConfig "lupine-5" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-      (mkHostScrapeConfig "temmie" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-      (mkHostScrapeConfig "ustetind" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-      (mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
+        (mkHostScrapeConfig "bekkalokk" [
+          defaultNodeExporterPort
+          defaultSystemdExporterPort
+          defaultNixosExporterPort
+        ])
+        (mkHostScrapeConfig "bicep" [
+          defaultNodeExporterPort
+          defaultSystemdExporterPort
+          defaultNixosExporterPort
+        ])
+        (mkHostScrapeConfig "brzeczyszczykiewicz" [
+          defaultNodeExporterPort
+          defaultSystemdExporterPort
+          defaultNixosExporterPort
+        ])
+        (mkHostScrapeConfig "georg" [
+          defaultNodeExporterPort
+          defaultSystemdExporterPort
+          defaultNixosExporterPort
+        ])
+        (mkHostScrapeConfig "gluttony" [
+          defaultNodeExporterPort
+          defaultSystemdExporterPort
+          defaultNixosExporterPort
+        ])
+        (mkHostScrapeConfig "kommode" [
+          defaultNodeExporterPort
+          defaultSystemdExporterPort
+          defaultNixosExporterPort
+        ])
+        (mkHostScrapeConfig "lupine-1" [
+          defaultNodeExporterPort
+          defaultSystemdExporterPort
+          defaultNixosExporterPort
+        ])
+        (mkHostScrapeConfig "lupine-2" [
+          defaultNodeExporterPort
+          defaultSystemdExporterPort
+          defaultNixosExporterPort
+        ])
+        (mkHostScrapeConfig "lupine-3" [
+          defaultNodeExporterPort
+          defaultSystemdExporterPort
+          defaultNixosExporterPort
+        ])
+        (mkHostScrapeConfig "lupine-4" [
+          defaultNodeExporterPort
+          defaultSystemdExporterPort
+          defaultNixosExporterPort
+        ])
+        (mkHostScrapeConfig "lupine-5" [
+          defaultNodeExporterPort
+          defaultSystemdExporterPort
+          defaultNixosExporterPort
+        ])
+        (mkHostScrapeConfig "temmie" [
+          defaultNodeExporterPort
+          defaultSystemdExporterPort
+          defaultNixosExporterPort
+        ])
+        (mkHostScrapeConfig "ustetind" [
+          defaultNodeExporterPort
+          defaultSystemdExporterPort
+          defaultNixosExporterPort
+        ])
+        (mkHostScrapeConfig "wenche" [
+          defaultNodeExporterPort
+          defaultSystemdExporterPort
+          defaultNixosExporterPort
+        ])
 
-      (mkHostScrapeConfig "skrott" [ defaultNodeExporterPort defaultSystemdExporterPort ])
+        (mkHostScrapeConfig "skrott" [
+          defaultNodeExporterPort
+          defaultSystemdExporterPort
+        ])
 
-      (mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ])
-      (mkHostScrapeConfig "isvegg" [ defaultNodeExporterPort ])
-      (mkHostScrapeConfig "microbel" [ defaultNodeExporterPort ])
-    ];
-  }];
+        (mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ])
+        (mkHostScrapeConfig "isvegg" [ defaultNodeExporterPort ])
+        (mkHostScrapeConfig "microbel" [ defaultNodeExporterPort ])
+      ];
+    }
+  ];
 }
diff --git a/hosts/ildkule/services/monitoring/prometheus/matrix-synapse.nix b/hosts/ildkule/services/monitoring/prometheus/matrix-synapse.nix
index 8a9f400..23c713d 100644
--- a/hosts/ildkule/services/monitoring/prometheus/matrix-synapse.nix
+++ b/hosts/ildkule/services/monitoring/prometheus/matrix-synapse.nix
@@ -1,40 +1,44 @@
 { ... }:
 {
-  services.prometheus.scrapeConfigs = [{
-    job_name = "synapse";
-    scrape_interval = "15s";
-    scheme = "https";
+  services.prometheus.scrapeConfigs = [
+    {
+      job_name = "synapse";
+      scrape_interval = "15s";
+      scheme = "https";
 
-    http_sd_configs = [{
-      url = "https://matrix.pvv.ntnu.no/metrics/config.json";
-    }];
+      http_sd_configs = [
+        {
+          url = "https://matrix.pvv.ntnu.no/metrics/config.json";
+        }
+      ];
 
-    relabel_configs = [
-      {
-        source_labels = [ "__address__" ];
-        regex = "[^/]+(/.*)";
-        target_label = "__metrics_path__";
-      }
-      {
-        source_labels = [ "__address__" ];
-        regex = "([^/]+)/.*";
-        target_label = "instance";
-      }
-      {
-        source_labels = [ "__address__" ];
-        regex = "[^/]+\\/+[^/]+/(.*)/\\d+$";
-        target_label = "job";
-      }
-      {
-        source_labels = [ "__address__" ];
-        regex = "[^/]+\\/+[^/]+/.*/(\\d+)$";
-        target_label = "index";
-      }
-      {
-        source_labels = [ "__address__" ];
-        regex = "([^/]+)/.*";
-        target_label = "__address__";
-      }
-    ];
-  }];
+      relabel_configs = [
+        {
+          source_labels = [ "__address__" ];
+          regex = "[^/]+(/.*)";
+          target_label = "__metrics_path__";
+        }
+        {
+          source_labels = [ "__address__" ];
+          regex = "([^/]+)/.*";
+          target_label = "instance";
+        }
+        {
+          source_labels = [ "__address__" ];
+          regex = "[^/]+\\/+[^/]+/(.*)/\\d+$";
+          target_label = "job";
+        }
+        {
+          source_labels = [ "__address__" ];
+          regex = "[^/]+\\/+[^/]+/.*/(\\d+)$";
+          target_label = "index";
+        }
+        {
+          source_labels = [ "__address__" ];
+          regex = "([^/]+)/.*";
+          target_label = "__address__";
+        }
+      ];
+    }
+  ];
 }
diff --git a/hosts/ildkule/services/monitoring/prometheus/mysqld.nix b/hosts/ildkule/services/monitoring/prometheus/mysqld.nix
index 6ffa9d1..f4368f5 100644
--- a/hosts/ildkule/services/monitoring/prometheus/mysqld.nix
+++ b/hosts/ildkule/services/monitoring/prometheus/mysqld.nix
@@ -1,36 +1,42 @@
-{ config, ... }: let
+{ config, ... }:
+let
   cfg = config.services.prometheus;
-in {
+in
+{
   sops = {
     secrets."config/mysqld_exporter_password" = { };
 
     templates."mysqld_exporter.conf" = {
       restartUnits = [ "prometheus-mysqld-exporter.service" ];
-      content = let
-        inherit (config.sops) placeholder;
-      in ''
-        [client]
-        host = mysql.pvv.ntnu.no
-        port = 3306
-        user = prometheus_mysqld_exporter
-        password = ${placeholder."config/mysqld_exporter_password"}
-      '';
+      content =
+        let
+          inherit (config.sops) placeholder;
+        in
+        ''
+          [client]
+          host = mysql.pvv.ntnu.no
+          port = 3306
+          user = prometheus_mysqld_exporter
+          password = ${placeholder."config/mysqld_exporter_password"}
+        '';
     };
   };
 
   services.prometheus = {
-    scrapeConfigs = [{
-      job_name = "mysql";
-      scheme = "http";
-      metrics_path = cfg.exporters.mysqld.telemetryPath;
-      static_configs = [
-        {
-          targets = [
-            "localhost:${toString cfg.exporters.mysqld.port}"
-          ];
-        }
-      ];
-    }];
+    scrapeConfigs = [
+      {
+        job_name = "mysql";
+        scheme = "http";
+        metrics_path = cfg.exporters.mysqld.telemetryPath;
+        static_configs = [
+          {
+            targets = [
+              "localhost:${toString cfg.exporters.mysqld.port}"
+            ];
+          }
+        ];
+      }
+    ];
 
     exporters.mysqld = {
       enable = true;
diff --git a/hosts/ildkule/services/monitoring/prometheus/postgres.nix b/hosts/ildkule/services/monitoring/prometheus/postgres.nix
index 5cde1b2..cb341c4 100644
--- a/hosts/ildkule/services/monitoring/prometheus/postgres.nix
+++ b/hosts/ildkule/services/monitoring/prometheus/postgres.nix
@@ -1,9 +1,17 @@
-{ pkgs, lib, config, values, ... }: let
+{
+  pkgs,
+  lib,
+  config,
+  values,
+  ...
+}:
+let
   cfg = config.services.prometheus;
-in {
+in
+{
   sops.secrets = {
-    "keys/postgres/postgres_exporter_env" = {};
-    "keys/postgres/postgres_exporter_knakelibrak_env" = {};
+    "keys/postgres/postgres_exporter_env" = { };
+    "keys/postgres/postgres_exporter_knakelibrak_env" = { };
   };
 
   services.prometheus = {
@@ -11,22 +19,26 @@ in {
       {
         job_name = "postgres";
         scrape_interval = "15s";
-        static_configs = [{
-          targets = [ "localhost:${toString cfg.exporters.postgres.port}" ];
-          labels = {
-            server = "bicep";
-          };
-        }];
+        static_configs = [
+          {
+            targets = [ "localhost:${toString cfg.exporters.postgres.port}" ];
+            labels = {
+              server = "bicep";
+            };
+          }
+        ];
       }
       {
         job_name = "postgres-knakelibrak";
         scrape_interval = "15s";
-        static_configs = [{
-          targets = [ "localhost:${toString (cfg.exporters.postgres.port + 1)}" ];
-          labels = {
-            server = "knakelibrak";
-          };
-        }];
+        static_configs = [
+          {
+            targets = [ "localhost:${toString (cfg.exporters.postgres.port + 1)}" ];
+            labels = {
+              server = "knakelibrak";
+            };
+          }
+        ];
       }
     ];
 
@@ -37,9 +49,11 @@ in {
     };
   };
 
-  systemd.services.prometheus-postgres-exporter-knakelibrak.serviceConfig = let
-    localCfg = config.services.prometheus.exporters.postgres;
-  in lib.recursiveUpdate config.systemd.services.prometheus-postgres-exporter.serviceConfig {
+  systemd.services.prometheus-postgres-exporter-knakelibrak.serviceConfig =
+    let
+      localCfg = config.services.prometheus.exporters.postgres;
+    in
+    lib.recursiveUpdate config.systemd.services.prometheus-postgres-exporter.serviceConfig {
     EnvironmentFile = config.sops.secrets."keys/postgres/postgres_exporter_knakelibrak_env".path;
     ExecStart = ''
       ${pkgs.prometheus-postgres-exporter}/bin/postgres_exporter \
diff --git a/hosts/ildkule/services/monitoring/uptime-kuma.nix b/hosts/ildkule/services/monitoring/uptime-kuma.nix
index 9b1c0fc..00d3b51 100644
--- a/hosts/ildkule/services/monitoring/uptime-kuma.nix
+++ b/hosts/ildkule/services/monitoring/uptime-kuma.nix
@@ -1,9 +1,15 @@
-{ config, pkgs, lib, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
 let
   cfg = config.services.uptime-kuma;
   domain = "status.pvv.ntnu.no";
   stateDir = "/data/monitoring/uptime-kuma";
-in {
+in
+{
   services.uptime-kuma = {
     enable = true;
     settings = {
diff --git a/hosts/kommode/configuration.nix b/hosts/kommode/configuration.nix
index a79a5b3..3610895 100644
--- a/hosts/kommode/configuration.nix
+++ b/hosts/kommode/configuration.nix
@@ -1,4 +1,9 @@
-{ pkgs, values, fp, ... }:
+{
+  pkgs,
+  values,
+  fp,
+  ...
+}:
 {
   imports = [
     # Include the results of the hardware scan.
@@ -12,7 +17,10 @@
 
   systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
     matchConfig.Name = "ens18";
-    address = with values.hosts.kommode; [ (ipv4 + "/25") (ipv6 + "/64") ];
+    address = with values.hosts.kommode; [
+      (ipv4 + "/25")
+      (ipv6 + "/64")
+    ];
   };
 
   services.btrfs.autoScrub.enable = true;
diff --git a/hosts/kommode/hardware-configuration.nix b/hosts/kommode/hardware-configuration.nix
index caea79b..c74d530 100644
--- a/hosts/kommode/hardware-configuration.nix
+++ b/hosts/kommode/hardware-configuration.nix
@@ -1,14 +1,27 @@
 # Do not modify this file! It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations. Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
 
 {
-  imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
-    ];
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
 
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.availableKernelModules = [
+    "ata_piix"
+    "uhci_hcd"
+    "virtio_pci"
+    "virtio_scsi"
+    "sd_mod"
+    "sr_mod"
+  ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ ];
   boot.extraModulePackages = [ ];
diff --git a/hosts/kommode/services/gitea/customization/default.nix b/hosts/kommode/services/gitea/customization/default.nix
index cfe28ea..3914102 100644
--- a/hosts/kommode/services/gitea/customization/default.nix
+++ b/hosts/kommode/services/gitea/customization/default.nix
@@ -1,4 +1,10 @@
-{ config, pkgs, lib, fp, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  fp,
+  ...
+}:
 let
   cfg = config.services.gitea;
 in
@@ -68,54 +74,59 @@ in
     wantedBy = [ "gitea.service" ];
     requiredBy = [ "gitea.service" ];
 
-      serviceConfig = {
+    serviceConfig = {
       Type = "oneshot";
       User = cfg.user;
       Group = cfg.group;
     };
 
-    script = let
-      logo-svg = fp /assets/logo_blue_regular.svg;
-      logo-png = fp /assets/logo_blue_regular.png;
+    script =
+      let
+        logo-svg = fp /assets/logo_blue_regular.svg;
+        logo-png = fp /assets/logo_blue_regular.png;
 
-      extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
-        Tokyo Drift Issues
+        extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
+          Tokyo Drift Issues
+        '';
+
+        extraLinksFooter = pkgs.writeText "gitea-extra-links-footer.tmpl" ''
+          PVV
+          Wiki
+          PVV Gitea Howto
+        '';
+
+        project-labels = (pkgs.formats.yaml { }).generate "gitea-project-labels.yaml" {
+          labels = lib.importJSON ./labels/projects.json;
+        };
+
+        customTemplates =
+          pkgs.runCommandLocal "gitea-templates"
+            {
+              nativeBuildInputs = with pkgs; [
+                coreutils
+                gnused
+              ];
+            }
+            ''
+              # Bigger icons
+              install -Dm444 "${cfg.package.src}/templates/repo/icon.tmpl" "$out/repo/icon.tmpl"
+              sed -i -e 's/24/60/g' "$out/repo/icon.tmpl"
+            '';
+      in
+      ''
+        install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
+        install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
+        install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
+        install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
+        install -Dm444 ${extraLinksFooter} ${cfg.customDir}/templates/custom/extra_links_footer.tmpl
+        install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml
+
+        install -Dm644 ${./emotes/bruh.png} ${cfg.customDir}/public/assets/img/emoji/bruh.png
+        install -Dm644 ${./emotes/huh.gif} ${cfg.customDir}/public/assets/img/emoji/huh.png
+        install -Dm644 ${./emotes/grr.png} ${cfg.customDir}/public/assets/img/emoji/grr.png
+        install -Dm644 ${./emotes/okiedokie.jpg} ${cfg.customDir}/public/assets/img/emoji/okiedokie.png
+
+        "${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/
       '';
-
-      extraLinksFooter = pkgs.writeText "gitea-extra-links-footer.tmpl" ''
-        PVV
-        Wiki
-        PVV Gitea Howto
-      '';
-
-      project-labels = (pkgs.formats.yaml { }).generate "gitea-project-labels.yaml" {
-        labels = lib.importJSON ./labels/projects.json;
-      };
-
-      customTemplates = pkgs.runCommandLocal "gitea-templates" {
-        nativeBuildInputs = with pkgs; [
-          coreutils
-          gnused
-        ];
-      } ''
-        # Bigger icons
-        install -Dm444 "${cfg.package.src}/templates/repo/icon.tmpl" "$out/repo/icon.tmpl"
-        sed -i -e 's/24/60/g' "$out/repo/icon.tmpl"
-      '';
-    in ''
-      install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
-      install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
-      install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
-      install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
-      install -Dm444 ${extraLinksFooter} ${cfg.customDir}/templates/custom/extra_links_footer.tmpl
-      install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml
-
-      install -Dm644 ${./emotes/bruh.png} ${cfg.customDir}/public/assets/img/emoji/bruh.png
-      install -Dm644 ${./emotes/huh.gif} ${cfg.customDir}/public/assets/img/emoji/huh.png
-      install -Dm644 ${./emotes/grr.png} ${cfg.customDir}/public/assets/img/emoji/grr.png
-      install -Dm644 ${./emotes/okiedokie.jpg} ${cfg.customDir}/public/assets/img/emoji/okiedokie.png
-
-      "${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/
-    '';
   };
 }
diff --git a/hosts/kommode/services/gitea/default.nix b/hosts/kommode/services/gitea/default.nix
index 29a4aaf..6227c9c 100644
--- a/hosts/kommode/services/gitea/default.nix
+++ b/hosts/kommode/services/gitea/default.nix
@@ -1,9 +1,17 @@
-{ config, values, lib, pkgs, unstablePkgs, ... }:
+{
+  config,
+  values,
+  lib,
+  pkgs,
+  unstablePkgs,
+  ...
+}:
 let
   cfg = config.services.gitea;
   domain = "git.pvv.ntnu.no";
-  sshPort = 2222;
-in {
+  sshPort = 2222;
+in
+{
   imports = [
     ./customization
     ./gpg.nix
@@ -11,19 +19,21 @@ in {
     ./web-secret-provider
   ];
 
-  sops.secrets = let
-    defaultConfig = {
-      owner = "gitea";
-      group = "gitea";
-      restartUnits = [ "gitea.service" ];
+  sops.secrets =
+    let
+      defaultConfig = {
+        owner = "gitea";
+        group = "gitea";
+        restartUnits = [ "gitea.service" ];
+      };
+    in
+    {
+      "gitea/database" = defaultConfig;
+      "gitea/email-password" = defaultConfig;
+      "gitea/lfs-jwt-secret" = defaultConfig;
+      "gitea/oauth2-jwt-secret" = defaultConfig;
+      "gitea/secret-key" = defaultConfig;
     };
-  in {
-    "gitea/database" = defaultConfig;
-    "gitea/email-password" = defaultConfig;
-    "gitea/lfs-jwt-secret" = defaultConfig;
-    "gitea/oauth2-jwt-secret" = defaultConfig;
-    "gitea/secret-key" = defaultConfig;
-  };
 
   services.gitea = {
     enable = true;
@@ -44,7 +54,7 @@ in {
   # https://docs.gitea.com/administration/config-cheat-sheet
   settings = {
     server = {
-      DOMAIN = domain;
+      DOMAIN = domain;
       ROOT_URL = "https://${domain}/";
       PROTOCOL = "http+unix";
       SSH_PORT = sshPort;
@@ -215,29 +225,33 @@ in {
   };
 
   systemd.services.gitea-dump = {
-    serviceConfig.ExecStart = let
-      args = lib.cli.toGNUCommandLineShell { } {
-        type = cfg.dump.type;
+    serviceConfig.ExecStart =
+      let
+        args = lib.cli.toGNUCommandLineShell { } {
+          type = cfg.dump.type;
 
-        # This should be declarative on nixos, no need to backup.
-        skip-custom-dir = true;
+          # This should be declarative on nixos, no need to backup.
+          skip-custom-dir = true;
 
-        # This can be regenerated, no need to backup
-        skip-index = true;
+          # This can be regenerated, no need to backup
+          skip-index = true;
 
-        # Logs are stored in the systemd journal
-        skip-log = true;
-      };
-    in lib.mkForce "${lib.getExe cfg.package} ${args}";
+          # Logs are stored in the systemd journal
+          skip-log = true;
+        };
+      in
+      lib.mkForce "${lib.getExe cfg.package} ${args}";
 
     # Only keep n backup files at a time
-    postStop = let
-      cu = prog: "'${lib.getExe' pkgs.coreutils prog}'";
-      backupCount = 3;
-    in ''
-      for file in $(${cu "ls"} -t1 '${cfg.dump.backupDir}' | ${cu "sort"} --reverse | ${cu "tail"} -n+${toString (backupCount + 1)}); do
-        ${cu "rm"} "$file"
-      done
+    postStop =
+      let
+        cu = prog: "'${lib.getExe' pkgs.coreutils prog}'";
+        backupCount = 3;
+      in
+      ''
+        for file in $(${cu "ls"} -t1 '${cfg.dump.backupDir}' | ${cu "sort"} --reverse | ${cu "tail"} -n+${toString (backupCount + 1)}); do
+          ${cu "rm"} "$file"
+        done
     '';
   };
 }
diff --git a/hosts/kommode/services/gitea/gpg.nix b/hosts/kommode/services/gitea/gpg.nix
index 06a36bd..71f022a 100644
--- a/hosts/kommode/services/gitea/gpg.nix
+++ b/hosts/kommode/services/gitea/gpg.nix
@@ -1,4 +1,9 @@
-{ config, pkgs, lib, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
 let
   cfg = config.services.gitea;
   GNUPGHOME = "${config.users.users.gitea.home}/gnupg";
diff --git a/hosts/kommode/services/gitea/import-users/default.nix b/hosts/kommode/services/gitea/import-users/default.nix
index 421227a..d68e369 100644
--- a/hosts/kommode/services/gitea/import-users/default.nix
+++ b/hosts/kommode/services/gitea/import-users/default.nix
@@ -1,4 +1,9 @@
-{ config, pkgs, lib, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
 let
   cfg = config.services.gitea;
 in
@@ -11,7 +16,7 @@ in
 
   systemd.services.gitea-import-users = lib.mkIf cfg.enable {
     enable = true;
-    preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /run/gitea-import-users/passwd'';
+    preStart = ''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /run/gitea-import-users/passwd'';
     environment.PASSWD_FILE_PATH = "/run/gitea-import-users/passwd";
     serviceConfig = {
       ExecStart = pkgs.writers.writePython3 "gitea-import-users" {
@@ -20,12 +25,12 @@ in
         ];
         libraries = with pkgs.python3Packages; [ requests ];
       } (builtins.readFile ./gitea-import-users.py);
-      LoadCredential=[
+      LoadCredential = [
         "sshkey:${config.sops.secrets."gitea/passwd-ssh-key".path}"
         "ssh-known-hosts:${config.sops.secrets."gitea/ssh-known-hosts".path}"
       ];
-      DynamicUser="yes";
-      EnvironmentFile=config.sops.secrets."gitea/import-user-env".path;
+      DynamicUser = "yes";
+      EnvironmentFile = config.sops.secrets."gitea/import-user-env".path;
       RuntimeDirectory = "gitea-import-users";
     };
   };
diff --git a/hosts/kommode/services/gitea/web-secret-provider/default.nix b/hosts/kommode/services/gitea/web-secret-provider/default.nix
index ba19c7e..ab7a4e2 100644
--- a/hosts/kommode/services/gitea/web-secret-provider/default.nix
+++ b/hosts/kommode/services/gitea/web-secret-provider/default.nix
@@ -1,4 +1,9 @@
-{ config, pkgs, lib, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
 let
   organizations = [
     "Drift"
@@ -36,7 +41,8 @@ in
     group = "gitea-web";
     restartUnits = [
       "gitea-web-secret-provider@"
-    ] ++ (map (org: "gitea-web-secret-provider@${org}") organizations);
+    ]
+    ++ (map (org: "gitea-web-secret-provider@${org}") organizations);
   };
 
   systemd.slices.system-giteaweb = {
@@ -48,25 +54,30 @@ in
   # %d - secrets directory
   systemd.services."gitea-web-secret-provider@" = {
     description = "Ensure all repos in %i has an SSH key to push web content";
-    requires = [ "gitea.service" "network.target" ];
+    requires = [
+      "gitea.service"
+      "network.target"
+    ];
     serviceConfig = {
       Slice = "system-giteaweb.slice";
       Type = "oneshot";
-      ExecStart = let
-        args = lib.cli.toGNUCommandLineShell { } {
-          org = "%i";
-          token-path = "%d/token";
-          api-url = "${giteaCfg.settings.server.ROOT_URL}api/v1";
-          key-dir = "/var/lib/gitea-web/keys/%i";
-          authorized-keys-path = "/var/lib/gitea-web/authorized_keys.d/%i";
-          rrsync-script = pkgs.writeShellScript "rrsync-chown" ''
-            mkdir -p "$1"
-            ${lib.getExe pkgs.rrsync} -wo "$1"
-            ${pkgs.coreutils}/bin/chown -R gitea-web:gitea-web "$1"
-          '';
-          web-dir = "/var/lib/gitea-web/web";
-        };
-      in "${giteaWebSecretProviderScript} ${args}";
+      ExecStart =
+        let
+          args = lib.cli.toGNUCommandLineShell { } {
+            org = "%i";
+            token-path = "%d/token";
+            api-url = "${giteaCfg.settings.server.ROOT_URL}api/v1";
+            key-dir = "/var/lib/gitea-web/keys/%i";
+            authorized-keys-path = "/var/lib/gitea-web/authorized_keys.d/%i";
+            rrsync-script = pkgs.writeShellScript "rrsync-chown" ''
+              mkdir -p "$1"
+              ${lib.getExe pkgs.rrsync} -wo "$1"
+              ${pkgs.coreutils}/bin/chown -R gitea-web:gitea-web "$1"
+            '';
+            web-dir = "/var/lib/gitea-web/web";
+          };
+        in
+        "${giteaWebSecretProviderScript} ${args}";
       User = "gitea-web";
       Group = "gitea-web";
 
@@ -85,7 +96,10 @@ in
       ProtectControlGroups = true;
       ProtectKernelModules = true;
       ProtectKernelTunables = true;
-      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+      RestrictAddressFamilies = [
+        "AF_INET"
+        "AF_INET6"
+      ];
       RestrictRealtime = true;
       RestrictSUIDSGID = true;
       MemoryDenyWriteExecute = true;
@@ -105,7 +119,9 @@ in
 
   systemd.targets.timers.wants = map (org: "gitea-web-secret-provider@${org}.timer") organizations;
 
-  services.openssh.authorizedKeysFiles = map (org: "/var/lib/gitea-web/authorized_keys.d/${org}") organizations;
+  services.openssh.authorizedKeysFiles = map (
+    org: "/var/lib/gitea-web/authorized_keys.d/${org}"
+  ) organizations;
 
   users.users.nginx.extraGroups = [ "gitea-web" ];
   services.nginx.virtualHosts."pages.pvv.ntnu.no" = {
diff --git a/hosts/lupine/configuration.nix b/hosts/lupine/configuration.nix
index 43d35c1..a4dda67 100644
--- a/hosts/lupine/configuration.nix
+++ b/hosts/lupine/configuration.nix
@@ -1,4 +1,9 @@
-{ fp, values, lupineName, ... }:
+{
+  fp,
+  values,
+  lupineName,
+  ...
+}:
 {
   imports = [
     ./hardware-configuration/${lupineName}.nix
@@ -12,7 +17,10 @@
 
   systemd.network.networks."30-enp0s31f6" = values.defaultNetworkConfig // {
     matchConfig.Name = "enp0s31f6";
-    address = with values.hosts.${lupineName}; [ (ipv4 + "/25") (ipv6 + "/64") ];
+    address = with values.hosts.${lupineName}; [
+      (ipv4 + "/25")
+      (ipv6 + "/64")
+    ];
     networkConfig.LLDP = false;
   };
   systemd.network.wait-online = {
diff --git a/hosts/lupine/hardware-configuration/lupine-1.nix b/hosts/lupine/hardware-configuration/lupine-1.nix
index d97536c..7cb4ae2 100644
--- a/hosts/lupine/hardware-configuration/lupine-1.nix
+++ b/hosts/lupine/hardware-configuration/lupine-1.nix
@@ -1,32 +1,46 @@ # Do not modify this file! It was generated by 'nixos-generate-config' # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ]; + boot.initrd.availableKernelModules = [ + "xhci_pci" + "ahci" + "usbhid" + "sd_mod" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/disk/by-uuid/a949e2e8-d973-4925-83e4-bcd815e65af7"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/a949e2e8-d973-4925-83e4-bcd815e65af7"; + fsType = "ext4"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/81D6-38D3"; - fsType = "vfat"; - options = [ "fmask=0077" "dmask=0077" ]; - }; - - swapDevices = - [ { device = "/dev/disk/by-uuid/82c2d7fa-7cd0-4398-8cf6-c892bc56264b"; } + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/81D6-38D3"; + fsType = "vfat"; + options = [ + "fmask=0077" + "dmask=0077" ]; + }; + + swapDevices = [ + { device = "/dev/disk/by-uuid/82c2d7fa-7cd0-4398-8cf6-c892bc56264b"; } + ]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's diff --git a/hosts/lupine/hardware-configuration/lupine-2.nix b/hosts/lupine/hardware-configuration/lupine-2.nix index e1b480c..f123ac4 100644 --- a/hosts/lupine/hardware-configuration/lupine-2.nix +++ b/hosts/lupine/hardware-configuration/lupine-2.nix 
@@ -1,32 +1,46 @@ # Do not modify this file! It was generated by 'nixos-generate-config' # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ]; + boot.initrd.availableKernelModules = [ + "xhci_pci" + "ahci" + "usbhid" + "sd_mod" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/disk/by-uuid/aa81d439-800b-403d-ac10-9d2aac3619d0"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/aa81d439-800b-403d-ac10-9d2aac3619d0"; + fsType = "ext4"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/4A34-6AE5"; - fsType = "vfat"; - options = [ "fmask=0077" "dmask=0077" ]; - }; - - swapDevices = - [ { device = "/dev/disk/by-uuid/efb7cd0c-c1ae-4a86-8bc2-8e7fd0066650"; } + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/4A34-6AE5"; + fsType = "vfat"; + options = [ + "fmask=0077" + "dmask=0077" ]; + }; + + swapDevices = [ + { device = "/dev/disk/by-uuid/efb7cd0c-c1ae-4a86-8bc2-8e7fd0066650"; } + ]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's diff --git a/hosts/lupine/hardware-configuration/lupine-3.nix b/hosts/lupine/hardware-configuration/lupine-3.nix index 3855e11..101943b 100644 --- a/hosts/lupine/hardware-configuration/lupine-3.nix +++ b/hosts/lupine/hardware-configuration/lupine-3.nix 
@@ -1,32 +1,46 @@ # Do not modify this file! It was generated by 'nixos-generate-config' # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ]; + boot.initrd.availableKernelModules = [ + "xhci_pci" + "ahci" + "usbhid" + "sd_mod" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/disk/by-uuid/39ba059b-3205-4701-a832-e72c0122cb88"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/39ba059b-3205-4701-a832-e72c0122cb88"; + fsType = "ext4"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/63FA-297B"; - fsType = "vfat"; - options = [ "fmask=0077" "dmask=0077" ]; - }; - - swapDevices = - [ { device = "/dev/disk/by-uuid/9c72eb54-ea8c-4b09-808a-8be9b9a33869"; } + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/63FA-297B"; + fsType = "vfat"; + options = [ + "fmask=0077" + "dmask=0077" ]; + }; + + swapDevices = [ + { device = "/dev/disk/by-uuid/9c72eb54-ea8c-4b09-808a-8be9b9a33869"; } + ]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's diff --git a/hosts/lupine/hardware-configuration/lupine-4.nix b/hosts/lupine/hardware-configuration/lupine-4.nix index 803830a..a131eba 100644 --- a/hosts/lupine/hardware-configuration/lupine-4.nix +++ b/hosts/lupine/hardware-configuration/lupine-4.nix 
@@ -1,26 +1,37 @@ # Do not modify this file! It was generated by 'nixos-generate-config' # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ]; + boot.initrd.availableKernelModules = [ + "xhci_pci" + "ahci" + "usbhid" + "sd_mod" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/disk/by-uuid/c7bbb293-a0a3-4995-8892-0ec63e8c67dd"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/c7bbb293-a0a3-4995-8892-0ec63e8c67dd"; + fsType = "ext4"; + }; - swapDevices = - [ { device = "/dev/disk/by-uuid/a86ffda8-8ecb-42a1-bf9f-926072e90ca5"; } - ]; + swapDevices = [ + { device = "/dev/disk/by-uuid/a86ffda8-8ecb-42a1-bf9f-926072e90ca5"; } + ]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's diff --git a/hosts/lupine/hardware-configuration/lupine-5.nix b/hosts/lupine/hardware-configuration/lupine-5.nix index a47b892..436d774 100644 --- a/hosts/lupine/hardware-configuration/lupine-5.nix +++ b/hosts/lupine/hardware-configuration/lupine-5.nix 
@@ -1,32 +1,46 @@ # Do not modify this file! It was generated by 'nixos-generate-config' # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ]; + boot.initrd.availableKernelModules = [ + "xhci_pci" + "ahci" + "usbhid" + "sd_mod" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/disk/by-uuid/5f8418ad-8ec1-4f9e-939e-f3a4c36ef343"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/5f8418ad-8ec1-4f9e-939e-f3a4c36ef343"; + fsType = "ext4"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/F372-37DF"; - fsType = "vfat"; - options = [ "fmask=0077" "dmask=0077" ]; - }; - - swapDevices = - [ { device = "/dev/disk/by-uuid/27bf292d-bbb3-48c4-a86e-456e0f1f648f"; } + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/F372-37DF"; + fsType = "vfat"; + options = [ + "fmask=0077" + "dmask=0077" ]; + }; + + swapDevices = [ + { device = "/dev/disk/by-uuid/27bf292d-bbb3-48c4-a86e-456e0f1f648f"; } + ]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's diff --git a/hosts/lupine/services/gitea-runner.nix b/hosts/lupine/services/gitea-runner.nix index 3245759..ae6bc8d 100644 --- a/hosts/lupine/services/gitea-runner.nix +++ b/hosts/lupine/services/gitea-runner.nix @@ -67,5 +67,8 @@ networking.dhcpcd.IPv6rs = false; - networking.firewall.interfaces."podman+".allowedUDPPorts = [53 5353]; + networking.firewall.interfaces."podman+".allowedUDPPorts = [ + 53 + 5353 + ]; } 
diff --git a/hosts/shark/configuration.nix b/hosts/shark/configuration.nix index c53a220..8cc8e5c 100644 --- a/hosts/shark/configuration.nix +++ b/hosts/shark/configuration.nix @@ -1,14 +1,23 @@ -{ config, fp, pkgs, values, ... }: +{ + config, + fp, + pkgs, + values, + ... +}: { imports = [ - # Include the results of the hardware scan. - ./hardware-configuration.nix - (fp /base) - ]; + # Include the results of the hardware scan. + ./hardware-configuration.nix + (fp /base) + ]; systemd.network.networks."30-ens18" = values.defaultNetworkConfig // { matchConfig.Name = "ens18"; - address = with values.hosts.shark; [ (ipv4 + "/25") (ipv6 + "/64") ]; + address = with values.hosts.shark; [ + (ipv4 + "/25") + (ipv6 + "/64") + ]; }; services.qemuGuest.enable = true; diff --git a/hosts/shark/hardware-configuration.nix b/hosts/shark/hardware-configuration.nix index 2536bab..b86512e 100644 --- a/hosts/shark/hardware-configuration.nix +++ b/hosts/shark/hardware-configuration.nix 
@@ -1,31 +1,44 @@ # Do not modify this file! It was generated by 'nixos-generate-config' # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { - imports = - [ (modulesPath + "/profiles/qemu-guest.nix") - ]; + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; - boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; + boot.initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "virtio_pci" + "virtio_scsi" + "sd_mod" + "sr_mod" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/disk/by-uuid/224c45db-9fdc-45d4-b3ad-aaf20b3efa8a"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/224c45db-9fdc-45d4-b3ad-aaf20b3efa8a"; + fsType = "ext4"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/CC37-F5FE"; - fsType = "vfat"; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/CC37-F5FE"; + fsType = "vfat"; + }; - swapDevices = - [ { device = "/dev/disk/by-uuid/a1ce3234-78b1-4565-9643-f4a05004424f"; } - ]; + swapDevices = [ + { device = "/dev/disk/by-uuid/a1ce3234-78b1-4565-9643-f4a05004424f"; } + ]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's diff --git a/hosts/skrot/hardware-configuration.nix b/hosts/skrot/hardware-configuration.nix index cafc847..0edb290 100644 --- a/hosts/skrot/hardware-configuration.nix +++ b/hosts/skrot/hardware-configuration.nix 
@@ -1,11 +1,22 @@ -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ]; + boot.initrd.availableKernelModules = [ + "xhci_pci" + "ahci" + "usbhid" + "sd_mod" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-amd" ]; boot.extraModulePackages = [ ]; diff --git a/hosts/skrott/configuration.nix b/hosts/skrott/configuration.nix index b946e1f..2c8f27d 100644 --- a/hosts/skrott/configuration.nix +++ b/hosts/skrott/configuration.nix @@ -1,4 +1,13 @@ -{ config, pkgs, lib, modulesPath, fp, values, ... }: { +{ + config, + pkgs, + lib, + modulesPath, + fp, + values, + ... +}: +{ imports = [ (modulesPath + "/profiles/perlless.nix") @@ -64,14 +73,18 @@ defaultGateway6 = values.hosts.gateway6; interfaces.eth0 = { useDHCP = false; - ipv4.addresses = [{ - address = values.hosts.skrott.ipv4; - prefixLength = 25; - }]; - ipv6.addresses = [{ - address = values.hosts.skrott.ipv6; - prefixLength = 25; - }]; + ipv4.addresses = [ + { + address = values.hosts.skrott.ipv4; + prefixLength = 25; + } + ]; + ipv6.addresses = [ + { + address = values.hosts.skrott.ipv6; + prefixLength = 25; + } + ]; }; }; diff --git a/hosts/temmie/configuration.nix b/hosts/temmie/configuration.nix index a7e2b19..029368c 100644 --- a/hosts/temmie/configuration.nix +++ b/hosts/temmie/configuration.nix @@ -1,4 +1,10 @@ -{ config, fp, pkgs, values, ... }: +{ + config, + fp, + pkgs, + values, + ... +}: { imports = [ # Include the results of the hardware scan. 
@@ -11,7 +17,10 @@ systemd.network.networks."30-ens18" = values.defaultNetworkConfig // { matchConfig.Name = "ens18"; - address = with values.hosts.temmie; [ (ipv4 + "/25") (ipv6 + "/64") ]; + address = with values.hosts.temmie; [ + (ipv4 + "/25") + (ipv6 + "/64") + ]; }; services.nginx.enable = false; diff --git a/hosts/temmie/hardware-configuration.nix b/hosts/temmie/hardware-configuration.nix index a7a165e..8613a46 100644 --- a/hosts/temmie/hardware-configuration.nix +++ b/hosts/temmie/hardware-configuration.nix @@ -1,28 +1,44 @@ # Do not modify this file! It was generated by 'nixos-generate-config' # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { - imports = - [ (modulesPath + "/profiles/qemu-guest.nix") - ]; + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; - boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; + boot.initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "virtio_pci" + "virtio_scsi" + "sd_mod" + "sr_mod" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/disk/by-uuid/c3aed415-0054-4ac5-8d29-75a99cc26451"; - fsType = "btrfs"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/c3aed415-0054-4ac5-8d29-75a99cc26451"; + fsType = "btrfs"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/A367-83FD"; - fsType = "vfat"; - options = [ "fmask=0022" "dmask=0022" ]; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/A367-83FD"; + fsType = "vfat"; + options = [ + "fmask=0022" + "dmask=0022" + ]; + }; swapDevices = [ ]; diff --git a/hosts/temmie/services/nfs-mounts.nix b/hosts/temmie/services/nfs-mounts.nix index 35211e4..ae84ba2 100644 --- a/hosts/temmie/services/nfs-mounts.nix 
+++ b/hosts/temmie/services/nfs-mounts.nix @@ -1,7 +1,19 @@ { lib, values, ... }: let # See microbel:/etc/exports - letters = [ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ]; + letters = [ + "a" + "b" + "c" + "d" + "h" + "i" + "j" + "k" + "l" + "m" + "z" + ]; in { systemd.targets."pvv-homedirs" = { diff --git a/hosts/temmie/services/userweb.nix b/hosts/temmie/services/userweb.nix index 2fb928e..52d492e 100644 --- a/hosts/temmie/services/userweb.nix +++ b/hosts/temmie/services/userweb.nix @@ -1,16 +1,36 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: let cfg = config.services.httpd; - homeLetters = [ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ]; + homeLetters = [ + "a" + "b" + "c" + "d" + "h" + "i" + "j" + "k" + "l" + "m" + "z" + ]; # https://nixos.org/manual/nixpkgs/stable/#ssec-php-user-guide-installing-with-extensions phpEnv = pkgs.php.buildEnv { - extensions = { all, ... }: with all; [ - imagick - opcache - protobuf - ]; + extensions = + { all, ... }: + with all; + [ + imagick + opcache + protobuf + ]; extraConfig = '' display_errors=0 
@@ -19,45 +39,47 @@ let ''; }; - perlEnv = pkgs.perl.withPackages (ps: with ps; [ - pkgs.exiftool - pkgs.ikiwiki - pkgs.irssi - pkgs.nix.libs.nix-perl-bindings + perlEnv = pkgs.perl.withPackages ( + ps: with ps; [ + pkgs.exiftool + pkgs.ikiwiki + pkgs.irssi + pkgs.nix.libs.nix-perl-bindings - AlgorithmDiff - AnyEvent - AnyEventI3 - ArchiveZip - CGI - CPAN - CPANPLUS - DBDPg - DBDSQLite - DBI - EmailAddress - EmailSimple - Env - Git - HTMLMason - HTMLParser - HTMLTagset - HTTPDAV - HTTPDaemon - ImageMagick - JSON - LWP - MozillaCA - PathTiny - Switch - SysSyslog - TestPostgreSQL - TextPDF - TieFile - Tk - URI - XMLLibXML - ]); + AlgorithmDiff + AnyEvent + AnyEventI3 + ArchiveZip + CGI + CPAN + CPANPLUS + DBDPg + DBDSQLite + DBI + EmailAddress + EmailSimple + Env + Git + HTMLMason + HTMLParser + HTMLTagset + HTTPDAV + HTTPDaemon + ImageMagick + JSON + LWP + MozillaCA + PathTiny + Switch + SysSyslog + TestPostgreSQL + TextPDF + TieFile + Tk + URI + XMLLibXML + ] + ); # https://nixos.org/manual/nixpkgs/stable/#python.buildenv-function pythonEnv = pkgs.python3.buildEnv.override { 
@@ -73,100 +95,102 @@ let # https://nixos.org/manual/nixpkgs/stable/#sec-building-environment fhsEnv = pkgs.buildEnv { name = "userweb-env"; - paths = with pkgs; [ - bash + paths = + with pkgs; + [ + bash - perlEnv - pythonEnv + perlEnv + pythonEnv - phpEnv - ] - ++ (with phpEnv.packages; [ - # composer - ]) - ++ [ - acl - aspell - autoconf - autotrash - bazel - bintools - bison - bsd-finger - catdoc - ccache - clang - cmake - coreutils-full - curl - devcontainer - diffutils - emacs - # exiftags - exiftool - ffmpeg - file - findutils - gawk - gcc - glibc - gnugrep - gnumake - gnupg - gnuplot - gnused - gnutar - gzip - html-tidy - imagemagick - inetutils - iproute2 - jhead - less - libgcc - lndir - mailutils - man # TODO: does this one want a mandb instance? - meson - more - mpc - mpi - mplayer - ninja - nix - openssh - openssl - patchelf - pkg-config - ppp - procmail - procps - qemu - rc - rhash - rsync - ruby # TODO: does this one want systemwide packages? - salt - sccache - sourceHighlight - spamassassin - strace - subversion - system-sendmail - systemdMinimal - texliveMedium - tmux - unzip - util-linux - valgrind - vim - wget - which - wine - xdg-utils - zip - zstd - ]; + phpEnv + ] + ++ (with phpEnv.packages; [ + # composer + ]) + ++ [ + acl + aspell + autoconf + autotrash + bazel + bintools + bison + bsd-finger + catdoc + ccache + clang + cmake + coreutils-full + curl + devcontainer + diffutils + emacs + # exiftags + exiftool + ffmpeg + file + findutils + gawk + gcc + glibc + gnugrep + gnumake + gnupg + gnuplot + gnused + gnutar + gzip + html-tidy + imagemagick + inetutils + iproute2 + jhead + less + libgcc + lndir + mailutils + man # TODO: does this one want a mandb instance? + meson + more + mpc + mpi + mplayer + ninja + nix + openssh + openssl + patchelf + pkg-config + ppp + procmail + procps + qemu + rc + rhash + rsync + ruby # TODO: does this one want systemwide packages? 
+ salt + sccache + sourceHighlight + spamassassin + strace + subversion + system-sendmail + systemdMinimal + texliveMedium + tmux + unzip + util-linux + valgrind + vim + wget + which + wine + xdg-utils + zip + zstd + ]; extraOutputsToInstall = [ "man" @@ -299,7 +323,7 @@ in ]; SystemCallArchitectures = "native"; SystemCallFilter = [ - "@system-service" + "@system-service" ]; UMask = "0077"; @@ -317,7 +341,8 @@ in "${fhsEnv}/sbin:/sbin" "${fhsEnv}/lib:/lib" "${fhsEnv}/share:/share" - ] ++ (lib.mapCartesianProduct ({ parent, child }: "${fhsEnv}${child}:${parent}${child}") { + ] + ++ (lib.mapCartesianProduct ({ parent, child }: "${fhsEnv}${child}:${parent}${child}") { parent = [ "/local" "/opt" diff --git a/hosts/ustetind/configuration.nix b/hosts/ustetind/configuration.nix index acbdcda..6ab0392 100644 --- a/hosts/ustetind/configuration.nix +++ b/hosts/ustetind/configuration.nix @@ -1,4 +1,11 @@ -{ config, fp, pkgs, lib, values, ... }: +{ + config, + fp, + pkgs, + lib, + values, + ... +}: { imports = [ @@ -20,7 +27,10 @@ "eth*" ]; }; - address = with values.hosts.ustetind; [ (ipv4 + "/25") (ipv6 + "/64") ]; + address = with values.hosts.ustetind; [ + (ipv4 + "/25") + (ipv6 + "/64") + ]; }; "40-podman-veth" = values.defaultNetworkConfig // { matchConfig = { diff --git a/hosts/ustetind/services/gitea-runners.nix b/hosts/ustetind/services/gitea-runners.nix index a3e8521..a77cc93 100644 --- a/hosts/ustetind/services/gitea-runners.nix +++ b/hosts/ustetind/services/gitea-runners.nix @@ -1,4 +1,9 @@ -{ config, lib, values, ... }: +{ + config, + lib, + values, + ... +}: let mkRunner = name: { # This is unfortunately state, and has to be generated one at a time :( 
@@ -13,7 +18,8 @@ let services.gitea-actions-runner.instances = { ${name} = { enable = true; - name = "git-runner-${name}"; url = "https://git.pvv.ntnu.no"; + name = "git-runner-${name}"; + url = "https://git.pvv.ntnu.no"; labels = [ "debian-latest:docker://node:current-bookworm" "ubuntu-latest:docker://node:current-bookworm" @@ -36,6 +42,9 @@ lib.mkMerge [ networking.dhcpcd.IPv6rs = false; - networking.firewall.interfaces."podman+".allowedUDPPorts = [53 5353]; + networking.firewall.interfaces."podman+".allowedUDPPorts = [ + 53 + 5353 + ]; } ] diff --git a/hosts/wenche/configuration.nix b/hosts/wenche/configuration.nix index 00b94a3..4ad379f 100644 --- a/hosts/wenche/configuration.nix +++ b/hosts/wenche/configuration.nix @@ -1,10 +1,17 @@ -{ config, fp, pkgs, values, lib, ... }: +{ + config, + fp, + pkgs, + values, + lib, + ... +}: { imports = [ - # Include the results of the hardware scan. - ./hardware-configuration.nix - (fp /base) - ]; + # Include the results of the hardware scan. + ./hardware-configuration.nix + (fp /base) + ]; nix.settings.trusted-users = [ "@nix-builder-users" ]; nix.daemonCPUSchedPolicy = "batch"; @@ -19,7 +26,10 @@ systemd.network.networks."30-ens18" = values.defaultNetworkConfig // { matchConfig.Name = "ens18"; - address = with values.hosts.wenche; [ (ipv4 + "/25") (ipv6 + "/64") ]; + address = with values.hosts.wenche; [ + (ipv4 + "/25") + (ipv6 + "/64") + ]; }; hardware.graphics.enable = true; diff --git a/hosts/wenche/hardware-configuration.nix b/hosts/wenche/hardware-configuration.nix index 51d8a1b..680fed0 100644 --- a/hosts/wenche/hardware-configuration.nix +++ b/hosts/wenche/hardware-configuration.nix 
@@ -1,24 +1,39 @@ -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { - imports = - [ (modulesPath + "/profiles/qemu-guest.nix") - ]; + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; - boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; + boot.initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "virtio_pci" + "virtio_scsi" + "sd_mod" + "sr_mod" + ]; boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "nvidia" ]; + boot.kernelModules = [ "nvidia" ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/disk/by-uuid/4e8ecdd2-d453-4fff-b952-f06da00f3b85"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/4e8ecdd2-d453-4fff-b952-f06da00f3b85"; + fsType = "ext4"; + }; - swapDevices = [ { - device = "/var/lib/swapfile"; - size = 16*1024; - } ]; + swapDevices = [ + { + device = "/var/lib/swapfile"; + size = 16 * 1024; + } + ]; networking.useDHCP = lib.mkDefault false; # networking.interfaces.ens18.useDHCP = lib.mkDefault true; diff --git a/modules/bluemap.nix b/modules/bluemap.nix index b9150fa..ac4847b 100644 --- a/modules/bluemap.nix +++ b/modules/bluemap.nix @@ -1,4 +1,9 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: let cfg = config.services.bluemap; format = pkgs.formats.hocon { }; 
@@ -7,36 +12,48 @@ let webappConfig = format.generate "webapp.conf" cfg.webappSettings; webserverConfig = format.generate "webserver.conf" cfg.webserverSettings; - storageFolder = pkgs.linkFarm "storage" - (lib.attrsets.mapAttrs' (name: value: - lib.nameValuePair "${name}.conf" - (format.generate "${name}.conf" value)) - cfg.storage); + storageFolder = pkgs.linkFarm "storage" ( + lib.attrsets.mapAttrs' ( + name: value: lib.nameValuePair "${name}.conf" (format.generate "${name}.conf" value) + ) cfg.storage + ); - generateMapConfigWithMarkerData = name: { extraHoconMarkersFile, settings, ... }: + generateMapConfigWithMarkerData = + name: + { extraHoconMarkersFile, settings, ... }: assert (extraHoconMarkersFile == null) != ((settings.marker-sets or { }) == { }); lib.pipe settings ( (lib.optionals (extraHoconMarkersFile != null) [ - (settings: lib.recursiveUpdate settings { - marker-placeholder = "###ASDF###"; - }) - ]) ++ [ + ( + settings: + lib.recursiveUpdate settings { + marker-placeholder = "###ASDF###"; + } + ) + ]) + ++ [ (format.generate "${name}.conf") - ] ++ (lib.optionals (extraHoconMarkersFile != null) [ - (hoconFile: pkgs.runCommand "${name}-patched.conf" { } '' - mkdir -p "$(dirname "$out")" - cp '${hoconFile}' "$out" - substituteInPlace "$out" \ - --replace-fail '"marker-placeholder" = "###ASDF###"' "\"marker-sets\" = $(cat '${extraHoconMarkersFile}')" - '') + ] + ++ (lib.optionals (extraHoconMarkersFile != null) [ + ( + hoconFile: + pkgs.runCommand "${name}-patched.conf" { } '' + mkdir -p "$(dirname "$out")" + cp '${hoconFile}' "$out" + substituteInPlace "$out" \ + --replace-fail '"marker-placeholder" = "###ASDF###"' "\"marker-sets\" = $(cat '${extraHoconMarkersFile}')" + '' + ) ]) ); mapsFolder = lib.pipe cfg.maps [ - (lib.attrsets.mapAttrs' (name: value: { - name = "${name}.conf"; - value = generateMapConfigWithMarkerData name value; - })) + (lib.attrsets.mapAttrs' ( + name: value: { + name = "${name}.conf"; + value = generateMapConfigWithMarkerData 
name value; + } + )) (pkgs.linkFarm "maps") ]; @@ -49,19 +66,24 @@ let "packs" = cfg.packs; }; - renderConfigFolder = name: value: pkgs.linkFarm "bluemap-${name}-config" { - "maps" = pkgs.linkFarm "maps" { - "${name}.conf" = generateMapConfigWithMarkerData name value; + renderConfigFolder = + name: value: + pkgs.linkFarm "bluemap-${name}-config" { + "maps" = pkgs.linkFarm "maps" { + "${name}.conf" = generateMapConfigWithMarkerData name value; + }; + "storages" = storageFolder; + "core.conf" = coreConfig; + "webapp.conf" = format.generate "webapp.conf" ( + cfg.webappSettings // { "update-settings-file" = false; } + ); + "webserver.conf" = webserverConfig; + "packs" = value.packs; }; - "storages" = storageFolder; - "core.conf" = coreConfig; - "webapp.conf" = format.generate "webapp.conf" (cfg.webappSettings // { "update-settings-file" = false; }); - "webserver.conf" = webserverConfig; - "packs" = value.packs; - }; inherit (lib) mkOption; -in { +in +{ options.services.bluemap = { enable = lib.mkEnableOption "bluemap"; package = lib.mkPackageOption pkgs "bluemap" { }; 
@@ -173,70 +195,77 @@ in { }; maps = mkOption { - type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: { - options = { - packs = mkOption { - type = lib.types.path; - default = cfg.packs; - defaultText = lib.literalExpression "config.services.bluemap.packs"; - description = "A set of resourcepacks, datapacks, and mods to extract resources from, loaded in alphabetical order."; - }; - - extraHoconMarkersFile = mkOption { - type = lib.types.nullOr lib.types.path; - default = null; - description = '' - Path to a hocon file containing marker data. - The content of this file will be injected into the map config file in a separate derivation. - - DO NOT SEND THIS TO NIXPKGS, IT'S AN UGLY HACK. - ''; - }; - - settings = mkOption { - type = (lib.types.submodule { - freeformType = format.type; - options = { - world = mkOption { - type = lib.types.path; - description = "Path to world folder containing the dimension to render"; - }; - name = mkOption { - type = lib.types.str; - description = "The display name of this map (how this map will be named on the webapp)"; - default = name; - defaultText = lib.literalExpression ""; - }; - render-mask = mkOption { - type = with lib.types; listOf (attrsOf format.type); - description = "Limits for the map render"; - default = [ ]; - example = [ - { - min-x = -4000; - max-x = 4000; - min-z = -4000; - max-z = 4000; - min-y = 50; - max-y = 100; - } - { - subtract = true; - min-y = 90; - max-y = 127; - } - ]; - }; + type = lib.types.attrsOf ( + lib.types.submodule ( + { name, ... }: + { + options = { + packs = mkOption { + type = lib.types.path; + default = cfg.packs; + defaultText = lib.literalExpression "config.services.bluemap.packs"; + description = "A set of resourcepacks, datapacks, and mods to extract resources from, loaded in alphabetical order."; }; - }); - description = '' - Settings for files in `maps/`. - See the default for an example with good options for the different world types. 
- For valid values [consult upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/common/src/main/resources/de/bluecolored/bluemap/config/maps/map.conf). - ''; - }; - }; - })); + + extraHoconMarkersFile = mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + description = '' + Path to a hocon file containing marker data. + The content of this file will be injected into the map config file in a separate derivation. + + DO NOT SEND THIS TO NIXPKGS, IT'S AN UGLY HACK. + ''; + }; + + settings = mkOption { + type = ( + lib.types.submodule { + freeformType = format.type; + options = { + world = mkOption { + type = lib.types.path; + description = "Path to world folder containing the dimension to render"; + }; + name = mkOption { + type = lib.types.str; + description = "The display name of this map (how this map will be named on the webapp)"; + default = name; + defaultText = lib.literalExpression ""; + }; + render-mask = mkOption { + type = with lib.types; listOf (attrsOf format.type); + description = "Limits for the map render"; + default = [ ]; + example = [ + { + min-x = -4000; + max-x = 4000; + min-z = -4000; + max-z = 4000; + min-y = 50; + max-y = 100; + } + { + subtract = true; + min-y = 90; + max-y = 127; + } + ]; + }; + }; + } + ); + description = '' + Settings for files in `maps/`. + See the default for an example with good options for the different world types. + For valid values [consult upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/common/src/main/resources/de/bluecolored/bluemap/config/maps/map.conf). + ''; + }; + }; + } + ) + ); default = { "overworld".settings = { world = cfg.defaultWorld; 
@@ -320,16 +349,21 @@ in { }; storage = mkOption { - type = lib.types.attrsOf (lib.types.submodule { - freeformType = format.type; - options = { - storage-type = mkOption { - type = lib.types.enum [ "FILE" "SQL" ]; - description = "Type of storage config"; - default = "FILE"; + type = lib.types.attrsOf ( + lib.types.submodule { + freeformType = format.type; + options = { + storage-type = mkOption { + type = lib.types.enum [ + "FILE" + "SQL" + ]; + description = "Type of storage config"; + default = "FILE"; + }; }; - }; - }); + } + ); description = '' Where the rendered map will be stored. Unless you are doing something advanced you should probably leave this alone and configure webRoot instead. @@ -359,16 +393,16 @@ in { }; }; - config = lib.mkIf cfg.enable { - assertions = - [ { assertion = config.services.bluemap.eula; - message = '' - You have enabled bluemap but have not accepted minecraft's EULA. - You can achieve this through setting `services.bluemap.eula = true` - ''; - } - ]; + assertions = [ + { + assertion = config.services.bluemap.eula; + message = '' + You have enabled bluemap but have not accepted minecraft's EULA. + You can achieve this through setting `services.bluemap.eula = true` + ''; + } + ]; services.bluemap.coreSettings.accept-download = cfg.eula; @@ -384,9 +418,9 @@ in { ] ++ # Render each minecraft map - lib.attrsets.mapAttrsToList - (name: value: "${lib.getExe cfg.package} -c ${renderConfigFolder name value} -r") - cfg.maps + lib.attrsets.mapAttrsToList ( + name: value: "${lib.getExe cfg.package} -c ${renderConfigFolder name value} -r" + ) cfg.maps ++ [ # Generate updated webapp "${lib.getExe cfg.package} -c ${webappConfigFolder} -gs" @@ -417,6 +451,9 @@ in { }; meta = { - maintainers = with lib.maintainers; [ dandellion h7x4 ]; + maintainers = with lib.maintainers; [ + dandellion + h7x4 + ]; }; } diff --git a/modules/gickup/default.nix b/modules/gickup/default.nix index f3018f4..d48b1aa 100644 --- a/modules/gickup/default.nix 
+++ b/modules/gickup/default.nix @@ -1,4 +1,10 @@ -{ config, pkgs, lib, utils, ... }: +{ + config, + pkgs, + lib, + utils, + ... +}: let cfg = config.services.gickup; format = pkgs.formats.yaml { }; 
@@ -45,113 +51,125 @@ in }; instances = lib.mkOption { - type = lib.types.attrsOf (lib.types.submodule (submoduleInputs@{ name, ... }: let - submoduleName = name; + type = lib.types.attrsOf ( + lib.types.submodule ( + submoduleInputs@{ name, ... }: + let + submoduleName = name; - nameParts = rec { - repoType = builtins.head (lib.splitString ":" submoduleName); + nameParts = rec { + repoType = builtins.head (lib.splitString ":" submoduleName); - owner = if repoType == "any" - then null - else lib.pipe submoduleName [ + owner = + if repoType == "any" then + null + else + lib.pipe submoduleName [ (lib.removePrefix "${repoType}:") (lib.splitString "/") builtins.head ]; - repo = if repoType == "any" - then null - else lib.pipe submoduleName [ + repo = + if repoType == "any" then + null + else + lib.pipe submoduleName [ (lib.removePrefix "${repoType}:") (lib.splitString "/") lib.last ]; - slug = if repoType == "any" - then lib.toLower (builtins.replaceStrings [ ":" "/" ] [ "-" "-" ] submoduleName) - else "${lib.toLower repoType}-${lib.toLower owner}-${lib.toLower repo}"; - }; - in { - options = { - interval = lib.mkOption { - type = lib.types.str; - default = "daily"; - example = "weekly"; - description = '' - Specification (in the format described by {manpage}`systemd.time(7)`) of the time - interval at which to run the service. - ''; - }; - - type = lib.mkOption { - type = lib.types.enum [ - "github" - "gitlab" - "gitea" - "gogs" - "bitbucket" - "onedev" - "sourcehut" - "any" - ]; - example = "github"; - default = nameParts.repoType; - description = '' - The type of the repository to mirror. 
- ''; - }; - - owner = lib.mkOption { - type = with lib.types; nullOr str; - example = "go-gitea"; - default = nameParts.owner; - description = '' - The owner of the repository to mirror (if applicable) - ''; - }; - - repo = lib.mkOption { - type = with lib.types; nullOr str; - example = "gitea"; - default = nameParts.repo; - description = '' - The name of the repository to mirror (if applicable) - ''; - }; - - slug = lib.mkOption { - type = lib.types.str; - default = nameParts.slug; - example = "github-go-gitea-gitea"; - description = '' - The slug of the repository to mirror. - ''; - }; - - description = lib.mkOption { - type = with lib.types; nullOr str; - example = "A project which does this and that"; - description = '' - A description of the project. This isn't used directly by gickup for anything, - but can be useful if gickup is used together with cgit or similar. - ''; - }; - - settings = lib.mkOption { - description = "Instance specific settings, see gickup configuration file"; - type = lib.types.submodule { - freeformType = format.type; + slug = + if repoType == "any" then + lib.toLower (builtins.replaceStrings [ ":" "/" ] [ "-" "-" ] submoduleName) + else + "${lib.toLower repoType}-${lib.toLower owner}-${lib.toLower repo}"; }; - default = { }; - example = { - username = "gickup"; - password = "hunter2"; - wiki = true; - issues = true; + in + { + options = { + interval = lib.mkOption { + type = lib.types.str; + default = "daily"; + example = "weekly"; + description = '' + Specification (in the format described by {manpage}`systemd.time(7)`) of the time + interval at which to run the service. + ''; + }; + + type = lib.mkOption { + type = lib.types.enum [ + "github" + "gitlab" + "gitea" + "gogs" + "bitbucket" + "onedev" + "sourcehut" + "any" + ]; + example = "github"; + default = nameParts.repoType; + description = '' + The type of the repository to mirror. 
+ ''; + }; + + owner = lib.mkOption { + type = with lib.types; nullOr str; + example = "go-gitea"; + default = nameParts.owner; + description = '' + The owner of the repository to mirror (if applicable) + ''; + }; + + repo = lib.mkOption { + type = with lib.types; nullOr str; + example = "gitea"; + default = nameParts.repo; + description = '' + The name of the repository to mirror (if applicable) + ''; + }; + + slug = lib.mkOption { + type = lib.types.str; + default = nameParts.slug; + example = "github-go-gitea-gitea"; + description = '' + The slug of the repository to mirror. + ''; + }; + + description = lib.mkOption { + type = with lib.types; nullOr str; + example = "A project which does this and that"; + description = '' + A description of the project. This isn't used directly by gickup for anything, + but can be useful if gickup is used together with cgit or similar. + ''; + }; + + settings = lib.mkOption { + description = "Instance specific settings, see gickup configuration file"; + type = lib.types.submodule { + freeformType = format.type; + }; + default = { }; + example = { + username = "gickup"; + password = "hunter2"; + wiki = true; + issues = true; + }; + }; }; - }; - }; - })); + } + ) + ); }; }; 
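Review bot: The `settings` option's example shows `password = "hunter2"`, but `settings` is merged verbatim into the YAML that `format.generate` writes in the `systemd.services."gickup@"` hunk below, so any credential placed there lands in the world-readable Nix store and in every host that pulls the closure. The option description should make that consequence explicit, e.g. `description = "Instance specific settings, see gickup configuration file. These values are written to the Nix store, so do not put credentials here.";`, and the example would be less misleading without the literal password. Whether gickup can read credentials from a path outside the store is not visible in this patch, so the note should point at whatever out-of-store mechanism the deployment actually uses.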
@@ -197,114 +215,122 @@ in }; } // - # Overrides for mirrors which are not "daily" - (lib.pipe cfg.instances [ - builtins.attrValues - (builtins.filter (instance: instance.interval != "daily")) - (map ({ slug, interval, ... }: { - name = "gickup@${slug}"; - value = { - overrideStrategy = "asDropin"; - timerConfig.OnCalendar = interval; - }; - })) - builtins.listToAttrs - ]); + # Overrides for mirrors which are not "daily" + (lib.pipe cfg.instances [ + builtins.attrValues + (builtins.filter (instance: instance.interval != "daily")) + (map ( + { slug, interval, ... }: + { + name = "gickup@${slug}"; + value = { + overrideStrategy = "asDropin"; + timerConfig.OnCalendar = interval; + }; + } + )) + builtins.listToAttrs + ]); - systemd.targets.timers.wants = map ({ slug, ... }: "gickup@${slug}.timer") (lib.attrValues cfg.instances); + systemd.targets.timers.wants = map ({ slug, ... }: "gickup@${slug}.timer") ( + lib.attrValues cfg.instances + ); systemd.services = { - "gickup@" = let - configDir = lib.pipe cfg.instances [ - (lib.mapAttrsToList (name: instance: { - name = "${instance.slug}.yml"; - path = format.generate "gickup-configuration-${name}.yml" { - destination.local = [ cfg.destinationSettings ]; - source.${instance.type} = [ - ( - (lib.optionalAttrs (instance.type != "any") { - user = instance.owner; - includeorgs = [ instance.owner ]; - include = [ instance.repo ]; - }) - // - instance.settings - ) - ]; - }; - })) - (pkgs.linkFarm "gickup-configuration-files") - ]; - in { - description = "Gickup git repository mirroring service for %i"; - after = [ "network.target" ]; + "gickup@" = + let + configDir = lib.pipe cfg.instances [ + (lib.mapAttrsToList ( + name: instance: { + name = "${instance.slug}.yml"; + path = format.generate "gickup-configuration-${name}.yml" { + destination.local = [ cfg.destinationSettings ]; + source.${instance.type} = [ + ( + (lib.optionalAttrs (instance.type != "any") { + user = instance.owner; + includeorgs = [ instance.owner ]; + 
include = [ instance.repo ]; + }) + // instance.settings + ) + ]; + }; + } + )) + (pkgs.linkFarm "gickup-configuration-files") + ]; + in + { + description = "Gickup git repository mirroring service for %i"; + after = [ "network.target" ]; - path = [ - cfg.gitPackage - cfg.gitLfsPackage - ]; - - restartIfChanged = false; - - serviceConfig = { - Type = "oneshot"; - ExecStart = "'${pkgs.gickup}/bin/gickup' '${configDir}/%i.yml'"; - ExecStartPost = ""; - - User = "gickup"; - Group = "gickup"; - - BindPaths = lib.optionals (cfg.dataDir != "/var/lib/gickup") [ - "${cfg.dataDir}:/var/lib/gickup" + path = [ + cfg.gitPackage + cfg.gitLfsPackage ]; - Slice = "system-gickup.slice"; + restartIfChanged = false; - SyslogIdentifier = "gickup-%i"; - StateDirectory = "gickup"; - # WorkingDirectory = "gickup"; - # RuntimeDirectory = "gickup"; - # RuntimeDirectoryMode = "0700"; + serviceConfig = { + Type = "oneshot"; + ExecStart = "'${pkgs.gickup}/bin/gickup' '${configDir}/%i.yml'"; + ExecStartPost = ""; - # https://discourse.nixos.org/t/how-to-prevent-custom-systemd-service-from-restarting-on-nixos-rebuild-switch/43431 - RemainAfterExit = true; + User = "gickup"; + Group = "gickup"; - # Hardening options - AmbientCapabilities = []; - LockPersonality = true; - NoNewPrivileges = true; - PrivateDevices = true; - PrivateMounts = true; - PrivateTmp = true; - PrivateUsers = true; - ProcSubset = "pid"; - ProtectClock = true; - ProtectControlGroups = true; - ProtectHome = true; - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - # ProtectProc = "invisible"; - # ProtectSystem = "strict"; - RemoveIPC = true; - RestrictAddressFamilies = [ - "AF_INET" - "AF_INET6" - ]; - RestrictNamespaces = true; - RestrictRealtime = true; - RestrictSUIDSGID = true; - SystemCallArchitectures = "native"; - # SystemCallFilter = [ - # "@system-service" - # "~@resources" - # "~@privileged" - # ]; - UMask = "0002"; - CapabilityBoundingSet = []; + 
BindPaths = lib.optionals (cfg.dataDir != "/var/lib/gickup") [ + "${cfg.dataDir}:/var/lib/gickup" + ]; + + Slice = "system-gickup.slice"; + + SyslogIdentifier = "gickup-%i"; + StateDirectory = "gickup"; + # WorkingDirectory = "gickup"; + # RuntimeDirectory = "gickup"; + # RuntimeDirectoryMode = "0700"; + + # https://discourse.nixos.org/t/how-to-prevent-custom-systemd-service-from-restarting-on-nixos-rebuild-switch/43431 + RemainAfterExit = true; + + # Hardening options + AmbientCapabilities = [ ]; + LockPersonality = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateTmp = true; + PrivateUsers = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + # ProtectProc = "invisible"; + # ProtectSystem = "strict"; + RemoveIPC = true; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + # SystemCallFilter = [ + # "@system-service" + # "~@resources" + # "~@privileged" + # ]; + UMask = "0002"; + CapabilityBoundingSet = [ ]; + }; }; - }; }; }; } diff --git a/modules/gickup/hardlink-files.nix b/modules/gickup/hardlink-files.nix index c16abf7..6407ca5 100644 --- a/modules/gickup/hardlink-files.nix +++ b/modules/gickup/hardlink-files.nix @@ -1,4 +1,9 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: let cfg = config.services.gickup; in diff --git a/modules/gickup/import-from-toml.nix b/modules/gickup/import-from-toml.nix index 26b09ca..390c481 100644 --- a/modules/gickup/import-from-toml.nix +++ b/modules/gickup/import-from-toml.nix @@ -1,4 +1,9 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: let cfg = config.services.gickup; 
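Review bot: `ProtectSystem = "strict"`, `ProtectProc = "invisible"` and the `SystemCallFilter` block are carried over as commented-out lines in the `serviceConfig` of `"gickup@"` with no reason recorded, so the next person has to rediscover why the three strongest sandbox directives are off. A one-line comment above them, such as `# ProtectSystem/ProtectProc/SystemCallFilter disabled: <reason — TODO confirm>`, would turn a silent gap into a documented decision. `UMask = "0002"` likewise makes everything the mirror writes group-writable and would benefit from a why-comment, presumably tied to the linktree and hardlink helpers in this module. The `systemd.services` attribute set begins inside this hunk but the `let` bindings it reads (`cfg.destinationSettings`, `format`) are defined outside it.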
diff --git a/modules/gickup/set-description.nix b/modules/gickup/set-description.nix index 745769b..fb79f06 100644 --- a/modules/gickup/set-description.nix +++ b/modules/gickup/set-description.nix @@ -1,4 +1,9 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: let cfg = config.services.gickup; in diff --git a/modules/gickup/update-linktree.nix b/modules/gickup/update-linktree.nix index 18013ac..ddde283 100644 --- a/modules/gickup/update-linktree.nix +++ b/modules/gickup/update-linktree.nix @@ -1,4 +1,9 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: let cfg = config.services.gickup; in 
@@ -20,50 +25,52 @@ in wantedBy = [ "gickup.target" ]; serviceConfig = { Type = "oneshot"; - ExecStart = let - script = pkgs.writeShellApplication { - name = "gickup-update-symlink-tree.sh"; - runtimeInputs = [ - pkgs.coreutils - pkgs.findutils - ]; - text = '' - shopt -s nullglob + ExecStart = + let + script = pkgs.writeShellApplication { + name = "gickup-update-symlink-tree.sh"; + runtimeInputs = [ + pkgs.coreutils + pkgs.findutils + ]; + text = '' + shopt -s nullglob - for repository in ./*/*/*; do - REPOSITORY_RELATIVE_DIRS=''${repository#"./"} + for repository in ./*/*/*; do + REPOSITORY_RELATIVE_DIRS=''${repository#"./"} - echo "Checking $REPOSITORY_RELATIVE_DIRS" + echo "Checking $REPOSITORY_RELATIVE_DIRS" - declare -a REVISIONS - readarray -t REVISIONS < <(find "$repository" -mindepth 1 -maxdepth 1 -printf "%f\n" | sort --numeric-sort --reverse) + declare -a REVISIONS + readarray -t REVISIONS < <(find "$repository" -mindepth 1 -maxdepth 1 -printf "%f\n" | sort --numeric-sort --reverse) - if [[ "''${#REVISIONS[@]}" == 0 ]]; then - echo "Found no revisions for $repository, continuing" - continue - fi + if [[ "''${#REVISIONS[@]}" == 0 ]]; then + echo "Found no revisions for $repository, continuing" + continue + fi - LAST_REVISION="''${REVISIONS[0]}" - SYMLINK_PATH="../linktree/''${REPOSITORY_RELATIVE_DIRS}" + LAST_REVISION="''${REVISIONS[0]}" + SYMLINK_PATH="../linktree/''${REPOSITORY_RELATIVE_DIRS}" - mkdir -p "$(dirname "$SYMLINK_PATH")" + mkdir -p "$(dirname "$SYMLINK_PATH")" - EXPECTED_SYMLINK_TARGET=$(realpath "''${repository}/''${LAST_REVISION}") - EXISTING_SYMLINK_TARGET=$(realpath "$SYMLINK_PATH" || echo "") + EXPECTED_SYMLINK_TARGET=$(realpath "''${repository}/''${LAST_REVISION}") + EXISTING_SYMLINK_TARGET=$(realpath "$SYMLINK_PATH" || echo "") - if [[ "$EXISTING_SYMLINK_TARGET" != "$EXPECTED_SYMLINK_TARGET" ]]; then - echo "Updating symlink for $REPOSITORY_RELATIVE_DIRS" - rm "$SYMLINK_PATH" ||: - ln -rs "$EXPECTED_SYMLINK_TARGET" "$SYMLINK_PATH" - 
else - echo "Symlink already up to date, continuing..." - fi + if [[ "$EXISTING_SYMLINK_TARGET" != "$EXPECTED_SYMLINK_TARGET" ]]; then + echo "Updating symlink for $REPOSITORY_RELATIVE_DIRS" + rm "$SYMLINK_PATH" ||: + ln -rs "$EXPECTED_SYMLINK_TARGET" "$SYMLINK_PATH" + else + echo "Symlink already up to date, continuing..." + fi - echo "---" - done - ''; - }; - in lib.getExe script; + echo "---" + done + ''; + }; + in + lib.getExe script; User = "gickup"; Group = "gickup"; diff --git a/modules/grzegorz.nix b/modules/grzegorz.nix index fb0eee9..64ba0dc 100644 --- a/modules/grzegorz.nix +++ b/modules/grzegorz.nix @@ -1,10 +1,18 @@ -{config, lib, pkgs, unstablePkgs, values, ...}: +{ + config, + lib, + pkgs, + unstablePkgs, + values, + ... +}: let grg = config.services.greg-ng; grgw = config.services.grzegorz-webui; machine = config.networking.hostName; -in { +in +{ services.greg-ng = { enable = true; settings.host = "localhost"; @@ -124,4 +132,3 @@ in { }; }; } - diff --git a/modules/matrix-ooye.nix b/modules/matrix-ooye.nix index 071e8f6..9f9d3c8 100644 --- a/modules/matrix-ooye.nix +++ b/modules/matrix-ooye.nix @@ -58,7 +58,8 @@ in sender_localpart = "${cfg.namespace}bot"; rate_limited = false; socket = cfg.socket; # Can either be a TCP port or a unix socket path - url = if (lib.hasPrefix "/" cfg.socket) then "unix:${cfg.socket}" else "http://localhost:${cfg.socket}"; + url = + if (lib.hasPrefix "/" cfg.socket) then "unix:${cfg.socket}" else "http://localhost:${cfg.socket}"; ooye = { server_name = cfg.homeserverName; namespace_prefix = cfg.namespace; @@ -66,7 +67,8 @@ in content_length_workaround = false; include_user_id_in_mxid = true; server_origin = cfg.homeserver; - bridge_origin = if (cfg.bridgeOrigin == "") then "http://localhost:${cfg.socket}" else cfg.bridgeOrigin; + bridge_origin = + if (cfg.bridgeOrigin == "") then "http://localhost:${cfg.socket}" else cfg.bridgeOrigin; }; } ); 
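Review bot: In the update-linktree script, `rm "$SYMLINK_PATH" ||:` followed by `ln -rs ...` leaves a window with no link at all and deliberately masks a failed removal, so a path that is a real directory would silently get a new link created inside it. Replacing the pair with the single line `ln -rsfn "$EXPECTED_SYMLINK_TARGET" "$SYMLINK_PATH"` replaces an existing symlink in place and, under writeShellApplication's errexit, still fails loudly when the path cannot be replaced. The working directory the `./*/*/*` glob and the `../linktree` prefix depend on is set outside this hunk, so the assumption that the script runs from the mirror root is worth a comment at the top of `text`.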
diff --git a/modules/robots-txt.nix b/modules/robots-txt.nix
index 0363859..987d004 100644
--- a/modules/robots-txt.nix
+++ b/modules/robots-txt.nix
@@ -1,55 +1,81 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: let cfg = config.environment.robots-txt; robots-txt-format = { - type = let - coercedStrToNonEmptyListOfStr = lib.types.coercedTo lib.types.str lib.singleton (lib.types.nonEmptyListOf lib.types.str); - in lib.types.listOf (lib.types.submodule { - freeformType = lib.types.attrsOf coercedStrToNonEmptyListOfStr; - options = { - pre_comment = lib.mkOption { - description = "Comment to add before the rule"; - type = lib.types.lines; - default = ""; - }; - post_comment = lib.mkOption { - description = "Comment to add after the rule"; - type = lib.types.lines; - default = ""; - }; - }; - }); + type = + let + coercedStrToNonEmptyListOfStr = lib.types.coercedTo lib.types.str lib.singleton ( + lib.types.nonEmptyListOf lib.types.str + ); + in + lib.types.listOf ( + lib.types.submodule { + freeformType = lib.types.attrsOf coercedStrToNonEmptyListOfStr; + options = { + pre_comment = lib.mkOption { + description = "Comment to add before the rule"; + type = lib.types.lines; + default = ""; + }; + post_comment = lib.mkOption { + description = "Comment to add after the rule"; + type = lib.types.lines; + default = ""; + }; + }; + } + ); - generate = name: value: let - makeComment = comment: lib.pipe comment [ - (lib.splitString "\n") - (lib.map (line: if line == "" then "#" else "# ${line}")) - (lib.concatStringsSep "\n") - ]; + generate = + name: value: + let + makeComment = + comment: + lib.pipe comment [ + (lib.splitString "\n") + (lib.map (line: if line == "" then "#" else "# ${line}")) + (lib.concatStringsSep "\n") + ]; - ruleToString = rule: let - user_agent = rule.User-agent or []; - pre_comment = rule.pre_comment; - post_comment = rule.post_comment; - rest = builtins.removeAttrs rule [ "User-agent" "pre_comment" "post_comment" ]; - in lib.concatStringsSep "\n" (lib.filter (x: x != null) [ - (if (pre_comment != "") then makeComment pre_comment else null) - (let - user-agents = 
lib.concatMapStringsSep "\n" (value: "User-agent: ${value}") user_agent; - in - if user_agent == [] then null else user-agents - ) - (lib.pipe rest [ - (lib.mapAttrsToList (ruleName: map (value: "${ruleName}: ${value}"))) - lib.concatLists - (lib.concatStringsSep "\n") - ]) - (if (post_comment != "") then makeComment post_comment else null) - ]); + ruleToString = + rule: + let + user_agent = rule.User-agent or [ ]; + pre_comment = rule.pre_comment; + post_comment = rule.post_comment; + rest = builtins.removeAttrs rule [ + "User-agent" + "pre_comment" + "post_comment" + ]; + in + lib.concatStringsSep "\n" ( + lib.filter (x: x != null) [ + (if (pre_comment != "") then makeComment pre_comment else null) + ( + let + user-agents = lib.concatMapStringsSep "\n" (value: "User-agent: ${value}") user_agent; + in + if user_agent == [ ] then null else user-agents + ) + (lib.pipe rest [ + (lib.mapAttrsToList (ruleName: map (value: "${ruleName}: ${value}"))) + lib.concatLists + (lib.concatStringsSep "\n") + ]) + (if (post_comment != "") then makeComment post_comment else null) + ] + ); - content = lib.concatMapStringsSep "\n\n" ruleToString value; - in pkgs.writeText name content; + content = lib.concatMapStringsSep "\n\n" ruleToString value; + in + pkgs.writeText name content; }; in { 
@@ -58,36 +84,50 @@ in description = '' Different instances of robots.txt to use with web services. ''; - type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: { - options = { - enable = lib.mkEnableOption "this instance of robots.txt" // { - default = true; - }; + type = lib.types.attrsOf ( + lib.types.submodule ( + { name, ... }: + { + options = { + enable = lib.mkEnableOption "this instance of robots.txt" // { + default = true; + }; - path = lib.mkOption { - description = "The resulting path of the dir containing the robots.txt file"; - type = lib.types.path; - readOnly = true; - default = "/etc/robots-txt/${name}"; - }; + path = lib.mkOption { + description = "The resulting path of the dir containing the robots.txt file"; + type = lib.types.path; + readOnly = true; + default = "/etc/robots-txt/${name}"; + }; - rules = lib.mkOption { - description = "Rules to include in robots.txt"; - default = [ ]; - example = [ - { User-agent = "Googlebot"; Disallow = "/no-googlebot"; } - { User-agent = "Bingbot"; Disallow = [ "/no-bingbot" "/no-bingbot2" ]; } - ]; - type = robots-txt-format.type; - }; + rules = lib.mkOption { + description = "Rules to include in robots.txt"; + default = [ ]; + example = [ + { + User-agent = "Googlebot"; + Disallow = "/no-googlebot"; + } + { + User-agent = "Bingbot"; + Disallow = [ + "/no-bingbot" + "/no-bingbot2" + ]; + } + ]; + type = robots-txt-format.type; + }; - virtualHost = lib.mkOption { - description = "An nginx virtual host to add the robots.txt to"; - type = lib.types.nullOr lib.types.str; - default = null; - }; - }; - })); + virtualHost = lib.mkOption { + description = "An nginx virtual host to add the robots.txt to"; + type = lib.types.nullOr lib.types.str; + default = null; + }; + }; + } + ) + ); }; config = { 
@@ -98,19 +138,21 @@ in services.nginx.virtualHosts = lib.pipe cfg [ (lib.filterAttrs (_: value: value.virtualHost != null)) - (lib.mapAttrs' (name: value: { - name = value.virtualHost; - value = { - locations = { - "= /robots.txt" = { - extraConfig = '' - add_header Content-Type text/plain; - ''; - root = cfg.${name}.path; + (lib.mapAttrs' ( + name: value: { + name = value.virtualHost; + value = { + locations = { + "= /robots.txt" = { + extraConfig = '' + add_header Content-Type text/plain; + ''; + root = cfg.${name}.path; + }; }; }; - }; - })) + } + )) ]; }; } diff --git a/modules/rsync-pull-targets.nix b/modules/rsync-pull-targets.nix index 79ce537..9fea167 100644 --- a/modules/rsync-pull-targets.nix +++ b/modules/rsync-pull-targets.nix @@ -1,4 +1,9 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: let cfg = config.services.rsync-pull-targets; in 
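Review bot: `add_header Content-Type text/plain;` inside the `= /robots.txt` location is not only redundant (nginx already maps `.txt` to `text/plain` through its mime types) but, because nginx only inherits `add_header` from the enclosing level when the current level defines none, it drops any server-level headers such as HSTS for that one path. Use `extraConfig = "default_type text/plain;";` if the explicit type is wanted, or drop `extraConfig` entirely, so the virtual host's security headers keep applying to robots.txt. The `services.nginx.virtualHosts` expression begins inside this hunk; the `config` block it belongs to starts outside it.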
@@ -9,116 +14,121 @@ in rrsyncPackage = lib.mkPackageOption pkgs "rrsync" { }; locations = lib.mkOption { - type = lib.types.attrsOf (lib.types.submodule ({ name, ... }@submoduleArgs: { - options = { - enable = lib.mkEnableOption "" // { - default = true; - example = false; - }; + type = lib.types.attrsOf ( + lib.types.submodule ( + { name, ... }@submoduleArgs: + { + options = { + enable = lib.mkEnableOption "" // { + default = true; + example = false; + }; - user = lib.mkOption { - type = lib.types.str; - description = "Which user to use as SSH login"; - example = "root"; - }; + user = lib.mkOption { + type = lib.types.str; + description = "Which user to use as SSH login"; + example = "root"; + }; - location = lib.mkOption { - type = lib.types.path; - default = name; - defaultText = lib.literalExpression ""; - example = "/path/to/rsyncable/item"; - }; + location = lib.mkOption { + type = lib.types.path; + default = name; + defaultText = lib.literalExpression ""; + example = "/path/to/rsyncable/item"; + }; - # TODO: handle autogeneration of keys - # autoGenerateSSHKeypair = lib.mkOption { - # type = lib.types.bool; - # default = config.publicKey == null; - # defaultText = lib.literalExpression "config.services.rsync-pull-targets..publicKey != null"; - # example = true; - # }; + # TODO: handle autogeneration of keys + # autoGenerateSSHKeypair = lib.mkOption { + # type = lib.types.bool; + # default = config.publicKey == null; + # defaultText = lib.literalExpression "config.services.rsync-pull-targets..publicKey != null"; + # example = true; + # }; - publicKey = lib.mkOption { - type = lib.types.str; - # type = lib.types.nullOr lib.types.str; - # default = null; - example = "ssh-ed25519 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA comment"; - }; + publicKey = lib.mkOption { + type = lib.types.str; + # type = lib.types.nullOr lib.types.str; + # default = null; + example = "ssh-ed25519 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA comment"; + }; - rrsyncPackage = lib.mkPackageOption pkgs "rrsync" { } // { - default = cfg.rrsyncPackage; - defaultText = lib.literalExpression "config.services.rsync-pull-targets.rrsyncPackage"; - }; + rrsyncPackage = lib.mkPackageOption pkgs "rrsync" { } // { + default = cfg.rrsyncPackage; + defaultText = lib.literalExpression "config.services.rsync-pull-targets.rrsyncPackage"; + }; - enableRecommendedHardening = lib.mkEnableOption "a commonly used security profile for authorizedKeys attributes and rrsync args"; + enableRecommendedHardening = lib.mkEnableOption "a commonly used security profile for authorizedKeys attributes and rrsync args"; - rrsyncArgs = { - ro = lib.mkEnableOption "" // { - description = "Allow only reading from the DIR. Implies -no-del and -no-lock."; + rrsyncArgs = { + ro = lib.mkEnableOption "" // { + description = "Allow only reading from the DIR. Implies -no-del and -no-lock."; + }; + wo = lib.mkEnableOption "" // { + description = "Allow only writing to the DIR."; + }; + munge = lib.mkEnableOption "" // { + description = "Enable rsync's --munge-links on the server side."; + # TODO: set a default? 
+ }; + no-del = lib.mkEnableOption "" // { + description = "Disable rsync's --delete* and --remove* options."; + default = submoduleArgs.config.enableRecommendedHardening; + defaultText = lib.literalExpression "config.services.rsync-pull-targets..enableRecommendedHardening"; + }; + no-lock = lib.mkEnableOption "" // { + description = "Avoid the single-run (per-user) lock check."; + default = submoduleArgs.config.enableRecommendedHardening; + defaultText = lib.literalExpression "config.services.rsync-pull-targets..enableRecommendedHardening"; + }; + no-overwrite = lib.mkEnableOption "" // { + description = "Prevent overwriting existing files by enforcing --ignore-existing"; + default = submoduleArgs.config.enableRecommendedHardening; + defaultText = lib.literalExpression "config.services.rsync-pull-targets..enableRecommendedHardening"; + }; + }; + + authorizedKeysAttrs = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = lib.optionals submoduleArgs.config.enableRecommendedHardening [ + "restrict" + "no-agent-forwarding" + "no-port-forwarding" + "no-pty" + "no-X11-forwarding" + ]; + defaultText = lib.literalExpression '' + lib.optionals config.services.rsync-pull-targets..enableRecommendedHardening [ + "restrict" + "no-agent-forwarding" + "no-port-forwarding" + "no-pty" + "no-X11-forwarding" + ] + ''; + example = [ + "restrict" + "no-agent-forwarding" + "no-port-forwarding" + "no-pty" + "no-X11-forwarding" + ]; + }; }; - wo = lib.mkEnableOption "" // { - description = "Allow only writing to the DIR."; - }; - munge = lib.mkEnableOption "" // { - description = "Enable rsync's --munge-links on the server side."; - # TODO: set a default? 
- }; - no-del = lib.mkEnableOption "" // { - description = "Disable rsync's --delete* and --remove* options."; - default = submoduleArgs.config.enableRecommendedHardening; - defaultText = lib.literalExpression "config.services.rsync-pull-targets..enableRecommendedHardening"; - }; - no-lock = lib.mkEnableOption "" // { - description = "Avoid the single-run (per-user) lock check."; - default = submoduleArgs.config.enableRecommendedHardening; - defaultText = lib.literalExpression "config.services.rsync-pull-targets..enableRecommendedHardening"; - }; - no-overwrite = lib.mkEnableOption "" // { - description = "Prevent overwriting existing files by enforcing --ignore-existing"; - default = submoduleArgs.config.enableRecommendedHardening; - defaultText = lib.literalExpression "config.services.rsync-pull-targets..enableRecommendedHardening"; - }; - }; - - authorizedKeysAttrs = lib.mkOption { - type = lib.types.listOf lib.types.str; - default = lib.optionals submoduleArgs.config.enableRecommendedHardening [ - "restrict" - "no-agent-forwarding" - "no-port-forwarding" - "no-pty" - "no-X11-forwarding" - ]; - defaultText = lib.literalExpression '' - lib.optionals config.services.rsync-pull-targets..enableRecommendedHardening [ - "restrict" - "no-agent-forwarding" - "no-port-forwarding" - "no-pty" - "no-X11-forwarding" - ] - ''; - example = [ - "restrict" - "no-agent-forwarding" - "no-port-forwarding" - "no-pty" - "no-X11-forwarding" - ]; - }; - }; - })); + } + ) + ); }; }; config = lib.mkIf cfg.enable { # assertions = lib.pipe cfg.locations [ # (lib.filterAttrs (_: value: value.enable)) - # TODO: assert that there are no duplicate (user, publicKey) pairs. - # if there are then ssh won't know which command to provide and might provide a random one, not sure. - # (lib.mapAttrsToList (_: { user, location, publicKey, ... }: { - # assertion = - # message = ""; - # }) + # TODO: assert that there are no duplicate (user, publicKey) pairs. 
+ # if there are then ssh won't know which command to provide and might provide a random one, not sure. + # (lib.mapAttrsToList (_: { user, location, publicKey, ... }: { + # assertion = + # message = ""; + # }) # ]; services.openssh.enable = true; @@ -128,19 +138,36 @@ in lib.attrValues # Index locations by SSH user - (lib.foldl (acc: location: acc // { - ${location.user} = (acc.${location.user} or [ ]) ++ [ location ]; - }) { }) + (lib.foldl ( + acc: location: + acc + // { + ${location.user} = (acc.${location.user} or [ ]) ++ [ location ]; + } + ) { }) - (lib.mapAttrs (_name: locations: { - openssh.authorizedKeys.keys = map ({ user, location, rrsyncPackage, rrsyncArgs, authorizedKeysAttrs, publicKey, ... }: let - rrsyncArgString = lib.cli.toCommandLineShellGNU { - isLong = _: false; - } rrsyncArgs; - # TODO: handle " in location - in "command=\"${lib.getExe rrsyncPackage} ${rrsyncArgString} ${location}\",${lib.concatStringsSep "," authorizedKeysAttrs} ${publicKey}" - ) locations; - })) + (lib.mapAttrs ( + _name: locations: { + openssh.authorizedKeys.keys = map ( + { + user, + location, + rrsyncPackage, + rrsyncArgs, + authorizedKeysAttrs, + publicKey, + ... + }: + let + rrsyncArgString = lib.cli.toCommandLineShellGNU { + isLong = _: false; + } rrsyncArgs; + # TODO: handle " in location + in + "command=\"${lib.getExe rrsyncPackage} ${rrsyncArgString} ${location}\",${lib.concatStringsSep "," authorizedKeysAttrs} ${publicKey}" + ) locations; + } + )) ]; }; } diff --git a/modules/snakeoil-certs.nix b/modules/snakeoil-certs.nix index 61f086a..7a432ff 100644 --- a/modules/snakeoil-certs.nix +++ b/modules/snakeoil-certs.nix @@ -1,4 +1,9 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: let cfg = config.environment.snakeoil-certs; in 
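Review bot: `enableRecommendedHardening` is a plain `mkEnableOption`, so it defaults to off and with it `authorizedKeysAttrs` defaults to `[ ]` and `no-del`, `no-lock` and `no-overwrite` are all false; a pull target configured with only `user` and `publicKey` therefore gets an unrestricted key with no rrsync limits. The option's description should state that, e.g. `lib.mkEnableOption "a commonly used security profile for authorizedKeys attributes and rrsync args (off by default; recommended for every pull-only target)"`. `ro` is the one flag the profile does not touch, so a target is still writable even with the profile on; if these locations are meant to be pulled from only, consider giving `ro` the same `default = submoduleArgs.config.enableRecommendedHardening;` as its siblings. The commented-out duplicate (user, publicKey) assertion is still a TODO and is not addressed by this reformat.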
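Review bot: The authorized_keys line in the `@@ -128` hunk interpolates `location` and `publicKey` raw into `command="..."`, and the retained `# TODO: handle " in location` admits that a `"` (or a `,` or newline) in either value breaks out of the option and yields a different authorized_keys entry than intended. Until proper escaping exists, a module-level assertion that refuses such values is a two-line guard, e.g. `{ assertion = lib.all (l: !(lib.hasInfix "\"" l.location) && !(lib.hasInfix "\n" l.publicKey)) (lib.attrValues cfg.locations); message = "services.rsync-pull-targets: location must not contain '\"' and publicKey must be a single line"; }` placed in the `assertions` list that is currently commented out above. The surrounding `lib.pipe` begins in the `@@ -128` hunk but the attribute it is assigned to is outside it.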
@@ -6,72 +11,82 @@ in options.environment.snakeoil-certs = lib.mkOption { default = { }; description = "Self signed certs, which are rotated regularly"; - type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: { - options = { - owner = lib.mkOption { - type = lib.types.str; - default = "root"; - }; - group = lib.mkOption { - type = lib.types.str; - default = "root"; - }; - mode = lib.mkOption { - type = lib.types.str; - default = "0660"; - }; - daysValid = lib.mkOption { - type = lib.types.str; - default = "90"; - }; - extraOpenSSLArgs = lib.mkOption { - type = with lib.types; listOf str; - default = [ ]; - }; - certificate = lib.mkOption { - type = lib.types.str; - default = "${name}.crt"; - }; - certificateKey = lib.mkOption { - type = lib.types.str; - default = "${name}.key"; - }; - subject = lib.mkOption { - type = lib.types.str; - default = "/C=NO/O=Programvareverkstedet/CN=*.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no"; - }; - }; - })); + type = lib.types.attrsOf ( + lib.types.submodule ( + { name, ... 
}: + { + options = { + owner = lib.mkOption { + type = lib.types.str; + default = "root"; + }; + group = lib.mkOption { + type = lib.types.str; + default = "root"; + }; + mode = lib.mkOption { + type = lib.types.str; + default = "0660"; + }; + daysValid = lib.mkOption { + type = lib.types.str; + default = "90"; + }; + extraOpenSSLArgs = lib.mkOption { + type = with lib.types; listOf str; + default = [ ]; + }; + certificate = lib.mkOption { + type = lib.types.str; + default = "${name}.crt"; + }; + certificateKey = lib.mkOption { + type = lib.types.str; + default = "${name}.key"; + }; + subject = lib.mkOption { + type = lib.types.str; + default = "/C=NO/O=Programvareverkstedet/CN=*.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no"; + }; + }; + } + ) + ); }; config = { systemd.services."generate-snakeoil-certs" = { enable = true; serviceConfig.Type = "oneshot"; - script = let - openssl = lib.getExe pkgs.openssl; - in lib.concatMapStringsSep "\n" ({ name, value }: '' - mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}") - if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate} - then - echo "Regenerating '${value.certificate}'" - ${openssl} req \ - -newkey rsa:4096 \ - -new -x509 \ - -days "${toString value.daysValid}" \ - -nodes \ - -subj "${value.subject}" \ - -out "${value.certificate}" \ - -keyout "${value.certificateKey}" \ - ${lib.escapeShellArgs value.extraOpenSSLArgs} - fi - chown "${value.owner}:${value.group}" "${value.certificate}" - chown "${value.owner}:${value.group}" "${value.certificateKey}" - chmod "${value.mode}" "${value.certificate}" - chmod "${value.mode}" "${value.certificateKey}" + script = + let + openssl = lib.getExe pkgs.openssl; + in + lib.concatMapStringsSep "\n" ( + { name, value }: + '' + mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}") + if ! 
${openssl} x509 -checkend 86400 -noout -in ${value.certificate} + then + echo "Regenerating '${value.certificate}'" + ${openssl} req \ + -newkey rsa:4096 \ + -new -x509 \ + -days "${toString value.daysValid}" \ + -nodes \ + -subj "${value.subject}" \ + -out "${value.certificate}" \ + -keyout "${value.certificateKey}" \ + ${lib.escapeShellArgs value.extraOpenSSLArgs} + fi + chown "${value.owner}:${value.group}" "${value.certificate}" + chown "${value.owner}:${value.group}" "${value.certificateKey}" + chmod "${value.mode}" "${value.certificate}" + chmod "${value.mode}" "${value.certificateKey}" - echo "\n-----------------\n" - '') (lib.attrsToList cfg); + echo "\n-----------------\n" + '' + ) (lib.attrsToList cfg); }; systemd.timers."generate-snakeoil-certs" = { wantedBy = [ "timers.target" ]; diff --git a/modules/snappymail.nix b/modules/snappymail.nix index 33a8107..2aadcde 100644 --- a/modules/snappymail.nix +++ b/modules/snappymail.nix @@ -1,11 +1,26 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: let - inherit (lib) mkDefault mkEnableOption mkForce mkIf mkOption mkPackageOption generators types; + inherit (lib) + mkDefault + mkEnableOption + mkForce + mkIf + mkOption + mkPackageOption + generators + types + ; cfg = config.services.snappymail; maxUploadSize = "256M"; -in { +in +{ options.services.snappymail = { enable = mkEnableOption "Snappymail"; @@ -48,13 +63,13 @@ in { }; users.groups = mkIf (cfg.group == "snappymail") { - snappymail = {}; + snappymail = { }; }; services.phpfpm.pools.snappymail = { user = cfg.user; group = cfg.group; - phpOptions = generators.toKeyValue {} { + phpOptions = generators.toKeyValue { } { upload_max_filesize = maxUploadSize; post_max_size = maxUploadSize; memory_limit = maxUploadSize; 
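Review bot: The private key is chmod'ed to the same `mode` as the certificate, and `mode` defaults to `"0660"`, so `value.certificateKey` ends up group-writable by default and there is no way to give the key a stricter mode than its public certificate. A separate `keyMode` option defaulting to `"0640"` keeps the certificate shareable while limiting the key to the owner plus the service group; this presumably matters most where `group` is set to a service's group, so confirm against the callers in `hosts/`. Separately, the freshness check `-in ${value.certificate}` is the only path in the script that is not double-quoted, unlike the `-out`/`-keyout` arguments; quoting it as `-in "${value.certificate}"` avoids a path with spaces failing the check and regenerating the pair on every timer run.
```nix
keyMode = lib.mkOption {
  type = lib.types.str;
  default = "0640";
  description = "File mode of the private key; kept stricter than `mode` by default.";
};
# … unchanged: other options and the openssl req invocation …
chown "${value.owner}:${value.group}" "${value.certificateKey}"
chmod "${value.mode}" "${value.certificate}"
chmod "${value.keyMode}" "${value.certificateKey}"
```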
@@ -91,13 +106,14 @@ in { client_max_body_size ${maxUploadSize}; ''; - root = if (cfg.package == pkgs.snappymail) then - pkgs.snappymail.override { - dataPath = cfg.dataDir; - } - else cfg.package; + root = + if (cfg.package == pkgs.snappymail) then + pkgs.snappymail.override { + dataPath = cfg.dataDir; + } + else + cfg.package; }; }; }; } - diff --git a/packages/bluemap.nix b/packages/bluemap.nix index 41337e9..f11ab27 100644 --- a/packages/bluemap.nix +++ b/packages/bluemap.nix @@ -1,4 +1,10 @@ -{ lib, stdenvNoCC, fetchurl, makeWrapper, jre }: +{ + lib, + stdenvNoCC, + fetchurl, + makeWrapper, + jre, +}: stdenvNoCC.mkDerivation rec { pname = "bluemap"; diff --git a/packages/mediawiki-extensions/default.nix b/packages/mediawiki-extensions/default.nix index d5b4ca4..a7ec706 100644 --- a/packages/mediawiki-extensions/default.nix +++ b/packages/mediawiki-extensions/default.nix 
@@ -1,31 +1,33 @@ { pkgs, lib }: let - kebab-case-name = project-name: lib.pipe project-name [ - (builtins.replaceStrings - lib.upperChars - (map (x: "-${x}") lib.lowerChars) - ) - (lib.removePrefix "-") - ]; + kebab-case-name = + project-name: + lib.pipe project-name [ + (builtins.replaceStrings lib.upperChars (map (x: "-${x}") lib.lowerChars)) + (lib.removePrefix "-") + ]; - mw-ext = { - name - , commit - , hash - , tracking-branch ? "REL1_44" - , kebab-name ? kebab-case-name name - , fetchgit ? pkgs.fetchgit - }: - { - ${name} = (fetchgit { - name = "mediawiki-${kebab-name}-source"; - url = "https://gerrit.wikimedia.org/r/mediawiki/extensions/${name}"; - rev = commit; - inherit hash; - }).overrideAttrs (_: { - passthru = { inherit name kebab-name tracking-branch; }; - }); - }; + mw-ext = + { + name, + commit, + hash, + tracking-branch ? "REL1_44", + kebab-name ? kebab-case-name name, + fetchgit ? pkgs.fetchgit, + }: + { + ${name} = + (fetchgit { + name = "mediawiki-${kebab-name}-source"; + url = "https://gerrit.wikimedia.org/r/mediawiki/extensions/${name}"; + rev = commit; + inherit hash; + }).overrideAttrs + (_: { + passthru = { inherit name kebab-name tracking-branch; }; + }); + }; in # NOTE: to add another extension, you can add an mw-ext expression # with an empty (or even wrong) commit and empty hash, and diff --git a/packages/simplesamlphp/default.nix b/packages/simplesamlphp/default.nix index 90415fb..d885fa4 100644 --- a/packages/simplesamlphp/default.nix +++ b/packages/simplesamlphp/default.nix @@ -1,8 +1,9 @@ -{ lib -, php -, writeText -, fetchFromGitHub -, extra_files ? { } +{ + lib, + php, + writeText, + fetchFromGitHub, + extra_files ? { }, }: 
@@ -25,10 +26,12 @@ php.buildComposerProject rec { # - https://simplesamlphp.org/docs/contrib_modules/metarefresh/simplesamlphp-automated_metadata.html # - https://idp.pvv.ntnu.no/simplesaml/saml2/idp/metadata.php postPatch = lib.pipe extra_files [ - (lib.mapAttrsToList (target_path: source_path: '' - mkdir -p $(dirname "${target_path}") - cp -r "${source_path}" "${target_path}" - '')) + (lib.mapAttrsToList ( + target_path: source_path: '' + mkdir -p $(dirname "${target_path}") + cp -r "${source_path}" "${target_path}" + '' + )) lib.concatLines ]; diff --git a/shell.nix b/shell.nix index 44c4e38..08ceb57 100644 --- a/shell.nix +++ b/shell.nix @@ -1,4 +1,6 @@ -{ pkgs ? import {} }: +{ + pkgs ? import { }, +}: pkgs.mkShellNoCC { packages = with pkgs; [ disko diff --git a/topology/default.nix b/topology/default.nix index 7611e63..6d44604 100644 --- a/topology/default.nix +++ b/topology/default.nix @@ -1,14 +1,21 @@ -{ config, pkgs, lib, values, ... }: +{ + config, + pkgs, + lib, + values, + ... +}: let - inherit - (config.lib.topology) + inherit (config.lib.topology) mkInternet mkRouter mkSwitch mkDevice mkConnection - mkConnectionRev; -in { + mkConnectionRev + ; +in +{ imports = [ ./non-nixos-machines.nix ]; @@ -41,7 +48,14 @@ in { }; nodes.ntnu = mkRouter "NTNU" { - interfaceGroups = [ ["wan1"] ["eth1" "eth2" "eth3"] ]; + interfaceGroups = [ + [ "wan1" ] + [ + "eth1" + "eth2" + "eth3" + ] + ]; connections.eth1 = mkConnection "ntnu-pvv-router" "wan1"; connections.eth2 = mkConnection "ntnu-veggen" "wan1"; connections.eth3 = mkConnection "stackit" "*"; @@ -51,7 +65,10 @@ in { ### Brus nodes.ntnu-pvv-router = mkRouter "NTNU PVV Gateway" { - interfaceGroups = [ ["wan1"] ["eth1"] ]; + interfaceGroups = [ + [ "wan1" ] + [ "eth1" ] + ]; connections.eth1 = mkConnection "knutsen" "em1"; interfaces.eth1.network = "ntnu"; }; 
@@ -59,7 +76,11 @@ in { nodes.knutsen = mkRouter "knutsen" { deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/freebsd.svg"; - interfaceGroups = [ ["em0"] ["em1"] ["vpn1"] ]; + interfaceGroups = [ + [ "em0" ] + [ "em1" ] + [ "vpn1" ] + ]; connections.em0 = mkConnection "nintendo" "eth0"; 
@@ -73,36 +94,36 @@ in { }; nodes.nintendo = mkSwitch "Nintendo (brus switch)" { - interfaceGroups = [ (lib.genList (i: "eth${toString i}") 16) ]; + interfaceGroups = [ (lib.genList (i: "eth${toString i}") 16) ]; - connections = let - connections' = [ - (mkConnection "bekkalokk" "enp2s0") - # (mkConnection "bicep" "enp6s0f0") # NOTE: physical machine is dead at the moment - (mkConnection "buskerud" "eth1") - # (mkConnection "knutsen" "eth1") - (mkConnection "powerpuff-cluster" "eth1") - (mkConnection "powerpuff-cluster" "eth2") - (mkConnection "powerpuff-cluster" "eth3") - (mkConnection "lupine-1" "enp0s31f6") - (mkConnection "lupine-2" "enp0s31f6") - (mkConnection "lupine-3" "enp0s31f6") - (mkConnection "lupine-4" "enp0s31f6") - (mkConnection "lupine-5" "enp0s31f6") - (mkConnection "innovation" "em0") - (mkConnection "microbel" "eth0") - (mkConnection "isvegg" "eth0") - (mkConnection "ameno" "eth0") - (mkConnection "sleipner" "eno0") - ]; - in - assert (lib.length connections' <= 15); - builtins.listToAttrs ( - lib.zipListsWith - (a: b: lib.nameValuePair a b) - (lib.genList (i: "eth${toString (i + 1)}") 15) - connections' - ); + connections = + let + connections' = [ + (mkConnection "bekkalokk" "enp2s0") + # (mkConnection "bicep" "enp6s0f0") # NOTE: physical machine is dead at the moment + (mkConnection "buskerud" "eth1") + # (mkConnection "knutsen" "eth1") + (mkConnection "powerpuff-cluster" "eth1") + (mkConnection "powerpuff-cluster" "eth2") + (mkConnection "powerpuff-cluster" "eth3") + (mkConnection "lupine-1" "enp0s31f6") + (mkConnection "lupine-2" "enp0s31f6") + (mkConnection "lupine-3" "enp0s31f6") + (mkConnection "lupine-4" "enp0s31f6") + (mkConnection "lupine-5" "enp0s31f6") + (mkConnection "innovation" "em0") + (mkConnection "microbel" "eth0") + (mkConnection "isvegg" "eth0") + (mkConnection "ameno" "eth0") + (mkConnection "sleipner" "eno0") + ]; + in + assert (lib.length connections' <= 15); + builtins.listToAttrs ( + lib.zipListsWith (a: b: 
lib.nameValuePair a b) (lib.genList ( + i: "eth${toString (i + 1)}" + ) 15) connections' + ); }; nodes.bekkalokk.hardware.info = "Supermicro X9SCL/X9SCM"; @@ -141,7 +162,13 @@ in { hardware.info = "Dell PowerEdge R730 x 3"; - interfaceGroups = [ [ "eth1" "eth2" "eth3" ] ]; + interfaceGroups = [ + [ + "eth1" + "eth2" + "eth3" + ] + ]; services = { proxmox = { @@ -199,14 +226,21 @@ in { ### PVV nodes.ntnu-veggen = mkRouter "NTNU-Veggen" { - interfaceGroups = [ ["wan1"] ["eth1"] ]; + interfaceGroups = [ + [ "wan1" ] + [ "eth1" ] + ]; connections.eth1 = mkConnection "ludvigsen" "re0"; }; nodes.ludvigsen = mkRouter "ludvigsen" { deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/freebsd.svg"; - interfaceGroups = [ [ "re0" ] [ "em0" ] [ "vpn1" ] ]; + interfaceGroups = [ + [ "re0" ] + [ "em0" ] + [ "vpn1" ] + ]; connections.em0 = mkConnection "pvv-switch" "eth0"; 
@@ -219,31 +253,30 @@ in { }; nodes.pvv-switch = mkSwitch "PVV Switch (Terminalrommet)" { - interfaceGroups = [ (lib.genList (i: "eth${toString i}") 16) ]; - connections = let - connections' = [ - (mkConnection "brzeczyszczykiewicz" "eno1") - (mkConnection "georg" "eno1") - (mkConnection "wegonke" "enp4s0") - (mkConnection "demiurgen" "eno1") - (mkConnection "sanctuary" "ethernet_0") - (mkConnection "torskas" "eth0") - (mkConnection "skrott" "eth0") - (mkConnection "homeassistant" "eth0") - (mkConnection "orchid" "eth0") - (mkConnection "principal" "em0") - ]; - in - assert (lib.length connections' <= 15); - builtins.listToAttrs ( - lib.zipListsWith - (a: b: lib.nameValuePair a b) - (lib.genList (i: "eth${toString (i + 1)}") 15) - connections' - ); + interfaceGroups = [ (lib.genList (i: "eth${toString i}") 16) ]; + connections = + let + connections' = [ + (mkConnection "brzeczyszczykiewicz" "eno1") + (mkConnection "georg" "eno1") + (mkConnection "wegonke" "enp4s0") + (mkConnection "demiurgen" "eno1") + (mkConnection "sanctuary" "ethernet_0") + (mkConnection "torskas" "eth0") + (mkConnection "skrott" "eth0") + (mkConnection "homeassistant" "eth0") + (mkConnection "orchid" "eth0") + (mkConnection "principal" "em0") + ]; + in + assert (lib.length connections' <= 15); + builtins.listToAttrs ( + lib.zipListsWith (a: b: lib.nameValuePair a b) (lib.genList ( + i: "eth${toString (i + 1)}" + ) 15) connections' + ); }; - ### Openstack nodes.stackit = mkDevice "stackit" { diff --git a/topology/non-nixos-machines.nix b/topology/non-nixos-machines.nix index 10b12e6..90f58fe 100644 --- a/topology/non-nixos-machines.nix +++ b/topology/non-nixos-machines.nix @@ -1,7 +1,14 @@ -{ config, pkgs, lib, values, ... }: +{ + config, + pkgs, + lib, + values, + ... +}: let inherit (config.lib.topology) mkDevice; -in { +in +{ nodes.balduzius = mkDevice "balduzius" { guestType = "proxmox"; parent = config.nodes.powerpuff-cluster.id; 
@@ -108,7 +115,12 @@ in { hardware.info = "Supermicro X8ST3"; - interfaceGroups = [ [ "eth0" "eth1" ] ]; + interfaceGroups = [ + [ + "eth0" + "eth1" + ] + ]; interfaces.eth0 = { mac = "00:25:90:24:76:2c"; addresses = [ @@ -215,7 +227,12 @@ in { nodes.sleipner = mkDevice "sleipner" { deviceIcon = "${pkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/debian.svg"; - interfaceGroups = [ [ "eno0" "enp2s0" ] ]; + interfaceGroups = [ + [ + "eno0" + "enp2s0" + ] + ]; interfaces.enp2s0 = { mac = "00:25:90:57:35:8e"; addresses = [ diff --git a/topology/service-extractors/gitea-runners.nix b/topology/service-extractors/gitea-runners.nix index 8310478..b160ece 100644 --- a/topology/service-extractors/gitea-runners.nix +++ b/topology/service-extractors/gitea-runners.nix @@ -1,4 +1,9 @@ -{ config, unstablePkgs, lib, ... }: +{ + config, + unstablePkgs, + lib, + ... +}: let cfg = config.services.gitea-actions-runner; in diff --git a/topology/service-extractors/greg-ng.nix b/topology/service-extractors/greg-ng.nix index ce81279..4f8d9f2 100644 --- a/topology/service-extractors/greg-ng.nix +++ b/topology/service-extractors/greg-ng.nix @@ -6,6 +6,8 @@ in config.topology.self.services.greg-ng = lib.mkIf cfg.enable { name = "Greg-ng"; icon = ../icons/greg-ng.png; - details.listen = { text = "${cfg.settings.host}:${toString cfg.settings.port}"; }; + details.listen = { + text = "${cfg.settings.host}:${toString cfg.settings.port}"; + }; }; } diff --git a/topology/service-extractors/mysql.nix b/topology/service-extractors/mysql.nix index 5a1076e..e440acc 100644 --- a/topology/service-extractors/mysql.nix +++ b/topology/service-extractors/mysql.nix @@ -1,4 +1,9 @@ -{ config, unstablePkgs, lib, ... }: +{ + config, + unstablePkgs, + lib, + ... +}: let cfg = config.services.mysql; cfgBak = config.services.mysqlBackup; 
@@ -8,7 +13,9 @@ in name = "MySQL"; icon = "${unstablePkgs.super-tiny-icons}/share/icons/SuperTinyIcons/svg/mysql.svg"; - details.listen.text = "${cfg.settings.mysqld.bind-address or "127.0.0.1"}:${toString (cfg.settings.mysqld.port or 3306)}"; + details.listen.text = "${cfg.settings.mysqld.bind-address or "127.0.0.1"}:${ + toString (cfg.settings.mysqld.port or 3306) + }"; details.socket.text = cfg.settings.mysqld.socket or "/run/mysqld/mysqld.sock"; details.type.text = cfg.package.pname; details.dataDir.text = cfg.dataDir; diff --git a/topology/service-extractors/postgresql.nix b/topology/service-extractors/postgresql.nix index 364f484..2326c17 100644 --- a/topology/service-extractors/postgresql.nix +++ b/topology/service-extractors/postgresql.nix @@ -1,4 +1,9 @@ -{ config, unstablePkgs, lib, ... }: +{ + config, + unstablePkgs, + lib, + ... +}: let cfg = config.services.postgresql; cfgBak = config.services.postgresqlBackup; diff --git a/users/albertba.nix b/users/albertba.nix index 462554f..772fbbd 100644 --- a/users/albertba.nix +++ b/users/albertba.nix @@ -2,7 +2,11 @@ { users.users.albertba = { isNormalUser = true; - extraGroups = [ "wheel" "drift" "nix-builder-users" ]; + extraGroups = [ + "wheel" + "drift" + "nix-builder-users" + ]; packages = with pkgs; [ fd diff --git a/users/danio.nix b/users/danio.nix index a0b99ab..bbb7788 100644 --- a/users/danio.nix +++ b/users/danio.nix @@ -3,7 +3,11 @@ { users.users.danio = { isNormalUser = true; - extraGroups = [ "drift" "nix-builder-users" "wheel" ]; + extraGroups = [ + "drift" + "nix-builder-users" + "wheel" + ]; shell = if config.programs.zsh.enable then pkgs.zsh else pkgs.bash; openssh.authorizedKeys.keys = [ diff --git a/users/default.nix b/users/default.nix index eea1680..6f162e6 100644 --- a/users/default.nix +++ b/users/default.nix 
@@ -5,9 +5,12 @@ let getDir = dir: builtins.readDir dir; # find all files ending in ".nix" which are not this file, or directories, which may or may not contain a default.nix - files = dir: filterAttrs - (file: type: (type == "regular" && hasSuffix ".nix" file && file != "default.nix") || type == "directory") - (getDir dir); + files = + dir: + filterAttrs ( + file: type: + (type == "regular" && hasSuffix ".nix" file && file != "default.nix") || type == "directory" + ) (getDir dir); # Turn the attrset into a list of the filenames flatten = dir: mapAttrsToList (file: type: file) (files dir); # Turn the filenames into absolute paths diff --git a/users/felixalb.nix b/users/felixalb.nix index 7d1278f..1716edf 100644 --- a/users/felixalb.nix +++ b/users/felixalb.nix @@ -1,10 +1,16 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: { users.users.felixalb = { isNormalUser = true; extraGroups = [ "wheel" - ] ++ lib.optionals ( config.users.groups ? "libvirtd" ) [ + ] + ++ lib.optionals (config.users.groups ? "libvirtd") [ "libvirtd" ]; shell = if config.programs.zsh.enable then pkgs.zsh else pkgs.bash; diff --git a/users/frero.nix b/users/frero.nix index 2ea8080..85f9f8f 100644 --- a/users/frero.nix +++ b/users/frero.nix @@ -2,7 +2,11 @@ { users.users.frero = { isNormalUser = true; - extraGroups = [ "wheel" "drift" "nix-builder-users" ]; + extraGroups = [ + "wheel" + "drift" + "nix-builder-users" + ]; shell = if config.programs.zsh.enable then pkgs.zsh else pkgs.bash; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII09JbtSUMurvmHpJ7TmUQctXpNVhjFYhoJ3+1ZITmMx" diff --git a/users/jonmro.nix b/users/jonmro.nix index 1e5704d..82e760f 100644 --- a/users/jonmro.nix +++ b/users/jonmro.nix 
@@ -3,7 +3,11 @@ { users.users.jonmro = { isNormalUser = true; - extraGroups = [ "wheel" "drift" "nix-builder-users" ]; + extraGroups = [ + "wheel" + "drift" + "nix-builder-users" + ]; shell = if config.programs.zsh.enable then pkgs.zsh else pkgs.bash; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEm5PfYmfl/0fnAP/3coVlvTw3/TYNLT6r/NwJHZbLAK jonrodtang@gmail.com" diff --git a/values.nix b/values.nix index 98edfe6..b926fa8 100644 --- a/values.nix +++ b/values.nix @@ -4,7 +4,8 @@ let ntnu-ipv6 = suffix: "2001:700:300:${toString suffix}"; pvv-ipv4 = suffix: ntnu-ipv4 "210.${toString suffix}"; pvv-ipv6 = suffix: ntnu-ipv6 "1900::${toString suffix}"; -in rec { +in +rec { ntnu.ipv4-space = ntnu-ipv4 "0.0/16"; # https://ipinfo.io/ips/129.241.0.0/16 ntnu.ipv6-space = ntnu-ipv6 ":/48"; # https://ipinfo.io/2001:700:300:: @@ -126,9 +127,20 @@ in rec { }; defaultNetworkConfig = { - dns = [ "129.241.0.200" "129.241.0.201" "2001:700:300:1900::200" "2001:700:300:1900::201" ]; - domains = [ "pvv.ntnu.no" "pvv.org" ]; - gateway = [ hosts.gateway hosts.gateway6 ]; + dns = [ + "129.241.0.200" + "129.241.0.201" + "2001:700:300:1900::200" + "2001:700:300:1900::201" + ]; + domains = [ + "pvv.ntnu.no" + "pvv.org" + ]; + gateway = [ + hosts.gateway + hosts.gateway6 + ]; networkConfig.IPv6AcceptRA = "no"; DHCP = "no";