style: format with nixfmt

This commit is contained in:
Price Hiller 2024-03-14 03:51:03 -05:00
parent 3b890fc629
commit a6cdb184ab
Signed by: Price
GPG Key ID: C3FADDE7A8534BEB
34 changed files with 186 additions and 255 deletions


@ -147,4 +147,4 @@
'';
};
});
}
}


@ -1,5 +1,4 @@
{ config, lib, nixpkgs, ... }:
{
{ config, lib, nixpkgs, ... }: {
imports = (lib.recurseFilesInDirs [ ./os ./modules ] ".nix");
system.stateVersion = "24.05";
}
}


@ -5,4 +5,4 @@
systemd.extraConfig = ''
DefaultTimeoutStopSec=10s
'';
}
}


@ -1,9 +1,5 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
docker
docker-compose
];
{ pkgs, ... }: {
environment.systemPackages = with pkgs; [ docker docker-compose ];
virtualisation = {
oci-containers.backend = "docker";
@ -14,4 +10,4 @@
package = pkgs.docker;
};
};
}
}


@ -33,4 +33,4 @@
# Root command executions
"-a always,exit -F arch=b64 -F euid=0 -F auid>=1000 -F auid!=-1 -S execve -F key=rootcmd"
];
}
}


@ -24,4 +24,4 @@ in {
};
};
};
}
}


@ -89,4 +89,4 @@ in {
user = "prometheus";
group = "prometheus";
}];
}
}


@ -20,9 +20,9 @@ let
"2620:fe::9#dns.quad9.net"
"2001:4860:4860::8888#dns.google"
];
resolved_fallback_nameservers = [ "1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one" ];
in
{
resolved_fallback_nameservers =
[ "1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one" ];
in {
systemd.network = {
enable = true;
# HACK: Disable wait-online, check in on https://github.com/NixOS/nixpkgs/pull/258680 &
@ -89,11 +89,7 @@ in
nftables.enable = true;
firewall = {
enable = true;
allowedTCPPorts = [
80
443
2200
];
allowedTCPPorts = [ 80 443 2200 ];
};
hostName = "${hostname}";
};


@ -1,7 +1,6 @@
{ ... }:
{
{ ... }: {
services.fail2ban = {
enable = true;
maxretry = 10;
};
}
}


@ -59,9 +59,7 @@ in {
url = config.services.gitea.settings.server.ROOT_URL;
tokenFile = config.age.secrets.gitea-runner-token.path;
name = "Default";
settings = {
runner.capacity = 8;
};
settings = { runner.capacity = 8; };
labels = [
"default:docker://nixos/nix:latest"
"alpine:docker://alpine:latest"
@ -87,4 +85,4 @@ in {
user = config.services.gitea.user;
group = config.services.gitea.group;
}];
}
}


@ -1,5 +1,4 @@
{ ... }:
{
{ ... }: {
services.journald = {
extraConfig = ''
SystemMaxUse=100G


@ -1,5 +1,4 @@
{ config, pkgs, blog, fqdn, ... }:
{
{ config, pkgs, blog, fqdn, ... }: {
services.nginx = {
enable = true;
recommendedProxySettings = true;
@ -18,4 +17,4 @@
root = blog.packages.${pkgs.system}.default;
locations."/".index = "home.html";
};
}
}


@ -36,4 +36,4 @@
'';
};
}
}


@ -1,5 +1,4 @@
{ config, lib, pkgs, ... }:
{
{ config, lib, pkgs, ... }: {
services.postgresqlBackup = {
location = "/var/backup/postgresql";
backupAll = true;
@ -16,18 +15,24 @@
log_statement = "all";
log_destination = lib.mkForce "syslog,jsonlog";
};
ensureUsers = [
{
name = "root";
ensureClauses.superuser = true;
}
];
ensureUsers = [{
name = "root";
ensureClauses.superuser = true;
}];
};
environment.systemPackages = [ pkgs.pgloader ];
environment.persistence.save.directories = [
{ directory = config.services.postgresql.dataDir; user = "postgres"; group = "postgres"; }
{ directory = config.services.postgresqlBackup.location; user = "postgres"; group = "postgres"; }
{
directory = config.services.postgresql.dataDir;
user = "postgres";
group = "postgres";
}
{
directory = config.services.postgresqlBackup.location;
user = "postgres";
group = "postgres";
}
];
}
}


@ -7,11 +7,7 @@
dates = "05:00";
allowReboot = true;
flake = self.outPath;
flags = [
"--update-input"
"nixpkgs"
"-L"
];
flags = [ "--update-input" "nixpkgs" "-L" ];
};
};
}


@ -14,6 +14,9 @@
};
environment.persistence.ephemeral.users = {
price = { files = [ ".bash_history" ]; };
root = { home = "/root"; files = [ ".bash_history" ]; };
root = {
home = "/root";
files = [ ".bash_history" ];
};
};
}
}


@ -1,10 +1,6 @@
{ modulesPath, pkgs, ... }:
{
{ modulesPath, pkgs, ... }: {
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
tmp = {
@ -73,4 +69,4 @@
};
};
}
}


@ -2,4 +2,4 @@
{
zramSwap.enable = true;
}
}


@ -1,14 +1,9 @@
{ lib, root-disk, persist-dir, ... }:
{
{ lib, root-disk, persist-dir, ... }: {
services = {
fstrim.enable = true;
btrfs.autoScrub = {
enable = true;
fileSystems = [
"/"
"/nix"
"/persist"
];
fileSystems = [ "/" "/nix" "/persist" ];
};
snapper = {
# NOTE: According to `snapper-config(5)` the default timeline count for all timelines is 10
@ -23,73 +18,61 @@
fileSystems."${persist-dir}".neededForBoot = true;
disko.devices =
{
disk.${lib.removePrefix "/dev/" root-disk} = {
type = "disk";
device = "${root-disk}";
content = {
type = "gpt";
partitions = {
esp =
let
label = "NixOS-Boot";
in
{
priority = 1;
size = "512M";
type = "EF00";
content = {
extraArgs = [ "-n ${label}" "-F 32" ];
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [
"umask=0077"
"defaults"
];
};
};
root =
let
label = "NixOS-Primary";
in
{
size = "100%";
content = {
type = "btrfs";
extraArgs = [ "-f" "--label ${label}" ];
postCreateHook = ''
MOUNT="$(mktemp -d)"
mount "/dev/disk/by-label/${label}" "$MOUNT" -o subvol=/
trap 'umount $MOUNT; rm -rf $MOUNT' EXIT
btrfs subvolume snapshot -r "$MOUNT/root" "$MOUNT/root-base"
'';
subvolumes = {
"/root" = {
mountpoint = "/";
};
"/var-log" = {
mountpoint = "/var/log";
mountOptions = [ "compress=zstd" "noatime" ];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [ "compress=zstd" "noatime" ];
};
"${persist-dir}" = {
mountpoint = "${persist-dir}";
mountOptions = [ "compress=zstd" "noatime" ];
};
"${persist-dir}/.snapshots" = {
mountpoint = "${persist-dir}/.snapshots";
mountOptions = [ "compress=zstd" "noatime" ];
};
};
disko.devices = {
disk.${lib.removePrefix "/dev/" root-disk} = {
type = "disk";
device = "${root-disk}";
content = {
type = "gpt";
partitions = {
esp = let label = "NixOS-Boot";
in {
priority = 1;
size = "512M";
type = "EF00";
content = {
extraArgs = [ "-n ${label}" "-F 32" ];
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" "defaults" ];
};
};
root = let label = "NixOS-Primary";
in {
size = "100%";
content = {
type = "btrfs";
extraArgs = [ "-f" "--label ${label}" ];
postCreateHook = ''
MOUNT="$(mktemp -d)"
mount "/dev/disk/by-label/${label}" "$MOUNT" -o subvol=/
trap 'umount $MOUNT; rm -rf $MOUNT' EXIT
btrfs subvolume snapshot -r "$MOUNT/root" "$MOUNT/root-base"
'';
subvolumes = {
"/root" = { mountpoint = "/"; };
"/var-log" = {
mountpoint = "/var/log";
mountOptions = [ "compress=zstd" "noatime" ];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [ "compress=zstd" "noatime" ];
};
"${persist-dir}" = {
mountpoint = "${persist-dir}";
mountOptions = [ "compress=zstd" "noatime" ];
};
"${persist-dir}/.snapshots" = {
mountpoint = "${persist-dir}/.snapshots";
mountOptions = [ "compress=zstd" "noatime" ];
};
};
};
};
};
};
};
}
};
}


@ -1,6 +1,6 @@
{ lib, config, ... }:
{
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
{ lib, config, ... }: {
hardware.cpu.intel.updateMicrocode =
lib.mkDefault config.hardware.enableRedistributableFirmware;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
services.fstrim.enable = true;
}


@ -1 +1 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJZzZ6q/V7f8zbb9Xm0uZPn4zfdXAj3QgwGkGKzEV9Q5 luna"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJZzZ6q/V7f8zbb9Xm0uZPn4zfdXAj3QgwGkGKzEV9Q5 luna"


@ -1,5 +1,4 @@
{ config, lib, nixpkgs, ... }:
{
{ config, lib, nixpkgs, ... }: {
imports = (lib.recurseFilesInDirs [ ./os ./modules ] ".nix");
system.stateVersion = "24.05";
}
}


@ -3,9 +3,7 @@
{
hardware.bluetooth.enable = true;
services.blueman.enable = true;
environment.systemPackages = with pkgs; [
bluez
];
environment.systemPackages = with pkgs; [ bluez ];
systemd.user.services.mpris-proxy = {
description = "Mpris proxy";


@ -16,6 +16,7 @@
# Remove NVIDIA VGA/3D controller devices
ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x03[0-9]*", ATTR{power/control}="auto", ATTR{remove}="1"
'';
boot.blacklistedKernelModules = [ "nouveau" "nvidia" "nvidia_drm" "nvidia_modeset" ];
boot.blacklistedKernelModules =
[ "nouveau" "nvidia" "nvidia_drm" "nvidia_modeset" ];
}


@ -25,8 +25,7 @@ let
"2606:4700:4700::1111#cloudflare-dns.com"
"2606:4700:4700::1001#cloudflare-dns.com"
];
in
{
in {
systemd.network = {
enable = true;
networks = {
@ -89,4 +88,4 @@ in
useNetworkd = true;
};
}
}


@ -5,7 +5,7 @@
settings = {
experimental-features = [ "nix-command" "flakes" ];
auto-optimise-store = true;
trusted-users = ["@wheel"];
trusted-users = [ "@wheel" ];
};
gc = {
automatic = true;


@ -1,19 +1,14 @@
{ config, ... }:
{
{ config, ... }: {
services.openssh = {
enable = true;
startWhenNeeded = true;
# We set the hostkeys manually so they persist through reboots
hostKeys = [
{
path = (config.environment.persistence.ephemeral.persistentStoragePath + "/etc/ssh/ssh_host_ed25519_key");
type = "ed25519";
}
];
sftpFlags = [
"-f AUTHPRIV"
"-l INFO"
];
hostKeys = [{
path = (config.environment.persistence.ephemeral.persistentStoragePath
+ "/etc/ssh/ssh_host_ed25519_key");
type = "ed25519";
}];
sftpFlags = [ "-f AUTHPRIV" "-l INFO" ];
extraConfig = ''
AllowUsers price
'';
@ -41,9 +36,7 @@
"umac-128-etm@openssh.com"
];
};
ports = [
2200
];
ports = [ 2200 ];
banner = ''
Orion Technologies - Security Notice
@ -59,4 +52,4 @@
'';
};
}
}


@ -14,6 +14,9 @@
};
environment.persistence.ephemeral.users = {
price = { files = [ ".bash_history" ]; };
root = { home = "/root"; files = [ ".bash_history" ]; };
root = {
home = "/root";
files = [ ".bash_history" ];
};
};
}
}


@ -1,9 +1,7 @@
{ modulesPath, pkgs, ... }: {
# imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot = {
loader = {
@ -14,7 +12,8 @@
kernelParams = [ "audit=1" ];
extraModulePackages = [ ];
initrd = {
availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
availableKernelModules =
[ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
# availableKernelModules =
# [ "xhci_pci" "thunderbolt" "vmd" "nvme" "usbhid" "rtsx_pci_sdmmc" ];
# kernelModules = [ ];
@ -70,4 +69,4 @@
};
};
}
}


@ -72,4 +72,4 @@
};
};
};
}
}


@ -1 +1 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKuypHJpFMaElzWO2QrPNF5o97LGJK/LckHuWvfwIFWI orion"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKuypHJpFMaElzWO2QrPNF5o97LGJK/LckHuWvfwIFWI orion"


@ -1,31 +1,22 @@
# Some of these functions were taken from https://github.com/NixOS/nixpkgs/blob/master/lib/
{ lib ? (import <nixpkgs> { }).lib }:
rec {
hasSuffix =
suffix:
string:
{ lib ? (import <nixpkgs> { }).lib }: rec {
hasSuffix = suffix: string:
let
lenSuffix = builtins.stringLength suffix;
lenString = builtins.stringLength string;
in
(
lenString >= lenSuffix && (builtins.substring (lenString - lenSuffix) lenString string) == suffix
);
in (lenString >= lenSuffix
&& (builtins.substring (lenString - lenSuffix) lenString string)
== suffix);
recurseDir = dir:
let
dirContents = builtins.readDir dir;
in
(builtins.concatMap
(dirItem:
let
itemType = builtins.getAttr dirItem dirContents;
itemPath = dir + "/${dirItem}";
in
if itemType == "directory" then
(recurseDir itemPath)
else
[ itemPath ])
(builtins.attrNames dirContents));
let dirContents = builtins.readDir dir;
in (builtins.concatMap (dirItem:
let
itemType = builtins.getAttr dirItem dirContents;
itemPath = dir + "/${dirItem}";
in if itemType == "directory" then
(recurseDir itemPath)
else
[ itemPath ]) (builtins.attrNames dirContents));
recurseFilesInDir = dir: suffix:
(builtins.filter (file: hasSuffix "${suffix}" file) (recurseDir dir));
recurseFilesInDirs = dirs: suffix:
@ -35,14 +26,13 @@ rec {
let
f = attrPath:
lib.zipAttrsWith (n: values:
if lib.tail values == [ ]
then lib.head values
else if lib.all builtins.isList values
then lib.unique (lib.concatLists values)
else if lib.all builtins.isAttrs values
then f (attrPath ++ [ n ]) values
else lib.last values
);
in
f [ ] attrList;
}
if lib.tail values == [ ] then
lib.head values
else if lib.all builtins.isList values then
lib.unique (lib.concatLists values)
else if lib.all builtins.isAttrs values then
f (attrPath ++ [ n ]) values
else
lib.last values);
in f [ ] attrList;
}


@ -5,52 +5,32 @@ let
"age1ur2lr3z6d2eftgxcalc6s5x9840ew9x43upl9k23wg0ugacrn5as4zl6sj"
];
hosts = {
luna =
let
secrets = "luna";
in
{
users-root-pw = "${secrets}/users-root-pw.age";
users-price-pw = "${secrets}/users-price-pw.age";
gitea-db-pass = "${secrets}/gitea-db-pass.age";
gitea-runner-token = "${secrets}/gitea-runner-token.age";
};
orion =
let
secrets = "orion";
in
{
users-root-pw = "${secrets}/users-root-pw.age";
users-price-pw = "${secrets}/users-price-pw.age";
};
luna = let secrets = "luna";
in {
users-root-pw = "${secrets}/users-root-pw.age";
users-price-pw = "${secrets}/users-price-pw.age";
gitea-db-pass = "${secrets}/gitea-db-pass.age";
gitea-runner-token = "${secrets}/gitea-runner-token.age";
};
orion = let secrets = "orion";
in {
users-root-pw = "${secrets}/users-root-pw.age";
users-price-pw = "${secrets}/users-price-pw.age";
};
};
in
if agenix then
(builtins.listToAttrs
(builtins.concatMap
(host:
let
hostSecrets = (builtins.getAttr host hosts);
in
(builtins.map
(hostSecretName:
let
secret = (builtins.getAttr hostSecretName hostSecrets);
in
{
name = builtins.toString secret;
value = {
publicKeys = [ (import ./../hosts/${host}/pubkey.nix) ] ++ masterKeys;
};
})
(builtins.attrNames hostSecrets)))
(builtins.attrNames hosts)))
in if agenix then
(builtins.listToAttrs (builtins.concatMap (host:
let hostSecrets = (builtins.getAttr host hosts);
in (builtins.map (hostSecretName:
let secret = (builtins.getAttr hostSecretName hostSecrets);
in {
name = builtins.toString secret;
value = {
publicKeys = [ (import ./../hosts/${host}/pubkey.nix) ] ++ masterKeys;
};
}) (builtins.attrNames hostSecrets))) (builtins.attrNames hosts)))
else
(builtins.mapAttrs
(host: secrets:
(lib.recursiveMerge (builtins.map
(secretName: {
age.secrets.${secretName}.file = ./${secrets.${secretName}};
})
(builtins.attrNames hosts.${host}))))
hosts)
(builtins.mapAttrs (host: secrets:
(lib.recursiveMerge (builtins.map (secretName: {
age.secrets.${secretName}.file = ./${secrets.${secretName}};
}) (builtins.attrNames hosts.${host})))) hosts)


@ -1 +1 @@
import ./default.nix { agenix = true; }
import ./default.nix { agenix = true; }