style: format with nixfmt

hosts/luna/default.nix

@@ -1,5 +1,4 @@
-{ config, lib, nixpkgs, ... }:
+{ config, lib, nixpkgs, ... }: {
-{
   imports = (lib.recurseFilesInDirs [ ./os ./modules ] ".nix");
   system.stateVersion = "24.05";
 }

hosts/luna/modules/docker/default.nix

@@ -1,9 +1,5 @@
-{ pkgs, ... }:
+{ pkgs, ... }: {
-{
+  environment.systemPackages = with pkgs; [ docker docker-compose ];
-  environment.systemPackages =  with pkgs; [
-    docker
-    docker-compose
-  ];
 
   virtualisation = {
     oci-containers.backend = "docker";

hosts/luna/modules/networking.nix

@@ -20,9 +20,9 @@ let
     "2620:fe::9#dns.quad9.net"
     "2001:4860:4860::8888#dns.google"
   ];
-  resolved_fallback_nameservers = [ "1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one" ];
+  resolved_fallback_nameservers =
-in
+    [ "1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one" ];
-{
+in {
   systemd.network = {
     enable = true;
     # HACK: Disable wait-online, check in on https://github.com/NixOS/nixpkgs/pull/258680 &
@@ -89,11 +89,7 @@ in
     nftables.enable = true;
     firewall = {
       enable = true;
-      allowedTCPPorts = [
+      allowedTCPPorts = [ 80 443 2200 ];
-        80
-        443
-        2200
-      ];
     };
     hostName = "${hostname}";
   };

hosts/luna/modules/services/fail2ban.nix

@@ -1,5 +1,4 @@
-{ ... }:
+{ ... }: {
-{
   services.fail2ban = {
     enable = true;
     maxretry = 10;

hosts/luna/modules/services/gitea.nix

@@ -59,9 +59,7 @@ in {
         url = config.services.gitea.settings.server.ROOT_URL;
         tokenFile = config.age.secrets.gitea-runner-token.path;
         name = "Default";
-        settings = {
+        settings = { runner.capacity = 8; };
-          runner.capacity = 8;
-        };
         labels = [
           "default:docker://nixos/nix:latest"
           "alpine:docker://alpine:latest"

hosts/luna/modules/services/journald.nix

@@ -1,5 +1,4 @@
-{ ... }:
+{ ... }: {
-{
   services.journald = {
     extraConfig = ''
       SystemMaxUse=100G

hosts/luna/modules/services/nginx.nix

@@ -1,5 +1,4 @@
-{ config, pkgs, blog, fqdn, ... }:
+{ config, pkgs, blog, fqdn, ... }: {
-{
   services.nginx = {
     enable = true;
     recommendedProxySettings = true;

hosts/luna/modules/services/postgresql.nix

@@ -1,5 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, ... }: {
-{
   services.postgresqlBackup = {
     location = "/var/backup/postgresql";
     backupAll = true;
@@ -16,18 +15,24 @@
       log_statement = "all";
       log_destination = lib.mkForce "syslog,jsonlog";
     };
-    ensureUsers = [
+    ensureUsers = [{
-      {
       name = "root";
       ensureClauses.superuser = true;
-      }
+    }];
-    ];
   };
 
   environment.systemPackages = [ pkgs.pgloader ];
 
   environment.persistence.save.directories = [
-    { directory = config.services.postgresql.dataDir; user = "postgres"; group = "postgres"; }
+    {
-    { directory = config.services.postgresqlBackup.location; user = "postgres"; group = "postgres"; }
+      directory = config.services.postgresql.dataDir;
+      user = "postgres";
+      group = "postgres";
+    }
+    {
+      directory = config.services.postgresqlBackup.location;
+      user = "postgres";
+      group = "postgres";
+    }
   ];
 }

hosts/luna/modules/system.nix

@@ -7,11 +7,7 @@
       dates = "05:00";
       allowReboot = true;
       flake = self.outPath;
-      flags = [
+      flags = [ "--update-input" "nixpkgs" "-L" ];
-        "--update-input"
-        "nixpkgs"
-        "-L"
-      ];
     };
   };
 }

hosts/luna/modules/users.nix

@@ -14,6 +14,9 @@
   };
   environment.persistence.ephemeral.users = {
     price = { files = [ ".bash_history" ]; };
-    root = { home = "/root"; files = [ ".bash_history" ]; };
+    root = {
+      home = "/root";
+      files = [ ".bash_history" ];
+    };
   };
 }

hosts/luna/os/boot.nix

@@ -1,10 +1,6 @@
-{ modulesPath, pkgs, ... }:
+{ modulesPath, pkgs, ... }: {
-{
 
-  imports =
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
-    [
-      (modulesPath + "/installer/scan/not-detected.nix")
-    ];
 
   boot = {
     tmp = {

hosts/luna/os/fs.nix

@@ -1,14 +1,9 @@
-{ lib, root-disk, persist-dir, ... }:
+{ lib, root-disk, persist-dir, ... }: {
-{
   services = {
     fstrim.enable = true;
     btrfs.autoScrub = {
       enable = true;
-      fileSystems = [
+      fileSystems = [ "/" "/nix" "/persist" ];
-        "/"
-        "/nix"
-        "/persist"
-      ];
     };
     snapper = {
       # NOTE: According to `snapper-config(5)` the default timeline count for all timelines is 10
@@ -23,19 +18,15 @@
 
   fileSystems."${persist-dir}".neededForBoot = true;
 
-  disko.devices =
+  disko.devices = {
-    {
     disk.${lib.removePrefix "/dev/" root-disk} = {
       type = "disk";
       device = "${root-disk}";
       content = {
         type = "gpt";
         partitions = {
-            esp =
+          esp = let label = "NixOS-Boot";
-              let
+          in {
-                label = "NixOS-Boot";
-              in
-              {
             priority = 1;
             size = "512M";
             type = "EF00";
@@ -44,17 +35,11 @@
               type = "filesystem";
               format = "vfat";
               mountpoint = "/boot";
-                  mountOptions = [
+              mountOptions = [ "umask=0077" "defaults" ];
-                    "umask=0077"
-                    "defaults"
-                  ];
             };
           };
-            root =
+          root = let label = "NixOS-Primary";
-              let
+          in {
-                label = "NixOS-Primary";
-              in
-              {
             size = "100%";
             content = {
               type = "btrfs";
@@ -66,9 +51,7 @@
                 btrfs subvolume snapshot -r "$MOUNT/root" "$MOUNT/root-base"
               '';
               subvolumes = {
-                    "/root" = {
+                "/root" = { mountpoint = "/"; };
-                      mountpoint = "/";
-                    };
                 "/var-log" = {
                   mountpoint = "/var/log";
                   mountOptions = [ "compress=zstd" "noatime" ];

hosts/luna/os/hardware.nix

@@ -1,6 +1,6 @@
-{ lib, config, ... }:
+{ lib, config, ... }: {
-{
+  hardware.cpu.intel.updateMicrocode =
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+    lib.mkDefault config.hardware.enableRedistributableFirmware;
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   services.fstrim.enable = true;
 }

hosts/orion/default.nix

@@ -1,5 +1,4 @@
-{ config, lib, nixpkgs, ... }:
+{ config, lib, nixpkgs, ... }: {
-{
   imports = (lib.recurseFilesInDirs [ ./os ./modules ] ".nix");
   system.stateVersion = "24.05";
 }

hosts/orion/modules/bluetooth.nix

@@ -3,9 +3,7 @@
 {
   hardware.bluetooth.enable = true;
   services.blueman.enable = true;
-  environment.systemPackages = with pkgs; [
+  environment.systemPackages = with pkgs; [ bluez ];
-    bluez
-  ];
 
   systemd.user.services.mpris-proxy = {
     description = "Mpris proxy";

hosts/orion/modules/hardware.nix

@@ -16,6 +16,7 @@
     # Remove NVIDIA VGA/3D controller devices
     ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x03[0-9]*", ATTR{power/control}="auto", ATTR{remove}="1"
   '';
-  boot.blacklistedKernelModules = [ "nouveau" "nvidia" "nvidia_drm" "nvidia_modeset" ];
+  boot.blacklistedKernelModules =
+    [ "nouveau" "nvidia" "nvidia_drm" "nvidia_modeset" ];
 
 }

hosts/orion/modules/networking.nix

@@ -25,8 +25,7 @@ let
     "2606:4700:4700::1111#cloudflare-dns.com"
     "2606:4700:4700::1001#cloudflare-dns.com"
   ];
-in
+in {
-{
   systemd.network = {
     enable = true;
     networks = {

hosts/orion/modules/services/openssh.nix

@@ -1,19 +1,14 @@
-{ config, ... }:
+{ config, ... }: {
-{
   services.openssh = {
     enable = true;
     startWhenNeeded = true;
     # We set the hostkeys manually so they persist through reboots
-    hostKeys = [
+    hostKeys = [{
-      {
+      path = (config.environment.persistence.ephemeral.persistentStoragePath
-        path = (config.environment.persistence.ephemeral.persistentStoragePath + "/etc/ssh/ssh_host_ed25519_key");
+        + "/etc/ssh/ssh_host_ed25519_key");
       type = "ed25519";
-      }
+    }];
-    ];
+    sftpFlags = [ "-f AUTHPRIV" "-l INFO" ];
-    sftpFlags = [
-      "-f AUTHPRIV"
-      "-l INFO"
-    ];
     extraConfig = ''
       AllowUsers price
     '';
@@ -41,9 +36,7 @@
         "umac-128-etm@openssh.com"
       ];
     };
-    ports = [
+    ports = [ 2200 ];
-      2200
-    ];
     banner = ''
       ┌────────────────────────────────────────────────────┐
       │        Orion Technologies - Security Notice        │

hosts/orion/modules/users.nix

@@ -14,6 +14,9 @@
   };
   environment.persistence.ephemeral.users = {
     price = { files = [ ".bash_history" ]; };
-    root = { home = "/root"; files = [ ".bash_history" ]; };
+    root = {
+      home = "/root";
+      files = [ ".bash_history" ];
+    };
   };
 }

hosts/orion/os/boot.nix

@@ -1,9 +1,7 @@
 { modulesPath, pkgs, ... }: {
 
   # imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
- imports =
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
-    [ (modulesPath + "/profiles/qemu-guest.nix")
-    ];
 
   boot = {
     loader = {
@@ -14,7 +12,8 @@
     kernelParams = [ "audit=1" ];
     extraModulePackages = [ ];
     initrd = {
-      availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
+      availableKernelModules =
+        [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
       # availableKernelModules =
       #   [ "xhci_pci" "thunderbolt" "vmd" "nvme" "usbhid" "rtsx_pci_sdmmc" ];
       # kernelModules = [ ];

lib/default.nix

@@ -1,31 +1,22 @@
 # Some of these functions were taken from https://github.com/NixOS/nixpkgs/blob/master/lib/
-{ lib ? (import <nixpkgs> { }).lib }:
+{ lib ? (import <nixpkgs> { }).lib }: rec {
-rec {
+  hasSuffix = suffix: string:
-  hasSuffix =
-    suffix:
-    string:
     let
       lenSuffix = builtins.stringLength suffix;
       lenString = builtins.stringLength string;
-    in
+    in (lenString >= lenSuffix
-    (
+      && (builtins.substring (lenString - lenSuffix) lenString string)
-      lenString >= lenSuffix && (builtins.substring (lenString - lenSuffix) lenString string) == suffix
+      == suffix);
-    );
   recurseDir = dir:
-    let
+    let dirContents = builtins.readDir dir;
-      dirContents = builtins.readDir dir;
+    in (builtins.concatMap (dirItem:
-    in
-    (builtins.concatMap
-      (dirItem:
       let
         itemType = builtins.getAttr dirItem dirContents;
         itemPath = dir + "/${dirItem}";
-        in
+      in if itemType == "directory" then
-        if itemType == "directory" then
         (recurseDir itemPath)
       else
-          [ itemPath ])
+        [ itemPath ]) (builtins.attrNames dirContents));
-      (builtins.attrNames dirContents));
   recurseFilesInDir = dir: suffix:
     (builtins.filter (file: hasSuffix "${suffix}" file) (recurseDir dir));
   recurseFilesInDirs = dirs: suffix:
@@ -35,14 +26,13 @@ rec {
     let
       f = attrPath:
         lib.zipAttrsWith (n: values:
-          if lib.tail values == [ ]
+          if lib.tail values == [ ] then
-          then lib.head values
+            lib.head values
-          else if lib.all builtins.isList values
+          else if lib.all builtins.isList values then
-          then lib.unique (lib.concatLists values)
+            lib.unique (lib.concatLists values)
-          else if lib.all builtins.isAttrs values
+          else if lib.all builtins.isAttrs values then
-          then f (attrPath ++ [ n ]) values
+            f (attrPath ++ [ n ]) values
-          else lib.last values
+          else
-        );
+            lib.last values);
-    in
+    in f [ ] attrList;
-    f [ ] attrList;
 }

secrets/default.nix

@@ -5,52 +5,32 @@ let
     "age1ur2lr3z6d2eftgxcalc6s5x9840ew9x43upl9k23wg0ugacrn5as4zl6sj"
   ];
   hosts = {
-    luna =
+    luna = let secrets = "luna";
-      let
+    in {
-        secrets = "luna";
-      in
-      {
       users-root-pw = "${secrets}/users-root-pw.age";
       users-price-pw = "${secrets}/users-price-pw.age";
       gitea-db-pass = "${secrets}/gitea-db-pass.age";
       gitea-runner-token = "${secrets}/gitea-runner-token.age";
     };
-    orion =
+    orion = let secrets = "orion";
-      let
+    in {
-        secrets = "orion";
-      in
-      {
       users-root-pw = "${secrets}/users-root-pw.age";
       users-price-pw = "${secrets}/users-price-pw.age";
     };
   };
-in
+in if agenix then
-if agenix then
+  (builtins.listToAttrs (builtins.concatMap (host:
-  (builtins.listToAttrs
+    let hostSecrets = (builtins.getAttr host hosts);
-    (builtins.concatMap
+    in (builtins.map (hostSecretName:
-      (host:
+      let secret = (builtins.getAttr hostSecretName hostSecrets);
-      let
+      in {
-        hostSecrets = (builtins.getAttr host hosts);
-      in
-      (builtins.map
-        (hostSecretName:
-        let
-          secret = (builtins.getAttr hostSecretName hostSecrets);
-        in
-        {
         name = builtins.toString secret;
         value = {
           publicKeys = [ (import ./../hosts/${host}/pubkey.nix) ] ++ masterKeys;
         };
-        })
+      }) (builtins.attrNames hostSecrets))) (builtins.attrNames hosts)))
-        (builtins.attrNames hostSecrets)))
-      (builtins.attrNames hosts)))
 else
-  (builtins.mapAttrs
+  (builtins.mapAttrs (host: secrets:
-    (host: secrets:
+    (lib.recursiveMerge (builtins.map (secretName: {
-    (lib.recursiveMerge (builtins.map
-      (secretName: {
       age.secrets.${secretName}.file = ./${secrets.${secretName}};
-      })
+    }) (builtins.attrNames hosts.${host})))) hosts)
-      (builtins.attrNames hosts.${host}))))
-    hosts)