Reformat the whole flake using alejandra

Signed-off-by: magic_rb <magic_rb@redalder.org>
magic_rb 2024-03-02 22:05:30 +01:00
parent 97be6885a6
commit aff0158ef7
No known key found for this signature in database
GPG key ID: 08D5287CC5DDCA0E
176 changed files with 4982 additions and 4278 deletions


@ -1,5 +1,4 @@
{ pkgs, ... }:
{
{pkgs, ...}: {
programs.direnv.enable = true;
programs.direnv.nix-direnv.enable = true;


@ -1,4 +1,2 @@
{ ... }:
{
{...}: {
}


@ -1,12 +1,11 @@
{ pkgs, ... }:
{
{pkgs, ...}: {
home.file.".config/dunstrc".source = ./dunstrc;
systemd.user.services.dunst = {
Unit = {
Description = "Dunst notification daemon";
After = [ "graphical-session-pre.target" ];
PartOf = [ "graphical-session.target" ];
After = ["graphical-session-pre.target"];
PartOf = ["graphical-session.target"];
};
Service = {
@ -15,6 +14,6 @@
ExecStart = "${pkgs.dunst}/bin/dunst -config ~/.config/dunstrc";
};
Install = { WantedBy = [ "graphical-session.target" ]; };
Install = {WantedBy = ["graphical-session.target"];};
};
}


@ -1,5 +1,11 @@
{ pkgs, config, lib, secret, inputs', ... }:
{
pkgs,
config,
lib,
secret,
inputs',
...
}: {
home.packages = with pkgs; [
(makeDesktopItem {
name = "Org-Protocol";
@ -13,14 +19,14 @@
(iosevka-bin.override {variant = "aile";})
(iosevka-bin.override {variant = "etoile";})
(iosevka-bin.override {variant = "";})
(nerdfonts.override { fonts = ["NerdFontsSymbolsOnly"]; })
(nerdfonts.override {fonts = ["NerdFontsSymbolsOnly"];})
];
systemd.user.services.emacs = {
Unit = {
Description = "Emacs, the extensible editor";
After = [ "graphical-session-pre.target" ];
PartOf = [ "graphical-session.target" ];
After = ["graphical-session-pre.target"];
PartOf = ["graphical-session.target"];
};
Service = {
@ -28,7 +34,7 @@
ExecStart = ''/bin/sh -l -c "emacs --fg-daemon"'';
};
Install = { WantedBy = [ "graphical-session.target" ]; };
Install = {WantedBy = ["graphical-session.target"];};
};
home.file = {
@ -45,18 +51,18 @@
".emacs.d/mu4e-contexts".source = secret.emacs.mu4eContexts or ./.;
".emacs.d/tree-sitter".source = pkgs.tree-sitter-grammars;
".emacs.d/vterm-module".source = pkgs.stdenv.mkDerivation {
name = "vterm-emacs";
src = inputs'.vtermModule;
buildInputs = with pkgs; [cmake libtool glib.dev libvterm-neovim];
cmakeFlags = [
"-DEMACS_SOURCE=${inputs'.emacs}"
"-DUSE_SYSTEM_LIBVTERM=ON"
];
installPhase = ''
mkdir -p $out/lib
install ../vterm-module.so $out/lib
'';
};
name = "vterm-emacs";
src = inputs'.vtermModule;
buildInputs = with pkgs; [cmake libtool glib.dev libvterm-neovim];
cmakeFlags = [
"-DEMACS_SOURCE=${inputs'.emacs}"
"-DUSE_SYSTEM_LIBVTERM=ON"
];
installPhase = ''
mkdir -p $out/lib
install ../vterm-module.so $out/lib
'';
};
".emacs.d/profile".source = pkgs.buildEnv {
name = "emacs-env";
paths = with pkgs; [
@ -72,13 +78,13 @@
imagemagick
texlive.combined.scheme-full
(hunspellWithDicts (with hunspellDicts; [
sk-sk
en-us
sk-sk
en-us
]))
ledger-compat
python311Packages.pygments
hledger
(rWrapper.override{ packages = with rPackages; [ ggplot2 ascii car ]; })
(rWrapper.override {packages = with rPackages; [ggplot2 ascii car];})
xclip
];
};


@ -1,12 +1,11 @@
{ pkgs, ... }:
{
{pkgs, ...}: {
home.file.".keynavrc".source = ./keynavrc;
systemd.user.services.keynav = {
Unit = {
Description = "keynav";
After = [ "graphical-session-pre.target" ];
PartOf = [ "graphical-session.target" ];
After = ["graphical-session-pre.target"];
PartOf = ["graphical-session.target"];
};
Service = {
@ -15,6 +14,6 @@
Restart = "always";
};
Install = { WantedBy = [ "graphical-session.target" ]; };
Install = {WantedBy = ["graphical-session.target"];};
};
}


@ -1,25 +1,25 @@
{ inputs', pkgs, ... }:
{
inputs',
pkgs,
...
}: {
services.pantalaimon = {
enable = true;
# TODO switch to unstable when PR263669 is merged
package = inputs'.nixpkgs-stable.legacyPackages.${pkgs.stdenv.system}.pantalaimon;
settings =
{
Default =
{
LogLevel = "Info";
SSL = true;
};
local-matrix =
{
Homeserver = "https://matrix.redalder.org";
ListenAddress = "127.0.0.1";
ListenPort = 8008;
UseKeyring = false;
IgnoreVerification = true;
SSL = false;
};
settings = {
Default = {
LogLevel = "Info";
SSL = true;
};
local-matrix = {
Homeserver = "https://matrix.redalder.org";
ListenAddress = "127.0.0.1";
ListenPort = 8008;
UseKeyring = false;
IgnoreVerification = true;
SSL = false;
};
};
};
}


@ -1,11 +1,14 @@
{ pkgs, lib, ... }:
{
pkgs,
lib,
...
}: {
home.file.".config/picom.conf".source = ./picom.conf;
systemd.user.services.picom = {
Unit = {
Description = "Picom compositor";
After = [ "graphical-session-pre.target" ];
PartOf = [ "graphical-session.target" ];
After = ["graphical-session-pre.target"];
PartOf = ["graphical-session.target"];
};
Service = {
@ -13,6 +16,6 @@
ExecStart = ''/bin/sh -l -c "${lib.getExe pkgs.picom} --config ~/.config/picom.conf"'';
};
Install = { WantedBy = [ "graphical-session.target" ]; };
Install = {WantedBy = ["graphical-session.target"];};
};
}


@ -1,13 +1,19 @@
{ config, pkgs, lib, ... }:
let
inherit (lib)
{
config,
pkgs,
lib,
...
}: let
inherit
(lib)
optional
;
in
{
home.packages = with pkgs; [
file
] ++ (optional (pkgs.stdenv.system != "armv6l-linux" && pkgs.stdenv.system != "armv7l-linux") git-annex);
in {
home.packages = with pkgs;
[
file
]
++ (optional (pkgs.stdenv.system != "armv6l-linux" && pkgs.stdenv.system != "armv7l-linux") git-annex);
imports = [
../bash


@ -1,12 +1,18 @@
{ config, pkgs, lib, ... }:
let
inherit (lib)
{
config,
pkgs,
lib,
...
}: let
inherit
(lib)
singleton
getExe
makeBinPath;
makeBinPath
;
locker = pkgs.writeShellScript "i3lock-dynamic-image" ''
export PATH=${makeBinPath (with pkgs; [ xorg.xrandr gnugrep coreutils imagemagick i3lock ])}:$PATH
export PATH=${makeBinPath (with pkgs; [xorg.xrandr gnugrep coreutils imagemagick i3lock])}:$PATH
WALLPAPER_CACHE="$HOME/.local/tmp/wallpaper_cache"
@ -41,8 +47,7 @@ let
wait
fi
'';
in
{
in {
services.screen-locker = {
enable = true;
inactiveInterval = 5;


@ -1,5 +1,4 @@
{ config, ... }:
{
{config, ...}: {
programs.ssh = {
enable = true;


@ -1,10 +1,14 @@
{ pkgs, lib, ... }:
let
inherit (lib)
singleton
getExe;
in
{
pkgs,
lib,
...
}: let
inherit
(lib)
singleton
getExe
;
in {
systemd.user.services.wallpaper = {
Unit = {
Description = "Applies wallpaper";


@ -1,14 +1,18 @@
{ lib, flake-parts-lib, ... }:
let
inherit (lib)
{
lib,
flake-parts-lib,
...
}: let
inherit
(lib)
mkOption
types
;
inherit (flake-parts-lib)
inherit
(flake-parts-lib)
mkSubmoduleOptions
;
in
{
in {
options = {
flake = mkSubmoduleOptions {
libOverlays = mkOption {
@ -17,7 +21,7 @@ in
type = types.lazyAttrsOf (types.uniq (types.functionTo (types.functionTo (types.lazyAttrsOf types.unspecified))));
# This eta expansion exists for the sole purpose of making nix flake check happy.
apply = lib.mapAttrs (_k: f: final: prev: f final prev);
default = { };
default = {};
example = lib.literalExpression or lib.literalExample ''
{
default = final: prev: {};


@ -1,21 +1,25 @@
# copied straight from https://github.com/hercules-ci/flake-parts/blob/main/modules/nixosConfigurations.nix
{ lib, flake-parts-lib, ... }:
let
inherit (lib)
{
lib,
flake-parts-lib,
...
}: let
inherit
(lib)
mkOption
types
literalExpression
;
inherit (flake-parts-lib)
inherit
(flake-parts-lib)
mkSubmoduleOptions
;
in
{
in {
options = {
flake = mkSubmoduleOptions {
nixngConfigurations = mkOption {
type = types.lazyAttrsOf types.raw;
default = { };
default = {};
description = ''
Instantiated NixNG configurations.
`nixngConfigurations` is for specific machines. If you want to expose


@ -1,31 +1,31 @@
{ inputs, config, ... }:
{
inputs,
config,
...
}: {
flake.nixngConfigurations.ds3os = inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "ds3os";
inherit (inputs) nixpkgs;
config =
{ pkgs, ... }:
{
config = {
dumb-init = {
enable = true;
type.services = { };
};
config = {pkgs, ...}: {
config = {
dumb-init = {
enable = true;
type.services = {};
};
init.services.ds3os = {
enabled = true;
shutdownOnExit = true;
script =
let
pkgs' = pkgs.appendOverlays [ config.flake.overlays.ds3os ];
in
pkgs.writeShellScript "ds3os"
''
exec ${pkgs'.ds3os}/bin/ds3os
'';
};
init.services.ds3os = {
enabled = true;
shutdownOnExit = true;
script = let
pkgs' = pkgs.appendOverlays [config.flake.overlays.ds3os];
in
pkgs.writeShellScript "ds3os"
''
exec ${pkgs'.ds3os}/bin/ds3os
'';
};
};
};
};
}


@ -1,87 +1,84 @@
{ inputs, ... }:
{
{inputs, ...}: {
flake.nixngConfigurations.dovecot = inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "ra-systems-dovecot";
inherit (inputs) nixpkgs;
config =
{ pkgs, ... }:
{
config = {
dumb-init = {
enable = true;
type.services = {};
};
config = {pkgs, ...}: {
config = {
dumb-init = {
enable = true;
type.services = {};
};
services.dovecot = {
enable = true;
package = pkgs.dovecot;
config = {
protocols = "imap lmtp";
services.dovecot = {
enable = true;
package = pkgs.dovecot;
config = {
protocols = "imap lmtp";
# auth
ssl = "no";
disable_plaintext_auth = "no";
auth_mechanisms = "plain login";
# auth
ssl = "no";
disable_plaintext_auth = "no";
auth_mechanisms = "plain login";
mail_location = "maildir:/maildir/%u";
mail_location = "maildir:/maildir/%u";
protocol."imap" = { };
protocol."lmtp" = {
mail_plugins = [ "sieve" ];
protocol."imap" = {};
protocol."lmtp" = {
mail_plugins = ["sieve"];
};
plugin."" = {
sieve = "/mail-configuration/entry.sieve";
};
mail_plugin_dir = pkgs.symlinkJoin {
name = "dovecot-modules";
paths = map (pkg: "${pkg}/lib/dovecot") [pkgs.dovecot pkgs.dovecot_pigeonhole];
};
# Optimizations:
# dotlock_use_excl = true;
maildir_copy_with_hardlinks = true;
lda_mailbox_autocreate = "yes";
lmtp_save_to_detail_mailbox = "yes";
service."lmtp" = {
inet_listener."lmtp" = {
address = ["127.0.0.1"];
port = 24;
};
};
service."imap-login" = {
inet_listener."imap" = {
port = 143;
};
plugin."" = {
sieve = "/mail-configuration/entry.sieve";
};
# inet_listener."imaps" = {
# port = 993;
# ssl = "yes";
# };
};
mail_plugin_dir = pkgs.symlinkJoin {
name = "dovecot-modules";
paths = map (pkg: "${pkg}/lib/dovecot") ([ pkgs.dovecot pkgs.dovecot_pigeonhole ]);
};
# Authentication configuration:
auth_debug = true;
log_path = "/proc/self/fd/1";
info_log_path = "/proc/self/fd/1";
debug_log_path = "/proc/self/fd/1";
# Optimizations:
# dotlock_use_excl = true;
maildir_copy_with_hardlinks = true;
lda_mailbox_autocreate = "yes";
lmtp_save_to_detail_mailbox = "yes";
service."lmtp" = {
inet_listener."lmtp" = {
address = [ "127.0.0.1" ];
port = 24;
};
};
service."imap-login" = {
inet_listener."imap" = {
port = 143;
};
# inet_listener."imaps" = {
# port = 993;
# ssl = "yes";
# };
};
# Authentication configuration:
auth_debug = true;
log_path = "/proc/self/fd/1";
info_log_path = "/proc/self/fd/1";
debug_log_path = "/proc/self/fd/1";
passdb."" = {
driver = "passwd-file";
args = "scheme=plain username_format=%u /secrets/passwd.dovecot";
};
userdb."" = {
driver = "passwd-file";
args = "username_format=%u /secrets/passwd.dovecot";
default_fields = "uid=vmail gid=vmail home=/maildir/%u";
};
passdb."" = {
driver = "passwd-file";
args = "scheme=plain username_format=%u /secrets/passwd.dovecot";
};
userdb."" = {
driver = "passwd-file";
args = "username_format=%u /secrets/passwd.dovecot";
default_fields = "uid=vmail gid=vmail home=/maildir/%u";
};
};
};
};
};
};
}
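Review bot: The dovecot config on the new side combines `ssl = "no"`, `disable_plaintext_auth = "no"`, `auth_mechanisms = "plain login"` and a `passwd-file` passdb with `scheme=plain`, and the `imap-login` inet_listener on port 143 carries no `address` restriction while the lmtp listener is pinned to `127.0.0.1`. If port 143 of this container is reachable from anything other than a TLS-terminating proxy on the same host, both the IMAP logins and the stored credentials travel and rest in clear; that may be deliberate behind the ingress, but the file does not say so. `auth_debug = true` additionally writes authentication detail to stdout for a long-running service, which is more than production logging usually wants. The commit only reformats, so these predate it; a comment above the auth block would make the assumption explicit, e.g. `# plaintext auth + plain password file: acceptable only because 143 is reached through the TLS-terminating ingress on this host — confirm`.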


@ -1,79 +1,85 @@
{ inputs, config, ... }:
let
config' = config;
in
{
inputs,
config,
...
}: let
config' = config;
in {
flake.nixngConfigurations.getmail = inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "ra-systems-getmail";
inherit (inputs)
nixpkgs;
config =
{ pkgs, config, ... }:
{
config = {
dumb-init = {
enable = true;
type.services = {};
};
inherit
(inputs)
nixpkgs
;
config = {
pkgs,
config,
...
}: {
config = {
dumb-init = {
enable = true;
type.services = {};
};
users.users."vmail" = {
uid = config.ids.uids.vmail;
description = "vmail user.";
group = "vmail";
shell = "${pkgs.bash}/bin/bash";
};
users.groups."vmail" = {
gid = config.ids.gids.vmail;
};
users.users."vmail" = {
uid = config.ids.uids.vmail;
description = "vmail user.";
group = "vmail";
shell = "${pkgs.bash}/bin/bash";
};
users.groups."vmail" = {
gid = config.ids.gids.vmail;
};
init.services.getmail = {
shutdownOnExit = true;
script =
let
pkgs' = pkgs.appendOverlays (with config'.flake.overlays; [
courier-unicode
getmail6
maildrop
]);
PATH = with pkgs'; lib.makeBinPath [
jq
busybox
runit
bash
getmail6
maildrop
];
in
pkgs.writeShellScript "getmail-run" ''
export PATH=${PATH}:${pkgs.opensmtpd}/libexec/opensmtpd:$PATH
init.services.getmail = {
shutdownOnExit = true;
script = let
pkgs' = pkgs.appendOverlays (with config'.flake.overlays; [
courier-unicode
getmail6
maildrop
]);
PATH = with pkgs';
lib.makeBinPath [
jq
busybox
runit
bash
getmail6
maildrop
];
in
pkgs.writeShellScript "getmail-run" ''
export PATH=${PATH}:${pkgs.opensmtpd}/libexec/opensmtpd:$PATH
set -m
set -m
for rcfile in /mail-configuration/getmail.d/*.rc
for rcfile in /mail-configuration/getmail.d/*.rc
do
filename="$(basename "''${rcfile}")"
email="''${filename%".rc"}"
mkdir -p "/getmail.d/''${email}"
chown vmail:vmail -R "/getmail.d/''${email}"
(
while true
do
filename="$(basename "''${rcfile}")"
email="''${filename%".rc"}"
mkdir -p "/getmail.d/''${email}"
chown vmail:vmail -R "/getmail.d/''${email}"
(
while true
do
chpst -u vmail:vmail getmail -i INBOX -n -r "$rcfile" --getmaildir "/mail-configuration/getmail.d/''${email}"
sleep 10
done
) &
chpst -u vmail:vmail getmail -i INBOX -n -r "$rcfile" --getmaildir "/mail-configuration/getmail.d/''${email}"
sleep 10
done
) &
done
wait
'';
enabled = true;
};
wait
'';
enabled = true;
};
};
};
};
}
# /usr/lib/sendmail -i -oem -f %F %T
# /usr/lib/sendmail -i -oem -f %F %T


@ -1,128 +1,131 @@
{ inputs, ... }:
{
{inputs, ...}: {
flake.nixngConfigurations.postfix = inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "nixng-postfix";
inherit (inputs)
nixpkgs;
config =
{ pkgs, config, ... }:
{
config = {
dumb-init = {
enable = true;
type.services = {};
};
init.services.postfix = {
shutdownOnExit = true;
};
services.postfix = {
enable = true;
inherit
(inputs)
nixpkgs
;
config = {
pkgs,
config,
...
}: {
config = {
dumb-init = {
enable = true;
type.services = {};
};
init.services.postfix = {
shutdownOnExit = true;
};
services.postfix = {
enable = true;
masterConfig = import ./master_config.nix;
mainConfig = {
smptd_banner = [ "$myhostname" "ESMTP" "$mail_name" "(Ubuntu)" ];
biff = "no";
masterConfig = import ./master_config.nix;
mainConfig = {
smptd_banner = ["$myhostname" "ESMTP" "$mail_name" "(Ubuntu)"];
biff = "no";
# delay_warning_time = "4h";
# delay_warning_time = "4h";
append_dot_mydomain = "no";
append_dot_mydomain = "no";
readme_directory = "no";
readme_directory = "no";
compatibility_level = 2;
compatibility_level = 2;
smtpd_tls_cert_file = "/etc/letsencrypt/live/example.com/fullchain.pem";
smtpd_tls_key_file = "/etc/letsencrypt/live/example.com/privkey.pem";
smtpd_use_tls = "yes";
smtpd_tls_auth_only = "yes";
smtp_tls_security_level = "may";
smtpd_tls_security_level = "may";
smtpd_sasl_security_options = [ "noanonymous" "noplaintext" ];
smtpd_sasl_tls_security_options = "noanonymous";
smtpd_tls_cert_file = "/etc/letsencrypt/live/example.com/fullchain.pem";
smtpd_tls_key_file = "/etc/letsencrypt/live/example.com/privkey.pem";
smtpd_use_tls = "yes";
smtpd_tls_auth_only = "yes";
smtp_tls_security_level = "may";
smtpd_tls_security_level = "may";
smtpd_sasl_security_options = ["noanonymous" "noplaintext"];
smtpd_sasl_tls_security_options = "noanonymous";
smtpd_sasl_type = "dovecot";
smtpd_sasl_path = "private/auth";
smtpd_sals_auth_enable = "yes";
smtpd_sasl_type = "dovecot";
smtpd_sasl_path = "private/auth";
smtpd_sals_auth_enable = "yes";
smtpd_helo_restrictions = [
"permit_mynetworks"
"permit_sals_authenticated"
"reject_invalid_helo_hostname"
"reject_non_fqdn_helo_hostname"
];
smtpd_recipient_restrictions = [
"permit_mynetworks"
"permit_sasl_authenticated"
"reject_non_fqdn_recipient"
"reject_unknown_recipient_domain"
"reject_unlisted_recipient"
"reject_unauth_destination"
];
smtpd_sender_restrictions = [
"permit_mynetworks"
"permit_sasl_authenticated"
"reject_non_fqdn_sender"
"reject_unknown_sender_domain"
];
smtpd_relay_restrictions = [
"permit_mynetworks"
"permit_sasl_authenticated"
"defer_unauth_destination"
];
smtpd_helo_restrictions = [
"permit_mynetworks"
"permit_sals_authenticated"
"reject_invalid_helo_hostname"
"reject_non_fqdn_helo_hostname"
];
smtpd_recipient_restrictions = [
"permit_mynetworks"
"permit_sasl_authenticated"
"reject_non_fqdn_recipient"
"reject_unknown_recipient_domain"
"reject_unlisted_recipient"
"reject_unauth_destination"
];
smtpd_sender_restrictions = [
"permit_mynetworks"
"permit_sasl_authenticated"
"reject_non_fqdn_sender"
"reject_unknown_sender_domain"
];
smtpd_relay_restrictions = [
"permit_mynetworks"
"permit_sasl_authenticated"
"defer_unauth_destination"
];
myhostname = "example.org";
alias_maps = "hash:/etc/aliases";
alias_database = "hash:/etc/aliases";
mydoamin = "example.org";
myorigin = "$mydomain";
mydestination = "localhost";
relayhost = "";
mynetworks = [
"127.0.0.0/8"
"[::ffff:127.0.0.0]/104"
"[::1]/128"
];
mailbox_size_limit = 0;
recipient_delimiter = "+";
inet_interfaces = "all";
inet_protocols = "all";
myhostname = "example.org";
alias_maps = "hash:/etc/aliases";
alias_database = "hash:/etc/aliases";
mydoamin = "example.org";
myorigin = "$mydomain";
mydestination = "localhost";
relayhost = "";
mynetworks = [
"127.0.0.0/8"
"[::ffff:127.0.0.0]/104"
"[::1]/128"
];
mailbox_size_limit = 0;
recipient_delimiter = "+";
inet_interfaces = "all";
inet_protocols = "all";
virtual_transport = "lmtp:unix:private/dovecot-lmtp";
virtual_transport = "lmtp:unix:private/dovecot-lmtp";
virtual_mailbox_domains = "mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf";
virtual_mailbox_maps = "mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf";
virtual_alias_maps = [
"mysql:/etc/postfix/mysql-virtual-alias-maps.cf"
"mysql:/etc/postfix/mysql-virtual-email2email.cf"
];
virtual_mailbox_domains = "mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf";
virtual_mailbox_maps = "mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf";
virtual_alias_maps = [
"mysql:/etc/postfix/mysql-virtual-alias-maps.cf"
"mysql:/etc/postfix/mysql-virtual-email2email.cf"
];
disable_vrfy_command = "yes";
strict_rfc821_envelopes = "yes";
# smtpd_etrn_restrictions = "yes";
# smtpd_reject_unlisted_sender = "yes";
# smtpd_reject_unlisted_recipient = "yes";
smtpd_delay_reject = "yes";
smtpd_helo_required = "yes";
smtp_always_send_ehlo = "yes";
# smtpd_hard_error_limit = 1;
smtpd_timeout = "30s";
smtp_helo_timeout = "15s";
smtp_rcpt_timeout = "15s";
smtpd_recipient_limit = "15s";
minimal_backoff_time = "180s";
maximal_backoff_time = "3h";
disable_vrfy_command = "yes";
strict_rfc821_envelopes = "yes";
# smtpd_etrn_restrictions = "yes";
# smtpd_reject_unlisted_sender = "yes";
# smtpd_reject_unlisted_recipient = "yes";
smtpd_delay_reject = "yes";
smtpd_helo_required = "yes";
smtp_always_send_ehlo = "yes";
# smtpd_hard_error_limit = 1;
smtpd_timeout = "30s";
smtp_helo_timeout = "15s";
smtp_rcpt_timeout = "15s";
smtpd_recipient_limit = "15s";
minimal_backoff_time = "180s";
maximal_backoff_time = "3h";
invalid_hostname_reject_code = 550;
non_fqdn_reject_code = 550;
unknown_address_reject_code = 550;
unknown_client_reject_code = 550;
unknown_hostname_reject_code = 550;
unverified_recipent_reject_code = 550;
unverified_sender_reject_code = 550;
};
invalid_hostname_reject_code = 550;
non_fqdn_reject_code = 550;
unknown_address_reject_code = 550;
unknown_client_reject_code = 550;
unknown_hostname_reject_code = 550;
unverified_recipent_reject_code = 550;
unverified_sender_reject_code = 550;
};
};
};
};
};
}
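Review bot: Several Postfix parameter and restriction names in `mainConfig` on the new side are misspelled and therefore never take effect: `smptd_banner`, `smtpd_sals_auth_enable`, `permit_sals_authenticated` (in `smtpd_helo_restrictions`), `mydoamin` and `unverified_recipent_reject_code`; `smtpd_recipient_limit = "15s"` also supplies a duration where Postfix expects an integer recipient count. Postfix only warns about unknown main.cf parameters, so SASL authentication stays off and `myorigin = "$mydomain"` resolves to the derived default rather than the value set here, while an unrecognised name inside a restriction list is treated by smtpd as a configuration error for every client it evaluates. The other three restriction lists already spell `permit_sasl_authenticated` correctly, so the helo list is the odd one out. The commit only reformats and these predate it, but the reformatted lines are the ones to correct.
```nix
mainConfig = {
  smtpd_banner = ["$myhostname" "ESMTP" "$mail_name" "(Ubuntu)"];
  # … unchanged: biff, append_dot_mydomain, readme_directory, compatibility_level, TLS and SASL options …
  smtpd_sasl_auth_enable = "yes";
  smtpd_helo_restrictions = [
    "permit_mynetworks"
    "permit_sasl_authenticated"
    "reject_invalid_helo_hostname"
    "reject_non_fqdn_helo_hostname"
  ];
  # … unchanged: recipient/sender/relay restrictions, myhostname, alias maps …
  mydomain = "example.org";
  # … unchanged: myorigin … smtp_rcpt_timeout …
  smtpd_recipient_limit = 1000; # Postfix default; a count, not a duration — set the intended value
  # … unchanged: backoff times and the other reject codes …
  unverified_recipient_reject_code = 550;
```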


@ -1,27 +1,153 @@
{
pickup = { type = "unix"; private = "n"; chroot = "n"; wakeup = "60"; maxproc = 1; command = "pickup"; };
cleanup = { type = "unix"; private = "n"; chroot = "n"; maxproc = 0; command = "cleanup"; };
qmgr = { type = "unix"; private = "n"; chroot = "n"; wakeup = "300"; maxproc = 1; command = "qmgr"; };
tlsmgr = { type = "unix"; wakeup = "1000?"; maxproc = 1; command = "tlsmgr"; };
rewrite = { type = "unix"; chroot = "n"; command = "trivial-rewrite"; };
bounce = { type = "unix"; chroot = "n"; maxproc = 0; command = "bounce"; };
defer = { type = "unix"; chroot = "n"; maxproc = 0; command = "bounce"; };
trace = { type = "unix"; chroot = "n"; maxproc = 0; command = "bounce"; };
verify = { type = "unix"; chroot = "n"; maxproc = 1; command = "verify"; };
flush = { type = "unix"; chroot = "n"; wakeup = "1000?"; maxproc = 0; command = "flush"; };
proxymap = { type = "unix"; chroot = "n"; command = "proxymap"; };
proxywrite = { type = "unix"; chroot = "n"; maxproc = 1; command = "proxymap"; };
smtp = [ { type = "unix"; chroot = "n"; command = "smtp"; }
{ type = "inet"; private = "n"; chroot = "n"; command = "smtpd"; } ];
relay = { type = "unix"; chroot = "n"; command = "smtp -o syslog_name=postfix/$service_name"; }; # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq = { type = "unix"; private = "n"; chroot = "n"; command = "showq"; };
error = { type = "unix"; chroot = "n"; command = "error"; };
retry = { type = "unix"; chroot = "n"; command = "error"; };
discard = { type = "unix"; chroot = "n"; command = "discard"; };
local = { type = "unix"; unpriv = "n"; chroot = "n"; command = "local"; };
virtual = { type = "unix"; unpriv = "n"; chroot = "n"; command = "virtual"; };
lmtp = { type = "unix"; chroot = "n"; command = "lmtp"; };
anvil = { type = "unix"; chroot = "n"; maxproc = 1; command = "anvil"; };
scache = { type = "unix"; chroot = "n"; maxproc = 1; command = "scache"; };
postlog = { type = "unix-dgram"; private = "n"; chroot = "n"; maxproc = 1; command = "postlogd"; };
pickup = {
type = "unix";
private = "n";
chroot = "n";
wakeup = "60";
maxproc = 1;
command = "pickup";
};
cleanup = {
type = "unix";
private = "n";
chroot = "n";
maxproc = 0;
command = "cleanup";
};
qmgr = {
type = "unix";
private = "n";
chroot = "n";
wakeup = "300";
maxproc = 1;
command = "qmgr";
};
tlsmgr = {
type = "unix";
wakeup = "1000?";
maxproc = 1;
command = "tlsmgr";
};
rewrite = {
type = "unix";
chroot = "n";
command = "trivial-rewrite";
};
bounce = {
type = "unix";
chroot = "n";
maxproc = 0;
command = "bounce";
};
defer = {
type = "unix";
chroot = "n";
maxproc = 0;
command = "bounce";
};
trace = {
type = "unix";
chroot = "n";
maxproc = 0;
command = "bounce";
};
verify = {
type = "unix";
chroot = "n";
maxproc = 1;
command = "verify";
};
flush = {
type = "unix";
chroot = "n";
wakeup = "1000?";
maxproc = 0;
command = "flush";
};
proxymap = {
type = "unix";
chroot = "n";
command = "proxymap";
};
proxywrite = {
type = "unix";
chroot = "n";
maxproc = 1;
command = "proxymap";
};
smtp = [
{
type = "unix";
chroot = "n";
command = "smtp";
}
{
type = "inet";
private = "n";
chroot = "n";
command = "smtpd";
}
];
relay = {
type = "unix";
chroot = "n";
command = "smtp -o syslog_name=postfix/$service_name";
}; # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq = {
type = "unix";
private = "n";
chroot = "n";
command = "showq";
};
error = {
type = "unix";
chroot = "n";
command = "error";
};
retry = {
type = "unix";
chroot = "n";
command = "error";
};
discard = {
type = "unix";
chroot = "n";
command = "discard";
};
local = {
type = "unix";
unpriv = "n";
chroot = "n";
command = "local";
};
virtual = {
type = "unix";
unpriv = "n";
chroot = "n";
command = "virtual";
};
lmtp = {
type = "unix";
chroot = "n";
command = "lmtp";
};
anvil = {
type = "unix";
chroot = "n";
maxproc = 1;
command = "anvil";
};
scache = {
type = "unix";
chroot = "n";
maxproc = 1;
command = "scache";
};
postlog = {
type = "unix-dgram";
private = "n";
chroot = "n";
maxproc = 1;
command = "postlogd";
};
}


@ -1,26 +1,22 @@
{ inputs, ... }:
{
flake.nixngConfigurations.fileStash =
inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "filestash";
inherit (inputs) nixpkgs;
config =
{ pkgs, ... }:
{
dumb-init = {
enable = true;
type.services = {};
};
{inputs, ...}: {
flake.nixngConfigurations.fileStash = inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "filestash";
inherit (inputs) nixpkgs;
config = {pkgs, ...}: {
dumb-init = {
enable = true;
type.services = {};
};
nixpkgs.overlays = [
inputs.filestash-nix.overlays.default
];
nixpkgs.overlays = [
inputs.filestash-nix.overlays.default
];
services.filestash = {
enable = true;
package = pkgs.filestash;
};
};
services.filestash = {
enable = true;
package = pkgs.filestash;
};
};
};
}


@ -3,48 +3,56 @@
description = "";
id = "dff10ca7-a27c-469a-8015-bd6899458c8d";
action = [{
"else" = [{ stop = ""; }];
"if" = [{
condition = "trigger";
id = "brightness_down";
}];
"then" = [{
repeat = {
sequence = [
{
data = { brightness_step_pct = 10; };
service = "light.turn_on";
target = { entity_id = "light.bathroom_lights"; };
}
{
delay = {
hours = 0;
milliseconds = 200;
minutes = 0;
seconds = 0;
};
}
];
while = [{
condition = "not";
conditions = [ ];
}];
};
}];
}];
action = [
{
"else" = [{stop = "";}];
"if" = [
{
condition = "trigger";
id = "brightness_down";
}
];
"then" = [
{
repeat = {
sequence = [
{
data = {brightness_step_pct = 10;};
service = "light.turn_on";
target = {entity_id = "light.bathroom_lights";};
}
{
delay = {
hours = 0;
milliseconds = 200;
minutes = 0;
seconds = 0;
};
}
];
while = [
{
condition = "not";
conditions = [];
}
];
};
}
];
}
];
condition = [ ];
condition = [];
trigger = [
{
entity_id = [ "sensor.0x540f57fffe3c601d_action" ];
entity_id = ["sensor.0x540f57fffe3c601d_action"];
id = "brightness_down";
platform = "state";
to = "brightness_move_up";
}
{
entity_id = [ "sensor.0x540f57fffe3c601d_action" ];
entity_id = ["sensor.0x540f57fffe3c601d_action"];
platform = "state";
to = "brightness_stop";
}


@ -5,50 +5,58 @@
trigger = [
{
entity_id = [ "sensor.0x540f57fffe3c601d_action" ];
entity_id = ["sensor.0x540f57fffe3c601d_action"];
id = "brightness_down";
platform = "state";
to = "brightness_move_down";
}
{
entity_id = [ "sensor.0x540f57fffe3c601d_action" ];
entity_id = ["sensor.0x540f57fffe3c601d_action"];
platform = "state";
to = "brightness_stop";
}
];
condition = [ ];
condition = [];
action = [{
"else" = [{ stop = ""; }];
"if" = [{
condition = "trigger";
id = "brightness_down";
}];
"then" = [{
repeat = {
sequence = [
{
data = { brightness_step_pct = -10; };
service = "light.turn_on";
target = { entity_id = "light.bathroom_lights"; };
}
{
delay = {
hours = 0;
milliseconds = 200;
minutes = 0;
seconds = 0;
};
}
];
while = [{
condition = "not";
conditions = [ ];
}];
};
}];
}];
action = [
{
"else" = [{stop = "";}];
"if" = [
{
condition = "trigger";
id = "brightness_down";
}
];
"then" = [
{
repeat = {
sequence = [
{
data = {brightness_step_pct = -10;};
service = "light.turn_on";
target = {entity_id = "light.bathroom_lights";};
}
{
delay = {
hours = 0;
milliseconds = 200;
minutes = 0;
seconds = 0;
};
}
];
while = [
{
condition = "not";
conditions = [];
}
];
};
}
];
}
];
mode = "restart";
}


@ -3,22 +3,26 @@
description = "";
id = "5f773a4d-5a52-4483-a49d-9c0944ea0b21";
trigger = [{
device_id = "bf6aed0be7735065cddf5a0c11629661";
discovery_id = "0x540f57fffe3c601d action_off";
domain = "mqtt";
platform = "device";
subtype = "off";
type = "action";
}];
trigger = [
{
device_id = "bf6aed0be7735065cddf5a0c11629661";
discovery_id = "0x540f57fffe3c601d action_off";
domain = "mqtt";
platform = "device";
subtype = "off";
type = "action";
}
];
condition = [ ];
condition = [];
action = [{
data = { };
service = "light.turn_off";
target = { entity_id = "light.bathroom_lights"; };
}];
action = [
{
data = {};
service = "light.turn_off";
target = {entity_id = "light.bathroom_lights";};
}
];
mode = "single";
}


@ -3,22 +3,26 @@
description = "";
id = "1330a1c7-3f3f-488e-8aba-aea8937236ce";
trigger = [{
device_id = "bf6aed0be7735065cddf5a0c11629661";
discovery_id = "0x540f57fffe3c601d action_on";
domain = "mqtt";
platform = "device";
subtype = "on";
type = "action";
}];
trigger = [
{
device_id = "bf6aed0be7735065cddf5a0c11629661";
discovery_id = "0x540f57fffe3c601d action_on";
domain = "mqtt";
platform = "device";
subtype = "on";
type = "action";
}
];
condition = [ ];
condition = [];
action = [{
data = { };
service = "light.turn_on";
target = { entity_id = "light.bathroom_lights"; };
}];
action = [
{
data = {};
service = "light.turn_on";
target = {entity_id = "light.bathroom_lights";};
}
];
mode = "single";
}


@ -1,13 +1,20 @@
{ inputs, lib, ... }:
let
callPackage = lib.callPackageWith {
inherit (inputs)
nixpkgs nixng;
inherit (inputs.nixng.nglib)
makeSystem;
};
in
{
inputs,
lib,
...
}: let
callPackage = lib.callPackageWith {
inherit
(inputs)
nixpkgs
nixng
;
inherit
(inputs.nixng.nglib)
makeSystem
;
};
in {
flake.nixngConfigurations.homeAssistant = callPackage ./home-assistant.nix {};
flake.nixngConfigurations.homeAssistantPostgresql = callPackage ./postgresql.nix {};
flake.nixngConfigurations.zigbee2mqtt = callPackage ./zigbee2mqtt.nix {};


@ -1,34 +1,33 @@
{ makeSystem
, nixpkgs
{
makeSystem,
nixpkgs,
}:
makeSystem {
system = "x86_64-linux";
name = "nixng-mosquitto";
inherit nixpkgs;
config =
{ pkgs, ... }:
{
config = {
dumb-init = {
enable = true;
type.services = {};
};
config = {pkgs, ...}: {
config = {
dumb-init = {
enable = true;
type.services = {};
};
init.services.mosquitto = {
shutdownOnExit = true;
};
init.services.mosquitto = {
shutdownOnExit = true;
};
services.mosquitto = {
enable = true;
config = {
listener = [
"1883 0.0.0.0"
{
password_file = "/secrets/mqtt_password";
}
];
};
services.mosquitto = {
enable = true;
config = {
listener = [
"1883 0.0.0.0"
{
password_file = "/secrets/mqtt_password";
}
];
};
};
};
};
}


@ -1,42 +1,46 @@
{ makeSystem
, nixpkgs
{
makeSystem,
nixpkgs,
}:
makeSystem {
system = "x86_64-linux";
name = "nixng-hass-postgresql";
inherit nixpkgs;
config =
{ pkgs, lib, ... }:
let
inherit (lib)
singleton;
in
{
config = {
dumb-init = {
enable = true;
type.services = {};
config = {
pkgs,
lib,
...
}: let
inherit
(lib)
singleton
;
in {
config = {
dumb-init = {
enable = true;
type.services = {};
};
services.postgresql = {
enable = true;
package = pkgs.postgresql_12;
initialScript = "/secrets/init.sql";
enableTCPIP = true;
authentication = "host all all all md5";
ensureDatabases = ["hass"];
ensureExtensions = {
"pg_trgm" = ["hass"];
};
services.postgresql = {
enable = true;
package = pkgs.postgresql_12;
initialScript = "/secrets/init.sql";
enableTCPIP = true;
authentication = "host all all all md5";
ensureDatabases = [ "hass" ];
ensureExtensions = {
"pg_trgm" = [ "hass" ];
};
ensureUsers = singleton {
name = "hass";
ensurePermissions = {
"DATABASE \"hass\"" = "ALL PRIVILEGES";
};
ensureUsers = singleton {
name = "hass";
ensurePermissions = {
"DATABASE \"hass\"" = "ALL PRIVILEGES";
};
};
};
};
};
}


@ -1,54 +1,51 @@
{ makeSystem
, nixpkgs
{
makeSystem,
nixpkgs,
}:
makeSystem {
system = "x86_64-linux";
name = "nixng-zigbee2mqtt";
inherit nixpkgs;
config =
{ pkgs, ... }:
{
config = {
dumb-init = {
enable = true;
type.services = { };
};
config = {pkgs, ...}: {
config = {
dumb-init = {
enable = true;
type.services = {};
};
init.services.zigbee2mqtt = {
shutdownOnExit = true;
};
init.services.zigbee2mqtt = {
shutdownOnExit = true;
};
services.zigbee2mqtt = {
enable = true;
user = "root";
envsubst = true;
config = {
homeassistant = true;
permit_join = false;
mqtt = {
base_topic = "zigbee2mqtt";
server = "mqtt://127.0.0.1:1883";
user = "\${MQTT_USER}";
password = "\${MQTT_PASSWORD}";
};
frontend = {
port = 8456;
host = "0.0.0.0";
};
advanced.pan_id = 15408;
advanced.channel = 15;
serial.port = "/dev/ttyUSB0";
devices = "devices.yaml";
groups = "groups.yaml";
log_level = "debug";
services.zigbee2mqtt = {
enable = true;
user = "root";
envsubst = true;
config = {
homeassistant = true;
permit_join = false;
mqtt = {
base_topic = "zigbee2mqtt";
server = "mqtt://127.0.0.1:1883";
user = "\${MQTT_USER}";
password = "\${MQTT_PASSWORD}";
};
frontend = {
port = 8456;
host = "0.0.0.0";
};
advanced.pan_id = 15408;
advanced.channel = 15;
serial.port = "/dev/ttyUSB0";
devices = "devices.yaml";
groups = "groups.yaml";
log_level = "debug";
};
};
};
};
}


@ -1,15 +1,21 @@
{ inputs, lib, ... }:
let
{
inputs,
lib,
...
}: let
callPackage = lib.callPackagesWith {
inherit (inputs.nixng.nglib)
makeSystem;
inherit (inputs)
inherit
(inputs.nixng.nglib)
makeSystem
;
inherit
(inputs)
hydra
nixpkgs
nix;
nix
;
};
in
{
in {
flake.nixngConfigurations.hydraPostgreSQL = callPackage ./postgresql.nix {};
flake.nixngConfigurations.hydra = callPackage ./hydra.nix {};
}


@ -1,91 +1,92 @@
{ inputs, ... }:
{
{inputs, ...}: {
flake.nixngConfigurations.ingressBlowhole = inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "ingress-blowhole";
inherit (inputs) nixpkgs;
config =
{ pkgs, lib, ... }:
let
inherit (lib)
singleton;
in
{
dumb-init = {
enable = true;
sigell.entries = [
{
signal = "HUP";
action = {
type = "exec";
environment = {
PATH = "${pkgs.bash}/bin:${pkgs.busybox}/bin";
};
command =
[ "bash"
"-c"
"kill -s HUP \"$(cat /nginx.pid)\""
];
};
}
{
signal = "TERM";
action = {
type = "signal";
rewrite = "TERM";
selector = {
type = "child";
};
};
}
];
type.services = {};
config = {
pkgs,
lib,
...
}: let
inherit
(lib)
singleton
;
in {
dumb-init = {
enable = true;
sigell.entries = [
{
signal = "HUP";
action = {
type = "exec";
environment = {
PATH = "${pkgs.bash}/bin:${pkgs.busybox}/bin";
};
command = [
"bash"
"-c"
"kill -s HUP \"$(cat /nginx.pid)\""
];
};
}
{
signal = "TERM";
action = {
type = "signal";
rewrite = "TERM";
selector = {
type = "child";
};
};
}
];
type.services = {};
};
init.services.nginx.shutdownOnExit = true;
services.nginx = {
enable = true;
envsubst = true;
configuration = singleton {
daemon = "off";
worker_processes = 2;
user = "nginx";
events."" = {
use = "epoll";
worker_connections = 128;
};
init.services.nginx.shutdownOnExit = true;
error_log = ["/dev/stderr" "warn"];
services.nginx = {
enable = true;
envsubst = true;
configuration = singleton {
daemon = "off";
worker_processes = 2;
user = "nginx";
pid = "/nginx.pid";
events."" = {
use = "epoll";
worker_connections = 128;
};
stream."" = {
include = singleton ["/local/streams.conf"];
};
error_log = [ "/dev/stderr" "warn" ];
http."" = {
server_tokens = "off";
include = [
["${pkgs.nginx}/conf/mime.types"]
["/local/upstreams.conf"]
];
charset = "utf-8";
access_log = ["/dev/stdout" "combined"];
pid = "/nginx.pid";
server."" = {
listen = ["80" "default_server"];
server_name = singleton "blowhole.in.redalder.org";
stream."" = {
include = singleton [ "/local/streams.conf" ];
};
http."" = {
server_tokens = "off";
include = [
[ "${pkgs.nginx}/conf/mime.types" ]
[ "/local/upstreams.conf" ]
];
charset = "utf-8";
access_log = [ "/dev/stdout" "combined" ];
server."" = {
listen = [ "80" "default_server" ];
server_name = singleton "blowhole.in.redalder.org";
location."/" = {
return = [ "301" "https://$$host$$request_uri" ];
};
};
location."/" = {
return = ["301" "https://$$host$$request_uri"];
};
};
};
};
};
};
};
}


@ -1,128 +1,130 @@
{ inputs, ... }:
{
{inputs, ...}: {
flake.nixngConfigurations.ingressToothpick = inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "ingress-toothpick";
inherit (inputs) nixpkgs;
config =
{ pkgs, lib, nglib, ... }:
let
inherit (lib)
singleton;
in
{
dumb-init = {
enable = true;
sigell.entries = [
{
signal = "HUP";
action = {
type = "exec";
environment = {
PATH = "${pkgs.bash}/bin:${pkgs.busybox}/bin";
};
command =
[ "bash"
"-c"
"kill -s HUP \"$(cat /nginx.pid)\""
];
};
}
{
signal = "TERM";
action = {
type = "signal";
rewrite = "TERM";
selector = {
type = "child";
};
};
}
];
type.services = {};
};
init.services.nginx.shutdownOnExit = true;
system.activation =
{ resolv-conf =
nglib.dag.dagEntryBefore [ "certbot" ]
''
export PATH=${pkgs.busybox}/bin
mkdir -p /etc
echo "nameserver 8.8.8.8" > /etc/resolv.conf
'';
config = {
pkgs,
lib,
nglib,
...
}: let
inherit
(lib)
singleton
;
in {
dumb-init = {
enable = true;
sigell.entries = [
{
signal = "HUP";
action = {
type = "exec";
environment = {
PATH = "${pkgs.bash}/bin:${pkgs.busybox}/bin";
};
command = [
"bash"
"-c"
"kill -s HUP \"$(cat /nginx.pid)\""
];
};
services.certbot = {
enable = true;
acceptTerms = true;
domains = {
"redalder.org" = {
extraDomains = [
"hydra.redalder.org"
"gitea.redalder.org"
"matrix.redalder.org"
"nixng.org"
];
webroot = "/var/www/certbot";
email = "admin@redalder.org";
extraOptions = "--expand --keep-until-expiring --renew-with-new-domains -v";
}
{
signal = "TERM";
action = {
type = "signal";
rewrite = "TERM";
selector = {
type = "child";
};
};
};
services.nginx = {
enable = true;
envsubst = true;
configuration = [
{
daemon = "off";
worker_processes = 2;
user = "nginx";
}
];
type.services = {};
};
init.services.nginx.shutdownOnExit = true;
events."" = {
use = "epoll";
worker_connections = 128;
};
system.activation = {
resolv-conf =
nglib.dag.dagEntryBefore ["certbot"]
''
export PATH=${pkgs.busybox}/bin
error_log = [ "/dev/stderr" "warn" ];
mkdir -p /etc
echo "nameserver 8.8.8.8" > /etc/resolv.conf
'';
};
pid = "/nginx.pid";
services.certbot = {
enable = true;
stream."" = {
include = [
[ "/local/streams.conf" ]
];
};
acceptTerms = true;
http."" = {
server_tokens = "off";
include = [
[ "${pkgs.nginx}/conf/mime.types" ]
[ "/local/upstreams.conf" ]
];
charset = "utf-8";
access_log = [ "/dev/stdout" "combined" ];
server."" = {
listen = [ "80" "default_server" ];
server_name = [
"redalder.org"
"nixng.org"
];
location."/" = {
return = [ "301" "https://$$host$$request_uri" ];
};
};
};
}
domains = {
"redalder.org" = {
extraDomains = [
"hydra.redalder.org"
"gitea.redalder.org"
"matrix.redalder.org"
"nixng.org"
];
webroot = "/var/www/certbot";
email = "admin@redalder.org";
extraOptions = "--expand --keep-until-expiring --renew-with-new-domains -v";
};
};
};
services.nginx = {
enable = true;
envsubst = true;
configuration = [
{
daemon = "off";
worker_processes = 2;
user = "nginx";
events."" = {
use = "epoll";
worker_connections = 128;
};
error_log = ["/dev/stderr" "warn"];
pid = "/nginx.pid";
stream."" = {
include = [
["/local/streams.conf"]
];
};
http."" = {
server_tokens = "off";
include = [
["${pkgs.nginx}/conf/mime.types"]
["/local/upstreams.conf"]
];
charset = "utf-8";
access_log = ["/dev/stdout" "combined"];
server."" = {
listen = ["80" "default_server"];
server_name = [
"redalder.org"
"nixng.org"
];
location."/" = {
return = ["301" "https://$$host$$request_uri"];
};
};
};
}
];
};
};
};
}


@ -1,36 +1,38 @@
{ inputs, ... }:
{
{inputs, ...}: {
flake.nixngConfigurations.heisenbridge = inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "heisenbridge";
inherit (inputs) nixpkgs;
config =
{ pkgs, lib, ... }:
let
inherit (lib)
getExe';
in
{
dumb-init = {
enable = true;
type.services = { };
};
init.services.heisenbridge = {
enabled = true;
# heisenbridge needs to retry the connection and task restarting does not work currently
shutdownOnExit = false;
script = pkgs.writeShellScript "heisenbridge" ''
REGISTRATION_FILE="/var/lib/registrations/heisenbridge.yaml"
${getExe' pkgs.heisenbridge "heisenbridge"} 'https://matrix.redalder.org/' \
-c "$REGISTRATION_FILE" \
$([ -e "$REGISTRATION_FILE" ] || echo "--generate") \
-l 127.0.0.1 \
-p 9898 \
-o @magic_rb:matrix.redalder.org
'';
};
config = {
pkgs,
lib,
...
}: let
inherit
(lib)
getExe'
;
in {
dumb-init = {
enable = true;
type.services = {};
};
init.services.heisenbridge = {
enabled = true;
# heisenbridge needs to retry the connection and task restarting does not work currently
shutdownOnExit = false;
script = pkgs.writeShellScript "heisenbridge" ''
REGISTRATION_FILE="/var/lib/registrations/heisenbridge.yaml"
${getExe' pkgs.heisenbridge "heisenbridge"} 'https://matrix.redalder.org/' \
-c "$REGISTRATION_FILE" \
$([ -e "$REGISTRATION_FILE" ] || echo "--generate") \
-l 127.0.0.1 \
-p 9898 \
-o @magic_rb:matrix.redalder.org
'';
};
};
};
}


@ -1,43 +1,49 @@
{ inputs, config, ... }:
{
inputs,
config,
...
}: {
flake.nixngConfigurations.mautrixDiscord = inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "mautrix-discord";
inherit (inputs) nixpkgs;
config =
{ pkgs, lib, ... }:
{
dumb-init = {
enable = true;
type.services = { };
};
init.services.mautrix-discord = {
enabled = true;
shutdownOnExit = true;
script =
let
inherit (lib)
getExe'
makeBinPath;
mautrix-discord = (pkgs.appendOverlays [ config.flake.overlays.mautrix-discord ]).mautrix-discord;
in
pkgs.writeShellScript "mautrix-discord"
''
DATA_DIR="/var/lib/mautrix-discord"
CONFIG_FILE="$DATA_DIR/config.yaml"
REGISTRATION_FILE="/var/lib/registrations/mautrix-discord.yaml"
${getExe' pkgs.envsubst "envsubst"} < ${./mautrix-discord.yaml} > "$CONFIG_FILE"
chmod 755 "$CONFIG_FILE"
export PATH="$PATH:${makeBinPath [ pkgs.lottieconverter ]};"
[ -e "$REGISTRATION_FILE" ] || \
${getExe' mautrix-discord "mautrix-discord"} -c "$CONFIG_FILE" -r "$REGISTRATION_FILE" -g
${getExe' mautrix-discord "mautrix-discord"} -c "$CONFIG_FILE" -r "$REGISTRATION_FILE" -n
'';
};
config = {
pkgs,
lib,
...
}: {
dumb-init = {
enable = true;
type.services = {};
};
init.services.mautrix-discord = {
enabled = true;
shutdownOnExit = true;
script = let
inherit
(lib)
getExe'
makeBinPath
;
mautrix-discord = (pkgs.appendOverlays [config.flake.overlays.mautrix-discord]).mautrix-discord;
in
pkgs.writeShellScript "mautrix-discord"
''
DATA_DIR="/var/lib/mautrix-discord"
CONFIG_FILE="$DATA_DIR/config.yaml"
REGISTRATION_FILE="/var/lib/registrations/mautrix-discord.yaml"
${getExe' pkgs.envsubst "envsubst"} < ${./mautrix-discord.yaml} > "$CONFIG_FILE"
chmod 755 "$CONFIG_FILE"
export PATH="$PATH:${makeBinPath [pkgs.lottieconverter]};"
[ -e "$REGISTRATION_FILE" ] || \
${getExe' mautrix-discord "mautrix-discord"} -c "$CONFIG_FILE" -r "$REGISTRATION_FILE" -g
${getExe' mautrix-discord "mautrix-discord"} -c "$CONFIG_FILE" -r "$REGISTRATION_FILE" -n
'';
};
};
};
}
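Review bot: `chmod 755 "$CONFIG_FILE"` leaves the rendered bridge config world-readable (and needlessly executable) right after `envsubst` has filled it from the environment, which presumably includes the homeserver and appservice credentials. The same `chmod 755` appears in the mautrix-facebook, mautrix-signal and mautrix-slack sections, and in mautrix-signal the following `sed -i` explicitly writes `as_token` and `hs_token` into that file, so the secret content is certain there. Unless the bridge runs as a different user than this script, `chmod 600 "$CONFIG_FILE"` (or `640` with a shared group) is sufficient in all four places.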


@ -1,45 +1,46 @@
{ inputs, ... }:
{
{inputs, ...}: {
flake.nixngConfigurations.mautrixFacebook = inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "mautrix-facebook";
inherit (inputs) nixpkgs;
config =
{ pkgs, lib, ... }:
let
inherit (lib)
singleton;
in
{
dumb-init = {
enable = true;
type.services = { };
};
init.services.mautrix-facebook = {
enabled = true;
shutdownOnExit = true;
script =
let
mautrix-facebook = pkgs.mautrix-facebook.overridePythonAttrs (old: {
propagatedBuildInputs = singleton pkgs.python3.pkgs.aiosqlite ++ old.propagatedBuildInputs;
});
in
pkgs.writeShellScript "mautrix-facebook"
''
DATA_DIR="/var/lib/mautrix-facebook"
CONFIG_FILE="$DATA_DIR/config.yaml"
REGISTRATION_FILE="/var/lib/registrations/mautrix-facebook.yaml"
DB_FILE="$DATA_DIR/sqlite.db"
cp ${./mautrix-facebook.yaml} "$CONFIG_FILE" ; chmod 755 "$CONFIG_FILE"
${pkgs.sqlite}/bin/sqlite3 $DB_FILE '.databases ; .quit'
[ -e "$REGISTRATION_FILE" ] || \
${mautrix-facebook}/bin/mautrix-facebook -c "$CONFIG_FILE" -r "$REGISTRATION_FILE" -g
${mautrix-facebook}/bin/mautrix-facebook -c "$CONFIG_FILE" -r "$REGISTRATION_FILE" -n
'';
};
config = {
pkgs,
lib,
...
}: let
inherit
(lib)
singleton
;
in {
dumb-init = {
enable = true;
type.services = {};
};
init.services.mautrix-facebook = {
enabled = true;
shutdownOnExit = true;
script = let
mautrix-facebook = pkgs.mautrix-facebook.overridePythonAttrs (old: {
propagatedBuildInputs = singleton pkgs.python3.pkgs.aiosqlite ++ old.propagatedBuildInputs;
});
in
pkgs.writeShellScript "mautrix-facebook"
''
DATA_DIR="/var/lib/mautrix-facebook"
CONFIG_FILE="$DATA_DIR/config.yaml"
REGISTRATION_FILE="/var/lib/registrations/mautrix-facebook.yaml"
DB_FILE="$DATA_DIR/sqlite.db"
cp ${./mautrix-facebook.yaml} "$CONFIG_FILE" ; chmod 755 "$CONFIG_FILE"
${pkgs.sqlite}/bin/sqlite3 $DB_FILE '.databases ; .quit'
[ -e "$REGISTRATION_FILE" ] || \
${mautrix-facebook}/bin/mautrix-facebook -c "$CONFIG_FILE" -r "$REGISTRATION_FILE" -g
${mautrix-facebook}/bin/mautrix-facebook -c "$CONFIG_FILE" -r "$REGISTRATION_FILE" -n
'';
};
};
};
}


@ -1,62 +1,61 @@
{ inputs, ... }:
{
{inputs, ...}: {
flake.nixngConfigurations.mautrixSignal = inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "mautrix-signal";
inherit (inputs) nixpkgs;
config =
{ pkgs, lib, ... }:
{
dumb-init = {
enable = true;
type.services = { };
};
init.services.mautrix-signal = {
enabled = true;
shutdownOnExit = true;
script = pkgs.writeShellScript "mautrix-signal" ''
DATA_DIR="/var/lib/mautrix-signal"
CONFIG_FILE="$DATA_DIR/config.yaml"
REGISTRATION_FILE="/var/lib/registrations/mautrix-signal.yaml"
DB_FILE="$DATA_DIR/sqlite.db"
cp ${./mautrix-signal.yaml} "$CONFIG_FILE" ; chmod 755 "$CONFIG_FILE"
[ -e "$REGISTRATION_FILE" ] || \
${lib.getExe' pkgs.mautrix-signal "mautrix-signal"} -c "$CONFIG_FILE" -r "$REGISTRATION_FILE" -g
sed -i \
-e 's/@AS_TOKEN@/'"$(${lib.getExe pkgs.yq} -r '.as_token' "$REGISTRATION_FILE")/" \
-e 's/@HS_TOKEN@/'"$(${lib.getExe pkgs.yq} -r '.hs_token' "$REGISTRATION_FILE")/" \
"$CONFIG_FILE"
${lib.getExe' pkgs.mautrix-signal "mautrix-signal"} -c "$CONFIG_FILE" -r "$REGISTRATION_FILE" -n
'';
};
init.services.signald = {
enabled = true;
shutdownOnExit = true;
script =
let
locales =
[
"C.UTF-8"
"en_US.UTF-8"
];
i18n = pkgs.glibcLocales.override {
inherit locales;
};
in
pkgs.writeShellScript "signald" ''
DATA_DIR="/var/lib/signald"
SOCKET_PATH="/var/run/signald/signald.sock"
mkdir -p $(dirname $SOCKET_PATH)
export LANG=en_US.UTF-8
export LOCALE_ARCHIVE=${i18n}/lib/locale/locale-archive
${lib.getExe' pkgs.signald "signald"} -d $DATA_DIR -s $SOCKET_PATH
'';
};
config = {
pkgs,
lib,
...
}: {
dumb-init = {
enable = true;
type.services = {};
};
init.services.mautrix-signal = {
enabled = true;
shutdownOnExit = true;
script = pkgs.writeShellScript "mautrix-signal" ''
DATA_DIR="/var/lib/mautrix-signal"
CONFIG_FILE="$DATA_DIR/config.yaml"
REGISTRATION_FILE="/var/lib/registrations/mautrix-signal.yaml"
DB_FILE="$DATA_DIR/sqlite.db"
cp ${./mautrix-signal.yaml} "$CONFIG_FILE" ; chmod 755 "$CONFIG_FILE"
[ -e "$REGISTRATION_FILE" ] || \
${lib.getExe' pkgs.mautrix-signal "mautrix-signal"} -c "$CONFIG_FILE" -r "$REGISTRATION_FILE" -g
sed -i \
-e 's/@AS_TOKEN@/'"$(${lib.getExe pkgs.yq} -r '.as_token' "$REGISTRATION_FILE")/" \
-e 's/@HS_TOKEN@/'"$(${lib.getExe pkgs.yq} -r '.hs_token' "$REGISTRATION_FILE")/" \
"$CONFIG_FILE"
${lib.getExe' pkgs.mautrix-signal "mautrix-signal"} -c "$CONFIG_FILE" -r "$REGISTRATION_FILE" -n
'';
};
init.services.signald = {
enabled = true;
shutdownOnExit = true;
script = let
locales = [
"C.UTF-8"
"en_US.UTF-8"
];
i18n = pkgs.glibcLocales.override {
inherit locales;
};
in
pkgs.writeShellScript "signald" ''
DATA_DIR="/var/lib/signald"
SOCKET_PATH="/var/run/signald/signald.sock"
mkdir -p $(dirname $SOCKET_PATH)
export LANG=en_US.UTF-8
export LOCALE_ARCHIVE=${i18n}/lib/locale/locale-archive
${lib.getExe' pkgs.signald "signald"} -d $DATA_DIR -s $SOCKET_PATH
'';
};
};
};
}


@ -1,43 +1,49 @@
{ inputs, config, ... }:
{
inputs,
config,
...
}: {
flake.nixngConfigurations.mautrixSlack = inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "mautrix-slack";
inherit (inputs) nixpkgs;
config =
{ pkgs, lib, ... }:
{
dumb-init = {
enable = true;
type.services = { };
};
init.services.mautrix-slack = {
enabled = true;
shutdownOnExit = true;
script =
let
inherit (lib)
getExe'
makeBinPath;
mautrix-slack = (pkgs.appendOverlays [ config.flake.overlays.mautrix-slack ]).mautrix-slack;
in
pkgs.writeShellScript "mautrix-slack"
''
DATA_DIR="/var/lib/mautrix-slack"
CONFIG_FILE="$DATA_DIR/config.yaml"
REGISTRATION_FILE="/var/lib/registrations/mautrix-slack.yaml"
${getExe' pkgs.envsubst "envsubst"} < ${./mautrix-slack.yaml} > "$CONFIG_FILE"
chmod 755 "$CONFIG_FILE"
export PATH="$PATH:${makeBinPath [ pkgs.lottieconverter ]};"
[ -e "$REGISTRATION_FILE" ] || \
${getExe' mautrix-slack "mautrix-slack"} -c "$CONFIG_FILE" -r "$REGISTRATION_FILE" -g
${getExe' mautrix-slack "mautrix-slack"} -c "$CONFIG_FILE" -r "$REGISTRATION_FILE" -n
'';
};
config = {
pkgs,
lib,
...
}: {
dumb-init = {
enable = true;
type.services = {};
};
init.services.mautrix-slack = {
enabled = true;
shutdownOnExit = true;
script = let
inherit
(lib)
getExe'
makeBinPath
;
mautrix-slack = (pkgs.appendOverlays [config.flake.overlays.mautrix-slack]).mautrix-slack;
in
pkgs.writeShellScript "mautrix-slack"
''
DATA_DIR="/var/lib/mautrix-slack"
CONFIG_FILE="$DATA_DIR/config.yaml"
REGISTRATION_FILE="/var/lib/registrations/mautrix-slack.yaml"
${getExe' pkgs.envsubst "envsubst"} < ${./mautrix-slack.yaml} > "$CONFIG_FILE"
chmod 755 "$CONFIG_FILE"
export PATH="$PATH:${makeBinPath [pkgs.lottieconverter]};"
[ -e "$REGISTRATION_FILE" ] || \
${getExe' mautrix-slack "mautrix-slack"} -c "$CONFIG_FILE" -r "$REGISTRATION_FILE" -g
${getExe' mautrix-slack "mautrix-slack"} -c "$CONFIG_FILE" -r "$REGISTRATION_FILE" -n
'';
};
};
};
}


@ -1,14 +1,15 @@
{ logConfig }:
{
{logConfig}: {
server_name = "matrix.redalder.org";
report_stats = "yes";
pid_file = "/homeserver.pid";
log_config = logConfig;
trusted_key_servers = [ {
server_name = "matrix.org";
} ];
trusted_key_servers = [
{
server_name = "matrix.org";
}
];
media_store_path = "/var/lib/synapse/media_store";
signing_key_path = "/var/lib/synapse/signing.key";


@ -1,26 +1,35 @@
{ inputs, lib, ... }:
let
inherit (lib)
singleton;
{
inputs,
lib,
...
}: let
inherit
(lib)
singleton
;
commonConfig = pkgs:
(pkgs.formats.yaml {}).generate "common.yaml"
(import ./common_config.nix { logConfig = logConfig pkgs; });
(import ./common_config.nix {logConfig = logConfig pkgs;});
logConfig = pkgs:
(pkgs.formats.yaml {}).generate "log.yaml"
(import ./log_config.nix {});
(import ./log_config.nix {});
callPackage = lib.callPackageWith {
inherit (inputs)
nixpkgs;
inherit (inputs.nixng.nglib)
makeSystem;
inherit
(inputs)
nixpkgs
;
inherit
(inputs.nixng.nglib)
makeSystem
;
inherit
commonConfig
logConfig;
logConfig
;
};
in
{
in {
flake.nixngConfigurations.synapseFederationSender = callPackage ./generic_worker.nix {
name = "generic";
listener_resources = singleton "health";

View file

@ -1,63 +1,61 @@
{ makeSystem
, nixpkgs
, listener_resources
, name
, logConfig
, commonConfig
{
makeSystem,
nixpkgs,
listener_resources,
name,
logConfig,
commonConfig,
}:
makeSystem {
system = "x86_64-linux";
name = "synapse-worker-${name}";
inherit nixpkgs;
config = ({ pkgs, ... }:
{
dumb-init = {
enable = true;
type.services = { };
config = {pkgs, ...}: {
dumb-init = {
enable = true;
type.services = {};
};
environment.systemPackages = [pkgs.openssh];
services.synapse.workers.${name} = {
package = import ./synapse-package.nix pkgs;
settings = {
worker_app = "synapse.app.generic_worker";
worker_listeners = [
{
port = 6167;
tls = false;
type = "http";
x_forwarded = true;
bind_adrresses = ["0.0.0.0"];
resources = [
{
names = listener_resources;
compress = false;
}
];
}
# {
# port = 9000;
# bind_addresses = [ "127.0.0.1" ];
# type = "manhole";
# }
];
worker_log_config = logConfig pkgs;
};
environment.systemPackages = [ pkgs.openssh ];
services.synapse.workers.${name} = {
package = import ./synapse-package.nix pkgs;
settings = {
worker_app = "synapse.app.generic_worker";
worker_listeners = [
{
port = 6167;
tls = false;
type = "http";
x_forwarded = true;
bind_adrresses = [ "0.0.0.0" ];
resources =
[
{
names = listener_resources;
compress = false;
}
];
}
# {
# port = 9000;
# bind_addresses = [ "127.0.0.1" ];
# type = "manhole";
# }
];
worker_log_config = logConfig pkgs;
};
arguments = {
config-path = [
(commonConfig pkgs)
"/secrets/extra.yaml"
"/var/lib/registrations/extra.yaml"
];
keys-directory = [
"/var/lib/synapse/keys"
];
};
arguments = {
config-path = [
(commonConfig pkgs)
"/secrets/extra.yaml"
"/var/lib/registrations/extra.yaml"
];
keys-directory = [
"/var/lib/synapse/keys"
];
};
});
};
};
}
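Review bot: `bind_adrresses = ["0.0.0.0"];` in `worker_listeners` misspells the Synapse listener key `bind_addresses`, so the value is most likely ignored and the listener binds to whatever Synapse's default is; the same typo sits in the `port = 6167` listener of the `name = "synapse"` section further down, while the replication listener there spells `bind_addresses` correctly. Being a formatter-only commit, this survived alejandra untouched. The fix is `bind_addresses = ["0.0.0.0"];` in both places, or `["127.0.0.1"]` if the worker is only meant to be reached through the ingress.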


@ -1,5 +1,4 @@
{ }:
{
{}: {
version = 1;
formatters.structured.class = "synapse.logging.TerseJsonFormatter";
@ -17,8 +16,8 @@
root = {
level = "INFO";
handlers = [ "console" ];
handlers = ["console"];
};
disable_existing_loggers = true;
}


@ -1,82 +1,103 @@
{ makeSystem
, nixpkgs
{
makeSystem,
nixpkgs,
}:
makeSystem {
system = "x86_64-linux";
name = "nixng-synapse-postgresql";
inherit nixpkgs;
config =
{ pkgs, config, ... }:
{
config = {
dumb-init = {
enable = true;
type.services = {};
config = {
pkgs,
config,
...
}: {
config = {
dumb-init = {
enable = true;
type.services = {};
};
services.postgresql = {
enable = true;
package = pkgs.postgresql_12;
initialScript = "/secrets/init.sql";
enableTCPIP = true;
authentication = "host all all all md5";
config = {
max_connections = 70;
shared_buffers = "384MB";
effective_cache_size = "1152MB";
maintenance_work_mem = "96MB";
checkpoint_completion_target = "0.9";
wal_buffers = "11796kB";
default_statistics_target = 100;
random_page_cost = 4;
effective_io_concurrency = 2;
work_mem = "1966kB";
min_wal_size = "1GB";
max_wal_size = "4GB";
max_worker_processes = 24;
max_parallel_workers_per_gather = 4;
max_parallel_workers = 24;
max_parallel_maintenance_workers = 4;
};
services.postgresql = {
enable = true;
package = pkgs.postgresql_12;
initialScript = "/secrets/init.sql";
enableTCPIP = true;
authentication = "host all all all md5";
config = {
max_connections = 70;
shared_buffers = "384MB";
effective_cache_size = "1152MB";
maintenance_work_mem = "96MB";
checkpoint_completion_target = "0.9";
wal_buffers = "11796kB";
default_statistics_target = 100;
random_page_cost = 4;
effective_io_concurrency = 2;
work_mem = "1966kB";
min_wal_size = "1GB";
max_wal_size = "4GB";
max_worker_processes = 24;
max_parallel_workers_per_gather = 4;
max_parallel_workers = 24;
max_parallel_maintenance_workers = 4;
ensureDatabases = {
"synapse" = {
ENCODING = "UTF8";
TEMPLATE = "template0";
};
ensureDatabases = {
"synapse" = { ENCODING = "UTF8"; TEMPLATE = "template0"; };
"mautrix-facebook" = { ENCODING = "UTF8"; TEMPLATE = "template0"; };
"mautrix-signal" = { ENCODING = "UTF8"; TEMPLATE = "template0"; };
"mautrix-whatsapp" = { ENCODING = "UTF8"; TEMPLATE = "template0"; };
"mautrix-discord" = { ENCODING = "UTF8"; TEMPLATE = "template0"; };
"mautrix-slack" = { ENCODING = "UTF8"; TEMPLATE = "template0"; };
"mautrix-facebook" = {
ENCODING = "UTF8";
TEMPLATE = "template0";
};
"mautrix-signal" = {
ENCODING = "UTF8";
TEMPLATE = "template0";
};
"mautrix-whatsapp" = {
ENCODING = "UTF8";
TEMPLATE = "template0";
};
"mautrix-discord" = {
ENCODING = "UTF8";
TEMPLATE = "template0";
};
"mautrix-slack" = {
ENCODING = "UTF8";
TEMPLATE = "template0";
};
ensureExtensions = {};
ensureUsers = [
{
name = "synapse";
ensurePermissions."DATABASE \"synapse\"" = "ALL PRIVILEGES";
}
{
name = "mautrix-facebook";
ensurePermissions."DATABASE \"mautrix-facebook\"" = "ALL PRIVILEGES";
}
{
name = "mautrix-signal";
ensurePermissions."DATABASE \"mautrix-signal\"" = "ALL PRIVILEGES";
}
{
name = "mautrix-whatsapp";
ensurePermissions."DATABASE \"mautrix-whatsapp\"" = "ALL PRIVILEGES";
}
{
name = "mautrix-discord";
ensurePermissions."DATABASE \"mautrix-discord\"" = "ALL PRIVILEGES";
}
{
name = "mautrix-slack";
ensurePermissions."DATABASE \"mautrix-slack\"" = "ALL PRIVILEGES";
}
];
};
ensureExtensions = {};
ensureUsers = [
{
name = "synapse";
ensurePermissions."DATABASE \"synapse\"" = "ALL PRIVILEGES";
}
{
name = "mautrix-facebook";
ensurePermissions."DATABASE \"mautrix-facebook\"" = "ALL PRIVILEGES";
}
{
name = "mautrix-signal";
ensurePermissions."DATABASE \"mautrix-signal\"" = "ALL PRIVILEGES";
}
{
name = "mautrix-whatsapp";
ensurePermissions."DATABASE \"mautrix-whatsapp\"" = "ALL PRIVILEGES";
}
{
name = "mautrix-discord";
ensurePermissions."DATABASE \"mautrix-discord\"" = "ALL PRIVILEGES";
}
{
name = "mautrix-slack";
ensurePermissions."DATABASE \"mautrix-slack\"" = "ALL PRIVILEGES";
}
];
};
};
};
}
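Review bot: `authentication = "host all all all md5";` admits password logins for every role to every database from any source address (the third `all` is the address column), and `enableTCPIP = true;` makes the port reachable; the rule should name the networks the Synapse and bridge containers connect from, e.g. `host all all <bridge-network-cidr> md5` with a real CIDR in place of the placeholder. With `package = pkgs.postgresql_12;` the server already supports `scram-sha-256`, whose challenge-response exchange is not replayable the way the md5 scheme is, so `host all all <cidr> scram-sha-256` plus `password_encryption = "scram-sha-256";` in `config` is the better default. The partial postgresql section at the top of this page carries the same `md5` rule.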


@ -1,46 +1,45 @@
{ makeSystem
, nixpkgs
{
makeSystem,
nixpkgs,
}:
makeSystem {
system = "x86_64-linux";
name = "redis";
inherit nixpkgs;
config =
{ pkgs, ... }:
{
dumb-init = {
enable = true;
type.services = { };
};
users.users."redis" = {
home = "/var/empty";
uid = 9001;
group = "redis";
};
users.groups."redis" = {
gid = 9001;
};
init.services.redis = {
enabled = true;
shutdownOnExit = true;
script = pkgs.writeShellScript "redis-run" ''
cd /var/lib/redis
chpst -U redis:redis ${pkgs.redis}/bin/redis-server ${./redis.conf}
'';
};
init.services.redis-setup = {
enabled = true;
script = pkgs.writeShellScript "redis-run" ''
export PATH="${pkgs.redis}/bin:$PATH"
nc -z 127.0.0.1 6379 -w 10 -v || exit 1
redis-cli acl setuser default on '>'"$(cat /secrets/redis_password)" allcommands allkeys
sleep 86400
'';
};
config = {pkgs, ...}: {
dumb-init = {
enable = true;
type.services = {};
};
users.users."redis" = {
home = "/var/empty";
uid = 9001;
group = "redis";
};
users.groups."redis" = {
gid = 9001;
};
init.services.redis = {
enabled = true;
shutdownOnExit = true;
script = pkgs.writeShellScript "redis-run" ''
cd /var/lib/redis
chpst -U redis:redis ${pkgs.redis}/bin/redis-server ${./redis.conf}
'';
};
init.services.redis-setup = {
enabled = true;
script = pkgs.writeShellScript "redis-run" ''
export PATH="${pkgs.redis}/bin:$PATH"
nc -z 127.0.0.1 6379 -w 10 -v || exit 1
redis-cli acl setuser default on '>'"$(cat /secrets/redis_password)" allcommands allkeys
sleep 86400
'';
};
};
}
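Review bot: `redis-cli acl setuser default on '>'"$(cat /secrets/redis_password)" allcommands allkeys` passes the Redis password as a command-line argument, so it is visible to anything on the host that can read the process table for as long as the command runs, and because `redis-setup` runs after `redis-server` is already listening there is a window in which `default` is reachable with whatever `./redis.conf` (not visible here) configures. Feeding the command through stdin keeps it out of argv: `printf 'ACL SETUSER default on >%s allcommands allkeys\n' "$(cat /secrets/redis_password)" | redis-cli`. The single `nc -z 127.0.0.1 6379 -w 10 -v || exit 1` probe also fails the setup permanently if the server needs more than ten seconds to come up; a short retry loop would be more robust. `sleep 86400` then leaves the service marked running for a day after its work is done, which presumably exists only to keep the supervisor quiet.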


@ -1,75 +1,77 @@
{ makeSystem
, nixpkgs
, commonConfig
{
makeSystem,
nixpkgs,
commonConfig,
}:
makeSystem {
system = "x86_64-linux";
name = "synapse";
inherit nixpkgs;
config =
{ pkgs, lib, ... }:
let
inherit (lib)
singleton
makeSearchPathOutput;
in
{
dumb-init = {
enable = true;
type.services = { };
};
config = {
pkgs,
lib,
...
}: let
inherit
(lib)
singleton
makeSearchPathOutput
;
in {
dumb-init = {
enable = true;
type.services = {};
};
environment.systemPackages = [ pkgs.openssh ];
environment.systemPackages = [pkgs.openssh];
services.synapse = {
enable = true;
package = import ./synapse-package.nix pkgs;
settings = {
listeners =
[
# The HTTP replication port
services.synapse = {
enable = true;
package = import ./synapse-package.nix pkgs;
settings = {
listeners = [
# The HTTP replication port
{
port = 9093;
bind_addresses = ["0.0.0.0"];
type = "http";
resources = [
{
port = 9093;
bind_addresses = [ "0.0.0.0" ];
type = "http";
resources = [
{
names = [ "replication" ];
}
];
names = ["replication"];
}
{
port = 6167;
tls = false;
type = "http";
x_forwarded = true;
bind_adrresses = [ "0.0.0.0" ];
resources = singleton {
names = [ "client" "federation" ];
compress = false;
};
}
# {
# port = 9000;
# bind_addresses = [ "127.0.0.1" ];
# type = "manhole";
# }
];
}
{
port = 6167;
tls = false;
type = "http";
x_forwarded = true;
bind_adrresses = ["0.0.0.0"];
resources = singleton {
names = ["client" "federation"];
compress = false;
};
}
# {
# port = 9000;
# bind_addresses = [ "127.0.0.1" ];
# type = "manhole";
# }
];
public_baseurl = "https://matrix.redalder.org/";
public_baseurl = "https://matrix.redalder.org/";
# Add a random shared secret to authenticate traffic.
worker_replication_secret = "";
};
arguments = {
"config-path" = [
(commonConfig pkgs)
"/secrets/extra.yaml"
"/var/lib/registrations/extra.yaml"
];
"keys-directory" = "/var/lib/synapse/keys";
};
# Add a random shared secret to authenticate traffic.
worker_replication_secret = "";
};
arguments = {
"config-path" = [
(commonConfig pkgs)
"/secrets/extra.yaml"
"/var/lib/registrations/extra.yaml"
];
"keys-directory" = "/var/lib/synapse/keys";
};
};
};
}
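Review bot: `worker_replication_secret = "";` sits directly under `# Add a random shared secret to authenticate traffic.` and leaves the replication listener on `port = 9093`, bound to `0.0.0.0`, without a secret in the committed config; presumably `/secrets/extra.yaml` in `config-path` supplies the real value at runtime, but an empty default means a missing or misordered secrets file silently disables replication authentication. Whether Synapse rejects an empty string or treats it as unset is not visible here. Either drop the key so an absent secret is noticed, or document the dependency, e.g. `# Placeholder: the real value must come from /secrets/extra.yaml; empty disables replication auth.`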


@ -1,28 +1,29 @@
{ inputs, ... }:
{
{inputs, ...}: {
flake.nixngConfigurations.minecraft-ftb-infinity = inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "nixng-minecraft";
inherit (inputs) nixpkgs;
config =
{ pkgs, lib, ... }:
{
disabledModules = [ "${inputs.nixng}/modules/services/minecraft.nix" ];
imports = [ ../../../modules/minecraft-forge.nix ../../../modules/minecraft.nix ];
dumb-init = {
enable = true;
type.services = {};
};
config = {
pkgs,
lib,
...
}: {
disabledModules = ["${inputs.nixng}/modules/services/minecraft.nix"];
imports = [../../../modules/minecraft-forge.nix ../../../modules/minecraft.nix];
dumb-init = {
enable = true;
type.services = {};
};
services.minecraft.forge = {
enable = true;
services.minecraft.forge = {
enable = true;
modpackId = 23;
versionId = 99;
modpacksChHash = "sha256-wlOcy+Ju81WxJ/z14rslMy3WH+wQdcIZylT7Z3qqJpQ=";
modpackId = 23;
versionId = 99;
modpacksChHash = "sha256-wlOcy+Ju81WxJ/z14rslMy3WH+wQdcIZylT7Z3qqJpQ=";
eulaAccept = true;
};
};
eulaAccept = true;
};
};
};
}


@ -1,30 +1,31 @@
{ inputs, ... }:
{
{inputs, ...}: {
flake.nixngConfigurations.minecraft-ftb-integrations = inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "nixng-minecraft";
inherit (inputs) nixpkgs;
config =
{ pkgs, lib, ... }:
{
disabledModules = [ "${inputs.nixng}/modules/services/minecraft.nix" ];
imports = [ ../../../modules/minecraft-forge.nix ../../../modules/minecraft.nix ];
dumb-init = {
enable = true;
type.services = {};
};
config = {
pkgs,
lib,
...
}: {
disabledModules = ["${inputs.nixng}/modules/services/minecraft.nix"];
imports = [../../../modules/minecraft-forge.nix ../../../modules/minecraft.nix];
dumb-init = {
enable = true;
type.services = {};
};
services.minecraft.forge = {
enable = true;
services.minecraft.forge = {
enable = true;
modpackId = 107;
versionId = 6572;
modpacksChHash = "sha256-LTr8yZ3hmKnO51VFABTx0PR8SCc1MqPEf1xvbZ9OL3A=";
modpackId = 107;
versionId = 6572;
modpacksChHash = "sha256-LTr8yZ3hmKnO51VFABTx0PR8SCc1MqPEf1xvbZ9OL3A=";
javaPackage = pkgs.jdk11;
javaPackage = pkgs.jdk11;
eulaAccept = true;
};
};
eulaAccept = true;
};
};
};
}


@ -1,27 +1,29 @@
{ inputs, ... }:
{
{inputs, ...}: {
flake.nixngConfigurations.minecraft-vanilla = inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "nixng-minecraft";
inherit (inputs) nixpkgs;
config =
{ pkgs, lib, nglib, ... }:
{
disabledModules = [ "${inputs.nixng}/modules/services/minecraft.nix" ];
imports = [ ../../../modules/minecraft-forge.nix ../../../modules/minecraft.nix ];
dumb-init = {
enable = true;
type.services = {};
};
config = {
pkgs,
lib,
nglib,
...
}: {
disabledModules = ["${inputs.nixng}/modules/services/minecraft.nix"];
imports = [../../../modules/minecraft-forge.nix ../../../modules/minecraft.nix];
dumb-init = {
enable = true;
type.services = {};
};
services.minecraft.vanilla = {
enable = true;
eulaAccept = true;
extraJavaArguments = [
"-Xmx1024M"
"-Xms1024M"
];
};
};
services.minecraft.vanilla = {
enable = true;
eulaAccept = true;
extraJavaArguments = [
"-Xmx1024M"
"-Xms1024M"
];
};
};
};
}


@ -1,24 +1,21 @@
{ inputs, ... }:
{
{inputs, ...}: {
flake.nixngConfigurations.syncthing = inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "ra-systems-syncthing";
inherit (inputs) nixpkgs;
config =
{ pkgs, ... }:
{
dumb-init = {
enable = true;
type.services = {};
};
init.services.syncthing = {
shutdownOnExit = true;
};
services.syncthing = {
enable = true;
guiAddress = "http://0.0.0.0:8384/";
};
config = {pkgs, ...}: {
dumb-init = {
enable = true;
type.services = {};
};
init.services.syncthing = {
shutdownOnExit = true;
};
services.syncthing = {
enable = true;
guiAddress = "http://0.0.0.0:8384/";
};
};
};
}


@ -1,88 +1,90 @@
{ inputs, ... }:
{
{inputs, ...}: {
flake.nixngConfigurations.website = inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "nixng-website";
inherit (inputs) nixpkgs;
config =
{ pkgs, lib, ... }:
let
inherit (lib)
singleton;
in
{
dumb-init = {
enable = true;
type.services = {};
};
init.services.apache2 = {
ensureSomething.link."documentRoot" = {
src = "${inputs.website.packages."x86_64-linux".website}/redalder";
dst = "/var/www";
};
shutdownOnExit = true;
};
services.apache2 = {
enable = true;
configuration = [
{
LoadModule = [
[ "mpm_event_module" "modules/mod_mpm_event.so" ]
[ "log_config_module" "modules/mod_log_config.so" ]
[ "unixd_module" "modules/mod_unixd.so" ]
[ "authz_core_module" "modules/mod_authz_core.so" ]
[ "dir_module" "modules/mod_dir.so" ]
[ "mime_module" "modules/mod_mime.so" ]
];
}
{
Listen = "0.0.0.0:80";
ServerRoot = "/var/www";
ServerName = "blowhole";
PidFile = "/httpd.pid";
User = "www-data";
Group = "www-data";
DocumentRoot = "/var/www";
}
{
ErrorLog = "/dev/stderr";
TransferLog = "/dev/stdout";
LogLevel = "info";
}
{
AddType = singleton [
"image/svg+xml"
"svg"
"svgz"
];
AddEncoding = [
"gzip"
"svgz"
];
TypesConfig = "${pkgs.apacheHttpd}/conf/mime.types";
}
{
Directory."/" = {
Require = [ "all" "denied" ];
Options = "SymlinksIfOwnerMatch";
};
VirtualHost."*:80".Directory."/var/www" = {
Require = [ "all" "granted" ];
Options = [ "-Indexes" "+FollowSymlinks" ];
DirectoryIndex = "index.html";
};
}
];
};
config = {
pkgs,
lib,
...
}: let
inherit
(lib)
singleton
;
in {
dumb-init = {
enable = true;
type.services = {};
};
init.services.apache2 = {
ensureSomething.link."documentRoot" = {
src = "${inputs.website.packages."x86_64-linux".website}/redalder";
dst = "/var/www";
};
shutdownOnExit = true;
};
services.apache2 = {
enable = true;
configuration = [
{
LoadModule = [
["mpm_event_module" "modules/mod_mpm_event.so"]
["log_config_module" "modules/mod_log_config.so"]
["unixd_module" "modules/mod_unixd.so"]
["authz_core_module" "modules/mod_authz_core.so"]
["dir_module" "modules/mod_dir.so"]
["mime_module" "modules/mod_mime.so"]
];
}
{
Listen = "0.0.0.0:80";
ServerRoot = "/var/www";
ServerName = "blowhole";
PidFile = "/httpd.pid";
User = "www-data";
Group = "www-data";
DocumentRoot = "/var/www";
}
{
ErrorLog = "/dev/stderr";
TransferLog = "/dev/stdout";
LogLevel = "info";
}
{
AddType = singleton [
"image/svg+xml"
"svg"
"svgz"
];
AddEncoding = [
"gzip"
"svgz"
];
TypesConfig = "${pkgs.apacheHttpd}/conf/mime.types";
}
{
Directory."/" = {
Require = ["all" "denied"];
Options = "SymlinksIfOwnerMatch";
};
VirtualHost."*:80".Directory."/var/www" = {
Require = ["all" "granted"];
Options = ["-Indexes" "+FollowSymlinks"];
DirectoryIndex = "index.html";
};
}
];
};
};
};
}


@ -1,9 +1,12 @@
{ pkgs, config, lib, ... }:
with lib;
let
cfg = config.services.minecraft.forge;
in
{
pkgs,
config,
lib,
...
}:
with lib; let
cfg = config.services.minecraft.forge;
in {
options.services.minecraft.forge = {
enable = mkEnableOption "Enable Minecraft server service.";
@ -49,119 +52,116 @@ in
};
config = mkIf cfg.enable {
services.minecraft.forge.serverPackage = let
forgeFod = pkgs.stdenv.mkDerivation {
pname = "minecraft";
version = "unknown";
services.minecraft.forge.serverPackage =
let
forgeFod =
pkgs.stdenv.mkDerivation {
pname = "minecraft";
version = "unknown";
outputHashMode = "recursive";
outputHashAlgo = "sha256";
outputHash = cfg.modpacksChHash;
outputHashMode = "recursive";
outputHashAlgo = "sha256";
outputHash = cfg.modpacksChHash;
buildInputs = with pkgs; [unzip curl which cacert];
buildInputs = with pkgs; [ unzip curl which cacert ];
phases = ["fetchPhase" "installPhase" "fixupPhase "];
phases = [ "fetchPhase" "installPhase" "fixupPhase "];
fetchPhase = ''
curl https://api.modpacks.ch/public/modpack/${toString cfg.modpackId}/${toString cfg.versionId}/server/linux -o modpacks.ch # fuck creeperhost
chmod +x modpacks.ch
'';
fetchPhase = ''
curl https://api.modpacks.ch/public/modpack/${toString cfg.modpackId}/${toString cfg.versionId}/server/linux -o modpacks.ch # fuck creeperhost
chmod +x modpacks.ch
'';
installPhase = ''
mkdir ebin $out
installPhase = ''
mkdir ebin $out
cat > ebin/java <<EOF
#!$(which sh)
cat > ebin/java <<EOF
#!$(which sh)
echo "cd \$PWD && java \$@" > install-forge
EOF
chmod +x ebin/java
export PATH=$PWD/ebin:$PATH
echo "cd \$PWD && java \$@" > install-forge
EOF
chmod +x ebin/java
export PATH=$PWD/ebin:$PATH
./modpacks.ch ${toString cfg.modpackId} ${toString cfg.versionId} --nojava --path $out --verbose
'';
./modpacks.ch ${toString cfg.modpackId} ${toString cfg.versionId} --nojava --path $out --verbose
'';
fixupPhase = ''
# delete useless non-reproducible data that we really don't need. A less "shotgun" cleaning is possible
rm $out/version.json
fixupPhase = ''
# delete useless non-reproducible data that we really don't need. A less "shotgun" cleaning is possible
rm $out/version.json
${cfg.extraFixup}
'';
};
in
pkgs.stdenv.mkDerivation {
pname = "minecraft";
version = "unknown";
${cfg.extraFixup}
'';
};
in
pkgs.stdenv.mkDerivation {
pname = "minecraft";
version = "unknown";
phases = ["installPhase"];
phases = [ "installPhase" ];
installPhase = ''
mkdir -p $out/bin
installPhase = ''
mkdir -p $out/bin
cp ${pkgs.writeShellScript "server.sh" ''
export PATH=${makeBinPath (with pkgs; [coreutils findutils bash cfg.javaPackage])}:$PATH
export _path=$PWD
echo $0
cp ${pkgs.writeShellScript "server.sh" ''
export PATH=${makeBinPath (with pkgs; [ coreutils findutils bash cfg.javaPackage ])}:$PATH
export _path=$PWD
echo $0
echo $rw_paths
function linkFile()
{
_rw_paths=${"( " + lib.concatMapStringsSep " " (x: ''"${x}"'') ["config" "modpack/gamemodes.json"] + " )"}
_ignore_paths=${"( " + lib.concatMapStringsSep " " (x: ''"${x}"'') ["start.sh"] + " )"}
echo $rw_paths
function linkFile()
{
_rw_paths=${"( " + lib.concatMapStringsSep " " (x: ''"${x}"'') [ "config" "modpack/gamemodes.json" ] + " )"}
_ignore_paths=${"( " + lib.concatMapStringsSep " " (x: ''"${x}"'') [ "start.sh" ] + " )"}
ignore=0
for ignore_path in ''${_ignore_paths[@]} ; do
if [ "''${1##ignore_path}" != "$1" ] || [ "$ignore_path" = "$1" ] ; then
ignore=1
break
fi
done
if [ -f "$1" ] || [ $ignore = 1 ] ; then
return
ignore=0
for ignore_path in ''${_ignore_paths[@]} ; do
if [ "''${1##ignore_path}" != "$1" ] || [ "$ignore_path" = "$1" ] ; then
ignore=1
break
fi
mkdir -p "$_path/$(dirname "$1")"
done
copy=0
for rw_path in ''${_rw_paths[@]} ; do
if [ "''${1##$rw_path}" != "$1" ] || [ "$rw_path" = "$1" ] ; then
copy=1
break
fi
done
if [ "$copy" = 1 ] ; then
cp --no-preserve=mode,ownership "${forgeFod}/$1" "$_path/$1"
else
ln -s "${forgeFod}/$1" "$_path/$1"
fi
}
export -f linkFile
echo $_path
if [ "$_path" = "" ] || ! [ -d "$_path" ] ; then
echo "invalid path"
exit 1
if [ -f "$1" ] || [ $ignore = 1 ] ; then
return
fi
mkdir -p "$_path/$(dirname "$1")"
find $_path -type l -lname '/nix/store/*' -delete
find $_path -type d -empty -delete
copy=0
for rw_path in ''${_rw_paths[@]} ; do
if [ "''${1##$rw_path}" != "$1" ] || [ "$rw_path" = "$1" ] ; then
copy=1
break
fi
done
find ${forgeFod} -type f -printf '%P\n' | tr '\n' '\0' | xargs -0 -I {} sh -c 'linkFile "$1"' sh {} # mkdir -p "$_path/$(dirname "$1")" ; ln -s "${forgeFod}/$1" "$_path/$1"
if [ "$copy" = 1 ] ; then
cp --no-preserve=mode,ownership "${forgeFod}/$1" "$_path/$1"
else
ln -s "${forgeFod}/$1" "$_path/$1"
fi
}
export -f linkFile
ln -s ${pkgs.writeShellScript "start.sh" ''
${lib.getExe cfg.javaPackage} $(cat ${forgeFod}/start.sh | grep -e "java" -e jar | sed 's/^"java" \(.*\) -jar .*$/\1/') "$@" -jar forge-*.jar
''} $_path/start.sh
echo $_path
if [ "$_path" = "" ] || ! [ -d "$_path" ] ; then
echo "invalid path"
exit 1
fi
# [ -f $_path/install-forge ] && bash install-forge
find $_path -type l -lname '/nix/store/*' -delete
find $_path -type d -empty -delete
$_path/start.sh
''} $out/bin/server
'';
};
find ${forgeFod} -type f -printf '%P\n' | tr '\n' '\0' | xargs -0 -I {} sh -c 'linkFile "$1"' sh {} # mkdir -p "$_path/$(dirname "$1")" ; ln -s "${forgeFod}/$1" "$_path/$1"
ln -s ${pkgs.writeShellScript "start.sh" ''
${lib.getExe cfg.javaPackage} $(cat ${forgeFod}/start.sh | grep -e "java" -e jar | sed 's/^"java" \(.*\) -jar .*$/\1/') "$@" -jar forge-*.jar
''} $_path/start.sh
# [ -f $_path/install-forge ] && bash install-forge
$_path/start.sh
''} $out/bin/server
'';
};
init.services.minecraft-forge = {
script = pkgs.writeShellScript "minecraft-run" ''
@ -176,7 +176,8 @@ in
};
assertions = [
{ assertion = cfg.eulaAccept;
{
assertion = cfg.eulaAccept;
message = "You must accept the EULA";
}
];
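Review bot: In the `linkFile` shell function inside the `server.sh` script (both copies of the reformatted lines show it), the ignore test reads `"''${1##ignore_path}"` — after Nix's `''$` escape the shell sees `${1##ignore_path}`, which strips the literal prefix `ignore_path` rather than the loop variable's value, so the `_ignore_paths` entries (here `start.sh`) are never matched by the prefix branch and only the exact-equality fallback works. The sibling loop a few lines below does it correctly with `"''${1##$rw_path}"`; the fix is the one line `if [ "''${1##$ignore_path}" != "$1" ] || [ "$ignore_path" = "$1" ] ; then`. With the bug, a file whose relative path merely begins with an ignored prefix is still symlinked from the store into `$_path`, which is presumably not what the ignore list intends — worth confirming against the modpack layout. The alejandra reformat carries this over unchanged; the enclosing `config = mkIf cfg.enable { … }` block starts and ends outside this hunk.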


@ -1,9 +1,12 @@
{ pkgs, config, lib, ... }:
with lib;
let
cfg = config.services.minecraft.vanilla;
in
{
pkgs,
config,
lib,
...
}:
with lib; let
cfg = config.services.minecraft.vanilla;
in {
options.services.minecraft.vanilla = {
enable = mkEnableOption "Enable Minecraft server service.";
@ -27,35 +30,33 @@ in
};
config = mkIf cfg.enable {
services.minecraft.vanilla.serverPackage = pkgs.stdenv.mkDerivation {
pname = "minecraft";
version = "unknown";
services.minecraft.vanilla.serverPackage =
pkgs.stdenv.mkDerivation {
pname = "minecraft";
version = "unknown";
src = pkgs.fetchurl {
url = "https://piston-data.mojang.com/v1/objects/84194a2f286ef7c14ed7ce0090dba59902951553/server.jar";
hash = "sha256-RIsU/6VxKZ7Sk59dgG4dudHhRLcD+ki32Ab0wv00Tik=";
executable = true;
};
phases = [ "installPhase" ];
installPhase = ''
mkdir -p $out/bin
${lib.getExe pkgs.jdk17} -jar $src --initSettings
mkdir -p $out/share
cp server.properties $out/share/
cp ${pkgs.writeShellScript "server.sh" ''
[ -f server.properties ] || cp @out@/share/server.properties .
${lib.getExe pkgs.jdk17} "$@" -jar @src@
''} $out/bin/server
substituteInPlace $out/bin/server --subst-var src --subst-var out
'';
src = pkgs.fetchurl {
url = "https://piston-data.mojang.com/v1/objects/84194a2f286ef7c14ed7ce0090dba59902951553/server.jar";
hash = "sha256-RIsU/6VxKZ7Sk59dgG4dudHhRLcD+ki32Ab0wv00Tik=";
executable = true;
};
phases = ["installPhase"];
installPhase = ''
mkdir -p $out/bin
${lib.getExe pkgs.jdk17} -jar $src --initSettings
mkdir -p $out/share
cp server.properties $out/share/
cp ${pkgs.writeShellScript "server.sh" ''
[ -f server.properties ] || cp @out@/share/server.properties .
${lib.getExe pkgs.jdk17} "$@" -jar @src@
''} $out/bin/server
substituteInPlace $out/bin/server --subst-var src --subst-var out
'';
};
init.services.minecraft-vanilla = {
script = pkgs.writeShellScript "minecraft-run" ''
set -xe
@ -70,7 +71,8 @@ in
};
assertions = [
{ assertion = cfg.eulaAccept;
{
assertion = cfg.eulaAccept;
message = "You must accept the EULA";
}
];


@ -1,15 +1,19 @@
{ inputs', lib, ... }:
let
inherit (lib)
flip
mapAttrs;
in
{
inputs',
lib,
...
}: let
inherit
(lib)
flip
mapAttrs
;
in {
nix.registry =
flip mapAttrs inputs'
(
n: flake: {inherit flake;}
);
(
n: flake: {inherit flake;}
);
nix.settings = {
substituters = [
"https://cache.nixos.org/"
@ -18,7 +22,7 @@ in
trusted-public-keys = [
"redalder-nix-cache-1:8t4zBJWgVtrfAOJ45iNHEqA/dDFV47Sr1sGa8ME9ru0="
];
experimental-features = [ "flakes" "nix-command" ];
experimental-features = ["flakes" "nix-command"];
};
nixpkgs.config.allowUnfree = true;
}


@ -1,15 +1,12 @@
# SPDX-FileCopyrightText: 2022 Richard Brežák <richard@brezak.sk>
#
# SPDX-License-Identifier: LGPL-3.0-or-later
{
lib,
...
}:
let
inherit (lib)
singleton;
in
{
{lib, ...}: let
inherit
(lib)
singleton
;
in {
nix.settings.trusted-users = singleton "@wheel";
services.openssh = {


@ -1,5 +1,4 @@
{ secret, ... }:
{
{secret, ...}: {
security.rtkit.enable = true;
services.pipewire = {
enable = true;


@ -1,5 +1,4 @@
{ secret, ... }:
{
{secret, ...}: {
users = {
mutableUsers = false;


@ -1,6 +1,12 @@
{ options, config, lib, pkgs, ... }:
let
inherit (lib)
{
options,
config,
lib,
pkgs,
...
}: let
inherit
(lib)
mkEnableOption
mkOption
literalExpression
@ -46,55 +52,51 @@ in {
options = {
paths.provisioning = mkOption {
type = types.submodule {
options =
let
provisioningOption = name: cname:
mkOption {
type = types.submodule {
options = {
apiVersion = mkOption {
type = types.int;
default = 1;
};
options = let
provisioningOption = name: cname:
mkOption {
type = types.submodule {
options = {
apiVersion = mkOption {
type = types.int;
default = 1;
};
"delete${cname}" = mkOption {
type = provisioningSettingsFormat.type;
default = [];
};
"delete${cname}" = mkOption {
type = provisioningSettingsFormat.type;
default = [];
};
"${name}" = mkOption {
type = provisioningSettingsFormat.type;
default = [];
};
"${name}" = mkOption {
type = provisioningSettingsFormat.type;
default = [];
};
};
default = {};
};
in
{
datasources = provisioningOption "datasources" "Datasources";
plugins = provisioningOption "plugins" "Plugins";
dashboards = provisioningOption "dashboards" "Dashboards";
notifiers = provisioningOption "notifiers" "Notifiers";
alerting = provisioningOption "alerting" "Alerting";
default = {};
};
in {
datasources = provisioningOption "datasources" "Datasources";
plugins = provisioningOption "plugins" "Plugins";
dashboards = provisioningOption "dashboards" "Dashboards";
notifiers = provisioningOption "notifiers" "Notifiers";
alerting = provisioningOption "alerting" "Alerting";
};
};
default = {};
apply = x:
let
ln = name:
''
mkdir -p $out/${name}
ln -s ${provisioningSettingsFormat.generate "config.yaml" x.${name}} $out/${name}/config.yaml
'';
in
pkgs.runCommand "grafana-provisioning" {} ''
${ln "datasources"}
${ln "notifiers"}
${ln "alerting"}
${ln "plugins"}
${ln "dashboards"}
'';
apply = x: let
ln = name: ''
mkdir -p $out/${name}
ln -s ${provisioningSettingsFormat.generate "config.yaml" x.${name}} $out/${name}/config.yaml
'';
in
pkgs.runCommand "grafana-provisioning" {} ''
${ln "datasources"}
${ln "notifiers"}
${ln "alerting"}
${ln "plugins"}
${ln "dashboards"}
'';
};
};
};
@ -104,7 +106,7 @@ in {
};
config = mkIf cfg.enable {
environment.systemPackages = [ cfg.package ];
environment.systemPackages = [cfg.package];
services.grafana-magic.settings = {
server = {
@ -124,8 +126,8 @@ in {
systemd.services.grafana = {
description = "Grafana Service Daemon";
wantedBy = [ "multi-user.target" ];
after = [ "networking.target" ];
wantedBy = ["multi-user.target"];
after = ["networking.target"];
serviceConfig = {
ExecStart = "${cfg.package}/bin/grafana-server -homepath ${cfg.dataDir} -config ${settingsFile}";
WorkingDirectory = cfg.dataDir;
@ -133,9 +135,12 @@ in {
RuntimeDirectory = "grafana";
RuntimeDirectoryMode = "0755";
# Hardening
AmbientCapabilities = lib.mkIf (cfg.settings.server.http_port < 1024) [ "CAP_NET_BIND_SERVICE" ];
CapabilityBoundingSet = if (cfg.settings.server.http_port < 1024) then [ "CAP_NET_BIND_SERVICE" ] else [ "" ];
DeviceAllow = [ "" ];
AmbientCapabilities = lib.mkIf (cfg.settings.server.http_port < 1024) ["CAP_NET_BIND_SERVICE"];
CapabilityBoundingSet =
if (cfg.settings.server.http_port < 1024)
then ["CAP_NET_BIND_SERVICE"]
else [""];
DeviceAllow = [""];
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
@ -150,17 +155,19 @@ in {
ProtectProc = "invisible";
ProtectSystem = "full";
RemoveIPC = true;
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_UNIX"];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
# Upstream grafana is not setting SystemCallFilter for compatibility
# reasons, see https://github.com/grafana/grafana/pull/40176
SystemCallFilter = [
"@system-service"
"~@privileged"
] ++ lib.optional (cfg.settings.server.protocol == "socket") [ "@chown" ];
SystemCallFilter =
[
"@system-service"
"~@privileged"
]
++ lib.optional (cfg.settings.server.protocol == "socket") ["@chown"];
UMask = "0027";
};
preStart = ''


@ -1,93 +1,106 @@
{ config, lib, pkgs, ... }:
with lib;
let
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.services.hashicorp-envoy;
serviceFormat = pkgs.formats.json {};
serviceFile = name: value:
if value.type == "normal" then
serviceFormat.generate "${name}-service.json" { service = value.service; }
else
serviceFormat.generate "${name}-service.json" value.service;
in
{
if value.type == "normal"
then serviceFormat.generate "${name}-service.json" {service = value.service;}
else serviceFormat.generate "${name}-service.json" value.service;
in {
options.services.hashicorp-envoy = mkOption {
description = mdDoc ''
'';
description =
mdDoc ''
'';
type = types.attrsOf (types.submodule {
options = {
service = mkOption {
description = mdDoc ''
'';
type = with types; oneOf [ serviceFormat.type (listOf serviceFormat.type) ];
description =
mdDoc ''
'';
type = with types; oneOf [serviceFormat.type (listOf serviceFormat.type)];
};
type = mkOption {
description = mdDoc ''
'';
type = with types; enum [ "ingress" "terminating" "normal" ];
description =
mdDoc ''
'';
type = with types; enum ["ingress" "terminating" "normal"];
default = "normal";
};
environment = mkOption {
description = mdDoc ''
'';
description =
mdDoc ''
'';
type = with types; attrsOf str;
default = {};
};
adminBind = mkOption {
description = mdDoc ''
'';
description =
mdDoc ''
'';
type = types.str;
};
address = mkOption {
description = mdDoc ''
'';
description =
mdDoc ''
'';
type = types.str;
default = "0.0.0.0:19000";
};
drainTime = mkOption {
description = mdDoc ''
'';
description =
mdDoc ''
'';
type = types.int;
default = 15;
};
parentShutdownTime = mkOption {
description = mdDoc ''
'';
description =
mdDoc ''
'';
type = types.int;
default = 20;
};
hotRestart = mkOption {
description = mdDoc ''
'';
description =
mdDoc ''
'';
type = types.bool;
default = false;
};
consulPackage = mkOption {
description = mdDoc ''
'';
description =
mdDoc ''
'';
type = types.package;
default = pkgs.consul;
};
envoyPackage = mkOption {
description = mdDoc ''
'';
description =
mdDoc ''
'';
type = types.package;
default = pkgs.envoy;
};
extraConsulArgs = mkOption {
description = mdDoc ''
'';
description =
mdDoc ''
'';
type = with types; listOf str;
default = [];
};
@ -97,73 +110,74 @@ in
};
config = {
systemd.services = flip mapAttrs' cfg (name: value:
nameValuePair
systemd.services = flip mapAttrs' cfg (
name: value:
nameValuePair
"hashicorp-envoy-${name}"
{
description = name;
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
wantedBy = ["multi-user.target"];
wants = ["network-online.target"];
after = ["network-online.target"];
path = [ value.envoyPackage ];
path = [value.envoyPackage];
restartIfChanged = true;
preStart =
if value.type == "normal" then
''
${value.consulPackage}/bin/consul services register ${serviceFile name value}
''
else
''
${value.consulPackage}/bin/consul config write ${serviceFile name value}
'';
if value.type == "normal"
then ''
${value.consulPackage}/bin/consul services register ${serviceFile name value}
''
else ''
${value.consulPackage}/bin/consul config write ${serviceFile name value}
'';
postStop =
if value.type == "normal" then
if value.type == "normal"
then ''
${value.consulPackage}/bin/consul services deregister -id=${value.service.id}
''
else ''
${value.consulPackage}/bin/consul config delete -filename ${serviceFile name value}
'';
script = let
startEnvoy =
pkgs.writeShellScript "start_envoy_${name}.sh"
''
${value.consulPackage}/bin/consul services deregister -id=${value.service.id}
''
else
''
${value.consulPackage}/bin/consul config delete -filename ${serviceFile name value}
exec ${value.consulPackage}/bin/consul connect envoy \
${concatStringsSep " " value.extraConsulArgs} \
${optionalString (value.type == "normal") ''
-sidecar-for ${value.service.id} \
''} \
${optionalString (value.type == "ingress") ''
-gateway=ingress \
-register \
-service ${value.service.name} \
''} \
-admin-bind ${value.adminBind} \
-address ${value.address} \
${optionalString value.hotRestart ''
-- \
$([[ $RESTART_EPOCH == 0 ]] && printf -- "--use-dynamic-base-id --base-id-path $RUNTIME_DIRECTORY/id") \
$([[ $RESTART_EPOCH == 0 ]] || printf -- "--base-id $(cat $RUNTIME_DIRECTORY/id)") \
--restart-epoch $RESTART_EPOCH \
--drain-time-s ${toString value.drainTime} \
--parent-shutdown-time-s ${toString value.parentShutdownTime}
''}
'';
script =
let
startEnvoy = pkgs.writeShellScript "start_envoy_${name}.sh"
''
exec ${value.consulPackage}/bin/consul connect envoy \
${concatStringsSep " " value.extraConsulArgs} \
${optionalString (value.type == "normal") ''
-sidecar-for ${value.service.id} \
''} \
${optionalString (value.type == "ingress") ''
-gateway=ingress \
-register \
-service ${value.service.name} \
''} \
-admin-bind ${value.adminBind} \
-address ${value.address} \
${optionalString value.hotRestart ''
-- \
$([[ $RESTART_EPOCH == 0 ]] && printf -- "--use-dynamic-base-id --base-id-path $RUNTIME_DIRECTORY/id") \
$([[ $RESTART_EPOCH == 0 ]] || printf -- "--base-id $(cat $RUNTIME_DIRECTORY/id)") \
--restart-epoch $RESTART_EPOCH \
--drain-time-s ${toString value.drainTime} \
--parent-shutdown-time-s ${toString value.parentShutdownTime}
''}
'';
in
if value.hotRestart then
"exec ${pkgs.python3}/bin/python ${value.envoyPackage.src}/restarter/hot-restarter.py ${startEnvoy}"
else
"exec ${startEnvoy}";
in
if value.hotRestart
then "exec ${pkgs.python3}/bin/python ${value.envoyPackage.src}/restarter/hot-restarter.py ${startEnvoy}"
else "exec ${startEnvoy}";
environment = value.environment;
serviceConfig = {
ExecReload = if value.hotRestart then "${pkgs.coreutils}/bin/kill -HUP $MAINPID" else null;
ExecReload =
if value.hotRestart
then "${pkgs.coreutils}/bin/kill -HUP $MAINPID"
else null;
KillMode = "control-group";
KillSignal = "SIGINT";
LimitNOFILE = 65536;


@ -1,174 +1,177 @@
{ config, pkgs, lib, ... }:
with lib;
let
format = pkgs.formats.json { };
{
config,
pkgs,
lib,
...
}:
with lib; let
format = pkgs.formats.json {};
hashiServiceModule =
{ config, ... }:
let
cfg' = config;
in
{
options = {
enable = mkEnableOption "Enable HashiCorp service";
hashiServiceModule = {config, ...}: let
cfg' = config;
in {
options = {
enable = mkEnableOption "Enable HashiCorp service";
package = mkOption {
type = with types;
package;
};
package = mkOption {
type = with types; package;
};
settings = mkOption {
type = format.type;
default = {};
};
settings = mkOption {
type = format.type;
default = {};
};
settingsFile = mkOption {
type = with types;
path;
default = format.generate "${cfg'.package.pname}.json" cfg'.settings;
};
settingsFile = mkOption {
type = with types; path;
default = format.generate "${cfg'.package.pname}.json" cfg'.settings;
};
command = mkOption {
type = with types;
str;
default =
let
switch =
{ "nomad" = "agent";
"vault" = "server";
"vault-bin" = "server";
"consul" = "agent";
};
in switch.${cfg'.package.pname} or "";
};
command = mkOption {
type = with types; str;
default = let
switch = {
"nomad" = "agent";
"vault" = "server";
"vault-bin" = "server";
"consul" = "agent";
};
in
switch.${cfg'.package.pname} or "";
};
extraSettingsPaths = mkOption {
type = with types;
listOf path;
default = [];
};
extraSettingsPaths = mkOption {
type = with types;
listOf path;
default = [];
};
extraPluginPaths = mkOption {
type = with types;
listOf path;
default = [];
};
extraPluginPaths = mkOption {
type = with types;
listOf path;
default = [];
};
extraArguments = mkOption {
type = with types;
listOf str;
default = [];
};
extraArguments = mkOption {
type = with types;
listOf str;
default = [];
};
extraPackages = mkOption {
type = with types;
listOf package;
default = with pkgs;
let
switch =
{ "nomad" = [ coreutils iproute2 iptables ];
"vault" = [ ];
"vault-bin" = [ ];
"consul" = [ ];
};
in
switch.${cfg'.package.pname} or [];
};
extraPackages = mkOption {
type = with types;
listOf package;
default = with pkgs; let
switch = {
"nomad" = [coreutils iproute2 iptables];
"vault" = [];
"vault-bin" = [];
"consul" = [];
};
in
switch.${cfg'.package.pname} or [];
};
dynamic = mkOption {
type = with types;
nullOr package;
default = null;
};
dynamic = mkOption {
type = with types;
nullOr package;
default = null;
};
};
};
cfg = config.services.hashicorp;
in
{
in {
options.services.hashicorp = mkOption {
type = with types;
attrsOf (submodule hashiServiceModule);
default = {};
};
config.environment.etc = flip mapAttrs' (filterAttrs (_: v: v.enable) cfg)
(name: value:
nameValuePair
config.environment.etc =
flip mapAttrs' (filterAttrs (_: v: v.enable) cfg)
(
name: value:
nameValuePair
"${name}.d/main.json"
{ source = value.settingsFile; }
{source = value.settingsFile;}
);
config.systemd.services = zipAttrsWith (const head)
[ (flip mapAttrs' (filterAttrs (_: v: v.enable) cfg)
(name: value:
let
configOpt =
let
switch =
{ "nomad" = "--config";
"consul" = "--config-file";
"vault" = "--config";
"vault-bin" = "--config";
};
config.systemd.services =
zipAttrsWith (const head)
[
(flip mapAttrs' (filterAttrs (_: v: v.enable) cfg)
(
name: value: let
configOpt = let
switch = {
"nomad" = "--config";
"consul" = "--config-file";
"vault" = "--config";
"vault-bin" = "--config";
};
in
switch.${value.package.pname} or "";
in
nameValuePair
in
nameValuePair
("hashicorp-" + name)
{ description = name;
{
description = name;
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
wantedBy = ["multi-user.target"];
wants = ["network-online.target"];
after = ["network-online.target"];
path = value.extraPackages;
restartIfChanged = false;
serviceConfig =
{ ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
ExecStart = "${value.package}/bin/${value.package.meta.mainProgram or value.package.pname} ${value.command} " +
(optionalString (value.package.pname != "vault" || value.command != "agent") "${configOpt}=/etc/${name}.d ") +
"${concatMapStringsSep " " (v: "${configOpt}=${v}") value.extraSettingsPaths} " +
"${concatMapStringsSep " " (v: "--plugin-dir=${v}/bin") value.extraPluginPaths} " +
(optionalString (value.package.pname == "vault" && value.command == "agent") "${configOpt}=/etc/${name}.d/main.json ") +
"${concatStringsSep " " value.extraArguments} ";
serviceConfig = {
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
ExecStart =
"${value.package}/bin/${value.package.meta.mainProgram or value.package.pname} ${value.command} "
+ (optionalString (value.package.pname != "vault" || value.command != "agent") "${configOpt}=/etc/${name}.d ")
+ "${concatMapStringsSep " " (v: "${configOpt}=${v}") value.extraSettingsPaths} "
+ "${concatMapStringsSep " " (v: "--plugin-dir=${v}/bin") value.extraPluginPaths} "
+ (optionalString (value.package.pname == "vault" && value.command == "agent") "${configOpt}=/etc/${name}.d/main.json ")
+ "${concatStringsSep " " value.extraArguments} ";
KillMode = "process";
KillSignal = "SIGINT";
LimitNOFILE = 65536;
LimitNPROC = "infinity";
OOMScoreAdjust = -1000;
Restart = "always";
RestartSec = 2;
TasksMax = "infinity";
KillMode = "process";
KillSignal = "SIGINT";
LimitNOFILE = 65536;
LimitNPROC = "infinity";
OOMScoreAdjust = -1000;
Restart = "always";
RestartSec = 2;
TasksMax = "infinity";
StateDirectory = value.package.pname;
};
StateDirectory = value.package.pname;
};
}
))
))
(flip mapAttrs' (filterAttrs (_: v: v.enable && v.dynamic != null) cfg)
(name: value:
nameValuePair
("hashicorp-${name}-dynamic")
{ description = name;
(
name: value:
nameValuePair
"hashicorp-${name}-dynamic"
{
description = name;
wantedBy = [ "hashicorp-${name}.service" ];
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
before = [ "hashicorp-${name}.service" ];
wantedBy = ["hashicorp-${name}.service"];
wants = ["network-online.target"];
after = ["network-online.target"];
before = ["hashicorp-${name}.service"];
path = value.extraPackages;
path = value.extraPackages;
restartIfChanged = true;
restartIfChanged = true;
serviceConfig =
{ ExecStart = value.dynamic;
serviceConfig = {
ExecStart = value.dynamic;
RemainAfterExit = true;
Type = "oneshot";
};
}
))
}
))
];
}


@ -1,8 +1,13 @@
{ config, pkgs, lib, ... }:
let
{
config,
pkgs,
lib,
...
}: let
cfg = config.services.influxdb2.provision;
inherit (lib)
inherit
(lib)
mkEnableOption
mkOption
types
@ -10,55 +15,59 @@ let
flip
mapAttrsToList
getExe
mkIf;
mkIf
;
taskOptions =
{ ... }:
{
options = {
cron = mkOption {
type = with types; nullOr str;
default = null;
description = mdDoc ''
taskOptions = {...}: {
options = {
cron = mkOption {
type = with types; nullOr str;
default = null;
description =
mdDoc ''
'';
};
};
every = mkOption {
type = with types; nullOr str;
default = null;
description = mdDoc ''
every = mkOption {
type = with types; nullOr str;
default = null;
description =
mdDoc ''
'';
};
};
fluxFile = mkOption {
type = types.path;
description = mdDoc ''
fluxFile = mkOption {
type = types.path;
description =
mdDoc ''
'';
};
};
offset = mkOption {
type = types.str;
default = "0m";
description = mdDoc ''
offset = mkOption {
type = types.str;
default = "0m";
description =
mdDoc ''
'';
};
};
};
};
tasksFile =
(pkgs.formats.json {}).generate "tasks.json"
(flip mapAttrsToList cfg.tasks (name: value:
{
inherit name;
flux_file = value.fluxFile;
inherit (value)
every
cron
offset;
}
));
in
{
(flip mapAttrsToList cfg.tasks (
name: value: {
inherit name;
flux_file = value.fluxFile;
inherit
(value)
every
cron
offset
;
}
));
in {
options = {
services.influxdb2.provision-magic = {
enable = mkEnableOption "Enable InfluxDB2 provisioning";
@ -66,36 +75,40 @@ in
itpPackage = mkOption {
type = types.package;
default = pkgs.itp;
description = mdDoc ''
'';
description =
mdDoc ''
'';
};
stateFile = mkOption {
type = types.str;
description = mdDoc ''
'';
description =
mdDoc ''
'';
};
organization = mkOption {
type = types.str;
description = mdDoc ''
'';
description =
mdDoc ''
'';
};
tasks = mkOption {
type = with types; attrsOf (submodule taskOptions);
default = {};
description = mdDoc ''
'';
description =
mdDoc ''
'';
};
};
};
config = mkIf cfg.enable {
systemd.services.influxdb2-provision = {
after = [ "influxdb2.service" ];
wants = [ "influxdb2.service" ];
wantedBy = [ "multi-user.target" ];
after = ["influxdb2.service"];
wants = ["influxdb2.service"];
wantedBy = ["multi-user.target"];
restartIfChanged = true;
@ -110,7 +123,8 @@ in
};
};
assertions = flip mapAttrsToList cfg.tasks
assertions =
flip mapAttrsToList cfg.tasks
(n: v: {
assertion = (v.cron != null && v.every == null) || (v.cron == null && v.every != null);
message = "Exactly one of `services.influxdb2.provision.tasks.${n}.{cron, every}` must be non `null`";

View file

@ -1,6 +1,11 @@
{ config, lib, notnft, ... }:
let
inherit (lib)
{
config,
lib,
notnft,
...
}: let
inherit
(lib)
mapAttrsToList
mkOption
hasAttr
@ -9,7 +14,8 @@ let
flip
mapAttrs'
mapAttrs
nameValuePair;
nameValuePair
;
# a = [
# [ (is.eq ip.protocol (f: with f; set [ tcp ])) (is.eq ip.daddr "10.80.1.2") (is.eq th.dport "22") accept ]
@ -30,7 +36,7 @@ let
};
protocol = mkOption {
type = types.listOf (types.enum [ "tcp" "udp" ]);
type = types.listOf (types.enum ["tcp" "udp"]);
};
};
@ -69,24 +75,23 @@ let
};
lookupService = name: type: context:
if hasAttr name cfg.services.${type} then
cfg.services.${type}.${name}
else
throw "Unknown ${type} service ${name} at ${context}";
if hasAttr name cfg.services.${type}
then cfg.services.${type}.${name}
else throw "Unknown ${type} service ${name} at ${context}";
lookupIds = hostName: context:
if hasAttr hostName subConfigurations then
{
inherit (subConfigurations.${hostName}.config.config.microvm)
groupId
taskId;
}
else
throw "Unknown hostName ${hostName} at ${context}";
if hasAttr hostName subConfigurations
then {
inherit
(subConfigurations.${hostName}.config.config.microvm)
groupId
taskId
;
}
else throw "Unknown hostName ${hostName} at ${context}";
subConfigurations = cfg.vms;
in
{
in {
options.microvm = {
services = {
tcpUdp = mkOption {
@ -126,86 +131,86 @@ in
};
};
config.microvm.services.tcpUdp = flip mapAttrs' cfg.services.http
(n: v:
nameValuePair
config.microvm.services.tcpUdp =
flip mapAttrs' cfg.services.http
(
n: v:
nameValuePair
(n + "@http")
{
inherit (v)
inherit
(v)
hostName
port;
protocol = [ "tcp" ];
port
;
protocol = ["tcp"];
}
);
config.microvm.connections.tcpUdp = flip map cfg.connections.http
(v:
{
config.microvm.connections.tcpUdp =
flip map cfg.connections.http
(
v: {
target = v.target + "@http";
}
);
config.networking.notnft.rules =
with notnft.dsl; with payload; ruleset {
bridge-t = add table { family = f: f.bridge; } {
config.networking.notnft.rules = with notnft.dsl;
with payload;
ruleset {
bridge-t = add table {family = f: f.bridge;} {
output-body = lib.foldl (acc: x: acc x) (add chain) ((flip mapAttrsToList subConfigurations
(n: v:
let
microvmConfig = v.config.config.microvm;
tcpUdpRules =
flip map microvmConfig.connections.tcpUdp (connection:
let
service = lookupService connection.target "tcpUdp" n;
ids = lookupIds service.hostName n;
in
[
(is.eq meta.oifname "mvm-${microvmConfig.hostName}")
(is.eq ip.protocol (f: with f; set (map (protocolEnumToNft f) service.protocol)))
(is.eq ip.saddr "10.80.${toString microvmConfig.groupId}.${toString microvmConfig.taskId}")
(is.eq ip.daddr "10.80.${toString ids.groupId}.${toString ids.taskId}")
(is.eq th.dport service.port)
accept
]);
icmpRules =
flip map microvmConfig.connections.icmp (connection:
let
service = lookupService connection.target "icmp" n;
ids = lookupIds service.hostName n;
in
[
(is.eq meta.oifname "mvm-${microvmConfig.hostName}")
(is.eq ip.protocol (f: with f; icmp))
(is.eq ip.saddr "10.80.${toString microvmConfig.groupId}.${toString microvmConfig.taskId}")
(is.eq ip.daddr "10.80.${toString ids.groupId}.${toString ids.taskId}")
accept
]);
in
tcpUdpRules ++ icmpRules
)) ++ (flip map cfg.connections.icmp (connection:
let
(
n: v: let
microvmConfig = v.config.config.microvm;
tcpUdpRules = flip map microvmConfig.connections.tcpUdp (connection: let
service = lookupService connection.target "tcpUdp" n;
ids = lookupIds service.hostName n;
in [
(is.eq meta.oifname "mvm-${microvmConfig.hostName}")
(is.eq ip.protocol (f: with f; set (map (protocolEnumToNft f) service.protocol)))
(is.eq ip.saddr "10.80.${toString microvmConfig.groupId}.${toString microvmConfig.taskId}")
(is.eq ip.daddr "10.80.${toString ids.groupId}.${toString ids.taskId}")
(is.eq th.dport service.port)
accept
]);
icmpRules = flip map microvmConfig.connections.icmp (connection: let
service = lookupService connection.target "icmp" n;
ids = lookupIds service.hostName n;
in [
(is.eq meta.oifname "mvm-${microvmConfig.hostName}")
(is.eq ip.protocol (f: with f; icmp))
(is.eq ip.saddr "10.80.${toString microvmConfig.groupId}.${toString microvmConfig.taskId}")
(is.eq ip.daddr "10.80.${toString ids.groupId}.${toString ids.taskId}")
accept
]);
in
tcpUdpRules ++ icmpRules
))
++ (flip map cfg.connections.icmp (
connection: let
service = lookupService connection.target "icmp" "host";
ids = lookupIds service.hostName "host";
in
[
(is.eq meta.oifname "mvm-${service.hostName}")
(is.eq ip.protocol (f: with f; icmp))
(is.eq ip.saddr "10.80.${toString ids.groupId}.1")
(is.eq ip.daddr "10.80.${toString ids.groupId}.${toString ids.taskId}")
accept
]
)) ++ (flip map cfg.connections.tcpUdp (connection:
let
in [
(is.eq meta.oifname "mvm-${service.hostName}")
(is.eq ip.protocol (f: with f; icmp))
(is.eq ip.saddr "10.80.${toString ids.groupId}.1")
(is.eq ip.daddr "10.80.${toString ids.groupId}.${toString ids.taskId}")
accept
]
))
++ (flip map cfg.connections.tcpUdp (
connection: let
service = lookupService connection.target "tcpUdp" "host";
ids = lookupIds service.hostName "host";
in
[
(is.eq meta.oifname "mvm-${service.hostName}")
(is.eq ip.protocol (f: with f; set (map (protocolEnumToNft f) service.protocol)))
(is.eq ip.saddr "10.80.${toString ids.groupId}.1")
(is.eq ip.daddr "10.80.${toString ids.groupId}.${toString ids.taskId}")
(is.eq th.dport service.port)
accept
]
in [
(is.eq meta.oifname "mvm-${service.hostName}")
(is.eq ip.protocol (f: with f; set (map (protocolEnumToNft f) service.protocol)))
(is.eq ip.saddr "10.80.${toString ids.groupId}.1")
(is.eq ip.daddr "10.80.${toString ids.groupId}.${toString ids.taskId}")
(is.eq th.dport service.port)
accept
]
)));
};
};


@ -1,9 +1,14 @@
{ config, lib, ... }:
let
inherit (lib)
{
config,
lib,
...
}: let
inherit
(lib)
mkOption
mkEnableOption
types;
types
;
cfg = config.microvm;
@ -265,7 +270,8 @@ let
"253" = "fd";
"254" = "fe";
"255" = "ff";
}.${toString int};
}
.${toString int};
groupIdOption = mkOption {
type = types.int;
@ -287,8 +293,7 @@ let
type = types.str;
};
};
in
{
in {
options.microvm = {
enableExtras = mkEnableOption "Extras";
groupId = mkOption {
@ -336,9 +341,9 @@ in
}
];
services.udev.extraRules = ''
ATTR{address}=="02:00:00:00:${intToHex cfg.groupId}:${intToHex cfg.taskId}", NAME="eth0"
'';
services.udev.extraRules = ''
ATTR{address}=="02:00:00:00:${intToHex cfg.groupId}:${intToHex cfg.taskId}", NAME="eth0"
'';
networking.interfaces."eth0" = {
ipv4.addresses = [

View file

@ -1,6 +1,10 @@
{ config, lib, pkgs, ... }:
with lib;
let
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.services.telegraf-magic;
settingsFormat = pkgs.formats.toml {};
@ -45,20 +49,20 @@ in {
systemd.services.telegraf = mkMerge [
(cfg.systemd)
{
description = "Telegraf Agent";
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" ];
serviceConfig = {
ExecStart="${cfg.package}/bin/telegraf -config ${configFile}";
ExecReload="${pkgs.coreutils}/bin/kill -HUP $MAINPID";
RuntimeDirectory = "telegraf";
User = "telegraf";
Group = "telegraf";
Restart = "on-failure";
# for ping probes
AmbientCapabilities = [ "CAP_NET_RAW" ];
};
}
description = "Telegraf Agent";
wantedBy = ["multi-user.target"];
after = ["network-online.target"];
serviceConfig = {
ExecStart = "${cfg.package}/bin/telegraf -config ${configFile}";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
RuntimeDirectory = "telegraf";
User = "telegraf";
Group = "telegraf";
Restart = "on-failure";
# for ping probes
AmbientCapabilities = ["CAP_NET_RAW"];
};
}
];
users.users.telegraf = {
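Review bot: `after = ["network-online.target"];` in the new `systemd.services.telegraf` block orders the unit but does not pull the target in; without a matching `wants` the ordering is a no-op on a host where nothing else activates `network-online.target`, and telegraf can start before the network is up. Add `wants = ["network-online.target"];` alongside the `after` line. Nothing else in the hunk changes behaviour; the surrounding `config` block continues outside it.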


@ -1,10 +1,17 @@
{ inputs', lib, config, pkgs, secret, ... }:
let
inherit (lib)
mkForce
singleton;
in
{
inputs',
lib,
config,
pkgs,
secret,
...
}: let
inherit
(lib)
mkForce
singleton
;
in {
services.hashicorp.consul = {
enable = true;


@ -1,17 +1,22 @@
# SPDX-FileCopyrightText: 2022 Richard Brežák <richard@brezak.sk>
#
# SPDX-License-Identifier: LGPL-3.0-or-later
{ inputs, lib', config, ... }:
let
inherit (lib')
{
inputs,
lib',
config,
...
}: let
inherit
(lib')
flip
mapAttrs
singleton
mkForce;
mkForce
;
config' = config;
in
{
in {
flake.nixosConfigurations.altra = inputs.nixpkgs.lib.nixosSystem {
system = "aarch64-linux";
@ -21,60 +26,64 @@ in
secret = lib'.loadSecrets inputs.secret;
};
modules = singleton
({ pkgs, config, ... }:
{
imports = [
# ./consul.nix
# ./nomad.nix
# ./vault-agent.nix
# ./u2t.nix
./grub.nix
./networking.nix
./nixpkgs.nix
./hardware.nix
./filesystems.nix
./users.nix
./http-synapse-proxy.nix
../../common/remote_access.nix
modules =
singleton
({
pkgs,
config,
...
}: {
imports = [
# ./consul.nix
# ./nomad.nix
# ./vault-agent.nix
# ./u2t.nix
./grub.nix
./networking.nix
./nixpkgs.nix
./hardware.nix
./filesystems.nix
./users.nix
./http-synapse-proxy.nix
../../common/remote_access.nix
inputs.serokell-nix.nixosModules.acme-sh
config'.flake.nixosModules.hashicorp
inputs.disko.nixosModules.disko
inputs.serokell-nix.nixosModules.acme-sh
config'.flake.nixosModules.hashicorp
inputs.disko.nixosModules.disko
];
environment.defaultPackages = mkForce [];
nix.settings.allowed-users = ["@wheel"];
security.sudo.execWheelOnly = true;
security.auditd.enable = true;
security.audit.enable = true;
security.audit.rules = [
"-a exit,always -F arch=b64 -S execve"
];
environment.etc."audit/auditd.conf".text = ''
write_logs = no
dispatcher = ${pkgs.audit}/bin/audispd
space_left = 1
'';
_module.args.nixinate = {
host = "altra.redalder.org";
sshUser = "main";
buildOn = "local";
substituteOnTarget = true;
hermetic = false;
nixOptions = [
"--override-input secret path://$HOME/dotfiles/secret"
];
};
environment.defaultPackages = mkForce [];
nix.settings.allowed-users = [ "@wheel" ];
security.sudo.execWheelOnly = true;
environment.systemPackages = [
pkgs.git
];
security.auditd.enable = true;
security.audit.enable = true;
security.audit.rules = [
"-a exit,always -F arch=b64 -S execve"
];
environment.etc."audit/auditd.conf".text = ''
write_logs = no
dispatcher = ${pkgs.audit}/bin/audispd
space_left = 1
'';
_module.args.nixinate = {
host = "altra.redalder.org";
sshUser = "main";
buildOn = "local";
substituteOnTarget = true;
hermetic = false;
nixOptions = [
"--override-input secret path://$HOME/dotfiles/secret"
];
};
environment.systemPackages = [
pkgs.git
];
time.timeZone = "Europe/Amsterdam";
system.stateVersion = "23.05";
});
time.timeZone = "Europe/Amsterdam";
system.stateVersion = "23.05";
});
};
}
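Review bot: The audit setup needs a comment saying where the `execve` events end up, because `write_logs = no` in the `environment.etc."audit/auditd.conf"` text disables auditd's local log entirely and the trail then exists only as far as the configured `dispatcher` forwards it, and no plugin configuration for that dispatcher is visible in this file. Suggest adding above the `environment.etc."audit/auditd.conf"` line: `# auditd keeps no local log (write_logs = no); execve events are only forwarded via the dispatcher, so make sure its plugin config ships with this host`. `space_left = 1` is also meaningless without local logging and may deserve the same comment. Whether the overridden `/etc/audit/auditd.conf` still loads the `security.audit.rules` as intended on this audit version is something I cannot confirm from here.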


@ -1,5 +1,4 @@
{ ... }:
{
{...}: {
disko.devices = {
disk.boot = {
type = "disk";
@ -15,7 +14,7 @@
start = "0";
end = "1MiB";
part-type = "primary";
flags = [ "bios_grub" ];
flags = ["bios_grub"];
}
{
name = "ESP";
@ -80,35 +79,35 @@
type = "zfs_fs";
mountpoint = "/var/lib/nomad";
options.mountpoint = "legacy";
mountOptions = [ "defaults""noexec" ];
mountOptions = ["defaults" "noexec"];
};
"persist/consul" = {
type = "zfs_fs";
mountpoint = "/var/lib/consul";
options.mountpoint = "legacy";
mountOptions = [ "defaults" "noexec" ];
mountOptions = ["defaults" "noexec"];
};
"persist/log" = {
type = "zfs_fs";
mountpoint = "/var/log";
options.mountpoint = "legacy";
mountOptions = [ "defaults" "noexec" ];
mountOptions = ["defaults" "noexec"];
};
"persist/etc" = {
type = "zfs_fs";
mountpoint = "/nix/persist/etc";
options.mountpoint = "legacy";
mountOptions = [ "defaults" "noexec" ];
mountOptions = ["defaults" "noexec"];
};
"persist/secret" = {
type = "zfs_fs";
mountpoint = "/var/secrets";
options.mountpoint = "legacy";
mountOptions = [ "defaults" "noexec" ];
mountOptions = ["defaults" "noexec"];
};
"persist/var" = {
@ -125,7 +124,7 @@
type = "zfs_fs";
mountpoint = "/var/lib/nixos";
options.mountpoint = "legacy";
mountOptions = [ "defaults" "noexec" ];
mountOptions = ["defaults" "noexec"];
};
};
};
@ -133,11 +132,11 @@
nodev = {
"/" = {
fsType = "tmpfs";
mountOptions = [ "defaults" "size=512M" "mode=755" "noexec" ];
mountOptions = ["defaults" "size=512M" "mode=755" "noexec"];
};
"/tmp" = {
fsType = "tmpfs";
mountOptions = [ "defaults" "size=1024M" "mode=755" "exec" ];
mountOptions = ["defaults" "size=1024M" "mode=755" "exec"];
};
};
};


@ -1,9 +1,13 @@
{ pkgs, lib, ... }:
let
inherit (lib)
singleton;
in
{
pkgs,
lib,
...
}: let
inherit
(lib)
singleton
;
in {
boot.loader.efi = {
canTouchEfiVariables = true;
};


@ -1,11 +1,17 @@
{ pkgs, inputs', lib, config, ... }:
let
inherit (lib)
singleton
mkForce;
certs = config.services.acme-sh.certs;
in
{
pkgs,
inputs',
lib,
config,
...
}: let
inherit
(lib)
singleton
mkForce
;
certs = config.services.acme-sh.certs;
in {
users.users.wwwrun = {
group = "wwwrun";
isSystemUser = true;
@ -16,190 +22,186 @@ in
gid = config.ids.gids.wwwrun;
};
systemd.services.apache-proxy =
let
apacheConfiguration = inputs'.nixng.nglib.generators.toApache [
{
LoadModule = [
[ "mpm_event_module" "modules/mod_mpm_event.so" ]
[ "log_config_module" "modules/mod_log_config.so" ]
[ "unixd_module" "modules/mod_unixd.so" ]
[ "authz_core_module" "modules/mod_authz_core.so" ]
[ "authn_core_module" "modules/mod_authn_core.so" ]
[ "dir_module" "modules/mod_dir.so" ]
[ "mime_module" "modules/mod_mime.so" ]
[ "proxy_module" "modules/mod_proxy.so" ]
[ "proxy_http_module" "modules/mod_proxy_http.so" ]
[ "access_compat_module" "modules/mod_access_compat.so" ]
[ "proxy_connect_module" "modules/mod_proxy_connect.so" ]
[ "authn_file_module" "modules/mod_authn_file.so" ]
[ "authz_user_module" "modules/mod_authz_user.so" ]
[ "authz_host_module" "modules/mod_authz_host.so" ]
[ "auth_basic_module" "modules/mod_auth_basic.so" ]
[ "ssl_module" "modules/mod_ssl.so" ]
];
}
{
Listen = "0.0.0.0:8883";
ServerRoot = "/var/empty";
ServerName = "altra";
PidFile = "/run/apache/apache.pid";
DocumentRoot = "/var/empty";
}
{
ErrorLog = "/var/log/apache/error.log";
TransferLog = "/var/log/apache/access.log";
}
{
MaxConnectionsPerChild = 1024;
MaxMemFree = 8192;
ThreadsPerChild = 64;
MaxRequestWorkers = 2048;
ServerLimit = 32;
AsyncRequestWorkerFactor = 8;
}
{
AddType = singleton [
"image/svg+xml"
"svg"
"svgz"
];
AddEncoding = [
"gzip"
"svgz"
];
TypesConfig = "${pkgs.apacheHttpd}/conf/mime.types";
}
{
Directory."/" = {
Require = [ "all" "denied" ];
Options = "SymlinksIfOwnerMatch";
};
VirtualHost."*:8883" = [
{
ProxyRequests = "on";
AddDefaultCharset = "off";
AllowCONNECT = [ "443" "8448" "8433" "8478" "3236" "8080" ];
}
{
ServerName = "synapse-proxy.in.redalder.org";
SSLEngine = "on";
SSLCertificateFile = certs.apache-proxy.certPath;
SSLCertificateKeyFile = certs.apache-proxy.keyPath;
SSLCipherSuite = "HIGH:!aNULL:!MD5";
}
{
Proxy."*" = {
Require = [ "all" "denied" ];
};
}
{
ProxyMatch."^([a-zA-Z\-_0-9]+\.)+[a-zA-Z\-_0-9]*:(443|8448|8443|8478|3236|8080).*$" = {
AuthType = "Basic";
AuthName = "\"Password Required\"";
AuthUserFile = "/var/secrets/htpasswd";
RequireAll."" = {
Require = [
[ "user synapse" ]
[ "method CONNECT" ]
];
RequireAny."" = {
Require = [
[ "ip 10.64.0.2" ]
];
};
};
};
}
{
ProxyMatch."^http:\/\/([a-zA-Z\-_0-9]+\.)+[a-zA-Z\-_0-9]*(|:(80|8080))$" = {
AuthType = "Basic";
AuthName = "\"Password Required\"";
AuthUserFile = "/var/secrets/htpasswd";
RequireAll."" = {
Require = [
[ "user synapse" ]
[ "not method CONNECT"]
];
RequireAny."" = {
Require = [
[ "ip 10.64.0.2" ]
];
};
};
};
}
];
}
];
in
systemd.services.apache-proxy = let
apacheConfiguration = inputs'.nixng.nglib.generators.toApache [
{
serviceConfig = {
Type = "forking";
Restart = "always";
RestartSec = "10s";
# User and group
User = "wwwrun";
Group = "wwwrun";
# Runtime directory and mode
RuntimeDirectory = "apache";
RuntimeDirectoryMode = "0750";
# Cache directory and mode
CacheDirectory = "apache";
CacheDirectoryMode = "0750";
# Logs directory and mode
LogsDirectory = "apache";
LogsDirectoryMode = "0750";
# Proc filesystem
ProcSubset = "pid";
ProtectProc = "invisible";
# New file permissions
UMask = "0027"; # 0640 / 0750
# Capabilities
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
# Security
NoNewPrivileges = true;
# Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html)
ProtectSystem = "strict";
ProtectHome = true;
PrivateTmp = true;
PrivateDevices = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
RestrictNamespaces = true;
LockPersonality = true;
MemoryDenyWriteExecute = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RemoveIPC = true;
PrivateMounts = true;
# System Call Filtering
SystemCallArchitectures = "native";
SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid ~@ipc" ];
LoadModule = [
["mpm_event_module" "modules/mod_mpm_event.so"]
["log_config_module" "modules/mod_log_config.so"]
["unixd_module" "modules/mod_unixd.so"]
["authz_core_module" "modules/mod_authz_core.so"]
["authn_core_module" "modules/mod_authn_core.so"]
["dir_module" "modules/mod_dir.so"]
["mime_module" "modules/mod_mime.so"]
["proxy_module" "modules/mod_proxy.so"]
["proxy_http_module" "modules/mod_proxy_http.so"]
["access_compat_module" "modules/mod_access_compat.so"]
["proxy_connect_module" "modules/mod_proxy_connect.so"]
["authn_file_module" "modules/mod_authn_file.so"]
["authz_user_module" "modules/mod_authz_user.so"]
["authz_host_module" "modules/mod_authz_host.so"]
["auth_basic_module" "modules/mod_auth_basic.so"]
["ssl_module" "modules/mod_ssl.so"]
];
}
{
Listen = "0.0.0.0:8883";
ServerRoot = "/var/empty";
ServerName = "altra";
PidFile = "/run/apache/apache.pid";
DocumentRoot = "/var/empty";
}
{
ErrorLog = "/var/log/apache/error.log";
TransferLog = "/var/log/apache/access.log";
}
{
MaxConnectionsPerChild = 1024;
MaxMemFree = 8192;
ThreadsPerChild = 64;
MaxRequestWorkers = 2048;
ServerLimit = 32;
AsyncRequestWorkerFactor = 8;
}
{
AddType = singleton [
"image/svg+xml"
"svg"
"svgz"
];
AddEncoding = [
"gzip"
"svgz"
];
TypesConfig = "${pkgs.apacheHttpd}/conf/mime.types";
}
{
Directory."/" = {
Require = ["all" "denied"];
Options = "SymlinksIfOwnerMatch";
};
wantedBy = [ "multi-user.target" ];
script = ''
ls /proc/self/fd /dev
${pkgs.apacheHttpd}/bin/httpd -f ${pkgs.writeText "apache.conf" apacheConfiguration}
'';
};
VirtualHost."*:8883" = [
{
ProxyRequests = "on";
AddDefaultCharset = "off";
AllowCONNECT = ["443" "8448" "8433" "8478" "3236" "8080"];
}
{
ServerName = "synapse-proxy.in.redalder.org";
SSLEngine = "on";
SSLCertificateFile = certs.apache-proxy.certPath;
SSLCertificateKeyFile = certs.apache-proxy.keyPath;
SSLCipherSuite = "HIGH:!aNULL:!MD5";
}
{
Proxy."*" = {
Require = ["all" "denied"];
};
}
{
ProxyMatch."^([a-zA-Z\-_0-9]+\.)+[a-zA-Z\-_0-9]*:(443|8448|8443|8478|3236|8080).*$" = {
AuthType = "Basic";
AuthName = "\"Password Required\"";
AuthUserFile = "/var/secrets/htpasswd";
RequireAll."" = {
Require = [
["user synapse"]
["method CONNECT"]
];
RequireAny."" = {
Require = [
["ip 10.64.0.2"]
];
};
};
};
}
{
ProxyMatch."^http:\/\/([a-zA-Z\-_0-9]+\.)+[a-zA-Z\-_0-9]*(|:(80|8080))$" = {
AuthType = "Basic";
AuthName = "\"Password Required\"";
AuthUserFile = "/var/secrets/htpasswd";
RequireAll."" = {
Require = [
["user synapse"]
["not method CONNECT"]
];
RequireAny."" = {
Require = [
["ip 10.64.0.2"]
];
};
};
};
}
];
}
];
in {
serviceConfig = {
Type = "forking";
Restart = "always";
RestartSec = "10s";
# User and group
User = "wwwrun";
Group = "wwwrun";
# Runtime directory and mode
RuntimeDirectory = "apache";
RuntimeDirectoryMode = "0750";
# Cache directory and mode
CacheDirectory = "apache";
CacheDirectoryMode = "0750";
# Logs directory and mode
LogsDirectory = "apache";
LogsDirectoryMode = "0750";
# Proc filesystem
ProcSubset = "pid";
ProtectProc = "invisible";
# New file permissions
UMask = "0027"; # 0640 / 0750
# Capabilities
AmbientCapabilities = ["CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE"];
CapabilityBoundingSet = ["CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE"];
# Security
NoNewPrivileges = true;
# Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html)
ProtectSystem = "strict";
ProtectHome = true;
PrivateTmp = true;
PrivateDevices = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
RestrictNamespaces = true;
LockPersonality = true;
MemoryDenyWriteExecute = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RemoveIPC = true;
PrivateMounts = true;
# System Call Filtering
SystemCallArchitectures = "native";
SystemCallFilter = ["~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid ~@ipc"];
};
wantedBy = ["multi-user.target"];
script = ''
ls /proc/self/fd /dev
${pkgs.apacheHttpd}/bin/httpd -f ${pkgs.writeText "apache.conf" apacheConfiguration}
'';
};
services.acme-sh.certs.apache-proxy = {
production = true;
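Review bot: `AllowCONNECT = ["443" "8448" "8433" "8478" "3236" "8080"];` lists port 8433, while the authenticated CONNECT `ProxyMatch` regex a few lines below allows `8443`; one of the two is a typo, and as written a CONNECT to :8443 clears auth but is refused by AllowCONNECT, while :8433 passes AllowCONNECT yet never reaches the authenticated block and falls through to the `Proxy "*"` deny — broken rather than exposed, but worth fixing with `AllowCONNECT = ["443" "8448" "8443" "8478" "3236" "8080"];`. Note also that in a Nix double-quoted string `\.` and `\-` collapse to the bare character, so the regex Apache actually sees has an unescaped `.` in `([a-zA-Z\-_0-9]+\.)+` — it still behaves as "any host:port in the list" but is looser than the author likely intended; `''…''` strings or a doubled backslash would keep the literal dot. The `ls /proc/self/fd /dev` at the top of `script` looks like a debugging leftover and prints into the journal on every start. The `systemd.services.apache-proxy` definition ends at `};` here, but the module body continues past the hunk.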


@ -1,15 +1,20 @@
{ pkgs, lib, secret, ... }:
let
inherit (lib)
getExe';
in
{
pkgs,
lib,
secret,
...
}: let
inherit
(lib)
getExe'
;
in {
# boot.kernel.sysctl = {"net.ipv4.ip_forward" = "1";};
# https://github.com/NixOS/nixpkgs/issues/76671
# the rpc.statd daemon is not running when not mounting any nfs filesystems on boot
# and can't be manually started...
boot.supportedFilesystems = [ "nfs" ];
boot.supportedFilesystems = ["nfs"];
services.rpcbind.enable = true;
networking = {
@ -37,7 +42,7 @@ in
${getExe' pkgs.iptables "iptables"} -D FORWARD -i wg0 -o wg0 -j ACCEPT
'';
}
// secret.wireguard."altra" or { privateKey = ""; };
// secret.wireguard."altra" or {privateKey = "";};
};
# defaultGateway = "64.225.96.1";
@ -52,55 +57,55 @@ in
'';
interfaces."eth0" = {
# allowedTCPPorts = [
# 80
# 443
# 6001
# ];
# allowedTCPPorts = [
# 80
# 443
# 6001
# ];
allowedUDPPorts = [
6666
];
};
# interfaces."nomad" = {
# allowedTCPPorts = [
# 8500
# ];
# };
# interfaces."nomad" = {
# allowedTCPPorts = [
# 8500
# ];
# };
interfaces."wg0" = {
allowedTCPPorts = [
8883
# ## Consul
# 8600 # DNS
# 8500 # HTTP
# 8502 # gRPC
# 8300 # server
# 8301 # LAN serf
# 8302 # WAN serf
# 4646 # Nomad
# 4647
# 4648
# 10000
# ## Consul
# 8600 # DNS
# 8500 # HTTP
# 8502 # gRPC
# 8300 # server
# 8301 # LAN serf
# 8302 # WAN serf
# 4646 # Nomad
# 4647
# 4648
# 10000
];
# allowedTCPPortRanges = [
# {
# from = 21000;
# to = 21255;
# }
# ];
# allowedUDPPorts = [
# ## Consul
# 8600 # DNS
# 8301 # LAN serf
# 8302 # WAN serf
# ];
# allowedUDPPortRanges = [
# {
# from = 21000;
# to = 21255;
# }
# ];
# allowedTCPPortRanges = [
# {
# from = 21000;
# to = 21255;
# }
# ];
# allowedUDPPorts = [
# ## Consul
# 8600 # DNS
# 8301 # LAN serf
# 8302 # WAN serf
# ];
# allowedUDPPortRanges = [
# {
# from = 21000;
# to = 21255;
# }
# ];
};
};


@ -1,13 +1,15 @@
{ inputs', config', ... }:
{
inputs',
config',
...
}: {
imports = [
../../common/nixpkgs.nix
];
nixpkgs.overlays =
(with config'.flake.overlays; [])
++
(with inputs'.nixng.overlays; [
++ (with inputs'.nixng.overlays; [
default
]);
}


@ -1,5 +1,12 @@
{ lib, config, config', pkgs, inputs', secret, ... }:
{
lib,
config,
config',
pkgs,
inputs',
secret,
...
}: {
services.hashicorp.nomad = {
enable = true;
@ -15,13 +22,12 @@
extraSettingsPaths = [
"/run/secrets/nomad.json"
];
package = inputs'.nixpkgs-hashicorp.legacyPackages.${pkgs.stdenv.system}.nomad_1_5.overrideAttrs (old:
{
patches = with config'.flake.patches; [
hashicorp-nomad.revert-change-consul-si-tokens-to-be-local
hashicorp-nomad.add-nix-integration
];
});
package = inputs'.nixpkgs-hashicorp.legacyPackages.${pkgs.stdenv.system}.nomad_1_5.overrideAttrs (old: {
patches = with config'.flake.patches; [
hashicorp-nomad.revert-change-consul-si-tokens-to-be-local
hashicorp-nomad.add-nix-integration
];
});
settings = {
server.enabled = true;


@ -1,12 +1,11 @@
{ pkgs, ... }:
{
{pkgs, ...}: {
systemd.services.udp2tcp = {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
wantedBy = ["multi-user.target"];
after = ["network.target"];
restartIfChanged = true;
path = with pkgs; [ dig.host ];
path = with pkgs; [dig.host];
script = ''
${pkgs.udp-over-tcp}/bin/tcp2udp\


@ -1,5 +1,9 @@
{ inputs', config', secret, ... }:
{
inputs',
config',
secret,
...
}: {
imports = [
inputs'.home-manager.nixosModules.default
../../common/users.nix
@ -12,7 +16,7 @@
secret = secret;
};
home-manager.users.main = {
imports = [ (inputs'.self + "/home-manager/modules/profiles/server.nix") ];
imports = [(inputs'.self + "/home-manager/modules/profiles/server.nix")];
home.stateVersion = "23.05";
};


@ -1,9 +1,16 @@
{ config, lib, pkgs, secret, inputs', ... }:
let
inherit (lib)
singleton;
in
{
config,
lib,
pkgs,
secret,
inputs',
...
}: let
inherit
(lib)
singleton
;
in {
services.hashicorp.vault-agent = {
enable = true;
package = inputs'.nixpkgs-hashicorp.legacyPackages.${pkgs.stdenv.system}.vault;
@ -21,72 +28,77 @@ in
retry.num_retries = 5;
};
auto_auth.method = singleton
{
"approle" = {
mount_path = "auth/approle";
config =
{
role_id_file_path = "/var/secrets/approle.roleid";
secret_id_file_path = "/var/secrets/approle.secretid";
remove_secret_id_file_after_reading = false;
};
auto_auth.method =
singleton
{
"approle" = {
mount_path = "auth/approle";
config = {
role_id_file_path = "/var/secrets/approle.roleid";
secret_id_file_path = "/var/secrets/approle.secretid";
remove_secret_id_file_after_reading = false;
};
};
};
sink = singleton
{
"file" = {
type = "file";
config.path = "/run/secrets/vault-token";
};
sink =
singleton
{
"file" = {
type = "file";
config.path = "/run/secrets/vault-token";
};
};
template = [
{
source = pkgs.writeText "consul.json.vtmpl"
''
{
"encrypt": "{{ with secret "kv/data/do-1/toothpick/consul/encryption_key" }}{{ or .Data.data.key "" }}{{ end }}",
"acl": {
"tokens": {
"agent": "{{ with secret "kv/data/do-1/toothpick/consul/agent_token" }}{{ or .Data.data.secret "" }}{{ end }}",
"replication": "{{ with secret "kv/data/do-1/toothpick/consul/replication_token" }}{{ or .Data.data.secret "" }}{{ end }}",
"default": "{{ with secret "kv/data/do-1/toothpick/consul/anonymous_token" }}{{ or .Data.data.secret "" }}{{ end }}"
}
template = [
{
source =
pkgs.writeText "consul.json.vtmpl"
''
{
"encrypt": "{{ with secret "kv/data/do-1/toothpick/consul/encryption_key" }}{{ or .Data.data.key "" }}{{ end }}",
"acl": {
"tokens": {
"agent": "{{ with secret "kv/data/do-1/toothpick/consul/agent_token" }}{{ or .Data.data.secret "" }}{{ end }}",
"replication": "{{ with secret "kv/data/do-1/toothpick/consul/replication_token" }}{{ or .Data.data.secret "" }}{{ end }}",
"default": "{{ with secret "kv/data/do-1/toothpick/consul/anonymous_token" }}{{ or .Data.data.secret "" }}{{ end }}"
}
}
'';
destination = "/run/secrets/consul.json";
command = pkgs.writeShellScript "consul-command"
''
sudo systemctl try-reload-or-restart hashicorp-consul.service
'';
}
{
source = pkgs.writeText "nomad.json.vtmpl"
''
{
"server": {
"encrypt": "{{ with secret "kv/data/do-1/toothpick/nomad/encryption_key" }}{{ or .Data.data.key "" }}{{ end }}"
},
"acl": {
"replication_token": "{{ with secret "kv/data/do-1/toothpick/nomad/replication_token" }}{{ or .Data.data.secret "" }}{{ end }}"
},
"vault": {
"token": "{{ with secret "kv/data/do-1/toothpick/nomad/vault_token" }}{{ or .Data.data.secret "" }}{{ end }}"
},
"consul": {
"token": "{{ with secret "kv/data/do-1/toothpick/nomad/consul_token" }}{{ or .Data.data.secret "" }}{{ end }}"
}
}
'';
destination = "/run/secrets/consul.json";
command =
pkgs.writeShellScript "consul-command"
''
sudo systemctl try-reload-or-restart hashicorp-consul.service
'';
}
{
source =
pkgs.writeText "nomad.json.vtmpl"
''
{
"server": {
"encrypt": "{{ with secret "kv/data/do-1/toothpick/nomad/encryption_key" }}{{ or .Data.data.key "" }}{{ end }}"
},
"acl": {
"replication_token": "{{ with secret "kv/data/do-1/toothpick/nomad/replication_token" }}{{ or .Data.data.secret "" }}{{ end }}"
},
"vault": {
"token": "{{ with secret "kv/data/do-1/toothpick/nomad/vault_token" }}{{ or .Data.data.secret "" }}{{ end }}"
},
"consul": {
"token": "{{ with secret "kv/data/do-1/toothpick/nomad/consul_token" }}{{ or .Data.data.secret "" }}{{ end }}"
}
'';
destination = "/run/secrets/nomad.json";
command = pkgs.writeShellScript "nomad-command"
''
sudo systemctl try-reload-or-restart hashicorp-nomad.service
'';
}
}
'';
destination = "/run/secrets/nomad.json";
command =
pkgs.writeShellScript "nomad-command"
''
sudo systemctl try-reload-or-restart hashicorp-nomad.service
'';
}
];
};
};
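Review bot: `remove_secret_id_file_after_reading = false;` in the approle `config` keeps `/var/secrets/approle.secretid` on disk for the life of the host, which turns what AppRole intends as a short-lived bootstrap credential into a static one; if that is deliberate (re-auth after reboot without a re-issue step), say so in a comment such as `# SecretID is kept on disk so the agent can re-auth after reboot; the role must be issued without num_uses/TTL limits`, and if it is not, the role's SecretID should be rotated out-of-band. The rendered `destination` files under `/run/secrets/` carry Consul and Nomad tokens but set no `perms`; unless vault-agent's default template mode is tighter than I recall, that is worth pinning explicitly (e.g. `perms = "0600";` next to each `destination`) — please confirm against the agent version in use. The `command` scripts call `sudo systemctl …`, which needs a matching sudoers entry for the agent's user that is not visible in this file; a one-line comment pointing to where it lives would help the next reader.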


@ -1,13 +1,22 @@
{inputs', lib, config, pkgs, pkgs-hashicorp, secret, ...}:
let
inherit (lib)
singleton
mkForce;
in
{
inputs',
lib,
config,
pkgs,
pkgs-hashicorp,
secret,
...
}: let
inherit
(lib)
singleton
mkForce
;
in {
services.hashicorp.vault-agent = {
settings.template = singleton {
source = pkgs.writeText "consul.json.vtmpl"
source =
pkgs.writeText "consul.json.vtmpl"
''
{
"encrypt": "{{ with secret "kv/data/homelab-1/blowhole/consul/encryption_key" }}{{ or .Data.data.key "" }}{{ end }}",
@ -27,8 +36,8 @@ in
};
systemd.services."hashicorp-consul" = {
requires = [ "vault-unsealed.service" ];
after = [ "vault-unsealed.service" ];
requires = ["vault-unsealed.service"];
after = ["vault-unsealed.service"];
};
services.hashicorp.consul = {


@ -1,16 +1,21 @@
# SPDX-FileCopyrightText: 2022 Richard Brežák <richard@brezak.sk>
#
# SPDX-License-Identifier: LGPL-3.0-or-later
{ inputs, lib', config, ... }:
let
inherit (lib')
{
inputs,
lib',
config,
...
}: let
inherit
(lib')
flip
mapAttrs
singleton;
singleton
;
config' = config;
in
{
in {
flake.nixosConfigurations.blowhole = inputs.nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
@ -20,137 +25,139 @@ in
secret = lib'.loadSecrets inputs.secret;
};
modules = singleton
({ secret, pkgs, config, ... }:
{
_module.args.pkgs-hashicorp = import inputs.nixpkgs-hashicorp {
system = pkgs.stdenv.system;
config.allowUnfreePredicate = pkg: builtins.elem (lib'.getName pkg) [
modules =
singleton
({
secret,
pkgs,
config,
...
}: {
_module.args.pkgs-hashicorp = import inputs.nixpkgs-hashicorp {
system = pkgs.stdenv.system;
config.allowUnfreePredicate = pkg:
builtins.elem (lib'.getName pkg) [
"consul"
"vault-bin"
"vault"
];
};
imports = [
./bind.nix
./consul.nix
./filesystems.nix
./firewall.nix
./grub.nix
./hardware.nix
# ./hostapd.nix
./ical2org.nix
./klipper.nix
# ./monitoring.nix
./nas.nix
./networking.nix
./nfs.nix
./nomad.nix
./uterranix.nix
./vault-agent.nix
./vault.nix
./watchdog.nix
./nixpkgs.nix
./users.nix
./disk_monitoring.nix
./sol.nix
../../common/remote_access.nix
./microvms.nix
./ssh-machine-access.nix
../../modules/notify-login.nix
./kubernetes.nix
inputs.serokell-nix.nixosModules.acme-sh
inputs.notnft.nixosModules.default
inputs.self.nixosModules.notnft
inputs.microvm.nixosModules.host
inputs.self.nixosModules.microvm-extras-host
config'.flake.nixosModules.hashicorp
config'.flake.nixosModules.hashicorp-envoy
config'.flake.nixosModules.telegraf
config'.flake.nixosModules.grafana
];
services.notify-login.ssh = {
enable = true;
method = "matrix";
settings = {
secretsFile = "/var/secrets/matrix-notify-login-ssh.json";
stateDirectory = "/var/lib/matrix-commander/notify-login-ssh";
markdown = true;
};
};
imports = [
./bind.nix
./consul.nix
./filesystems.nix
./firewall.nix
./grub.nix
./hardware.nix
# ./hostapd.nix
./ical2org.nix
./klipper.nix
# ./monitoring.nix
./nas.nix
./networking.nix
./nfs.nix
./nomad.nix
./uterranix.nix
./vault-agent.nix
./vault.nix
./watchdog.nix
./nixpkgs.nix
./users.nix
./disk_monitoring.nix
./sol.nix
../../common/remote_access.nix
./microvms.nix
./ssh-machine-access.nix
../../modules/notify-login.nix
./kubernetes.nix
inputs.serokell-nix.nixosModules.acme-sh
inputs.notnft.nixosModules.default
inputs.self.nixosModules.notnft
inputs.microvm.nixosModules.host
inputs.self.nixosModules.microvm-extras-host
config'.flake.nixosModules.hashicorp
config'.flake.nixosModules.hashicorp-envoy
config'.flake.nixosModules.telegraf
config'.flake.nixosModules.grafana
_module.args.nixinate = {
host = "blowhole.hosts.in.redalder.org";
sshUser = "main";
buildOn = "local";
substituteOnTarget = true;
hermetic = false;
nixOptions = [
"--override-input secret path://$HOME/dotfiles/secret"
];
};
services.notify-login.ssh = {
enable = true;
method = "matrix";
settings = {
secretsFile = "/var/secrets/matrix-notify-login-ssh.json";
stateDirectory = "/var/lib/matrix-commander/notify-login-ssh";
markdown = true;
};
systemd.services.vault-unsealed = {
description = "Check whether the local Vault instance is unsealed and fail if not.";
path = with pkgs; [getent vault];
unitConfig = {
StartLimitInterval = 0;
};
_module.args.nixinate = {
host = "blowhole.hosts.in.redalder.org";
sshUser = "main";
buildOn = "local";
substituteOnTarget = true;
hermetic = false;
nixOptions = [
"--override-input secret path://$HOME/dotfiles/secret"
];
serviceConfig = {
Restart = "always";
RestartSec = 30;
};
systemd.services.vault-unsealed = {
description = "Check whether the local Vault instance is unsealed and fail if not.";
path = with pkgs; [ getent vault ];
script = ''
export VAULT_ADDR="https://vault.in.redalder.org:8200/"
unitConfig = {
StartLimitInterval = 0;
};
while [ $( vault operator key-status |& grep -q "Vault is sealed" ; printf $? ) = 1 ]
do
sleep 30
done
exit 2
'';
};
serviceConfig = {
Restart = "always";
RestartSec = 30;
};
system.stateVersion = "21.05";
script = ''
export VAULT_ADDR="https://vault.in.redalder.org:8200/"
while [ $( vault operator key-status |& grep -q "Vault is sealed" ; printf $? ) = 1 ]
do
sleep 30
done
exit 2
'';
systemd.services.home-assistant-pyscript = {
wantedBy = ["multi-user.target"];
restartIfChanged = true;
path = [pkgs.rsync];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = "yes";
};
script = ''
mkdir -p /mnt/kyle/infrastructure/home-assistant/home-assistant/pyscript
rsync --chown 403:403 --chmod Du=rwx,Dgo=rx,Fu=rw,Fgo=r -arvc --delete ${secret.pyscript or ""}/. /mnt/kyle/infrastructure/home-assistant/home-assistant/pyscript/
'';
};
system.stateVersion = "21.05";
systemd.services.home-assistant-pyscript = {
wantedBy = ["multi-user.target"];
restartIfChanged = true;
path = [ pkgs.rsync ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = "yes";
};
script = ''
mkdir -p /mnt/kyle/infrastructure/home-assistant/home-assistant/pyscript
rsync --chown 403:403 --chmod Du=rwx,Dgo=rx,Fu=rw,Fgo=r -arvc --delete ${secret.pyscript or ""}/. /mnt/kyle/infrastructure/home-assistant/home-assistant/pyscript/
'';
};
boot.kernel.sysctl."fs.inotify.max_user_watches" = 524288;
boot.kernel.sysctl."fs.inotify.max_user_instances" = 512;
services.udev.extraRules =
let
devPath =
"/dev/serial/by-id/usb-ITead_Sonoff_Zigbee_3.0_USB_Dongle_Plus_4c004e9c53c9eb118a9f8b4f1d69213e-if00-port0";
zigbeeScript = pkgs.writeShellScript "zigbeeScript" ''
touch /dev/ttyZigbee
${pkgs.lib.getExe' pkgs.utillinux "mount"} --bind \
"$(${pkgs.lib.getExe' pkgs.coreutils "readlink"} -f "${devPath}")" \
/dev/ttyZigbee
'';
in
''
ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="10c4", ATTR{idProduct}=="ea60", RUN+="${zigbeeScript}"
'';
});
boot.kernel.sysctl."fs.inotify.max_user_watches" = 524288;
boot.kernel.sysctl."fs.inotify.max_user_instances" = 512;
services.udev.extraRules = let
devPath = "/dev/serial/by-id/usb-ITead_Sonoff_Zigbee_3.0_USB_Dongle_Plus_4c004e9c53c9eb118a9f8b4f1d69213e-if00-port0";
zigbeeScript = pkgs.writeShellScript "zigbeeScript" ''
touch /dev/ttyZigbee
${pkgs.lib.getExe' pkgs.utillinux "mount"} --bind \
"$(${pkgs.lib.getExe' pkgs.coreutils "readlink"} -f "${devPath}")" \
/dev/ttyZigbee
'';
in ''
ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="10c4", ATTR{idProduct}=="ea60", RUN+="${zigbeeScript}"
'';
});
};
}


@ -1,10 +1,15 @@
{ pkgs, lib, secret, ... }:
let
inherit (lib)
singleton
concatStringsSep;
in
{
pkgs,
lib,
secret,
...
}: let
inherit
(lib)
singleton
concatStringsSep
;
in {
environment.systemPackages = with pkgs; [
sshfs
];


@ -1,10 +1,9 @@
{ ... }:
{
{...}: {
boot.loader = {
systemd-boot.enable = false;
grub = {
enable = true;
devices = [ "/dev/disk/by-id/usb-Verbatim_STORE_N_GO_072124E3712B7287-0:0" ];
devices = ["/dev/disk/by-id/usb-Verbatim_STORE_N_GO_072124E3712B7287-0:0"];
};
};
}


@ -1,5 +1,8 @@
{ config, pkgs, ... }:
{
config,
pkgs,
...
}: {
boot = {
supportedFilesystems = ["zfs"];
kernelParams = [
@ -24,7 +27,7 @@
kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
};
environment.systemPackages = [ pkgs.ipmitool ];
environment.systemPackages = [pkgs.ipmitool];
hardware.enableRedistributableFirmware = true;
}


@ -1,7 +1,14 @@
{ pkgs, config, lib, config', ... }:
let
inherit (lib)
singleton;
{
pkgs,
config,
lib,
config',
...
}: let
inherit
(lib)
singleton
;
openwrtRepo = pkgs.fetchFromGitHub {
owner = "openwrt";
@ -9,8 +16,7 @@ let
rev = "67e8cc07f9bb95984624198ccf02123f348246df";
sha256 = "sha256-rBQDTUG9fqwSLrj+LZ6L1x55Y3gkfUubY5zwX9XK3+s=";
};
in
{
in {
# giturl="https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/"
# for patch in *.patch
# do
@ -32,8 +38,8 @@ in
};
systemd.services."hostapd" = {
requires = [ "vault-unsealed.service" ];
after = [ "vault-unsealed.service" ];
requires = ["vault-unsealed.service"];
after = ["vault-unsealed.service"];
};
services.hostapd = {
@ -98,14 +104,17 @@ in
'';
};
nixpkgs.overlays = singleton
(final: prev:
{
nixpkgs.overlays =
singleton
(
final: prev: {
hostapd = prev.hostapd.overrideAttrs (old: {
buildInputs = old.buildInputs ++ (with pkgs; [
libubox
ubus
]);
buildInputs =
old.buildInputs
++ (with pkgs; [
libubox
ubus
]);
src = pkgs.fetchgit {
url = "http://w1.fi/hostap.git";


@ -1,5 +1,8 @@
{ pkgs, secret, ... }:
{
pkgs,
secret,
...
}: {
systemd.services.ical-vu-sync = {
serviceConfig.Type = "oneshot";
path = with pkgs; [


@ -1,5 +1,13 @@
{ inputs', lib, pkgs, pkgs-hashicorp, secret, config, config', ... }:
let
{
inputs',
lib,
pkgs,
pkgs-hashicorp,
secret,
config,
config',
...
}: let
inherit
(lib)
concatStringsSep


@ -1,85 +1,125 @@
# SPDX-FileCopyrightText: 2022 Richard Brežák <richard@brezak.sk>
#
# SPDX-License-Identifier: LGPL-3.0-or-later
{ notnft, inputs', lib, config, ... }:
let
inherit (lib)
{
notnft,
inputs',
lib,
config,
...
}: let
inherit
(lib)
mkBefore
flip
genAttrs;
in
{
genAttrs
;
in {
networking.notnft = {
enable = true;
flush = false;
};
networking.notnft.preRules = [
{ add.table = { family = "bridge"; name = "bridge-t"; }; }
{ flush.table = { family = "bridge"; name = "bridge-t"; }; }
{
add.table = {
family = "bridge";
name = "bridge-t";
};
}
{
flush.table = {
family = "bridge";
name = "bridge-t";
};
}
];
networking.notnft.rules =
let
interfaces = [ "mvm-test" "mvm0" ];
logRule = with notnft.dsl; with payload; prefix:
[
(log { prefix = "${prefix} dropped: "; flags = (f: [ f.all ]); } )
];
networking.notnft.rules = let
interfaces = ["mvm-test" "mvm0"];
logRule = with notnft.dsl;
with payload;
prefix: [
(log {
prefix = "${prefix} dropped: ";
flags = f: [f.all];
})
];
dropRule = with notnft.dsl; with payload;
[ drop ];
in
with notnft.dsl; with payload; ruleset {
bridge-t = add table { family = f: f.bridge; } {
dropRule = with notnft.dsl; with payload; [drop];
in
with notnft.dsl;
with payload;
ruleset {
bridge-t = add table {family = f: f.bridge;} {
input-body = add chain;
input-mvm = add chain
[ (vmap ct.state { established = accept; related = accept; invalid = drop; }) ]
[ (is.eq meta.protocol (f: f.arp)) accept ]
[ (mangle meta.nftrace 1) ]
[ (jump "input-body") ]
input-mvm =
add chain
[
(vmap ct.state {
established = accept;
related = accept;
invalid = drop;
})
]
[(is.eq meta.protocol (f: f.arp)) accept]
[(mangle meta.nftrace 1)]
[(jump "input-body")]
(logRule "Bridge input")
(dropRule);
dropRule;
input = add chain
{ type = f: f.filter; hook = f: f.input; prio = 0; policy = f: f.accept; }
[ (vmap meta.iifname (genAttrs interfaces (_: (goto "input-mvm")))) ]
[ (vmap meta.oifname (genAttrs interfaces (_: (goto "input-mvm")))) ];
input =
add chain
{
type = f: f.filter;
hook = f: f.input;
prio = 0;
policy = f: f.accept;
}
[(vmap meta.iifname (genAttrs interfaces (_: (goto "input-mvm"))))]
[(vmap meta.oifname (genAttrs interfaces (_: (goto "input-mvm"))))];
output-body = add chain;
output-mvm = add chain
[ (is.eq ether.type (f: f.arp)) accept ]
[ (mangle meta.nftrace 1) ]
[ (jump "output-body") ]
output-mvm =
add chain
[(is.eq ether.type (f: f.arp)) accept]
[(mangle meta.nftrace 1)]
[(jump "output-body")]
(logRule "Bridge output")
(dropRule);
output = add chain
{ type = f: f.filter; hook = f: f.output; prio = 0; policy = f: f.accept; }
[ (vmap meta.iifname (genAttrs interfaces (_: (goto "output-mvm")))) ]
[ (vmap meta.oifname (genAttrs interfaces (_: (goto "output-mvm")))) ];
dropRule;
output =
add chain
{
type = f: f.filter;
hook = f: f.output;
prio = 0;
policy = f: f.accept;
}
[(vmap meta.iifname (genAttrs interfaces (_: (goto "output-mvm"))))]
[(vmap meta.oifname (genAttrs interfaces (_: (goto "output-mvm"))))];
forward-body = add chain;
forward-mvm = add chain
[ (mangle meta.nftrace 1) ]
[ (jump "forward-body") ]
forward-mvm =
add chain
[(mangle meta.nftrace 1)]
[(jump "forward-body")]
(logRule "Bridge forward")
(dropRule);
dropRule;
forward = add chain
{ type = f: f.filter; hook = f: f.forward; prio = 0; policy = f: f.accept; }
[ (vmap meta.iifname (genAttrs interfaces (_: (goto "input-mvm")))) ]
[ (vmap meta.oifname (genAttrs interfaces (_: (goto "input-mvm")))) ];
forward =
add chain
{
type = f: f.filter;
hook = f: f.forward;
prio = 0;
policy = f: f.accept;
}
[(vmap meta.iifname (genAttrs interfaces (_: (goto "input-mvm"))))]
[(vmap meta.oifname (genAttrs interfaces (_: (goto "input-mvm"))))];
# prerouting = add chain
# { type = f: f.filter; hook = f: f.prerouting; prio = -300; policy = f: f.accept; }
@ -92,8 +132,8 @@ in
};
systemd.services.notnftables = {
requires = [ "nftables.service" ];
after = [ "nftables.service" ];
requires = ["nftables.service"];
after = ["nftables.service"];
};
networking.bridges.mvm0 = {
@ -113,13 +153,13 @@ in
microvm.services.tcpUdp.test-ssh = {
hostName = "test";
port = 22;
protocol = [ "tcp" ];
protocol = ["tcp"];
};
microvm.services.tcpUdp.test-http = {
hostName = "test";
port = 80;
protocol = [ "tcp" ];
protocol = ["tcp"];
};
microvm.services.icmp.test = {
@ -142,7 +182,7 @@ in
microvm.vms = {
test.config = {
imports = [ inputs'.self.nixosModules.microvm-extras ];
imports = [inputs'.self.nixosModules.microvm-extras];
microvm = {
hostName = "test";
@ -152,15 +192,17 @@ in
};
microvm.hypervisor = "cloud-hypervisor";
microvm.shares = [{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
proto = "virtiofs";
}];
microvm.shares = [
{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
proto = "virtiofs";
}
];
microvm.storeOnDisk = false;
networking.firewall.allowedTCPPorts = [ 80 22 ];
networking.firewall.allowedTCPPorts = [80 22];
services.nginx = {
enable = true;


@ -1,239 +1,244 @@
# SPDX-FileCopyrightText: 2023 Richard Brežák <richard@brezak.sk>
#
# SPDX-License-Identifier: LGPL-3.0-or-later
{ pkgs, roots, lib, inputs', config, secret, config', ... }:
let
inherit (lib)
{
pkgs,
roots,
lib,
inputs',
config,
secret,
config',
...
}: let
inherit
(lib)
singleton
nixosTests
concatStringsSep;
in
{
uterranix.config = { tflib, ... }:
let
inherit (tflib)
tf;
in
{
output."envoy_grafana".value = tf "vault_consul_secret_backend_role.envoy-grafana";
output."envoy_blowhole".value = tf "vault_consul_secret_backend_role.envoy-blowhole";
concatStringsSep
;
in {
uterranix.config = {tflib, ...}: let
inherit
(tflib)
tf
;
in {
output."envoy_grafana".value = tf "vault_consul_secret_backend_role.envoy-grafana";
output."envoy_blowhole".value = tf "vault_consul_secret_backend_role.envoy-blowhole";
data."influxdb-v2_organization"."redalder" = {
name = "redalder";
};
data."influxdb-v2_organization"."redalder" = {
name = "redalder";
};
resource."influxdb-v2_bucket"."metrics_bucket" = {
name = "metrics";
description = "Metrics bucket";
org_id = "\${data.influxdb-v2_organization.redalder.id}";
retention_rules = {
every_seconds = 30 * 24 * 60 * 60; # days * h/d * m/h * s/m
};
};
resource."influxdb-v2_bucket"."metrics_preprocessed_bucket" = {
name = "metrics-preprocessed";
description = "Preprocessed bucket";
org_id = "\${data.influxdb-v2_organization.redalder.id}";
retention_rules = {
every_seconds = 30 * 24 * 60 * 60; # days * h/d * m/h * s/m
};
};
resource."influxdb-v2_bucket"."logs_bucket" = {
org_id = "\${data.influxdb-v2_organization.redalder.id}";
name = "logs";
description = "Logs bucket";
retention_rules = {
every_seconds = 30 * 24 * 60 * 60; # days * h/d * m/h * s/m
};
};
resource."influxdb-v2_authorization"."telegraf_authorization" = {
org_id = "\${data.influxdb-v2_organization.redalder.id}";
description = "Token for telegraf ingestion";
status = "active";
permissions = [
{
action = "write";
resource = {
id = "\${influxdb-v2_bucket.logs_bucket.id}";
org_id = "\${data.influxdb-v2_organization.redalder.id}";
type = "buckets";
};
}
{
action = "write";
resource = {
id = "\${influxdb-v2_bucket.metrics_bucket.id}";
org_id = "\${data.influxdb-v2_organization.redalder.id}";
type = "buckets";
};
}
];
};
resource."influxdb-v2_authorization"."grafana_authorization" = {
org_id = "\${data.influxdb-v2_organization.redalder.id}";
description = "Token for Grafana";
status = "active";
permissions = [
{
action = "read";
resource = {
id = "\${influxdb-v2_bucket.logs_bucket.id}";
org_id = "\${data.influxdb-v2_organization.redalder.id}";
type = "buckets";
};
}
{
action = "read";
resource = {
id = "\${influxdb-v2_bucket.metrics_preprocessed_bucket.id}";
org_id = "\${data.influxdb-v2_organization.redalder.id}";
type = "buckets";
};
}
{
action = "read";
resource = {
id = "\${influxdb-v2_bucket.metrics_bucket.id}";
org_id = "\${data.influxdb-v2_organization.redalder.id}";
type = "buckets";
};
}
];
};
resource."vault_mount"."kv" = {
path = "kv";
type = "kv";
options = { version = 2; };
description = "KV Version 2 secret engine mount";
};
resource."vault_kv_secret_v2"."telegraf_secret" = {
mount = "\${vault_mount.kv.path}";
name = "homelab-1/blowhole/monitor/telegraf";
options = { version = 2; };
data_json = builtins.toJSON {
influxdb_token = "\${influxdb-v2_authorization.telegraf_authorization.token}";
};
};
resource."vault_kv_secret_v2"."grafana_secret" = {
mount = "\${vault_mount.kv.path}";
name = "homelab-1/blowhole/monitor/grafana";
options = { version = 2; };
data_json = builtins.toJSON {
influxdb_token = "\${influxdb-v2_authorization.grafana_authorization.token}";
};
};
resource."influxdb-v2_bucket"."metrics_bucket" = {
name = "metrics";
description = "Metrics bucket";
org_id = "\${data.influxdb-v2_organization.redalder.id}";
retention_rules = {
every_seconds = 30 * 24 * 60 * 60; # days * h/d * m/h * s/m
};
};
nixpkgs.overlays = singleton (_: _:
{
telegraf =
pkgs.buildGoModule rec {
pname = "telegraf";
version = "1.25.3";
resource."influxdb-v2_bucket"."metrics_preprocessed_bucket" = {
name = "metrics-preprocessed";
description = "Preprocessed bucket";
org_id = "\${data.influxdb-v2_organization.redalder.id}";
retention_rules = {
every_seconds = 30 * 24 * 60 * 60; # days * h/d * m/h * s/m
};
};
excludedPackages = "test";
doCheck = false;
resource."influxdb-v2_bucket"."logs_bucket" = {
org_id = "\${data.influxdb-v2_organization.redalder.id}";
name = "logs";
description = "Logs bucket";
retention_rules = {
every_seconds = 30 * 24 * 60 * 60; # days * h/d * m/h * s/m
};
};
subPackages = singleton "cmd/telegraf";
src = pkgs.fetchFromGitHub {
owner = "influxdata";
repo = "telegraf";
rev = "v${version}";
sha256 = "sha256-FUZDS4As9qP2Dn0NSBM/e8udDLMk5OZol4CQSI39T4s=";
resource."influxdb-v2_authorization"."telegraf_authorization" = {
org_id = "\${data.influxdb-v2_organization.redalder.id}";
description = "Token for telegraf ingestion";
status = "active";
permissions = [
{
action = "write";
resource = {
id = "\${influxdb-v2_bucket.logs_bucket.id}";
org_id = "\${data.influxdb-v2_organization.redalder.id}";
type = "buckets";
};
vendorHash = "sha256-uWoWvS9ZZzhpE+PiJv0fqblMLOAGIrhCdi0ugvF/lQI=";
proxyVendor = true;
ldflags = [
"-w" "-s" "-X main.version=${version}"
];
passthru.tests = { inherit (nixosTests) telegraf; };
meta = with lib; {
description = "The plugin-driven server agent for collecting & reporting metrics";
license = licenses.mit;
homepage = "https://www.influxdata.com/time-series-platform/telegraf/";
maintainers = with maintainers; [ mic92 roblabla timstott ];
}
{
action = "write";
resource = {
id = "\${influxdb-v2_bucket.metrics_bucket.id}";
org_id = "\${data.influxdb-v2_organization.redalder.id}";
type = "buckets";
};
};
});
services.hashicorp.vault-agent =
{
settings.template = [
{
source = pkgs.writeText "envoy-grafana.token.vtmpl" ''
{{ with secret "consul/creds/envoy-grafana" }}{{ .Data.token }}{{ end }}
'';
destination = "/run/secrets/monitor/envoy-grafana.token";
command =
let
serviceList =
[ "hashicorp-envoy-grafana" "hashicorp-envoy-influx" "hashicorp-envoy-telegraf" ];
in
pkgs.writeShellScript "envoy-grafana-reload.sh" ''
sudo systemd-run -P --machine monitor /run/current-system/sw/bin/bash -l -c \
'systemctl try-reload-or-restart ${concatStringsSep " " serviceList}' || true
'';
}
{
source = pkgs.writeText "envoy-blowhole.token.vtmpl" ''
{{ with secret "consul/creds/envoy-blowhole" }}{{ .Data.token }}{{ end }}
'';
destination = "/run/secrets/envoy-blowhole.token";
command = pkgs.writeShellScript "envoy-blowhole-reload.sh" ''
sudo systemctl try-reload-or-restart hashicorp-envoy-telegraf || true
'';
}
{
source = pkgs.writeText "telegraf.env.vtmpl" ''
INFLUXDB_TOKEN={{ with secret "kv/data/homelab-1/blowhole/monitor/telegraf" }}{{ .Data.data.influxdb_token }}{{ end }}
'';
destination = "/run/secrets/monitor/telegraf.env";
command = pkgs.writeShellScript "monitor-telegraf-reload.sh" ''
sudo systemd-run -P --machine monitor /run/current-system/sw/bin/bash -l -c \
'systemctl try-reload-or-restart telegraf' || true
'';
}
{
source = pkgs.writeText "grafana-influx.token.vtmpl" ''
{{ with secret "kv/data/homelab-1/blowhole/monitor/grafana" }}
{{ .Data.data.influxdb_token }}
{{ end }}
'';
destination = "/run/secrets/monitor/grafana-influx.token";
perms = "0644";
command = pkgs.writeShellScript "monitor-telegraf-reload.sh" ''
sudo systemd-run -P --machine monitor /run/current-system/sw/bin/bash -l -c \
'systemctl try-reload-or-restart grafana' || true
'';
}
{
source = pkgs.writeText "itp.env.vtmpl" ''
{{ with secret "kv/data/homelab-1/blowhole/monitor/itp" }}
INFLUX_HOST={{ .Data.data.host }}
INFLUX_TOKEN={{ .Data.data.token }}
{{ end }}
'';
destination = "/run/secrets/monitor/itp.env";
}
];
};
resource."influxdb-v2_authorization"."grafana_authorization" = {
org_id = "\${data.influxdb-v2_organization.redalder.id}";
description = "Token for Grafana";
status = "active";
permissions = [
{
action = "read";
resource = {
id = "\${influxdb-v2_bucket.logs_bucket.id}";
org_id = "\${data.influxdb-v2_organization.redalder.id}";
type = "buckets";
};
}
{
action = "read";
resource = {
id = "\${influxdb-v2_bucket.metrics_preprocessed_bucket.id}";
org_id = "\${data.influxdb-v2_organization.redalder.id}";
type = "buckets";
};
}
{
action = "read";
resource = {
id = "\${influxdb-v2_bucket.metrics_bucket.id}";
org_id = "\${data.influxdb-v2_organization.redalder.id}";
type = "buckets";
};
}
];
};
resource."vault_mount"."kv" = {
path = "kv";
type = "kv";
options = {version = 2;};
description = "KV Version 2 secret engine mount";
};
resource."vault_kv_secret_v2"."telegraf_secret" = {
mount = "\${vault_mount.kv.path}";
name = "homelab-1/blowhole/monitor/telegraf";
options = {version = 2;};
data_json = builtins.toJSON {
influxdb_token = "\${influxdb-v2_authorization.telegraf_authorization.token}";
};
};
resource."vault_kv_secret_v2"."grafana_secret" = {
mount = "\${vault_mount.kv.path}";
name = "homelab-1/blowhole/monitor/grafana";
options = {version = 2;};
data_json = builtins.toJSON {
influxdb_token = "\${influxdb-v2_authorization.grafana_authorization.token}";
};
};
};
nixpkgs.overlays = singleton (_: _: {
telegraf = pkgs.buildGoModule rec {
pname = "telegraf";
version = "1.25.3";
excludedPackages = "test";
doCheck = false;
subPackages = singleton "cmd/telegraf";
src = pkgs.fetchFromGitHub {
owner = "influxdata";
repo = "telegraf";
rev = "v${version}";
sha256 = "sha256-FUZDS4As9qP2Dn0NSBM/e8udDLMk5OZol4CQSI39T4s=";
};
vendorHash = "sha256-uWoWvS9ZZzhpE+PiJv0fqblMLOAGIrhCdi0ugvF/lQI=";
proxyVendor = true;
ldflags = [
"-w"
"-s"
"-X main.version=${version}"
];
passthru.tests = {inherit (nixosTests) telegraf;};
meta = with lib; {
description = "The plugin-driven server agent for collecting & reporting metrics";
license = licenses.mit;
homepage = "https://www.influxdata.com/time-series-platform/telegraf/";
maintainers = with maintainers; [mic92 roblabla timstott];
};
};
});
services.hashicorp.vault-agent = {
settings.template = [
{
source = pkgs.writeText "envoy-grafana.token.vtmpl" ''
{{ with secret "consul/creds/envoy-grafana" }}{{ .Data.token }}{{ end }}
'';
destination = "/run/secrets/monitor/envoy-grafana.token";
command = let
serviceList = ["hashicorp-envoy-grafana" "hashicorp-envoy-influx" "hashicorp-envoy-telegraf"];
in
pkgs.writeShellScript "envoy-grafana-reload.sh" ''
sudo systemd-run -P --machine monitor /run/current-system/sw/bin/bash -l -c \
'systemctl try-reload-or-restart ${concatStringsSep " " serviceList}' || true
'';
}
{
source = pkgs.writeText "envoy-blowhole.token.vtmpl" ''
{{ with secret "consul/creds/envoy-blowhole" }}{{ .Data.token }}{{ end }}
'';
destination = "/run/secrets/envoy-blowhole.token";
command = pkgs.writeShellScript "envoy-blowhole-reload.sh" ''
sudo systemctl try-reload-or-restart hashicorp-envoy-telegraf || true
'';
}
{
source = pkgs.writeText "telegraf.env.vtmpl" ''
INFLUXDB_TOKEN={{ with secret "kv/data/homelab-1/blowhole/monitor/telegraf" }}{{ .Data.data.influxdb_token }}{{ end }}
'';
destination = "/run/secrets/monitor/telegraf.env";
command = pkgs.writeShellScript "monitor-telegraf-reload.sh" ''
sudo systemd-run -P --machine monitor /run/current-system/sw/bin/bash -l -c \
'systemctl try-reload-or-restart telegraf' || true
'';
}
{
source = pkgs.writeText "grafana-influx.token.vtmpl" ''
{{ with secret "kv/data/homelab-1/blowhole/monitor/grafana" }}
{{ .Data.data.influxdb_token }}
{{ end }}
'';
destination = "/run/secrets/monitor/grafana-influx.token";
perms = "0644";
command = pkgs.writeShellScript "monitor-telegraf-reload.sh" ''
sudo systemd-run -P --machine monitor /run/current-system/sw/bin/bash -l -c \
'systemctl try-reload-or-restart grafana' || true
'';
}
{
source = pkgs.writeText "itp.env.vtmpl" ''
{{ with secret "kv/data/homelab-1/blowhole/monitor/itp" }}
INFLUX_HOST={{ .Data.data.host }}
INFLUX_TOKEN={{ .Data.data.token }}
{{ end }}
'';
destination = "/run/secrets/monitor/itp.env";
}
];
};
systemd.services."hashicorp-envoy-telegraf" = {
requires = [ "vault-unsealed.service" ];
after = [ "vault-unsealed.service" ];
requires = ["vault-unsealed.service"];
after = ["vault-unsealed.service"];
};
## There is no way to say, hey, listen on localhost. The listeners option is missing the `address` field
@ -263,12 +268,12 @@ in
adminBind = "127.0.0.1:19100";
hotRestart = false;
consulPackage = inputs'.nixpkgs-hashicorp.legacyPackages.${pkgs.stdenv.system}.consul;
extraConsulArgs = [ "-ignore-envoy-compatibility" ];
extraConsulArgs = ["-ignore-envoy-compatibility"];
};
systemd.services."telegraf-magic" = {
requires = [ "vault-unsealed.service" ];
after = [ "vault-unsealed.service" ];
requires = ["vault-unsealed.service"];
after = ["vault-unsealed.service"];
};
services.telegraf-magic = {
@ -329,19 +334,19 @@ in
processors.parser = [
{
parse_fields = [ "message" ];
parse_fields = ["message"];
merge = "override";
data_format = "grok";
grok_patterns = ["%{COMBINED_LOG_FORMAT}"];
tagpass = {
"grok_type" = [ "nginx" "apache" ];
"grok_type" = ["nginx" "apache"];
};
namepass = [ "docker_log" ];
namepass = ["docker_log"];
}
{
parse_fields = [ "message" ];
parse_fields = ["message"];
merge = "override";
data_format = "json_v2";
@ -368,9 +373,9 @@ in
];
tagpass = {
"grok_type" = [ "synapse" ];
"grok_type" = ["synapse"];
};
namepass = [ "docker_log" ];
namepass = ["docker_log"];
}
];
@ -389,7 +394,7 @@ in
};
systemd = {
serviceConfig.SupplementaryGroups = [ "docker" ];
serviceConfig.SupplementaryGroups = ["docker"];
};
};
@ -409,8 +414,8 @@ in
};
systemd.services."container@monitor" = {
requires = [ "vault-unsealed.service" ];
after = [ "vault-unsealed.service" ];
requires = ["vault-unsealed.service"];
after = ["vault-unsealed.service"];
serviceConfig.LimitNOFILE = "infinity";
};
@ -477,7 +482,7 @@ in
adminBind = "127.0.0.1:19100";
hotRestart = false;
consulPackage = inputs'.nixpkgs-hashicorp.legacyPackages.${pkgs.stdenv.system}.consul;
extraConsulArgs = [ "-ignore-envoy-compatibility" ];
extraConsulArgs = ["-ignore-envoy-compatibility"];
};
services.postgresql = {
@ -562,7 +567,7 @@ in
adminBind = "127.0.0.1:19101";
hotRestart = false;
consulPackage = inputs'.nixpkgs-hashicorp.legacyPackages.${pkgs.stdenv.system}.consul;
extraConsulArgs = [ "-ignore-envoy-compatibility" ];
extraConsulArgs = ["-ignore-envoy-compatibility"];
};
systemd.services."influxdb2-provision".serviceConfig.EnvironmentFile = [
@ -606,7 +611,7 @@ in
address = "10.64.99.2:19002";
adminBind = "127.0.0.1:19102";
hotRestart = false;
extraConsulArgs = [ "-ignore-envoy-compatibility" ];
extraConsulArgs = ["-ignore-envoy-compatibility"];
};
services.telegraf-magic = {
@ -627,7 +632,7 @@ in
};
outputs.influxdb_v2 = singleton {
urls = [ "http://127.0.0.1:8086" ];
urls = ["http://127.0.0.1:8086"];
token = "\${INFLUXDB_TOKEN}";
organization = "redalder";
bucket_tag = "bucket";


@ -1,5 +1,4 @@
{ pkgs, ... }:
{
{pkgs, ...}: {
boot.zfs.extraPools = [
"storfa"
];
@ -10,7 +9,7 @@
OnCalendar = "03:00";
};
paths = [ "/run/restic/cartman" ];
paths = ["/run/restic/cartman"];
backupPrepareCommand = ''
snapshot="$(date +restic%+4Y_%U_%u)"
${pkgs.zfs-relmount}/bin/zfs-relmount snapshot storfa/ds1/cartman "''${snapshot}"


@ -1,8 +1,7 @@
# SPDX-FileCopyrightText: 2023 Richard Brežák <richard@brezak.sk>
#
# SPDX-License-Identifier: LGPL-3.0-or-later
{ ... }:
{
{...}: {
networking = {
hostName = "blowhole";
useDHCP = false;


@ -1,12 +1,11 @@
# SPDX-FileCopyrightText: 2023 Richard Brežák <richard@brezak.sk>
#
# SPDX-License-Identifier: LGPL-3.0-or-later
{ lib, ... }:
let
inherit (lib)
{lib, ...}: let
inherit
(lib)
;
in
{
in {
systemd.services.nfs-mountd.serviceConfig = {
LimitNOFILE = 8192;
};


@ -1,5 +1,9 @@
{ inputs', config', config, ... }:
{
inputs',
config',
config,
...
}: {
imports = [
../../common/nixpkgs.nix
];
@ -12,8 +16,7 @@
itp
virtiofsd-zfs
])
++
(with inputs'.nixng.overlays; [
++ (with inputs'.nixng.overlays; [
default
]);
}


@ -1,26 +1,35 @@
{inputs', lib, config, pkgs, pkgs-hashicorp, secret, config', ...}:
let
inherit (lib)
singleton;
in
{
environment.systemPackages = [ pkgs.git ];
inputs',
lib,
config,
pkgs,
pkgs-hashicorp,
secret,
config',
...
}: let
inherit
(lib)
singleton
;
in {
environment.systemPackages = [pkgs.git];
services.hashicorp.vault-agent = {
settings.template = singleton {
source = pkgs.writeText "nomad.json.vtmpl" ''
{
"server": {
"encrypt": "{{ with secret "kv/data/homelab-1/blowhole/nomad/encryption_key" }}{{ or .Data.data.key "" }}{{ end }}"
},
"vault": {
"token": "{{ with secret "kv/data/homelab-1/blowhole/nomad/vault_token" }}{{ or .Data.data.secret "" }}{{ end }}"
},
"consul": {
"token": "{{ with secret "kv/data/homelab-1/blowhole/nomad/consul_token" }}{{ or .Data.data.secret "" }}{{ end }}"
}
{
"server": {
"encrypt": "{{ with secret "kv/data/homelab-1/blowhole/nomad/encryption_key" }}{{ or .Data.data.key "" }}{{ end }}"
},
"vault": {
"token": "{{ with secret "kv/data/homelab-1/blowhole/nomad/vault_token" }}{{ or .Data.data.secret "" }}{{ end }}"
},
"consul": {
"token": "{{ with secret "kv/data/homelab-1/blowhole/nomad/consul_token" }}{{ or .Data.data.secret "" }}{{ end }}"
}
'';
}
'';
destination = "/run/secrets/nomad.json";
command = pkgs.writeShellScript "nomad-command" ''
sudo systemctl try-reload-or-restart hashicorp-nomad.service
@ -29,8 +38,8 @@ in
};
systemd.services."hashicorp-nomad" = {
requires = [ "vault-unsealed.service" ];
after = [ "vault-unsealed.service" ];
requires = ["vault-unsealed.service"];
after = ["vault-unsealed.service"];
};
services.hashicorp.nomad = {
@ -48,13 +57,12 @@ in
extraSettingsPaths = [
"/run/secrets/nomad.json"
];
package = pkgs-hashicorp.nomad_1_5.overrideAttrs (old:
{
patches = with config'.flake.patches; [
hashicorp-nomad.revert-change-consul-si-tokens-to-be-local
hashicorp-nomad.add-nix-integration
];
});
package = pkgs-hashicorp.nomad_1_5.overrideAttrs (old: {
patches = with config'.flake.patches; [
hashicorp-nomad.revert-change-consul-si-tokens-to-be-local
hashicorp-nomad.add-nix-integration
];
});
settings = {
bind_addr = secret.network.ips.blowhole.ip or "";


@ -1,5 +1,4 @@
{ ... }:
{
{...}: {
boot.kernelParams = [
"console=ttyS1,115200"
"console=tty1"


@ -1,5 +1,9 @@
{ inputs', config', secret, ... }:
{
inputs',
config',
secret,
...
}: {
imports = [
inputs'.home-manager.nixosModules.default
../../common/users.nix
@ -12,7 +16,7 @@
secret = secret;
};
home-manager.users.main = {
imports = [ (inputs'.self + "/home-manager/modules/profiles/server.nix") ];
imports = [(inputs'.self + "/home-manager/modules/profiles/server.nix")];
home.stateVersion = "21.05";
};


@ -1,66 +1,77 @@
{ config, inputs', lib, config', pkgs, ... }:
let
inherit (lib)
singleton;
in
{
imports = [ inputs'.uterranix.nixosModules.default ];
config,
inputs',
lib,
config',
pkgs,
...
}: let
inherit
(lib)
singleton
;
in {
imports = [inputs'.uterranix.nixosModules.default];
uterranix.config = { config, tflib, ... }:
let
inherit (tflib)
tf;
in
{
terraform.required_providers =
config'.flake.uterranix.config.${pkgs.stdenv.system}.terraform.required_providers;
uterranix.config = {
config,
tflib,
...
}: let
inherit
(tflib)
tf
;
in {
terraform.required_providers =
config'.flake.uterranix.config.${pkgs.stdenv.system}.terraform.required_providers;
imports = config'.uterranix.modules;
imports = config'.uterranix.modules;
resource."vault_consul_secret_backend_role"."envoy-grafana" = {
name = "envoy-grafana";
resource."vault_consul_secret_backend_role"."envoy-grafana" = {
name = "envoy-grafana";
backend = "consul";
backend = "consul";
service_identities = [
"grafana"
"influx"
"telegraf"
];
service_identities = [
"grafana"
"influx"
"telegraf"
];
node_identities = singleton "blowhole:homelab-1";
};
node_identities = singleton "blowhole:homelab-1";
};
resource."consul_acl_policy"."envoy-blowhole" = {
name = "envoy-blowhole";
datacenters = singleton "homelab-1";
resource."consul_acl_policy"."envoy-blowhole" = {
name = "envoy-blowhole";
datacenters = singleton "homelab-1";
rules = ''
mesh = "write"
'';
};
rules = ''
mesh = "write"
'';
};
resource."vault_consul_secret_backend_role"."envoy-blowhole" = {
name = "envoy-blowhole";
backend = "consul";
resource."vault_consul_secret_backend_role"."envoy-blowhole" = {
name = "envoy-blowhole";
backend = "consul";
consul_policies = singleton (tf "consul_acl_policy.envoy-blowhole.name");
consul_policies = singleton (tf "consul_acl_policy.envoy-blowhole.name");
service_identities = singleton "telegraf-blowhole";
service_identities = singleton "telegraf-blowhole";
node_identities = [
"blowhole:homelab-1"
];
};
node_identities = [
"blowhole:homelab-1"
];
};
resource."vault_consul_secret_backend_role"."envoy-klipper" = {
name = "envoy-klipper";
resource."vault_consul_secret_backend_role"."envoy-klipper" = {
name = "envoy-klipper";
backend = "consul";
backend = "consul";
service_identities = singleton "mainsail";
service_identities = singleton "mainsail";
node_identities = singleton "blowhole:homelab-1";
};
};
node_identities = singleton "blowhole:homelab-1";
};
};
}


@ -1,26 +1,32 @@
{ pkgs, lib, config, tf, inputs', pkgs-hashicorp, ... }:
let
inherit (lib)
singleton;
in
{
systemd.services.hashicorp-vault-agent =
let
config = pkgs.writeText "hashicorp-vault-agent-tmpfiles.d" ''
d /run/secrets 0750 root root 0
x /run/secrets/monitor 0755 root root -
d /run/secrets/monitor 0755 root root 0
x /run/secrets/klipper 0755 root root -
d /run/secrets/klipper 0755 root root 0
'';
in
{
preStart = "systemd-tmpfiles --create " + config;
postStop = "systemd-tmpfiles --clean " + config;
pkgs,
lib,
config,
tf,
inputs',
pkgs-hashicorp,
...
}: let
inherit
(lib)
singleton
;
in {
systemd.services.hashicorp-vault-agent = let
config = pkgs.writeText "hashicorp-vault-agent-tmpfiles.d" ''
d /run/secrets 0750 root root 0
x /run/secrets/monitor 0755 root root -
d /run/secrets/monitor 0755 root root 0
x /run/secrets/klipper 0755 root root -
d /run/secrets/klipper 0755 root root 0
'';
in {
preStart = "systemd-tmpfiles --create " + config;
postStop = "systemd-tmpfiles --clean " + config;
requires = [ "vault-unsealed.service" ];
after = [ "vault-unsealed.service" ];
};
requires = ["vault-unsealed.service"];
after = ["vault-unsealed.service"];
};
services.hashicorp.vault-agent = {
enable = true;


@ -1,10 +1,18 @@
{lib, config, pkgs, pkgs-hashicorp, secret, inputs', ...}:
let
inherit (lib)
mkForce;
certs = config.services.acme-sh.certs;
in
{
lib,
config,
pkgs,
pkgs-hashicorp,
secret,
inputs',
...
}: let
inherit
(lib)
mkForce
;
certs = config.services.acme-sh.certs;
in {
services.hashicorp.vault = {
enable = true;


@ -1,7 +1,6 @@
{ ... }:
{
{...}: {
systemd.watchdog.runtimeTime = "60s";
systemd.watchdog.rebootTime = "3m";
systemd.watchdog.rebootTime = "3m";
systemd.watchdog.kexecTime = "5m";
systemd.services."emergency".serviceConfig.ExecStartPre = "/bin/sh -c \"read -t 30 || /run/current-system/sw/bin/systemctl reboot\"";
}


@ -1,8 +1,11 @@
# SPDX-FileCopyrightText: 2022 Richard Brežák <richard@brezak.sk>
#
# SPDX-License-Identifier: LGPL-3.0-or-later
{ pkgs, lib, ... }:
{
pkgs,
lib,
...
}: {
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
}


@ -1,17 +1,22 @@
# SPDX-FileCopyrightText: 2022 Richard Brežák <richard@brezak.sk>
#
# SPDX-License-Identifier: LGPL-3.0-or-later
{ inputs, lib', config, ... }:
let
inherit (lib')
{
inputs,
lib',
config,
...
}: let
inherit
(lib')
flip
mapAttrs
singleton
mkForce;
mkForce
;
config' = config;
in
{
in {
flake.nixosConfigurations.gooseberry = inputs.nixpkgs.lib.nixosSystem {
system = "aarch64-linux";
@ -21,26 +26,30 @@ in
secret = lib'.loadSecrets inputs.secret;
};
modules = singleton
({ pkgs, config, ... }:
{
imports = [
./bootloader.nix
./filesystems.nix
./users.nix
./nixpkgs.nix
./networking.nix
../../common/remote_access.nix
modules =
singleton
({
pkgs,
config,
...
}: {
imports = [
./bootloader.nix
./filesystems.nix
./users.nix
./nixpkgs.nix
./networking.nix
../../common/remote_access.nix
inputs.disko.nixosModules.disko
];
inputs.disko.nixosModules.disko
];
environment.systemPackages = [ pkgs.ipmitool ];
environment.systemPackages = [pkgs.ipmitool];
boot.initrd.systemd.enable = true;
boot.initrd.systemd.enable = true;
time.timeZone = "Europe/Amsterdam";
system.stateVersion = "23.05";
});
time.timeZone = "Europe/Amsterdam";
system.stateVersion = "23.05";
});
};
}


@ -1,12 +1,12 @@
# SPDX-FileCopyrightText: 2022 Richard Brežák <richard@brezak.sk>
#
# SPDX-License-Identifier: LGPL-3.0-or-later
{ lib, ... }:
let
inherit (lib)
singleton;
in
{
{lib, ...}: let
inherit
(lib)
singleton
;
in {
disko.devices = {
disk.boot = {
type = "disk";
@ -52,7 +52,7 @@ in
nodev."/" = {
fsType = "tmpfs";
mountOptions = [ "defaults" "size=128M" "mode=755" "noexec" ];
mountOptions = ["defaults" "size=128M" "mode=755" "noexec"];
};
};
@ -60,24 +60,24 @@ in
"/root-partition".neededForBoot = true;
"/nix" = {
device = "/root-partition/nix";
options = [ "bind" ];
options = ["bind"];
neededForBoot = true;
};
"/home" = {
device = "/root-partition/home";
options = [ "bind" ];
options = ["bind"];
neededForBoot = true;
};
"/var/lib/nixos" = {
device = "/root-partition/var/lib/nixos";
options = [ "bind" ];
options = ["bind"];
};
"/var/log" = {
device = "/root-partition/var/log";
options = [ "bind" ];
options = ["bind"];
};
};


@ -1,17 +1,22 @@
{ pkgs, lib, secret, ... }:
let
in
{
pkgs,
lib,
secret,
...
}: let
in {
networking = {
hostName = "gooseberry";
useDHCP = false;
interfaces.eth0.useDHCP = true;
firewall.enable = true;
interfaces."eth1".ipv4.addresses = [{
address = secret.network.ips.gooseberry.ipmi or "";
prefixLength = 30;
}];
interfaces."eth1".ipv4.addresses = [
{
address = secret.network.ips.gooseberry.ipmi or "";
prefixLength = 30;
}
];
};
services.udev.extraRules = ''


@ -1,13 +1,15 @@
{ inputs', config', ... }:
{
inputs',
config',
...
}: {
imports = [
../../common/nixpkgs.nix
];
nixpkgs.overlays =
(with config'.flake.overlays; [])
++
(with inputs'.nixng.overlays; [
++ (with inputs'.nixng.overlays; [
default
]);
}


@ -1,5 +1,9 @@
{ inputs', config', secret, ... }:
{
inputs',
config',
secret,
...
}: {
imports = [
inputs'.home-manager.nixosModules.default
../../common/users.nix
@ -12,7 +16,7 @@
secret = secret;
};
home-manager.users.main = {
imports = [ (inputs'.self + "/home-manager/modules/profiles/server.nix") ];
imports = [(inputs'.self + "/home-manager/modules/profiles/server.nix")];
home.stateVersion = "23.05";
};


@ -1,8 +1,11 @@
# SPDX-FileCopyrightText: 2022 Richard Brežák <richard@brezak.sk>
#
# SPDX-License-Identifier: LGPL-3.0-or-later
{ pkgs, lib, ... }:
{
pkgs,
lib,
...
}: {
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
}


@ -1,13 +1,15 @@
{ inputs', config', ... }:
{
inputs',
config',
...
}: {
imports = [
../../common/nixpkgs.nix
];
nixpkgs.overlays =
(with config'.flake.overlays; [])
++
(with inputs'.nixng.overlays; [
++ (with inputs'.nixng.overlays; [
default
]);
}
