Reformat the whole flake using alejandra

Signed-off-by: magic_rb <magic_rb@redalder.org>
magic_rb 2024-03-02 22:05:30 +01:00
parent 97be6885a6
commit aff0158ef7
No known key found for this signature in database
GPG key ID: 08D5287CC5DDCA0E
176 changed files with 4982 additions and 4278 deletions


@ -1,5 +1,4 @@
{ pkgs, ... }:
{
{pkgs, ...}: {
programs.direnv.enable = true;
programs.direnv.nix-direnv.enable = true;


@ -1,4 +1,2 @@
{ ... }:
{
{...}: {
}


@ -1,5 +1,4 @@
{ pkgs, ... }:
{
{pkgs, ...}: {
home.file.".config/dunstrc".source = ./dunstrc;
systemd.user.services.dunst = {


@ -1,5 +1,11 @@
{ pkgs, config, lib, secret, inputs', ... }:
{
pkgs,
config,
lib,
secret,
inputs',
...
}: {
home.packages = with pkgs; [
(makeDesktopItem {
name = "Org-Protocol";


@ -1,5 +1,4 @@
{ pkgs, ... }:
{
{pkgs, ...}: {
home.file.".keynavrc".source = ./keynavrc;
systemd.user.services.keynav = {


@ -1,18 +1,18 @@
{ inputs', pkgs, ... }:
{
inputs',
pkgs,
...
}: {
services.pantalaimon = {
enable = true;
# TODO switch to unstable when PR263669 is merged
package = inputs'.nixpkgs-stable.legacyPackages.${pkgs.stdenv.system}.pantalaimon;
settings =
{
Default =
{
settings = {
Default = {
LogLevel = "Info";
SSL = true;
};
local-matrix =
{
local-matrix = {
Homeserver = "https://matrix.redalder.org";
ListenAddress = "127.0.0.1";
ListenPort = 8008;


@ -1,5 +1,8 @@
{ pkgs, lib, ... }:
{
pkgs,
lib,
...
}: {
home.file.".config/picom.conf".source = ./picom.conf;
systemd.user.services.picom = {
Unit = {


@ -1,13 +1,19 @@
{ config, pkgs, lib, ... }:
let
inherit (lib)
{
config,
pkgs,
lib,
...
}: let
inherit
(lib)
optional
;
in
{
home.packages = with pkgs; [
in {
home.packages = with pkgs;
[
file
] ++ (optional (pkgs.stdenv.system != "armv6l-linux" && pkgs.stdenv.system != "armv7l-linux") git-annex);
]
++ (optional (pkgs.stdenv.system != "armv6l-linux" && pkgs.stdenv.system != "armv7l-linux") git-annex);
imports = [
../bash


@ -1,9 +1,15 @@
{ config, pkgs, lib, ... }:
let
inherit (lib)
{
config,
pkgs,
lib,
...
}: let
inherit
(lib)
singleton
getExe
makeBinPath;
makeBinPath
;
locker = pkgs.writeShellScript "i3lock-dynamic-image" ''
export PATH=${makeBinPath (with pkgs; [xorg.xrandr gnugrep coreutils imagemagick i3lock])}:$PATH
@ -41,8 +47,7 @@ let
wait
fi
'';
in
{
in {
services.screen-locker = {
enable = true;
inactiveInterval = 5;


@ -1,5 +1,4 @@
{ config, ... }:
{
{config, ...}: {
programs.ssh = {
enable = true;


@ -1,10 +1,14 @@
{ pkgs, lib, ... }:
let
inherit (lib)
singleton
getExe;
in
{
pkgs,
lib,
...
}: let
inherit
(lib)
singleton
getExe
;
in {
systemd.user.services.wallpaper = {
Unit = {
Description = "Applies wallpaper";


@ -1,14 +1,18 @@
{ lib, flake-parts-lib, ... }:
let
inherit (lib)
{
lib,
flake-parts-lib,
...
}: let
inherit
(lib)
mkOption
types
;
inherit (flake-parts-lib)
inherit
(flake-parts-lib)
mkSubmoduleOptions
;
in
{
in {
options = {
flake = mkSubmoduleOptions {
libOverlays = mkOption {


@ -1,16 +1,20 @@
# copied straight from https://github.com/hercules-ci/flake-parts/blob/main/modules/nixosConfigurations.nix
{ lib, flake-parts-lib, ... }:
let
inherit (lib)
{
lib,
flake-parts-lib,
...
}: let
inherit
(lib)
mkOption
types
literalExpression
;
inherit (flake-parts-lib)
inherit
(flake-parts-lib)
mkSubmoduleOptions
;
in
{
in {
options = {
flake = mkSubmoduleOptions {
nixngConfigurations = mkOption {


@ -1,12 +1,13 @@
{ inputs, config, ... }:
{
inputs,
config,
...
}: {
flake.nixngConfigurations.ds3os = inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "ds3os";
inherit (inputs) nixpkgs;
config =
{ pkgs, ... }:
{
config = {pkgs, ...}: {
config = {
dumb-init = {
enable = true;
@ -16,8 +17,7 @@
init.services.ds3os = {
enabled = true;
shutdownOnExit = true;
script =
let
script = let
pkgs' = pkgs.appendOverlays [config.flake.overlays.ds3os];
in
pkgs.writeShellScript "ds3os"


@ -1,12 +1,9 @@
{ inputs, ... }:
{
{inputs, ...}: {
flake.nixngConfigurations.dovecot = inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "ra-systems-dovecot";
inherit (inputs) nixpkgs;
config =
{ pkgs, ... }:
{
config = {pkgs, ...}: {
config = {
dumb-init = {
enable = true;
@ -37,7 +34,7 @@
mail_plugin_dir = pkgs.symlinkJoin {
name = "dovecot-modules";
paths = map (pkg: "${pkg}/lib/dovecot") ([ pkgs.dovecot pkgs.dovecot_pigeonhole ]);
paths = map (pkg: "${pkg}/lib/dovecot") [pkgs.dovecot pkgs.dovecot_pigeonhole];
};
# Optimizations:


@ -1,16 +1,22 @@
{ inputs, config, ... }:
let
config' = config;
in
{
inputs,
config,
...
}: let
config' = config;
in {
flake.nixngConfigurations.getmail = inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "ra-systems-getmail";
inherit (inputs)
nixpkgs;
config =
{ pkgs, config, ... }:
{
inherit
(inputs)
nixpkgs
;
config = {
pkgs,
config,
...
}: {
config = {
dumb-init = {
enable = true;
@ -29,14 +35,14 @@ in
init.services.getmail = {
shutdownOnExit = true;
script =
let
script = let
pkgs' = pkgs.appendOverlays (with config'.flake.overlays; [
courier-unicode
getmail6
maildrop
]);
PATH = with pkgs'; lib.makeBinPath [
PATH = with pkgs';
lib.makeBinPath [
jq
busybox
runit
@ -75,5 +81,5 @@ in
};
};
}
# /usr/lib/sendmail -i -oem -f %F %T


@ -1,13 +1,16 @@
{ inputs, ... }:
{
{inputs, ...}: {
flake.nixngConfigurations.postfix = inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "nixng-postfix";
inherit (inputs)
nixpkgs;
config =
{ pkgs, config, ... }:
{
inherit
(inputs)
nixpkgs
;
config = {
pkgs,
config,
...
}: {
config = {
dumb-init = {
enable = true;


@ -1,27 +1,153 @@
{
pickup = { type = "unix"; private = "n"; chroot = "n"; wakeup = "60"; maxproc = 1; command = "pickup"; };
cleanup = { type = "unix"; private = "n"; chroot = "n"; maxproc = 0; command = "cleanup"; };
qmgr = { type = "unix"; private = "n"; chroot = "n"; wakeup = "300"; maxproc = 1; command = "qmgr"; };
tlsmgr = { type = "unix"; wakeup = "1000?"; maxproc = 1; command = "tlsmgr"; };
rewrite = { type = "unix"; chroot = "n"; command = "trivial-rewrite"; };
bounce = { type = "unix"; chroot = "n"; maxproc = 0; command = "bounce"; };
defer = { type = "unix"; chroot = "n"; maxproc = 0; command = "bounce"; };
trace = { type = "unix"; chroot = "n"; maxproc = 0; command = "bounce"; };
verify = { type = "unix"; chroot = "n"; maxproc = 1; command = "verify"; };
flush = { type = "unix"; chroot = "n"; wakeup = "1000?"; maxproc = 0; command = "flush"; };
proxymap = { type = "unix"; chroot = "n"; command = "proxymap"; };
proxywrite = { type = "unix"; chroot = "n"; maxproc = 1; command = "proxymap"; };
smtp = [ { type = "unix"; chroot = "n"; command = "smtp"; }
{ type = "inet"; private = "n"; chroot = "n"; command = "smtpd"; } ];
relay = { type = "unix"; chroot = "n"; command = "smtp -o syslog_name=postfix/$service_name"; }; # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq = { type = "unix"; private = "n"; chroot = "n"; command = "showq"; };
error = { type = "unix"; chroot = "n"; command = "error"; };
retry = { type = "unix"; chroot = "n"; command = "error"; };
discard = { type = "unix"; chroot = "n"; command = "discard"; };
local = { type = "unix"; unpriv = "n"; chroot = "n"; command = "local"; };
virtual = { type = "unix"; unpriv = "n"; chroot = "n"; command = "virtual"; };
lmtp = { type = "unix"; chroot = "n"; command = "lmtp"; };
anvil = { type = "unix"; chroot = "n"; maxproc = 1; command = "anvil"; };
scache = { type = "unix"; chroot = "n"; maxproc = 1; command = "scache"; };
postlog = { type = "unix-dgram"; private = "n"; chroot = "n"; maxproc = 1; command = "postlogd"; };
pickup = {
type = "unix";
private = "n";
chroot = "n";
wakeup = "60";
maxproc = 1;
command = "pickup";
};
cleanup = {
type = "unix";
private = "n";
chroot = "n";
maxproc = 0;
command = "cleanup";
};
qmgr = {
type = "unix";
private = "n";
chroot = "n";
wakeup = "300";
maxproc = 1;
command = "qmgr";
};
tlsmgr = {
type = "unix";
wakeup = "1000?";
maxproc = 1;
command = "tlsmgr";
};
rewrite = {
type = "unix";
chroot = "n";
command = "trivial-rewrite";
};
bounce = {
type = "unix";
chroot = "n";
maxproc = 0;
command = "bounce";
};
defer = {
type = "unix";
chroot = "n";
maxproc = 0;
command = "bounce";
};
trace = {
type = "unix";
chroot = "n";
maxproc = 0;
command = "bounce";
};
verify = {
type = "unix";
chroot = "n";
maxproc = 1;
command = "verify";
};
flush = {
type = "unix";
chroot = "n";
wakeup = "1000?";
maxproc = 0;
command = "flush";
};
proxymap = {
type = "unix";
chroot = "n";
command = "proxymap";
};
proxywrite = {
type = "unix";
chroot = "n";
maxproc = 1;
command = "proxymap";
};
smtp = [
{
type = "unix";
chroot = "n";
command = "smtp";
}
{
type = "inet";
private = "n";
chroot = "n";
command = "smtpd";
}
];
relay = {
type = "unix";
chroot = "n";
command = "smtp -o syslog_name=postfix/$service_name";
}; # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq = {
type = "unix";
private = "n";
chroot = "n";
command = "showq";
};
error = {
type = "unix";
chroot = "n";
command = "error";
};
retry = {
type = "unix";
chroot = "n";
command = "error";
};
discard = {
type = "unix";
chroot = "n";
command = "discard";
};
local = {
type = "unix";
unpriv = "n";
chroot = "n";
command = "local";
};
virtual = {
type = "unix";
unpriv = "n";
chroot = "n";
command = "virtual";
};
lmtp = {
type = "unix";
chroot = "n";
command = "lmtp";
};
anvil = {
type = "unix";
chroot = "n";
maxproc = 1;
command = "anvil";
};
scache = {
type = "unix";
chroot = "n";
maxproc = 1;
command = "scache";
};
postlog = {
type = "unix-dgram";
private = "n";
chroot = "n";
maxproc = 1;
command = "postlogd";
};
}


@ -1,13 +1,9 @@
{ inputs, ... }:
{
flake.nixngConfigurations.fileStash =
inputs.nixng.nglib.makeSystem {
{inputs, ...}: {
flake.nixngConfigurations.fileStash = inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "filestash";
inherit (inputs) nixpkgs;
config =
{ pkgs, ... }:
{
config = {pkgs, ...}: {
dumb-init = {
enable = true;
type.services = {};


@ -3,13 +3,17 @@
description = "";
id = "dff10ca7-a27c-469a-8015-bd6899458c8d";
action = [{
action = [
{
"else" = [{stop = "";}];
"if" = [{
"if" = [
{
condition = "trigger";
id = "brightness_down";
}];
"then" = [{
}
];
"then" = [
{
repeat = {
sequence = [
{
@ -26,13 +30,17 @@
};
}
];
while = [{
while = [
{
condition = "not";
conditions = [];
}];
}
];
};
}];
}];
}
];
}
];
condition = [];


@ -19,13 +19,17 @@
condition = [];
action = [{
action = [
{
"else" = [{stop = "";}];
"if" = [{
"if" = [
{
condition = "trigger";
id = "brightness_down";
}];
"then" = [{
}
];
"then" = [
{
repeat = {
sequence = [
{
@ -42,13 +46,17 @@
};
}
];
while = [{
while = [
{
condition = "not";
conditions = [];
}];
}
];
};
}];
}];
}
];
}
];
mode = "restart";
}


@ -3,22 +3,26 @@
description = "";
id = "5f773a4d-5a52-4483-a49d-9c0944ea0b21";
trigger = [{
trigger = [
{
device_id = "bf6aed0be7735065cddf5a0c11629661";
discovery_id = "0x540f57fffe3c601d action_off";
domain = "mqtt";
platform = "device";
subtype = "off";
type = "action";
}];
}
];
condition = [];
action = [{
action = [
{
data = {};
service = "light.turn_off";
target = {entity_id = "light.bathroom_lights";};
}];
}
];
mode = "single";
}


@ -3,22 +3,26 @@
description = "";
id = "1330a1c7-3f3f-488e-8aba-aea8937236ce";
trigger = [{
trigger = [
{
device_id = "bf6aed0be7735065cddf5a0c11629661";
discovery_id = "0x540f57fffe3c601d action_on";
domain = "mqtt";
platform = "device";
subtype = "on";
type = "action";
}];
}
];
condition = [];
action = [{
action = [
{
data = {};
service = "light.turn_on";
target = {entity_id = "light.bathroom_lights";};
}];
}
];
mode = "single";
}


@ -1,13 +1,20 @@
{ inputs, lib, ... }:
let
callPackage = lib.callPackageWith {
inherit (inputs)
nixpkgs nixng;
inherit (inputs.nixng.nglib)
makeSystem;
};
in
{
inputs,
lib,
...
}: let
callPackage = lib.callPackageWith {
inherit
(inputs)
nixpkgs
nixng
;
inherit
(inputs.nixng.nglib)
makeSystem
;
};
in {
flake.nixngConfigurations.homeAssistant = callPackage ./home-assistant.nix {};
flake.nixngConfigurations.homeAssistantPostgresql = callPackage ./postgresql.nix {};
flake.nixngConfigurations.zigbee2mqtt = callPackage ./zigbee2mqtt.nix {};


@ -1,13 +1,12 @@
{ makeSystem
, nixpkgs
{
makeSystem,
nixpkgs,
}:
makeSystem {
system = "x86_64-linux";
name = "nixng-mosquitto";
inherit nixpkgs;
config =
{ pkgs, ... }:
{
config = {pkgs, ...}: {
config = {
dumb-init = {
enable = true;


@ -1,17 +1,21 @@
{ makeSystem
, nixpkgs
{
makeSystem,
nixpkgs,
}:
makeSystem {
system = "x86_64-linux";
name = "nixng-hass-postgresql";
inherit nixpkgs;
config =
{ pkgs, lib, ... }:
let
inherit (lib)
singleton;
in
{
config = {
pkgs,
lib,
...
}: let
inherit
(lib)
singleton
;
in {
config = {
dumb-init = {
enable = true;


@ -1,13 +1,12 @@
{ makeSystem
, nixpkgs
{
makeSystem,
nixpkgs,
}:
makeSystem {
system = "x86_64-linux";
name = "nixng-zigbee2mqtt";
inherit nixpkgs;
config =
{ pkgs, ... }:
{
config = {pkgs, ...}: {
config = {
dumb-init = {
enable = true;
@ -50,5 +49,3 @@ makeSystem {
};
};
}


@ -1,15 +1,21 @@
{ inputs, lib, ... }:
let
{
inputs,
lib,
...
}: let
callPackage = lib.callPackagesWith {
inherit (inputs.nixng.nglib)
makeSystem;
inherit (inputs)
inherit
(inputs.nixng.nglib)
makeSystem
;
inherit
(inputs)
hydra
nixpkgs
nix;
nix
;
};
in
{
in {
flake.nixngConfigurations.hydraPostgreSQL = callPackage ./postgresql.nix {};
flake.nixngConfigurations.hydra = callPackage ./hydra.nix {};
}


@ -1,17 +1,19 @@
{ inputs, ... }:
{
{inputs, ...}: {
flake.nixngConfigurations.ingressBlowhole = inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "ingress-blowhole";
inherit (inputs) nixpkgs;
config =
{ pkgs, lib, ... }:
let
inherit (lib)
singleton;
in
{
config = {
pkgs,
lib,
...
}: let
inherit
(lib)
singleton
;
in {
dumb-init = {
enable = true;
sigell.entries = [
@ -22,8 +24,8 @@
environment = {
PATH = "${pkgs.bash}/bin:${pkgs.busybox}/bin";
};
command =
[ "bash"
command = [
"bash"
"-c"
"kill -s HUP \"$(cat /nginx.pid)\""
];
@ -44,7 +46,6 @@
};
init.services.nginx.shutdownOnExit = true;
services.nginx = {
enable = true;
envsubst = true;


@ -1,17 +1,20 @@
{ inputs, ... }:
{
{inputs, ...}: {
flake.nixngConfigurations.ingressToothpick = inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "ingress-toothpick";
inherit (inputs) nixpkgs;
config =
{ pkgs, lib, nglib, ... }:
let
inherit (lib)
singleton;
in
{
config = {
pkgs,
lib,
nglib,
...
}: let
inherit
(lib)
singleton
;
in {
dumb-init = {
enable = true;
sigell.entries = [
@ -22,8 +25,8 @@
environment = {
PATH = "${pkgs.bash}/bin:${pkgs.busybox}/bin";
};
command =
[ "bash"
command = [
"bash"
"-c"
"kill -s HUP \"$(cat /nginx.pid)\""
];
@ -44,9 +47,8 @@
};
init.services.nginx.shutdownOnExit = true;
system.activation =
{ resolv-conf =
system.activation = {
resolv-conf =
nglib.dag.dagEntryBefore ["certbot"]
''
export PATH=${pkgs.busybox}/bin


@ -1,16 +1,18 @@
{ inputs, ... }:
{
{inputs, ...}: {
flake.nixngConfigurations.heisenbridge = inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "heisenbridge";
inherit (inputs) nixpkgs;
config =
{ pkgs, lib, ... }:
let
inherit (lib)
getExe';
in
{
config = {
pkgs,
lib,
...
}: let
inherit
(lib)
getExe'
;
in {
dumb-init = {
enable = true;
type.services = {};


@ -1,12 +1,17 @@
{ inputs, config, ... }:
{
inputs,
config,
...
}: {
flake.nixngConfigurations.mautrixDiscord = inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "mautrix-discord";
inherit (inputs) nixpkgs;
config =
{ pkgs, lib, ... }:
{
config = {
pkgs,
lib,
...
}: {
dumb-init = {
enable = true;
type.services = {};
@ -15,11 +20,12 @@
init.services.mautrix-discord = {
enabled = true;
shutdownOnExit = true;
script =
let
inherit (lib)
script = let
inherit
(lib)
getExe'
makeBinPath;
makeBinPath
;
mautrix-discord = (pkgs.appendOverlays [config.flake.overlays.mautrix-discord]).mautrix-discord;
in
pkgs.writeShellScript "mautrix-discord"


@ -1,16 +1,18 @@
{ inputs, ... }:
{
{inputs, ...}: {
flake.nixngConfigurations.mautrixFacebook = inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "mautrix-facebook";
inherit (inputs) nixpkgs;
config =
{ pkgs, lib, ... }:
let
inherit (lib)
singleton;
in
{
config = {
pkgs,
lib,
...
}: let
inherit
(lib)
singleton
;
in {
dumb-init = {
enable = true;
type.services = {};
@ -19,8 +21,7 @@
init.services.mautrix-facebook = {
enabled = true;
shutdownOnExit = true;
script =
let
script = let
mautrix-facebook = pkgs.mautrix-facebook.overridePythonAttrs (old: {
propagatedBuildInputs = singleton pkgs.python3.pkgs.aiosqlite ++ old.propagatedBuildInputs;
});


@ -1,12 +1,13 @@
{ inputs, ... }:
{
{inputs, ...}: {
flake.nixngConfigurations.mautrixSignal = inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "mautrix-signal";
inherit (inputs) nixpkgs;
config =
{ pkgs, lib, ... }:
{
config = {
pkgs,
lib,
...
}: {
dumb-init = {
enable = true;
type.services = {};
@ -36,10 +37,8 @@
init.services.signald = {
enabled = true;
shutdownOnExit = true;
script =
let
locales =
[
script = let
locales = [
"C.UTF-8"
"en_US.UTF-8"
];


@ -1,12 +1,17 @@
{ inputs, config, ... }:
{
inputs,
config,
...
}: {
flake.nixngConfigurations.mautrixSlack = inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "mautrix-slack";
inherit (inputs) nixpkgs;
config =
{ pkgs, lib, ... }:
{
config = {
pkgs,
lib,
...
}: {
dumb-init = {
enable = true;
type.services = {};
@ -15,11 +20,12 @@
init.services.mautrix-slack = {
enabled = true;
shutdownOnExit = true;
script =
let
inherit (lib)
script = let
inherit
(lib)
getExe'
makeBinPath;
makeBinPath
;
mautrix-slack = (pkgs.appendOverlays [config.flake.overlays.mautrix-slack]).mautrix-slack;
in
pkgs.writeShellScript "mautrix-slack"


@ -1,14 +1,15 @@
{ logConfig }:
{
{logConfig}: {
server_name = "matrix.redalder.org";
report_stats = "yes";
pid_file = "/homeserver.pid";
log_config = logConfig;
trusted_key_servers = [ {
trusted_key_servers = [
{
server_name = "matrix.org";
} ];
}
];
media_store_path = "/var/lib/synapse/media_store";
signing_key_path = "/var/lib/synapse/signing.key";


@ -1,7 +1,12 @@
{ inputs, lib, ... }:
let
inherit (lib)
singleton;
{
inputs,
lib,
...
}: let
inherit
(lib)
singleton
;
commonConfig = pkgs:
(pkgs.formats.yaml {}).generate "common.yaml"
@ -11,16 +16,20 @@ let
(import ./log_config.nix {});
callPackage = lib.callPackageWith {
inherit (inputs)
nixpkgs;
inherit (inputs.nixng.nglib)
makeSystem;
inherit
(inputs)
nixpkgs
;
inherit
(inputs.nixng.nglib)
makeSystem
;
inherit
commonConfig
logConfig;
logConfig
;
};
in
{
in {
flake.nixngConfigurations.synapseFederationSender = callPackage ./generic_worker.nix {
name = "generic";
listener_resources = singleton "health";


@ -1,17 +1,16 @@
{ makeSystem
, nixpkgs
, listener_resources
, name
, logConfig
, commonConfig
{
makeSystem,
nixpkgs,
listener_resources,
name,
logConfig,
commonConfig,
}:
makeSystem {
system = "x86_64-linux";
name = "synapse-worker-${name}";
inherit nixpkgs;
config = ({ pkgs, ... }:
{
config = {pkgs, ...}: {
dumb-init = {
enable = true;
type.services = {};
@ -31,8 +30,7 @@ makeSystem {
type = "http";
x_forwarded = true;
bind_adrresses = ["0.0.0.0"];
resources =
[
resources = [
{
names = listener_resources;
compress = false;
@ -59,5 +57,5 @@ makeSystem {
];
};
};
});
};
}
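Review bot: The listener key `bind_adrresses` in the second hunk (the context line just before `resources = [`) is misspelled — Synapse's listener schema reads `bind_addresses`, so this explicit value is presumably ignored and the worker listener binds to whatever Synapse's default is rather than the address the config intends to pin. This predates the reformat, but since alejandra already touches this block it is a one-token fix to fold in: `bind_addresses = ["0.0.0.0"];`. The enclosing `makeSystem { config = … }` block starts and ends outside the hunk.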


@ -1,5 +1,4 @@
{ }:
{
{}: {
version = 1;
formatters.structured.class = "synapse.logging.TerseJsonFormatter";


@ -1,13 +1,16 @@
{ makeSystem
, nixpkgs
{
makeSystem,
nixpkgs,
}:
makeSystem {
system = "x86_64-linux";
name = "nixng-synapse-postgresql";
inherit nixpkgs;
config =
{ pkgs, config, ... }:
{
config = {
pkgs,
config,
...
}: {
config = {
dumb-init = {
enable = true;
@ -42,12 +45,30 @@ makeSystem {
};
ensureDatabases = {
"synapse" = { ENCODING = "UTF8"; TEMPLATE = "template0"; };
"mautrix-facebook" = { ENCODING = "UTF8"; TEMPLATE = "template0"; };
"mautrix-signal" = { ENCODING = "UTF8"; TEMPLATE = "template0"; };
"mautrix-whatsapp" = { ENCODING = "UTF8"; TEMPLATE = "template0"; };
"mautrix-discord" = { ENCODING = "UTF8"; TEMPLATE = "template0"; };
"mautrix-slack" = { ENCODING = "UTF8"; TEMPLATE = "template0"; };
"synapse" = {
ENCODING = "UTF8";
TEMPLATE = "template0";
};
"mautrix-facebook" = {
ENCODING = "UTF8";
TEMPLATE = "template0";
};
"mautrix-signal" = {
ENCODING = "UTF8";
TEMPLATE = "template0";
};
"mautrix-whatsapp" = {
ENCODING = "UTF8";
TEMPLATE = "template0";
};
"mautrix-discord" = {
ENCODING = "UTF8";
TEMPLATE = "template0";
};
"mautrix-slack" = {
ENCODING = "UTF8";
TEMPLATE = "template0";
};
};
ensureExtensions = {};
ensureUsers = [


@ -1,13 +1,12 @@
{ makeSystem
, nixpkgs
{
makeSystem,
nixpkgs,
}:
makeSystem {
system = "x86_64-linux";
name = "redis";
inherit nixpkgs;
config =
{ pkgs, ... }:
{
config = {pkgs, ...}: {
dumb-init = {
enable = true;
type.services = {};


@ -1,20 +1,23 @@
{ makeSystem
, nixpkgs
, commonConfig
{
makeSystem,
nixpkgs,
commonConfig,
}:
makeSystem {
system = "x86_64-linux";
name = "synapse";
inherit nixpkgs;
config =
{ pkgs, lib, ... }:
let
inherit (lib)
config = {
pkgs,
lib,
...
}: let
inherit
(lib)
singleton
makeSearchPathOutput;
in
{
makeSearchPathOutput
;
in {
dumb-init = {
enable = true;
type.services = {};
@ -26,8 +29,7 @@ makeSystem {
enable = true;
package = import ./synapse-package.nix pkgs;
settings = {
listeners =
[
listeners = [
# The HTTP replication port
{
port = 9093;


@ -1,12 +1,13 @@
{ inputs, ... }:
{
{inputs, ...}: {
flake.nixngConfigurations.minecraft-ftb-infinity = inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "nixng-minecraft";
inherit (inputs) nixpkgs;
config =
{ pkgs, lib, ... }:
{
config = {
pkgs,
lib,
...
}: {
disabledModules = ["${inputs.nixng}/modules/services/minecraft.nix"];
imports = [../../../modules/minecraft-forge.nix ../../../modules/minecraft.nix];
dumb-init = {


@ -1,12 +1,13 @@
{ inputs, ... }:
{
{inputs, ...}: {
flake.nixngConfigurations.minecraft-ftb-integrations = inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "nixng-minecraft";
inherit (inputs) nixpkgs;
config =
{ pkgs, lib, ... }:
{
config = {
pkgs,
lib,
...
}: {
disabledModules = ["${inputs.nixng}/modules/services/minecraft.nix"];
imports = [../../../modules/minecraft-forge.nix ../../../modules/minecraft.nix];
dumb-init = {


@ -1,12 +1,14 @@
{ inputs, ... }:
{
{inputs, ...}: {
flake.nixngConfigurations.minecraft-vanilla = inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "nixng-minecraft";
inherit (inputs) nixpkgs;
config =
{ pkgs, lib, nglib, ... }:
{
config = {
pkgs,
lib,
nglib,
...
}: {
disabledModules = ["${inputs.nixng}/modules/services/minecraft.nix"];
imports = [../../../modules/minecraft-forge.nix ../../../modules/minecraft.nix];
dumb-init = {


@ -1,12 +1,9 @@
{ inputs, ... }:
{
{inputs, ...}: {
flake.nixngConfigurations.syncthing = inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "ra-systems-syncthing";
inherit (inputs) nixpkgs;
config =
{ pkgs, ... }:
{
config = {pkgs, ...}: {
dumb-init = {
enable = true;
type.services = {};


@ -1,16 +1,18 @@
{ inputs, ... }:
{
{inputs, ...}: {
flake.nixngConfigurations.website = inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "nixng-website";
inherit (inputs) nixpkgs;
config =
{ pkgs, lib, ... }:
let
inherit (lib)
singleton;
in
{
config = {
pkgs,
lib,
...
}: let
inherit
(lib)
singleton
;
in {
dumb-init = {
enable = true;
type.services = {};


@ -1,9 +1,12 @@
{ pkgs, config, lib, ... }:
with lib;
let
cfg = config.services.minecraft.forge;
in
{
pkgs,
config,
lib,
...
}:
with lib; let
cfg = config.services.minecraft.forge;
in {
options.services.minecraft.forge = {
enable = mkEnableOption "Enable Minecraft server service.";
@ -49,11 +52,8 @@ in
};
config = mkIf cfg.enable {
services.minecraft.forge.serverPackage =
let
forgeFod =
pkgs.stdenv.mkDerivation {
services.minecraft.forge.serverPackage = let
forgeFod = pkgs.stdenv.mkDerivation {
pname = "minecraft";
version = "unknown";
@ -176,7 +176,8 @@ in
};
assertions = [
{ assertion = cfg.eulaAccept;
{
assertion = cfg.eulaAccept;
message = "You must accept the EULA";
}
];


@ -1,9 +1,12 @@
{ pkgs, config, lib, ... }:
with lib;
let
cfg = config.services.minecraft.vanilla;
in
{
pkgs,
config,
lib,
...
}:
with lib; let
cfg = config.services.minecraft.vanilla;
in {
options.services.minecraft.vanilla = {
enable = mkEnableOption "Enable Minecraft server service.";
@ -27,9 +30,7 @@ in
};
config = mkIf cfg.enable {
services.minecraft.vanilla.serverPackage =
pkgs.stdenv.mkDerivation {
services.minecraft.vanilla.serverPackage = pkgs.stdenv.mkDerivation {
pname = "minecraft";
version = "unknown";
@ -70,7 +71,8 @@ in
};
assertions = [
{ assertion = cfg.eulaAccept;
{
assertion = cfg.eulaAccept;
message = "You must accept the EULA";
}
];


@ -1,10 +1,14 @@
{ inputs', lib, ... }:
let
inherit (lib)
flip
mapAttrs;
in
{
inputs',
lib,
...
}: let
inherit
(lib)
flip
mapAttrs
;
in {
nix.registry =
flip mapAttrs inputs'
(


@ -1,15 +1,12 @@
# SPDX-FileCopyrightText: 2022 Richard Brežák <richard@brezak.sk>
#
# SPDX-License-Identifier: LGPL-3.0-or-later
{
lib,
...
}:
let
inherit (lib)
singleton;
in
{
{lib, ...}: let
inherit
(lib)
singleton
;
in {
nix.settings.trusted-users = singleton "@wheel";
services.openssh = {


@ -1,5 +1,4 @@
{ secret, ... }:
{
{secret, ...}: {
security.rtkit.enable = true;
services.pipewire = {
enable = true;


@ -1,5 +1,4 @@
{ secret, ... }:
{
{secret, ...}: {
users = {
mutableUsers = false;


@ -1,6 +1,12 @@
{ options, config, lib, pkgs, ... }:
let
inherit (lib)
{
options,
config,
lib,
pkgs,
...
}: let
inherit
(lib)
mkEnableOption
mkOption
literalExpression
@ -46,8 +52,7 @@ in {
options = {
paths.provisioning = mkOption {
type = types.submodule {
options =
let
options = let
provisioningOption = name: cname:
mkOption {
type = types.submodule {
@ -70,8 +75,7 @@ in {
};
default = {};
};
in
{
in {
datasources = provisioningOption "datasources" "Datasources";
plugins = provisioningOption "plugins" "Plugins";
dashboards = provisioningOption "dashboards" "Dashboards";
@ -80,10 +84,8 @@ in {
};
};
default = {};
apply = x:
let
ln = name:
''
apply = x: let
ln = name: ''
mkdir -p $out/${name}
ln -s ${provisioningSettingsFormat.generate "config.yaml" x.${name}} $out/${name}/config.yaml
'';
@ -134,7 +136,10 @@ in {
RuntimeDirectoryMode = "0755";
# Hardening
AmbientCapabilities = lib.mkIf (cfg.settings.server.http_port < 1024) ["CAP_NET_BIND_SERVICE"];
CapabilityBoundingSet = if (cfg.settings.server.http_port < 1024) then [ "CAP_NET_BIND_SERVICE" ] else [ "" ];
CapabilityBoundingSet =
if (cfg.settings.server.http_port < 1024)
then ["CAP_NET_BIND_SERVICE"]
else [""];
DeviceAllow = [""];
LockPersonality = true;
NoNewPrivileges = true;
@ -157,10 +162,12 @@ in {
SystemCallArchitectures = "native";
# Upstream grafana is not setting SystemCallFilter for compatibility
# reasons, see https://github.com/grafana/grafana/pull/40176
SystemCallFilter = [
SystemCallFilter =
[
"@system-service"
"~@privileged"
] ++ lib.optional (cfg.settings.server.protocol == "socket") [ "@chown" ];
]
++ lib.optional (cfg.settings.server.protocol == "socket") ["@chown"];
UMask = "0027";
};
preStart = ''
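Review bot: In the last hunk, `lib.optional (cfg.settings.server.protocol == "socket") ["@chown"]` wraps the list in another list, so the appended element is `["@chown"]` while its siblings `"@system-service"` and `"~@privileged"` are plain strings; whether NixOS's unit renderer flattens that before writing `SystemCallFilter=` I can't confirm from here, so the hardening filter should not rely on it. Either `lib.optionals (cfg.settings.server.protocol == "socket") ["@chown"]` or `lib.optional (cfg.settings.server.protocol == "socket") "@chown"` keeps every element the same shape and makes the intent unambiguous. This is pre-existing rather than introduced by the reformat, but the reformat rewrites exactly these lines. The enclosing `serviceConfig` attribute set starts outside the hunk.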


@ -1,92 +1,105 @@
{ config, lib, pkgs, ... }:
with lib;
let
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.services.hashicorp-envoy;
serviceFormat = pkgs.formats.json {};
serviceFile = name: value:
if value.type == "normal" then
serviceFormat.generate "${name}-service.json" { service = value.service; }
else
serviceFormat.generate "${name}-service.json" value.service;
in
{
if value.type == "normal"
then serviceFormat.generate "${name}-service.json" {service = value.service;}
else serviceFormat.generate "${name}-service.json" value.service;
in {
options.services.hashicorp-envoy = mkOption {
description = mdDoc ''
description =
mdDoc ''
'';
type = types.attrsOf (types.submodule {
options = {
service = mkOption {
description = mdDoc ''
description =
mdDoc ''
'';
type = with types; oneOf [serviceFormat.type (listOf serviceFormat.type)];
};
type = mkOption {
description = mdDoc ''
description =
mdDoc ''
'';
type = with types; enum ["ingress" "terminating" "normal"];
default = "normal";
};
environment = mkOption {
description = mdDoc ''
description =
mdDoc ''
'';
type = with types; attrsOf str;
default = {};
};
adminBind = mkOption {
description = mdDoc ''
description =
mdDoc ''
'';
type = types.str;
};
address = mkOption {
description = mdDoc ''
description =
mdDoc ''
'';
type = types.str;
default = "0.0.0.0:19000";
};
drainTime = mkOption {
description = mdDoc ''
description =
mdDoc ''
'';
type = types.int;
default = 15;
};
parentShutdownTime = mkOption {
description = mdDoc ''
description =
mdDoc ''
'';
type = types.int;
default = 20;
};
hotRestart = mkOption {
description = mdDoc ''
description =
mdDoc ''
'';
type = types.bool;
default = false;
};
consulPackage = mkOption {
description = mdDoc ''
description =
mdDoc ''
'';
type = types.package;
default = pkgs.consul;
};
envoyPackage = mkOption {
description = mdDoc ''
description =
mdDoc ''
'';
type = types.package;
default = pkgs.envoy;
};
extraConsulArgs = mkOption {
description = mdDoc ''
description =
mdDoc ''
'';
type = with types; listOf str;
default = [];
@ -97,7 +110,8 @@ in
};
config = {
systemd.services = flip mapAttrs' cfg (name: value:
systemd.services = flip mapAttrs' cfg (
name: value:
nameValuePair
"hashicorp-envoy-${name}"
{
@ -112,26 +126,24 @@ in
restartIfChanged = true;
preStart =
if value.type == "normal" then
''
if value.type == "normal"
then ''
${value.consulPackage}/bin/consul services register ${serviceFile name value}
''
else
''
else ''
${value.consulPackage}/bin/consul config write ${serviceFile name value}
'';
postStop =
if value.type == "normal" then
''
if value.type == "normal"
then ''
${value.consulPackage}/bin/consul services deregister -id=${value.service.id}
''
else
''
else ''
${value.consulPackage}/bin/consul config delete -filename ${serviceFile name value}
'';
script =
let
startEnvoy = pkgs.writeShellScript "start_envoy_${name}.sh"
script = let
startEnvoy =
pkgs.writeShellScript "start_envoy_${name}.sh"
''
exec ${value.consulPackage}/bin/consul connect envoy \
${concatStringsSep " " value.extraConsulArgs} \
@ -155,15 +167,17 @@ in
''}
'';
in
if value.hotRestart then
"exec ${pkgs.python3}/bin/python ${value.envoyPackage.src}/restarter/hot-restarter.py ${startEnvoy}"
else
"exec ${startEnvoy}";
if value.hotRestart
then "exec ${pkgs.python3}/bin/python ${value.envoyPackage.src}/restarter/hot-restarter.py ${startEnvoy}"
else "exec ${startEnvoy}";
environment = value.environment;
serviceConfig = {
ExecReload = if value.hotRestart then "${pkgs.coreutils}/bin/kill -HUP $MAINPID" else null;
ExecReload =
if value.hotRestart
then "${pkgs.coreutils}/bin/kill -HUP $MAINPID"
else null;
KillMode = "control-group";
KillSignal = "SIGINT";
LimitNOFILE = 65536;


@ -1,20 +1,20 @@
{ config, pkgs, lib, ... }:
with lib;
let
{
config,
pkgs,
lib,
...
}:
with lib; let
format = pkgs.formats.json {};
hashiServiceModule =
{ config, ... }:
let
hashiServiceModule = {config, ...}: let
cfg' = config;
in
{
in {
options = {
enable = mkEnableOption "Enable HashiCorp service";
package = mkOption {
type = with types;
package;
type = with types; package;
};
settings = mkOption {
@ -23,23 +23,21 @@ let
};
settingsFile = mkOption {
type = with types;
path;
type = with types; path;
default = format.generate "${cfg'.package.pname}.json" cfg'.settings;
};
command = mkOption {
type = with types;
str;
default =
let
switch =
{ "nomad" = "agent";
type = with types; str;
default = let
switch = {
"nomad" = "agent";
"vault" = "server";
"vault-bin" = "server";
"consul" = "agent";
};
in switch.${cfg'.package.pname} or "";
in
switch.${cfg'.package.pname} or "";
};
extraSettingsPaths = mkOption {
@ -63,10 +61,9 @@ let
extraPackages = mkOption {
type = with types;
listOf package;
default = with pkgs;
let
switch =
{ "nomad" = [ coreutils iproute2 iptables ];
default = with pkgs; let
switch = {
"nomad" = [coreutils iproute2 iptables];
"vault" = [];
"vault-bin" = [];
"consul" = [];
@ -84,29 +81,31 @@ let
};
cfg = config.services.hashicorp;
in
{
in {
options.services.hashicorp = mkOption {
type = with types;
attrsOf (submodule hashiServiceModule);
default = {};
};
config.environment.etc = flip mapAttrs' (filterAttrs (_: v: v.enable) cfg)
(name: value:
config.environment.etc =
flip mapAttrs' (filterAttrs (_: v: v.enable) cfg)
(
name: value:
nameValuePair
"${name}.d/main.json"
{source = value.settingsFile;}
);
config.systemd.services = zipAttrsWith (const head)
[ (flip mapAttrs' (filterAttrs (_: v: v.enable) cfg)
(name: value:
let
configOpt =
let
switch =
{ "nomad" = "--config";
config.systemd.services =
zipAttrsWith (const head)
[
(flip mapAttrs' (filterAttrs (_: v: v.enable) cfg)
(
name: value: let
configOpt = let
switch = {
"nomad" = "--config";
"consul" = "--config-file";
"vault" = "--config";
"vault-bin" = "--config";
@ -116,7 +115,8 @@ in
in
nameValuePair
("hashicorp-" + name)
{ description = name;
{
description = name;
wantedBy = ["multi-user.target"];
wants = ["network-online.target"];
@ -126,14 +126,15 @@ in
restartIfChanged = false;
serviceConfig =
{ ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
ExecStart = "${value.package}/bin/${value.package.meta.mainProgram or value.package.pname} ${value.command} " +
(optionalString (value.package.pname != "vault" || value.command != "agent") "${configOpt}=/etc/${name}.d ") +
"${concatMapStringsSep " " (v: "${configOpt}=${v}") value.extraSettingsPaths} " +
"${concatMapStringsSep " " (v: "--plugin-dir=${v}/bin") value.extraPluginPaths} " +
(optionalString (value.package.pname == "vault" && value.command == "agent") "${configOpt}=/etc/${name}.d/main.json ") +
"${concatStringsSep " " value.extraArguments} ";
serviceConfig = {
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
ExecStart =
"${value.package}/bin/${value.package.meta.mainProgram or value.package.pname} ${value.command} "
+ (optionalString (value.package.pname != "vault" || value.command != "agent") "${configOpt}=/etc/${name}.d ")
+ "${concatMapStringsSep " " (v: "${configOpt}=${v}") value.extraSettingsPaths} "
+ "${concatMapStringsSep " " (v: "--plugin-dir=${v}/bin") value.extraPluginPaths} "
+ (optionalString (value.package.pname == "vault" && value.command == "agent") "${configOpt}=/etc/${name}.d/main.json ")
+ "${concatStringsSep " " value.extraArguments} ";
KillMode = "process";
KillSignal = "SIGINT";
@ -149,10 +150,12 @@ in
}
))
(flip mapAttrs' (filterAttrs (_: v: v.enable && v.dynamic != null) cfg)
(name: value:
(
name: value:
nameValuePair
("hashicorp-${name}-dynamic")
{ description = name;
"hashicorp-${name}-dynamic"
{
description = name;
wantedBy = ["hashicorp-${name}.service"];
wants = ["network-online.target"];
@ -163,8 +166,8 @@ in
restartIfChanged = true;
serviceConfig =
{ ExecStart = value.dynamic;
serviceConfig = {
ExecStart = value.dynamic;
RemainAfterExit = true;
Type = "oneshot";
};
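Review bot: The `settings` option of `hashiServiceModule` carries no description, yet its default `settingsFile` renders it with `format.generate` into the Nix store and then links it to `/etc/${name}.d/main.json`, so anything placed in `settings` ends up world-readable; the option declaration at the top of the second hunk is cut off, so the description would go there. I would add `description = "Rendered into the Nix store via settingsFile and linked to /etc/<name>.d/main.json; must not contain secrets — use extraSettingsPaths for files provisioned at runtime.";`. Separately, the `ExecStart` string in the fourth hunk joins `extraSettingsPaths`, `extraPluginPaths` and `extraArguments` with plain `concatStringsSep " "`, so a path or argument containing whitespace or quotes is re-split by systemd; `escapeShellArgs` (already in scope through `with lib;`) would make that robust.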


@ -1,8 +1,13 @@
{ config, pkgs, lib, ... }:
let
{
config,
pkgs,
lib,
...
}: let
cfg = config.services.influxdb2.provision;
inherit (lib)
inherit
(lib)
mkEnableOption
mkOption
types
@ -10,36 +15,39 @@ let
flip
mapAttrsToList
getExe
mkIf;
mkIf
;
taskOptions =
{ ... }:
{
taskOptions = {...}: {
options = {
cron = mkOption {
type = with types; nullOr str;
default = null;
description = mdDoc ''
description =
mdDoc ''
'';
};
every = mkOption {
type = with types; nullOr str;
default = null;
description = mdDoc ''
description =
mdDoc ''
'';
};
fluxFile = mkOption {
type = types.path;
description = mdDoc ''
description =
mdDoc ''
'';
};
offset = mkOption {
type = types.str;
default = "0m";
description = mdDoc ''
description =
mdDoc ''
'';
};
};
@ -47,18 +55,19 @@ let
tasksFile =
(pkgs.formats.json {}).generate "tasks.json"
(flip mapAttrsToList cfg.tasks (name: value:
{
(flip mapAttrsToList cfg.tasks (
name: value: {
inherit name;
flux_file = value.fluxFile;
inherit (value)
inherit
(value)
every
cron
offset;
offset
;
}
));
in
{
in {
options = {
services.influxdb2.provision-magic = {
enable = mkEnableOption "Enable InfluxDB2 provisioning";
@ -66,26 +75,30 @@ in
itpPackage = mkOption {
type = types.package;
default = pkgs.itp;
description = mdDoc ''
description =
mdDoc ''
'';
};
stateFile = mkOption {
type = types.str;
description = mdDoc ''
description =
mdDoc ''
'';
};
organization = mkOption {
type = types.str;
description = mdDoc ''
description =
mdDoc ''
'';
};
tasks = mkOption {
type = with types; attrsOf (submodule taskOptions);
default = {};
description = mdDoc ''
description =
mdDoc ''
'';
};
};
@ -110,7 +123,8 @@ in
};
};
assertions = flip mapAttrsToList cfg.tasks
assertions =
flip mapAttrsToList cfg.tasks
(n: v: {
assertion = (v.cron != null && v.every == null) || (v.cron == null && v.every != null);
message = "Exactly one of `services.influxdb2.provision.tasks.${n}.{cron, every}` must be non `null`";
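Review bot: `cfg` is bound to `config.services.influxdb2.provision` in the first hunk, while the options this module declares live under `services.influxdb2.provision-magic` in the fourth, so `cfg.tasks`, `tasksFile` and the assertion read a different option path from the one declared here; unless `services.influxdb2.provision.tasks` is defined elsewhere, the declared `tasks` option is never consumed. The one-line fix is `cfg = config.services.influxdb2.provision-magic;`, with the assertion message adjusted to name `provision-magic`. Every `description = mdDoc '' '';` in the `taskOptions` submodule and in the top-level options is empty, so the generated docs say nothing about `cron`/`every` being mutually exclusive, which is exactly what the assertion enforces; a one-line description on each would close that gap.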


@ -1,6 +1,11 @@
{ config, lib, notnft, ... }:
let
inherit (lib)
{
config,
lib,
notnft,
...
}: let
inherit
(lib)
mapAttrsToList
mkOption
hasAttr
@ -9,7 +14,8 @@ let
flip
mapAttrs'
mapAttrs
nameValuePair;
nameValuePair
;
# a = [
# [ (is.eq ip.protocol (f: with f; set [ tcp ])) (is.eq ip.daddr "10.80.1.2") (is.eq th.dport "22") accept ]
@ -69,24 +75,23 @@ let
};
lookupService = name: type: context:
if hasAttr name cfg.services.${type} then
cfg.services.${type}.${name}
else
throw "Unknown ${type} service ${name} at ${context}";
if hasAttr name cfg.services.${type}
then cfg.services.${type}.${name}
else throw "Unknown ${type} service ${name} at ${context}";
lookupIds = hostName: context:
if hasAttr hostName subConfigurations then
{
inherit (subConfigurations.${hostName}.config.config.microvm)
if hasAttr hostName subConfigurations
then {
inherit
(subConfigurations.${hostName}.config.config.microvm)
groupId
taskId;
taskId
;
}
else
throw "Unknown hostName ${hostName} at ${context}";
else throw "Unknown hostName ${hostName} at ${context}";
subConfigurations = cfg.vms;
in
{
in {
options.microvm = {
services = {
tcpUdp = mkOption {
@ -126,39 +131,42 @@ in
};
};
config.microvm.services.tcpUdp = flip mapAttrs' cfg.services.http
(n: v:
config.microvm.services.tcpUdp =
flip mapAttrs' cfg.services.http
(
n: v:
nameValuePair
(n + "@http")
{
inherit (v)
inherit
(v)
hostName
port;
port
;
protocol = ["tcp"];
}
);
config.microvm.connections.tcpUdp = flip map cfg.connections.http
(v:
{
config.microvm.connections.tcpUdp =
flip map cfg.connections.http
(
v: {
target = v.target + "@http";
}
);
config.networking.notnft.rules =
with notnft.dsl; with payload; ruleset {
config.networking.notnft.rules = with notnft.dsl;
with payload;
ruleset {
bridge-t = add table {family = f: f.bridge;} {
output-body = lib.foldl (acc: x: acc x) (add chain) ((flip mapAttrsToList subConfigurations
(n: v:
let
(
n: v: let
microvmConfig = v.config.config.microvm;
tcpUdpRules =
flip map microvmConfig.connections.tcpUdp (connection:
let
tcpUdpRules = flip map microvmConfig.connections.tcpUdp (connection: let
service = lookupService connection.target "tcpUdp" n;
ids = lookupIds service.hostName n;
in
[
in [
(is.eq meta.oifname "mvm-${microvmConfig.hostName}")
(is.eq ip.protocol (f: with f; set (map (protocolEnumToNft f) service.protocol)))
(is.eq ip.saddr "10.80.${toString microvmConfig.groupId}.${toString microvmConfig.taskId}")
@ -166,13 +174,10 @@ in
(is.eq th.dport service.port)
accept
]);
icmpRules =
flip map microvmConfig.connections.icmp (connection:
let
icmpRules = flip map microvmConfig.connections.icmp (connection: let
service = lookupService connection.target "icmp" n;
ids = lookupIds service.hostName n;
in
[
in [
(is.eq meta.oifname "mvm-${microvmConfig.hostName}")
(is.eq ip.protocol (f: with f; icmp))
(is.eq ip.saddr "10.80.${toString microvmConfig.groupId}.${toString microvmConfig.taskId}")
@ -181,24 +186,24 @@ in
]);
in
tcpUdpRules ++ icmpRules
)) ++ (flip map cfg.connections.icmp (connection:
let
))
++ (flip map cfg.connections.icmp (
connection: let
service = lookupService connection.target "icmp" "host";
ids = lookupIds service.hostName "host";
in
[
in [
(is.eq meta.oifname "mvm-${service.hostName}")
(is.eq ip.protocol (f: with f; icmp))
(is.eq ip.saddr "10.80.${toString ids.groupId}.1")
(is.eq ip.daddr "10.80.${toString ids.groupId}.${toString ids.taskId}")
accept
]
)) ++ (flip map cfg.connections.tcpUdp (connection:
let
))
++ (flip map cfg.connections.tcpUdp (
connection: let
service = lookupService connection.target "tcpUdp" "host";
ids = lookupIds service.hostName "host";
in
[
in [
(is.eq meta.oifname "mvm-${service.hostName}")
(is.eq ip.protocol (f: with f; set (map (protocolEnumToNft f) service.protocol)))
(is.eq ip.saddr "10.80.${toString ids.groupId}.1")


@ -1,9 +1,14 @@
{ config, lib, ... }:
let
inherit (lib)
{
config,
lib,
...
}: let
inherit
(lib)
mkOption
mkEnableOption
types;
types
;
cfg = config.microvm;
@ -265,7 +270,8 @@ let
"253" = "fd";
"254" = "fe";
"255" = "ff";
}.${toString int};
}
.${toString int};
groupIdOption = mkOption {
type = types.int;
@ -287,8 +293,7 @@ let
type = types.str;
};
};
in
{
in {
options.microvm = {
enableExtras = mkEnableOption "Extras";
groupId = mkOption {


@ -1,6 +1,10 @@
{ config, lib, pkgs, ... }:
with lib;
let
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.services.telegraf-magic;
settingsFormat = pkgs.formats.toml {};


@ -1,10 +1,17 @@
{ inputs', lib, config, pkgs, secret, ... }:
let
inherit (lib)
mkForce
singleton;
in
{
inputs',
lib,
config,
pkgs,
secret,
...
}: let
inherit
(lib)
mkForce
singleton
;
in {
services.hashicorp.consul = {
enable = true;


@ -1,17 +1,22 @@
# SPDX-FileCopyrightText: 2022 Richard Brežák <richard@brezak.sk>
#
# SPDX-License-Identifier: LGPL-3.0-or-later
{ inputs, lib', config, ... }:
let
inherit (lib')
{
inputs,
lib',
config,
...
}: let
inherit
(lib')
flip
mapAttrs
singleton
mkForce;
mkForce
;
config' = config;
in
{
in {
flake.nixosConfigurations.altra = inputs.nixpkgs.lib.nixosSystem {
system = "aarch64-linux";
@ -21,9 +26,13 @@ in
secret = lib'.loadSecrets inputs.secret;
};
modules = singleton
({ pkgs, config, ... }:
{
modules =
singleton
({
pkgs,
config,
...
}: {
imports = [
# ./consul.nix
# ./nomad.nix


@ -1,5 +1,4 @@
{ ... }:
{
{...}: {
disko.devices = {
disk.boot = {
type = "disk";


@ -1,9 +1,13 @@
{ pkgs, lib, ... }:
let
inherit (lib)
singleton;
in
{
pkgs,
lib,
...
}: let
inherit
(lib)
singleton
;
in {
boot.loader.efi = {
canTouchEfiVariables = true;
};


@ -1,11 +1,17 @@
{ pkgs, inputs', lib, config, ... }:
let
inherit (lib)
singleton
mkForce;
certs = config.services.acme-sh.certs;
in
{
pkgs,
inputs',
lib,
config,
...
}: let
inherit
(lib)
singleton
mkForce
;
certs = config.services.acme-sh.certs;
in {
users.users.wwwrun = {
group = "wwwrun";
isSystemUser = true;
@ -16,8 +22,7 @@ in
gid = config.ids.gids.wwwrun;
};
systemd.services.apache-proxy =
let
systemd.services.apache-proxy = let
apacheConfiguration = inputs'.nixng.nglib.generators.toApache [
{
LoadModule = [
@ -106,7 +111,6 @@ in
AuthName = "\"Password Required\"";
AuthUserFile = "/var/secrets/htpasswd";
RequireAll."" = {
Require = [
["user synapse"]
@ -126,7 +130,6 @@ in
AuthName = "\"Password Required\"";
AuthUserFile = "/var/secrets/htpasswd";
RequireAll."" = {
Require = [
["user synapse"]
@ -143,8 +146,7 @@ in
];
}
];
in
{
in {
serviceConfig = {
Type = "forking";
Restart = "always";


@ -1,9 +1,14 @@
{ pkgs, lib, secret, ... }:
let
inherit (lib)
getExe';
in
{
pkgs,
lib,
secret,
...
}: let
inherit
(lib)
getExe'
;
in {
# boot.kernel.sysctl = {"net.ipv4.ip_forward" = "1";};
# https://github.com/NixOS/nixpkgs/issues/76671


@ -1,13 +1,15 @@
{ inputs', config', ... }:
{
inputs',
config',
...
}: {
imports = [
../../common/nixpkgs.nix
];
nixpkgs.overlays =
(with config'.flake.overlays; [])
++
(with inputs'.nixng.overlays; [
++ (with inputs'.nixng.overlays; [
default
]);
}


@ -1,5 +1,12 @@
{ lib, config, config', pkgs, inputs', secret, ... }:
{
lib,
config,
config',
pkgs,
inputs',
secret,
...
}: {
services.hashicorp.nomad = {
enable = true;
@ -15,8 +22,7 @@
extraSettingsPaths = [
"/run/secrets/nomad.json"
];
package = inputs'.nixpkgs-hashicorp.legacyPackages.${pkgs.stdenv.system}.nomad_1_5.overrideAttrs (old:
{
package = inputs'.nixpkgs-hashicorp.legacyPackages.${pkgs.stdenv.system}.nomad_1_5.overrideAttrs (old: {
patches = with config'.flake.patches; [
hashicorp-nomad.revert-change-consul-si-tokens-to-be-local
hashicorp-nomad.add-nix-integration


@ -1,5 +1,4 @@
{ pkgs, ... }:
{
{pkgs, ...}: {
systemd.services.udp2tcp = {
wantedBy = ["multi-user.target"];
after = ["network.target"];


@ -1,5 +1,9 @@
{ inputs', config', secret, ... }:
{
inputs',
config',
secret,
...
}: {
imports = [
inputs'.home-manager.nixosModules.default
../../common/users.nix


@ -1,9 +1,16 @@
{ config, lib, pkgs, secret, inputs', ... }:
let
inherit (lib)
singleton;
in
{
config,
lib,
pkgs,
secret,
inputs',
...
}: let
inherit
(lib)
singleton
;
in {
services.hashicorp.vault-agent = {
enable = true;
package = inputs'.nixpkgs-hashicorp.legacyPackages.${pkgs.stdenv.system}.vault;
@ -21,12 +28,12 @@ in
retry.num_retries = 5;
};
auto_auth.method = singleton
auto_auth.method =
singleton
{
"approle" = {
mount_path = "auth/approle";
config =
{
config = {
role_id_file_path = "/var/secrets/approle.roleid";
secret_id_file_path = "/var/secrets/approle.secretid";
remove_secret_id_file_after_reading = false;
@ -34,7 +41,8 @@ in
};
};
sink = singleton
sink =
singleton
{
"file" = {
type = "file";
@ -44,7 +52,8 @@ in
template = [
{
source = pkgs.writeText "consul.json.vtmpl"
source =
pkgs.writeText "consul.json.vtmpl"
''
{
"encrypt": "{{ with secret "kv/data/do-1/toothpick/consul/encryption_key" }}{{ or .Data.data.key "" }}{{ end }}",
@ -58,13 +67,15 @@ in
}
'';
destination = "/run/secrets/consul.json";
command = pkgs.writeShellScript "consul-command"
command =
pkgs.writeShellScript "consul-command"
''
sudo systemctl try-reload-or-restart hashicorp-consul.service
'';
}
{
source = pkgs.writeText "nomad.json.vtmpl"
source =
pkgs.writeText "nomad.json.vtmpl"
''
{
"server": {
@ -82,7 +93,8 @@ in
}
'';
destination = "/run/secrets/nomad.json";
command = pkgs.writeShellScript "nomad-command"
command =
pkgs.writeShellScript "nomad-command"
''
sudo systemctl try-reload-or-restart hashicorp-nomad.service
'';
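Review bot: `remove_secret_id_file_after_reading = false;` in the auto_auth block keeps the AppRole SecretID at `/var/secrets/approle.secretid` on disk for the life of the host, so the file stays a usable long-lived credential rather than a one-shot bootstrap; this reads as deliberate (presumably so the agent can re-authenticate after restarts without re-provisioning), but nothing in the hunk says so. I would add above that line: `# SecretID is kept on disk so the agent can re-login after restarts; the file must stay root-only and be rotated with the role`. The surrounding `services.hashicorp.vault-agent.settings` attribute set continues beyond the end of the last hunk.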


@ -1,13 +1,22 @@
{inputs', lib, config, pkgs, pkgs-hashicorp, secret, ...}:
let
inherit (lib)
singleton
mkForce;
in
{
inputs',
lib,
config,
pkgs,
pkgs-hashicorp,
secret,
...
}: let
inherit
(lib)
singleton
mkForce
;
in {
services.hashicorp.vault-agent = {
settings.template = singleton {
source = pkgs.writeText "consul.json.vtmpl"
source =
pkgs.writeText "consul.json.vtmpl"
''
{
"encrypt": "{{ with secret "kv/data/homelab-1/blowhole/consul/encryption_key" }}{{ or .Data.data.key "" }}{{ end }}",


@ -1,16 +1,21 @@
# SPDX-FileCopyrightText: 2022 Richard Brežák <richard@brezak.sk>
#
# SPDX-License-Identifier: LGPL-3.0-or-later
{ inputs, lib', config, ... }:
let
inherit (lib')
{
inputs,
lib',
config,
...
}: let
inherit
(lib')
flip
mapAttrs
singleton;
singleton
;
config' = config;
in
{
in {
flake.nixosConfigurations.blowhole = inputs.nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
@ -20,19 +25,24 @@ in
secret = lib'.loadSecrets inputs.secret;
};
modules = singleton
({ secret, pkgs, config, ... }:
{
modules =
singleton
({
secret,
pkgs,
config,
...
}: {
_module.args.pkgs-hashicorp = import inputs.nixpkgs-hashicorp {
system = pkgs.stdenv.system;
config.allowUnfreePredicate = pkg: builtins.elem (lib'.getName pkg) [
config.allowUnfreePredicate = pkg:
builtins.elem (lib'.getName pkg) [
"consul"
"vault-bin"
"vault"
];
};
imports = [
./bind.nix
./consul.nix
@ -137,18 +147,15 @@ in
boot.kernel.sysctl."fs.inotify.max_user_watches" = 524288;
boot.kernel.sysctl."fs.inotify.max_user_instances" = 512;
services.udev.extraRules =
let
devPath =
"/dev/serial/by-id/usb-ITead_Sonoff_Zigbee_3.0_USB_Dongle_Plus_4c004e9c53c9eb118a9f8b4f1d69213e-if00-port0";
services.udev.extraRules = let
devPath = "/dev/serial/by-id/usb-ITead_Sonoff_Zigbee_3.0_USB_Dongle_Plus_4c004e9c53c9eb118a9f8b4f1d69213e-if00-port0";
zigbeeScript = pkgs.writeShellScript "zigbeeScript" ''
touch /dev/ttyZigbee
${pkgs.lib.getExe' pkgs.utillinux "mount"} --bind \
"$(${pkgs.lib.getExe' pkgs.coreutils "readlink"} -f "${devPath}")" \
/dev/ttyZigbee
'';
in
''
in ''
ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="10c4", ATTR{idProduct}=="ea60", RUN+="${zigbeeScript}"
'';
});


@ -1,10 +1,15 @@
{ pkgs, lib, secret, ... }:
let
inherit (lib)
singleton
concatStringsSep;
in
{
pkgs,
lib,
secret,
...
}: let
inherit
(lib)
singleton
concatStringsSep
;
in {
environment.systemPackages = with pkgs; [
sshfs
];


@ -1,5 +1,4 @@
{ ... }:
{
{...}: {
boot.loader = {
systemd-boot.enable = false;
grub = {


@ -1,5 +1,8 @@
{ config, pkgs, ... }:
{
config,
pkgs,
...
}: {
boot = {
supportedFilesystems = ["zfs"];
kernelParams = [


@ -1,7 +1,14 @@
{ pkgs, config, lib, config', ... }:
let
inherit (lib)
singleton;
{
pkgs,
config,
lib,
config',
...
}: let
inherit
(lib)
singleton
;
openwrtRepo = pkgs.fetchFromGitHub {
owner = "openwrt";
@ -9,8 +16,7 @@ let
rev = "67e8cc07f9bb95984624198ccf02123f348246df";
sha256 = "sha256-rBQDTUG9fqwSLrj+LZ6L1x55Y3gkfUubY5zwX9XK3+s=";
};
in
{
in {
# giturl="https://raw.githubusercontent.com/openwrt/openwrt/75b83e94a395fedeb4d308f42013a72c6fee2df4/package/network/services/hostapd/patches/"
# for patch in *.patch
# do
@ -98,11 +104,14 @@ in
'';
};
nixpkgs.overlays = singleton
(final: prev:
{
nixpkgs.overlays =
singleton
(
final: prev: {
hostapd = prev.hostapd.overrideAttrs (old: {
buildInputs = old.buildInputs ++ (with pkgs; [
buildInputs =
old.buildInputs
++ (with pkgs; [
libubox
ubus
]);


@ -1,5 +1,8 @@
{ pkgs, secret, ... }:
{
pkgs,
secret,
...
}: {
systemd.services.ical-vu-sync = {
serviceConfig.Type = "oneshot";
path = with pkgs; [


@ -1,5 +1,13 @@
{ inputs', lib, pkgs, pkgs-hashicorp, secret, config, config', ... }:
let
{
inputs',
lib,
pkgs,
pkgs-hashicorp,
secret,
config,
config',
...
}: let
inherit
(lib)
concatStringsSep


@ -1,83 +1,123 @@
# SPDX-FileCopyrightText: 2022 Richard Brežák <richard@brezak.sk>
#
# SPDX-License-Identifier: LGPL-3.0-or-later
{ notnft, inputs', lib, config, ... }:
let
inherit (lib)
{
notnft,
inputs',
lib,
config,
...
}: let
inherit
(lib)
mkBefore
flip
genAttrs;
in
{
genAttrs
;
in {
networking.notnft = {
enable = true;
flush = false;
};
networking.notnft.preRules = [
{ add.table = { family = "bridge"; name = "bridge-t"; }; }
{ flush.table = { family = "bridge"; name = "bridge-t"; }; }
{
add.table = {
family = "bridge";
name = "bridge-t";
};
}
{
flush.table = {
family = "bridge";
name = "bridge-t";
};
}
];
networking.notnft.rules =
let
networking.notnft.rules = let
interfaces = ["mvm-test" "mvm0"];
logRule = with notnft.dsl; with payload; prefix:
[
(log { prefix = "${prefix} dropped: "; flags = (f: [ f.all ]); } )
logRule = with notnft.dsl;
with payload;
prefix: [
(log {
prefix = "${prefix} dropped: ";
flags = f: [f.all];
})
];
dropRule = with notnft.dsl; with payload;
[ drop ];
dropRule = with notnft.dsl; with payload; [drop];
in
with notnft.dsl; with payload; ruleset {
with notnft.dsl;
with payload;
ruleset {
bridge-t = add table {family = f: f.bridge;} {
input-body = add chain;
input-mvm = add chain
[ (vmap ct.state { established = accept; related = accept; invalid = drop; }) ]
input-mvm =
add chain
[
(vmap ct.state {
established = accept;
related = accept;
invalid = drop;
})
]
[(is.eq meta.protocol (f: f.arp)) accept]
[(mangle meta.nftrace 1)]
[(jump "input-body")]
(logRule "Bridge input")
(dropRule);
dropRule;
input = add chain
{ type = f: f.filter; hook = f: f.input; prio = 0; policy = f: f.accept; }
input =
add chain
{
type = f: f.filter;
hook = f: f.input;
prio = 0;
policy = f: f.accept;
}
[(vmap meta.iifname (genAttrs interfaces (_: (goto "input-mvm"))))]
[(vmap meta.oifname (genAttrs interfaces (_: (goto "input-mvm"))))];
output-body = add chain;
output-mvm = add chain
output-mvm =
add chain
[(is.eq ether.type (f: f.arp)) accept]
[(mangle meta.nftrace 1)]
[(jump "output-body")]
(logRule "Bridge output")
(dropRule);
dropRule;
output = add chain
{ type = f: f.filter; hook = f: f.output; prio = 0; policy = f: f.accept; }
output =
add chain
{
type = f: f.filter;
hook = f: f.output;
prio = 0;
policy = f: f.accept;
}
[(vmap meta.iifname (genAttrs interfaces (_: (goto "output-mvm"))))]
[(vmap meta.oifname (genAttrs interfaces (_: (goto "output-mvm"))))];
forward-body = add chain;
forward-mvm = add chain
forward-mvm =
add chain
[(mangle meta.nftrace 1)]
[(jump "forward-body")]
(logRule "Bridge forward")
(dropRule);
dropRule;
forward = add chain
{ type = f: f.filter; hook = f: f.forward; prio = 0; policy = f: f.accept; }
forward =
add chain
{
type = f: f.filter;
hook = f: f.forward;
prio = 0;
policy = f: f.accept;
}
[(vmap meta.iifname (genAttrs interfaces (_: (goto "input-mvm"))))]
[(vmap meta.oifname (genAttrs interfaces (_: (goto "input-mvm"))))];
@ -152,12 +192,14 @@ in
};
microvm.hypervisor = "cloud-hypervisor";
microvm.shares = [{
microvm.shares = [
{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
proto = "virtiofs";
}];
}
];
microvm.storeOnDisk = false;
networking.firewall.allowedTCPPorts = [80 22];
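Review bot: `(mangle meta.nftrace 1)` is set unconditionally in `input-mvm`, `output-mvm` and `forward-mvm`, which marks every packet traversing the bridge chains for nftrace and keeps the kernel trace path busy on a production ruleset; this looks like a debugging leftover rather than intended behaviour. If it is meant to stay, a comment such as `# nftrace is enabled on every mvm packet for debugging; remove before relying on this ruleset under load` on each of the three rules would make that explicit, otherwise binding it to a let-level boolean and dropping the rule by default would be cleaner. The `ruleset` expression continues past the end of the first hunk.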


@ -1,20 +1,29 @@
# SPDX-FileCopyrightText: 2023 Richard Brežák <richard@brezak.sk>
#
# SPDX-License-Identifier: LGPL-3.0-or-later
{ pkgs, roots, lib, inputs', config, secret, config', ... }:
let
inherit (lib)
{
pkgs,
roots,
lib,
inputs',
config,
secret,
config',
...
}: let
inherit
(lib)
singleton
nixosTests
concatStringsSep;
in
{
uterranix.config = { tflib, ... }:
let
inherit (tflib)
tf;
in
{
concatStringsSep
;
in {
uterranix.config = {tflib, ...}: let
inherit
(tflib)
tf
;
in {
output."envoy_grafana".value = tf "vault_consul_secret_backend_role.envoy-grafana";
output."envoy_blowhole".value = tf "vault_consul_secret_backend_role.envoy-blowhole";
@ -131,10 +140,8 @@ in
};
};
nixpkgs.overlays = singleton (_: _:
{
telegraf =
pkgs.buildGoModule rec {
nixpkgs.overlays = singleton (_: _: {
telegraf = pkgs.buildGoModule rec {
pname = "telegraf";
version = "1.25.3";
@ -154,7 +161,9 @@ in
proxyVendor = true;
ldflags = [
"-w" "-s" "-X main.version=${version}"
"-w"
"-s"
"-X main.version=${version}"
];
passthru.tests = {inherit (nixosTests) telegraf;};
@ -168,18 +177,15 @@ in
};
});
services.hashicorp.vault-agent =
{
services.hashicorp.vault-agent = {
settings.template = [
{
source = pkgs.writeText "envoy-grafana.token.vtmpl" ''
{{ with secret "consul/creds/envoy-grafana" }}{{ .Data.token }}{{ end }}
'';
destination = "/run/secrets/monitor/envoy-grafana.token";
command =
let
serviceList =
[ "hashicorp-envoy-grafana" "hashicorp-envoy-influx" "hashicorp-envoy-telegraf" ];
command = let
serviceList = ["hashicorp-envoy-grafana" "hashicorp-envoy-influx" "hashicorp-envoy-telegraf"];
in
pkgs.writeShellScript "envoy-grafana-reload.sh" ''
sudo systemd-run -P --machine monitor /run/current-system/sw/bin/bash -l -c \
@ -230,7 +236,6 @@ in
];
};
systemd.services."hashicorp-envoy-telegraf" = {
requires = ["vault-unsealed.service"];
after = ["vault-unsealed.service"];


@ -1,5 +1,4 @@
{ pkgs, ... }:
{
{pkgs, ...}: {
boot.zfs.extraPools = [
"storfa"
];


@ -1,8 +1,7 @@
# SPDX-FileCopyrightText: 2023 Richard Brežák <richard@brezak.sk>
#
# SPDX-License-Identifier: LGPL-3.0-or-later
{ ... }:
{
{...}: {
networking = {
hostName = "blowhole";
useDHCP = false;


@ -1,12 +1,11 @@
# SPDX-FileCopyrightText: 2023 Richard Brežák <richard@brezak.sk>
#
# SPDX-License-Identifier: LGPL-3.0-or-later
{ lib, ... }:
let
inherit (lib)
{lib, ...}: let
inherit
(lib)
;
in
{
in {
systemd.services.nfs-mountd.serviceConfig = {
LimitNOFILE = 8192;
};
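Review bot: The `inherit (lib) ;` with no attribute names in the `let` is a no-op, and with it gone the `let … in` wrapper and the `lib` argument are unused too; the whole header collapses to `{...}: {`. Dropping the empty inherit keeps the file consistent with the other modules in this commit that use the plain `{...}: {` form.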


@ -1,5 +1,9 @@
{ inputs', config', config, ... }:
{
inputs',
config',
config,
...
}: {
imports = [
../../common/nixpkgs.nix
];
@ -12,8 +16,7 @@
itp
virtiofsd-zfs
])
++
(with inputs'.nixng.overlays; [
++ (with inputs'.nixng.overlays; [
default
]);
}


@ -1,9 +1,18 @@
{inputs', lib, config, pkgs, pkgs-hashicorp, secret, config', ...}:
let
inherit (lib)
singleton;
in
{
inputs',
lib,
config,
pkgs,
pkgs-hashicorp,
secret,
config',
...
}: let
inherit
(lib)
singleton
;
in {
environment.systemPackages = [pkgs.git];
services.hashicorp.vault-agent = {
@ -48,8 +57,7 @@ in
extraSettingsPaths = [
"/run/secrets/nomad.json"
];
package = pkgs-hashicorp.nomad_1_5.overrideAttrs (old:
{
package = pkgs-hashicorp.nomad_1_5.overrideAttrs (old: {
patches = with config'.flake.patches; [
hashicorp-nomad.revert-change-consul-si-tokens-to-be-local
hashicorp-nomad.add-nix-integration


@ -1,5 +1,4 @@
{ ... }:
{
{...}: {
boot.kernelParams = [
"console=ttyS1,115200"
"console=tty1"


@ -1,5 +1,9 @@
{ inputs', config', secret, ... }:
{
inputs',
config',
secret,
...
}: {
imports = [
inputs'.home-manager.nixosModules.default
../../common/users.nix


@ -1,17 +1,28 @@
{ config, inputs', lib, config', pkgs, ... }:
let
inherit (lib)
singleton;
in
{
config,
inputs',
lib,
config',
pkgs,
...
}: let
inherit
(lib)
singleton
;
in {
imports = [inputs'.uterranix.nixosModules.default];
uterranix.config = { config, tflib, ... }:
let
inherit (tflib)
tf;
in
{
uterranix.config = {
config,
tflib,
...
}: let
inherit
(tflib)
tf
;
in {
terraform.required_providers =
config'.flake.uterranix.config.${pkgs.stdenv.system}.terraform.required_providers;


@ -1,11 +1,18 @@
{ pkgs, lib, config, tf, inputs', pkgs-hashicorp, ... }:
let
inherit (lib)
singleton;
in
{
systemd.services.hashicorp-vault-agent =
let
pkgs,
lib,
config,
tf,
inputs',
pkgs-hashicorp,
...
}: let
inherit
(lib)
singleton
;
in {
systemd.services.hashicorp-vault-agent = let
config = pkgs.writeText "hashicorp-vault-agent-tmpfiles.d" ''
d /run/secrets 0750 root root 0
x /run/secrets/monitor 0755 root root -
@ -13,8 +20,7 @@ in
x /run/secrets/klipper 0755 root root -
d /run/secrets/klipper 0755 root root 0
'';
in
{
in {
preStart = "systemd-tmpfiles --create " + config;
postStop = "systemd-tmpfiles --clean " + config;
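Review bot: The let binding `config = pkgs.writeText "hashicorp-vault-agent-tmpfiles.d" ''` shadows the module argument `config` for the whole body of `systemd.services.hashicorp-vault-agent`, so any later reference to module options inside that attribute set would silently resolve to the tmpfiles path instead. Renaming the binding avoids the trap: `tmpfilesConfig = pkgs.writeText "hashicorp-vault-agent-tmpfiles.d" ''`, `preStart = "systemd-tmpfiles --create " + tmpfilesConfig;`, `postStop = "systemd-tmpfiles --clean " + tmpfilesConfig;`. The service definition continues outside the hunk, so other references to `config` in it cannot be checked from here.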


@ -1,10 +1,18 @@
{lib, config, pkgs, pkgs-hashicorp, secret, inputs', ...}:
let
inherit (lib)
mkForce;
certs = config.services.acme-sh.certs;
in
{
lib,
config,
pkgs,
pkgs-hashicorp,
secret,
inputs',
...
}: let
inherit
(lib)
mkForce
;
certs = config.services.acme-sh.certs;
in {
services.hashicorp.vault = {
enable = true;


@ -1,5 +1,4 @@
{ ... }:
{
{...}: {
systemd.watchdog.runtimeTime = "60s";
systemd.watchdog.rebootTime = "3m";
systemd.watchdog.kexecTime = "5m";


@ -1,8 +1,11 @@
# SPDX-FileCopyrightText: 2022 Richard Brežák <richard@brezak.sk>
#
# SPDX-License-Identifier: LGPL-3.0-or-later
{ pkgs, lib, ... }:
{
pkgs,
lib,
...
}: {
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
}


@ -1,17 +1,22 @@
# SPDX-FileCopyrightText: 2022 Richard Brežák <richard@brezak.sk>
#
# SPDX-License-Identifier: LGPL-3.0-or-later
{ inputs, lib', config, ... }:
let
inherit (lib')
{
inputs,
lib',
config,
...
}: let
inherit
(lib')
flip
mapAttrs
singleton
mkForce;
mkForce
;
config' = config;
in
{
in {
flake.nixosConfigurations.gooseberry = inputs.nixpkgs.lib.nixosSystem {
system = "aarch64-linux";
@ -21,9 +26,13 @@ in
secret = lib'.loadSecrets inputs.secret;
};
modules = singleton
({ pkgs, config, ... }:
{
modules =
singleton
({
pkgs,
config,
...
}: {
imports = [
./bootloader.nix
./filesystems.nix


@ -1,12 +1,12 @@
# SPDX-FileCopyrightText: 2022 Richard Brežák <richard@brezak.sk>
#
# SPDX-License-Identifier: LGPL-3.0-or-later
{ lib, ... }:
let
inherit (lib)
singleton;
in
{
{lib, ...}: let
inherit
(lib)
singleton
;
in {
disko.devices = {
disk.boot = {
type = "disk";


@ -1,17 +1,22 @@
{ pkgs, lib, secret, ... }:
let
in
{
pkgs,
lib,
secret,
...
}: let
in {
networking = {
hostName = "gooseberry";
useDHCP = false;
interfaces.eth0.useDHCP = true;
firewall.enable = true;
interfaces."eth1".ipv4.addresses = [{
interfaces."eth1".ipv4.addresses = [
{
address = secret.network.ips.gooseberry.ipmi or "";
prefixLength = 30;
}];
}
];
};
services.udev.extraRules = ''


@ -1,13 +1,15 @@
{ inputs', config', ... }:
{
inputs',
config',
...
}: {
imports = [
../../common/nixpkgs.nix
];
nixpkgs.overlays =
(with config'.flake.overlays; [])
++
(with inputs'.nixng.overlays; [
++ (with inputs'.nixng.overlays; [
default
]);
}


@ -1,5 +1,9 @@
{ inputs', config', secret, ... }:
{
inputs',
config',
secret,
...
}: {
imports = [
inputs'.home-manager.nixosModules.default
../../common/users.nix


@ -1,8 +1,11 @@
# SPDX-FileCopyrightText: 2022 Richard Brežák <richard@brezak.sk>
#
# SPDX-License-Identifier: LGPL-3.0-or-later
{ pkgs, lib, ... }:
{
pkgs,
lib,
...
}: {
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
}


@ -1,13 +1,15 @@
{ inputs', config', ... }:
{
inputs',
config',
...
}: {
imports = [
../../common/nixpkgs.nix
];
nixpkgs.overlays =
(with config'.flake.overlays; [])
++
(with inputs'.nixng.overlays; [
++ (with inputs'.nixng.overlays; [
default
]);
}
