From 25e8191177c62ef4421c62eb772cceb28d8a36a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Motiejus=20Jak=C5=A1tys?= Date: Sun, 1 Oct 2023 23:14:05 +0300 Subject: [PATCH] enable statx --- flake.nix | 9 ++-- hosts/fra1-a/configuration.nix | 3 +- hosts/fwminex/configuration.nix | 3 +- hosts/vm/configuration.nix | 3 +- hosts/vno1-oh2/configuration.nix | 2 +- hosts/vno3-rp3b/configuration.nix | 2 +- modules/base/sshd/default.nix | 2 +- modules/base/users/default.nix | 55 ++++++++++---------- modules/base/zfsborg/default.nix | 33 ++++++------ modules/services/deployerbot/default.nix | 14 +++--- modules/services/friendlyport/default.nix | 61 +++++++++++------------ modules/services/jakstpub/default.nix | 3 +- modules/services/syncthing/default.nix | 14 +++--- modules/services/tailscale/default.nix | 2 +- modules/services/zfsunlock/default.nix | 26 +++++----- 15 files changed, 110 insertions(+), 122 deletions(-) diff --git a/flake.nix b/flake.nix index 935e3ca..47fc00f 100644 --- a/flake.nix +++ b/flake.nix @@ -54,13 +54,14 @@ myData = import ./data.nix; mkDeployPkgs = system: import nixpkgs { - system = system; + inherit system; + overlays = [ deploy-rs.overlay (_self: super: { deploy-rs = { - inherit (import nixpkgs {system = system;}) deploy-rs; - lib = super.deploy-rs.lib; + inherit (import nixpkgs {inherit system;}) deploy-rs; + inherit (super.deploy-rs.lib); }; }) ]; @@ -234,7 +235,7 @@ hooks = { alejandra.enable = true; deadnix.enable = true; - #statix.enable = true; + statix.enable = true; }; }; } diff --git a/hosts/fra1-a/configuration.nix b/hosts/fra1-a/configuration.nix index 0534657..94e4719 100644 --- a/hosts/fra1-a/configuration.nix +++ b/hosts/fra1-a/configuration.nix @@ -56,10 +56,11 @@ deployerbot = { follower = { + inherit (myData.hosts."vno1-oh2.servers.jakst".publicKey); + enable = true; sshAllowSubnets = [myData.subnets.tailscale.sshPattern]; uidgid = myData.uidgid.updaterbot-deployee; - publicKey = myData.hosts."vno1-oh2.servers.jakst".publicKey; }; }; 
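Review bot: `inherit (super.deploy-rs.lib);` names no attribute, so it binds nothing and the overlaid `deploy-rs` set silently loses `lib`; the form is `inherit (super.deploy-rs) lib;`, as the neighbouring `inherit (import nixpkgs {inherit system;}) deploy-rs;` line already does. The same empty-`inherit` rewrite recurs in every other hunk of this patch that replaces an `x = a.x;` binding: `publicKey` in hosts/fra1-a, fwminex, vno1-oh2 and vno3-rp3b, `repo`/`paths`/`patterns` in modules/base/zfsborg, `hostname` in modules/services/jakstpub, and `enable`/`user`/`group`/`dataDir` in modules/services/syncthing — each should read `inherit (parent) name;`, e.g. `inherit (myData.hosts."vno1-oh2.servers.jakst") publicKey;`. For the deployerbot followers that means the key they are meant to trust is no longer set at all; whether that fails evaluation or leaves the option at a default depends on the option definition, which this patch does not show. In modules/services/friendlyport, `inherit (config.mj.services.friendlyport.ports);` additionally leaves `ports` unbound where `startTCP`/`startUDP`/`stopTCP`/`stopUDP` reference it, so that module should fail to evaluate outright unless `ports` is bound above the hunk; `inherit (config.mj.services.friendlyport) ports;` is the intended line.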
diff --git a/hosts/fwminex/configuration.nix b/hosts/fwminex/configuration.nix index e01a48e..37665fb 100644 --- a/hosts/fwminex/configuration.nix +++ b/hosts/fwminex/configuration.nix @@ -84,9 +84,10 @@ in { deployerbot = { follower = { + inherit (myData.hosts."vno1-oh2.servers.jakst".publicKey); + enable = true; uidgid = myData.uidgid.updaterbot-deployee; - publicKey = myData.hosts."vno1-oh2.servers.jakst".publicKey; sshAllowSubnets = with myData.subnets; [tailscale.sshPattern]; }; }; diff --git a/hosts/vm/configuration.nix b/hosts/vm/configuration.nix index 2380c69..5babde4 100644 --- a/hosts/vm/configuration.nix +++ b/hosts/vm/configuration.nix @@ -2,8 +2,7 @@ pkgs, myData, ... -}: let -in { +}: { mj = { stateVersion = "23.05"; timeZone = "UTC"; diff --git a/hosts/vno1-oh2/configuration.nix b/hosts/vno1-oh2/configuration.nix index e9ce9a7..236b539 100644 --- a/hosts/vno1-oh2/configuration.nix +++ b/hosts/vno1-oh2/configuration.nix @@ -199,7 +199,7 @@ enable = true; sshAllowSubnets = [myData.subnets.tailscale.sshPattern]; uidgid = myData.uidgid.updaterbot-deployee; - publicKey = myData.hosts."vno1-oh2.servers.jakst".publicKey; + inherit (myData.hosts."vno1-oh2.servers.jakst".publicKey); }; }; diff --git a/hosts/vno3-rp3b/configuration.nix b/hosts/vno3-rp3b/configuration.nix index d2868ef..659ac4f 100644 --- a/hosts/vno3-rp3b/configuration.nix +++ b/hosts/vno3-rp3b/configuration.nix @@ -97,7 +97,7 @@ enable = true; sshAllowSubnets = [myData.subnets.tailscale.sshPattern]; uidgid = myData.uidgid.updaterbot-deployee; - publicKey = myData.hosts."vno1-oh2.servers.jakst".publicKey; + inherit (myData.hosts."vno1-oh2.servers.jakst".publicKey); }; }; diff --git a/modules/base/sshd/default.nix b/modules/base/sshd/default.nix index 32fbef4..13e22e7 100644 --- a/modules/base/sshd/default.nix +++ b/modules/base/sshd/default.nix 
@@ -16,6 +16,6 @@ programs.ssh.knownHosts = let sshAttrs = lib.genAttrs ["extraHostNames" "publicKey"] (_: null); in - lib.mapAttrs (_name: cfg: builtins.intersectAttrs sshAttrs cfg) myData.hosts; + lib.mapAttrs (_name: builtins.intersectAttrs sshAttrs) myData.hosts; }; } diff --git a/modules/base/users/default.nix b/modules/base/users/default.nix index 3848571..03e1808 100644 --- a/modules/base/users/default.nix +++ b/modules/base/users/default.nix @@ -2,9 +2,10 @@ config, lib, myData, - #home-manager, ... -}: { +}: let + cfg = config.mj.base.users; +in { options.mj.base.users = with lib.types; { devEnvironment = lib.mkOption { type = bool; @@ -12,25 +13,23 @@ }; passwd = lib.mkOption { - type = attrsOf (submodule ( - {...}: { - options = { - passwordFile = lib.mkOption { - type = nullOr path; - default = null; - }; - initialPassword = lib.mkOption { - type = nullOr str; - default = null; - }; - - extraGroups = lib.mkOption { - type = listOf str; - default = []; - }; + type = attrsOf (submodule { + options = { + passwordFile = lib.mkOption { + type = nullOr path; + default = null; }; - } - )); + initialPassword = lib.mkOption { + type = nullOr str; + default = null; + }; + + extraGroups = lib.mkOption { + type = listOf str; + default = []; + }; + }; + }); }; }; @@ -38,13 +37,11 @@ users = { mutableUsers = false; - users = let - passwd = config.mj.base.users.passwd; - in { + users = { motiejus = { isNormalUser = true; - extraGroups = ["wheel"] ++ passwd.motiejus.extraGroups; + extraGroups = ["wheel"] ++ cfg.passwd.motiejus.extraGroups; uid = myData.uidgid.motiejus; openssh.authorizedKeys.keys = [myData.people_pubkeys.motiejus]; } 
@@ -52,17 +49,17 @@ n: v: (n == "passwordFile" || n == "initialPassword") && v != null ) - passwd.motiejus or {}; + cfg.passwd.motiejus or {}; - root = assert lib.assertMsg (passwd ? root) "root password needs to be defined"; - lib.filterAttrs (_: v: v != null) passwd.root; + root = assert lib.assertMsg (cfg.passwd ? root) "root password needs to be defined"; + lib.filterAttrs (_: v: v != null) cfg.passwd.root; }; }; home-manager.useGlobalPkgs = true; home-manager.users.motiejus = {pkgs, ...}: { home.stateVersion = config.mj.stateVersion; - home.packages = lib.mkIf config.mj.base.users.devEnvironment [pkgs.go]; + home.packages = lib.mkIf cfg.devEnvironment [pkgs.go]; programs.direnv.enable = true; @@ -71,7 +68,7 @@ vimAlias = true; vimdiffAlias = true; defaultEditor = true; - plugins = lib.mkIf config.mj.base.users.devEnvironment [ + plugins = lib.mkIf cfg.devEnvironment [ pkgs.vimPlugins.fugitive pkgs.vimPlugins.vim-go pkgs.vimPlugins.zig-vim diff --git a/modules/base/zfsborg/default.nix b/modules/base/zfsborg/default.nix index 1810101..35d367a 100644 --- a/modules/base/zfsborg/default.nix +++ b/modules/base/zfsborg/default.nix @@ -27,20 +27,18 @@ in { dirs = lib.mkOption { default = {}; - type = listOf (submodule ( - {...}: { - options = { - mountpoint = lib.mkOption {type = path;}; - repo = lib.mkOption {type = str;}; - paths = lib.mkOption {type = listOf str;}; - patterns = lib.mkOption { - type = listOf str; - default = []; - }; - backup_at = lib.mkOption {type = str;}; + type = listOf (submodule { + options = { + mountpoint = lib.mkOption {type = path;}; + repo = lib.mkOption {type = str;}; + paths = lib.mkOption {type = listOf str;}; + patterns = lib.mkOption { + type = listOf str; + default = []; }; - } - )); + backup_at = lib.mkOption {type = str;}; + }; + }); }; }; 
@@ -69,13 +67,14 @@ in { lib.nameValuePair "${lib.strings.sanitizeDerivationName mountpoint}-${toString i}" ({ + inherit (attrs.repo); + inherit (attrs.paths); + doInit = true; - repo = attrs.repo; encryption = { mode = "repokey-blake2"; passCommand = "cat ${config.mj.base.zfsborg.passwordPath}"; }; - paths = attrs.paths; extraArgs = "--remote-path=borg1"; compression = "auto,lzma"; startAt = attrs.backup_at; @@ -96,9 +95,7 @@ in { BORG_RSH = ''ssh -i "${config.mj.base.zfsborg.sshKeyPath}"''; }; } - // lib.optionalAttrs (attrs ? patterns) { - patterns = attrs.patterns; - }) + // lib.optionalAttrs (attrs ? patterns) {inherit (attrs.patterns);}) ) dirs ); diff --git a/modules/services/deployerbot/default.nix b/modules/services/deployerbot/default.nix index 4f49ddb..c9e71fa 100644 --- a/modules/services/deployerbot/default.nix +++ b/modules/services/deployerbot/default.nix @@ -22,14 +22,12 @@ in { enable = lib.mkEnableOption "Enable system updater orchestrator"; deployDerivations = lib.mkOption {type = listOf str;}; deployIfPresent = lib.mkOption { - type = listOf (submodule ( - {...}: { - options = { - derivationTarget = lib.mkOption {type = str;}; - pingTarget = lib.mkOption {type = str;}; - }; - } - )); + type = listOf (submodule { + options = { + derivationTarget = lib.mkOption {type = str;}; + pingTarget = lib.mkOption {type = str;}; + }; + }); default = []; }; uidgid = lib.mkOption {type = int;}; diff --git a/modules/services/friendlyport/default.nix b/modules/services/friendlyport/default.nix index 285dcc8..03bad89 100644 --- a/modules/services/friendlyport/default.nix +++ b/modules/services/friendlyport/default.nix 
@@ -5,50 +5,45 @@ }: { options.mj.services.friendlyport = with lib.types; { ports = lib.mkOption { - type = listOf (submodule ( - {...}: { - options = { - subnets = lib.mkOption {type = listOf str;}; - tcp = lib.mkOption { - type = listOf int; - default = []; - }; - udp = lib.mkOption { - type = listOf int; - default = []; - }; + type = listOf (submodule { + options = { + subnets = lib.mkOption {type = listOf str;}; + tcp = lib.mkOption { + type = listOf int; + default = []; }; - } - )); + udp = lib.mkOption { + type = listOf int; + default = []; + }; + }; + }); }; }; config = let - ports = config.mj.services.friendlyport.ports; - mkAdd = ( - proto: subnets: ints: let - subnetsS = builtins.concatStringsSep "," subnets; - intsS = builtins.concatStringsSep "," (map builtins.toString ints); - in - if builtins.length ints == 0 - then "" - else "iptables -A INPUT -p ${proto} --match multiport --dports ${intsS} --source ${subnetsS} -j ACCEPT" - ); + inherit (config.mj.services.friendlyport.ports); + + mkAdd = proto: subnets: ints: let + subnetsS = builtins.concatStringsSep "," subnets; + intsS = builtins.concatStringsSep "," (map builtins.toString ints); + in + if builtins.length ints == 0 + then "" + else "iptables -A INPUT -p ${proto} --match multiport --dports ${intsS} --source ${subnetsS} -j ACCEPT"; startTCP = map (attr: mkAdd "tcp" attr.subnets attr.tcp) ports; startUDP = map (attr: mkAdd "udp" attr.subnets attr.udp) ports; # TODO: when stopping the firewall, systemd uses the old ports. So this is a two-phase process. # How to stop the old one and start the new one? 
- mkDel = ( - proto: subnets: ints: let - subnetsS = builtins.concatStringsSep "," subnets; - intsS = builtins.concatStringsSep "," (map builtins.toString ints); - in - if builtins.length ints == 0 - then "" - else "iptables -D INPUT -p ${proto} --match multiport --dports ${intsS} --source ${subnetsS} -j ACCEPT || :" - ); + mkDel = proto: subnets: ints: let + subnetsS = builtins.concatStringsSep "," subnets; + intsS = builtins.concatStringsSep "," (map builtins.toString ints); + in + if builtins.length ints == 0 + then "" + else "iptables -D INPUT -p ${proto} --match multiport --dports ${intsS} --source ${subnetsS} -j ACCEPT || :"; stopTCP = map (attr: mkDel "tcp" attr.subnets attr.tcp) ports; stopUDP = map (attr: mkDel "udp" attr.subnets attr.udp) ports; diff --git a/modules/services/jakstpub/default.nix b/modules/services/jakstpub/default.nix index dfd0bd6..cb6567c 100644 --- a/modules/services/jakstpub/default.nix +++ b/modules/services/jakstpub/default.nix @@ -5,7 +5,6 @@ ... }: let cfg = config.mj.services.jakstpub; - subnets = myData.subnets; in { options.mj.services.jakstpub = with lib.types; { enable = lib.mkEnableOption "Enable jakstpub"; @@ -70,7 +69,7 @@ in { services.samba-wsdd = { enable = true; - hostname = cfg.hostname; + inherit (cfg.hostname); }; users.users.jakstpub = { diff --git a/modules/services/syncthing/default.nix b/modules/services/syncthing/default.nix index 0820065..dbb3e68 100644 --- a/modules/services/syncthing/default.nix +++ b/modules/services/syncthing/default.nix @@ -4,8 +4,9 @@ myData, ... }: let + cfg = config.mj.services.syncthing; + guiPort = 8384; - cfg = config.services.syncthing; devices = { "fwminex".id = "GKSUKZE-AOBQOWY-CNLZ2ZI-WNKATYE-MV4Y452-J3VCJ5C-EAANXRX-2P6EHA6"; "vno1-oh2".id = "W45ROUW-CHKI3I6-C4VCOCU-NJYQ3ZS-MJDHH23-YYCDXTI-HTJSBZJ-KZMWTAF"; 
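Review bot: In modules/services/syncthing the `cfg` binding is re-pointed from `config.services.syncthing` to `config.mj.services.syncthing`, which changes the meaning of every existing `cfg.` reference in the roughly ninety lines between this hunk and the next; only the uses inside the later hunks are visibly updated. If any reference in that unshown stretch relied on the NixOS-level values (e.g. a `dataDir` or `user` as merged from other modules), it now silently reads the `mj` option instead. Worth a one-line comment next to the binding, `# cfg is the mj.* option set, not services.syncthing`, and a quick grep of the file for `cfg.` before merging.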
@@ -95,7 +96,7 @@ in { dataDir = lib.mkOption {type = path;}; }; - config = lib.mkIf config.mj.services.syncthing.enable { + config = lib.mkIf cfg.enable { mj.services.friendlyport.ports = [ { subnets = myData.subnets.motiejus.cidrs; @@ -104,16 +105,17 @@ in { ]; services.syncthing = { - enable = config.mj.services.syncthing.enable; + inherit (cfg.enable); + inherit (cfg.user); + inherit (cfg.group); + inherit (cfg.dataDir); + openDefaultPorts = true; guiAddress = let fqdn = with config.networking; "${hostName}.${domain}"; jakstIP = lib.getAttrFromPath [fqdn "jakstIP"] myData.hosts; guiPortStr = builtins.toString guiPort; in "${jakstIP}:${guiPortStr}"; - user = config.mj.services.syncthing.user; - group = config.mj.services.syncthing.group; - dataDir = config.mj.services.syncthing.dataDir; extraOptions.gui.insecureAdminAccess = true; diff --git a/modules/services/tailscale/default.nix b/modules/services/tailscale/default.nix index 2f55c08..d946641 100644 --- a/modules/services/tailscale/default.nix +++ b/modules/services/tailscale/default.nix @@ -16,7 +16,7 @@ in { }; }; - config = mkIf (cfg.enable) (mkMerge [ + config = mkIf cfg.enable (mkMerge [ { services.tailscale.enable = true; networking.firewall.checkReversePath = "loose"; diff --git a/modules/services/zfsunlock/default.nix b/modules/services/zfsunlock/default.nix index d890177..a3dca4e 100644 --- a/modules/services/zfsunlock/default.nix +++ b/modules/services/zfsunlock/default.nix 
@@ -31,21 +31,19 @@ in { targets = lib.mkOption { default = {}; - type = attrsOf (submodule ( - {...}: { - options = { - sshEndpoint = lib.mkOption {type = str;}; - pingEndpoint = lib.mkOption {type = str;}; - pingTimeoutSec = lib.mkOption { - type = int; - default = 20; - }; - remotePubkey = lib.mkOption {type = str;}; - pwFile = lib.mkOption {type = path;}; - startAt = lib.mkOption {type = either str (listOf str);}; + type = attrsOf (submodule { + options = { + sshEndpoint = lib.mkOption {type = str;}; + pingEndpoint = lib.mkOption {type = str;}; + pingTimeoutSec = lib.mkOption { + type = int; + default = 20; }; - } - )); + remotePubkey = lib.mkOption {type = str;}; + pwFile = lib.mkOption {type = path;}; + startAt = lib.mkOption {type = either str (listOf str);}; + }; + }); }; };