enable statx
This commit is contained in:
parent
5c83f7407a
commit
25e8191177
@ -54,13 +54,14 @@
|
|||||||
myData = import ./data.nix;
|
myData = import ./data.nix;
|
||||||
mkDeployPkgs = system:
|
mkDeployPkgs = system:
|
||||||
import nixpkgs {
|
import nixpkgs {
|
||||||
system = system;
|
inherit system;
|
||||||
|
|
||||||
overlays = [
|
overlays = [
|
||||||
deploy-rs.overlay
|
deploy-rs.overlay
|
||||||
(_self: super: {
|
(_self: super: {
|
||||||
deploy-rs = {
|
deploy-rs = {
|
||||||
inherit (import nixpkgs {system = system;}) deploy-rs;
|
inherit (import nixpkgs {inherit system;}) deploy-rs;
|
||||||
lib = super.deploy-rs.lib;
|
inherit (super.deploy-rs.lib);
|
||||||
};
|
};
|
||||||
})
|
})
|
||||||
];
|
];
|
||||||
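Review bot: `inherit (super.deploy-rs.lib);` on the new side of the overlay drops the `lib` binding instead of rewriting it: an `inherit (expr);` with no attribute names after the parenthesised expression binds nothing, so the overlay's `deploy-rs` set no longer carries `lib` (whether the evaluator treats this form as a no-op or rejects it, the original `lib = super.deploy-rs.lib;` binding is gone). The intended statix rewrite is `inherit (super.deploy-rs) lib;` — the source set inside the parentheses, the attribute name after them. The same misapplied pattern appears in the later hunks at the follower `publicKey` lines (`inherit (myData.hosts."vno1-oh2.servers.jakst") publicKey;`), the zfsborg `repo`/`paths`/`patterns` lines, the friendlyport `ports` binding (`inherit (config.mj.services.friendlyport) ports;`, without which `ports` as used by `startTCP`/`startUDP` is unbound), the samba-wsdd `hostname` (`inherit (cfg) hostname;`) and the syncthing `enable`/`user`/`group`/`dataDir` lines. Several of these remove configuration silently rather than failing, so each affected host should be evaluated before this is deployed.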
@ -234,7 +235,7 @@
|
|||||||
hooks = {
|
hooks = {
|
||||||
alejandra.enable = true;
|
alejandra.enable = true;
|
||||||
deadnix.enable = true;
|
deadnix.enable = true;
|
||||||
#statix.enable = true;
|
statix.enable = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
@ -56,10 +56,11 @@
|
|||||||
|
|
||||||
deployerbot = {
|
deployerbot = {
|
||||||
follower = {
|
follower = {
|
||||||
|
inherit (myData.hosts."vno1-oh2.servers.jakst".publicKey);
|
||||||
|
|
||||||
enable = true;
|
enable = true;
|
||||||
sshAllowSubnets = [myData.subnets.tailscale.sshPattern];
|
sshAllowSubnets = [myData.subnets.tailscale.sshPattern];
|
||||||
uidgid = myData.uidgid.updaterbot-deployee;
|
uidgid = myData.uidgid.updaterbot-deployee;
|
||||||
publicKey = myData.hosts."vno1-oh2.servers.jakst".publicKey;
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
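Review bot: The added `inherit (myData.hosts."vno1-oh2.servers.jakst".publicKey);` in `deployerbot.follower` names no attribute after the parenthesised expression, so it binds nothing, while the `publicKey = …` line it replaces is removed — the follower ends up with no `publicKey` set. If that option has no default, evaluation fails; if it does, the key this follower is meant to accept, going by the option name, is silently absent, which is the worse outcome for a trust setting. The correct form is `inherit (myData.hosts."vno1-oh2.servers.jakst") publicKey;`; the same line recurs in the hunks at `@ -84,9 +84,10 @@`, `@ -199,7 +199,7 @@` and `@ -97,7 +97,7 @@`.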
|
@ -84,9 +84,10 @@ in {
|
|||||||
|
|
||||||
deployerbot = {
|
deployerbot = {
|
||||||
follower = {
|
follower = {
|
||||||
|
inherit (myData.hosts."vno1-oh2.servers.jakst".publicKey);
|
||||||
|
|
||||||
enable = true;
|
enable = true;
|
||||||
uidgid = myData.uidgid.updaterbot-deployee;
|
uidgid = myData.uidgid.updaterbot-deployee;
|
||||||
publicKey = myData.hosts."vno1-oh2.servers.jakst".publicKey;
|
|
||||||
sshAllowSubnets = with myData.subnets; [tailscale.sshPattern];
|
sshAllowSubnets = with myData.subnets; [tailscale.sshPattern];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -2,8 +2,7 @@
|
|||||||
pkgs,
|
pkgs,
|
||||||
myData,
|
myData,
|
||||||
...
|
...
|
||||||
}: let
|
}: {
|
||||||
in {
|
|
||||||
mj = {
|
mj = {
|
||||||
stateVersion = "23.05";
|
stateVersion = "23.05";
|
||||||
timeZone = "UTC";
|
timeZone = "UTC";
|
||||||
|
@ -199,7 +199,7 @@
|
|||||||
enable = true;
|
enable = true;
|
||||||
sshAllowSubnets = [myData.subnets.tailscale.sshPattern];
|
sshAllowSubnets = [myData.subnets.tailscale.sshPattern];
|
||||||
uidgid = myData.uidgid.updaterbot-deployee;
|
uidgid = myData.uidgid.updaterbot-deployee;
|
||||||
publicKey = myData.hosts."vno1-oh2.servers.jakst".publicKey;
|
inherit (myData.hosts."vno1-oh2.servers.jakst".publicKey);
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -97,7 +97,7 @@
|
|||||||
enable = true;
|
enable = true;
|
||||||
sshAllowSubnets = [myData.subnets.tailscale.sshPattern];
|
sshAllowSubnets = [myData.subnets.tailscale.sshPattern];
|
||||||
uidgid = myData.uidgid.updaterbot-deployee;
|
uidgid = myData.uidgid.updaterbot-deployee;
|
||||||
publicKey = myData.hosts."vno1-oh2.servers.jakst".publicKey;
|
inherit (myData.hosts."vno1-oh2.servers.jakst".publicKey);
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -16,6 +16,6 @@
|
|||||||
programs.ssh.knownHosts = let
|
programs.ssh.knownHosts = let
|
||||||
sshAttrs = lib.genAttrs ["extraHostNames" "publicKey"] (_: null);
|
sshAttrs = lib.genAttrs ["extraHostNames" "publicKey"] (_: null);
|
||||||
in
|
in
|
||||||
lib.mapAttrs (_name: cfg: builtins.intersectAttrs sshAttrs cfg) myData.hosts;
|
lib.mapAttrs (_name: builtins.intersectAttrs sshAttrs) myData.hosts;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
@ -2,9 +2,10 @@
|
|||||||
config,
|
config,
|
||||||
lib,
|
lib,
|
||||||
myData,
|
myData,
|
||||||
#home-manager,
|
|
||||||
...
|
...
|
||||||
}: {
|
}: let
|
||||||
|
cfg = config.mj.base.users;
|
||||||
|
in {
|
||||||
options.mj.base.users = with lib.types; {
|
options.mj.base.users = with lib.types; {
|
||||||
devEnvironment = lib.mkOption {
|
devEnvironment = lib.mkOption {
|
||||||
type = bool;
|
type = bool;
|
||||||
@ -12,8 +13,7 @@
|
|||||||
};
|
};
|
||||||
|
|
||||||
passwd = lib.mkOption {
|
passwd = lib.mkOption {
|
||||||
type = attrsOf (submodule (
|
type = attrsOf (submodule {
|
||||||
{...}: {
|
|
||||||
options = {
|
options = {
|
||||||
passwordFile = lib.mkOption {
|
passwordFile = lib.mkOption {
|
||||||
type = nullOr path;
|
type = nullOr path;
|
||||||
@ -29,8 +29,7 @@
|
|||||||
default = [];
|
default = [];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
});
|
||||||
));
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -38,13 +37,11 @@
|
|||||||
users = {
|
users = {
|
||||||
mutableUsers = false;
|
mutableUsers = false;
|
||||||
|
|
||||||
users = let
|
users = {
|
||||||
passwd = config.mj.base.users.passwd;
|
|
||||||
in {
|
|
||||||
motiejus =
|
motiejus =
|
||||||
{
|
{
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
extraGroups = ["wheel"] ++ passwd.motiejus.extraGroups;
|
extraGroups = ["wheel"] ++ cfg.passwd.motiejus.extraGroups;
|
||||||
uid = myData.uidgid.motiejus;
|
uid = myData.uidgid.motiejus;
|
||||||
openssh.authorizedKeys.keys = [myData.people_pubkeys.motiejus];
|
openssh.authorizedKeys.keys = [myData.people_pubkeys.motiejus];
|
||||||
}
|
}
|
||||||
@ -52,17 +49,17 @@
|
|||||||
n: v:
|
n: v:
|
||||||
(n == "passwordFile" || n == "initialPassword") && v != null
|
(n == "passwordFile" || n == "initialPassword") && v != null
|
||||||
)
|
)
|
||||||
passwd.motiejus or {};
|
cfg.passwd.motiejus or {};
|
||||||
|
|
||||||
root = assert lib.assertMsg (passwd ? root) "root password needs to be defined";
|
root = assert lib.assertMsg (cfg.passwd ? root) "root password needs to be defined";
|
||||||
lib.filterAttrs (_: v: v != null) passwd.root;
|
lib.filterAttrs (_: v: v != null) cfg.passwd.root;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
home-manager.useGlobalPkgs = true;
|
home-manager.useGlobalPkgs = true;
|
||||||
home-manager.users.motiejus = {pkgs, ...}: {
|
home-manager.users.motiejus = {pkgs, ...}: {
|
||||||
home.stateVersion = config.mj.stateVersion;
|
home.stateVersion = config.mj.stateVersion;
|
||||||
home.packages = lib.mkIf config.mj.base.users.devEnvironment [pkgs.go];
|
home.packages = lib.mkIf cfg.devEnvironment [pkgs.go];
|
||||||
|
|
||||||
programs.direnv.enable = true;
|
programs.direnv.enable = true;
|
||||||
|
|
||||||
@ -71,7 +68,7 @@
|
|||||||
vimAlias = true;
|
vimAlias = true;
|
||||||
vimdiffAlias = true;
|
vimdiffAlias = true;
|
||||||
defaultEditor = true;
|
defaultEditor = true;
|
||||||
plugins = lib.mkIf config.mj.base.users.devEnvironment [
|
plugins = lib.mkIf cfg.devEnvironment [
|
||||||
pkgs.vimPlugins.fugitive
|
pkgs.vimPlugins.fugitive
|
||||||
pkgs.vimPlugins.vim-go
|
pkgs.vimPlugins.vim-go
|
||||||
pkgs.vimPlugins.zig-vim
|
pkgs.vimPlugins.zig-vim
|
||||||
|
@ -27,8 +27,7 @@ in {
|
|||||||
|
|
||||||
dirs = lib.mkOption {
|
dirs = lib.mkOption {
|
||||||
default = {};
|
default = {};
|
||||||
type = listOf (submodule (
|
type = listOf (submodule {
|
||||||
{...}: {
|
|
||||||
options = {
|
options = {
|
||||||
mountpoint = lib.mkOption {type = path;};
|
mountpoint = lib.mkOption {type = path;};
|
||||||
repo = lib.mkOption {type = str;};
|
repo = lib.mkOption {type = str;};
|
||||||
@ -39,8 +38,7 @@ in {
|
|||||||
};
|
};
|
||||||
backup_at = lib.mkOption {type = str;};
|
backup_at = lib.mkOption {type = str;};
|
||||||
};
|
};
|
||||||
}
|
});
|
||||||
));
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -69,13 +67,14 @@ in {
|
|||||||
lib.nameValuePair
|
lib.nameValuePair
|
||||||
"${lib.strings.sanitizeDerivationName mountpoint}-${toString i}"
|
"${lib.strings.sanitizeDerivationName mountpoint}-${toString i}"
|
||||||
({
|
({
|
||||||
|
inherit (attrs.repo);
|
||||||
|
inherit (attrs.paths);
|
||||||
|
|
||||||
doInit = true;
|
doInit = true;
|
||||||
repo = attrs.repo;
|
|
||||||
encryption = {
|
encryption = {
|
||||||
mode = "repokey-blake2";
|
mode = "repokey-blake2";
|
||||||
passCommand = "cat ${config.mj.base.zfsborg.passwordPath}";
|
passCommand = "cat ${config.mj.base.zfsborg.passwordPath}";
|
||||||
};
|
};
|
||||||
paths = attrs.paths;
|
|
||||||
extraArgs = "--remote-path=borg1";
|
extraArgs = "--remote-path=borg1";
|
||||||
compression = "auto,lzma";
|
compression = "auto,lzma";
|
||||||
startAt = attrs.backup_at;
|
startAt = attrs.backup_at;
|
||||||
@ -96,9 +95,7 @@ in {
|
|||||||
BORG_RSH = ''ssh -i "${config.mj.base.zfsborg.sshKeyPath}"'';
|
BORG_RSH = ''ssh -i "${config.mj.base.zfsborg.sshKeyPath}"'';
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
// lib.optionalAttrs (attrs ? patterns) {
|
// lib.optionalAttrs (attrs ? patterns) {inherit (attrs.patterns);})
|
||||||
patterns = attrs.patterns;
|
|
||||||
})
|
|
||||||
)
|
)
|
||||||
dirs
|
dirs
|
||||||
);
|
);
|
||||||
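Review bot: `{inherit (attrs.patterns);}` in the `optionalAttrs` branch binds nothing, so `patterns` is no longer passed to the borg job even when `attrs ? patterns` holds; the intended form is `{inherit (attrs) patterns;}`. The same shape is used for `repo` and `paths` in the preceding hunk (`inherit (attrs.repo);`, `inherit (attrs.paths);`), which should read `inherit (attrs) repo paths;`. A missing `repo` or `paths` will presumably surface at evaluation time if those job options have no default, but a dropped `patterns` would likely be accepted silently and change what the backup includes or excludes, so this is the hunk to verify by evaluating the resulting job attribute set.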
|
@ -22,14 +22,12 @@ in {
|
|||||||
enable = lib.mkEnableOption "Enable system updater orchestrator";
|
enable = lib.mkEnableOption "Enable system updater orchestrator";
|
||||||
deployDerivations = lib.mkOption {type = listOf str;};
|
deployDerivations = lib.mkOption {type = listOf str;};
|
||||||
deployIfPresent = lib.mkOption {
|
deployIfPresent = lib.mkOption {
|
||||||
type = listOf (submodule (
|
type = listOf (submodule {
|
||||||
{...}: {
|
|
||||||
options = {
|
options = {
|
||||||
derivationTarget = lib.mkOption {type = str;};
|
derivationTarget = lib.mkOption {type = str;};
|
||||||
pingTarget = lib.mkOption {type = str;};
|
pingTarget = lib.mkOption {type = str;};
|
||||||
};
|
};
|
||||||
}
|
});
|
||||||
));
|
|
||||||
default = [];
|
default = [];
|
||||||
};
|
};
|
||||||
uidgid = lib.mkOption {type = int;};
|
uidgid = lib.mkOption {type = int;};
|
||||||
|
@ -5,8 +5,7 @@
|
|||||||
}: {
|
}: {
|
||||||
options.mj.services.friendlyport = with lib.types; {
|
options.mj.services.friendlyport = with lib.types; {
|
||||||
ports = lib.mkOption {
|
ports = lib.mkOption {
|
||||||
type = listOf (submodule (
|
type = listOf (submodule {
|
||||||
{...}: {
|
|
||||||
options = {
|
options = {
|
||||||
subnets = lib.mkOption {type = listOf str;};
|
subnets = lib.mkOption {type = listOf str;};
|
||||||
tcp = lib.mkOption {
|
tcp = lib.mkOption {
|
||||||
@ -18,37 +17,33 @@
|
|||||||
default = [];
|
default = [];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
});
|
||||||
));
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = let
|
config = let
|
||||||
ports = config.mj.services.friendlyport.ports;
|
inherit (config.mj.services.friendlyport.ports);
|
||||||
mkAdd = (
|
|
||||||
proto: subnets: ints: let
|
mkAdd = proto: subnets: ints: let
|
||||||
subnetsS = builtins.concatStringsSep "," subnets;
|
subnetsS = builtins.concatStringsSep "," subnets;
|
||||||
intsS = builtins.concatStringsSep "," (map builtins.toString ints);
|
intsS = builtins.concatStringsSep "," (map builtins.toString ints);
|
||||||
in
|
in
|
||||||
if builtins.length ints == 0
|
if builtins.length ints == 0
|
||||||
then ""
|
then ""
|
||||||
else "iptables -A INPUT -p ${proto} --match multiport --dports ${intsS} --source ${subnetsS} -j ACCEPT"
|
else "iptables -A INPUT -p ${proto} --match multiport --dports ${intsS} --source ${subnetsS} -j ACCEPT";
|
||||||
);
|
|
||||||
|
|
||||||
startTCP = map (attr: mkAdd "tcp" attr.subnets attr.tcp) ports;
|
startTCP = map (attr: mkAdd "tcp" attr.subnets attr.tcp) ports;
|
||||||
startUDP = map (attr: mkAdd "udp" attr.subnets attr.udp) ports;
|
startUDP = map (attr: mkAdd "udp" attr.subnets attr.udp) ports;
|
||||||
|
|
||||||
# TODO: when stopping the firewall, systemd uses the old ports. So this is a two-phase process.
|
# TODO: when stopping the firewall, systemd uses the old ports. So this is a two-phase process.
|
||||||
# How to stop the old one and start the new one?
|
# How to stop the old one and start the new one?
|
||||||
mkDel = (
|
mkDel = proto: subnets: ints: let
|
||||||
proto: subnets: ints: let
|
|
||||||
subnetsS = builtins.concatStringsSep "," subnets;
|
subnetsS = builtins.concatStringsSep "," subnets;
|
||||||
intsS = builtins.concatStringsSep "," (map builtins.toString ints);
|
intsS = builtins.concatStringsSep "," (map builtins.toString ints);
|
||||||
in
|
in
|
||||||
if builtins.length ints == 0
|
if builtins.length ints == 0
|
||||||
then ""
|
then ""
|
||||||
else "iptables -D INPUT -p ${proto} --match multiport --dports ${intsS} --source ${subnetsS} -j ACCEPT || :"
|
else "iptables -D INPUT -p ${proto} --match multiport --dports ${intsS} --source ${subnetsS} -j ACCEPT || :";
|
||||||
);
|
|
||||||
|
|
||||||
stopTCP = map (attr: mkDel "tcp" attr.subnets attr.tcp) ports;
|
stopTCP = map (attr: mkDel "tcp" attr.subnets attr.tcp) ports;
|
||||||
stopUDP = map (attr: mkDel "udp" attr.subnets attr.udp) ports;
|
stopUDP = map (attr: mkDel "udp" attr.subnets attr.udp) ports;
|
||||||
|
@ -5,7 +5,6 @@
|
|||||||
...
|
...
|
||||||
}: let
|
}: let
|
||||||
cfg = config.mj.services.jakstpub;
|
cfg = config.mj.services.jakstpub;
|
||||||
subnets = myData.subnets;
|
|
||||||
in {
|
in {
|
||||||
options.mj.services.jakstpub = with lib.types; {
|
options.mj.services.jakstpub = with lib.types; {
|
||||||
enable = lib.mkEnableOption "Enable jakstpub";
|
enable = lib.mkEnableOption "Enable jakstpub";
|
||||||
@ -70,7 +69,7 @@ in {
|
|||||||
|
|
||||||
services.samba-wsdd = {
|
services.samba-wsdd = {
|
||||||
enable = true;
|
enable = true;
|
||||||
hostname = cfg.hostname;
|
inherit (cfg.hostname);
|
||||||
};
|
};
|
||||||
|
|
||||||
users.users.jakstpub = {
|
users.users.jakstpub = {
|
||||||
|
@ -4,8 +4,9 @@
|
|||||||
myData,
|
myData,
|
||||||
...
|
...
|
||||||
}: let
|
}: let
|
||||||
|
cfg = config.mj.services.syncthing;
|
||||||
|
|
||||||
guiPort = 8384;
|
guiPort = 8384;
|
||||||
cfg = config.services.syncthing;
|
|
||||||
devices = {
|
devices = {
|
||||||
"fwminex".id = "GKSUKZE-AOBQOWY-CNLZ2ZI-WNKATYE-MV4Y452-J3VCJ5C-EAANXRX-2P6EHA6";
|
"fwminex".id = "GKSUKZE-AOBQOWY-CNLZ2ZI-WNKATYE-MV4Y452-J3VCJ5C-EAANXRX-2P6EHA6";
|
||||||
"vno1-oh2".id = "W45ROUW-CHKI3I6-C4VCOCU-NJYQ3ZS-MJDHH23-YYCDXTI-HTJSBZJ-KZMWTAF";
|
"vno1-oh2".id = "W45ROUW-CHKI3I6-C4VCOCU-NJYQ3ZS-MJDHH23-YYCDXTI-HTJSBZJ-KZMWTAF";
|
||||||
@ -95,7 +96,7 @@ in {
|
|||||||
dataDir = lib.mkOption {type = path;};
|
dataDir = lib.mkOption {type = path;};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = lib.mkIf config.mj.services.syncthing.enable {
|
config = lib.mkIf cfg.enable {
|
||||||
mj.services.friendlyport.ports = [
|
mj.services.friendlyport.ports = [
|
||||||
{
|
{
|
||||||
subnets = myData.subnets.motiejus.cidrs;
|
subnets = myData.subnets.motiejus.cidrs;
|
||||||
@ -104,16 +105,17 @@ in {
|
|||||||
];
|
];
|
||||||
|
|
||||||
services.syncthing = {
|
services.syncthing = {
|
||||||
enable = config.mj.services.syncthing.enable;
|
inherit (cfg.enable);
|
||||||
|
inherit (cfg.user);
|
||||||
|
inherit (cfg.group);
|
||||||
|
inherit (cfg.dataDir);
|
||||||
|
|
||||||
openDefaultPorts = true;
|
openDefaultPorts = true;
|
||||||
guiAddress = let
|
guiAddress = let
|
||||||
fqdn = with config.networking; "${hostName}.${domain}";
|
fqdn = with config.networking; "${hostName}.${domain}";
|
||||||
jakstIP = lib.getAttrFromPath [fqdn "jakstIP"] myData.hosts;
|
jakstIP = lib.getAttrFromPath [fqdn "jakstIP"] myData.hosts;
|
||||||
guiPortStr = builtins.toString guiPort;
|
guiPortStr = builtins.toString guiPort;
|
||||||
in "${jakstIP}:${guiPortStr}";
|
in "${jakstIP}:${guiPortStr}";
|
||||||
user = config.mj.services.syncthing.user;
|
|
||||||
group = config.mj.services.syncthing.group;
|
|
||||||
dataDir = config.mj.services.syncthing.dataDir;
|
|
||||||
|
|
||||||
extraOptions.gui.insecureAdminAccess = true;
|
extraOptions.gui.insecureAdminAccess = true;
|
||||||
|
|
||||||
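Review bot: The four `inherit (cfg.enable);` … `inherit (cfg.dataDir);` lines bind nothing (no attribute name follows the parenthesised expression), and the `enable`, `user`, `group` and `dataDir` assignments they replace are deleted, so `services.syncthing` now receives none of them. The service is therefore not enabled from `cfg.enable`, while the `mj.services.friendlyport.ports` entry in the preceding hunk is still emitted under `lib.mkIf cfg.enable`, opening firewall ports for a service that is not running; if the module falls back to default `user`/`group`/`dataDir` values, the service would also run under a different identity and directory than intended. Replace the four lines with a single `inherit (cfg) enable user group dataDir;`.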
|
@ -16,7 +16,7 @@ in {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf (cfg.enable) (mkMerge [
|
config = mkIf cfg.enable (mkMerge [
|
||||||
{
|
{
|
||||||
services.tailscale.enable = true;
|
services.tailscale.enable = true;
|
||||||
networking.firewall.checkReversePath = "loose";
|
networking.firewall.checkReversePath = "loose";
|
||||||
|
@ -31,8 +31,7 @@ in {
|
|||||||
|
|
||||||
targets = lib.mkOption {
|
targets = lib.mkOption {
|
||||||
default = {};
|
default = {};
|
||||||
type = attrsOf (submodule (
|
type = attrsOf (submodule {
|
||||||
{...}: {
|
|
||||||
options = {
|
options = {
|
||||||
sshEndpoint = lib.mkOption {type = str;};
|
sshEndpoint = lib.mkOption {type = str;};
|
||||||
pingEndpoint = lib.mkOption {type = str;};
|
pingEndpoint = lib.mkOption {type = str;};
|
||||||
@ -44,8 +43,7 @@ in {
|
|||||||
pwFile = lib.mkOption {type = path;};
|
pwFile = lib.mkOption {type = path;};
|
||||||
startAt = lib.mkOption {type = either str (listOf str);};
|
startAt = lib.mkOption {type = either str (listOf str);};
|
||||||
};
|
};
|
||||||
}
|
});
|
||||||
));
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|