enable statx

Motiejus Jakštys 2023-10-01 23:14:05 +03:00
parent 5c83f7407a
commit 25e8191177
15 changed files with 110 additions and 122 deletions


@ -54,13 +54,14 @@
myData = import ./data.nix; myData = import ./data.nix;
mkDeployPkgs = system: mkDeployPkgs = system:
import nixpkgs { import nixpkgs {
system = system; inherit system;
overlays = [ overlays = [
deploy-rs.overlay deploy-rs.overlay
(_self: super: { (_self: super: {
deploy-rs = { deploy-rs = {
inherit (import nixpkgs {system = system;}) deploy-rs; inherit (import nixpkgs {inherit system;}) deploy-rs;
lib = super.deploy-rs.lib; inherit (super.deploy-rs.lib);
}; };
}) })
]; ];
@ -234,7 +235,7 @@
hooks = { hooks = {
alejandra.enable = true; alejandra.enable = true;
deadnix.enable = true; deadnix.enable = true;
#statix.enable = true; statix.enable = true;
}; };
}; };
} }
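Review bot: `inherit (super.deploy-rs.lib);` in the first hunk binds nothing — in Nix, `inherit (expr) a b;` copies the named attributes out of `expr`, and with no names after the parenthesised expression the statement is a syntactically valid no-op, so the overlay's `deploy-rs` attribute no longer carries `lib`; the intended statix-style rewrite is `inherit (super.deploy-rs) lib;`. The same misapplied form appears in every other section of this commit: `inherit (myData.hosts."vno1-oh2.servers.jakst".publicKey);` in the three deployerbot follower blocks, `inherit (attrs.repo);`, `inherit (attrs.paths);` and `{inherit (attrs.patterns);}` in the borg job, `inherit (config.mj.services.friendlyport.ports);` in the friendlyport `let` (which leaves `ports` undefined and fails evaluation), `inherit (cfg.hostname);` in samba-wsdd, and `inherit (cfg.enable);` through `inherit (cfg.dataDir);` in services.syncthing. Each should be written as `inherit (<parent attrset>) <name>;`, e.g. `inherit (myData.hosts."vno1-oh2.servers.jakst") publicKey;`, `inherit (attrs) repo paths;`, `inherit (cfg) enable user group dataDir;`. Where the dropped option declares a default (not visible here), nothing fails at evaluation time: the follower's deploy key stays unset and `services.syncthing.enable` stays false, while the `mj.services.friendlyport.ports` entry for syncthing is still applied, so firewall rules are opened for a service that no longer starts. The bindings at `inherit system;` in the same hunk are the correct form and are unaffected.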


@ -56,10 +56,11 @@
deployerbot = { deployerbot = {
follower = { follower = {
inherit (myData.hosts."vno1-oh2.servers.jakst".publicKey);
enable = true; enable = true;
sshAllowSubnets = [myData.subnets.tailscale.sshPattern]; sshAllowSubnets = [myData.subnets.tailscale.sshPattern];
uidgid = myData.uidgid.updaterbot-deployee; uidgid = myData.uidgid.updaterbot-deployee;
publicKey = myData.hosts."vno1-oh2.servers.jakst".publicKey;
}; };
}; };


@ -84,9 +84,10 @@ in {
deployerbot = { deployerbot = {
follower = { follower = {
inherit (myData.hosts."vno1-oh2.servers.jakst".publicKey);
enable = true; enable = true;
uidgid = myData.uidgid.updaterbot-deployee; uidgid = myData.uidgid.updaterbot-deployee;
publicKey = myData.hosts."vno1-oh2.servers.jakst".publicKey;
sshAllowSubnets = with myData.subnets; [tailscale.sshPattern]; sshAllowSubnets = with myData.subnets; [tailscale.sshPattern];
}; };
}; };


@ -2,8 +2,7 @@
pkgs, pkgs,
myData, myData,
... ...
}: let }: {
in {
mj = { mj = {
stateVersion = "23.05"; stateVersion = "23.05";
timeZone = "UTC"; timeZone = "UTC";


@ -199,7 +199,7 @@
enable = true; enable = true;
sshAllowSubnets = [myData.subnets.tailscale.sshPattern]; sshAllowSubnets = [myData.subnets.tailscale.sshPattern];
uidgid = myData.uidgid.updaterbot-deployee; uidgid = myData.uidgid.updaterbot-deployee;
publicKey = myData.hosts."vno1-oh2.servers.jakst".publicKey; inherit (myData.hosts."vno1-oh2.servers.jakst".publicKey);
}; };
}; };


@ -97,7 +97,7 @@
enable = true; enable = true;
sshAllowSubnets = [myData.subnets.tailscale.sshPattern]; sshAllowSubnets = [myData.subnets.tailscale.sshPattern];
uidgid = myData.uidgid.updaterbot-deployee; uidgid = myData.uidgid.updaterbot-deployee;
publicKey = myData.hosts."vno1-oh2.servers.jakst".publicKey; inherit (myData.hosts."vno1-oh2.servers.jakst".publicKey);
}; };
}; };


@ -16,6 +16,6 @@
programs.ssh.knownHosts = let programs.ssh.knownHosts = let
sshAttrs = lib.genAttrs ["extraHostNames" "publicKey"] (_: null); sshAttrs = lib.genAttrs ["extraHostNames" "publicKey"] (_: null);
in in
lib.mapAttrs (_name: cfg: builtins.intersectAttrs sshAttrs cfg) myData.hosts; lib.mapAttrs (_name: builtins.intersectAttrs sshAttrs) myData.hosts;
}; };
} }


@ -2,9 +2,10 @@
config, config,
lib, lib,
myData, myData,
#home-manager,
... ...
}: { }: let
cfg = config.mj.base.users;
in {
options.mj.base.users = with lib.types; { options.mj.base.users = with lib.types; {
devEnvironment = lib.mkOption { devEnvironment = lib.mkOption {
type = bool; type = bool;
@ -12,25 +13,23 @@
}; };
passwd = lib.mkOption { passwd = lib.mkOption {
type = attrsOf (submodule ( type = attrsOf (submodule {
{...}: { options = {
options = { passwordFile = lib.mkOption {
passwordFile = lib.mkOption { type = nullOr path;
type = nullOr path; default = null;
default = null;
};
initialPassword = lib.mkOption {
type = nullOr str;
default = null;
};
extraGroups = lib.mkOption {
type = listOf str;
default = [];
};
}; };
} initialPassword = lib.mkOption {
)); type = nullOr str;
default = null;
};
extraGroups = lib.mkOption {
type = listOf str;
default = [];
};
};
});
}; };
}; };
@ -38,13 +37,11 @@
users = { users = {
mutableUsers = false; mutableUsers = false;
users = let users = {
passwd = config.mj.base.users.passwd;
in {
motiejus = motiejus =
{ {
isNormalUser = true; isNormalUser = true;
extraGroups = ["wheel"] ++ passwd.motiejus.extraGroups; extraGroups = ["wheel"] ++ cfg.passwd.motiejus.extraGroups;
uid = myData.uidgid.motiejus; uid = myData.uidgid.motiejus;
openssh.authorizedKeys.keys = [myData.people_pubkeys.motiejus]; openssh.authorizedKeys.keys = [myData.people_pubkeys.motiejus];
} }
@ -52,17 +49,17 @@
n: v: n: v:
(n == "passwordFile" || n == "initialPassword") && v != null (n == "passwordFile" || n == "initialPassword") && v != null
) )
passwd.motiejus or {}; cfg.passwd.motiejus or {};
root = assert lib.assertMsg (passwd ? root) "root password needs to be defined"; root = assert lib.assertMsg (cfg.passwd ? root) "root password needs to be defined";
lib.filterAttrs (_: v: v != null) passwd.root; lib.filterAttrs (_: v: v != null) cfg.passwd.root;
}; };
}; };
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
home-manager.users.motiejus = {pkgs, ...}: { home-manager.users.motiejus = {pkgs, ...}: {
home.stateVersion = config.mj.stateVersion; home.stateVersion = config.mj.stateVersion;
home.packages = lib.mkIf config.mj.base.users.devEnvironment [pkgs.go]; home.packages = lib.mkIf cfg.devEnvironment [pkgs.go];
programs.direnv.enable = true; programs.direnv.enable = true;
@ -71,7 +68,7 @@
vimAlias = true; vimAlias = true;
vimdiffAlias = true; vimdiffAlias = true;
defaultEditor = true; defaultEditor = true;
plugins = lib.mkIf config.mj.base.users.devEnvironment [ plugins = lib.mkIf cfg.devEnvironment [
pkgs.vimPlugins.fugitive pkgs.vimPlugins.fugitive
pkgs.vimPlugins.vim-go pkgs.vimPlugins.vim-go
pkgs.vimPlugins.zig-vim pkgs.vimPlugins.zig-vim


@ -27,20 +27,18 @@ in {
dirs = lib.mkOption { dirs = lib.mkOption {
default = {}; default = {};
type = listOf (submodule ( type = listOf (submodule {
{...}: { options = {
options = { mountpoint = lib.mkOption {type = path;};
mountpoint = lib.mkOption {type = path;}; repo = lib.mkOption {type = str;};
repo = lib.mkOption {type = str;}; paths = lib.mkOption {type = listOf str;};
paths = lib.mkOption {type = listOf str;}; patterns = lib.mkOption {
patterns = lib.mkOption { type = listOf str;
type = listOf str; default = [];
default = [];
};
backup_at = lib.mkOption {type = str;};
}; };
} backup_at = lib.mkOption {type = str;};
)); };
});
}; };
}; };
@ -69,13 +67,14 @@ in {
lib.nameValuePair lib.nameValuePair
"${lib.strings.sanitizeDerivationName mountpoint}-${toString i}" "${lib.strings.sanitizeDerivationName mountpoint}-${toString i}"
({ ({
inherit (attrs.repo);
inherit (attrs.paths);
doInit = true; doInit = true;
repo = attrs.repo;
encryption = { encryption = {
mode = "repokey-blake2"; mode = "repokey-blake2";
passCommand = "cat ${config.mj.base.zfsborg.passwordPath}"; passCommand = "cat ${config.mj.base.zfsborg.passwordPath}";
}; };
paths = attrs.paths;
extraArgs = "--remote-path=borg1"; extraArgs = "--remote-path=borg1";
compression = "auto,lzma"; compression = "auto,lzma";
startAt = attrs.backup_at; startAt = attrs.backup_at;
@ -96,9 +95,7 @@ in {
BORG_RSH = ''ssh -i "${config.mj.base.zfsborg.sshKeyPath}"''; BORG_RSH = ''ssh -i "${config.mj.base.zfsborg.sshKeyPath}"'';
}; };
} }
// lib.optionalAttrs (attrs ? patterns) { // lib.optionalAttrs (attrs ? patterns) {inherit (attrs.patterns);})
patterns = attrs.patterns;
})
) )
dirs dirs
); );


@ -22,14 +22,12 @@ in {
enable = lib.mkEnableOption "Enable system updater orchestrator"; enable = lib.mkEnableOption "Enable system updater orchestrator";
deployDerivations = lib.mkOption {type = listOf str;}; deployDerivations = lib.mkOption {type = listOf str;};
deployIfPresent = lib.mkOption { deployIfPresent = lib.mkOption {
type = listOf (submodule ( type = listOf (submodule {
{...}: { options = {
options = { derivationTarget = lib.mkOption {type = str;};
derivationTarget = lib.mkOption {type = str;}; pingTarget = lib.mkOption {type = str;};
pingTarget = lib.mkOption {type = str;}; };
}; });
}
));
default = []; default = [];
}; };
uidgid = lib.mkOption {type = int;}; uidgid = lib.mkOption {type = int;};


@ -5,50 +5,45 @@
}: { }: {
options.mj.services.friendlyport = with lib.types; { options.mj.services.friendlyport = with lib.types; {
ports = lib.mkOption { ports = lib.mkOption {
type = listOf (submodule ( type = listOf (submodule {
{...}: { options = {
options = { subnets = lib.mkOption {type = listOf str;};
subnets = lib.mkOption {type = listOf str;}; tcp = lib.mkOption {
tcp = lib.mkOption { type = listOf int;
type = listOf int; default = [];
default = [];
};
udp = lib.mkOption {
type = listOf int;
default = [];
};
}; };
} udp = lib.mkOption {
)); type = listOf int;
default = [];
};
};
});
}; };
}; };
config = let config = let
ports = config.mj.services.friendlyport.ports; inherit (config.mj.services.friendlyport.ports);
mkAdd = (
proto: subnets: ints: let mkAdd = proto: subnets: ints: let
subnetsS = builtins.concatStringsSep "," subnets; subnetsS = builtins.concatStringsSep "," subnets;
intsS = builtins.concatStringsSep "," (map builtins.toString ints); intsS = builtins.concatStringsSep "," (map builtins.toString ints);
in in
if builtins.length ints == 0 if builtins.length ints == 0
then "" then ""
else "iptables -A INPUT -p ${proto} --match multiport --dports ${intsS} --source ${subnetsS} -j ACCEPT" else "iptables -A INPUT -p ${proto} --match multiport --dports ${intsS} --source ${subnetsS} -j ACCEPT";
);
startTCP = map (attr: mkAdd "tcp" attr.subnets attr.tcp) ports; startTCP = map (attr: mkAdd "tcp" attr.subnets attr.tcp) ports;
startUDP = map (attr: mkAdd "udp" attr.subnets attr.udp) ports; startUDP = map (attr: mkAdd "udp" attr.subnets attr.udp) ports;
# TODO: when stopping the firewall, systemd uses the old ports. So this is a two-phase process. # TODO: when stopping the firewall, systemd uses the old ports. So this is a two-phase process.
# How to stop the old one and start the new one? # How to stop the old one and start the new one?
mkDel = ( mkDel = proto: subnets: ints: let
proto: subnets: ints: let subnetsS = builtins.concatStringsSep "," subnets;
subnetsS = builtins.concatStringsSep "," subnets; intsS = builtins.concatStringsSep "," (map builtins.toString ints);
intsS = builtins.concatStringsSep "," (map builtins.toString ints); in
in if builtins.length ints == 0
if builtins.length ints == 0 then ""
then "" else "iptables -D INPUT -p ${proto} --match multiport --dports ${intsS} --source ${subnetsS} -j ACCEPT || :";
else "iptables -D INPUT -p ${proto} --match multiport --dports ${intsS} --source ${subnetsS} -j ACCEPT || :"
);
stopTCP = map (attr: mkDel "tcp" attr.subnets attr.tcp) ports; stopTCP = map (attr: mkDel "tcp" attr.subnets attr.tcp) ports;
stopUDP = map (attr: mkDel "udp" attr.subnets attr.udp) ports; stopUDP = map (attr: mkDel "udp" attr.subnets attr.udp) ports;


@ -5,7 +5,6 @@
... ...
}: let }: let
cfg = config.mj.services.jakstpub; cfg = config.mj.services.jakstpub;
subnets = myData.subnets;
in { in {
options.mj.services.jakstpub = with lib.types; { options.mj.services.jakstpub = with lib.types; {
enable = lib.mkEnableOption "Enable jakstpub"; enable = lib.mkEnableOption "Enable jakstpub";
@ -70,7 +69,7 @@ in {
services.samba-wsdd = { services.samba-wsdd = {
enable = true; enable = true;
hostname = cfg.hostname; inherit (cfg.hostname);
}; };
users.users.jakstpub = { users.users.jakstpub = {


@ -4,8 +4,9 @@
myData, myData,
... ...
}: let }: let
cfg = config.mj.services.syncthing;
guiPort = 8384; guiPort = 8384;
cfg = config.services.syncthing;
devices = { devices = {
"fwminex".id = "GKSUKZE-AOBQOWY-CNLZ2ZI-WNKATYE-MV4Y452-J3VCJ5C-EAANXRX-2P6EHA6"; "fwminex".id = "GKSUKZE-AOBQOWY-CNLZ2ZI-WNKATYE-MV4Y452-J3VCJ5C-EAANXRX-2P6EHA6";
"vno1-oh2".id = "W45ROUW-CHKI3I6-C4VCOCU-NJYQ3ZS-MJDHH23-YYCDXTI-HTJSBZJ-KZMWTAF"; "vno1-oh2".id = "W45ROUW-CHKI3I6-C4VCOCU-NJYQ3ZS-MJDHH23-YYCDXTI-HTJSBZJ-KZMWTAF";
@ -95,7 +96,7 @@ in {
dataDir = lib.mkOption {type = path;}; dataDir = lib.mkOption {type = path;};
}; };
config = lib.mkIf config.mj.services.syncthing.enable { config = lib.mkIf cfg.enable {
mj.services.friendlyport.ports = [ mj.services.friendlyport.ports = [
{ {
subnets = myData.subnets.motiejus.cidrs; subnets = myData.subnets.motiejus.cidrs;
@ -104,16 +105,17 @@ in {
]; ];
services.syncthing = { services.syncthing = {
enable = config.mj.services.syncthing.enable; inherit (cfg.enable);
inherit (cfg.user);
inherit (cfg.group);
inherit (cfg.dataDir);
openDefaultPorts = true; openDefaultPorts = true;
guiAddress = let guiAddress = let
fqdn = with config.networking; "${hostName}.${domain}"; fqdn = with config.networking; "${hostName}.${domain}";
jakstIP = lib.getAttrFromPath [fqdn "jakstIP"] myData.hosts; jakstIP = lib.getAttrFromPath [fqdn "jakstIP"] myData.hosts;
guiPortStr = builtins.toString guiPort; guiPortStr = builtins.toString guiPort;
in "${jakstIP}:${guiPortStr}"; in "${jakstIP}:${guiPortStr}";
user = config.mj.services.syncthing.user;
group = config.mj.services.syncthing.group;
dataDir = config.mj.services.syncthing.dataDir;
extraOptions.gui.insecureAdminAccess = true; extraOptions.gui.insecureAdminAccess = true;
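Review bot: `cfg` changes meaning in the first hunk — the removed `cfg = config.services.syncthing;` is replaced by `cfg = config.mj.services.syncthing;` — so any `cfg.…` reference elsewhere in this file now resolves against this module's own options instead of the NixOS `services.syncthing` options, and the rest of the file is outside the hunks shown, so that cannot be confirmed here. If both attrsets are still needed, bind them under distinct names, e.g. `cfg = config.mj.services.syncthing;` and `svc = config.services.syncthing;`, rather than reusing `cfg`. The `let` block and the `services.syncthing` attrset both continue outside the hunk.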


@ -16,7 +16,7 @@ in {
}; };
}; };
config = mkIf (cfg.enable) (mkMerge [ config = mkIf cfg.enable (mkMerge [
{ {
services.tailscale.enable = true; services.tailscale.enable = true;
networking.firewall.checkReversePath = "loose"; networking.firewall.checkReversePath = "loose";


@ -31,21 +31,19 @@ in {
targets = lib.mkOption { targets = lib.mkOption {
default = {}; default = {};
type = attrsOf (submodule ( type = attrsOf (submodule {
{...}: { options = {
options = { sshEndpoint = lib.mkOption {type = str;};
sshEndpoint = lib.mkOption {type = str;}; pingEndpoint = lib.mkOption {type = str;};
pingEndpoint = lib.mkOption {type = str;}; pingTimeoutSec = lib.mkOption {
pingTimeoutSec = lib.mkOption { type = int;
type = int; default = 20;
default = 20;
};
remotePubkey = lib.mkOption {type = str;};
pwFile = lib.mkOption {type = path;};
startAt = lib.mkOption {type = either str (listOf str);};
}; };
} remotePubkey = lib.mkOption {type = str;};
)); pwFile = lib.mkOption {type = path;};
startAt = lib.mkOption {type = either str (listOf str);};
};
});
}; };
}; };