motiejus/config
1
Fork 0
Code Packages Releases Activity

enable statx

Browse Source
This commit is contained in:
Motiejus Jakštys 2023-10-01 23:14:05 +03:00
parent 5c83f7407a
commit 25e8191177
15 changed files with 110 additions and 122 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
flake.nix
View File

@ -54,13 +54,14 @@
myData = import ./data.nix;
mkDeployPkgs = system:
import nixpkgs {
system = system;
inherit system;
overlays = [
deploy-rs.overlay
(_self: super: {
deploy-rs = {
inherit (import nixpkgs {system = system;}) deploy-rs;
lib = super.deploy-rs.lib;
inherit (import nixpkgs {inherit system;}) deploy-rs;
inherit (super.deploy-rs.lib);
};
})
];
@ -234,7 +235,7 @@
hooks = {
alejandra.enable = true;
deadnix.enable = true;
#statix.enable = true;
statix.enable = true;
};
};
}

3
hosts/fra1-a/configuration.nix
View File

@ -56,10 +56,11 @@
deployerbot = {
follower = {
inherit (myData.hosts."vno1-oh2.servers.jakst".publicKey);
enable = true;
sshAllowSubnets = [myData.subnets.tailscale.sshPattern];
uidgid = myData.uidgid.updaterbot-deployee;
publicKey = myData.hosts."vno1-oh2.servers.jakst".publicKey;
};
};

3
hosts/fwminex/configuration.nix
View File

@ -84,9 +84,10 @@ in {
deployerbot = {
follower = {
inherit (myData.hosts."vno1-oh2.servers.jakst".publicKey);
enable = true;
uidgid = myData.uidgid.updaterbot-deployee;
publicKey = myData.hosts."vno1-oh2.servers.jakst".publicKey;
sshAllowSubnets = with myData.subnets; [tailscale.sshPattern];
};
};

3
hosts/vm/configuration.nix
View File

@ -2,8 +2,7 @@
pkgs,
myData,
...
}: let
in {
}: {
mj = {
stateVersion = "23.05";
timeZone = "UTC";

2
hosts/vno1-oh2/configuration.nix
View File

@ -199,7 +199,7 @@
enable = true;
sshAllowSubnets = [myData.subnets.tailscale.sshPattern];
uidgid = myData.uidgid.updaterbot-deployee;
publicKey = myData.hosts."vno1-oh2.servers.jakst".publicKey;
inherit (myData.hosts."vno1-oh2.servers.jakst".publicKey);
};
};

2
hosts/vno3-rp3b/configuration.nix
View File

@ -97,7 +97,7 @@
enable = true;
sshAllowSubnets = [myData.subnets.tailscale.sshPattern];
uidgid = myData.uidgid.updaterbot-deployee;
publicKey = myData.hosts."vno1-oh2.servers.jakst".publicKey;
inherit (myData.hosts."vno1-oh2.servers.jakst".publicKey);
};
};

2
modules/base/sshd/default.nix
View File

@ -16,6 +16,6 @@
programs.ssh.knownHosts = let
sshAttrs = lib.genAttrs ["extraHostNames" "publicKey"] (_: null);
in
lib.mapAttrs (_name: cfg: builtins.intersectAttrs sshAttrs cfg) myData.hosts;
lib.mapAttrs (_name: builtins.intersectAttrs sshAttrs) myData.hosts;
};
}

55
modules/base/users/default.nix
View File

@ -2,9 +2,10 @@
config,
lib,
myData,
#home-manager,
...
}: {
}: let
cfg = config.mj.base.users;
in {
options.mj.base.users = with lib.types; {
devEnvironment = lib.mkOption {
type = bool;
@ -12,25 +13,23 @@
};
passwd = lib.mkOption {
type = attrsOf (submodule (
{...}: {
options = {
passwordFile = lib.mkOption {
type = nullOr path;
default = null;
};
initialPassword = lib.mkOption {
type = nullOr str;
default = null;
};
extraGroups = lib.mkOption {
type = listOf str;
default = [];
};
type = attrsOf (submodule {
options = {
passwordFile = lib.mkOption {
type = nullOr path;
default = null;
};
}
));
initialPassword = lib.mkOption {
type = nullOr str;
default = null;
};
extraGroups = lib.mkOption {
type = listOf str;
default = [];
};
};
});
};
};
@ -38,13 +37,11 @@
users = {
mutableUsers = false;
users = let
passwd = config.mj.base.users.passwd;
in {
users = {
motiejus =
{
isNormalUser = true;
extraGroups = ["wheel"] ++ passwd.motiejus.extraGroups;
extraGroups = ["wheel"] ++ cfg.passwd.motiejus.extraGroups;
uid = myData.uidgid.motiejus;
openssh.authorizedKeys.keys = [myData.people_pubkeys.motiejus];
}
@ -52,17 +49,17 @@
n: v:
(n == "passwordFile" || n == "initialPassword") && v != null
)
passwd.motiejus or {};
cfg.passwd.motiejus or {};
root = assert lib.assertMsg (passwd ? root) "root password needs to be defined";
lib.filterAttrs (_: v: v != null) passwd.root;
root = assert lib.assertMsg (cfg.passwd ? root) "root password needs to be defined";
lib.filterAttrs (_: v: v != null) cfg.passwd.root;
};
};
home-manager.useGlobalPkgs = true;
home-manager.users.motiejus = {pkgs, ...}: {
home.stateVersion = config.mj.stateVersion;
home.packages = lib.mkIf config.mj.base.users.devEnvironment [pkgs.go];
home.packages = lib.mkIf cfg.devEnvironment [pkgs.go];
programs.direnv.enable = true;
@ -71,7 +68,7 @@
vimAlias = true;
vimdiffAlias = true;
defaultEditor = true;
plugins = lib.mkIf config.mj.base.users.devEnvironment [
plugins = lib.mkIf cfg.devEnvironment [
pkgs.vimPlugins.fugitive
pkgs.vimPlugins.vim-go
pkgs.vimPlugins.zig-vim

33
modules/base/zfsborg/default.nix
View File

@ -27,20 +27,18 @@ in {
dirs = lib.mkOption {
default = {};
type = listOf (submodule (
{...}: {
options = {
mountpoint = lib.mkOption {type = path;};
repo = lib.mkOption {type = str;};
paths = lib.mkOption {type = listOf str;};
patterns = lib.mkOption {
type = listOf str;
default = [];
};
backup_at = lib.mkOption {type = str;};
type = listOf (submodule {
options = {
mountpoint = lib.mkOption {type = path;};
repo = lib.mkOption {type = str;};
paths = lib.mkOption {type = listOf str;};
patterns = lib.mkOption {
type = listOf str;
default = [];
};
}
));
backup_at = lib.mkOption {type = str;};
};
});
};
};
@ -69,13 +67,14 @@ in {
lib.nameValuePair
"${lib.strings.sanitizeDerivationName mountpoint}-${toString i}"
({
inherit (attrs.repo);
inherit (attrs.paths);
doInit = true;
repo = attrs.repo;
encryption = {
mode = "repokey-blake2";
passCommand = "cat ${config.mj.base.zfsborg.passwordPath}";
};
paths = attrs.paths;
extraArgs = "--remote-path=borg1";
compression = "auto,lzma";
startAt = attrs.backup_at;
@ -96,9 +95,7 @@ in {
BORG_RSH = ''ssh -i "${config.mj.base.zfsborg.sshKeyPath}"'';
};
}
// lib.optionalAttrs (attrs ? patterns) {
patterns = attrs.patterns;
})
// lib.optionalAttrs (attrs ? patterns) {inherit (attrs.patterns);})
)
dirs
);

14
modules/services/deployerbot/default.nix
View File

@ -22,14 +22,12 @@ in {
enable = lib.mkEnableOption "Enable system updater orchestrator";
deployDerivations = lib.mkOption {type = listOf str;};
deployIfPresent = lib.mkOption {
type = listOf (submodule (
{...}: {
options = {
derivationTarget = lib.mkOption {type = str;};
pingTarget = lib.mkOption {type = str;};
};
}
));
type = listOf (submodule {
options = {
derivationTarget = lib.mkOption {type = str;};
pingTarget = lib.mkOption {type = str;};
};
});
default = [];
};
uidgid = lib.mkOption {type = int;};

61
modules/services/friendlyport/default.nix
View File

@ -5,50 +5,45 @@
}: {
options.mj.services.friendlyport = with lib.types; {
ports = lib.mkOption {
type = listOf (submodule (
{...}: {
options = {
subnets = lib.mkOption {type = listOf str;};
tcp = lib.mkOption {
type = listOf int;
default = [];
};
udp = lib.mkOption {
type = listOf int;
default = [];
};
type = listOf (submodule {
options = {
subnets = lib.mkOption {type = listOf str;};
tcp = lib.mkOption {
type = listOf int;
default = [];
};
}
));
udp = lib.mkOption {
type = listOf int;
default = [];
};
};
});
};
};
config = let
ports = config.mj.services.friendlyport.ports;
mkAdd = (
proto: subnets: ints: let
subnetsS = builtins.concatStringsSep "," subnets;
intsS = builtins.concatStringsSep "," (map builtins.toString ints);
in
if builtins.length ints == 0
then ""
else "iptables -A INPUT -p ${proto} --match multiport --dports ${intsS} --source ${subnetsS} -j ACCEPT"
);
inherit (config.mj.services.friendlyport.ports);
mkAdd = proto: subnets: ints: let
subnetsS = builtins.concatStringsSep "," subnets;
intsS = builtins.concatStringsSep "," (map builtins.toString ints);
in
if builtins.length ints == 0
then ""
else "iptables -A INPUT -p ${proto} --match multiport --dports ${intsS} --source ${subnetsS} -j ACCEPT";
startTCP = map (attr: mkAdd "tcp" attr.subnets attr.tcp) ports;
startUDP = map (attr: mkAdd "udp" attr.subnets attr.udp) ports;
# TODO: when stopping the firewall, systemd uses the old ports. So this is a two-phase process.
# How to stop the old one and start the new one?
mkDel = (
proto: subnets: ints: let
subnetsS = builtins.concatStringsSep "," subnets;
intsS = builtins.concatStringsSep "," (map builtins.toString ints);
in
if builtins.length ints == 0
then ""
else "iptables -D INPUT -p ${proto} --match multiport --dports ${intsS} --source ${subnetsS} -j ACCEPT || :"
);
mkDel = proto: subnets: ints: let
subnetsS = builtins.concatStringsSep "," subnets;
intsS = builtins.concatStringsSep "," (map builtins.toString ints);
in
if builtins.length ints == 0
then ""
else "iptables -D INPUT -p ${proto} --match multiport --dports ${intsS} --source ${subnetsS} -j ACCEPT || :";
stopTCP = map (attr: mkDel "tcp" attr.subnets attr.tcp) ports;
stopUDP = map (attr: mkDel "udp" attr.subnets attr.udp) ports;

3
modules/services/jakstpub/default.nix
View File

@ -5,7 +5,6 @@
...
}: let
cfg = config.mj.services.jakstpub;
subnets = myData.subnets;
in {
options.mj.services.jakstpub = with lib.types; {
enable = lib.mkEnableOption "Enable jakstpub";
@ -70,7 +69,7 @@ in {
services.samba-wsdd = {
enable = true;
hostname = cfg.hostname;
inherit (cfg.hostname);
};
users.users.jakstpub = {

14
modules/services/syncthing/default.nix
View File

@ -4,8 +4,9 @@
myData,
...
}: let
cfg = config.mj.services.syncthing;
guiPort = 8384;
cfg = config.services.syncthing;
devices = {
"fwminex".id = "GKSUKZE-AOBQOWY-CNLZ2ZI-WNKATYE-MV4Y452-J3VCJ5C-EAANXRX-2P6EHA6";
"vno1-oh2".id = "W45ROUW-CHKI3I6-C4VCOCU-NJYQ3ZS-MJDHH23-YYCDXTI-HTJSBZJ-KZMWTAF";
@ -95,7 +96,7 @@ in {
dataDir = lib.mkOption {type = path;};
};
config = lib.mkIf config.mj.services.syncthing.enable {
config = lib.mkIf cfg.enable {
mj.services.friendlyport.ports = [
{
subnets = myData.subnets.motiejus.cidrs;
@ -104,16 +105,17 @@ in {
];
services.syncthing = {
enable = config.mj.services.syncthing.enable;
inherit (cfg.enable);
inherit (cfg.user);
inherit (cfg.group);
inherit (cfg.dataDir);
openDefaultPorts = true;
guiAddress = let
fqdn = with config.networking; "${hostName}.${domain}";
jakstIP = lib.getAttrFromPath [fqdn "jakstIP"] myData.hosts;
guiPortStr = builtins.toString guiPort;
in "${jakstIP}:${guiPortStr}";
user = config.mj.services.syncthing.user;
group = config.mj.services.syncthing.group;
dataDir = config.mj.services.syncthing.dataDir;
extraOptions.gui.insecureAdminAccess = true;

2
modules/services/tailscale/default.nix
View File

@ -16,7 +16,7 @@ in {
};
};
config = mkIf (cfg.enable) (mkMerge [
config = mkIf cfg.enable (mkMerge [
{
services.tailscale.enable = true;
networking.firewall.checkReversePath = "loose";

26
modules/services/zfsunlock/default.nix
View File

@ -31,21 +31,19 @@ in {
targets = lib.mkOption {
default = {};
type = attrsOf (submodule (
{...}: {
options = {
sshEndpoint = lib.mkOption {type = str;};
pingEndpoint = lib.mkOption {type = str;};
pingTimeoutSec = lib.mkOption {
type = int;
default = 20;
};
remotePubkey = lib.mkOption {type = str;};
pwFile = lib.mkOption {type = path;};
startAt = lib.mkOption {type = either str (listOf str);};
type = attrsOf (submodule {
options = {
sshEndpoint = lib.mkOption {type = str;};
pingEndpoint = lib.mkOption {type = str;};
pingTimeoutSec = lib.mkOption {
type = int;
default = 20;
};
}
));
remotePubkey = lib.mkOption {type = str;};
pwFile = lib.mkOption {type = path;};
startAt = lib.mkOption {type = either str (listOf str);};
};
});
};
};