motiejus
/
config
1
Fork 0
Code Packages Releases Activity

nix fmt

This commit is contained in:
Motiejus Jakštys 2024-07-29 15:39:54 +03:00
parent 3da42ead11
commit 9ea80639a3
51 changed files with 2040 additions and 1758 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
data.nix
View File

@ -70,16 +70,29 @@ rec {
jakstIP = "100.89.176.2";
};
"fra1-a.servers.jakst" = rec {
extraHostNames = ["fra1-a.jakstys.lt" publicIP jakstIP];
extraHostNames = [
"fra1-a.jakstys.lt"
publicIP
jakstIP
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFj9Ktw9SZQlHe/Pl5MI7PRUcCyTgZgZ0SsvWUmO0wBM";
initrdPubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGtYwVhfmdHRK8YcaRQ3JGSIOK55lEMNSPh33Z0iI+pO";
publicIP = "168.119.184.134";
jakstIP = "100.89.176.5";
system = "aarch64-linux";
supportedFeatures = ["nixos-test" "benchmark" "big-parallel" "kvm" "gccarch-armv8-a"];
supportedFeatures = [
"nixos-test"
"benchmark"
"big-parallel"
"kvm"
"gccarch-armv8-a"
];
};
"fwminex.motiejus.jakst" = rec {
extraHostNames = [jakstIP vno1IP];
extraHostNames = [
jakstIP
vno1IP
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHlWSZ/H6DR5i5aCrlrEQLVF9MXNvls/pjlLPLaav3f+";
jakstIP = "100.89.176.6";
vno1IP = "192.168.189.10";
@ -118,14 +131,13 @@ rec {
range = "100.89.176.0-100.89.191.255";
sshPattern = "100.89.176.*"; # until we have more hosts
};
motiejus.cidrs = let
mHosts =
attrVals [
motiejus.cidrs =
let
mHosts = attrVals [
"mxp10.motiejus.jakst"
"mtworx.motiejus.jakst"
"fwminex.motiejus.jakst"
]
hosts;
] hosts;
in
builtins.catAttrs "jakstIP" mHosts;
@ -136,10 +148,12 @@ rec {
vno3.cidr = "192.168.100.0/24";
};
e11syncZone = let
e11syncZone =
let
vno1 = hosts."vno1-oh2.servers.jakst".publicIP;
fra1a = hosts."fra1-a.servers.jakst".publicIP;
in ''
in
''
$ORIGIN 11sync.net.
$TTL 3600
@ SOA ns1.11sync.net. motiejus.11sync.net. (2024011500 86400 86400 86400 86400)
@ -167,10 +181,12 @@ rec {
_github-challenge-11sync-org TXT "ff5e813c58"
'';
jakstysLTZone = let
jakstysLTZone =
let
fra1a = hosts."fra1-a.servers.jakst".publicIP;
vno1 = hosts."vno1-oh2.servers.jakst".publicIP;
in ''
in
''
$ORIGIN jakstys.lt.
$TTL 86400
@ SOA ns1.jakstys.lt. motiejus.jakstys.lt. (2023100800 86400 86400 86400 86400)

85
flake.nix
View File

@ -61,7 +61,8 @@
extra-experimental-features = "nix-command flakes";
};
outputs = {
outputs =
{
self,
nixpkgs,
nixpkgs-unstable,
@ -75,7 +76,8 @@
nur,
nixgl,
...
} @ inputs: let
}@inputs:
let
myData = import ./data.nix;
overlays = [
@ -99,13 +101,12 @@
btrfs-auto-snapshot = super.callPackage ./pkgs/btrfs-auto-snapshot.nix { };
nicer = super.callPackage ./pkgs/nicer.nix { };
pkgs-unstable = import nixpkgs-unstable {
inherit (super) system;
};
pkgs-unstable = import nixpkgs-unstable { inherit (super) system; };
})
];
mkVM = system:
mkVM =
system:
nixpkgs.lib.nixosSystem {
inherit system;
modules = [
@ -117,7 +118,9 @@
home-manager.nixosModules.home-manager
];
specialArgs = {inherit myData;} // inputs;
specialArgs = {
inherit myData;
} // inputs;
};
in
{
@ -147,7 +150,9 @@
}
];
specialArgs = {inherit myData;} // inputs;
specialArgs = {
inherit myData;
} // inputs;
};
vno1-oh2 = nixpkgs.lib.nixosSystem {
@ -184,7 +189,9 @@
}
];
specialArgs = {inherit myData;} // inputs;
specialArgs = {
inherit myData;
} // inputs;
};
fwminex = nixpkgs.lib.nixosSystem {
@ -207,7 +214,9 @@
}
];
specialArgs = {inherit myData;} // inputs;
specialArgs = {
inherit myData;
} // inputs;
};
vno3-rp3b = nixpkgs.lib.nixosSystem {
@ -232,7 +241,9 @@
}
];
specialArgs = {inherit myData;} // inputs;
specialArgs = {
inherit myData;
} // inputs;
};
fra1-a = nixpkgs.lib.nixosSystem {
@ -256,7 +267,9 @@
}
];
specialArgs = {inherit myData;} // inputs;
specialArgs = {
inherit myData;
} // inputs;
};
};
@ -266,8 +279,7 @@
profiles = {
system = {
sshUser = "motiejus";
path =
self.nixosConfigurations.vno1-oh2.pkgs.deploy-rs.lib.activate.nixos self.nixosConfigurations.vno1-oh2;
path = self.nixosConfigurations.vno1-oh2.pkgs.deploy-rs.lib.activate.nixos self.nixosConfigurations.vno1-oh2;
user = "root";
};
};
@ -278,8 +290,7 @@
profiles = {
system = {
sshUser = "motiejus";
path =
self.nixosConfigurations.fwminex.pkgs.deploy-rs.lib.activate.nixos self.nixosConfigurations.fwminex;
path = self.nixosConfigurations.fwminex.pkgs.deploy-rs.lib.activate.nixos self.nixosConfigurations.fwminex;
user = "root";
};
};
@ -290,8 +301,7 @@
profiles = {
system = {
sshUser = "motiejus";
path =
self.nixosConfigurations.mtworx.pkgs.deploy-rs.lib.activate.nixos self.nixosConfigurations.mtworx;
path = self.nixosConfigurations.mtworx.pkgs.deploy-rs.lib.activate.nixos self.nixosConfigurations.mtworx;
user = "root";
};
};
@ -302,8 +312,7 @@
profiles = {
system = {
sshUser = "motiejus";
path =
self.nixosConfigurations.vno3-rp3b.pkgs.deploy-rs.lib.activate.nixos self.nixosConfigurations.vno3-rp3b;
path = self.nixosConfigurations.vno3-rp3b.pkgs.deploy-rs.lib.activate.nixos self.nixosConfigurations.vno3-rp3b;
user = "root";
};
};
@ -314,39 +323,42 @@
profiles = {
system = {
sshUser = "motiejus";
path =
self.nixosConfigurations.fra1-a.pkgs.deploy-rs.lib.activate.nixos self.nixosConfigurations.fra1-a;
path = self.nixosConfigurations.fra1-a.pkgs.deploy-rs.lib.activate.nixos self.nixosConfigurations.fra1-a;
user = "root";
};
};
};
};
checks =
builtins.mapAttrs (
checks = builtins.mapAttrs (
system: deployLib:
let
pkgs = import nixpkgs { inherit system overlays; };
in
deployLib.deployChecks self.deploy
// {
pre-commit-check = inputs.pre-commit-hooks.lib.${system}.run {
src = ./.;
hooks = {
alejandra.enable = true;
nixfmt = {
enable = true;
package = pkgs.nixfmt-rfc-style;
};
deadnix.enable = true;
statix.enable = true;
};
};
compress-drv-test = let
compress-drv-test = pkgs.callPackage ./pkgs/compress-drv/test.nix { };
}
) deploy-rs.lib;
}
// flake-utils.lib.eachDefaultSystem (
system:
let
pkgs = import nixpkgs { inherit system overlays; };
in
pkgs.callPackage ./pkgs/compress-drv/test.nix {};
}
)
deploy-rs.lib;
}
// flake-utils.lib.eachDefaultSystem (system: let
pkgs = import nixpkgs {inherit system overlays;};
in {
{
devShells.default = pkgs.mkShellNoCC {
GIT_AUTHOR_EMAIL = "motiejus@jakstys.lt";
packages = [
@ -359,6 +371,7 @@
inherit (self.checks.${system}.pre-commit-check) shellHook;
};
formatter = pkgs.alejandra;
});
formatter = pkgs.nixfmt-rfc-style;
}
);
}

39
hosts/fra1-a/configuration.nix
View File

@ -4,7 +4,8 @@
myData,
modulesPath,
...
}: {
}:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
zfs-root = {
@ -13,14 +14,19 @@
devNodes = "/dev/disk/by-id/";
bootDevices = [ "scsi-0QEMU_QEMU_HARDDISK_36151096" ];
immutable = false;
availableKernelModules = ["xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod" "virtio_gpu"];
availableKernelModules = [
"xhci_pci"
"virtio_pci"
"virtio_scsi"
"usbhid"
"sr_mod"
"virtio_gpu"
];
removableEfi = true;
kernelParams = [ "console=tty" ];
sshUnlock = {
enable = true;
authorizedKeys =
(builtins.attrValues myData.people_pubkeys)
++ [
authorizedKeys = (builtins.attrValues myData.people_pubkeys) ++ [
myData.hosts."vno1-oh2.servers.jakst".publicKey
];
};
@ -86,9 +92,11 @@
zfsunlock = {
enable = false;
targets."vno1-oh2.servers.jakst" = let
targets."vno1-oh2.servers.jakst" =
let
host = myData.hosts."vno1-oh2.servers.jakst";
in {
in
{
sshEndpoint = host.publicIP;
pingEndpoint = host.jakstIP;
remotePubkey = host.initrdPubKey;
@ -120,7 +128,10 @@
nsd = {
enable = true;
interfaces = ["0.0.0.0" "::"];
interfaces = [
"0.0.0.0"
"::"
];
zones = {
"jakstys.lt.".data = myData.jakstysLTZone;
"11sync.net.".data = myData.e11syncZone;
@ -134,8 +145,16 @@
domain = "servers.jakst";
useDHCP = true;
firewall = {
allowedUDPPorts = [53 443];
allowedTCPPorts = [22 53 80 443];
allowedUDPPorts = [
53
443
];
allowedTCPPorts = [
22
53
80
443
];
};
};

20
hosts/fwminex/configuration.nix
View File

@ -3,9 +3,11 @@
pkgs,
config,
...
}: let
}:
let
nvme = "/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_2TB_S6P1NS0TA01331A_1";
in {
in
{
imports = [
../../modules
../../modules/profiles/btrfs
@ -16,7 +18,13 @@ in {
loader.systemd-boot.enable = true;
initrd = {
kernelModules = [ "usb_storage" ];
availableKernelModules = ["xhci_pci" "thunderbolt" "nvme" "usbhid" "tpm_tis"];
availableKernelModules = [
"xhci_pci"
"thunderbolt"
"nvme"
"usbhid"
"tpm_tis"
];
systemd.enableTpm2 = true;
luks.devices = {
luksroot = {
@ -86,9 +94,11 @@ in {
verboseLogs = false;
};
remote-builder.client = let
remote-builder.client =
let
host = myData.hosts."fra1-a.servers.jakst";
in {
in
{
enable = true;
inherit (host) system supportedFeatures;
hostName = host.jakstIP;

24
hosts/mtworx/configuration.nix
View File

@ -1,10 +1,8 @@
{
config,
myData,
...
}: let
{ config, myData, ... }:
let
nvme = "/dev/disk/by-id/nvme-WD_PC_SN810_SDCQNRY-1T00-1201_23234W800017";
in {
in
{
imports = [
../../shared/work
../../modules
@ -17,7 +15,13 @@ in {
kernelModules = [ "kvm-intel" ];
loader.systemd-boot.enable = true;
initrd = {
availableKernelModules = ["xhci_pci" "thunderbolt" "nvme" "usbhid" "tpm_tis"];
availableKernelModules = [
"xhci_pci"
"thunderbolt"
"nvme"
"usbhid"
"tpm_tis"
];
systemd = {
enableTpm2 = true;
emergencyAccess = true;
@ -81,9 +85,11 @@ in {
toUser = config.mj.username;
};
remote-builder.client = let
remote-builder.client =
let
host = myData.hosts."fra1-a.servers.jakst";
in {
in
{
enable = true;
inherit (host) system supportedFeatures;
hostName = host.jakstIP;

10
hosts/vm/configuration.nix
View File

@ -1,8 +1,5 @@
{ self, modulesPath, ... }:
{
self,
modulesPath,
...
}: {
imports = [
"${modulesPath}/profiles/all-hardware.nix"
"${modulesPath}/installer/cd-dvd/iso-image.nix"
@ -21,7 +18,10 @@
};
boot.loader.systemd-boot.enable = true;
boot.supportedFilesystems = ["zfs" "btrfs"];
boot.supportedFilesystems = [
"zfs"
"btrfs"
];
isoImage = {
isoName = "toolshed-${self.lastModifiedDate}.iso";

98
hosts/vno1-oh2/configuration.nix
View File

@ -4,7 +4,8 @@
pkgs,
myData,
...
}: {
}:
{
zfs-root = {
boot = {
enable = true;
@ -26,9 +27,9 @@
];
sshUnlock = {
enable = true;
authorizedKeys =
(builtins.attrValues myData.people_pubkeys)
++ [myData.hosts."fra1-a.servers.jakst".publicKey];
authorizedKeys = (builtins.attrValues myData.people_pubkeys) ++ [
myData.hosts."fra1-a.servers.jakst".publicKey
];
};
};
};
@ -50,7 +51,11 @@
snapshot = {
enable = true;
mountpoints = ["/home" "/var/lib" "/var/log"];
mountpoints = [
"/home"
"/var/lib"
"/var/log"
];
};
zfsborg = {
@ -73,9 +78,7 @@
"tailscale"
"private/soju"
];
patterns = [
"- gitea/data/repo-archive/"
];
patterns = [ "- gitea/data/repo-archive/" ];
backup_at = "*-*-* 01:00:00 UTC";
prune.keep = {
within = "1d";
@ -86,7 +89,9 @@
}
{
mountpoint = "/var/lib";
repo = "borgstor@${myData.hosts."vno3-rp3b.servers.jakst".jakstIP}:${config.networking.hostName}.${config.networking.domain}-var_lib";
repo = "borgstor@${
myData.hosts."vno3-rp3b.servers.jakst".jakstIP
}:${config.networking.hostName}.${config.networking.domain}-var_lib";
paths = [
"bitwarden_rs"
"caddy"
@ -98,9 +103,7 @@
"tailscale"
"private/soju"
];
patterns = [
"- gitea/data/repo-archive/"
];
patterns = [ "- gitea/data/repo-archive/" ];
backup_at = "*-*-* 01:00:00 UTC";
}
@ -117,7 +120,9 @@
}
{
mountpoint = "/var/log";
repo = "borgstor@${myData.hosts."vno3-rp3b.servers.jakst".jakstIP}:${config.networking.hostName}.${config.networking.domain}-var_log";
repo = "borgstor@${
myData.hosts."vno3-rp3b.servers.jakst".jakstIP
}:${config.networking.hostName}.${config.networking.domain}-var_log";
paths = [ "caddy" ];
patterns = [
"+ caddy/access-jakstys.lt.log-*.zst"
@ -138,7 +143,9 @@
}
{
mountpoint = "/home";
repo = "borgstor@${myData.hosts."vno3-rp3b.servers.jakst".jakstIP}:${config.networking.hostName}.${config.networking.domain}-home-motiejus-annex2";
repo = "borgstor@${
myData.hosts."vno3-rp3b.servers.jakst".jakstIP
}:${config.networking.hostName}.${config.networking.domain}-home-motiejus-annex2";
paths = [
"motiejus/annex2"
"motiejus/.config/syncthing"
@ -181,9 +188,11 @@
subnetCIDR = myData.subnets.tailscale.cidr;
};
nsd-acme = let
nsd-acme =
let
accountKey = config.age.secrets.letsencrypt-account-key.path;
in {
in
{
enable = true;
zones = {
"irc.jakstys.lt".accountKey = accountKey;
@ -228,9 +237,11 @@
zfsunlock = {
enable = true;
targets."fra1-a.servers.jakst" = let
targets."fra1-a.servers.jakst" =
let
host = myData.hosts."fra1-a.servers.jakst";
in {
in
{
sshEndpoint = host.publicIP;
pingEndpoint = host.jakstIP;
remotePubkey = host.initrdPubKey;
@ -239,9 +250,11 @@
};
};
remote-builder.client = let
remote-builder.client =
let
host = myData.hosts."fra1-a.servers.jakst";
in {
in
{
enable = true;
inherit (host) system supportedFeatures;
hostName = host.jakstIP;
@ -301,7 +314,8 @@
"www.jakstys.lt".extraConfig = ''
redir https://jakstys.lt
'';
"irc.jakstys.lt".extraConfig = let
"irc.jakstys.lt".extraConfig =
let
gamja = pkgs.compressDrvWeb (pkgs.gamja.override {
gamjaConfig = {
server = {
@ -310,7 +324,8 @@
};
};
}) { };
in ''
in
''
@denied not remote_ip ${myData.subnets.tailscale.cidr}
abort @denied
tls {$CREDENTIALS_DIRECTORY}/irc.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/irc.jakstys.lt-key.pem
@ -452,9 +467,11 @@
evaluation_interval = "1m";
};
scrapeConfigs = let
scrapeConfigs =
let
port = builtins.toString myData.ports.exporters.node;
in [
in
[
{
job_name = "prometheus";
static_configs = [ { targets = [ "127.0.0.1:${toString myData.ports.prometheus}" ]; } ];
@ -492,7 +509,10 @@
nsd = {
enable = true;
interfaces = ["0.0.0.0" "::"];
interfaces = [
"0.0.0.0"
"::"
];
zones = {
"jakstys.lt.".data = myData.jakstysLTZone;
"11sync.net.".data = myData.e11syncZone;
@ -557,12 +577,14 @@
};
systemd.services = {
caddy = let
caddy =
let
irc = config.mj.services.nsd-acme.zones."irc.jakstys.lt";
hass = config.mj.services.nsd-acme.zones."hass.jakstys.lt";
grafana = config.mj.services.nsd-acme.zones."grafana.jakstys.lt";
bitwarden = config.mj.services.nsd-acme.zones."bitwarden.jakstys.lt";
in {
in
{
serviceConfig.LoadCredential = [
"irc.jakstys.lt-cert.pem:${irc.certFile}"
"irc.jakstys.lt-key.pem:${irc.keyFile}"
@ -587,9 +609,11 @@
];
};
soju = let
soju =
let
acme = config.mj.services.nsd-acme.zones."irc.jakstys.lt";
in {
in
{
serviceConfig = {
RuntimeDirectory = "soju";
LoadCredential = [
@ -610,9 +634,7 @@
serviceConfig = {
EnvironmentFile = [ "-/run/vaultwarden/secrets.env" ];
RuntimeDirectory = "vaultwarden";
LoadCredential = [
"secrets.env:${config.age.secrets.vaultwarden-secrets-env.path}"
];
LoadCredential = [ "secrets.env:${config.age.secrets.vaultwarden-secrets-env.path}" ];
};
};
@ -672,9 +694,11 @@
};
};
users = let
users =
let
uidgid = myData.uidgid.photoprism;
in {
in
{
groups.photoprism.gid = uidgid;
users.photoprism = {
group = "photoprism";
@ -702,7 +726,11 @@
}
];
firewall = {
allowedUDPPorts = [53 80 443];
allowedUDPPorts = [
53
80
443
];
allowedTCPPorts = [
53
80

12
hosts/vno3-rp3b/configuration.nix
View File

@ -6,15 +6,17 @@
pkgs,
myData,
...
}: {
imports = [
../../modules/profiles/sdcard
];
}:
{
imports = [ ../../modules/profiles/sdcard ];
boot = {
initrd = {
availableKernelModules = [ "usbhid" ];
kernelModules = ["vc4" "bcm2835_dma"];
kernelModules = [
"vc4"
"bcm2835_dma"
];
};
loader = {
grub.enable = false;

66
modules/base/boot/default.nix
View File

@ -3,11 +3,25 @@
lib,
pkgs,
...
}: let
}:
let
cfg = config.zfs-root.boot;
inherit (lib) mkIf types mkDefault mkOption mkMerge strings;
inherit (builtins) head toString map tail;
in {
inherit (lib)
mkIf
types
mkDefault
mkOption
mkMerge
strings
;
inherit (builtins)
head
toString
map
tail
;
in
{
options.zfs-root.boot = {
enable = mkOption {
description = "Enable root on ZFS support";
@ -17,9 +31,10 @@ in {
devNodes = mkOption {
description = "Specify where to discover ZFS pools";
type = types.str;
apply = x:
assert (strings.hasSuffix "/" x
|| abort "devNodes '${x}' must have trailing slash!"); x;
apply =
x:
assert (strings.hasSuffix "/" x || abort "devNodes '${x}' must have trailing slash!");
x;
default = "/dev/disk/by-id/";
};
bootDevices = mkOption {
@ -28,7 +43,11 @@ in {
};
availableKernelModules = mkOption {
type = types.nonEmptyListOf types.str;
default = ["uas" "nvme" "ahci"];
default = [
"uas"
"nvme"
"ahci"
];
};
kernelParams = mkOption {
type = types.listOf types.str;
@ -77,7 +96,9 @@ in {
};
}
(mkIf (!cfg.immutable) {
zfs-root.fileSystems.datasets = {"rpool/nixos/root" = "/";};
zfs-root.fileSystems.datasets = {
"rpool/nixos/root" = "/";
};
})
(mkIf cfg.immutable {
zfs-root.fileSystems = {
@ -100,13 +121,12 @@ in {
})
{
zfs-root.fileSystems = {
efiSystemPartitions =
map (diskName: diskName + cfg.partitionScheme.efiBoot)
cfg.bootDevices;
efiSystemPartitions = map (diskName: diskName + cfg.partitionScheme.efiBoot) cfg.bootDevices;
swapPartitions =
if cfg.partitionScheme ? swap
then map (diskName: diskName + cfg.partitionScheme.swap) cfg.bootDevices
else [];
if cfg.partitionScheme ? swap then
map (diskName: diskName + cfg.partitionScheme.swap) cfg.bootDevices
else
[ ];
};
boot = {
initrd.availableKernelModules = cfg.availableKernelModules;
@ -118,14 +138,8 @@ in {
};
loader = {
efi = {
canTouchEfiVariables =
if cfg.removableEfi
then false
else true;
efiSysMountPoint =
"/boot/efis/"
+ (head cfg.bootDevices)
+ cfg.partitionScheme.efiBoot;
canTouchEfiVariables = if cfg.removableEfi then false else true;
efiSysMountPoint = "/boot/efis/" + (head cfg.bootDevices) + cfg.partitionScheme.efiBoot;
};
generationsDir.copyKernels = true;
grub = {
@ -135,11 +149,13 @@ in {
copyKernels = true;
efiSupport = true;
zfsSupport = true;
extraInstallCommands = toString (map (diskName: ''
extraInstallCommands = toString (
map (diskName: ''
set -x
${pkgs.coreutils-full}/bin/cp -r ${config.boot.loader.efi.efiSysMountPoint}/EFI /boot/efis/${diskName}${cfg.partitionScheme.efiBoot}
set +x
'') (tail cfg.bootDevices));
'') (tail cfg.bootDevices)
);
};
};
};

25
modules/base/btrfssnapshot/default.nix
View File

@ -3,15 +3,18 @@
lib,
pkgs,
...
}: let
}:
let
cfg = config.mj.base.btrfssnapshot;
in {
in
{
options.mj.base.btrfssnapshot = {
enable = lib.mkEnableOption "Enable btrfs snapshots";
subvolumes = lib.mkOption {
default = { };
type = with lib.types;
type =
with lib.types;
attrsOf (submodule {
options = {
label = lib.mkOption { type = str; };
@ -24,25 +27,17 @@ in {
config = lib.mkIf cfg.enable {
systemd = {
services =
lib.mapAttrs'
(
services = lib.mapAttrs' (
subvolume: params:
lib.nameValuePair
"btrfs-snapshot-${lib.strings.sanitizeDerivationName subvolume}"
{
lib.nameValuePair "btrfs-snapshot-${lib.strings.sanitizeDerivationName subvolume}" {
description = "${params.label} btrfs snapshot for ${subvolume} (keep ${params.keep}";
serviceConfig.ExecStart = "${pkgs.btrfs-auto-snapshot} --verbose --label=${params.label} --keep=${params.keep} ${subvolume}";
}
);
timers =
lib.mapAttrs'
(
timers = lib.mapAttrs' (
subvolume: params:
lib.nameValuePair
"btrfs-snapshot-${lib.strings.sanitizeDerivationName subvolume}"
{
lib.nameValuePair "btrfs-snapshot-${lib.strings.sanitizeDerivationName subvolume}" {
description = "${params.label} btrfs snapshot for ${subvolume}";
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = params.refreshInterval;

15
modules/base/default.nix
View File

@ -4,9 +4,11 @@
pkgs,
myData,
...
}: let
}:
let
cfg = config.mj;
in {
in
{
imports = [
./boot
./btrfssnapshot
@ -80,7 +82,10 @@ in {
options = "--delete-older-than 14d";
};
settings = {
experimental-features = ["nix-command" "flakes"];
experimental-features = [
"nix-command"
"flakes"
];
trusted-users = [ cfg.username ];
};
};
@ -95,7 +100,8 @@ in {
};
environment = {
systemPackages = with pkgs;
systemPackages =
with pkgs;
lib.mkMerge [
[
bc
@ -165,7 +171,6 @@ in {
smartmontools
unixtools.xxd
bcachefs-tools
nixfmt-rfc-style
sqlite-interactive
# networking

49
modules/base/fileSystems/default.nix
View File

@ -1,11 +1,15 @@
{
config,
lib,
...
}: let
{ config, lib, ... }:
let
cfg = config.zfs-root.fileSystems;
inherit (lib) types mkDefault mkOption mkMerge mapAttrsToList;
in {
inherit (lib)
types
mkDefault
mkOption
mkMerge
mapAttrsToList
;
in
{
options.zfs-root.fileSystems = {
datasets = mkOption {
description = "Set mountpoint for datasets";
@ -28,23 +32,29 @@ in {
default = [ ];
};
};
config.fileSystems = mkMerge (mapAttrsToList (dataset: mountpoint: {
config.fileSystems = mkMerge (
mapAttrsToList (dataset: mountpoint: {
"${mountpoint}" = {
device = "${dataset}";
fsType = "zfs";
options = ["X-mount.mkdir" "noatime"];
options = [
"X-mount.mkdir"
"noatime"
];
neededForBoot = true;
};
})
cfg.datasets
}) cfg.datasets
++ mapAttrsToList (bindsrc: mountpoint: {
"${mountpoint}" = {
device = "${bindsrc}";
fsType = "none";
options = ["bind" "X-mount.mkdir" "noatime"];
options = [
"bind"
"X-mount.mkdir"
"noatime"
];
};
})
cfg.bindmounts
}) cfg.bindmounts
++ map (esp: {
"/boot/efis/${esp}" = {
device = "${config.zfs-root.boot.devNodes}${esp}";
@ -58,15 +68,16 @@ in {
"X-mount.mkdir"
];
};
})
cfg.efiSystemPartitions);
config.swapDevices = mkDefault (map (swap: {
}) cfg.efiSystemPartitions
);
config.swapDevices = mkDefault (
map (swap: {
device = "${config.zfs-root.boot.devNodes}${swap}";
discardPolicy = mkDefault "both";
randomEncryption = {
enable = true;
allowDiscards = mkDefault true;
};
})
cfg.swapPartitions);
}) cfg.swapPartitions
);
}

27
modules/base/snapshot/default.nix
View File

@ -1,8 +1,5 @@
{ config, lib, ... }:
{
config,
lib,
...
}: {
options.mj.base.snapshot = {
enable = lib.mkEnableOption "Enable zfs snapshots";
@ -22,21 +19,21 @@
autoprune = true;
};
extraArgs = [ "--verbose" ];
datasets = let
datasets =
let
fs_zfs = lib.filterAttrs (_: v: v.fsType == "zfs") config.fileSystems;
mountpoint2fs =
builtins.listToAttrs
(map (mountpoint: {
mountpoint2fs = builtins.listToAttrs (
map (mountpoint: {
name = mountpoint;
value = builtins.getAttr mountpoint fs_zfs;
})
config.mj.base.snapshot.mountpoints);
s_datasets =
lib.mapAttrs' (_mountpoint: fs: {
}) config.mj.base.snapshot.mountpoints
);
s_datasets = lib.mapAttrs' (_mountpoint: fs: {
name = fs.device;
value = {use_template = ["prod"];};
})
mountpoint2fs;
value = {
use_template = [ "prod" ];
};
}) mountpoint2fs;
in
s_datasets;
};

11
modules/base/sshd/default.nix
View File

@ -3,7 +3,8 @@
lib,
myData,
...
}: {
}:
{
config = {
services.openssh = {
enable = true;
@ -13,8 +14,12 @@
};
};
programs.mosh.enable = true;
programs.ssh.knownHosts = let
sshAttrs = lib.genAttrs ["extraHostNames" "publicKey"] (_: null);
programs.ssh.knownHosts =
let
sshAttrs = lib.genAttrs [
"extraHostNames"
"publicKey"
] (_: null);
in
lib.mapAttrs (_name: builtins.intersectAttrs sshAttrs) myData.hosts;
};

19
modules/base/unitstatus/default.nix
View File

@ -3,7 +3,8 @@
lib,
pkgs,
...
}: {
}:
{
# TODO:
# - assert postfix is configured
options.mj.base.unitstatus = with lib.types; {
@ -18,7 +19,8 @@
config = lib.mkIf config.mj.base.unitstatus.enable {
systemd.services =
{
"unit-status-mail@" = let
"unit-status-mail@" =
let
# https://northernlightlabs.se/2014-07-05/systemd-status-mail-on-unit-failure.html
script = pkgs.writeShellScript "unit-status-mail" ''
set -e
@ -40,7 +42,8 @@
echo -e "Status mail sent to: $MAILTO for unit: $UNIT"
'';
in {
in
{
description = "Send an email on unit failure";
serviceConfig = {
Type = "simple";
@ -48,10 +51,10 @@
};
};
}
// lib.genAttrs config.mj.base.unitstatus.units (
unit: {
unitConfig = {OnFailure = "unit-status-mail@${unit}.service";};
}
);
// lib.genAttrs config.mj.base.unitstatus.units (unit: {
unitConfig = {
OnFailure = "unit-status-mail@${unit}.service";
};
});
};
}

26
modules/base/users/default.nix
View File

@ -3,7 +3,8 @@
lib,
myData,
...
}: let
}:
let
cfg = config.mj.base.users;
props = with lib.types; {
hashedPasswordFile = lib.mkOption {
@ -24,7 +25,8 @@
default = [ ];
};
};
in {
in
{
options.mj.base.users = with lib.types; {
enable = lib.mkEnableOption "enable motiejus and root";
devTools = lib.mkOption {
@ -44,12 +46,16 @@ in {
mutableUsers = false;
users = {
${config.mj.username} =
{
${config.mj.username} = {
isNormalUser = true;
extraGroups = ["wheel" "dialout" "video"] ++ cfg.user.extraGroups;
extraGroups = [
"wheel"
"dialout"
"video"
] ++ cfg.user.extraGroups;
uid = myData.uidgid.motiejus;
openssh.authorizedKeys.keys = let
openssh.authorizedKeys.keys =
let
fqdn = "${config.networking.hostName}.${config.networking.domain}";
in
lib.mkMerge [
@ -59,18 +65,18 @@ in {
]
(lib.mkIf (builtins.hasAttr fqdn myData.hosts) [
("from=\"127.0.0.1,::1\" " + myData.hosts.${fqdn}.publicKey)
(''from="127.0.0.1,::1" '' + myData.hosts.${fqdn}.publicKey)
])
];
}
// lib.filterAttrs (n: v: n != "extraGroups" && v != null) cfg.user or {};
} // lib.filterAttrs (n: v: n != "extraGroups" && v != null) cfg.user or { };
root = lib.filterAttrs (_: v: v != null) cfg.root;
};
};
home-manager.useGlobalPkgs = true;
home-manager.users.${config.mj.username} = {pkgs, ...}:
home-manager.users.${config.mj.username} =
{ pkgs, ... }:
import ../../../shared/home {
inherit lib;
inherit pkgs;

5
modules/base/zfs/default.nix
View File

@ -1,8 +1,5 @@
{ config, lib, ... }:
{
config,
lib,
...
}: {
options.mj.base.zfs = with lib.types; {
enable = lib.mkEnableOption "Enable common zfs options";
};

47
modules/base/zfsborg/default.nix
View File

@ -3,7 +3,8 @@
lib,
pkgs,
...
}: let
}:
let
mkPreHook = zfs_name: i: ''
set -x
sleep ${toString i}
@ -15,7 +16,8 @@
"$RUNTIME_DIRECTORY/snapshot"
cd "$RUNTIME_DIRECTORY/snapshot"
'';
in {
in
{
options.mj.base.zfsborg = with lib.types; {
enable = lib.mkEnableOption "backup zfs snapshots with borg";
@ -46,31 +48,31 @@ in {
};
};
config = with config.mj.base.zfsborg;
config =
with config.mj.base.zfsborg;
lib.mkIf enable {
systemd.services = lib.listToAttrs (lib.imap0 (
i: attr: let
systemd.services = lib.listToAttrs (
lib.imap0 (
i: attr:
let
svcName = "borgbackup-job-${lib.strings.sanitizeDerivationName attr.mountpoint}-${toString i}";
in
lib.nameValuePair svcName {
serviceConfig.RuntimeDirectory = svcName;
}
)
dirs);
lib.nameValuePair svcName { serviceConfig.RuntimeDirectory = svcName; }
) dirs
);
services.borgbackup.jobs = builtins.listToAttrs (
lib.imap0 (
i: attrs: let
i: attrs:
let
mountpoint = builtins.getAttr "mountpoint" attrs;
fs = builtins.getAttr mountpoint config.fileSystems;
in
assert fs.fsType == "zfs";
assert lib.assertMsg
config.mj.base.unitstatus.enable
assert lib.assertMsg config.mj.base.unitstatus.enable
"config.mj.base.unitstatus.enable must be true";
lib.nameValuePair
"${lib.strings.sanitizeDerivationName mountpoint}-${toString i}"
({
lib.nameValuePair "${lib.strings.sanitizeDerivationName mountpoint}-${toString i}" (
{
inherit (attrs) repo paths;
doInit = true;
@ -91,21 +93,24 @@ in {
};
environment =
{
BORG_HOST_ID = let
BORG_HOST_ID =
let
h = config.networking;
in "${h.hostName}.${h.domain}@${h.hostId}";
in
"${h.hostName}.${h.domain}@${h.hostId}";
}
// lib.optionalAttrs (sshKeyPath != null) {
BORG_RSH = ''ssh -i "${config.mj.base.zfsborg.sshKeyPath}"'';
};
}
// lib.optionalAttrs (attrs ? patterns) { inherit (attrs) patterns; }
// lib.optionalAttrs (attrs ? prune) {inherit (attrs) prune;})
// lib.optionalAttrs (attrs ? prune) { inherit (attrs) prune; }
)
dirs
) dirs
);
mj.base.unitstatus.units = let
mj.base.unitstatus.units =
let
sanitized = map lib.strings.sanitizeDerivationName (lib.catAttrs "mountpoint" dirs);
in
lib.imap0 (i: name: "borgbackup-job-${name}-${toString i}") sanitized;

3
modules/default.nix
View File

@ -1,4 +1,5 @@
{...}: {
{ ... }:
{
imports = [
./base
./services

6
modules/profiles/autorandr/default.nix
View File

@ -1,4 +1,5 @@
{config, ...}: let
{ config, ... }:
let
eDP-1 = {
mtworx = {
fingerprint = "00ffffffffffff000e6f041400000000001e0104a51e1378033784a5544d9a240e515500000001010101010101010101010101010101353c80a070b02340302036002ebd10000018000000fd00303c4a4a0f010a202020202020000000fe0043534f542054330a2020202020000000fe004d4e453030374a41312d310a2000b5";
@ -24,7 +25,8 @@
fingerprint = "00ffffffffffff0010ac5d424c32313804200104b54028783a94f5af4f47a4240e5054a54b00d100d1c0b300a94081808100714f0101e26800a0a0402e603020360081912100001a000000ff003934585a3548330a2020202020000000fc0044454c4c205533303233450a20000000fd00384c1e711c010a20202020202001ee020319f14c90040302011112131f20212223097f0783010000023a801871382d40582c450081912100001e7e3900a080381f4030203a0081912100001a011d007251d01e206e28550081912100001ebf1600a08038134030203a0081912100001a00000000000000000000000000000000000000000000000000000000000052";
mode = "2560x1600";
};
in {
in
{
services.autorandr = {
enable = true;
matchEdid = true;

3
modules/profiles/btrfs/default.nix
View File

@ -1,4 +1,5 @@
{pkgs, ...}: {
{ pkgs, ... }:
{
boot.supportedFilesystems = [ "btrfs" ];
environment.systemPackages = [ pkgs.btrfs-auto-snapshot ];

54
modules/profiles/desktop/default.nix
View File

@ -3,13 +3,13 @@
pkgs,
config,
...
}: let
}:
let
username = config.mj.username;
firefox =
if (pkgs.stdenv.hostPlatform.system == "x86_64-linux")
then pkgs.firefox-bin
else pkgs.firefox;
in {
if (pkgs.stdenv.hostPlatform.system == "x86_64-linux") then pkgs.firefox-bin else pkgs.firefox;
in
{
config = {
hardware.bluetooth = {
enable = true;
@ -27,7 +27,13 @@ in {
};
};
mj.base.users.user.extraGroups = ["adbusers" "networkmanager" "wireshark" "podman" "docker"];
mj.base.users.user.extraGroups = [
"adbusers"
"networkmanager"
"wireshark"
"podman"
"docker"
];
services = {
fwupd.enable = true;
@ -46,8 +52,9 @@ in {
enable = true;
drivers = [
pkgs.samsung-unified-linux-driver_4_01_17
(pkgs.writeTextDir "share/cups/model/HP_Color_Laser_15x_Series.ppd"
(builtins.readFile ../../../shared/HP_Color_Laser_15x_Series.ppd))
(pkgs.writeTextDir "share/cups/model/HP_Color_Laser_15x_Series.ppd" (
builtins.readFile ../../../shared/HP_Color_Laser_15x_Series.ppd
))
];
};
@ -127,7 +134,8 @@ in {
};
};
environment.systemPackages = with pkgs;
environment.systemPackages =
with pkgs;
lib.mkMerge [
[
# packages defined here
@ -225,8 +233,7 @@ in {
xorg.xinit
(texlive.combine {
inherit
(texlive)
inherit (texlive)
scheme-medium
dvisvgm
dvipng
@ -256,11 +263,9 @@ in {
# https://discourse.nixos.org/t/nixos-rebuild-switch-upgrade-networkmanager-wait-online-service-failure/30746
systemd.services.NetworkManager-wait-online.enable = false;
home-manager.users.${username} = {
pkgs,
config,
...
}: {
home-manager.users.${username} =
{ pkgs, config, ... }:
{
imports = [ ./plasma.nix ];
xdg.configFile."awesome/rc.lua".source = ./rc.lua;
@ -269,10 +274,12 @@ in {
neomutt.enable = true;
notmuch.enable = true;
tmux.extraConfig = let
tmux.extraConfig =
let
cmd = "${pkgs.extract_url}/bin/extract_url";
cfg = pkgs.writeText "urlviewrc" "COMMAND systemd-run --user --collect xdg-open %s";
in ''
in
''
bind-key u capture-pane -J \; \
save-buffer /tmp/tmux-buffer \; \
delete-buffer \; \
@ -311,13 +318,11 @@ in {
extraConfig = ''
set index_format="%4C %Z %{%F %H:%M} %-15.15L (%?l?%4l&%4c?) %s"
set mailcap_path = ${
pkgs.writeText "mailcaprc" ''
set mailcap_path = ${pkgs.writeText "mailcaprc" ''
text/html; ${pkgs.elinks}/bin/elinks -dump ; copiousoutput;
application/*; ${pkgs.xdg-utils}/bin/xdg-open %s &> /dev/null &;
image/*; ${pkgs.xdg-utils}/bin/xdg-open %s &> /dev/null &;
''
}
''}
auto_view text/html
unset record
set send_charset="utf-8"
@ -366,7 +371,10 @@ in {
pasystray = {
enable = true;
extraOptions = ["--key-grabbing" "--notify=all"];
extraOptions = [
"--key-grabbing"
"--notify=all"
];
};
gpg-agent = {

60
modules/profiles/desktop/plasma.nix
View File

@ -4,31 +4,31 @@
lib,
pkgs,
...
}: let
}:
let
cfg = config.mj.plasma;
setValue = v: let
setValue =
v:
let
setValueArgs = ty: vs: "--type ${ty} ${lib.escapeShellArg vs}";
in
if builtins.isBool v
then
setValueArgs "bool" (
if v
then "true"
else "false"
)
else setValueArgs "str" (builtins.toString v);
if builtins.isBool v then
setValueArgs "bool" (if v then "true" else "false")
else
setValueArgs "str" (builtins.toString v);
pathToArgs = path: let
pathToArgs =
path:
let
groupArg = item: "--group ${lib.escapeShellArg item}";
groupArgs = builtins.map groupArg path;
in
groupArgs;
entryToArgs = {
path,
value,
}: let
entryToArgs =
{ path, value }:
let
file = builtins.head path;
subpath = builtins.tail path;
groups = lib.lists.init subpath;
@ -38,25 +38,34 @@
pathArgs = pathToArgs groups;
keyArg = "--key ${lib.escapeShellArg name}";
valueArg = setValue value;
allArgs = pathArgs ++ [fileArg keyArg valueArg];
allArgs = pathArgs ++ [
fileArg
keyArg
valueArg
];
in
lib.strings.concatStringsSep " " allArgs;
flattenAttrs = attrs: pathSoFar:
lib.lists.flatten (lib.attrsets.mapAttrsToList (
flattenAttrs =
attrs: pathSoFar:
lib.lists.flatten (
lib.attrsets.mapAttrsToList (
name: value:
if builtins.isAttrs value
then flattenAttrs value (pathSoFar ++ [name])
else {
if builtins.isAttrs value then
flattenAttrs value (pathSoFar ++ [ name ])
else
{
path = pathSoFar ++ [ name ];
inherit value;
}
)
attrs);
) attrs
);
configToArgs = attrs: builtins.map entryToArgs (flattenAttrs attrs [ ]);
configToScript = attrs: let
configToScript =
attrs:
let
args = configToArgs attrs;
argToCommand = arg: "${pkgs.plasma5Packages.kconfig}/bin/kwriteconfig5 ${arg}";
commands = builtins.map argToCommand args;
@ -64,7 +73,8 @@
lib.strings.concatStringsSep "\n" commands;
writeConfig = attrs: pkgs.writeScript "kconfig-setup" (configToScript attrs);
in {
in
{
options.mj.plasma = {
kconfig = lib.mkOption {
type = lib.types.attrs;

4
modules/profiles/sdcard/default.nix
View File

@ -1,3 +1 @@
_: {
services.journald.extraConfig = "Storage=volatile";
}
_: { services.journald.extraConfig = "Storage=volatile"; }

14
modules/services/borgstor/default.nix
View File

@ -4,14 +4,16 @@
myData,
pkgs,
...
}: {
}:
{
options.mj.services.borgstor = with lib.types; {
enable = lib.mkEnableOption "Enable borg storage user";
dataDir = lib.mkOption { type = path; };
sshKeys = lib.mkOption { type = listOf str; };
};
config = with config.mj.services.borgstor;
config =
with config.mj.services.borgstor;
lib.mkIf enable {
users.users.borgstor = {
description = "Borg Storage";
@ -21,11 +23,9 @@
isSystemUser = true;
createHome = false;
uid = myData.uidgid.borgstor;
openssh.authorizedKeys.keys =
map (
k: "command=\"${pkgs.borgbackup}/bin/borg serve --restrict-to-path ${dataDir}\",restrict ${k}"
)
sshKeys;
openssh.authorizedKeys.keys = map (
k: ''command="${pkgs.borgbackup}/bin/borg serve --restrict-to-path ${dataDir}",restrict ${k}''
) sshKeys;
};
users.groups.borgstor.gid = myData.uidgid.borgstor;

3
modules/services/default.nix
View File

@ -1,4 +1,5 @@
{...}: {
{ ... }:
{
imports = [
./borgstor
./deployerbot

40
modules/services/deployerbot/default.nix
View File

@ -3,7 +3,8 @@
lib,
pkgs,
...
}: {
}:
{
options.mj.services.deployerbot.main = with lib.types; {
enable = lib.mkEnableOption "Enable system updater orchestrator";
deployDerivations = lib.mkOption { type = listOf str; };
@ -28,7 +29,8 @@
};
config = lib.mkMerge [
(let
(
let
cfg = config.mj.services.deployerbot.main;
in
lib.mkIf cfg.enable {
@ -46,8 +48,14 @@
systemd.services.deployerbot = {
description = "Update all known systems";
environment = {TZ = "UTC";};
path = [pkgs.git pkgs.openssh pkgs.nix];
environment = {
TZ = "UTC";
};
path = [
pkgs.git
pkgs.openssh
pkgs.nix
];
restartIfChanged = false;
serviceConfig = {
Type = "oneshot";
@ -55,9 +63,11 @@
WorkingDirectory = config.users.users.deployerbot-main.home;
LoadCredential = [ "ssh-key:/etc/ssh/ssh_host_ed25519_key" ];
};
script = let
script =
let
deployDerivationsStr = builtins.concatStringsSep " " cfg.deployDerivations;
in ''
in
''
set -xeuo pipefail
export GIT_SSH_COMMAND="ssh -i ''${CREDENTIALS_DIRECTORY}/ssh-key"
@ -98,8 +108,7 @@
--targets ${t.derivationTarget} -- \
--accept-flake-config || EXITCODE=1
fi
'')
cfg.deployIfPresent}
'') cfg.deployIfPresent}
exit $EXITCODE
'';
@ -114,9 +123,11 @@
mj.base.unitstatus.units = [ "deployerbot" ];
nix.settings.trusted-users = [ "deployerbot-main" ];
})
}
)
(let
(
let
cfg = config.mj.services.deployerbot.follower;
in
lib.mkIf cfg.enable {
@ -129,12 +140,13 @@
isSystemUser = true;
createHome = true;
uid = cfg.uidgid;
openssh.authorizedKeys.keys =
map (k: "from=\"${builtins.concatStringsSep "," cfg.sshAllowSubnets}\" " + k)
cfg.publicKeys;
openssh.authorizedKeys.keys = map (
k: ''from="${builtins.concatStringsSep "," cfg.sshAllowSubnets}" '' + k
) cfg.publicKeys;
};
users.groups.deployerbot-follower.gid = cfg.uidgid;
nix.settings.trusted-users = [ "deployerbot-follower" ];
})
}
)
];
}

33
modules/services/friendlyport/default.nix
View File

@ -1,8 +1,5 @@
{ config, lib, ... }:
{
config,
lib,
...
}: {
options.mj.services.friendlyport = with lib.types; {
ports = lib.mkOption {
type = listOf (submodule {
@ -21,33 +18,41 @@
};
};
config = let
config =
let
inherit (config.mj.services.friendlyport) ports;
mkAdd = proto: subnets: ints: let
mkAdd =
proto: subnets: ints:
let
subnetsS = builtins.concatStringsSep "," subnets;
intsS = builtins.concatStringsSep "," (map builtins.toString ints);
in
if builtins.length ints == 0
then ""
else "iptables -A INPUT -p ${proto} --match multiport --dports ${intsS} --source ${subnetsS} -j ACCEPT";
if builtins.length ints == 0 then
""
else
"iptables -A INPUT -p ${proto} --match multiport --dports ${intsS} --source ${subnetsS} -j ACCEPT";
startTCP = map (attr: mkAdd "tcp" attr.subnets attr.tcp) ports;
startUDP = map (attr: mkAdd "udp" attr.subnets attr.udp) ports;
# TODO: when stopping the firewall, systemd uses the old ports. So this is a two-phase process.
# How to stop the old one and start the new one?
mkDel = proto: subnets: ints: let
mkDel =
proto: subnets: ints:
let
subnetsS = builtins.concatStringsSep "," subnets;
intsS = builtins.concatStringsSep "," (map builtins.toString ints);
in
if builtins.length ints == 0
then ""
else "iptables -D INPUT -p ${proto} --match multiport --dports ${intsS} --source ${subnetsS} -j ACCEPT || :";
if builtins.length ints == 0 then
""
else
"iptables -D INPUT -p ${proto} --match multiport --dports ${intsS} --source ${subnetsS} -j ACCEPT || :";
stopTCP = map (attr: mkDel "tcp" attr.subnets attr.tcp) ports;
stopUDP = map (attr: mkDel "udp" attr.subnets attr.udp) ports;
in {
in
{
networking.firewall.extraCommands = lib.concatLines (startTCP ++ startUDP);
networking.firewall.extraStopCommands = lib.concatLines (stopTCP ++ stopUDP);
};

3
modules/services/gitea/default.nix
View File

@ -4,7 +4,8 @@
pkgs,
myData,
...
}: {
}:
{
options.mj.services.gitea = with lib.types; {
enable = lib.mkEnableOption "Enable gitea";
};

10
modules/services/hass/default.nix
View File

@ -3,9 +3,11 @@
lib,
myData,
...
}: let
}:
let
cfg = config.mj.services.hass;
in {
in
{
options.mj.services.hass = with lib.types; {
enable = lib.mkEnableOption "Enable home-assistant";
};
@ -67,7 +69,9 @@ in {
action = [
{
service = "wake_on_lan.send_magic_packet";
data = {mac = "74:e6:b8:4c:fb:b7";};
data = {
mac = "74:e6:b8:4c:fb:b7";
};
}
];
}

8
modules/services/headscale/default.nix
View File

@ -3,7 +3,8 @@
lib,
pkgs,
...
}: {
}:
{
options.mj.services.headscale = with lib.types; {
enable = lib.mkEnableOption "Enable headscale";
clientOidcPath = lib.mkOption { type = str; };
@ -24,7 +25,10 @@
ip_prefixes = [ config.mj.services.headscale.subnetCIDR ];
log.level = "warn";
dns_config = {
nameservers = ["1.1.1.1" "8.8.4.4"];
nameservers = [
"1.1.1.1"
"8.8.4.4"
];
magic_dns = false;
base_domain = "jakst";
};

26
modules/services/jakstpub/default.nix
View File

@ -3,9 +3,11 @@
lib,
myData,
...
}: let
}:
let
cfg = config.mj.services.jakstpub;
in {
in
{
options.mj.services.jakstpub = with lib.types; {
enable = lib.mkEnableOption "Enable jakstpub";
dataDir = lib.mkOption { type = path; };
@ -40,7 +42,8 @@ in {
guest account = jakstpub
server role = standalone server
'';
shares = let
shares =
let
defaults = {
"public" = "yes";
"mangled names" = "no";
@ -48,19 +51,16 @@ in {
"force user" = "jakstpub";
"force group" = "jakstpub";
};
in {
public =
defaults
// {
in
{
public = defaults // {
"path" = cfg.dataDir;
"writeable" = "yes";
"read only" = "no";
"create mask" = "0664";
"directory mask" = "0775";
};
snapshots =
defaults
// {
snapshots = defaults // {
"path" = cfg.dataDir + "/.zfs/snapshot";
"writeable" = "no";
"read only" = "yes";
@ -92,7 +92,11 @@ in {
mj.services.friendlyport.ports = [
{
subnets = with myData.subnets; [tailscale.cidr vno1.cidr vno3.cidr];
subnets = with myData.subnets; [
tailscale.cidr
vno1.cidr
vno3.cidr
];
tcp = [
80 # caddy above
139 # smbd

18
modules/services/matrix-synapse/default.nix
View File

@ -3,7 +3,8 @@
lib,
pkgs,
...
}: {
}:
{
options.mj.services.matrix-synapse = with lib.types; {
enable = lib.mkEnableOption "Enable matrix-synapse";
signingKeyPath = lib.mkOption { type = path; };
@ -95,12 +96,11 @@
};
};
systemd.tmpfiles.rules = [
"d /run/matrix-synapse 0700 matrix-synapse matrix-synapse -"
];
systemd.tmpfiles.rules = [ "d /run/matrix-synapse 0700 matrix-synapse matrix-synapse -" ];
systemd.services = {
matrix-synapse = let
matrix-synapse =
let
# I tried to move this to preStart, but it complains:
# Config is missing macaroon_secret_key
secretsScript = pkgs.writeShellScript "write-secrets" ''
@ -112,8 +112,12 @@
macaroon_secret_key: "$(cat ''${CREDENTIALS_DIRECTORY}/macaroon_secret_key)"
EOF
'';
in {
serviceConfig.ExecStartPre = ["" secretsScript];
in
{
serviceConfig.ExecStartPre = [
""
secretsScript
];
serviceConfig.LoadCredential = with config.mj.services.matrix-synapse; [
"jakstys_lt_signing_key:${signingKeyPath}"
"registration_shared_secret:${registrationSharedSecretPath}"

11
modules/services/node_exporter/default.nix
View File

@ -3,9 +3,11 @@
lib,
myData,
...
}: let
}:
let
cfg = config.mj.services.node_exporter;
in {
in
{
options.mj.services.node_exporter = with lib.types; {
enable = lib.mkEnableOption "Enable node_exporter";
extraSubnets = lib.mkOption {
@ -17,7 +19,10 @@ in {
config = lib.mkIf cfg.enable {
services.prometheus.exporters.node = {
enable = true;
enabledCollectors = ["systemd" "processes"];
enabledCollectors = [
"systemd"
"processes"
];
port = myData.ports.exporters.node;
user = "node_exporter";
group = "node_exporter";

64
modules/services/nsd-acme/default.nix
View File

@ -3,9 +3,12 @@
lib,
pkgs,
...
}: let
}:
let
cfg = config.mj.services.nsd-acme;
mkHook = zone: let
mkHook =
zone:
let
fullZone = "_acme-endpoint.${zone}";
in
pkgs.writeShellScript "nsd-acme-hook" ''
@ -48,14 +51,17 @@
;;
esac
'';
in {
in
{
options.mj.services.nsd-acme = with lib.types; {
enable = lib.mkEnableOption "enable acme certs via nsd";
zones = lib.mkOption {
default = { };
type = attrsOf (submodule (
{name, ...}: {
type = attrsOf (
submodule (
{ name, ... }:
{
options = {
accountKey = lib.mkOption { type = path; };
days = lib.mkOption {
@ -79,7 +85,8 @@ in {
};
};
}
));
)
);
};
};
@ -100,9 +107,11 @@ in {
nsd-control-setup = {
requiredBy = [ "nsd.service" ];
before = [ "nsd.service" ];
unitConfig.ConditionPathExists = let
unitConfig.ConditionPathExists =
let
rc = config.services.nsd.remoteControl;
in [
in
[
"|!${rc.controlKeyFile}"
"|!${rc.controlCertFile}"
"|!${rc.serverKeyFile}"
@ -110,7 +119,7 @@ in {
];
serviceConfig = {
Type = "oneshot";
UMask = 0077;
UMask = 77;
};
script = ''
${pkgs.nsd}/bin/nsd-control-setup
@ -119,22 +128,26 @@ in {
path = [ pkgs.openssl ];
};
}
// lib.mapAttrs'
(
// lib.mapAttrs' (
zone: cfg:
lib.nameValuePair "nsd-acme-${zone}" {
description = "dns-01 acme update for ${zone}";
path = [pkgs.openssh pkgs.nsd];
path = [
pkgs.openssh
pkgs.nsd
];
preStart = ''
mkdir -p "$STATE_DIRECTORY/private"
ln -sf "$CREDENTIALS_DIRECTORY/letsencrypt-account-key" \
"$STATE_DIRECTORY/private/key.pem"
'';
serviceConfig = {
ExecStart = let
ExecStart =
let
hook = mkHook zone;
days = builtins.toString cfg.days;
in "${pkgs.uacme}/bin/uacme -c \${STATE_DIRECTORY} --verbose --days ${days} --hook ${hook} ${lib.optionalString cfg.staging "--staging"} issue ${zone}";
in
"${pkgs.uacme}/bin/uacme -c \${STATE_DIRECTORY} --verbose --days ${days} --hook ${hook} ${lib.optionalString cfg.staging "--staging"} issue ${zone}";
UMask = "0022";
User = "nsd";
@ -142,7 +155,10 @@ in {
StateDirectory = "nsd-acme/${zone}";
LoadCredential = [ "letsencrypt-account-key:${cfg.accountKey}" ];
ReadWritePaths = [ "/var/lib/nsd/acmezones" ];
SuccessExitStatus = [0 1];
SuccessExitStatus = [
0
1
];
# from nixos/modules/security/acme/default.nix
ProtectSystem = "strict";
@ -182,12 +198,9 @@ in {
];
};
}
)
cfg.zones;
) cfg.zones;
timers =
lib.mapAttrs'
(
timers = lib.mapAttrs' (
zone: _:
lib.nameValuePair "nsd-acme-${zone}" {
description = "nsd-acme for zone ${zone}";
@ -198,16 +211,11 @@ in {
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
}
)
cfg.zones;
) cfg.zones;
};
mj.base.unitstatus.units =
lib.mkIf config.mj.base.unitstatus.enable
(
["nsd-control-setup"]
++ map (z: "nsd-acme-${z}")
(lib.attrNames cfg.zones)
mj.base.unitstatus.units = lib.mkIf config.mj.base.unitstatus.enable (
[ "nsd-control-setup" ] ++ map (z: "nsd-acme-${z}") (lib.attrNames cfg.zones)
);
};
}

3
modules/services/postfix/default.nix
View File

@ -4,7 +4,8 @@
myData,
pkgs,
...
}: {
}:
{
options.mj.services.postfix = with lib.types; {
enable = lib.mkEnableOption "Enable postfix";
saslPasswdPath = lib.mkOption { type = path; };

27
modules/services/remote-builder/default.nix
View File

@ -1,8 +1,5 @@
{ config, lib, ... }:
{
config,
lib,
...
}: {
options.mj.services.remote-builder = with lib.types; {
server = {
enable = lib.mkEnableOption "Enable remote builder server";
@ -12,7 +9,12 @@
};
client = {
enable = lib.mkEnableOption "Enable remote builder client";
system = lib.mkOption {type = enum ["aarch64-linux" "x86_64-linux"];};
system = lib.mkOption {
type = enum [
"aarch64-linux"
"x86_64-linux"
];
};
hostName = lib.mkOption { type = str; };
sshKey = lib.mkOption { type = path; };
supportedFeatures = lib.mkOption { type = listOf str; };
@ -33,11 +35,7 @@
isSystemUser = true;
createHome = true;
uid = cfg.uidgid;
openssh.authorizedKeys.keys =
map (
k: "from=\"${cfg.sshAllowSubnet}\" ${k}"
)
cfg.publicKeys;
openssh.authorizedKeys.keys = map (k: ''from="${cfg.sshAllowSubnet}" ${k}'') cfg.publicKeys;
};
users.groups.remote-builder.gid = cfg.uidgid;
nix.settings.trusted-users = [ "remote-builder" ];
@ -51,13 +49,18 @@
nix = {
buildMachines = [
{
inherit (cfg) hostName system sshKey supportedFeatures;
inherit (cfg)
hostName
system
sshKey
supportedFeatures
;
protocol = "ssh-ng";
sshUser = "remote-builder";
}
];
distributedBuilds = true;
extraOptions = ''builders-use-substitutes = true'';
extraOptions = "builders-use-substitutes = true";
};
}
)

10
modules/services/sshguard/default.nix
View File

@ -3,7 +3,8 @@
lib,
myData,
...
}: {
}:
{
options.mj.services.sshguard = with lib.types; {
enable = lib.mkOption {
type = bool;
@ -15,9 +16,10 @@
services.sshguard = {
enable = true;
blocktime = 900;
whitelist =
["192.168.0.0/16" myData.subnets.tailscale.cidr]
++ (lib.catAttrs "publicIP" (lib.attrValues myData.hosts));
whitelist = [
"192.168.0.0/16"
myData.subnets.tailscale.cidr
] ++ (lib.catAttrs "publicIP" (lib.attrValues myData.hosts));
};
};
}

138
modules/services/syncthing/default.nix
View File

@ -3,7 +3,8 @@
lib,
myData,
...
}: let
}:
let
cfg = config.mj.services.syncthing;
devices = {
@ -20,17 +21,29 @@
};
folders = {
Books = {
devices = ["fwminex" "vno1-oh2" "mxp10"];
devices = [
"fwminex"
"vno1-oh2"
"mxp10"
];
id = "8lk0n-mm63y";
label = "Books";
};
Mail = {
devices = ["fwminex" "vno1-oh2"];
devices = [
"fwminex"
"vno1-oh2"
];
id = "66fmz-x6f1a";
label = "Mail";
};
M-Active = {
devices = ["mxp10" "fwminex" "mtworx" "vno1-oh2"];
devices = [
"mxp10"
"fwminex"
"mtworx"
"vno1-oh2"
];
id = "f6fma-unkxq";
label = "M-Active";
versioning = {
@ -42,62 +55,115 @@
};
};
M-Documents = {
devices = ["fwminex" "vno1-oh2"];
devices = [
"fwminex"
"vno1-oh2"
];
id = "4fu7z-z6es2";
label = "M-Documents";
};
Vaikai = {
devices = ["vno1-vinc" "sqq1-desk" "fwminex" "mtworx" "vno1-oh2" "v-kfire" "rzj-744P2PE" "mxp10" "a-kfire"];
devices = [
"vno1-vinc"
"sqq1-desk"
"fwminex"
"mtworx"
"vno1-oh2"
"v-kfire"
"rzj-744P2PE"
"mxp10"
"a-kfire"
];
id = "xbrfr-mhszm";
label = "Vaikai";
};
M-Camera = {
devices = ["mxp10" "fwminex" "mtworx" "vno1-oh2"];
devices = [
"mxp10"
"fwminex"
"mtworx"
"vno1-oh2"
];
id = "pixel_xl_dtm3-photos";
label = "M-Camera";
};
R-Documents = {
devices = ["rzj-744P2PE" "vno1-oh2"];
devices = [
"rzj-744P2PE"
"vno1-oh2"
];
id = "nm23h-aog6k";
label = "R-Documents";
};
Pictures = {
devices = ["fwminex" "vno1-oh2"];
devices = [
"fwminex"
"vno1-oh2"
];
id = "d3hur-cbzyw";
label = "Pictures";
};
Music = {
devices = ["fwminex" "mtworx" "mxp10" "vno1-oh2"];
devices = [
"fwminex"
"mtworx"
"mxp10"
"vno1-oh2"
];
id = "tg94v-cqcwr";
label = "music";
};
video-shared = {
devices = ["mxp10" "mtworx" "fwminex" "vno1-oh2"];
devices = [
"mxp10"
"mtworx"
"fwminex"
"vno1-oh2"
];
id = "byzmw-f6zhg";
label = "video-shared";
};
stud-cache = {
devices = ["fwminex" "vno1-oh2"];
devices = [
"fwminex"
"vno1-oh2"
];
id = "2kq7n-jqzxj";
label = "stud-cache";
};
M-R = {
devices = ["fwminex" "rzj-744P2PE" "mxp10" "vno1-oh2" "mtworx"];
devices = [
"fwminex"
"rzj-744P2PE"
"mxp10"
"vno1-oh2"
"mtworx"
];
id = "evgn9-ahngz";
label = "M-R";
};
Irenos = {
devices = ["sqq1-desk" "vno1-oh2" "vno2-irena"];
devices = [
"sqq1-desk"
"vno1-oh2"
"vno2-irena"
];
id = "wuwai-qkcqj";
label = "Irenos";
};
www-fwminex = {
devices = ["fwminex" "vno1-oh2"];
devices = [
"fwminex"
"vno1-oh2"
];
id = "7z9sw-2nubh";
label = "www-fwminex";
};
www-mxp10 = {
devices = ["mxp10" "vno1-oh2"];
devices = [
"mxp10"
"vno1-oh2"
];
id = "gqrtz-prx9h";
label = "www-mxp10";
};
@ -107,7 +173,8 @@
label = "mykolo";
};
};
in {
in
{
options.mj.services.syncthing = with lib.types; {
enable = lib.mkEnableOption "Enable services syncthing settings";
user = lib.mkOption { type = str; };
@ -124,7 +191,12 @@ in {
];
services.syncthing = {
inherit (cfg) enable user group dataDir;
inherit (cfg)
enable
user
group
dataDir
;
openDefaultPorts = true;
key = config.age.secrets.syncthing-key.path;
cert = config.age.secrets.syncthing-cert.path;
@ -133,8 +205,7 @@ in {
devices =
{ }
// (lib.optionalAttrs (config.networking.hostName == "vno1-oh2") {
inherit
(devices)
inherit (devices)
fwminex
mtworx
vno1-oh2
@ -148,8 +219,7 @@ in {
;
})
// (lib.optionalAttrs (config.networking.hostName == "fwminex") {
inherit
(devices)
inherit (devices)
fwminex
mtworx
vno1-oh2
@ -162,8 +232,7 @@ in {
;
})
// (lib.optionalAttrs (config.networking.hostName == "mtworx") {
inherit
(devices)
inherit (devices)
mtworx
fwminex
vno1-oh2
@ -176,10 +245,10 @@ in {
;
})
// { };
folders = with folders;
folders =
with folders;
{ }
// (
lib.optionalAttrs (config.networking.hostName == "vno1-oh2") {
// (lib.optionalAttrs (config.networking.hostName == "vno1-oh2") {
"/var/www/dl/tel" = www-mxp10;
"/var/www/dl/fwminex" = www-fwminex;
"/var/www/dl/mykolo" = mykolo;
@ -196,20 +265,16 @@ in {
"${cfg.dataDir}/video/Vaikai" = Vaikai;
"${cfg.dataDir}/music" = Music;
"${cfg.dataDir}/irenos" = Irenos;
}
)
// (
lib.optionalAttrs (config.networking.hostName == "mtworx") {
})
// (lib.optionalAttrs (config.networking.hostName == "mtworx") {
"${cfg.dataDir}/M-Active" = M-Active;
"${cfg.dataDir}/M-Camera" = M-Camera;
"${cfg.dataDir}/M-R" = M-R;
"${cfg.dataDir}/Vaikai" = Vaikai;
"${cfg.dataDir}/Video" = video-shared;
"${cfg.dataDir}/music" = Music;
}
)
// (
lib.optionalAttrs (config.networking.hostName == "fwminex") {
})
// (lib.optionalAttrs (config.networking.hostName == "fwminex") {
"${cfg.dataDir}/.cache/evolution" = Mail;
"${cfg.dataDir}/Books" = Books;
"${cfg.dataDir}/M-Active" = M-Active;
@ -222,8 +287,7 @@ in {
"${cfg.dataDir}/Video" = video-shared;
"${cfg.dataDir}/stud-cache" = stud-cache;
"${cfg.dataDir}/www" = www-fwminex;
}
);
});
};
};
};

18
modules/services/tailscale/default.nix
View File

@ -3,10 +3,18 @@
lib,
myData,
...
}: let
}:
let
cfg = config.mj.services.tailscale;
inherit (lib) mkMerge types mkEnableOption mkOption mkIf;
in {
inherit (lib)
mkMerge
types
mkEnableOption
mkOption
mkIf
;
in
{
options.mj.services.tailscale = with types; {
enable = mkEnableOption "Enable tailscale";
# https://github.com/tailscale/tailscale/issues/1548
@ -25,8 +33,6 @@ in {
networking.firewall.checkReversePath = "loose";
networking.firewall.allowedUDPPorts = [ myData.ports.tailscale ];
}
(mkIf (!cfg.verboseLogs) {
systemd.services.tailscaled.serviceConfig.StandardOutput = "null";
})
(mkIf (!cfg.verboseLogs) { systemd.services.tailscaled.serviceConfig.StandardOutput = "null"; })
]);
}

17
modules/services/wifibackup/default.nix
View File

@ -3,7 +3,8 @@
config,
pkgs,
...
}: {
}:
{
options.mj.services.wifibackup = with lib.types; {
enable = lib.mkEnableOption "enable wifi code backups to M-Active";
fromPath = lib.mkOption {
@ -20,7 +21,8 @@
};
};
config = with config.mj.services.wifibackup;
config =
with config.mj.services.wifibackup;
lib.mkIf enable {
systemd.timers.wifibackup = {
description = "wifibackup to M-Active";
@ -32,14 +34,19 @@
serviceConfig = {
Type = "oneshot";
User = "root";
SuccessExitStatus = [0 1];
SuccessExitStatus = [
0
1
];
};
script = let
script =
let
knownHostsCmd = pkgs.writeShellScript "known-hosts-localhost" ''
echo -n "localhost "
exec ${pkgs.coreutils}/bin/cat /etc/ssh/ssh_host_ed25519_key.pub
'';
in ''
in
''
sed -i -E '/^(uuid|interface-name)=/d' ${fromPath}/*.nmconnection
exec ${pkgs.unison}/bin/unison \

35
modules/services/zfsunlock/default.nix
View File

@ -3,16 +3,20 @@
lib,
pkgs,
...
}: let
mkUnlock = {
}:
let
mkUnlock =
{
sshEndpoint,
pingEndpoint,
remotePubkey,
pwFile,
pingTimeoutSec,
}: let
}:
let
timeoutStr = builtins.toString pingTimeoutSec;
in ''
in
''
set -x
# if host is reachable via "pingEndpoint", which, we presume is
# VPN (which implies the rootfs has been unlocked for VPN to work),
@ -26,7 +30,8 @@
-o KnownHostsCommand="${pkgs.coreutils}/bin/echo ${sshEndpoint} ${remotePubkey}" \
root@${sshEndpoint} < "${pwFile}"
'';
in {
in
{
options.mj.services.zfsunlock = with lib.types; {
enable = lib.mkEnableOption "remotely unlock zfs-encrypted root volumes";
@ -49,9 +54,7 @@ in {
};
config = lib.mkIf config.mj.services.zfsunlock.enable {
systemd.services =
lib.mapAttrs'
(
systemd.services = lib.mapAttrs' (
name: cfg:
lib.nameValuePair "zfsunlock-${name}" {
description = "zfsunlock service for ${name}";
@ -61,12 +64,9 @@ in {
ProtectSystem = "strict";
};
}
)
config.mj.services.zfsunlock.targets;
) config.mj.services.zfsunlock.targets;
systemd.timers =
lib.mapAttrs'
(
systemd.timers = lib.mapAttrs' (
name: cfg:
lib.nameValuePair "zfsunlock-${name}" {
description = "zfsunlock timer for ${name}";
@ -77,11 +77,10 @@ in {
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
}
)
config.mj.services.zfsunlock.targets;
) config.mj.services.zfsunlock.targets;
mj.base.unitstatus.units =
map (name: "zfsunlock-${name}")
(builtins.attrNames config.mj.services.zfsunlock.targets);
mj.base.unitstatus.units = map (name: "zfsunlock-${name}") (
builtins.attrNames config.mj.services.zfsunlock.targets
);
};
}

3
pkgs/btrfs-auto-snapshot.nix
View File

@ -32,7 +32,8 @@ assert syslogSupport -> util-linux != null;
install -Dm755 btrfs-auto-snapshot $out/bin/btrfs-auto-snapshot
'';
wrapperPath = with lib;
wrapperPath =
with lib;
makeBinPath (
[
coreutils

31
pkgs/compress-drv/default.nix
View File

@ -34,19 +34,22 @@ Inputs:
lib,
xorg,
runCommand,
}: drv: {
formats,
compressors,
...
}: let
validProg = ext: prog: let
}:
drv:
{ formats, compressors, ... }:
let
validProg =
ext: prog:
let
matches = (builtins.length (builtins.split "\\{}" prog) - 1) / 2;
in
lib.assertMsg
(matches == 1)
"compressor ${ext} needs to have exactly one '{}', found ${builtins.toString matches}";
mkCmd = ext: prog:
assert validProg ext prog; ''
lib.assertMsg (
matches == 1
) "compressor ${ext} needs to have exactly one '{}', found ${builtins.toString matches}";
mkCmd =
ext: prog:
assert validProg ext prog;
''
find -L $out -type f -regextype posix-extended -iregex '.*\.(${formatsPipe})' -print0 \
| xargs -0 -P$NIX_BUILD_CORES -I{} ${prog}
'';
@ -56,9 +59,5 @@ in
mkdir $out
(cd $out; ${xorg.lndir}/bin/lndir ${drv})
${
lib.concatStringsSep
"\n\n"
(lib.mapAttrsToList mkCmd compressors)
}
${lib.concatStringsSep "\n\n" (lib.mapAttrsToList mkCmd compressors)}
''

3
pkgs/compress-drv/test.nix
View File

@ -2,7 +2,8 @@
gzip,
runCommand,
compressDrv,
}: let
}:
let
example = runCommand "sample-drv" { } ''
mkdir $out
echo 42 > $out/1.txt

19
pkgs/compress-drv/web.nix
View File

@ -34,7 +34,6 @@ the web server. For example, `pkgs.gamja` creates this derivation:
manifest.webmanifest.br
manifest.webmanifest.gz
When this `-compressed` directory is passed to a properly configured web
server, it will serve those pre-compressed files:
@ -75,8 +74,22 @@ Inputs:
zopfli,
brotli,
compressDrv,
}: drv: {
formats ? ["css" "js" "svg" "ttf" "eot" "txt" "xml" "map" "html" "json" "webmanifest"],
}:
drv:
{
formats ? [
"css"
"js"
"svg"
"ttf"
"eot"
"txt"
"xml"
"map"
"html"
"json"
"webmanifest"
],
extraFormats ? [ ],
compressors ? {
"gz" = "${zopfli}/bin/zopfli --keep {}";

5
pkgs/nicer.nix
View File

@ -1,7 +1,4 @@
{
coreutils,
writeShellApplication,
}:
{ coreutils, writeShellApplication }:
writeShellApplication {
name = "nicer";
text = ''

6
pkgs/tmuxbash.nix
View File

@ -1,8 +1,4 @@
{
tmux,
writeShellApplication,
...
}:
{ tmux, writeShellApplication, ... }:
writeShellApplication {
name = "tmuxbash";
text = ''

21
secrets.nix
View File

@ -11,15 +11,22 @@ let
fra1-a = (import ./data.nix).hosts."fra1-a.servers.jakst".publicKey;
vno1-oh2 = (import ./data.nix).hosts."vno1-oh2.servers.jakst".publicKey;
vno3-rp3b = (import ./data.nix).hosts."vno3-rp3b.servers.jakst".publicKey;
systems = [fra1-a vno1-oh2 vno3-rp3b fwminex];
systems = [
fra1-a
vno1-oh2
vno3-rp3b
fwminex
];
mk = auth: keyNames:
mk =
auth: keyNames:
builtins.listToAttrs (
map (keyName: {
name = keyName;
value = {publicKeys = auth;};
})
keyNames
value = {
publicKeys = auth;
};
}) keyNames
);
in
{ }
@ -43,9 +50,7 @@ in
"secrets/vno1-oh2/zfs-passphrase.age"
"secrets/fra1-a/borgbackup-password.age"
]
// mk ([vno3-rp3b] ++ motiejus) [
"secrets/vno3-rp3b/datapool-passphrase.age"
]
// mk ([ vno3-rp3b ] ++ motiejus) [ "secrets/vno3-rp3b/datapool-passphrase.age" ]
// mk ([ mtworx ] ++ motiejus) [
"secrets/motiejus_work_passwd_hash.age"
"secrets/root_work_passwd_hash.age"

51
shared/home/default.nix
View File

@ -7,19 +7,19 @@
hmOnly,
username,
...
}: let
}:
let
# from https://github.com/Gerg-L/demoninajar/blob/39964f198dbfa34c21f81c35370fab312b476051/homes/veritas_manjaro/nixGL.nix#L42
mkWrapped = wrap: orig-pkg: execName:
pkgs.makeOverridable
(
attrs: let
mkWrapped =
wrap: orig-pkg: execName:
pkgs.makeOverridable (
attrs:
let
pkg = orig-pkg.override attrs;
outs = pkg.meta.outputsToInstall;
paths = pkgs.lib.attrsets.attrVals outs pkg;
nonTrivialOuts = pkgs.lib.lists.remove "out" outs;
metaAttributes =
pkgs.lib.attrsets.getAttrs
(
metaAttributes = pkgs.lib.attrsets.getAttrs (
[
"name"
"pname"
@ -27,8 +27,7 @@
"meta"
]
++ nonTrivialOuts
)
pkg;
) pkg;
in
pkgs.symlinkJoin (
{
@ -43,15 +42,13 @@
}
// metaAttributes
)
)
{};
) { };
glintel = mkWrapped pkgs.nixgl.nixGLIntel;
firefox =
if (pkgs.stdenv.hostPlatform.system == "x86_64-linux")
then pkgs.firefox-bin
else pkgs.firefox;
if (pkgs.stdenv.hostPlatform.system == "x86_64-linux") then pkgs.firefox-bin else pkgs.firefox;
homeDirectory = "/home/${username}";
in {
in
{
home = {
inherit stateVersion username homeDirectory;
};
@ -61,11 +58,10 @@ in {
".parallel/will-cite".text = "";
};
home.sessionVariables = lib.mkIf devTools {
GOPATH = "${homeDirectory}/.go";
};
home.sessionVariables = lib.mkIf devTools { GOPATH = "${homeDirectory}/.go"; };
home.packages = with pkgs;
home.packages =
with pkgs;
lib.mkMerge [
[ extract_url ]
@ -113,10 +109,7 @@ in {
firefox = lib.mkIf devTools {
enable = true;
# firefox doesn't need the wrapper on the personal laptop
package =
if hmOnly
then (glintel firefox "firefox")
else firefox;
package = if hmOnly then (glintel firefox "firefox") else firefox;
policies.DisableAppUpdate = true;
profiles = {
xdefault = {
@ -165,8 +158,7 @@ in {
(pkgs.substituteAll {
src = ./dev.lua;
inherit (pkgs) ripgrep;
})
.outPath;
}).outPath;
})
];
@ -228,9 +220,7 @@ in {
'';
};
}
(
lib.mkIf (!hmOnly)
{
(lib.mkIf (!hmOnly) {
bash = {
enable = true;
shellAliases = {
@ -243,7 +233,6 @@ in {
source ${./gg.sh}
'';
};
}
)
})
];
}

5
shared/work/default.nix
View File

@ -1,8 +1,5 @@
{ config, pkgs, ... }:
{
config,
pkgs,
...
}: {
mj.base.users.email = null;
mj.base.users.user.extraGroups = [ "docker" ];