motiejus/config
1
Fork 0
Code Packages Releases Activity

nix fmt

Browse Source
This commit is contained in:
Motiejus Jakštys
2025-07-28 05:17:49 +00:00
parent 66568d814c
commit b30ef5392e
5 changed files with 215 additions and 215 deletions
Download Patch File Download Diff File Expand all files Collapse all files

169
hosts/fwminex/configuration.nix
View File

@@ -424,49 +424,49 @@ in
evaluation_interval = "1m";
};
scrapeConfigs =
[
(
let
port = toString config.services.prometheus.exporters.ping.port;
hosts = [
"fwminex.jakst.vpn"
"vno3-nk.jakst.vpn"
"fra1-c.jakst.vpn"
"vno1-gdrx.jakst.vpn"
];
in
scrapeConfigs = [
(
let
port = toString config.services.prometheus.exporters.ping.port;
hosts = [
"fwminex.jakst.vpn"
"vno3-nk.jakst.vpn"
"fra1-c.jakst.vpn"
"vno1-gdrx.jakst.vpn"
];
in
{
job_name = "ping";
static_configs = [ { targets = map (host: "${host}:${port}") hosts; } ];
}
)
{
job_name = "prometheus";
static_configs = [ { targets = [ "127.0.0.1:${toString myData.ports.prometheus}" ]; } ];
job_name = "ping";
static_configs = [ { targets = map (host: "${host}:${port}") hosts; } ];
}
{
job_name = "caddy";
static_configs = [ { targets = [ "127.0.0.1:${toString myData.ports.exporters.caddy}" ]; } ];
}
{
job_name = "hass_p7_50";
scrape_interval = "1m";
metrics_path = "/api/prometheus";
static_configs = [ { targets = [ "127.0.0.1:${toString myData.ports.hass}" ]; } ];
}
{
job_name = "weather";
scrape_interval = "10m";
static_configs = [ { targets = [ "127.0.0.1:${toString myData.ports.exporters.weather}" ]; } ];
}
{
job_name = "vno1-vinc.jakst.vpn";
static_configs = [ { targets = [ "vno1-vinc.jakst.vpn:9100" ]; } ];
}
]
++ map
)
{
job_name = "prometheus";
static_configs = [ { targets = [ "127.0.0.1:${toString myData.ports.prometheus}" ]; } ];
}
{
job_name = "caddy";
static_configs = [ { targets = [ "127.0.0.1:${toString myData.ports.exporters.caddy}" ]; } ];
}
{
job_name = "hass_p7_50";
scrape_interval = "1m";
metrics_path = "/api/prometheus";
static_configs = [ { targets = [ "127.0.0.1:${toString myData.ports.hass}" ]; } ];
}
{
job_name = "weather";
scrape_interval = "10m";
static_configs = [ { targets = [ "127.0.0.1:${toString myData.ports.exporters.weather}" ]; } ];
}
{
job_name = "vno1-vinc.jakst.vpn";
static_configs = [ { targets = [ "vno1-vinc.jakst.vpn:9100" ]; } ];
}
]
++
map
(
let
port = builtins.toString myData.ports.exporters.node;
@@ -601,55 +601,54 @@ in
enable = true;
passwordPath = config.age.secrets.borgbackup-password.path;
sshKeyPath = "/etc/ssh/ssh_host_ed25519_key";
dirs =
[
dirs = [
{
subvolume = "/var/lib";
repo = "${vno3-nk}:${this}-var_lib_lesser";
paths = [
"prometheus2"
"private/timelapse-r11"
];
backup_at = "*-*-* 02:01:00 UTC";
compression = "none";
}
]
++ (builtins.concatMap
(host: [
{
subvolume = "/var/lib";
repo = "${vno3-nk}:${this}-var_lib_lesser";
repo = "${host}:${this}-var_lib";
paths = [
"prometheus2"
"private/timelapse-r11"
];
backup_at = "*-*-* 02:01:00 UTC";
compression = "none";
}
]
++ (builtins.concatMap
(host: [
{
subvolume = "/var/lib";
repo = "${host}:${this}-var_lib";
paths = [
"hass"
"gitea"
"caddy"
"grafana"
"headscale"
"bitwarden_rs"
"matrix-synapse"
"private/soju"
"hass"
"gitea"
"caddy"
"grafana"
"headscale"
"bitwarden_rs"
"matrix-synapse"
"private/soju"
# https://immich.app/docs/administration/backup-and-restore/
"immich/library"
"immich/upload"
"immich/profile"
"postgresql"
];
patterns = [ "- gitea/data/repo-archive/" ];
backup_at = "*-*-* 01:00:01 UTC";
}
{
subvolume = "/home";
repo = "${host}:${this}-home-motiejus-annex2";
paths = [ "motiejus/annex2" ];
backup_at = "*-*-* 02:30:01 UTC";
}
])
[
rsync-net
vno3-nk
]
);
# https://immich.app/docs/administration/backup-and-restore/
"immich/library"
"immich/upload"
"immich/profile"
"postgresql"
];
patterns = [ "- gitea/data/repo-archive/" ];
backup_at = "*-*-* 01:00:01 UTC";
}
{
subvolume = "/home";
repo = "${host}:${this}-home-motiejus-annex2";
paths = [ "motiejus/annex2" ];
backup_at = "*-*-* 02:30:01 UTC";
}
])
[
rsync-net
vno3-nk
]
);
};
btrfssnapshot = {

67
modules/base/unitstatus/default.nix
View File

@@ -17,44 +17,43 @@
};
config = lib.mkIf config.mj.base.unitstatus.enable {
systemd.services =
{
"unit-status-mail@" =
let
# https://northernlightlabs.se/2014-07-05/systemd-status-mail-on-unit-failure.html
script = pkgs.writeShellScript "unit-status-mail" ''
set -e
MAILTO="${config.mj.base.unitstatus.email}"
UNIT=$1
EXTRA=""
for e in "''${@:2}"; do
EXTRA+="$e"$'\n'
done
UNITSTATUS=$(${pkgs.systemd}/bin/systemctl status -l -n 1000 "$UNIT" || :)
${pkgs.postfix}/bin/sendmail $MAILTO <<EOF
Subject:Status mail for unit: $UNIT
systemd.services = {
"unit-status-mail@" =
let
# https://northernlightlabs.se/2014-07-05/systemd-status-mail-on-unit-failure.html
script = pkgs.writeShellScript "unit-status-mail" ''
set -e
MAILTO="${config.mj.base.unitstatus.email}"
UNIT=$1
EXTRA=""
for e in "''${@:2}"; do
EXTRA+="$e"$'\n'
done
UNITSTATUS=$(${pkgs.systemd}/bin/systemctl status -l -n 1000 "$UNIT" || :)
${pkgs.postfix}/bin/sendmail $MAILTO <<EOF
Subject:Status mail for unit: $UNIT
Status report for unit: $UNIT
$EXTRA
Status report for unit: $UNIT
$EXTRA
$UNITSTATUS
EOF
$UNITSTATUS
EOF
echo -e "Status mail sent to: $MAILTO for unit: $UNIT"
'';
in
{
description = "Send an email on unit failure";
serviceConfig = {
Type = "simple";
ExecStart = ''${script} "%i" "Hostname: %H" "Machine ID: %m" "Boot ID: %b" '';
};
echo -e "Status mail sent to: $MAILTO for unit: $UNIT"
'';
in
{
description = "Send an email on unit failure";
serviceConfig = {
Type = "simple";
ExecStart = ''${script} "%i" "Hostname: %H" "Machine ID: %m" "Boot ID: %b" '';
};
}
// lib.genAttrs config.mj.base.unitstatus.units (unit: {
unitConfig = {
OnFailure = "unit-status-mail@${unit}.service";
};
});
}
// lib.genAttrs config.mj.base.unitstatus.units (unit: {
unitConfig = {
OnFailure = "unit-status-mail@${unit}.service";
};
});
};
}

6
modules/base/users/default.nix
View File

@@ -53,7 +53,8 @@ in
"dialout"
"video"
"audio"
] ++ cfg.user.extraGroups;
]
++ cfg.user.extraGroups;
uid = myData.uidgid.motiejus;
openssh.authorizedKeys.keys =
let
@@ -69,7 +70,8 @@ in
(''from="127.0.0.1,::1" '' + myData.hosts.${fqdn}.publicKey)
])
];
} // lib.filterAttrs (n: v: n != "extraGroups" && v != null) cfg.user or { };
}
// lib.filterAttrs (n: v: n != "extraGroups" && v != null) cfg.user or { };
root = lib.filterAttrs (_: v: v != null) cfg.root;
};

3
modules/services/btrfsborg/default.nix
View File

@@ -92,7 +92,8 @@ in
h = config.networking;
in
"${h.hostName}.${h.domain}@${h.hostId}";
} // lib.optionalAttrs (cfg.sshKeyPath != null) { BORG_RSH = ''ssh -i "${cfg.sshKeyPath}"''; };
}
// lib.optionalAttrs (cfg.sshKeyPath != null) { BORG_RSH = ''ssh -i "${cfg.sshKeyPath}"''; };
}
// lib.optionalAttrs (attrs ? patterns) { inherit (attrs) patterns; }
// lib.optionalAttrs (attrs ? prune) { inherit (attrs) prune; }

185
modules/services/nsd-acme/default.nix
View File

@@ -102,103 +102,102 @@ in
systemd = {
tmpfiles.rules = [ "d /var/lib/nsd/acmezones 0755 nsd nsd -" ];
services =
{
nsd-control-setup = {
requiredBy = [ "nsd.service" ];
before = [ "nsd.service" ];
unitConfig.ConditionPathExists =
services = {
nsd-control-setup = {
requiredBy = [ "nsd.service" ];
before = [ "nsd.service" ];
unitConfig.ConditionPathExists =
let
rc = config.services.nsd.remoteControl;
in
[
"|!${rc.controlKeyFile}"
"|!${rc.controlCertFile}"
"|!${rc.serverKeyFile}"
"|!${rc.serverCertFile}"
];
serviceConfig = {
Type = "oneshot";
UMask = 77;
};
script = ''
${pkgs.nsd}/bin/nsd-control-setup
chown nsd:nsd /etc/nsd/nsd_{control,server}.{key,pem}
'';
path = [ pkgs.openssl ];
};
}
// lib.mapAttrs' (
zone: cfg:
lib.nameValuePair "nsd-acme-${zone}" {
description = "dns-01 acme update for ${zone}";
path = [
pkgs.openssh
pkgs.nsd
];
preStart = ''
mkdir -p "$STATE_DIRECTORY/private"
ln -sf "$CREDENTIALS_DIRECTORY/letsencrypt-account-key" \
"$STATE_DIRECTORY/private/key.pem"
'';
serviceConfig = {
ExecStart =
let
rc = config.services.nsd.remoteControl;
hook = mkHook zone;
days = builtins.toString cfg.days;
in
[
"|!${rc.controlKeyFile}"
"|!${rc.controlCertFile}"
"|!${rc.serverKeyFile}"
"|!${rc.serverCertFile}"
];
serviceConfig = {
Type = "oneshot";
UMask = 77;
};
script = ''
${pkgs.nsd}/bin/nsd-control-setup
chown nsd:nsd /etc/nsd/nsd_{control,server}.{key,pem}
'';
path = [ pkgs.openssl ];
"${pkgs.uacme}/bin/uacme -c \${STATE_DIRECTORY} --verbose --days ${days} --hook ${hook} ${lib.optionalString cfg.staging "--staging"} issue ${zone}";
UMask = "0022";
User = "nsd";
Group = "nsd";
StateDirectory = "nsd-acme/${zone}";
LoadCredential = [ "letsencrypt-account-key:${cfg.accountKey}" ];
ReadWritePaths = [ "/var/lib/nsd/acmezones" ];
SuccessExitStatus = [
0
1
];
# from nixos/modules/security/acme/default.nix
ProtectSystem = "strict";
PrivateTmp = true;
CapabilityBoundingSet = [ "" ];
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
ProtectControlGroups = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProcSubset = "pid";
RemoveIPC = true;
# "cannot get devices"
#RestrictAddressFamilies = [
# "AF_INET"
# "AF_INET6"
#];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
# 1. allow a reasonable set of syscalls
"@system-service @resources"
# 2. and deny unreasonable ones
"~@privileged"
# 3. then allow the required subset within denied groups
"@chown"
];
};
}
// lib.mapAttrs' (
zone: cfg:
lib.nameValuePair "nsd-acme-${zone}" {
description = "dns-01 acme update for ${zone}";
path = [
pkgs.openssh
pkgs.nsd
];
preStart = ''
mkdir -p "$STATE_DIRECTORY/private"
ln -sf "$CREDENTIALS_DIRECTORY/letsencrypt-account-key" \
"$STATE_DIRECTORY/private/key.pem"
'';
serviceConfig = {
ExecStart =
let
hook = mkHook zone;
days = builtins.toString cfg.days;
in
"${pkgs.uacme}/bin/uacme -c \${STATE_DIRECTORY} --verbose --days ${days} --hook ${hook} ${lib.optionalString cfg.staging "--staging"} issue ${zone}";
UMask = "0022";
User = "nsd";
Group = "nsd";
StateDirectory = "nsd-acme/${zone}";
LoadCredential = [ "letsencrypt-account-key:${cfg.accountKey}" ];
ReadWritePaths = [ "/var/lib/nsd/acmezones" ];
SuccessExitStatus = [
0
1
];
# from nixos/modules/security/acme/default.nix
ProtectSystem = "strict";
PrivateTmp = true;
CapabilityBoundingSet = [ "" ];
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
ProtectControlGroups = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProcSubset = "pid";
RemoveIPC = true;
# "cannot get devices"
#RestrictAddressFamilies = [
# "AF_INET"
# "AF_INET6"
#];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
# 1. allow a reasonable set of syscalls
"@system-service @resources"
# 2. and deny unreasonable ones
"~@privileged"
# 3. then allow the required subset within denied groups
"@chown"
];
};
}
) cfg.zones;
) cfg.zones;
timers = lib.mapAttrs' (
zone: _: