From e0fcc5d28ef7c980b353dea64963085d011c7e85 Mon Sep 17 00:00:00 2001 
From: Astrid Yu
Date: Thu, 17 Oct 2024 17:42:16 -0700
Subject: [PATCH] nixfmt wew rfc style
---
ca/default.nix | 22 +-
k8s/talos/common.nix | 2 +-
k8s/talos/controlplane.nix | 10 +-
k8s/talos/worker.nix | 6 +-
machines/__basePC/configuration.nix | 22 +-
machines/__baseServer/configuration.nix | 23 +-
machines/ajinomoto/boot.nix | 27 +-
machines/ajinomoto/configuration.nix | 11 +-
machines/ajinomoto/constants.nix | 4 +-
machines/ajinomoto/fs.nix | 6 +-
machines/amiya/configuration.nix | 46 +-
machines/amiya/hardware-configuration.nix | 20 +-
machines/banana/configuration.nix | 13 +-
machines/banana/hardware-configuration.nix | 20 +-
machines/bennett/configuration.nix | 20 +-
machines/bennett/hardware-configuration.nix | 20 +-
machines/bonney/configuration.nix | 18 +-
machines/bonney/hardware-configuration.nix | 22 +-
machines/boop/boot.nix | 22 +-
machines/boop/configuration.nix | 11 +-
machines/boop/constants.nix | 4 +-
machines/boop/fs.nix | 6 +-
machines/boop/net/bond.nix | 3 +-
machines/boop/net/default.nix | 12 +-
machines/boop/net/k8s.nix | 6 +-
machines/boop/net/util.nix | 37 +-
machines/chungus/configuration.nix | 19 +-
machines/chungus/hardware-configuration.nix | 21 +-
machines/constants.nix | 4 +-
machines/default.nix | 41 +-
machines/diluc/configuration.nix | 39 +-
machines/diluc/hardware-configuration.nix | 20 +-
machines/durin/configuration.nix | 13 +-
machines/gfdesk/boot.nix | 16 +-
machines/gfdesk/configuration.nix | 26 +-
machines/gfdesk/deluge.nix | 3 +-
machines/gfdesk/fs.nix | 6 +-
machines/gfdesk/share.nix | 18 +-
machines/ghoti/configuration.nix | 14 +-
machines/inferno/configuration.nix | 17 +-
machines/inferno/hardware-configuration.nix | 19 +-
machines/inferno/net.nix | 30 +-
machines/shai-hulud/configuration.nix | 17 +-
.../shai-hulud/hardware-configuration.nix | 19 +-
machines/squid/configuration.nix | 11 +-
machines/thatcher/configuration.nix | 34 +-
machines/thatcher/net.nix | 7 +-
machines/twinkpaw/configuration.nix | 34 +-
machines/twinkpaw/hardware-configuration.nix | 20 +-
machines/yato/configuration.nix | 13 +-
nix/ci.nix | 122 +++---
nix/home-manager/astral/cli/conda-hooks.nix | 24 +-
nix/home-manager/astral/cli/default.nix | 306 +++++++------
nix/home-manager/astral/default.nix | 13 +-
nix/home-manager/astral/gui/default.nix | 53 ++-
.../astral/gui/i3-xfce/default.nix | 182 +++++---
.../astral/gui/xmonad/default.nix | 152 +++----
nix/home-manager/astral/macos/default.nix | 27 +-
nix/home-manager/astral/vi/default.nix | 130 +++---
nix/lib/default.nix | 9 +-
nix/lib/github-actions.nix | 403 ++++++++++--------
nix/nixos-modules/astral/acme.nix | 3 +-
nix/nixos-modules/astral/backup/db.nix | 18 +-
nix/nixos-modules/astral/backup/default.nix | 8 +-
nix/nixos-modules/astral/backup/services.nix | 7 +-
.../astral/backup/vault-secrets.nix | 13 +-
nix/nixos-modules/astral/cachix.nix | 7 +-
nix/nixos-modules/astral/ci.nix | 38 +-
.../astral/custom-nginx-errors/default.nix | 40 +-
.../astral/custom-tty/default.nix | 56 ++-
nix/nixos-modules/astral/default.nix | 15 +-
nix/nixos-modules/astral/flake-input.nix | 11 +-
nix/nixos-modules/astral/hw/default.nix | 8 +-
nix/nixos-modules/astral/hw/kb-flashing.nix | 15 +-
.../astral/hw/logitech-unifying.nix | 10 +-
nix/nixos-modules/astral/hw/surface.nix | 35 +-
nix/nixos-modules/astral/infra-update.nix | 48 ++-
.../astral/monitoring-node/default.nix | 9 +-
.../astral/monitoring-node/options.nix | 37 +-
.../astral/monitoring-node/prometheus.nix | 38 +-
.../astral/monitoring-node/promtail.nix | 40 +-
.../astral/monitoring-node/transport.nix | 18 +-
.../astral/mount-root-to-home.nix | 6 +-
nix/nixos-modules/astral/net/default.nix | 8 +-
nix/nixos-modules/astral/net/sshd.nix | 39 +-
nix/nixos-modules/astral/net/xrdp.nix | 25 +-
nix/nixos-modules/astral/net/zerotier.nix | 29 +-
nix/nixos-modules/astral/nix-utils.nix | 8 +-
.../astral/program-sets/basics.nix | 102 ++---
.../astral/program-sets/browsers.nix | 10 +-
nix/nixos-modules/astral/program-sets/cad.nix | 14 +-
.../astral/program-sets/chat.nix | 26 +-
.../astral/program-sets/default.nix | 28 +-
nix/nixos-modules/astral/program-sets/dev.nix | 74 ++--
.../astral/program-sets/office.nix | 34 +-
.../astral/program-sets/security.nix | 26 +-
nix/nixos-modules/astral/program-sets/x11.nix | 30 +-
nix/nixos-modules/astral/tailscale.nix | 29 +-
nix/nixos-modules/astral/users/default.nix | 173 ++++----
nix/nixos-modules/astral/vfio.nix | 70 +--
nix/nixos-modules/astral/virt/default.nix | 8 +-
nix/nixos-modules/astral/virt/docker.nix | 23 +-
nix/nixos-modules/astral/virt/libvirt.nix | 49 ++-
nix/nixos-modules/astral/virt/lxc.nix | 35 +-
nix/nixos-modules/astral/xmonad/default.nix | 59 +--
nix/nixos-modules/astral/zfs-utils.nix | 3 +-
nix/nixos-modules/roles/akkoma/default.nix | 209 ++++-----
nix/nixos-modules/roles/armqr.nix | 36 +-
nix/nixos-modules/roles/auth-dns/default.nix | 51 ++-
nix/nixos-modules/roles/contabo-vps.nix | 8 +-
nix/nixos-modules/roles/ejabberd.nix | 100 +++--
nix/nixos-modules/roles/iot-gw/default.nix | 38 +-
nix/nixos-modules/roles/laptop.nix | 13 +-
nix/nixos-modules/roles/loki-server.nix | 46 +-
.../roles/media-server/default.nix | 19 +-
.../roles/monitoring-center/default.nix | 8 +-
.../roles/monitoring-center/grafana.nix | 29 +-
.../prometheus-discovery.nix | 62 +--
.../roles/monitoring-center/prometheus.nix | 23 +-
.../roles/monitoring-center/xmpp-alerts.nix | 18 +-
nix/nixos-modules/roles/nextcloud.nix | 28 +-
nix/nixos-modules/roles/oracle-cloud-vps.nix | 21 +-
nix/nixos-modules/roles/pc.nix | 86 ++--
nix/nixos-modules/roles/piwigo/default.nix | 11 +-
nix/nixos-modules/roles/server.nix | 14 +-
.../roles/sso-provider/default.nix | 13 +-
nix/nixos-modules/roles/vault/default.nix | 20 +-
nix/pkgs/authelia-bin.nix | 10 +-
nix/pkgs/build-support/convertImage.nix | 20 +-
nix/pkgs/build-support/default.nix | 3 +-
nix/pkgs/build-support/lxdUtils.nix | 34 +-
nix/pkgs/ci-import-and-tag-docker/default.nix | 3 +- nix/pkgs/default.nix | 34 +- .../images/installer-system/configuration.nix | 10 +- nix/pkgs/images/installer-system/default.nix | 59 ++- nix/pkgs/images/vendored/default.nix | 10 +- nix/pkgs/scan-ci-host-keys/default.nix | 23 +- nix/pkgs/update-ci-workflow/default.nix | 49 ++- nix/pkgs/vm-spawn.nix | 23 +- nix/shells.nix | 30 +- shell.nix | 15 +- ssh_keys/default.nix | 23 +- 143 files changed, 3077 insertions(+), 1878 deletions(-) diff --git a/ca/default.nix b/ca/default.nix index bf5e653c..92b22f64 100644 --- a/ca/default.nix +++ b/ca/default.nix @@ -1,15 +1,25 @@ { lib }: with builtins; -with lib; { +with lib; +{ root = readFile ./ifd3f.crt; - intermediates = concatMapAttrs (file: _: + intermediates = concatMapAttrs ( + file: _: let m = match "(.*)\\.(.*)" file; serial = elemAt m 0; ext = elemAt m 1; - in if m != null && elem ext [ "crt" "pem" ] then { - "${serial}" = readFile ./certs/${file}; - } else - { }) (builtins.readDir ./certs); + in + if + m != null + && elem ext [ + "crt" + "pem" + ] + then + { "${serial}" = readFile ./certs/${file}; } + else + { } + ) (builtins.readDir ./certs); } diff --git a/k8s/talos/common.nix b/k8s/talos/common.nix index 0d47183c..f96ecbff 100644 --- a/k8s/talos/common.nix +++ b/k8s/talos/common.nix @@ -21,6 +21,6 @@ rec { # All hosts only have one interface. This will pick the interface # https://www.talos.dev/v1.6/talos-guides/network/predictable-interface-names/#single-network-interface - network.interfaces = [{ deviceSelector.busPath = "0*"; }]; + network.interfaces = [ { deviceSelector.busPath = "0*"; } ]; }; } diff --git a/k8s/talos/controlplane.nix b/k8s/talos/controlplane.nix index 609869ce..d61d8b6c 100644 --- a/k8s/talos/controlplane.nix +++ b/k8s/talos/controlplane.nix 
@@ -1,7 +1,11 @@ -let common = import ./common.nix; -in { +let + common = import ./common.nix; +in +{ cluster = common.clusterBase // { - apiServer = { certSANs = [ common.controlPlaneVIP ]; }; + apiServer = { + certSANs = [ common.controlPlaneVIP ]; + }; clusterName = "ca7dc"; }; machine = common.machineBase; diff --git a/k8s/talos/worker.nix b/k8s/talos/worker.nix index 10e77f33..d1029821 100644 --- a/k8s/talos/worker.nix +++ b/k8s/talos/worker.nix @@ -1,5 +1,7 @@ -let common = import ./common.nix; -in { +let + common = import ./common.nix; +in +{ cluster = common.clusterBase; machine = common.machineBase; } diff --git a/machines/__basePC/configuration.nix b/machines/__basePC/configuration.nix index 42b06c19..884556ce 100644 --- a/machines/__basePC/configuration.nix +++ b/machines/__basePC/configuration.nix @@ -1,6 +1,13 @@ inputs: -{ config, pkgs, lib, modulesPath, ... }: -with lib; { +{ + config, + pkgs, + lib, + modulesPath, + ... +}: +with lib; +{ imports = [ (modulesPath + "/installer/scan/not-detected.nix") inputs.self.nixosModules.pc @@ -13,8 +20,14 @@ with lib; { tailscale.oneOffKey = "this isn't used ever lol"; }; - boot.initrd.availableKernelModules = - [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ]; + boot.initrd.availableKernelModules = [ + "xhci_pci" + "ahci" + "nvme" + "usbhid" + "usb_storage" + "sd_mod" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; @@ -71,4 +84,3 @@ with lib; { }; }; } - diff --git a/machines/__baseServer/configuration.nix b/machines/__baseServer/configuration.nix index cb00460f..288e76ab 100644 --- a/machines/__baseServer/configuration.nix +++ b/machines/__baseServer/configuration.nix @@ -1,6 +1,13 @@ inputs: -{ config, pkgs, lib, modulesPath, ... }: -with lib; { +{ + config, + pkgs, + lib, + modulesPath, + ... +}: +with lib; +{ imports = [ (modulesPath + "/profiles/qemu-guest.nix") inputs.self.nixosModules.server 
@@ -13,8 +20,13 @@ with lib; { tailscale.oneOffKey = "this isn't used ever lol"; }; - boot.initrd.availableKernelModules = - [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ]; + boot.initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "virtio_pci" + "virtio_scsi" + "sd_mod" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; @@ -28,8 +40,7 @@ with lib; { networking.useDHCP = lib.mkDefault true; networking.domain = "h.astrid.tech"; - hardware.cpu.amd.updateMicrocode = - lib.mkDefault config.hardware.enableRedistributableFirmware; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; boot.cleanTmpDir = true; zramSwap.enable = true; diff --git a/machines/ajinomoto/boot.nix b/machines/ajinomoto/boot.nix index 542bfc5d..3aa0ba12 100644 --- a/machines/ajinomoto/boot.nix +++ b/machines/ajinomoto/boot.nix @@ -1,7 +1,14 @@ inputs: -{ config, lib, pkgs, ... }: -let constants = import ./constants.nix; -in { +{ + config, + lib, + pkgs, + ... +}: +let + constants = import ./constants.nix; +in +{ boot.initrd.availableKernelModules = [ "ehci_pci" "ata_piix" @@ -16,13 +23,10 @@ in { boot.extraModulePackages = [ ]; # legacy boot moment - boot.loader.grub.devices = [ - "/dev/disk/by-id/usb-Generic_Flash_Disk_5AF232B0-0:0" - ]; + boot.loader.grub.devices = [ "/dev/disk/by-id/usb-Generic_Flash_Disk_5AF232B0-0:0" ]; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.intel.updateMicrocode = - lib.mkDefault config.hardware.enableRedistributableFirmware; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; # because we want to be able to decrypt host keys over SSH boot.initrd.network = { 
@@ -44,13 +48,10 @@ in { enable = true; port = 2222; # because we are using a different host key hostKeys = [ - (pkgs.writeText "ssh_host_rsa_key" - (builtins.readFile ./initrd/ssh_host_rsa_key)) - (pkgs.writeText "ssh_host_ed25519_key" - (builtins.readFile ./initrd/ssh_host_ed25519_key)) + (pkgs.writeText "ssh_host_rsa_key" (builtins.readFile ./initrd/ssh_host_rsa_key)) + (pkgs.writeText "ssh_host_ed25519_key" (builtins.readFile ./initrd/ssh_host_ed25519_key)) ]; authorizedKeys = inputs.self.lib.sshKeyDatabase.users.astrid; }; }; } - diff --git a/machines/ajinomoto/configuration.nix b/machines/ajinomoto/configuration.nix index 4341ada6..b7e24d46 100644 --- a/machines/ajinomoto/configuration.nix +++ b/machines/ajinomoto/configuration.nix @@ -1,6 +1,13 @@ inputs: -{ config, lib, pkgs, modulesPath, ... }: -with lib; { +{ + config, + lib, + pkgs, + modulesPath, + ... +}: +with lib; +{ imports = [ (modulesPath + "/installer/scan/not-detected.nix") diff --git a/machines/ajinomoto/constants.nix b/machines/ajinomoto/constants.nix index 7110564d..96936ecb 100644 --- a/machines/ajinomoto/constants.nix +++ b/machines/ajinomoto/constants.nix @@ -1,6 +1,6 @@ { /** Interface on the management port - */ + */ mgmt_if = "enp3s0"; -} \ No newline at end of file +} diff --git a/machines/ajinomoto/fs.nix b/machines/ajinomoto/fs.nix index 18d7f257..9dbfe961 100644 --- a/machines/ajinomoto/fs.nix +++ b/machines/ajinomoto/fs.nix @@ -4,7 +4,11 @@ fileSystems."/" = { device = "rootfs"; fsType = "tmpfs"; - options = [ "defaults" "size=256M" "mode=755" ]; + options = [ + "defaults" + "size=256M" + "mode=755" + ]; }; fileSystems."/boot" = { diff --git a/machines/amiya/configuration.nix b/machines/amiya/configuration.nix index e5018482..70f6fe01 100644 --- a/machines/amiya/configuration.nix +++ b/machines/amiya/configuration.nix @@ -1,6 +1,12 @@ inputs: -{ config, pkgs, lib, ... }: -with lib; { +{ + config, + pkgs, + lib, + ... +}: +with lib; +{ imports = [ ./hardware-configuration.nix 
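Review bot: The two reflowed `hostKeys` entries read initrd SSH private keys from `./initrd/` in the repository and wrap them in `pkgs.writeText`, so the private keys are both tracked in git and copied into the Nix store, which every local user can read; anyone holding either copy can impersonate this host's pre-boot SSH and observe whatever the operator types into it (the comment earlier in this file says that session is used to decrypt host keys). The formatting is fine, but the trade-off deserves a comment next to `# because we are using a different host key`, e.g. `# NOTE: these initrd keys are public by construction (repo + /nix/store); treat them as such and never reuse the real host keys here`, and it is worth confirming whether the bootloader's initrd-secrets mechanism is in use on this machine. The enclosing `boot.initrd.network.ssh` block starts before this hunk.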
@@ -38,21 +44,29 @@ with lib; { }; interfaces.enp3s0 = { - ipv4.addresses = [{ - address = "208.87.130.175"; - prefixLength = 24; - }]; - ipv6.addresses = [{ - address = "2605:a141:2108:6306::1"; - prefixLength = 64; - }]; + ipv4.addresses = [ + { + address = "208.87.130.175"; + prefixLength = 24; + } + ]; + ipv6.addresses = [ + { + address = "2605:a141:2108:6306::1"; + prefixLength = 64; + } + ]; }; }; services.resolved = { enable = true; - domains = - [ "8.8.8.8" "8.8.4.4" "2001:4860:4860::8888" "2001:4860:4860::8844" ]; + domains = [ + "8.8.8.8" + "8.8.4.4" + "2001:4860:4860::8888" + "2001:4860:4860::8844" + ]; }; services.year-of-bot = { @@ -82,8 +96,12 @@ with lib; { boot = { loader.grub.device = "/dev/sda"; - initrd.availableKernelModules = - [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ]; + initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "xen_blkfront" + "vmw_pvscsi" + ]; initrd.kernelModules = [ "nvme" ]; }; diff --git a/machines/amiya/hardware-configuration.nix b/machines/amiya/hardware-configuration.nix index 5897c922..fcc60d1b 100644 --- a/machines/amiya/hardware-configuration.nix +++ b/machines/amiya/hardware-configuration.nix @@ -1,11 +1,22 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: { +{ + config, + lib, + pkgs, + modulesPath, + ... +}: +{ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - boot.initrd.availableKernelModules = - [ "ahci" "xhci_pci" "virtio_pci" "sd_mod" ]; + boot.initrd.availableKernelModules = [ + "ahci" + "xhci_pci" + "virtio_pci" + "sd_mod" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; 
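Review bot: `services.resolved.domains` on the new side is populated with resolver IP addresses (`8.8.8.8`, `2001:4860:4860::8888`, …), but that option is resolved's search-domain list, so these values would be appended to unqualified names rather than used as upstream servers. They most likely belong in `networking.nameservers = [ … ];` or `services.resolved.fallbackDns = [ … ];`; nixfmt only reflowed the list, so the pre-existing mix-up survives. The `services.resolved` block is fully visible in the hunk; the surrounding `networking` set begins before it.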
@@ -24,6 +35,5 @@ networking.useDHCP = lib.mkDefault true; # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true; - hardware.cpu.intel.updateMicrocode = - lib.mkDefault config.hardware.enableRedistributableFirmware; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; } diff --git a/machines/banana/configuration.nix b/machines/banana/configuration.nix index caf0f497..a90bb10b 100644 --- a/machines/banana/configuration.nix +++ b/machines/banana/configuration.nix @@ -1,6 +1,12 @@ inputs: -{ config, pkgs, lib, ... }: -with lib; { +{ + config, + pkgs, + lib, + ... +}: +with lib; +{ imports = [ ./hardware-configuration.nix inputs.self.nixosModules.pc @@ -15,8 +21,7 @@ with lib; { pci-devs = [ ]; }; - astral.tailscale.oneOffKey = - "tskey-auth-kQpYuB2CNTRL-krpVu4TaHhBfxV7SWg3LgBtPG8t3QKyh4"; + astral.tailscale.oneOffKey = "tskey-auth-kQpYuB2CNTRL-krpVu4TaHhBfxV7SWg3LgBtPG8t3QKyh4"; # so i can be a *gamer* programs.steam.enable = true; diff --git a/machines/banana/hardware-configuration.nix b/machines/banana/hardware-configuration.nix index 5112921d..2a9bd90d 100644 --- a/machines/banana/hardware-configuration.nix +++ b/machines/banana/hardware-configuration.nix @@ -1,13 +1,24 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = - [ "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" ]; + boot.initrd.availableKernelModules = [ + "xhci_pci" + "ahci" + "nvme" + "usb_storage" + "sd_mod" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; 
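Review bot: The `astral.tailscale.oneOffKey` line in the banana hunk is a literal `tskey-auth-…` pre-auth key; the commit only re-joins it onto one line, but the value lives in git history and, depending on how the module consumes the option, in the Nix store of every host that evaluates this flake, so anyone with either can enrol a node into the tailnet until the key is revoked or, if "one-off" is accurate, consumed. The key should be supplied at activation time from a secrets store rather than as a string in the configuration — the diffstat shows `vault-secrets.nix` and a `vault` role already exist — and the committed value revoked in the Tailscale admin console. The same pattern appears in the bonney, chungus, diluc and durin hunks of this patch. The enclosing attribute set starts before this hunk.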
@@ -65,6 +76,5 @@ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; - hardware.cpu.intel.updateMicrocode = - lib.mkDefault config.hardware.enableRedistributableFirmware; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; } diff --git a/machines/bennett/configuration.nix b/machines/bennett/configuration.nix index 23108fd2..138a4198 100644 --- a/machines/bennett/configuration.nix +++ b/machines/bennett/configuration.nix @@ -1,6 +1,12 @@ inputs: -{ config, pkgs, lib, ... }: -with lib; { +{ + config, + pkgs, + lib, + ... +}: +with lib; +{ imports = [ ./hardware-configuration.nix @@ -17,10 +23,12 @@ with lib; { networking = { hostName = "bennett"; domain = "h.astrid.tech"; - interfaces.ens18.ipv6.addresses = [{ - address = "2605:a141:2108:6306::1"; - prefixLength = 64; - }]; + interfaces.ens18.ipv6.addresses = [ + { + address = "2605:a141:2108:6306::1"; + prefixLength = 64; + } + ]; }; time.timeZone = "US/Pacific"; diff --git a/machines/bennett/hardware-configuration.nix b/machines/bennett/hardware-configuration.nix index 50d8e603..6169e67f 100644 --- a/machines/bennett/hardware-configuration.nix +++ b/machines/bennett/hardware-configuration.nix @@ -1,13 +1,24 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - boot.initrd.availableKernelModules = - [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ]; + boot.initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "virtio_pci" + "virtio_scsi" + "sd_mod" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; 
@@ -26,6 +37,5 @@ networking.useDHCP = lib.mkDefault true; # networking.interfaces.ens18.useDHCP = lib.mkDefault true; - hardware.cpu.amd.updateMicrocode = - lib.mkDefault config.hardware.enableRedistributableFirmware; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; } diff --git a/machines/bonney/configuration.nix b/machines/bonney/configuration.nix index 47ea131e..8feb6b2d 100644 --- a/machines/bonney/configuration.nix +++ b/machines/bonney/configuration.nix @@ -1,6 +1,12 @@ inputs: -{ config, pkgs, lib, ... }: -with lib; { +{ + config, + pkgs, + lib, + ... +}: +with lib; +{ imports = [ ./hardware-configuration.nix inputs.nixos-hardware.nixosModules.common-cpu-intel @@ -19,8 +25,7 @@ with lib; { astral = { monitoring-node.scrapeTransport = "tailscale"; - tailscale.oneOffKey = - "tskey-auth-kkLCKn6CNTRL-tv1Pmix6CKCfrj9bX1U1JCFRJn7uFRgYd"; + tailscale.oneOffKey = "tskey-auth-kkLCKn6CNTRL-tv1Pmix6CKCfrj9bX1U1JCFRJn7uFRgYd"; }; networking = { @@ -29,7 +34,10 @@ with lib; { hostId = "f0097b23"; networkmanager.enable = true; - nameservers = [ "8.8.8.8" "8.8.4.4" ]; + nameservers = [ + "8.8.8.8" + "8.8.4.4" + ]; }; services.xserver.videoDrivers = [ "nvidia" ]; diff --git a/machines/bonney/hardware-configuration.nix b/machines/bonney/hardware-configuration.nix index 61daceae..048056c4 100644 --- a/machines/bonney/hardware-configuration.nix +++ b/machines/bonney/hardware-configuration.nix 
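Review bot: The reflowed `tailscale.oneOffKey = "tskey-auth-…"` line in the bonney hunk is a plaintext Tailscale pre-auth key committed to the repository, retrievable from git history regardless of later edits. Move it to a secret delivered at activation (the repo's vault modules are the obvious home) and revoke this value. The `astral` attribute set it sits in begins before the hunk.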
@@ -1,13 +1,26 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = - [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ]; + boot.initrd.availableKernelModules = [ + "xhci_pci" + "ehci_pci" + "ahci" + "usbhid" + "usb_storage" + "sd_mod" + "sr_mod" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; @@ -37,6 +50,5 @@ # networking.interfaces.eno1.useDHCP = lib.mkDefault true; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.intel.updateMicrocode = - lib.mkDefault config.hardware.enableRedistributableFirmware; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; } diff --git a/machines/boop/boot.nix b/machines/boop/boot.nix index c5c1d762..7e421bb2 100644 --- a/machines/boop/boot.nix +++ b/machines/boop/boot.nix @@ -1,8 +1,15 @@ inputs: -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: with lib; -let constants = import ./constants.nix; -in { +let + constants = import ./constants.nix; +in +{ boot.loader = { efi = { efiSysMountPoint = "/boot"; 
@@ -51,16 +58,13 @@ in { enable = true; port = 2222; # because we are using a different host key hostKeys = [ - (pkgs.writeText "ssh_host_rsa_key" - (builtins.readFile ./initrd/ssh_host_rsa_key)) - (pkgs.writeText "ssh_host_ed25519_key" - (builtins.readFile ./initrd/ssh_host_ed25519_key)) + (pkgs.writeText "ssh_host_rsa_key" (builtins.readFile ./initrd/ssh_host_rsa_key)) + (pkgs.writeText "ssh_host_ed25519_key" (builtins.readFile ./initrd/ssh_host_ed25519_key)) ]; authorizedKeys = inputs.self.lib.sshKeyDatabase.users.astrid; }; }; nixpkgs.hostPlatform = "x86_64-linux"; - hardware.cpu.intel.updateMicrocode = - mkDefault config.hardware.enableRedistributableFirmware; + hardware.cpu.intel.updateMicrocode = mkDefault config.hardware.enableRedistributableFirmware; } diff --git a/machines/boop/configuration.nix b/machines/boop/configuration.nix index bb016df7..48dc5c23 100644 --- a/machines/boop/configuration.nix +++ b/machines/boop/configuration.nix @@ -1,6 +1,13 @@ inputs: -{ config, pkgs, lib, modulesPath, ... }: -with lib; { +{ + config, + pkgs, + lib, + modulesPath, + ... +}: +with lib; +{ imports = [ (modulesPath + "/installer/scan/not-detected.nix") diff --git a/machines/boop/constants.nix b/machines/boop/constants.nix index 551d0711..25242ccb 100644 --- a/machines/boop/constants.nix +++ b/machines/boop/constants.nix @@ -1,6 +1,6 @@ { /** Interface on the management port - */ + */ mgmt_if = "eno1"; -} \ No newline at end of file +} diff --git a/machines/boop/fs.nix b/machines/boop/fs.nix index 557bc805..3fcdb4b4 100644 --- a/machines/boop/fs.nix +++ b/machines/boop/fs.nix @@ -4,7 +4,11 @@ fileSystems."/" = { device = "rootfs"; fsType = "tmpfs"; - options = [ "defaults" "size=256M" "mode=755" ]; + options = [ + "defaults" + "size=256M" + "mode=755" + ]; }; fileSystems."/tmp" = { diff --git a/machines/boop/net/bond.nix b/machines/boop/net/bond.nix index 6b00b101..905d43df 100644 --- a/machines/boop/net/bond.nix +++ b/machines/boop/net/bond.nix 
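Review bot: As in ajinomoto, the `hostKeys` lines feed repository-tracked initrd private keys through `pkgs.writeText`, placing them in the world-readable Nix store as well as in git; whoever can read either can impersonate this host's pre-boot SSH listener on port 2222. Worth a one-line comment beside `# because we are using a different host key` stating that these keys are intentionally separate from and weaker than the real host keys, and a check that the bootloader's initrd-secrets path is used if that is the intent. The `boot.initrd.network.ssh` block starts before this hunk.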
@@ -6,7 +6,8 @@ let bondname = "bond007"; prodvlan = "bond007.100"; prodbr = "prodbr"; -in { +in +{ systemd.network = { networks."10-bond-enos" = { name = "eno2 eno3 eno4"; diff --git a/machines/boop/net/default.nix b/machines/boop/net/default.nix index 5086ad60..13942188 100644 --- a/machines/boop/net/default.nix +++ b/machines/boop/net/default.nix @@ -3,12 +3,18 @@ with lib; let constants = import ../constants.nix; unaddressedNetwork = (import ./util.nix).unaddressedNetwork; -in { - imports = [ ./bond.nix ./k8s.nix ]; +in +{ + imports = [ + ./bond.nix + ./k8s.nix + ]; networking.useDHCP = false; networking.interfaces.${constants.mgmt_if}.useDHCP = true; networking.firewall.enable = mkForce false; - systemd.network = { enable = true; }; + systemd.network = { + enable = true; + }; } diff --git a/machines/boop/net/k8s.nix b/machines/boop/net/k8s.nix index 1e218cf7..45281ec6 100644 --- a/machines/boop/net/k8s.nix +++ b/machines/boop/net/k8s.nix @@ -1,5 +1,7 @@ -let util = import ./util.nix; -in { +let + util = import ./util.nix; +in +{ imports = [ (util.unaddressedBridge { name = "brk8s-w"; diff --git a/machines/boop/net/util.nix b/machines/boop/net/util.nix index aacb9035..821d8aeb 100644 --- a/machines/boop/net/util.nix +++ b/machines/boop/net/util.nix @@ -1,4 +1,5 @@ -with builtins; rec { +with builtins; +rec { unaddressedNetwork = { DHCP = "no"; IPv6AcceptRA = "no"; 
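Review bot: `networking.firewall.enable = mkForce false;` on the new side of the `boop/net/default.nix` hunk turns the host firewall off and `mkForce` prevents any shared role module from re-enabling it; the hunk gives no reason, and a reformat is a good moment to make that reason explicit so it is not mistaken for a leftover. Suggest `# firewall deliberately forced off for the bond/bridge setup in ./bond.nix and ./k8s.nix — TODO document what filters traffic for this host instead` above the line. The `let … in` block begins before this hunk.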
@@ -8,21 +9,27 @@ with builtins; rec { LinkLocalAddressing = "no"; }; - unaddressedBridge = { order ? 40, name, description }: { - systemd.network.netdevs."${toString order}-${name}" = { - netdevConfig = { - Name = name; - Kind = "bridge"; - Description = description; + unaddressedBridge = + { + order ? 40, + name, + description, + }: + { + systemd.network.netdevs."${toString order}-${name}" = { + netdevConfig = { + Name = name; + Kind = "bridge"; + Description = description; + }; }; - }; - systemd.network.networks."${toString order}-${name}" = { - name = name; - matchConfig.Type = "bridge"; - networkConfig = unaddressedNetwork // { - Description = description; - ConfigureWithoutCarrier = "yes"; + systemd.network.networks."${toString order}-${name}" = { + name = name; + matchConfig.Type = "bridge"; + networkConfig = unaddressedNetwork // { + Description = description; + ConfigureWithoutCarrier = "yes"; + }; }; }; - }; } diff --git a/machines/chungus/configuration.nix b/machines/chungus/configuration.nix index 1f626214..14bd717c 100644 --- a/machines/chungus/configuration.nix +++ b/machines/chungus/configuration.nix @@ -1,6 +1,12 @@ inputs: -{ config, pkgs, lib, ... }: -with lib; { +{ + config, + pkgs, + lib, + ... +}: +with lib; +{ imports = [ ./hardware-configuration.nix "${inputs.nixos-hardware}/common/cpu/amd" @@ -9,8 +15,7 @@ with lib; { time.timeZone = "US/Pacific"; - astral.tailscale.oneOffKey = - "tskey-auth-kCDetm2CNTRL-3bYunP5bKyUL7q7gdE9DxUHjinjQuZPZ"; + astral.tailscale.oneOffKey = "tskey-auth-kCDetm2CNTRL-3bYunP5bKyUL7q7gdE9DxUHjinjQuZPZ"; astral.vfio = { enable = true; iommu-mode = "amd_iommu"; @@ -71,8 +76,10 @@ with lib; { # RGB stuff hardware.i2c.enable = true; - environment.systemPackages = with pkgs; [ openrgb win10hotplug ]; + environment.systemPackages = with pkgs; [ + openrgb + win10hotplug + ]; services.xserver.dpi = 224; } - 
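Review bot: The reflowed `astral.tailscale.oneOffKey` line in the chungus hunk carries a literal Tailscale pre-auth key; it remains in git history and should be treated as compromised — revoke it and source the replacement from a secrets store at activation instead of an evaluated string. The surrounding attribute set starts before the hunk.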
diff --git a/machines/chungus/hardware-configuration.nix b/machines/chungus/hardware-configuration.nix index 943329e8..70a6ba12 100644 --- a/machines/chungus/hardware-configuration.nix +++ b/machines/chungus/hardware-configuration.nix @@ -1,13 +1,25 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = - [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; + boot.initrd.availableKernelModules = [ + "nvme" + "xhci_pci" + "ahci" + "usbhid" + "usb_storage" + "sd_mod" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-amd" ]; boot.extraModulePackages = [ ]; @@ -48,6 +60,5 @@ # networking.interfaces.ztyxa6hkol.useDHCP = lib.mkDefault true; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.amd.updateMicrocode = - lib.mkDefault config.hardware.enableRedistributableFirmware; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; } diff --git a/machines/constants.nix b/machines/constants.nix index 551d0711..25242ccb 100644 --- a/machines/constants.nix +++ b/machines/constants.nix @@ -1,6 +1,6 @@ { /** Interface on the management port - */ + */ mgmt_if = "eno1"; -} \ No newline at end of file +} diff --git a/machines/default.nix b/machines/default.nix index b26f997d..25c5a817 100644 --- a/machines/default.nix +++ b/machines/default.nix 
@@ -7,20 +7,31 @@ let configuration = import (path + "/configuration.nix") inputs; }; -in with nixpkgs-stable.lib; rec { - machines = let - dirs = (filterAttrs (name: type: - type == "directory" && pathExists (././${name}/machine-info.nix)) - (builtins.readDir ./.)); - in mapAttrs (hostname: _: mkMachine hostname (./. + "/${hostname}")) dirs; +in +with nixpkgs-stable.lib; +rec { + machines = + let + dirs = ( + filterAttrs (name: type: type == "directory" && pathExists (././${name}/machine-info.nix)) ( + builtins.readDir ./. + ) + ); + in + mapAttrs (hostname: _: mkMachine hostname (./. + "/${hostname}")) dirs; - nixosConfigurations = let - enabledMachines = - filterAttrs (_: m: m.machine-info.enabled or true) machines; - mkConfiguration = _: m: - nixpkgs-stable.lib.nixosSystem { - system = m.machine-info.arch; - modules = [ self.nixosModules.astral m.configuration ]; - }; - in mapAttrs mkConfiguration enabledMachines; + nixosConfigurations = + let + enabledMachines = filterAttrs (_: m: m.machine-info.enabled or true) machines; + mkConfiguration = + _: m: + nixpkgs-stable.lib.nixosSystem { + system = m.machine-info.arch; + modules = [ + self.nixosModules.astral + m.configuration + ]; + }; + in + mapAttrs mkConfiguration enabledMachines; } diff --git a/machines/diluc/configuration.nix b/machines/diluc/configuration.nix index dc1fc833..a7444998 100644 --- a/machines/diluc/configuration.nix +++ b/machines/diluc/configuration.nix @@ -1,6 +1,12 @@ inputs: -{ config, pkgs, lib, ... }: -with lib; { +{ + config, + pkgs, + lib, + ... +}: +with lib; +{ imports = [ inputs.self.nixosModules.contabo-vps inputs.self.nixosModules.server @@ -16,8 +22,7 @@ with lib; { astral = { ci.deploy-to = "173.212.242.107"; - tailscale.oneOffKey = - "tskey-auth-kZQrDU5CNTRL-nWmsZRQDWshXHtvTUvBvth6tnPmUpAkHg"; + tailscale.oneOffKey = "tskey-auth-kZQrDU5CNTRL-nWmsZRQDWshXHtvTUvBvth6tnPmUpAkHg"; monitoring-node.scrapeTransport = "https"; }; 
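Review bot: The diluc hunk re-joins a plaintext `tskey-auth-…` value onto the `tailscale.oneOffKey` line; like the other machines in this patch, the key is committed to the repository and recoverable from history, so it should be revoked and replaced with one loaded from a secrets store at activation. Note that this hunk also shows `ci.deploy-to = "173.212.242.107"`, i.e. the host is reachable by a public address, which raises the cost of a leaked enrolment key. The `astral` attribute set begins before the hunk.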
@@ -25,17 +30,25 @@ with lib; {
 hostName = "diluc";
 domain = "h.astrid.tech";
- firewall.allowedTCPPorts = [ 80 443 5432 ];
- interfaces.ens18.ipv6.addresses = [{
- address = "2a02:c207:2087:999::1";
- prefixLength = 128;
- }];
+ firewall.allowedTCPPorts = [
+ 80
+ 443
+ 5432
+ ];
+ interfaces.ens18.ipv6.addresses = [
+ {
+ address = "2a02:c207:2087:999::1";
+ prefixLength = 128;
+ }
+ ];
 bridges.bripa.interfaces = [ ];
- interfaces.bripa.ipv6.addresses = [{
- address = "2a02:c207:2087:999:1::1";
- prefixLength = 112;
- }];
+ interfaces.bripa.ipv6.addresses = [
+ {
+ address = "2a02:c207:2087:999:1::1";
+ prefixLength = 112;
+ }
+ ];
 };
 time.timeZone = "Europe/Berlin";
diff --git a/machines/diluc/hardware-configuration.nix b/machines/diluc/hardware-configuration.nix
index d74c4e8d..6e301d09 100644
--- a/machines/diluc/hardware-configuration.nix
+++ b/machines/diluc/hardware-configuration.nix
@@ -1,13 +1,24 @@
 # Do not modify this file! It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations. Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
 {
 imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
- boot.initrd.availableKernelModules =
- [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ];
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "uhci_hcd"
+ "virtio_pci"
+ "virtio_scsi"
+ "sd_mod"
+ ];
 boot.initrd.kernelModules = [ ];
 boot.kernelModules = [ ];
 boot.extraModulePackages = [ ];
@@ -26,6 +37,5 @@
 networking.useDHCP = lib.mkDefault true;
 # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
- hardware.cpu.intel.updateMicrocode =
- lib.mkDefault config.hardware.enableRedistributableFirmware;
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
diff --git a/machines/durin/configuration.nix b/machines/durin/configuration.nix
index cbcf98fb..ce4f7883 100644
--- a/machines/durin/configuration.nix
+++ b/machines/durin/configuration.nix
@@ -1,6 +1,12 @@
 inputs:
-{ config, pkgs, lib, ... }:
-with lib; {
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+with lib;
+{
 imports = [
 inputs.self.nixosModules.oracle-cloud-vps
 inputs.self.nixosModules.server
@@ -10,8 +16,7 @@ with lib; {
 astral = {
 ci.deploy-to = "192.9.241.223";
- tailscale.oneOffKey =
- "tskey-auth-kc9Bdo5CNTRL-mF1eQASE3L1p6CwLorXdJ1aZYCwBy8raR";
+ tailscale.oneOffKey = "tskey-auth-kc9Bdo5CNTRL-mF1eQASE3L1p6CwLorXdJ1aZYCwBy8raR";
 monitoring-node.scrapeTransport = "https";
 };
diff --git a/machines/gfdesk/boot.nix b/machines/gfdesk/boot.nix
index 9a9c808f..14a70e6c 100644
--- a/machines/gfdesk/boot.nix
+++ b/machines/gfdesk/boot.nix
@@ -1,5 +1,6 @@
 { config, lib, ... }:
-with lib; {
+with lib;
+{
 # Use the GRUB boot loader in BIOS mode because tfw no EFI
 boot.loader.grub = {
 enable = true;
@@ -8,13 +9,18 @@ with lib; {
 splashImage = ./homura.jpg;
 };
- boot.initrd.availableKernelModules =
- [ "ehci_pci" "ata_piix" "uhci_hcd" "hpsa" "usb_storage" "sd_mod" ];
+ boot.initrd.availableKernelModules = [
+ "ehci_pci"
+ "ata_piix"
+ "uhci_hcd"
+ "hpsa"
+ "usb_storage"
+ "sd_mod"
+ ];
 boot.initrd.kernelModules = [ ];
 boot.kernelModules = [ "kvm-intel" ];
 boot.extraModulePackages = [ ];
 nixpkgs.hostPlatform = "x86_64-linux";
- hardware.cpu.intel.updateMicrocode =
- mkDefault config.hardware.enableRedistributableFirmware;
+ hardware.cpu.intel.updateMicrocode = mkDefault config.hardware.enableRedistributableFirmware;
 }
diff --git a/machines/gfdesk/configuration.nix b/machines/gfdesk/configuration.nix
index cc43fb5b..a96d96c6 100644
--- a/machines/gfdesk/configuration.nix
+++ b/machines/gfdesk/configuration.nix
@@ -1,6 +1,13 @@
 inputs:
-{ config, pkgs, lib, modulesPath, ... }:
-with lib; {
+{
+ config,
+ pkgs,
+ lib,
+ modulesPath,
+ ...
+}:
+with lib;
+{
 imports = [
 (modulesPath + "/installer/scan/not-detected.nix")
@@ -26,8 +33,7 @@ with lib; {
 libvirt.enable = true;
 };
 monitoring-node.scrapeTransport = "tailscale";
- tailscale.oneOffKey =
- "tskey-auth-kw1UVH6CNTRL-SfhN6EEVv3A74NvnoJRA5Azutj6eJYwVc";
+ tailscale.oneOffKey = "tskey-auth-kw1UVH6CNTRL-SfhN6EEVv3A74NvnoJRA5Azutj6eJYwVc";
 backup.db.enable = false;
 };
@@ -46,10 +52,14 @@ with lib; {
 services.postgresql = {
 enable = true;
 ensureDatabases = [ "akkoma" ];
- ensureUsers = [{
- name = "akkoma";
- ensurePermissions = { "DATABASE \"akkoma\"" = "ALL PRIVILEGES"; };
- }];
+ ensureUsers = [
+ {
+ name = "akkoma";
+ ensurePermissions = {
+ "DATABASE \"akkoma\"" = "ALL PRIVILEGES";
+ };
+ }
+ ];
 settings = {
 listen_addresses = mkForce "*";
diff --git a/machines/gfdesk/deluge.nix b/machines/gfdesk/deluge.nix
index 75179a78..b9176a9a 100644
--- a/machines/gfdesk/deluge.nix
+++ b/machines/gfdesk/deluge.nix
@@ -1,4 +1,5 @@
-{ config, ... }: {
+{ config, ... }:
+{
 services.deluge = {
 enable = true;
 web.enable = true;
diff --git a/machines/gfdesk/fs.nix b/machines/gfdesk/fs.nix
index 71d74dbb..5666dcce 100644
--- a/machines/gfdesk/fs.nix
+++ b/machines/gfdesk/fs.nix
@@ -4,7 +4,11 @@
 fileSystems."/" = {
 device = "rootfs";
 fsType = "tmpfs";
- options = [ "defaults" "size=256M" "mode=755" ];
+ options = [
+ "defaults"
+ "size=256M"
+ "mode=755"
+ ];
 };
 fileSystems."/boot" = {
diff --git a/machines/gfdesk/share.nix b/machines/gfdesk/share.nix
index 9290b14d..65e8e482 100644
--- a/machines/gfdesk/share.nix
+++ b/machines/gfdesk/share.nix
@@ -2,15 +2,23 @@
 let
 lan4 = "192.168.1.0/24";
 lan6 = "2001:5a8:401a:f60a::/64";
- policyaddrs = addrs: policy:
- lib.concatMapStringsSep " " (a: "${a}(${policy})") addrs;
-in {
+ policyaddrs = addrs: policy: lib.concatMapStringsSep " " (a: "${a}(${policy})") addrs;
+in
+{
 services.nfs.server = {
 enable = true;
 exports = ''
- /export ${policyaddrs [ lan4 lan6 ] "ro,fsid=0,no_subtree_check"}
+ /export ${
+ policyaddrs [
+ lan4
+ lan6
+ ] "ro,fsid=0,no_subtree_check"
+ }
 /export/torrent ${
- policyaddrs [ lan4 lan6 ] "ro,insecure,no_root_squash,sync"
+ policyaddrs [
+ lan4
+ lan6
+ ] "ro,insecure,no_root_squash,sync"
 }
 '';
 };
diff --git a/machines/ghoti/configuration.nix b/machines/ghoti/configuration.nix
index e2bae9bb..b8d8c1c2 100644
--- a/machines/ghoti/configuration.nix
+++ b/machines/ghoti/configuration.nix
@@ -1,6 +1,13 @@
 inputs:
-{ config, pkgs, lib, modulesPath, ... }:
-with lib; {
+{
+ config,
+ pkgs,
+ lib,
+ modulesPath,
+ ...
+}:
+with lib;
+{
 imports = [
 "${modulesPath}/installer/sd-card/sd-image-aarch64.nix"
 inputs.nixos-hardware.nixosModules.raspberry-pi-4
@@ -11,8 +18,7 @@ with lib; {
 astral = {
 monitoring-node.scrapeTransport = "tailscale";
- tailscale.oneOffKey =
- "tskey-auth-kmaxKP6CNTRL-2367V3ZvY17oaxmkCUeEz6wpSaVDixp9K";
+ tailscale.oneOffKey = "tskey-auth-kmaxKP6CNTRL-2367V3ZvY17oaxmkCUeEz6wpSaVDixp9K";
 };
 boot.loader.grub.enable = false;
diff --git a/machines/inferno/configuration.nix b/machines/inferno/configuration.nix
index 70a3ad87..d860741f 100644
--- a/machines/inferno/configuration.nix
+++ b/machines/inferno/configuration.nix
@@ -1,8 +1,17 @@
 inputs:
-{ config, pkgs, lib, ... }:
-with lib; {
- imports =
- [ ./hardware-configuration.nix inputs.self.nixosModules.server ./net.nix ];
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+with lib;
+{
+ imports = [
+ ./hardware-configuration.nix
+ inputs.self.nixosModules.server
+ ./net.nix
+ ];
 astral = {
 # Disable for now because it simply can't be reached
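Review bot: The reformatted `/export/torrent` entry keeps `no_root_squash` together with `insecure` on a share that is already `ro`, so root on any host in `lan4`/`lan6` is mapped to root on the server side of the export and requests are accepted from unprivileged source ports, and nothing in the hunk records why either option is needed. If no client genuinely requires root mapping, dropping `no_root_squash` (the default `root_squash` then applies) and `insecure` is the smaller exposure; if one does, a one-line comment such as `# no_root_squash/insecure required by <client> — TODO confirm` next to the export keeps the exception auditable. The `let` defining `policyaddrs` is inside the hunk, so the export strings are self-contained here.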
diff --git a/machines/inferno/hardware-configuration.nix b/machines/inferno/hardware-configuration.nix
index 18ece5e8..1ec2205a 100644
--- a/machines/inferno/hardware-configuration.nix
+++ b/machines/inferno/hardware-configuration.nix
@@ -1,13 +1,23 @@
 # Do not modify this file! It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations. Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
 {
 imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
- boot.initrd.availableKernelModules =
- [ "xhci_pci" "ahci" "usb_storage" "sd_mod" ];
+ boot.initrd.availableKernelModules = [
+ "xhci_pci"
+ "ahci"
+ "usb_storage"
+ "sd_mod"
+ ];
 boot.initrd.kernelModules = [ ];
 boot.kernelModules = [ "kvm-intel" ];
 boot.extraModulePackages = [ ];
@@ -45,6 +55,5 @@
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
- hardware.cpu.intel.updateMicrocode =
- lib.mkDefault config.hardware.enableRedistributableFirmware;
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
diff --git a/machines/inferno/net.nix b/machines/inferno/net.nix
index 2277b9a7..2b6224e9 100644
--- a/machines/inferno/net.nix
+++ b/machines/inferno/net.nix
@@ -1,5 +1,11 @@
-{ config, pkgs, lib, ... }:
-with lib; {
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+with lib;
+{
 networking.firewall.enable = mkForce false;
 networking.useDHCP = false;
@@ -13,20 +19,24 @@ with lib; {
 # Motherboard port, accessible for debugging purposes.
 networking.interfaces.enp0s31f6 = {
 useDHCP = true;
- ipv4.addresses = [{
- address = "172.16.69.1";
- prefixLength = 24;
- }];
+ ipv4.addresses = [
+ {
+ address = "172.16.69.1";
+ prefixLength = 24;
+ }
+ ];
 tempAddress = "enabled";
 };
 # This is connected to vlan 69, albeit indirectly.
 networking.bridges.mgmtlink.interfaces = [ ];
 networking.interfaces.mgmtlink = {
- ipv4.addresses = [{
- address = "192.168.69.10";
- prefixLength = 24;
- }];
+ ipv4.addresses = [
+ {
+ address = "192.168.69.10";
+ prefixLength = 24;
+ }
+ ];
 tempAddress = "disabled";
 };
diff --git a/machines/shai-hulud/configuration.nix b/machines/shai-hulud/configuration.nix
index 8cf2d674..d37b4d5c 100644
--- a/machines/shai-hulud/configuration.nix
+++ b/machines/shai-hulud/configuration.nix
@@ -1,11 +1,19 @@
 inputs:
-{ config, pkgs, lib, ... }:
-with lib; {
- imports = [ ./hardware-configuration.nix ]
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+with lib;
+{
+ imports =
+ [ ./hardware-configuration.nix ]
 ++ (with inputs.nixos-hardware.nixosModules; [
 common-pc-ssd
 microsoft-surface-common
- ]) ++ [
+ ])
+ ++ [
 inputs.self.nixosModules.laptop
 inputs.self.nixosModules.pc
@@ -71,4 +79,3 @@ with lib; {
 services.xserver.dpi = 180;
 }
-
diff --git a/machines/shai-hulud/hardware-configuration.nix b/machines/shai-hulud/hardware-configuration.nix
index 59fba0e5..954b6e43 100644
--- a/machines/shai-hulud/hardware-configuration.nix
+++ b/machines/shai-hulud/hardware-configuration.nix
@@ -1,13 +1,23 @@
 # Do not modify this file! It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations. Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
 {
 imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
- boot.initrd.availableKernelModules =
- [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ];
+ boot.initrd.availableKernelModules = [
+ "xhci_pci"
+ "nvme"
+ "usb_storage"
+ "sd_mod"
+ ];
 boot.initrd.kernelModules = [ "dm-snapshot" ];
 boot.kernelModules = [ "kvm-intel" ];
 boot.extraModulePackages = [ ];
@@ -21,6 +31,5 @@
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
- hardware.cpu.intel.updateMicrocode =
- lib.mkDefault config.hardware.enableRedistributableFirmware;
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
diff --git a/machines/squid/configuration.nix b/machines/squid/configuration.nix
index 636bbd1d..bb6e8c95 100644
--- a/machines/squid/configuration.nix
+++ b/machines/squid/configuration.nix
@@ -1,6 +1,13 @@
 inputs:
-{ config, pkgs, lib, modulesPath, ... }:
-with lib; {
+{
+ config,
+ pkgs,
+ lib,
+ modulesPath,
+ ...
+}:
+with lib;
+{
 imports = [
 "${modulesPath}/installer/sd-card/sd-image-aarch64.nix"
 inputs.self.nixosModules.server
diff --git a/machines/thatcher/configuration.nix b/machines/thatcher/configuration.nix
index da5dd0e4..182dd049 100644
--- a/machines/thatcher/configuration.nix
+++ b/machines/thatcher/configuration.nix
@@ -1,7 +1,16 @@
 inputs:
-{ config, pkgs, lib, modulesPath, ... }:
-let rootFSUID = "5a713012-c18f-4b4f-b900-137c5739c854";
-in with lib; {
+{
+ config,
+ pkgs,
+ lib,
+ modulesPath,
+ ...
+}:
+let
+ rootFSUID = "5a713012-c18f-4b4f-b900-137c5739c854";
+in
+with lib;
+{
 imports = [
 (modulesPath + "/profiles/qemu-guest.nix")
 inputs.self.nixosModules.server
@@ -29,20 +38,29 @@ in with lib; {
 boot = {
 growPartition = true;
- kernelParams = [ "console=tty0" "boot.shell_on_fail" ];
+ kernelParams = [
+ "console=tty0"
+ "boot.shell_on_fail"
+ ];
 loader.grub.device = "/dev/vda";
 loader.timeout = 3;
 };
- system.build.raw = mkForce
- (import "${toString modulesPath}/../lib/make-disk-image.nix" {
- inherit lib config pkgs rootFSUID;
+ system.build.raw = mkForce (
+ import "${toString modulesPath}/../lib/make-disk-image.nix" {
+ inherit
+ lib
+ config
+ pkgs
+ rootFSUID
+ ;
 name = "thatcher-disk-image";
 label = "root";
 diskSize = "auto";
 format = "raw";
 copyChannel = false;
- });
+ }
+ );
 # This script reproduces, as close as possible, the conditions of the actual machine.
 # This is useful for testing if the wget -O- | dd of=/dev/vda will work.
diff --git a/machines/thatcher/net.nix b/machines/thatcher/net.nix
index b7615725..b6aaf6ca 100644
--- a/machines/thatcher/net.nix
+++ b/machines/thatcher/net.nix
@@ -1,5 +1,6 @@
 { pkgs, lib, ... }:
-with lib; {
+with lib;
+{
 networking.useDHCP = false;
 systemd.network = {
@@ -17,9 +18,9 @@ with lib; {
 { addressConfig.Address = "100.64.0.45/31"; }
 { addressConfig.Address = "2a11:f2c0:3:16::1/64"; }
 ];
- routes = [{ routeConfig.Gateway = "100.64.0.44"; }];
+ routes = [ { routeConfig.Gateway = "100.64.0.44"; } ];
 };
 };
- environment.systemPackages = with pkgs; [dhcpcd];
+ environment.systemPackages = with pkgs; [ dhcpcd ];
 }
diff --git a/machines/twinkpaw/configuration.nix b/machines/twinkpaw/configuration.nix
index 5c835a77..95747131 100644
--- a/machines/twinkpaw/configuration.nix
+++ b/machines/twinkpaw/configuration.nix
@@ -1,6 +1,12 @@
 inputs:
-{ config, pkgs, lib, ... }:
-with lib; {
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+with lib;
+{
 imports = [
 ./hardware-configuration.nix
 inputs.self.nixosModules.pc
@@ -9,13 +15,14 @@ with lib; {
 time.timeZone = "US/Pacific";
- astral.tailscale.oneOffKey =
- "tskey-auth-kQpYuB2CNTRL-krpVu4TaHhBfxV7SWg3LgBtPG8t3QKyh4";
+ astral.tailscale.oneOffKey = "tskey-auth-kQpYuB2CNTRL-krpVu4TaHhBfxV7SWg3LgBtPG8t3QKyh4";
 # so i can be a *gamer*
 programs.steam.enable = true;
- services = { blueman.enable = true; };
+ services = {
+ blueman.enable = true;
+ };
 virtualisation.lxd.enable = true;
@@ -45,14 +52,15 @@ with lib; {
 efiSupport = true;
 enable = true;
 useOSProber = false;
- splashImage = let
- image = with pkgs;
- runCommand "twinkpaw-bg.jpg" { } ''
- ${imagemagick}/bin/convert -brightness-contrast -10 ${
- ./bg.jpg
- } $out
- '';
- in "${image}";
+ splashImage =
+ let
+ image =
+ with pkgs;
+ runCommand "twinkpaw-bg.jpg" { } ''
+ ${imagemagick}/bin/convert -brightness-contrast -10 ${./bg.jpg} $out
+ '';
+ in
+ "${image}";
 };
 };
 };
diff --git a/machines/twinkpaw/hardware-configuration.nix b/machines/twinkpaw/hardware-configuration.nix
index 5112921d..2a9bd90d 100644
--- a/machines/twinkpaw/hardware-configuration.nix
+++ b/machines/twinkpaw/hardware-configuration.nix
@@ -1,13 +1,24 @@
 # Do not modify this file! It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations. Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
 {
 imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
- boot.initrd.availableKernelModules =
- [ "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" ];
+ boot.initrd.availableKernelModules = [
+ "xhci_pci"
+ "ahci"
+ "nvme"
+ "usb_storage"
+ "sd_mod"
+ ];
 boot.initrd.kernelModules = [ ];
 boot.kernelModules = [ "kvm-intel" ];
 boot.extraModulePackages = [ ];
@@ -65,6 +76,5 @@
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
- hardware.cpu.intel.updateMicrocode =
- lib.mkDefault config.hardware.enableRedistributableFirmware;
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
diff --git a/machines/yato/configuration.nix b/machines/yato/configuration.nix
index c68fab87..357ff6da 100644
--- a/machines/yato/configuration.nix
+++ b/machines/yato/configuration.nix
@@ -1,6 +1,12 @@
 inputs:
-{ config, pkgs, lib, ... }:
-with lib; {
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+with lib;
+{
 imports = [
 inputs.self.nixosModules.oracle-cloud-vps
 inputs.self.nixosModules.server
@@ -10,8 +16,7 @@ with lib; {
 astral = {
 ci.deploy-to = "192.9.153.114";
- tailscale.oneOffKey =
- "tskey-auth-kCfjRX3CNTRL-kx4uk1v9QCdsz6RMdS5wAd9J6czeFeuD";
+ tailscale.oneOffKey = "tskey-auth-kCfjRX3CNTRL-kx4uk1v9QCdsz6RMdS5wAd9J6czeFeuD";
 monitoring-node.scrapeTransport = "https";
 };
diff --git a/nix/ci.nix b/nix/ci.nix
index aa0df109..6f996387 100644
--- a/nix/ci.nix
+++ b/nix/ci.nix
@@ -2,81 +2,103 @@
 with lib;
 let
 # Generate a node for each x86_64-linux NixOS system.
- nixosNodesForSystem = system:
- mapAttrs' (hostname: nixosSystem:
- let cfg = nixosSystem.config.astral.ci;
- in {
- name = "nixos-system-${hostname}";
- value = {
- inherit system;
- inherit (cfg) needs prune-runner;
+ nixosNodesForSystem =
+ system:
+ mapAttrs'
+ (
+ hostname: nixosSystem:
+ let
+ cfg = nixosSystem.config.astral.ci;
+ in
+ {
+ name = "nixos-system-${hostname}";
+ value = {
+ inherit system;
+ inherit (cfg) needs prune-runner;
- name = "NixOS sys. ${hostname}";
- build =
- "nixosConfigurations.${hostname}.config.system.build.toplevel";
- run = mapNullable
- (_: "nixosConfigurations.${hostname}.config.astral.ci.run-package")
- cfg.run-package;
- deploy = mapNullable (_:
- "nixosConfigurations.${hostname}.config.astral.ci.deploy-package")
- cfg.deploy-package;
- };
- }) (filterAttrs (hostname: nixosSystem:
- nixosSystem.pkgs.system == system
- && nixosSystem.config.astral.ci.enable) self.nixosConfigurations);
+ name = "NixOS sys. ${hostname}";
+ build = "nixosConfigurations.${hostname}.config.system.build.toplevel";
+ run = mapNullable (
+ _: "nixosConfigurations.${hostname}.config.astral.ci.run-package"
+ ) cfg.run-package;
+ deploy = mapNullable (
+ _: "nixosConfigurations.${hostname}.config.astral.ci.deploy-package"
+ ) cfg.deploy-package;
+ };
+ }
+ )
+ (
+ filterAttrs (
+ hostname: nixosSystem: nixosSystem.pkgs.system == system && nixosSystem.config.astral.ci.enable
+ ) self.nixosConfigurations
+ );
 homeManagerNodeForSystem = system: {
 inherit system;
 name = "Home cfgs. ${system}";
- build =
- mapAttrsToList (key: _: "homeConfigurations.${key}.activationPackage")
- (filterAttrs (_: home: home.pkgs.system == system)
- self.homeConfigurations);
+ build = mapAttrsToList (key: _: "homeConfigurations.${key}.activationPackage") (
+ filterAttrs (_: home: home.pkgs.system == system) self.homeConfigurations
+ );
 };
 devShellNodeForSystem = system: {
 inherit system;
 name = "DevShells ${system}";
- build = mapAttrsToList (key: _: "devShells.${system}.${key}")
- self.devShells.${system};
+ build = mapAttrsToList (key: _: "devShells.${system}.${key}") self.devShells.${system};
 };
-in rec {
+in
+rec {
 known_hosts = builtins.readFile ./ci/known_hosts;
- ssh-deploy-targets = sort lessThan (filter (x: x != null)
- (mapAttrsToList (_: system: system.config.astral.ci.deploy-to)
- self.nixosConfigurations));
+ ssh-deploy-targets = sort lessThan (
+ filter (x: x != null) (
+ mapAttrsToList (_: system: system.config.astral.ci.deploy-to) self.nixosConfigurations
+ )
+ );
 cronSchedule = "0 6 * * 6";
 cachix = "astralbijection";
- nodes = {
- installer-iso = {
- name = "x86 Installer ISO";
- system = "x86_64-linux";
- build = "packages.x86_64-linux.installer-iso";
+ nodes =
+ {
+ installer-iso = {
+ name = "x86 Installer ISO";
+ system = "x86_64-linux";
+ build = "packages.x86_64-linux.installer-iso";
- needs = [ "home-manager-x86_64-linux" ];
- };
+ needs = [ "home-manager-x86_64-linux" ];
+ };
- surface-kernel = {
- name = "Compile MS Surface kernel";
- system = "x86_64-linux";
- prune-runner = true;
- build =
- "nixosConfigurations.shai-hulud.config.boot.kernelPackages.kernel";
- };
- } // (foldAttrs mergeAttrs { } (builtins.map (system: {
- "devShells-${system}" = devShellNodeForSystem system;
- "home-manager-${system}" = homeManagerNodeForSystem system;
- }) [ "x86_64-linux" "x86_64-darwin" ]))
+ surface-kernel = {
+ name = "Compile MS Surface kernel";
+ system = "x86_64-linux";
+ prune-runner = true;
+ build = "nixosConfigurations.shai-hulud.config.boot.kernelPackages.kernel";
+ };
+ }
+ // (foldAttrs mergeAttrs { } (
+ builtins.map
+ (system: {
+ "devShells-${system}" = devShellNodeForSystem system;
+ "home-manager-${system}" = homeManagerNodeForSystem system;
+ })
+ [
+ "x86_64-linux"
+ "x86_64-darwin"
+ ]
+ ))
 // (nixosNodesForSystem "x86_64-linux");
 workflow = self.lib.makeGithubWorkflow {
- inherit cronSchedule cachix nodes known_hosts;
+ inherit
+ cronSchedule
+ cachix
+ nodes
+ known_hosts
+ ;
 };
 }
diff --git a/nix/home-manager/astral/cli/conda-hooks.nix b/nix/home-manager/astral/cli/conda-hooks.nix
index a1b0098d..6fabf014 100644
--- a/nix/home-manager/astral/cli/conda-hooks.nix
+++ b/nix/home-manager/astral/cli/conda-hooks.nix
@@ -1,5 +1,6 @@
 { config, lib, ... }:
-with lib; {
+with lib;
+{
 options.astral.cli.conda-hooks = {
 enable = mkOption {
 description = "Whether to add conda hooks to CLI.";
@@ -14,14 +15,17 @@ with lib; {
 };
 };
- config.programs = let cfg = config.astral.cli.conda-hooks;
- in mkIf cfg.enable {
- bash.profileExtra = ''
- eval "$(${cfg.conda} shell.bash hook)"
- '';
+ config.programs =
+ let
+ cfg = config.astral.cli.conda-hooks;
+ in
+ mkIf cfg.enable {
+ bash.profileExtra = ''
+ eval "$(${cfg.conda} shell.bash hook)"
+ '';
- zsh.profileExtra = ''
- eval "$(${cfg.conda} shell.zsh hook)"
- '';
- };
+ zsh.profileExtra = ''
+ eval "$(${cfg.conda} shell.zsh hook)"
+ '';
+ };
 }
diff --git a/nix/home-manager/astral/cli/default.nix b/nix/home-manager/astral/cli/default.nix
index a5c2ec00..6b6402dd 100644
--- a/nix/home-manager/astral/cli/default.nix
+++ b/nix/home-manager/astral/cli/default.nix
@@ -1,7 +1,15 @@
 # CLI-only home manager settings
-{ config, lib, pkgs, ... }:
-let commonProfile = builtins.readFile ./profile.sh;
-in with lib; {
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ commonProfile = builtins.readFile ./profile.sh;
+in
+with lib;
+{
 imports = [ ./conda-hooks.nix ];
 options.astral.cli = {
@@ -18,152 +26,170 @@ in with lib; {
 };
 };
- config = let
- cfg = config.astral.cli;
- commonAliases = (mkIf cfg.enable (mkMerge [
+ config =
+ let
+ cfg = config.astral.cli;
+ commonAliases = (
+ mkIf cfg.enable (mkMerge [
+ {
+ # Parent dirs
+ ".." = "..";
+ "..." = "../..";
+ "...." = "../../..";
+
+ # ls aliases
+ "la" = "ls -A";
+ "l" = "ls -CF";
+
+ # Automatically use colors
+ "ls" = "ls --color=auto";
+ "dir" = "dir --color=auto";
+ "vdir" = "vdir --color=auto";
+ "grep" = "grep --color=auto";
+ "fgrep" = "fgrep --color=auto";
+ "egrep" = "egrep --color=auto";
+
+ # Automatically set BW_SESSION
+ "bwlogin" = "export BW_SESSION=$(bw unlock --raw)";
+ }
+
+ (mkIf cfg.extended { "cal-poly-vpn" = "openconnect --protocol=gp cpvpn.calpoly.edu --user=myu27"; })
+ ])
+ );
+ in
+ mkIf cfg.enable (mkMerge [
 {
- # Parent dirs
- ".." = "..";
- "..." = "../..";
- "...." = "../../..";
-
- # ls aliases
- "la" = "ls -A";
- "l" = "ls -CF";
-
- # Automatically use colors
- "ls" = "ls --color=auto";
- "dir" = "dir --color=auto";
- "vdir" = "vdir --color=auto";
- "grep" = "grep --color=auto";
- "fgrep" = "fgrep --color=auto";
- "egrep" = "egrep --color=auto";
-
- # Automatically set BW_SESSION
- "bwlogin" = "export BW_SESSION=$(bw unlock --raw)";
- }
-
- (mkIf cfg.extended {
- "cal-poly-vpn" =
- "openconnect --protocol=gp cpvpn.calpoly.edu --user=myu27";
- })
- ]));
- in mkIf cfg.enable (mkMerge [
- {
- home = {
- shellAliases = commonAliases;
- sessionVariables = { EDITOR = "vi"; };
- packages = with pkgs; [ htop home-manager ];
- file = {
- ".config/ranger/rc.conf" = { source = ./ranger.conf; };
- ".stack/config.yaml" = { source = ./stack-config.yaml; };
+ home = {
+ shellAliases = commonAliases;
+ sessionVariables = {
+ EDITOR = "vi";
+ };
+ packages = with pkgs; [
+ htop
+ home-manager
+ ];
+ file = {
+ ".config/ranger/rc.conf" = {
+ source = ./ranger.conf;
+ };
+ ".stack/config.yaml" = {
+ source = ./stack-config.yaml;
+ };
+ };
 };
- };
-
- programs.git = {
- enable = true;
- lfs.enable = true;
- userName = "Astrid Yu";
- userEmail = "astrid@astrid.tech";
- extraConfig = {
- init.defaultBranch = "main";
- credential.helper = "store";
- core.autocrlf = "input";
+
+ programs.git = {
+ enable = true;
+ lfs.enable = true;
+ userName = "Astrid Yu";
+ userEmail = "astrid@astrid.tech";
+ extraConfig = {
+ init.defaultBranch = "main";
+ credential.helper = "store";
+ core.autocrlf = "input";
+ };
 };
- };
-
- programs.tmux = {
- enable = true;
- clock24 = true;
- keyMode = "vi";
- terminal = "screen-256color";
- historyLimit = 10000;
- newSession = true;
- };
-
- programs.zsh = {
- enable = true;
- initExtra = commonProfile;
- enableCompletion = true;
- syntaxHighlighting.enable = true;
-
- autocd = true;
- defaultKeymap = "emacs";
-
- history = {
- save = 1000000;
- size = 1000000;
- ignoreSpace = true;
- extended = true;
+
+ programs.tmux = {
+ enable = true;
+ clock24 = true;
+ keyMode = "vi";
+ terminal = "screen-256color";
+ historyLimit = 10000;
+ newSession = true;
 };
- oh-my-zsh = {
+ programs.zsh = {
 enable = true;
+ initExtra = commonProfile;
+ enableCompletion = true;
+ syntaxHighlighting.enable = true;
+
+ autocd = true;
+ defaultKeymap = "emacs";
+
+ history = {
+ save = 1000000;
+ size = 1000000;
+ ignoreSpace = true;
+ extended = true;
+ };
+
+ oh-my-zsh = {
+ enable = true;
+ plugins = [
+ "git"
+ "ssh-agent" # Auto-start a SSH agent
+ ];
+ };
+
+ initExtraBeforeCompInit = ''
+ # Powerlevel10k configuration
+ source ${./p10k.zsh}
+
+ # kubectl completion
+ type kubectl > /dev/null && source <(kubectl completion zsh)
+
+ # Do not load identities on start
+ # See https://github.com/ohmyzsh/ohmyzsh/tree/master/plugins/ssh-agent#settings
+ zstyle :omz:plugins:ssh-agent lazy yes
+
+ # Potentially needed on non-NixOS
+ export NIX_PATH=$HOME/.nix-defexpr/channels:/nix/var/nix/profiles/per-user/root/channels''${NIX_PATH:+:$NIX_PATH}
+ '';
+
+ plugins = [
- "git"
- "ssh-agent" # Auto-start a SSH agent
+ {
+ name = "powerlevel10k";
+ file = "powerlevel10k.zsh-theme";
+ src = "${pkgs.zsh-powerlevel10k}/share/zsh-powerlevel10k";
+ }
 ];
 };
- initExtraBeforeCompInit = ''
- # Powerlevel10k configuration
- source ${./p10k.zsh}
-
- # kubectl completion
- type kubectl > /dev/null && source <(kubectl completion zsh)
-
- # Do not load identities on start
- # See https://github.com/ohmyzsh/ohmyzsh/tree/master/plugins/ssh-agent#settings
- zstyle :omz:plugins:ssh-agent lazy yes
-
- # Potentially needed on non-NixOS
- export NIX_PATH=$HOME/.nix-defexpr/channels:/nix/var/nix/profiles/per-user/root/channels''${NIX_PATH:+:$NIX_PATH}
- '';
-
- plugins = [{
- name = "powerlevel10k";
- file = "powerlevel10k.zsh-theme";
- src = "${pkgs.zsh-powerlevel10k}/share/zsh-powerlevel10k";
- }];
- };
-
- programs.bash = {
- enable = true;
- initExtra = commonProfile;
- };
-
- programs.ssh = {
- enable = true;
- extraConfig = ''
- Host *
- AddKeysToAgent yes
-
- Host *.astrid.tech
- ForwardAgent yes
- '';
- };
- }
-
- (mkIf cfg.extended {
- programs.direnv = {
- enable = true;
- nix-direnv.enable = true;
- };
-
- programs.fzf = {
- enable = true;
- enableZshIntegration = true;
- tmux.enableShellIntegration = true;
- };
-
- programs.gpg = {
- enable = true;
- mutableKeys = true;
- scdaemonSettings = { disable-ccid = true; };
- };
-
- home.packages = with pkgs; [ bitwarden-cli gh ranger ];
- })
- ]);
+ programs.bash = {
+ enable = true;
+ initExtra = commonProfile;
+ };
+
+ programs.ssh = {
+ enable = true;
+ extraConfig = ''
+ Host *
+ AddKeysToAgent yes
+
+ Host *.astrid.tech
+ ForwardAgent yes
+ '';
+ };
+ }
+
+ (mkIf cfg.extended {
+ programs.direnv = {
+ enable = true;
+ nix-direnv.enable = true;
+ };
+
+ programs.fzf = {
+ enable = true;
+ enableZshIntegration = true;
+ tmux.enableShellIntegration = true;
+ };
+
+ programs.gpg = {
+ enable = true;
+ mutableKeys = true;
+ scdaemonSettings = {
+ disable-ccid = true;
+ };
+ };
+
+ home.packages = with pkgs; [
+ bitwarden-cli
+ gh
+ ranger
+ ];
+ })
+ ]);
 # home.file."email" = { source = ./email; };
 }
diff --git a/nix/home-manager/astral/default.nix b/nix/home-manager/astral/default.nix
index b4772871..6e2ef871 100644
--- a/nix/home-manager/astral/default.nix
+++ b/nix/home-manager/astral/default.nix
@@ -1,9 +1,14 @@
-{ pkgs, ... }: {
- imports = [ ./cli ./macos ./vi ./gui ];
+{ pkgs, ... }:
+{
+ imports = [
+ ./cli
+ ./macos
+ ./vi
+ ./gui
+ ];
 home = {
 username = "astrid";
- homeDirectory =
- if pkgs.stdenv.isLinux then "/home/astrid" else "/Users/astrid";
+ homeDirectory = if pkgs.stdenv.isLinux then "/home/astrid" else "/Users/astrid";
 stateVersion = "22.11";
 };
 }
diff --git a/nix/home-manager/astral/gui/default.nix b/nix/home-manager/astral/gui/default.nix
index bf533075..7f039117 100644
--- a/nix/home-manager/astral/gui/default.nix
+++ b/nix/home-manager/astral/gui/default.nix
@@ -1,7 +1,16 @@
 # X11-enabled home manager settings
-{ config, lib, pkgs, ... }:
-with lib; {
- imports = [ ./xmonad ./qtile ];
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib;
+{
+ imports = [
+ ./xmonad
+ ./qtile
+ ];
 options.astral.gui = {
 enable = mkOption {
@@ -11,23 +20,31 @@ with lib; {
 };
 };
- config = let cfg = config.astral.gui;
- in (mkIf cfg.enable (mkMerge [{
- nixpkgs.config.allowUnfree = true;
+ config =
+ let
+ cfg = config.astral.gui;
+ in
+ (mkIf cfg.enable (mkMerge [
+ {
+ nixpkgs.config.allowUnfree = true;
- programs = {
- firefox.enable = true;
- chromium.enable = true;
- autorandr.enable = true;
- };
+ programs = {
+ firefox.enable = true;
+ chromium.enable = true;
+ autorandr.enable = true;
+ };
- home.packages = with pkgs; [ xclip arandr ];
+ home.packages = with pkgs; [
+ xclip
+ arandr
+ ];
- home.shellAliases = {
- # Pipe to/from clipboard
- "c" = "xclip -selection clipboard";
- "v" = "xclip -o -selection clipboard";
- };
- }]));
+ home.shellAliases = {
+ # Pipe to/from clipboard
+ "c" = "xclip -selection clipboard";
+ "v" = "xclip -o -selection clipboard";
+ };
+ }
+ ]));
 }
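Review bot: `credential.helper = "store";` in the reformatted programs.git block persists HTTPS credentials unencrypted in `~/.git-credentials`, and `ForwardAgent yes` under `Host *.astrid.tech` hands the local SSH agent to every host matching that wildcard; both are carried over unchanged and undocumented. `credential.helper = "cache";` (or a platform keychain helper where one is available) avoids the plaintext file, and agent forwarding is safer limited to the specific hosts that need it rather than a domain wildcard. If the store helper is a deliberate choice for these machines, a comment such as `# plaintext ~/.git-credentials accepted here; rotate tokens if a host is lost` next to it would record the decision. The module attribute set this `config` belongs to begins before the hunk.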
diff --git a/nix/home-manager/astral/gui/i3-xfce/default.nix b/nix/home-manager/astral/gui/i3-xfce/default.nix
index c470d551..66e30d77 100644
--- a/nix/home-manager/astral/gui/i3-xfce/default.nix
+++ b/nix/home-manager/astral/gui/i3-xfce/default.nix
@@ -4,76 +4,130 @@ let mod = "Mod4"; terminal = "alacritty"; - workspaces = [ "1" "2" "3" "4" "5" "6" "7" "8" "9" "0" "y" "u" "i" "o" "p" ]; - - forEachL = lib.forEach [ "h" "Left" ]; - forEachD = lib.forEach [ "j" "Down" ]; - forEachU = lib.forEach [ "k" "Up" ]; - forEachR = lib.forEach [ "l" "Right" ]; + workspaces = [ + "1" + "2" + "3" + "4" + "5" + "6" + "7" + "8" + "9" + "0" + "y" + "u" + "i" + "o" + "p" + ]; + + forEachL = lib.forEach [ + "h" + "Left" + ]; + forEachD = lib.forEach [ + "j" + "Down" + ]; + forEachU = lib.forEach [ + "k" + "Up" + ]; + forEachR = lib.forEach [ + "l" + "Right" + ]; # Usage: forEachDirKey (d: k: { "${mod}+${k}" = "focus ${d}"; }); - forEachDirKey = f: - (forEachL (f "left")) ++ (forEachD (f "down")) ++ (forEachU (f "up")) - ++ (forEachR (f "right")); + forEachDirKey = + f: (forEachL (f "left")) ++ (forEachD (f "down")) ++ (forEachU (f "up")) ++ (forEachR (f "right")); -in { +in +{ # Set up a XFCE/i3 thing xsession.windowManager.i3 = { enable = true; package = pkgs.i3-gaps; config = { - keybindings = (lib.mkMerge (let - focusDirBinds = forEachDirKey (d: k: { "${mod}+${k}" = "focus ${d}"; }); - moveDirBinds = - forEachDirKey (d: k: { "${mod}+Shift+${k}" = "move ${d}"; }); - workspaceBinds = (lib.imap1 (i: k: - let si = toString i; - in { - "${mod}+${k}" = "workspace number ${si}"; - "${mod}+Shift+${k}" = "move container to workspace number ${si}"; - }) workspaces); - miscBinds = [{ - "${mod}+Return" = "exec ${terminal}"; - "${mod}+Shift+q" = "kill"; - "${mod}+d" = "exec dmenu_run"; - - "${mod}+Shift+b" = "split h"; - "${mod}+Shift+v" = "split v"; - "${mod}+f" = "fullscreen toggle"; - - "${mod}+x" = "layout stacking"; - "${mod}+z" = "layout tabbed"; - "${mod}+c" = "layout toggle split"; - - "${mod}+Shift+space" = "floating toggle"; - "${mod}+space" = "focus mode_toggle"; - - "${mod}+a" = "focus parent"; - - "${mod}+Shift+minus" = "move scratchpad"; - "${mod}+minus" = "scratchpad show"; - - "${mod}+r" = "mode resize"; - - 
"${mod}+Shift+r" = "restart"; - "${mod}+Shift+e" = '' - exec "i3-nagbar -t warning -m 'You pressed the exit shortcut. Do you really want to exit i3? This will end your X session.' -b 'Yes, exit i3' 'i3-msg exit'" - ''; - }]; - in workspaceBinds ++ focusDirBinds ++ moveDirBinds ++ miscBinds)); - - modes.resize = let - resizeBinds = - (forEachL (k: { "${k}" = "resize shrink width 10 px or 10 ppt"; })) - ++ (forEachD (k: { "${k}" = "resize grow height 10 px or 10 ppt"; })) - ++ (forEachU - (k: { "${k}" = "resize shrink height 10 px or 10 ppt"; })) - ++ (forEachR (k: { "${k}" = "resize grow width 10 px or 10 ppt"; })); - in (lib.mkMerge (resizeBinds ++ [{ - "Return" = "mode default"; - "Escape" = "mode default"; - }])); + keybindings = ( + lib.mkMerge ( + let + focusDirBinds = forEachDirKey (d: k: { "${mod}+${k}" = "focus ${d}"; }); + moveDirBinds = forEachDirKey (d: k: { "${mod}+Shift+${k}" = "move ${d}"; }); + workspaceBinds = ( + lib.imap1 ( + i: k: + let + si = toString i; + in + { + "${mod}+${k}" = "workspace number ${si}"; + "${mod}+Shift+${k}" = "move container to workspace number ${si}"; + } + ) workspaces + ); + miscBinds = [ + { + "${mod}+Return" = "exec ${terminal}"; + "${mod}+Shift+q" = "kill"; + "${mod}+d" = "exec dmenu_run"; + + "${mod}+Shift+b" = "split h"; + "${mod}+Shift+v" = "split v"; + "${mod}+f" = "fullscreen toggle"; + + "${mod}+x" = "layout stacking"; + "${mod}+z" = "layout tabbed"; + "${mod}+c" = "layout toggle split"; + + "${mod}+Shift+space" = "floating toggle"; + "${mod}+space" = "focus mode_toggle"; + + "${mod}+a" = "focus parent"; + + "${mod}+Shift+minus" = "move scratchpad"; + "${mod}+minus" = "scratchpad show"; + + "${mod}+r" = "mode resize"; + + "${mod}+Shift+r" = "restart"; + "${mod}+Shift+e" = '' + exec "i3-nagbar -t warning -m 'You pressed the exit shortcut. Do you really want to exit i3? This will end your X session.' 
-b 'Yes, exit i3' 'i3-msg exit'" + ''; + } + ]; + in + workspaceBinds ++ focusDirBinds ++ moveDirBinds ++ miscBinds + ) + ); + + modes.resize = + let + resizeBinds = + (forEachL (k: { + "${k}" = "resize shrink width 10 px or 10 ppt"; + })) + ++ (forEachD (k: { + "${k}" = "resize grow height 10 px or 10 ppt"; + })) + ++ (forEachU (k: { + "${k}" = "resize shrink height 10 px or 10 ppt"; + })) + ++ (forEachR (k: { + "${k}" = "resize grow width 10 px or 10 ppt"; + })); + in + (lib.mkMerge ( + resizeBinds + ++ [ + { + "Return" = "mode default"; + "Escape" = "mode default"; + } + ] + )); }; extraConfig = builtins.readFile ./kde-include.conf; }; @@ -91,6 +145,10 @@ in { programs.alacritty = { enable = true; - settings = { font = { size = 9; }; }; + settings = { + font = { + size = 9; + }; + }; }; } diff --git a/nix/home-manager/astral/gui/xmonad/default.nix b/nix/home-manager/astral/gui/xmonad/default.nix index 597b6384..1d6893ba 100644 --- a/nix/home-manager/astral/gui/xmonad/default.nix +++ b/nix/home-manager/astral/gui/xmonad/default.nix @@ -1,4 +1,10 @@ -{ config, pkgs, lib, ... }: { +{ + config, + pkgs, + lib, + ... +}: +{ options.astral.gui.xmonad = { enable = lib.mkOption { description = "Enable window manager configuration for tablet."; 
@@ -7,89 +13,91 @@ }; }; - config = let cfg = config.astral.gui.xmonad; - in (lib.mkIf cfg.enable { - xsession.windowManager.xmonad = { - enable = true; - enableContribAndExtras = true; - config = ./xmonad.hs; - extraPackages = self: - with pkgs.haskellPackages; [ - containers - monad-logger - dbus - X11 - ]; - }; + config = + let + cfg = config.astral.gui.xmonad; + in + (lib.mkIf cfg.enable { + xsession.windowManager.xmonad = { + enable = true; + enableContribAndExtras = true; + config = ./xmonad.hs; + extraPackages = + self: with pkgs.haskellPackages; [ + containers + monad-logger + dbus + X11 + ]; + }; - programs.alacritty = { - enable = true; - settings = { - font = { - size = 8; - normal.family = "MesloLGS NF"; - }; - window = { - opacity = 0.9; - decorations = "none"; + programs.alacritty = { + enable = true; + settings = { + font = { + size = 8; + normal.family = "MesloLGS NF"; + }; + window = { + opacity = 0.9; + decorations = "none"; + }; }; }; - }; - programs.rofi = { - enable = true; - theme = "${pkgs.rofi}/share/rofi/themes/DarkBlue"; + programs.rofi = { + enable = true; + theme = "${pkgs.rofi}/share/rofi/themes/DarkBlue"; - extraConfig = { - modi = "combi"; - combi-modi = "drun,run,window"; - levenshtein-sort = true; - lines = 20; - sidebar-mode = true; + extraConfig = { + modi = "combi"; + combi-modi = "drun,run,window"; + levenshtein-sort = true; + lines = 20; + sidebar-mode = true; + }; }; - }; - services.picom = { - enable = true; - #blur = true; - }; + services.picom = { + enable = true; + #blur = true; + }; - services.polybar = { - enable = true; - config = ./polybar.ini; - script = '' - polybar top & - ''; - }; + services.polybar = { + enable = true; + config = ./polybar.ini; + script = '' + polybar top & + ''; + }; - services.dunst = { - enable = true; - settings.global = { - mouse_left_click = "do_action, close_current"; - mouse_middle_click = "close_current"; - mouse_right_click = "context"; + services.dunst = { + enable = true; + 
settings.global = { + mouse_left_click = "do_action, close_current"; + mouse_middle_click = "close_current"; + mouse_right_click = "context"; - dmenu = "${pkgs.dmenu}/bin/dmenu -p dunst:"; + dmenu = "${pkgs.dmenu}/bin/dmenu -p dunst:"; + }; }; - }; - services.gnome-keyring.enable = true; + services.gnome-keyring.enable = true; - home.packages = with pkgs; [ - feh - flameshot - lightlocker - onboard - pulseaudio - redshift - xfce.xfce4-panel - xfce.xfce4-panel-profiles - xorg.xmessage + home.packages = with pkgs; [ + feh + flameshot + lightlocker + onboard + pulseaudio + redshift + xfce.xfce4-panel + xfce.xfce4-panel-profiles + xorg.xmessage - meslo-lgs-nf - roboto - tamsyn - ]; - }); + meslo-lgs-nf + roboto + tamsyn + ]; + }); } - diff --git a/nix/home-manager/astral/macos/default.nix b/nix/home-manager/astral/macos/default.nix index 82735079..ca6cdb5b 100644 --- a/nix/home-manager/astral/macos/default.nix +++ b/nix/home-manager/astral/macos/default.nix @@ -1,6 +1,12 @@ # X11-enabled home manager settings -{ config, lib, pkgs, ... }: -with lib; { +{ + config, + lib, + pkgs, + ... +}: +with lib; +{ options.astral.macos = { enable = mkOption { description = "Enable MacOS-specific customizations."; @@ -9,16 +15,17 @@ with lib; { }; }; - config = let cfg = config.astral.macos; - in (mkIf cfg.enable { - nixpkgs.config.allowUnfree = true; - fonts.fontconfig.enable = true; + config = + let + cfg = config.astral.macos; + in + (mkIf cfg.enable { + nixpkgs.config.allowUnfree = true; + fonts.fontconfig.enable = true; - home.packages = with pkgs; - [ + home.packages = with pkgs; [ powerline-fonts # iterm2 # needs to be compiled, takes too long ]; - }); + }); } - diff --git a/nix/home-manager/astral/vi/default.nix b/nix/home-manager/astral/vi/default.nix index 24470b66..f37acd3a 100644 --- a/nix/home-manager/astral/vi/default.nix +++ b/nix/home-manager/astral/vi/default.nix 
@@ -1,5 +1,11 @@ -{ config, lib, pkgs, ... }: -with lib; { +{ + config, + lib, + pkgs, + ... +}: +with lib; +{ options.astral.vi = { enable = mkOption { description = "Enable neovim customizations."; 
@@ -19,68 +25,74 @@ with lib; { }; }; - config = let cfg = config.astral.vi; - in mkIf cfg.enable (mkMerge [ - { - programs.neovim = { - enable = true; - - # nvim is too much to type out - viAlias = true; - vimAlias = true; - vimdiffAlias = true; + config = + let + cfg = config.astral.vi; + in + mkIf cfg.enable (mkMerge [ + { + programs.neovim = { + enable = true; - plugins = with pkgs.vimPlugins; [ - fzf-vim - nerdtree - nerdtree-git-plugin - pkgs.vimPlugins.rainbow - vim-airline - vim-easymotion - vim-floaterm - vim-nix - vim-plug - vim-sleuth - ]; - extraConfig = '' - source ${pkgs.vimPlugins.vim-plug}/plug.vim + # nvim is too much to type out + viAlias = true; + vimAlias = true; + vimdiffAlias = true; - ${builtins.readFile ./init.nvim} - ''; - }; + plugins = with pkgs.vimPlugins; [ + fzf-vim + nerdtree + nerdtree-git-plugin + pkgs.vimPlugins.rainbow + vim-airline + vim-easymotion + vim-floaterm + vim-nix + vim-plug + vim-sleuth + ]; + extraConfig = '' + source ${pkgs.vimPlugins.vim-plug}/plug.vim - home.packages = with pkgs; [ ctags ]; - } - (mkIf cfg.ide { - programs.neovim = { - coc = { - enable = true; - settings = builtins.fromJSON (builtins.readFile ./coc-settings.json); + ${builtins.readFile ./init.nvim} + ''; }; - extraConfig = '' - ${builtins.readFile ./ide.nvim} - ''; + home.packages = with pkgs; [ ctags ]; + } + (mkIf cfg.ide { + programs.neovim = { + coc = { + enable = true; + settings = builtins.fromJSON (builtins.readFile ./coc-settings.json); + }; - plugins = with pkgs.vimPlugins; [ - coc-nvim - coc-rust-analyzer - coc-tsserver - coq_nvim - editorconfig-nvim - goyo-vim - limelight-vim - nerdcommenter - taglist-vim - vim-fugitive - vim-gitgutter - vim-terraform - vim-test - pkgs.vimPlugins.vimtex - ]; - }; + extraConfig = '' + ${builtins.readFile ./ide.nvim} + ''; + + plugins = with pkgs.vimPlugins; [ + coc-nvim + coc-rust-analyzer + coc-tsserver + coq_nvim + editorconfig-nvim + goyo-vim + limelight-vim + nerdcommenter + taglist-vim + vim-fugitive 
+ vim-gitgutter + vim-terraform + vim-test + pkgs.vimPlugins.vimtex + ]; + }; - home.packages = with pkgs; [ nodejs nodePackages.npm ]; - }) - ]); + home.packages = with pkgs; [ + nodejs + nodePackages.npm + ]; + }) + ]); } diff --git a/nix/lib/default.nix b/nix/lib/default.nix index 9af68afb..cf32218c 100644 --- a/nix/lib/default.nix +++ b/nix/lib/default.nix @@ -1,8 +1,11 @@ { self, nixpkgs-stable, ... }@inputs: -let lib = nixpkgs-stable.lib; -in rec { +let + lib = nixpkgs-stable.lib; +in +rec { ifd3f-ca = import ../../ca { inherit lib; }; sshKeyDatabase = import ../../ssh_keys; ci = import ../ci.nix { inherit self lib; }; machines = import ../../machines inputs; -} // (import ./github-actions.nix { inherit lib; }) +} +// (import ./github-actions.nix { inherit lib; }) diff --git a/nix/lib/github-actions.nix b/nix/lib/github-actions.nix index 03d62c84..bc6db97e 100644 --- a/nix/lib/github-actions.nix +++ b/nix/lib/github-actions.nix 
@@ -1,208 +1,243 @@ { lib }: -let nixFlags = "--accept-flake-config --show-trace --log-lines 10000"; -in with lib; rec { +let + nixFlags = "--accept-flake-config --show-trace --log-lines 10000"; +in +with lib; +rec { ghexpr = v: "\${{ ${v} }}"; - makeGithubWorkflow = { nodes, cachix, cronSchedule, known_hosts }: { - name = "Build and deploy"; - run-name = "Build and deploy (${ghexpr "inputs.sha || github.sha"})"; - - on = { - schedule = [{ cron = cronSchedule; }]; - push = { }; - workflow_dispatch = { }; - workflow_call.inputs = { - sha = { - description = "SHA to run on"; - required = true; - type = "string"; + makeGithubWorkflow = + { + nodes, + cachix, + cronSchedule, + known_hosts, + }: + { + name = "Build and deploy"; + run-name = "Build and deploy (${ghexpr "inputs.sha || github.sha"})"; + + on = { + schedule = [ { cron = cronSchedule; } ]; + push = { }; + workflow_dispatch = { }; + workflow_call.inputs = { + sha = { + description = "SHA to run on"; + required = true; + type = "string"; + }; + deploy = { + description = "Whether to deploy or not"; + default = false; + type = "boolean"; + }; }; - deploy = { - description = "Whether to deploy or not"; - default = false; - type = "boolean"; + workflow_call.secrets.SSH_PRIVATE_KEY = { + description = "SSH key to use for deployment"; + required = true; }; }; - workflow_call.secrets.SSH_PRIVATE_KEY = { - description = "SSH key to use for deployment"; - required = true; + + env = { + KNOWN_HOSTS = known_hosts; + TARGET_FLAKE = + let + repo = ghexpr "github.repository"; + sha = ghexpr "inputs.sha || github.sha"; + p = ghexpr "inputs.sha || github.sha"; + in + "github:${repo}/${sha}"; }; - }; - env = { - KNOWN_HOSTS = known_hosts; - TARGET_FLAKE = let - repo = ghexpr "github.repository"; - sha = ghexpr "inputs.sha || github.sha"; - p = ghexpr "inputs.sha || github.sha"; - in "github:${repo}/${sha}"; + jobs = mapAttrs (makeJob { inherit nodes cachix; }) nodes; }; - jobs = mapAttrs (makeJob { inherit nodes cachix; }) 
nodes; - }; - - makeJob = envargs: key: - { name ? key, system, needs ? [ ], prune-runner ? false, build ? [ ] - , run ? null, deploy ? null }@spec: - let info = systems.elaborate system; - in if info.isx86_64 then + makeJob = + envargs: key: + { + name ? key, + system, + needs ? [ ], + prune-runner ? false, + build ? [ ], + run ? null, + deploy ? null, + }@spec: + let + info = systems.elaborate system; + in + if info.isx86_64 then makex86Job envargs key spec - else # TODO: support aarch64 jobs + # TODO: support aarch64 jobs + else abort "${key} requests unsupported system ${system}"; - makex86Job = { nodes, cachix }: + makex86Job = + { nodes, cachix }: key: - { name ? key, system, needs ? [ ], prune-runner ? false, build ? [ ] - , run ? null, deploy ? null, extraPreBuildSteps ? [ ] }: + { + name ? key, + system, + needs ? [ ], + prune-runner ? false, + build ? [ ], + run ? null, + deploy ? null, + extraPreBuildSteps ? [ ], + }: if build == [ ] && run == null && deploy == null then abort (toString "${key} did not specify a run, build, or deploy") - else { - inherit name; - strategy.fail-fast = false; - - runs-on = - if system == "x86_64-darwin" then "macos-latest" else "ubuntu-latest"; - - needs = let missingDeps = filter (d: !(hasAttr d nodes)) needs; - in if missingDeps != [ ] then - abort "${key} requests nodes that do not exist: ${toString missingDeps}" - else - needs; - - steps = let - rmFiles = lib.concatStringsSep " " [ - "/usr/bin/buildah" - "/usr/bin/containerd*" - "/usr/bin/ctr" - "/usr/bin/docker*" - "/usr/bin/gh" - "/usr/bin/git" - "/usr/bin/gpg" - "/usr/bin/grub*" - "/usr/bin/mono-sgen" - "/usr/bin/myisam*" - "/usr/bin/mysql*" - "/usr/bin/openssl" - "/usr/bin/pedump" - "/usr/bin/php*" - "/usr/bin/podman" - "/usr/bin/python3.10" - "/usr/bin/shellcheck" - "/usr/bin/skopeo" - "/usr/bin/snap" - "/usr/bin/tcpdump" - "/usr/bin/tmux" - "/usr/bin/x86_64-linux-gnu-*" - "/usr/bin/yq" - - "/opt" - "/usr/local" - "/usr/share" - "/var/lib" - "/var/log" - ]; - - 
pruneStep = { - name = "Remove unneccessary packages"; - run = '' - echo "=== Before pruning ===" - df -h - sudo rm -rf ${rmFiles} || true - echo - echo "=== After pruning ===" - df -h - ''; - }; - - setupSteps = [ - { - "uses" = "webfactory/ssh-agent@v0.8.0"; - "with".ssh-private-key = ghexpr "secrets.SSH_PRIVATE_KEY"; - } - { - name = "Append to known_hosts"; - run = '' - echo '\n' >> ~/.ssh/known_hosts - echo "$KNOWN_HOSTS" >> ~/.ssh/known_hosts - ''; - env.KNOWN_HOSTS = ghexpr "env.KNOWN_HOSTS"; - } - { - "uses" = "cachix/install-nix-action@v22"; - "with" = { - nix_path = "nixpkgs=channel:nixos-unstable"; - extra_nix_config = '' - experimental-features = nix-command flakes - access-tokens = github.com=${ghexpr "secrets.GITHUB_TOKEN"} + else + { + inherit name; + strategy.fail-fast = false; + + runs-on = if system == "x86_64-darwin" then "macos-latest" else "ubuntu-latest"; + + needs = + let + missingDeps = filter (d: !(hasAttr d nodes)) needs; + in + if missingDeps != [ ] then + abort "${key} requests nodes that do not exist: ${toString missingDeps}" + else + needs; + + steps = + let + rmFiles = lib.concatStringsSep " " [ + "/usr/bin/buildah" + "/usr/bin/containerd*" + "/usr/bin/ctr" + "/usr/bin/docker*" + "/usr/bin/gh" + "/usr/bin/git" + "/usr/bin/gpg" + "/usr/bin/grub*" + "/usr/bin/mono-sgen" + "/usr/bin/myisam*" + "/usr/bin/mysql*" + "/usr/bin/openssl" + "/usr/bin/pedump" + "/usr/bin/php*" + "/usr/bin/podman" + "/usr/bin/python3.10" + "/usr/bin/shellcheck" + "/usr/bin/skopeo" + "/usr/bin/snap" + "/usr/bin/tcpdump" + "/usr/bin/tmux" + "/usr/bin/x86_64-linux-gnu-*" + "/usr/bin/yq" + + "/opt" + "/usr/local" + "/usr/share" + "/var/lib" + "/var/log" + ]; + + pruneStep = { + name = "Remove unneccessary packages"; + run = '' + echo "=== Before pruning ===" + df -h + sudo rm -rf ${rmFiles} || true + echo + echo "=== After pruning ===" + df -h ''; }; - } - { - "uses" = "cachix/cachix-action@v12"; - "with" = { - name = cachix; - authToken = ghexpr 
"secrets.CACHIX_AUTH_TOKEN"; + + setupSteps = [ + { + "uses" = "webfactory/ssh-agent@v0.8.0"; + "with".ssh-private-key = ghexpr "secrets.SSH_PRIVATE_KEY"; + } + { + name = "Append to known_hosts"; + run = '' + echo '\n' >> ~/.ssh/known_hosts + echo "$KNOWN_HOSTS" >> ~/.ssh/known_hosts + ''; + env.KNOWN_HOSTS = ghexpr "env.KNOWN_HOSTS"; + } + { + "uses" = "cachix/install-nix-action@v22"; + "with" = { + nix_path = "nixpkgs=channel:nixos-unstable"; + extra_nix_config = '' + experimental-features = nix-command flakes + access-tokens = github.com=${ghexpr "secrets.GITHUB_TOKEN"} + ''; + }; + } + { + "uses" = "cachix/cachix-action@v12"; + "with" = { + name = cachix; + authToken = ghexpr "secrets.CACHIX_AUTH_TOKEN"; + }; + } + { + name = "Enable unfree packages"; + run = '' + mkdir -p ~/.config/nixpkgs + echo '{ allowUnfree = true; }' > ~/.config/nixpkgs/config.nix + ''; + } + ]; + + buildStep = { + name = "Build targets"; + run = + let + buildList = if isString build then [ build ] else build; + installables = map (attr: ''"$TARGET_FLAKE#"'' + escapeShellArg attr) buildList; + args = concatStringsSep " " installables; + in + "GC_DONT_GC=1 nix build ${nixFlags} --fallback ${args}"; + env.TARGET_FLAKE = ghexpr "env.TARGET_FLAKE"; }; - } - { - name = "Enable unfree packages"; - run = '' - mkdir -p ~/.config/nixpkgs - echo '{ allowUnfree = true; }' > ~/.config/nixpkgs/config.nix - ''; - } - ]; - - buildStep = { - name = "Build targets"; - run = let - buildList = if isString build then [ build ] else build; - installables = - map (attr: ''"$TARGET_FLAKE#"'' + escapeShellArg attr) buildList; - args = concatStringsSep " " installables; - in "GC_DONT_GC=1 nix build ${nixFlags} --fallback ${args}"; - env.TARGET_FLAKE = ghexpr "env.TARGET_FLAKE"; - }; - runStep = { - name = "Run ${run}"; - run = '' - GC_DONT_GC=1 nix run ${nixFlags} "$TARGET_FLAKE#$run_flake_attr"''; - env = { - run_flake_attr = run; - TARGET_FLAKE = ghexpr "env.TARGET_FLAKE"; - }; - }; + runStep = { + name = "Run 
${run}"; + run = ''GC_DONT_GC=1 nix run ${nixFlags} "$TARGET_FLAKE#$run_flake_attr"''; + env = { + run_flake_attr = run; + TARGET_FLAKE = ghexpr "env.TARGET_FLAKE"; + }; + }; - deployStep = { - name = "Deploy with ${deploy}"; - run = '' - GC_DONT_GC=1 nix run ${nixFlags} "$TARGET_FLAKE#$deploy_flake_attr"''; - "if" = ghexpr - "github.event_name == 'push' && github.ref == 'refs/heads/main'"; - env = { - deploy_flake_attr = deploy; - TARGET_FLAKE = ghexpr "env.TARGET_FLAKE"; - }; - }; + deployStep = { + name = "Deploy with ${deploy}"; + run = ''GC_DONT_GC=1 nix run ${nixFlags} "$TARGET_FLAKE#$deploy_flake_attr"''; + "if" = ghexpr "github.event_name == 'push' && github.ref == 'refs/heads/main'"; + env = { + deploy_flake_attr = deploy; + TARGET_FLAKE = ghexpr "env.TARGET_FLAKE"; + }; + }; - logStep = { - name = "Log remaining space"; - "if" = ghexpr "always()"; - run = '' - echo "=== Space left after build ===" - df -h - ''; - }; - in flatten [ - setupSteps - (optional prune-runner pruneStep) - extraPreBuildSteps - (optional (build != [ ]) buildStep) - (optional (run != null) runStep) - (optional (deploy != null) deployStep) - logStep - ]; - }; + logStep = { + name = "Log remaining space"; + "if" = ghexpr "always()"; + run = '' + echo "=== Space left after build ===" + df -h + ''; + }; + in + flatten [ + setupSteps + (optional prune-runner pruneStep) + extraPreBuildSteps + (optional (build != [ ]) buildStep) + (optional (run != null) runStep) + (optional (deploy != null) deployStep) + logStep + ]; + }; } diff --git a/nix/nixos-modules/astral/acme.nix b/nix/nixos-modules/astral/acme.nix index 423e7761..d9c4b59c 100644 --- a/nix/nixos-modules/astral/acme.nix +++ b/nix/nixos-modules/astral/acme.nix @@ -1,5 +1,6 @@ { config, lib, ... }: -with lib; { +with lib; +{ options.astral.acme.enable = mkOption { description = "Enable to set up pre-customized ACME stuff."; default = false; 
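Review bot: The ssh-agent step in `setupSteps` loads `secrets.SSH_PRIVATE_KEY` on every run, while `deployStep` alone is gated by `"if" = ghexpr "github.event_name == 'push' && github.ref == 'refs/heads/main'";`, so a build of any branch carries the deploy key in an agent socket even though it will never deploy; putting that same `"if"` on the `webfactory/ssh-agent@v0.8.0` and "Append to known_hosts" steps (or emitting them only when `deploy != null`) keeps the key out of builds that cannot use it. In the "Append to known_hosts" step, `echo '\n' >> ~/.ssh/known_hosts` appends a literal backslash-n line under bash, the default shell for `run` steps; `printf '\n' >> ~/.ssh/known_hosts` gives the intended separator. The `let` under `env.TARGET_FLAKE` binds `p = ghexpr "inputs.sha || github.sha";` but never uses it (it duplicates `sha`), so that line can be dropped as a dead binding.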
diff --git a/nix/nixos-modules/astral/backup/db.nix b/nix/nixos-modules/astral/backup/db.nix index 1c953721..a3e131bf 100644 --- a/nix/nixos-modules/astral/backup/db.nix +++ b/nix/nixos-modules/astral/backup/db.nix @@ -7,15 +7,18 @@ let cfg = config.astral.backup; inputs = config.astral.inputs; -in with lib; { +in +with lib; +{ options.astral.backup.db = { enable = mkEnableOption "automated database backup"; }; config = mkMerge [ { - astral.backup.db.enable = mkDefault - (config.services.postgresql.enable || config.services.mysql.enable); + astral.backup.db.enable = mkDefault ( + config.services.postgresql.enable || config.services.mysql.enable + ); } (mkIf cfg.db.enable { @@ -32,8 +35,7 @@ in with lib; { "--keep-yearly 75" ]; - repository = - "s3:s3.us-west-000.backblazeb2.com/ifd3f-backup/hosts/${config.networking.fqdn}/db"; + repository = "s3:s3.us-west-000.backblazeb2.com/ifd3f-backup/hosts/${config.networking.fqdn}/db"; }; systemd.services.restic-backups-db = { @@ -48,8 +50,7 @@ in with lib; { backupAll = true; }; - services.restic.backups.db.paths = - [ config.services.postgresqlBackup.location ]; + services.restic.backups.db.paths = [ config.services.postgresqlBackup.location ]; # do not start automatically systemd.timers.postgresqlBackup.enable = false; @@ -66,8 +67,7 @@ in with lib; { singleTransaction = true; }; - services.restic.backups.db.paths = - [ config.services.mysqlBackup.location ]; + services.restic.backups.db.paths = [ config.services.mysqlBackup.location ]; # do not start automatically systemd.timers.mysql-backup.enable = false; diff --git a/nix/nixos-modules/astral/backup/default.nix b/nix/nixos-modules/astral/backup/default.nix index 7fe292ec..c238984c 100644 --- a/nix/nixos-modules/astral/backup/default.nix +++ b/nix/nixos-modules/astral/backup/default.nix @@ -1 +1,7 @@ -{ imports = [ ./db.nix ./services.nix ./vault-secrets.nix ]; } +{ + imports = [ + ./db.nix + ./services.nix + ./vault-secrets.nix + ]; +} 
diff --git a/nix/nixos-modules/astral/backup/services.nix b/nix/nixos-modules/astral/backup/services.nix index 10e25f81..9c250780 100644 --- a/nix/nixos-modules/astral/backup/services.nix +++ b/nix/nixos-modules/astral/backup/services.nix @@ -5,7 +5,9 @@ let cfg = config.astral.backup; inputs = config.astral.inputs; -in with lib; { +in +with lib; +{ options.astral.backup.services = { paths = mkOption { description = "Paths to add to backup. If empty, this will not be run."; @@ -29,8 +31,7 @@ in with lib; { ]; paths = cfg.services.paths; - repository = - "s3:s3.us-west-000.backblazeb2.com/ifd3f-backup/hosts/${config.networking.fqdn}/services"; + repository = "s3:s3.us-west-000.backblazeb2.com/ifd3f-backup/hosts/${config.networking.fqdn}/services"; }; systemd.services.restic-backups-services = { diff --git a/nix/nixos-modules/astral/backup/vault-secrets.nix b/nix/nixos-modules/astral/backup/vault-secrets.nix index 16080986..5ef611b3 100644 --- a/nix/nixos-modules/astral/backup/vault-secrets.nix +++ b/nix/nixos-modules/astral/backup/vault-secrets.nix @@ -7,17 +7,17 @@ let cfg = config.astral.backup; inputs = config.astral.inputs; -in with lib; { +in +with lib; +{ options.astral.backup = { vault-key = mkOption { - description = - "Vault secret name to use. By default, it will reference the Vault secret key backup-$fqdn."; + description = "Vault secret name to use. By default, it will reference the Vault secret key backup-$fqdn."; type = types.str; }; vault-secret = mkOption { - description = - "Vault secret to use. It is grabbed from the key listed in vault-key."; + description = "Vault secret to use. It is grabbed from the key listed in vault-key."; type = types.attrs; }; }; 
@@ -25,8 +25,7 @@ in with lib; { config = mkIf (cfg.db.enable || builtins.length cfg.services.paths > 0) { astral.backup = { vault-key = "backup-${config.networking.fqdn}"; - vault-secret = - config.vault-secrets.secrets."${config.astral.backup.vault-key}"; + vault-secret = config.vault-secrets.secrets."${config.astral.backup.vault-key}"; }; # vault kv put kv/backup-db-${fqdn}/secrets \ diff --git a/nix/nixos-modules/astral/cachix.nix b/nix/nixos-modules/astral/cachix.nix index 75227aae..7625ff26 100644 --- a/nix/nixos-modules/astral/cachix.nix +++ b/nix/nixos-modules/astral/cachix.nix @@ -1,10 +1,11 @@ { nix.settings = { - substituters = - [ "https://cache.nixos.org/" "https://astralbijection.cachix.org" ]; + substituters = [ + "https://cache.nixos.org/" + "https://astralbijection.cachix.org" + ]; trusted-public-keys = [ "astralbijection.cachix.org-1:Vt/mfnVfzonOeQEN6MzRQs2qlHuzFYkNg6EqxdUhjrs=" ]; }; } - diff --git a/nix/nixos-modules/astral/ci.nix b/nix/nixos-modules/astral/ci.nix index 81b40517..813798f5 100644 --- a/nix/nixos-modules/astral/ci.nix +++ b/nix/nixos-modules/astral/ci.nix @@ -1,11 +1,19 @@ -/* Regularly updates the system from this flake repo. - Wraps around system.autoUpdate and customized for - my stuff, but provides additional helper options. +/* + Regularly updates the system from this flake repo. + Wraps around system.autoUpdate and customized for + my stuff, but provides additional helper options. */ -{ pkgs, lib, config, ... }: +{ + pkgs, + lib, + config, + ... +}: with lib; -let cfg = config.astral.ci; -in { +let + cfg = config.astral.ci; +in +{ options.astral.ci = { enable = mkOption { description = "Whether this machine should be built during CI or not."; 
@@ -20,8 +28,7 @@ in { }; deploy-to = mkOption { - description = - "Host to upload this system to, after it successfully builds. If null, then this should not be deployed."; + description = "Host to upload this system to, after it successfully builds. If null, then this should not be deployed."; type = with types; nullOr str; default = null; }; @@ -54,10 +61,13 @@ in { }; }; - config.astral.ci.deploy-package = mkIf (cfg.deploy-to != null) (mkDefault - (with pkgs; - let inherit (config.networking) hostName; - in writeShellApplication { + config.astral.ci.deploy-package = mkIf (cfg.deploy-to != null) ( + mkDefault ( + with pkgs; + let + inherit (config.networking) hostName; + in + writeShellApplication { name = "upload-${hostName}"; runtimeInputs = [ nixos-rebuild ]; text = '' @@ -69,5 +79,7 @@ in { --use-remote-sudo \ --show-trace ''; - })); + } + ) + ); } diff --git a/nix/nixos-modules/astral/custom-nginx-errors/default.nix b/nix/nixos-modules/astral/custom-nginx-errors/default.nix index 6e0a5fd9..375ae65f 100644 --- a/nix/nixos-modules/astral/custom-nginx-errors/default.nix +++ b/nix/nixos-modules/astral/custom-nginx-errors/default.nix 
@@ -1,25 +1,35 @@ -{ pkgs, lib, config, ... }: -let cfg = config.astral.custom-nginx-errors; -in with lib; { +{ + pkgs, + lib, + config, + ... +}: +let + cfg = config.astral.custom-nginx-errors; +in +with lib; +{ options.astral.custom-nginx-errors.virtualHosts = mkOption { description = "List of hosts to add customized errors to."; type = with types; listOf str; default = [ ]; }; - config.services.nginx.virtualHosts = listToAttrs (map (host: { - name = host; - value = { - extraConfig = '' - error_page 502 /502.html; - ''; - - locations."= /502.html" = { - root = ./static; + config.services.nginx.virtualHosts = listToAttrs ( + map (host: { + name = host; + value = { extraConfig = '' - internal; + error_page 502 /502.html; ''; + + locations."= /502.html" = { + root = ./static; + extraConfig = '' + internal; + ''; + }; }; - }; - }) cfg.virtualHosts); + }) cfg.virtualHosts + ); } diff --git a/nix/nixos-modules/astral/custom-tty/default.nix b/nix/nixos-modules/astral/custom-tty/default.nix index 34c063ad..7e082656 100644 --- a/nix/nixos-modules/astral/custom-tty/default.nix +++ b/nix/nixos-modules/astral/custom-tty/default.nix @@ -1,7 +1,14 @@ -/* Customized /etc/issue file that updates with - this system's IP. +/* + Customized /etc/issue file that updates with + this system's IP. */ -{ lib, config, pkgs, ... }: { +{ + lib, + config, + pkgs, + ... +}: +{ options.astral.custom-tty = with lib; { enable = mkOption { description = "A custom /etc/issue generator to make a tty login prompt."; 
@@ -10,26 +17,33 @@ }; }; - config = let cfg = config.astral.custom-tty; - in lib.mkIf cfg.enable { - systemd.services.update-custom-tty = { - wantedBy = [ "multi-user.target" ]; + config = + let + cfg = config.astral.custom-tty; + in + lib.mkIf cfg.enable { + systemd.services.update-custom-tty = { + wantedBy = [ "multi-user.target" ]; - path = with pkgs; [ python3 iproute2 coreutils ]; - script = '' - ${./issue.py} > /var/issue - ''; - }; + path = with pkgs; [ + python3 + iproute2 + coreutils + ]; + script = '' + ${./issue.py} > /var/issue + ''; + }; - systemd.timers.update-custom-tty = { - wantedBy = [ "multi-user.target" ]; - timerConfig.OnCalendar = "*-*-* *:*:00"; - }; + systemd.timers.update-custom-tty = { + wantedBy = [ "multi-user.target" ]; + timerConfig.OnCalendar = "*-*-* *:*:00"; + }; - environment.etc."issue" = lib.mkOverride 10 { - source = pkgs.runCommand "var-issue-symlink" { } '' - ln -s /var/issue $out - ''; + environment.etc."issue" = lib.mkOverride 10 { + source = pkgs.runCommand "var-issue-symlink" { } '' + ln -s /var/issue $out + ''; + }; }; - }; } diff --git a/nix/nixos-modules/astral/default.nix b/nix/nixos-modules/astral/default.nix index a1919791..b070a3b6 100644 --- a/nix/nixos-modules/astral/default.nix +++ b/nix/nixos-modules/astral/default.nix @@ -9,12 +9,15 @@ inputs: { ./hw ./mount-root-to-home.nix - ({ pkgs, ... }: { - programs.zsh.enable = true; - users.defaultUserShell = pkgs.zsh; - nixpkgs.overlays = [ inputs.self.overlays.default ]; - astral.inputs = inputs; - }) + ( + { pkgs, ... }: + { + programs.zsh.enable = true; + users.defaultUserShell = pkgs.zsh; + nixpkgs.overlays = [ inputs.self.overlays.default ]; + astral.inputs = inputs; + } + ) ./acme.nix ./zfs-utils.nix diff --git a/nix/nixos-modules/astral/flake-input.nix b/nix/nixos-modules/astral/flake-input.nix index 1b8433f0..a212418f 100644 --- a/nix/nixos-modules/astral/flake-input.nix +++ b/nix/nixos-modules/astral/flake-input.nix 
@@ -1,5 +1,12 @@ -{ lib, config, pkgs, ... }: { - options.astral.inputs = with lib; +{ + lib, + config, + pkgs, + ... +}: +{ + options.astral.inputs = + with lib; mkOption { description = "The infra repo's flake input"; type = types.attrs; diff --git a/nix/nixos-modules/astral/hw/default.nix b/nix/nixos-modules/astral/hw/default.nix index 6a95d823..b80184ba 100644 --- a/nix/nixos-modules/astral/hw/default.nix +++ b/nix/nixos-modules/astral/hw/default.nix @@ -1 +1,7 @@ -{ imports = [ ./kb-flashing.nix ./surface.nix ./logitech-unifying.nix ]; } +{ + imports = [ + ./kb-flashing.nix + ./surface.nix + ./logitech-unifying.nix + ]; +} diff --git a/nix/nixos-modules/astral/hw/kb-flashing.nix b/nix/nixos-modules/astral/hw/kb-flashing.nix index 0d3d65b7..d432bbdf 100644 --- a/nix/nixos-modules/astral/hw/kb-flashing.nix +++ b/nix/nixos-modules/astral/hw/kb-flashing.nix @@ -1,5 +1,11 @@ -{ config, lib, pkgs, ... }: -with lib; { +{ + config, + lib, + pkgs, + ... +}: +with lib; +{ options.astral.hw.kb-flashing.enable = mkOption { description = '' Enable all keyboard flashing functionality for this machine. @@ -11,7 +17,10 @@ with lib; { }; config = mkIf config.astral.hw.kb-flashing.enable { - environment.systemPackages = with pkgs; [ usbutils wally-cli ]; + environment.systemPackages = with pkgs; [ + usbutils + wally-cli + ]; # QMK rules services.udev.packages = [ pkgs.qmk-udev-rules ]; diff --git a/nix/nixos-modules/astral/hw/logitech-unifying.nix b/nix/nixos-modules/astral/hw/logitech-unifying.nix index 135afe84..f58172e4 100644 --- a/nix/nixos-modules/astral/hw/logitech-unifying.nix +++ b/nix/nixos-modules/astral/hw/logitech-unifying.nix @@ -1,5 +1,11 @@ -{ config, lib, pkgs, ... }: -with lib; { +{ + config, + lib, + pkgs, + ... +}: +with lib; +{ options.astral.hw.logitech-unifying.enable = mkOption { description = '' Enable Logitech device stuff diff --git a/nix/nixos-modules/astral/hw/surface.nix b/nix/nixos-modules/astral/hw/surface.nix index f24a37ff..0e3b9fe6 100644 
--- a/nix/nixos-modules/astral/hw/surface.nix +++ b/nix/nixos-modules/astral/hw/surface.nix @@ -1,5 +1,11 @@ -{ config, lib, pkgs, ... }: -with lib; { +{ + config, + lib, + pkgs, + ... +}: +with lib; +{ options.astral.hw.surface.enable = mkOption { description = '' Enable standard Surface Pro configs @@ -10,16 +16,19 @@ with lib; { type = types.bool; }; - config = let cfg = config.astral.hw.surface; - in mkIf cfg.enable { - environment.systemPackages = with pkgs; [ - iptsd - onboard - surface-control - xinput_calibrator - ]; + config = + let + cfg = config.astral.hw.surface; + in + mkIf cfg.enable { + environment.systemPackages = with pkgs; [ + iptsd + onboard + surface-control + xinput_calibrator + ]; - services.touchegg.enable = true; - services.xserver.libinput.enable = true; - }; + services.touchegg.enable = true; + services.xserver.libinput.enable = true; + }; } diff --git a/nix/nixos-modules/astral/infra-update.nix b/nix/nixos-modules/astral/infra-update.nix index 609b5751..f5905341 100644 --- a/nix/nixos-modules/astral/infra-update.nix +++ b/nix/nixos-modules/astral/infra-update.nix @@ -1,8 +1,15 @@ -/* Regularly updates the system from this flake repo. - Wraps around system.autoUpdate and customized for - my stuff, but provides additional helper options. +/* + Regularly updates the system from this flake repo. + Wraps around system.autoUpdate and customized for + my stuff, but provides additional helper options. */ -{ lib, config, pkgs, ... }: { +{ + lib, + config, + pkgs, + ... +}: +{ options.astral.infra-update = with lib; { enable = mkOption { description = "Enable to periodically update from the infra repo."; 
@@ -23,23 +30,28 @@ }; build-host = mkOption { - description = - "The remote host to compile the config on. If null, builds it on itself."; + description = "The remote host to compile the config on. If null, builds it on itself."; default = null; type = types.nullOr types.str; }; }; - config.system.autoUpgrade = let cfg = config.astral.infra-update; - in lib.mkIf cfg.enable { - enable = cfg.enable; - flake = "github:ifd3f/infra/${cfg.branch}"; - dates = "*-*-* *:00:00"; - flags = (if cfg.build-host == null then - [ ] - else [ - "--build-host" - cfg.build-host - ]); - }; + config.system.autoUpgrade = + let + cfg = config.astral.infra-update; + in + lib.mkIf cfg.enable { + enable = cfg.enable; + flake = "github:ifd3f/infra/${cfg.branch}"; + dates = "*-*-* *:00:00"; + flags = ( + if cfg.build-host == null then + [ ] + else + [ + "--build-host" + cfg.build-host + ] + ); + }; } diff --git a/nix/nixos-modules/astral/monitoring-node/default.nix b/nix/nixos-modules/astral/monitoring-node/default.nix index 5a6130c5..5717dde1 100644 --- a/nix/nixos-modules/astral/monitoring-node/default.nix +++ b/nix/nixos-modules/astral/monitoring-node/default.nix @@ -1 +1,8 @@ -{ imports = [ ./options.nix ./transport.nix ./prometheus.nix ./promtail.nix ]; } +{ + imports = [ + ./options.nix + ./transport.nix + ./prometheus.nix + ./promtail.nix + ]; +} diff --git a/nix/nixos-modules/astral/monitoring-node/options.nix b/nix/nixos-modules/astral/monitoring-node/options.nix index 6111e46d..0a5caf91 100644 --- a/nix/nixos-modules/astral/monitoring-node/options.nix +++ b/nix/nixos-modules/astral/monitoring-node/options.nix @@ -1,9 +1,15 @@ -{ pkgs, lib, config, ... }: +{ + pkgs, + lib, + config, + ... +}: with lib; let cfg = config.astral.monitoring-node; ecfg = config.services.prometheus.exporters; -in { +in +{ options.astral.monitoring-node = { enable = mkEnableOption "monitored node role"; 
@@ -13,9 +19,12 @@ in { }; scrapeTransport = mkOption { - description = - "What transport will Prometheus and Loki use to monitor this host?"; - type = types.enum [ "https" "tailscale" null ]; + description = "What transport will Prometheus and Loki use to monitor this host?"; + type = types.enum [ + "https" + "tailscale" + null + ]; default = null; }; @@ -30,16 +39,18 @@ in { }; config = mkIf cfg.enable { - assertions = [{ - assertion = cfg.scrapeTransport != null; - message = - "To enable `astral.monitoring-node`, you must specify a non-null `astral.monitoring-node.scrapeTransport`."; - }]; + assertions = [ + { + assertion = cfg.scrapeTransport != null; + message = "To enable `astral.monitoring-node`, you must specify a non-null `astral.monitoring-node.scrapeTransport`."; + } + ]; - astral.monitoring-node.vhost = mkDefault - (if cfg.scrapeTransport == "tailscale" then + astral.monitoring-node.vhost = mkDefault ( + if cfg.scrapeTransport == "tailscale" then "${config.networking.hostName}.hyrax-hops.ts.net" else - config.networking.fqdn); + config.networking.fqdn + ); }; } diff --git a/nix/nixos-modules/astral/monitoring-node/prometheus.nix b/nix/nixos-modules/astral/monitoring-node/prometheus.nix index 6602365c..5115067f 100644 --- a/nix/nixos-modules/astral/monitoring-node/prometheus.nix +++ b/nix/nixos-modules/astral/monitoring-node/prometheus.nix @@ -1,10 +1,22 @@ -{ pkgs, lib, config, ... }: +{ + pkgs, + lib, + config, + ... +}: with lib; let cfg = config.astral.monitoring-node; ecfg = config.services.prometheus.exporters; - supportedExporters = [ "node" "nginx" "systemd" "bind" "postgres" ]; -in { + supportedExporters = [ + "node" + "nginx" + "systemd" + "bind" + "postgres" + ]; +in +{ config = mkIf cfg.enable { services.prometheus.exporters = { node = { 
@@ -33,15 +45,19 @@ in { }; }; - services.nginx.virtualHosts."${cfg.vhost}".locations = mkMerge (map (name: - let thisCfg = ecfg.${name}; - in mkIf thisCfg.enable { - "/metrics/${name}".proxyPass = - "http://127.0.0.1:${toString thisCfg.port}/metrics"; - }) supportedExporters); + services.nginx.virtualHosts."${cfg.vhost}".locations = mkMerge ( + map ( + name: + let + thisCfg = ecfg.${name}; + in + mkIf thisCfg.enable { + "/metrics/${name}".proxyPass = "http://127.0.0.1:${toString thisCfg.port}/metrics"; + } + ) supportedExporters + ); - astral.monitoring-node.exporters = - filter (name: ecfg.${name}.enable) supportedExporters; + astral.monitoring-node.exporters = filter (name: ecfg.${name}.enable) supportedExporters; }; } diff --git a/nix/nixos-modules/astral/monitoring-node/promtail.nix b/nix/nixos-modules/astral/monitoring-node/promtail.nix index 1142cff6..967ce5a8 100644 --- a/nix/nixos-modules/astral/monitoring-node/promtail.nix +++ b/nix/nixos-modules/astral/monitoring-node/promtail.nix @@ -1,12 +1,19 @@ -{ pkgs, lib, config, ... }: +{ + pkgs, + lib, + config, + ... +}: with lib; -let cfg = config.astral.monitoring-node; -in { +let + cfg = config.astral.monitoring-node; +in +{ config = mkIf cfg.enable { services.promtail = { enable = true; configuration = { - clients = [{ url = "https://loki.astrid.tech/loki/api/v1/push"; }]; + clients = [ { url = "https://loki.astrid.tech/loki/api/v1/push"; } ]; scrape_configs = [ { job_name = "journal"; @@ -39,13 +46,15 @@ in { { job_name = "nginx"; - static_configs = [{ - labels = { - host = cfg.vhost; - job = "nginx"; - __path__ = "/var/log/nginx/*"; - }; - }]; + static_configs = [ + { + labels = { + host = cfg.vhost; + job = "nginx"; + __path__ = "/var/log/nginx/*"; + }; + } + ]; } ]; 
@@ -58,10 +67,11 @@ in { }; services.nginx.virtualHosts."${cfg.vhost}".locations = { - "/promtail".proxyPass = let - promtailPort = - config.services.promtail.configuration.server.http_listen_port; - in "http://127.0.0.1:${toString promtailPort}/metrics"; + "/promtail".proxyPass = + let + promtailPort = config.services.promtail.configuration.server.http_listen_port; + in + "http://127.0.0.1:${toString promtailPort}/metrics"; }; users.users.promtail.extraGroups = [ "nginx" ]; diff --git a/nix/nixos-modules/astral/monitoring-node/transport.nix b/nix/nixos-modules/astral/monitoring-node/transport.nix index 303f25a9..7b69f48f 100644 --- a/nix/nixos-modules/astral/monitoring-node/transport.nix +++ b/nix/nixos-modules/astral/monitoring-node/transport.nix @@ -1,13 +1,23 @@ -{ pkgs, lib, config, ... }: +{ + pkgs, + lib, + config, + ... +}: with lib; -let cfg = config.astral.monitoring-node; -in { +let + cfg = config.astral.monitoring-node; +in +{ config = mkIf cfg.enable { astral.acme.enable = mkIf (cfg.scrapeTransport == "https") true; networking.firewall = { enable = true; - allowedTCPPorts = [ 80 443 ]; + allowedTCPPorts = [ + 80 + 443 + ]; }; services.nginx = { diff --git a/nix/nixos-modules/astral/mount-root-to-home.nix b/nix/nixos-modules/astral/mount-root-to-home.nix index af11aa10..42d6281f 100644 --- a/nix/nixos-modules/astral/mount-root-to-home.nix +++ b/nix/nixos-modules/astral/mount-root-to-home.nix @@ -1,7 +1,7 @@ { config, lib, ... }: -with lib; { - options.astral.mount-root-to-home.enable = - mkEnableOption "mounting root to home"; +with lib; +{ + options.astral.mount-root-to-home.enable = mkEnableOption "mounting root to home"; config = mkIf config.astral.mount-root-to-home.enable { fileSystems."/root" = { diff --git a/nix/nixos-modules/astral/net/default.nix b/nix/nixos-modules/astral/net/default.nix index f7fe48c8..ee02173b 100644 --- a/nix/nixos-modules/astral/net/default.nix +++ b/nix/nixos-modules/astral/net/default.nix 
@@ -1 +1,7 @@ -{ imports = [ ./sshd.nix ./xrdp.nix ./zerotier.nix ]; } +{ + imports = [ + ./sshd.nix + ./xrdp.nix + ./zerotier.nix + ]; +} diff --git a/nix/nixos-modules/astral/net/sshd.nix b/nix/nixos-modules/astral/net/sshd.nix index 35310837..08da6801 100644 --- a/nix/nixos-modules/astral/net/sshd.nix +++ b/nix/nixos-modules/astral/net/sshd.nix @@ -1,25 +1,34 @@ -{ config, lib, pkgs, ... }: -with lib; { +{ + config, + lib, + pkgs, + ... +}: +with lib; +{ options.astral.net.sshd.enable = mkOption { description = "Enable to use customized sshd configs."; default = true; type = types.bool; }; - config = let cfg = config.astral.net.sshd; - in mkIf cfg.enable { - services.openssh = { - enable = true; - settings = { - PasswordAuthentication = false; - PermitRootLogin = "no"; + config = + let + cfg = config.astral.net.sshd; + in + mkIf cfg.enable { + services.openssh = { + enable = true; + settings = { + PasswordAuthentication = false; + PermitRootLogin = "no"; + }; }; - }; - # Open ports in the firewall. - networking.firewall = { - enable = true; - allowedTCPPorts = [ 22 ]; + # Open ports in the firewall. + networking.firewall = { + enable = true; + allowedTCPPorts = [ 22 ]; + }; }; - }; } diff --git a/nix/nixos-modules/astral/net/xrdp.nix b/nix/nixos-modules/astral/net/xrdp.nix index 83f61589..982b9ab7 100644 --- a/nix/nixos-modules/astral/net/xrdp.nix +++ b/nix/nixos-modules/astral/net/xrdp.nix @@ -1,16 +1,25 @@ -{ config, lib, pkgs, ... }: -with lib; { +{ + config, + lib, + pkgs, + ... +}: +with lib; +{ options.astral.net.xrdp.enable = mkOption { description = "Enable to use customized xrdp configs."; default = false; type = types.bool; }; - config = let cfg = config.astral.net.xrdp; - in mkIf cfg.enable { - services.xrdp = { - enable = true; - openFirewall = true; + config = + let + cfg = config.astral.net.xrdp; + in + mkIf cfg.enable { + services.xrdp = { + enable = true; + openFirewall = true; + }; }; - }; } 
diff --git a/nix/nixos-modules/astral/net/zerotier.nix b/nix/nixos-modules/astral/net/zerotier.nix index bff1b459..07b0afa9 100644 --- a/nix/nixos-modules/astral/net/zerotier.nix +++ b/nix/nixos-modules/astral/net/zerotier.nix @@ -1,8 +1,10 @@ let internalNetwork = "b6079f73c67cda0d"; publicNetwork = "e5cd7a9e1c618388"; -in { config, lib, ... }: -with lib; { +in +{ config, lib, ... }: +with lib; +{ options.astral.net.zerotier = { internal = mkOption { description = "Whether to add to internal network."; @@ -17,16 +19,19 @@ with lib; { }; }; - config = let - cfg = config.astral.net.zerotier; - enable = cfg.internal || cfg.public; - in mkIf enable { - nixpkgs.config.allowUnfree = true; + config = + let + cfg = config.astral.net.zerotier; + enable = cfg.internal || cfg.public; + in + mkIf enable { + nixpkgs.config.allowUnfree = true; - services.zerotierone = { - #enable = true; - joinNetworks = (if cfg.internal then [ internalNetwork ] else [ ]) - ++ (if cfg.public then [ publicNetwork ] else [ ]); + services.zerotierone = { + #enable = true; + joinNetworks = + (if cfg.internal then [ internalNetwork ] else [ ]) + ++ (if cfg.public then [ publicNetwork ] else [ ]); + }; }; - }; } diff --git a/nix/nixos-modules/astral/nix-utils.nix b/nix/nixos-modules/astral/nix-utils.nix index a6901a61..7c031c61 100644 --- a/nix/nixos-modules/astral/nix-utils.nix +++ b/nix/nixos-modules/astral/nix-utils.nix @@ -1,5 +1,6 @@ # Enables Nix Unstable and Flakes. -{ pkgs, ... }: { +{ pkgs, ... }: +{ nix = { # Auto-optimize/GC store gc = { @@ -10,7 +11,10 @@ # Trusted users for remote config builds and uploads settings = { - trusted-users = [ "root" "@wheel" ]; + trusted-users = [ + "root" + "@wheel" + ]; auto-optimise-store = true; }; diff --git a/nix/nixos-modules/astral/program-sets/basics.nix b/nix/nixos-modules/astral/program-sets/basics.nix index 3d4be25c..1aa89c69 100644 --- a/nix/nixos-modules/astral/program-sets/basics.nix +++ b/nix/nixos-modules/astral/program-sets/basics.nix 
@@ -2,57 +2,59 @@ name = "basics"; description = "Useful utilities for terminal environments"; enableByDefault = true; - progFn = { pkgs }: { - programs = { - # Neovim is cool and good - neovim = { - enable = true; - viAlias = true; + progFn = + { pkgs }: + { + programs = { + # Neovim is cool and good + neovim = { + enable = true; + viAlias = true; + }; + + # Just in case the SSH connection is lost and I'm running something long + tmux.enable = true; }; - # Just in case the SSH connection is lost and I'm running something long - tmux.enable = true; + environment.systemPackages = with pkgs; [ + bind + curl + dnsutils + ed + elinks + envsubst + ethtool + file + gh + git + git-lfs + iftop + inetutils + iotop + iperf + iputils + jq + magic-wormhole + mktemp + neofetch + netcat + exfat + exfatprogs + nmap + p7zip + pciutils + psmisc + python3 + speedtest-rs + tcpdump + tree + unixtools.xxd + unzip + usbutils + uwufetch + wget + yq + zip + ]; }; - - environment.systemPackages = with pkgs; [ - bind - curl - dnsutils - ed - elinks - envsubst - ethtool - file - gh - git - git-lfs - iftop - inetutils - iotop - iperf - iputils - jq - magic-wormhole - mktemp - neofetch - netcat - exfat - exfatprogs - nmap - p7zip - pciutils - psmisc - python3 - speedtest-rs - tcpdump - tree - unixtools.xxd - unzip - usbutils - uwufetch - wget - yq - zip - ]; - }; } diff --git a/nix/nixos-modules/astral/program-sets/browsers.nix b/nix/nixos-modules/astral/program-sets/browsers.nix index fe952002..6752ab2f 100644 --- a/nix/nixos-modules/astral/program-sets/browsers.nix +++ b/nix/nixos-modules/astral/program-sets/browsers.nix @@ -1,8 +1,10 @@ { name = "browsers"; description = "Internet browsers"; - progFn = { pkgs }: { - programs.chromium.enable = true; - environment.systemPackages = with pkgs; [ firefox ]; - }; + progFn = + { pkgs }: + { + programs.chromium.enable = true; + environment.systemPackages = with pkgs; [ firefox ]; + }; } 
diff --git a/nix/nixos-modules/astral/program-sets/cad.nix b/nix/nixos-modules/astral/program-sets/cad.nix index d394a783..83cc10b8 100644 --- a/nix/nixos-modules/astral/program-sets/cad.nix +++ b/nix/nixos-modules/astral/program-sets/cad.nix @@ -1,10 +1,12 @@ { name = "cad"; description = "Computer-aided design"; - progFn = { pkgs }: { - environment.systemPackages = with pkgs; [ - kicad # openscad - freecad - ]; - }; + progFn = + { pkgs }: + { + environment.systemPackages = with pkgs; [ + kicad # openscad + freecad + ]; + }; } diff --git a/nix/nixos-modules/astral/program-sets/chat.nix b/nix/nixos-modules/astral/program-sets/chat.nix index 9f56e64c..49fba34d 100644 --- a/nix/nixos-modules/astral/program-sets/chat.nix +++ b/nix/nixos-modules/astral/program-sets/chat.nix @@ -1,17 +1,19 @@ { name = "chat"; description = "Chat and communication tools"; - progFn = { pkgs }: { - nixpkgs.config.allowUnfree = true; + progFn = + { pkgs }: + { + nixpkgs.config.allowUnfree = true; - environment.systemPackages = with pkgs; [ - slack - slack-term - discord - discord-canary - signal-desktop - element-desktop - zoom-us - ]; - }; + environment.systemPackages = with pkgs; [ + slack + slack-term + discord + discord-canary + signal-desktop + element-desktop + zoom-us + ]; + }; } diff --git a/nix/nixos-modules/astral/program-sets/default.nix b/nix/nixos-modules/astral/program-sets/default.nix index 4c657781..f702232e 100644 --- a/nix/nixos-modules/astral/program-sets/default.nix +++ b/nix/nixos-modules/astral/program-sets/default.nix 
@@ -1,18 +1,33 @@ # Standard program sets to enable or disable per-computer. let - wrapPS = { name, description, progFn, enableByDefault ? false }: - { pkgs, lib, config, ... }: { - options.astral.program-sets."${name}" = with lib; + wrapPS = + { + name, + description, + progFn, + enableByDefault ? false, + }: + { + pkgs, + lib, + config, + ... + }: + { + options.astral.program-sets."${name}" = + with lib; mkOption { inherit description; default = enableByDefault; type = types.bool; }; - config = lib.mkIf config.astral.program-sets."${name}" - (progFn { inherit pkgs; }); + config = lib.mkIf config.astral.program-sets."${name}" (progFn { + inherit pkgs; + }); }; -in { +in +{ imports = map wrapPS [ (import ./basics.nix) (import ./x11.nix) @@ -25,4 +40,3 @@ in { (import ./security.nix) ]; } - diff --git a/nix/nixos-modules/astral/program-sets/dev.nix b/nix/nixos-modules/astral/program-sets/dev.nix index 9b7e0410..fbfcd0c3 100644 --- a/nix/nixos-modules/astral/program-sets/dev.nix +++ b/nix/nixos-modules/astral/program-sets/dev.nix 
@@ -1,42 +1,46 @@ { name = "dev"; description = "Development tools"; - progFn = { pkgs }: { - astral.program-sets = { browsers = true; }; + progFn = + { pkgs }: + { + astral.program-sets = { + browsers = true; + }; - nixpkgs.config.allowUnfree = true; + nixpkgs.config.allowUnfree = true; - environment.systemPackages = with pkgs; [ - cachix - cargo - ckan - cmatrix - efibootmgr - gh - ghidra - hackrf - cabal-install - hping - imagemagick - lolcat - nixfmt-rfc-style - racket - refind - sdrpp - soapysdr-with-plugins - testdisk - vscode - wireshark + environment.systemPackages = with pkgs; [ + cachix + cargo + ckan + cmatrix + efibootmgr + gh + ghidra + hackrf + cabal-install + hping + imagemagick + lolcat + nixfmt-rfc-style + racket + refind + sdrpp + soapysdr-with-plugins + testdisk + vscode + wireshark - (gnuradio3_8.override { - extraPackages = with gnuradio3_8Packages; [ - rds - ais - grnet - osmosdr - limesdr - ]; - }) - ]; - }; + (gnuradio3_8.override { + extraPackages = with gnuradio3_8Packages; [ + rds + ais + grnet + osmosdr + limesdr + ]; + }) + ]; + }; } diff --git a/nix/nixos-modules/astral/program-sets/office.nix b/nix/nixos-modules/astral/program-sets/office.nix index 048bd1a6..081ccd38 100644 --- a/nix/nixos-modules/astral/program-sets/office.nix +++ b/nix/nixos-modules/astral/program-sets/office.nix @@ -1,20 +1,22 @@ { name = "office"; description = "Office tools"; - progFn = { pkgs }: { - environment.systemPackages = with pkgs; [ - darktable - gimp - inkscape - kdenlive - krita - libreoffice-fresh - lmms - musescore - okular - prismlauncher - thunderbird - xournalpp - ]; - }; + progFn = + { pkgs }: + { + environment.systemPackages = with pkgs; [ + darktable + gimp + inkscape + kdenlive + krita + libreoffice-fresh + lmms + musescore + okular + prismlauncher + thunderbird + xournalpp + ]; + }; } diff --git a/nix/nixos-modules/astral/program-sets/security.nix b/nix/nixos-modules/astral/program-sets/security.nix index 94122b79..6706b16c 100644 
--- a/nix/nixos-modules/astral/program-sets/security.nix +++ b/nix/nixos-modules/astral/program-sets/security.nix @@ -1,17 +1,19 @@ { name = "security"; description = "Security/encryption tools"; - progFn = { pkgs }: { - programs.gnupg.agent = { - enable = true; - enableSSHSupport = true; - pinentryPackage = pkgs.pinentry-qt; - }; + progFn = + { pkgs }: + { + programs.gnupg.agent = { + enable = true; + enableSSHSupport = true; + pinentryPackage = pkgs.pinentry-qt; + }; - environment.systemPackages = with pkgs; [ - pinentry - tor-browser-bundle-bin - (hashcat.override { cudaSupport = true; }) - ]; - }; + environment.systemPackages = with pkgs; [ + pinentry + tor-browser-bundle-bin + (hashcat.override { cudaSupport = true; }) + ]; + }; } diff --git a/nix/nixos-modules/astral/program-sets/x11.nix b/nix/nixos-modules/astral/program-sets/x11.nix index cfb521e4..b93e57c9 100644 --- a/nix/nixos-modules/astral/program-sets/x11.nix +++ b/nix/nixos-modules/astral/program-sets/x11.nix @@ -1,18 +1,20 @@ { name = "x11"; description = "Basic tools for working in X11 environments"; - progFn = { pkgs }: { - environment.systemPackages = with pkgs; [ - brightnessctl - flameshot - nomacs - obs-studio - pavucontrol - remmina - tenacity - vlc - xclip - xorg.xev - ]; - }; + progFn = + { pkgs }: + { + environment.systemPackages = with pkgs; [ + brightnessctl + flameshot + nomacs + obs-studio + pavucontrol + remmina + tenacity + vlc + xclip + xorg.xev + ]; + }; } diff --git a/nix/nixos-modules/astral/tailscale.nix b/nix/nixos-modules/astral/tailscale.nix index c8aed682..d11b9c56 100644 --- a/nix/nixos-modules/astral/tailscale.nix +++ b/nix/nixos-modules/astral/tailscale.nix @@ -1,6 +1,14 @@ -{ pkgs, lib, config, ... }: -let cfg = config.astral.tailscale; -in with lib; { +{ + pkgs, + lib, + config, + ... +}: +let + cfg = config.astral.tailscale; +in +with lib; +{ options.astral.tailscale = { enable = mkEnableOption "internal tailscale network"; oneOffKey = mkOption { 
@@ -20,14 +28,23 @@ in with lib; { description = "Automatic connection to Tailscale"; # make sure tailscale is running before trying to connect to tailscale - after = [ "network-pre.target" "tailscale.service" ]; - wants = [ "network-pre.target" "tailscale.service" ]; + after = [ + "network-pre.target" + "tailscale.service" + ]; + wants = [ + "network-pre.target" + "tailscale.service" + ]; wantedBy = [ "multi-user.target" ]; # set this service as a oneshot job serviceConfig.Type = "oneshot"; - path = with pkgs; [ jq tailscale ]; + path = with pkgs; [ + jq + tailscale + ]; environment.oneOffKey = cfg.oneOffKey; diff --git a/nix/nixos-modules/astral/users/default.nix b/nix/nixos-modules/astral/users/default.nix index 6bc8285e..13a22a46 100644 --- a/nix/nixos-modules/astral/users/default.nix +++ b/nix/nixos-modules/astral/users/default.nix 
@@ -1,92 +1,109 @@ # Normal user declarations. { config, ... }: -let inherit (config.astral.inputs.self.lib) sshKeyDatabase; -in { - imports = let - # Helper to create a user with the given name. - mkUserModule = name: - { description, isAutomationUser, sshKeys ? [ ], enableByDefault ? false - , defaultGroups ? [ ] }: - { pkgs, lib, config, ... }: - with lib; { - options.astral.users."${name}" = { - enable = mkOption { - description = "Enable ${ - if isAutomationUser then "system" else "normal" - } user ${user}"; - default = enableByDefault; - type = types.bool; - }; +let + inherit (config.astral.inputs.self.lib) sshKeyDatabase; +in +{ + imports = + let + # Helper to create a user with the given name. + mkUserModule = + name: + { + description, + isAutomationUser, + sshKeys ? [ ], + enableByDefault ? false, + defaultGroups ? [ ], + }: + { + pkgs, + lib, + config, + ... + }: + with lib; + { + options.astral.users."${name}" = { + enable = mkOption { + description = "Enable ${if isAutomationUser then "system" else "normal"} user ${user}"; + default = enableByDefault; + type = types.bool; + }; - extraGroups = mkOption { - description = "Extra groups for ${user}"; - default = [ ]; - type = types.listOf types.str; + extraGroups = mkOption { + description = "Extra groups for ${user}"; + default = [ ]; + type = types.listOf types.str; + }; }; - }; - config.users.users."${name}" = let cfg = config.astral.users."${name}"; - in mkIf cfg.enable { - inherit description; + config.users.users."${name}" = + let + cfg = config.astral.users."${name}"; + in + mkIf cfg.enable { + inherit description; - openssh.authorizedKeys.keys = sshKeys; - extraGroups = defaultGroups ++ cfg.extraGroups; + openssh.authorizedKeys.keys = sshKeys; + extraGroups = defaultGroups ++ cfg.extraGroups; - createHome = !isAutomationUser; - isNormalUser = !isAutomationUser; - isSystemUser = isAutomationUser; + createHome = !isAutomationUser; + isNormalUser = !isAutomationUser; + isSystemUser = isAutomationUser; 
- shell = mkIf isAutomationUser pkgs.bashInteractive; + shell = mkIf isAutomationUser pkgs.bashInteractive; - group = if isAutomationUser then "automaton" else "users"; + group = if isAutomationUser then "automaton" else "users"; + }; }; - }; - in [ - { - users.groups.automaton = { }; - users.groups.users = { }; - } + in + [ + { + users.groups.automaton = { }; + users.groups.users = { }; + } - (mkUserModule "astrid" { - description = "Astrid Yu"; - enableByDefault = true; - sshKeys = sshKeyDatabase.users.astrid; - isAutomationUser = false; - defaultGroups = [ - "dialout" - "dnsmasq-extra-hosts" - "docker" - "i2c" - "jackaudio" - "libvirtd" - "lpadmin" - "lxd" - "netdev" - "networkmanager" - "plugdev" - "vboxsf" - "vboxusers" - "wheel" - ]; - }) - (mkUserModule "alia" { - description = "Alia Lescoulie"; - sshKeys = sshKeyDatabase.users.alia; - isAutomationUser = false; - }) + (mkUserModule "astrid" { + description = "Astrid Yu"; + enableByDefault = true; + sshKeys = sshKeyDatabase.users.astrid; + isAutomationUser = false; + defaultGroups = [ + "dialout" + "dnsmasq-extra-hosts" + "docker" + "i2c" + "jackaudio" + "libvirtd" + "lpadmin" + "lxd" + "netdev" + "networkmanager" + "plugdev" + "vboxsf" + "vboxusers" + "wheel" + ]; + }) + (mkUserModule "alia" { + description = "Alia Lescoulie"; + sshKeys = sshKeyDatabase.users.alia; + isAutomationUser = false; + }) - (mkUserModule "terraform" { - description = "Terraform Cloud actor"; - sshKeys = sshKeyDatabase.users.terraform; - isAutomationUser = true; - defaultGroups = [ "wheel" ]; - }) - (mkUserModule "github" { - description = "Github Actions actor"; - sshKeys = sshKeyDatabase.users.github; - isAutomationUser = true; - defaultGroups = [ "wheel" ]; - }) - ]; + (mkUserModule "terraform" { + description = "Terraform Cloud actor"; + sshKeys = sshKeyDatabase.users.terraform; + isAutomationUser = true; + defaultGroups = [ "wheel" ]; + }) + (mkUserModule "github" { + description = "Github Actions actor"; + sshKeys = 
sshKeyDatabase.users.github; + isAutomationUser = true; + defaultGroups = [ "wheel" ]; + }) + ]; } diff --git a/nix/nixos-modules/astral/vfio.nix b/nix/nixos-modules/astral/vfio.nix index 76f076fa..f284d1c3 100644 --- a/nix/nixos-modules/astral/vfio.nix +++ b/nix/nixos-modules/astral/vfio.nix @@ -1,9 +1,20 @@ -{ pkgs, lib, config, ... }: { +{ + pkgs, + lib, + config, + ... +}: +{ options.astral.vfio = with lib; { enable = mkEnableOption "Configure the machine for Nvidia VFIO passthrough"; iommu-mode = mkOption { - type = with types; enum [ "amd_iommu" "intel_iommu" ]; + type = + with types; + enum [ + "amd_iommu" + "intel_iommu" + ]; description = '' Whether to use AMD or Intel iommu. ''; @@ -18,34 +29,39 @@ }; }; - config = let cfg = config.astral.vfio; - in lib.mkIf cfg.enable { - services.xserver.videoDrivers = [ "nvidia" ]; - virtualisation.spiceUSBRedirection.enable = true; + config = + let + cfg = config.astral.vfio; + in + lib.mkIf cfg.enable { + services.xserver.videoDrivers = [ "nvidia" ]; + virtualisation.spiceUSBRedirection.enable = true; - hardware.opengl.enable = true; + hardware.opengl.enable = true; - boot = { - kernelParams = [ - # enable IOMMU - "${cfg.iommu-mode}=on" - ] ++ - # isolate the GPU - lib.optional (builtins.length cfg.pci-devs > 0) - ("vfio-pci.ids=" + lib.concatStringsSep "," cfg.pci-devs); + boot = { + kernelParams = + [ + # enable IOMMU + "${cfg.iommu-mode}=on" + ] + ++ + # isolate the GPU + lib.optional (builtins.length cfg.pci-devs > 0) ( + "vfio-pci.ids=" + lib.concatStringsSep "," cfg.pci-devs + ); - initrd.kernelModules = [ - "vfio_pci" - "vfio" - "vfio_iommu_type1" - #"vfio_virqfd" + initrd.kernelModules = [ + "vfio_pci" + "vfio" + "vfio_iommu_type1" + #"vfio_virqfd" - #"nvidia" - #"nvidia_modeset" - #"nvidia_uvm" - #"nvidia_drm" - ]; + #"nvidia" + #"nvidia_modeset" + #"nvidia_uvm" + #"nvidia_drm" + ]; + }; }; - }; } - 
diff --git a/nix/nixos-modules/astral/virt/default.nix b/nix/nixos-modules/astral/virt/default.nix index a96d14df..60d9809b 100644 --- a/nix/nixos-modules/astral/virt/default.nix +++ b/nix/nixos-modules/astral/virt/default.nix @@ -1 +1,7 @@ -{ imports = [ ./docker.nix ./libvirt.nix ./lxc.nix ]; } +{ + imports = [ + ./docker.nix + ./libvirt.nix + ./lxc.nix + ]; +} diff --git a/nix/nixos-modules/astral/virt/docker.nix b/nix/nixos-modules/astral/virt/docker.nix index 6f1134a4..0e315cae 100644 --- a/nix/nixos-modules/astral/virt/docker.nix +++ b/nix/nixos-modules/astral/virt/docker.nix @@ -1,5 +1,11 @@ -{ config, lib, pkgs, ... }: -with lib; { +{ + config, + lib, + pkgs, + ... +}: +with lib; +{ options.astral.virt.docker = { enable = mkOption { description = "Use docker stuff"; @@ -8,9 +14,12 @@ with lib; { }; }; - config = let cfg = config.astral.virt.docker; - in mkIf cfg.enable { - virtualisation.podman.enable = true; - environment.systemPackages = with pkgs; [ podman-compose ]; - }; + config = + let + cfg = config.astral.virt.docker; + in + mkIf cfg.enable { + virtualisation.podman.enable = true; + environment.systemPackages = with pkgs; [ podman-compose ]; + }; } diff --git a/nix/nixos-modules/astral/virt/libvirt.nix b/nix/nixos-modules/astral/virt/libvirt.nix index 3a011ac5..d59b577b 100644 --- a/nix/nixos-modules/astral/virt/libvirt.nix +++ b/nix/nixos-modules/astral/virt/libvirt.nix @@ -1,5 +1,11 @@ -{ config, lib, pkgs, ... }: -with lib; { +{ + config, + lib, + pkgs, + ... +}: +with lib; +{ options.astral.virt.libvirt = { enable = mkOption { description = "Use libvirt stuff"; 
@@ -14,30 +20,35 @@ with lib; { }; }; - config = let cfg = config.astral.virt.libvirt; - in mkIf cfg.enable { - boot = { - kernelModules = [ "kvm-intel" ]; - binfmt.emulatedSystems = [ "aarch64-linux" ]; - }; + config = + let + cfg = config.astral.virt.libvirt; + in + mkIf cfg.enable { + boot = { + kernelModules = [ "kvm-intel" ]; + binfmt.emulatedSystems = [ "aarch64-linux" ]; + }; - virtualisation.libvirtd = { - enable = true; - qemu.ovmf = { + virtualisation.libvirtd = { enable = true; - packages = with pkgs; - [ + qemu.ovmf = { + enable = true; + packages = with pkgs; [ OVMFFull.fd # broken as of upgrade to 23.11 # pkgsCross.aarch64-multiplatform.OVMF.fd ]; + }; }; - }; - security.polkit.enable = true; + security.polkit.enable = true; - environment.systemPackages = with pkgs; - ([ netcat ] # netcat for qemu+ssh:// connections - ++ (if cfg.virt-manager.enable then [ virt-manager ] else [ ])); - }; + environment.systemPackages = + with pkgs; + ( + [ netcat ] # netcat for qemu+ssh:// connections + ++ (if cfg.virt-manager.enable then [ virt-manager ] else [ ]) + ); + }; } diff --git a/nix/nixos-modules/astral/virt/lxc.nix b/nix/nixos-modules/astral/virt/lxc.nix index cfb86759..ef804362 100644 --- a/nix/nixos-modules/astral/virt/lxc.nix +++ b/nix/nixos-modules/astral/virt/lxc.nix @@ -1,5 +1,11 @@ -{ config, lib, pkgs, ... }: -with lib; { +{ + config, + lib, + pkgs, + ... +}: +with lib; +{ options.astral.virt.lxc = { enable = mkOption { description = "Use LXC stuff"; 
@@ -8,16 +14,21 @@ with lib; { }; }; - config = let cfg = config.astral.virt.lxc; - in mkIf cfg.enable { - virtualisation = { - lxc = { enable = true; }; - lxd = { - enable = true; - package = pkgs.lxd.override { useQemu = true; }; - recommendedSysctlSettings = true; + config = + let + cfg = config.astral.virt.lxc; + in + mkIf cfg.enable { + virtualisation = { + lxc = { + enable = true; + }; + lxd = { + enable = true; + package = pkgs.lxd.override { useQemu = true; }; + recommendedSysctlSettings = true; + }; }; + boot.kernelModules = [ "vhost_vsock" ]; }; - boot.kernelModules = [ "vhost_vsock" ]; - }; } diff --git a/nix/nixos-modules/astral/xmonad/default.nix b/nix/nixos-modules/astral/xmonad/default.nix index a059e0a5..7e703b54 100644 --- a/nix/nixos-modules/astral/xmonad/default.nix +++ b/nix/nixos-modules/astral/xmonad/default.nix @@ -1,4 +1,10 @@ -{ config, lib, pkgs, ... }: { +{ + config, + lib, + pkgs, + ... +}: +{ options.astral.xmonad = { enable = lib.mkOption { description = "Use xmonad"; 
@@ -8,35 +14,38 @@ }; # https://gvolpe.com/blog/xmonad-polybar-nixos/#configuration - config = let cfg = config.astral.xmonad; - in lib.mkIf cfg.enable { - services = { - gnome.gnome-keyring.enable = true; - upower.enable = true; - - libinput = { - enable = true; - touchpad.disableWhileTyping = true; - }; - - defaultSession = "none+xmonad"; + config = + let + cfg = config.astral.xmonad; + in + lib.mkIf cfg.enable { + services = { + gnome.gnome-keyring.enable = true; + upower.enable = true; + + libinput = { + enable = true; + touchpad.disableWhileTyping = true; + }; - xserver = { - enable = true; + defaultSession = "none+xmonad"; - windowManager.xmonad = { + xserver = { enable = true; - enableContribAndExtras = true; - }; - xkb.layout = "us"; - xkb.options = "caps:ctrl_modifier"; + windowManager.xmonad = { + enable = true; + enableContribAndExtras = true; + }; + + xkb.layout = "us"; + xkb.options = "caps:ctrl_modifier"; + }; }; - }; - hardware.bluetooth.enable = true; - services.blueman.enable = true; + hardware.bluetooth.enable = true; + services.blueman.enable = true; - systemd.services.upower.enable = true; - }; + systemd.services.upower.enable = true; + }; } diff --git a/nix/nixos-modules/astral/zfs-utils.nix b/nix/nixos-modules/astral/zfs-utils.nix index 97022541..043cbc00 100644 --- a/nix/nixos-modules/astral/zfs-utils.nix +++ b/nix/nixos-modules/astral/zfs-utils.nix @@ -1,7 +1,8 @@ # See also: https://nixos.wiki/wiki/NixOS_on_ZFS { config, lib, ... }: -with lib; { +with lib; +{ options.astral.zfs-utils.enable = mkOption { description = "Enable to set up utils for ZFS."; default = false; diff --git a/nix/nixos-modules/roles/akkoma/default.nix b/nix/nixos-modules/roles/akkoma/default.nix index f09ed69e..d259b708 100644 --- a/nix/nixos-modules/roles/akkoma/default.nix +++ b/nix/nixos-modules/roles/akkoma/default.nix 
@@ -1,27 +1,35 @@ -{ pkgs, lib, config, ... }: +{ + pkgs, + lib, + config, + ... +}: with lib; let vs = config.vault-secrets.secrets; vhost = "fedi.astrid.tech"; - patched-akkoma-fe = pkgs.akkoma-frontends.akkoma-fe.overrideAttrs - (final: prev: { + patched-akkoma-fe = pkgs.akkoma-frontends.akkoma-fe.overrideAttrs ( + final: prev: { src = pkgs.runCommand "patched-akkoma-fe-src" { } '' cp -r ${prev.src} $out chmod -R +w $out cp ${./i18n_en.json} $out/src/i18n/en.json ''; - }); + } + ); blocklist = lib.importTOML ./blocklist.toml; # Wraps a file in a single-file derivation. - wrapFile = name: path: + wrapFile = + name: path: (pkgs.runCommand name { inherit path; } '' cp -r "$path" "$out" ''); -in { +in +{ # vault kv put kv/akkoma/secrets db_password=@ vault-secrets.secrets.akkoma = { user = "akkoma"; @@ -52,16 +60,16 @@ in { enable = true; initDb.enable = false; - extraStatic = { - "static/terms-of-service.html" = - wrapFile "terms-of-service.html" ./terms-of-service.html; - "favicon.png" = wrapFile "favicon.png" ./favicon.png; - "robots.txt" = wrapFile "robots.txt" ./robots.txt; - } // lib.mapAttrs' (name: value: { - name = "emoji/${name}"; - inherit value; - }) (lib.filterAttrs (name: _: name != "recurseForDerivations") - pkgs.akkoma-emoji); + extraStatic = + { + "static/terms-of-service.html" = wrapFile "terms-of-service.html" ./terms-of-service.html; + "favicon.png" = wrapFile "favicon.png" ./favicon.png; + "robots.txt" = wrapFile "robots.txt" ./robots.txt; + } + // lib.mapAttrs' (name: value: { + name = "emoji/${name}"; + inherit value; + }) (lib.filterAttrs (name: _: name != "recurseForDerivations") pkgs.akkoma-emoji); frontends = { primary = { 
@@ -76,71 +84,74 @@ in { }; }; - config = let inherit ((pkgs.formats.elixirConf { }).lib) mkRaw mkMap; - in { - ":pleroma"."Pleroma.Web.Endpoint".url.host = vhost; - ":pleroma".":media_proxy".enabled = false; - ":pleroma".":instance" = { - name = "da astrid z0ne"; - description = "astrid's akkoma server"; - email = "akkoma@astrid.tech"; - notify_email = "akkoma@astrid.tech"; - - registrations_open = false; - invites_enabled = true; - - limit = 69420; - remote_limit = 100000; - max_pinned_statuses = 10; - max_account_fields = 100; - - limit_to_local_content = mkRaw ":unauthenticated"; - healthcheck = true; - cleanup_attachments = true; - allow_relay = true; - - export_prometheus_metrics = true; + config = + let + inherit ((pkgs.formats.elixirConf { }).lib) mkRaw mkMap; + in + { + ":pleroma"."Pleroma.Web.Endpoint".url.host = vhost; + ":pleroma".":media_proxy".enabled = false; + ":pleroma".":instance" = { + name = "da astrid z0ne"; + description = "astrid's akkoma server"; + email = "akkoma@astrid.tech"; + notify_email = "akkoma@astrid.tech"; + + registrations_open = false; + invites_enabled = true; + + limit = 69420; + remote_limit = 100000; + max_pinned_statuses = 10; + max_account_fields = 100; + + limit_to_local_content = mkRaw ":unauthenticated"; + healthcheck = true; + cleanup_attachments = true; + allow_relay = true; + + export_prometheus_metrics = true; + }; + ":pleroma".":mrf" = { + policies = map mkRaw [ "Pleroma.Web.ActivityPub.MRF.SimplePolicy" ]; + transparency = false; + }; + + ":pleroma"."Pleroma.Repo" = { + adapter = mkRaw "Ecto.Adapters.Postgres"; + + hostname = "localhost"; + database = "akkoma"; + ssl = true; + + username = "akkoma"; + password._secret = "${vs.akkoma}/db_password"; + + prepare = mkRaw ":named"; + parameters.plan_cache_mode = "force_custom_plan"; + }; + + # S3 setup + ":pleroma"."Pleroma.Upload" = { + uploader = mkRaw "Pleroma.Uploaders.S3"; + base_url = "https://s3.us-west-000.backblazeb2.com"; + strip_exif = false; + }; + 
":pleroma"."Pleroma.Uploaders.S3".bucket = "nyaabucket"; + ":ex_aws".":s3" = { + access_key_id._secret = "${vs.akkoma_b2}/b2_app_key_id"; + secret_access_key._secret = "${vs.akkoma_b2}/b2_app_key"; + host = "s3.us-west-000.backblazeb2.com"; + }; + + # Automated moderation settings + # Borrowed from https://github.com/chaossocial/about/blob/master/blocked_instances.md + ":pleroma".":mrf_simple" = { + media_nsfw = mkMap blocklist.media_nsfw; + reject = mkMap blocklist.reject; + followers_only = mkMap blocklist.followers_only; + }; }; - ":pleroma".":mrf" = { - policies = map mkRaw [ "Pleroma.Web.ActivityPub.MRF.SimplePolicy" ]; - transparency = false; - }; - - ":pleroma"."Pleroma.Repo" = { - adapter = mkRaw "Ecto.Adapters.Postgres"; - - hostname = "localhost"; - database = "akkoma"; - ssl = true; - - username = "akkoma"; - password._secret = "${vs.akkoma}/db_password"; - - prepare = mkRaw ":named"; - parameters.plan_cache_mode = "force_custom_plan"; - }; - - # S3 setup - ":pleroma"."Pleroma.Upload" = { - uploader = mkRaw "Pleroma.Uploaders.S3"; - base_url = "https://s3.us-west-000.backblazeb2.com"; - strip_exif = false; - }; - ":pleroma"."Pleroma.Uploaders.S3".bucket = "nyaabucket"; - ":ex_aws".":s3" = { - access_key_id._secret = "${vs.akkoma_b2}/b2_app_key_id"; - secret_access_key._secret = "${vs.akkoma_b2}/b2_app_key"; - host = "s3.us-west-000.backblazeb2.com"; - }; - - # Automated moderation settings - # Borrowed from https://github.com/chaossocial/about/blob/master/blocked_instances.md - ":pleroma".":mrf_simple" = { - media_nsfw = mkMap blocklist.media_nsfw; - reject = mkMap blocklist.reject; - followers_only = mkMap blocklist.followers_only; - }; - }; nginx = { enableACME = true; 
@@ -169,24 +180,26 @@ in { }; # Overriden settings for local testing - virtualisation.vmVariant.services.akkoma.nginx = let - tlsCert = pkgs.runCommand "akkoma-self-signed-cert" { - nativeBuildInputs = with pkgs; [ openssl ]; - } '' - mkdir -p $out - openssl req -x509 \ - -subj '/CN=${vhost}/' -days 49710 \ - -addext 'subjectAltName = DNS:${vhost}' \ - -keyout "$out/key.pem" -newkey rsa:2048 \ - -out "$out/cert.pem" -noenc - ''; - in { - enableACME = lib.mkForce false; - forceSSL = lib.mkForce false; - addSSL = true; - sslCertificate = "${tlsCert}/cert.pem"; - sslCertificateKey = "${tlsCert}/key.pem"; - }; + virtualisation.vmVariant.services.akkoma.nginx = + let + tlsCert = + pkgs.runCommand "akkoma-self-signed-cert" { nativeBuildInputs = with pkgs; [ openssl ]; } + '' + mkdir -p $out + openssl req -x509 \ + -subj '/CN=${vhost}/' -days 49710 \ + -addext 'subjectAltName = DNS:${vhost}' \ + -keyout "$out/key.pem" -newkey rsa:2048 \ + -out "$out/cert.pem" -noenc + ''; + in + { + enableACME = lib.mkForce false; + forceSSL = lib.mkForce false; + addSSL = true; + sslCertificate = "${tlsCert}/cert.pem"; + sslCertificateKey = "${tlsCert}/key.pem"; + }; # It seems to be running out of FDs. # By default it's 1024, which is a bit too small. diff --git a/nix/nixos-modules/roles/armqr.nix b/nix/nixos-modules/roles/armqr.nix index 5f4e7bf5..7d95d481 100644 --- a/nix/nixos-modules/roles/armqr.nix +++ b/nix/nixos-modules/roles/armqr.nix @@ -1,6 +1,13 @@ -{ config, pkgs, lib, ... }: -let inputs = config.astral.inputs; -in { +{ + config, + pkgs, + lib, + ... +}: +let + inputs = config.astral.inputs; +in +{ imports = [ inputs.armqr.nixosModules.default ]; services.armqr = { 
@@ -10,17 +17,18 @@ in { services.nginx = { enable = true; - virtualHosts = let - conf = { - enableACME = true; - addSSL = true; - forceSSL = false; - locations."/".proxyPass = - "http://127.0.0.1:${toString config.services.armqr.port}"; + virtualHosts = + let + conf = { + enableACME = true; + addSSL = true; + forceSSL = false; + locations."/".proxyPass = "http://127.0.0.1:${toString config.services.armqr.port}"; + }; + in + { + "qr.arm.astridyu.com" = conf; + "0q4.org" = conf; }; - in { - "qr.arm.astridyu.com" = conf; - "0q4.org" = conf; - }; }; } diff --git a/nix/nixos-modules/roles/auth-dns/default.nix b/nix/nixos-modules/roles/auth-dns/default.nix index a866018d..be2d6938 100644 --- a/nix/nixos-modules/roles/auth-dns/default.nix +++ b/nix/nixos-modules/roles/auth-dns/default.nix @@ -1,8 +1,15 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: let vs = config.vault-secrets.secrets."ddns-key"; binddir = config.services.bind.directory; -in with lib; { +in +with lib; +{ # vault kv put kv/ddns-key/secrets \ # s03=@ vault-secrets.secrets."ddns-key" = { @@ -113,21 +120,35 @@ in with lib; { services.prometheus.exporters.bind = { enable = true; bindURI = "http://localhost:8053/"; - bindGroups = [ "server" "view" "tasks" ]; + bindGroups = [ + "server" + "view" + "tasks" + ]; }; # easter eggs services.nginx.virtualHosts = - let hosts = [ "charlie" "dee" "dennis" "frank" "mac" ]; - in listToAttrs (map (host: { - name = "${host}.astrid.tech"; - value = { - enableACME = true; - addSSL = true; - root = ./placeholder-site; - locations."/".index = "${host}.jpg"; - }; - }) hosts); + let + hosts = [ + "charlie" + "dee" + "dennis" + "frank" + "mac" + ]; + in + listToAttrs ( + map (host: { + name = "${host}.astrid.tech"; + value = { + enableACME = true; + addSSL = true; + root = ./placeholder-site; + locations."/".index = "${host}.jpg"; + }; + }) hosts + ); systemd.services.generate-bind-key-includes = { description = "Generate config includes for BIND keys"; 
@@ -160,7 +181,9 @@ in with lib; { cp -n ${./d.astrid.tech.zone} ${binddir}/d.astrid.tech.zone ''; - serviceConfig = { User = "named"; }; + serviceConfig = { + User = "named"; + }; }; networking.extraHosts = '' diff --git a/nix/nixos-modules/roles/contabo-vps.nix b/nix/nixos-modules/roles/contabo-vps.nix index a8154074..a33e0c3e 100644 --- a/nix/nixos-modules/roles/contabo-vps.nix +++ b/nix/nixos-modules/roles/contabo-vps.nix @@ -1,4 +1,10 @@ -{ modulesPath, config, lib, ... }: { +{ + modulesPath, + config, + lib, + ... +}: +{ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; zramSwap.enable = true; diff --git a/nix/nixos-modules/roles/ejabberd.nix b/nix/nixos-modules/roles/ejabberd.nix index 9ad5050f..196cbc53 100644 --- a/nix/nixos-modules/roles/ejabberd.nix +++ b/nix/nixos-modules/roles/ejabberd.nix @@ -1,4 +1,9 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: with lib; let httpPort = 5443; @@ -12,11 +17,13 @@ let ]; ejabberd-yml = { - hosts = [ "ejabberd.femboy.technology" "xmpp.femboy.technology" ]; - certfiles = forEach certDomains - (dn: config.security.acme.certs."${dn}".directory + "/*.pem"); + hosts = [ + "ejabberd.femboy.technology" + "xmpp.femboy.technology" + ]; + certfiles = forEach certDomains (dn: config.security.acme.certs."${dn}".directory + "/*.pem"); - acl.admin = [{ user = "ifd3f@xmpp.femboy.technology"; }]; + acl.admin = [ { user = "ifd3f@xmpp.femboy.technology"; } ]; access_rules = { configure.allow = "admin"; @@ -33,7 +40,9 @@ let mod_blocking = { }; mod_bosh = { }; mod_carboncopy = { }; - mod_disco = { name = "next-generation femboy technology"; }; + mod_disco = { + name = "next-generation femboy technology"; + }; mod_last = { }; mod_mam = { default = "always"; @@ -51,7 +60,9 @@ let mod_push = { }; mod_roster = { }; mod_time = { }; - mod_vcard = { search = true; }; + mod_vcard = { + search = true; + }; mod_vcard_xupdate = { }; mod_mqtt = { }; 
@@ -75,7 +86,9 @@ let ip = "127.0.0.1"; module = "ejabberd_http"; tls = false; # We will use a reverse proxy - request_handlers = { "/admin" = "ejabberd_web_admin"; }; + request_handlers = { + "/admin" = "ejabberd_web_admin"; + }; } { port = 8833; @@ -86,7 +99,8 @@ let ]; }; -in { +in +{ astral = { custom-nginx-errors.virtualHosts = [ "xmpp.femboy.technology" ]; backup.services.paths = [ config.services.ejabberd.spoolDir ]; 
@@ -97,40 +111,50 @@ in { configFile = pkgs.writeText "ejabberd.yml" (builtins.toJSON ejabberd-yml); }; - security.acme.certs = mkMerge (forEach certDomains (dn: { - "${dn}" = { - group = "xmppcerts"; - reloadServices = [ "ejabberd.service" ]; - }; - })); + security.acme.certs = mkMerge ( + forEach certDomains (dn: { + "${dn}" = { + group = "xmppcerts"; + reloadServices = [ "ejabberd.service" ]; + }; + }) + ); - services.nginx.virtualHosts = mkMerge (forEach certDomains (dn: { - "${dn}" = { - enableACME = true; - addSSL = true; + services.nginx.virtualHosts = mkMerge ( + forEach certDomains (dn: { + "${dn}" = { + enableACME = true; + addSSL = true; - locations."/".extraConfig = '' - rewrite ^/(.*)$ http://ejabberd.femboy.technology/$1 redirect; - ''; - }; - }) ++ [{ - "ejabberd.femboy.technology" = { - enableACME = true; - forceSSL = true; - - locations."/" = { - proxyPass = "http://127.0.0.1:${toString httpPort}"; - proxyWebsockets = true; - extraConfig = '' - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + locations."/".extraConfig = '' + rewrite ^/(.*)$ http://ejabberd.femboy.technology/$1 redirect; ''; }; - }; - }]); + }) + ++ [ + { + "ejabberd.femboy.technology" = { + enableACME = true; + forceSSL = true; + + locations."/" = { + proxyPass = "http://127.0.0.1:${toString httpPort}"; + proxyWebsockets = true; + extraConfig = '' + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + ''; + }; + }; + } + ] + ); - networking.firewall.allowedTCPPorts = [ 5222 5269 ]; + networking.firewall.allowedTCPPorts = [ + 5222 + 5269 + ]; users = { users = { diff --git a/nix/nixos-modules/roles/iot-gw/default.nix b/nix/nixos-modules/roles/iot-gw/default.nix index cbe986bc..4e7e2cad 100644 --- a/nix/nixos-modules/roles/iot-gw/default.nix 
+++ b/nix/nixos-modules/roles/iot-gw/default.nix @@ -1,12 +1,18 @@ # IoT Gateway, running at home. -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: let vs = config.vault-secrets.secrets.iot-gw-s02; - zigbeeDongle = - "/dev/serial/by-id/usb-ITead_Sonoff_Zigbee_3.0_USB_Dongle_Plus_6aa3627f3e98ec119bbbaad044d80d13-if00-port0"; + zigbeeDongle = "/dev/serial/by-id/usb-ITead_Sonoff_Zigbee_3.0_USB_Dongle_Plus_6aa3627f3e98ec119bbbaad044d80d13-if00-port0"; -in with lib; { +in +with lib; +{ # vault kv put kv/iot-gw-s02/environment \ # ZIGBEE2MQTT_CONFIG_MQTT_USER=@ \ # ZIGBEE2MQTT_CONFIG_MQTT_PASSWORD=@ @@ -22,7 +28,10 @@ in with lib; { }; }; - networking.firewall.allowedTCPPorts = [ 1883 8883 ]; + networking.firewall.allowedTCPPorts = [ + 1883 + 8883 + ]; services.zigbee2mqtt = { enable = true; @@ -66,8 +75,10 @@ in with lib; { # We trust connections from localhost, so the passwords are quite lax and in cleartext. { users.zigbee2mqtt = { - acl = - [ "readwrite s02/homeassistant/#" "readwrite s02/zigbee2mqtt/#" ]; + acl = [ + "readwrite s02/homeassistant/#" + "readwrite s02/zigbee2mqtt/#" + ]; password = config.services.zigbee2mqtt.settings.mqtt.password; }; @@ -106,11 +117,14 @@ in with lib; { }; "zigbee2mqtt.s02.astrid.tech" = { - locations."/" = let z2m = config.services.zigbee2mqtt; - in { - proxyWebsockets = true; - proxyPass = "http://localhost:${toString z2m.settings.frontend.port}"; - }; + locations."/" = + let + z2m = config.services.zigbee2mqtt; + in + { + proxyWebsockets = true; + proxyPass = "http://localhost:${toString z2m.settings.frontend.port}"; + }; }; }; } diff --git a/nix/nixos-modules/roles/laptop.nix b/nix/nixos-modules/roles/laptop.nix index 05c910ca..6eb7ce74 100644 --- a/nix/nixos-modules/roles/laptop.nix +++ b/nix/nixos-modules/roles/laptop.nix 
@@ -1,8 +1,15 @@ # A graphics-enabled laptop that I would directly use. # Excludes laptops repurposed as headless servers. -{ config, pkgs, lib, ... }: -let inputs = config.astral.inputs; -in { +{ + config, + pkgs, + lib, + ... +}: +let + inputs = config.astral.inputs; +in +{ # imports = [ inputs.self.nixosModules.pc ]; environment.systemPackages = with pkgs; [ diff --git a/nix/nixos-modules/roles/loki-server.nix b/nix/nixos-modules/roles/loki-server.nix index 9aa467ca..1189d9ca 100644 --- a/nix/nixos-modules/roles/loki-server.nix +++ b/nix/nixos-modules/roles/loki-server.nix @@ -1,11 +1,19 @@ -{ pkgs, lib, config, ... }: +{ + pkgs, + lib, + config, + ... +}: with lib; let vs = config.vault-secrets.secrets; lcfg = config.services.loki; -in { +in +{ # vault kv put kv/loki-server/environment S3_ACCESS=@ S3_SECRET=@ - vault-secrets.secrets.loki-server = { services = [ "loki.service" ]; }; + vault-secrets.secrets.loki-server = { + services = [ "loki.service" ]; + }; astral.custom-nginx-errors.virtualHosts = [ "loki.astrid.tech" ]; @@ -15,7 +23,9 @@ in { extraFlags = [ "-config.expand-env=true" ]; configuration = { - common = { ring.kvstore.store = "memberlist"; }; + common = { + ring.kvstore.store = "memberlist"; + }; auth_enabled = false; compactor = { compaction_interval = "5m"; @@ -43,16 +53,18 @@ in { min_join_backoff = "1s"; }; schema_config = { - configs = [{ - from = "2023-01-18"; - index = { - period = "24h"; - prefix = "index_"; - }; - object_store = "s3"; - schema = "v11"; - store = "boltdb-shipper"; - }]; + configs = [ + { + from = "2023-01-18"; + index = { + period = "24h"; + prefix = "index_"; + }; + object_store = "s3"; + schema = "v11"; + store = "boltdb-shipper"; + } + ]; }; server = { http_listen_address = "0.0.0.0"; 
@@ -74,8 +86,7 @@ in { }; }; - systemd.services.loki.serviceConfig.EnvironmentFile = - "${vs.loki-server}/environment"; + systemd.services.loki.serviceConfig.EnvironmentFile = "${vs.loki-server}/environment"; services.nginx.virtualHosts = { "loki.astrid.tech" = { @@ -100,8 +111,7 @@ in { ''; locations."/" = { - proxyPass = "http://127.0.0.1:" - + toString lcfg.configuration.server.http_listen_port; + proxyPass = "http://127.0.0.1:" + toString lcfg.configuration.server.http_listen_port; proxyWebsockets = true; }; }; diff --git a/nix/nixos-modules/roles/media-server/default.nix b/nix/nixos-modules/roles/media-server/default.nix index 62457ec2..67270411 100644 --- a/nix/nixos-modules/roles/media-server/default.nix +++ b/nix/nixos-modules/roles/media-server/default.nix @@ -1,7 +1,15 @@ # Home media server, hooked up directly to the TV. -{ config, pkgs, lib, ... }: -let vs = config.vault-secrets.secrets.media-server; -in with lib; { +{ + config, + pkgs, + lib, + ... +}: +let + vs = config.vault-secrets.secrets.media-server; +in +with lib; +{ services.xserver = { enable = true; @@ -22,7 +30,10 @@ in with lib; { users = { users.tv = { group = "tv"; - extraGroups = [ "wheel" "deluge" ]; + extraGroups = [ + "wheel" + "deluge" + ]; isNormalUser = true; }; users.astrid.extraGroups = [ "tv" ]; diff --git a/nix/nixos-modules/roles/monitoring-center/default.nix b/nix/nixos-modules/roles/monitoring-center/default.nix index 017fb75d..8b194383 100644 --- a/nix/nixos-modules/roles/monitoring-center/default.nix +++ b/nix/nixos-modules/roles/monitoring-center/default.nix @@ -1 +1,7 @@ -{ imports = [ ./grafana.nix ./prometheus.nix ./xmpp-alerts.nix ]; } +{ + imports = [ + ./grafana.nix + ./prometheus.nix + ./xmpp-alerts.nix + ]; +} diff --git a/nix/nixos-modules/roles/monitoring-center/grafana.nix b/nix/nixos-modules/roles/monitoring-center/grafana.nix index 0fbd1a86..fc8482cf 100644 --- a/nix/nixos-modules/roles/monitoring-center/grafana.nix 
+++ b/nix/nixos-modules/roles/monitoring-center/grafana.nix @@ -1,13 +1,21 @@ -{ pkgs, lib, config, ... }: +{ + pkgs, + lib, + config, + ... +}: with lib; let vs = config.vault-secrets.secrets; gcfg = config.services.grafana; -in { +in +{ astral.backup.services.paths = [ "/var/lib/grafana" ]; # vault kv put kv/grafana-sso-oauth/env GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=@ - vault-secrets.secrets.grafana-sso-oauth = { environmentKey = "env"; }; + vault-secrets.secrets.grafana-sso-oauth = { + environmentKey = "env"; + }; systemd.services.grafana = { requires = [ "grafana-sso-oauth-secrets.service" ]; @@ -34,17 +42,13 @@ in { client_secret = "SECRET THAT GETS OVERRIDEN"; scopes = "openid email profile offline_access roles"; - auth_url = - "https://sso.astrid.tech/realms/public-users/protocol/openid-connect/auth"; - token_url = - "https://sso.astrid.tech/realms/public-users/protocol/openid-connect/token"; - api_url = - "https://sso.astrid.tech/realms/public-users/protocol/openid-connect/userinfo"; + auth_url = "https://sso.astrid.tech/realms/public-users/protocol/openid-connect/auth"; + token_url = "https://sso.astrid.tech/realms/public-users/protocol/openid-connect/token"; + api_url = "https://sso.astrid.tech/realms/public-users/protocol/openid-connect/userinfo"; email_attribute_path = "email"; login_attribute_path = "username"; name_attribute_path = "full_name"; - role_attribute_path = - "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'"; + role_attribute_path = "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'"; allow_sign_up = true; }; }; @@ -56,8 +60,7 @@ in { forceSSL = true; locations."/" = { - proxyPass = - "http://127.0.0.1:${toString gcfg.settings.server.http_port}"; + proxyPass = "http://127.0.0.1:${toString gcfg.settings.server.http_port}"; proxyWebsockets = true; # needed to prevent 'Origin not allowed' 
diff --git a/nix/nixos-modules/roles/monitoring-center/prometheus-discovery.nix b/nix/nixos-modules/roles/monitoring-center/prometheus-discovery.nix index d545d265..577c4cfe 100644 --- a/nix/nixos-modules/roles/monitoring-center/prometheus-discovery.nix +++ b/nix/nixos-modules/roles/monitoring-center/prometheus-discovery.nix @@ -1,17 +1,26 @@ { config, lib, ... }: with lib; -let inherit (config.astral.inputs.self) nixosConfigurations; -in rec { - supportedExporters = [ "node" "nginx" "systemd" "bind" "postgres" ]; +let + inherit (config.astral.inputs.self) nixosConfigurations; +in +rec { + supportedExporters = [ + "node" + "nginx" + "systemd" + "bind" + "postgres" + ]; - nixosKeys = (filter (host: - !(hasPrefix "__" host) - && nixosConfigurations."${host}".config.astral.monitoring-node.enable) - (attrNames nixosConfigurations)); + nixosKeys = ( + filter ( + host: !(hasPrefix "__" host) && nixosConfigurations."${host}".config.astral.monitoring-node.enable + ) (attrNames nixosConfigurations) + ); - monitoredHosts = with builtins; - map (host: nixosConfigurations."${host}".config.astral.monitoring-node) - nixosKeys; + monitoredHosts = + with builtins; + map (host: nixosConfigurations."${host}".config.astral.monitoring-node) nixosKeys; # TODO: set up mTLS tls_config = { @@ -19,12 +28,11 @@ in rec { # cert_file = "${./prometheus.pem}"; # key_file = cfg.sslKeyFile; }; - brokenHosts = with builtins; - map (cfg: cfg.vhost) - (filter (cfg: cfg.scrapeTransport == null) monitoredHosts); + brokenHosts = + with builtins; + map (cfg: cfg.vhost) (filter (cfg: cfg.scrapeTransport == null) monitoredHosts); - tailscaleTargets = - filter (cfg: cfg.scrapeTransport == "tailscale") monitoredHosts; + tailscaleTargets = filter (cfg: cfg.scrapeTransport == "tailscale") monitoredHosts; httpsTargets = filter (cfg: cfg.scrapeTransport == "https") monitoredHosts; 
@@ -37,11 +45,13 @@ in rec { job_name = "${e}-tailscale"; scrape_interval = "15s"; metrics_path = "/metrics/${e}"; - static_configs = [{ - targets = with builtins; - concatMap (cfg: if elem e cfg.exporters then [ cfg.vhost ] else [ ]) - tailscaleTargets; - }]; + static_configs = [ + { + targets = + with builtins; + concatMap (cfg: if elem e cfg.exporters then [ cfg.vhost ] else [ ]) tailscaleTargets; + } + ]; }) ++ forEach supportedExporters (e: { @@ -51,10 +61,12 @@ in rec { job_name = "${e}-https"; scrape_interval = "15s"; metrics_path = "/metrics/${e}"; - static_configs = [{ - targets = with builtins; - concatMap (cfg: if elem e cfg.exporters then [ cfg.vhost ] else [ ]) - httpsTargets; - }]; + static_configs = [ + { + targets = + with builtins; + concatMap (cfg: if elem e cfg.exporters then [ cfg.vhost ] else [ ]) httpsTargets; + } + ]; }); } diff --git a/nix/nixos-modules/roles/monitoring-center/prometheus.nix b/nix/nixos-modules/roles/monitoring-center/prometheus.nix index 65ed402b..3979bb95 100644 --- a/nix/nixos-modules/roles/monitoring-center/prometheus.nix +++ b/nix/nixos-modules/roles/monitoring-center/prometheus.nix 
@@ -1,23 +1,28 @@ -{ pkgs, lib, config, ... }@args: +{ + pkgs, + lib, + config, + ... +}@args: with lib; let vs = config.vault-secrets.secrets; gcfg = config.services.grafana; discovery = import ./prometheus-discovery.nix args; -in { +in +{ options.astral.monitoring-center._discovery = mkOption { type = types.attrs; default = discovery; }; config = { - assertions = [{ - assertion = builtins.length discovery.brokenHosts == 0; - message = - "Some monitored nodes did not specify `astral.monitoring-node.scrapeTransport`. Offending hosts: ${ - toString discovery.brokenHosts - }"; - }]; + assertions = [ + { + assertion = builtins.length discovery.brokenHosts == 0; + message = "Some monitored nodes did not specify `astral.monitoring-node.scrapeTransport`. Offending hosts: ${toString discovery.brokenHosts}"; + } + ]; astral.backup.services.paths = [ "/var/lib/prometheus2" ]; diff --git a/nix/nixos-modules/roles/monitoring-center/xmpp-alerts.nix b/nix/nixos-modules/roles/monitoring-center/xmpp-alerts.nix index 1860fe92..4a23e0e0 100644 --- a/nix/nixos-modules/roles/monitoring-center/xmpp-alerts.nix +++ b/nix/nixos-modules/roles/monitoring-center/xmpp-alerts.nix @@ -1,10 +1,19 @@ -{ pkgs, lib, config, ... }: +{ + pkgs, + lib, + config, + ... +}: with lib; let vs = config.vault-secrets.secrets; gcfg = config.services.grafana; -in { - astral.backup.services.paths = [ "/var/lib/grafana" "/var/lib/prometheus2" ]; +in +{ + astral.backup.services.paths = [ + "/var/lib/grafana" + "/var/lib/prometheus2" + ]; # vault kv put kv/prometheus-xmpp-alerts/environment XMPP_USER_PASSWORD=@ vault-secrets.secrets.prometheus-xmpp-alerts = { 
@@ -13,8 +22,7 @@ in { users.groups.prometheus-xmpp-alerts-secrets = { }; - systemd.services.prometheus-xmpp-alerts.serviceConfig.EnvironmentFile = - "${vs.prometheus-xmpp-alerts}/environment"; + systemd.services.prometheus-xmpp-alerts.serviceConfig.EnvironmentFile = "${vs.prometheus-xmpp-alerts}/environment"; services.prometheus.xmpp-alerts = { enable = true; diff --git a/nix/nixos-modules/roles/nextcloud.nix b/nix/nixos-modules/roles/nextcloud.nix index 2787842f..5b5c91b7 100644 --- a/nix/nixos-modules/roles/nextcloud.nix +++ b/nix/nixos-modules/roles/nextcloud.nix @@ -1,7 +1,14 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: with lib; -let vs = config.vault-secrets.secrets; -in { +let + vs = config.vault-secrets.secrets; +in +{ astral.backup.services.paths = [ config.services.nextcloud.home ]; # vault kv put kv/nextcloud/secrets s3_secret=@ adminpass=@ @@ -48,8 +55,7 @@ in { oidc_login_client_id = "nextcloud"; oidc_login_provider_url = "https://sso.astrid.tech/realms/public-users"; oidc_login_end_session_redirect = false; - oidc_login_logout_url = - "https://nextcloud.astrid.tech/apps/oidc_login/oidc"; + oidc_login_logout_url = "https://nextcloud.astrid.tech/apps/oidc_login/oidc"; oidc_login_auto_redirect = false; oidc_login_redir_fallback = false; oidc_login_attributes = { @@ -115,9 +121,13 @@ in { services.postgresql = { enable = true; ensureDatabases = [ "nextcloud" ]; - ensureUsers = [{ - name = "nextcloud"; - ensurePermissions = { "DATABASE \"nextcloud\"" = "ALL PRIVILEGES"; }; - }]; + ensureUsers = [ + { + name = "nextcloud"; + ensurePermissions = { + "DATABASE \"nextcloud\"" = "ALL PRIVILEGES"; + }; + } + ]; }; } diff --git a/nix/nixos-modules/roles/oracle-cloud-vps.nix b/nix/nixos-modules/roles/oracle-cloud-vps.nix index 11e4999f..a66940e4 100644 --- a/nix/nixos-modules/roles/oracle-cloud-vps.nix +++ b/nix/nixos-modules/roles/oracle-cloud-vps.nix 
@@ -1,11 +1,17 @@ # A standard Oracle Cloud VPS. -{ config, lib, pkgs, modulesPath, ... }: { +{ + config, + lib, + pkgs, + modulesPath, + ... +}: +{ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; zramSwap.enable = true; - hardware.cpu.amd.updateMicrocode = - lib.mkDefault config.hardware.enableRedistributableFirmware; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; boot = { cleanTmpDir = true; @@ -16,8 +22,13 @@ systemd-boot.enable = true; }; - initrd.availableKernelModules = - [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ]; + initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "virtio_pci" + "virtio_scsi" + "sd_mod" + ]; initrd.kernelModules = [ ]; kernelModules = [ "kvm-amd" ]; diff --git a/nix/nixos-modules/roles/pc.nix b/nix/nixos-modules/roles/pc.nix index ed8dbd66..61e77227 100644 --- a/nix/nixos-modules/roles/pc.nix +++ b/nix/nixos-modules/roles/pc.nix @@ -1,13 +1,18 @@ # A graphics-enabled PC I would directly use. -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: with lib; let extraHosts = "/var/extraHosts"; inputs = config.astral.inputs; -in { +in +{ # haskell.nix binary cache - nix.settings.trusted-public-keys = - [ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ]; + nix.settings.trusted-public-keys = [ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ]; nix.settings.substituters = [ "https://cache.iog.io" ]; # Enable SSH in initrd for debugging or disk key entry @@ -112,7 +117,10 @@ in { services.pcscd = { enable = true; - plugins = with pkgs; [ ccid libacr38u ]; + plugins = with pkgs; [ + ccid + libacr38u + ]; }; services.gvfs.enable = true; 
@@ -165,13 +173,18 @@ in { services.printing = { enable = true; - drivers = with pkgs; [ gutenprint gutenprintBin ]; + drivers = with pkgs; [ + gutenprint + gutenprintBin + ]; }; services.xserver = { enable = true; - displayManager = { lightdm.enable = true; }; + displayManager = { + lightdm.enable = true; + }; desktopManager = { xterm.enable = false; @@ -194,35 +207,36 @@ in { services.flatpak.enable = true; - /* # Use dnsmasq to allow live hosts editing in development - services.dnsmasq = { - enable = true; - settings = { - server = [ "1.1.1.1" "8.8.8.8" "8.8.4.4" ]; - listen-address = "127.0.0.1"; - addn-hosts = extraHosts; - }; - }; - - systemd.services.create-extra-hosts = { - description = "Make extraHosts"; - - wantedBy = [ "dnsmasq.service" ]; - before = [ "dnsmasq.service" ]; - - script = '' - touch ${extraHosts} - chmod 664 ${extraHosts} - chown dnsmasq:dnsmasq-extra-hosts ${extraHosts} - ''; - - serviceConfig.Type = "oneshot"; - }; - - users = { - users.dnsmasq.extraGroups = [ "dnsmasq-extra-hosts" ]; - groups.dnsmasq-extra-hosts = { }; - }; + /* + # Use dnsmasq to allow live hosts editing in development + services.dnsmasq = { + enable = true; + settings = { + server = [ "1.1.1.1" "8.8.8.8" "8.8.4.4" ]; + listen-address = "127.0.0.1"; + addn-hosts = extraHosts; + }; + }; + + systemd.services.create-extra-hosts = { + description = "Make extraHosts"; + + wantedBy = [ "dnsmasq.service" ]; + before = [ "dnsmasq.service" ]; + + script = '' + touch ${extraHosts} + chmod 664 ${extraHosts} + chown dnsmasq:dnsmasq-extra-hosts ${extraHosts} + ''; + + serviceConfig.Type = "oneshot"; + }; + + users = { + users.dnsmasq.extraGroups = [ "dnsmasq-extra-hosts" ]; + groups.dnsmasq-extra-hosts = { }; + }; */ i18n.inputMethod = { diff --git a/nix/nixos-modules/roles/piwigo/default.nix b/nix/nixos-modules/roles/piwigo/default.nix index 279a4a56..ff33292e 100644 --- a/nix/nixos-modules/roles/piwigo/default.nix +++ b/nix/nixos-modules/roles/piwigo/default.nix 
@@ -8,7 +8,8 @@ let
 };
 webroot = "/var/www/photos";
-in {
+in
+{
 systemd.services.piwigo-config = {
 description = "Copy Piwigo source code to directory";
 after = [ "network-online.target" ];
@@ -52,11 +53,15 @@ in {
 ensureUsers = [
 {
 name = "piwigo";
- ensurePermissions = { "piwigo.*" = "ALL PRIVILEGES"; };
+ ensurePermissions = {
+ "piwigo.*" = "ALL PRIVILEGES";
+ };
 }
 {
 name = "backup";
- ensurePermissions = { "*.*" = "SELECT, LOCK TABLES"; };
+ ensurePermissions = {
+ "*.*" = "SELECT, LOCK TABLES";
+ };
 }
 ];
 };
diff --git a/nix/nixos-modules/roles/server.nix b/nix/nixos-modules/roles/server.nix
index 8d5f37fd..fa2c7717 100644
--- a/nix/nixos-modules/roles/server.nix
+++ b/nix/nixos-modules/roles/server.nix
@@ -1,7 +1,15 @@
 # Some headless server that likely runs 24/7
-{ config, lib, pkgs, ... }:
-let inputs = config.astral.inputs;
-in with lib; {
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ inputs = config.astral.inputs;
+in
+with lib;
+{
 # Auto-optimize/GC store on a much more frequent basis than the PC's.
 nix.gc = lib.mkForce {
 automatic = true;
diff --git a/nix/nixos-modules/roles/sso-provider/default.nix b/nix/nixos-modules/roles/sso-provider/default.nix
index 064baf9d..6510bfac 100644
--- a/nix/nixos-modules/roles/sso-provider/default.nix
+++ b/nix/nixos-modules/roles/sso-provider/default.nix
@@ -1,7 +1,14 @@
-{ pkgs, lib, config, ... }:
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}:
 with lib;
-let kcfg = config.services.keycloak;
-in {
+let
+ kcfg = config.services.keycloak;
+in
+{
 services.keycloak = {
 enable = true;
 settings = {
diff --git a/nix/nixos-modules/roles/vault/default.nix b/nix/nixos-modules/roles/vault/default.nix
index 76d7eb50..48cfc085 100644
--- a/nix/nixos-modules/roles/vault/default.nix
+++ b/nix/nixos-modules/roles/vault/default.nix
@@ -1,9 +1,15 @@
-{ pkgs, lib, config, ... }:
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}:
 with lib;
 let
 cfg = config.astral.roles.vault;
 vcfg = config.services.vault;
-in {
+in
+{
 services.vault = {
 enable = true;
 storageBackend = "file";
@@ -14,7 +20,9 @@ in {
 enableACME = true;
 forceSSL = true;
- locations."/" = { proxyPass = "http://${vcfg.address}"; };
+ locations."/" = {
+ proxyPass = "http://${vcfg.address}";
+ };
 };
 # Expose a CLI for interacting with Vault (convenience)
@@ -32,7 +40,11 @@ in {
 # We'll keep more frequent snapshots, but with less overall
 # retention time, for Security Reasons.
- pruneOpts = [ "--keep-last 8" "--keep-hourly 48" "--keep-daily 7" ];
+ pruneOpts = [
+ "--keep-last 8"
+ "--keep-hourly 48"
+ "--keep-daily 7"
+ ];
 paths = [ "/var/lib/vault" ];
 repository = "s3:s3.us-west-000.backblazeb2.com/ifd3f-backup/vault";
diff --git a/nix/outputs.nix b/nix/outputs.nix
index 5b0f3dc2..ab6887ea 100644
--- a/nix/outputs.nix
+++ b/nix/outputs.nix
@@ -1,13 +1,20 @@
-{ self, nixpkgs-stable, flake-utils, home-manager-stable, nur, ... }@inputs:
+{
+ self,
+ nixpkgs-stable,
+ flake-utils,
+ home-manager-stable,
+ nur,
+ ...
+}@inputs:
 let
 nixpkgs = nixpkgs-stable;
 home-manager = home-manager-stable;
 lib = nixpkgs.lib;
- vscode-server-home =
- "${inputs.nixos-vscode-server}/modules/vscode-server/home.nix";
+ vscode-server-home = "${inputs.nixos-vscode-server}/modules/vscode-server/home.nix";
-in {
+in
+{
 lib = import ./lib inputs;
 overlays = {
@@ -32,8 +39,7 @@ in {
 #inherit (nixpkgs-lxdvms.legacyPackages.${prev.system}) lxd;
- inherit (self.packages.${prev.system})
- authelia-bin win10hotplug ifd3f-infra-scripts;
+ inherit (self.packages.${prev.system}) authelia-bin win10hotplug ifd3f-infra-scripts;
 # gmic is currently broken, use an older version of darktable
 # https://github.co.O.pkgs/pull/211600
@@ -58,7 +64,10 @@ in {
 "astrid@aliaconda" = home-manager.lib.homeManagerConfiguration {
 pkgs = import nixpkgs { system = "x86_64-linux"; };
- modules = [ self.homeModules.astral-scientific vscode-server-home ];
+ modules = [
+ self.homeModules.astral-scientific
+ vscode-server-home
+ ];
 };
 "astrid@banana" = home-manager.lib.homeManagerConfiguration {
 pkgs = import nixpkgs { system = "x86_64-linux"; };
@@ -70,7 +79,10 @@ in {
 };
 "astrid@Discovery" = home-manager.lib.homeManagerConfiguration {
 pkgs = import nixpkgs { system = "x86_64-linux"; };
- modules = [ self.homeModules.astral-gui vscode-server-home ];
+ modules = [
+ self.homeModules.astral-gui
+ vscode-server-home
+ ];
 };
 "astrid@shai-hulud" = home-manager.lib.homeManagerConfiguration {
 pkgs = import nixpkgs { system = "x86_64-linux"; };
@@ -92,25 +104,32 @@ in {
 } // import ./nixos-modules/roles.nix;
 nixosConfigurations = self.lib.machines.nixosConfigurations;
-} // flake-utils.lib.eachSystem [
- "x86_64-linux"
- "aarch64-linux"
- "x86_64-darwin"
- "aarch64-darwin"
-] (system:
- let
- pkgs = import nixpkgs {
- inherit system;
- overlays = [ self.overlays.default ];
- };
- in rec {
- gh-ci-matrix = pkgs.callPackage ./pkgs/gh-ci-matrix { inherit self; };
- devShells = import ./shells.nix {
- inherit self;
- pkgs = import nixpkgs {
- inherit system;
- config.allowUnfree = true;
- };
- };
- packages = import ./pkgs inputs pkgs;
- })
+}
+//
+ flake-utils.lib.eachSystem
+ [
+ "x86_64-linux"
+ "aarch64-linux"
+ "x86_64-darwin"
+ "aarch64-darwin"
+ ]
+ (
+ system:
+ let
+ pkgs = import nixpkgs {
+ inherit system;
+ overlays = [ self.overlays.default ];
+ };
+ in
+ rec {
+ gh-ci-matrix = pkgs.callPackage ./pkgs/gh-ci-matrix { inherit self; };
+ devShells = import ./shells.nix {
+ inherit self;
+ pkgs = import nixpkgs {
+ inherit system;
+ config.allowUnfree = true;
+ };
+ };
+ packages = import ./pkgs inputs pkgs;
+ }
+ )
diff --git a/nix/pkgs/authelia-bin.nix b/nix/pkgs/authelia-bin.nix
index adfd9b4f..19ad96a2 100644
--- a/nix/pkgs/authelia-bin.nix
+++ b/nix/pkgs/authelia-bin.nix
@@ -1,4 +1,9 @@
-{ stdenvNoCC, glibc, fetchzip, autoPatchelfHook }:
+{
+ stdenvNoCC,
+ glibc,
+ fetchzip,
+ autoPatchelfHook,
+}:
 stdenvNoCC.mkDerivation {
 pname = "authelia-bin";
 version = "4.37.5";
@@ -7,8 +12,7 @@ stdenvNoCC.mkDerivation {
 nativeBuildInputs = [ autoPatchelfHook ];
 src = fetchzip {
- url =
- "https://github.com/authelia/authelia/releases/download/v4.37.5/authelia-v4.37.5-linux-amd64.tar.gz";
+ url = "https://github.com/authelia/authelia/releases/download/v4.37.5/authelia-v4.37.5-linux-amd64.tar.gz";
 sha256 = "sha256-2dkmzfkmM8QmnhrrALYVhRM943k07+ZSzZ8iHLYkhTU=";
 stripRoot = false;
 };
diff --git a/nix/pkgs/build-support/convertImage.nix b/nix/pkgs/build-support/convertImage.nix
index 2fbc33e1..e05c71e5 100644
--- a/nix/pkgs/build-support/convertImage.nix
+++ b/nix/pkgs/build-support/convertImage.nix
@@ -1,9 +1,22 @@
 # Converts image formats using qemu.
-{ stdenv, pkgs, qemu, ... }:
-{ name, src, inFmt, outFmt ? "qcow2" }:
+{
+ stdenv,
+ pkgs,
+ qemu,
+ ...
+}:
+{
+ name,
+ src,
+ inFmt,
+ outFmt ? "qcow2",
+}:
 stdenv.mkDerivation {
 inherit name src;
- phases = [ "buildPhase" "installPhase" ];
+ phases = [
+ "buildPhase"
+ "installPhase"
+ ];
 buildInputs = [ qemu ];
 buildPhase = ''
@@ -14,4 +27,3 @@ stdenv.mkDerivation {
 qemu-img convert -f '${inFmt}' -O ${outFmt} $src $out
 '';
 }
-
diff --git a/nix/pkgs/build-support/default.nix b/nix/pkgs/build-support/default.nix
index dcc4d97a..4f4f9744 100644
--- a/nix/pkgs/build-support/default.nix
+++ b/nix/pkgs/build-support/default.nix
@@ -1,4 +1,5 @@
-{ pkgs, nixos-generators }: {
+{ pkgs, nixos-generators }:
+{
 convertImage = import ./convertImage.nix pkgs;
 lxdUtils = import ./lxdUtils.nix { inherit nixos-generators pkgs; };
 }
diff --git a/nix/pkgs/build-support/lxdUtils.nix b/nix/pkgs/build-support/lxdUtils.nix
index e25c654b..bd4dd9b8 100644
--- a/nix/pkgs/build-support/lxdUtils.nix
+++ b/nix/pkgs/build-support/lxdUtils.nix
@@ -1,12 +1,17 @@
 { nixos-generators, pkgs }:
-with pkgs; rec {
- writeVMMetaTar = { basename, metadata }:
+with pkgs;
+rec {
+ writeVMMetaTar =
+ { basename, metadata }:
 stdenvNoCC.mkDerivation {
 name = "${basename}.tar.xz";
 src = writeText "metadata.json" (builtins.toJSON metadata);
 buildInputs = [ yq ];
- phases = [ "buildPhase" "installPhase" ];
+ phases = [
+ "buildPhase"
+ "installPhase"
+ ];
 buildPhase = ''
 cd $TMPDIR
@@ -19,18 +24,31 @@ with pkgs; rec {
 '';
 };
- writeVMUploader = { name, disk, metadata, alias ? null }:
+ writeVMUploader =
+ {
+ name,
+ disk,
+ metadata,
+ alias ? null,
+ }:
 let
 meta = writeVMMetaTar {
 inherit metadata;
 basename = name;
 };
 aliasFlag = if alias == null then "" else "--alias=${alias}";
- in writeScript "upload-${name}-to-lxd" ''
+ in
+ writeScript "upload-${name}-to-lxd" ''
 lxc image import ${meta} ${disk} ${aliasFlag} $@
 '';
- writeNixOSUploader = { pkgs, name, modules, alias ? null }:
+ writeNixOSUploader =
+ {
+ pkgs,
+ name,
+ modules,
+ alias ? null,
+ }:
 let
 meta = nixos-generators.nixosGenerate {
 inherit pkgs modules;
@@ -41,8 +59,8 @@ with pkgs; rec {
 format = "lxc";
 };
 aliasFlag = if alias == null then "" else "--alias=${alias}";
- in writeScript "upload-${name}-to-lxd" ''
+ in
+ writeScript "upload-${name}-to-lxd" ''
 lxc image import ${meta}/tarball/nixos-system-x86_64-linux.tar.xz ${rootfs}/tarball/nixos-system-x86_64-linux.tar.xz ${aliasFlag} $@
 '';
 }
-
diff --git a/nix/pkgs/ci-import-and-tag-docker/default.nix b/nix/pkgs/ci-import-and-tag-docker/default.nix
index 2582595c..3c020ef0 100755
--- a/nix/pkgs/ci-import-and-tag-docker/default.nix
+++ b/nix/pkgs/ci-import-and-tag-docker/default.nix
@@ -1,3 +1,4 @@
 { writeScriptBin }:
 let
-in writeScriptBin "ci-import-and-tag-docker" (builtins.readFile ./script.sh)
+in
+writeScriptBin "ci-import-and-tag-docker" (builtins.readFile ./script.sh)
diff --git a/nix/pkgs/default.nix b/nix/pkgs/default.nix
index 430cf695..a13380ac 100644
--- a/nix/pkgs/default.nix
+++ b/nix/pkgs/default.nix
@@ -1,27 +1,35 @@
-{ self, nixos-generators, nixpkgs-stable, ... }:
+{
+ self,
+ nixos-generators,
+ nixpkgs-stable,
+ ...
+}:
 pkgs:
 let
 nixpkgs = nixpkgs-stable;
 flakeTime = self.sourceInfo.lastModified;
 vendored-images = import ./images/vendored { inherit pkgs; };
 build-support = import ./build-support { inherit nixos-generators pkgs; };
-in vendored-images // rec {
+in
+vendored-images
+// rec {
 authelia-bin = pkgs.callPackage ./authelia-bin.nix { };
 update-ci-workflow = pkgs.callPackage ./update-ci-workflow { inherit self; };
 scan-ci-host-keys = pkgs.callPackage ./scan-ci-host-keys { inherit self; };
 ci-import-and-tag-docker = pkgs.callPackage ./ci-import-and-tag-docker { };
- installer-system =
- pkgs.callPackage ./images/installer-system { inherit self nixpkgs; };
+ installer-system = pkgs.callPackage ./images/installer-system { inherit self nixpkgs; };
 installer-iso = installer-system.isoImage;
 ifd3f-infra-scripts = pkgs.callPackage ./../../scripts { };
- internal-libvirt-images = pkgs.linkFarm "internal-libvirt-images" [{
- name = "centos-8.qcow2";
- path = vendored-images.vendored-centos-8-cloud;
- }];
+ internal-libvirt-images = pkgs.linkFarm "internal-libvirt-images" [
+ {
+ name = "centos-8.qcow2";
+ path = vendored-images.vendored-centos-8-cloud;
+ }
+ ];
 win10hotplug = pkgs.callPackage ./win10hotplug { };
@@ -30,12 +38,14 @@ in vendored-images // rec {
 ln -s ${./surface-screen-rotate.py} $out/bin/surface-screen-rotate
 '';
- vault-push-approles = with pkgs;
+ vault-push-approles =
+ with pkgs;
 writeScriptBin "vault-push-approles" ''
 ${pkgs.vault-push-approles self}/bin/vault-push-approles
 '';
- vault-push-approle-envs = with pkgs;
+ vault-push-approle-envs =
+ with pkgs;
 let
 p = pkgs.vault-push-approle-envs self {
 hostNameOverrides = {
@@ -44,7 +54,8 @@ in vendored-images // rec {
 "gfdesk" = "192.168.1.122";
 };
 };
- in writeScriptBin "vault-push-approle-envs" ''
+ in
+ writeScriptBin "vault-push-approle-envs" ''
 ${p}/bin/vault-push-approle-envs
 '';
@@ -54,4 +65,3 @@ in vendored-images // rec {
 vm-spawn = pkgs.callPackage ./vm-spawn.nix { };
 }
-
diff --git a/nix/pkgs/images/installer-system/configuration.nix b/nix/pkgs/images/installer-system/configuration.nix
index 4fdcf9dd..a6c9f78e 100644
--- a/nix/pkgs/images/installer-system/configuration.nix
+++ b/nix/pkgs/images/installer-system/configuration.nix
@@ -3,8 +3,14 @@
 # You can drop in a /wpa_supplicant.conf to connect to wifi headlessly!
 self:
-{ lib, pkgs, modulesPath, ... }:
-with lib; {
+{
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
+with lib;
+{
 imports = [ self.nixosModules.astral ];
 users.mutableUsers = false;
diff --git a/nix/pkgs/images/installer-system/default.nix b/nix/pkgs/images/installer-system/default.nix
index 6de29c78..c729246f 100644
--- a/nix/pkgs/images/installer-system/default.nix
+++ b/nix/pkgs/images/installer-system/default.nix
@@ -1,27 +1,40 @@
-{ self, nixpkgs, system ? "x86_64-linux" }: {
- isoImage = (nixpkgs.lib.nixosSystem {
- inherit system;
- modules = [
- (import ./configuration.nix self)
+{
+ self,
+ nixpkgs,
+ system ? "x86_64-linux",
+}:
+{
+ isoImage =
+ (nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [
+ (import ./configuration.nix self)
- ({ modulesPath, ... }: {
- imports = [
- # https://nixos.wiki/wiki/Creating_a_NixOS_live_CD
- "${modulesPath}/installer/cd-dvd/installation-cd-minimal.nix"
- "${modulesPath}/installer/cd-dvd/channel.nix"
- ];
- })
- ];
- }).config.system.build.isoImage;
+ (
+ { modulesPath, ... }:
+ {
+ imports = [
+ # https://nixos.wiki/wiki/Creating_a_NixOS_live_CD
+ "${modulesPath}/installer/cd-dvd/installation-cd-minimal.nix"
+ "${modulesPath}/installer/cd-dvd/channel.nix"
+ ];
+ }
+ )
+ ];
+ }).config.system.build.isoImage;
- netbootRamdisk = (nixpkgs.lib.nixosSystem {
- inherit system;
- modules = [
- (import ./configuration.nix self)
+ netbootRamdisk =
+ (nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [
+ (import ./configuration.nix self)
- ({ modulesPath, ... }: {
- imports = [ "${modulesPath}/installer/netboot/netboot-minimal.nix" ];
- })
- ];
- }).config.system.build.netbootRamdisk;
+ (
+ { modulesPath, ... }:
+ {
+ imports = [ "${modulesPath}/installer/netboot/netboot-minimal.nix" ];
+ }
+ )
+ ];
+ }).config.system.build.netbootRamdisk;
 }
diff --git a/nix/pkgs/images/vendored/default.nix b/nix/pkgs/images/vendored/default.nix
index d2c09fd9..1a4378f0 100644
--- a/nix/pkgs/images/vendored/default.nix
+++ b/nix/pkgs/images/vendored/default.nix
@@ -1,15 +1,13 @@
 # VM images from external sources
-{ pkgs }: {
+{ pkgs }:
+{
 vendored-centos-8-cloud = pkgs.fetchurl {
- url =
- "https://dl.rockylinux.org/pub/rocky/8.5/images/Rocky-8-GenericCloud-8.5-20211114.2.x86_64.qcow2";
+ url = "https://dl.rockylinux.org/pub/rocky/8.5/images/Rocky-8-GenericCloud-8.5-20211114.2.x86_64.qcow2";
 sha256 = "c23f58f26f73fb9ae92bfb4cf881993c23fdce1bbcfd2881a5831f90373ce0c8";
 };
 vendored-talos-os = pkgs.fetchurl {
- url =
- "https://github.com/siderolabs/talos/releases/download/v1.0.0/talos-amd64.iso";
+ url = "https://github.com/siderolabs/talos/releases/download/v1.0.0/talos-amd64.iso";
 sha256 = "sha256-UiyVJzhceKDtpebSoLVdr9tbh6OAxuG8QsBIDjJE8qg=";
 };
 }
-
diff --git a/nix/pkgs/scan-ci-host-keys/default.nix b/nix/pkgs/scan-ci-host-keys/default.nix
index 6e41d491..49c2896f 100644
--- a/nix/pkgs/scan-ci-host-keys/default.nix
+++ b/nix/pkgs/scan-ci-host-keys/default.nix
@@ -1,17 +1,30 @@
 # This file generates a Github Actions runner from ci.nix.
-{ self, lib, git, openssh, writeShellApplication }:
+{
+ self,
+ lib,
+ git,
+ openssh,
+ writeShellApplication,
+}:
 with builtins;
 with lib;
 let
- commands = map (sshTarget:
+ commands = map (
+ sshTarget:
 let
 components = splitString "@" sshTarget;
 host = if length components == 2 then elemAt components 1 else sshTarget;
- in "ssh-keyscan ${host}") self.lib.ci.ssh-deploy-targets;
+ in
+ "ssh-keyscan ${host}"
+ ) self.lib.ci.ssh-deploy-targets;
-in writeShellApplication {
+in
+writeShellApplication {
 name = "scan-hostkeys";
- runtimeInputs = [ git openssh ];
+ runtimeInputs = [
+ git
+ openssh
+ ];
 text = ''
 set -euxo pipefail
diff --git a/nix/pkgs/update-ci-workflow/default.nix b/nix/pkgs/update-ci-workflow/default.nix
index 968706d3..508631a8 100644
--- a/nix/pkgs/update-ci-workflow/default.nix
+++ b/nix/pkgs/update-ci-workflow/default.nix
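Review bot: The `"ssh-keyscan ${host}"` commands built in `commands` accept whatever key each deploy target presents at scan time, and nothing in the hunk records that the result must be cross-checked against fingerprints obtained from the host itself before it is committed as trusted. A comment on the `commands` binding would make that expectation explicit, e.g. `# ssh-keyscan output is trust-on-first-use; compare the fingerprints with the host's own before committing them`. The `host` derivation also silently falls back to the whole target string whenever it does not contain exactly one `@`, which deserves a one-line comment stating the expected `user@host` form. The `writeShellApplication` body continues past the end of the hunk.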
@@ -1,25 +1,36 @@
 # This file generates a Github Actions runner from ci.nix.
-{ self, git, lib, writeText, writeScriptBin, runCommand, yq }:
+{
+ self,
+ git,
+ lib,
+ writeText,
+ writeScriptBin,
+ runCommand,
+ yq,
+}:
 let
- workflowJSON =
- writeText "check-targets.json" (builtins.toJSON (self.lib.ci.workflow));
+ workflowJSON = writeText "check-targets.json" (builtins.toJSON (self.lib.ci.workflow));
- workflowYAML = runCommand "check-targets.yml" {
- buildInputs = [ yq ];
- json = workflowJSON;
- } ''
- (
- echo "# !!!!!!!! AUTO-GENERATED FILE, DO NOT MODIFY !!!!!!!!"
- echo "#"
- echo "# To modify CI behavior, you should edit /nix/ci.nix instead."
- echo "#"
- echo "# This file can be regenerated by the following command:"
- echo "# $ nix run .#update-ci-workflow"
- echo
- yq -y -r --yml-out-ver 1.2 '.' "$json"
- ) > "$out"
- '';
-in writeScriptBin "update-ci-workflow" ''
+ workflowYAML =
+ runCommand "check-targets.yml"
+ {
+ buildInputs = [ yq ];
+ json = workflowJSON;
+ }
+ ''
+ (
+ echo "# !!!!!!!! AUTO-GENERATED FILE, DO NOT MODIFY !!!!!!!!"
+ echo "#"
+ echo "# To modify CI behavior, you should edit /nix/ci.nix instead."
+ echo "#"
+ echo "# This file can be regenerated by the following command:"
+ echo "# $ nix run .#update-ci-workflow"
+ echo
+ yq -y -r --yml-out-ver 1.2 '.' "$json"
+ ) > "$out"
+ '';
+in
+writeScriptBin "update-ci-workflow" ''
 set -euxo pipefail
 root=$(git rev-parse --show-toplevel)
diff --git a/nix/pkgs/vm-spawn.nix b/nix/pkgs/vm-spawn.nix
index bc634fb7..14d60efe 100644
--- a/nix/pkgs/vm-spawn.nix
+++ b/nix/pkgs/vm-spawn.nix
@@ -1,14 +1,17 @@
-{ writeShellApplication, fetchurl, virt-manager,
+{
+ writeShellApplication,
+ fetchurl,
+ virt-manager,
-vyos-iso ? fetchurl {
- url =
- "https://github.com/vyos/vyos-rolling-nightly-builds/releases/download/1.5-rolling-202404090019/vyos-1.5-rolling-202404090019-amd64.iso";
- hash = "sha256-pqjCay7m3bQSLhUBAfCEhuQ0Cef6rcbNLf3PqKUIl3c=";
-}, talos-iso ? fetchurl {
- url =
- "https://github.com/siderolabs/talos/releases/download/v1.6.7/metal-amd64.iso";
- hash = "sha256-Dqw05mI9lpIn36jKkFuAmxnom5qIXSjEqQiQ6F7HC34=";
-} }:
+ vyos-iso ? fetchurl {
+ url = "https://github.com/vyos/vyos-rolling-nightly-builds/releases/download/1.5-rolling-202404090019/vyos-1.5-rolling-202404090019-amd64.iso";
+ hash = "sha256-pqjCay7m3bQSLhUBAfCEhuQ0Cef6rcbNLf3PqKUIl3c=";
+ },
+ talos-iso ? fetchurl {
+ url = "https://github.com/siderolabs/talos/releases/download/v1.6.7/metal-amd64.iso";
+ hash = "sha256-Dqw05mI9lpIn36jKkFuAmxnom5qIXSjEqQiQ6F7HC34=";
+ },
+}:
 {
 charon = writeShellApplication {
 name = "vm-spawn.charon";
diff --git a/nix/shells.nix b/nix/shells.nix
index 2b349f04..732c9760 100644
--- a/nix/shells.nix
+++ b/nix/shells.nix
@@ -1,6 +1,7 @@
 { self, pkgs }:
 let
- packages = with pkgs;
+ packages =
+ with pkgs;
 with self.packages.${system};
 [
 ifd3f-infra-scripts
@@ -33,20 +34,25 @@ let
 whois
 wireguard-tools
 yq
- ] ++ (if pkgs.system != "x86_64-darwin" then [
- openldap
- krb5
- ldapvi
+ ]
+ ++ (
+ if pkgs.system != "x86_64-darwin" then
+ [
+ openldap
+ krb5
+ ldapvi
- cdrkit
- iputils
- qemu
- ] else
- [ ]);
-in {
+ cdrkit
+ iputils
+ qemu
+ ]
+ else
+ [ ]
+ );
+in
+{
 default = pkgs.mkShell {
 nativeBuildInputs = packages;
 VAULT_ADDR = "https://secrets.astrid.tech";
 };
 }
-
diff --git a/shell.nix b/shell.nix
index fa2a56c7..493783d0 100644
--- a/shell.nix
+++ b/shell.nix
@@ -1,6 +1,9 @@
-(import (let lock = builtins.fromJSON (builtins.readFile ./flake.lock);
-in fetchTarball {
- url =
- "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
- sha256 = lock.nodes.flake-compat.locked.narHash;
-}) { src = ./.; }).shellNix
+(import (
+ let
+ lock = builtins.fromJSON (builtins.readFile ./flake.lock);
+ in
+ fetchTarball {
+ url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
+ sha256 = lock.nodes.flake-compat.locked.narHash;
+ }
+) { src = ./.; }).shellNix
diff --git a/ssh_keys/default.nix b/ssh_keys/default.nix
index 5b7c9af3..28b07824 100644
--- a/ssh_keys/default.nix
+++ b/ssh_keys/default.nix
@@ -1,14 +1,21 @@
 with builtins;
 let
- keysInDir = dirPath:
- concatLists (attrValues (mapAttrs (file: _:
- if match ".*\\.pub" file == null then
- [ ]
- else
- [ (replaceStrings [ "\n" ] [ "" ] (readFile "${dirPath}/${file}")) ])
- (readDir dirPath)));
+ keysInDir =
+ dirPath:
+ concatLists (
+ attrValues (
+ mapAttrs (
+ file: _:
+ if match ".*\\.pub" file == null then
+ [ ]
+ else
+ [ (replaceStrings [ "\n" ] [ "" ] (readFile "${dirPath}/${file}")) ]
+ ) (readDir dirPath)
+ )
+ );
-in {
+in
+{
 users = {
 alia = keysInDir ./users/alia;
 astrid = keysInDir ./users/astrid;
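Review bot: `replaceStrings [ "\n" ] [ "" ]` in `keysInDir` strips every newline from a `.pub` file rather than only the trailing one, so a file that ever holds two keys, or a key followed by a comment line, is joined into a single malformed entry that would be installed as one key string. If one key per file is the intended invariant, a comment on the `else` branch should say so, e.g. `# one key per .pub file: every newline is removed, so a multi-line file becomes one malformed entry`. The `users` attribute set continues past the end of the hunk.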