diff --git a/configuration/default.nix b/configuration/default.nix index 792a4c9..333488b 100644 --- a/configuration/default.nix +++ b/configuration/default.nix @@ -1,10 +1,12 @@ -{ config -, pkgs -, lib -, modulesPath -, flake-inputs -, ... -}: { +{ + config, + pkgs, + lib, + modulesPath, + flake-inputs, + ... +}: +{ imports = [ flake-inputs.disko.nixosModules.disko flake-inputs.sops-nix.nixosModules.sops @@ -51,7 +53,10 @@ # Optimization for minecraft servers, see: # https://bugs.mojang.com/browse/MC-183518 - boot.kernelParams = [ "highres=off" "nohz=off" ]; + boot.kernelParams = [ + "highres=off" + "nohz=off" + ]; networking = { usePredictableInterfaceNames = false; diff --git a/configuration/hardware-specific/hetzner/default.nix b/configuration/hardware-specific/hetzner/default.nix index 3106f19..6795377 100644 --- a/configuration/hardware-specific/hetzner/default.nix +++ b/configuration/hardware-specific/hetzner/default.nix @@ -25,9 +25,7 @@ }; } # IPv6 - { - addressConfig.Address = "2a01:4f8:10b:3c85::2/64"; - } + { addressConfig.Address = "2a01:4f8:10b:3c85::2/64"; } ]; networkConfig = { diff --git a/configuration/hardware-specific/hetzner/disko.nix b/configuration/hardware-specific/hetzner/disko.nix index a2ea764..cc15471 100644 --- a/configuration/hardware-specific/hetzner/disko.nix +++ b/configuration/hardware-specific/hetzner/disko.nix @@ -19,7 +19,10 @@ }; }; - mountOptions = [ "compress=zstd" "noatime" ]; + mountOptions = [ + "compress=zstd" + "noatime" + ]; in { sda = { @@ -54,7 +57,15 @@ type = "btrfs"; # Hack to get multi-device btrfs going # See https://github.com/nix-community/disko/issues/99 - extraArgs = [ "-d" "raid1" "-m" "raid1" "--runtime-features" "quota" "/dev/sda3" ]; + extraArgs = [ + "-d" + "raid1" + "-m" + "raid1" + "--runtime-features" + "quota" + "/dev/sda3" + ]; subvolumes = { "/volume" = { }; "/volume/root" = { diff --git a/configuration/hardware-specific/vm.nix b/configuration/hardware-specific/vm.nix index 86fcaed..1783956 100644 
--- a/configuration/hardware-specific/vm.nix +++ b/configuration/hardware-specific/vm.nix @@ -1,4 +1,5 @@ -{ lib, ... }: { +{ lib, ... }: +{ users.users.tlater.password = "insecure"; # Disable graphical tty so -curses works diff --git a/configuration/nginx.nix b/configuration/nginx.nix index d696bba..b38118b 100644 --- a/configuration/nginx.nix +++ b/configuration/nginx.nix @@ -1,7 +1,5 @@ -{ config -, lib -, ... -}: { +{ config, lib, ... }: +{ services.nginx = { enable = true; recommendedTlsSettings = true; @@ -26,26 +24,23 @@ # Override the default, just keep fewer logs nginx.rotate = 6; } - // lib.mapAttrs' - (virtualHost: _: - lib.nameValuePair "/var/log/nginx/${virtualHost}/access.log" { - frequency = "daily"; - rotate = 2; - compress = true; - delaycompress = true; - su = "${config.services.nginx.user} ${config.services.nginx.group}"; - postrotate = "[ ! -f /var/run/nginx/nginx.pid ] || kill -USR1 `cat /var/run/nginx/nginx.pid`"; - }) - config.services.nginx.virtualHosts; + // lib.mapAttrs' ( + virtualHost: _: + lib.nameValuePair "/var/log/nginx/${virtualHost}/access.log" { + frequency = "daily"; + rotate = 2; + compress = true; + delaycompress = true; + su = "${config.services.nginx.user} ${config.services.nginx.group}"; + postrotate = "[ ! -f /var/run/nginx/nginx.pid ] || kill -USR1 `cat /var/run/nginx/nginx.pid`"; + } + ) config.services.nginx.virtualHosts; - systemd.tmpfiles.rules = - lib.mapAttrsToList - ( - virtualHost: _: - # - "d /var/log/nginx/${virtualHost} 0750 ${config.services.nginx.user} ${config.services.nginx.group}" - ) - config.services.nginx.virtualHosts; + systemd.tmpfiles.rules = lib.mapAttrsToList ( + virtualHost: _: + # + "d /var/log/nginx/${virtualHost} 0750 ${config.services.nginx.user} ${config.services.nginx.group}" + ) config.services.nginx.virtualHosts; security.acme = { defaults.email = "tm@tlater.net"; 
@@ -61,8 +56,8 @@ services.backups.acme = { user = "acme"; - paths = - lib.mapAttrsToList (virtualHost: _: "/var/lib/acme/${virtualHost}") - config.services.nginx.virtualHosts; + paths = lib.mapAttrsToList ( + virtualHost: _: "/var/lib/acme/${virtualHost}" + ) config.services.nginx.virtualHosts; }; } diff --git a/configuration/services/afvalcalendar.nix b/configuration/services/afvalcalendar.nix index 28e3a75..ec7d9f7 100644 --- a/configuration/services/afvalcalendar.nix +++ b/configuration/services/afvalcalendar.nix @@ -1,7 +1,5 @@ -{ pkgs -, config -, ... -}: { +{ pkgs, config, ... }: +{ systemd.services.afvalcalendar = { description = "Enschede afvalcalendar -> ical converter"; wantedBy = [ "multi-user.target" ]; @@ -25,16 +23,23 @@ ProtectKernelModules = true; ProtectKernelLogs = true; ProtectControlGroups = true; - RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; + RestrictAddressFamilies = [ + "AF_UNIX" + "AF_INET" + "AF_INET6" + ]; RestrictNamespaces = true; LockPersonality = true; MemoryDenyWriteExecute = true; RestrictRealtime = true; RestrictSUIDSGID = true; SystemCallArchitectures = "native"; - SystemCallFilter = [ "@system-service" "~@privileged @resources @setuid @keyring" ]; + SystemCallFilter = [ + "@system-service" + "~@privileged @resources @setuid @keyring" + ]; - Umask = 0002; + Umask = 2; SupplementaryGroups = "afvalcalendar-hosting"; ReadWritePaths = "/srv/afvalcalendar"; diff --git a/configuration/services/backups.nix b/configuration/services/backups.nix index 7c77399..81e3554 100644 --- a/configuration/services/backups.nix +++ b/configuration/services/backups.nix 
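Review bot: `Umask = 2;` in the afvalcalendar serviceConfig is not the systemd directive, which is spelled `UMask=`; unit-file keys are matched case-sensitively, so as far as I can tell systemd logs this as an unknown key and the service keeps the default 0022 umask, which defeats the group-writable intent behind `SupplementaryGroups = "afvalcalendar-hosting"` and `ReadWritePaths`. The formatter also turned the octal-looking `0002` into `2` (Nix reads `0002` as the integer 2), which still means 0002 once systemd parses the rendered value as octal, but now reads like a decimal. The string form already used in metrics/options.nix sidesteps both problems: `UMask = "0002";`. The enclosing serviceConfig block starts and ends outside this hunk, so the line should be checked against a `systemctl show afvalcalendar -p UMask` after the change.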
@@ -1,29 +1,35 @@ -{ config -, pkgs -, lib -, ... +{ + config, + pkgs, + lib, + ... }: let inherit (lib) types optional singleton; - mkShutdownScript = service: + mkShutdownScript = + service: pkgs.writeShellScript "backup-${service}-shutdown" '' if systemctl is-active --quiet '${service}'; then touch '/tmp/${service}-was-active' systemctl stop '${service}' fi ''; - mkRestartScript = service: + mkRestartScript = + service: pkgs.writeShellScript "backup-${service}-restart" '' if [ -f '/tmp/${service}-was-active' ]; then rm '/tmp/${service}-was-active' systemctl start '${service}' fi ''; - writeScript = name: packages: text: - lib.getExe (pkgs.writeShellApplication { - inherit name text; - runtimeInputs = packages; - }); + writeScript = + name: packages: text: + lib.getExe ( + pkgs.writeShellApplication { + inherit name text; + runtimeInputs = packages; + } + ); # *NOT* a TOML file, for some reason quotes are interpreted # *literally 
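Review bot: The sentinel `/tmp/${service}-was-active` that mkShutdownScript creates and mkRestartScript consumes is written by root into the shared, world-writable /tmp under a predictable name; these scripts are invoked with the `+` prefix (visible in the later ExecStartPre/ExecStopPost hunk), which bypasses the unit's `PrivateTmp`, so this really is the host /tmp. Any local user can pre-create that file and make ExecStopPost start a service that was deliberately stopped, and root doing `touch`/`rm` on attacker-choosable names in /tmp is the classic tmp-race shape even though `protected_symlinks` blunts the symlink variant. The unit already declares `RuntimeDirectory`, so the sentinel could live there instead: `touch "$RUNTIME_DIRECTORY/${service}-was-active"` in mkShutdownScript and the matching path in mkRestartScript. I believe `$RUNTIME_DIRECTORY` is still exported to `+`-prefixed commands and the directory survives until ExecStopPost has run, but that is worth confirming on a test run before relying on it.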
@@ -49,85 +55,87 @@ in description = lib.mdDoc '' Configure restic backups with a specific tag. ''; - type = types.attrsOf (types.submodule ({ config - , name - , ... - }: { - options = { - user = lib.mkOption { - type = types.str; - description = '' - The user as which to run the backup. - ''; - }; - paths = lib.mkOption { - type = types.listOf types.str; - description = '' - The paths to back up. - ''; - }; - tag = lib.mkOption { - type = types.str; - description = '' - The restic tag to mark the backup with. - ''; - default = name; - }; - preparation = { - packages = lib.mkOption { - type = types.listOf types.package; - default = [ ]; - description = '' - The list of packages to make available in the - preparation script. - ''; - }; - text = lib.mkOption { - type = types.nullOr types.str; - default = null; - description = '' - The preparation script to run before the backup. + type = types.attrsOf ( + types.submodule ( + { config, name, ... }: + { + options = { + user = lib.mkOption { + type = types.str; + description = '' + The user as which to run the backup. + ''; + }; + paths = lib.mkOption { + type = types.listOf types.str; + description = '' + The paths to back up. + ''; + }; + tag = lib.mkOption { + type = types.str; + description = '' + The restic tag to mark the backup with. + ''; + default = name; + }; + preparation = { + packages = lib.mkOption { + type = types.listOf types.package; + default = [ ]; + description = '' + The list of packages to make available in the + preparation script. + ''; + }; + text = lib.mkOption { + type = types.nullOr types.str; + default = null; + description = '' + The preparation script to run before the backup. - This should include things like database dumps and - enabling maintenance modes. If a service needs to be - shut down for backups, use `pauseServices` instead. 
- ''; - }; - }; - cleanup = { - packages = lib.mkOption { - type = types.listOf types.package; - default = [ ]; - description = '' - The list of packages to make available in the - cleanup script. - ''; - }; - text = lib.mkOption { - type = types.nullOr types.str; - default = null; - description = '' - The cleanup script to run after the backup. + This should include things like database dumps and + enabling maintenance modes. If a service needs to be + shut down for backups, use `pauseServices` instead. + ''; + }; + }; + cleanup = { + packages = lib.mkOption { + type = types.listOf types.package; + default = [ ]; + description = '' + The list of packages to make available in the + cleanup script. + ''; + }; + text = lib.mkOption { + type = types.nullOr types.str; + default = null; + description = '' + The cleanup script to run after the backup. - This should do things like cleaning up database dumps - and disabling maintenance modes. - ''; - }; - }; - pauseServices = lib.mkOption { - type = types.listOf types.str; - default = [ ]; - description = '' - The systemd services that need to be shut down before - the backup can run. Services will be restarted after the - backup is complete. + This should do things like cleaning up database dumps + and disabling maintenance modes. + ''; + }; + }; + pauseServices = lib.mkOption { + type = types.listOf types.str; + default = [ ]; + description = '' + The systemd services that need to be shut down before + the backup can run. Services will be restarted after the + backup is complete. - This is intended to be used for services that do not - support hot backups. - ''; - }; - }; - })); + This is intended to be used for services that do not + support hot backups. + ''; + }; + }; + } + ) + ); }; }; 
@@ -164,58 +172,68 @@ in }; }; } - // lib.mapAttrs' - (name: backup: - lib.nameValuePair "backup-${name}" { - # Don't want to restart mid-backup - restartIfChanged = false; + // lib.mapAttrs' ( + name: backup: + lib.nameValuePair "backup-${name}" { + # Don't want to restart mid-backup + restartIfChanged = false; - environment = - resticEnv - // { - RESTIC_CACHE_DIR = "%C/backup-${name}"; - }; + environment = resticEnv // { + RESTIC_CACHE_DIR = "%C/backup-${name}"; + }; - path = with pkgs; [ - coreutils - openssh - rclone - restic + path = with pkgs; [ + coreutils + openssh + rclone + restic + ]; + + # TODO(tlater): If I ever add more than one repo, service + # shutdown/restarting will potentially break if multiple + # backups for the same service overlap. A more clever + # sentinel file with reference counts would probably solve + # this. + serviceConfig = { + User = backup.user; + Group = "backup"; + RuntimeDirectory = "backup-${name}"; + CacheDirectory = "backup-${name}"; + CacheDirectoryMode = "0700"; + PrivateTmp = true; + + ExecStart = [ + (lib.concatStringsSep " " ( + [ + "${pkgs.restic}/bin/restic" + "backup" + "--tag" + name + ] + ++ backup.paths + )) ]; - # TODO(tlater): If I ever add more than one repo, service - # shutdown/restarting will potentially break if multiple - # backups for the same service overlap. A more clever - # sentinel file with reference counts would probably solve - # this. 
- serviceConfig = { - User = backup.user; - Group = "backup"; - RuntimeDirectory = "backup-${name}"; - CacheDirectory = "backup-${name}"; - CacheDirectoryMode = "0700"; - PrivateTmp = true; - - ExecStart = [ - (lib.concatStringsSep " " ([ "${pkgs.restic}/bin/restic" "backup" "--tag" name ] ++ backup.paths)) - ]; - - ExecStartPre = - map (service: "+${mkShutdownScript service}") backup.pauseServices - ++ singleton (writeScript "backup-${name}-repo-init" [ ] '' + ExecStartPre = + map (service: "+${mkShutdownScript service}") backup.pauseServices + ++ singleton ( + writeScript "backup-${name}-repo-init" [ ] '' restic snapshots || restic init - '') - ++ optional (backup.preparation.text != null) - (writeScript "backup-${name}-prepare" backup.preparation.packages backup.preparation.text); + '' + ) + ++ optional (backup.preparation.text != null) ( + writeScript "backup-${name}-prepare" backup.preparation.packages backup.preparation.text + ); - # TODO(tlater): Add repo pruning/checking - ExecStopPost = - map (service: "+${mkRestartScript service}") backup.pauseServices - ++ optional (backup.cleanup.text != null) - (writeScript "backup-${name}-cleanup" backup.cleanup.packages backup.cleanup.text); - }; - }) - config.services.backups; + # TODO(tlater): Add repo pruning/checking + ExecStopPost = + map (service: "+${mkRestartScript service}") backup.pauseServices + ++ optional (backup.cleanup.text != null) ( + writeScript "backup-${name}-cleanup" backup.cleanup.packages backup.cleanup.text + ); + }; + } + ) config.services.backups; systemd.timers = { 
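Review bot: `ExecStart` joins `backup.paths` with a plain `lib.concatStringsSep " "`, so systemd's word splitting will break any path containing whitespace, quotes, `$` or `%`, and nothing is escaped on the way in; today's callers pass simple `/var/lib/...` paths (conduit, starbound, foundryvtt), but `paths` is a public option of this module. NixOS modules conventionally build exec lines with `utils.escapeSystemdExecArgs`, which would need `utils` added to the module's argument set: `ExecStart = [ (utils.escapeSystemdExecArgs ([ "${pkgs.restic}/bin/restic" "backup" "--tag" name ] ++ backup.paths)) ];`. The `systemd.services` attrset that this `lib.mapAttrs'` is merged into begins outside the hunk.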
@@ -227,18 +245,18 @@ in # of the backup jobs. }; } - // lib.mapAttrs' - (name: backup: - lib.nameValuePair "backup-${name}" { - wantedBy = [ "timers.target" ]; - timerConfig = { - OnCalendar = "Wednesday 02:30:00 UTC"; - RandomizedDelaySec = "1h"; - FixedRandomDelay = true; - Persistent = true; - }; - }) - config.services.backups; + // lib.mapAttrs' ( + name: backup: + lib.nameValuePair "backup-${name}" { + wantedBy = [ "timers.target" ]; + timerConfig = { + OnCalendar = "Wednesday 02:30:00 UTC"; + RandomizedDelaySec = "1h"; + FixedRandomDelay = true; + Persistent = true; + }; + } + ) config.services.backups; users = { # This user is only used to own the ssh key, because apparently diff --git a/configuration/services/battery-manager.nix b/configuration/services/battery-manager.nix index 7783a3b..a16cca1 100644 --- a/configuration/services/battery-manager.nix +++ b/configuration/services/battery-manager.nix @@ -1,10 +1,6 @@ -{ config -, flake-inputs -, ... -}: { - imports = [ - flake-inputs.sonnenshift.nixosModules.default - ]; +{ config, flake-inputs, ... }: +{ + imports = [ flake-inputs.sonnenshift.nixosModules.default ]; services.batteryManager = { enable = true; diff --git a/configuration/services/conduit.nix b/configuration/services/conduit.nix index 8734785..4e53241 100644 --- a/configuration/services/conduit.nix +++ b/configuration/services/conduit.nix @@ -1,7 +1,8 @@ -{ pkgs -, config -, lib -, ... +{ + pkgs, + config, + lib, + ... }: let inherit (lib.strings) concatMapStringsSep; 
@@ -42,28 +43,30 @@ in systemd.services.heisenbridge = let replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret"; - registrationFile = builtins.toFile "heisenbridge-registration.yaml" (builtins.toJSON { - id = "heisenbridge"; - url = "http://127.0.0.1:9898"; - as_token = "@AS_TOKEN@"; - hs_token = "@HS_TOKEN@"; - rate_limited = false; - sender_localpart = "heisenbridge"; - namespaces = { - users = [ - { - regex = "@irc_.*"; - exclusive = true; - } - { - regex = "@heisenbridge:.*"; - exclusive = true; - } - ]; - aliases = [ ]; - rooms = [ ]; - }; - }); + registrationFile = builtins.toFile "heisenbridge-registration.yaml" ( + builtins.toJSON { + id = "heisenbridge"; + url = "http://127.0.0.1:9898"; + as_token = "@AS_TOKEN@"; + hs_token = "@HS_TOKEN@"; + rate_limited = false; + sender_localpart = "heisenbridge"; + namespaces = { + users = [ + { + regex = "@irc_.*"; + exclusive = true; + } + { + regex = "@heisenbridge:.*"; + exclusive = true; + } + ]; + aliases = [ ]; + rooms = [ ]; + }; + } + ); # TODO(tlater): Starting with systemd 253 it will become possible # to do the credential setup as part of ExecStartPre/preStart @@ -114,7 +117,7 @@ in RestrictRealtime = true; ProtectProc = "invisible"; ProcSubset = "pid"; - UMask = 0077; + UMask = 77; # For the identd port # CapabilityBoundingSet = ["CAP_NET_BIND_SERVICE"]; @@ -134,9 +137,7 @@ in use-auth-secret = true; static-auth-secret-file = config.sops.secrets."turn/secret".path; realm = turn-realm; - relay-ips = [ - "116.202.158.55" - ]; + relay-ips = [ "116.202.158.55" ]; # SSL config # @@ -245,9 +246,7 @@ in services.backups.conduit = { user = "root"; - paths = [ - "/var/lib/private/matrix-conduit/" - ]; + paths = [ "/var/lib/private/matrix-conduit/" ]; # Other services store their data in conduit, so no other services # need to be shut down currently. pauseServices = [ "conduit.service" ]; diff --git a/configuration/services/fail2ban.nix b/configuration/services/fail2ban.nix index 1811046..f09668c 100644 
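Review bot: `UMask = 77;` in the heisenbridge serviceConfig is correct only by a round-trip coincidence and now reads as a decimal: Nix parses `0077` as the integer 77, NixOS renders it as `UMask=77`, and systemd interprets that as octal 077, which is what was meant. The reformat makes the mismatch visible, and a reader will reasonably wonder whether 77 was intended. The string form used in metrics/options.nix (`serviceConfig.UMask = "0077";`) keeps the octal literal intact: `UMask = "0077";`. The heisenbridge serviceConfig begins and ends outside this hunk.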
--- a/configuration/services/fail2ban.nix +++ b/configuration/services/fail2ban.nix @@ -1,4 +1,5 @@ -{ pkgs, ... }: { +{ pkgs, ... }: +{ services.fail2ban = { enable = true; extraPackages = [ pkgs.ipset ]; diff --git a/configuration/services/foundryvtt.nix b/configuration/services/foundryvtt.nix index 3383ab3..614b818 100644 --- a/configuration/services/foundryvtt.nix +++ b/configuration/services/foundryvtt.nix @@ -1,8 +1,9 @@ -{ lib -, config -, flake-inputs -, pkgs -, ... +{ + lib, + config, + flake-inputs, + pkgs, + ... }: let domain = "foundryvtt.${config.services.nginx.domain}"; @@ -40,9 +41,7 @@ in services.backups.foundryvtt = { user = "foundryvtt"; - paths = [ - config.services.foundryvtt.dataDir - ]; + paths = [ config.services.foundryvtt.dataDir ]; pauseServices = [ "foundryvtt.service" ]; }; } diff --git a/configuration/services/gitea.nix b/configuration/services/gitea.nix index 4ef6238..c88dd01 100644 --- a/configuration/services/gitea.nix +++ b/configuration/services/gitea.nix @@ -1,7 +1,8 @@ -{ pkgs -, config -, lib -, ... +{ + pkgs, + config, + lib, + ... }: let domain = "gitea.${config.services.nginx.domain}"; @@ -34,9 +35,7 @@ in secretPath = config.sops.secrets."forgejo/metrics-token".path; runConfig = "${config.services.forgejo.customDir}/conf/app.ini"; in - [ - "+${replaceSecretBin} '#metricstoken#' '${secretPath}' '${runConfig}'" - ]; + [ "+${replaceSecretBin} '#metricstoken#' '${secretPath}' '${runConfig}'" ]; # Set up SSL services.nginx.virtualHosts."${domain}" = diff --git a/configuration/services/metrics/exporters.nix b/configuration/services/metrics/exporters.nix index e17be8e..e16b945 100644 --- a/configuration/services/metrics/exporters.nix +++ b/configuration/services/metrics/exporters.nix @@ -1,7 +1,8 @@ -{ config -, pkgs -, lib -, ... +{ + config, + pkgs, + lib, + ... }: let yaml = pkgs.formats.yaml { }; 
@@ -20,9 +21,7 @@ in "tlater.com" ]; in - [ - "--config=${yaml.generate "domains.yml" conf}" - ]; + [ "--config=${yaml.generate "domains.yml" conf}" ]; }; # System statistics @@ -51,26 +50,21 @@ in listenAddress = "127.0.0.1"; group = "nginx"; - settings.namespaces = - lib.mapAttrsToList - (name: virtualHost: { - inherit name; - metrics_override.prefix = "nginxlog"; - namespace_label = "vhost"; + settings.namespaces = lib.mapAttrsToList (name: virtualHost: { + inherit name; + metrics_override.prefix = "nginxlog"; + namespace_label = "vhost"; - format = lib.concatStringsSep " " [ - "$remote_addr - $remote_user [$time_local]" - ''"$request" $status $body_bytes_sent'' - ''"$http_referer" "$http_user_agent"'' - ''rt=$request_time uct="$upstream_connect_time"'' - ''uht="$upstream_header_time" urt="$upstream_response_time"'' - ]; + format = lib.concatStringsSep " " [ + "$remote_addr - $remote_user [$time_local]" + ''"$request" $status $body_bytes_sent'' + ''"$http_referer" "$http_user_agent"'' + ''rt=$request_time uct="$upstream_connect_time"'' + ''uht="$upstream_header_time" urt="$upstream_response_time"'' + ]; - source.files = [ - "/var/log/nginx/${name}/access.log" - ]; - }) - config.services.nginx.virtualHosts; + source.files = [ "/var/log/nginx/${name}/access.log" ]; + }) config.services.nginx.virtualHosts; }; }; @@ -86,7 +80,11 @@ in requires = [ "fail2ban.service" ]; serviceConfig = { Group = "fail2ban"; - RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; + RestrictAddressFamilies = [ + "AF_UNIX" + "AF_INET" + "AF_INET6" + ]; ExecStart = lib.concatStringsSep " " [ "${pkgs.local.prometheus-fail2ban-exporter}/bin/fail2ban-prometheus-exporter" "--collector.f2b.socket=/var/run/fail2ban/fail2ban.sock" diff --git a/configuration/services/metrics/options.nix b/configuration/services/metrics/options.nix index 552aec8..5dd17a3 100644 --- a/configuration/services/metrics/options.nix +++ b/configuration/services/metrics/options.nix 
@@ -1,7 +1,8 @@ -{ pkgs -, config -, lib -, ... +{ + pkgs, + config, + lib, + ... }: let inherit (lib) types mkOption mkDefault; 
@@ -11,87 +12,94 @@ in options = { services.prometheus = { extraExporters = mkOption { - type = types.attrsOf (types.submodule { - options = { - port = mkOption { - type = types.int; - description = "The port on which this exporter listens."; + type = types.attrsOf ( + types.submodule { + options = { + port = mkOption { + type = types.int; + description = "The port on which this exporter listens."; + }; + listenAddress = mkOption { + type = types.str; + default = "127.0.0.1"; + description = "Address to listen on."; + }; + serviceOpts = mkOption { + type = types.attrs; + description = "An attrset to be merged with the exporter's systemd service."; + }; }; - listenAddress = mkOption { - type = types.str; - default = "127.0.0.1"; - description = "Address to listen on."; - }; - serviceOpts = mkOption { - type = types.attrs; - description = "An attrset to be merged with the exporter's systemd service."; - }; - }; - }); + } + ); }; }; services.victoriametrics.scrapeConfigs = mkOption { - type = types.attrsOf (types.submodule ({ name - , self - , ... - }: { - options = { - job_name = mkOption { - type = types.str; - default = name; - }; - - extraSettings = mkOption { - type = types.anything; - description = '' - Other settings to set for this scrape config. - ''; - default = { }; - }; - - targets = mkOption { - type = types.listOf types.str; - description = lib.mdDoc '' - Addresses scrape targets for this config listen on. - - Shortcut for `static_configs = lib.singleton {targets = [];}` - ''; - default = [ ]; - }; - - static_configs = mkOption { - default = [ ]; - type = types.listOf (types.submodule { - options = { - targets = mkOption { - type = types.listOf types.str; - description = lib.mdDoc '' - The addresses scrape targets for this config listen on. - - Must in `listenAddress:port` format. - ''; - }; - labels = mkOption { - type = types.attrsOf types.str; - description = lib.mdDoc '' - Labels to apply to all targets defined for this static config. 
- ''; - default = { }; - }; + type = types.attrsOf ( + types.submodule ( + { name, self, ... }: + { + options = { + job_name = mkOption { + type = types.str; + default = name; }; - }); - }; - }; - })); + + extraSettings = mkOption { + type = types.anything; + description = '' + Other settings to set for this scrape config. + ''; + default = { }; + }; + + targets = mkOption { + type = types.listOf types.str; + description = lib.mdDoc '' + Addresses scrape targets for this config listen on. + + Shortcut for `static_configs = lib.singleton {targets = [];}` + ''; + default = [ ]; + }; + + static_configs = mkOption { + default = [ ]; + type = types.listOf ( + types.submodule { + options = { + targets = mkOption { + type = types.listOf types.str; + description = lib.mdDoc '' + The addresses scrape targets for this config listen on. + + Must in `listenAddress:port` format. + ''; + }; + labels = mkOption { + type = types.attrsOf types.str; + description = lib.mdDoc '' + Labels to apply to all targets defined for this static config. + ''; + default = { }; + }; + }; + } + ); + }; + }; + } + ) + ); }; }; config = { systemd.services = lib.mkMerge [ - (lib.mapAttrs' - (name: exporter: - lib.nameValuePair "prometheus-${name}-exporter" (lib.mkMerge [ + (lib.mapAttrs' ( + name: exporter: + lib.nameValuePair "prometheus-${name}-exporter" ( + lib.mkMerge [ { # Shamelessly copied from upstream because the upstream # module is an intractable mess @@ -117,7 +125,10 @@ in serviceConfig.ProtectKernelTunables = true; serviceConfig.ProtectSystem = mkDefault "strict"; serviceConfig.RemoveIPC = true; - serviceConfig.RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + serviceConfig.RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + ]; serviceConfig.RestrictNamespaces = true; serviceConfig.RestrictRealtime = true; serviceConfig.RestrictSUIDSGID = true; 
@@ -125,8 +136,9 @@ in serviceConfig.UMask = "0077"; } exporter.serviceOpts - ])) - config.services.prometheus.extraExporters) + ] + ) + ) config.services.prometheus.extraExporters) { vmagent-scrape-exporters = @@ -134,24 +146,25 @@ in listenAddress = config.services.victoriametrics.listenAddress; vmAddr = (lib.optionalString (lib.hasPrefix ":" listenAddress) "127.0.0.1") + listenAddress; promscrape = yaml.generate "prometheus.yml" { - scrape_configs = lib.mapAttrsToList - (_: scrape: - lib.recursiveUpdate - { - inherit (scrape) job_name; - static_configs = - scrape.static_configs - ++ lib.optional (scrape.targets != [ ]) { targets = scrape.targets; }; - } - scrape.extraSettings) - config.services.victoriametrics.scrapeConfigs; + scrape_configs = lib.mapAttrsToList ( + _: scrape: + lib.recursiveUpdate { + inherit (scrape) job_name; + static_configs = + scrape.static_configs + ++ lib.optional (scrape.targets != [ ]) { targets = scrape.targets; }; + } scrape.extraSettings + ) config.services.victoriametrics.scrapeConfigs; }; in { enable = true; path = [ pkgs.victoriametrics ]; wantedBy = [ "multi-user.target" ]; - after = [ "network.target" "victoriametrics.service" ]; + after = [ + "network.target" + "victoriametrics.service" + ]; serviceConfig = { ExecStart = [ (lib.concatStringsSep " " [ @@ -180,7 +193,10 @@ in ProtectKernelTunables = true; ProtectSystem = "strict"; RemoveIPC = true; - RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + ]; RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; 
@@ -195,19 +211,15 @@ in services.victoriametrics.scrapeConfigs = let - allExporters = - lib.mapAttrs - (name: exporter: { - inherit (exporter) listenAddress port; - }) - ((lib.filterAttrs (_: exporter: builtins.isAttrs exporter && exporter.enable) - config.services.prometheus.exporters) - // config.services.prometheus.extraExporters); + allExporters = lib.mapAttrs (name: exporter: { inherit (exporter) listenAddress port; }) ( + (lib.filterAttrs ( + _: exporter: builtins.isAttrs exporter && exporter.enable + ) config.services.prometheus.exporters) + // config.services.prometheus.extraExporters + ); in - lib.mapAttrs - (_: exporter: { - targets = [ "${exporter.listenAddress}:${toString exporter.port}" ]; - }) - allExporters; + lib.mapAttrs (_: exporter: { + targets = [ "${exporter.listenAddress}:${toString exporter.port}" ]; + }) allExporters; }; } diff --git a/configuration/services/metrics/victoriametrics.nix b/configuration/services/metrics/victoriametrics.nix index 695b89e..710cf70 100644 --- a/configuration/services/metrics/victoriametrics.nix +++ b/configuration/services/metrics/victoriametrics.nix @@ -1,9 +1,8 @@ -{ config, ... }: { +{ config, ... }: +{ config.services.victoriametrics = { enable = true; - extraOptions = [ - "-storage.minFreeDiskSpaceBytes=5GB" - ]; + extraOptions = [ "-storage.minFreeDiskSpaceBytes=5GB" ]; scrapeConfigs = { forgejo = { diff --git a/configuration/services/nextcloud.nix b/configuration/services/nextcloud.nix index 30adf6e..63c7446 100644 --- a/configuration/services/nextcloud.nix +++ b/configuration/services/nextcloud.nix @@ -1,7 +1,8 @@ -{ pkgs -, config -, lib -, ... +{ + pkgs, + config, + lib, + ... }: let # Update pending on rewrite of nextcloud news, though there is an 
@@ -15,8 +16,8 @@ in inherit hostName; package = nextcloud; - phpPackage = lib.mkForce - (pkgs.php.override { + phpPackage = lib.mkForce ( + pkgs.php.override { packageOverrides = final: prev: { extensions = prev.extensions // { pgsql = prev.extensions.pgsql.overrideAttrs (old: { @@ -27,7 +28,8 @@ in }); }; }; - }); + } + ); enable = true; maxUploadSize = "2G"; https = true; @@ -52,7 +54,14 @@ in }; extraApps = { - inherit (pkgs.local) bookmarks calendar contacts cookbook news notes; + inherit (pkgs.local) + bookmarks + calendar + contacts + cookbook + news + notes + ; }; }; diff --git a/configuration/services/postgres.nix b/configuration/services/postgres.nix index 62dfb01..85a6843 100644 --- a/configuration/services/postgres.nix +++ b/configuration/services/postgres.nix @@ -1,4 +1,5 @@ -{ pkgs, ... }: { +{ pkgs, ... }: +{ services.postgresql = { package = pkgs.postgresql_14; enable = true; diff --git a/configuration/services/starbound.nix b/configuration/services/starbound.nix index 3b54ee9..f5b23c3 100644 --- a/configuration/services/starbound.nix +++ b/configuration/services/starbound.nix @@ -1,7 +1,4 @@ -{ pkgs -, lib -, ... -}: +{ pkgs, lib, ... }: let inherit (lib) concatStringsSep; in @@ -114,9 +111,7 @@ in services.backups.starbound = { user = "root"; - paths = [ - "/var/lib/private/starbound/storage/universe/" - ]; + paths = [ "/var/lib/private/starbound/storage/universe/" ]; pauseServices = [ "starbound.service" ]; }; } diff --git a/configuration/services/wireguard.nix b/configuration/services/wireguard.nix index 057a2e9..6f8f6a2 100644 --- a/configuration/services/wireguard.nix +++ b/configuration/services/wireguard.nix @@ -1,4 +1,5 @@ -{ config, ... }: { +{ config, ... }: +{ # iptables needs to permit forwarding from wg0 to wg0 networking.firewall.extraCommands = '' iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT diff --git a/flake.nix b/flake.nix index 56f3972..6dbbaa5 100644 --- a/flake.nix +++ b/flake.nix 
@@ -33,13 +33,14 @@ }; outputs = - { self - , nixpkgs - , sops-nix - , nvfetcher - , deploy-rs - , ... - } @ inputs: + { + self, + nixpkgs, + sops-nix, + nvfetcher, + deploy-rs, + ... + }@inputs: let system = "x86_64-linux"; pkgs = nixpkgs.legacyPackages.${system}; @@ -84,7 +85,12 @@ }; sshUser = "tlater"; - sshOpts = [ "-p" "2222" "-o" "ForwardAgent=yes" ]; + sshOpts = [ + "-p" + "2222" + "-o" + "ForwardAgent=yes" + ]; }; }; @@ -144,10 +150,11 @@ # Development environment # ########################### devShells.${system}.default = nixpkgs.legacyPackages.${system}.mkShell { - sopsPGPKeyDirs = [ "./keys/hosts/" "./keys/users/" ]; - nativeBuildInputs = [ - sops-nix.packages.${system}.sops-import-keys-hook + sopsPGPKeyDirs = [ + "./keys/hosts/" + "./keys/users/" ]; + nativeBuildInputs = [ sops-nix.packages.${system}.sops-import-keys-hook ]; packages = with pkgs; [ sops-nix.packages.${system}.sops-init-gpg-key diff --git a/modules/default.nix b/modules/default.nix index 9341a5a..e1db4cc 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -1,5 +1 @@ -{ - imports = [ - ./nginxExtensions.nix - ]; -} +{ imports = [ ./nginxExtensions.nix ]; } diff --git a/modules/nginxExtensions.nix b/modules/nginxExtensions.nix index 3603756..bd505d3 100644 --- a/modules/nginxExtensions.nix +++ b/modules/nginxExtensions.nix @@ -1,8 +1,10 @@ -{ config -, pkgs -, lib -, ... -}: { +{ + config, + pkgs, + lib, + ... +}: +{ options = { services.nginx.domain = lib.mkOption { type = lib.types.str; @@ -12,10 +14,8 @@ services.nginx.virtualHosts = let extraVirtualHostOptions = - { name - , config - , ... - }: { + { name, config, ... }: + { options = { enableHSTS = lib.mkEnableOption "Enable HSTS"; @@ -40,9 +40,7 @@ }; }; in - lib.mkOption { - type = lib.types.attrsOf (lib.types.submodule extraVirtualHostOptions); - }; + lib.mkOption { type = lib.types.attrsOf (lib.types.submodule extraVirtualHostOptions); }; }; config = { 
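Review bot: `"-o" "ForwardAgent=yes"` in the deploy-rs `sshOpts` forwards the deploying user's SSH agent to the target host on every deployment, and root on that host (the activation step on the remote typically runs as root) can use the forwarded socket to authenticate as you to anything else the agent holds keys for while the session is open. Nothing in this flake shows why the remote side would need the agent, since deploy-rs pushes closures from the local machine; unless there is a concrete reason, I would drop those two list entries, or at least leave a comment naming the fetch that requires them. If agent access on the host is needed for one specific operation, forwarding can be enabled for that single invocation rather than for every deploy.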
@@ -51,11 +49,11 @@ let confirm = ''[[ "tlater.net" = ${config.services.nginx.domain} ]]''; in - lib.mapAttrs' - (cert: _: - lib.nameValuePair "acme-${cert}" { - serviceConfig.ExecCondition = ''${pkgs.runtimeShell} -c '${confirm}' ''; - }) - config.security.acme.certs; + lib.mapAttrs' ( + cert: _: + lib.nameValuePair "acme-${cert}" { + serviceConfig.ExecCondition = ''${pkgs.runtimeShell} -c '${confirm}' ''; + } + ) config.security.acme.certs; }; } diff --git a/pkgs/afvalcalendar/default.nix b/pkgs/afvalcalendar/default.nix index 12b868c..6392220 100644 --- a/pkgs/afvalcalendar/default.nix +++ b/pkgs/afvalcalendar/default.nix @@ -1,19 +1,12 @@ -{ pkgs -, rustPlatform -, ... -}: +{ pkgs, rustPlatform, ... }: rustPlatform.buildRustPackage { pname = "afvalcalendar"; version = "0.1.0"; src = ./.; - nativeBuildInputs = with pkgs; [ - pkg-config - ]; + nativeBuildInputs = with pkgs; [ pkg-config ]; - buildInputs = with pkgs; [ - openssl - ]; + buildInputs = with pkgs; [ openssl ]; cargoHash = "sha256-JXx6aUKdKbUTBCwlBw5i1hZy8ofCfSrhLCwFzqdA8cI="; } diff --git a/pkgs/default.nix b/pkgs/default.nix index 132d0f5..a9d7aa1 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -1,7 +1,4 @@ -{ pkgs -, lib -, -}: +{ pkgs, lib }: let inherit (builtins) fromJSON mapAttrs readFile; inherit (pkgs) callPackage; @@ -13,7 +10,7 @@ in }; afvalcalendar = callPackage ./afvalcalendar { }; } - // ( +// ( # Add nextcloud apps let mkNextcloudApp = pkgs.callPackage ./mkNextcloudApp.nix { }; diff --git a/pkgs/mkNextcloudApp.nix b/pkgs/mkNextcloudApp.nix index 7453f44..095b0e8 100644 --- a/pkgs/mkNextcloudApp.nix +++ b/pkgs/mkNextcloudApp.nix @@ -1,7 +1,5 @@ -{ fetchNextcloudApp -, lib -, -}: source: +{ fetchNextcloudApp, lib }: +source: fetchNextcloudApp { url = source.src.url; sha256 = source.src.sha256; diff --git a/pkgs/prometheus/fail2ban-exporter.nix b/pkgs/prometheus/fail2ban-exporter.nix index b74e35d..dc22b6c 100644 --- a/pkgs/prometheus/fail2ban-exporter.nix 
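Review bot: In the `acme-${cert}` ExecCondition the right-hand side of `[[ "tlater.net" = ${config.services.nginx.domain} ]]` is interpolated unquoted, so bash treats it as a glob pattern rather than a literal string, and a domain containing `*`, `?`, brackets or whitespace would change or break the comparison; quoting both sides makes it a plain equality: `confirm = ''[[ "tlater.net" = "${config.services.nginx.domain}" ]]'';`. The value comes from a NixOS option rather than untrusted input, so this is a correctness nit rather than an injection concern. The `systemd.services` attribute that this `let` feeds begins outside the hunk.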
+++ b/pkgs/prometheus/fail2ban-exporter.nix @@ -1,7 +1,4 @@ -{ buildGoModule -, sources -, -}: +{ buildGoModule, sources }: buildGoModule { inherit (sources.prometheus-fail2ban-exporter) pname src version; vendorHash = "sha256-5o8p5p0U/c0WAIV5dACnWA3ThzSh2tt5LIFMb59i9GY="; diff --git a/pkgs/starbound/default.nix b/pkgs/starbound/default.nix index a8689f3..26f2184 100644 --- a/pkgs/starbound/default.nix +++ b/pkgs/starbound/default.nix @@ -1,19 +1,21 @@ -{ stdenv -, lib -, makeWrapper -, patchelf -, steamPackages -, replace-secret -, +{ + stdenv, + lib, + makeWrapper, + patchelf, + steamPackages, + replace-secret, }: let # Use the directory in which starbound is installed so steamcmd # doesn't have to be reinstalled constantly (we're using DynamicUser # with StateDirectory to persist this). - steamcmd = steamPackages.steamcmd.override { - steamRoot = "/var/lib/starbound/.steamcmd"; - }; - wrapperPath = lib.makeBinPath [ patchelf steamcmd replace-secret ]; + steamcmd = steamPackages.steamcmd.override { steamRoot = "/var/lib/starbound/.steamcmd"; }; + wrapperPath = lib.makeBinPath [ + patchelf + steamcmd + replace-secret + ]; in stdenv.mkDerivation { name = "starbound-update-script";