tlaternet/tlaternet-server
1
0
Fork 0
Code Issues 10 Pull requests Activity

style: Apply new nixfmt formatting

Browse source
This commit is contained in:
Tristan Daniël Maat 2025-08-02 18:33:06 +08:00
parent 895afdce5a
commit f8167209eb
Signed by: tlater
GPG key ID: 49670FD774E43268
4 changed files with 126 additions and 129 deletions
Download patch file Download diff file Expand all files Collapse all files

29
configuration/nginx.nix
View file

@ -20,22 +20,21 @@
''; '';
}; };
logrotate.settings = logrotate.settings = {
{ # Override the default, just keep fewer logs
# Override the default, just keep fewer logs nginx.rotate = 6;
nginx.rotate = 6; }
// lib.mapAttrs' (
virtualHost: _:
lib.nameValuePair "/var/log/nginx/${virtualHost}/access.log" {
frequency = "daily";
rotate = 2;
compress = true;
delaycompress = true;
su = "${config.services.nginx.user} ${config.services.nginx.group}";
postrotate = "[ ! -f /var/run/nginx/nginx.pid ] || kill -USR1 `cat /var/run/nginx/nginx.pid`";
} }
// lib.mapAttrs' ( ) config.services.nginx.virtualHosts;
virtualHost: _:
lib.nameValuePair "/var/log/nginx/${virtualHost}/access.log" {
frequency = "daily";
rotate = 2;
compress = true;
delaycompress = true;
su = "${config.services.nginx.user} ${config.services.nginx.group}";
postrotate = "[ ! -f /var/run/nginx/nginx.pid ] || kill -USR1 `cat /var/run/nginx/nginx.pid`";
}
) config.services.nginx.virtualHosts;
backups.acme = { backups.acme = {
user = "acme"; user = "acme";

212
configuration/services/backups.nix
View file

@ -140,123 +140,121 @@ in
}; };
config = lib.mkIf (config.services.backups != { }) { config = lib.mkIf (config.services.backups != { }) {
systemd.services = systemd.services = {
{ restic-prune = {
restic-prune = { # Doesn't hurt to finish the ongoing prune
# Doesn't hurt to finish the ongoing prune restartIfChanged = false;
restartIfChanged = false;
environment = resticEnv; environment = resticEnv;
path = with pkgs; [ path = with pkgs; [
openssh openssh
rclone rclone
restic restic
];
script = ''
# TODO(tlater): In an append-only setup, we should be
# careful with this; an attacker could delete backups by
# simply appending ad infinitum:
# https://restic.readthedocs.io/en/stable/060_forget.html#security-considerations-in-append-only-mode
restic forget --keep-last 3 --prune
restic check
'';
serviceConfig = {
DynamicUser = true;
Group = "backup";
CacheDirectory = "restic-prune";
CacheDirectoryMode = "0700";
};
};
}
// lib.mapAttrs' (
name: backup:
lib.nameValuePair "backup-${name}" {
# Don't want to restart mid-backup
restartIfChanged = false;
environment = resticEnv // {
RESTIC_CACHE_DIR = "%C/backup-${name}";
};
path = with pkgs; [
coreutils
openssh
rclone
restic
];
# TODO(tlater): If I ever add more than one repo, service
# shutdown/restarting will potentially break if multiple
# backups for the same service overlap. A more clever
# sentinel file with reference counts would probably solve
# this.
serviceConfig = {
User = backup.user;
Group = "backup";
RuntimeDirectory = "backup-${name}";
CacheDirectory = "backup-${name}";
CacheDirectoryMode = "0700";
PrivateTmp = true;
ExecStart = [
(lib.concatStringsSep " " (
[
"${pkgs.restic}/bin/restic"
"backup"
"--tag"
name
]
++ backup.paths
))
]; ];
script = '' ExecStartPre =
# TODO(tlater): In an append-only setup, we should be map (service: "+${mkShutdownScript service}") backup.pauseServices
# careful with this; an attacker could delete backups by ++ singleton (
# simply appending ad infinitum: writeScript "backup-${name}-repo-init" [ ] ''
# https://restic.readthedocs.io/en/stable/060_forget.html#security-considerations-in-append-only-mode restic snapshots || restic init
restic forget --keep-last 3 --prune ''
restic check )
''; ++ optional (backup.preparation.text != null) (
writeScript "backup-${name}-prepare" backup.preparation.packages backup.preparation.text
);
serviceConfig = { # TODO(tlater): Add repo pruning/checking
DynamicUser = true; ExecStopPost =
Group = "backup"; map (service: "+${mkRestartScript service}") backup.pauseServices
++ optional (backup.cleanup.text != null) (
CacheDirectory = "restic-prune"; writeScript "backup-${name}-cleanup" backup.cleanup.packages backup.cleanup.text
CacheDirectoryMode = "0700"; );
};
}; };
} }
// lib.mapAttrs' ( ) config.services.backups;
name: backup:
lib.nameValuePair "backup-${name}" {
# Don't want to restart mid-backup
restartIfChanged = false;
environment = resticEnv // { systemd.timers = {
RESTIC_CACHE_DIR = "%C/backup-${name}"; restic-prune = {
}; wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "Thursday 03:00:00 UTC";
path = with pkgs; [ # Don't make this persistent, in case the server was offline
coreutils # for a while. This job cannot run at the same time as any
openssh # of the backup jobs.
rclone };
restic }
]; // lib.mapAttrs' (
name: _:
# TODO(tlater): If I ever add more than one repo, service lib.nameValuePair "backup-${name}" {
# shutdown/restarting will potentially break if multiple wantedBy = [ "timers.target" ];
# backups for the same service overlap. A more clever timerConfig = {
# sentinel file with reference counts would probably solve OnCalendar = "Wednesday 02:30:00 UTC";
# this. RandomizedDelaySec = "1h";
serviceConfig = { FixedRandomDelay = true;
User = backup.user; Persistent = true;
Group = "backup";
RuntimeDirectory = "backup-${name}";
CacheDirectory = "backup-${name}";
CacheDirectoryMode = "0700";
PrivateTmp = true;
ExecStart = [
(lib.concatStringsSep " " (
[
"${pkgs.restic}/bin/restic"
"backup"
"--tag"
name
]
++ backup.paths
))
];
ExecStartPre =
map (service: "+${mkShutdownScript service}") backup.pauseServices
++ singleton (
writeScript "backup-${name}-repo-init" [ ] ''
restic snapshots || restic init
''
)
++ optional (backup.preparation.text != null) (
writeScript "backup-${name}-prepare" backup.preparation.packages backup.preparation.text
);
# TODO(tlater): Add repo pruning/checking
ExecStopPost =
map (service: "+${mkRestartScript service}") backup.pauseServices
++ optional (backup.cleanup.text != null) (
writeScript "backup-${name}-cleanup" backup.cleanup.packages backup.cleanup.text
);
};
}
) config.services.backups;
systemd.timers =
{
restic-prune = {
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "Thursday 03:00:00 UTC";
# Don't make this persistent, in case the server was offline
# for a while. This job cannot run at the same time as any
# of the backup jobs.
}; };
} }
// lib.mapAttrs' ( ) config.services.backups;
name: _:
lib.nameValuePair "backup-${name}" {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "Wednesday 02:30:00 UTC";
RandomizedDelaySec = "1h";
FixedRandomDelay = true;
Persistent = true;
};
}
) config.services.backups;
users = { users = {
# This user is only used to own the ssh key, because apparently # This user is only used to own the ssh key, because apparently

11
configuration/services/crowdsec.nix
View file

@ -30,11 +30,12 @@
{ {
labels.type = "nginx"; labels.type = "nginx";
filenames = filenames = [
[ "/var/log/nginx/*.log" ] "/var/log/nginx/*.log"
++ lib.mapAttrsToList ( ]
vHost: _: "/var/log/nginx/${vHost}/access.log" ++ lib.mapAttrsToList (
) config.services.nginx.virtualHosts; vHost: _: "/var/log/nginx/${vHost}/access.log"
) config.services.nginx.virtualHosts;
} }
]; ];

3
configuration/services/metrics/options.nix
View file

@ -154,8 +154,7 @@ in
lib.recursiveUpdate { lib.recursiveUpdate {
inherit (scrape) job_name; inherit (scrape) job_name;
static_configs = static_configs =
scrape.static_configs scrape.static_configs ++ lib.optional (scrape.targets != [ ]) { inherit (scrape) targets; };
++ lib.optional (scrape.targets != [ ]) { inherit (scrape) targets; };
} scrape.extraSettings } scrape.extraSettings
) config.services.victoriametrics.scrapeConfigs; ) config.services.victoriametrics.scrapeConfigs;
}; };