diff --git a/.git-blame-ignore-revs b/.git-blame-ignore-revs
index cee878d..df9d62b 100644
--- a/.git-blame-ignore-revs
+++ b/.git-blame-ignore-revs
@@ -1,6 +1,9 @@
# Run this command to always ignore formatting commits in `git blame`
# git config blame.ignoreRevsFile .git-blame-ignore-revs
+# Switch to nixfmt formatting
+04f7a7ef1d38906163afc9cddfa8ce2b0ebf3b45
+
# Switch to nixpkgs-fmt formatting
fd138d45e6a2cad89fead6e9f246ba282070d6b7
diff --git a/configuration/default.nix b/configuration/default.nix
index 792a4c9..333488b 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -1,10 +1,12 @@
-{ config
-, pkgs
-, lib
-, modulesPath
-, flake-inputs
-, ...
-}: {
+{
+ config,
+ pkgs,
+ lib,
+ modulesPath,
+ flake-inputs,
+ ...
+}:
+{
imports = [
flake-inputs.disko.nixosModules.disko
flake-inputs.sops-nix.nixosModules.sops
@@ -51,7 +53,10 @@
# Optimization for minecraft servers, see:
# https://bugs.mojang.com/browse/MC-183518
- boot.kernelParams = [ "highres=off" "nohz=off" ];
+ boot.kernelParams = [
+ "highres=off"
+ "nohz=off"
+ ];
networking = {
usePredictableInterfaceNames = false;
diff --git a/configuration/hardware-specific/hetzner/default.nix b/configuration/hardware-specific/hetzner/default.nix
index 3106f19..6795377 100644
--- a/configuration/hardware-specific/hetzner/default.nix
+++ b/configuration/hardware-specific/hetzner/default.nix
@@ -25,9 +25,7 @@
};
}
# IPv6
- {
- addressConfig.Address = "2a01:4f8:10b:3c85::2/64";
- }
+ { addressConfig.Address = "2a01:4f8:10b:3c85::2/64"; }
];
networkConfig = {
diff --git a/configuration/hardware-specific/hetzner/disko.nix b/configuration/hardware-specific/hetzner/disko.nix
index a2ea764..cc15471 100644
--- a/configuration/hardware-specific/hetzner/disko.nix
+++ b/configuration/hardware-specific/hetzner/disko.nix
@@ -19,7 +19,10 @@
};
};
- mountOptions = [ "compress=zstd" "noatime" ];
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
in
{
sda = {
@@ -54,7 +57,15 @@
type = "btrfs";
# Hack to get multi-device btrfs going
# See https://github.com/nix-community/disko/issues/99
- extraArgs = [ "-d" "raid1" "-m" "raid1" "--runtime-features" "quota" "/dev/sda3" ];
+ extraArgs = [
+ "-d"
+ "raid1"
+ "-m"
+ "raid1"
+ "--runtime-features"
+ "quota"
+ "/dev/sda3"
+ ];
subvolumes = {
"/volume" = { };
"/volume/root" = {
diff --git a/configuration/hardware-specific/vm.nix b/configuration/hardware-specific/vm.nix
index 86fcaed..1783956 100644
--- a/configuration/hardware-specific/vm.nix
+++ b/configuration/hardware-specific/vm.nix
@@ -1,4 +1,5 @@
-{ lib, ... }: {
+{ lib, ... }:
+{
users.users.tlater.password = "insecure";
# Disable graphical tty so -curses works
diff --git a/configuration/nginx.nix b/configuration/nginx.nix
index d696bba..b38118b 100644
--- a/configuration/nginx.nix
+++ b/configuration/nginx.nix
@@ -1,7 +1,5 @@
-{ config
-, lib
-, ...
-}: {
+{ config, lib, ... }:
+{
services.nginx = {
enable = true;
recommendedTlsSettings = true;
@@ -26,26 +24,23 @@
# Override the default, just keep fewer logs
nginx.rotate = 6;
}
- // lib.mapAttrs'
- (virtualHost: _:
- lib.nameValuePair "/var/log/nginx/${virtualHost}/access.log" {
- frequency = "daily";
- rotate = 2;
- compress = true;
- delaycompress = true;
- su = "${config.services.nginx.user} ${config.services.nginx.group}";
- postrotate = "[ ! -f /var/run/nginx/nginx.pid ] || kill -USR1 `cat /var/run/nginx/nginx.pid`";
- })
- config.services.nginx.virtualHosts;
+ // lib.mapAttrs' (
+ virtualHost: _:
+ lib.nameValuePair "/var/log/nginx/${virtualHost}/access.log" {
+ frequency = "daily";
+ rotate = 2;
+ compress = true;
+ delaycompress = true;
+ su = "${config.services.nginx.user} ${config.services.nginx.group}";
+ postrotate = "[ ! -f /var/run/nginx/nginx.pid ] || kill -USR1 `cat /var/run/nginx/nginx.pid`";
+ }
+ ) config.services.nginx.virtualHosts;
- systemd.tmpfiles.rules =
- lib.mapAttrsToList
- (
- virtualHost: _:
- #
- "d /var/log/nginx/${virtualHost} 0750 ${config.services.nginx.user} ${config.services.nginx.group}"
- )
- config.services.nginx.virtualHosts;
+ systemd.tmpfiles.rules = lib.mapAttrsToList (
+ virtualHost: _:
+ #
+ "d /var/log/nginx/${virtualHost} 0750 ${config.services.nginx.user} ${config.services.nginx.group}"
+ ) config.services.nginx.virtualHosts;
security.acme = {
defaults.email = "tm@tlater.net";
@@ -61,8 +56,8 @@
services.backups.acme = {
user = "acme";
- paths =
- lib.mapAttrsToList (virtualHost: _: "/var/lib/acme/${virtualHost}")
- config.services.nginx.virtualHosts;
+ paths = lib.mapAttrsToList (
+ virtualHost: _: "/var/lib/acme/${virtualHost}"
+ ) config.services.nginx.virtualHosts;
};
}
diff --git a/configuration/services/afvalcalendar.nix b/configuration/services/afvalcalendar.nix
index 28e3a75..ec7d9f7 100644
--- a/configuration/services/afvalcalendar.nix
+++ b/configuration/services/afvalcalendar.nix
@@ -1,7 +1,5 @@
-{ pkgs
-, config
-, ...
-}: {
+{ pkgs, config, ... }:
+{
systemd.services.afvalcalendar = {
description = "Enschede afvalcalendar -> ical converter";
wantedBy = [ "multi-user.target" ];
@@ -25,16 +23,23 @@
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
- RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+ RestrictAddressFamilies = [
+ "AF_UNIX"
+ "AF_INET"
+ "AF_INET6"
+ ];
RestrictNamespaces = true;
LockPersonality = true;
MemoryDenyWriteExecute = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
- SystemCallFilter = [ "@system-service" "~@privileged @resources @setuid @keyring" ];
+ SystemCallFilter = [
+ "@system-service"
+ "~@privileged @resources @setuid @keyring"
+ ];
- Umask = 0002;
+ Umask = 2;
SupplementaryGroups = "afvalcalendar-hosting";
ReadWritePaths = "/srv/afvalcalendar";
diff --git a/configuration/services/backups.nix b/configuration/services/backups.nix
index 7c77399..81e3554 100644
--- a/configuration/services/backups.nix
+++ b/configuration/services/backups.nix
@@ -1,29 +1,35 @@
-{ config
-, pkgs
-, lib
-, ...
+{
+ config,
+ pkgs,
+ lib,
+ ...
}:
let
inherit (lib) types optional singleton;
- mkShutdownScript = service:
+ mkShutdownScript =
+ service:
pkgs.writeShellScript "backup-${service}-shutdown" ''
if systemctl is-active --quiet '${service}'; then
touch '/tmp/${service}-was-active'
systemctl stop '${service}'
fi
'';
- mkRestartScript = service:
+ mkRestartScript =
+ service:
pkgs.writeShellScript "backup-${service}-restart" ''
if [ -f '/tmp/${service}-was-active' ]; then
rm '/tmp/${service}-was-active'
systemctl start '${service}'
fi
'';
- writeScript = name: packages: text:
- lib.getExe (pkgs.writeShellApplication {
- inherit name text;
- runtimeInputs = packages;
- });
+ writeScript =
+ name: packages: text:
+ lib.getExe (
+ pkgs.writeShellApplication {
+ inherit name text;
+ runtimeInputs = packages;
+ }
+ );
# *NOT* a TOML file, for some reason quotes are interpreted
# *literally
@@ -49,85 +55,87 @@ in
description = lib.mdDoc ''
Configure restic backups with a specific tag.
'';
- type = types.attrsOf (types.submodule ({ config
- , name
- , ...
- }: {
- options = {
- user = lib.mkOption {
- type = types.str;
- description = ''
- The user as which to run the backup.
- '';
- };
- paths = lib.mkOption {
- type = types.listOf types.str;
- description = ''
- The paths to back up.
- '';
- };
- tag = lib.mkOption {
- type = types.str;
- description = ''
- The restic tag to mark the backup with.
- '';
- default = name;
- };
- preparation = {
- packages = lib.mkOption {
- type = types.listOf types.package;
- default = [ ];
- description = ''
- The list of packages to make available in the
- preparation script.
- '';
- };
- text = lib.mkOption {
- type = types.nullOr types.str;
- default = null;
- description = ''
- The preparation script to run before the backup.
+ type = types.attrsOf (
+ types.submodule (
+ { config, name, ... }:
+ {
+ options = {
+ user = lib.mkOption {
+ type = types.str;
+ description = ''
+ The user as which to run the backup.
+ '';
+ };
+ paths = lib.mkOption {
+ type = types.listOf types.str;
+ description = ''
+ The paths to back up.
+ '';
+ };
+ tag = lib.mkOption {
+ type = types.str;
+ description = ''
+ The restic tag to mark the backup with.
+ '';
+ default = name;
+ };
+ preparation = {
+ packages = lib.mkOption {
+ type = types.listOf types.package;
+ default = [ ];
+ description = ''
+ The list of packages to make available in the
+ preparation script.
+ '';
+ };
+ text = lib.mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ The preparation script to run before the backup.
- This should include things like database dumps and
- enabling maintenance modes. If a service needs to be
- shut down for backups, use `pauseServices` instead.
- '';
- };
- };
- cleanup = {
- packages = lib.mkOption {
- type = types.listOf types.package;
- default = [ ];
- description = ''
- The list of packages to make available in the
- cleanup script.
- '';
- };
- text = lib.mkOption {
- type = types.nullOr types.str;
- default = null;
- description = ''
- The cleanup script to run after the backup.
+ This should include things like database dumps and
+ enabling maintenance modes. If a service needs to be
+ shut down for backups, use `pauseServices` instead.
+ '';
+ };
+ };
+ cleanup = {
+ packages = lib.mkOption {
+ type = types.listOf types.package;
+ default = [ ];
+ description = ''
+ The list of packages to make available in the
+ cleanup script.
+ '';
+ };
+ text = lib.mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ The cleanup script to run after the backup.
- This should do things like cleaning up database dumps
- and disabling maintenance modes.
- '';
- };
- };
- pauseServices = lib.mkOption {
- type = types.listOf types.str;
- default = [ ];
- description = ''
- The systemd services that need to be shut down before
- the backup can run. Services will be restarted after the
- backup is complete.
+ This should do things like cleaning up database dumps
+ and disabling maintenance modes.
+ '';
+ };
+ };
+ pauseServices = lib.mkOption {
+ type = types.listOf types.str;
+ default = [ ];
+ description = ''
+ The systemd services that need to be shut down before
+ the backup can run. Services will be restarted after the
+ backup is complete.
- This is intended to be used for services that do not
- support hot backups.
- '';
- };
- };
- }));
+ This is intended to be used for services that do not
+ support hot backups.
+ '';
+ };
+ };
+ }
+ )
+ );
};
};
@@ -164,58 +172,68 @@ in
};
};
}
- // lib.mapAttrs'
- (name: backup:
- lib.nameValuePair "backup-${name}" {
- # Don't want to restart mid-backup
- restartIfChanged = false;
+ // lib.mapAttrs' (
+ name: backup:
+ lib.nameValuePair "backup-${name}" {
+ # Don't want to restart mid-backup
+ restartIfChanged = false;
- environment =
- resticEnv
- // {
- RESTIC_CACHE_DIR = "%C/backup-${name}";
- };
+ environment = resticEnv // {
+ RESTIC_CACHE_DIR = "%C/backup-${name}";
+ };
- path = with pkgs; [
- coreutils
- openssh
- rclone
- restic
+ path = with pkgs; [
+ coreutils
+ openssh
+ rclone
+ restic
+ ];
+
+ # TODO(tlater): If I ever add more than one repo, service
+ # shutdown/restarting will potentially break if multiple
+ # backups for the same service overlap. A more clever
+ # sentinel file with reference counts would probably solve
+ # this.
+ serviceConfig = {
+ User = backup.user;
+ Group = "backup";
+ RuntimeDirectory = "backup-${name}";
+ CacheDirectory = "backup-${name}";
+ CacheDirectoryMode = "0700";
+ PrivateTmp = true;
+
+ ExecStart = [
+ (lib.concatStringsSep " " (
+ [
+ "${pkgs.restic}/bin/restic"
+ "backup"
+ "--tag"
+ name
+ ]
+ ++ backup.paths
+ ))
];
- # TODO(tlater): If I ever add more than one repo, service
- # shutdown/restarting will potentially break if multiple
- # backups for the same service overlap. A more clever
- # sentinel file with reference counts would probably solve
- # this.
- serviceConfig = {
- User = backup.user;
- Group = "backup";
- RuntimeDirectory = "backup-${name}";
- CacheDirectory = "backup-${name}";
- CacheDirectoryMode = "0700";
- PrivateTmp = true;
-
- ExecStart = [
- (lib.concatStringsSep " " ([ "${pkgs.restic}/bin/restic" "backup" "--tag" name ] ++ backup.paths))
- ];
-
- ExecStartPre =
- map (service: "+${mkShutdownScript service}") backup.pauseServices
- ++ singleton (writeScript "backup-${name}-repo-init" [ ] ''
+ ExecStartPre =
+ map (service: "+${mkShutdownScript service}") backup.pauseServices
+ ++ singleton (
+ writeScript "backup-${name}-repo-init" [ ] ''
restic snapshots || restic init
- '')
- ++ optional (backup.preparation.text != null)
- (writeScript "backup-${name}-prepare" backup.preparation.packages backup.preparation.text);
+ ''
+ )
+ ++ optional (backup.preparation.text != null) (
+ writeScript "backup-${name}-prepare" backup.preparation.packages backup.preparation.text
+ );
- # TODO(tlater): Add repo pruning/checking
- ExecStopPost =
- map (service: "+${mkRestartScript service}") backup.pauseServices
- ++ optional (backup.cleanup.text != null)
- (writeScript "backup-${name}-cleanup" backup.cleanup.packages backup.cleanup.text);
- };
- })
- config.services.backups;
+ # TODO(tlater): Add repo pruning/checking
+ ExecStopPost =
+ map (service: "+${mkRestartScript service}") backup.pauseServices
+ ++ optional (backup.cleanup.text != null) (
+ writeScript "backup-${name}-cleanup" backup.cleanup.packages backup.cleanup.text
+ );
+ };
+ }
+ ) config.services.backups;
systemd.timers =
{
@@ -227,18 +245,18 @@ in
# of the backup jobs.
};
}
- // lib.mapAttrs'
- (name: backup:
- lib.nameValuePair "backup-${name}" {
- wantedBy = [ "timers.target" ];
- timerConfig = {
- OnCalendar = "Wednesday 02:30:00 UTC";
- RandomizedDelaySec = "1h";
- FixedRandomDelay = true;
- Persistent = true;
- };
- })
- config.services.backups;
+ // lib.mapAttrs' (
+ name: backup:
+ lib.nameValuePair "backup-${name}" {
+ wantedBy = [ "timers.target" ];
+ timerConfig = {
+ OnCalendar = "Wednesday 02:30:00 UTC";
+ RandomizedDelaySec = "1h";
+ FixedRandomDelay = true;
+ Persistent = true;
+ };
+ }
+ ) config.services.backups;
users = {
# This user is only used to own the ssh key, because apparently
diff --git a/configuration/services/battery-manager.nix b/configuration/services/battery-manager.nix
index 7783a3b..a16cca1 100644
--- a/configuration/services/battery-manager.nix
+++ b/configuration/services/battery-manager.nix
@@ -1,10 +1,6 @@
-{ config
-, flake-inputs
-, ...
-}: {
- imports = [
- flake-inputs.sonnenshift.nixosModules.default
- ];
+{ config, flake-inputs, ... }:
+{
+ imports = [ flake-inputs.sonnenshift.nixosModules.default ];
services.batteryManager = {
enable = true;
diff --git a/configuration/services/conduit.nix b/configuration/services/conduit.nix
index 8734785..4e53241 100644
--- a/configuration/services/conduit.nix
+++ b/configuration/services/conduit.nix
@@ -1,7 +1,8 @@
-{ pkgs
-, config
-, lib
-, ...
+{
+ pkgs,
+ config,
+ lib,
+ ...
}:
let
inherit (lib.strings) concatMapStringsSep;
@@ -42,28 +43,30 @@ in
systemd.services.heisenbridge =
let
replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
- registrationFile = builtins.toFile "heisenbridge-registration.yaml" (builtins.toJSON {
- id = "heisenbridge";
- url = "http://127.0.0.1:9898";
- as_token = "@AS_TOKEN@";
- hs_token = "@HS_TOKEN@";
- rate_limited = false;
- sender_localpart = "heisenbridge";
- namespaces = {
- users = [
- {
- regex = "@irc_.*";
- exclusive = true;
- }
- {
- regex = "@heisenbridge:.*";
- exclusive = true;
- }
- ];
- aliases = [ ];
- rooms = [ ];
- };
- });
+ registrationFile = builtins.toFile "heisenbridge-registration.yaml" (
+ builtins.toJSON {
+ id = "heisenbridge";
+ url = "http://127.0.0.1:9898";
+ as_token = "@AS_TOKEN@";
+ hs_token = "@HS_TOKEN@";
+ rate_limited = false;
+ sender_localpart = "heisenbridge";
+ namespaces = {
+ users = [
+ {
+ regex = "@irc_.*";
+ exclusive = true;
+ }
+ {
+ regex = "@heisenbridge:.*";
+ exclusive = true;
+ }
+ ];
+ aliases = [ ];
+ rooms = [ ];
+ };
+ }
+ );
# TODO(tlater): Starting with systemd 253 it will become possible
# to do the credential setup as part of ExecStartPre/preStart
@@ -114,7 +117,7 @@ in
RestrictRealtime = true;
ProtectProc = "invisible";
ProcSubset = "pid";
- UMask = 0077;
+ UMask = 77;
# For the identd port
# CapabilityBoundingSet = ["CAP_NET_BIND_SERVICE"];
@@ -134,9 +137,7 @@ in
use-auth-secret = true;
static-auth-secret-file = config.sops.secrets."turn/secret".path;
realm = turn-realm;
- relay-ips = [
- "116.202.158.55"
- ];
+ relay-ips = [ "116.202.158.55" ];
# SSL config
#
@@ -245,9 +246,7 @@ in
services.backups.conduit = {
user = "root";
- paths = [
- "/var/lib/private/matrix-conduit/"
- ];
+ paths = [ "/var/lib/private/matrix-conduit/" ];
# Other services store their data in conduit, so no other services
# need to be shut down currently.
pauseServices = [ "conduit.service" ];
diff --git a/configuration/services/fail2ban.nix b/configuration/services/fail2ban.nix
index 1811046..f09668c 100644
--- a/configuration/services/fail2ban.nix
+++ b/configuration/services/fail2ban.nix
@@ -1,4 +1,5 @@
-{ pkgs, ... }: {
+{ pkgs, ... }:
+{
services.fail2ban = {
enable = true;
extraPackages = [ pkgs.ipset ];
diff --git a/configuration/services/foundryvtt.nix b/configuration/services/foundryvtt.nix
index 3383ab3..614b818 100644
--- a/configuration/services/foundryvtt.nix
+++ b/configuration/services/foundryvtt.nix
@@ -1,8 +1,9 @@
-{ lib
-, config
-, flake-inputs
-, pkgs
-, ...
+{
+ lib,
+ config,
+ flake-inputs,
+ pkgs,
+ ...
}:
let
domain = "foundryvtt.${config.services.nginx.domain}";
@@ -40,9 +41,7 @@ in
services.backups.foundryvtt = {
user = "foundryvtt";
- paths = [
- config.services.foundryvtt.dataDir
- ];
+ paths = [ config.services.foundryvtt.dataDir ];
pauseServices = [ "foundryvtt.service" ];
};
}
diff --git a/configuration/services/gitea.nix b/configuration/services/gitea.nix
index 4ef6238..c88dd01 100644
--- a/configuration/services/gitea.nix
+++ b/configuration/services/gitea.nix
@@ -1,7 +1,8 @@
-{ pkgs
-, config
-, lib
-, ...
+{
+ pkgs,
+ config,
+ lib,
+ ...
}:
let
domain = "gitea.${config.services.nginx.domain}";
@@ -34,9 +35,7 @@ in
secretPath = config.sops.secrets."forgejo/metrics-token".path;
runConfig = "${config.services.forgejo.customDir}/conf/app.ini";
in
- [
- "+${replaceSecretBin} '#metricstoken#' '${secretPath}' '${runConfig}'"
- ];
+ [ "+${replaceSecretBin} '#metricstoken#' '${secretPath}' '${runConfig}'" ];
# Set up SSL
services.nginx.virtualHosts."${domain}" =
diff --git a/configuration/services/metrics/exporters.nix b/configuration/services/metrics/exporters.nix
index e17be8e..e16b945 100644
--- a/configuration/services/metrics/exporters.nix
+++ b/configuration/services/metrics/exporters.nix
@@ -1,7 +1,8 @@
-{ config
-, pkgs
-, lib
-, ...
+{
+ config,
+ pkgs,
+ lib,
+ ...
}:
let
yaml = pkgs.formats.yaml { };
@@ -20,9 +21,7 @@ in
"tlater.com"
];
in
- [
- "--config=${yaml.generate "domains.yml" conf}"
- ];
+ [ "--config=${yaml.generate "domains.yml" conf}" ];
};
# System statistics
@@ -51,26 +50,21 @@ in
listenAddress = "127.0.0.1";
group = "nginx";
- settings.namespaces =
- lib.mapAttrsToList
- (name: virtualHost: {
- inherit name;
- metrics_override.prefix = "nginxlog";
- namespace_label = "vhost";
+ settings.namespaces = lib.mapAttrsToList (name: virtualHost: {
+ inherit name;
+ metrics_override.prefix = "nginxlog";
+ namespace_label = "vhost";
- format = lib.concatStringsSep " " [
- "$remote_addr - $remote_user [$time_local]"
- ''"$request" $status $body_bytes_sent''
- ''"$http_referer" "$http_user_agent"''
- ''rt=$request_time uct="$upstream_connect_time"''
- ''uht="$upstream_header_time" urt="$upstream_response_time"''
- ];
+ format = lib.concatStringsSep " " [
+ "$remote_addr - $remote_user [$time_local]"
+ ''"$request" $status $body_bytes_sent''
+ ''"$http_referer" "$http_user_agent"''
+ ''rt=$request_time uct="$upstream_connect_time"''
+ ''uht="$upstream_header_time" urt="$upstream_response_time"''
+ ];
- source.files = [
- "/var/log/nginx/${name}/access.log"
- ];
- })
- config.services.nginx.virtualHosts;
+ source.files = [ "/var/log/nginx/${name}/access.log" ];
+ }) config.services.nginx.virtualHosts;
};
};
@@ -86,7 +80,11 @@ in
requires = [ "fail2ban.service" ];
serviceConfig = {
Group = "fail2ban";
- RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+ RestrictAddressFamilies = [
+ "AF_UNIX"
+ "AF_INET"
+ "AF_INET6"
+ ];
ExecStart = lib.concatStringsSep " " [
"${pkgs.local.prometheus-fail2ban-exporter}/bin/fail2ban-prometheus-exporter"
"--collector.f2b.socket=/var/run/fail2ban/fail2ban.sock"
diff --git a/configuration/services/metrics/options.nix b/configuration/services/metrics/options.nix
index 552aec8..5dd17a3 100644
--- a/configuration/services/metrics/options.nix
+++ b/configuration/services/metrics/options.nix
@@ -1,7 +1,8 @@
-{ pkgs
-, config
-, lib
-, ...
+{
+ pkgs,
+ config,
+ lib,
+ ...
}:
let
inherit (lib) types mkOption mkDefault;
@@ -11,87 +12,94 @@ in
options = {
services.prometheus = {
extraExporters = mkOption {
- type = types.attrsOf (types.submodule {
- options = {
- port = mkOption {
- type = types.int;
- description = "The port on which this exporter listens.";
+ type = types.attrsOf (
+ types.submodule {
+ options = {
+ port = mkOption {
+ type = types.int;
+ description = "The port on which this exporter listens.";
+ };
+ listenAddress = mkOption {
+ type = types.str;
+ default = "127.0.0.1";
+ description = "Address to listen on.";
+ };
+ serviceOpts = mkOption {
+ type = types.attrs;
+ description = "An attrset to be merged with the exporter's systemd service.";
+ };
};
- listenAddress = mkOption {
- type = types.str;
- default = "127.0.0.1";
- description = "Address to listen on.";
- };
- serviceOpts = mkOption {
- type = types.attrs;
- description = "An attrset to be merged with the exporter's systemd service.";
- };
- };
- });
+ }
+ );
};
};
services.victoriametrics.scrapeConfigs = mkOption {
- type = types.attrsOf (types.submodule ({ name
- , self
- , ...
- }: {
- options = {
- job_name = mkOption {
- type = types.str;
- default = name;
- };
-
- extraSettings = mkOption {
- type = types.anything;
- description = ''
- Other settings to set for this scrape config.
- '';
- default = { };
- };
-
- targets = mkOption {
- type = types.listOf types.str;
- description = lib.mdDoc ''
- Addresses scrape targets for this config listen on.
-
- Shortcut for `static_configs = lib.singleton {targets = [<targets>];}`
- '';
- default = [ ];
- };
-
- static_configs = mkOption {
- default = [ ];
- type = types.listOf (types.submodule {
- options = {
- targets = mkOption {
- type = types.listOf types.str;
- description = lib.mdDoc ''
- The addresses scrape targets for this config listen on.
-
- Must in `listenAddress:port` format.
- '';
- };
- labels = mkOption {
- type = types.attrsOf types.str;
- description = lib.mdDoc ''
- Labels to apply to all targets defined for this static config.
- '';
- default = { };
- };
+ type = types.attrsOf (
+ types.submodule (
+ { name, self, ... }:
+ {
+ options = {
+ job_name = mkOption {
+ type = types.str;
+ default = name;
};
- });
- };
- };
- }));
+
+ extraSettings = mkOption {
+ type = types.anything;
+ description = ''
+ Other settings to set for this scrape config.
+ '';
+ default = { };
+ };
+
+ targets = mkOption {
+ type = types.listOf types.str;
+ description = lib.mdDoc ''
+ Addresses scrape targets for this config listen on.
+
+ Shortcut for `static_configs = lib.singleton {targets = [<targets>];}`
+ '';
+ default = [ ];
+ };
+
+ static_configs = mkOption {
+ default = [ ];
+ type = types.listOf (
+ types.submodule {
+ options = {
+ targets = mkOption {
+ type = types.listOf types.str;
+ description = lib.mdDoc ''
+ The addresses scrape targets for this config listen on.
+
+ Must in `listenAddress:port` format.
+ '';
+ };
+ labels = mkOption {
+ type = types.attrsOf types.str;
+ description = lib.mdDoc ''
+ Labels to apply to all targets defined for this static config.
+ '';
+ default = { };
+ };
+ };
+ }
+ );
+ };
+ };
+ }
+ )
+ );
};
};
config = {
systemd.services = lib.mkMerge [
- (lib.mapAttrs'
- (name: exporter:
- lib.nameValuePair "prometheus-${name}-exporter" (lib.mkMerge [
+ (lib.mapAttrs' (
+ name: exporter:
+ lib.nameValuePair "prometheus-${name}-exporter" (
+ lib.mkMerge [
{
# Shamelessly copied from upstream because the upstream
# module is an intractable mess
@@ -117,7 +125,10 @@ in
serviceConfig.ProtectKernelTunables = true;
serviceConfig.ProtectSystem = mkDefault "strict";
serviceConfig.RemoveIPC = true;
- serviceConfig.RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ serviceConfig.RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ ];
serviceConfig.RestrictNamespaces = true;
serviceConfig.RestrictRealtime = true;
serviceConfig.RestrictSUIDSGID = true;
@@ -125,8 +136,9 @@ in
serviceConfig.UMask = "0077";
}
exporter.serviceOpts
- ]))
- config.services.prometheus.extraExporters)
+ ]
+ )
+ ) config.services.prometheus.extraExporters)
{
vmagent-scrape-exporters =
@@ -134,24 +146,25 @@ in
listenAddress = config.services.victoriametrics.listenAddress;
vmAddr = (lib.optionalString (lib.hasPrefix ":" listenAddress) "127.0.0.1") + listenAddress;
promscrape = yaml.generate "prometheus.yml" {
- scrape_configs = lib.mapAttrsToList
- (_: scrape:
- lib.recursiveUpdate
- {
- inherit (scrape) job_name;
- static_configs =
- scrape.static_configs
- ++ lib.optional (scrape.targets != [ ]) { targets = scrape.targets; };
- }
- scrape.extraSettings)
- config.services.victoriametrics.scrapeConfigs;
+ scrape_configs = lib.mapAttrsToList (
+ _: scrape:
+ lib.recursiveUpdate {
+ inherit (scrape) job_name;
+ static_configs =
+ scrape.static_configs
+ ++ lib.optional (scrape.targets != [ ]) { targets = scrape.targets; };
+ } scrape.extraSettings
+ ) config.services.victoriametrics.scrapeConfigs;
};
in
{
enable = true;
path = [ pkgs.victoriametrics ];
wantedBy = [ "multi-user.target" ];
- after = [ "network.target" "victoriametrics.service" ];
+ after = [
+ "network.target"
+ "victoriametrics.service"
+ ];
serviceConfig = {
ExecStart = [
(lib.concatStringsSep " " [
@@ -180,7 +193,10 @@ in
ProtectKernelTunables = true;
ProtectSystem = "strict";
RemoveIPC = true;
- RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
@@ -195,19 +211,15 @@ in
services.victoriametrics.scrapeConfigs =
let
- allExporters =
- lib.mapAttrs
- (name: exporter: {
- inherit (exporter) listenAddress port;
- })
- ((lib.filterAttrs (_: exporter: builtins.isAttrs exporter && exporter.enable)
- config.services.prometheus.exporters)
- // config.services.prometheus.extraExporters);
+ allExporters = lib.mapAttrs (name: exporter: { inherit (exporter) listenAddress port; }) (
+ (lib.filterAttrs (
+ _: exporter: builtins.isAttrs exporter && exporter.enable
+ ) config.services.prometheus.exporters)
+ // config.services.prometheus.extraExporters
+ );
in
- lib.mapAttrs
- (_: exporter: {
- targets = [ "${exporter.listenAddress}:${toString exporter.port}" ];
- })
- allExporters;
+ lib.mapAttrs (_: exporter: {
+ targets = [ "${exporter.listenAddress}:${toString exporter.port}" ];
+ }) allExporters;
};
}
diff --git a/configuration/services/metrics/victoriametrics.nix b/configuration/services/metrics/victoriametrics.nix
index 695b89e..710cf70 100644
--- a/configuration/services/metrics/victoriametrics.nix
+++ b/configuration/services/metrics/victoriametrics.nix
@@ -1,9 +1,8 @@
-{ config, ... }: {
+{ config, ... }:
+{
config.services.victoriametrics = {
enable = true;
- extraOptions = [
- "-storage.minFreeDiskSpaceBytes=5GB"
- ];
+ extraOptions = [ "-storage.minFreeDiskSpaceBytes=5GB" ];
scrapeConfigs = {
forgejo = {
diff --git a/configuration/services/nextcloud.nix b/configuration/services/nextcloud.nix
index 30adf6e..63c7446 100644
--- a/configuration/services/nextcloud.nix
+++ b/configuration/services/nextcloud.nix
@@ -1,7 +1,8 @@
-{ pkgs
-, config
-, lib
-, ...
+{
+ pkgs,
+ config,
+ lib,
+ ...
}:
let
# Update pending on rewrite of nextcloud news, though there is an
@@ -15,8 +16,8 @@ in
inherit hostName;
package = nextcloud;
- phpPackage = lib.mkForce
- (pkgs.php.override {
+ phpPackage = lib.mkForce (
+ pkgs.php.override {
packageOverrides = final: prev: {
extensions = prev.extensions // {
pgsql = prev.extensions.pgsql.overrideAttrs (old: {
@@ -27,7 +28,8 @@ in
});
};
};
- });
+ }
+ );
enable = true;
maxUploadSize = "2G";
https = true;
@@ -52,7 +54,14 @@ in
};
extraApps = {
- inherit (pkgs.local) bookmarks calendar contacts cookbook news notes;
+ inherit (pkgs.local)
+ bookmarks
+ calendar
+ contacts
+ cookbook
+ news
+ notes
+ ;
};
};
diff --git a/configuration/services/postgres.nix b/configuration/services/postgres.nix
index 62dfb01..85a6843 100644
--- a/configuration/services/postgres.nix
+++ b/configuration/services/postgres.nix
@@ -1,4 +1,5 @@
-{ pkgs, ... }: {
+{ pkgs, ... }:
+{
services.postgresql = {
package = pkgs.postgresql_14;
enable = true;
diff --git a/configuration/services/starbound.nix b/configuration/services/starbound.nix
index 3b54ee9..f5b23c3 100644
--- a/configuration/services/starbound.nix
+++ b/configuration/services/starbound.nix
@@ -1,7 +1,4 @@
-{ pkgs
-, lib
-, ...
-}:
+{ pkgs, lib, ... }:
let
inherit (lib) concatStringsSep;
in
@@ -114,9 +111,7 @@ in
services.backups.starbound = {
user = "root";
- paths = [
- "/var/lib/private/starbound/storage/universe/"
- ];
+ paths = [ "/var/lib/private/starbound/storage/universe/" ];
pauseServices = [ "starbound.service" ];
};
}
diff --git a/configuration/services/wireguard.nix b/configuration/services/wireguard.nix
index 057a2e9..6f8f6a2 100644
--- a/configuration/services/wireguard.nix
+++ b/configuration/services/wireguard.nix
@@ -1,4 +1,5 @@
-{ config, ... }: {
+{ config, ... }:
+{
# iptables needs to permit forwarding from wg0 to wg0
networking.firewall.extraCommands = ''
iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT
diff --git a/flake.nix b/flake.nix
index 56f3972..6dbbaa5 100644
--- a/flake.nix
+++ b/flake.nix
@@ -33,13 +33,14 @@
};
outputs =
- { self
- , nixpkgs
- , sops-nix
- , nvfetcher
- , deploy-rs
- , ...
- } @ inputs:
+ {
+ self,
+ nixpkgs,
+ sops-nix,
+ nvfetcher,
+ deploy-rs,
+ ...
+ }@inputs:
let
system = "x86_64-linux";
pkgs = nixpkgs.legacyPackages.${system};
@@ -84,7 +85,12 @@
};
sshUser = "tlater";
- sshOpts = [ "-p" "2222" "-o" "ForwardAgent=yes" ];
+ sshOpts = [
+ "-p"
+ "2222"
+ "-o"
+ "ForwardAgent=yes"
+ ];
};
};
@@ -144,10 +150,11 @@
# Development environment #
###########################
devShells.${system}.default = nixpkgs.legacyPackages.${system}.mkShell {
- sopsPGPKeyDirs = [ "./keys/hosts/" "./keys/users/" ];
- nativeBuildInputs = [
- sops-nix.packages.${system}.sops-import-keys-hook
+ sopsPGPKeyDirs = [
+ "./keys/hosts/"
+ "./keys/users/"
];
+ nativeBuildInputs = [ sops-nix.packages.${system}.sops-import-keys-hook ];
packages = with pkgs; [
sops-nix.packages.${system}.sops-init-gpg-key
diff --git a/modules/default.nix b/modules/default.nix
index 9341a5a..e1db4cc 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1,5 +1 @@
-{
- imports = [
- ./nginxExtensions.nix
- ];
-}
+{ imports = [ ./nginxExtensions.nix ]; }
diff --git a/modules/nginxExtensions.nix b/modules/nginxExtensions.nix
index 3603756..bd505d3 100644
--- a/modules/nginxExtensions.nix
+++ b/modules/nginxExtensions.nix
@@ -1,8 +1,10 @@
-{ config
-, pkgs
-, lib
-, ...
-}: {
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+{
options = {
services.nginx.domain = lib.mkOption {
type = lib.types.str;
@@ -12,10 +14,8 @@
services.nginx.virtualHosts =
let
extraVirtualHostOptions =
- { name
- , config
- , ...
- }: {
+ { name, config, ... }:
+ {
options = {
enableHSTS = lib.mkEnableOption "Enable HSTS";
@@ -40,9 +40,7 @@
};
};
in
- lib.mkOption {
- type = lib.types.attrsOf (lib.types.submodule extraVirtualHostOptions);
- };
+ lib.mkOption { type = lib.types.attrsOf (lib.types.submodule extraVirtualHostOptions); };
};
config = {
@@ -51,11 +49,11 @@
let
confirm = ''[[ "tlater.net" = ${config.services.nginx.domain} ]]'';
in
- lib.mapAttrs'
- (cert: _:
- lib.nameValuePair "acme-${cert}" {
- serviceConfig.ExecCondition = ''${pkgs.runtimeShell} -c '${confirm}' '';
- })
- config.security.acme.certs;
+ lib.mapAttrs' (
+ cert: _:
+ lib.nameValuePair "acme-${cert}" {
+ serviceConfig.ExecCondition = ''${pkgs.runtimeShell} -c '${confirm}' '';
+ }
+ ) config.security.acme.certs;
};
}
diff --git a/pkgs/afvalcalendar/default.nix b/pkgs/afvalcalendar/default.nix
index 12b868c..6392220 100644
--- a/pkgs/afvalcalendar/default.nix
+++ b/pkgs/afvalcalendar/default.nix
@@ -1,19 +1,12 @@
-{ pkgs
-, rustPlatform
-, ...
-}:
+{ pkgs, rustPlatform, ... }:
rustPlatform.buildRustPackage {
pname = "afvalcalendar";
version = "0.1.0";
src = ./.;
- nativeBuildInputs = with pkgs; [
- pkg-config
- ];
+ nativeBuildInputs = with pkgs; [ pkg-config ];
- buildInputs = with pkgs; [
- openssl
- ];
+ buildInputs = with pkgs; [ openssl ];
cargoHash = "sha256-JXx6aUKdKbUTBCwlBw5i1hZy8ofCfSrhLCwFzqdA8cI=";
}
diff --git a/pkgs/default.nix b/pkgs/default.nix
index 132d0f5..a9d7aa1 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -1,7 +1,4 @@
-{ pkgs
-, lib
-,
-}:
+{ pkgs, lib }:
let
inherit (builtins) fromJSON mapAttrs readFile;
inherit (pkgs) callPackage;
@@ -13,7 +10,7 @@ in
};
afvalcalendar = callPackage ./afvalcalendar { };
}
- // (
+// (
# Add nextcloud apps
let
mkNextcloudApp = pkgs.callPackage ./mkNextcloudApp.nix { };
diff --git a/pkgs/mkNextcloudApp.nix b/pkgs/mkNextcloudApp.nix
index 7453f44..095b0e8 100644
--- a/pkgs/mkNextcloudApp.nix
+++ b/pkgs/mkNextcloudApp.nix
@@ -1,7 +1,5 @@
-{ fetchNextcloudApp
-, lib
-,
-}: source:
+{ fetchNextcloudApp, lib }:
+source:
fetchNextcloudApp {
url = source.src.url;
sha256 = source.src.sha256;
diff --git a/pkgs/prometheus/fail2ban-exporter.nix b/pkgs/prometheus/fail2ban-exporter.nix
index b74e35d..dc22b6c 100644
--- a/pkgs/prometheus/fail2ban-exporter.nix
+++ b/pkgs/prometheus/fail2ban-exporter.nix
@@ -1,7 +1,4 @@
-{ buildGoModule
-, sources
-,
-}:
+{ buildGoModule, sources }:
buildGoModule {
inherit (sources.prometheus-fail2ban-exporter) pname src version;
vendorHash = "sha256-5o8p5p0U/c0WAIV5dACnWA3ThzSh2tt5LIFMb59i9GY=";
diff --git a/pkgs/starbound/default.nix b/pkgs/starbound/default.nix
index a8689f3..26f2184 100644
--- a/pkgs/starbound/default.nix
+++ b/pkgs/starbound/default.nix
@@ -1,19 +1,21 @@
-{ stdenv
-, lib
-, makeWrapper
-, patchelf
-, steamPackages
-, replace-secret
-,
+{
+ stdenv,
+ lib,
+ makeWrapper,
+ patchelf,
+ steamPackages,
+ replace-secret,
}:
let
# Use the directory in which starbound is installed so steamcmd
# doesn't have to be reinstalled constantly (we're using DynamicUser
# with StateDirectory to persist this).
- steamcmd = steamPackages.steamcmd.override {
- steamRoot = "/var/lib/starbound/.steamcmd";
- };
- wrapperPath = lib.makeBinPath [ patchelf steamcmd replace-secret ];
+ steamcmd = steamPackages.steamcmd.override { steamRoot = "/var/lib/starbound/.steamcmd"; };
+ wrapperPath = lib.makeBinPath [
+ patchelf
+ steamcmd
+ replace-secret
+ ];
in
stdenv.mkDerivation {
name = "starbound-update-script";