diff --git a/checks/default.nix b/checks/default.nix deleted file mode 100644 index 80279ba..0000000 --- a/checks/default.nix +++ /dev/null @@ -1,52 +0,0 @@ -{ - self, - nixpkgs, - deploy-rs, - system, - ... -}: -let - pkgs = nixpkgs.legacyPackages.${system}; - - runNuCheck = - { - name, - packages, - check, - }: - pkgs.stdenvNoCC.mkDerivation { - inherit name; - - src = nixpkgs.lib.cleanSourceWith { - src = self; - filter = nixpkgs.lib.cleanSourceFilter; - }; - - dontPatch = true; - dontConfigure = true; - dontBuild = true; - dontInstall = true; - dontFixup = true; - doCheck = true; - - checkInputs = nixpkgs.lib.singleton pkgs.nushell ++ packages; - - checkPhase = '' - nu ${check} - ''; - }; -in -nixpkgs.lib.recursiveUpdate { - lints = runNuCheck { - name = "lints"; - - packages = [ - pkgs.deadnix - pkgs.nixfmt-rfc-style - pkgs.shellcheck - pkgs.statix - ]; - - check = ./lints.nu; - }; -} (deploy-rs.lib.${system}.deployChecks self.deploy) diff --git a/checks/lints.nu b/checks/lints.nu deleted file mode 100644 index ffc2047..0000000 --- a/checks/lints.nu +++ /dev/null @@ -1,39 +0,0 @@ -#!/usr/bin/env nu - -let shell_files = ls **/*.sh | get name -let nix_files = ls **/*.nix | where name !~ "hardware-configuration.nix|_sources" | get name - -let linters = [ - ([shellcheck] ++ $shell_files) - ([nixfmt --check --strict] ++ $nix_files) - ([deadnix --fail] ++ $nix_files) - ([statix check] ++ $nix_files) -] - -mkdir $env.out - -def run-linter [linterArgs: list] { - print $'Running ($linterArgs.0)...' - - let exit_code = try { - ^$linterArgs.0 ...($linterArgs | skip 1) - $env.LAST_EXIT_CODE - } catch {|e| $e.exit_code} - - [$linterArgs.0, $exit_code] -} - -let results = $linters | each {|linter| run-linter $linter} - -print 'Linter results:' - -let success = $results | each {|result| - match $result.1 { - 0 => {print $'(ansi green)($result.0)(ansi reset)'} - _ => {print $'(ansi red)($result.0)(ansi reset)'} - } - - $result.1 -} | math sum - -exit $success 
diff --git a/configuration/default.nix b/configuration/default.nix index aebea7a..f874733 100644 --- a/configuration/default.nix +++ b/configuration/default.nix @@ -1,5 +1,7 @@ { config, + pkgs, + lib, modulesPath, flake-inputs, ... @@ -30,7 +32,13 @@ ./sops.nix ]; - nixpkgs.overlays = [ (_: prev: { local = import ../pkgs { pkgs = prev; }; }) ]; + nixpkgs.overlays = [ + (final: prev: { + local = import ../pkgs { + pkgs = prev; + }; + }) + ]; nix = { extraOptions = '' diff --git a/configuration/hardware-specific/vm.nix b/configuration/hardware-specific/vm.nix index 23969f0..db563fe 100644 --- a/configuration/hardware-specific/vm.nix +++ b/configuration/hardware-specific/vm.nix @@ -15,7 +15,9 @@ systemd.network.networks."10-eth0" = { matchConfig.Name = "eth0"; - gateway = [ "192.168.9.1" ]; + gateway = [ + "192.168.9.1" + ]; networkConfig = { Address = "192.168.9.2/24"; }; diff --git a/configuration/services/backups.nix b/configuration/services/backups.nix index baa61e3..81e3554 100644 --- a/configuration/services/backups.nix +++ b/configuration/services/backups.nix @@ -57,7 +57,7 @@ in ''; type = types.attrsOf ( types.submodule ( - { name, ... }: + { config, name, ... }: { options = { user = lib.mkOption { @@ -246,7 +246,7 @@ in }; } // lib.mapAttrs' ( - name: _: + name: backup: lib.nameValuePair "backup-${name}" { wantedBy = [ "timers.target" ]; timerConfig = { diff --git a/configuration/services/conduit/matrix-hookshot.nix b/configuration/services/conduit/matrix-hookshot.nix index 6846d99..c1f16dc 100644 --- a/configuration/services/conduit/matrix-hookshot.nix +++ b/configuration/services/conduit/matrix-hookshot.nix @@ -74,7 +74,9 @@ in services.matrix-hookshot = { enable = true; - serviceDependencies = [ "conduit.service" ]; + serviceDependencies = [ + "conduit.service" + ]; registrationFile = "/run/matrix-hookshot/registration.yaml"; 
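Review bot: `pkgs` and `lib` are added to the module's argument set and the overlay now binds `final`, yet none of the three is used in the visible lines, and with the deadnix check deleted in this same commit nothing will flag them any more; unless later lines use them, keep `(_: prev: ...)` and drop the two arguments. The same pattern appears in the backups.nix hunks (`config` in the submodule args, `backup` in the `mapAttrs'` lambda), in exporters.nix (`virtualHost`), in options.nix and nextcloud.nix (`name`, `final`, `old`) and in flake.nix (`system`). In backups.nix a submodule argument named `config` refers to the submodule's own config, so if the surrounding file also binds an outer `config` it is now shadowed inside that submodule. The function these arguments belong to begins in this hunk and ends outside it.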
@@ -124,11 +126,15 @@ in listeners = [ { port = 9000; - resources = [ "webhooks" ]; + resources = [ + "webhooks" + ]; } { port = 9001; - resources = [ "metrics" ]; + resources = [ + "metrics" + ]; } ]; diff --git a/configuration/services/crowdsec.nix b/configuration/services/crowdsec.nix index b736047..6e0f367 100644 --- a/configuration/services/crowdsec.nix +++ b/configuration/services/crowdsec.nix @@ -8,7 +8,9 @@ security.crowdsec = { enable = true; - parserWhitelist = [ "10.45.249.2" ]; + parserWhitelist = [ + "10.45.249.2" + ]; extraGroups = [ "systemd-journal" @@ -19,19 +21,25 @@ { source = "journalctl"; labels.type = "syslog"; - journalctl_filter = [ "SYSLOG_IDENTIFIER=Nextcloud" ]; + journalctl_filter = [ + "SYSLOG_IDENTIFIER=Nextcloud" + ]; } { source = "journalctl"; labels.type = "syslog"; - journalctl_filter = [ "SYSLOG_IDENTIFIER=sshd-session" ]; + journalctl_filter = [ + "SYSLOG_IDENTIFIER=sshd-session" + ]; } { labels.type = "nginx"; filenames = - [ "/var/log/nginx/*.log" ] + [ + "/var/log/nginx/*.log" + ] ++ lib.mapAttrsToList ( vHost: _: "/var/log/nginx/${vHost}/access.log" ) config.services.nginx.virtualHosts; diff --git a/configuration/services/metrics/exporters.nix b/configuration/services/metrics/exporters.nix index 52c2a46..80a3480 100644 --- a/configuration/services/metrics/exporters.nix +++ b/configuration/services/metrics/exporters.nix @@ -74,7 +74,7 @@ in listenAddress = "127.0.0.1"; group = "nginx"; - settings.namespaces = lib.mapAttrsToList (name: _: { + settings.namespaces = lib.mapAttrsToList (name: virtualHost: { inherit name; metrics_override.prefix = "nginxlog"; namespace_label = "vhost"; diff --git a/configuration/services/metrics/options.nix b/configuration/services/metrics/options.nix index a0c35b6..d69ecfb 100644 --- a/configuration/services/metrics/options.nix +++ b/configuration/services/metrics/options.nix 
@@ -38,7 +38,7 @@ in services.victoriametrics.scrapeConfigs = mkOption { type = types.attrsOf ( types.submodule ( - { name, ... }: + { name, self, ... }: { options = { job_name = mkOption { @@ -212,7 +212,7 @@ in services.victoriametrics.scrapeConfigs = let - allExporters = lib.mapAttrs (_: exporter: { inherit (exporter) listenAddress port; }) ( + allExporters = lib.mapAttrs (name: exporter: { inherit (exporter) listenAddress port; }) ( (lib.filterAttrs ( name: exporter: # A bunch of deprecated exporters that need to be ignored diff --git a/configuration/services/metrics/victorialogs.nix b/configuration/services/metrics/victorialogs.nix index 413659a..ae47c39 100644 --- a/configuration/services/metrics/victorialogs.nix +++ b/configuration/services/metrics/victorialogs.nix @@ -1,4 +1,8 @@ -{ config, lib, ... }: +{ + config, + lib, + ... +}: let cfg = config.services.victorialogs; in diff --git a/configuration/services/nextcloud.nix b/configuration/services/nextcloud.nix index 5790cdf..b5cb691 100644 --- a/configuration/services/nextcloud.nix +++ b/configuration/services/nextcloud.nix @@ -15,12 +15,12 @@ in package = nextcloud; phpPackage = lib.mkForce ( pkgs.php.override { - packageOverrides = _: prev: { + packageOverrides = final: prev: { extensions = prev.extensions // { - pgsql = prev.extensions.pgsql.overrideAttrs (_: { + pgsql = prev.extensions.pgsql.overrideAttrs (old: { configureFlags = [ "--with-pgsql=${lib.getDev config.services.postgresql.package}" ]; }); - pdo_pgsql = prev.extensions.pdo_pgsql.overrideAttrs (_: { + pdo_pgsql = prev.extensions.pdo_pgsql.overrideAttrs (old: { configureFlags = [ "--with-pdo-pgsql=${lib.getDev config.services.postgresql.package}" ]; }); }; diff --git a/flake.nix b/flake.nix index 6747c24..bdb60ed 100644 --- a/flake.nix +++ b/flake.nix 
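Review bot: `self` is added to the scrapeConfigs submodule's argument set (`{ name, self, ... }`) but is not used in the visible lines, and unlike `name` it is not an argument the submodule machinery supplies by default; the module system resolves a requested argument only when it is referenced, so the binding is harmless exactly as long as it stays unused and would fail with a missing-attribute error on first use unless it is provided through `_module.args` or `specialArgs`. If it is meant to reach the flake's `self`, pass it explicitly via the submodule's `specialArgs`; otherwise revert to `{ name, ... }`. The second hunk in this file likewise renames `_` to `name` in `allExporters` without using it.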
@@ -96,7 +96,7 @@ ######### # Tests # ######### - checks.${system} = import ./checks (inputs // { inherit system; }); + checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib; ########################### # Garbage collection root # diff --git a/modules/crowdsec/default.nix b/modules/crowdsec/default.nix index ac93c4a..c0003a5 100644 --- a/modules/crowdsec/default.nix +++ b/modules/crowdsec/default.nix @@ -267,7 +267,9 @@ in }; }; - systemd.packages = [ cfg.package ]; + systemd.packages = [ + cfg.package + ]; environment = { systemPackages = [ diff --git a/modules/crowdsec/remediations/cs-firewall-bouncer.nix b/modules/crowdsec/remediations/cs-firewall-bouncer.nix index 2769432..aa70552 100644 --- a/modules/crowdsec/remediations/cs-firewall-bouncer.nix +++ b/modules/crowdsec/remediations/cs-firewall-bouncer.nix @@ -31,7 +31,9 @@ in security.crowdsec.remediationComponents.firewallBouncer.settings = { mode = lib.mkDefault "${if config.networking.nftables.enable then "nftables" else "iptables"}"; log_mode = "stdout"; - iptables_chains = [ "nixos-fw" ]; + iptables_chains = [ + "nixos-fw" + ]; # Don't let users easily override this; unfortunately we need to # set up this key through substitution at runtime. @@ -76,7 +78,9 @@ in requiredBy = [ "crowdsec.service" ]; path = - lib.optionals (cfg.settings.mode == "ipset" || cfg.settings.mode == "iptables") [ pkgs.ipset ] + lib.optionals (cfg.settings.mode == "ipset" || cfg.settings.mode == "iptables") [ + pkgs.ipset + ] ++ lib.optional (cfg.settings.mode == "iptables") pkgs.iptables ++ lib.optional (cfg.settings.mode == "nftables") pkgs.nftables; }; diff --git a/modules/crowdsec/remediations/default.nix b/modules/crowdsec/remediations/default.nix index c3c0790..7df6ade 100644 --- a/modules/crowdsec/remediations/default.nix +++ b/modules/crowdsec/remediations/default.nix @@ -1 +1,5 @@ -{ imports = [ ./cs-firewall-bouncer.nix ]; } +{ + imports = [ + ./cs-firewall-bouncer.nix + ]; +} 
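Review bot: Replacing `checks.${system} = import ./checks ...` with the deploy-rs mapping drops the `lints` derivation, so `nix flake check` no longer runs shellcheck, `nixfmt --check`, `deadnix --fail` or `statix check` over the repository; if that is intended the commit message should say so, otherwise keep a lint attribute alongside the deploy checks, e.g. `checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy // { lints = <lint derivation>; }) deploy-rs.lib;`. The shell scripts in the tree in particular lose their only automated review, and the unused-binding regressions elsewhere in this diff are exactly what `deadnix --fail` would have caught. Mapping over all of `deploy-rs.lib` also defines `checks` for every system deploy-rs exposes, which is presumably harmless since `nix flake check` evaluates only the current system unless `--all-systems` is given. The `system` lambda parameter is itself unused, so `_` would be the conventional spelling; the flake's outputs set continues outside the hunk.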
diff --git a/pkgs/crowdsec/hub.nix b/pkgs/crowdsec/hub.nix
index 1b8c9b3..d057ca8 100644
--- a/pkgs/crowdsec/hub.nix
+++ b/pkgs/crowdsec/hub.nix
@@ -1 +1,4 @@
-{ sources }: sources.crowdsec-hub.src
+{
+ sources,
+}:
+sources.crowdsec-hub.src