Compare commits
2 commits
b4d4a247d2
...
3e9f6f2b23
Author | SHA1 | Date | |
---|---|---|---|
3e9f6f2b23 | |||
5192ec9633 |
16 changed files with 115 additions and 65 deletions
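--- a/checks/default.nix
+++ b/checks/default.nix
@@ -0,0 +1,52 @@
+{
+self,
+nixpkgs,
+deploy-rs,
+system,
+...
+}:
+let
+pkgs = nixpkgs.legacyPackages.${system};
+
+runNuCheck =
+{
+name,
+packages,
+check,
+}:
+pkgs.stdenvNoCC.mkDerivation {
+inherit name;
+
+src = nixpkgs.lib.cleanSourceWith {
+src = self;
+filter = nixpkgs.lib.cleanSourceFilter;
+};
+
+dontPatch = true;
+dontConfigure = true;
+dontBuild = true;
+dontInstall = true;
+dontFixup = true;
+doCheck = true;
+
+checkInputs = nixpkgs.lib.singleton pkgs.nushell ++ packages;
+
+checkPhase = ''
+nu ${check}
+'';
+};
+in
+nixpkgs.lib.recursiveUpdate {
+lints = runNuCheck {
+name = "lints";
+
+packages = [
+pkgs.deadnix
+pkgs.nixfmt-rfc-style
+pkgs.shellcheck
+pkgs.statix
+];
+
+check = ./lints.nu;
+};
+} (deploy-rs.lib.${system}.deployChecks self.deploy)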
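Review bot: `checkInputs = nixpkgs.lib.singleton pkgs.nushell ++ packages;` declares host-platform check dependencies, while nushell and the four linters are executed on the build machine by checkPhase; `nativeCheckInputs = nixpkgs.lib.singleton pkgs.nushell ++ packages;` is the attribute stdenv intends for tools that run during checkPhase and keeps the derivation correct when the system being checked is not the build platform. The derivation sets `dontInstall = true`, so nothing in runNuCheck creates `$out`; the script passed as `check` has to do that (lints.nu does `mkdir $env.out`), and that contract deserves a comment above `runNuCheck`, e.g. `# the check script must create $out itself; installPhase is skipped`. The `singleton ... ++ packages` expression is correct because function application binds tighter than `++`, but parentheses around the `singleton` call would make that explicit to readers.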
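--- a/checks/lints.nu
+++ b/checks/lints.nu
@@ -0,0 +1,39 @@
+#!/usr/bin/env nu
+
+let shell_files = ls **/*.sh | get name
+let nix_files = ls **/*.nix | where name !~ "hardware-configuration.nix|_sources" | get name
+
+let linters = [
+([shellcheck] ++ $shell_files)
+([nixfmt --check --strict] ++ $nix_files)
+([deadnix --fail] ++ $nix_files)
+([statix check] ++ $nix_files)
+]
+
+mkdir $env.out
+
+def run-linter [linterArgs: list<string>] {
+print $'Running ($linterArgs.0)...'
+
+let exit_code = try {
+^$linterArgs.0 ...($linterArgs | skip 1)
+$env.LAST_EXIT_CODE
+} catch {|e| $e.exit_code}
+
+[$linterArgs.0, $exit_code]
+}
+
+let results = $linters | each {|linter| run-linter $linter}
+
+print 'Linter results:'
+
+let success = $results | each {|result|
+match $result.1 {
+0 => {print $'(ansi green)($result.0)(ansi reset)'}
+_ => {print $'(ansi red)($result.0)(ansi reset)'}
+}
+
+$result.1
+} | math sum
+
+exit $success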
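Review bot: `exit $success` on the last line exits with the arithmetic sum of all linter exit codes, and the OS truncates that status to eight bits, so two linters each exiting 128 (or any combination summing to a multiple of 256) make the check pass with status 0; the variable is also named for the opposite of what it holds. Replace the `| math sum` that closes the `each` block with `| any {|code| $code != 0}` and the last line with `exit (if $success { 1 } else { 0 })`, so that any non-zero linter result fails the derivation regardless of the code values. `mkdir $env.out` only works inside the Nix builder, where `out` is set; running the script by hand fails on the missing variable, so a comment such as `# $env.out is set by the Nix builder; created here because the derivation skips installPhase` would explain the dependency to the next reader.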
@ -1,7 +1,5 @@
|
||||||
{
|
{
|
||||||
config,
|
config,
|
||||||
pkgs,
|
|
||||||
lib,
|
|
||||||
modulesPath,
|
modulesPath,
|
||||||
flake-inputs,
|
flake-inputs,
|
||||||
...
|
...
|
||||||
|
@ -32,13 +30,7 @@
|
||||||
./sops.nix
|
./sops.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
nixpkgs.overlays = [
|
nixpkgs.overlays = [ (_: prev: { local = import ../pkgs { pkgs = prev; }; }) ];
|
||||||
(final: prev: {
|
|
||||||
local = import ../pkgs {
|
|
||||||
pkgs = prev;
|
|
||||||
};
|
|
||||||
})
|
|
||||||
];
|
|
||||||
|
|
||||||
nix = {
|
nix = {
|
||||||
extraOptions = ''
|
extraOptions = ''
|
||||||
|
|
|
@ -15,9 +15,7 @@
|
||||||
|
|
||||||
systemd.network.networks."10-eth0" = {
|
systemd.network.networks."10-eth0" = {
|
||||||
matchConfig.Name = "eth0";
|
matchConfig.Name = "eth0";
|
||||||
gateway = [
|
gateway = [ "192.168.9.1" ];
|
||||||
"192.168.9.1"
|
|
||||||
];
|
|
||||||
networkConfig = {
|
networkConfig = {
|
||||||
Address = "192.168.9.2/24";
|
Address = "192.168.9.2/24";
|
||||||
};
|
};
|
||||||
|
|
|
@ -57,7 +57,7 @@ in
|
||||||
'';
|
'';
|
||||||
type = types.attrsOf (
|
type = types.attrsOf (
|
||||||
types.submodule (
|
types.submodule (
|
||||||
{ config, name, ... }:
|
{ name, ... }:
|
||||||
{
|
{
|
||||||
options = {
|
options = {
|
||||||
user = lib.mkOption {
|
user = lib.mkOption {
|
||||||
|
@ -246,7 +246,7 @@ in
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
// lib.mapAttrs' (
|
// lib.mapAttrs' (
|
||||||
name: backup:
|
name: _:
|
||||||
lib.nameValuePair "backup-${name}" {
|
lib.nameValuePair "backup-${name}" {
|
||||||
wantedBy = [ "timers.target" ];
|
wantedBy = [ "timers.target" ];
|
||||||
timerConfig = {
|
timerConfig = {
|
||||||
|
|
|
@ -74,9 +74,7 @@ in
|
||||||
services.matrix-hookshot = {
|
services.matrix-hookshot = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
||||||
serviceDependencies = [
|
serviceDependencies = [ "conduit.service" ];
|
||||||
"conduit.service"
|
|
||||||
];
|
|
||||||
|
|
||||||
registrationFile = "/run/matrix-hookshot/registration.yaml";
|
registrationFile = "/run/matrix-hookshot/registration.yaml";
|
||||||
|
|
||||||
|
@ -126,15 +124,11 @@ in
|
||||||
listeners = [
|
listeners = [
|
||||||
{
|
{
|
||||||
port = 9000;
|
port = 9000;
|
||||||
resources = [
|
resources = [ "webhooks" ];
|
||||||
"webhooks"
|
|
||||||
];
|
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
port = 9001;
|
port = 9001;
|
||||||
resources = [
|
resources = [ "metrics" ];
|
||||||
"metrics"
|
|
||||||
];
|
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
|
|
|
@ -8,9 +8,7 @@
|
||||||
security.crowdsec = {
|
security.crowdsec = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
||||||
parserWhitelist = [
|
parserWhitelist = [ "10.45.249.2" ];
|
||||||
"10.45.249.2"
|
|
||||||
];
|
|
||||||
|
|
||||||
extraGroups = [
|
extraGroups = [
|
||||||
"systemd-journal"
|
"systemd-journal"
|
||||||
|
@ -21,25 +19,19 @@
|
||||||
{
|
{
|
||||||
source = "journalctl";
|
source = "journalctl";
|
||||||
labels.type = "syslog";
|
labels.type = "syslog";
|
||||||
journalctl_filter = [
|
journalctl_filter = [ "SYSLOG_IDENTIFIER=Nextcloud" ];
|
||||||
"SYSLOG_IDENTIFIER=Nextcloud"
|
|
||||||
];
|
|
||||||
}
|
}
|
||||||
|
|
||||||
{
|
{
|
||||||
source = "journalctl";
|
source = "journalctl";
|
||||||
labels.type = "syslog";
|
labels.type = "syslog";
|
||||||
journalctl_filter = [
|
journalctl_filter = [ "SYSLOG_IDENTIFIER=sshd-session" ];
|
||||||
"SYSLOG_IDENTIFIER=sshd-session"
|
|
||||||
];
|
|
||||||
}
|
}
|
||||||
|
|
||||||
{
|
{
|
||||||
labels.type = "nginx";
|
labels.type = "nginx";
|
||||||
filenames =
|
filenames =
|
||||||
[
|
[ "/var/log/nginx/*.log" ]
|
||||||
"/var/log/nginx/*.log"
|
|
||||||
]
|
|
||||||
++ lib.mapAttrsToList (
|
++ lib.mapAttrsToList (
|
||||||
vHost: _: "/var/log/nginx/${vHost}/access.log"
|
vHost: _: "/var/log/nginx/${vHost}/access.log"
|
||||||
) config.services.nginx.virtualHosts;
|
) config.services.nginx.virtualHosts;
|
||||||
|
|
|
@ -74,7 +74,7 @@ in
|
||||||
listenAddress = "127.0.0.1";
|
listenAddress = "127.0.0.1";
|
||||||
group = "nginx";
|
group = "nginx";
|
||||||
|
|
||||||
settings.namespaces = lib.mapAttrsToList (name: virtualHost: {
|
settings.namespaces = lib.mapAttrsToList (name: _: {
|
||||||
inherit name;
|
inherit name;
|
||||||
metrics_override.prefix = "nginxlog";
|
metrics_override.prefix = "nginxlog";
|
||||||
namespace_label = "vhost";
|
namespace_label = "vhost";
|
||||||
|
|
|
@ -38,7 +38,7 @@ in
|
||||||
services.victoriametrics.scrapeConfigs = mkOption {
|
services.victoriametrics.scrapeConfigs = mkOption {
|
||||||
type = types.attrsOf (
|
type = types.attrsOf (
|
||||||
types.submodule (
|
types.submodule (
|
||||||
{ name, self, ... }:
|
{ name, ... }:
|
||||||
{
|
{
|
||||||
options = {
|
options = {
|
||||||
job_name = mkOption {
|
job_name = mkOption {
|
||||||
|
@ -212,7 +212,7 @@ in
|
||||||
|
|
||||||
services.victoriametrics.scrapeConfigs =
|
services.victoriametrics.scrapeConfigs =
|
||||||
let
|
let
|
||||||
allExporters = lib.mapAttrs (name: exporter: { inherit (exporter) listenAddress port; }) (
|
allExporters = lib.mapAttrs (_: exporter: { inherit (exporter) listenAddress port; }) (
|
||||||
(lib.filterAttrs (
|
(lib.filterAttrs (
|
||||||
name: exporter:
|
name: exporter:
|
||||||
# A bunch of deprecated exporters that need to be ignored
|
# A bunch of deprecated exporters that need to be ignored
|
||||||
|
|
|
@ -1,8 +1,4 @@
|
||||||
{
|
{ config, lib, ... }:
|
||||||
config,
|
|
||||||
lib,
|
|
||||||
...
|
|
||||||
}:
|
|
||||||
let
|
let
|
||||||
cfg = config.services.victorialogs;
|
cfg = config.services.victorialogs;
|
||||||
in
|
in
|
||||||
|
|
|
@ -15,12 +15,12 @@ in
|
||||||
package = nextcloud;
|
package = nextcloud;
|
||||||
phpPackage = lib.mkForce (
|
phpPackage = lib.mkForce (
|
||||||
pkgs.php.override {
|
pkgs.php.override {
|
||||||
packageOverrides = final: prev: {
|
packageOverrides = _: prev: {
|
||||||
extensions = prev.extensions // {
|
extensions = prev.extensions // {
|
||||||
pgsql = prev.extensions.pgsql.overrideAttrs (old: {
|
pgsql = prev.extensions.pgsql.overrideAttrs (_: {
|
||||||
configureFlags = [ "--with-pgsql=${lib.getDev config.services.postgresql.package}" ];
|
configureFlags = [ "--with-pgsql=${lib.getDev config.services.postgresql.package}" ];
|
||||||
});
|
});
|
||||||
pdo_pgsql = prev.extensions.pdo_pgsql.overrideAttrs (old: {
|
pdo_pgsql = prev.extensions.pdo_pgsql.overrideAttrs (_: {
|
||||||
configureFlags = [ "--with-pdo-pgsql=${lib.getDev config.services.postgresql.package}" ];
|
configureFlags = [ "--with-pdo-pgsql=${lib.getDev config.services.postgresql.package}" ];
|
||||||
});
|
});
|
||||||
};
|
};
|
||||||
|
|
|
@ -96,7 +96,7 @@
|
||||||
#########
|
#########
|
||||||
# Tests #
|
# Tests #
|
||||||
#########
|
#########
|
||||||
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
|
checks.${system} = import ./checks (inputs // { inherit system; });
|
||||||
|
|
||||||
###########################
|
###########################
|
||||||
# Garbage collection root #
|
# Garbage collection root #
|
||||||
|
|
|
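Review bot: The new line `checks.${system} = import ./checks (inputs // { inherit system; });` replaces an expression that produced deploy-rs checks for every system in `deploy-rs.lib`, and the reader has to open checks/default.nix to confirm that its final `recursiveUpdate` call still merges `deployChecks`; a comment above the line, e.g. `# deploy-rs deployChecks are merged in by ./checks/default.nix`, would make that visible here. The `inputs` and `system` bindings the new line relies on are defined outside this hunk, so whether every supported system still gets a checks attribute depends on the enclosing per-system wrapper that is not shown.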
@ -267,9 +267,7 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.packages = [
|
systemd.packages = [ cfg.package ];
|
||||||
cfg.package
|
|
||||||
];
|
|
||||||
|
|
||||||
environment = {
|
environment = {
|
||||||
systemPackages = [
|
systemPackages = [
|
||||||
|
|
|
@ -31,9 +31,7 @@ in
|
||||||
security.crowdsec.remediationComponents.firewallBouncer.settings = {
|
security.crowdsec.remediationComponents.firewallBouncer.settings = {
|
||||||
mode = lib.mkDefault "${if config.networking.nftables.enable then "nftables" else "iptables"}";
|
mode = lib.mkDefault "${if config.networking.nftables.enable then "nftables" else "iptables"}";
|
||||||
log_mode = "stdout";
|
log_mode = "stdout";
|
||||||
iptables_chains = [
|
iptables_chains = [ "nixos-fw" ];
|
||||||
"nixos-fw"
|
|
||||||
];
|
|
||||||
|
|
||||||
# Don't let users easily override this; unfortunately we need to
|
# Don't let users easily override this; unfortunately we need to
|
||||||
# set up this key through substitution at runtime.
|
# set up this key through substitution at runtime.
|
||||||
|
@ -78,9 +76,7 @@ in
|
||||||
requiredBy = [ "crowdsec.service" ];
|
requiredBy = [ "crowdsec.service" ];
|
||||||
|
|
||||||
path =
|
path =
|
||||||
lib.optionals (cfg.settings.mode == "ipset" || cfg.settings.mode == "iptables") [
|
lib.optionals (cfg.settings.mode == "ipset" || cfg.settings.mode == "iptables") [ pkgs.ipset ]
|
||||||
pkgs.ipset
|
|
||||||
]
|
|
||||||
++ lib.optional (cfg.settings.mode == "iptables") pkgs.iptables
|
++ lib.optional (cfg.settings.mode == "iptables") pkgs.iptables
|
||||||
++ lib.optional (cfg.settings.mode == "nftables") pkgs.nftables;
|
++ lib.optional (cfg.settings.mode == "nftables") pkgs.nftables;
|
||||||
};
|
};
|
||||||
|
|
|
@ -1,5 +1 @@
|
||||||
{
|
{ imports = [ ./cs-firewall-bouncer.nix ]; }
|
||||||
imports = [
|
|
||||||
./cs-firewall-bouncer.nix
|
|
||||||
];
|
|
||||||
}
|
|
||||||
|
|
|
@ -1,4 +1 @@
|
||||||
{
|
{ sources }: sources.crowdsec-hub.src
|
||||||
sources,
|
|
||||||
}:
|
|
||||||
sources.crowdsec-hub.src
|
|
||||||
|
|