diff --git a/.git-blame-ignore-revs b/.git-blame-ignore-revs index df9d62b..cee878d 100644 --- a/.git-blame-ignore-revs +++ b/.git-blame-ignore-revs @@ -1,9 +1,6 @@ # Run this command to always ignore formatting commits in `git blame` # git config blame.ignoreRevsFile .git-blame-ignore-revs -# Switch to nixfmt formatting -04f7a7ef1d38906163afc9cddfa8ce2b0ebf3b45 - # Switch to nixpkgs-fmt formatting fd138d45e6a2cad89fead6e9f246ba282070d6b7 diff --git a/configuration/default.nix b/configuration/default.nix index 333488b..792a4c9 100644 --- a/configuration/default.nix +++ b/configuration/default.nix @@ -1,12 +1,10 @@ -{ - config, - pkgs, - lib, - modulesPath, - flake-inputs, - ... -}: -{ +{ config +, pkgs +, lib +, modulesPath +, flake-inputs +, ... +}: { imports = [ flake-inputs.disko.nixosModules.disko flake-inputs.sops-nix.nixosModules.sops @@ -53,10 +51,7 @@ # Optimization for minecraft servers, see: # https://bugs.mojang.com/browse/MC-183518 - boot.kernelParams = [ - "highres=off" - "nohz=off" - ]; + boot.kernelParams = [ "highres=off" "nohz=off" ]; networking = { usePredictableInterfaceNames = false; diff --git a/configuration/hardware-specific/hetzner/default.nix b/configuration/hardware-specific/hetzner/default.nix index 6795377..3106f19 100644 --- a/configuration/hardware-specific/hetzner/default.nix +++ b/configuration/hardware-specific/hetzner/default.nix @@ -25,7 +25,9 @@ }; } # IPv6 - { addressConfig.Address = "2a01:4f8:10b:3c85::2/64"; } + { + addressConfig.Address = "2a01:4f8:10b:3c85::2/64"; + } ]; networkConfig = { diff --git a/configuration/hardware-specific/hetzner/disko.nix b/configuration/hardware-specific/hetzner/disko.nix index cc15471..a2ea764 100644 --- a/configuration/hardware-specific/hetzner/disko.nix +++ b/configuration/hardware-specific/hetzner/disko.nix @@ -19,10 +19,7 @@ }; }; - mountOptions = [ - "compress=zstd" - "noatime" - ]; + mountOptions = [ "compress=zstd" "noatime" ]; in { sda = { 
@@ -57,15 +54,7 @@ type = "btrfs"; # Hack to get multi-device btrfs going # See https://github.com/nix-community/disko/issues/99 - extraArgs = [ - "-d" - "raid1" - "-m" - "raid1" - "--runtime-features" - "quota" - "/dev/sda3" - ]; + extraArgs = [ "-d" "raid1" "-m" "raid1" "--runtime-features" "quota" "/dev/sda3" ]; subvolumes = { "/volume" = { }; "/volume/root" = { diff --git a/configuration/hardware-specific/vm.nix b/configuration/hardware-specific/vm.nix index 1783956..86fcaed 100644 --- a/configuration/hardware-specific/vm.nix +++ b/configuration/hardware-specific/vm.nix @@ -1,5 +1,4 @@ -{ lib, ... }: -{ +{ lib, ... }: { users.users.tlater.password = "insecure"; # Disable graphical tty so -curses works diff --git a/configuration/nginx.nix b/configuration/nginx.nix index b38118b..d696bba 100644 --- a/configuration/nginx.nix +++ b/configuration/nginx.nix @@ -1,5 +1,7 @@ -{ config, lib, ... }: -{ +{ config +, lib +, ... +}: { services.nginx = { enable = true; recommendedTlsSettings = true; 
@@ -24,23 +26,26 @@ # Override the default, just keep fewer logs nginx.rotate = 6; } - // lib.mapAttrs' ( - virtualHost: _: - lib.nameValuePair "/var/log/nginx/${virtualHost}/access.log" { - frequency = "daily"; - rotate = 2; - compress = true; - delaycompress = true; - su = "${config.services.nginx.user} ${config.services.nginx.group}"; - postrotate = "[ ! -f /var/run/nginx/nginx.pid ] || kill -USR1 `cat /var/run/nginx/nginx.pid`"; - } - ) config.services.nginx.virtualHosts; + // lib.mapAttrs' + (virtualHost: _: + lib.nameValuePair "/var/log/nginx/${virtualHost}/access.log" { + frequency = "daily"; + rotate = 2; + compress = true; + delaycompress = true; + su = "${config.services.nginx.user} ${config.services.nginx.group}"; + postrotate = "[ ! -f /var/run/nginx/nginx.pid ] || kill -USR1 `cat /var/run/nginx/nginx.pid`"; + }) + config.services.nginx.virtualHosts; - systemd.tmpfiles.rules = lib.mapAttrsToList ( - virtualHost: _: - # - "d /var/log/nginx/${virtualHost} 0750 ${config.services.nginx.user} ${config.services.nginx.group}" - ) config.services.nginx.virtualHosts; + systemd.tmpfiles.rules = + lib.mapAttrsToList + ( + virtualHost: _: + # + "d /var/log/nginx/${virtualHost} 0750 ${config.services.nginx.user} ${config.services.nginx.group}" + ) + config.services.nginx.virtualHosts; security.acme = { defaults.email = "tm@tlater.net"; @@ -56,8 +61,8 @@ services.backups.acme = { user = "acme"; - paths = lib.mapAttrsToList ( - virtualHost: _: "/var/lib/acme/${virtualHost}" - ) config.services.nginx.virtualHosts; + paths = + lib.mapAttrsToList (virtualHost: _: "/var/lib/acme/${virtualHost}") + config.services.nginx.virtualHosts; }; } diff --git a/configuration/services/afvalcalendar.nix b/configuration/services/afvalcalendar.nix index ec7d9f7..28e3a75 100644 --- a/configuration/services/afvalcalendar.nix +++ b/configuration/services/afvalcalendar.nix 
@@ -1,5 +1,7 @@ -{ pkgs, config, ... }: -{ +{ pkgs +, config +, ... +}: { systemd.services.afvalcalendar = { description = "Enschede afvalcalendar -> ical converter"; wantedBy = [ "multi-user.target" ]; @@ -23,23 +25,16 @@ ProtectKernelModules = true; ProtectKernelLogs = true; ProtectControlGroups = true; - RestrictAddressFamilies = [ - "AF_UNIX" - "AF_INET" - "AF_INET6" - ]; + RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; RestrictNamespaces = true; LockPersonality = true; MemoryDenyWriteExecute = true; RestrictRealtime = true; RestrictSUIDSGID = true; SystemCallArchitectures = "native"; - SystemCallFilter = [ - "@system-service" - "~@privileged @resources @setuid @keyring" - ]; + SystemCallFilter = [ "@system-service" "~@privileged @resources @setuid @keyring" ]; - Umask = 2; + Umask = 0002; SupplementaryGroups = "afvalcalendar-hosting"; ReadWritePaths = "/srv/afvalcalendar"; diff --git a/configuration/services/backups.nix b/configuration/services/backups.nix index 81e3554..7c77399 100644 --- a/configuration/services/backups.nix +++ b/configuration/services/backups.nix 
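Review bot: `Umask = 0002;` in the afvalcalendar serviceConfig is, as far as I can tell, not a directive systemd recognises: the [Service] key is spelled `UMask=` and unit keys are matched case-sensitively, so the unit would log an unknown-key warning and keep the default umask instead of the presumably intended group-writable output for the `afvalcalendar-hosting` supplementary group. Separately, Nix has no octal literals, so `0002` evaluates to the integer 2 and the generated unit receives `UMask=2`; systemd parses that value as octal, so it happens to work, but the leading zeros suggest a precision the literal does not carry. Writing it as the string `UMask = "0002";` fixes the key name and matches the `serviceConfig.UMask = "0077";` already used in configuration/services/metrics/options.nix. The same integer-literal point applies to `UMask = 0077;` in the configuration/services/conduit.nix hunk of this commit. The serviceConfig attribute set these lines belong to starts and ends outside the hunk.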
@@ -1,35 +1,29 @@ -{ - config, - pkgs, - lib, - ... +{ config +, pkgs +, lib +, ... }: let inherit (lib) types optional singleton; - mkShutdownScript = - service: + mkShutdownScript = service: pkgs.writeShellScript "backup-${service}-shutdown" '' if systemctl is-active --quiet '${service}'; then touch '/tmp/${service}-was-active' systemctl stop '${service}' fi ''; - mkRestartScript = - service: + mkRestartScript = service: pkgs.writeShellScript "backup-${service}-restart" '' if [ -f '/tmp/${service}-was-active' ]; then rm '/tmp/${service}-was-active' systemctl start '${service}' fi ''; - writeScript = - name: packages: text: - lib.getExe ( - pkgs.writeShellApplication { - inherit name text; - runtimeInputs = packages; - } - ); + writeScript = name: packages: text: + lib.getExe (pkgs.writeShellApplication { + inherit name text; + runtimeInputs = packages; + }); # *NOT* a TOML file, for some reason quotes are interpreted # *literally 
@@ -55,87 +49,85 @@ in description = lib.mdDoc '' Configure restic backups with a specific tag. ''; - type = types.attrsOf ( - types.submodule ( - { config, name, ... }: - { - options = { - user = lib.mkOption { - type = types.str; - description = '' - The user as which to run the backup. - ''; - }; - paths = lib.mkOption { - type = types.listOf types.str; - description = '' - The paths to back up. - ''; - }; - tag = lib.mkOption { - type = types.str; - description = '' - The restic tag to mark the backup with. - ''; - default = name; - }; - preparation = { - packages = lib.mkOption { - type = types.listOf types.package; - default = [ ]; - description = '' - The list of packages to make available in the - preparation script. - ''; - }; - text = lib.mkOption { - type = types.nullOr types.str; - default = null; - description = '' - The preparation script to run before the backup. - - This should include things like database dumps and - enabling maintenance modes. If a service needs to be - shut down for backups, use `pauseServices` instead. - ''; - }; - }; - cleanup = { - packages = lib.mkOption { - type = types.listOf types.package; - default = [ ]; - description = '' - The list of packages to make available in the - cleanup script. - ''; - }; - text = lib.mkOption { - type = types.nullOr types.str; - default = null; - description = '' - The cleanup script to run after the backup. - - This should do things like cleaning up database dumps - and disabling maintenance modes. - ''; - }; - }; - pauseServices = lib.mkOption { - type = types.listOf types.str; - default = [ ]; - description = '' - The systemd services that need to be shut down before - the backup can run. Services will be restarted after the - backup is complete. - - This is intended to be used for services that do not - support hot backups. - ''; - }; + type = types.attrsOf (types.submodule ({ config + , name + , ... 
+ }: { + options = { + user = lib.mkOption { + type = types.str; + description = '' + The user as which to run the backup. + ''; + }; + paths = lib.mkOption { + type = types.listOf types.str; + description = '' + The paths to back up. + ''; + }; + tag = lib.mkOption { + type = types.str; + description = '' + The restic tag to mark the backup with. + ''; + default = name; + }; + preparation = { + packages = lib.mkOption { + type = types.listOf types.package; + default = [ ]; + description = '' + The list of packages to make available in the + preparation script. + ''; }; - } - ) - ); + text = lib.mkOption { + type = types.nullOr types.str; + default = null; + description = '' + The preparation script to run before the backup. + + This should include things like database dumps and + enabling maintenance modes. If a service needs to be + shut down for backups, use `pauseServices` instead. + ''; + }; + }; + cleanup = { + packages = lib.mkOption { + type = types.listOf types.package; + default = [ ]; + description = '' + The list of packages to make available in the + cleanup script. + ''; + }; + text = lib.mkOption { + type = types.nullOr types.str; + default = null; + description = '' + The cleanup script to run after the backup. + + This should do things like cleaning up database dumps + and disabling maintenance modes. + ''; + }; + }; + pauseServices = lib.mkOption { + type = types.listOf types.str; + default = [ ]; + description = '' + The systemd services that need to be shut down before + the backup can run. Services will be restarted after the + backup is complete. + + This is intended to be used for services that do not + support hot backups. + ''; + }; + }; + })); }; }; 
@@ -172,68 +164,58 @@ in }; }; } - // lib.mapAttrs' ( - name: backup: - lib.nameValuePair "backup-${name}" { - # Don't want to restart mid-backup - restartIfChanged = false; + // lib.mapAttrs' + (name: backup: + lib.nameValuePair "backup-${name}" { + # Don't want to restart mid-backup + restartIfChanged = false; - environment = resticEnv // { - RESTIC_CACHE_DIR = "%C/backup-${name}"; - }; + environment = + resticEnv + // { + RESTIC_CACHE_DIR = "%C/backup-${name}"; + }; - path = with pkgs; [ - coreutils - openssh - rclone - restic - ]; - - # TODO(tlater): If I ever add more than one repo, service - # shutdown/restarting will potentially break if multiple - # backups for the same service overlap. A more clever - # sentinel file with reference counts would probably solve - # this. - serviceConfig = { - User = backup.user; - Group = "backup"; - RuntimeDirectory = "backup-${name}"; - CacheDirectory = "backup-${name}"; - CacheDirectoryMode = "0700"; - PrivateTmp = true; - - ExecStart = [ - (lib.concatStringsSep " " ( - [ - "${pkgs.restic}/bin/restic" - "backup" - "--tag" - name - ] - ++ backup.paths - )) + path = with pkgs; [ + coreutils + openssh + rclone + restic ]; - ExecStartPre = - map (service: "+${mkShutdownScript service}") backup.pauseServices - ++ singleton ( - writeScript "backup-${name}-repo-init" [ ] '' - restic snapshots || restic init - '' - ) - ++ optional (backup.preparation.text != null) ( - writeScript "backup-${name}-prepare" backup.preparation.packages backup.preparation.text - ); + # TODO(tlater): If I ever add more than one repo, service + # shutdown/restarting will potentially break if multiple + # backups for the same service overlap. A more clever + # sentinel file with reference counts would probably solve + # this. 
+ serviceConfig = { + User = backup.user; + Group = "backup"; + RuntimeDirectory = "backup-${name}"; + CacheDirectory = "backup-${name}"; + CacheDirectoryMode = "0700"; + PrivateTmp = true; - # TODO(tlater): Add repo pruning/checking - ExecStopPost = - map (service: "+${mkRestartScript service}") backup.pauseServices - ++ optional (backup.cleanup.text != null) ( - writeScript "backup-${name}-cleanup" backup.cleanup.packages backup.cleanup.text - ); - }; - } - ) config.services.backups; + ExecStart = [ + (lib.concatStringsSep " " ([ "${pkgs.restic}/bin/restic" "backup" "--tag" name ] ++ backup.paths)) + ]; + + ExecStartPre = + map (service: "+${mkShutdownScript service}") backup.pauseServices + ++ singleton (writeScript "backup-${name}-repo-init" [ ] '' + restic snapshots || restic init + '') + ++ optional (backup.preparation.text != null) + (writeScript "backup-${name}-prepare" backup.preparation.packages backup.preparation.text); + + # TODO(tlater): Add repo pruning/checking + ExecStopPost = + map (service: "+${mkRestartScript service}") backup.pauseServices + ++ optional (backup.cleanup.text != null) + (writeScript "backup-${name}-cleanup" backup.cleanup.packages backup.cleanup.text); + }; + }) + config.services.backups; systemd.timers = { @@ -245,18 +227,18 @@ in # of the backup jobs. }; } - // lib.mapAttrs' ( - name: backup: - lib.nameValuePair "backup-${name}" { - wantedBy = [ "timers.target" ]; - timerConfig = { - OnCalendar = "Wednesday 02:30:00 UTC"; - RandomizedDelaySec = "1h"; - FixedRandomDelay = true; - Persistent = true; - }; - } - ) config.services.backups; + // lib.mapAttrs' + (name: backup: + lib.nameValuePair "backup-${name}" { + wantedBy = [ "timers.target" ]; + timerConfig = { + OnCalendar = "Wednesday 02:30:00 UTC"; + RandomizedDelaySec = "1h"; + FixedRandomDelay = true; + Persistent = true; + }; + }) + config.services.backups; users = { # This user is only used to own the ssh key, because apparently 
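Review bot: The reflowed `ExecStart` line still assembles the restic command by joining `backup.paths` with plain spaces, so a backup path containing whitespace or quote characters is split or mangled by systemd's ExecStart= argument parsing before restic sees it. `lib.escapeShellArgs` emits the quoting that parser understands, so replacing the `lib.concatStringsSep " "` call with `(lib.escapeShellArgs ([ "${pkgs.restic}/bin/restic" "backup" "--tag" name ] ++ backup.paths))` closes the gap without changing behaviour for the literal paths visible elsewhere in this diff, none of which contain whitespace. Whether `config.services.foundryvtt.dataDir`, which is also passed as a path, can contain such characters is not visible here. The `systemd.services` expression that this `lib.mapAttrs'` body is merged into starts before the hunk.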
diff --git a/configuration/services/battery-manager.nix b/configuration/services/battery-manager.nix index a16cca1..7783a3b 100644 --- a/configuration/services/battery-manager.nix +++ b/configuration/services/battery-manager.nix @@ -1,6 +1,10 @@ -{ config, flake-inputs, ... }: -{ - imports = [ flake-inputs.sonnenshift.nixosModules.default ]; +{ config +, flake-inputs +, ... +}: { + imports = [ + flake-inputs.sonnenshift.nixosModules.default + ]; services.batteryManager = { enable = true; diff --git a/configuration/services/conduit.nix b/configuration/services/conduit.nix index 4e53241..8734785 100644 --- a/configuration/services/conduit.nix +++ b/configuration/services/conduit.nix @@ -1,8 +1,7 @@ -{ - pkgs, - config, - lib, - ... +{ pkgs +, config +, lib +, ... }: let inherit (lib.strings) concatMapStringsSep; @@ -43,30 +42,28 @@ in systemd.services.heisenbridge = let replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret"; - registrationFile = builtins.toFile "heisenbridge-registration.yaml" ( - builtins.toJSON { - id = "heisenbridge"; - url = "http://127.0.0.1:9898"; - as_token = "@AS_TOKEN@"; - hs_token = "@HS_TOKEN@"; - rate_limited = false; - sender_localpart = "heisenbridge"; - namespaces = { - users = [ - { - regex = "@irc_.*"; - exclusive = true; - } - { - regex = "@heisenbridge:.*"; - exclusive = true; - } - ]; - aliases = [ ]; - rooms = [ ]; - }; - } - ); + registrationFile = builtins.toFile "heisenbridge-registration.yaml" (builtins.toJSON { + id = "heisenbridge"; + url = "http://127.0.0.1:9898"; + as_token = "@AS_TOKEN@"; + hs_token = "@HS_TOKEN@"; + rate_limited = false; + sender_localpart = "heisenbridge"; + namespaces = { + users = [ + { + regex = "@irc_.*"; + exclusive = true; + } + { + regex = "@heisenbridge:.*"; + exclusive = true; + } + ]; + aliases = [ ]; + rooms = [ ]; + }; + }); # TODO(tlater): Starting with systemd 253 it will become possible # to do the credential setup as part of ExecStartPre/preStart 
@@ -117,7 +114,7 @@ in RestrictRealtime = true; ProtectProc = "invisible"; ProcSubset = "pid"; - UMask = 77; + UMask = 0077; # For the identd port # CapabilityBoundingSet = ["CAP_NET_BIND_SERVICE"]; @@ -137,7 +134,9 @@ in use-auth-secret = true; static-auth-secret-file = config.sops.secrets."turn/secret".path; realm = turn-realm; - relay-ips = [ "116.202.158.55" ]; + relay-ips = [ + "116.202.158.55" + ]; # SSL config # @@ -246,7 +245,9 @@ in services.backups.conduit = { user = "root"; - paths = [ "/var/lib/private/matrix-conduit/" ]; + paths = [ + "/var/lib/private/matrix-conduit/" + ]; # Other services store their data in conduit, so no other services # need to be shut down currently. pauseServices = [ "conduit.service" ]; diff --git a/configuration/services/fail2ban.nix b/configuration/services/fail2ban.nix index f09668c..1811046 100644 --- a/configuration/services/fail2ban.nix +++ b/configuration/services/fail2ban.nix @@ -1,5 +1,4 @@ -{ pkgs, ... }: -{ +{ pkgs, ... }: { services.fail2ban = { enable = true; extraPackages = [ pkgs.ipset ]; diff --git a/configuration/services/foundryvtt.nix b/configuration/services/foundryvtt.nix index 614b818..3383ab3 100644 --- a/configuration/services/foundryvtt.nix +++ b/configuration/services/foundryvtt.nix @@ -1,9 +1,8 @@ -{ - lib, - config, - flake-inputs, - pkgs, - ... +{ lib +, config +, flake-inputs +, pkgs +, ... }: let domain = "foundryvtt.${config.services.nginx.domain}"; @@ -41,7 +40,9 @@ in services.backups.foundryvtt = { user = "foundryvtt"; - paths = [ config.services.foundryvtt.dataDir ]; + paths = [ + config.services.foundryvtt.dataDir + ]; pauseServices = [ "foundryvtt.service" ]; }; } diff --git a/configuration/services/gitea.nix b/configuration/services/gitea.nix index c88dd01..4ef6238 100644 --- a/configuration/services/gitea.nix +++ b/configuration/services/gitea.nix @@ -1,8 +1,7 @@ -{ - pkgs, - config, - lib, - ... +{ pkgs +, config +, lib +, ... }: let domain = "gitea.${config.services.nginx.domain}"; 
@@ -35,7 +34,9 @@ in secretPath = config.sops.secrets."forgejo/metrics-token".path; runConfig = "${config.services.forgejo.customDir}/conf/app.ini"; in - [ "+${replaceSecretBin} '#metricstoken#' '${secretPath}' '${runConfig}'" ]; + [ + "+${replaceSecretBin} '#metricstoken#' '${secretPath}' '${runConfig}'" + ]; # Set up SSL services.nginx.virtualHosts."${domain}" = diff --git a/configuration/services/metrics/exporters.nix b/configuration/services/metrics/exporters.nix index e16b945..e17be8e 100644 --- a/configuration/services/metrics/exporters.nix +++ b/configuration/services/metrics/exporters.nix @@ -1,8 +1,7 @@ -{ - config, - pkgs, - lib, - ... +{ config +, pkgs +, lib +, ... }: let yaml = pkgs.formats.yaml { }; @@ -21,7 +20,9 @@ in "tlater.com" ]; in - [ "--config=${yaml.generate "domains.yml" conf}" ]; + [ + "--config=${yaml.generate "domains.yml" conf}" + ]; }; # System statistics 
@@ -50,21 +51,26 @@ in listenAddress = "127.0.0.1"; group = "nginx"; - settings.namespaces = lib.mapAttrsToList (name: virtualHost: { - inherit name; - metrics_override.prefix = "nginxlog"; - namespace_label = "vhost"; + settings.namespaces = + lib.mapAttrsToList + (name: virtualHost: { + inherit name; + metrics_override.prefix = "nginxlog"; + namespace_label = "vhost"; - format = lib.concatStringsSep " " [ - "$remote_addr - $remote_user [$time_local]" - ''"$request" $status $body_bytes_sent'' - ''"$http_referer" "$http_user_agent"'' - ''rt=$request_time uct="$upstream_connect_time"'' - ''uht="$upstream_header_time" urt="$upstream_response_time"'' - ]; + format = lib.concatStringsSep " " [ + "$remote_addr - $remote_user [$time_local]" + ''"$request" $status $body_bytes_sent'' + ''"$http_referer" "$http_user_agent"'' + ''rt=$request_time uct="$upstream_connect_time"'' + ''uht="$upstream_header_time" urt="$upstream_response_time"'' + ]; - source.files = [ "/var/log/nginx/${name}/access.log" ]; - }) config.services.nginx.virtualHosts; + source.files = [ + "/var/log/nginx/${name}/access.log" + ]; + }) + config.services.nginx.virtualHosts; }; }; @@ -80,11 +86,7 @@ in requires = [ "fail2ban.service" ]; serviceConfig = { Group = "fail2ban"; - RestrictAddressFamilies = [ - "AF_UNIX" - "AF_INET" - "AF_INET6" - ]; + RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; ExecStart = lib.concatStringsSep " " [ "${pkgs.local.prometheus-fail2ban-exporter}/bin/fail2ban-prometheus-exporter" "--collector.f2b.socket=/var/run/fail2ban/fail2ban.sock" diff --git a/configuration/services/metrics/options.nix b/configuration/services/metrics/options.nix index 5dd17a3..552aec8 100644 --- a/configuration/services/metrics/options.nix +++ b/configuration/services/metrics/options.nix @@ -1,8 +1,7 @@ -{ - pkgs, - config, - lib, - ... +{ pkgs +, config +, lib +, ... }: let inherit (lib) types mkOption mkDefault; 
@@ -12,94 +11,87 @@ in options = { services.prometheus = { extraExporters = mkOption { - type = types.attrsOf ( - types.submodule { - options = { - port = mkOption { - type = types.int; - description = "The port on which this exporter listens."; - }; - listenAddress = mkOption { - type = types.str; - default = "127.0.0.1"; - description = "Address to listen on."; - }; - serviceOpts = mkOption { - type = types.attrs; - description = "An attrset to be merged with the exporter's systemd service."; - }; + type = types.attrsOf (types.submodule { + options = { + port = mkOption { + type = types.int; + description = "The port on which this exporter listens."; }; - } - ); + listenAddress = mkOption { + type = types.str; + default = "127.0.0.1"; + description = "Address to listen on."; + }; + serviceOpts = mkOption { + type = types.attrs; + description = "An attrset to be merged with the exporter's systemd service."; + }; + }; + }); }; }; services.victoriametrics.scrapeConfigs = mkOption { - type = types.attrsOf ( - types.submodule ( - { name, self, ... }: - { - options = { - job_name = mkOption { - type = types.str; - default = name; + type = types.attrsOf (types.submodule ({ name + , self + , ... + }: { + options = { + job_name = mkOption { + type = types.str; + default = name; + }; + + extraSettings = mkOption { + type = types.anything; + description = '' + Other settings to set for this scrape config. + ''; + default = { }; + }; + + targets = mkOption { + type = types.listOf types.str; + description = lib.mdDoc '' + Addresses scrape targets for this config listen on. + + Shortcut for `static_configs = lib.singleton {targets = [<targets>];}` + ''; + default = [ ]; + }; + + static_configs = mkOption { + default = [ ]; + type = types.listOf (types.submodule { + options = { + targets = mkOption { + type = types.listOf types.str; + description = lib.mdDoc '' + The addresses scrape targets for this config listen on. + + Must in `listenAddress:port` format. 
+ ''; + }; + labels = mkOption { + type = types.attrsOf types.str; + description = lib.mdDoc '' + Labels to apply to all targets defined for this static config. + ''; + default = { }; + }; }; - - extraSettings = mkOption { - type = types.anything; - description = '' - Other settings to set for this scrape config. - ''; - default = { }; - }; - - targets = mkOption { - type = types.listOf types.str; - description = lib.mdDoc '' - Addresses scrape targets for this config listen on. - - Shortcut for `static_configs = lib.singleton {targets = [<targets>];}` - ''; - default = [ ]; - }; - - static_configs = mkOption { - default = [ ]; - type = types.listOf ( - types.submodule { - options = { - targets = mkOption { - type = types.listOf types.str; - description = lib.mdDoc '' - The addresses scrape targets for this config listen on. - - Must in `listenAddress:port` format. - ''; - }; - labels = mkOption { - type = types.attrsOf types.str; - description = lib.mdDoc '' - Labels to apply to all targets defined for this static config. - ''; - default = { }; - }; - }; - } - ); - }; - }; - } - ) - ); + }); + }; + }; + })); }; }; config = { systemd.services = lib.mkMerge [ - (lib.mapAttrs' ( - name: exporter: - lib.nameValuePair "prometheus-${name}-exporter" ( - lib.mkMerge [ + (lib.mapAttrs' + (name: exporter: + lib.nameValuePair "prometheus-${name}-exporter" (lib.mkMerge [ { # Shamelessly copied from upstream because the upstream # module is an intractable mess @@ -125,10 +117,7 @@ in serviceConfig.ProtectKernelTunables = true; serviceConfig.ProtectSystem = mkDefault "strict"; serviceConfig.RemoveIPC = true; - serviceConfig.RestrictAddressFamilies = [ - "AF_INET" - "AF_INET6" - ]; + serviceConfig.RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; serviceConfig.RestrictNamespaces = true; serviceConfig.RestrictRealtime = true; serviceConfig.RestrictSUIDSGID = true; 
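Review bot: The `targets` description inside the `static_configs` submodule reads `Must in `listenAddress:port` format.` on the new side and is missing its verb; `Must be in `listenAddress:port` format.` reads correctly. In the same hunk, `extraExporters.<name>.port` is declared as `type = types.int;`, where `type = types.port;` would document the intent and reject out-of-range values at evaluation time rather than when the exporter fails to bind. Both points are inherited from the old side and only reflowed by this commit.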
@@ -136,9 +125,8 @@ in serviceConfig.UMask = "0077"; } exporter.serviceOpts - ] - ) - ) config.services.prometheus.extraExporters) + ])) + config.services.prometheus.extraExporters) { vmagent-scrape-exporters = @@ -146,25 +134,24 @@ in listenAddress = config.services.victoriametrics.listenAddress; vmAddr = (lib.optionalString (lib.hasPrefix ":" listenAddress) "127.0.0.1") + listenAddress; promscrape = yaml.generate "prometheus.yml" { - scrape_configs = lib.mapAttrsToList ( - _: scrape: - lib.recursiveUpdate { - inherit (scrape) job_name; - static_configs = - scrape.static_configs - ++ lib.optional (scrape.targets != [ ]) { targets = scrape.targets; }; - } scrape.extraSettings - ) config.services.victoriametrics.scrapeConfigs; + scrape_configs = lib.mapAttrsToList + (_: scrape: + lib.recursiveUpdate + { + inherit (scrape) job_name; + static_configs = + scrape.static_configs + ++ lib.optional (scrape.targets != [ ]) { targets = scrape.targets; }; + } + scrape.extraSettings) + config.services.victoriametrics.scrapeConfigs; }; in { enable = true; path = [ pkgs.victoriametrics ]; wantedBy = [ "multi-user.target" ]; - after = [ - "network.target" - "victoriametrics.service" - ]; + after = [ "network.target" "victoriametrics.service" ]; serviceConfig = { ExecStart = [ (lib.concatStringsSep " " [ @@ -193,10 +180,7 @@ in ProtectKernelTunables = true; ProtectSystem = "strict"; RemoveIPC = true; - RestrictAddressFamilies = [ - "AF_INET" - "AF_INET6" - ]; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; 
@@ -211,15 +195,19 @@ in services.victoriametrics.scrapeConfigs = let - allExporters = lib.mapAttrs (name: exporter: { inherit (exporter) listenAddress port; }) ( - (lib.filterAttrs ( - _: exporter: builtins.isAttrs exporter && exporter.enable - ) config.services.prometheus.exporters) - // config.services.prometheus.extraExporters - ); + allExporters = + lib.mapAttrs + (name: exporter: { + inherit (exporter) listenAddress port; + }) + ((lib.filterAttrs (_: exporter: builtins.isAttrs exporter && exporter.enable) + config.services.prometheus.exporters) + // config.services.prometheus.extraExporters); in - lib.mapAttrs (_: exporter: { - targets = [ "${exporter.listenAddress}:${toString exporter.port}" ]; - }) allExporters; + lib.mapAttrs + (_: exporter: { + targets = [ "${exporter.listenAddress}:${toString exporter.port}" ]; + }) + allExporters; }; } diff --git a/configuration/services/metrics/victoriametrics.nix b/configuration/services/metrics/victoriametrics.nix index 710cf70..695b89e 100644 --- a/configuration/services/metrics/victoriametrics.nix +++ b/configuration/services/metrics/victoriametrics.nix @@ -1,8 +1,9 @@ -{ config, ... }: -{ +{ config, ... }: { config.services.victoriametrics = { enable = true; - extraOptions = [ "-storage.minFreeDiskSpaceBytes=5GB" ]; + extraOptions = [ + "-storage.minFreeDiskSpaceBytes=5GB" + ]; scrapeConfigs = { forgejo = { diff --git a/configuration/services/nextcloud.nix b/configuration/services/nextcloud.nix index 63c7446..30adf6e 100644 --- a/configuration/services/nextcloud.nix +++ b/configuration/services/nextcloud.nix @@ -1,8 +1,7 @@ -{ - pkgs, - config, - lib, - ... +{ pkgs +, config +, lib +, ... }: let # Update pending on rewrite of nextcloud news, though there is an 
@@ -16,8 +15,8 @@ in inherit hostName; package = nextcloud; - phpPackage = lib.mkForce ( - pkgs.php.override { + phpPackage = lib.mkForce + (pkgs.php.override { packageOverrides = final: prev: { extensions = prev.extensions // { pgsql = prev.extensions.pgsql.overrideAttrs (old: { @@ -28,8 +27,7 @@ in }); }; }; - } - ); + }); enable = true; maxUploadSize = "2G"; https = true; @@ -54,14 +52,7 @@ in }; extraApps = { - inherit (pkgs.local) - bookmarks - calendar - contacts - cookbook - news - notes - ; + inherit (pkgs.local) bookmarks calendar contacts cookbook news notes; }; }; diff --git a/configuration/services/postgres.nix b/configuration/services/postgres.nix index 85a6843..62dfb01 100644 --- a/configuration/services/postgres.nix +++ b/configuration/services/postgres.nix @@ -1,5 +1,4 @@ -{ pkgs, ... }: -{ +{ pkgs, ... }: { services.postgresql = { package = pkgs.postgresql_14; enable = true; diff --git a/configuration/services/starbound.nix b/configuration/services/starbound.nix index f5b23c3..3b54ee9 100644 --- a/configuration/services/starbound.nix +++ b/configuration/services/starbound.nix @@ -1,4 +1,7 @@ -{ pkgs, lib, ... }: +{ pkgs +, lib +, ... +}: let inherit (lib) concatStringsSep; in @@ -111,7 +114,9 @@ in services.backups.starbound = { user = "root"; - paths = [ "/var/lib/private/starbound/storage/universe/" ]; + paths = [ + "/var/lib/private/starbound/storage/universe/" + ]; pauseServices = [ "starbound.service" ]; }; } diff --git a/configuration/services/wireguard.nix b/configuration/services/wireguard.nix index 6f8f6a2..057a2e9 100644 --- a/configuration/services/wireguard.nix +++ b/configuration/services/wireguard.nix @@ -1,5 +1,4 @@ -{ config, ... }: -{ +{ config, ... }: { # iptables needs to permit forwarding from wg0 to wg0 networking.firewall.extraCommands = '' iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT diff --git a/flake.nix b/flake.nix index 6dbbaa5..56f3972 100644 --- a/flake.nix +++ b/flake.nix 
@@ -33,14 +33,13 @@ }; outputs = - { - self, - nixpkgs, - sops-nix, - nvfetcher, - deploy-rs, - ... - }@inputs: + { self + , nixpkgs + , sops-nix + , nvfetcher + , deploy-rs + , ... + } @ inputs: let system = "x86_64-linux"; pkgs = nixpkgs.legacyPackages.${system}; @@ -85,12 +84,7 @@ }; sshUser = "tlater"; - sshOpts = [ - "-p" - "2222" - "-o" - "ForwardAgent=yes" - ]; + sshOpts = [ "-p" "2222" "-o" "ForwardAgent=yes" ]; }; }; @@ -150,11 +144,10 @@ # Development environment # ########################### devShells.${system}.default = nixpkgs.legacyPackages.${system}.mkShell { - sopsPGPKeyDirs = [ - "./keys/hosts/" - "./keys/users/" + sopsPGPKeyDirs = [ "./keys/hosts/" "./keys/users/" ]; + nativeBuildInputs = [ + sops-nix.packages.${system}.sops-import-keys-hook ]; - nativeBuildInputs = [ sops-nix.packages.${system}.sops-import-keys-hook ]; packages = with pkgs; [ sops-nix.packages.${system}.sops-init-gpg-key diff --git a/modules/default.nix b/modules/default.nix index e1db4cc..9341a5a 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -1 +1,5 @@ -{ imports = [ ./nginxExtensions.nix ]; } +{ + imports = [ + ./nginxExtensions.nix + ]; +} diff --git a/modules/nginxExtensions.nix b/modules/nginxExtensions.nix index bd505d3..3603756 100644 --- a/modules/nginxExtensions.nix +++ b/modules/nginxExtensions.nix @@ -1,10 +1,8 @@ -{ - config, - pkgs, - lib, - ... -}: -{ +{ config +, pkgs +, lib +, ... +}: { options = { services.nginx.domain = lib.mkOption { type = lib.types.str; @@ -14,8 +12,10 @@ services.nginx.virtualHosts = let extraVirtualHostOptions = - { name, config, ... }: - { + { name + , config + , ... + }: { options = { enableHSTS = lib.mkEnableOption "Enable HSTS"; @@ -40,7 +40,9 @@ }; }; in - lib.mkOption { type = lib.types.attrsOf (lib.types.submodule extraVirtualHostOptions); }; + lib.mkOption { + type = lib.types.attrsOf (lib.types.submodule extraVirtualHostOptions); + }; }; config = { 
@@ -49,11 +51,11 @@ let confirm = ''[[ "tlater.net" = ${config.services.nginx.domain} ]]''; in - lib.mapAttrs' ( - cert: _: - lib.nameValuePair "acme-${cert}" { - serviceConfig.ExecCondition = ''${pkgs.runtimeShell} -c '${confirm}' ''; - } - ) config.security.acme.certs; + lib.mapAttrs' + (cert: _: + lib.nameValuePair "acme-${cert}" { + serviceConfig.ExecCondition = ''${pkgs.runtimeShell} -c '${confirm}' ''; + }) + config.security.acme.certs; }; } diff --git a/pkgs/afvalcalendar/default.nix b/pkgs/afvalcalendar/default.nix index 6392220..12b868c 100644 --- a/pkgs/afvalcalendar/default.nix +++ b/pkgs/afvalcalendar/default.nix @@ -1,12 +1,19 @@ -{ pkgs, rustPlatform, ... }: +{ pkgs +, rustPlatform +, ... +}: rustPlatform.buildRustPackage { pname = "afvalcalendar"; version = "0.1.0"; src = ./.; - nativeBuildInputs = with pkgs; [ pkg-config ]; + nativeBuildInputs = with pkgs; [ + pkg-config + ]; - buildInputs = with pkgs; [ openssl ]; + buildInputs = with pkgs; [ + openssl + ]; cargoHash = "sha256-JXx6aUKdKbUTBCwlBw5i1hZy8ofCfSrhLCwFzqdA8cI="; } diff --git a/pkgs/default.nix b/pkgs/default.nix index a9d7aa1..132d0f5 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -1,4 +1,7 @@ -{ pkgs, lib }: +{ pkgs +, lib +, +}: let inherit (builtins) fromJSON mapAttrs readFile; inherit (pkgs) callPackage; @@ -10,7 +13,7 @@ in }; afvalcalendar = callPackage ./afvalcalendar { }; } -// ( + // ( # Add nextcloud apps let mkNextcloudApp = pkgs.callPackage ./mkNextcloudApp.nix { }; diff --git a/pkgs/mkNextcloudApp.nix b/pkgs/mkNextcloudApp.nix index 095b0e8..7453f44 100644 --- a/pkgs/mkNextcloudApp.nix +++ b/pkgs/mkNextcloudApp.nix @@ -1,5 +1,7 @@ -{ fetchNextcloudApp, lib }: -source: +{ fetchNextcloudApp +, lib +, +}: source: fetchNextcloudApp { url = source.src.url; sha256 = source.src.sha256; diff --git a/pkgs/prometheus/fail2ban-exporter.nix b/pkgs/prometheus/fail2ban-exporter.nix index dc22b6c..b74e35d 100644 --- a/pkgs/prometheus/fail2ban-exporter.nix 
+++ b/pkgs/prometheus/fail2ban-exporter.nix
@@ -1,4 +1,7 @@
-{ buildGoModule, sources }:
+{ buildGoModule
+, sources
+,
+}:
 buildGoModule {
 inherit (sources.prometheus-fail2ban-exporter) pname src version;
 vendorHash = "sha256-5o8p5p0U/c0WAIV5dACnWA3ThzSh2tt5LIFMb59i9GY=";
diff --git a/pkgs/starbound/default.nix b/pkgs/starbound/default.nix
index 26f2184..a8689f3 100644
--- a/pkgs/starbound/default.nix
+++ b/pkgs/starbound/default.nix
@@ -1,21 +1,19 @@
-{
- stdenv,
- lib,
- makeWrapper,
- patchelf,
- steamPackages,
- replace-secret,
+{ stdenv
+, lib
+, makeWrapper
+, patchelf
+, steamPackages
+, replace-secret
+,
 }:
 let
 # Use the directory in which starbound is installed so steamcmd
 # doesn't have to be reinstalled constantly (we're using DynamicUser
 # with StateDirectory to persist this).
- steamcmd = steamPackages.steamcmd.override { steamRoot = "/var/lib/starbound/.steamcmd"; };
- wrapperPath = lib.makeBinPath [
- patchelf
- steamcmd
- replace-secret
- ];
+ steamcmd = steamPackages.steamcmd.override {
+ steamRoot = "/var/lib/starbound/.steamcmd";
+ };
+ wrapperPath = lib.makeBinPath [ patchelf steamcmd replace-secret ];
 in
 stdenv.mkDerivation {
 name = "starbound-update-script";