2025-08-02 11:35:01 +01:00
5 changed files with 138 additions and 141 deletions
--- a/configuration/nginx.nix
+++ b/configuration/nginx.nix
@ -20,22 +20,21 @@
      '';
    };

-    logrotate.settings =
-      {
-        # Override the default, just keep fewer logs
-        nginx.rotate = 6;
+    logrotate.settings = {
+      # Override the default, just keep fewer logs
+      nginx.rotate = 6;
+    }
+    // lib.mapAttrs' (
+      virtualHost: _:
+      lib.nameValuePair "/var/log/nginx/${virtualHost}/access.log" {
+        frequency = "daily";
+        rotate = 2;
+        compress = true;
+        delaycompress = true;
+        su = "${config.services.nginx.user} ${config.services.nginx.group}";
+        postrotate = "[ ! -f /var/run/nginx/nginx.pid ] || kill -USR1 `cat /var/run/nginx/nginx.pid`";
      }
-      // lib.mapAttrs' (
-        virtualHost: _:
-        lib.nameValuePair "/var/log/nginx/${virtualHost}/access.log" {
-          frequency = "daily";
-          rotate = 2;
-          compress = true;
-          delaycompress = true;
-          su = "${config.services.nginx.user} ${config.services.nginx.group}";
-          postrotate = "[ ! -f /var/run/nginx/nginx.pid ] || kill -USR1 `cat /var/run/nginx/nginx.pid`";
-        }
-      ) config.services.nginx.virtualHosts;
+    ) config.services.nginx.virtualHosts;

    backups.acme = {
      user = "acme";
--- a/configuration/services/backups.nix
+++ b/configuration/services/backups.nix
@ -140,123 +140,121 @@ in
  };

  config = lib.mkIf (config.services.backups != { }) {
-    systemd.services =
-      {
-        restic-prune = {
-          # Doesn't hurt to finish the ongoing prune
-          restartIfChanged = false;
+    systemd.services = {
+      restic-prune = {
+        # Doesn't hurt to finish the ongoing prune
+        restartIfChanged = false;

-          environment = resticEnv;
+        environment = resticEnv;

-          path = with pkgs; [
-            openssh
-            rclone
-            restic
+        path = with pkgs; [
+          openssh
+          rclone
+          restic
+        ];
+
+        script = ''
+          # TODO(tlater): In an append-only setup, we should be
+          # careful with this; an attacker could delete backups by
+          # simply appending ad infinitum:
+          # https://restic.readthedocs.io/en/stable/060_forget.html#security-considerations-in-append-only-mode
+          restic forget --keep-last 3 --prune
+          restic check
+        '';
+
+        serviceConfig = {
+          DynamicUser = true;
+          Group = "backup";
+
+          CacheDirectory = "restic-prune";
+          CacheDirectoryMode = "0700";
+        };
+      };
+    }
+    // lib.mapAttrs' (
+      name: backup:
+      lib.nameValuePair "backup-${name}" {
+        # Don't want to restart mid-backup
+        restartIfChanged = false;
+
+        environment = resticEnv // {
+          RESTIC_CACHE_DIR = "%C/backup-${name}";
+        };
+
+        path = with pkgs; [
+          coreutils
+          openssh
+          rclone
+          restic
+        ];
+
+        # TODO(tlater): If I ever add more than one repo, service
+        # shutdown/restarting will potentially break if multiple
+        # backups for the same service overlap. A more clever
+        # sentinel file with reference counts would probably solve
+        # this.
+        serviceConfig = {
+          User = backup.user;
+          Group = "backup";
+          RuntimeDirectory = "backup-${name}";
+          CacheDirectory = "backup-${name}";
+          CacheDirectoryMode = "0700";
+          PrivateTmp = true;
+
+          ExecStart = [
+            (lib.concatStringsSep " " (
+              [
+                "${pkgs.restic}/bin/restic"
+                "backup"
+                "--tag"
+                name
+              ]
+              ++ backup.paths
+            ))
          ];

-          script = ''
-            # TODO(tlater): In an append-only setup, we should be
-            # careful with this; an attacker could delete backups by
-            # simply appending ad infinitum:
-            # https://restic.readthedocs.io/en/stable/060_forget.html#security-considerations-in-append-only-mode
-            restic forget --keep-last 3 --prune
-            restic check
-          '';
+          ExecStartPre =
+            map (service: "+${mkShutdownScript service}") backup.pauseServices
+            ++ singleton (
+              writeScript "backup-${name}-repo-init" [ ] ''
+                restic snapshots || restic init
+              ''
+            )
+            ++ optional (backup.preparation.text != null) (
+              writeScript "backup-${name}-prepare" backup.preparation.packages backup.preparation.text
+            );

-          serviceConfig = {
-            DynamicUser = true;
-            Group = "backup";
-
-            CacheDirectory = "restic-prune";
-            CacheDirectoryMode = "0700";
-          };
+          # TODO(tlater): Add repo pruning/checking
+          ExecStopPost =
+            map (service: "+${mkRestartScript service}") backup.pauseServices
+            ++ optional (backup.cleanup.text != null) (
+              writeScript "backup-${name}-cleanup" backup.cleanup.packages backup.cleanup.text
+            );
        };
      }
-      // lib.mapAttrs' (
-        name: backup:
-        lib.nameValuePair "backup-${name}" {
-          # Don't want to restart mid-backup
-          restartIfChanged = false;
+    ) config.services.backups;

-          environment = resticEnv // {
-            RESTIC_CACHE_DIR = "%C/backup-${name}";
-          };
-
-          path = with pkgs; [
-            coreutils
-            openssh
-            rclone
-            restic
-          ];
-
-          # TODO(tlater): If I ever add more than one repo, service
-          # shutdown/restarting will potentially break if multiple
-          # backups for the same service overlap. A more clever
-          # sentinel file with reference counts would probably solve
-          # this.
-          serviceConfig = {
-            User = backup.user;
-            Group = "backup";
-            RuntimeDirectory = "backup-${name}";
-            CacheDirectory = "backup-${name}";
-            CacheDirectoryMode = "0700";
-            PrivateTmp = true;
-
-            ExecStart = [
-              (lib.concatStringsSep " " (
-                [
-                  "${pkgs.restic}/bin/restic"
-                  "backup"
-                  "--tag"
-                  name
-                ]
-                ++ backup.paths
-              ))
-            ];
-
-            ExecStartPre =
-              map (service: "+${mkShutdownScript service}") backup.pauseServices
-              ++ singleton (
-                writeScript "backup-${name}-repo-init" [ ] ''
-                  restic snapshots || restic init
-                ''
-              )
-              ++ optional (backup.preparation.text != null) (
-                writeScript "backup-${name}-prepare" backup.preparation.packages backup.preparation.text
-              );
-
-            # TODO(tlater): Add repo pruning/checking
-            ExecStopPost =
-              map (service: "+${mkRestartScript service}") backup.pauseServices
-              ++ optional (backup.cleanup.text != null) (
-                writeScript "backup-${name}-cleanup" backup.cleanup.packages backup.cleanup.text
-              );
-          };
-        }
-      ) config.services.backups;
-
-    systemd.timers =
-      {
-        restic-prune = {
-          wantedBy = [ "timers.target" ];
-          timerConfig.OnCalendar = "Thursday 03:00:00 UTC";
-          # Don't make this persistent, in case the server was offline
-          # for a while. This job cannot run at the same time as any
-          # of the backup jobs.
+    systemd.timers = {
+      restic-prune = {
+        wantedBy = [ "timers.target" ];
+        timerConfig.OnCalendar = "Thursday 03:00:00 UTC";
+        # Don't make this persistent, in case the server was offline
+        # for a while. This job cannot run at the same time as any
+        # of the backup jobs.
+      };
+    }
+    // lib.mapAttrs' (
+      name: _:
+      lib.nameValuePair "backup-${name}" {
+        wantedBy = [ "timers.target" ];
+        timerConfig = {
+          OnCalendar = "Wednesday 02:30:00 UTC";
+          RandomizedDelaySec = "1h";
+          FixedRandomDelay = true;
+          Persistent = true;
        };
      }
-      // lib.mapAttrs' (
-        name: _:
-        lib.nameValuePair "backup-${name}" {
-          wantedBy = [ "timers.target" ];
-          timerConfig = {
-            OnCalendar = "Wednesday 02:30:00 UTC";
-            RandomizedDelaySec = "1h";
-            FixedRandomDelay = true;
-            Persistent = true;
-          };
-        }
-      ) config.services.backups;
+    ) config.services.backups;

    users = {
      # This user is only used to own the ssh key, because apparently
--- a/configuration/services/crowdsec.nix
+++ b/configuration/services/crowdsec.nix
@ -30,11 +30,12 @@

      {
        labels.type = "nginx";
-        filenames =
-          [ "/var/log/nginx/*.log" ]
-          ++ lib.mapAttrsToList (
-            vHost: _: "/var/log/nginx/${vHost}/access.log"
-          ) config.services.nginx.virtualHosts;
+        filenames = [
+          "/var/log/nginx/*.log"
+        ]
+        ++ lib.mapAttrsToList (
+          vHost: _: "/var/log/nginx/${vHost}/access.log"
+        ) config.services.nginx.virtualHosts;
      }
    ];

--- a/configuration/services/metrics/options.nix
+++ b/configuration/services/metrics/options.nix
@ -154,8 +154,7 @@ in
                lib.recursiveUpdate {
                  inherit (scrape) job_name;
                  static_configs =
-                    scrape.static_configs
-                    ++ lib.optional (scrape.targets != [ ]) { inherit (scrape) targets; };
+                    scrape.static_configs ++ lib.optional (scrape.targets != [ ]) { inherit (scrape) targets; };
                } scrape.extraSettings
              ) config.services.victoriametrics.scrapeConfigs;
            };
--- a/flake.lock
+++ b/flake.lock
@ -300,11 +300,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1750903843,
-        "narHash": "sha256-Ng9+f0H5/dW+mq/XOKvB9uwvGbsuiiO6HrPdAcVglCs=",
+        "lastModified": 1753140376,
+        "narHash": "sha256-7lrVrE0jSvZHrxEzvnfHFE/Wkk9DDqb+mYCodI5uuB8=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "83c4da299c1d7d300f8c6fd3a72ac46cb0d59aae",
+        "rev": "545aba02960caa78a31bd9a8709a0ad4b6320a5c",
        "type": "github"
      },
      "original": {
@ -595,11 +595,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1748450994,
-        "narHash": "sha256-BWdJ+3lPmK99kjWfBlppKSRIH0sBlT1fpUkSvlgmvoA=",
+        "lastModified": 1752975459,
+        "narHash": "sha256-nOr9FfazId66oneIeeH6e5eALWcu0/zPn19DqbeFGME=",
        "owner": "reckenrode",
        "repo": "nix-foundryvtt",
-        "rev": "d5fe29ab69176aa0c7727fa7c57889a2aa577355",
+        "rev": "924f814523ea8c8792178ec5171ea055abaae0e4",
        "type": "github"
      },
      "original": {
@ -746,11 +746,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1751230698,
-        "narHash": "sha256-ANWE9dHPeACz3SIbUhbWZforTgfAvOS5Tg1l4yYa/B0=",
+        "lastModified": 1754108423,
+        "narHash": "sha256-0AhuEljFdqvY4894RArZH+mzd1Y0Wojmfq8znh0ireg=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "e410afb41ba16a2ceeaeff85c536d35f10bbbdcf",
+        "rev": "a41340f34fa59485a7c2017af3506b2ee1b216d8",
        "type": "github"
      },
      "original": {
@ -1079,11 +1079,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1750119275,
-        "narHash": "sha256-Rr7Pooz9zQbhdVxux16h7URa6mA80Pb/G07T4lHvh0M=",
+        "lastModified": 1752544651,
+        "narHash": "sha256-GllP7cmQu7zLZTs9z0J2gIL42IZHa9CBEXwBY9szT0U=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "77c423a03b9b2b79709ea2cb63336312e78b72e2",
+        "rev": "2c8def626f54708a9c38a5861866660395bb3461",
        "type": "github"
      },
      "original": {