lint: lint nix files with alejandra

This commit is contained in:
b12f 2024-08-19 00:22:59 +02:00
parent d67d75eda3
commit a1670dcb3d
Signed by: b12f
GPG key ID: 729956E1124F8F26
70 changed files with 1445 additions and 1170 deletions


@ -48,8 +48,8 @@
invoiceplane-template.inputs.nixpkgs.follows = "nixpkgs";
};
outputs = inputs@{ self, ... }:
inputs.flake-parts.lib.mkFlake { inherit inputs; } {
outputs = inputs @ {self, ...}:
inputs.flake-parts.lib.mkFlake {inherit inputs;} {
systems = [
"x86_64-linux"
"aarch64-linux"
@ -65,7 +65,13 @@
./overlays
];
perSystem = args@{ system, pkgs, lib, config, ... }: {
perSystem = args @ {
system,
pkgs,
lib,
config,
...
}: {
_module.args = {
inherit inputs;
pkgs = import inputs.nixpkgs {
@ -98,12 +104,11 @@
deploy-rs
terraform-ls
terraform-ls
opentofu
terraform-backend-git
deno
denols
];
shellHook = ''
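Review bot: The hunk at -98,12 +104,11 drops one line from the devShell package list, and from the visible lines that is one of the two `terraform-ls` entries — a content change, not an alejandra reformat like the rest of the commit. Removing a duplicate package entry is harmless in practice, but it is invisible under the title "lint: lint nix files with alejandra"; either note it in the commit message (`also drop duplicate terraform-ls from devShell packages`) or split it into its own commit so the lint commit stays whitespace-only and easy to audit. The enclosing devShell attribute set begins and ends outside this hunk.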


@ -1,4 +1,4 @@
{ ... }: {
{...}: {
imports = [
./configuration.nix
./hardware-configuration.nix


@ -39,6 +39,6 @@ in {
];
};
networking.firewall.allowedUDPPorts = [ 34197 ];
networking.firewall.allowedTCPPorts = [ 34197 ];
networking.firewall.allowedUDPPorts = [34197];
networking.firewall.allowedTCPPorts = [34197];
}


@ -1,5 +1,9 @@
{ withSystem, self, inputs, ...}:
{
withSystem,
self,
inputs,
...
}: {
flake = {
nixosConfigurations = {
stroopwafel = self.nixos-flake.lib.mkLinuxSystem {
@ -137,7 +141,7 @@
self.nixosModules.graphical
self.nixosModules.audio
self.nixosModules.bluetooth
({ ... }: { pub-solar.graphical.wayland.software-renderer.enable = true; })
({...}: {pub-solar.graphical.wayland.software-renderer.enable = true;})
];
};
};


@ -23,7 +23,7 @@ in {
# Hack so that network is considered up by boot.initrd.network and postCommands gets executed.
"ip=127.0.0.1:::::lo:none"
];
boot.initrd.availableKernelModules = [ "tg3" ];
boot.initrd.availableKernelModules = ["tg3"];
boot.initrd.network = {
enable = true;
ssh = {


@ -1,17 +1,21 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ehci_pci" "usbhid" "usb_storage" "uas" "sd_mod" ];
boot.initrd.kernelModules = [ "dm-snapshot" "amdgpu" ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "ehci_pci" "usbhid" "usb_storage" "uas" "sd_mod"];
boot.initrd.kernelModules = ["dm-snapshot" "amdgpu"];
boot.kernelModules = ["kvm-amd"];
boot.extraModulePackages = [];
boot.initrd.luks.devices = {
"cryptroot" = {
@ -21,42 +25,42 @@
"cryptdata".device = "/dev/sda1";
};
fileSystems."/" =
{ device = "none";
fsType = "tmpfs";
};
fileSystems."/" = {
device = "none";
fsType = "tmpfs";
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/837cc93f-6d9a-4bfd-b089-29ac6d68127c";
fsType = "ext4";
neededForBoot = true;
};
fileSystems."/nix" = {
device = "/dev/disk/by-uuid/837cc93f-6d9a-4bfd-b089-29ac6d68127c";
fsType = "ext4";
neededForBoot = true;
};
fileSystems."/persist" =
{ device = "/dev/disk/by-uuid/a7711118-51b0-4d84-8f18-ef2e06084e05";
fsType = "ext4";
neededForBoot = true;
};
fileSystems."/persist" = {
device = "/dev/disk/by-uuid/a7711118-51b0-4d84-8f18-ef2e06084e05";
fsType = "ext4";
neededForBoot = true;
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/0965d496-ffad-4a8d-9de7-28af903baf16";
fsType = "ext4";
};
fileSystems."/home" = {
device = "/dev/disk/by-uuid/0965d496-ffad-4a8d-9de7-28af903baf16";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/991E-79C1";
fsType = "vfat";
neededForBoot = true;
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/991E-79C1";
fsType = "vfat";
neededForBoot = true;
};
fileSystems."/data" =
{ device = "/dev/disk/by-uuid/5fc34ef4-207b-45fb-b846-dbb01080d9fe";
fsType = "ext4";
};
fileSystems."/data" = {
device = "/dev/disk/by-uuid/5fc34ef4-207b-45fb-b846-dbb01080d9fe";
fsType = "ext4";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/0ef8dbbd-2832-4fb2-8a52-86682822f769"; }
];
swapDevices = [
{device = "/dev/disk/by-uuid/0ef8dbbd-2832-4fb2-8a52-86682822f769";}
];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;


@ -17,7 +17,7 @@
};
# from https://jellyfin.org/docs/general/networking/index.html
networking.firewall.allowedUDPPorts = [ 1900 7359 ];
networking.firewall.allowedUDPPorts = [1900 7359];
security.acme.certs = {
"media.b12f.io" = {};


@ -10,7 +10,12 @@
networking.interfaces.enp2s0f1.useDHCP = true;
networking.interfaces.enp2s0f0 = {
ipv6.addresses = [ { address = "2a02:908:5b1:e3c0:3::"; prefixLength = 64; } ];
ipv6.addresses = [
{
address = "2a02:908:5b1:e3c0:3::";
prefixLength = 64;
}
];
};
# Allow pub.solar restic backups


@ -9,7 +9,6 @@ with lib; let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in {
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
@ -20,13 +19,13 @@ in {
"ip=127.0.0.1:::::lo:none"
];
boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_net" ];
boot.initrd.availableKernelModules = ["virtio_pci" "virtio_net"];
boot.initrd.network = {
enable = true;
ssh = {
enable = true;
port = 2222;
hostKeys = [ /boot/initrd-ssh-key ];
hostKeys = [/boot/initrd-ssh-key];
authorizedKeys = flake.self.publicKeys;
shell = "/bin/cryptsetup-askpass";
};
@ -44,7 +43,7 @@ in {
'';
};
boot.supportedFilesystems = [ "zfs" ];
boot.supportedFilesystems = ["zfs"];
# Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you


@ -5,15 +5,15 @@
lib,
...
}: let
hzDomain = lib.concatStrings [ "hw" "dz" "z." "net" ];
hzDomain = lib.concatStrings ["hw" "dz" "z." "net"];
dkimDNSb12fio = ''
default._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyla9hW3TvoXvZQxwzaJ4SZ9ict1HU3E6+FWlwNIgE6tIpTCyRJtiSIUDqB8TLTIBoxIs+QQBXZi+QUi3Agu6OSY2RiV0EwO8+oOOqOD9pERftc/aqe51cXuv4kPqwvpXEBwrXFWVM+VxivEubUJ7eKkFyXJpelv0LslXv/MmYbUyed6dF+reOGZCsvnbiRv74qdxbAL/25j62E8WrnxzJwhUtx/JhdBOjsHBvuw9hy6rZsVJL9eXayWyGRV6qmsLRzsRSBs+mDrgmKk4dugADd11+A03ics3i8hplRoWDkqnNKz1qy4f5TsV6v9283IANrAzRfHwX8EvNiFsBz+ZCQIDAQAB" ) ;
default._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyla9hW3TvoXvZQxwzaJ4SZ9ict1HU3E6+FWlwNIgE6tIpTCyRJtiSIUDqB8TLTIBoxIs+QQBXZi+QUi3Agu6OSY2RiV0EwO8+oOOqOD9pERftc/aqe51cXuv4kPqwvpXEBwrXFWVM+VxivEubUJ7eKkFyXJpelv0LslXv/MmYbUyed6dF+reOGZCsvnbiRv74qdxbAL/25j62E8WrnxzJwhUtx/JhdBOjsHBvuw9hy6rZsVJL9eXayWyGRV6qmsLRzsRSBs+mDrgmKk4dugADd11+A03ics3i8hplRoWDkqnNKz1qy4f5TsV6v9283IANrAzRfHwX8EvNiFsBz+ZCQIDAQAB" ) ;
'';
dkimDNSmezzabiz = ''
default._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDG8iuDq0eon2k7QlBJWGxwDiEv53iJQu2uqxOjr7Ul/nfQjuR6kVKs6oOVopnyFTGRpffrpSHHW1YUN5nF76p0fJphk4l+QmJP36/xweajsNU27PAkb88xG6yRKl28MCfPdMR96+Jobpei8S0UhqcskYs1aZybm7ci9ZuAMidziwIDAQAB" ) ;
default._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDG8iuDq0eon2k7QlBJWGxwDiEv53iJQu2uqxOjr7Ul/nfQjuR6kVKs6oOVopnyFTGRpffrpSHHW1YUN5nF76p0fJphk4l+QmJP36/xweajsNU27PAkb88xG6yRKl28MCfPdMR96+Jobpei8S0UhqcskYs1aZybm7ci9ZuAMidziwIDAQAB" ) ;
'';
dkimDNShzDomain = ''
default._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDvVA2XZno6g6qBdmxoLgX2Qmd883M6yV4YkE/VaNH6xcR0AcTo4hEYoAOPryfKn4FE/TYvyk/k2cyBKpMBn2qbVhwUavYQh/e9bweS2FKQvdzCUUoqXk04o2MqSXb2ZFwkUCtfrPcckBgpF754PDL4HMZGPnkMSdDX7bmYe37CWQIDAQAB") ;
default._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDvVA2XZno6g6qBdmxoLgX2Qmd883M6yV4YkE/VaNH6xcR0AcTo4hEYoAOPryfKn4FE/TYvyk/k2cyBKpMBn2qbVhwUavYQh/e9bweS2FKQvdzCUUoqXk04o2MqSXb2ZFwkUCtfrPcckBgpF754PDL4HMZGPnkMSdDX7bmYe37CWQIDAQAB") ;
'';
in {
age.secrets."b12f.io-dkim-private-rsa" = {
@ -55,21 +55,23 @@ in {
owner = "maddy";
};
users.users.maddy.extraGroups = [ "nginx" ];
users.users.maddy.extraGroups = ["nginx"];
security.acme.certs = {
"mail.b12f.io".reloadServices = [ "maddy" ];
"b12f.io".reloadServices = [ "maddy" ];
"mail.b12f.io".reloadServices = ["maddy"];
"b12f.io".reloadServices = ["maddy"];
"mta-sts.b12f.io" = {};
"mail.mezza.biz".reloadServices = [ "maddy" ];
"mezza.biz".reloadServices = [ "maddy" ];
"mail.mezza.biz".reloadServices = ["maddy"];
"mezza.biz".reloadServices = ["maddy"];
"mta-sts.mezza.biz" = {};
"mail.${hzDomain}".reloadServices = [ "maddy" ];
"${hzDomain}".reloadServices = [ "maddy" ];
"mail.${hzDomain}".reloadServices = ["maddy"];
"${hzDomain}".reloadServices = ["maddy"];
"mta-sts.${hzDomain}" = {};
};
services.nginx.virtualHosts = builtins.foldl' (hosts: hostName: hosts // {
services.nginx.virtualHosts = builtins.foldl' (hosts: hostName:
hosts
// {
"mta-sts.${hostName}" = {
forceSSL = true;
useACMEHost = "mta-sts.${hostName}";
@ -86,13 +88,13 @@ in {
tryFiles = "$uri $uri/ =404";
};
};
}) {} [ "b12f.io" "mezza.biz" hzDomain ];
}) {} ["b12f.io" "mezza.biz" hzDomain];
systemd.tmpfiles.rules = [
"d '/run/maddy' 0750 maddy maddy - -"
];
system.activationScripts.makeMaddyDKIMDNS = lib.stringAfter [ "var" ] ''
system.activationScripts.makeMaddyDKIMDNS = lib.stringAfter ["var"] ''
mkdir -p /var/lib/maddy/dkim_keys
echo '${dkimDNSb12fio}' >> /var/lib/maddy/dkim_keys/b12f.io_default.dns
@ -101,8 +103,8 @@ in {
chown -R maddy:maddy /var/lib/maddy
'';
networking.firewall.allowedTCPPorts = [ 25 ];
networking.firewall.interfaces.wg-private.allowedTCPPorts = [ 465 587 993 ];
networking.firewall.allowedTCPPorts = [25];
networking.firewall.interfaces.wg-private.allowedTCPPorts = [465 587 993];
services.maddy = {
enable = true;
@ -311,7 +313,7 @@ in {
'';
};
systemd.services.rspamd.serviceConfig.SupplementaryGroups = [ "maddy" ];
systemd.services.rspamd.serviceConfig.SupplementaryGroups = ["maddy"];
age.secrets."rclone-pubsolar.conf" = {
file = "${flake.self}/secrets/rclone-pubsolar.conf.age";
@ -325,7 +327,7 @@ in {
services.restic.backups = {
maddy = {
paths = [ "/var/lib/maddy" ];
paths = ["/var/lib/maddy"];
initialize = true;
passwordFile = config.age.secrets."restic-password".path;
# See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/


@ -1,16 +1,21 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.initrd.availableKernelModules = ["ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = [];
boot.initrd.luks.devices = {
cryptroot = {
@ -19,19 +24,19 @@
};
};
fileSystems."/" =
{ device = "zroot/root";
fsType = "zfs";
};
fileSystems."/" = {
device = "zroot/root";
fsType = "zfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/684A-5884";
fsType = "vfat";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/684A-5884";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/a7d1cbb8-7c9e-4c3d-841a-add867f47389"; }
];
swapDevices = [
{device = "/dev/disk/by-uuid/a7d1cbb8-7c9e-4c3d-841a-add867f47389";}
];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -17,8 +17,18 @@
# Network configuration (Hetzner uses static IP assignments, and we don't use DHCP here)
networking.useDHCP = false;
networking.interfaces.enp1s0 = {
ipv4.addresses = [{ address = "128.140.109.213"; prefixLength = 32; }];
ipv6.addresses = [{ address = "2a01:4f8:c2c:b60::"; prefixLength = 64; }];
ipv4.addresses = [
{
address = "128.140.109.213";
prefixLength = 32;
}
];
ipv6.addresses = [
{
address = "2a01:4f8:c2c:b60::";
prefixLength = 64;
}
];
};
networking.defaultGateway = {
address = "172.31.1.1";
@ -29,5 +39,5 @@
interface = "enp1s0";
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedTCPPorts = [80 443];
}


@ -29,8 +29,8 @@
owner = "unbound";
};
networking.firewall.interfaces.wg-private.allowedUDPPorts = [ 53 ];
networking.firewall.interfaces.wg-private.allowedTCPPorts = [ 53 ];
networking.firewall.interfaces.wg-private.allowedUDPPorts = [53];
networking.firewall.interfaces.wg-private.allowedTCPPorts = [53];
services.resolved.enable = false;
services.unbound = {
@ -102,10 +102,10 @@
"\"mail.mezza.biz. 10800 IN A 10.13.12.7\""
"\"mail.mezza.biz. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
"\"h${"w"+"dz"+"z.n"}et. 10800 IN A 10.13.12.7\""
"\"h${"w"+"dz"+"z.n"}et. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
"\"mail.h${"w"+"dz"+"z.n"}et. 10800 IN A 10.13.12.7\""
"\"mail.h${"w"+"dz"+"z.n"}et. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
"\"h${"w" + "dz" + "z.n"}et. 10800 IN A 10.13.12.7\""
"\"h${"w" + "dz" + "z.n"}et. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
"\"mail.h${"w" + "dz" + "z.n"}et. 10800 IN A 10.13.12.7\""
"\"mail.h${"w" + "dz" + "z.n"}et. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
];
tls-cert-bundle = "/etc/ssl/certs/ca-certificates.crt";
@ -133,5 +133,4 @@
};
};
};
}


@ -4,7 +4,8 @@
pkgs,
lib,
...
}: with lib; {
}:
with lib; {
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
"net.ipv6.conf.wg-private.forwarding" = 1;
@ -16,10 +17,10 @@
enable = true;
enableIPv6 = true;
externalInterface = "enp1s0";
internalInterfaces = [ "wg-private" ];
internalInterfaces = ["wg-private"];
};
networking.firewall.allowedUDPPorts = [ 51899 ];
networking.firewall.allowedUDPPorts = [51899];
networking.firewall.extraForwardRules = [
"iifname { != wg-private } reject"
@ -57,7 +58,8 @@
];
privateKeyFile = config.age.secrets.wg-private-key.path;
peers = [
{ # pie
{
# pie
publicKey = "hPTXEqQ2GYEywdPNdZBacwB9KKcoFZ/heClxnqmizyw=";
allowedIPs = [
"10.13.12.2/32"
@ -66,7 +68,8 @@
persistentKeepalive = 30;
dynamicEndpointRefreshSeconds = 30;
}
{ # droppie
{
# droppie
publicKey = "qsnBMoj9Z16D8PJ5ummRtIfT5AiMpoF3SoOCo4sbyiw=";
allowedIPs = [
"10.13.12.3/32"
@ -75,7 +78,8 @@
persistentKeepalive = 30;
dynamicEndpointRefreshSeconds = 30;
}
{ # chocolatebar
{
# chocolatebar
publicKey = "nk8EtGE/QsnSEm1lhLS3/w83nOBD2OGYhODIf92G91A=";
allowedIPs = [
"10.13.12.5/32"
@ -84,7 +88,8 @@
persistentKeepalive = 30;
dynamicEndpointRefreshSeconds = 30;
}
{ # biolimo
{
# biolimo
publicKey = "4ymN7wwBuhF+h+5fFN0TqXmVyOe1AsWiTqRL0jJ3CDc=";
allowedIPs = [
"10.13.12.6/32"
@ -93,7 +98,8 @@
persistentKeepalive = 30;
dynamicEndpointRefreshSeconds = 30;
}
{ # stroopwafel
{
# stroopwafel
publicKey = "5iNRg13utOJ30pX2Z8SjwPNUFwfH2zonlbeYW2mKFkU=";
allowedIPs = [
"10.13.12.8/32"
@ -102,7 +108,8 @@
persistentKeepalive = 30;
dynamicEndpointRefreshSeconds = 30;
}
{ # fp3
{
# fp3
publicKey = "wQJXFibxhWkyUbRPrPt5y/YfDnH3gDQ5a/PWoyxDfDI=";
allowedIPs = [
"10.13.12.9/32"


@ -4,7 +4,7 @@
...
}: {
isoImage.squashfsCompression = "gzip -Xcompression-level 1";
systemd.services.sshd.wantedBy = lib.mkForce [ "multi-user.target" ];
systemd.services.sshd.wantedBy = lib.mkForce ["multi-user.target"];
networking.networkmanager.enable = false;
services.openssh.openFirewall = lib.mkForce true;
}


@ -1,8 +1,12 @@
{ flake, pkgs, ... }: {
{
flake,
pkgs,
...
}: {
imports = [
./configuration.nix
./hardware-configuration.nix
((import "${flake.inputs.mobile-nixos}/lib/configuration.nix") { device = "pine64-pinephone"; })
((import "${flake.inputs.mobile-nixos}/lib/configuration.nix") {device = "pine64-pinephone";})
"${flake.inputs.mobile-nixos}/examples/phosh/phosh.nix"
];
}


@ -1,6 +1,10 @@
# NOTE: this file was generated by the Mobile NixOS installer.
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}: {
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/51a668b8-fa2e-4d3e-ac3f-73ca002d0004";


@ -81,7 +81,7 @@ in {
};
authentication_backend = {
refresh_interval = "disable";
password_reset = { disable = true; };
password_reset = {disable = true;};
file = {
path = config.age.secrets."authelia-users-file".path;
watch = false;
@ -93,7 +93,10 @@ in {
storage.local.path = "/var/lib/authelia-b12f/db.sqlite3";
access_control.default_policy = "two_factor";
session.cookies = [
{ domain = "b12f.io"; authelia_url = "https://auth.b12f.io"; }
{
domain = "b12f.io";
authelia_url = "https://auth.b12f.io";
}
];
notifier.smtp = {
host = "mail.b12f.io";
@ -110,7 +113,7 @@ in {
services.restic.backups = {
authelia = {
paths = [ "/var/lib/authelia-b12f" ];
paths = ["/var/lib/authelia-b12f"];
initialize = true;
passwordFile = config.age.secrets."restic-password".path;
# See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/


@ -20,7 +20,7 @@ in {
boot.loader.systemd-boot.enable = false;
boot.loader.generic-extlinux-compatible.enable = false;
boot.supportedFilesystems = [ "zfs" ];
boot.supportedFilesystems = ["zfs"];
boot.kernelParams = [
"boot.shell_on_fail=1"
@ -28,7 +28,7 @@ in {
"ip=127.0.0.1:::::lo:none"
];
# See https://discourse.nixos.org/t/ssh-and-network-in-initrd-on-raspberry-pi-4/6289/3
boot.initrd.availableKernelModules = [ "genet" ];
boot.initrd.availableKernelModules = ["genet"];
boot.initrd.network = {
enable = true;
ssh = {


@ -1,6 +1,9 @@
{ pkgs, adblock-unbound, ... }:
{
networking.firewall.allowedUDPPorts = [ 67 547 ];
pkgs,
adblock-unbound,
...
}: {
networking.firewall.allowedUDPPorts = [67 547];
networking.firewall.extraInputRules = ''
ip6 daddr ff02::1:2/128 udp dport 547 accept comment "DHCPv6 server"
'';
@ -30,7 +33,7 @@
{
subnet = "192.168.178.0/24";
pools = [
{ pool = "192.168.178.2 - 192.168.178.255"; }
{pool = "192.168.178.2 - 192.168.178.255";}
];
option-data = [
@ -100,19 +103,19 @@
subnet = "2a02:908:5b1:e3c0::/64";
pools = [
{ pool = "2a02:908:5b1:e3c0::/72"; }
{pool = "2a02:908:5b1:e3c0::/72";}
];
ddns-qualifying-suffix = "local.";
option-data = [
{
name = "dns-servers";
data = "2a02:908:5b1:e3c0:2::";
name = "dns-servers";
data = "2a02:908:5b1:e3c0:2::";
}
{
name = "domain-search";
data = "local";
name = "domain-search";
data = "local";
}
];


@ -80,14 +80,14 @@ in {
volumes = [
"/var/lib/firefly/upload:/var/www/html/storage/upload"
];
extraOptions = [ "--network=firefly" ];
extraOptions = ["--network=firefly"];
environmentFiles = [
./.env.firefly
config.age.secrets."firefly-secrets.env".path
config.age.secrets."firefly-cron-secrets.env".path
];
ports = [ "127.0.0.1:8080:8080" ];
dependsOn = [ "firefly-db" ];
ports = ["127.0.0.1:8080:8080"];
dependsOn = ["firefly-db"];
};
containers."firefly-db" = {
@ -96,7 +96,7 @@ in {
volumes = [
"/var/lib/firefly/db:/var/lib/postgresql/data"
];
extraOptions = [ "--network=firefly" ];
extraOptions = ["--network=firefly"];
environmentFiles = [
config.age.secrets."firefly-db-secrets.env".path
];
@ -105,8 +105,8 @@ in {
containers."firefly-importer" = {
image = "fireflyiii/data-importer:latest";
autoStart = true;
extraOptions = [ "--network=firefly" ];
ports = [ "127.0.0.1:8081:8080" ];
extraOptions = ["--network=firefly"];
ports = ["127.0.0.1:8081:8080"];
environment = {
FIREFLY_III_URL = "https://firefly.b12f.io";
};
@ -114,7 +114,7 @@ in {
./.env.firefly-importer
config.age.secrets."firefly-importer-secrets.env".path
];
dependsOn = [ "firefly" ];
dependsOn = ["firefly"];
};
containers."firefly-cron" = {
@ -128,7 +128,7 @@ in {
environmentFiles = [
config.age.secrets."firefly-cron-secrets.env".path
];
extraOptions = [ "--network=firefly" ];
extraOptions = ["--network=firefly"];
};
};
};


@ -1,18 +1,22 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "usbhid" "uas" "usb_storage" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.supportedFilesystems = [ "zfs" ];
boot.initrd.availableKernelModules = ["xhci_pci" "usbhid" "uas" "usb_storage"];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = [];
boot.supportedFilesystems = ["zfs"];
boot.initrd.luks.devices = {
cryptroot = {
@ -21,20 +25,19 @@
};
};
fileSystems."/" =
{ device = "zroot/root";
fsType = "zfs";
};
fileSystems."/" = {
device = "zroot/root";
fsType = "zfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/0D5D-B809";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/af71e930-42ce-4174-a098-4ea5753b1ea9"; }
];
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/0D5D-B809";
fsType = "vfat";
};
swapDevices = [
{device = "/dev/disk/by-uuid/af71e930-42ce-4174-a098-4ea5753b1ea9";}
];
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";


@ -44,7 +44,7 @@ in {
createLocally = false;
};
invoiceTemplates = [ pkgs.invoiceplane-template ];
invoiceTemplates = [pkgs.invoiceplane-template];
extraConfig = ''
SETUP_COMPLETED=true
@ -72,7 +72,7 @@ in {
containers."invoiceplane-db" = {
image = "mariadb:11";
autoStart = true;
ports = [ "127.0.0.1:3306:3306" ];
ports = ["127.0.0.1:3306:3306"];
volumes = [
"/var/lib/invoiceplane/db:/var/lib/mysql"
];


@ -15,16 +15,25 @@
networking.interfaces.enabcm6e4ei0 = {
ipv4.addresses = [
{ address = "192.168.178.2"; prefixLength = 32; }
{
address = "192.168.178.2";
prefixLength = 32;
}
];
ipv6.addresses = [
{ address = "2a02:908:5b1:e3c0:2::"; prefixLength = 128; }
{ address = "fe80:b12f:acab:1312:acab:2::"; prefixLength = 128; }
{
address = "2a02:908:5b1:e3c0:2::";
prefixLength = 128;
}
{
address = "fe80:b12f:acab:1312:acab:2::";
prefixLength = 128;
}
];
};
networking.hosts = {
"192.168.178.3" = [ "droppie-initrd.b12f.io" ];
"192.168.178.3" = ["droppie-initrd.b12f.io"];
};
services.openssh.allowSFTP = true;


@ -13,33 +13,34 @@ with lib; let
backupDir = "/var/lib/PaperlessBackup";
consumptionDir = "/var/lib/scandir";
scan2paperless = with pkgs; writeShellScriptBin "scan2paperless" ''
DEVICE=$1
NUM_PAGES=$2
NAME=$3
scan2paperless = with pkgs;
writeShellScriptBin "scan2paperless" ''
DEVICE=$1
NUM_PAGES=$2
NAME=$3
if [ -z "''${DEVICE}" ] || [ -z "''${NUM_PAGES}" ] || [ -z "''${NAME}" ]; then
echo "Usage: scan2paperless <device> <num_pages> <name>"
exit 1
fi
if [ -z "''${DEVICE}" ] || [ -z "''${NUM_PAGES}" ] || [ -z "''${NAME}" ]; then
echo "Usage: scan2paperless <device> <num_pages> <name>"
exit 1
fi
tmpDir=$(${coreutils}/bin/mktemp -d)
files=()
tmpDir=$(${coreutils}/bin/mktemp -d)
files=()
for i in $(seq 1 $NUM_PAGES); do
fileName=$(${openssl}/bin/openssl rand -hex 12)
file="$tmpDir/$fileName.jpg"
echo "Start scanning page $i/$NUM_PAGES";
${sane-backends}/bin/scanimage -d $DEVICE --format=jpeg --resolution 300 --progress -o $file
echo "Finished scanning page $i";
files+=($file)
done
for i in $(seq 1 $NUM_PAGES); do
fileName=$(${openssl}/bin/openssl rand -hex 12)
file="$tmpDir/$fileName.jpg"
echo "Start scanning page $i/$NUM_PAGES";
${sane-backends}/bin/scanimage -d $DEVICE --format=jpeg --resolution 300 --progress -o $file
echo "Finished scanning page $i";
files+=($file)
done
pdf="${consumptionDir}/$NAME.pdf"
${python3Packages.img2pdf}/bin/img2pdf --output $pdf ''${files[@]}
pdf="${consumptionDir}/$NAME.pdf"
${python3Packages.img2pdf}/bin/img2pdf --output $pdf ''${files[@]}
echo "PDF written to $pdf"
'';
echo "PDF written to $pdf"
'';
in {
age.secrets."paperless.env" = {
file = "${flake.self}/secrets/paperless.env.age";
@ -82,7 +83,7 @@ in {
};
};
systemd.services.paperless-web.serviceConfig.EnvironmentFile = [ config.age.secrets."paperless.env".path ];
systemd.services.paperless-web.serviceConfig.EnvironmentFile = [config.age.secrets."paperless.env".path];
#################################
# Scanning
@ -147,7 +148,7 @@ in {
services.restic.backups = {
paperless = {
paths = [ backupDir ];
paths = [backupDir];
initialize = true;
passwordFile = config.age.secrets."restic-password".path;
# See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/


@ -29,8 +29,8 @@
owner = "unbound";
};
networking.firewall.allowedUDPPorts = [ 53 ];
networking.firewall.allowedTCPPorts = [ 53 ];
networking.firewall.allowedUDPPorts = [53];
networking.firewall.allowedTCPPorts = [53];
services.resolved.enable = false;
services.unbound = {
@ -94,5 +94,4 @@
};
};
};
}


@ -1,5 +1,4 @@
{ pkgs, ... }:
{
{pkgs, ...}: {
services.cron = {
enable = true;
systemCronJobs = [


@ -17,9 +17,9 @@ in {
boot.initrd.preLVMCommands = "udevadm trigger --settle";
boot.swraid.enable = true;
boot.swraid.mdadmConf = ''
DEVICE /dev/nvme0n1p2 /dev/nvme1n1p2
ARRAY /dev/md/nixos:root metadata=1.2 name=nixos:root UUID=67d1aa81:1b348887:c17a75e8:f2edf2bd
MAILADDR ${psCfg.user.email}
DEVICE /dev/nvme0n1p2 /dev/nvme1n1p2
ARRAY /dev/md/nixos:root metadata=1.2 name=nixos:root UUID=67d1aa81:1b348887:c17a75e8:f2edf2bd
MAILADDR ${psCfg.user.email}
'';
pub-solar.core.hibernation.enable = true;