Merge pull request 'feat: format with nixpkgs-fmt' (#103) from feat/nixpkgs-fmt into main
Reviewed-on: pub-solar/infra#103 Reviewed-by: Akshay Mankar <axeman@noreply.git.pub.solar>
commit
9e80c52965
2
.git-blame-ignore-revs
Normal file
2
.git-blame-ignore-revs
Normal file
|
@ -0,0 +1,2 @@
|
|||
# Apply treewide formatting with nixpkgs-fmt
|
||||
815033c764660e1468b1564a02570bad0f84f77a
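Review bot: The revision list only affects `git blame` for contributors who have `blame.ignoreRevsFile` pointed at this file; nothing on the page shows that setting or a README pointer, so the file's comment could say how to turn it on, e.g. `# Enable with: git config blame.ignoreRevsFile .git-blame-ignore-revs`. The listed revision 815033c7… is presumably the formatting commit on the feat/nixpkgs-fmt branch rather than this merge commit; if the branch was rebased or squashed before merging, that hash no longer matches any commit on main and should be rechecked.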
|
|
@ -80,7 +80,8 @@
|
|||
flake =
|
||||
let
|
||||
username = "barkeeper";
|
||||
in {
|
||||
in
|
||||
{
|
||||
inherit username;
|
||||
|
||||
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
{ self, ... }:
|
||||
{
|
||||
{ self, ... }:
|
||||
{
|
||||
flake = {
|
||||
nixosConfigurations = {
|
||||
nachtigall = self.nixos-flake.lib.mkLinuxSystem {
|
||||
|
@ -25,4 +25,4 @@
|
|||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,9 +1,8 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
flake,
|
||||
...
|
||||
{ config
|
||||
, lib
|
||||
, pkgs
|
||||
, flake
|
||||
, ...
|
||||
}:
|
||||
{
|
||||
systemd.tmpfiles.rules = [
|
||||
|
@ -56,5 +55,5 @@
|
|||
};
|
||||
};
|
||||
};
|
||||
networking.firewall.allowedTCPPorts = [80 443];
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
}
|
||||
|
|
|
@ -1,9 +1,8 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
flake,
|
||||
...
|
||||
{ config
|
||||
, lib
|
||||
, pkgs
|
||||
, flake
|
||||
, ...
|
||||
}: {
|
||||
age.secrets.drone-secrets = {
|
||||
file = "${flake.self}/secrets/drone-secrets.age";
|
||||
|
@ -25,18 +24,20 @@
|
|||
isSystemUser = true;
|
||||
};
|
||||
|
||||
users.groups.drone = {};
|
||||
users.groups.drone = { };
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d '/var/lib/drone-db' 0750 drone drone - -"
|
||||
];
|
||||
|
||||
systemd.services."docker-network-drone" = let
|
||||
systemd.services."docker-network-drone" =
|
||||
let
|
||||
docker = config.virtualisation.oci-containers.backend;
|
||||
dockerBin = "${pkgs.${docker}}/bin/${docker}";
|
||||
in {
|
||||
in
|
||||
{
|
||||
serviceConfig.Type = "oneshot";
|
||||
before = ["docker-drone-server.service"];
|
||||
before = [ "docker-drone-server.service" ];
|
||||
script = ''
|
||||
${dockerBin} network inspect drone-net >/dev/null 2>&1 || ${dockerBin} network create drone-net --subnet 172.20.0.0/24
|
||||
'';
|
||||
|
@ -73,7 +74,7 @@
|
|||
ports = [
|
||||
"4000:80"
|
||||
];
|
||||
dependsOn = ["drone-db"];
|
||||
dependsOn = [ "drone-db" ];
|
||||
extraOptions = [
|
||||
"--network=drone-net"
|
||||
"--pull=always"
|
||||
|
@ -96,7 +97,7 @@
|
|||
volumes = [
|
||||
"/var/run/docker.sock:/var/run/docker.sock"
|
||||
];
|
||||
dependsOn = ["drone-db"];
|
||||
dependsOn = [ "drone-db" ];
|
||||
extraOptions = [
|
||||
"--network=drone-net"
|
||||
"--pull=always"
|
||||
|
|
|
@ -1,9 +1,8 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
flake,
|
||||
...
|
||||
{ config
|
||||
, lib
|
||||
, pkgs
|
||||
, flake
|
||||
, ...
|
||||
}: {
|
||||
age.secrets.forgejo-actions-runner-token = {
|
||||
file = "${flake.self}/secrets/forgejo-actions-runner-token.age";
|
||||
|
|
|
@ -1,9 +1,8 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
flake,
|
||||
...
|
||||
{ config
|
||||
, lib
|
||||
, pkgs
|
||||
, flake
|
||||
, ...
|
||||
}: {
|
||||
age.secrets.grafana-admin-password = {
|
||||
file = "${flake.self}/secrets/grafana-admin-password.age";
|
||||
|
|
|
@ -1,9 +1,8 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
flake,
|
||||
...
|
||||
{ config
|
||||
, lib
|
||||
, pkgs
|
||||
, flake
|
||||
, ...
|
||||
}: {
|
||||
# source: https://gist.github.com/rickhull/895b0cb38fdd537c1078a858cf15d63e
|
||||
# https://grafana.com/docs/loki/latest/configure/examples/#1-local-configuration-exampleyaml
|
||||
|
|
|
@ -1,9 +1,8 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
flake,
|
||||
...
|
||||
{ config
|
||||
, lib
|
||||
, pkgs
|
||||
, flake
|
||||
, ...
|
||||
}: {
|
||||
age.secrets.nachtigall-metrics-prometheus-basic-auth-password = {
|
||||
file = "${flake.self}/secrets/nachtigall-metrics-prometheus-basic-auth-password.age";
|
||||
|
|
|
@ -1,12 +1,13 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
flake,
|
||||
...
|
||||
}: let
|
||||
{ config
|
||||
, lib
|
||||
, pkgs
|
||||
, flake
|
||||
, ...
|
||||
}:
|
||||
let
|
||||
psCfg = config.pub-solar;
|
||||
in {
|
||||
in
|
||||
{
|
||||
config = {
|
||||
# Override nix.conf for more agressive garbage collection
|
||||
nix.extraOptions = lib.mkForce ''
|
||||
|
|
|
@ -2,7 +2,8 @@
|
|||
|
||||
{
|
||||
imports =
|
||||
[ # Include the results of the hardware scan.
|
||||
[
|
||||
# Include the results of the hardware scan.
|
||||
./hardware-configuration.nix
|
||||
./configuration.nix
|
||||
./triton-vmtools.nix
|
||||
|
|
|
@ -1,19 +1,18 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
modulesPath,
|
||||
...
|
||||
{ config
|
||||
, lib
|
||||
, pkgs
|
||||
, modulesPath
|
||||
, ...
|
||||
}: {
|
||||
imports = [];
|
||||
imports = [ ];
|
||||
|
||||
boot.initrd.availableKernelModules = ["ahci" "virtio_pci" "xhci_pci" "sr_mod" "virtio_blk"];
|
||||
boot.initrd.kernelModules = [];
|
||||
boot.kernelModules = [];
|
||||
boot.extraModulePackages = [];
|
||||
boot.initrd.availableKernelModules = [ "ahci" "virtio_pci" "xhci_pci" "sr_mod" "virtio_blk" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" = {
|
||||
device = "/dev/disk/by-label/nixos";
|
||||
|
@ -35,7 +34,7 @@
|
|||
];
|
||||
};
|
||||
|
||||
swapDevices = [];
|
||||
swapDevices = [ ];
|
||||
|
||||
networking.useDHCP = lib.mkDefault false;
|
||||
networking.networkmanager.enable = lib.mkForce false;
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
{
|
||||
pkgs,
|
||||
flake,
|
||||
...
|
||||
{ pkgs
|
||||
, flake
|
||||
, ...
|
||||
}: {
|
||||
environment.systemPackages = with pkgs; [
|
||||
flake.inputs.triton-vmtools.packages.${pkgs.system}.default
|
||||
|
|
|
@ -1,9 +1,8 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
self,
|
||||
...
|
||||
{ config
|
||||
, lib
|
||||
, pkgs
|
||||
, self
|
||||
, ...
|
||||
}: {
|
||||
services.nginx.virtualHosts."collabora.pub.solar" = {
|
||||
enableACME = true;
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{flake, config, lib, ...}:
|
||||
{ flake, config, lib, ... }:
|
||||
{
|
||||
age.secrets."coturn-static-auth-secret" = {
|
||||
file = "${flake.self}/secrets/coturn-static-auth-secret.age";
|
||||
|
@ -19,9 +19,10 @@
|
|||
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
|
||||
extraConfig =
|
||||
let
|
||||
externalIPv4s = lib.strings.concatMapStringsSep "\n" ({address, ...}: "external-ip=${address}") config.networking.interfaces.enp35s0.ipv4.addresses;
|
||||
externalIPv6s = lib.strings.concatMapStringsSep "\n" ({address, ...}: "external-ip=${address}") config.networking.interfaces.enp35s0.ipv6.addresses;
|
||||
in ''
|
||||
externalIPv4s = lib.strings.concatMapStringsSep "\n" ({ address, ... }: "external-ip=${address}") config.networking.interfaces.enp35s0.ipv4.addresses;
|
||||
externalIPv6s = lib.strings.concatMapStringsSep "\n" ({ address, ... }: "external-ip=${address}") config.networking.interfaces.enp35s0.ipv6.addresses;
|
||||
in
|
||||
''
|
||||
${externalIPv4s}
|
||||
${externalIPv6s}
|
||||
|
||||
|
@ -64,11 +65,12 @@
|
|||
};
|
||||
|
||||
networking.firewall = {
|
||||
interfaces.enp35s0 = let
|
||||
range = with config.services.coturn; [ {
|
||||
interfaces.enp35s0 =
|
||||
let
|
||||
range = with config.services.coturn; [{
|
||||
from = min-port;
|
||||
to = max-port;
|
||||
} ];
|
||||
}];
|
||||
in
|
||||
{
|
||||
allowedUDPPortRanges = range;
|
||||
|
|
|
@ -1,9 +1,8 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
flake,
|
||||
...
|
||||
{ config
|
||||
, lib
|
||||
, pkgs
|
||||
, flake
|
||||
, ...
|
||||
}: {
|
||||
age.secrets.forgejo-database-password = {
|
||||
file = "${flake.self}/secrets/forgejo-database-password.age";
|
||||
|
|
|
@ -1,9 +1,8 @@
|
|||
{
|
||||
flake,
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
{ flake
|
||||
, config
|
||||
, lib
|
||||
, pkgs
|
||||
, ...
|
||||
}: {
|
||||
age.secrets.keycloak-database-password = {
|
||||
file = "${flake.self}/secrets/keycloak-database-password.age";
|
||||
|
|
|
@ -1,12 +1,11 @@
|
|||
{
|
||||
flake,
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
{ flake
|
||||
, config
|
||||
, lib
|
||||
, pkgs
|
||||
, ...
|
||||
}:
|
||||
{
|
||||
networking.firewall.allowedTCPPorts = [25];
|
||||
networking.firewall.allowedTCPPorts = [ 25 ];
|
||||
|
||||
users.users.nginx.extraGroups = [ "mailman" ];
|
||||
|
||||
|
@ -23,13 +22,13 @@
|
|||
|
||||
services.postfix = {
|
||||
enable = true;
|
||||
relayDomains = ["hash:/var/lib/mailman/data/postfix_domains"];
|
||||
relayDomains = [ "hash:/var/lib/mailman/data/postfix_domains" ];
|
||||
# get TLS certs for list.pub.solar from acme
|
||||
sslCert = "/var/lib/acme/list.pub.solar/fullchain.pem";
|
||||
sslKey = "/var/lib/acme/list.pub.solar/key.pem";
|
||||
config = {
|
||||
transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
|
||||
local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
|
||||
transport_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
|
||||
local_recipient_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
|
||||
};
|
||||
rootAlias = "admins@pub.solar";
|
||||
postmasterAlias = "admins@pub.solar";
|
||||
|
@ -38,34 +37,34 @@
|
|||
|
||||
systemd.paths.watcher-acme-ssl-file = {
|
||||
description = "Watches for changes in acme's TLS cert file (after renewals) to reload postfix";
|
||||
documentation = ["systemd.path(5)"];
|
||||
partOf = ["postfix-reload.service"];
|
||||
documentation = [ "systemd.path(5)" ];
|
||||
partOf = [ "postfix-reload.service" ];
|
||||
pathConfig = {
|
||||
PathChanged = "/var/lib/acme/list.pub.solar/fullchain.pem";
|
||||
Unit = "postfix-reload.service";
|
||||
};
|
||||
wantedBy = ["multi-user.target"];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
};
|
||||
|
||||
systemd.services."postfix-reload" = {
|
||||
description = "Reloads postfix config, e.g. after TLS certs change, notified by watcher-acme-ssl-file.path";
|
||||
documentation = ["systemd.path(5)"];
|
||||
requires = ["postfix.service"];
|
||||
after = ["postfix.service"];
|
||||
documentation = [ "systemd.path(5)" ];
|
||||
requires = [ "postfix.service" ];
|
||||
after = [ "postfix.service" ];
|
||||
startLimitIntervalSec = 10;
|
||||
startLimitBurst = 5;
|
||||
serviceConfig.Type = "oneshot";
|
||||
script = ''
|
||||
${pkgs.systemd}/bin/systemctl reload postfix
|
||||
'';
|
||||
wantedBy = ["multi-user.target"];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
};
|
||||
|
||||
services.mailman = {
|
||||
enable = true;
|
||||
serve.enable = true;
|
||||
hyperkitty.enable = true;
|
||||
webHosts = ["list.pub.solar"];
|
||||
webHosts = [ "list.pub.solar" ];
|
||||
siteOwner = "admins@pub.solar";
|
||||
};
|
||||
|
||||
|
|
|
@ -27,7 +27,7 @@
|
|||
bug_report_endpoint_url = "https://element.io/bugreports/submit";
|
||||
show_labs_settings = true;
|
||||
room_directory = {
|
||||
servers = ["matrix.org"];
|
||||
servers = [ "matrix.org" ];
|
||||
};
|
||||
# TODO: This looks wrong
|
||||
enable_presence_by_hs_url = "\n";
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{config, lib, pkgs, ...}:
|
||||
{ config, lib, pkgs, ... }:
|
||||
{
|
||||
systemd.services.matrix-appservice-irc.serviceConfig.SystemCallFilter = lib.mkForce [
|
||||
"@system-service @pkey"
|
||||
|
@ -90,7 +90,8 @@
|
|||
sendConnectionMessages = true;
|
||||
ssl = true;
|
||||
};
|
||||
in {
|
||||
in
|
||||
{
|
||||
"irc.libera.chat" = lib.attrsets.recursiveUpdate commonConfig {
|
||||
name = "libera";
|
||||
dynamicChannels.groupId = "+libera.chat:localhost";
|
||||
|
|
|
@ -59,7 +59,7 @@
|
|||
bot_messages_as_notices = true;
|
||||
bridge_notices = {
|
||||
default = false;
|
||||
exceptions = [];
|
||||
exceptions = [ ];
|
||||
};
|
||||
command_prefix = "!tg";
|
||||
delivery_error_reports = true;
|
||||
|
@ -84,13 +84,13 @@
|
|||
};
|
||||
federate_rooms = true;
|
||||
filter = {
|
||||
list = [];
|
||||
list = [ ];
|
||||
mode = "blacklist";
|
||||
};
|
||||
image_as_file_size = 10;
|
||||
initial_power_level_overrides = {
|
||||
group = {};
|
||||
user = {};
|
||||
group = { };
|
||||
user = { };
|
||||
};
|
||||
inline_images = false;
|
||||
max_document_size = 100;
|
||||
|
@ -112,15 +112,15 @@
|
|||
public_portals = true;
|
||||
relaybot = {
|
||||
authless_portals = true;
|
||||
group_chat_invite = [];
|
||||
group_chat_invite = [ ];
|
||||
ignore_own_incoming_events = true;
|
||||
ignore_unbridged_group_chat = true;
|
||||
private_chat = {
|
||||
invite = [];
|
||||
invite = [ ];
|
||||
message = "This is a Matrix bridge relaybot and does not support direct chats";
|
||||
state_changes = true;
|
||||
};
|
||||
whitelist = [];
|
||||
whitelist = [ ];
|
||||
whitelist_group_admins = true;
|
||||
};
|
||||
resend_bridge_info = false;
|
||||
|
@ -145,7 +145,7 @@
|
|||
};
|
||||
|
||||
logging = {
|
||||
formatters= {
|
||||
formatters = {
|
||||
precise = {
|
||||
format = "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s";
|
||||
};
|
||||
|
@ -156,7 +156,7 @@
|
|||
formatter = "precise";
|
||||
};
|
||||
};
|
||||
loggers={
|
||||
loggers = {
|
||||
aiohttp.level = "WARNING";
|
||||
mau.level = "WARNING";
|
||||
telethon.level = "WARNING";
|
||||
|
|
|
@ -2,7 +2,8 @@
|
|||
let
|
||||
publicDomain = "matrix.pub.solar";
|
||||
serverDomain = "pub.solar";
|
||||
in {
|
||||
in
|
||||
{
|
||||
age.secrets."matrix-synapse-signing-key" = {
|
||||
file = "${flake.self}/secrets/matrix-synapse-signing-key.age";
|
||||
mode = "400";
|
||||
|
@ -41,8 +42,8 @@ in {
|
|||
account_threepid_delegates.msisdn = "";
|
||||
alias_creation_rules = [{
|
||||
action = "allow";
|
||||
alias= "*";
|
||||
room_id = "*" ;
|
||||
alias = "*";
|
||||
room_id = "*";
|
||||
user_id = "*";
|
||||
}];
|
||||
allow_guest_access = false;
|
||||
|
@ -69,14 +70,14 @@ in {
|
|||
federation_rr_transactions_per_room_per_second = 50;
|
||||
forget_rooms_on_leave = true;
|
||||
include_profile_data_on_invite = true;
|
||||
instance_map = {};
|
||||
instance_map = { };
|
||||
limit_profile_requests_to_users_who_share_rooms = false;
|
||||
|
||||
log_config = ./matrix-log-config.yaml;
|
||||
|
||||
max_spider_size = "10M";
|
||||
max_upload_size = "50M";
|
||||
media_storage_providers = [];
|
||||
media_storage_providers = [ ];
|
||||
|
||||
password_config = {
|
||||
enabled = false;
|
||||
|
@ -87,67 +88,67 @@ in {
|
|||
presence.enabled = true;
|
||||
push.include_content = false;
|
||||
|
||||
rc_admin_redaction= {
|
||||
rc_admin_redaction = {
|
||||
burst_count = 50;
|
||||
per_second = 1;
|
||||
};
|
||||
rc_federation= {
|
||||
rc_federation = {
|
||||
concurrent = 3;
|
||||
reject_limit = 50;
|
||||
sleep_delay = 500;
|
||||
sleep_limit = 10;
|
||||
window_size = 1000;
|
||||
};
|
||||
rc_invites= {
|
||||
per_issuer= {
|
||||
rc_invites = {
|
||||
per_issuer = {
|
||||
burst_count = 10;
|
||||
per_second = 0.3;
|
||||
};
|
||||
per_room= {
|
||||
per_room = {
|
||||
burst_count = 10;
|
||||
per_second = 0.3;
|
||||
};
|
||||
per_user= {
|
||||
per_user = {
|
||||
burst_count = 5;
|
||||
per_second = 0.003;
|
||||
};
|
||||
};
|
||||
rc_joins= {
|
||||
local= {
|
||||
rc_joins = {
|
||||
local = {
|
||||
burst_count = 10;
|
||||
per_second = 0.1;
|
||||
};
|
||||
remote= {
|
||||
remote = {
|
||||
burst_count = 10;
|
||||
per_second = 0.01;
|
||||
};
|
||||
};
|
||||
rc_login= {
|
||||
account= {
|
||||
rc_login = {
|
||||
account = {
|
||||
burst_count = 3;
|
||||
per_second = 0.17;
|
||||
};
|
||||
address= {
|
||||
address = {
|
||||
burst_count = 3;
|
||||
per_second = 0.17;
|
||||
};
|
||||
failed_attempts= {
|
||||
failed_attempts = {
|
||||
burst_count = 3;
|
||||
per_second = 0.17;
|
||||
};
|
||||
};
|
||||
rc_message= {
|
||||
rc_message = {
|
||||
burst_count = 10;
|
||||
per_second = 0.2;
|
||||
};
|
||||
rc_registration= {
|
||||
rc_registration = {
|
||||
burst_count = 3;
|
||||
per_second = 0.17;
|
||||
};
|
||||
redaction_retention_period = "7d";
|
||||
redis.enabled = false;
|
||||
registration_requires_token = false;
|
||||
registrations_require_3pid = ["email"];
|
||||
registrations_require_3pid = [ "email" ];
|
||||
report_stats = false;
|
||||
require_auth_for_profile_requests = false;
|
||||
room_list_publication_rules = [{
|
||||
|
@ -159,8 +160,8 @@ in {
|
|||
|
||||
signing_key_path = "/run/agenix/matrix-synapse-signing-key";
|
||||
|
||||
stream_writers = {};
|
||||
trusted_key_servers = [{ server_name = "matrix.org";}];
|
||||
stream_writers = { };
|
||||
trusted_key_servers = [{ server_name = "matrix.org"; }];
|
||||
|
||||
turn_allow_guests = false;
|
||||
turn_uris = [
|
||||
|
|
|
@ -1,12 +1,12 @@
|
|||
{
|
||||
flake,
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}: let
|
||||
{ flake
|
||||
, config
|
||||
, lib
|
||||
, pkgs
|
||||
, ...
|
||||
}:
|
||||
let
|
||||
localSettingsPHP = pkgs.writeScript "LocalSettings.php" ''
|
||||
<?php
|
||||
<?php
|
||||
# Protect against web entry
|
||||
if ( !defined( 'MEDIAWIKI' ) ) {
|
||||
exit;
|
||||
|
@ -154,7 +154,8 @@
|
|||
|
||||
uid = 986;
|
||||
gid = 984;
|
||||
in {
|
||||
in
|
||||
{
|
||||
age.secrets.mediawiki-database-password = {
|
||||
file = "${flake.self}/secrets/mediawiki-database-password.age";
|
||||
path = "/run/mediawiki/database-password";
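Review bot: In the first hunk of this section, `<?php` is the only line inside the `localSettingsPHP` indented string that is shown as changed, while the neighbouring `# Protect against web entry` line is unchanged context; because Nix `''` strings strip the common leading indentation across all their lines, re-indenting a single line can alter the text written to LocalSettings.php (the rendered page drops leading whitespace, so the exact change is not visible here). It would be worth confirming the generated script is byte-identical before and after this commit, for example by building both and comparing the two store paths with `diff`. The `let` binding of `localSettingsPHP` continues outside the hunk.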
|
||||
|
|
|
@ -1,8 +1,7 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
flake,
|
||||
...
|
||||
{ config
|
||||
, pkgs
|
||||
, flake
|
||||
, ...
|
||||
}:
|
||||
{
|
||||
age.secrets."nextcloud-secrets" = {
|
||||
|
|
|
@ -46,10 +46,12 @@ in
|
|||
least_conn;
|
||||
'';
|
||||
servers = builtins.listToAttrs
|
||||
(map (i: {
|
||||
(map
|
||||
(i: {
|
||||
name = "unix:/run/mastodon-streaming/streaming-${toString i}.socket";
|
||||
value = { };
|
||||
}) (lib.range 1 cfg.streamingProcesses));
|
||||
})
|
||||
(lib.range 1 cfg.streamingProcesses));
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -14,7 +14,7 @@ let
|
|||
"io.element.e2ee" = {
|
||||
default = true;
|
||||
secure_backup_required = false;
|
||||
secure_backup_setup_methods = [];
|
||||
secure_backup_setup_methods = [ ];
|
||||
};
|
||||
"m.integrations" = {
|
||||
managers = [
|
||||
|
@ -128,7 +128,8 @@ in
|
|||
port = 8448;
|
||||
addr = "0.0.0.0";
|
||||
ssl = true;
|
||||
} {
|
||||
}
|
||||
{
|
||||
port = 8448;
|
||||
addr = "[::]";
|
||||
ssl = true;
|
||||
|
@ -154,6 +155,6 @@ in
|
|||
};
|
||||
};
|
||||
};
|
||||
networking.firewall.allowedTCPPorts = [8448];
|
||||
networking.firewall.allowedTCPPorts = [ 8448 ];
|
||||
}
|
||||
|
||||
|
|
|
@ -22,17 +22,17 @@
|
|||
forceSSL = true;
|
||||
|
||||
locations = {
|
||||
# serve base domain pub.solar for mastodon.pub.solar
|
||||
# https://masto.host/mastodon-usernames-different-from-the-domain-used-for-installation/
|
||||
# serve base domain pub.solar for mastodon.pub.solar
|
||||
# https://masto.host/mastodon-usernames-different-from-the-domain-used-for-installation/
|
||||
"/.well-known/host-meta" = {
|
||||
extraConfig = ''
|
||||
return 301 https://mastodon.pub.solar$request_uri;
|
||||
'';
|
||||
};
|
||||
|
||||
# Tailscale OIDC webfinger requirement plus Mastodon webfinger redirect
|
||||
# Tailscale OIDC webfinger requirement plus Mastodon webfinger redirect
|
||||
"/.well-known/webfinger" = {
|
||||
# Redirect requests that match /.well-known/webfinger?resource=* to Mastodon
|
||||
# Redirect requests that match /.well-known/webfinger?resource=* to Mastodon
|
||||
extraConfig = ''
|
||||
if ($arg_resource) {
|
||||
return 301 https://mastodon.pub.solar$request_uri;
|
||||
|
|
|
@ -1,13 +1,14 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
self,
|
||||
...
|
||||
}: let
|
||||
{ config
|
||||
, lib
|
||||
, pkgs
|
||||
, self
|
||||
, ...
|
||||
}:
|
||||
let
|
||||
acmeEmailAddress = "admins@pub.solar";
|
||||
webserverGroup = "hakkonaut";
|
||||
in {
|
||||
in
|
||||
{
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
group = webserverGroup;
|
||||
|
@ -30,5 +31,5 @@ in {
|
|||
defaults.email = acmeEmailAddress;
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [80 443];
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
}
|
||||
|
|
|
@ -1,9 +1,8 @@
|
|||
{
|
||||
flake,
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
{ flake
|
||||
, config
|
||||
, lib
|
||||
, pkgs
|
||||
, ...
|
||||
}: {
|
||||
services.nginx.virtualHosts."stream.pub.solar" = {
|
||||
enableACME = true;
|
||||
|
|
|
@ -1,6 +1,5 @@
|
|||
{
|
||||
config,
|
||||
...
|
||||
{ config
|
||||
, ...
|
||||
}: {
|
||||
services.prometheus = {
|
||||
exporters = {
|
||||
|
|
|
@ -1,9 +1,8 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
flake,
|
||||
...
|
||||
{ config
|
||||
, lib
|
||||
, pkgs
|
||||
, flake
|
||||
, ...
|
||||
}: {
|
||||
age.secrets.nachtigall-metrics-prometheus-basic-auth-password = {
|
||||
file = "${flake.self}/secrets/nachtigall-metrics-prometheus-basic-auth-password.age";
|
||||
|
|
|
@ -1,9 +1,8 @@
|
|||
{
|
||||
flake,
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
{ flake
|
||||
, config
|
||||
, lib
|
||||
, pkgs
|
||||
, ...
|
||||
}:
|
||||
{
|
||||
age.secrets.searx-environment = {
|
||||
|
|
|
@ -1,8 +1,7 @@
|
|||
{
|
||||
flake,
|
||||
config,
|
||||
pkgs,
|
||||
...
|
||||
{ flake
|
||||
, config
|
||||
, pkgs
|
||||
, ...
|
||||
}: {
|
||||
# Use GRUB2 as the boot loader.
|
||||
# We don't use systemd-boot because Hetzner uses BIOS legacy boot.
|
||||
|
|
|
@ -2,7 +2,8 @@
|
|||
|
||||
{
|
||||
imports =
|
||||
[ # Include the results of the hardware scan.
|
||||
[
|
||||
# Include the results of the hardware scan.
|
||||
./hardware-configuration.nix
|
||||
./configuration.nix
|
||||
|
||||
|
|
|
@ -5,7 +5,8 @@
|
|||
|
||||
{
|
||||
imports =
|
||||
[ (modulesPath + "/installer/scan/not-detected.nix")
|
||||
[
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "ahci" "nvme" ];
|
||||
|
@ -14,32 +15,38 @@
|
|||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "root_pool/root";
|
||||
{
|
||||
device = "root_pool/root";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/var/lib" =
|
||||
{ device = "root_pool/data";
|
||||
{
|
||||
device = "root_pool/data";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/postgresql" =
|
||||
{ device = "root_pool/data/postgresql";
|
||||
{
|
||||
device = "root_pool/data/postgresql";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/docker" =
|
||||
{ device = "root_pool/data/docker";
|
||||
{
|
||||
device = "root_pool/data/docker";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/boot1" =
|
||||
{ device = "/dev/disk/by-uuid/5493-EFF5";
|
||||
{
|
||||
device = "/dev/disk/by-uuid/5493-EFF5";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
fileSystems."/boot2" =
|
||||
{ device = "/dev/disk/by-uuid/5494-BA1E";
|
||||
{
|
||||
device = "/dev/disk/by-uuid/5494-BA1E";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
|
|
|
@ -18,4 +18,4 @@ let
|
|||
};
|
||||
};
|
||||
in
|
||||
flake
|
||||
flake
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
{...}: let
|
||||
{ ... }:
|
||||
let
|
||||
inherit (default.inputs.nixos) lib;
|
||||
|
||||
host = configs.${hostname} or configs.PubSolarOS;
|
||||
|
@ -6,4 +7,4 @@
|
|||
default = (import ../.).defaultNix;
|
||||
hostname = lib.fileContents /etc/hostname;
|
||||
in
|
||||
host
|
||||
host
|
||||
|
|
|
@ -1,9 +1,11 @@
|
|||
{ self, lib, inputs, ... }: {
|
||||
# Configuration common to all Linux systems
|
||||
flake = {
|
||||
lib = let
|
||||
callLibs = file: import file {inherit lib;};
|
||||
in rec {
|
||||
lib =
|
||||
let
|
||||
callLibs = file: import file { inherit lib; };
|
||||
in
|
||||
rec {
|
||||
## Define your own library functions here!
|
||||
#id = x: x;
|
||||
## Or in files, containing functions that take {lib}
|
||||
|
|
|
@ -5,7 +5,8 @@
|
|||
* Licensed under the MIT license
|
||||
*/
|
||||
|
||||
{ lib, inputs }: let
|
||||
{ lib, inputs }:
|
||||
let
|
||||
# https://github.com/serokell/deploy-rs#overall-usage
|
||||
system = "x86_64-linux";
|
||||
pkgs = import inputs.nixpkgs { inherit system; };
|
||||
|
@ -16,7 +17,8 @@
|
|||
(self: super: { deploy-rs = { inherit (pkgs) deploy-rs; lib = super.deploy-rs.lib; }; })
|
||||
];
|
||||
};
|
||||
getFqdn = c: let
|
||||
getFqdn = c:
|
||||
let
|
||||
net = c.config.networking;
|
||||
fqdn =
|
||||
if (net ? domain) && (net.domain != null)
|
||||
|
@ -24,7 +26,8 @@
|
|||
else net.hostName;
|
||||
in
|
||||
fqdn;
|
||||
in {
|
||||
in
|
||||
{
|
||||
mkDeployNodes = systemConfigurations: extraConfig:
|
||||
/*
|
||||
*
|
||||
|
|
|
@ -1,9 +1,8 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
flake,
|
||||
...
|
||||
{ config
|
||||
, pkgs
|
||||
, lib
|
||||
, flake
|
||||
, ...
|
||||
}: {
|
||||
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
|
||||
];
|
||||
|
@ -26,9 +25,9 @@
|
|||
# Prevents impurities in builds
|
||||
sandbox = true;
|
||||
# Give root and @wheel special privileges with nix
|
||||
trusted-users = ["root" "@wheel"];
|
||||
trusted-users = [ "root" "@wheel" ];
|
||||
# Allow only group wheel to connect to the nix daemon
|
||||
allowed-users = ["@wheel"];
|
||||
allowed-users = [ "@wheel" ];
|
||||
};
|
||||
|
||||
# Generally useful nix option defaults
|
||||
|
|
|
@ -2,11 +2,11 @@
|
|||
users.users.${flake.self.username} = {
|
||||
name = flake.self.username;
|
||||
group = flake.self.username;
|
||||
extraGroups = ["wheel" "docker"];
|
||||
extraGroups = [ "wheel" "docker" ];
|
||||
isNormalUser = true;
|
||||
openssh.authorizedKeys.keys = flake.self.publicKeys.admins;
|
||||
};
|
||||
users.groups.${flake.self.username} = {};
|
||||
users.groups.${flake.self.username} = { };
|
||||
|
||||
# TODO: Remove when we stop locking ourselves out.
|
||||
users.users.root.openssh.authorizedKeys.keys = flake.self.publicKeys.admins;
|
||||
|
@ -22,7 +22,7 @@
|
|||
openssh.authorizedKeys.keys = flake.self.publicKeys.robots;
|
||||
};
|
||||
|
||||
users.groups.hakkonaut = {};
|
||||
users.groups.hakkonaut = { };
|
||||
|
||||
users.users.root.initialHashedPassword = "$y$j9T$bIN6GjQkmPMllOcQsq52K0$q0Z5B5.KW/uxXK9fItB8H6HO79RYAcI/ZZdB0Djke32";
|
||||
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
{
|
||||
self,
|
||||
inputs,
|
||||
...
|
||||
{ self
|
||||
, inputs
|
||||
, ...
|
||||
}: {
|
||||
flake = {
|
||||
nixosModules = rec {
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{lib, ...}:
|
||||
{ lib, ... }:
|
||||
{
|
||||
flake = {
|
||||
publicKeys = {
|
||||
|
|
|
@ -24,7 +24,8 @@ let
|
|||
flora6Keys = [
|
||||
flora-6-host
|
||||
];
|
||||
in {
|
||||
in
|
||||
{
|
||||
# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBB5XaH02a6+TchnyQED2VwaltPgeFCbildbE2h6nF5e root@nachtigall
|
||||
"nachtigall-root-ssh-key.age".publicKeys = nachtigallKeys ++ baseKeys;
|
||||
|
||||
|
|