From 815033c764660e1468b1564a02570bad0f84f77a Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sat, 27 Jan 2024 20:29:30 +0100 Subject: [PATCH] treewide: apply nixpkgs-fmt Used command: nixpkgs-fmt . --- flake.nix | 3 +- hosts/default.nix | 50 ++-- hosts/flora-6/apps/caddy.nix | 21 +- hosts/flora-6/apps/drone.nix | 39 +-- hosts/flora-6/apps/forgejo-actions-runner.nix | 11 +- hosts/flora-6/apps/grafana.nix | 11 +- hosts/flora-6/apps/loki.nix | 11 +- hosts/flora-6/apps/prometheus.nix | 11 +- hosts/flora-6/configuration.nix | 19 +- hosts/flora-6/default.nix | 3 +- hosts/flora-6/hardware-configuration.nix | 23 +- hosts/flora-6/triton-vmtools.nix | 7 +- hosts/nachtigall/apps/collabora.nix | 13 +- hosts/nachtigall/apps/coturn.nix | 88 +++---- hosts/nachtigall/apps/forgejo.nix | 13 +- hosts/nachtigall/apps/keycloak.nix | 11 +- hosts/nachtigall/apps/mailman.nix | 35 ++- .../apps/matrix/element-client-config.nix | 60 ++--- hosts/nachtigall/apps/matrix/irc.nix | 5 +- .../apps/matrix/mautrix-telegram.nix | 26 +- hosts/nachtigall/apps/matrix/synapse.nix | 49 ++-- hosts/nachtigall/apps/mediawiki.nix | 243 +++++++++--------- hosts/nachtigall/apps/nextcloud.nix | 9 +- hosts/nachtigall/apps/nginx-mastodon.nix | 10 +- hosts/nachtigall/apps/nginx-matrix.nix | 45 ++-- hosts/nachtigall/apps/nginx-website.nix | 8 +- hosts/nachtigall/apps/nginx.nix | 21 +- hosts/nachtigall/apps/owncast.nix | 11 +- .../nachtigall/apps/prometheus-exporters.nix | 5 +- hosts/nachtigall/apps/promtail.nix | 11 +- hosts/nachtigall/apps/searx.nix | 13 +- hosts/nachtigall/configuration.nix | 9 +- hosts/nachtigall/default.nix | 3 +- hosts/nachtigall/hardware-configuration.nix | 21 +- lib/compat/default.nix | 24 +- lib/compat/nixos/default.nix | 5 +- lib/default.nix | 22 +- lib/deploy.nix | 95 +++---- modules/nix.nix | 15 +- modules/users.nix | 6 +- overlays/default.nix | 23 +- public-keys/default.nix | 4 +- secrets/secrets.nix | 3 +- 43 files changed, 562 insertions(+), 553 deletions(-) diff --git a/flake.nix b/flake.nix index 7cb4db7..e0c3b49 100644 --- a/flake.nix +++ b/flake.nix @@ -80,7 +80,8 @@ flake = let username = "barkeeper"; - in { + in + { inherit username; checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib; diff --git a/hosts/default.nix b/hosts/default.nix index 22a4f32..45563ee 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -1,28 +1,28 @@ - { self, ... }: - { - flake = { - nixosConfigurations = { - nachtigall = self.nixos-flake.lib.mkLinuxSystem { - imports = [ - self.inputs.agenix.nixosModules.default - self.nixosModules.home-manager - ./nachtigall - self.nixosModules.overlays - self.nixosModules.unlock-zfs-on-boot - self.nixosModules.core - self.nixosModules.docker - ]; - }; +{ self, ... }: +{ + flake = { + nixosConfigurations = { + nachtigall = self.nixos-flake.lib.mkLinuxSystem { + imports = [ + self.inputs.agenix.nixosModules.default + self.nixosModules.home-manager + ./nachtigall + self.nixosModules.overlays + self.nixosModules.unlock-zfs-on-boot + self.nixosModules.core + self.nixosModules.docker + ]; + }; - flora-6 = self.nixos-flake.lib.mkLinuxSystem { - imports = [ - self.inputs.agenix.nixosModules.default - self.nixosModules.home-manager - ./flora-6 - self.nixosModules.overlays - self.nixosModules.core - ]; - }; + flora-6 = self.nixos-flake.lib.mkLinuxSystem { + imports = [ + self.inputs.agenix.nixosModules.default + self.nixosModules.home-manager + ./flora-6 + self.nixosModules.overlays + self.nixosModules.core + ]; }; }; - } + }; +} diff --git a/hosts/flora-6/apps/caddy.nix b/hosts/flora-6/apps/caddy.nix index 01847c4..cf70d8d 100644 --- a/hosts/flora-6/apps/caddy.nix +++ b/hosts/flora-6/apps/caddy.nix @@ -1,9 +1,8 @@ -{ - config, - lib, - pkgs, - flake, - ... +{ config +, lib +, pkgs +, flake +, ... }: { systemd.tmpfiles.rules = [ @@ -32,10 +31,10 @@ output discard ''; extraConfig = '' - basicauth * { - hakkonaut $2a$14$mmIAy/Ezm6YGohUtXa2mWeW6Bcw1MQXPhrRbz14jAD2iUu3oob/t. - } - reverse_proxy :${toString config.services.loki.configuration.server.http_listen_port} + basicauth * { + hakkonaut $2a$14$mmIAy/Ezm6YGohUtXa2mWeW6Bcw1MQXPhrRbz14jAD2iUu3oob/t. + } + reverse_proxy :${toString config.services.loki.configuration.server.http_listen_port} ''; }; "grafana.pub.solar" = { @@ -56,5 +55,5 @@ }; }; }; - networking.firewall.allowedTCPPorts = [80 443]; + networking.firewall.allowedTCPPorts = [ 80 443 ]; } diff --git a/hosts/flora-6/apps/drone.nix b/hosts/flora-6/apps/drone.nix index e8408e7..92fdce6 100644 --- a/hosts/flora-6/apps/drone.nix +++ b/hosts/flora-6/apps/drone.nix @@ -1,9 +1,8 @@ -{ - config, - lib, - pkgs, - flake, - ... +{ config +, lib +, pkgs +, flake +, ... }: { age.secrets.drone-secrets = { file = "${flake.self}/secrets/drone-secrets.age"; @@ -25,22 +24,24 @@ isSystemUser = true; }; - users.groups.drone = {}; + users.groups.drone = { }; systemd.tmpfiles.rules = [ "d '/var/lib/drone-db' 0750 drone drone - -" ]; - systemd.services."docker-network-drone" = let - docker = config.virtualisation.oci-containers.backend; - dockerBin = "${pkgs.${docker}}/bin/${docker}"; - in { - serviceConfig.Type = "oneshot"; - before = ["docker-drone-server.service"]; - script = '' - ${dockerBin} network inspect drone-net >/dev/null 2>&1 || ${dockerBin} network create drone-net --subnet 172.20.0.0/24 - ''; - }; + systemd.services."docker-network-drone" = + let + docker = config.virtualisation.oci-containers.backend; + dockerBin = "${pkgs.${docker}}/bin/${docker}"; + in + { + serviceConfig.Type = "oneshot"; + before = [ "docker-drone-server.service" ]; + script = '' + ${dockerBin} network inspect drone-net >/dev/null 2>&1 || ${dockerBin} network create drone-net --subnet 172.20.0.0/24 + ''; + }; virtualisation = { docker = { @@ -73,7 +74,7 @@ ports = [ "4000:80" ]; - dependsOn = ["drone-db"]; + dependsOn = [ "drone-db" ]; extraOptions = [ "--network=drone-net" "--pull=always" @@ -96,7 +97,7 @@ volumes = [ "/var/run/docker.sock:/var/run/docker.sock" ]; - dependsOn = ["drone-db"]; + dependsOn = [ "drone-db" ]; extraOptions = [ "--network=drone-net" "--pull=always" diff --git a/hosts/flora-6/apps/forgejo-actions-runner.nix b/hosts/flora-6/apps/forgejo-actions-runner.nix index c7d8283..d3f6aeb 100644 --- a/hosts/flora-6/apps/forgejo-actions-runner.nix +++ b/hosts/flora-6/apps/forgejo-actions-runner.nix @@ -1,9 +1,8 @@ -{ - config, - lib, - pkgs, - flake, - ... +{ config +, lib +, pkgs +, flake +, ... }: { age.secrets.forgejo-actions-runner-token = { file = "${flake.self}/secrets/forgejo-actions-runner-token.age"; diff --git a/hosts/flora-6/apps/grafana.nix b/hosts/flora-6/apps/grafana.nix index f796b29..e36c0c2 100644 --- a/hosts/flora-6/apps/grafana.nix +++ b/hosts/flora-6/apps/grafana.nix @@ -1,9 +1,8 @@ -{ - config, - lib, - pkgs, - flake, - ... +{ config +, lib +, pkgs +, flake +, ... }: { age.secrets.grafana-admin-password = { file = "${flake.self}/secrets/grafana-admin-password.age"; diff --git a/hosts/flora-6/apps/loki.nix b/hosts/flora-6/apps/loki.nix index 63a534f..5e7a8cc 100644 --- a/hosts/flora-6/apps/loki.nix +++ b/hosts/flora-6/apps/loki.nix @@ -1,9 +1,8 @@ -{ - config, - lib, - pkgs, - flake, - ... +{ config +, lib +, pkgs +, flake +, ... }: { # source: https://gist.github.com/rickhull/895b0cb38fdd537c1078a858cf15d63e # https://grafana.com/docs/loki/latest/configure/examples/#1-local-configuration-exampleyaml diff --git a/hosts/flora-6/apps/prometheus.nix b/hosts/flora-6/apps/prometheus.nix index 1a008b5..686045a 100644 --- a/hosts/flora-6/apps/prometheus.nix +++ b/hosts/flora-6/apps/prometheus.nix @@ -1,9 +1,8 @@ -{ - config, - lib, - pkgs, - flake, - ... +{ config +, lib +, pkgs +, flake +, ... }: { age.secrets.nachtigall-metrics-prometheus-basic-auth-password = { file = "${flake.self}/secrets/nachtigall-metrics-prometheus-basic-auth-password.age"; diff --git a/hosts/flora-6/configuration.nix b/hosts/flora-6/configuration.nix index 3f108e4..3c3cbf8 100644 --- a/hosts/flora-6/configuration.nix +++ b/hosts/flora-6/configuration.nix @@ -1,12 +1,13 @@ -{ - config, - lib, - pkgs, - flake, - ... -}: let +{ config +, lib +, pkgs +, flake +, ... +}: +let psCfg = config.pub-solar; -in { +in +{ config = { # Override nix.conf for more agressive garbage collection nix.extraOptions = lib.mkForce '' @@ -33,7 +34,7 @@ in { # systemd-networkd-wait-online timeouts #systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug"; systemd.network.wait-online.ignoredInterfaces = [ - "docker0" + "docker0" ]; # List services that you want to enable: diff --git a/hosts/flora-6/default.nix b/hosts/flora-6/default.nix index 52b50e9..a2ad0c5 100644 --- a/hosts/flora-6/default.nix +++ b/hosts/flora-6/default.nix @@ -2,7 +2,8 @@ { imports = - [ # Include the results of the hardware scan. + [ + # Include the results of the hardware scan. ./hardware-configuration.nix ./configuration.nix ./triton-vmtools.nix diff --git a/hosts/flora-6/hardware-configuration.nix b/hosts/flora-6/hardware-configuration.nix index 6b10768..b8375d9 100644 --- a/hosts/flora-6/hardware-configuration.nix +++ b/hosts/flora-6/hardware-configuration.nix @@ -1,19 +1,18 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ - config, - lib, - pkgs, - modulesPath, - ... +{ config +, lib +, pkgs +, modulesPath +, ... }: { - imports = []; + imports = [ ]; - boot.initrd.availableKernelModules = ["ahci" "virtio_pci" "xhci_pci" "sr_mod" "virtio_blk"]; - boot.initrd.kernelModules = []; - boot.kernelModules = []; - boot.extraModulePackages = []; + boot.initrd.availableKernelModules = [ "ahci" "virtio_pci" "xhci_pci" "sr_mod" "virtio_blk" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; fileSystems."/" = { device = "/dev/disk/by-label/nixos"; @@ -35,7 +34,7 @@ ]; }; - swapDevices = []; + swapDevices = [ ]; networking.useDHCP = lib.mkDefault false; networking.networkmanager.enable = lib.mkForce false; diff --git a/hosts/flora-6/triton-vmtools.nix b/hosts/flora-6/triton-vmtools.nix index 77c8048..0fc5346 100644 --- a/hosts/flora-6/triton-vmtools.nix +++ b/hosts/flora-6/triton-vmtools.nix @@ -1,7 +1,6 @@ -{ - pkgs, - flake, - ... +{ pkgs +, flake +, ... }: { environment.systemPackages = with pkgs; [ flake.inputs.triton-vmtools.packages.${pkgs.system}.default diff --git a/hosts/nachtigall/apps/collabora.nix b/hosts/nachtigall/apps/collabora.nix index b28c5c7..1edebee 100644 --- a/hosts/nachtigall/apps/collabora.nix +++ b/hosts/nachtigall/apps/collabora.nix @@ -1,9 +1,8 @@ -{ - config, - lib, - pkgs, - self, - ... +{ config +, lib +, pkgs +, self +, ... }: { services.nginx.virtualHosts."collabora.pub.solar" = { enableACME = true; @@ -15,7 +14,7 @@ proxy_pass http://127.0.0.1:9980; proxy_set_header Host $host; ''; - }; + }; }; virtualisation = { diff --git a/hosts/nachtigall/apps/coturn.nix b/hosts/nachtigall/apps/coturn.nix index 9667c1c..93bea42 100644 --- a/hosts/nachtigall/apps/coturn.nix +++ b/hosts/nachtigall/apps/coturn.nix @@ -1,4 +1,4 @@ -{flake, config, lib, ...}: +{ flake, config, lib, ... }: { age.secrets."coturn-static-auth-secret" = { file = "${flake.self}/secrets/coturn-static-auth-secret.age"; @@ -19,57 +19,59 @@ pkey = "${config.security.acme.certs.${realm}.directory}/key.pem"; extraConfig = let - externalIPv4s = lib.strings.concatMapStringsSep "\n" ({address, ...}: "external-ip=${address}") config.networking.interfaces.enp35s0.ipv4.addresses; - externalIPv6s = lib.strings.concatMapStringsSep "\n" ({address, ...}: "external-ip=${address}") config.networking.interfaces.enp35s0.ipv6.addresses; - in '' - ${externalIPv4s} - ${externalIPv6s} + externalIPv4s = lib.strings.concatMapStringsSep "\n" ({ address, ... }: "external-ip=${address}") config.networking.interfaces.enp35s0.ipv4.addresses; + externalIPv6s = lib.strings.concatMapStringsSep "\n" ({ address, ... }: "external-ip=${address}") config.networking.interfaces.enp35s0.ipv6.addresses; + in + '' + ${externalIPv4s} + ${externalIPv6s} - no-tlsv1 - no-tlsv1_1 + no-tlsv1 + no-tlsv1_1 - no-rfc5780 - response-origin-only-with-rfc5780 + no-rfc5780 + response-origin-only-with-rfc5780 - prod + prod - no-stun-backward-compatibility + no-stun-backward-compatibility - # ban private IP ranges - no-multicast-peers - denied-peer-ip=0.0.0.0-0.255.255.255 - denied-peer-ip=10.0.0.0-10.255.255.255 - denied-peer-ip=100.64.0.0-100.127.255.255 - denied-peer-ip=127.0.0.0-127.255.255.255 - denied-peer-ip=169.254.0.0-169.254.255.255 - denied-peer-ip=172.16.0.0-172.31.255.255 - denied-peer-ip=192.0.0.0-192.0.0.255 - denied-peer-ip=192.0.2.0-192.0.2.255 - denied-peer-ip=192.88.99.0-192.88.99.255 - denied-peer-ip=192.168.0.0-192.168.255.255 - denied-peer-ip=198.18.0.0-198.19.255.255 - denied-peer-ip=198.51.100.0-198.51.100.255 - denied-peer-ip=203.0.113.0-203.0.113.255 - denied-peer-ip=240.0.0.0-255.255.255.255 - denied-peer-ip=::1 - denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff - denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255 - denied-peer-ip=100::-100::ffff:ffff:ffff:ffff - denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff - denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff - denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff - denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff - ''; + # ban private IP ranges + no-multicast-peers + denied-peer-ip=0.0.0.0-0.255.255.255 + denied-peer-ip=10.0.0.0-10.255.255.255 + denied-peer-ip=100.64.0.0-100.127.255.255 + denied-peer-ip=127.0.0.0-127.255.255.255 + denied-peer-ip=169.254.0.0-169.254.255.255 + denied-peer-ip=172.16.0.0-172.31.255.255 + denied-peer-ip=192.0.0.0-192.0.0.255 + denied-peer-ip=192.0.2.0-192.0.2.255 + denied-peer-ip=192.88.99.0-192.88.99.255 + denied-peer-ip=192.168.0.0-192.168.255.255 + denied-peer-ip=198.18.0.0-198.19.255.255 + denied-peer-ip=198.51.100.0-198.51.100.255 + denied-peer-ip=203.0.113.0-203.0.113.255 + denied-peer-ip=240.0.0.0-255.255.255.255 + denied-peer-ip=::1 + denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff + denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255 + denied-peer-ip=100::-100::ffff:ffff:ffff:ffff + denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff + denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff + denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff + ''; }; networking.firewall = { - interfaces.enp35s0 = let - range = with config.services.coturn; [ { - from = min-port; - to = max-port; - } ]; - in + interfaces.enp35s0 = + let + range = with config.services.coturn; [{ + from = min-port; + to = max-port; + }]; + in { allowedUDPPortRanges = range; allowedUDPPorts = [ 3478 5349 ]; diff --git a/hosts/nachtigall/apps/forgejo.nix b/hosts/nachtigall/apps/forgejo.nix index 70c965b..b12cef6 100644 --- a/hosts/nachtigall/apps/forgejo.nix +++ b/hosts/nachtigall/apps/forgejo.nix @@ -1,9 +1,8 @@ -{ - config, - lib, - pkgs, - flake, - ... +{ config +, lib +, pkgs +, flake +, ... }: { age.secrets.forgejo-database-password = { file = "${flake.self}/secrets/forgejo-database-password.age"; @@ -22,7 +21,7 @@ forceSSL = true; locations."/user/login".extraConfig = '' - return 302 /user/oauth2/keycloak; + return 302 /user/oauth2/keycloak; ''; locations."/" = { diff --git a/hosts/nachtigall/apps/keycloak.nix b/hosts/nachtigall/apps/keycloak.nix index deb13f9..a194276 100644 --- a/hosts/nachtigall/apps/keycloak.nix +++ b/hosts/nachtigall/apps/keycloak.nix @@ -1,9 +1,8 @@ -{ - flake, - config, - lib, - pkgs, - ... +{ flake +, config +, lib +, pkgs +, ... }: { age.secrets.keycloak-database-password = { file = "${flake.self}/secrets/keycloak-database-password.age"; diff --git a/hosts/nachtigall/apps/mailman.nix b/hosts/nachtigall/apps/mailman.nix index f9506e3..0c05483 100644 --- a/hosts/nachtigall/apps/mailman.nix +++ b/hosts/nachtigall/apps/mailman.nix @@ -1,12 +1,11 @@ -{ - flake, - config, - lib, - pkgs, - ... +{ flake +, config +, lib +, pkgs +, ... }: { - networking.firewall.allowedTCPPorts = [25]; + networking.firewall.allowedTCPPorts = [ 25 ]; users.users.nginx.extraGroups = [ "mailman" ]; @@ -23,13 +22,13 @@ services.postfix = { enable = true; - relayDomains = ["hash:/var/lib/mailman/data/postfix_domains"]; + relayDomains = [ "hash:/var/lib/mailman/data/postfix_domains" ]; # get TLS certs for list.pub.solar from acme sslCert = "/var/lib/acme/list.pub.solar/fullchain.pem"; sslKey = "/var/lib/acme/list.pub.solar/key.pem"; config = { - transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"]; - local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"]; + transport_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ]; + local_recipient_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ]; }; rootAlias = "admins@pub.solar"; postmasterAlias = "admins@pub.solar"; @@ -38,34 +37,34 @@ systemd.paths.watcher-acme-ssl-file = { description = "Watches for changes in acme's TLS cert file (after renewals) to reload postfix"; - documentation = ["systemd.path(5)"]; - partOf = ["postfix-reload.service"]; + documentation = [ "systemd.path(5)" ]; + partOf = [ "postfix-reload.service" ]; pathConfig = { PathChanged = "/var/lib/acme/list.pub.solar/fullchain.pem"; Unit = "postfix-reload.service"; }; - wantedBy = ["multi-user.target"]; + wantedBy = [ "multi-user.target" ]; }; systemd.services."postfix-reload" = { description = "Reloads postfix config, e.g. after TLS certs change, notified by watcher-acme-ssl-file.path"; - documentation = ["systemd.path(5)"]; - requires = ["postfix.service"]; - after = ["postfix.service"]; + documentation = [ "systemd.path(5)" ]; + requires = [ "postfix.service" ]; + after = [ "postfix.service" ]; startLimitIntervalSec = 10; startLimitBurst = 5; serviceConfig.Type = "oneshot"; script = '' ${pkgs.systemd}/bin/systemctl reload postfix ''; - wantedBy = ["multi-user.target"]; + wantedBy = [ "multi-user.target" ]; }; services.mailman = { enable = true; serve.enable = true; hyperkitty.enable = true; - webHosts = ["list.pub.solar"]; + webHosts = [ "list.pub.solar" ]; siteOwner = "admins@pub.solar"; }; diff --git a/hosts/nachtigall/apps/matrix/element-client-config.nix b/hosts/nachtigall/apps/matrix/element-client-config.nix index 113cb7e..9c8607f 100644 --- a/hosts/nachtigall/apps/matrix/element-client-config.nix +++ b/hosts/nachtigall/apps/matrix/element-client-config.nix @@ -1,45 +1,45 @@ { pkgs, lib, ... }: { - default_server_config = { - "m.homeserver" = { - base_url = "https://matrix.pub.solar"; - server_name = "pub.solar"; - }; - "m.identity_server" = { - base_url = ""; - }; - }; + default_server_config = { + "m.homeserver" = { + base_url = "https://matrix.pub.solar"; + server_name = "pub.solar"; + }; + "m.identity_server" = { + base_url = ""; + }; + }; setting_defaults = { custom_themes = (lib.modules.importJSON "${pkgs.element-themes}").config; }; default_theme = "light"; default_country_code = "DE"; - permalink_prefix = "https://matrix.to"; - disable_custom_urls = true; - disable_guests = true; - brand = "Element Solar"; + permalink_prefix = "https://matrix.to"; + disable_custom_urls = true; + disable_guests = true; + brand = "Element Solar"; # TODO: Configure these - integrations_ui_url = ""; - integrations_rest_url = ""; - integrations_widgets_urls = ""; - integrations_jitsi_widget_url = ""; + integrations_ui_url = ""; + integrations_rest_url = ""; + integrations_widgets_urls = ""; + integrations_jitsi_widget_url = ""; - bug_report_endpoint_url = "https://element.io/bugreports/submit"; - show_labs_settings = true; - room_directory = { - servers = ["matrix.org"]; - }; + bug_report_endpoint_url = "https://element.io/bugreports/submit"; + show_labs_settings = true; + room_directory = { + servers = [ "matrix.org" ]; + }; # TODO: This looks wrong - enable_presence_by_hs_url = "\n"; - embedded_pages = { - homeUrl = ""; - }; - branding = { - auth_footer_links = [{ + enable_presence_by_hs_url = "\n"; + embedded_pages = { + homeUrl = ""; + }; + branding = { + auth_footer_links = [{ text = "Privacy"; url = "https://pub.solar/privacy"; }]; # FUTUREWORK: Replace with pub.solar logo - auth_header_logo_url = "themes/element/img/logos/element-logo.svg"; - }; + auth_header_logo_url = "themes/element/img/logos/element-logo.svg"; + }; } diff --git a/hosts/nachtigall/apps/matrix/irc.nix b/hosts/nachtigall/apps/matrix/irc.nix index 84c1ade..50e566c 100644 --- a/hosts/nachtigall/apps/matrix/irc.nix +++ b/hosts/nachtigall/apps/matrix/irc.nix @@ -1,4 +1,4 @@ -{config, lib, pkgs, ...}: +{ config, lib, pkgs, ... }: { systemd.services.matrix-appservice-irc.serviceConfig.SystemCallFilter = lib.mkForce [ "@system-service @pkey" @@ -90,7 +90,8 @@ sendConnectionMessages = true; ssl = true; }; - in { + in + { "irc.libera.chat" = lib.attrsets.recursiveUpdate commonConfig { name = "libera"; dynamicChannels.groupId = "+libera.chat:localhost"; diff --git a/hosts/nachtigall/apps/matrix/mautrix-telegram.nix b/hosts/nachtigall/apps/matrix/mautrix-telegram.nix index b9fb60a..776c8db 100644 --- a/hosts/nachtigall/apps/matrix/mautrix-telegram.nix +++ b/hosts/nachtigall/apps/matrix/mautrix-telegram.nix @@ -27,7 +27,7 @@ id = "telegram"; max_body_size = 1; port = 8009; - provisioning = { + provisioning = { enabled = false; prefix = "/_matrix/provision/v1"; shared_secret = "generate"; @@ -59,7 +59,7 @@ bot_messages_as_notices = true; bridge_notices = { default = false; - exceptions = []; + exceptions = [ ]; }; command_prefix = "!tg"; delivery_error_reports = true; @@ -84,13 +84,13 @@ }; federate_rooms = true; filter = { - list = []; + list = [ ]; mode = "blacklist"; }; image_as_file_size = 10; initial_power_level_overrides = { - group = {}; - user = {}; + group = { }; + user = { }; }; inline_images = false; max_document_size = 100; @@ -112,15 +112,15 @@ public_portals = true; relaybot = { authless_portals = true; - group_chat_invite = []; + group_chat_invite = [ ]; ignore_own_incoming_events = true; ignore_unbridged_group_chat = true; private_chat = { - invite = []; + invite = [ ]; message = "This is a Matrix bridge relaybot and does not support direct chats"; state_changes = true; }; - whitelist = []; + whitelist = [ ]; whitelist_group_admins = true; }; resend_bridge_info = false; @@ -145,7 +145,7 @@ }; logging = { - formatters= { + formatters = { precise = { format = "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"; }; @@ -156,14 +156,14 @@ formatter = "precise"; }; }; - loggers={ + loggers = { aiohttp.level = "WARNING"; mau.level = "WARNING"; telethon.level = "WARNING"; }; root = { handlers = [ "console" ]; - level = "WARNING"; + level = "WARNING"; }; version = 1; }; @@ -202,8 +202,8 @@ }; systemd.services.mautrix-telegram.path = with pkgs; [ - lottieconverter # for animated stickers conversion, unfree package - ffmpeg # if converting animated stickers to webm (very slow!) + lottieconverter # for animated stickers conversion, unfree package + ffmpeg # if converting animated stickers to webm (very slow!) ]; systemd.services.mautrix-telegram.serviceConfig = { User = "matrix-synapse"; diff --git a/hosts/nachtigall/apps/matrix/synapse.nix b/hosts/nachtigall/apps/matrix/synapse.nix index 1c76e1d..e35c914 100644 --- a/hosts/nachtigall/apps/matrix/synapse.nix +++ b/hosts/nachtigall/apps/matrix/synapse.nix @@ -1,8 +1,9 @@ { flake, config, pkgs, ... }: let - publicDomain = "matrix.pub.solar"; + publicDomain = "matrix.pub.solar"; serverDomain = "pub.solar"; -in { +in +{ age.secrets."matrix-synapse-signing-key" = { file = "${flake.self}/secrets/matrix-synapse-signing-key.age"; mode = "400"; @@ -41,8 +42,8 @@ in { account_threepid_delegates.msisdn = ""; alias_creation_rules = [{ action = "allow"; - alias= "*"; - room_id = "*" ; + alias = "*"; + room_id = "*"; user_id = "*"; }]; allow_guest_access = false; @@ -69,14 +70,14 @@ in { federation_rr_transactions_per_room_per_second = 50; forget_rooms_on_leave = true; include_profile_data_on_invite = true; - instance_map = {}; + instance_map = { }; limit_profile_requests_to_users_who_share_rooms = false; log_config = ./matrix-log-config.yaml; max_spider_size = "10M"; max_upload_size = "50M"; - media_storage_providers = []; + media_storage_providers = [ ]; password_config = { enabled = false; @@ -87,67 +88,67 @@ in { presence.enabled = true; push.include_content = false; - rc_admin_redaction= { + rc_admin_redaction = { burst_count = 50; per_second = 1; }; - rc_federation= { + rc_federation = { concurrent = 3; reject_limit = 50; sleep_delay = 500; sleep_limit = 10; window_size = 1000; }; - rc_invites= { - per_issuer= { + rc_invites = { + per_issuer = { burst_count = 10; per_second = 0.3; }; - per_room= { + per_room = { burst_count = 10; per_second = 0.3; }; - per_user= { + per_user = { burst_count = 5; per_second = 0.003; }; }; - rc_joins= { - local= { + rc_joins = { + local = { burst_count = 10; per_second = 0.1; }; - remote= { + remote = { burst_count = 10; per_second = 0.01; }; }; - rc_login= { - account= { + rc_login = { + account = { burst_count = 3; per_second = 0.17; }; - address= { + address = { burst_count = 3; per_second = 0.17; }; - failed_attempts= { + failed_attempts = { burst_count = 3; per_second = 0.17; }; }; - rc_message= { + rc_message = { burst_count = 10; per_second = 0.2; }; - rc_registration= { + rc_registration = { burst_count = 3; per_second = 0.17; }; redaction_retention_period = "7d"; redis.enabled = false; registration_requires_token = false; - registrations_require_3pid = ["email"]; + registrations_require_3pid = [ "email" ]; report_stats = false; require_auth_for_profile_requests = false; room_list_publication_rules = [{ @@ -159,8 +160,8 @@ in { signing_key_path = "/run/agenix/matrix-synapse-signing-key"; - stream_writers = {}; - trusted_key_servers = [{ server_name = "matrix.org";}]; + stream_writers = { }; + trusted_key_servers = [{ server_name = "matrix.org"; }]; turn_allow_guests = false; turn_uris = [ diff --git a/hosts/nachtigall/apps/mediawiki.nix b/hosts/nachtigall/apps/mediawiki.nix index 98422da..8fd5feb 100644 --- a/hosts/nachtigall/apps/mediawiki.nix +++ b/hosts/nachtigall/apps/mediawiki.nix @@ -1,160 +1,161 @@ -{ - flake, - config, - lib, - pkgs, - ... -}: let +{ flake +, config +, lib +, pkgs +, ... +}: +let localSettingsPHP = pkgs.writeScript "LocalSettings.php" '' - "https://pub.solar/assets/pubsolar.svg", - 'icon' => "https://pub.solar/assets/pubsolar.svg", - 'wordmark' => [ - 'src'=> "https://pub.solar/assets/pubsolar.svg", - 'width'=> 0, - 'height'=> 0, - ], - ]; - $wgFavicon = 'https://pub.solar/assets/pubsolar.svg'; + $wgLogos = [ + 'svg' => "https://pub.solar/assets/pubsolar.svg", + 'icon' => "https://pub.solar/assets/pubsolar.svg", + 'wordmark' => [ + 'src'=> "https://pub.solar/assets/pubsolar.svg", + 'width'=> 0, + 'height'=> 0, + ], + ]; + $wgFavicon = 'https://pub.solar/assets/pubsolar.svg'; - $wgDefaultSkin = 'vector-2022'; + $wgDefaultSkin = 'vector-2022'; - // https://www.mediawiki.org/wiki/Extension:PluggableAuth#Installation - $wgGroupPermissions['*']['autocreateaccount'] = true; + // https://www.mediawiki.org/wiki/Extension:PluggableAuth#Installation + $wgGroupPermissions['*']['autocreateaccount'] = true; - // https://www.mediawiki.org/wiki/Extension:PluggableAuth#Configuration - $wgPluggableAuth_EnableAutoLogin = false; - $wgPluggableAuth_ButtonLabel = 'Login with pub.solar ID'; + // https://www.mediawiki.org/wiki/Extension:PluggableAuth#Configuration + $wgPluggableAuth_EnableAutoLogin = false; + $wgPluggableAuth_ButtonLabel = 'Login with pub.solar ID'; - // https://www.mediawiki.org/wiki/Extension:OpenID_Connect#Keycloak - $wgPluggableAuth_Config[] = [ - 'plugin' => 'OpenIDConnect', - 'data' => [ - 'providerURL' => 'https://auth.pub.solar/realms/pub.solar', - 'clientID' => 'mediawiki', - 'clientsecret' => trim(file_get_contents('/run/mediawiki/oidc-client-secret')) - ] - ]; - $wgOpenIDConnect_SingleLogout = true; - $wgOpenIDConnect_MigrateUsersByEmail = true; + // https://www.mediawiki.org/wiki/Extension:OpenID_Connect#Keycloak + $wgPluggableAuth_Config[] = [ + 'plugin' => 'OpenIDConnect', + 'data' => [ + 'providerURL' => 'https://auth.pub.solar/realms/pub.solar', + 'clientID' => 'mediawiki', + 'clientsecret' => trim(file_get_contents('/run/mediawiki/oidc-client-secret')) + ] + ]; + $wgOpenIDConnect_SingleLogout = true; + $wgOpenIDConnect_MigrateUsersByEmail = true; ''; uid = 986; gid = 984; -in { +in +{ age.secrets.mediawiki-database-password = { file = "${flake.self}/secrets/mediawiki-database-password.age"; path = "/run/mediawiki/database-password"; diff --git a/hosts/nachtigall/apps/nextcloud.nix b/hosts/nachtigall/apps/nextcloud.nix index 71b3df3..547722e 100644 --- a/hosts/nachtigall/apps/nextcloud.nix +++ b/hosts/nachtigall/apps/nextcloud.nix @@ -1,8 +1,7 @@ -{ - config, - pkgs, - flake, - ... +{ config +, pkgs +, flake +, ... }: { age.secrets."nextcloud-secrets" = { diff --git a/hosts/nachtigall/apps/nginx-mastodon.nix b/hosts/nachtigall/apps/nginx-mastodon.nix index 668c296..5e9f9b0 100644 --- a/hosts/nachtigall/apps/nginx-mastodon.nix +++ b/hosts/nachtigall/apps/nginx-mastodon.nix @@ -46,10 +46,12 @@ in least_conn; ''; servers = builtins.listToAttrs - (map (i: { - name = "unix:/run/mastodon-streaming/streaming-${toString i}.socket"; - value = { }; - }) (lib.range 1 cfg.streamingProcesses)); + (map + (i: { + name = "unix:/run/mastodon-streaming/streaming-${toString i}.socket"; + value = { }; + }) + (lib.range 1 cfg.streamingProcesses)); }; }; } diff --git a/hosts/nachtigall/apps/nginx-matrix.nix b/hosts/nachtigall/apps/nginx-matrix.nix index 5dd3c48..c943146 100644 --- a/hosts/nachtigall/apps/nginx-matrix.nix +++ b/hosts/nachtigall/apps/nginx-matrix.nix @@ -14,7 +14,7 @@ let "io.element.e2ee" = { default = true; secure_backup_required = false; - secure_backup_setup_methods = []; + secure_backup_setup_methods = [ ]; }; "m.integrations" = { managers = [ @@ -28,21 +28,21 @@ let wellKnownServer = domain: { "m.server" = "matrix.${domain}:8448"; }; wellKnownSupport = { contacts = [ - { - email_address = "crew@pub.solar"; - matrix_id = "@b12f:pub.solar"; - role = "m.role.admin"; - } - { - email_address = "crew@pub.solar"; - matrix_id = "@hensoko:pub.solar"; - role = "m.role.admin"; - } - { - email_address = "crew@pub.solar"; - matrix_id = "@teutat3s:pub.solar"; - role = "m.role.admin"; - } + { + email_address = "crew@pub.solar"; + matrix_id = "@b12f:pub.solar"; + role = "m.role.admin"; + } + { + email_address = "crew@pub.solar"; + matrix_id = "@hensoko:pub.solar"; + role = "m.role.admin"; + } + { + email_address = "crew@pub.solar"; + matrix_id = "@teutat3s:pub.solar"; + role = "m.role.admin"; + } ]; support_page = "https://pub.solar/about"; }; @@ -128,11 +128,12 @@ in port = 8448; addr = "0.0.0.0"; ssl = true; - } { - port = 8448; - addr = "[::]"; - ssl = true; - }]; + } + { + port = 8448; + addr = "[::]"; + ssl = true; + }]; root = "/dev/null"; extraConfig = '' server_tokens off; @@ -154,6 +155,6 @@ in }; }; }; - networking.firewall.allowedTCPPorts = [8448]; + networking.firewall.allowedTCPPorts = [ 8448 ]; } diff --git a/hosts/nachtigall/apps/nginx-website.nix b/hosts/nachtigall/apps/nginx-website.nix index 592dee4..5ede337 100644 --- a/hosts/nachtigall/apps/nginx-website.nix +++ b/hosts/nachtigall/apps/nginx-website.nix @@ -22,17 +22,17 @@ forceSSL = true; locations = { -# serve base domain pub.solar for mastodon.pub.solar -# https://masto.host/mastodon-usernames-different-from-the-domain-used-for-installation/ + # serve base domain pub.solar for mastodon.pub.solar + # https://masto.host/mastodon-usernames-different-from-the-domain-used-for-installation/ "/.well-known/host-meta" = { extraConfig = '' return 301 https://mastodon.pub.solar$request_uri; ''; }; -# Tailscale OIDC webfinger requirement plus Mastodon webfinger redirect + # Tailscale OIDC webfinger requirement plus Mastodon webfinger redirect "/.well-known/webfinger" = { -# Redirect requests that match /.well-known/webfinger?resource=* to Mastodon + # Redirect requests that match /.well-known/webfinger?resource=* to Mastodon extraConfig = '' if ($arg_resource) { return 301 https://mastodon.pub.solar$request_uri; diff --git a/hosts/nachtigall/apps/nginx.nix b/hosts/nachtigall/apps/nginx.nix index d1f5a3f..748fbe9 100644 --- a/hosts/nachtigall/apps/nginx.nix +++ b/hosts/nachtigall/apps/nginx.nix @@ -1,13 +1,14 @@ -{ - config, - lib, - pkgs, - self, - ... -}: let +{ config +, lib +, pkgs +, self +, ... +}: +let acmeEmailAddress = "admins@pub.solar"; webserverGroup = "hakkonaut"; -in { +in +{ services.nginx = { enable = true; group = webserverGroup; @@ -24,11 +25,11 @@ in { proxy_headers_hash_bucket_size 128; ''; }; - + security.acme = { acceptTerms = true; defaults.email = acmeEmailAddress; }; - networking.firewall.allowedTCPPorts = [80 443]; + networking.firewall.allowedTCPPorts = [ 80 443 ]; } diff --git a/hosts/nachtigall/apps/owncast.nix b/hosts/nachtigall/apps/owncast.nix index 76296da..c5026a4 100644 --- a/hosts/nachtigall/apps/owncast.nix +++ b/hosts/nachtigall/apps/owncast.nix @@ -1,9 +1,8 @@ -{ - flake, - config, - lib, - pkgs, - ... +{ flake +, config +, lib +, pkgs +, ... }: { services.nginx.virtualHosts."stream.pub.solar" = { enableACME = true; diff --git a/hosts/nachtigall/apps/prometheus-exporters.nix b/hosts/nachtigall/apps/prometheus-exporters.nix index 07f6335..585474a 100644 --- a/hosts/nachtigall/apps/prometheus-exporters.nix +++ b/hosts/nachtigall/apps/prometheus-exporters.nix @@ -1,6 +1,5 @@ -{ - config, - ... +{ config +, ... }: { services.prometheus = { exporters = { diff --git a/hosts/nachtigall/apps/promtail.nix b/hosts/nachtigall/apps/promtail.nix index 9f2dfaf..10e641e 100644 --- a/hosts/nachtigall/apps/promtail.nix +++ b/hosts/nachtigall/apps/promtail.nix @@ -1,9 +1,8 @@ -{ - config, - lib, - pkgs, - flake, - ... +{ config +, lib +, pkgs +, flake +, ... }: { age.secrets.nachtigall-metrics-prometheus-basic-auth-password = { file = "${flake.self}/secrets/nachtigall-metrics-prometheus-basic-auth-password.age"; diff --git a/hosts/nachtigall/apps/searx.nix b/hosts/nachtigall/apps/searx.nix index d97a012..febe91b 100644 --- a/hosts/nachtigall/apps/searx.nix +++ b/hosts/nachtigall/apps/searx.nix @@ -1,9 +1,8 @@ -{ - flake, - config, - lib, - pkgs, - ... +{ flake +, config +, lib +, pkgs +, ... }: { age.secrets.searx-environment = { @@ -33,7 +32,7 @@ chmod-socket = "660"; }; - environmentFile = config.age.secrets.searx-environment.path; + environmentFile = config.age.secrets.searx-environment.path; settings = { use_default_settings = true; diff --git a/hosts/nachtigall/configuration.nix b/hosts/nachtigall/configuration.nix index 114dcf6..be33b2b 100644 --- a/hosts/nachtigall/configuration.nix +++ b/hosts/nachtigall/configuration.nix @@ -1,8 +1,7 @@ -{ - flake, - config, - pkgs, - ... +{ flake +, config +, pkgs +, ... }: { # Use GRUB2 as the boot loader. # We don't use systemd-boot because Hetzner uses BIOS legacy boot. diff --git a/hosts/nachtigall/default.nix b/hosts/nachtigall/default.nix index 53137aa..e548482 100644 --- a/hosts/nachtigall/default.nix +++ b/hosts/nachtigall/default.nix @@ -2,7 +2,8 @@ { imports = - [ # Include the results of the hardware scan. + [ + # Include the results of the hardware scan. ./hardware-configuration.nix ./configuration.nix diff --git a/hosts/nachtigall/hardware-configuration.nix b/hosts/nachtigall/hardware-configuration.nix index 9aab804..8fb74b7 100644 --- a/hosts/nachtigall/hardware-configuration.nix +++ b/hosts/nachtigall/hardware-configuration.nix @@ -5,7 +5,8 @@ { imports = - [ (modulesPath + "/installer/scan/not-detected.nix") + [ + (modulesPath + "/installer/scan/not-detected.nix") ]; boot.initrd.availableKernelModules = [ "ahci" "nvme" ]; @@ -14,32 +15,38 @@ boot.extraModulePackages = [ ]; fileSystems."/" = - { device = "root_pool/root"; + { + device = "root_pool/root"; fsType = "zfs"; }; fileSystems."/var/lib" = - { device = "root_pool/data"; + { + device = "root_pool/data"; fsType = "zfs"; }; fileSystems."/var/lib/postgresql" = - { device = "root_pool/data/postgresql"; + { + device = "root_pool/data/postgresql"; fsType = "zfs"; }; fileSystems."/var/lib/docker" = - { device = "root_pool/data/docker"; + { + device = "root_pool/data/docker"; fsType = "zfs"; }; fileSystems."/boot1" = - { device = "/dev/disk/by-uuid/5493-EFF5"; + { + device = "/dev/disk/by-uuid/5493-EFF5"; fsType = "vfat"; }; fileSystems."/boot2" = - { device = "/dev/disk/by-uuid/5494-BA1E"; + { + device = "/dev/disk/by-uuid/5494-BA1E"; fsType = "vfat"; }; diff --git a/lib/compat/default.nix b/lib/compat/default.nix index fc1bc0c..27068ef 100644 --- a/lib/compat/default.nix +++ b/lib/compat/default.nix @@ -5,17 +5,17 @@ let }); flake = import - ( - fetchTarball { - url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz"; - sha256 = lock.nodes.flake-compat.locked.narHash; - } - ) - { - src = builtins.path { - path = ../../.; - name = "projectRoot"; + ( + fetchTarball { + url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz"; + sha256 = lock.nodes.flake-compat.locked.narHash; + } + ) + { + src = builtins.path { + path = ../../.; + name = "projectRoot"; + }; }; - }; in - flake +flake diff --git a/lib/compat/nixos/default.nix b/lib/compat/nixos/default.nix index 617c6a9..83f05f9 100644 --- a/lib/compat/nixos/default.nix +++ b/lib/compat/nixos/default.nix @@ -1,4 +1,5 @@ -{...}: let +{ ... }: +let inherit (default.inputs.nixos) lib; host = configs.${hostname} or configs.PubSolarOS; @@ -6,4 +7,4 @@ default = (import ../.).defaultNix; hostname = lib.fileContents /etc/hostname; in - host +host diff --git a/lib/default.nix b/lib/default.nix index d55c3bf..e1b39cb 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -1,16 +1,18 @@ { self, lib, inputs, ... }: { # Configuration common to all Linux systems flake = { - lib = let - callLibs = file: import file {inherit lib;}; - in rec { - ## Define your own library functions here! - #id = x: x; - ## Or in files, containing functions that take {lib} - #foo = callLibs ./foo.nix; - ## In configs, they can be used under "lib.our" + lib = + let + callLibs = file: import file { inherit lib; }; + in + rec { + ## Define your own library functions here! + #id = x: x; + ## Or in files, containing functions that take {lib} + #foo = callLibs ./foo.nix; + ## In configs, they can be used under "lib.our" - deploy = import ./deploy.nix { inherit inputs lib; }; - }; + deploy = import ./deploy.nix { inherit inputs lib; }; + }; }; } diff --git a/lib/deploy.nix b/lib/deploy.nix index 2ed7eae..1de2801 100644 --- a/lib/deploy.nix +++ b/lib/deploy.nix @@ -5,7 +5,8 @@ * Licensed under the MIT license */ -{ lib, inputs }: let +{ lib, inputs }: +let # https://github.com/serokell/deploy-rs#overall-usage system = "x86_64-linux"; pkgs = import inputs.nixpkgs { inherit system; }; @@ -16,57 +17,59 @@ (self: super: { deploy-rs = { inherit (pkgs) deploy-rs; lib = super.deploy-rs.lib; }; }) ]; }; - getFqdn = c: let - net = c.config.networking; - fqdn = - if (net ? domain) && (net.domain != null) - then "${net.hostName}.${net.domain}" - else net.hostName; - in + getFqdn = c: + let + net = c.config.networking; + fqdn = + if (net ? domain) && (net.domain != null) + then "${net.hostName}.${net.domain}" + else net.hostName; + in fqdn; -in { +in +{ mkDeployNodes = systemConfigurations: extraConfig: - /* - * - Synopsis: mkNodes _systemConfigurations_ _extraConfig_ + /* + * + Synopsis: mkNodes _systemConfigurations_ _extraConfig_ - Generate the `nodes` attribute expected by deploy-rs - where _systemConfigurations_ are `nodes`. + Generate the `nodes` attribute expected by deploy-rs + where _systemConfigurations_ are `nodes`. - _systemConfigurations_ should take the form of a flake's - _nixosConfigurations_. Note that deploy-rs does not currently support - deploying to darwin hosts. + _systemConfigurations_ should take the form of a flake's + _nixosConfigurations_. Note that deploy-rs does not currently support + deploying to darwin hosts. - _extraConfig_, if specified, will be merged into each of the - nodes' configurations. + _extraConfig_, if specified, will be merged into each of the + nodes' configurations. - Example _systemConfigurations_ input: + Example _systemConfigurations_ input: - ``` - { - hostname-1 = { - fastConnection = true; - sshOpts = [ "-p" "25" ]; - }; - hostname-2 = { - sshOpts = [ "-p" "19999" ]; - sshUser = "root"; - }; - } - ``` - * - */ + ``` + { + hostname-1 = { + fastConnection = true; + sshOpts = [ "-p" "25" ]; + }; + hostname-2 = { + sshOpts = [ "-p" "19999" ]; + sshUser = "root"; + }; + } + ``` + * + */ lib.recursiveUpdate - (lib.mapAttrs - ( - _: c: { - hostname = getFqdn c; - profiles.system = { - user = "root"; - path = deployPkgs.deploy-rs.lib.activate.nixos c; - }; - } - ) - systemConfigurations) - extraConfig; + (lib.mapAttrs + ( + _: c: { + hostname = getFqdn c; + profiles.system = { + user = "root"; + path = deployPkgs.deploy-rs.lib.activate.nixos c; + }; + } + ) + systemConfigurations) + extraConfig; } diff --git a/modules/nix.nix b/modules/nix.nix index 906fbd6..4585a04 100644 --- a/modules/nix.nix +++ b/modules/nix.nix @@ -1,9 +1,8 @@ -{ - config, - pkgs, - lib, - flake, - ... +{ config +, pkgs +, lib +, flake +, ... }: { nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ ]; @@ -26,9 +25,9 @@ # Prevents impurities in builds sandbox = true; # Give root and @wheel special privileges with nix - trusted-users = ["root" "@wheel"]; + trusted-users = [ "root" "@wheel" ]; # Allow only group wheel to connect to the nix daemon - allowed-users = ["@wheel"]; + allowed-users = [ "@wheel" ]; }; # Generally useful nix option defaults diff --git a/modules/users.nix b/modules/users.nix index a2e4ca7..8f1f898 100644 --- a/modules/users.nix +++ b/modules/users.nix @@ -2,11 +2,11 @@ users.users.${flake.self.username} = { name = flake.self.username; group = flake.self.username; - extraGroups = ["wheel" "docker"]; + extraGroups = [ "wheel" "docker" ]; isNormalUser = true; openssh.authorizedKeys.keys = flake.self.publicKeys.admins; }; - users.groups.${flake.self.username} = {}; + users.groups.${flake.self.username} = { }; # TODO: Remove when we stop locking ourselves out. users.users.root.openssh.authorizedKeys.keys = flake.self.publicKeys.admins; @@ -22,7 +22,7 @@ openssh.authorizedKeys.keys = flake.self.publicKeys.robots; }; - users.groups.hakkonaut = {}; + users.groups.hakkonaut = { }; users.users.root.initialHashedPassword = "$y$j9T$bIN6GjQkmPMllOcQsq52K0$q0Z5B5.KW/uxXK9fItB8H6HO79RYAcI/ZZdB0Djke32"; diff --git a/overlays/default.nix b/overlays/default.nix index 9bbb22d..6b81e38 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -1,21 +1,20 @@ -{ - self, - inputs, - ... +{ self +, inputs +, ... }: { flake = { nixosModules = rec { overlays = ({ ... }: { nixpkgs.overlays = [ (final: prev: - let - unstable = import inputs.unstable { - system = prev.system; - }; - in - { - element-themes = prev.callPackage ./pkgs/element-themes { inherit (inputs) element-themes; }; - }) + let + unstable = import inputs.unstable { + system = prev.system; + }; + in + { + element-themes = prev.callPackage ./pkgs/element-themes { inherit (inputs) element-themes; }; + }) ]; }); }; diff --git a/public-keys/default.nix b/public-keys/default.nix index f7f05ee..149c363 100644 --- a/public-keys/default.nix +++ b/public-keys/default.nix @@ -1,8 +1,8 @@ -{lib, ...}: +{ lib, ... }: { flake = { publicKeys = { - admins = lib.attrsets.attrValues (import ./admins.nix); + admins = lib.attrsets.attrValues (import ./admins.nix); robots = lib.attrsets.attrValues (import ./robots.nix); }; }; diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 21e7a52..12bebb9 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -24,7 +24,8 @@ let flora6Keys = [ flora-6-host ]; -in { +in +{ # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBB5XaH02a6+TchnyQED2VwaltPgeFCbildbE2h6nF5e root@nachtigall "nachtigall-root-ssh-key.age".publicKeys = nachtigallKeys ++ baseKeys;