
treewide: reformat

+808 -524
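--- a/.sops.nix
+++ b/.sops.nix
@@ -19,22 +19,23 @@
     }
   ];
 
-  mkHost = name: identities:
-    assert builtins.typeOf identities == "list"; {
+  mkHost =
+    name: identities:
+    assert builtins.typeOf identities == "list";
+    {
       path_regex = "creds/sops/${name}/.*";
       key_groups = [
         {
-          age =
-            [
-              # admin
-              age.soopyc_pxl7ag
-              age.soopyc_mbp14
-            ]
-            ++ identities;
+          age = [
+            # admin
+            age.soopyc_pxl7ag
+            age.soopyc_mbp14
+          ] ++ identities;
         }
       ];
     };
-in {
+in
+{
   # remember to run `just utils update-sops-config` and `sops updatekeys` after editing.
   creation_rules = [
     {
@@ -42,13 +43,13 @@
       key_groups = everything;
     }
 
-    (mkHost "koumakan" [age.koumakan])
-    (mkHost "satori" [age.satori])
-    (mkHost "renko" [age.renko])
+    (mkHost "koumakan" [ age.koumakan ])
+    (mkHost "satori" [ age.satori ])
+    (mkHost "renko" [ age.renko ])
 
-    (mkHost "bocchi" [age.bocchi])
-    (mkHost "kita" [age.kita])
-    (mkHost "ryo" [age.ryo])
-    (mkHost "nijika" [age.nijika])
+    (mkHost "bocchi" [ age.bocchi ])
+    (mkHost "kita" [ age.kita ])
+    (mkHost "ryo" [ age.ryo ])
+    (mkHost "nijika" [ age.nijika ])
   ];
 }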
+47 -39
flake.nix
··· 67 67 }; 68 68 }; 69 69 70 - outputs = { 71 - self, 72 - nixpkgs, 73 - treefmt-nix, 74 - ... 75 - } @ inputs: let 76 - lib = nixpkgs.lib; 70 + outputs = 71 + { 72 + self, 73 + nixpkgs, 74 + treefmt-nix, 75 + ... 76 + }@inputs: 77 + let 78 + lib = nixpkgs.lib; 77 79 78 - systems = [ 79 - "x86_64-linux" 80 - "aarch64-linux" 81 - "x86_64-darwin" 82 - "aarch64-darwin" 83 - ]; 84 - forAllSystems = fn: lib.genAttrs systems (system: fn nixpkgs.legacyPackages.${system}); 85 - treefmt = forAllSystems (pkgs: treefmt-nix.lib.evalModule pkgs ./nix/treefmt.nix); 86 - in { 87 - lib.x86_64-linux = import ./global/utils.nix { 88 - inherit inputs; 89 - system = "x86_64-linux"; 90 - }; 80 + systems = [ 81 + "x86_64-linux" 82 + "aarch64-linux" 83 + "x86_64-darwin" 84 + "aarch64-darwin" 85 + ]; 86 + forAllSystems = fn: lib.genAttrs systems (system: fn nixpkgs.legacyPackages.${system}); 87 + treefmt = forAllSystems (pkgs: treefmt-nix.lib.evalModule pkgs ./nix/treefmt.nix); 88 + in 89 + { 90 + lib.x86_64-linux = import ./global/utils.nix { 91 + inherit inputs; 92 + system = "x86_64-linux"; 93 + }; 91 94 92 - packages.x86_64-linux = let 93 - system = "x86_64-linux"; 94 - in { 95 - brcmfmac = let 96 - pkgs = import nixpkgs { 97 - inherit system; 98 - config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) ["brcm-mac-firmware"]; 95 + packages.x86_64-linux = 96 + let 97 + system = "x86_64-linux"; 98 + in 99 + { 100 + brcmfmac = 101 + let 102 + pkgs = import nixpkgs { 103 + inherit system; 104 + config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "brcm-mac-firmware" ]; 105 + }; 106 + in 107 + pkgs.callPackage ./vendor/brcmfmac { }; 99 108 }; 100 - in 101 - pkgs.callPackage ./vendor/brcmfmac {}; 102 - }; 103 109 104 - nixosConfigurations = import systems/default.nix {inherit inputs lib;}; 110 + nixosConfigurations = import systems/default.nix { inherit inputs lib; }; 105 111 106 - devShells = forAllSystems (pkgs: import ./nix/devshell.nix {inherit pkgs 
inputs;}); 112 + devShells = forAllSystems (pkgs: import ./nix/devshell.nix { inherit pkgs inputs; }); 107 113 108 - checks = forAllSystems (pkgs: 109 - (import ./nix/checks.nix {inherit pkgs inputs;}) 110 - // { 111 - formatting = treefmt.${pkgs.system}.config.build.check self; 112 - }); 114 + checks = forAllSystems ( 115 + pkgs: 116 + (import ./nix/checks.nix { inherit pkgs inputs; }) 117 + // { 118 + formatting = treefmt.${pkgs.system}.config.build.check self; 119 + } 120 + ); 113 121 114 - formatter = forAllSystems (pkgs: treefmt.${pkgs.system}.config.build.wrapper); 115 - }; 122 + formatter = forAllSystems (pkgs: treefmt.${pkgs.system}.config.build.wrapper); 123 + }; 116 124 }
+2 -1
global/core.nix
··· 2 2 pkgs, 3 3 inputs, 4 4 ... 5 - }: { 5 + }: 6 + { 6 7 imports = [ 7 8 ./upgrade-diff.nix 8 9 ];
+2 -1
global/default.nix
··· 1 1 # This is a NixOS module, you cannot use this as a standalone file. 2 2 # Other files may be though, but things that starts with {...}: most definitely aren't. 3 - {inputs, ...}: { 3 + { inputs, ... }: 4 + { 4 5 imports = [ 5 6 ./core.nix 6 7 ./gensokyo
+2 -1
global/gensokyo/default.nix
··· 1 - {...}: { 1 + { ... }: 2 + { 2 3 imports = [ 3 4 ./traits.nix 4 5 ./presets
+25 -21
global/gensokyo/presets/certificates.nix
··· 3 3 config, 4 4 lib, 5 5 ... 6 - }: let 6 + }: 7 + let 7 8 secrets = _utils.setupSecrets config { 8 9 namespace = "lego"; 9 - secrets = ["cf_token"]; 10 + secrets = [ "cf_token" ]; 10 11 }; 11 - in { 12 - config = lib.mkIf config.gensokyo.presets.certificates (lib.mkMerge [ 13 - { 14 - security.acme = { 15 - acceptTerms = true; 12 + in 13 + { 14 + config = lib.mkIf config.gensokyo.presets.certificates ( 15 + lib.mkMerge [ 16 + { 17 + security.acme = { 18 + acceptTerms = true; 16 19 17 - defaults = { 18 - # == lego Configuration == 19 - # In an ideal world we would have an ed/cv25519 algo here but oh well 20 - keyType = "ec256"; # Ensure we use ec keys 21 - credentialFiles.CLOUDFLARE_DNS_API_TOKEN_FILE = secrets.get "cf_token"; 22 - dnsProvider = "cloudflare"; 20 + defaults = { 21 + # == lego Configuration == 22 + # In an ideal world we would have an ed/cv25519 algo here but oh well 23 + keyType = "ec256"; # Ensure we use ec keys 24 + credentialFiles.CLOUDFLARE_DNS_API_TOKEN_FILE = secrets.get "cf_token"; 25 + dnsProvider = "cloudflare"; 23 26 24 - # == LE Configuration == 25 - email = "me@soopy.moe"; 26 - # server = "https://acme-staging-v02.api.letsencrypt.org/directory"; 27 - server = "https://acme-v02.api.letsencrypt.org/directory"; 27 + # == LE Configuration == 28 + email = "me@soopy.moe"; 29 + # server = "https://acme-staging-v02.api.letsencrypt.org/directory"; 30 + server = "https://acme-v02.api.letsencrypt.org/directory"; 31 + }; 28 32 }; 29 - }; 30 - } 31 - secrets.generate 32 - ]); 33 + } 34 + secrets.generate 35 + ] 36 + ); 33 37 }
+2 -1
global/gensokyo/presets/default.nix
··· 1 - {lib, ...}: { 1 + { lib, ... }: 2 + { 2 3 imports = [ 3 4 ./vmetrics.nix 4 5 ./nginx.nix
+9 -4
global/gensokyo/presets/nginx.nix
··· 3 3 pkgs, 4 4 config, 5 5 ... 6 - }: let 6 + }: 7 + let 7 8 presetConf = config.gensokyo.presets; 8 9 in 9 - lib.mkIf presetConf.nginx (lib.mkMerge [ 10 + lib.mkIf presetConf.nginx ( 11 + lib.mkMerge [ 10 12 { 11 13 services.nginx = { 12 14 enable = lib.mkDefault true; ··· 50 52 services.vmagent.prometheusConfig.scrape_configs = [ 51 53 { 52 54 job_name = "nginx"; 53 - static_configs = [{targets = ["localhost:${builtins.toString config.services.prometheus.exporters.nginx.port}"];}]; 55 + static_configs = [ 56 + { targets = [ "localhost:${builtins.toString config.services.prometheus.exporters.nginx.port}" ]; } 57 + ]; 54 58 relabel_configs = [ 55 59 { 56 60 target_label = "instance"; ··· 60 64 } 61 65 ]; 62 66 }) 63 - ]) 67 + ] 68 + )
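--- a/global/gensokyo/presets/secureboot.nix
+++ b/global/gensokyo/presets/secureboot.nix
@@ -8,13 +8,13 @@
 let
   cfg = config.gensokyo.presets;
 in
-  lib.mkIf cfg.secureboot {
-    environment.systemPackages = [pkgs.sbctl];
+lib.mkIf cfg.secureboot {
+  environment.systemPackages = [ pkgs.sbctl ];
 
-    # lanzaboote currently replaces systemd-boot, so disable that here.
-    boot.loader.systemd-boot.enable = lib.mkForce false;
-    boot.lanzaboote = {
-      enable = true;
-      pkiBundle = "/etc/secureboot";
-    };
-  }
+  # lanzaboote currently replaces systemd-boot, so disable that here.
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+  boot.lanzaboote = {
+    enable = true;
+    pkiBundle = "/etc/secureboot";
+  };
+}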
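--- a/global/gensokyo/presets/vmetrics.nix
+++ b/global/gensokyo/presets/vmetrics.nix
@@ -4,41 +4,47 @@
   config,
   _utils,
   ...
-}: let
+}:
+let
   secrets = _utils.setupSecrets config {
     namespace = "vmetrics";
-    secrets = ["auth"];
+    secrets = [ "auth" ];
   };
-in {
+in
+{
   # inb4 this causes conflicts
-  config = lib.mkIf config.gensokyo.presets.vmetrics (lib.mkMerge [
-    {
-      services.prometheus.exporters.node.enable = true;
-      services.vmagent.enable = true;
-      services.vmagent.remoteWrite.url = "https://panopticon.soopy.moe/api/v1/write";
-      services.vmagent.extraArgs = ["-remoteWrite.bearerTokenFile=%d/auth_token"];
-      services.vmagent.prometheusConfig = {
-        global.scrape_interval = "30s";
+  config = lib.mkIf config.gensokyo.presets.vmetrics (
+    lib.mkMerge [
+      {
+        services.prometheus.exporters.node.enable = true;
+        services.vmagent.enable = true;
+        services.vmagent.remoteWrite.url = "https://panopticon.soopy.moe/api/v1/write";
+        services.vmagent.extraArgs = [ "-remoteWrite.bearerTokenFile=%d/auth_token" ];
+        services.vmagent.prometheusConfig = {
+          global.scrape_interval = "30s";
 
-        scrape_configs = [
-          {
-            job_name = "node";
-            static_configs = [{targets = ["localhost:${builtins.toString config.services.prometheus.exporters.node.port}"];}];
-            relabel_configs = [
-              {
-                target_label = "instance";
-                replacement = "${hostname}.d.soopy.moe";
-              }
-            ];
-          }
+          scrape_configs = [
+            {
+              job_name = "node";
+              static_configs = [
+                { targets = [ "localhost:${builtins.toString config.services.prometheus.exporters.node.port}" ]; }
+              ];
+              relabel_configs = [
+                {
+                  target_label = "instance";
+                  replacement = "${hostname}.d.soopy.moe";
+                }
+              ];
+            }
+          ];
+        };
+
+        systemd.services.vmagent.serviceConfig.LoadCredential = [
+          "auth_token:${secrets.get "auth"}"
         ];
-      };
-
-      systemd.services.vmagent.serviceConfig.LoadCredential = [
-        "auth_token:${secrets.get "auth"}"
-      ];
-    }
+      }
 
-    secrets.generate
-  ]);
+      secrets.generate
+    ]
+  );
 }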
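Review bot: `services.prometheus.exporters.node.enable = true` on line 19 leaves the exporter on the module's default listen address, which in NixOS is `0.0.0.0`, while the only consumer visible here is the local vmagent scraping `localhost:<port>` on line 30. Unless another host scrapes it, bind it to loopback with `services.prometheus.exporters.node.listenAddress = "127.0.0.1";` — the host firewall may already block the port, but not exposing host metrics on every interface is the smaller surface. Feeding the bearer token through `LoadCredential` and `%d/auth_token` rather than a world-readable path is the right pattern and should stay. The module's argument set begins before this hunk.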
+2 -1
global/gensokyo/traits.nix
··· 1 - {lib, ...}: { 1 + { lib, ... }: 2 + { 2 3 options.gensokyo.traits = { 3 4 sensitive = lib.mkEnableOption "or selectively disable options specific to security-sensitive systems"; 4 5 gui = lib.mkEnableOption "graphical programs, related packages and modules";
+2 -1
global/gui/default.nix
··· 1 - {...}: { 1 + { ... }: 2 + { 2 3 imports = [ 3 4 ./power.nix 4 5 ./hardware.nix
+1 -1
global/gui/locale.nix
··· 4 4 ... 5 5 }: 6 6 lib.mkIf config.gensokyo.traits.gui { 7 - i18n.supportedLocales = ["all"]; 7 + i18n.supportedLocales = [ "all" ]; 8 8 }
+11 -6
global/gui/power.nix
··· 13 13 killUserProcesses = false; 14 14 }; 15 15 16 - systemd.targets = lib.genAttrs [ 17 - "sleep" 18 - "suspend" 19 - "hibernate" 20 - "hybrid-sleep" 21 - ] (_: {enable = false;}); 16 + systemd.targets = 17 + lib.genAttrs 18 + [ 19 + "sleep" 20 + "suspend" 21 + "hibernate" 22 + "hybrid-sleep" 23 + ] 24 + (_: { 25 + enable = false; 26 + }); 22 27 }
+2 -1
global/home.nix
··· 2 2 config, 3 3 inputs, 4 4 ... 5 - }: { 5 + }: 6 + { 6 7 home-manager = { 7 8 useGlobalPkgs = true; 8 9 useUserPackages = true;
+2 -1
global/programs/compat.nix
··· 1 - {...}: { 1 + { ... }: 2 + { 2 3 programs.nix-ld.enable = true; 3 4 }
+2 -1
global/programs/default.nix
··· 1 - {...}: { 1 + { ... }: 2 + { 2 3 imports = [ 3 4 ./nix 4 5
+2 -1
global/programs/editors.nix
··· 1 - {pkgs, ...}: { 1 + { pkgs, ... }: 2 + { 2 3 programs.neovim = { 3 4 enable = true; 4 5 defaultEditor = false;
+2 -1
global/programs/misc.nix
··· 1 - {pkgs, ...}: { 1 + { pkgs, ... }: 2 + { 2 3 # Miscellaneous packages that do not have an option. 3 4 # It is recommended to use packages.<package>.enable when possible. 4 5
+2 -1
global/programs/multiplexers.nix
··· 1 - {pkgs, ...}: { 1 + { pkgs, ... }: 2 + { 2 3 programs.tmux = { 3 4 enable = true; 4 5 newSession = true;
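--- a/global/programs/networking.nix
+++ b/global/programs/networking.nix
@@ -41,7 +41,7 @@
 
     {
       networking.hosts = {
-        "62.176.231.184" = ["codeberg.org"];
+        "62.176.231.184" = [ "codeberg.org" ];
       };
     }
   ]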
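Review bot: The static `networking.hosts` override pinning `codeberg.org` to `62.176.231.184` on line 44 carries no reason or date, unlike the dated entry in `ip-bans.nix`, so nobody will know when it is safe to drop; once upstream moves, HTTPS fails closed on the certificate, but SSH traffic goes to whoever is later assigned that address, protected only by the host key the client has pinned. Add `# added YYYY-MM-DD: <why the override exists>; remove once no longer needed` above the entry so it gets revisited. The list this attrset belongs to starts before the hunk.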
+3 -2
global/programs/nix/config.nix
··· 51 51 { 52 52 n.flake = inputs.nixpkgs; 53 53 } 54 - // (builtins.mapAttrs (_: flake: {inherit flake;}) 55 - (lib.filterAttrs (n: _: n != "nixpkgs") inputs)); 54 + // (builtins.mapAttrs (_: flake: { inherit flake; }) ( 55 + lib.filterAttrs (n: _: n != "nixpkgs") inputs 56 + )); 56 57 57 58 # nix-index[-database] 58 59 programs.nix-index.enable = true;
+2 -1
global/programs/nix/default.nix
··· 1 - {...}: { 1 + { ... }: 2 + { 2 3 imports = [ 3 4 ./config.nix 4 5 ./dist-builds.nix
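--- a/global/programs/nix/dist-builds.nix
+++ b/global/programs/nix/dist-builds.nix
@@ -5,16 +5,20 @@
   config,
   hostname,
   ...
-}: let
+}:
+let
   baselineFeatures = [
     "big-parallel"
     "ca-derivations"
   ];
 
-  mkBuildMachines = attr: let
-    cleanAttr = builtins.removeAttrs attr [hostname];
-  in
-    lib.mapAttrsToList (name: value:
+  mkBuildMachines =
+    attr:
+    let
+      cleanAttr = builtins.removeAttrs attr [ hostname ];
+    in
+    lib.mapAttrsToList (
+      name: value:
       {
         hostName = name + ".mist-nessie.ts.net";
 
@@ -26,11 +30,15 @@
         maxJobs = 2;
         supportedFeatures = baselineFeatures;
 
-        systems = ["i686-linux" "x86_64-linux"];
+        systems = [
+          "i686-linux"
+          "x86_64-linux"
+        ];
       }
-      // value)
-    cleanAttr;
-in {
+      // value
+    ) cleanAttr;
+in
+{
   sops.secrets.builder_key = {
     sopsFile = inputs.self + "/creds/sops/global/id_builder";
     format = "binary";
@@ -40,12 +48,15 @@
   nix.settings.builders-use-substitutes = true;
   nix.buildMachines = mkBuildMachines {
     renko = {
-      supportedFeatures = baselineFeatures ++ ["kvm" "nixos-test"];
+      supportedFeatures = baselineFeatures ++ [
+        "kvm"
+        "nixos-test"
+      ];
       speedFactor = 5;
       publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUoreGNleXA4YnRVNnd0dThpRUFKMkZ4cm5rZlBsS1M3TWFJL2xLT0ZuUDEgcm9vdEByZW5rbwo=";
     };
     nijika = {
-      systems = ["aarch64-linux"];
+      systems = [ "aarch64-linux" ];
       publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSVBsWGZ5MnMxejRIQ05oem92Rk55UzBhcCtyMEF2ZzAzNDlKeFFjMW0xaFEK";
     };
   };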
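Review bot: `sops.secrets.builder_key` on line 42 reads one shared identity from `creds/sops/global/id_builder`, so every host able to decrypt the global secrets holds the same SSH key that the builders on lines 50-61 accept; compromise of any one of them yields build access to renko and nijika, and rotating the key means touching every host at once. If that is deliberate, a comment on the secret saying so (and what the builder account on the remote side may do) would help; otherwise a per-host key under `creds/sops/<host>/`, which the `mkHost` rules in `.sops.nix` already scope, limits the blast radius. Pinning `publicHostKey` for each builder is good and should stay. `mkBuildMachines` is split across the first two hunks, and the rest of the `builder_key` attrset sits in the gap before line 48.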
+2 -1
global/programs/scm.nix
··· 1 - {pkgs, ...}: { 1 + { pkgs, ... }: 2 + { 2 3 programs.git = { 3 4 enable = true; 4 5 config = {
+2 -1
global/programs/security/crypto.nix
··· 1 1 # crypto stands for cryptography, not cryptocurrency 2 - {pkgs, ...}: { 2 + { pkgs, ... }: 3 + { 3 4 environment.systemPackages = with pkgs; [ 4 5 gnupg 5 6 pinentry
+2 -1
global/programs/security/default.nix
··· 1 - {...}: { 1 + { ... }: 2 + { 2 3 imports = [ 3 4 ./crypto.nix 4 5 ./sudo.nix
+2 -1
global/programs/security/firewall.nix
··· 1 - {...}: { 1 + { ... }: 2 + { 2 3 imports = [ 3 4 ./ip-bans.nix 4 5 ];
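--- a/global/programs/security/ip-bans.nix
+++ b/global/programs/security/ip-bans.nix
@@ -1,10 +1,18 @@
-{lib, ...}: let
+{ lib, ... }:
+let
   banned = {
     ip = [
       "156.229.232.142" # added 2025-04-10: minecraft server scanner with 30m intervals
     ];
-    ip6 = [];
+    ip6 = [ ];
   };
-in {
-  networking.firewall.extraCommands = builtins.concatStringsSep "\n" (lib.flatten (lib.mapAttrsToList (family: ips: builtins.map (ip: "${family}tables -w -I INPUT -s ${ip} -j DROP") ips) banned));
+in
+{
+  networking.firewall.extraCommands = builtins.concatStringsSep "\n" (
+    lib.flatten (
+      lib.mapAttrsToList (
+        family: ips: builtins.map (ip: "${family}tables -w -I INPUT -s ${ip} -j DROP") ips
+      ) banned
+    )
+  );
 }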
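Review bot: The DROP rules built on line 14 are inserted into INPUT with `-I` every time the firewall unit starts or reloads, and nothing deletes them, so each reload appears to stack another copy of every rule (as far as I can tell the NixOS stop script only tears down its own nixos-fw chains, not rules added directly to INPUT). Pair `extraCommands` with an `extraStopCommands` that issues the matching `-D` for the same list, tolerating an absent rule so the stop path does not fail. The list also only takes effect with the iptables backend — `extraCommands` is rejected when `networking.nftables.enable` is set — which is worth a comment on `banned`. Generating both lists from one helper keeps them in sync:
```nix
# … unchanged: banned …
  # Rules apply only with the iptables backend; extraCommands is unsupported under networking.nftables.
  mkRules =
    rule:
    builtins.concatStringsSep "\n" (
      lib.flatten (lib.mapAttrsToList (family: ips: map (rule family) ips) banned)
    );
in
{
  networking.firewall.extraCommands = mkRules (family: ip: "${family}tables -w -I INPUT -s ${ip} -j DROP");
  # Remove the same rules on stop/reload so restarts do not leave duplicates in INPUT.
  networking.firewall.extraStopCommands = mkRules (
    family: ip: "${family}tables -w -D INPUT -s ${ip} -j DROP 2>/dev/null || true"
  );
}
```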
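--- a/global/programs/security/sudo.nix
+++ b/global/programs/security/sudo.nix
@@ -1,6 +1,7 @@
-{pkgs, ...}: {
+{ pkgs, ... }:
+{
   security.sudo.extraConfig = ''
     Defaults insults
   '';
-  security.sudo.package = pkgs.sudo.override {withInsults = true;};
+  security.sudo.package = pkgs.sudo.override { withInsults = true; };
 }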
+2 -1
global/programs/shells.nix
··· 1 - {pkgs, ...}: { 1 + { pkgs, ... }: 2 + { 2 3 users.defaultUserShell = pkgs.zsh; 3 4 programs.zsh = { 4 5 enable = true;
+8 -3
global/programs/ssh.nix
··· 1 - {config, ...}: let 1 + { config, ... }: 2 + let 2 3 nixos = config.system.nixos; 3 - in { 4 + in 5 + { 4 6 # Enable the OpenSSH daemon. 5 7 services.openssh = { 6 8 enable = true; ··· 30 32 31 33 programs.ssh = { 32 34 startAgent = true; 33 - pubkeyAcceptedKeyTypes = ["ssh-ed25519" "sk-ssh-ed25519@openssh.com"]; 35 + pubkeyAcceptedKeyTypes = [ 36 + "ssh-ed25519" 37 + "sk-ssh-ed25519@openssh.com" 38 + ]; 34 39 # enableAskPassword = true; 35 40 36 41 extraConfig = ''
+5 -3
global/programs/system-manager/default.nix
··· 3 3 config, 4 4 lib, 5 5 ... 6 - }: let 6 + }: 7 + let 7 8 types = lib.types; 8 9 cfg = config.gensokyo.system-manager; 9 - in { 10 + in 11 + { 10 12 options.gensokyo.system-manager = { 11 13 enable = lib.mkEnableOption "a shortcut to manage the system no matter where you are (in the system)"; 12 14 flakeLocation = lib.mkOption { ··· 17 19 18 20 config = lib.mkIf cfg.enable { 19 21 environment.systemPackages = [ 20 - (pkgs.callPackage ./package.nix {inherit (cfg) flakeLocation;}) 22 + (pkgs.callPackage ./package.nix { inherit (cfg) flakeLocation; }) 21 23 ]; 22 24 }; 23 25 }
+1 -1
global/programs/system-manager/package.nix
··· 8 8 meta = { 9 9 description = "A shortcut to run `just` in the local system flake directory."; 10 10 license = lib.licenses.cc0; 11 - maintainers = with lib.maintainers; [soopyc]; 11 + maintainers = with lib.maintainers; [ soopyc ]; 12 12 }; 13 13 14 14 # we could make this more robust by not using `just` and (hardcode?) commands in, but this is by far the easiest
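--- a/global/sops.nix
+++ b/global/sops.nix
@@ -2,7 +2,8 @@
   hostname,
   inputs,
   ...
-}: {
-  sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+}:
+{
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
   sops.defaultSopsFile = "${inputs.self}/creds/sops/${hostname}/default.yaml";
 }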
+2 -1
global/upgrade-diff.nix
··· 3 3 lib, 4 4 pkgs, 5 5 ... 6 - }: { 6 + }: 7 + { 7 8 system.activationScripts.diff = { 8 9 supportsDryActivation = true; 9 10 text = ''
+81 -55
global/utils.nix
··· 7 7 inputs, 8 8 system, 9 9 ... 10 - }: let 10 + }: 11 + let 11 12 pkgs = inputs.nixpkgs.legacyPackages.${system}; 12 13 lib = pkgs.lib; 13 - in rec { 14 - mkVhost = opts: 14 + in 15 + rec { 16 + mkVhost = 17 + opts: 15 18 lib.mkMerge [ 16 19 { 17 20 forceSSL = lib.mkDefault true; ··· 44 47 opts 45 48 ]; 46 49 47 - mkSimpleProxy = { 48 - protocol ? "http", 49 - host ? "localhost", 50 - port ? null, 51 - socketPath ? null, 52 - location ? "/", 53 - websockets ? false, 54 - extraConfig ? {}, 55 - }: 56 - assert lib.assertMsg (port != null || socketPath != null) "one of port or socketPath must be specified"; 50 + mkSimpleProxy = 51 + { 52 + protocol ? "http", 53 + host ? "localhost", 54 + port ? null, 55 + socketPath ? null, 56 + location ? "/", 57 + websockets ? false, 58 + extraConfig ? { }, 59 + }: 60 + assert lib.assertMsg ( 61 + port != null || socketPath != null 62 + ) "one of port or socketPath must be specified"; 57 63 # i dislike logic gates 58 - assert lib.assertMsg (!(port != null && socketPath != null)) "only one of port or socketPath may be specified at the same time"; 59 - assert lib.assertMsg (socketPath != null -> host == "localhost") "setting host has no effect when socketPath is set"; 64 + assert lib.assertMsg ( 65 + !(port != null && socketPath != null) 66 + ) "only one of port or socketPath may be specified at the same time"; 67 + assert lib.assertMsg ( 68 + socketPath != null -> host == "localhost" 69 + ) "setting host has no effect when socketPath is set"; 60 70 assert lib.assertMsg (port != null -> builtins.isInt port) "port must be an integer if specified"; 61 - mkVhost (lib.mkMerge [ 71 + mkVhost ( 72 + lib.mkMerge [ 62 73 extraConfig 63 74 { 64 75 locations."${location}" = { 65 76 proxyPass = 66 77 "${protocol}://" 67 - + ( 68 - if (socketPath == null) 69 - then "${host}:${builtins.toString port}" 70 - else "unix:${socketPath}" 71 - ); 78 + + (if (socketPath == null) then "${host}:${builtins.toString port}" else "unix:${socketPath}"); 72 
79 proxyWebsockets = websockets; 73 80 }; 74 81 } 75 - ]); 82 + ] 83 + ); 76 84 77 - setupSecrets = _config: { 78 - namespace ? (lib.warn "secret namespace left as default, which is empty. it is encouraged to set a namespace for easier secret management. to override, explicitly set this to an empty value." ""), 79 - secrets, 80 - config ? {}, 81 - }: let 82 - _r_ns = namespace + lib.optionalString (lib.stringLength namespace != 0) "/"; 83 - check = path: 84 - assert lib.assertMsg (lib.elem path secrets) 85 - "secret path `${path}` is not defined in namespace `${namespace}`. (resolved to: ${_r_ns namespace}/${path})"; path; 86 - getRealPath = path: _r_ns + check path; 87 - in 85 + setupSecrets = 86 + _config: 87 + { 88 + namespace ? ( 89 + lib.warn "secret namespace left as default, which is empty. it is encouraged to set a namespace for easier secret management. to override, explicitly set this to an empty value." "" 90 + ), 91 + secrets, 92 + config ? { }, 93 + }: 94 + let 95 + _r_ns = namespace + lib.optionalString (lib.stringLength namespace != 0) "/"; 96 + check = 97 + path: 98 + assert lib.assertMsg (lib.elem path secrets) 99 + "secret path `${path}` is not defined in namespace `${namespace}`. 
(resolved to: ${_r_ns namespace}/${path})"; 100 + path; 101 + getRealPath = path: _r_ns + check path; 102 + in 88 103 builtins.addErrorContext "while setting up secrets with namespace ${namespace}" { 89 - generate = {sops.secrets = genSecrets namespace secrets config;}; # i love trolling 104 + generate = { 105 + sops.secrets = genSecrets namespace secrets config; 106 + }; # i love trolling 90 107 get = path: _config.sops.secrets.${getRealPath path}.path; 91 108 92 109 placeholder = path: _config.sops.placeholder.${getRealPath path}; 93 110 getTemplate = file: _config.sops.templates.${file}.path; 94 - mkTemplate = file: content: 111 + mkTemplate = 112 + file: content: 95 113 builtins.addErrorContext "while generating sops template ${file}" { 96 - sops.templates.${file} = 97 - {inherit content;} // (builtins.removeAttrs config ["content"]); 114 + sops.templates.${file} = { 115 + inherit content; 116 + } // (builtins.removeAttrs config [ "content" ]); 98 117 # // (lib.optionalAttrs (builtins.hasAttr "owner" config) {inherit (config) owner;}) 99 118 # // (lib.optionalAttrs (builtins.hasAttr "group" config) {inherit (config) group;}); 100 119 }; 101 120 }; 102 121 103 - genSecrets = namespace: files: value: 104 - lib.genAttrs ( 105 - map (x: namespace + lib.optionalString (lib.stringLength namespace != 0) "/" + x) files 106 - ) (_: value); 122 + genSecrets = 123 + namespace: files: value: 124 + lib.genAttrs (map ( 125 + x: namespace + lib.optionalString (lib.stringLength namespace != 0) "/" + x 126 + ) files) (_: value); 107 127 108 - mkNginxFile = { 109 - filename ? "index.html", 110 - content, 111 - }: 128 + mkNginxFile = 129 + { 130 + filename ? 
"index.html", 131 + content, 132 + }: 112 133 builtins.addErrorContext "while creating a static nginx file $(unknown)" ( 113 134 let 114 - contentDir = assert lib.assertMsg (builtins.typeOf content == "string") 115 - "content must be a string, got `${builtins.typeOf content}`"; 135 + contentDir = 136 + assert lib.assertMsg ( 137 + builtins.typeOf content == "string" 138 + ) "content must be a string, got `${builtins.typeOf content}`"; 116 139 builtins.toString (pkgs.writeTextDir filename content) + "/"; 117 - in { 140 + in 141 + { 118 142 alias = contentDir; 119 143 tryFiles = "$(unknown) =500"; # if it can't find the file something has gone wrong. 120 144 } 121 145 ); 122 146 123 - mkNginxJSON = filename: attrset: 147 + mkNginxJSON = 148 + filename: attrset: 124 149 builtins.addErrorContext "while creating a static nginx JSON file $(unknown)" ( 125 - assert lib.assertMsg (builtins.typeOf attrset == "set") 126 - "expected argument type `set`, got `${builtins.typeOf attrset}` instead."; 127 - mkNginxFile { 128 - inherit filename; 129 - content = builtins.toJSON attrset; 130 - } 150 + assert lib.assertMsg ( 151 + builtins.typeOf attrset == "set" 152 + ) "expected argument type `set`, got `${builtins.typeOf attrset}` instead."; 153 + mkNginxFile { 154 + inherit filename; 155 + content = builtins.toJSON attrset; 156 + } 131 157 ); 132 158 }
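Review bot: The assertion message on new line 99 interpolates `${_r_ns namespace}`, but `_r_ns` (line 95) is a string, not a function, so the moment a caller asks for a secret that is not in `secrets` the message itself fails with "attempt to call something which is not a function" and hides the useful error — `lib.assertMsg` only forces the message when the predicate is false, which is why this never shows up on the happy path. `_r_ns` already carries the trailing slash, so the line should read `(resolved to: ${_r_ns}${path})`. The `rec` attrset opens at line 15 but the file's argument set begins before this hunk.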
+3 -2
nix/checks.nix
··· 1 1 { 2 2 inputs, 3 3 pkgs, 4 - }: { 4 + }: 5 + { 5 6 deadcode = pkgs.stdenvNoCC.mkDerivation { 6 7 name = "deadcode_check"; 7 8 src = inputs.self; 8 9 dontPatch = true; 9 10 dontConfigure = true; 10 11 11 - buildInputs = with pkgs; [deadnix]; 12 + buildInputs = with pkgs; [ deadnix ]; 12 13 buildPhase = '' 13 14 set -euo pipefail 14 15
+2 -1
nix/devshell.nix
··· 1 - {pkgs, ...}: { 1 + { pkgs, ... }: 2 + { 2 3 default = pkgs.mkShellNoCC { 3 4 packages = [ 4 5 pkgs.nixos-rebuild
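--- a/nix/treefmt.nix
+++ b/nix/treefmt.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
   projectRootFile = "flake.nix";
-  programs.alejandra.enable = true;
+  programs.nixfmt.enable = true;
 }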
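Review bot: `programs.nixfmt.enable = true` on line 4 replaces alejandra, and because `checks.formatting` in flake.nix runs treefmt's check over the whole tree, whichever nixfmt binary treefmt-nix resolves now gates CI; depending on the pinned treefmt-nix revision that has been either classic nixfmt or `nixfmt-rfc-style`, and the layout in this commit is the RFC 166 style. Pin it so an input bump cannot silently flip the formatter and fail the check on every file: take `pkgs` in the argument set and add `programs.nixfmt.package = pkgs.nixfmt-rfc-style;`. A one-line comment such as `# RFC 166 style nixfmt; package pinned so treefmt-nix updates cannot change the formatter` would record the intent.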
+8 -5
systems/default.nix
··· 2 2 lib, 3 3 inputs, 4 4 ... 5 - }: let 5 + }: 6 + let 6 7 utils = import ../global/utils.nix; 7 8 8 - mkSystem = hostname: system: 9 + mkSystem = 10 + hostname: system: 9 11 lib.nixosSystem { 10 12 specialArgs = { 11 13 inherit inputs; 12 14 13 15 hostname = hostname; 14 - _utils = utils {inherit inputs system;}; 16 + _utils = utils { inherit inputs system; }; 15 17 }; 16 18 17 19 modules = [ ··· 20 22 ./${hostname}/hardware-configuration.nix 21 23 22 24 { 23 - home-manager.extraSpecialArgs = {inherit inputs;}; 25 + home-manager.extraSpecialArgs = { inherit inputs; }; 24 26 networking.hostName = hostname; 25 27 nixpkgs.hostPlatform = lib.mkDefault system; # ensure we detect conflicts 26 28 } 27 29 ]; 28 30 }; 29 - in { 31 + in 32 + { 30 33 koumakan = mkSystem "koumakan" "x86_64-linux"; 31 34 satori = mkSystem "satori" "x86_64-linux"; 32 35 renko = mkSystem "renko" "x86_64-linux";
+2 -1
systems/kita/certificates/default.nix
··· 1 - {...}: { 1 + { ... }: 2 + { 2 3 imports = [ 3 4 ./mail.nix 4 5 ./web.nix
+2 -1
systems/kita/certificates/mail.nix
··· 1 - {config, ...}: { 1 + { config, ... }: 2 + { 2 3 security.acme.certs."kita.c.soopy.moe" = { 3 4 group = config.services.maddy.group; 4 5 extraLegoRenewFlags = [
+2 -1
systems/kita/certificates/web.nix
··· 1 - {...}: { 1 + { ... }: 2 + { 2 3 security.acme.certs."kita-web.c.soopy.moe" = { 3 4 group = "nginx"; 4 5 extraDomainNames = [
+2 -1
systems/kita/configuration.nix
··· 1 - {...}: { 1 + { ... }: 2 + { 2 3 imports = [ 3 4 ./certificates 4 5 ./services
+10 -4
systems/kita/hardware-configuration.nix
··· 1 - {modulesPath, ...}: { 2 - imports = [(modulesPath + "/profiles/qemu-guest.nix")]; 1 + { modulesPath, ... }: 2 + { 3 + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; 3 4 boot.loader.grub.device = "/dev/sda"; 4 - boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi"]; 5 - boot.initrd.kernelModules = ["nvme"]; 5 + boot.initrd.availableKernelModules = [ 6 + "ata_piix" 7 + "uhci_hcd" 8 + "xen_blkfront" 9 + "vmw_pvscsi" 10 + ]; 11 + boot.initrd.kernelModules = [ "nvme" ]; 6 12 fileSystems."/" = { 7 13 device = "/dev/sda1"; 8 14 fsType = "ext4";
+2 -1
systems/kita/networking.nix
··· 1 - {lib, ...}: { 1 + { lib, ... }: 2 + { 2 3 # This file was populated at runtime with the networking 3 4 # details gathered from the active system. 4 5 networking = {
+2 -1
systems/kita/services/default.nix
··· 1 - {...}: { 1 + { ... }: 2 + { 2 3 imports = [ 3 4 ./fallback_page 4 5 ./mail
+2 -1
systems/kita/services/dns.nix
··· 1 - {...}: { 1 + { ... }: 2 + { 2 3 services.pdns-recursor = { 3 4 enable = true; 4 5
+3 -2
systems/kita/services/fallback_page/default.nix
··· 2 2 pkgs, 3 3 _utils, 4 4 ... 5 - }: { 5 + }: 6 + { 6 7 services.nginx.virtualHosts."_" = _utils.mkVhost { 7 8 useACMEHost = "kita-web.c.soopy.moe"; 8 9 default = true; 9 10 10 11 locations."/" = { 11 - root = pkgs.callPackage ./package.nix {}; 12 + root = pkgs.callPackage ./package.nix { }; 12 13 tryFiles = "$uri $uri/index.html $uri.html =404"; 13 14 }; 14 15 };
+1 -1
systems/kita/services/fallback_page/package.nix
··· 1 - {stdenvNoCC}: 1 + { stdenvNoCC }: 2 2 stdenvNoCC.mkDerivation (final: { 3 3 name = "kita-landing"; 4 4 src = ./.;
+5 -3
systems/kita/services/gatus.nix
··· 2 2 _utils, 3 3 config, 4 4 ... 5 - }: let 5 + }: 6 + let 6 7 mkHttpEndpoint = name: group: url: { 7 8 inherit name url group; 8 9 enabled = true; ··· 12 13 "[CONNECTED] == true" 13 14 ]; 14 15 }; 15 - in { 16 + in 17 + { 16 18 services.gatus = { 17 19 enable = true; 18 20 settings = { ··· 34 36 endpoints = [ 35 37 (mkHttpEndpoint "Main Site" "core" "https://soopy.moe") 36 38 37 - (mkHttpEndpoint "Gateway (Kanidm)" "koumakan" "https://gateway.soopy.moe" // {enabled = false;}) # TODO 39 + (mkHttpEndpoint "Gateway (Kanidm)" "koumakan" "https://gateway.soopy.moe" // { enabled = false; }) # TODO 38 40 (mkHttpEndpoint "Patchy (Forgejo)" "koumakan" "https://patchy.soopy.moe") 39 41 (mkHttpEndpoint "Suika (Grafana)" "koumakan" "https://suika.soopy.moe/login") 40 42 (mkHttpEndpoint "Nue (Synapse)" "koumakan" "https://nue.soopy.moe/health")
+2 -1
systems/kita/services/mail/default.nix
··· 1 - {...}: { 1 + { ... }: 2 + { 2 3 imports = [ 3 4 ./roundcube.nix 4 5
+2 -1
systems/kita/services/mail/maddy.nix
··· 1 - {config, ...}: { 1 + { config, ... }: 2 + { 2 3 services.maddy = { 3 4 enable = true; 4 5 hostname = "mx2.soopy.moe";
+2 -1
systems/kita/services/mail/mta-sts.nix
··· 1 1 # mail-transfer-agent strict transport security policy 2 - {_utils, ...}: { 2 + { _utils, ... }: 3 + { 3 4 services.nginx.virtualHosts."mta-sts.soopy.moe" = _utils.mkVhost { 4 5 useACMEHost = "kita-web.c.soopy.moe"; 5 6
+9 -3
systems/kita/services/mail/roundcube.nix
··· 2 2 pkgs, 3 3 _utils, 4 4 ... 5 - }: { 5 + }: 6 + { 6 7 services.roundcube = { 7 8 enable = true; 8 - package = pkgs.roundcube.withPlugins (plugins: with plugins; [carddav contextmenu]); 9 - dicts = with pkgs.aspellDicts; [en]; 9 + package = pkgs.roundcube.withPlugins ( 10 + plugins: with plugins; [ 11 + carddav 12 + contextmenu 13 + ] 14 + ); 15 + dicts = with pkgs.aspellDicts; [ en ]; 10 16 hostName = "webmail.soopy.moe"; 11 17 12 18 extraConfig = ''
+9 -9
systems/kita/services/mail/rspamd.nix
··· 2 2 config, 3 3 _utils, 4 4 ... 5 - }: let 5 + }: 6 + let 6 7 secrets = _utils.setupSecrets config { 7 8 namespace = "rspamd"; 8 - secrets = ["controller_passwd"]; 9 + secrets = [ "controller_passwd" ]; 9 10 config.owner = config.users.users.rspamd.name; 10 11 }; 11 - in { 12 + in 13 + { 12 14 imports = [ 13 15 secrets.generate 14 - ( 15 - secrets.mkTemplate "rspamd-controller-pwd.inc" '' 16 - password = "${secrets.placeholder "controller_passwd"}"; 17 - '' 18 - ) 16 + (secrets.mkTemplate "rspamd-controller-pwd.inc" '' 17 + password = "${secrets.placeholder "controller_passwd"}"; 18 + '') 19 19 ]; 20 20 services.rspamd = { 21 21 enable = true; ··· 39 39 .include(try=false; priority=10) "${secrets.getTemplate "rspamd-controller-pwd.inc"}" 40 40 ''; 41 41 42 - workers."normal".bindSockets = ["127.0.0.1:11333"]; 42 + workers."normal".bindSockets = [ "127.0.0.1:11333" ]; 43 43 }; 44 44 45 45 services.redis.servers.rspamd.enable = true;
+3 -2
systems/kita/services/postgresql.nix
··· 1 - {pkgs, ...}: { 1 + { pkgs, ... }: 2 + { 2 3 services.postgresql = { 3 4 enable = true; 4 5 package = pkgs.postgresql_16; # we like to specify a package so we know what we're using. ··· 8 9 ensureDBOwnership = true; 9 10 } 10 11 ]; 11 - ensureDatabases = ["maildb"]; 12 + ensureDatabases = [ "maildb" ]; 12 13 }; 13 14 }
+2 -1
systems/kita/services/radicale.nix
··· 1 - {_utils, ...}: { 1 + { _utils, ... }: 2 + { 2 3 services.radicale = { 3 4 enable = true; 4 5 settings = {
+2 -1
systems/koumakan/administration/default.nix
··· 1 - {...}: { 1 + { ... }: 2 + { 2 3 imports = [ 3 4 ./telemetry.nix 4 5 ];
+2 -1
systems/koumakan/administration/telemetry.nix
··· 1 - {...}: { 1 + { ... }: 2 + { 2 3 services.prometheus.exporters = { 3 4 node = { 4 5 enable = true;
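--- a/systems/koumakan/certificates/breezewiki.nix
+++ b/systems/koumakan/certificates/breezewiki.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 # Certificate for breezewiki
 security.acme.certs."bw.c.soopy.moe" = {
 group = "nginx";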
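--- a/systems/koumakan/certificates/bsky-pds.nix
+++ b/systems/koumakan/certificates/bsky-pds.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 # Certificate for fedi services
 security.acme.certs."bsky.c.soopy.moe" = {
 group = "nginx";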
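--- a/systems/koumakan/certificates/default.nix
+++ b/systems/koumakan/certificates/default.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 imports = [
 ./global.nix
 ./postgresql.nix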
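--- a/systems/koumakan/certificates/fediverse.nix
+++ b/systems/koumakan/certificates/fediverse.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 # Certificate for fedi services
 security.acme.certs."fedi.c.soopy.moe" = {
 group = "nginx";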
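--- a/systems/koumakan/certificates/global.nix
+++ b/systems/koumakan/certificates/global.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 # Global certificate
 security.acme.certs."global.c.soopy.moe" = {
 group = "nginx";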
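--- a/systems/koumakan/certificates/postgresql.nix
+++ b/systems/koumakan/certificates/postgresql.nix
@@ -1,4 +1,5 @@
-{config, ...}: {
+{ config, ... }:
+{
 # PostgreSQL only certificate
 security.acme.certs."phant.soopy.moe" = {
 group = "postgres";
@@ -9,12 +10,14 @@
 
 # https://nixos.org/manual/nixos/stable/#module-security-acme-root-owned
 systemd.services.postgresql = {
-requires = ["acme-finished-phant.soopy.moe.target"];
-serviceConfig.LoadCredential = let
-certDir = config.security.acme.certs."phant.soopy.moe".directory;
-in [
-"cert.pem:${certDir}/cert.pem"
-"key.pem:${certDir}/key.pem"
-];
+requires = [ "acme-finished-phant.soopy.moe.target" ];
+serviceConfig.LoadCredential =
+let
+certDir = config.security.acme.certs."phant.soopy.moe".directory;
+in
+[
+"cert.pem:${certDir}/cert.pem"
+"key.pem:${certDir}/key.pem"
+];
 };
 }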
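--- a/systems/koumakan/configuration.nix
+++ b/systems/koumakan/configuration.nix
@@ -1,4 +1,5 @@
-{inputs, ...}: {
+{ inputs, ... }:
+{
 imports = [
 inputs.mystia.nixosModules.fixups
 inputs.mystia.nixosModules.vmauth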
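--- a/systems/koumakan/hardware-configuration.nix
+++ b/systems/koumakan/hardware-configuration.nix
@@ -6,15 +6,24 @@
 lib,
 modulesPath,
 ...
-}: {
+}:
+{
 imports = [
 (modulesPath + "/installer/scan/not-detected.nix")
 ];
 
-boot.initrd.availableKernelModules = ["xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod"];
-boot.initrd.kernelModules = [];
-boot.kernelModules = ["kvm-intel"];
-boot.extraModulePackages = [];
+boot.initrd.availableKernelModules = [
+"xhci_pci"
+"ehci_pci"
+"ahci"
+"usbhid"
+"usb_storage"
+"sd_mod"
+"sr_mod"
+];
+boot.initrd.kernelModules = [ ];
+boot.kernelModules = [ "kvm-intel" ];
+boot.extraModulePackages = [ ];
 
 fileSystems."/" = {
 device = "/dev/disk/by-uuid/738969fe-b2a0-4fa1-9ac5-69f2a25536e7";
@@ -24,11 +33,14 @@
 fileSystems."/boot" = {
 device = "/dev/disk/by-uuid/62FD-C60A";
 fsType = "vfat";
-options = ["fmask=0022" "dmask=0022"];
+options = [
+"fmask=0022"
+"dmask=0022"
+];
 };
 
 swapDevices = [
-{device = "/dev/disk/by-uuid/902b902d-3486-49de-9a58-7a079c9a090d";}
+{ device = "/dev/disk/by-uuid/902b902d-3486-49de-9a58-7a079c9a090d"; }
 ];
 
 # Enables DHCP on each ethernet and wireless interface. In case of scripted networking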
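--- a/systems/koumakan/networking/cjdns.nix
+++ b/systems/koumakan/networking/cjdns.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 services.cjdns = {
 enable = true;
 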
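--- a/systems/koumakan/networking/default.nix
+++ b/systems/koumakan/networking/default.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 imports = [
 ./firewall.nix
 ./interface.nix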
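--- a/systems/koumakan/networking/firewall.nix
+++ b/systems/koumakan/networking/firewall.nix
@@ -1,4 +1,5 @@
-{lib, ...}: {
+{ lib, ... }:
+{
 networking.firewall = {
 enable = true;
 allowedTCPPorts = [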
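--- a/systems/koumakan/networking/interface.nix
+++ b/systems/koumakan/networking/interface.nix
@@ -1,3 +1,4 @@
-{...}: {
+{ ... }:
+{
 networking.networkmanager.ethernet.macAddress = "stable";
 }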
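--- a/systems/koumakan/security/default.nix
+++ b/systems/koumakan/security/default.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 imports = [
 ./pam.nix
 ];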
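--- a/systems/koumakan/security/pam.nix
+++ b/systems/koumakan/security/pam.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 security.pam.yubico = {
 enable = true;
 id = "91582";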
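--- a/systems/koumakan/services/anubis.nix
+++ b/systems/koumakan/services/anubis.nix
@@ -2,14 +2,14 @@
 lib,
 config,
 ...
-}: {
-assertions =
-lib.mapAttrsToList (k: v: {
-# assertion = v.settings.METRICS_BIND_NETWORK == "tcp" -> !builtins.isNull (builtins.match "127.0.0.1:.*" v.settings.METRICS_BIND);
-assertion = !builtins.isNull (builtins.match "^127.0.0.1:17[[:digit:]]\{3\}$" v.settings.METRICS_BIND); # stricter
-message = "koumakan-internal(anubis `${k}`): settings.METRICS_BIND must be in the form `127.0.0.1:17xxx`";
-})
-config.services.anubis.instances;
+}:
+{
+assertions = lib.mapAttrsToList (k: v: {
+# assertion = v.settings.METRICS_BIND_NETWORK == "tcp" -> !builtins.isNull (builtins.match "127.0.0.1:.*" v.settings.METRICS_BIND);
+assertion =
+!builtins.isNull (builtins.match "^127.0.0.1:17[[:digit:]]\{3\}$" v.settings.METRICS_BIND); # stricter
+message = "koumakan-internal(anubis `${k}`): settings.METRICS_BIND must be in the form `127.0.0.1:17xxx`";
+}) config.services.anubis.instances;
 
 # neither VM nor Prom supports scraping unix domain sockets and i currently cba writing a custom scraper for it
 # prom: https://github.com/prometheus/prometheus/issues/12024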
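--- a/systems/koumakan/services/arion/breezewiki.nix
+++ b/systems/koumakan/services/arion/breezewiki.nix
@@ -1,9 +1,10 @@
-{_utils, ...}: {
+{ _utils, ... }:
+{
 virtualisation.arion.projects.breezewiki.settings = {
 services.breezewiki = {
 service = {
 image = "quay.io/pussthecatorg/breezewiki";
-ports = ["127.0.0.1:35612:10416"];
+ports = [ "127.0.0.1:35612:10416" ];
 environment = {
 bw_canonical_origin = "https://bw.soopy.moe";
 bw_log_outgoing = "false";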
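--- a/systems/koumakan/services/arion/default.nix
+++ b/systems/koumakan/services/arion/default.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 imports = [
 ./breezewiki.nix
 ./pixivfe.nix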
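--- a/systems/koumakan/services/arion/pixivfe.nix
+++ b/systems/koumakan/services/arion/pixivfe.nix
@@ -3,12 +3,14 @@
 config,
 lib,
 ...
-}: let
+}:
+let
 secrets = _utils.setupSecrets config {
 namespace = "pixivfe";
-secrets = ["token"];
+secrets = [ "token" ];
 };
-in {
+in
+{
 imports = [
 secrets.generate
 (secrets.mkTemplate "pixivfe.env" ''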
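--- a/systems/koumakan/services/ci/default.nix
+++ b/systems/koumakan/services/ci/default.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 imports = [
 ./hydra
 ];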
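--- a/systems/koumakan/services/ci/hydra/default.nix
+++ b/systems/koumakan/services/ci/hydra/default.nix
@@ -5,7 +5,8 @@
 config,
 lib,
 ...
-}: let
+}:
+let
 secrets = _utils.setupSecrets config {
 namespace = "hydra";
 secrets = [
@@ -22,12 +23,13 @@
 
 webhookScript = pkgs.writeShellApplication {
 name = "hydra-webhook";
-runtimeInputs = with pkgs; [xh];
+runtimeInputs = with pkgs; [ xh ];
 text = ''
 xh :8000 @"$1"
 '';
 };
-in {
+in
+{
 imports = [
 secrets.generate
 (secrets.mkTemplate "hydra-s3-creds" ''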
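--- a/systems/koumakan/services/databases/default.nix
+++ b/systems/koumakan/services/databases/default.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 imports = [
 ./postgresql.nix
 ./redis.nix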
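--- a/systems/koumakan/services/databases/postgresql.nix
+++ b/systems/koumakan/services/databases/postgresql.nix
@@ -2,7 +2,8 @@
 pkgs,
 lib,
 ...
-}: {
+}:
+{
 services.postgresql = {
 enable = true;
 
@@ -18,27 +19,29 @@
 host all all ::1/128 scram-sha-256
 '';
 
-settings = let
-credsDir = "/run/credentials/postgresql.service";
-in {
-listen_addresses = pkgs.lib.mkForce "*";
-max_connections = 200;
-password_encryption = "scram-sha-256";
+settings =
+let
+credsDir = "/run/credentials/postgresql.service";
+in
+{
+listen_addresses = pkgs.lib.mkForce "*";
+max_connections = 200;
+password_encryption = "scram-sha-256";
 
-log_line_prefix = "%m [%p] %h ";
-ssl = "on";
-ssl_cert_file = "${credsDir}/cert.pem";
-ssl_key_file = "${credsDir}/key.pem";
+log_line_prefix = "%m [%p] %h ";
+ssl = "on";
+ssl_cert_file = "${credsDir}/cert.pem";
+ssl_key_file = "${credsDir}/key.pem";
 
-log_hostname = true;
-datestyle = "iso, dmy";
-log_timezone = "Asia/Hong_Kong";
-timezone = "Asia/Hong_Kong";
-default_text_search_config = "pg_catalog.english";
+log_hostname = true;
+datestyle = "iso, dmy";
+log_timezone = "Asia/Hong_Kong";
+timezone = "Asia/Hong_Kong";
+default_text_search_config = "pg_catalog.english";
 
-max_wal_size = "2GB";
-min_wal_size = "80MB";
-};
+max_wal_size = "2GB";
+min_wal_size = "80MB";
+};
 };
 
 users.users.postgres.useDefaultShell = lib.mkForce false;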
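--- a/systems/koumakan/services/databases/redis.nix
+++ b/systems/koumakan/services/databases/redis.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 services.redis.servers."" = {
 enable = true;
 };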
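--- a/systems/koumakan/services/default.nix
+++ b/systems/koumakan/services/default.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 imports = [
 ./nginx.nix
 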
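--- a/systems/koumakan/services/fediverse/bsky-pds.nix
+++ b/systems/koumakan/services/fediverse/bsky-pds.nix
@@ -4,7 +4,8 @@
 config,
 _utils,
 ...
-}: let
+}:
+let
 secrets = _utils.setupSecrets config {
 namespace = "pds";
 secrets = [
@@ -13,8 +14,9 @@
 ];
 config.owner = config.services.bsky-pds.user;
 };
-in {
-imports = [secrets.generate];
+in
+{
+imports = [ secrets.generate ];
 services.bsky-pds = {
 enable = true;
 package = inputs.mystia.packages.${pkgs.system}.bsky-pds;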
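--- a/systems/koumakan/services/fediverse/default.nix
+++ b/systems/koumakan/services/fediverse/default.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 imports = [
 ./writefreely.nix
 ./bsky-pds.nix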
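--- a/systems/koumakan/services/fediverse/writefreely.nix
+++ b/systems/koumakan/services/fediverse/writefreely.nix
@@ -5,7 +5,8 @@
 # inputs,
 # pkgs,
 ...
-}: {
+}:
+{
 services.writefreely = {
 enable = true;
 # package = inputs.nixpkgs-wf.legacyPackages.${pkgs.system}.writefreely;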
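--- a/systems/koumakan/services/feeds/default.nix
+++ b/systems/koumakan/services/feeds/default.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 imports = [
 ./miniflux.nix
 ];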
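--- a/systems/koumakan/services/feeds/miniflux.nix
+++ b/systems/koumakan/services/feeds/miniflux.nix
@@ -1,4 +1,5 @@
-{_utils, ...}: {
+{ _utils, ... }:
+{
 services.miniflux = {
 enable = true;
 config = {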
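--- a/systems/koumakan/services/ftp.nix
+++ b/systems/koumakan/services/ftp.nix
@@ -3,7 +3,8 @@
 config,
 inputs,
 ...
-}: {
+}:
+{
 sops.secrets = {
 "vsftpdUsers.db" = {
 sopsFile = inputs.self + "/creds/sops/koumakan/vsftpdUsers.db";
@@ -51,7 +52,7 @@
 group = "vsftpd";
 enable = true;
 settings = {
-server.listen = ["100.100.16.16:38563"];
+server.listen = [ "100.100.16.16:38563" ];
 accounts.auth-type = "htpasswd.default";
 
 htpasswd.default.htpasswd = config.sops.secrets."webdav.scan.htpasswd".path;
@@ -59,10 +60,10 @@
 
 location = [
 {
-route = ["/*path"];
+route = [ "/*path" ];
 auth = "true";
 handler = "filesystem";
-methods = ["webdav-rw"];
+methods = [ "webdav-rw" ];
 
 directory = "/var/www/ftp";
 }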
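--- a/systems/koumakan/services/matrix/default.nix
+++ b/systems/koumakan/services/matrix/default.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 imports = [
 ./synapse.nix
 ];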
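--- a/systems/koumakan/services/matrix/synapse.nix
+++ b/systems/koumakan/services/matrix/synapse.nix
@@ -4,9 +4,11 @@
 lib,
 config,
 ...
-}: let
+}:
+let
 getSocket = file: "/run/matrix-synapse/${file}.sock";
-in {
+in
+{
 sops.secrets."synapse.yaml" = {
 mode = "0400";
 owner = config.users.users.matrix-synapse.name;
@@ -35,8 +37,8 @@
 ];
 
 workers = {
-federation-sender-0 = {};
-pusher-0 = {};
+federation-sender-0 = { };
+pusher-0 = { };
 };
 
 settings = {
@@ -111,7 +113,7 @@
 };
 
 services.postgresql = {
-ensureDatabases = ["synapse"];
+ensureDatabases = [ "synapse" ];
 ensureUsers = [
 {
 name = "synapse";
@@ -120,7 +122,7 @@
 ];
 };
 
-users.users.nginx.extraGroups = ["matrix-synapse"];
+users.users.nginx.extraGroups = [ "matrix-synapse" ];
 services.nginx.virtualHosts."nue.soopy.moe" = _utils.mkVhost {
 extraConfig = ''
 access_log off;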
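--- a/systems/koumakan/services/nginx.nix
+++ b/systems/koumakan/services/nginx.nix
@@ -1,7 +1,8 @@
-{pkgs, ...}: {
+{ pkgs, ... }:
+{
 gensokyo.presets.nginx = true;
 
-users.users.nginx.extraGroups = ["anubis"];
+users.users.nginx.extraGroups = [ "anubis" ];
 services.nginx = {
 enable = true;
 clientMaxBodySize = "50m";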
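--- a/systems/koumakan/services/proxies/default.nix
+++ b/systems/koumakan/services/proxies/default.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 imports = [
 ./nitter.nix
 ./searxng.nix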
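--- a/systems/koumakan/services/proxies/minio.nix
+++ b/systems/koumakan/services/proxies/minio.nix
@@ -2,7 +2,8 @@
 _utils,
 inputs,
 ...
-}: {
+}:
+{
 services.nginx.virtualHosts = {
 "s3.soopy.moe" = _utils.mkSimpleProxy {
 host = "renko.mist-nessie.ts.net";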
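--- a/systems/koumakan/services/proxies/nitter.nix
+++ b/systems/koumakan/services/proxies/nitter.nix
@@ -1,4 +1,5 @@
-{_utils, ...}: {
+{ _utils, ... }:
+{
 services.nginx.virtualHosts."nitter.soopy.moe" = _utils.mkVhost {
 locations."/".return = "301 https://twiiit.com$request_uri";
 };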
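--- a/systems/koumakan/services/proxies/searxng.nix
+++ b/systems/koumakan/services/proxies/searxng.nix
@@ -3,12 +3,14 @@
 config,
 lib,
 ...
-}: let
+}:
+let
 secrets = _utils.setupSecrets config {
 namespace = "searxng";
-secrets = ["secret"];
+secrets = [ "secret" ];
 };
-in {
+in
+{
 imports = [
 secrets.generate
 (secrets.mkTemplate "searxng.env" ''
@@ -16,7 +18,7 @@
 '')
 ];
 
-users.users.nginx.extraGroups = [config.users.groups.searx.name];
+users.users.nginx.extraGroups = [ config.users.groups.searx.name ];
 
 services.searx = {
 enable = true;
@@ -100,7 +102,10 @@
 engine = "discourse";
 shortcut = "dno";
 base_url = "https://discourse.nixos.org";
-categories = ["it" "q&a"];
+categories = [
+"it"
+"q&a"
+];
 }
 ];
 };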
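--- a/systems/koumakan/services/scm/default.nix
+++ b/systems/koumakan/services/scm/default.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 imports = [
 ./forgejo.nix
 ./tangled-knot.nix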
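--- a/systems/koumakan/services/scm/forgejo.nix
+++ b/systems/koumakan/services/scm/forgejo.nix
@@ -4,7 +4,8 @@
 config,
 pkgs,
 ...
-}: let
+}:
+let
 secrets = [
 "database/pass"
 "turnstile/secret"
@@ -23,7 +24,8 @@
 # else "/run/secrets/${ns}";
 
 runConfig = config.services.forgejo.customDir + "/conf/app.ini";
-in {
+in
+{
 sops.secrets = _utils.genSecrets ns secrets {
 owner = config.services.forgejo.user;
 };
@@ -242,4 +244,3 @@
 # }}}
 }
 # vim:foldmethod=marker
-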
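--- a/systems/koumakan/services/scm/tangled-knot.nix
+++ b/systems/koumakan/services/scm/tangled-knot.nix
@@ -2,12 +2,14 @@
 _utils,
 config,
 ...
-}: let
+}:
+let
 secrets = _utils.setupSecrets config {
 namespace = "tangled";
-secrets = ["knot/key"];
+secrets = [ "knot/key" ];
 };
-in {
+in
+{
 imports = [
 secrets.generate
 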
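--- a/systems/koumakan/services/security/default.nix
+++ b/systems/koumakan/services/security/default.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 imports = [
 ./vaultwarden.nix
 ];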
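--- a/systems/koumakan/services/security/vaultwarden.nix
+++ b/systems/koumakan/services/security/vaultwarden.nix
@@ -3,7 +3,8 @@
 config,
 # lib,
 ...
-}: let
+}:
+let
 # mkSecrets = file:
 # if !lib.elem file secrets
 # then throw "Provided secret file ${file} is not in the list of defined secrets."
@@ -23,24 +24,27 @@
 "push/installation_id"
 "push/installation_key"
 ];
-in {
-sops.secrets = _utils.genSecrets "vaultwarden" secrets {};
-sops.templates."vaultwarden.env".content = let
-ph = p: config.sops.placeholder."vaultwarden/${p}";
-in ''
-DATABASE_URL=postgresql://${ph "database/username"}:${ph "database/password"}@localhost/vaultwarden
-ADMIN_TOKEN=${ph "admin_token"}
-YUBICO_CLIENT_ID=${ph "yubico/id"}
-YUBICO_SECRET_KEY=${ph "yubico/secret"}
-SMTP_USERNAME=${ph "smtp/username"}
-SMTP_FROM=${ph "smtp/username"}
-SMTP_PASSWORD=${ph "smtp/password"}
-SMTP_HOST=${ph "smtp/host"}
-SMTP_SECURITY=${ph "smtp/security"}
-SMTP_PORT=${ph "smtp/port"}
-PUSH_INSTALLATION_ID=${ph "push/installation_id"}
-PUSH_INSTALLATION_KEY=${ph "push/installation_key"}
-'';
+in
+{
+sops.secrets = _utils.genSecrets "vaultwarden" secrets { };
+sops.templates."vaultwarden.env".content =
+let
+ph = p: config.sops.placeholder."vaultwarden/${p}";
+in
+''
+DATABASE_URL=postgresql://${ph "database/username"}:${ph "database/password"}@localhost/vaultwarden
+ADMIN_TOKEN=${ph "admin_token"}
+YUBICO_CLIENT_ID=${ph "yubico/id"}
+YUBICO_SECRET_KEY=${ph "yubico/secret"}
+SMTP_USERNAME=${ph "smtp/username"}
+SMTP_FROM=${ph "smtp/username"}
+SMTP_PASSWORD=${ph "smtp/password"}
+SMTP_HOST=${ph "smtp/host"}
+SMTP_SECURITY=${ph "smtp/security"}
+SMTP_PORT=${ph "smtp/port"}
+PUSH_INSTALLATION_ID=${ph "push/installation_id"}
+PUSH_INSTALLATION_KEY=${ph "push/installation_key"}
+'';
 
 services.vaultwarden = {
 enable = true;
@@ -106,7 +110,7 @@
 upstreams = {
 vault-default = {
 servers = {
-"[::1]:38480" = {};
+"[::1]:38480" = { };
 };
 extraConfig = ''
 zone vaultwarden 128k; # XXX: are there any security implications if we reuse the same zone for both webvault and the ws server?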
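--- a/systems/koumakan/services/static-sites/assets.nix
+++ b/systems/koumakan/services/static-sites/assets.nix
@@ -1,4 +1,5 @@
-{_utils, ...}: {
+{ _utils, ... }:
+{
 services.nginx.virtualHosts."assets.soopy.moe" = _utils.mkVhost {
 root = "/opt/public-assets";
 locations = {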
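--- a/systems/koumakan/services/static-sites/default.nix
+++ b/systems/koumakan/services/static-sites/default.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 imports = [
 ./assets.nix
 ./nonbunary.nix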
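--- a/systems/koumakan/services/static-sites/nonbunary.nix
+++ b/systems/koumakan/services/static-sites/nonbunary.nix
@@ -1,4 +1,5 @@
-{_utils, ...}: {
+{ _utils, ... }:
+{
 services.nginx.virtualHosts."nonbunary.soopy.moe" = _utils.mkVhost {
 locations."/".return = "404";
 locations."= /" = _utils.mkNginxFile {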
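--- a/systems/koumakan/services/static-sites/photography.nix
+++ b/systems/koumakan/services/static-sites/photography.nix
@@ -4,7 +4,8 @@
 lib,
 _utils,
 ...
-}: {
+}:
+{
 # TODO: we can make this better by just automating everything needed to make a h5ai site.
 services.phpfpm.pools."photography" = {
 user = "photography";
@@ -22,9 +23,12 @@
 "php_admin_flag[log_errors]" = true;
 "catch_workers_output" = true;
 };
-phpEnv."PATH" = lib.makeBinPath (with pkgs; [
-zip
-]);
+phpEnv."PATH" = lib.makeBinPath (
+with pkgs;
+[
+zip
+]
+);
 };
 
 services.nginx.virtualHosts."photography.soopy.moe" = _utils.mkVhost {
@@ -54,8 +58,8 @@
 group = "photography";
 createHome = false;
 };
-users.groups.photography = {};
+users.groups.photography = { };
 
-users.users.nginx.extraGroups = ["photography"];
-users.users.cassie.extraGroups = ["photography"];
+users.users.nginx.extraGroups = [ "photography" ];
+users.users.cassie.extraGroups = [ "photography" ];
 }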
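--- a/systems/koumakan/services/storage/atuin.nix
+++ b/systems/koumakan/services/storage/atuin.nix
@@ -1,4 +1,5 @@
-{_utils, ...}: {
+{ _utils, ... }:
+{
 services.atuin = {
 enable = true;
 database.createLocally = true;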
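--- a/systems/koumakan/services/storage/wastebin.nix
+++ b/systems/koumakan/services/storage/wastebin.nix
@@ -2,12 +2,14 @@
 _utils,
 config,
 ...
-}: let
+}:
+let
 secrets = _utils.setupSecrets config {
 namespace = "wastebasket";
-secrets = ["key"];
+secrets = [ "key" ];
 };
-in {
+in
+{
 # figure out a way to disable encryption, i don't trust the impl.
 imports = [
 secrets.generate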
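--- a/systems/koumakan/services/storage/zipline.nix
+++ b/systems/koumakan/services/storage/zipline.nix
@@ -3,7 +3,8 @@
 lib,
 config,
 ...
-}: let
+}:
+let
 secrets = _utils.setupSecrets config {
 namespace = "zipline";
 secrets = [
@@ -12,7 +13,8 @@
 "s3/access_secret"
 ];
 };
-in {
+in
+{
 imports = [
 secrets.generate
 (secrets.mkTemplate "zipline.env" ''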
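--- a/systems/koumakan/services/telemetry/default.nix
+++ b/systems/koumakan/services/telemetry/default.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 imports = [
 ./victoriametrics.nix
 ./grafana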
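--- a/systems/koumakan/services/telemetry/grafana/default.nix
+++ b/systems/koumakan/services/telemetry/grafana/default.nix
@@ -2,7 +2,8 @@
 _utils,
 config,
 ...
-}: let
+}:
+let
 secrets = _utils.setupSecrets config {
 namespace = "grafana";
 secrets = [
@@ -16,7 +17,8 @@
 };
 };
 fromSecret = path: "$__file{${secrets.get path}}";
-in {
+in
+{
 imports = [
 secrets.generate
 ./provisioning.nix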
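--- a/systems/koumakan/services/telemetry/grafana/provisioning.nix
+++ b/systems/koumakan/services/telemetry/grafana/provisioning.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 services.grafana.provision = {
 datasources.settings = {
 apiVersion = 1; # i am stupid. keep this as 1.
@@ -11,7 +12,9 @@
 uid = "gs_panopticon";
 url = "http://localhost:20090";
 isDefault = true;
-jsonData = {prometheusVersion = "2.44.0";};
+jsonData = {
+prometheusVersion = "2.44.0";
+};
 }
 ];
 };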
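--- a/systems/koumakan/services/telemetry/victoriametrics.nix
+++ b/systems/koumakan/services/telemetry/victoriametrics.nix
@@ -3,7 +3,8 @@
 lib,
 _utils,
 ...
-}: let
+}:
+let
 monitoredHosts = [
 "mail"
 "satori"
@@ -14,9 +15,10 @@
 ];
 secrets = _utils.setupSecrets config {
 namespace = "vmetrics";
-secrets = ["agent/akkoma"] ++ builtins.map (f: "auth/hosts/" + f) monitoredHosts;
+secrets = [ "agent/akkoma" ] ++ builtins.map (f: "auth/hosts/" + f) monitoredHosts;
 };
-in {
+in
+{
 imports = [
 secrets.generate
 
@@ -24,10 +26,11 @@
 VMA_AKKOMA_CRED=${secrets.placeholder "agent/akkoma"}
 '')
 (secrets.mkTemplate "vmauth.env" (
-lib.concatLines (builtins.map (
+lib.concatLines (
+builtins.map (
 host: "AUTH_${lib.toUpper host}_TOKEN=${secrets.placeholder "auth/hosts/${host}"}"
-)
-monitoredHosts)
+) monitoredHosts
+)
 ))
 ];
 
@@ -63,12 +66,10 @@
 static_configs = lib.singleton {
 targets = lib.singleton "localhost:${builtins.toString config.services.prometheus.exporters.node.port}";
 };
-relabel_configs =
-lib.singleton
-{
-target_label = "instance";
-replacement = "koumakan";
-};
+relabel_configs = lib.singleton {
+target_label = "instance";
+replacement = "koumakan";
+};
 }
 
 # external nodes uses remote write
@@ -77,13 +78,13 @@
 # other services' metrics
 {
 job_name = "nginx";
-static_configs = lib.singleton {targets = lib.singleton "localhost:${builtins.toString config.services.prometheus.exporters.nginx.port}";};
-relabel_configs =
-lib.singleton
-{
-target_label = "instance";
-replacement = "koumakan";
-};
+static_configs = lib.singleton {
+targets = lib.singleton "localhost:${builtins.toString config.services.prometheus.exporters.nginx.port}";
+};
+relabel_configs = lib.singleton {
+target_label = "instance";
+replacement = "koumakan";
+};
 }
 ];
 };
@@ -101,11 +102,10 @@
 authConfig = {
 users = builtins.concatMap (
 token:
-lib.singleton
-{
-bearer_token = token;
-url_prefix = "http://${config.services.victoriametrics.listenAddress}"; # send directly to vm
-}
+lib.singleton {
+bearer_token = token;
+url_prefix = "http://${config.services.victoriametrics.listenAddress}"; # send directly to vm
+}
 ) (builtins.map (host: "%{AUTH_${lib.toUpper host}_TOKEN}") monitoredHosts);
 };
 environmentFile = secrets.getTemplate "vmauth.env";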
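--- a/systems/nijika/configuration.nix
+++ b/systems/nijika/configuration.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 imports = [
 ./services
 ./networking.nix # generated at runtime by nixos-infect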
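--- a/systems/nijika/hardware-configuration.nix
+++ b/systems/nijika/hardware-configuration.nix
@@ -1,5 +1,6 @@
-{modulesPath, ...}: {
-imports = [(modulesPath + "/profiles/qemu-guest.nix")];
+{ modulesPath, ... }:
+{
+imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
 boot.loader.grub = {
 efiSupport = true;
 efiInstallAsRemovable = true;
@@ -9,8 +10,12 @@
 device = "/dev/disk/by-uuid/5E93-6B15";
 fsType = "vfat";
 };
-boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront"];
-boot.initrd.kernelModules = ["nvme"];
+boot.initrd.availableKernelModules = [
+"ata_piix"
+"uhci_hcd"
+"xen_blkfront"
+];
+boot.initrd.kernelModules = [ "nvme" ];
 fileSystems."/" = {
 device = "/dev/sda1";
 fsType = "ext4";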
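--- a/systems/nijika/networking.nix
+++ b/systems/nijika/networking.nix
@@ -1,4 +1,5 @@
-{lib, ...}: {
+{ lib, ... }:
+{
 # This file was populated at runtime with the networking
 # details gathered from the active system.
 networking = {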
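--- a/systems/nijika/services/default.nix
+++ b/systems/nijika/services/default.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 imports = [
 ./fallback_page
 ];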
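--- a/systems/nijika/services/fallback_page/default.nix
+++ b/systems/nijika/services/fallback_page/default.nix
@@ -2,14 +2,15 @@
 pkgs,
 _utils,
 ...
-}: {
+}:
+{
 services.nginx.virtualHosts."nijika.soopy.moe" = _utils.mkVhost {
 useACMEHost = null;
 enableACME = true;
 default = true;
 
 locations."/" = {
-root = pkgs.callPackage ./package.nix {};
+root = pkgs.callPackage ./package.nix { };
 tryFiles = "$uri $uri/index.html $uri.html =404";
 };
 };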
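--- a/systems/nijika/services/fallback_page/package.nix
+++ b/systems/nijika/services/fallback_page/package.nix
@@ -1,4 +1,4 @@
-{stdenvNoCC}:
+{ stdenvNoCC }:
 stdenvNoCC.mkDerivation (final: {
 name = "nijika-landing";
 src = ./.;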
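--- a/systems/renko/configuration.nix
+++ b/systems/renko/configuration.nix
@@ -2,7 +2,8 @@
 inputs,
 pkgs,
 ...
-}: {
+}:
+{
 imports = [
 ./gui
 ./development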
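--- a/systems/renko/development/default.nix
+++ b/systems/renko/development/default.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 imports = [
 ./docker.nix
 ./postgresql.nix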
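--- a/systems/renko/development/docker.nix
+++ b/systems/renko/development/docker.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 virtualisation.docker = {
 enable = true;
 storageDriver = "btrfs";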
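--- a/systems/renko/development/postgresql.nix
+++ b/systems/renko/development/postgresql.nix
@@ -1,4 +1,5 @@
-{lib, ...}: {
+{ lib, ... }:
+{
 services.postgresql = {
 enable = true;
 enableTCPIP = true;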
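--- a/systems/renko/gui/default.nix
+++ b/systems/renko/gui/default.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 imports = [
 ./virt.nix
 ./finance.nix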
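--- a/systems/renko/gui/finance.nix
+++ b/systems/renko/gui/finance.nix
@@ -1,4 +1,5 @@
-{pkgs, ...}: {
+{ pkgs, ... }:
+{
 environment.systemPackages = [
 pkgs.kmymoney
 ];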
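--- a/systems/renko/gui/games/default.nix
+++ b/systems/renko/gui/games/default.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 imports = [
 ./osu.nix
 ./steam.nix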
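--- a/systems/renko/gui/graphics.nix
+++ b/systems/renko/gui/graphics.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 # enforce settings
 hardware.opengl = {
 enable = true;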
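--- a/systems/renko/gui/virt.nix
+++ b/systems/renko/gui/virt.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 programs.virt-manager.enable = true;
 virtualisation.libvirtd = {
 enable = true;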
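--- a/systems/renko/hardware-configuration.nix
+++ b/systems/renko/hardware-configuration.nix
@@ -6,15 +6,21 @@
 lib,
 modulesPath,
 ...
-}: {
+}:
+{
 imports = [
 (modulesPath + "/installer/scan/not-detected.nix")
 ];
 
-boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usbhid"];
-boot.initrd.kernelModules = [];
-boot.kernelModules = ["kvm-amd"];
-boot.extraModulePackages = [];
+boot.initrd.availableKernelModules = [
+"nvme"
+"xhci_pci"
+"ahci"
+"usbhid"
+];
+boot.initrd.kernelModules = [ ];
+boot.kernelModules = [ "kvm-amd" ];
+boot.extraModulePackages = [ ];
 
 fileSystems."/" = {
 device = "/dev/disk/by-uuid/e6637f8a-12fc-4aa4-8335-3fad10d8f63a";
@@ -31,11 +37,15 @@
 fileSystems."/efi" = {
 device = "/dev/disk/by-uuid/77E6-011C";
 fsType = "vfat";
-options = ["fmask=0022" "dmask=0022" "umask=0077"];
+options = [
+"fmask=0022"
+"dmask=0022"
+"umask=0077"
+];
 };
 
 swapDevices = [
-{device = "/dev/disk/by-uuid/40a77774-ab28-45db-8f8a-845814eacba9";}
+{ device = "/dev/disk/by-uuid/40a77774-ab28-45db-8f8a-845814eacba9"; }
 ];
 
 # Enables DHCP on each ethernet and wireless interface. In case of scripted networking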
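--- a/systems/renko/services/default.nix
+++ b/systems/renko/services/default.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 imports = [
 ./vmagent.nix
 ./minio.nix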
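--- a/systems/renko/services/minio.nix
+++ b/systems/renko/services/minio.nix
@@ -2,7 +2,8 @@
 _utils,
 config,
 ...
-}: let
+}:
+let
 secrets = _utils.setupSecrets config {
 namespace = "minio";
 secrets = [
@@ -10,7 +11,8 @@
 "root_pass"
 ];
 };
-in {
+in
+{
 imports = [
 secrets.generate
 (secrets.mkTemplate "minio.env" ''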
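--- a/systems/renko/services/vmagent.nix
+++ b/systems/renko/services/vmagent.nix
@@ -3,12 +3,14 @@
 config,
 lib,
 ...
-}: let
+}:
+let
 secrets = _utils.setupSecrets config {
 namespace = "vmetrics";
-secrets = ["minio_token"];
+secrets = [ "minio_token" ];
 };
-in {
+in
+{
 imports = lib.singleton secrets.generate;
 systemd.services.vmagent.serviceConfig.LoadCredential = [
 "minio_token:${secrets.get "minio_token"}"
@@ -18,7 +20,7 @@
 job_name = "minio-job";
 metrics_path = "/minio/v2/metrics/cluster";
 scheme = "http";
-static_configs = lib.singleton {targets = lib.singleton "localhost:26531";};
+static_configs = lib.singleton { targets = lib.singleton "localhost:26531"; };
 relabel_configs = lib.singleton {
 target_label = "instance";
 replacement = config.networking.fqdnOrHostName;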
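--- a/systems/ryo/configuration.nix
+++ b/systems/ryo/configuration.nix
@@ -1,6 +1,7 @@
 # ryo because empty-headed. also btr naming scheme.
 # DO NOT copy anything done on this host, it's insecure by design.
-{...}: {
+{ ... }:
+{
 imports = [
 ./services
 ];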
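--- a/systems/ryo/hardware-configuration.nix
+++ b/systems/ryo/hardware-configuration.nix
@@ -2,11 +2,20 @@
 modulesPath,
 lib,
 ...
-}: {
-imports = [(modulesPath + "/profiles/qemu-guest.nix")];
+}:
+{
+imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
 
-boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "xen_blkfront" "vmw_pvscsi"];
-boot.initrd.kernelModules = ["nvme"];
+boot.initrd.availableKernelModules = [
+"ata_piix"
+"uhci_hcd"
+"virtio_pci"
+"virtio_scsi"
+"sd_mod"
+"xen_blkfront"
+"vmw_pvscsi"
+];
+boot.initrd.kernelModules = [ "nvme" ];
 boot.loader.grub = {
 efiSupport = true;
 efiInstallAsRemovable = true;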
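--- a/systems/ryo/services/default.nix
+++ b/systems/ryo/services/default.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 imports = [
 ./novnc.nix
 ./thefunny.nix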
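--- a/systems/ryo/services/novnc.nix
+++ b/systems/ryo/services/novnc.nix
@@ -3,7 +3,8 @@
 pkgs,
 lib,
 ...
-}: {
+}:
+{
 services.nginx.virtualHosts."ryo.soopy.moe" = _utils.mkSimpleProxy {
 port = 6080;
 websockets = true;
@@ -16,8 +17,8 @@
 
 systemd.services."novnc" = {
 enable = true;
-wantedBy = ["multi-user.target"];
-path = with pkgs; [procps];
+wantedBy = [ "multi-user.target" ];
+path = with pkgs; [ procps ];
 serviceConfig = {
 DynamicUser = true;
 ExecStart = "${lib.getExe pkgs.novnc} --file-only";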
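--- a/systems/ryo/services/thefunny.nix
+++ b/systems/ryo/services/thefunny.nix
@@ -2,7 +2,8 @@
 pkgs,
 lib,
 ...
-}: let
+}:
+let
 serviceHardening = {
 PrivateUsers = true;
 LockPersonality = true;
@@ -27,25 +28,27 @@
 # "~@privileged" # cage/wlroots needs setgid for some reason?
 ];
 };
-in {
+in
+{
 users.users.funny = {
 isSystemUser = true;
 group = "funny";
 };
-users.groups.funny = {};
+users.groups.funny = { };
 
 systemd.services = {
 cage-feh = {
-wantedBy = ["multi-user.target"];
-serviceConfig =
-{
-User = "funny";
-RuntimeDirectory = "funny";
-Restart = "on-failure";
-RestartSec = "1";
-}
-// serviceHardening;
-path = with pkgs; [cage feh];
+wantedBy = [ "multi-user.target" ];
+serviceConfig = {
+User = "funny";
+RuntimeDirectory = "funny";
+Restart = "on-failure";
+RestartSec = "1";
+} // serviceHardening;
+path = with pkgs; [
+cage
+feh
+];
 script = ''
 set -e
 cage -d feh -- -.dz -D10 --draw-tinted /srv/funny
@@ -58,18 +61,16 @@
 };
 
 wayvnc-feh = {
-wantedBy = ["multi-user.target"];
-requires = ["cage-feh.service"];
-after = ["cage-feh.service"];
-serviceConfig =
-{
-User = "funny";
-RuntimeDirectory = "funny";
-ExecStart = "${lib.getExe pkgs.wayvnc} -d 0.0.0.0";
-Restart = "on-failure";
-RestartSec = "1";
-}
-// serviceHardening;
+wantedBy = [ "multi-user.target" ];
+requires = [ "cage-feh.service" ];
+after = [ "cage-feh.service" ];
+serviceConfig = {
+User = "funny";
+RuntimeDirectory = "funny";
+ExecStart = "${lib.getExe pkgs.wayvnc} -d 0.0.0.0";
+Restart = "on-failure";
+RestartSec = "1";
+} // serviceHardening;
 environment = {
 WAYLAND_DISPLAY = "wayland-0";
 XDG_RUNTIME_DIR = "%t/funny";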
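--- a/systems/satori/configuration.nix
+++ b/systems/satori/configuration.nix
@@ -3,7 +3,8 @@
 pkgs,
 lib,
 ...
-}: {
+}:
+{
 imports = [
 ./steam.nix
 inputs.nixos-hardware.nixosModules.apple-t2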
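--- a/systems/satori/hardware-configuration.nix
+++ b/systems/satori/hardware-configuration.nix
@@ -6,15 +6,22 @@
 lib,
 modulesPath,
 ...
-}: {
+}:
+{
 imports = [
 (modulesPath + "/installer/scan/not-detected.nix")
 ];
 
-boot.initrd.availableKernelModules = ["xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod"];
-boot.initrd.kernelModules = [];
-boot.kernelModules = ["kvm-intel"];
-boot.extraModulePackages = [];
+boot.initrd.availableKernelModules = [
+"xhci_pci"
+"nvme"
+"usbhid"
+"usb_storage"
+"sd_mod"
+];
+boot.initrd.kernelModules = [ ];
+boot.kernelModules = [ "kvm-intel" ];
+boot.extraModulePackages = [ ];
 
 fileSystems."/" = {
 device = "/dev/disk/by-uuid/f4bb41e2-b477-49e7-ae96-61fd80a63b2e";
@@ -24,10 +31,14 @@
 fileSystems."/boot" = {
 device = "/dev/disk/by-uuid/3231-A446";
 fsType = "vfat";
-options = ["fmask=0022" "dmask=0022" "umask=0077"];
+options = [
+"fmask=0022"
+"dmask=0022"
+"umask=0077"
+];
 };
 
-swapDevices = [];
+swapDevices = [ ];
 
 # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
 # (the default) this is the recommended approach. When using systemd-networkd it's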
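--- a/systems/satori/steam.nix
+++ b/systems/satori/steam.nix
@@ -1,4 +1,5 @@
-{pkgs, ...}: {
+{ pkgs, ... }:
+{
 programs.steam = {
 enable = true;
 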
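--- a/users/_tester.nix
+++ b/users/_tester.nix
@@ -1,7 +1,8 @@
-{...}: {
+{ ... }:
+{
 virtualisation.vmVariant.users.users._tester = builtins.warn "[vm] building tester user..." {
 password = "explode";
 isNormalUser = true;
-extraGroups = ["wheel"];
+extraGroups = [ "wheel" ];
 };
 }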
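--- a/users/builder.nix
+++ b/users/builder.nix
@@ -24,5 +24,5 @@
 shell = pkgs.zsh;
 };
 
-users.groups.remote-builder = {};
+users.groups.remote-builder = { };
 }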