ahuston-0/nix-dotfiles
1
0
Fork 0
Code Issues Pull Requests 3 Actions 2 Packages Projects Releases Wiki Activity

enable external SMTP for hydra (#49)

Browse Source 
* external SMTP for hydra

Signed-off-by: ahuston-0 <aliceghuston@gmail.com>

* nix-serve sops

Signed-off-by: ahuston-0 <aliceghuston@gmail.com>

* add binary cache

* add hydra jobs

* cleanup (#50)

* finish up cleanup branch merge

* switched back to nixpkgs-fmt

* add nixpkgs-fmt to hydrajobs.build

---------

Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
Co-authored-by: Dennis Wuitz <dennish@wuitz.de>
Co-authored-by: Dennis <52411861+DerDennisOP@users.noreply.github.com>
This commit is contained in:
Alice Huston
2024-02-01 16:50:14 -05:00
committed by GitHub
parent 10ed0c633b
commit 241c66f5ec
27 changed files with 412 additions and 361 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
modules/backup.nix
View File

@ -1,9 +1,7 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.backup;
in
{
let cfg = config.services.backup;
in {
options.services.backup = {
enable = lib.mkEnableOption "backup";
@ -54,9 +52,7 @@ in
restic.backups =
let
commonOpts = {
extraBackupArgs = [
"--exclude-file=${pkgs.writeText "restic-exclude-file" (lib.concatMapStrings (x: x + "\n") cfg.exclude)}"
];
extraBackupArgs = [ "--exclude-file=${pkgs.writeText "restic-exclude-file" (lib.concatMapStrings (x: x + "\n") cfg.exclude)}" ];
initialize = true;
passwordFile = config.sops.secrets."restic/password".path;
@ -74,19 +70,11 @@ in
"/etc/subgid"
"/etc/subuid"
"/var/lib/nixos/"
] ++ cfg.paths
++ lib.optional config.services.postgresql.enable "/var/backup/postgresql/"
++ lib.optional config.services.mysql.enable "/var/lib/mysql/"
++ lib.optional (config.security.acme.certs != { }) "/var/lib/acme/"
++ lib.optional config.security.dhparams.enable "/var/lib/dhparams/"
] ++ cfg.paths ++ lib.optional config.services.postgresql.enable "/var/backup/postgresql/" ++ lib.optional config.services.mysql.enable "/var/lib/mysql/"
++ lib.optional (config.security.acme.certs != { }) "/var/lib/acme/" ++ lib.optional config.security.dhparams.enable "/var/lib/dhparams/"
++ lib.optional config.mailserver.enable config.mailserver.mailDirectory;
pruneOpts = [
"--group-by host"
"--keep-daily 7"
"--keep-weekly 4"
"--keep-monthly 12"
];
pruneOpts = [ "--group-by host" "--keep-daily 7" "--keep-weekly 4" "--keep-monthly 12" ];
timerConfig = {
OnCalendar = "*-*-* ${lib.fixedWidthString 2 "0" (toString cfg.backup_at)}:30:00";
@ -95,13 +83,9 @@ in
};
in
lib.mkIf cfg.enable {
local = commonOpts // {
repository = "/var/backup";
};
local = commonOpts // { repository = "/var/backup"; };
offsite = lib.mkIf (cfg.offsite != [ ]) commonOpts // {
repository = "sftp://offsite/${config.networking.hostName}";
};
offsite = lib.mkIf (cfg.offsite != [ ]) commonOpts // { repository = "sftp://offsite/${config.networking.hostName}"; };
};
};
@ -124,9 +108,7 @@ in
path = "/root/.ssh/config";
sopsFile = ./backup.yaml;
};
} // lib.mkIf cfg.enable {
"restic/password".owner = "root";
};
} // lib.mkIf cfg.enable { "restic/password".owner = "root"; };
system.activationScripts.linkResticSSHConfigIntoVirtioFS = lib.mkIf (cfg.enable && cfg.offsite != [ ]) ''
echo "Linking restic ssh config..."
@ -142,9 +124,7 @@ in
restic-backups-offsite.serviceConfig.Environment = lib.mkIf (cfg.offsite != [ ]) "RESTIC_PROGRESS_FPS=0.016666";
};
timers = lib.mkIf config.services.postgresqlBackup.enable {
postgresqlBackup.timerConfig.RandomizedDelaySec = "5m";
};
timers = lib.mkIf config.services.postgresqlBackup.enable { postgresqlBackup.timerConfig.RandomizedDelaySec = "5m"; };
};
};
}

15
modules/boot.nix
View File

@ -1,9 +1,7 @@
{ config, lib, libS, ... }:
let
cfg = config.boot;
in
{
let cfg = config.boot;
in {
options = {
boot = {
default = libS.mkOpinionatedOption "enable the boot builder";
@ -42,10 +40,7 @@ in
supportedFilesystems = [ cfg.filesystem ];
tmp.useTmpfs = true;
kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
kernelParams = [
"nordrand"
] ++ lib.optional (cfg.cpuType == "amd") "kvm-amd"
++ lib.optional cfg.fullDiskEncryption "ip=<ip-addr>::<ip-gateway>:<netmask>";
kernelParams = [ "nordrand" ] ++ lib.optional (cfg.cpuType == "amd") "kvm-amd" ++ lib.optional cfg.fullDiskEncryption "ip=<ip-addr>::<ip-gateway>:<netmask>";
zfs = lib.mkIf (cfg.filesystem == "zfs") {
enableUnstable = true;
@ -54,9 +49,7 @@ in
};
loader = {
efi = {
canTouchEfiVariables = false;
};
efi = { canTouchEfiVariables = false; };
generationsDir.copyKernels = true;
systemd-boot.enable = lib.mkIf cfg.useSystemdBoot true;
grub = lib.mkIf (!cfg.useSystemdBoot) {

12
modules/fail2ban.nix
View File

@ -1,14 +1,8 @@
{ config, lib, libS, ... }:
let
cfg = config.services.fail2ban;
in
{
options = {
services.fail2ban = {
recommendedDefaults = libS.mkOpinionatedOption "use fail2ban with recommended defaults";
};
};
let cfg = config.services.fail2ban;
in {
options = { services.fail2ban = { recommendedDefaults = libS.mkOpinionatedOption "use fail2ban with recommended defaults"; }; };
config.services.fail2ban = lib.mkIf cfg.recommendedDefaults {
maxretry = 5;

9
modules/flake-update-service.nix
View File

@ -1,9 +1,7 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.autopull;
in
{
let cfg = config.services.autopull;
in {
options = {
services.autopull = {
enable = lib.mkEnableOption "autopull";
@ -29,7 +27,8 @@ in
triggersRebuild = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''Whether or not the rebuild service should be triggered after pulling. Note that system.autoUpgrade must be pointed at the same directory as this service if you'd like to use this option.'';
description =
"Whether or not the rebuild service should be triggered after pulling. Note that system.autoUpgrade must be pointed at the same directory as this service if you'd like to use this option.";
};
};
};

6
modules/hydra.nix
View File

@ -1,9 +1,7 @@
{ config, lib, ... }:
let
cfg = config.services.hydra;
in
{
let cfg = config.services.hydra;
in {
config = {
services.hydra.extraConfig = lib.mkDefault (lib.concatLines [
cfg.extraConfig

7
modules/security.nix
View File

@ -1,6 +1,5 @@
# BIASED
{ config, lib, ... }:
{
{ config, lib, ... }: {
config = {
services = {
@ -23,8 +22,6 @@
};
};
networking.firewall = lib.mkIf config.services.openssh.enable {
allowedTCPPorts = config.services.openssh.ports ++ [ 22 ];
};
networking.firewall = lib.mkIf config.services.openssh.enable { allowedTCPPorts = config.services.openssh.ports ++ [ 22 ]; };
};
}

73
modules/website.nix
View File

@ -2,42 +2,41 @@
let
eachSite = config.services.staticpage.sites;
siteOpts = { lib, name, config, ... }:
{
options = {
package = lib.mkPackageOption pkgs "page" { };
siteOpts = { lib, name, config, ... }: {
options = {
package = lib.mkPackageOption pkgs "page" { };
root = lib.mkOption {
type = lib.types.str;
description = "The Document-Root folder in /var/lib";
};
root = lib.mkOption {
type = lib.types.str;
description = "The Document-Root folder in /var/lib";
};
domain = lib.mkOption {
type = lib.types.str;
example = "example.com";
description = "The staticpage's domain.";
};
domain = lib.mkOption {
type = lib.types.str;
example = "example.com";
description = "The staticpage's domain.";
};
subdomain = lib.mkOption {
type = with lib.types; nullOr str;
default = null;
example = "app";
description = "The staticpage subdomain.";
};
subdomain = lib.mkOption {
type = with lib.types; nullOr str;
default = null;
example = "app";
description = "The staticpage subdomain.";
};
usePHP = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Configure the Nginx Server to use PHP";
};
usePHP = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Configure the Nginx Server to use PHP";
};
configureNginx = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Configure the Nginx Server to serve the site with acne";
};
configureNginx = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Configure the Nginx Server to serve the site with acne";
};
};
};
in
{
options.services.staticpage = {
@ -81,7 +80,7 @@ in
allow all;
'';
};
locations."~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$" = {
locations."~* .(js|css|png|jpg|jpeg|gif|ico|svg)$" = {
extraConfig = ''
try_files $uri @rewrite;
expires max;
@ -94,17 +93,17 @@ in
'';
};
} // lib.optionalAttrs cfg.usePHP {
locations."~ '\.php$|^/update.php'" = {
locations."~ '.php$|^/update.php'" = {
extraConfig = ''
include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi.conf;
fastcgi_pass unix:${config.services.phpfpm.pools.${name}.socket};
fastcgi_index index.php;
fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
# Ensure the php file exists. Mitigates CVE-2019-11043
try_files $fastcgi_script_name =404;
# Block httpoxy attacks. See https://httpoxy.org/.
fastcgi_param HTTP_PROXY "";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
@ -114,7 +113,7 @@ in
'';
};
locations."~ \..*/.*\.php$" = {
locations."~ ..*/.*.php$" = {
extraConfig = ''
return 403;
'';
@ -124,7 +123,7 @@ in
return 403;
'';
};
locations."~ ^/sites/[^/]+/files/.*\.php$" = {
locations."~ ^/sites/[^/]+/files/.*.php$" = {
extraConfig = ''
deny all;
'';
@ -139,7 +138,7 @@ in
rewrite ^ /index.php;
'';
};
locations."~ /vendor/.*\.php$" = {
locations."~ /vendor/.*.php$" = {
extraConfig = ''
deny all;
return 404;
@ -150,7 +149,7 @@ in
try_files $uri @rewrite;
'';
};
locations."~ ^(/[a-z\-]+)?/system/files/" = {
locations."~ ^(/[a-z-]+)?/system/files/" = {
extraConfig = ''
try_files $uri /index.php?$query_string;
'';