ahuston-0/nix-dotfiles
1
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Projects Releases Wiki Activity

dennis the formatter (#75)

Browse Source 
* dennis the formatter

* changed comment

* fixup
This commit is contained in:
Dennis
2024-02-05 22:45:43 +01:00
committed by GitHub
parent 47a65a151c
commit 4c1e86907a
15 changed files with 247 additions and 235 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
modules/backup.nix
View File

@ -52,9 +52,9 @@ in {
restic.backups =
let
commonOpts = {
extraBackupArgs = [ "--exclude-file=${pkgs.writeText "restic-exclude-file" (lib.concatMapStrings (x: x + "\n") cfg.exclude)}" ];
initialize = true;
extraBackupArgs = [ "--exclude-file=${pkgs.writeText "restic-exclude-file" (lib.concatMapStrings (x: x + "\n") cfg.exclude)}" ];
pruneOpts = [ "--group-by host" "--keep-daily 7" "--keep-weekly 4" "--keep-monthly 12" ];
passwordFile = config.sops.secrets."restic/password".path;
paths = [
"/etc/group"
@ -85,8 +85,6 @@ in {
"/var/lib/gitea/data/tmp/"
];
pruneOpts = [ "--group-by host" "--keep-daily 7" "--keep-weekly 4" "--keep-monthly 12" ];
timerConfig = {
OnCalendar = "*-*-* ${lib.fixedWidthString 2 "0" (toString cfg.backup_at)}:30:00";
RandomizedDelaySec = "5m";
@ -95,31 +93,29 @@ in {
in
lib.mkIf cfg.enable {
local = commonOpts // { repository = "/var/backup"; };
offsite = lib.mkIf (cfg.offsite != [ ]) commonOpts // { repository = "sftp://offsite/${config.networking.hostName}"; };
};
};
sops.secrets = lib.mkIf (cfg.enable && cfg.offsite != [ ])
{
"restic/offsite/private" = {
owner = "root";
path = "/root/.ssh/id_offsite-backup";
sopsFile = ./backup.yaml;
};
sops.secrets = lib.mkIf (cfg.enable && cfg.offsite != [ ]) {
"restic/offsite/private" = {
owner = "root";
path = "/root/.ssh/id_offsite-backup";
sopsFile = ./backup.yaml;
};
"restic/offsite/public" = {
owner = "root";
path = "/root/.ssh/id_offsite-backup.pub";
sopsFile = ./backup.yaml;
};
"restic/offsite/public" = {
owner = "root";
path = "/root/.ssh/id_offsite-backup.pub";
sopsFile = ./backup.yaml;
};
"restic/offsite/ssh-config" = {
owner = "root";
path = "/root/.ssh/config";
sopsFile = ./backup.yaml;
};
} // lib.mkIf cfg.enable { "restic/password".owner = "root"; };
"restic/offsite/ssh-config" = {
owner = "root";
path = "/root/.ssh/config";
sopsFile = ./backup.yaml;
};
} // lib.mkIf cfg.enable { "restic/password".owner = "root"; };
system.activationScripts.linkResticSSHConfigIntoVirtioFS = lib.mkIf (cfg.enable && cfg.offsite != [ ]) ''
echo "Linking restic ssh config..."
@ -130,12 +126,11 @@ in {
'';
systemd = lib.mkIf cfg.enable {
timers = lib.mkIf config.services.postgresqlBackup.enable { postgresqlBackup.timerConfig.RandomizedDelaySec = "5m"; };
services = {
restic-backups-local.serviceConfig.Environment = "RESTIC_PROGRESS_FPS=0.016666";
restic-backups-offsite.serviceConfig.Environment = lib.mkIf (cfg.offsite != [ ]) "RESTIC_PROGRESS_FPS=0.016666";
};
timers = lib.mkIf config.services.postgresqlBackup.enable { postgresqlBackup.timerConfig.RandomizedDelaySec = "5m"; };
};
};
}

18
modules/boot.nix
View File

@ -5,12 +5,15 @@ in {
options = {
boot = {
default = libS.mkOpinionatedOption "enable the boot builder";
fullDiskEncryption = libS.mkOpinionatedOption "use luks full disk encrytion";
useSystemdBoot = libS.mkOpinionatedOption "use systemd boot";
cpuType = lib.mkOption {
type = lib.types.str;
example = "amd";
default = "";
description = "The cpu-type installed on the server.";
};
amdGPU = libS.mkOpinionatedOption "the system contains a AMD GPU";
filesystem = lib.mkOption {
type = lib.types.str;
@ -18,16 +21,16 @@ in {
default = "ext4";
description = "The filesystem installed.";
};
fullDiskEncryption = libS.mkOpinionatedOption "use luks full disk encrytion";
useSystemdBoot = libS.mkOpinionatedOption "use systemd boot";
};
};
config.boot = lib.mkIf cfg.default {
supportedFilesystems = [ cfg.filesystem ];
tmp.useTmpfs = true;
kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
kernelParams = [ "nordrand" ] ++ lib.optional (cfg.cpuType == "amd") "kvm-amd" ++ lib.optional cfg.fullDiskEncryption "ip=<ip-addr>::<ip-gateway>:<netmask>";
initrd = {
# networking for netcard kernelModules = [ "e1000e" ];
kernelModules = lib.mkIf cfg.amdGPU [ "amdgpu" ];
network = lib.mkIf cfg.fullDiskEncryption {
enable = true;
ssh = {
@ -37,11 +40,6 @@ in {
};
};
supportedFilesystems = [ cfg.filesystem ];
tmp.useTmpfs = true;
kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
kernelParams = [ "nordrand" ] ++ lib.optional (cfg.cpuType == "amd") "kvm-amd" ++ lib.optional cfg.fullDiskEncryption "ip=<ip-addr>::<ip-gateway>:<netmask>";
zfs = lib.mkIf (cfg.filesystem == "zfs") {
enableUnstable = true;
devNodes = "/dev/disk/by-id/";
@ -49,7 +47,7 @@ in {
};
loader = {
efi = { canTouchEfiVariables = false; };
efi.canTouchEfiVariables = false;
generationsDir.copyKernels = true;
systemd-boot.enable = lib.mkIf cfg.useSystemdBoot true;
grub = lib.mkIf (!cfg.useSystemdBoot) {

2
modules/fail2ban.nix
View File

@ -2,7 +2,7 @@
let cfg = config.services.fail2ban;
in {
options = { services.fail2ban = { recommendedDefaults = libS.mkOpinionatedOption "use fail2ban with recommended defaults"; }; };
options.services.fail2ban.recommendedDefaults = libS.mkOpinionatedOption "use fail2ban with recommended defaults";
config.services.fail2ban = lib.mkIf cfg.recommendedDefaults {
maxretry = 5;

12
modules/flake-update-service.nix
View File

@ -10,38 +10,40 @@ in {
default = "dotfiles";
description = "A name for the service which needs to be pulled";
};
path = lib.mkOption {
type = lib.types.nullOr lib.types.path;
default = null;
description = "Path that needs to be updated via git pull";
};
frequency = lib.mkOption {
type = lib.types.str;
description = "systemd-timer compatible time between pulls";
default = "1h";
};
ssh-key = lib.mkOption {
type = lib.types.str;
description = "ssh-key used to pull the repository";
};
triggersRebuild = lib.mkOption {
type = lib.types.bool;
default = false;
description =
"Whether or not the rebuild service should be triggered after pulling. Note that system.autoUpgrade must be pointed at the same directory as this service if you'd like to use this option.";
description = "Whether or not the rebuild service should be triggered after pulling. Note that system.autoUpgrade must be pointed at the same directory as this service if you'd like to use this option.";
};
};
};
# implementation
config = lib.mkIf (cfg.enable && !(builtins.isNull cfg.path)) {
environment.systemPackages = [ pkgs.openssh pkgs.git ];
systemd.services."autopull@${cfg.name}" = {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
description = "Pull the latest data for ${cfg.name}";
serviceConfig = {
Type = "oneshot";
# TODO: See how we can migrate this to DynamicUser=yes instead
User = "root";
WorkingDirectory = cfg.path;
Environment = lib.mkIf (cfg.ssh-key != "") "GIT_SSH_COMMAND=${pkgs.openssh}/bin/ssh -i ${cfg.ssh-key} -o IdentitiesOnly=yes";
@ -50,6 +52,7 @@ in {
Wants = "nixos-upgrade.service";
};
};
systemd.timers."autopull@${cfg.name}" = {
wantedBy = [ "timers.target" ];
timerConfig = {
@ -58,6 +61,5 @@ in {
Unit = "autopull@${cfg.name}.service";
};
};
environment.systemPackages = [ pkgs.openssh pkgs.git ];
};
}

5
modules/security.nix
View File

@ -2,7 +2,6 @@
{ config, lib, ... }: {
config = {
services = {
openssh = lib.mkIf config.services.gitea.enable {
extraConfig = ''
Match User gitea
@ -22,6 +21,8 @@
};
};
networking.firewall = lib.mkIf config.services.openssh.enable { allowedTCPPorts = config.services.openssh.ports ++ [ 22 ]; };
networking.firewall = lib.mkIf config.services.openssh.enable {
allowedTCPPorts = config.services.openssh.ports ++ [ 22 ];
};
};
}

16
modules/website.nix
View File

@ -1,7 +1,6 @@
{ config, pkgs, lib, ... }:
let
eachSite = config.services.staticpage.sites;
siteOpts = { lib, name, config, ... }: {
options = {
package = lib.mkPackageOption pkgs "page" { };
@ -41,7 +40,6 @@ in
{
options.services.staticpage = {
enable = lib.mkEnableOption "staticpage";
sites = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule siteOpts);
default = { };
@ -57,7 +55,6 @@ in
name = "${(if (cfg.subdomain == null) then "${cfg.domain}" else "${cfg.subdomain}.${cfg.domain}")}";
value = {
root = "/var/lib/www/${cfg.root}";
forceSSL = true;
enableACME = true;
serverAliases = lib.mkIf (cfg.subdomain == null) [ "www.${cfg.domain}" ];
@ -68,6 +65,7 @@ in
access_log off;
'';
};
locations."= /robots.txt" = {
extraConfig = ''
allow all;
@ -75,11 +73,13 @@ in
access_log off;
'';
};
locations."~* ^/.well-known/" = {
extraConfig = ''
allow all;
'';
};
locations."~* .(js|css|png|jpg|jpeg|gif|ico|svg)$" = {
extraConfig = ''
try_files $uri @rewrite;
@ -87,6 +87,7 @@ in
log_not_found off;
'';
};
locations."~ ^/sites/.*/files/styles/" = {
extraConfig = ''
try_files $uri @rewrite;
@ -118,37 +119,44 @@ in
return 403;
'';
};
locations."~ ^/sites/.*/private/" = {
extraConfig = ''
return 403;
'';
};
locations."~ ^/sites/[^/]+/files/.*.php$" = {
extraConfig = ''
deny all;
'';
};
locations."/" = {
extraConfig = ''
try_files $uri /index.php?$query_string;
'';
};
locations."@rewrite" = {
extraConfig = ''
rewrite ^ /index.php;
'';
};
locations."~ /vendor/.*.php$" = {
extraConfig = ''
deny all;
return 404;
'';
};
locations."~ ^/sites/.*/files/styles/" = {
extraConfig = ''
try_files $uri @rewrite;
'';
};
locations."~ ^(/[a-z-]+)?/system/files/" = {
extraConfig = ''
try_files $uri /index.php?$query_string;
@ -171,6 +179,7 @@ in
(lib.mapAttrs
(name: cfg: {
user = "nginx";
phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
settings = {
"listen.owner" = config.services.nginx.user;
"pm" = "dynamic";
@ -183,7 +192,6 @@ in
"php_admin_flag[log_errors]" = true;
"catch_workers_output" = true;
};
phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
})
(lib.filterAttrs (n: v: v.usePHP) eachSite))
];