diff --git a/config/etc.nix b/config/etc.nix index 6d0e1fa..97af529 100644 --- a/config/etc.nix +++ b/config/etc.nix @@ -4,11 +4,12 @@ pkgs, ... }: -with lib; { +with lib; +{ environment.etc = mkIf (elem "etcfiles" config.machine.conffiles) { - "rofi.rasi".source = import ./etc/rofi.rasi.nix {inherit pkgs;}; + "rofi.rasi".source = import ./etc/rofi.rasi.nix { inherit pkgs; }; "i3/py3status".source = ./etc/i3/py3status; - "sway/config".source = mkDefault (import ./etc/sway/config.nix {inherit pkgs;}); + "sway/config".source = mkDefault (import ./etc/sway/config.nix { inherit pkgs; }); "mpv/input.conf".source = ./etc/mpv/input.conf; "mpv/mpv.conf".source = ./etc/mpv/mpv.conf; "youtube-dl.conf".source = ./etc/youtube-dl.conf; diff --git a/config/etc/i3/config.nix b/config/etc/i3/config.nix index 1221fc8..4c29cff 100644 --- a/config/etc/i3/config.nix +++ b/config/etc/i3/config.nix @@ -1,4 +1,5 @@ -{pkgs, ...}: (pkgs.writeText "config" '' +{ pkgs, ... }: +(pkgs.writeText "config" '' # i3 config file (v4) # # Please see http://i3wm.org/docs/userguide.html for a complete reference! diff --git a/config/etc/rofi.rasi.nix b/config/etc/rofi.rasi.nix index 483aa5c..9a0da43 100644 --- a/config/etc/rofi.rasi.nix +++ b/config/etc/rofi.rasi.nix 
@@ -1,26 +1,30 @@ -{pkgs}: let - tabMode = pkgs.writeScript "tab-finder.sh" (with pkgs; /* bash */ '' - #!/usr/bin/env bash - if [ -z ''${1} ]; then - ${brotab}/bin/bt list; - else - TARGET_TAB=$(sed "s/\t.*$//g" <<< ''${1}); - # activate window as focused to it is easy to switch to - ${brotab}/bin/bt activate --focused ''${TARGET_TAB} > /dev/null 2>&1; - if [ -n ''${SWAYSOCK} ] && which swaymsg; then - swaymsg "[urgent=latest] focus" > /dev/null 2>&1; +{ pkgs }: +let + tabMode = pkgs.writeScript "tab-finder.sh" ( + with pkgs; # bash + '' + #!/usr/bin/env bash + if [ -z ''${1} ]; then + ${brotab}/bin/bt list; + else + TARGET_TAB=$(sed "s/\t.*$//g" <<< ''${1}); + # activate window as focused to it is easy to switch to + ${brotab}/bin/bt activate --focused ''${TARGET_TAB} > /dev/null 2>&1; + if [ -n ''${SWAYSOCK} ] && which swaymsg; then + swaymsg "[urgent=latest] focus" > /dev/null 2>&1; + fi fi - fi - exit 0; - ''); + exit 0; + '' + ); in - pkgs.writeText "rofi.rasi" '' - configuration { - modi: "combi,window,drun,ssh,tabFinder:${tabMode}"; - font: "hack 10"; - combi-modi: "window,drun,ssh,tabFinder"; - icon-theme: "Papirus"; - show-icons: true; - } - @theme "DarkBlue" - '' +pkgs.writeText "rofi.rasi" '' + configuration { + modi: "combi,window,drun,ssh,tabFinder:${tabMode}"; + font: "hack 10"; + combi-modi: "window,drun,ssh,tabFinder"; + icon-theme: "Papirus"; + show-icons: true; + } + @theme "DarkBlue" +'' diff --git a/config/etc/sway/config.nix b/config/etc/sway/config.nix index 276ffa6..fa56607 100644 --- a/config/etc/sway/config.nix +++ b/config/etc/sway/config.nix 
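Review bot: In the rewritten tabMode script, `which swaymsg` inside `if [ -n ''${SWAYSOCK} ] && which swaymsg; then` prints the resolved path to stdout, and in rofi script mode everything the script prints is parsed as menu entries, so that path can show up as a bogus entry; use `command -v swaymsg >/dev/null 2>&1` instead. The positional parameter is used unquoted in `[ -z ''${1} ]`, in the `sed` here-string and in the `bt activate --focused ''${TARGET_TAB}` call, so a tab title containing spaces or glob characters is word-split and expanded before it reaches brotab (`[ -z a b ]` errors out with "too many arguments"); quote them as `"''${1}"` and `"''${TARGET_TAB}"`. The `#!/usr/bin/env bash` shebang makes a Nix-store script depend on whichever bash is first on the caller's PATH, while every other binary here is pinned to a store path; `pkgs.writeShellScript` (or `#!${bash}/bin/bash`) closes that gap. The script and the `rofi.rasi` text are both complete within this hunk.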
@@ -1,36 +1,38 @@ -{pkgs}: +{ pkgs }: let # TODO/FIX: pkgs.sway-unwrapped is not the same sway derivation as the one running the desktop - grim-wrapper = pkgs.writeShellScript "grim-wrapper" /* bash */ '' - OUTPUT_DIR="$(${pkgs.xdg-user-dirs}/bin/xdg-user-dir PICTURES)" - DATE="$(${pkgs.coreutils}/bin/date +'%Y-%m-%d;%H:%M:%S;')"; - WINDOW_LIST="$(${pkgs.sway-unwrapped}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq -r '.. | select(.pid? and .visible?) | "\(.rect.x+.window_rect.x),\(.rect.y+.window_rect.y) \(.window_rect.width)x\(.window_rect.height) \(.app_id):\(.name)"' | ${pkgs.coreutils}/bin/tr -d '"/;\\')"; + grim-wrapper = + pkgs.writeShellScript "grim-wrapper" # bash + '' + OUTPUT_DIR="$(${pkgs.xdg-user-dirs}/bin/xdg-user-dir PICTURES)" + DATE="$(${pkgs.coreutils}/bin/date +'%Y-%m-%d;%H:%M:%S;')"; + WINDOW_LIST="$(${pkgs.sway-unwrapped}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq -r '.. | select(.pid? and .visible?) | "\(.rect.x+.window_rect.x),\(.rect.y+.window_rect.y) \(.window_rect.width)x\(.window_rect.height) \(.app_id):\(.name)"' | ${pkgs.coreutils}/bin/tr -d '"/;\\')"; - case "''${1}" in - selection) - # split slurp selection result into jseon selectable screen area (for grim) and output name - SELECTION_FORMAT='{ "area": "%x,%y %wx%h", "name": "%wx%h;%o;%l" }'; - SELECTION="$(${pkgs.slurp}/bin/slurp -d -f "''${SELECTION_FORMAT}" <<< ''${WINDOW_LIST})"; - SELECTION_AREA="$(${pkgs.jq}/bin/jq -r '.area' <<< "''${SELECTION}")"; - SELECTION_NAME="$(${pkgs.jq}/bin/jq -r '.name' <<< "''${SELECTION}"| ${pkgs.coreutils}/bin/tr ' ' '_')"; - OUTNAME="''${OUTPUT_DIR}/''${DATE}''${SELECTION_NAME}.png"; - ${pkgs.grim}/bin/grim -g "''${SELECTION_AREA}" "''${OUTNAME}"; - ;; - clip) - SELECTION="$(${pkgs.slurp}/bin/slurp -d <<< ''${WINDOW_LIST})"; - ${pkgs.grim}/bin/grim - | ${pkgs.wl-clipboard}/bin/wl-copy; - ;; - *) - DISPLAY="$(${pkgs.sway-unwrapped}/bin/swaymsg -t get_outputs | ${pkgs.jq}/bin/jq -r '.[] | select(.focused) | .name')"; - 
DISPLAY_RES="$(${pkgs.sway-unwrapped}/bin/swaymsg -t get_outputs | jq -r '.[] | select(.focused) | .current_mode | "\(.width)x\(.height)"')"; - OUTNAME="''${OUTPUT_DIR}/''${DATE}''${DISPLAY_RES};''${DISPLAY};.png" - ${pkgs.grim}/bin/grim -o "''${DISPLAY}" "''${OUTNAME}"; - ;; - esac; - ''; -in pkgs.writeText "config" -'' + case "''${1}" in + selection) + # split slurp selection result into jseon selectable screen area (for grim) and output name + SELECTION_FORMAT='{ "area": "%x,%y %wx%h", "name": "%wx%h;%o;%l" }'; + SELECTION="$(${pkgs.slurp}/bin/slurp -d -f "''${SELECTION_FORMAT}" <<< ''${WINDOW_LIST})"; + SELECTION_AREA="$(${pkgs.jq}/bin/jq -r '.area' <<< "''${SELECTION}")"; + SELECTION_NAME="$(${pkgs.jq}/bin/jq -r '.name' <<< "''${SELECTION}"| ${pkgs.coreutils}/bin/tr ' ' '_')"; + OUTNAME="''${OUTPUT_DIR}/''${DATE}''${SELECTION_NAME}.png"; + ${pkgs.grim}/bin/grim -g "''${SELECTION_AREA}" "''${OUTNAME}"; + ;; + clip) + SELECTION="$(${pkgs.slurp}/bin/slurp -d <<< ''${WINDOW_LIST})"; + ${pkgs.grim}/bin/grim - | ${pkgs.wl-clipboard}/bin/wl-copy; + ;; + *) + DISPLAY="$(${pkgs.sway-unwrapped}/bin/swaymsg -t get_outputs | ${pkgs.jq}/bin/jq -r '.[] | select(.focused) | .name')"; + DISPLAY_RES="$(${pkgs.sway-unwrapped}/bin/swaymsg -t get_outputs | jq -r '.[] | select(.focused) | .current_mode | "\(.width)x\(.height)"')"; + OUTNAME="''${OUTPUT_DIR}/''${DATE}''${DISPLAY_RES};''${DISPLAY};.png" + ${pkgs.grim}/bin/grim -o "''${DISPLAY}" "''${OUTNAME}"; + ;; + esac; + ''; +in +pkgs.writeText "config" '' include /etc/sway/config.d/* # Read `man 5 sway` for a complete reference. diff --git a/config/fonts.nix b/config/fonts.nix index a208f1d..155b8af 100644 --- a/config/fonts.nix +++ b/config/fonts.nix 
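Review bot: In the `clip)` branch the slurp result stored in `SELECTION` is never handed to grim, so `${pkgs.grim}/bin/grim - | ${pkgs.wl-clipboard}/bin/wl-copy;` copies the whole output instead of the region the user just drew; it should read `${pkgs.grim}/bin/grim -g "''${SELECTION}" - | ${pkgs.wl-clipboard}/bin/wl-copy;`. The `DISPLAY_RES` line calls bare `jq` while every other invocation in the script uses `${pkgs.jq}/bin/jq`, so the default branch silently depends on jq being on the caller's PATH. Assigning the focused output name to a variable called `DISPLAY` is also easy to misread as the X11 variable (and, if `DISPLAY` is exported in the calling environment, the assignment changes what child processes see); naming it `OUTPUT` avoids both. The `grim-wrapper` definition is complete in this hunk; the `pkgs.writeText "config"` body continues past it.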
@@ -5,20 +5,20 @@ ... }: with lib; - mkIf (elem "fonts" config.machine.conffiles) { - fonts = { - fontDir.enable = true; - enableGhostscriptFonts = true; - fontconfig = { - enable = true; - includeUserConf = false; - }; - packages = with pkgs; [ - (nerdfonts.override { - fonts = [ - "JetBrainsMono" - ]; - }) - ]; +mkIf (elem "fonts" config.machine.conffiles) { + fonts = { + fontDir.enable = true; + enableGhostscriptFonts = true; + fontconfig = { + enable = true; + includeUserConf = false; }; - } + packages = with pkgs; [ + (nerdfonts.override { + fonts = [ + "JetBrainsMono" + ]; + }) + ]; + }; +} diff --git a/config/locale.nix b/config/locale.nix index d9f9ed5..984863d 100644 --- a/config/locale.nix +++ b/config/locale.nix @@ -3,17 +3,22 @@ lib, pkgs, ... -}: { +}: +{ console.keyMap = "de"; i18n = { defaultLocale = "en_US.UTF-8"; - supportedLocales = ["all"]; + supportedLocales = [ "all" ]; inputMethod = { enable = (lib.elem "desktop" config.machine.services); type = "fcitx5"; fcitx5 = { waylandFrontend = true; - addons = with pkgs; [fcitx5-chinese-addons fcitx5-mozc fcitx5-table-extra]; + addons = with pkgs; [ + fcitx5-chinese-addons + fcitx5-mozc + fcitx5-table-extra + ]; }; }; }; diff --git a/config/networking.nix b/config/networking.nix index cf421c0..b26903d 100644 --- a/config/networking.nix +++ b/config/networking.nix @@ -3,9 +3,11 @@ lib, ... }: -with lib; let +with lib; +let inherit (config.machine) networkD; -in { +in +{ networking = { inherit (config.machine) hostName; useNetworkd = networkD.enable; 
@@ -16,44 +18,49 @@ in { # https://github.com/NixOS/nixpkgs/issues/10001#issuecomment-905532069 systemd.network = mkIf networkD.enable { enable = true; - networks = let - networkConfig = { - DHCP = "yes"; - DNSSEC = "yes"; - DNSOverTLS = "yes"; - DNS = ["1.1.1.1" "1.0.0.1"]; - }; - in { - "40-wired" = { - enable = true; - name = "en*"; - dhcpV4Config.RouteMetric = 2048; - inherit networkConfig; - }; - "40-wireless" = { - enable = true; - name = "wl*"; - dhcpV4Config.RouteMetric = 1024; - inherit networkConfig; - }; - "50-vlan" = { - enable = true; - matchConfig = { - Name = "br0"; - }; + networks = + let networkConfig = { - DNS = "10.0.0.1"; - Address = "10.0.0.100/16"; - # DHCPServer = true; - # IPMasquerade = true; + DHCP = "yes"; + DNSSEC = "yes"; + DNSOverTLS = "yes"; + DNS = [ + "1.1.1.1" + "1.0.0.1" + ]; + }; + in + { + "40-wired" = { + enable = true; + name = "en*"; + dhcpV4Config.RouteMetric = 2048; + inherit networkConfig; + }; + "40-wireless" = { + enable = true; + name = "wl*"; + dhcpV4Config.RouteMetric = 1024; + inherit networkConfig; + }; + "50-vlan" = { + enable = true; + matchConfig = { + Name = "br0"; + }; + networkConfig = { + DNS = "10.0.0.1"; + Address = "10.0.0.100/16"; + # DHCPServer = true; + # IPMasquerade = true; + }; + # dhcpServerConfig = { + # ServerAddress = "172.16.9.1/12"; + # PoolOffset = 100; + # EmitDNS = false; + # }; }; - # dhcpServerConfig = { - # ServerAddress = "172.16.9.1/12"; - # PoolOffset = 100; - # EmitDNS = false; - # }; }; - }; }; # Wait for any interface to become available, not for all systemd.services."systemd-networkd-wait-online" = { diff --git a/config/nix.nix b/config/nix.nix index afa6235..f0e295e 100644 --- a/config/nix.nix +++ b/config/nix.nix @@ -6,10 +6,12 @@ config, lib, ... -}: let +}: +let cfg = config.machine; emptyGlobalRegistry = pkgs.writeText "registry.json" ''{ "flakes": [], "version": 2 }''; -in { +in +{ nix = { package = pkgs.nix; registry = { 
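Review bot: `DNSOverTLS = "yes"` is enforced for the `en*`/`wl*` networks, but the `DNS` entries are bare addresses; as far as I can tell from the systemd-networkd docs the server certificate is only validated against a name when one is supplied after `#`, so without it strict mode guarantees a TLS session but not who is on the other end — write them as `"1.1.1.1#cloudflare-dns.com"` and `"1.0.0.1#cloudflare-dns.com"`. The `50-vlan` network on `br0` points at `10.0.0.1` with neither DNSSEC nor DoT, which is reasonable for a local resolver but reads like an omission next to the shared `networkConfig`; a one-line comment such as `# local resolver on the bridge: no DoT/DNSSEC by design` would settle it. The hunk ends inside `systemd.network`; the `systemd-networkd-wait-online` override that follows is outside it.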
@@ -22,19 +24,15 @@ in {
 cores = 1;
 sandbox = true;
 auto-optimise-store = true;
- trusted-substituters =
- [
- "https://cache.nixos.org"
- ]
- ++ cfg.binaryCaches;
+ trusted-substituters = [
+ "https://cache.nixos.org"
+ ] ++ cfg.binaryCaches;
 # TODO: integrate into sops
 # trusted-public-keys = [ (lib.fileContents "${cfg.secretPath}/hydra_cache.pub") ];
- substituters =
- [
- "https://cache.nixos.org"
- ]
- ++ cfg.binaryCaches;
- allowed-users = ["root"] ++ (map (n: n.name) cfg.administrators);
+ substituters = [
+ "https://cache.nixos.org"
+ ] ++ cfg.binaryCaches;
+ allowed-users = [ "root" ] ++ (map (n: n.name) cfg.administrators);
 };
 extraOptions = ''
 build-timeout = 86400 # 24 hours
diff --git a/config/security.nix b/config/security.nix
index 2af82fa..2293a18 100644
--- a/config/security.nix
+++ b/config/security.nix
@@ -4,9 +4,9 @@
 ...
 }:
 with lib;
- mkIf (elem "security" config.machine.conffiles) {
- security = {
- audit.enable = true;
- auditd.enable = true;
- };
- }
+mkIf (elem "security" config.machine.conffiles) {
+ security = {
+ audit.enable = true;
+ auditd.enable = true;
+ };
+}
diff --git a/config/users.nix b/config/users.nix
index 5db84b4..05562b2 100644
--- a/config/users.nix
+++ b/config/users.nix
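Review bot: `cfg.binaryCaches` is appended to both `substituters` and `trusted-substituters` while the `trusted-public-keys` line that would pin those caches' signing keys is still commented out behind a TODO; with Nix's default `require-sigs = true` paths from those caches will simply be refused, and if `require-sigs` is relaxed somewhere not visible here they would be accepted unsigned, so in either case the supply-chain trust decision lives outside this file. Adding the caches to `substituters` already makes them used unconditionally, so the `trusted-substituters` entry only matters for non-trusted users opting in with `--option`; a comment like `# substituters: used by default; trusted-substituters: what allowed-users may additionally enable per build` would keep the next reader from assuming the second list confers trust. Until the key is wired through sops, extend the TODO with where the keys are expected to come from today (e.g. a per-machine `trusted-public-keys`). The enclosing settings attrset opens before and closes after this hunk.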
@@ -5,39 +5,52 @@ pkgs, ... }: -with lib; let +with lib; +let withDocker = config.virtualisation.docker.enable; withPodman = config.virtualisation.podman.enable; administrators = user: { inherit (user) name; - value = let - cfg = config.services; - passPath = config.sops.secrets."users/${user.name}/password".path; - in { - isNormalUser = true; - inherit (user) name; - uid = user.id; - subUidRanges = optional withPodman { - startUid = 100000; - count = 65536; + value = + let + cfg = config.services; + passPath = config.sops.secrets."users/${user.name}/password".path; + in + { + isNormalUser = true; + inherit (user) name; + uid = user.id; + subUidRanges = optional withPodman { + startUid = 100000; + count = 65536; + }; + subGidRanges = optional withPodman { + startGid = 100000; + count = 65536; + }; + home = builtins.toPath "/home/${user.name}"; + createHome = true; + description = "Administrative user ${user.name}."; + group = user.name; + extraGroups = + [ + "audio" + "wheel" + "network" + ] + ++ (optionals (lib.elem "desktop" config.machine.services) [ + "input" + "video" + ]) + ++ (optionals cfg.printing.enable [ + "cups" + "lp" + ]) + ++ (optional (withDocker && !withPodman) "docker") + ++ (optional withPodman "podman"); + shell = "${pkgs.zsh}/bin/zsh"; + hashedPasswordFile = passPath; }; - subGidRanges = optional withPodman { - startGid = 100000; - count = 65536; - }; - home = builtins.toPath "/home/${user.name}"; - createHome = true; - description = "Administrative user ${user.name}."; - group = user.name; - extraGroups = - ["audio" "wheel" "network"] - ++ (optionals (lib.elem "desktop" config.machine.services) ["input" "video"]) - ++ (optionals cfg.printing.enable ["cups" "lp"]) - ++ (optional (withDocker && !withPodman) "docker") - ++ (optional withPodman "podman"); - shell = "${pkgs.zsh}/bin/zsh"; - hashedPasswordFile = passPath; - }; }; mkusergroup = user: { 
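Review bot: Every administrator receives the identical `subUidRanges`/`subGidRanges` of `startUid = 100000; count = 65536;`, so with more than one entry in `config.machine.administrators` the subordinate ranges overlap and rootless podman containers of different admins map to the same host UIDs, undoing the user-to-user isolation user namespaces are meant to provide (some shadow tooling also refuses overlapping `/etc/subuid` entries). Derive the base from the user instead, e.g. `startUid = 100000 + (user.id - 1000) * 65536;` and the same for `startGid`; the right formula depends on the `id` range your options module permits, which is not visible here. `extraGroups` adds `docker` (when docker is enabled without podman) alongside the unconditional `wheel`; both are root-equivalent, which is coherent for administrators, but a comment `# docker group == root; only for wheel users` would stop this being copied for non-admin accounts. The `administrators` function is complete in this hunk; `mkusergroup` on its last line continues outside it.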
@@ -45,15 +58,14 @@ with lib; let
 value = {
 inherit (user) name;
 gid = user.id;
- members = [user.name];
+ members = [ user.name ];
 };
 };
-in {
- sops.secrets =
- fn.sopsHelper
- (user: "users/${user.name}/password")
- config.machine.administrators
- {neededForUsers = true;};
+in
+{
+ sops.secrets = fn.sopsHelper (user: "users/${user.name}/password") config.machine.administrators {
+ neededForUsers = true;
+ };
 users = {
 mutableUsers = false;
 users = listToAttrs (map administrators config.machine.administrators);
diff --git a/config/zsh.nix b/config/zsh.nix
index 844ae5f..fd9d0d4 100644
--- a/config/zsh.nix
+++ b/config/zsh.nix
@@ -4,35 +4,44 @@ ... }: with lib; - mkIf (elem "zsh" config.machine.conffiles) { - programs.zsh = { - enable = true; - autosuggestions.enable = true; - syntaxHighlighting.enable = true; - shellAliases = { - cat = ''bat --paging=never --theme="Solarized (dark)"''; - less = ''bat --paging=always --style=changes --color=always --theme="Solarized (dark)"''; - ls = "eza"; - l = "eza -abgHhl@ --git --color=always --group-directories-first"; - tree = "exa --tree --color=always"; - ustrip = "sed -e '/\.service\|\.timer\|\.target\|\.socket\|\.slice\|\.scope\|\.path\|\.mount\|\.device)/!d' -e 's/loaded.*$//g' -e 's/^ \|^● //g'"; - lsunits = "systemctl list-units | ustrip"; - }; - - shellInit = '' - function ll() { eza -abgHhl@ --git --color=always --group-directories-first $@ | bat --paging=always --style=changes --color=always --theme="Solarized (dark)" } - function lln() { eza -abgHhl@ --git --color=always --group-directories-first $@ | bat --paging=always --style=changes --color=always --theme="Solarized (dark)" -n } - function lszip() { unzip -l $@ 2>&1 | sed -e "1,3d" -e "s/^.*:.. 
*//g" | head --lines=-2 } - function rwhich() { realpath $(which $@) } - function cdf() { cd $(rwhich $@ | sed "s/$@$//") } - function sfu() { lsunits | rg -i $@ } - function map() { for f in "$\{@:2\}"; do; eval $1 \"$f\"; done } - ''; - - ohMyZsh = { - enable = true; - plugins = ["cabal" "docker" "gitfast" "python" "pip" "sudo" "systemd" "man"]; - theme = "gentoo"; - }; +mkIf (elem "zsh" config.machine.conffiles) { + programs.zsh = { + enable = true; + autosuggestions.enable = true; + syntaxHighlighting.enable = true; + shellAliases = { + cat = ''bat --paging=never --theme="Solarized (dark)"''; + less = ''bat --paging=always --style=changes --color=always --theme="Solarized (dark)"''; + ls = "eza"; + l = "eza -abgHhl@ --git --color=always --group-directories-first"; + tree = "exa --tree --color=always"; + ustrip = "sed -e '/\.service\|\.timer\|\.target\|\.socket\|\.slice\|\.scope\|\.path\|\.mount\|\.device)/!d' -e 's/loaded.*$//g' -e 's/^ \|^● //g'"; + lsunits = "systemctl list-units | ustrip"; }; - } + + shellInit = '' + function ll() { eza -abgHhl@ --git --color=always --group-directories-first $@ | bat --paging=always --style=changes --color=always --theme="Solarized (dark)" } + function lln() { eza -abgHhl@ --git --color=always --group-directories-first $@ | bat --paging=always --style=changes --color=always --theme="Solarized (dark)" -n } + function lszip() { unzip -l $@ 2>&1 | sed -e "1,3d" -e "s/^.*:.. *//g" | head --lines=-2 } + function rwhich() { realpath $(which $@) } + function cdf() { cd $(rwhich $@ | sed "s/$@$//") } + function sfu() { lsunits | rg -i $@ } + function map() { for f in "$\{@:2\}"; do; eval $1 \"$f\"; done } + ''; + + ohMyZsh = { + enable = true; + plugins = [ + "cabal" + "docker" + "gitfast" + "python" + "pip" + "sudo" + "systemd" + "man" + ]; + theme = "gentoo"; + }; + }; +} diff --git a/flake.nix b/flake.nix index 403f54a..81be96f 100644 --- a/flake.nix +++ b/flake.nix 
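Review bot: The helper functions in `shellInit` use `$@` unquoted throughout — `realpath $(which $@)`, `rg -i $@`, and `sed "s/$@$//"` in `cdf` — so an argument with spaces or glob characters is split and expanded, and in `cdf` the argument is interpolated into a sed regex, so a name containing `.` or `/` silently mis-strips or breaks the `s` command. Quote them as `"$@"`/`"$1"` and drop the regex in `cdf` altogether: `function cdf() { cd "$(dirname "$(rwhich "$1")")" }`. `map` deliberately `eval`s its first argument, which is acceptable for an interactive helper but deserves `# map CMD ARGS...: evals CMD per arg; never feed it untrusted input`. In the `ustrip` alias the alternative `\.device)` appears to carry a stray `)` — in basic sed syntax that is a literal character, so `.device` units are never matched; `ls` is aliased to `eza` while `tree` still calls `exa`, which looks like a leftover from the rename. The `mkIf` module body is complete within this hunk.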
@@ -18,19 +18,21 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
 };
- outputs = {
- self,
- nixpkgs,
- flake-utils,
- nixpkgs-wayland,
- mailserver,
- sops-nix,
- ...
- } @ attrs:
+ outputs =
+ {
+ self,
+ nixpkgs,
+ flake-utils,
+ nixpkgs-wayland,
+ mailserver,
+ sops-nix,
+ ...
+ }@attrs:
 flake-utils.lib.eachDefaultSystem (
- system: let
+ system:
+ let
 inherit (nixpkgs) lib;
- fn = import ./fn.nix {inherit lib;};
+ fn = import ./fn.nix { inherit lib; };
 pkgs = nixpkgs.legacyPackages."${system}";
 machineList = fn.lst {
 p = toString ./machines;
@@ -39,46 +41,52 @@ }; nixosSystemFor = machine: { name = machine; - value = let - configFiles = fn.lst { - p = toString ./config; - b = true; - }; - pkgsFiles = fn.lst { - p = toString ./pkgs; - b = true; - }; - serviceFiles = fn.lst { - p = toString ./services; - b = true; - }; - machinePath = lib.concatStringsSep "/" [(toString ./.) "machines" machine]; - machineFiles = lib.filter (lib.strings.hasSuffix ".nix") (fn.lst { - p = machinePath; - b = true; - }); - in + value = + let + configFiles = fn.lst { + p = toString ./config; + b = true; + }; + pkgsFiles = fn.lst { + p = toString ./pkgs; + b = true; + }; + serviceFiles = fn.lst { + p = toString ./services; + b = true; + }; + machinePath = lib.concatStringsSep "/" [ + (toString ./.) + "machines" + machine + ]; + machineFiles = lib.filter (lib.strings.hasSuffix ".nix") ( + fn.lst { + p = machinePath; + b = true; + } + ); + in nixpkgs.lib.nixosSystem { inherit system; - specialArgs = - attrs - // { - inherit system; - inherit fn; - }; - modules = - [ - ({config, ...}: {config.nixpkgs.overlays = [nixpkgs-wayland.overlay];}) - (toString ./options/machine.nix) - sops-nix.nixosModules.sops - ] - ++ machineFiles - ++ configFiles - ++ pkgsFiles - ++ serviceFiles; + specialArgs = attrs // { + inherit system; + inherit fn; + }; + modules = [ + ( + { config, ... }: + { + config.nixpkgs.overlays = [ nixpkgs-wayland.overlay ]; + } + ) + (toString ./options/machine.nix) + sops-nix.nixosModules.sops + ] ++ machineFiles ++ configFiles ++ pkgsFiles ++ serviceFiles; }; }; - in { + in + { apps = { "lint" = { type = "app"; diff --git a/fn.nix b/fn.nix index b2b79dd..2a4a59e 100644 --- a/fn.nix +++ b/fn.nix 
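Review bot: `configFiles`, `pkgsFiles` and `serviceFiles` go straight into `modules` while only `machineFiles` is filtered with `lib.strings.hasSuffix ".nix"`, so any non-Nix file that lands in `config/`, `pkgs/` or `services/` (an editor backup, a README) is imported as a module and breaks evaluation for every host; apply the same `lib.filter (lib.strings.hasSuffix ".nix")` to all four lists. Because every file in those directories becomes part of every machine's configuration, a comment on `nixosSystemFor` stating the convention — `# every *.nix under config/, pkgs/ and services/ is a module for every host; review additions accordingly` — makes that trust boundary explicit for contributors. The `apps` attrset that follows is cut off by the hunk.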
@@ -1,85 +1,94 @@ -{lib}: +{ lib }: with builtins; -with lib; rec { - ifelse = a: b: c: - if a - then b - else c; - fileContentsOr = a: b: (ifelse - (pathIsRegularFile a) - a - b); +with lib; +rec { + ifelse = + a: b: c: + if a then b else c; + fileContentsOr = a: b: (ifelse (pathIsRegularFile a) a b); cwd = builtins.getEnv "PWD"; # lst (string PATH) (string FILETYPE) (bool RETURNFULLPATH) - lst = { - p ? cwd, - t ? "regular", - b ? false, - }: (lists.forEach - (attrNames - (filterAttrs (n: v: v == t) - (readDir p))) - (v: ((optionalString b "${p}/") + v))); - lsf = p: (lst {inherit p;}); - lsd = p: (lst { - inherit p; - t = "directory"; - b = true; - }); - lsfRec = p: b: - flatten ((map (np: lsfRec np b) (lsd p)) + lst = + { + p ? cwd, + t ? "regular", + b ? false, + }: + (lists.forEach (attrNames (filterAttrs (n: v: v == t) (readDir p))) ( + v: ((optionalString b "${p}/") + v) + )); + lsf = p: (lst { inherit p; }); + lsd = + p: + (lst { + inherit p; + t = "directory"; + b = true; + }); + lsfRec = + p: b: + flatten ( + (map (np: lsfRec np b) (lsd p)) ++ (lst { inherit p; inherit b; - })); - hasAttrs = aList: d: (map - (a: (ifelse (isList a) - (hasAttrByPath a d) - (hasAttr a d))) - aList); + }) + ); + hasAttrs = aList: d: (map (a: (ifelse (isList a) (hasAttrByPath a d) (hasAttr a d))) aList); # Not sure how list operations are implemented in Nix # This might be a tad bit inefficient. # TODO: look for better implementation (map is a builtin function so checking that probably won't help) # Sequentially checks elements of list (l) for condition (cond) and executes do on first match. 
- meetsConDo = cond: do: l: - ifelse (l == []) false - (let - h = head l; - t = tail l; - in - ifelse (cond h) (do h) - (meetsConDo cond do t)); - deps = p: - ifelse (isAttrs p) ( - filter isAttrs - (p.buildInputs ++ p.nativeBuildInputs ++ p.propagatedBuildInputs ++ p.propagatedNativeBuildInputs) - ) []; + meetsConDo = + cond: do: l: + ifelse (l == [ ]) false ( + let + h = head l; + t = tail l; + in + ifelse (cond h) (do h) (meetsConDo cond do t) + ); + deps = + p: + ifelse (isAttrs p) (filter isAttrs ( + p.buildInputs ++ p.nativeBuildInputs ++ p.propagatedBuildInputs ++ p.propagatedNativeBuildInputs + )) [ ]; importFilter = l: filter (n: elem (nameFromURL (toString n) ".") l); - depsRec = ld: ifelse (ld == []) [] ((toList ld) ++ (depsRec (lists.unique (lists.flatten (map deps (toList ld)))))); - isBroken = p: - meetsConDo (s: ((hasAttrByPath s.path p) && (s.check (getAttrFromPath s.path p)))) (s: s.msg) - [ + depsRec = + ld: + ifelse (ld == [ ]) [ ] ( + (toList ld) ++ (depsRec (lists.unique (lists.flatten (map deps (toList ld))))) + ); + isBroken = + p: + meetsConDo (s: ((hasAttrByPath s.path p) && (s.check (getAttrFromPath s.path p)))) (s: s.msg) [ { - path = ["meta" "broken"]; + path = [ + "meta" + "broken" + ]; msg = warn "Package ${p.name} is marked as broken." true; check = m: m; } { - path = ["meta" "knownVulnerabilities"]; + path = [ + "meta" + "knownVulnerabilities" + ]; msg = warn "Package ${p.name} has known Vulnerabilities.." true; - check = m: m != []; + check = m: m != [ ]; } { - path = ["name"]; + path = [ "name" ]; msg = warn "${p.name}: python2 is depricated." false; check = m: (strings.hasInfix "python2" m) || (strings.hasInfix "python-2" m); } # not sure if the following test creates false positives (AFAIK every derivation/package needs to have an outPath) # , definitely should catch all corner cases/everything that fails to evaluate. 
{ - path = ["outPath"]; + path = [ "outPath" ]; msg = warn "Package ${p.name} has no outPath" true; check = m: !(tryEval m).success; } @@ -87,35 +96,45 @@ with lib; rec { depsBroken = p: lists.any (p: (isBroken p)) (deps p); # No more magic 🧙 here 😢 # But at least it now (hopefully) checks ONLY dependencies (and all of them at that). - depsBrokenRec = p: ( - meetsConDo - (p: ifelse (depsBroken p) true (depsBrokenRec (deps p))) - (p: true) (deps p) - ); - sopsHelper = template: names: options: let - optionsIsFunction = (typeOf options) == "lambda"; - in - listToAttrs (map - (name: { + depsBrokenRec = + p: (meetsConDo (p: ifelse (depsBroken p) true (depsBrokenRec (deps p))) (p: true) (deps p)); + sopsHelper = + template: names: options: + let + optionsIsFunction = (typeOf options) == "lambda"; + in + listToAttrs ( + map (name: { name = template name; value = ifelse optionsIsFunction (options name) options; - }) - names); - pkgFilter = ld: (filter - (p: ( - ifelse (isBroken p) - false - (ifelse (depsBrokenRec p) - (warn "Dependency of ${p.name} is marked as broken." false) - true) - )) - ld); - makeOptionTypeList = path: ( - lists.forEach - # get a list of all files ending in .nix in path - (filter (hasSuffix ".nix") - (lsfRec path true)) - # remove leading path and trailing ".nix", replace every slash with "::" - (replaceStrings ["${path}/" "/" ".nix"] ["" "::" ""]) - ); + }) names + ); + pkgFilter = + ld: + (filter ( + p: + (ifelse (isBroken p) false ( + ifelse (depsBrokenRec p) (warn "Dependency of ${p.name} is marked as broken." false) true + )) + ) ld); + makeOptionTypeList = + path: + (lists.forEach + # get a list of all files ending in .nix in path + (filter (hasSuffix ".nix") (lsfRec path true)) + # remove leading path and trailing ".nix", replace every slash with "::" + ( + replaceStrings + [ + "${path}/" + "/" + ".nix" + ] + [ + "" + "::" + "" + ] + ) + ); } 
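Review bot: In `isBroken` the python2 entry returns `warn "..." false`, so a package whose name matches `python2`/`python-2` is only warned about and still passes `pkgFilter`, whereas `meta.broken` and `meta.knownVulnerabilities` return `true` and exclude the package; if that asymmetry is intended it should say so, e.g. `# python2: warn only, do not exclude (EOL, not a CVE)`, and the message text `depricated` should read `deprecated`. Since `meetsConDo` stops at the first matching check, a package that is both broken and has known vulnerabilities only ever reports "broken" and the vulnerability warning is never emitted; if these warnings are meant as an audit trail, run every check and `any` the results instead of short-circuiting. The `knownVulnerabilities` gate relies entirely on nixpkgs metadata, so packages from local overlays pass unless they set that attribute themselves — worth a comment. `rec {` opens before this hunk and the second hunk of this file follows it.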
diff --git a/machines/Lilim/configuration.nix b/machines/Lilim/configuration.nix index 1a4366f..db49a1a 100644 --- a/machines/Lilim/configuration.nix +++ b/machines/Lilim/configuration.nix @@ -2,7 +2,8 @@ pkgs, lib, ... -}: { +}: +{ services.cron.enable = false; networking.dhcpcd.extraConfig = "noarp"; @@ -56,7 +57,7 @@ }; joycond.enable = true; udev = { - packages = []; + packages = [ ]; extraRules = '' KERNEL=="rtc0", GROUP="audio" KERNEL=="hpet", GROUP="audio" @@ -64,8 +65,13 @@ }; }; boot = { - kernelModules = ["snd-usb-audio" "snd-aloop" "snd-seq" "snd-rawmidi"]; - kernelParams = ["threadirq"]; + kernelModules = [ + "snd-usb-audio" + "snd-aloop" + "snd-seq" + "snd-rawmidi" + ]; + kernelParams = [ "threadirq" ]; extraModprobeConfig = '' options snd-usb-audio nrpacks=1 ''; diff --git a/machines/Lilim/hardware-configuration.nix b/machines/Lilim/hardware-configuration.nix index d6ab965..f52b648 100644 --- a/machines/Lilim/hardware-configuration.nix +++ b/machines/Lilim/hardware-configuration.nix @@ -3,10 +3,12 @@ config, pkgs, ... -}: let +}: +let cfg = config.machine; -in { - imports = ["${nixpkgs}/nixos/modules/installer/scan/not-detected.nix"]; +in +{ + imports = [ "${nixpkgs}/nixos/modules/installer/scan/not-detected.nix" ]; boot = { loader.systemd-boot = { 
@@ -22,14 +24,24 @@ in { }; kernelPackages = pkgs.linuxPackages_latest; - initrd.availableKernelModules = ["xhci_pci" "ahci" "sd_mod" "rtsx_pci_sdmmc"]; - kernelModules = ["acpi_call" "i915" "kvm-intel" "uinput"]; + initrd.availableKernelModules = [ + "xhci_pci" + "ahci" + "sd_mod" + "rtsx_pci_sdmmc" + ]; + kernelModules = [ + "acpi_call" + "i915" + "kvm-intel" + "uinput" + ]; # 5_10 breaks my touchpad/mouse buttons # https://bbs.archlinux.org/viewtopic.php?id=254885 # maybe modprobe hid_rmi or i2c_i801 # blacklistedKernelModules = [ "i2c_i801" ]; - extraModulePackages = with config.boot.kernelPackages; [acpi_call]; #pkgs.gitpkgs.linuxPackages_latest.hid-nintendo ]; - kernelParams = ["intel_iommu=on"]; + extraModulePackages = with config.boot.kernelPackages; [ acpi_call ]; # pkgs.gitpkgs.linuxPackages_latest.hid-nintendo ]; + kernelParams = [ "intel_iommu=on" ]; extraModprobeConfig = '' options i915 enable_fbc=1 enable_guc=3 ''; @@ -51,13 +63,15 @@ in { }; hardware = { - firmware = with pkgs; [firmwareLinuxNonfree]; + firmware = with pkgs; [ firmwareLinuxNonfree ]; cpu.intel.updateMicrocode = true; enableAllFirmware = false; ksm.enable = true; graphics = { extraPackages = with pkgs; [ (intel-vaapi-driver.override { enableHybridCodec = true; }) ]; - extraPackages32 = with pkgs.pkgsi686Linux; [ (intel-vaapi-driver.override { enableHybridCodec = true; }) ]; + extraPackages32 = with pkgs.pkgsi686Linux; [ + (intel-vaapi-driver.override { enableHybridCodec = true; }) + ]; }; pulseaudio = { @@ -82,7 +96,7 @@ in { }; services = { upower.enable = true; - xserver.videoDrivers = ["intel"]; + xserver.videoDrivers = [ "intel" ]; }; environment.variables.LIBVA_DRIVER_NAME = "i915"; time.timeZone = "Europe/Berlin"; diff --git a/machines/Lilim/options.nix b/machines/Lilim/options.nix index 64f2fe2..19e6904 100644 --- a/machines/Lilim/options.nix +++ b/machines/Lilim/options.nix @@ -3,7 +3,8 @@ lib, ... }: -with lib; { +with lib; +{ imports = [ ../../options/copySysConf.nix ]; 
@@ -51,8 +52,8 @@ with lib; { firewall = { enable = true; allowPing = true; - allowedUDPPorts = [24642]; - allowedTCPPorts = [24642]; + allowedUDPPorts = [ 24642 ]; + allowedTCPPorts = [ 24642 ]; allowedUDPPortRanges = [ { from = 1714; diff --git a/machines/Lilim/sops.nix b/machines/Lilim/sops.nix index 3da6c4c..b6183b9 100644 --- a/machines/Lilim/sops.nix +++ b/machines/Lilim/sops.nix @@ -2,7 +2,8 @@ config, lib, ... -}: { +}: +{ sops = { defaultSopsFile = ./secrets.yaml; age = { diff --git a/machines/Marid/configuration.nix b/machines/Marid/configuration.nix index 9833363..9ac7145 100644 --- a/machines/Marid/configuration.nix +++ b/machines/Marid/configuration.nix @@ -1,4 +1,5 @@ -{pkgs, ...}: { +{ pkgs, ... }: +{ services.cron.enable = false; security.pki.certificateFiles = [ ./certs/proxy diff --git a/machines/Marid/hardware-configuration.nix b/machines/Marid/hardware-configuration.nix index af21d61..fd2f810 100644 --- a/machines/Marid/hardware-configuration.nix +++ b/machines/Marid/hardware-configuration.nix @@ -3,10 +3,12 @@ pkgs, modulesPath, ... -}: let +}: +let cfg = config.machine; -in { - imports = [(modulesPath + "/installer/scan/not-detected.nix")]; +in +{ + imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; boot = { loader.systemd-boot = { @@ -19,8 +21,14 @@ in { }; kernelPackages = pkgs.linuxPackages_latest; - initrd.availableKernelModules = ["nvme" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc"]; - kernelModules = ["kvm-amd"]; + initrd.availableKernelModules = [ + "nvme" + "xhci_pci" + "usb_storage" + "sd_mod" + "rtsx_pci_sdmmc" + ]; + kernelModules = [ "kvm-amd" ]; kernelParams = [ # get backlight service to work part one (fixes systemd backlight service) "acpi_backlight=native" @@ -43,7 +51,7 @@ in { }; hardware = { - firmware = with pkgs; [firmwareLinuxNonfree]; + firmware = with pkgs; [ firmwareLinuxNonfree ]; enableAllFirmware = true; ksm.enable = true; opengl = { 
diff --git a/machines/Marid/options.nix b/machines/Marid/options.nix index 1337599..f6da60b 100644 --- a/machines/Marid/options.nix +++ b/machines/Marid/options.nix @@ -3,7 +3,8 @@ lib, ... }: -with lib; { +with lib; +{ imports = [ ../../options/copySysConf.nix ]; @@ -41,10 +42,10 @@ with lib; { firewall = { enable = true; allowPing = true; - allowedUDPPorts = []; - allowedTCPPorts = []; - allowedUDPPortRanges = []; - allowedTCPPortRanges = []; + allowedUDPPorts = [ ]; + allowedTCPPorts = [ ]; + allowedUDPPortRanges = [ ]; + allowedTCPPortRanges = [ ]; }; }; diff --git a/machines/Marid/sops.nix b/machines/Marid/sops.nix index 3da6c4c..b6183b9 100644 --- a/machines/Marid/sops.nix +++ b/machines/Marid/sops.nix @@ -2,7 +2,8 @@ config, lib, ... -}: { +}: +{ sops = { defaultSopsFile = ./secrets.yaml; age = { diff --git a/machines/Ophanim/hardware-configuration.nix b/machines/Ophanim/hardware-configuration.nix index c9c6410..6a6a7e7 100644 --- a/machines/Ophanim/hardware-configuration.nix +++ b/machines/Ophanim/hardware-configuration.nix @@ -2,16 +2,23 @@ nixpkgs, pkgs, ... -}: { +}: +{ imports = [ "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix" ]; boot = { - initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod"]; + initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "virtio_pci" + "sd_mod" + "sr_mod" + ]; kernelPackages = pkgs.linuxPackages_latest; - kernelModules = []; - extraModulePackages = []; + kernelModules = [ ]; + extraModulePackages = [ ]; loader.grub = { enable = true; device = "/dev/sda"; # or "nodev" for efi only @@ -25,5 +32,5 @@ fsType = "ext4"; }; - swapDevices = []; + swapDevices = [ ]; } diff --git a/machines/Ophanim/options.nix b/machines/Ophanim/options.nix index a7d86dc..3a6269e 100644 --- a/machines/Ophanim/options.nix +++ b/machines/Ophanim/options.nix 
@@ -3,9 +3,11 @@ lib, ... }: -with lib; let +with lib; +let cfg = config.machine; -in { +in +{ config.machine = rec { hostName = "Ophanim"; domain = "ophanim.de"; @@ -18,7 +20,10 @@ in { mailAccounts = [ { name = "derped"; - aliases = ["postmaster" "baensch"]; + aliases = [ + "postmaster" + "baensch" + ]; } ]; allowUnfree = true; @@ -42,37 +47,48 @@ in { "nginx" "openssh" ]; - vHosts = let - base = domain; - in [ - { - domain = base; - service = "simple"; - } - # { domain = "builder.${base}"; service = "hydra"; } - # { domain = "cache.${base}"; service = "cache"; } - { - domain = "storage.${base}"; - service = "nextcloud"; - } - { - domain = "mail.${base}"; - service = "mail"; - } - { - domain = "git.${base}"; - service = "forgejo"; - } - { - domain = "food.${base}"; - service = "tandoor"; - } - ]; + vHosts = + let + base = domain; + in + [ + { + domain = base; + service = "simple"; + } + # { domain = "builder.${base}"; service = "hydra"; } + # { domain = "cache.${base}"; service = "cache"; } + { + domain = "storage.${base}"; + service = "nextcloud"; + } + { + domain = "mail.${base}"; + service = "mail"; + } + { + domain = "git.${base}"; + service = "forgejo"; + } + { + domain = "food.${base}"; + service = "tandoor"; + } + ]; firewall = { enable = true; allowPing = false; - allowedUDPPorts = [22 80 443 7776]; - allowedTCPPorts = [80 443 7776]; + allowedUDPPorts = [ + 22 + 80 + 443 + 7776 + ]; + allowedTCPPorts = [ + 80 + 443 + 7776 + ]; }; }; } diff --git a/machines/Ophanim/sops.nix b/machines/Ophanim/sops.nix index 3da6c4c..b6183b9 100644 --- a/machines/Ophanim/sops.nix +++ b/machines/Ophanim/sops.nix @@ -2,7 +2,8 @@ config, lib, ... -}: { +}: +{ sops = { defaultSopsFile = ./secrets.yaml; age = { diff --git a/machines/Sheol/august.nix b/machines/Sheol/august.nix index 710a169..f54cd4a 100644 --- a/machines/Sheol/august.nix +++ b/machines/Sheol/august.nix 
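Review bot: `allowedUDPPorts` lists `22`, but SSH is TCP-only, so this opens a UDP port nothing listens on while TCP 22 is absent from `allowedTCPPorts` — presumably it is opened by the `openssh` entry in `services` via `services.openssh.openFirewall`, which is outside this hunk; remove `22` from the UDP list or add a comment naming what actually uses it. Port `7776` is opened on TCP and UDP with no indication of the service behind it, so on an internet-facing host a comment such as `# 7776/tcp+udp: <service>` would help future audits. The `config.machine = rec {` attrset starts in the preceding hunk.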
@@ -18,7 +18,11 @@ }; fileSystems."/home/august/Videos" = { device = "/mnt/WD/Videos/Movies/"; - options = [ "nofail" "bind" "x-systemd.automount" ]; + options = [ + "nofail" + "bind" + "x-systemd.automount" + ]; neededForBoot = false; }; } diff --git a/machines/Sheol/configuration.nix b/machines/Sheol/configuration.nix index 10468dc..47991b3 100644 --- a/machines/Sheol/configuration.nix +++ b/machines/Sheol/configuration.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ services = { avahi = { enable = true; @@ -13,16 +14,18 @@ }; # udp5353 1024-65535 - networking.firewall = let - range = { - from = 1024; - to = 65535; + networking.firewall = + let + range = { + from = 1024; + to = 65535; + }; + in + { + allowedUDPPorts = [ 5353 ]; + allowedUDPPortRanges = [ range ]; + allowedTCPPortRanges = [ range ]; }; - in { - allowedUDPPorts = [ 5353 ]; - allowedUDPPortRanges = [ range ]; - allowedTCPPortRanges = [ range ]; - }; networking.dhcpcd.extraConfig = "noarp"; system.stateVersion = "24.05"; } diff --git a/machines/Sheol/hardware-configuration.nix b/machines/Sheol/hardware-configuration.nix index c91ae2b..1ad7aae 100644 --- a/machines/Sheol/hardware-configuration.nix +++ b/machines/Sheol/hardware-configuration.nix @@ -1,11 +1,16 @@ -{nixos-hardware, ...}: { +{ nixos-hardware, ... }: +{ imports = [ nixos-hardware.nixosModules.raspberry-pi-5 ]; boot = { - kernelParams = [ "8250.nr_uarts=11" "console=ttyAMA10,9600" "console=tty0" ]; - supportedFilesystems = ["btrfs"]; + kernelParams = [ + "8250.nr_uarts=11" + "console=ttyAMA10,9600" + "console=tty0" + ]; + supportedFilesystems = [ "btrfs" ]; initrd.systemd.enableTpm2 = false; loader.systemd-boot.enable = true; loader.efi.canTouchEfiVariables = false; @@ -14,7 +19,12 @@ "/" = { device = "none"; fsType = "tmpfs"; - options = ["defaults" "size=2G" "mode=755" "noexec"]; + options = [ + "defaults" + "size=2G" + "mode=755" + "noexec" + ]; }; "/boot" = { device = "/dev/disk/by-uuid/F8BB-8019"; 
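Review bot: `allowedTCPPortRanges = [ range ];` in the Sheol `networking.firewall` hunk admits every unprivileged TCP port (1024–65535), far wider than the `# udp5353 1024-65535` comment suggests was intended for mDNS, so any non-root TCP listener on the host becomes reachable. The UDP range looks equally unnecessary, since the stateful firewall already accepts replies to locally initiated queries and `allowedUDPPorts = [ 5353 ];` covers inbound mDNS. I would drop the TCP range line outright and, if the UDP range is kept for a reason, extend the comment to say which service needs it, e.g. `# mDNS (5353) plus ephemeral UDP range for <SERVICE-PLACEHOLDER> responses`. None of the other firewall hunks in this commit open a range like this, so this host is the outlier.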
@@ -23,25 +33,40 @@ "/nix" = { device = "/dev/disk/by-uuid/7741fa2e-ce5d-4aef-bf3c-8e283e973409"; fsType = "btrfs"; - options = ["subvol=nix" "compress=zstd" "noatime"]; + options = [ + "subvol=nix" + "compress=zstd" + "noatime" + ]; neededForBoot = true; }; "/persist" = { device = "/dev/disk/by-uuid/7741fa2e-ce5d-4aef-bf3c-8e283e973409"; fsType = "btrfs"; - options = ["subvol=persist" "compress=zstd" "noexec"]; + options = [ + "subvol=persist" + "compress=zstd" + "noexec" + ]; neededForBoot = true; }; "/snapshots" = { device = "/dev/disk/by-uuid/7741fa2e-ce5d-4aef-bf3c-8e283e973409"; fsType = "btrfs"; - options = ["subvol=snapshots" "compress=zstd" "noexec"]; + options = [ + "subvol=snapshots" + "compress=zstd" + "noexec" + ]; neededForBoot = false; }; "/mnt/WD" = { device = "/dev/disk/by-uuid/EA2866C92866947B"; fsType = "ntfs"; - options = ["nofail" "x-systemd.automount"]; + options = [ + "nofail" + "x-systemd.automount" + ]; neededForBoot = false; }; }; diff --git a/machines/Sheol/impermanence.nix b/machines/Sheol/impermanence.nix index e6d0f5a..d1324c0 100644 --- a/machines/Sheol/impermanence.nix +++ b/machines/Sheol/impermanence.nix @@ -1,4 +1,5 @@ -{impermanence, ...}: { +{ impermanence, ... }: +{ imports = [ impermanence.nixosModules.impermanence ]; diff --git a/machines/Sheol/options.nix b/machines/Sheol/options.nix index d5792a7..057c6e4 100644 --- a/machines/Sheol/options.nix +++ b/machines/Sheol/options.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ imports = [ ../../options/copySysConf.nix ]; diff --git a/machines/Sheol/sops.nix b/machines/Sheol/sops.nix index 33e5731..fac49cc 100644 --- a/machines/Sheol/sops.nix +++ b/machines/Sheol/sops.nix @@ -2,7 +2,8 @@ config, lib, ... -}: { +}: +{ sops = { defaultSopsFile = ./secrets.yaml; age = { diff --git a/options/copySysConf.nix b/options/copySysConf.nix index c7eb5ad..a33c202 100644 --- a/options/copySysConf.nix +++ b/options/copySysConf.nix 
@@ -4,12 +4,12 @@ lib, ... }: -with lib; let +with lib; +let cfg = config.system.copySysConf; cfgPath = ../.; copySysConf = - if !(isStorePath cfgPath) - then + if !(isStorePath cfgPath) then pkgs.stdenv.mkDerivation rec { name = "NixOS_Configuration-${version}"; version = commitIdFromGitRepo (cfgPath + "/.git"); @@ -20,8 +20,10 @@ with lib; let cp -R ./. $out ''; } - else (builtins.toPath ../.); -in { + else + (builtins.toPath ../.); +in +{ options.system.copySysConf = { enable = mkOption { type = types.bool; diff --git a/options/machine.nix b/options/machine.nix index d48ec20..8a5b860 100644 --- a/options/machine.nix +++ b/options/machine.nix @@ -5,7 +5,8 @@ ... }: with builtins; -with lib; let +with lib; +let cfg = config.machine; pkgsetList = fn.makeOptionTypeList (toString ../pkgsets); serviceList = fn.makeOptionTypeList (toString ../services); @@ -13,7 +14,12 @@ with lib; let name = pname; value = rec { pkgwrap = mkOption { - type = with types; oneOf [package (listOf package)]; + type = + with types; + oneOf [ + package + (listOf package) + ]; default = fn.pkgFilter cfg.pkgsets."${pname}".pkgs; description = '' Package Wrapper for packages using a wrapper function (like python, haskell, ...) @@ -21,18 +27,19 @@ with lib; let }; pkgs = mkOption { type = types.unspecified; - default = []; + default = [ ]; description = '' ${pname} package list. ''; }; }; }; -in { +in +{ options.machine = { pkgs = mkOption { type = types.listOf (types.enum pkgsetList); - default = ["base"]; + default = [ "base" ]; description = '' The list of metapackages to be installed. ''; 
@@ -41,14 +48,14 @@ in { pkgsets = listToAttrs (map pkgOption (lists.filter (v: !(strings.hasInfix "::" v)) pkgsetList)); services = mkOption { type = types.listOf (types.enum serviceList); - default = []; + default = [ ]; description = '' List of services to be enabled. ''; }; conffiles = mkOption { type = types.listOf types.str; - default = ["zsh"]; + default = [ "zsh" ]; description = '' List of configuration files to be enabled. ''; @@ -77,7 +84,7 @@ in { }; binaryCaches = mkOption { type = types.listOf types.str; - default = []; + default = [ ]; description = '' Adds binary caches to both nix.trustedBinaryCaches and nix.binaryCaches. ("https://cache.nixos.org" is kept by default) ''; @@ -97,28 +104,47 @@ in { }; extraDomains = mkOption { type = types.listOf types.str; - default = []; + default = [ ]; description = '' Extra domains used in various services. ''; }; mailAccounts = mkOption { type = types.listOf types.attrs; - default = []; + default = [ ]; description = '' List of mail account user names. ''; }; vHosts = mkOption { type = types.listOf types.attrs; - default = []; + default = [ ]; description = '' Domain - Service mappings for nginx vHost config. ''; }; }; imports = [ - (mkAliasOptionModule ["machine" "firewall"] ["networking" "firewall"]) - (mkAliasOptionModule ["machine" "allowUnfree"] ["nixpkgs" "config" "allowUnfree"]) + (mkAliasOptionModule + [ + "machine" + "firewall" + ] + [ + "networking" + "firewall" + ] + ) + (mkAliasOptionModule + [ + "machine" + "allowUnfree" + ] + [ + "nixpkgs" + "config" + "allowUnfree" + ] + ) ]; } diff --git a/options/mailman3/core.nix b/options/mailman3/core.nix index ff65b72..d7185ba 100644 --- a/options/mailman3/core.nix +++ b/options/mailman3/core.nix 
@@ -68,7 +68,7 @@ buildPythonPackage rec {
 meta = with stdenv.lib; {
 description = "GNU Mailman, a mailing list management system";
 license = licenses.gpl3;
- maintainers = with maintainers; [];
+ maintainers = with maintainers; [ ];
 homepage = "http://list.org/";
 };
 }
diff --git a/options/mailman3/extraPackages/aiosmtpd.nix b/options/mailman3/extraPackages/aiosmtpd.nix
index e72a047..273edae 100644
--- a/options/mailman3/extraPackages/aiosmtpd.nix
+++ b/options/mailman3/extraPackages/aiosmtpd.nix
@@ -14,5 +14,5 @@ buildPythonPackage rec {
 sha256 = "1xdfk741pjmz1cm8dsi4n5vq4517i175rm94696m3f7kcgk7xsmp";
 };
 doCheck = false;
- propagatedBuildInputs = [atpublic];
+ propagatedBuildInputs = [ atpublic ];
 }
diff --git a/options/mailman3/extraPackages/flufl_bounce.nix b/options/mailman3/extraPackages/flufl_bounce.nix
index 7ed3bef..1a05bb2 100644
--- a/options/mailman3/extraPackages/flufl_bounce.nix
+++ b/options/mailman3/extraPackages/flufl_bounce.nix
@@ -16,7 +16,10 @@ buildPythonPackage rec {
 sha256 = "0k5kjqa3x6gvwwxyzb2vwi1g1i6asm1zw5fivylxz3d583y4kid2";
 };
- propagatedBuildInputs = [atpublic zope_interface];
+ propagatedBuildInputs = [
+ atpublic
+ zope_interface
+ ];
 doCheck = false;
 }
diff --git a/options/mailman3/extraPackages/flufl_i18n.nix b/options/mailman3/extraPackages/flufl_i18n.nix
index fa29a29..99d5ae6 100644
--- a/options/mailman3/extraPackages/flufl_i18n.nix
+++ b/options/mailman3/extraPackages/flufl_i18n.nix
@@ -15,7 +15,7 @@ buildPythonPackage rec {
 sha256 = "1csgds59nx0ann9v2alqr69lakp1cnc1ikmbgn96l6n23js7c2ah";
 };
- propagatedBuildInputs = [atpublic];
+ propagatedBuildInputs = [ atpublic ];
 doCheck = false;
 }
diff --git a/options/mailman3/extraPackages/flufl_lock.nix b/options/mailman3/extraPackages/flufl_lock.nix
index e3fcf8a..70cb023 100644
--- a/options/mailman3/extraPackages/flufl_lock.nix
+++ b/options/mailman3/extraPackages/flufl_lock.nix
@@ -15,7 +15,7 @@ buildPythonPackage rec {
 sha256 = "0nzzd6l30ff6cwsrlrb94xzfja4wkyrqv3ydc6cz0hdbr766mmm8";
 };
- propagatedBuildInputs = [atpublic];
+ propagatedBuildInputs = [ atpublic ];
 doCheck = false;
 }
diff --git a/options/mailman3/extraPackages/lazr_config.nix b/options/mailman3/extraPackages/lazr_config.nix
index 8216e01..cd8d431 100644
--- a/options/mailman3/extraPackages/lazr_config.nix
+++ b/options/mailman3/extraPackages/lazr_config.nix
@@ -15,7 +15,7 @@ buildPythonPackage rec {
 sha256 = "1s7pyvlq06qjrkaw9r6nc290lb095n25ybzgavvy51ygpxkgqxwn";
 };
- propagatedBuildInputs = [lazr_delegates];
+ propagatedBuildInputs = [ lazr_delegates ];
 doCheck = false;
 }
diff --git a/options/mailman3/extraPackages/lazr_delegates.nix b/options/mailman3/extraPackages/lazr_delegates.nix
index ace5efa..b658322 100644
--- a/options/mailman3/extraPackages/lazr_delegates.nix
+++ b/options/mailman3/extraPackages/lazr_delegates.nix
@@ -16,7 +16,10 @@ buildPythonPackage rec {
 sha256 = "1rdnl85j9ayp8n85l0ciip621j9dcziz5qnmv2m7krgwgcn31vfx";
 };
- propagatedBuildInputs = [nose zope_interface];
+ propagatedBuildInputs = [
+ nose
+ zope_interface
+ ];
 doCheck = false;
 }
diff --git a/options/mailman3/options.nix b/options/mailman3/options.nix
index be92022..dcae3b6 100644
--- a/options/mailman3/options.nix
+++ b/options/mailman3/options.nix
@@ -4,8 +4,9 @@
 config,
 ...
 }:
-with lib; let
- mailman3 = import ./release.nix {};
+with lib;
+let
+ mailman3 = import ./release.nix { };
 cfg = config.services.mailman3;
 usePostgresql = cfg.database.type == "postgresql";
 useSqlite = cfg.database.type == "sqlite3";
@@ -75,7 +76,8 @@ with lib; let
 ${cfg.extraConfig}
 '';
-in {
+in
+{
 options.services.mailman3 = {
 enable = mkOption {
 type = types.bool;
@@ -104,7 +106,11 @@ in {
 database = {
 type = mkOption {
- type = types.enum ["sqlite3" "mysql" "postgres"];
+ type = types.enum [
+ "sqlite3"
+ "mysql"
+ "postgres"
+ ];
 default = "sqlite3";
 example = "mysql";
 description = ''
@@ -273,7 +279,10 @@ in { mta = { # TODO: add Sentmail and qmail type = mkOption { - type = types.enum ["postfix" "exim4"]; + type = types.enum [ + "postfix" + "exim4" + ]; default = "postfix"; example = "exim4"; description = '' 
@@ -366,42 +375,55 @@ in { home = cfg.paths.var_dir; createHome = true; useDefaultShell = true; - packages = [mailman3.core]; + packages = [ mailman3.core ]; }; }; services.postfix.recipientDelimiter = mkIf usePostfix (mkDefault "+"); - services.postfix.mapFiles."transport_maps" = mkIf usePostfix (mkDefault "${cfg.paths.data_dir}/postfix_lmtp"); - services.postfix.mapFiles."local_recipient_maps" = mkIf usePostfix (mkDefault "${cfg.paths.data_dir}/postfix_lmtp"); - services.postfix.mapFiles."relay_domains" = mkIf usePostfix (mkDefault "${cfg.paths.data_dir}/postfix_domains"); + services.postfix.mapFiles."transport_maps" = mkIf usePostfix ( + mkDefault "${cfg.paths.data_dir}/postfix_lmtp" + ); + services.postfix.mapFiles."local_recipient_maps" = mkIf usePostfix ( + mkDefault "${cfg.paths.data_dir}/postfix_lmtp" + ); + services.postfix.mapFiles."relay_domains" = mkIf usePostfix ( + mkDefault "${cfg.paths.data_dir}/postfix_domains" + ); - warnings = - optional (cfg.database.password != "") - '' config.services.mailman3.database.password will be stored as plaintext - in the Nix store. Use database.passwordFile instead.''; + warnings = optional (cfg.database.password != "") '' + config.services.mailman3.database.password will be stored as plaintext + in the Nix store. Use database.passwordFile instead.''; # Create database passwordFile default when password is configured. 
- services.mailman3.database.passwordFile = mkDefault (toString (pkgs.writeTextFile { - name = "mailman3-database-password"; - text = cfg.database.password; - })); + services.mailman3.database.passwordFile = mkDefault ( + toString ( + pkgs.writeTextFile { + name = "mailman3-database-password"; + text = cfg.database.password; + } + ) + ); systemd.services.mailman3 = { description = "GNU Mailing List Manager"; - after = ["network.target"] ++ lib.optional usePostgresql "postgresql.service" ++ lib.optional useMysql "mysql.service"; - wantedBy = ["multi-user.target"]; + after = [ + "network.target" + ] ++ lib.optional usePostgresql "postgresql.service" ++ lib.optional useMysql "mysql.service"; + wantedBy = [ "multi-user.target" ]; - preStart = let - dbpass = fileContents cfg.database.passwordFile; - smtppass = fileContents cfg.mta.smtp_passFile; - in '' - mkdir -p ${cfg.paths.etc_dir} - cp ${configFile} ${cfg.paths.etc_dir}/mailman.cfg - ${optionalString (useMysql || usePostgresql) '' - sed -e "s/#dbpass#/${dbpass}/g" -e "s/#smtppass#/${smtppass}/g" -i ${cfg.paths.etc_dir}/mailman.cfg - ''} - chmod 640 ${cfg.paths.etc_dir}/mailman.cfg - ''; + preStart = + let + dbpass = fileContents cfg.database.passwordFile; + smtppass = fileContents cfg.mta.smtp_passFile; + in + '' + mkdir -p ${cfg.paths.etc_dir} + cp ${configFile} ${cfg.paths.etc_dir}/mailman.cfg + ${optionalString (useMysql || usePostgresql) '' + sed -e "s/#dbpass#/${dbpass}/g" -e "s/#smtppass#/${smtppass}/g" -i ${cfg.paths.etc_dir}/mailman.cfg + ''} + chmod 640 ${cfg.paths.etc_dir}/mailman.cfg + ''; serviceConfig = { Type = "forking"; diff --git a/options/mailman3/release.nix b/options/mailman3/release.nix index 96e70fb..14b1ed8 100644 --- a/options/mailman3/release.nix +++ b/options/mailman3/release.nix 
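Review bot: `dbpass = fileContents cfg.database.passwordFile;` and the `smtppass` binding in `preStart` read both secrets during Nix evaluation and interpolate them into the generated preStart script, so they end up in the world-readable Nix store — the exact exposure the `warnings` entry just above cautions against for `database.password`, and the later `chmod 640` on mailman.cfg cannot undo it. The values are also substituted into a sed expression unescaped, so a password containing `/`, `&` or `\` silently corrupts the generated config. Reading the files inside the script at service start keeps the secrets out of the store (the sed argument is still briefly visible in the process list, so a runtime config include would be the complete fix); the rewritten `preStart` is below. The `systemd.services.mailman3` set that contains it runs past the end of this hunk, and the enclosing attribute set starts outside it.
```nix
      preStart = ''
        # … unchanged: mkdir of etc_dir and cp of configFile …
        ${optionalString (useMysql || usePostgresql) ''
          # read the secret files when the service starts, not at evaluation time
          dbpass=$(cat ${cfg.database.passwordFile})
          smtppass=$(cat ${cfg.mta.smtp_passFile})
          sed -e "s|#dbpass#|$dbpass|g" -e "s|#smtppass#|$smtppass|g" -i ${cfg.paths.etc_dir}/mailman.cfg
        ''}
        chmod 640 ${cfg.paths.etc_dir}/mailman.cfg
      '';
```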
@@ -1,17 +1,28 @@ { - pkgs ? import {}, + pkgs ? import { }, python3Packages ? pkgs.python3Packages, -}: let +}: +let mailman3 = { - core = python3Packages.callPackage ./core.nix (with deps; { - inherit aiosmtpd atpublic flufl_bounce flufl_i18n flufl_lock lazr_config; - }); + core = python3Packages.callPackage ./core.nix ( + with deps; + { + inherit + aiosmtpd + atpublic + flufl_bounce + flufl_i18n + flufl_lock + lazr_config + ; + } + ); }; deps = rec { aiosmtpd = python3Packages.callPackage ./extraPackages/aiosmtpd.nix { inherit atpublic; }; - atpublic = python3Packages.callPackage ./extraPackages/atpublic.nix {}; + atpublic = python3Packages.callPackage ./extraPackages/atpublic.nix { }; flufl_bounce = python3Packages.callPackage ./extraPackages/flufl_bounce.nix { inherit atpublic; }; @@ -24,7 +35,7 @@ lazr_config = python3Packages.callPackage ./extraPackages/lazr_config.nix { inherit lazr_delegates; }; - lazr_delegates = python3Packages.callPackage ./extraPackages/lazr_delegates.nix {}; + lazr_delegates = python3Packages.callPackage ./extraPackages/lazr_delegates.nix { }; }; in - mailman3 +mailman3 diff --git a/pkgs/flat-remix/default.nix b/pkgs/flat-remix/default.nix index 8807997..b3ceb2d 100644 --- a/pkgs/flat-remix/default.nix +++ b/pkgs/flat-remix/default.nix @@ -13,6 +13,6 @@ stdenv.mkDerivation { sha256 = "0rfv75w9yr8drc3x9g4iz2cb88ixy1lqbflvmb7farw4dz74fk5f"; fetchSubmodules = true; }; - makeFlags = ["PREFIX=$(out)"]; - propagatedUserEnvPkgs = [gtk-engine-murrine]; + makeFlags = [ "PREFIX=$(out)" ]; + propagatedUserEnvPkgs = [ gtk-engine-murrine ]; } diff --git a/pkgs/kanagawa/default.nix b/pkgs/kanagawa/default.nix index 788855d..6f40086 100644 --- a/pkgs/kanagawa/default.nix +++ b/pkgs/kanagawa/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation { sha256 = "sha256-BZRmjVas8q6zsYbXFk4bCk5Ec/3liy9PQ8fqFGHAXe0="; }; - propagatedUserEnvPkgs = [gtk-engine-murrine]; + propagatedUserEnvPkgs = [ gtk-engine-murrine ]; installPhase = '' runHook preInstall 
diff --git a/pkgs/nixpkgs.nix b/pkgs/nixpkgs.nix index 8192662..412a3c7 100644 --- a/pkgs/nixpkgs.nix +++ b/pkgs/nixpkgs.nix @@ -6,20 +6,22 @@ nixpkgs-stable, nixpkgs-git, ... -}: let +}: +let inherit (pkgs) callPackage; -in { +in +{ nixpkgs = { config = { allowUnfree = true; mpv.vaapiSupport = lib.elem "xserver" config.machine.services; packageOverrides = { - pyluxafor = pkgs.python3Packages.callPackage ./pyluxafor {}; - theme_flat-remix = callPackage ./flat-remix {}; - theme_sddm_midnight = callPackage ./sddm_midnight {}; - xdiskusage = callPackage ./xdiskusage {}; - kanagawa = callPackage ./kanagawa {}; + pyluxafor = pkgs.python3Packages.callPackage ./pyluxafor { }; + theme_flat-remix = callPackage ./flat-remix { }; + theme_sddm_midnight = callPackage ./sddm_midnight { }; + xdiskusage = callPackage ./xdiskusage { }; + kanagawa = callPackage ./kanagawa { }; }; }; overlays = [ diff --git a/pkgs/pyluxafor/default.nix b/pkgs/pyluxafor/default.nix index d71565f..5adb43f 100644 --- a/pkgs/pyluxafor/default.nix +++ b/pkgs/pyluxafor/default.nix @@ -18,5 +18,8 @@ buildPythonApplication rec { substituteInPlace setup.py --replace '"click>=6.0,<=6.7.99",' "" substituteInPlace setup.py --replace '"pyusb==1.0.0",' "" ''; - propagatedBuildInputs = [click pyusb]; + propagatedBuildInputs = [ + click + pyusb + ]; } diff --git a/pkgs/systemPackages.nix b/pkgs/systemPackages.nix index 1369ae6..1578d5d 100644 --- a/pkgs/systemPackages.nix +++ b/pkgs/systemPackages.nix @@ -5,22 +5,20 @@ pkgs, ... }: -with lib; let +with lib; +let cfg = config.machine; pkgsets = fn.lst { p = toString ../pkgsets; b = true; }; -in { +in +{ imports = pkgsets; - environment.systemPackages = - flatten - (lists.forEach - (attrVals - (filter - (v: !(strings.hasInfix "::" v)) - cfg.pkgs) - cfg.pkgsets) - (v: v.pkgwrap)); + environment.systemPackages = flatten ( + lists.forEach (attrVals (filter (v: !(strings.hasInfix "::" v)) cfg.pkgs) cfg.pkgsets) ( + v: v.pkgwrap + ) + ); } 
diff --git a/pkgs/xdiskusage/default.nix b/pkgs/xdiskusage/default.nix index 03757c5..eb8b1d9 100644 --- a/pkgs/xdiskusage/default.nix +++ b/pkgs/xdiskusage/default.nix @@ -7,7 +7,7 @@ stdenv.mkDerivation rec { name = "xdiskusage"; version = "1.51"; - buildInputs = [fltk]; + buildInputs = [ fltk ]; src = fetchurl { url = "http://xdiskusage.sourceforge.net/${name}-${version}.tgz"; diff --git a/pkgsets/base.nix b/pkgsets/base.nix index a693807..c43f65e 100644 --- a/pkgsets/base.nix +++ b/pkgsets/base.nix @@ -3,7 +3,8 @@ config, pkgs, ... -}: { +}: +{ config.machine.pkgsets.base.pkgs = with pkgs; [ age sops diff --git a/pkgsets/cpp.nix b/pkgsets/cpp.nix index b45ef08..e1c5ec3 100644 --- a/pkgsets/cpp.nix +++ b/pkgsets/cpp.nix @@ -2,7 +2,8 @@ config, pkgs, ... -}: { +}: +{ config.machine.pkgsets.cpp.pkgs = with pkgs; [ clang cmake diff --git a/pkgsets/dict.nix b/pkgsets/dict.nix index dd8ec60..c15d7a2 100644 --- a/pkgsets/dict.nix +++ b/pkgsets/dict.nix @@ -2,10 +2,24 @@ config, pkgs, ... -}: { +}: +{ config.machine.pkgsets.dict.pkgs = with pkgs; [ translate-shell - (hunspellWithDicts (with pkgs.hunspellDicts; [de-de en-us])) - (aspellWithDicts (d: with d; [de en en-computers en-science])) + (hunspellWithDicts ( + with pkgs.hunspellDicts; + [ + de-de + en-us + ] + )) + (aspellWithDicts ( + d: with d; [ + de + en + en-computers + en-science + ] + )) ]; } diff --git a/pkgsets/extra.nix b/pkgsets/extra.nix index ffe935a..f4964ed 100644 --- a/pkgsets/extra.nix +++ b/pkgsets/extra.nix @@ -2,7 +2,8 @@ config, pkgs, ... -}: { +}: +{ config.machine.pkgsets.extra.pkgs = with pkgs; [ alsaUtils binutils-unwrapped diff --git a/pkgsets/haskell-tools.nix b/pkgsets/haskell-tools.nix index 8d5d1f4..b3a5eb6 100644 --- a/pkgsets/haskell-tools.nix +++ b/pkgsets/haskell-tools.nix 
@@ -2,6 +2,10 @@ config, pkgs, ... -}: { - config.machine.pkgsets.haskell-tools.pkgs = with pkgs; [cabal-install hlint]; # ghcid +}: +{ + config.machine.pkgsets.haskell-tools.pkgs = with pkgs; [ + cabal-install + hlint + ]; # ghcid } diff --git a/pkgsets/haskell.nix b/pkgsets/haskell.nix index a47941b..fc59edb 100644 --- a/pkgsets/haskell.nix +++ b/pkgsets/haskell.nix @@ -4,8 +4,11 @@ fn, pkgs, ... -}: { - config.machine.pkgsets.haskell.pkgwrap = pkgs.haskellPackages.ghcWithPackages (pkgs: (fn.pkgFilter config.machine.pkgsets.haskell.pkgs)); +}: +{ + config.machine.pkgsets.haskell.pkgwrap = pkgs.haskellPackages.ghcWithPackages ( + pkgs: (fn.pkgFilter config.machine.pkgsets.haskell.pkgs) + ); config.machine.pkgsets.haskell.pkgs = with pkgs.haskellPackages; [ hindent mtl diff --git a/pkgsets/latex.nix b/pkgsets/latex.nix index 6dd47eb..86399af 100644 --- a/pkgsets/latex.nix +++ b/pkgsets/latex.nix @@ -4,7 +4,8 @@ pkgs, ... }: -with lib; { +with lib; +{ config.machine.pkgsets.latex.pkgs = with pkgs; [ texlive.combined.scheme-full texlab diff --git a/pkgsets/mail_utils.nix b/pkgsets/mail_utils.nix index 01a669b..cf418e0 100644 --- a/pkgsets/mail_utils.nix +++ b/pkgsets/mail_utils.nix @@ -1,7 +1,8 @@ { pkgs, ... -}: { +}: +{ config.machine.pkgsets.mail_utils.pkgs = with pkgs; [ aerc abook diff --git a/pkgsets/nodejs.nix b/pkgsets/nodejs.nix index 97de8b6..de1fdc4 100644 --- a/pkgsets/nodejs.nix +++ b/pkgsets/nodejs.nix @@ -1,6 +1,11 @@ -{pkgs, ...}: { +{ pkgs, ... }: +{ config.machine.pkgsets.nodejs.pkgs = - (with pkgs; [nodejs yarn deno]) + (with pkgs; [ + nodejs + yarn + deno + ]) ++ (with pkgs.nodePackages; [ autoprefixer mermaid-cli diff --git a/pkgsets/php.nix b/pkgsets/php.nix index a6a88f0..a979a9d 100644 --- a/pkgsets/php.nix +++ b/pkgsets/php.nix 
@@ -4,11 +4,12 @@ fn, pkgs, ... -}: { +}: +{ config.machine.pkgsets.php.pkgwrap = fn.pkgFilter config.machine.pkgsets.php.pkgs; config.machine.pkgsets.php.pkgs = (with pkgs.php82Packages; [ composer ]) - ++ (with pkgs; [php82]); + ++ (with pkgs; [ php82 ]); } diff --git a/pkgsets/python3.nix b/pkgsets/python3.nix index e7b0f9c..6d5e288 100644 --- a/pkgsets/python3.nix +++ b/pkgsets/python3.nix @@ -5,8 +5,11 @@ pkgs, ... }: -with lib; { - config.machine.pkgsets.python3.pkgwrap = pkgs.python3.withPackages (ps: (fn.pkgFilter config.machine.pkgsets.python3.pkgs)); +with lib; +{ + config.machine.pkgsets.python3.pkgwrap = pkgs.python3.withPackages ( + ps: (fn.pkgFilter config.machine.pkgsets.python3.pkgs) + ); config.machine.pkgsets.python3.pkgs = with pkgs.python3Packages; [ bpython flake8 diff --git a/pkgsets/rustpkgs.nix b/pkgsets/rustpkgs.nix index f3a49a0..d391192 100644 --- a/pkgsets/rustpkgs.nix +++ b/pkgsets/rustpkgs.nix @@ -1,15 +1,22 @@ -{config, ...}: let - mozRust = with builtins; - (map (p: - import ((fetchTarball { +{ config, ... }: +let + mozRust = + with builtins; + (map ( + p: + import ( + (fetchTarball { url = "https://github.com/mozilla/nixpkgs-mozilla/archive/e912ed4.tar.gz"; sha256 = "08fvzb8w80bkkabc1iyhzd15f4sm7ra10jn32kfch5klgl0gj3j3"; }) - + p))) [ - (toPath "/lib-overlay.nix") - (toPath "/rust-overlay.nix") - ]; - stablepkgs = import {overlays = mozRust;}; + + p + ) + )) + [ + (toPath "/lib-overlay.nix") + (toPath "/rust-overlay.nix") + ]; + stablepkgs = import { overlays = mozRust; }; # https://rust-lang.github.io/rustup-components-history nightly = stablepkgs.rustChannelOf { 
@@ -27,18 +34,26 @@ "rustfmt-preview" ]; } - // {src = nightly.rust-src;}; + // { + src = nightly.rust-src; + }; inherit (nightly) cargo; }; - rustPNightly = stablepkgs.recurseIntoAttrs (stablepkgs.makeRustPlatform { - inherit (rustNightly) rustc cargo; - }); -in { + rustPNightly = stablepkgs.recurseIntoAttrs ( + stablepkgs.makeRustPlatform { + inherit (rustNightly) rustc cargo; + } + ); +in +{ config.machine.pkgsets.rustpkgs.pkgs = (with stablepkgs; [ diesel-cli carnix rustracer ]) - ++ (with rustNightly; [rustc cargo]); + ++ (with rustNightly; [ + rustc + cargo + ]); } diff --git a/pkgsets/server.nix b/pkgsets/server.nix index 661f44a..ecec0d2 100644 --- a/pkgsets/server.nix +++ b/pkgsets/server.nix @@ -2,7 +2,8 @@ config, pkgs, ... -}: { +}: +{ config.machine.pkgsets.server.pkgs = with pkgs; [ audit certbot diff --git a/pkgsets/tracking.nix b/pkgsets/tracking.nix index c525108..e8d2806 100644 --- a/pkgsets/tracking.nix +++ b/pkgsets/tracking.nix @@ -4,7 +4,8 @@ pkgs, ... }: -with lib; { +with lib; +{ config.machine.pkgsets.tracking.pkgs = with pkgs; [ aw-qt aw-server-rust diff --git a/pkgsets/uniProgs.nix b/pkgsets/uniProgs.nix index 455f786..141b3ed 100644 --- a/pkgsets/uniProgs.nix +++ b/pkgsets/uniProgs.nix @@ -2,6 +2,7 @@ config, pkgs, ... -}: { - config.machine.pkgsets.uniProgs.pkgs = with pkgs; [qucs]; +}: +{ + config.machine.pkgsets.uniProgs.pkgs = with pkgs; [ qucs ]; } diff --git a/pkgsets/xpkgs.nix b/pkgsets/xpkgs.nix index ebd7b49..af5ec2e 100644 --- a/pkgsets/xpkgs.nix +++ b/pkgsets/xpkgs.nix @@ -2,9 +2,11 @@ config, pkgs, ... -}: let +}: +let cfg = config.machine; -in { +in +{ config.machine.pkgsets.xpkgs.pkgs = with pkgs; [ acpilight feh diff --git a/services/acme.nix b/services/acme.nix index 25eb2f3..8b96298 100644 --- a/services/acme.nix +++ b/services/acme.nix 
@@ -7,13 +7,14 @@ ... }: with builtins; -with lib; let +with lib; +let cfg = config.machine; in - mkIf (elem "acme" cfg.services) { - security.acme = { - # see https://letsencrypt.org/repository/ - acceptTerms = true; - defaults.email = "${(elemAt cfg.mailAccounts 0).name}@${cfg.domain}"; - }; - } +mkIf (elem "acme" cfg.services) { + security.acme = { + # see https://letsencrypt.org/repository/ + acceptTerms = true; + defaults.email = "${(elemAt cfg.mailAccounts 0).name}@${cfg.domain}"; + }; +} diff --git a/services/bind.nix b/services/bind.nix index 1ac87b1..cabea64 100644 --- a/services/bind.nix +++ b/services/bind.nix @@ -8,29 +8,30 @@ ... }: with builtins; -with lib; let +with lib; +let cfg = config.machine; in - mkIf (elem "bind" cfg.services) { - services.bind = { - enable = true; - listenOn = ["127.0.0.1"]; - forwarders = [ - # Cloudflare CDN - "1.1.1.1" - "1.0.0.1" - #CCC DNS - "204.152.184.76" - "159.203.38.175" - "207.148.83.241" - ]; - # TODO: add DNSSEC - extraOptions = '' - dnssec-validation auto; +mkIf (elem "bind" cfg.services) { + services.bind = { + enable = true; + listenOn = [ "127.0.0.1" ]; + forwarders = [ + # Cloudflare CDN + "1.1.1.1" + "1.0.0.1" + #CCC DNS + "204.152.184.76" + "159.203.38.175" + "207.148.83.241" + ]; + # TODO: add DNSSEC + extraOptions = '' + dnssec-validation auto; - recursion yes; - allow-recursion { 127.0.0.1; }; - version none; - ''; - }; - } + recursion yes; + allow-recursion { 127.0.0.1; }; + version none; + ''; + }; +} diff --git a/services/containers.nix b/services/containers.nix index dac6070..1a11a2e 100644 --- a/services/containers.nix +++ b/services/containers.nix 
@@ -4,21 +4,21 @@ ... }: with lib; - mkIf (elem "containers" config.machine.services) { - containers.CDServer = { - privateNetwork = true; - hostAddress = "192.168.100.10"; - localAddress = "192.168.100.11"; - config = { - imports = [ - ../machines/CDServer/options.nix - ./default.nix - ../config/default.nix - ../pkgs/nixpkgs.nix - ../pkgs/pkgsets.nix - ]; - services.nixosManual.showManual = false; - services.ntp.enable = false; - }; +mkIf (elem "containers" config.machine.services) { + containers.CDServer = { + privateNetwork = true; + hostAddress = "192.168.100.10"; + localAddress = "192.168.100.11"; + config = { + imports = [ + ../machines/CDServer/options.nix + ./default.nix + ../config/default.nix + ../pkgs/nixpkgs.nix + ../pkgs/pkgsets.nix + ]; + services.nixosManual.showManual = false; + services.ntp.enable = false; }; - } + }; +} diff --git a/services/cups.nix b/services/cups.nix index fd29298..378ec30 100644 --- a/services/cups.nix +++ b/services/cups.nix @@ -5,11 +5,16 @@ ... }: with lib; - mkIf (elem "cups" config.machine.services) { - services.printing = { - enable = true; - browsed.enable = false; - startWhenNeeded = true; - drivers = with pkgs; [gutenprint hplip splix samsung-unified-linux-driver]; - }; - } +mkIf (elem "cups" config.machine.services) { + services.printing = { + enable = true; + browsed.enable = false; + startWhenNeeded = true; + drivers = with pkgs; [ + gutenprint + hplip + splix + samsung-unified-linux-driver + ]; + }; +} diff --git a/services/desktop.nix b/services/desktop.nix index 91dfc73..3c22ea9 100644 --- a/services/desktop.nix +++ b/services/desktop.nix 
@@ -5,68 +5,69 @@ pkgs, ... }: -with lib; let +with lib; +let cfg = config.machine; desktopFiles = fn.lst { p = toString ./desktop; b = true; }; in - { - imports = desktopFiles; - } - // mkIf (elem "desktop" cfg.services) { - xdg.portal = { +{ + imports = desktopFiles; +} +// mkIf (elem "desktop" cfg.services) { + xdg.portal = { + enable = true; + wlr.enable = true; + extraPortals = with pkgs; [ + xdg-desktop-portal-gtk + xdg-desktop-portal-gnome + ]; + }; + services = { + gvfs.enable = true; + libinput = { enable = true; - wlr.enable = true; - extraPortals = with pkgs; [ - xdg-desktop-portal-gtk - xdg-desktop-portal-gnome - ]; + touchpad = { + tapping = true; + disableWhileTyping = false; + naturalScrolling = false; + horizontalScrolling = true; + }; }; - services = { - gvfs.enable = true; - libinput = { - enable = true; - touchpad = { - tapping = true; - disableWhileTyping = false; - naturalScrolling = false; - horizontalScrolling = true; - }; - }; - }; - programs = { - dconf.enable = true; - regreet = { - enable = true; - settings = { - GTK = { - application_prefer_dark_theme = true; - theme_name = lib.mkForce "Kanagawa-BL"; - }; + }; + programs = { + dconf.enable = true; + regreet = { + enable = true; + settings = { + GTK = { + application_prefer_dark_theme = true; + theme_name = lib.mkForce "Kanagawa-BL"; }; }; }; + }; - environment = { - systemPackages = with pkgs; [kanagawa]; - etc."xdg/gtk-2.0/gtkrc".text = '' - gtk-key-theme-name = "Kanagawa-BL" - ''; - etc."xdg/gtk-3.0/settings.ini".text = '' - [Settings] - gtk-key-theme-name = Kanagawa-BL - ''; - # Set keyboard layout for regreet cage - # see man cage or: - # https://man.archlinux.org/man/cage.1.en#ENVIRONMENT - variables.XKB_DEFAULT_LAYOUT = "de"; - }; - - # Allow users in the video group to change the display brightness - services.udev.extraRules = '' - ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chgrp video /sys/class/backlight/%k/brightness" - ACTION=="add", 
SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chmod 664 /sys/class/backlight/%k/brightness" + environment = { + systemPackages = with pkgs; [ kanagawa ]; + etc."xdg/gtk-2.0/gtkrc".text = '' + gtk-key-theme-name = "Kanagawa-BL" ''; - } + etc."xdg/gtk-3.0/settings.ini".text = '' + [Settings] + gtk-key-theme-name = Kanagawa-BL + ''; + # Set keyboard layout for regreet cage + # see man cage or: + # https://man.archlinux.org/man/cage.1.en#ENVIRONMENT + variables.XKB_DEFAULT_LAYOUT = "de"; + }; + + # Allow users in the video group to change the display brightness + services.udev.extraRules = '' + ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chgrp video /sys/class/backlight/%k/brightness" + ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chmod 664 /sys/class/backlight/%k/brightness" + ''; +} diff --git a/services/desktop/i3.nix b/services/desktop/i3.nix index 88326cf..daf8f78 100644 --- a/services/desktop/i3.nix +++ b/services/desktop/i3.nix @@ -5,20 +5,24 @@ ... }: with lib; - mkIf (elem "desktop::i3" config.machine.services) { - services.xserver = { +mkIf (elem "desktop::i3" config.machine.services) { + services.xserver = { + enable = true; + windowManager.i3 = { enable = true; - windowManager.i3 = { - enable = true; - configFile = import ../../config/etc/i3/config.nix {inherit pkgs;}; - extraPackages = with pkgs; [ - dmenu - file - i3lock - i3status - xdg-user-dirs - ]; - }; + configFile = import ../../config/etc/i3/config.nix { inherit pkgs; }; + extraPackages = with pkgs; [ + dmenu + file + i3lock + i3status + xdg-user-dirs + ]; }; - machine.pkgsets.python3.pkgs = with pkgs.python3Packages; [py3status pytz tzlocal]; - } + }; + machine.pkgsets.python3.pkgs = with pkgs.python3Packages; [ + py3status + pytz + tzlocal + ]; +} diff --git a/services/desktop/sway.nix b/services/desktop/sway.nix index 8245b7b..4ccb19e 100644 --- a/services/desktop/sway.nix +++ b/services/desktop/sway.nix 
@@ -5,47 +5,47 @@
 ...
 }:
 with lib;
- mkIf (elem "desktop::sway" config.machine.services) {
- programs.sway = {
- enable = true;
- package = pkgs.sway.override {
- enableXWayland = true;
- };
- extraPackages = with pkgs; [
- file
- gnome.adwaita-icon-theme
- grim
- gsettings-desktop-schemas
- gtk3
- i3status
- kanagawa
- light
- mako
- qt5.qtwayland
- rofi-wayland
- slurp
- swayidle
- swaylock
- wf-recorder
- wl-clipboard
- ];
- wrapperFeatures = {
- base = true;
- gtk = true;
- };
- extraSessionCommands = ''
- export GDK_BACKEND=wayland
- export CLUTTER_BACKEND=wayland
- export SDL_VIDEODRIVER=wayland
- # needs qt5.qtwayland in systemPackages
- export QT_QPA_PLATFORM=wayland-egl
- export QT_WAYLAND_FORCE_DPI=physical
- export QT_WAYLAND_DISABLE_WINDOWDECORATION="1"
- # Fix for some Java AWT applications (e.g. Android Studio),
- # use this if they aren't displayed properly:
- export _JAVA_AWT_WM_NONREPARENTING=1
- # Chromium (based) applications
- export NIXOS_OZONE_WL=1
- '';
+mkIf (elem "desktop::sway" config.machine.services) {
+ programs.sway = {
+ enable = true;
+ package = pkgs.sway.override {
+ enableXWayland = true;
 };
- }
+ extraPackages = with pkgs; [
+ file
+ gnome.adwaita-icon-theme
+ grim
+ gsettings-desktop-schemas
+ gtk3
+ i3status
+ kanagawa
+ light
+ mako
+ qt5.qtwayland
+ rofi-wayland
+ slurp
+ swayidle
+ swaylock
+ wf-recorder
+ wl-clipboard
+ ];
+ wrapperFeatures = {
+ base = true;
+ gtk = true;
+ };
+ extraSessionCommands = ''
+ export GDK_BACKEND=wayland
+ export CLUTTER_BACKEND=wayland
+ export SDL_VIDEODRIVER=wayland
+ # needs qt5.qtwayland in systemPackages
+ export QT_QPA_PLATFORM=wayland-egl
+ export QT_WAYLAND_FORCE_DPI=physical
+ export QT_WAYLAND_DISABLE_WINDOWDECORATION="1"
+ # Fix for some Java AWT applications (e.g. Android Studio),
+ # use this if they aren't displayed properly:
+ export _JAVA_AWT_WM_NONREPARENTING=1
+ # Chromium (based) applications
+ export NIXOS_OZONE_WL=1
+ '';
+ };
+}
diff --git a/services/docker.nix b/services/docker.nix
index f19daa5..d1a598c 100644
--- a/services/docker.nix
+++ b/services/docker.nix
@@ -6,11 +6,15 @@
 }:
 # Note: add privileged users to docker group for access
 with lib;
- mkIf ((elem "docker" config.machine.services) && !(elem "podman" config.machine.services)) {
- virtualisation.docker = {
- enable = true;
- # Disable live restore as it tends to delay/block system shutdown
- liveRestore = false;
- };
- environment.systemPackages = with pkgs; [docker-compose docker-machine cntr];
- }
+mkIf ((elem "docker" config.machine.services) && !(elem "podman" config.machine.services)) {
+ virtualisation.docker = {
+ enable = true;
+ # Disable live restore as it tends to delay/block system shutdown
+ liveRestore = false;
+ };
+ environment.systemPackages = with pkgs; [
+ docker-compose
+ docker-machine
+ cntr
+ ];
+}
diff --git a/services/fail2ban.nix b/services/fail2ban.nix
index ed6fda6..32d2953 100644
--- a/services/fail2ban.nix
+++ b/services/fail2ban.nix
@@ -3,102 +3,103 @@ lib, ... }: -with lib; let +with lib; +let cfg = config.machine; active = name: (elem name cfg.services); in - mkIf (elem "fail2ban" cfg.services) { - services.fail2ban = { - enable = true; - jails = { - DEFAULT = '' - bantime = 3600 - blocktype = DROP - logpath = /var/log/auth.log - ''; +mkIf (elem "fail2ban" cfg.services) { + services.fail2ban = { + enable = true; + jails = { + DEFAULT = '' + bantime = 3600 + blocktype = DROP + logpath = /var/log/auth.log + ''; - ssh = '' - enabled = ${boolToString (active "openssh")} - filter = sshd - maxretry = 4 - action = iptables[name=SSH, port=ssh, protocol=tcp] - ''; - sshd-ddos = '' - enabled = ${boolToString (active "openssh")} - filter = sshd-ddos - maxretry = 4 - action = iptables[name=ssh, port=ssh, protocol=tcp] - ''; + ssh = '' + enabled = ${boolToString (active "openssh")} + filter = sshd + maxretry = 4 + action = iptables[name=SSH, port=ssh, protocol=tcp] + ''; + sshd-ddos = '' + enabled = ${boolToString (active "openssh")} + filter = sshd-ddos + maxretry = 4 + action = iptables[name=ssh, port=ssh, protocol=tcp] + ''; - postfix = '' - enabled = ${boolToString (active "mailserver")} - filter = postfix - maxretry = 3 - action = iptables[name=postfix, port=smtp, protocol=tcp] - ''; - postfix-sasl = '' - enabled = ${boolToString (active "mailserver")} - filter = postfix-sasl - port = postfix,imap3,imaps,pop3,pop3s - maxretry = 3 - action = iptables[name=postfix, port=smtp, protocol=tcp] - ''; - postfix-ddos = '' - enabled = ${boolToString (active "mailserver")} - filter = postfix-ddos - maxretry = 3 - action = iptables[name=postfix, port=submission, protocol=tcp] - bantime = 7200 - ''; + postfix = '' + enabled = ${boolToString (active "mailserver")} + filter = postfix + maxretry = 3 + action = iptables[name=postfix, port=smtp, protocol=tcp] + ''; + postfix-sasl = '' + enabled = ${boolToString (active "mailserver")} + filter = postfix-sasl + port = postfix,imap3,imaps,pop3,pop3s + maxretry = 3 + 
action = iptables[name=postfix, port=smtp, protocol=tcp] + ''; + postfix-ddos = '' + enabled = ${boolToString (active "mailserver")} + filter = postfix-ddos + maxretry = 3 + action = iptables[name=postfix, port=submission, protocol=tcp] + bantime = 7200 + ''; - nginx-req-limit = '' - enabled = ${boolToString (active "nginx")} - filter = nginx-req-limit - maxretry = 10 - action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp] - findtime = 600 - bantime = 7200 - ''; - }; - }; - - environment.etc."fail2ban/filter.d/sshd-ddos.conf" = { - enable = active "openssh"; - text = '' - [Definition] - failregex = sshd(?:\[\d+\])?: Did not receive identification string from $ - ignoreregex = + nginx-req-limit = '' + enabled = ${boolToString (active "nginx")} + filter = nginx-req-limit + maxretry = 10 + action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp] + findtime = 600 + bantime = 7200 ''; }; + }; - environment.etc."fail2ban/filter.d/postfix-sasl.conf" = { - enable = active "mailserver"; - text = '' - # Fail2Ban filter for postfix authentication failures - [INCLUDES] - before = common.conf - [Definition] - daemon = postfix/smtpd - failregex = ^%(__prefix_line)swarning: [-._\w]+\[\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$ - ''; - }; + environment.etc."fail2ban/filter.d/sshd-ddos.conf" = { + enable = active "openssh"; + text = '' + [Definition] + failregex = sshd(?:\[\d+\])?: Did not receive identification string from $ + ignoreregex = + ''; + }; - environment.etc."fail2ban/filter.d/postfix-ddos.conf" = { - enable = active "mailserver"; - text = '' - [Definition] - failregex = lost connection after EHLO from \S+\[\] - ''; - }; + environment.etc."fail2ban/filter.d/postfix-sasl.conf" = { + enable = active "mailserver"; + text = '' + # Fail2Ban filter for postfix authentication failures + [INCLUDES] + before = common.conf + [Definition] + daemon = postfix/smtpd + failregex = 
^%(__prefix_line)swarning: [-._\w]+\[\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$ + ''; + }; - environment.etc."fail2ban/filter.d/nginx-req-limit.conf" = { - enable = active "nginx"; - text = '' - [Definition] - failregex = limiting requests, excess:.* by zone.*client: - ''; - }; + environment.etc."fail2ban/filter.d/postfix-ddos.conf" = { + enable = active "mailserver"; + text = '' + [Definition] + failregex = lost connection after EHLO from \S+\[\] + ''; + }; - # Limit stack size to reduce memory usage - systemd.services.fail2ban.serviceConfig.LimitSTACK = 256 * 1024; - } + environment.etc."fail2ban/filter.d/nginx-req-limit.conf" = { + enable = active "nginx"; + text = '' + [Definition] + failregex = limiting requests, excess:.* by zone.*client: + ''; + }; + + # Limit stack size to reduce memory usage + systemd.services.fail2ban.serviceConfig.LimitSTACK = 256 * 1024; +} diff --git a/services/forgejo.nix b/services/forgejo.nix index 8135a69..6ee37a1 100644 --- a/services/forgejo.nix +++ b/services/forgejo.nix @@ -4,12 +4,14 @@ ... }: with lib; - mkIf (elem "forgejo" config.machine.services) { - services = { - forgejo = let +mkIf (elem "forgejo" config.machine.services) { + services = { + forgejo = + let cfg = config.machine; inherit ((findFirst (s: s.service == "forgejo") cfg cfg.vHosts)) domain; - in { + in + { enable = true; user = "git"; database = { 
@@ -44,16 +46,16 @@ with lib; }; }; }; - }; - sops.secrets."services/forgejo/dbPass" = { - owner = "git"; - group = "forgejo"; - }; - users.users.git = { - description = "Forgejo Service"; - isNormalUser = true; - home = config.services.forgejo.stateDir; - createHome = false; - useDefaultShell = true; - }; - } + }; + sops.secrets."services/forgejo/dbPass" = { + owner = "git"; + group = "forgejo"; + }; + users.users.git = { + description = "Forgejo Service"; + isNormalUser = true; + home = config.services.forgejo.stateDir; + createHome = false; + useDefaultShell = true; + }; +} diff --git a/services/fprintd.nix b/services/fprintd.nix index 50cf201..933e202 100644 --- a/services/fprintd.nix +++ b/services/fprintd.nix @@ -4,8 +4,9 @@ ... }: with lib; - mkIf (elem "fprintd" config.machine.services) { - security.pam.services = let +mkIf (elem "fprintd" config.machine.services) { + security.pam.services = + let unlock = [ "sudo" "i3lock" @@ -13,12 +14,16 @@ with lib; "lightdm" ]; in - listToAttrs (forEach unlock (n: { + listToAttrs ( + forEach unlock (n: { name = n; - value = {fprintAuth = true;}; - })); + value = { + fprintAuth = true; + }; + }) + ); - services.fprintd = { - enable = true; - }; - } + services.fprintd = { + enable = true; + }; +} diff --git a/services/hydra.nix b/services/hydra.nix index dae890a..20f9460 100644 --- a/services/hydra.nix +++ b/services/hydra.nix 
@@ -9,24 +9,32 @@ # https://qfpl.io/posts/nix/starting-simple-hydra/ # also for reference a well written hydra config: # https://github.com/NixOS/nixos-org-configurations/blob/master/delft/hydra.nix -with lib; let +with lib; +let cacheDir = "/var/cache/hydra"; in - mkIf (elem "hydra" config.machine.services) { - # also take a look at ../conf/nix.nix - nix.buildMachines = [ - { - hostName = "localhost"; - system = "x86_64-linux"; - supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"]; - maxJobs = 8; - } - ]; +mkIf (elem "hydra" config.machine.services) { + # also take a look at ../conf/nix.nix + nix.buildMachines = [ + { + hostName = "localhost"; + system = "x86_64-linux"; + supportedFeatures = [ + "kvm" + "nixos-test" + "big-parallel" + "benchmark" + ]; + maxJobs = 8; + } + ]; - services = let + services = + let cfg = config.machine; inherit ((findFirst (s: s.service == "hydra") cfg cfg.vHosts)) domain; - in { + in + { hydra = { enable = true; hydraURL = domain; # externally visible URL @@ -42,7 +50,9 @@ in # hydra.conf: binary_cache_secret_key_file is deprecated and ignored. use store_uri=...?secret-key= instead extraConfig = '' max_output_size = 4294967296 - store_uri = file://${cacheDir}?secret-key=${config.sops.secrets."services.hydra.secretKey".path}&write-nar-listing=1&ls-compression=br&log-compression=br + store_uri = file://${cacheDir}?secret-key=${ + config.sops.secrets."services.hydra.secretKey".path + }&write-nar-listing=1&ls-compression=br&log-compression=br # add ?local-nar-cache= to set nar cache location server_store_uri = https://cache.${cfg.domain} binary_cache_public_uri https://cache.${cfg.domain} 
@@ -62,10 +72,10 @@ in ''; }; }; - systemd.services.nix-serve.serviceConfig.User = mkForce "hydra"; - systemd.services.nix-serve.environment.NIX_STORE_DIR = cacheDir; - sops.secrets."services/hydra/secretKey" = { - owner = "hydra"; - group = "hydra"; - }; - } + systemd.services.nix-serve.serviceConfig.User = mkForce "hydra"; + systemd.services.nix-serve.environment.NIX_STORE_DIR = cacheDir; + sops.secrets."services/hydra/secretKey" = { + owner = "hydra"; + group = "hydra"; + }; +} diff --git a/services/mailserver.nix b/services/mailserver.nix index 33d4c40..69457e6 100644 --- a/services/mailserver.nix +++ b/services/mailserver.nix @@ -6,32 +6,40 @@ ... }: with lib; - { - imports = [ - mailserver.nixosModules.mailserver - ]; - } - // mkIf (elem "mailserver" config.machine.services) { - mailserver = let +{ + imports = [ + mailserver.nixosModules.mailserver + ]; +} +// mkIf (elem "mailserver" config.machine.services) { + mailserver = + let cfg = config.machine; inherit (cfg) domain; fdomain = (findFirst (s: s.service == "mail") cfg cfg.vHosts).domain; - mkFqdnAlias = name: ["${name}@${domain}" "${name}@${fdomain}"]; + mkFqdnAlias = name: [ + "${name}@${domain}" + "${name}@${fdomain}" + ]; mkExDomAlias = name: (map (exDom: "${name}@${exDom}") cfg.extraDomains); mkUser = user: rec { name = "${user.name}@${domain}"; value = { hashedPasswordFile = config.sops.secrets."users/${user.name}/mail".path; aliases = - ["${user.name}@${fdomain}"] + [ "${user.name}@${fdomain}" ] ++ (flatten (map mkFqdnAlias user.aliases)) - ++ (flatten (map mkExDomAlias ([user.name] ++ user.aliases))); + ++ (flatten (map mkExDomAlias ([ user.name ] ++ user.aliases))); }; }; - in rec { + in + rec { enable = true; fqdn = fdomain; - domains = [fdomain domain] ++ cfg.extraDomains; + domains = [ + fdomain + domain + ] ++ cfg.extraDomains; loginAccounts = listToAttrs (map mkUser cfg.mailAccounts); # Use Let's Encrypt certificates. Note that this needs to set up a stripped 
@@ -55,9 +63,5 @@ with lib; # 1 Gb RAM for the server. Without virus scanning 256 MB RAM should be plenty) virusScanning = false; }; - sops.secrets = - fn.sopsHelper - (user: "users/${user.name}/mail") - config.machine.mailAccounts - {}; - } + sops.secrets = fn.sopsHelper (user: "users/${user.name}/mail") config.machine.mailAccounts { }; +} diff --git a/services/mariaDB.nix b/services/mariaDB.nix index 362ba1c..506d1e6 100644 --- a/services/mariaDB.nix +++ b/services/mariaDB.nix @@ -5,9 +5,9 @@ ... }: with lib; - mkIf (elem "mariaDB" config.machine.services) { - services.mysql = rec { - enable = true; - package = pkgs.mariadb; - }; - } +mkIf (elem "mariaDB" config.machine.services) { + services.mysql = rec { + enable = true; + package = pkgs.mariadb; + }; +} diff --git a/services/mullvad.nix b/services/mullvad.nix index 5099737..9980e9c 100644 --- a/services/mullvad.nix +++ b/services/mullvad.nix @@ -4,6 +4,6 @@ ... }: with lib; - mkIf (elem "mullvad" config.machine.services) { - services.mullvad-vpn.enable = true; - } +mkIf (elem "mullvad" config.machine.services) { + services.mullvad-vpn.enable = true; +} diff --git a/services/nextcloud.nix b/services/nextcloud.nix index 96a0431..7789a06 100644 --- a/services/nextcloud.nix +++ b/services/nextcloud.nix @@ -6,11 +6,13 @@ ... }: with lib; - mkIf (elem "nextcloud" config.machine.services) { - services = let +mkIf (elem "nextcloud" config.machine.services) { + services = + let cfg = config.machine; inherit ((findFirst (s: s.service == "nextcloud") cfg cfg.vHosts)) domain; - in { + in + { nextcloud = { enable = true; home = "/var/lib/nextcloud"; @@ -54,12 +56,14 @@ with lib; ''; }; }; - sops.secrets = - fn.sopsHelper - (name: "services/nextcloud/${name}") - ["adminPass" "dbPass"] + sops.secrets = + fn.sopsHelper (name: "services/nextcloud/${name}") + [ + "adminPass" + "dbPass" + ] { owner = "nextcloud"; group = "nextcloud"; }; - } +} diff --git a/services/nginx.nix b/services/nginx.nix index e781287..1768d33 100644 
--- a/services/nginx.nix +++ b/services/nginx.nix @@ -15,28 +15,35 @@ }: with lib; with builtins; - mkIf (elem "nginx" config.machine.services) { - services.nginx = let - vHostConfigs = listToAttrs (map - (name: { - name = replaceStrings [".nix"] [""] name; - value = import (./. + (toPath "/nginx_vHosts/${name}")) {inherit options config lib pkgs;}; - }) - (attrNames (readDir ./nginx_vHosts))); +mkIf (elem "nginx" config.machine.services) { + services.nginx = + let + vHostConfigs = listToAttrs ( + map (name: { + name = replaceStrings [ ".nix" ] [ "" ] name; + value = import (./. + (toPath "/nginx_vHosts/${name}")) { + inherit + options + config + lib + pkgs + ; + }; + }) (attrNames (readDir ./nginx_vHosts)) + ); mkVHost = vHost: { name = vHost.domain; - value = - { - enableACME = true; - forceSSL = true; - acmeRoot = "/var/lib/acme/acme-challenge"; - } - // vHostConfigs."${vHost.service}"; + value = { + enableACME = true; + forceSSL = true; + acmeRoot = "/var/lib/acme/acme-challenge"; + } // vHostConfigs."${vHost.service}"; }; vHosts = listToAttrs (map mkVHost config.machine.vHosts); - in { + in + { enable = true; recommendedGzipSettings = true; recommendedOptimisation = true; @@ -56,4 +63,4 @@ with builtins; ''; virtualHosts = vHosts; }; - } +} diff --git a/services/nginx_vHosts/cache.nix b/services/nginx_vHosts/cache.nix index a402a0f..194e865 100644 --- a/services/nginx_vHosts/cache.nix +++ b/services/nginx_vHosts/cache.nix @@ -4,10 +4,10 @@ ... }: with lib; - { - vHost = - if config.services.nix-serve.enable - then { +{ + vHost = + if config.services.nix-serve.enable then + { extraConfig = '' location / { proxy_pass http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}; @@ -18,6 +18,7 @@ with lib; } ''; } - else {}; - } - .vHost + else + { }; +} +.vHost diff --git a/services/nginx_vHosts/forgejo.nix b/services/nginx_vHosts/forgejo.nix index bee28bc..6f256e3 100644 --- a/services/nginx_vHosts/forgejo.nix 
+++ b/services/nginx_vHosts/forgejo.nix @@ -4,10 +4,10 @@ ... }: with lib; - { - vHost = - if config.services.forgejo.enable - then { +{ + vHost = + if config.services.forgejo.enable then + { root = "${config.services.forgejo.stateDir}/public"; extraConfig = '' location / { @@ -28,6 +28,7 @@ with lib; } ''; } - else {}; - } - .vHost + else + { }; +} +.vHost diff --git a/services/nginx_vHosts/hydra.nix b/services/nginx_vHosts/hydra.nix index 4ece547..fe5911e 100644 --- a/services/nginx_vHosts/hydra.nix +++ b/services/nginx_vHosts/hydra.nix @@ -4,10 +4,10 @@ ... }: with lib; - { - vHost = - if config.services.hydra.enable - then { +{ + vHost = + if config.services.hydra.enable then + { extraConfig = '' location / { proxy_pass http://${config.services.hydra.listenHost}:${toString config.services.hydra.port}; @@ -18,6 +18,7 @@ with lib; } ''; } - else {}; - } - .vHost + else + { }; +} +.vHost diff --git a/services/nginx_vHosts/mail.nix b/services/nginx_vHosts/mail.nix index d9ddb70..40639ef 100644 --- a/services/nginx_vHosts/mail.nix +++ b/services/nginx_vHosts/mail.nix @@ -4,14 +4,15 @@ ... }: with lib; - { - vHost = - if config.mailserver.enable - then { +{ + vHost = + if config.mailserver.enable then + { serverName = config.mailserver.fqdn; enableACME = true; forceSSL = true; } - else {}; - } - .vHost + else + { }; +} +.vHost diff --git a/services/nginx_vHosts/nextcloud.nix b/services/nginx_vHosts/nextcloud.nix index 750aad9..215cfc3 100644 --- a/services/nginx_vHosts/nextcloud.nix +++ b/services/nginx_vHosts/nextcloud.nix @@ -6,13 +6,13 @@ ... }: with lib; - if config.services.nextcloud.enable - then - { - vHost = { - enableACME = config.services.nextcloud.https; - forceSSL = config.services.nextcloud.https; - }; - } - .vHost - else {} +if config.services.nextcloud.enable then + { + vHost = { + enableACME = config.services.nextcloud.https; + forceSSL = config.services.nextcloud.https; + }; + } + .vHost +else + { } 
diff --git a/services/nginx_vHosts/simple.nix b/services/nginx_vHosts/simple.nix index 872e39e..38539ba 100644 --- a/services/nginx_vHosts/simple.nix +++ b/services/nginx_vHosts/simple.nix @@ -4,9 +4,9 @@ ... }: with lib; - { - vHost = { - root = "/var/www"; - }; - } - .vHost +{ + vHost = { + root = "/var/www"; + }; +} +.vHost diff --git a/services/nginx_vHosts/tandoor.nix b/services/nginx_vHosts/tandoor.nix index b2c4f53..0125798 100644 --- a/services/nginx_vHosts/tandoor.nix +++ b/services/nginx_vHosts/tandoor.nix @@ -6,10 +6,11 @@ with lib; let tandoor = config.services.tandoor-recipes; -in { - vHost = - if tandoor.enable - then { +in +{ + vHost = + if tandoor.enable then + { extraConfig = '' location /media/ { alias ${tandoor.extraConfig.MEDIA_ROOT}; @@ -24,6 +25,7 @@ in { } ''; } - else {}; - } - .vHost + else + { }; +} +.vHost diff --git a/services/openssh.nix b/services/openssh.nix index 30fc229..7467210 100644 --- a/services/openssh.nix +++ b/services/openssh.nix 
@@ -8,35 +8,38 @@ # https://infosec.mozilla.org/guidelines/openssh.html # https://stribika.github.io/2015/01/04/secure-secure-shell.html with lib; - mkIf (elem "openssh" config.machine.services) { - services.openssh = { - enable = true; - settings.KexAlgorithms = ["curve25519-sha256@libssh.org"]; - sftpFlags = ["-f AUTHPRIV" "-l INFO"]; - startWhenNeeded = false; - settings = { - KbdInteractiveAuthentication = false; - PasswordAuthentication = false; - PermitRootLogin = "no"; - }; - extraConfig = let +mkIf (elem "openssh" config.machine.services) { + services.openssh = { + enable = true; + settings.KexAlgorithms = [ "curve25519-sha256@libssh.org" ]; + sftpFlags = [ + "-f AUTHPRIV" + "-l INFO" + ]; + startWhenNeeded = false; + settings = { + KbdInteractiveAuthentication = false; + PasswordAuthentication = false; + PermitRootLogin = "no"; + }; + extraConfig = + let users = concatMapStrings (user: "${user.name} ") config.machine.administrators + (optionalString config.services.forgejo.enable (config.services.forgejo.user + " ")); - in '' + in + '' UsePAM no AllowUsers ${users} LogLevel VERBOSE ''; - }; - # Add public keys to /etc/ssh/authorized_keys.d - # This replaces users.users.*.openssh.authorizedKeys.* - sops.secrets = - fn.sopsHelper - (user: "users/${user.name}/publicKey") - config.machine.administrators + }; + # Add public keys to /etc/ssh/authorized_keys.d + # This replaces users.users.*.openssh.authorizedKeys.* + sops.secrets = + fn.sopsHelper (user: "users/${user.name}/publicKey") config.machine.administrators (user: { path = "/etc/ssh/authorized_keys.d/${user.name}"; mode = "444"; }); - } +} diff --git a/services/podman.nix b/services/podman.nix index ee48f29..a47ebe5 100644 --- a/services/podman.nix +++ b/services/podman.nix 
@@ -4,19 +4,25 @@ pkgs, ... }: -with lib; let +with lib; +let withDocker = elem "docker" config.machine.services; in - mkIf (elem "podman" config.machine.services) { - virtualisation.podman = { - enable = true; - dockerSocket.enable = withDocker; - dockerCompat = withDocker; - defaultNetwork = { - settings.dns_enabled = true; - }; +mkIf (elem "podman" config.machine.services) { + virtualisation.podman = { + enable = true; + dockerSocket.enable = withDocker; + dockerCompat = withDocker; + defaultNetwork = { + settings.dns_enabled = true; }; - environment.systemPackages = - (with pkgs; [podman-compose cntr img skopeo]) - ++ (optional withDocker pkgs.docker-compose); - } + }; + environment.systemPackages = + (with pkgs; [ + podman-compose + cntr + img + skopeo + ]) + ++ (optional withDocker pkgs.docker-compose); +} diff --git a/services/tandoor.nix b/services/tandoor.nix index 0965578..41af252 100644 --- a/services/tandoor.nix +++ b/services/tandoor.nix @@ -5,12 +5,12 @@ ... }: with lib; - mkIf (elem "tandoor" config.machine.services) { - services.tandoor-recipes = { - enable = true; - extraConfig = { - # Set explicitly so it can be referenced by web-server - MEDIA_ROOT = "/var/lib/tandoor-recipes/media/"; - }; +mkIf (elem "tandoor" config.machine.services) { + services.tandoor-recipes = { + enable = true; + extraConfig = { + # Set explicitly so it can be referenced by web-server + MEDIA_ROOT = "/var/lib/tandoor-recipes/media/"; }; - } + }; +} diff --git a/services/udev.nix b/services/udev.nix index b397ff3..df8220c 100644 --- a/services/udev.nix +++ b/services/udev.nix @@ -5,6 +5,6 @@ ... }: with lib; - mkIf (elem "udev" config.machine.services) { - hardware.steam-hardware.enable = true; - } +mkIf (elem "udev" config.machine.services) { + hardware.steam-hardware.enable = true; +}